From ef7599daa35212037e98aa09da734684e46bfcb5 Mon Sep 17 00:00:00 2001 From: Mike Decker Date: Thu, 7 Sep 2023 10:39:11 -0700 Subject: [PATCH 1/4] Add and configured samlauth module --- composer.json | 1 + composer.lock | 382 ++++++++++++- config/default/autologout.settings.yml | 22 + config/default/config_ignore.settings.yml | 3 +- config/default/core.extension.yml | 7 +- config/default/r4032login.settings.yml | 18 + config/default/samlauth.authentication.yml | 37 ++ .../default/samlauth_user_fields.mappings.yml | 5 + .../default/simplesamlphp_auth.settings.yml | 30 - config/default/stanford_samlauth.settings.yml | 28 + config/default/stanford_ssp.settings.yml | 13 - config/default/views.view.samlauth_map.yml | 530 ++++++++++++++++++ .../sites/settings/default.local.settings.php | 26 +- docroot/sites/settings/global.settings.php | 2 +- .../{simplesaml.php => saml.settings.php} | 27 + 15 files changed, 1080 insertions(+), 51 deletions(-) create mode 100644 config/default/autologout.settings.yml create mode 100644 config/default/r4032login.settings.yml create mode 100644 config/default/samlauth.authentication.yml create mode 100644 config/default/samlauth_user_fields.mappings.yml delete mode 100644 config/default/simplesamlphp_auth.settings.yml create mode 100644 config/default/stanford_samlauth.settings.yml delete mode 100644 config/default/stanford_ssp.settings.yml create mode 100644 config/default/views.view.samlauth_map.yml rename docroot/sites/settings/{simplesaml.php => saml.settings.php} (56%) diff --git a/composer.json b/composer.json index 20b1eea10..99f64f933 100644 --- a/composer.json +++ b/composer.json @@ -198,6 +198,7 @@ "su-sws/stanford_fields": "^8.1", "su-sws/stanford_media": "dev-HSD8-1416 as 8.3.0", "su-sws/stanford_migrate": "^8.4", + "su-sws/stanford_samlauth": "^1.0", "su-sws/stanford_ssp": "^8.1" }, "require-dev": { diff --git a/composer.lock b/composer.lock index eee79ad6b..8a72953e8 100644 --- a/composer.lock +++ b/composer.lock 
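Review bot: `su-sws/stanford_ssp` stays in `require` right under the new `"su-sws/stanford_samlauth": "^1.0"` line, so the retired SSO module (and the simplesamlphp stack it pulls in) keeps shipping in vendor even though `core.extension.yml` in this same patch uninstalls `stanford_ssp` and `simplesamlphp_auth`, and the lockfile still carries `su-sws/stanford_ssp` 8.3.5. Unless it is being kept deliberately for the uninstall/migration path, drop `"su-sws/stanford_ssp": "^8.1"` so the deploy artifact does not contain two SAML authentication code paths of which only one is configured and reviewed. If it is intentional, a sentence in the commit message saying when it will be removed would save the next reader the same question.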
@@ -4,7 +4,7 @@ "Read more about it at https://getcomposer.org/doc/01-basic-usage.md#installing-dependencies", "This file is @generated automatically" ], - "content-hash": "b6e4958b8d50c7072a93e491a88e6bda", + "content-hash": "34c1087450bf3f63625c0a099a8fbcf3", "packages": [ { "name": "acquia/blt", 
@@ -2566,6 +2566,94 @@ "issues": "https://www.drupal.org/project/issues/auto_entitylabel" } }, + { + "name": "drupal/autologout", + "version": "1.4.0", + "source": { + "type": "git", + "url": "https://git.drupalcode.org/project/autologout.git", + "reference": "8.x-1.4" + }, + "dist": { + "type": "zip", + "url": "https://ftp.drupal.org/files/projects/autologout-8.x-1.4.zip", + "reference": "8.x-1.4", + "shasum": "f751062f463d0b52df81764f67cee3a0be97825e" + }, + "require": { + "drupal/core": "^9.2 || ^10" + }, + "type": "drupal-module", + "extra": { + "drupal": { + "version": "8.x-1.4", + "datestamp": "1658168199", + "security-coverage": { + "status": "covered", + "message": "Covered by Drupal's security advisory policy" + } + } + }, + "notification-url": "https://packages.drupal.org/8/downloads", + "license": [ + "GPL-2.0-or-later" + ], + "authors": [ + { + "name": "AjitS", + "homepage": "https://www.drupal.org/user/981944" + }, + { + "name": "AjK", + "homepage": "https://www.drupal.org/user/39030" + }, + { + "name": "boshtian", + "homepage": "https://www.drupal.org/user/1773456" + }, + { + "name": "dandrews", + "homepage": "https://www.drupal.org/user/2014490" + }, + { + "name": "darksnow", + "homepage": "https://www.drupal.org/user/391915" + }, + { + "name": "japerry", + "homepage": "https://www.drupal.org/user/45640" + }, + { + "name": "johnennew", + "homepage": "https://www.drupal.org/user/1150042" + }, + { + "name": "jrglasgow", + "homepage": "https://www.drupal.org/user/36590" + }, + { + "name": "kmasood", + "homepage": "https://www.drupal.org/user/1262860" + }, + { + "name": "levelos", + "homepage": "https://www.drupal.org/user/54135" + }, + { + "name": "prabeen.giri", + "homepage": "https://www.drupal.org/user/913078" + }, + { + "name": "str8", + "homepage": "https://www.drupal.org/user/2865063" + } + ], + "description": "Adds automated timed logout.", + "homepage": "http://drupal.org/project/autologout", + "support": { + "source": 
"https://git.drupalcode.org/project/autologout" + } + }, { "name": "drupal/bartik", "version": "1.0.2", 
@@ -10323,6 +10411,98 @@ "source": "https://git.drupalcode.org/project/purge" } }, + { + "name": "drupal/r4032login", + "version": "2.2.1", + "source": { + "type": "git", + "url": "https://git.drupalcode.org/project/r4032login.git", + "reference": "2.2.1" + }, + "dist": { + "type": "zip", + "url": "https://ftp.drupal.org/files/projects/r4032login-2.2.1.zip", + "reference": "2.2.1", + "shasum": "b1ee040ec84a1feee28ed9ac6c8576f6e9edfd3a" + }, + "require": { + "drupal/core": "^9.3 || ^10" + }, + "type": "drupal-module", + "extra": { + "drupal": { + "version": "2.2.1", + "datestamp": "1680284411", + "security-coverage": { + "status": "covered", + "message": "Covered by Drupal's security advisory policy" + } + } + }, + "notification-url": "https://packages.drupal.org/8/downloads", + "license": [ + "GPL-2.0-or-later" + ], + "authors": [ + { + "name": "bdone", + "homepage": "https://www.drupal.org/user/687670" + }, + { + "name": "Bevan", + "homepage": "https://www.drupal.org/user/49989" + }, + { + "name": "deekayen", + "homepage": "https://www.drupal.org/user/972" + }, + { + "name": "Grayle", + "homepage": "https://www.drupal.org/user/3145497" + }, + { + "name": "lotyrin", + "homepage": "https://www.drupal.org/user/216580" + }, + { + "name": "markdorison", + "homepage": "https://www.drupal.org/user/346106" + }, + { + "name": "ms2011", + "homepage": "https://www.drupal.org/user/108440" + }, + { + "name": "Nixou", + "homepage": "https://www.drupal.org/user/2304734" + }, + { + "name": "pwolanin", + "homepage": "https://www.drupal.org/user/49851" + }, + { + "name": "RobLoach", + "homepage": "https://www.drupal.org/user/61114" + }, + { + "name": "shrop", + "homepage": "https://www.drupal.org/user/14767" + }, + { + "name": "Sk8erPeter", + "homepage": "https://www.drupal.org/user/1441344" + } + ], + "description": "Redirect anonymous users from 403 Access Denied pages to the /user/login page.", + "homepage": "https://www.drupal.org/project/r4032login", + "keywords": [ + "Drupal" 
+ ], + "support": { + "source": "https://git.drupalcode.org/project/r4032login", + "issues": "https://www.drupal.org/project/issues/r4032login" + } + }, { "name": "drupal/rabbit_hole", "version": "1.0.0-beta11", @@ -10585,6 +10765,54 @@ "source": "https://git.drupalcode.org/project/redirect" } }, + { + "name": "drupal/require_login", + "version": "3.0.6", + "source": { + "type": "git", + "url": "https://git.drupalcode.org/project/require_login.git", + "reference": "3.0.6" + }, + "dist": { + "type": "zip", + "url": "https://ftp.drupal.org/files/projects/require_login-3.0.6.zip", + "reference": "3.0.6", + "shasum": "d2dbf69cf10f73eca15daed36f1b05a5996a86b3" + }, + "require": { + "drupal/core": "^9 || ^10" + }, + "type": "drupal-module", + "extra": { + "drupal": { + "version": "3.0.6", + "datestamp": "1687875848", + "security-coverage": { + "status": "covered", + "message": "Covered by Drupal's security advisory policy" + } + } + }, + "notification-url": "https://packages.drupal.org/8/downloads", + "license": [ + "GPL-2.0-or-later" + ], + "authors": [ + { + "name": "robphillips", + "homepage": "https://www.drupal.org/user/459772" + }, + { + "name": "sindurig", + "homepage": "https://www.drupal.org/user/3684910" + } + ], + "description": "Easily require user authentication on all pages.", + "homepage": "https://www.drupal.org/project/require_login", + "support": { + "source": "https://git.drupalcode.org/project/require_login" + } + }, { "name": "drupal/role_delegation", "version": "1.2.0", 
@@ -10694,6 +10922,68 @@ "issues": "https://www.drupal.org/project/issues/role_watchdog" } }, + { + "name": "drupal/samlauth", + "version": "3.9.0", + "source": { + "type": "git", + "url": "https://git.drupalcode.org/project/samlauth.git", + "reference": "8.x-3.9" + }, + "dist": { + "type": "zip", + "url": "https://ftp.drupal.org/files/projects/samlauth-8.x-3.9.zip", + "reference": "8.x-3.9", + "shasum": "1af6aec1b9f7f49bd2bc8e023ef53dbbd7329722" + }, + "require": { + "drupal/core": "^9.2 || ^10", + "drupal/externalauth": "^1.3 || ^2", + "onelogin/php-saml": "^3.3.1 || ^4" + }, + "type": "drupal-module", + "extra": { + "drupal": { + "version": "8.x-3.9", + "datestamp": "1690407017", + "security-coverage": { + "status": "covered", + "message": "Covered by Drupal's security advisory policy" + } + }, + "branch-alias": { + "dev-8.x-3.x": "3.x-dev" + } + }, + "notification-url": "https://packages.drupal.org/8/downloads", + "license": [ + "GPL-2.0-or-later" + ], + "authors": [ + { + "name": "cweagans", + "homepage": "https://www.drupal.org/user/404732" + }, + { + "name": "japerry", + "homepage": "https://www.drupal.org/user/45640" + }, + { + "name": "roderik", + "homepage": "https://www.drupal.org/user/8841" + }, + { + "name": "smfsh", + "homepage": "https://www.drupal.org/user/3348892" + } + ], + "description": "Allows users to authenticate against an external SAML identity provider.", + "homepage": "http://drupal.org/project/samlauth", + "support": { + "source": "http://cgit.drupalcode.org/samlauth", + "issues": "http://drupal.org/project/samlauth" + } + }, { "name": "drupal/search_api", "version": "1.29.0", 
@@ -15179,6 +15469,62 @@ }, "time": "2023-08-13T19:53:39+00:00" }, + { + "name": "onelogin/php-saml", + "version": "4.1.0", + "source": { + "type": "git", + "url": "https://github.com/onelogin/php-saml.git", + "reference": "b22a57ebd13e838b90df5d3346090bc37056409d" + }, + "dist": { + "type": "zip", + "url": "https://api.github.com/repos/onelogin/php-saml/zipball/b22a57ebd13e838b90df5d3346090bc37056409d", + "reference": "b22a57ebd13e838b90df5d3346090bc37056409d", + "shasum": "" + }, + "require": { + "php": ">=7.3", + "robrichards/xmlseclibs": ">=3.1.1" + }, + "require-dev": { + "pdepend/pdepend": "^2.8.0", + "php-coveralls/php-coveralls": "^2.0", + "phploc/phploc": "^4.0 || ^5.0 || ^6.0 || ^7.0", + "phpunit/phpunit": "^9.5", + "sebastian/phpcpd": "^4.0 || ^5.0 || ^6.0 ", + "squizlabs/php_codesniffer": "^3.5.8" + }, + "suggest": { + "ext-curl": "Install curl lib to be able to use the IdPMetadataParser for parsing remote XMLs", + "ext-dom": "Install xml lib", + "ext-openssl": "Install openssl lib in order to handle with x509 certs (require to support sign and encryption)", + "ext-zlib": "Install zlib" + }, + "type": "library", + "autoload": { + "psr-4": { + "OneLogin\\": "src/" + } + }, + "notification-url": "https://packagist.org/downloads/", + "license": [ + "MIT" + ], + "description": "OneLogin PHP SAML Toolkit", + "homepage": "https://developers.onelogin.com/saml/php", + "keywords": [ + "SAML2", + "onelogin", + "saml" + ], + "support": { + "email": "sixto.garcia@onelogin.com", + "issues": "https://github.com/onelogin/php-saml/issues", + "source": "https://github.com/onelogin/php-saml/" + }, + "time": "2022-07-15T20:44:36+00:00" + }, { "name": "onlyextart/colorbox", "version": "dev-master", 
@@ -18382,6 +18728,38 @@ }, "time": "2023-08-25T18:35:52+00:00" }, + { + "name": "su-sws/stanford_samlauth", + "version": "1.0.0", + "source": { + "type": "git", + "url": "https://github.com/SU-SWS/stanford_samlauth.git", + "reference": "08fd7c2f4f975956a13e28131082341ccfec52ce" + }, + "dist": { + "type": "zip", + "url": "https://api.github.com/repos/SU-SWS/stanford_samlauth/zipball/08fd7c2f4f975956a13e28131082341ccfec52ce", + "reference": "08fd7c2f4f975956a13e28131082341ccfec52ce", + "shasum": "" + }, + "require": { + "drupal/autologout": "^1.4", + "drupal/r4032login": "^2.2", + "drupal/require_login": "^3.0", + "drupal/samlauth": "^3.9", + "php": ">=8.1" + }, + "type": "drupal-custom-module", + "notification-url": "https://packagist.org/downloads/", + "license": [ + "GPL-2.0-or-later" + ], + "support": { + "issues": "https://github.com/SU-SWS/stanford_samlauth/issues", + "source": "https://github.com/SU-SWS/stanford_samlauth/tree/1.0.0" + }, + "time": "2023-09-05T15:59:01+00:00" + }, { "name": "su-sws/stanford_ssp", "version": "8.3.5", @@ -27764,5 +28142,5 @@ "php": ">=8.0" }, "platform-dev": [], - "plugin-api-version": "2.2.0" + "plugin-api-version": "2.3.0" } diff --git a/config/default/autologout.settings.yml b/config/default/autologout.settings.yml new file mode 100644 index 000000000..79e14f8a2 --- /dev/null +++ b/config/default/autologout.settings.yml 
@@ -0,0 +1,22 @@
+_core:
+ default_config_hash: kwGGKvKSU7cPTEgTMWrbW0o9Jwe6FSDmpgdUWmIXCdg
+enabled: true
+timeout: 43200
+max_timeout: 172800
+padding: 20
+logout_regardless_of_activity: false
+no_individual_logout_threshold: false
+role_logout: false
+role_logout_max: false
+redirect_url: /user/login
+no_dialog: false
+message: 'Your session is about to expire. Do you want to reset it?'
+inactivity_message: 'You have been logged out due to inactivity.'
+inactivity_message_type: status
+modal_width: 450
+enforce_admin: false
+jstimer_format: '%hours%:%mins%:%secs%'
+jstimer_js_load_option: false
+use_alt_logout_method: false
+use_watchdog: true
+whitelisted_ip_addresses: ''
diff --git a/config/default/config_ignore.settings.yml b/config/default/config_ignore.settings.yml
index 321caf388..3a2dd04b6 100644
--- a/config/default/config_ignore.settings.yml
+++ b/config/default/config_ignore.settings.yml
@@ -33,8 +33,7 @@ ignored_config_entities:
 - 'menu_position.menu_position_rule.*'
 - 'migrate_plus.migration.*:status'
 - 'migrate_plus.migration.custm*'
- - simplesamlphp_auth.settings
- - stanford_ssp.settings
+ - stanford_samlauth.settings
 - 'system.theme:default'
 - 'user.role.*:permissions'
 - 'user.role.custm*'
diff --git a/config/default/core.extension.yml b/config/default/core.extension.yml
index 5731ecd7b..5e263eaef 100644
--- a/config/default/core.extension.yml
+++ b/config/default/core.extension.yml
@@ -11,6 +11,7 @@ module:
 allowed_formats: 0
 asset_injector: 0
 auto_entitylabel: 0
+ autologout: 0
 better_exposed_filters: 0
 better_normalizers: 0
 blazy: 0
@@ -186,6 +187,7 @@ module:
 path_redirect_import: 0
 preprocess_event_dispatcher: 0
 publishcontent: 0
+ r4032login: 0
 rabbit_hole: 0
 readonly_field_widget: 0
 real_aes: 0
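Review bot: The committed idle timeout `timeout: 43200` is twelve hours and `max_timeout: 172800` permits forty-eight, which is long for a site where an IdP entitlement lands users directly in the `administrator` role, and with `logout_regardless_of_activity: false` a session that is touched once every twelve hours is never ended by this module at all. Something like `timeout: 3600` with per-role timeouts (`role_logout: true`) for the privileged roles is closer to what a session-lifetime policy for an SSO-fronted admin site usually allows; whatever value is chosen should be a deliberate decision recorded in the commit rather than the module default. Note also that the `config_ignore` hunk on this line adds `stanford_samlauth.settings` to the ignore list, so the role mapping and access restrictions committed elsewhere in this patch are only seeded on install and will thereafter drift per site outside of code review.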
@@ -197,12 +199,13 @@ module:
 rh_taxonomy: 0
 role_delegation: 0
 role_watchdog: 0
+ samlauth: 0
+ samlauth_user_fields: 0
 search_api: 0
 search_api_db: 0
 serialization: 0
 shortcut: 0
 shortcut_menu: 0
- simplesamlphp_auth: 0
 slick: 0
 slick_paragraphs: 0
 smart_date: 0
@@ -212,7 +215,7 @@ module:
 stanford_fields: 0
 stanford_media: 0
 stanford_migrate: 0
- stanford_ssp: 0
+ stanford_samlauth: 0
 syslog: 0
 system: 0
 taxonomy: 0
diff --git a/config/default/r4032login.settings.yml b/config/default/r4032login.settings.yml
new file mode 100644
index 000000000..e35ae9e13
--- /dev/null
+++ b/config/default/r4032login.settings.yml
@@ -0,0 +1,18 @@
+_core:
+ default_config_hash: FtwnuCXmazPAh2H2i_gbDhMK1-eBmNy1dG4RBU4qt4o
+langcode: en
+display_denied_message: true
+access_denied_message: 'Access denied. You must log in to view this page.'
+access_denied_message_type: error
+redirect_authenticated_users_to: ''
+throw_authenticated_404: false
+display_auth_denied_message: true
+access_denied_auth_message: 'Access denied. Check with your site administrator if you need assistance.'
+access_denied_auth_message_type: error
+user_login_path: /user/login
+default_redirect_code: 307
+add_noindex_header: true
+destination_parameter_override: ''
+match_noredirect_pages: "/jsonapi\r\n/jsonapi/*\r\n/subrequests"
+match_noredirect_negate: 0
+redirect_to_destination: true
diff --git a/config/default/samlauth.authentication.yml b/config/default/samlauth.authentication.yml
new file mode 100644
index 000000000..8c4874ba0
--- /dev/null
+++ b/config/default/samlauth.authentication.yml
@@ -0,0 +1,37 @@
+_core:
+ default_config_hash: oDGEkhP0h5rXXqlDplxeBDre0goLigOJupHKMDMwcqM
+local_login_saml_error: false
+sp_entity_id: ''
+sp_name_id_format: 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient'
+sp_x509_certificate: 'file:/path/to/file.crt'
+sp_private_key: 'file:/path/to/file.key'
+metadata_valid_secs: 60
+metadata_cache_http: false
+idp_entity_id: 'https://idp.stanford.edu/'
+idp_single_sign_on_service: 'https://login.stanford.edu/idp/profile/SAML2/Redirect/SSO'
+idp_certs: { }
+unique_id_attribute: uid
+map_users_name: true
+map_users_mail: true
+map_users_roles:
+ administrator: administrator
+ site_manager: site_manager
+ contributor: contributor
+ author: author
+ intranet_viewer: intranet_viewer
+ stanford_faculty: stanford_faculty
+ stanford_staff: stanford_staff
+ stanford_student: stanford_student
+create_users: true
+user_name_attribute: uid
+user_mail_attribute: mail
+request_set_name_id_policy: true
+strict: true
+security_authn_requests_sign: true
+security_logout_requests_sign: true
+security_logout_responses_sign: true
+security_messages_sign: true
+security_want_name_id: true
+security_request_authn_context: true
+security_lowercase_url_encoding: true
+use_base_url: true
diff --git a/config/default/samlauth_user_fields.mappings.yml b/config/default/samlauth_user_fields.mappings.yml
new file mode 100644
index 000000000..0c80585a7
--- /dev/null
+++ b/config/default/samlauth_user_fields.mappings.yml
@@ -0,0 +1,5 @@
+field_mappings:
+ -
+ attribute_name: displayName
+ field_name: su_display_name
+ link_user_order: null
diff --git a/config/default/simplesamlphp_auth.settings.yml b/config/default/simplesamlphp_auth.settings.yml
deleted file mode 100644
index f3cca82f5..000000000
--- a/config/default/simplesamlphp_auth.settings.yml
+++ /dev/null
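Review bot: `map_users_mail: true` together with `administrator` listed under `map_users_roles` means an IdP login can be linked to an existing local administrator account on an e-mail match alone, if `map_users_roles` is (as its name suggests) the set of roles for which linking to an existing account is permitted. The `uid` used for `unique_id_attribute` is institution-controlled, but e-mail addresses get reassigned, so consider `map_users_mail: false` or taking `administrator` out of that list so a pre-existing local admin cannot be claimed through an attribute that is not the unique ID. Separately, `idp_certs: { }` and the `file:/path/to/file.*` placeholders are what is committed, and the real values only arrive through the settings.php overrides elsewhere in this patch; with `strict: true` a missing IdP certificate should fail closed, but that is worth confirming and worth a comment beside the override saying the committed file is intentionally a stub.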
@@ -1,30 +0,0 @@
-_core:
- default_config_hash: BuLah1nwoT5oUjn6XIuKnXkjcvdt5tDIGQ6gAflOY0s
-langcode: en
-activate: true
-auth_source: default-sp
-login_link_display_name: 'SUNetID Login'
-login_link_show: true
-user_name: displayName
-unique_id: uid
-mail_attr: mail
-header_no_cache: true
-role:
- population: 'administrator:eduPersonEntitlement,=,hsdo:web|administrator:eduPersonEntitlement,=,uit:sws|administrator:eduPersonEntitlement,=,hsweb:fourkitchens'
- eval_every_time: 2
-register_users: true
-allow:
- set_drupal_pwd: false
- default_login: true
- default_login_roles: { }
- default_login_users: '1'
-logout_goto_url: null
-user_register_original: admin_only
-sync:
- mail: true
- user_name: true
-autoenablesaml: true
-debug: false
-secure: true
-httponly: false
-default_langcode: en
diff --git a/config/default/stanford_samlauth.settings.yml b/config/default/stanford_samlauth.settings.yml
new file mode 100644
index 000000000..189faa2ed
--- /dev/null
+++ b/config/default/stanford_samlauth.settings.yml
@@ -0,0 +1,28 @@
+_core:
+ default_config_hash: Gg16MjldLejVucRsgAVxrnzR6CxV4zt94j_HnyyxQ3g
+hide_local_login: true
+local_login_fieldset_label: 'Drupal Login'
+local_login_fieldset_open: false
+allowed:
+ restrict: false
+ users: null
+ affiliations: null
+ groups: null
+role_mapping:
+ workgroup_api:
+ cert: /var/www/suhumsci/docroot/../keys/saml/workgroup_api.cert
+ key: /var/www/suhumsci/docroot/../keys/saml/workgroup_api.key
+ reevaluate: new
+ mapping:
+ -
+ role: administrator
+ attribute: eduPersonEntitlement
+ value: 'hsdo:web'
+ -
+ role: administrator
+ attribute: eduPersonEntitlement
+ value: 'uit:sws'
+ -
+ role: administrator
+ attribute: eduPersonEntitlement
+ value: 'hsweb:fourkitchens'
diff --git a/config/default/stanford_ssp.settings.yml b/config/default/stanford_ssp.settings.yml
deleted file mode 100644
index b83c9941f..000000000
--- a/config/default/stanford_ssp.settings.yml
+++ /dev/null
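Review bot: `reevaluate: new` under `role_mapping` reads as "only apply the mapping when an account is first created", and if that is what the value does then the `eduPersonEntitlement` → `administrator` grants are never re-checked, so an admin whose entitlement is revoked at the IdP keeps `administrator` in Drupal until someone removes it by hand; the simplesamlphp_auth config deleted on this same line had `eval_every_time: 2`, which appears to have re-evaluated on each login. Whatever stanford_samlauth's every-login option is called, use it here so de-provisioning stays tied to the IdP, and say so in a comment next to `reevaluate`. Also worth a conscious decision: `allowed.restrict: false` plus `create_users: true` in `samlauth.authentication.yml` means every successful Stanford login provisions a local account, and because this file is config-ignored that choice lives in each site's database after install rather than in review.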
@@ -1,13 +0,0 @@
-_core:
- default_config_hash: Xm4MNDvuD7BJ089bXHgqkS7_mOjVgGxnekzaeYLwW7k
-saml_attribute: eduPersonEnttitlement
-hide_local_login: true
-use_workgroup_api: true
-workgroup_api_cert: /mnt/gfs/humscigryphon.prod/nobackup/apikeys/saml/workgroup_api.cert
-workgroup_api_key: /mnt/gfs/humscigryphon.prod/nobackup/apikeys/saml/workgroup_api.key
-restriction: all
-exclude_redirect:
- - /jsonapi
- - '/jsonapi/*'
-allowed_groups: { }
-allowed_users: { }
diff --git a/config/default/views.view.samlauth_map.yml b/config/default/views.view.samlauth_map.yml
new file mode 100644
index 000000000..85fce0526
--- /dev/null
+++ b/config/default/views.view.samlauth_map.yml
@@ -0,0 +1,530 @@ +uuid: 1a64437c-71d4-4e88-9e21-b62c7e0facda +langcode: en +status: true +dependencies: + module: + - externalauth + - samlauth + - user +id: samlauth_map +label: 'SAML Authentication Links' +module: views +description: '' +tag: '' +base_table: authmap +base_field: '' +display: + default: + id: default + display_title: Master + display_plugin: default + position: 0 + display_options: + title: 'SAML Authentication Links' + fields: + authname: + id: authname + table: authmap + field: authname + relationship: none + group_type: group + admin_label: '' + plugin_id: standard + label: 'SAML IdP Unique ID' + exclude: false + alter: + alter_text: false + text: '' + make_link: false + path: '' + absolute: false + external: false + replace_spaces: false + path_case: none + trim_whitespace: false + alt: '' + rel: '' + link_class: '' + prefix: '' + suffix: '' + target: '' + nl2br: false + max_length: 0 + word_boundary: true + ellipsis: true + more_link: false + more_link_text: '' + more_link_path: '' + strip_tags: false + trim: false + preserve_tags: '' + html: false + element_type: '' + element_class: '' + element_label_type: '' + element_label_class: '' + element_label_colon: true + element_wrapper_type: '' + element_wrapper_class: '' + element_default_classes: true + empty: '' + hide_empty: false + empty_zero: false + hide_alter_empty: true + uid: + id: uid + table: authmap + field: uid + relationship: none + group_type: group + admin_label: '' + plugin_id: numeric + label: 'Drupal User ID' + exclude: false + alter: + alter_text: false + text: '' + make_link: false + path: '' + absolute: false + external: false + replace_spaces: false + path_case: none + trim_whitespace: false + alt: '' + rel: '' + link_class: '' + prefix: '' + suffix: '' + target: '' + nl2br: false + max_length: 0 + word_boundary: true + ellipsis: true + more_link: false + more_link_text: '' + more_link_path: '' + strip_tags: false + trim: false + preserve_tags: '' + html: false + 
element_type: '' + element_class: '' + element_label_type: '' + element_label_class: '' + element_label_colon: true + element_wrapper_type: '' + element_wrapper_class: '' + element_default_classes: true + empty: '' + hide_empty: false + empty_zero: false + hide_alter_empty: true + set_precision: false + precision: 0 + decimal: . + separator: '' + format_plural: false + format_plural_string: !!binary MQNAY291bnQ= + prefix: '' + suffix: '' + name: + id: name + table: users_field_data + field: name + relationship: uid + group_type: group + admin_label: '' + entity_type: user + entity_field: name + plugin_id: field + label: 'Drupal User Name' + exclude: false + alter: + alter_text: false + text: '' + make_link: false + path: '' + absolute: false + external: false + replace_spaces: false + path_case: none + trim_whitespace: false + alt: '' + rel: '' + link_class: '' + prefix: '' + suffix: '' + target: '' + nl2br: false + max_length: 0 + word_boundary: true + ellipsis: true + more_link: false + more_link_text: '' + more_link_path: '' + strip_tags: false + trim: false + preserve_tags: '' + html: false + element_type: '' + element_class: '' + element_label_type: '' + element_label_class: '' + element_label_colon: true + element_wrapper_type: '' + element_wrapper_class: '' + element_default_classes: true + empty: '' + hide_empty: false + empty_zero: false + hide_alter_empty: true + click_sort_column: value + type: user_name + settings: + link_to_entity: true + group_column: value + group_columns: { } + group_rows: true + delta_limit: 0 + delta_offset: 0 + delta_reversed: false + delta_first_last: false + multi_type: separator + separator: ', ' + field_api_classes: false + delete: + id: delete + table: authmap + field: delete + relationship: none + group_type: group + admin_label: '' + plugin_id: samlauth_link_delete + label: delete + exclude: false + alter: + alter_text: false + text: '' + make_link: false + path: '' + absolute: false + external: false + replace_spaces: 
false + path_case: none + trim_whitespace: false + alt: '' + rel: '' + link_class: '' + prefix: '' + suffix: '' + target: '' + nl2br: false + max_length: 0 + word_boundary: true + ellipsis: true + more_link: false + more_link_text: '' + more_link_path: '' + strip_tags: false + trim: false + preserve_tags: '' + html: false + element_type: '' + element_class: '' + element_label_type: '' + element_label_class: '' + element_label_colon: true + element_wrapper_type: '' + element_wrapper_class: '' + element_default_classes: true + empty: '' + hide_empty: false + empty_zero: false + hide_alter_empty: true + text: delete + output_url_as_text: false + absolute: false + pager: + type: mini + options: + offset: 0 + items_per_page: 50 + total_pages: null + id: 0 + tags: + next: ›› + previous: ‹‹ + expose: + items_per_page: false + items_per_page_label: 'Items per page' + items_per_page_options: '5, 10, 25, 50' + items_per_page_options_all: false + items_per_page_options_all_label: '- All -' + offset: false + offset_label: Offset + exposed_form: + type: basic + options: + submit_button: Apply + reset_button: false + reset_button_label: Reset + exposed_sorts_label: 'Sort by' + expose_sort_order: true + sort_asc_label: Asc + sort_desc_label: Desc + access: + type: perm + options: + perm: 'configure saml' + cache: + type: none + options: { } + empty: + area_text_custom: + id: area_text_custom + table: views + field: area_text_custom + relationship: none + group_type: group + admin_label: '' + plugin_id: text_custom + empty: true + content: 'No links (from SAML Authentication ID to Drupal user) found.' 
+ tokenize: false + sorts: { } + arguments: { } + filters: + authname: + id: authname + table: authmap + field: authname + relationship: none + group_type: group + admin_label: '' + plugin_id: string + operator: starts + value: '' + group: 1 + exposed: true + expose: + operator_id: authname_op + label: 'SAML IdP Unique ID' + description: '' + use_operator: false + operator: authname_op + operator_limit_selection: false + operator_list: { } + identifier: authname + required: false + remember: false + multiple: false + remember_roles: + authenticated: authenticated + anonymous: '0' + administrator: '0' + role3: '0' + role4: '0' + placeholder: '' + is_grouped: false + group_info: + label: '' + description: '' + identifier: '' + optional: true + widget: select + multiple: false + remember: false + default_group: All + default_group_multiple: { } + group_items: { } + uid: + id: uid + table: users_field_data + field: uid + relationship: uid + group_type: group + admin_label: '' + entity_type: user + entity_field: uid + plugin_id: user_name + operator: in + value: { } + group: 1 + exposed: true + expose: + operator_id: uid_op + label: 'Drupal user' + description: '' + use_operator: false + operator: uid_op + operator_limit_selection: false + operator_list: { } + identifier: uid + required: false + remember: false + multiple: false + remember_roles: + authenticated: authenticated + anonymous: '0' + administrator: '0' + role3: '0' + role4: '0' + reduce: false + is_grouped: false + group_info: + label: '' + description: '' + identifier: '' + optional: true + widget: select + multiple: false + remember: false + default_group: All + default_group_multiple: { } + group_items: { } + provider_field: + id: provider_field + table: authmap + field: provider_field + relationship: none + group_type: group + admin_label: '' + plugin_id: string + operator: '=' + value: samlauth + group: 1 + exposed: false + expose: + operator_id: '' + label: '' + description: '' + use_operator: false + 
operator: '' + operator_limit_selection: false + operator_list: { } + identifier: '' + required: false + remember: false + multiple: false + remember_roles: + authenticated: authenticated + placeholder: '' + is_grouped: false + group_info: + label: '' + description: '' + identifier: '' + optional: true + widget: select + multiple: false + remember: false + default_group: All + default_group_multiple: { } + group_items: { } + style: + type: table + options: + grouping: { } + row_class: '' + default_row_class: true + columns: + authname: authname + uid: uid + name: name + delete: delete + default: authname + info: + authname: + sortable: true + default_sort_order: asc + align: '' + separator: '' + empty_column: false + responsive: '' + uid: + sortable: true + default_sort_order: asc + align: '' + separator: '' + empty_column: false + responsive: '' + name: + sortable: true + default_sort_order: asc + align: '' + separator: '' + empty_column: false + responsive: '' + delete: + sortable: false + default_sort_order: asc + align: '' + separator: '' + empty_column: false + responsive: '' + override: true + sticky: false + summary: '' + empty_table: false + caption: '' + description: '' + row: + type: fields + query: + type: views_query + options: + query_comment: '' + disable_sql_rewrite: false + distinct: false + replica: false + query_tags: { } + relationships: + uid: + id: uid + table: authmap + field: uid + relationship: none + group_type: group + admin_label: 'Linked Drupal user' + plugin_id: standard + required: false + show_admin_links: false + header: { } + footer: { } + display_extenders: { } + cache_metadata: + max-age: -1 + contexts: + - 'languages:language_content' + - 'languages:language_interface' + - url + - url.query_args + - user.permissions + tags: { } + page: + id: page + display_title: Page + display_plugin: page + position: 1 + display_options: + display_extenders: { } + path: admin/config/people/saml/authmap + menu: + type: tab + title: Links + 
description: ''
+ weight: 7
+ expanded: false
+ menu_name: admin
+ parent: samlauth.samlauth_configure_form
+ context: '0'
+ cache_metadata:
+ max-age: -1
+ contexts:
+ - 'languages:language_content'
+ - 'languages:language_interface'
+ - url
+ - url.query_args
+ - user.permissions
+ tags: { }
diff --git a/docroot/sites/settings/default.local.settings.php b/docroot/sites/settings/default.local.settings.php
index c6c8085a1..8706a4685 100644
--- a/docroot/sites/settings/default.local.settings.php
+++ b/docroot/sites/settings/default.local.settings.php
@@ -2,4 +2,28 @@
 $config['devel.settings']['devel_dumper'] = 'var_dumper';
 // Prevent errors from showing in the UI for prod & qa environments.
-error_reporting(E_ALL & ~E_DEPRECATED & ~E_STRICT);
+error_reporting(E_ALL & ~E_DEPRECATED);
+
+/**
+ * SAML configuration
+ */
+if (file_exists(DRUPAL_ROOT . '/../keys/saml/cert/saml.crt')) {
+ $config['samlauth.authentication']['sp_x509_certificate'] = 'file:' . DRUPAL_ROOT . '/../keys/saml/cert/saml.crt';
+ $config['samlauth.authentication']['sp_private_key'] = 'file:' . DRUPAL_ROOT . '/../keys/saml/cert/saml.pem';
+ $config['samlauth.authentication']['idp_certs'] = [
+ 'file:' . DRUPAL_ROOT . '/../keys/saml/cert/signing.crt',
+ ];
+ $config['stanford_samlauth.settings']['role_mapping']['workgroup_api'] = [
+ 'cert' => DRUPAL_ROOT . '/../keys/saml/workgroup_api.cert',
+ 'key' => DRUPAL_ROOT . '/../keys/saml/workgroup_api.key',
+ ];
+}
+
+// Saml login doesn't work on gitpod or tugboat, don't set config values.
+if (getenv('GITPOD_WORKSPACE_URL') || getenv('TUGBOAT_REPO')) {
+ unset($config['samlauth.authentication'], $config['stanford_samlauth.settings']);
+}
+
+if (file_exists(DRUPAL_ROOT . '/../keys.secrets.settings.php')) {
+ require DRUPAL_ROOT . '/../keys.secrets.settings.php';
+}
diff --git a/docroot/sites/settings/global.settings.php b/docroot/sites/settings/global.settings.php
index 305e976e4..500aef849 100644
--- a/docroot/sites/settings/global.settings.php
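Review bot: The whole SAML override block is gated on `file_exists(DRUPAL_ROOT . '/../keys/saml/cert/saml.crt')` alone, so a checkout that has the SP certificate but not `saml.pem`, `signing.crt` or the workgroup API key pair ends up with `file:` references to files that do not exist instead of the committed placeholders. `signing.crt` is the file that decides which IdP this SP trusts, so it deserves its own check: `$saml_dir = DRUPAL_ROOT . '/../keys/saml';` followed by `if (file_exists("$saml_dir/cert/saml.crt") && file_exists("$saml_dir/cert/signing.crt")) {`, with the five path literals then derived from `$saml_dir` so they cannot drift apart. The Gitpod/Tugboat `unset()` only discards overrides set earlier in this file or in `saml.settings.php`; it does not disable the module, so those environments run on the committed config with empty `idp_certs`, which presumably fails closed under `strict: true` but should be stated in the comment rather than left implicit.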
+++ b/docroot/sites/settings/global.settings.php
@@ -18,7 +18,7 @@
 * file in docroot/sites/{site-name}/settings/default.includes.settings.php.
 */
 $additionalSettingsFiles = [
- __DIR__ . '/simplesaml.php',
+ __DIR__ . '/saml.settings.php',
 __DIR__ . '/environment_indicator.php',
 __DIR__ . '/local.settings.php',
 __DIR__ . '/fast404.settings.php',
diff --git a/docroot/sites/settings/simplesaml.php b/docroot/sites/settings/saml.settings.php
similarity index 56%
rename from docroot/sites/settings/simplesaml.php
rename to docroot/sites/settings/saml.settings.php
index 20ceffa93..11351f773 100644
--- a/docroot/sites/settings/simplesaml.php
+++ b/docroot/sites/settings/saml.settings.php
@@ -49,3 +49,30 @@
 'user_name' => TRUE,
 ],
 ];
+
+
+// Don't enable SAML configs if we're on CI systems.
+if (!EnvironmentDetector::isCiEnv()) {
+ $idp = 'https://idp.stanford.edu/';
+ $login = 'https://login.stanford.edu/idp/profile/SAML2/Redirect/SSO';
+
+ $config['samlauth.authentication'] = [
+ 'user_name_attribute' => 'uid',
+ 'idp_entity_id' => 'https://idp.stanford.edu/',
+ 'sp_entity_id' => 'https://swshumsci.stanford.edu',
+ 'idp_single_sign_on_service' => 'https://login.stanford.edu/idp/profile/SAML2/Redirect/SSO',
+ 'sp_x509_certificate' => 'file:' . EnvironmentDetector::getAhFilesRoot() . '/nobackup/apikeys/saml/cert/saml.crt',
+ 'sp_private_key' => 'file:' . EnvironmentDetector::getAhFilesRoot() . '/nobackup/apikeys/saml/cert/saml.pem',
+ 'idp_certs' => [
+ 'file:' . EnvironmentDetector::getAhFilesRoot() . '/nobackup/apikeys/saml/cert/signing.crt',
+ ],
+ ];
+ $config['stanford_samlauth.settings'] = [
+ 'role_mapping' => [
+ 'workgroup_api' => [
+ 'cert' => EnvironmentDetector::getAhFilesRoot() . '/nobackup/apikeys/saml/workgroup_api.cert',
+ 'key' => EnvironmentDetector::getAhFilesRoot() . '/nobackup/apikeys/saml/workgroup_api.key',
+ ],
+ ],
+ ];
+}
From 4b5cc3900df3e2f21ea1faa6b9312c3b73745386 Mon Sep 17 00:00:00 2001
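Review bot: `$idp` and `$login` are assigned and never read; the array a few lines below repeats both URLs as literals, so the locals are dead code and the two copies of each endpoint can silently diverge. Either use them, `'idp_entity_id' => $idp,` and `'idp_single_sign_on_service' => $login,`, or delete the two assignments, and hoist `EnvironmentDetector::getAhFilesRoot() . '/nobackup/apikeys/saml'` into one local so the five key and certificate locations can be audited in a single place. The three context lines (`'user_name' => TRUE, ], ];`) show that the first 49 lines of the renamed file survive, which presumably is the old `simplesamlphp_auth.settings` override from `simplesaml.php`; with that module uninstalled elsewhere in this patch that block is dead configuration and keeping it means two SSO configurations are maintained side by side, so it should go in the same change. The `use` statement that brings `EnvironmentDetector` into scope is outside the hunk and is assumed to be present.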
From: Mike Decker Date: Thu, 7 Sep 2023 12:48:05 -0700 Subject: [PATCH 2/4] update saml --- composer.lock | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/composer.lock b/composer.lock index 8a72953e8..68001ae38 100644 --- a/composer.lock +++ b/composer.lock @@ -18730,16 +18730,16 @@ }, { "name": "su-sws/stanford_samlauth", - "version": "1.0.0", + "version": "1.0.1", "source": { "type": "git", "url": "https://github.com/SU-SWS/stanford_samlauth.git", - "reference": "08fd7c2f4f975956a13e28131082341ccfec52ce" + "reference": "fa21a46a4a39cafb0e5e0bbbc6033079f2dc47b9" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/SU-SWS/stanford_samlauth/zipball/08fd7c2f4f975956a13e28131082341ccfec52ce", - "reference": "08fd7c2f4f975956a13e28131082341ccfec52ce", + "url": "https://api.github.com/repos/SU-SWS/stanford_samlauth/zipball/fa21a46a4a39cafb0e5e0bbbc6033079f2dc47b9", + "reference": "fa21a46a4a39cafb0e5e0bbbc6033079f2dc47b9", "shasum": "" }, "require": { @@ -18756,9 +18756,9 @@ ], "support": { "issues": "https://github.com/SU-SWS/stanford_samlauth/issues", - "source": "https://github.com/SU-SWS/stanford_samlauth/tree/1.0.0" + "source": "https://github.com/SU-SWS/stanford_samlauth/tree/1.0.1" }, - "time": "2023-09-05T15:59:01+00:00" + "time": "2023-09-07T19:32:55+00:00" }, { "name": "su-sws/stanford_ssp", 
@@ -27569,12 +27569,12 @@ "source": { "type": "git", "url": "https://github.com/SU-SWS/stanford-caravan.git", - "reference": "dfa3e7e6e35ad099cfb8f776eba1713a2c6e7f11" + "reference": "32dce040305991c882521ba0ee80767e45f437e8" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/SU-SWS/stanford-caravan/zipball/dfa3e7e6e35ad099cfb8f776eba1713a2c6e7f11", - "reference": "dfa3e7e6e35ad099cfb8f776eba1713a2c6e7f11", + "url": "https://api.github.com/repos/SU-SWS/stanford-caravan/zipball/32dce040305991c882521ba0ee80767e45f437e8", + "reference": "32dce040305991c882521ba0ee80767e45f437e8", "shasum": "" }, "require": { @@ -27604,7 +27604,7 @@ "issues": "https://github.com/SU-SWS/stanford-caravan/issues", "source": "https://github.com/SU-SWS/stanford-caravan/tree/8.x-3.x" }, - "time": "2023-08-21T22:43:16+00:00" + "time": "2023-09-07T03:48:02+00:00" }, { "name": "symfony/browser-kit", From 222e2db3f99422e42318e438349d4e6e07d2edf4 Mon Sep 17 00:00:00 2001 From: Mike Decker Date: Thu, 7 Sep 2023 14:05:51 -0700 Subject: [PATCH 3/4] fix for ci --- config/default/samlauth.authentication.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/default/samlauth.authentication.yml b/config/default/samlauth.authentication.yml index 8c4874ba0..e623c7dfa 100644 --- a/config/default/samlauth.authentication.yml +++ b/config/default/samlauth.authentication.yml @@ -23,7 +23,7 @@ map_users_roles: stanford_staff: stanford_staff stanford_student: stanford_student create_users: true -user_name_attribute: uid +user_name_attribute: '' user_mail_attribute: mail request_set_name_id_policy: true strict: true From 5348337cb3d821636ea23f27be4004a56a7ffcf8 Mon Sep 17 00:00:00 2001 
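Review bot: The exported `user_name_attribute: ''` now sits two lines below `create_users: true`, so account creation has no username source unless the runtime override in docroot/sites/settings/saml.settings.php (which sets it to `uid` outside CI, per patch 1/4) is in effect. Nothing in this file records that dependency, and a YAML comment would not survive the next config export, so the note belongs beside the override in saml.settings.php: `// Exported config leaves user_name_attribute empty for CI; the real value is set here.`. Whether samlauth refuses to create users with an empty name attribute or creates them with an empty name is not visible from this change and is worth confirming for the CI run this commit targets.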
From: Mike Decker Date: Tue, 12 Sep 2023 08:57:50 -0700 Subject: [PATCH 4/4] update hook to install samlauth --- blt/blt.yml | 1 - blt/src/Blt/Plugin/Commands/HsHooksCommands.php | 14 -------------- .../su_humsci_profile/su_humsci_profile.install | 16 +++++++++++++++- .../sites/settings/default.local.settings.php | 2 +- 4 files changed, 16 insertions(+), 17 deletions(-) diff --git a/blt/blt.yml b/blt/blt.yml index ba4038a69..e273ff6af 100644 --- a/blt/blt.yml +++ b/blt/blt.yml @@ -36,7 +36,6 @@ modules: - purge - acquia_connector - shield - - simplesamlphp_auth dev: enable: - acquia_connector diff --git a/blt/src/Blt/Plugin/Commands/HsHooksCommands.php b/blt/src/Blt/Plugin/Commands/HsHooksCommands.php index 19714c658..f2bdc3033 100644 --- a/blt/src/Blt/Plugin/Commands/HsHooksCommands.php +++ b/blt/src/Blt/Plugin/Commands/HsHooksCommands.php @@ -10,20 +10,6 @@ */ class HsHooksCommands extends BltTasks { - /** - * Disable Saml module. - * - * @hook pre-command tests:codeception:run - */ - public function preCodecepton() { - $this->taskDrush() - ->drush('cset') - ->arg('simplesamlphp_auth.settings') - ->arg('activate') - ->arg(0) - ->run(); - } - /** * @hook pre-command drupal:sync:default:site */ diff --git a/docroot/profiles/humsci/su_humsci_profile/su_humsci_profile.install b/docroot/profiles/humsci/su_humsci_profile/su_humsci_profile.install index 08858792e..e9963912c 100644 --- a/docroot/profiles/humsci/su_humsci_profile/su_humsci_profile.install +++ b/docroot/profiles/humsci/su_humsci_profile/su_humsci_profile.install 
@@ -219,5 +219,19 @@ function su_humsci_profile_update_9500() { if (!$theme_handler->themeExists('stable9')) { $theme_installer->install(['stable9']); } - \Drupal::service('module_installer')->uninstall(['bricks']); + if (\Drupal::moduleHandler()->moduleExists('bricks')) { + \Drupal::service('module_installer')->uninstall(['bricks']); + } +} + +/** + * Install SamlAuth + */ +function su_humsci_profile_update_9501() { + $config_ignore = \Drupal::configFactory() + ->getEditable('config_ignore.settings'); + $ignored = $config_ignore->get('ignored_config_entities'); + $ignored[] = 'stanford_samlauth.settings'; + $config_ignore->set('ignored_config_entities', $ignored)->save(); + \Drupal::service('module_installer')->install(['stanford_samlauth']); } diff --git a/docroot/sites/settings/default.local.settings.php b/docroot/sites/settings/default.local.settings.php index 8706a4685..4097fe7df 100644 --- a/docroot/sites/settings/default.local.settings.php +++ b/docroot/sites/settings/default.local.settings.php @@ -25,5 +25,5 @@ } if (file_exists(DRUPAL_ROOT . '/../keys.secrets.settings.php')) { - require DRUPAL_ROOT . '/../keys.secrets.settings.php'; + require DRUPAL_ROOT . '/../keys/secrets.settings.php'; }
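Review bot: `$ignored[] = 'stanford_samlauth.settings';` in `su_humsci_profile_update_9501()` appends unconditionally, so if the exported config_ignore.settings.yml already lists the entry (patch 1/4 touches that file) or the update is ever re-run, `ignored_config_entities` ends up with a duplicate; `get()` also returns NULL when the key is absent. Guard the append: `if (!in_array('stanford_samlauth.settings', $ignored ?? [], TRUE)) { $ignored[] = 'stanford_samlauth.settings'; }`. The body of `su_humsci_profile_update_9500()` starts outside the hunk.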
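Review bot: In default.local.settings.php the `file_exists()` condition on the unchanged context line still tests `'/../keys.secrets.settings.php'` while the `require` below it now loads `'/../keys/secrets.settings.php'`; the two paths no longer agree, so the secrets file is either silently never loaded (old path absent) or the `require` fatals (old path present, new one absent). Change the condition to match: `if (file_exists(DRUPAL_ROOT . '/../keys/secrets.settings.php')) {`. Since this file feeds local secrets into settings, a silent skip here would only surface as missing credentials later.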