Merge remote-tracking branch 'origin/develop'

.github/workflows/build-push-docker-image.yml

@@ -0,0 +1,48 @@
+name: build-push-docker-image
+
+#on: workflow_dispatch
+on:
+  push:
+    branches: feature/docker_configs
+  workflow_dispatch:
+
+jobs:
+  build-push-docker-image:
+    runs-on: ubuntu-latest
+    permissions:
+      packages: write
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+
+      - name: Get the latest release
+        id: release
+        uses: robinraju/[email protected]
+        with:
+          latest: true
+          fileName: "*.tar.bz2"
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v2
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
+
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@v2
+        with:
+          registry: ghcr.io
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Build and push the Production image
+        uses: docker/build-push-action@v4
+        with:
+          context: .
+          file: docker/Dockerfile.prod
+          platforms: linux/amd64,linux/arm64
+          push: true
+          tags: |
+            ghcr.io/openconext/stepup-tiqr/stepup-tiqr:prod
+            ghcr.io/openconext/stepup-tiqr/stepup-tiqr:${{ github.sha }}
+            ghcr.io/openconext/stepup-tiqr/stepup-tiqr:${{ steps.release.outputs.tag_name }}

.github/workflows/daily-security-check.yml

@@ -0,0 +1,102 @@
+---
+name: Daily security check
+on:
+  schedule:
+    - cron: '0 0 * * *'
+  workflow_dispatch:
+
+jobs:
+  security:
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+    steps:
+      - name: Checkout repo
+        uses: actions/checkout@v2
+
+      # PHP checks
+      - name: Check for php composer project
+        id: check_composer
+        uses: andstor/file-existence-action@v2
+        with:
+          files: "composer.lock"
+      - name: Run php local security checker
+        if: steps.check_composer.outputs.files_exists == 'true'
+        uses: symfonycorp/security-checker-action@v4
+
+      # node-yarn checks
+      - name: Check for node-yarn project
+        id: check_node_yarn
+        uses: andstor/file-existence-action@v2
+        with:
+          files: "yarn.lock"
+      - name: Setup node
+        if: steps.check_node_yarn.outputs.files_exists == 'true'
+        uses: actions/setup-node@v3
+        with:
+          node-version: 14
+      - name: Yarn Audit
+        if: steps.check_node_yarn.outputs.files_exists == 'true'
+        run: yarn audit --level high --groups dependencies optionalDependencies
+
+      # node-npm checks
+      - name: Check for node-npm project
+        id: check_node_npm
+        uses: andstor/file-existence-action@v2
+        with:
+          files: "package.lock"
+      - name: Setup node
+        if: steps.check_node_npm.outputs.files_exists == 'true'
+        uses: actions/setup-node@v3
+        with:
+          node-version: 14
+      - name: npm audit
+        if: steps.check_node_npm.outputs.files_exists == 'true'
+        run: npm audit --audit-level=high
+
+      # python checks
+      - name: Check for python project
+        id: check_python
+        uses: andstor/file-existence-action@v2
+        with:
+          files: "requirements.txt"
+      - name: Safety checks Python dependencies
+        if: steps.check_python.outputs.files_exists == 'true'
+        uses: pyupio/[email protected]
+
+      # java checks
+      - name: Check for java maven project
+        id: check_maven
+        uses: andstor/file-existence-action@v2
+        with:
+          files: "pom.xml"
+      - name: Setup java if needed
+        if: steps.check_maven.outputs.files_exists == 'true'
+        uses: actions/setup-java@v3
+        with:
+          java-version: 11
+          distribution: 'temurin'
+          cache: 'maven'
+      - name: Set up maven cache if needed
+        if: steps.check_maven.outputs.files_exists == 'true'
+        uses: actions/cache@v1
+        with:
+          path: ~/.m2/repository
+          key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }}
+          restore-keys: |
+            ${{ runner.os }}-maven-
+      - name: Check java
+        if: steps.check_maven.outputs.files_exists == 'true'
+        run: mvn org.owasp:dependency-check-maven:check
+
+      # Send results
+      - name: Send to Slack if something failed
+        if: failure()
+        uses: rtCamp/action-slack-notify@v2
+        env:
+          SLACK_CHANNEL: surfconext-nightly-check
+          SLACK_COLOR: ${{ job.status }}
+          SLACK_ICON: https://static.surfconext.nl/logos/idp/surfnet.png
+          SLACK_MESSAGE: 'Dependency check failed :crying_cat_face:'
+          SLACK_TITLE: ${{ github.repository }} wants attention
+          SLACK_USERNAME: NightlySecurityCheck
+          SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}

.github/workflows/tag-release.yml

@@ -60,4 +60,13 @@ jobs:
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         with:
-          release_id: ${{ steps.create_release.outputs.id }}
+          release_id: ${{ steps.create_release.outputs.id }}
+
+  after_build:
+    needs: build
+    runs-on: ubuntu-latest
+    steps:
+      - name: Trigger Docker container build
+        uses: benc-uk/workflow-dispatch@v1
+        with:
+          workflow: build-push-docker-image.yml

README.md

@@ -186,12 +186,83 @@ tiqr_library_options:
 # Release strategy
 Please read: https://github.com/OpenConext/Stepup-Deploy/wiki/Release-Management fro more information on the release strategy used in Stepup projects.
 
+# How the Stepup-tiqr uses the Tiqr library
+The Tiqr server's purpose is to facilitate Tiqr authentications. In doing so communicating with the Tiqr app. Details about this communication flow can be found in the flow above. Here you will find a communication diagram for enrollment and authentication.
+
+The following code examples show some of the concepts that are used during authentication from the web frontend. It does not include the communication with the Tiqr client (app).
+
+```php
+# 1. The name id (username) of the user is used to identify that specific user in Tiqr. 
+#    In the case of Stepup-Tiqr (SAML based) we get the NameId from the SAML 2.0 AuthnRequest
+#
+# Example below is pseudocode you might write in your controller dealing with an authentication request
+$nameId = $this->authenticationService->getNameId();
+
+# The request id of the SAML AuthnRequest message, used to match the originating authentication request with the Tiqr authentication
+$requestId = $this->authenticationService->getRequestId();
+```
+
+```php
+# 2. Next you can do some verifications on the user, is it found in tiqr-server user storage?
+#    Is it not locked out temporarily?
+#
+# Example below is pseudocode you might write in your controller dealing with an authentication request
+$user = $this->userRepository->getUser($nameId);
+if ($this->authenticationRateLimitService->isBlockedTemporarily($user)) {
+    throw new Exception('You are locked out of the system');
+}
+
+$this->startAuthentication($nameId, $requestId)
+public function startAuthentication($nameId, $requestId)
+{
+    # Authentication is started by providing the NameId and the PHP session id
+    $sessionKey = $this->tiqrService->startAuthenticationSession($nameId, $this->session->getId());
+    # The Service (Tiqr_Service) generates a session key which is stored in the state storage, but also returned to
+    # persist in the Tiqr server implementation. 
+    $this->session->set('sessionKey', $sessionKey);
+    $this->storeRequestIdForNameId($sessionKey, $requestId);
+    # Creates an authentication challenge URL. It links directly to the application 
+    return $this->tiqrService->generateAuthURL($sessionKey);
+}
+```
+
+```php
+# 3. The tiqr server implementation now must wait for the Tiqr App to finalize its authentication with the user.
+#    In the Stepup-Tiqr implementation, we do this by polling the tiqr server for the atuthentication status.
+# Example below is pseudocode
+
+# Javascript
+function pollTiqrStatus() {
+    getTiqrStatus()
+    setTimeout(refresh, 5000);
+}
+pollTiqrStatus();
+
+# In the PHP application:
+$isAuthenticated = $this->tiqrService->getAuthenticatedUser($this->session->getId());
+if ($isAuthenticated) {
+    # Your controller can now go to the next action, maybe send back a successful SamlResponse, or signal otherwise
+    # that the authentication succeeded. 
+    return $successResponse;
+}
+# And deal with the non happy flow
+
+if ($isExpired) {
+    return $errorResponse;
+}
+
+if ($otherErrorConddition) {
+    # ...
+}
+```
+
 Other resources
-======================
+===============
 
  - [Developer documentation](docs/index.md)
  - [Issue tracker](https://www.pivotaltracker.com/n/projects/1163646)
  - [License](LICENSE)
  - [Tiqr library](https://github.com/SURFnet/tiqr-server-libphp)
  - [Library documentation](https://tiqr.org/documentation/) 
  - [Tiqr config parameters](https://github.com/SURFnet/simplesamlphp-module-authtiqr)
+

component_info

@@ -3,3 +3,4 @@ SYMFONY_VERSION=4
 ENCORE=yes
 ASSETIC=no
 NODE_VERSION=14
+COMPOSER_VERSION=2