WIP: replace example-userpass with silauth and id-broker container

silinternational · Jun 9, 2024 · ade438a · ade438a
1 parent 18dc22c
commit ade438a
Show file tree

Hide file tree

Showing 11 changed files with 375 additions and 143 deletions.
diff --git a/actions-services.yml b/actions-services.yml
@@ -81,12 +81,12 @@ services:
     build: .
     depends_on:
       - db
+      - broker
     volumes:
       # Utilize custom certs
       - ./development/idp-local/cert:/data/vendor/simplesamlphp/simplesamlphp/cert
 
       # Utilize custom configs
-      - ./development/idp-local/config/authsources.php:/data/vendor/simplesamlphp/simplesamlphp/config/authsources.php
       - ./development/idp-local/config/config.php:/data/vendor/simplesamlphp/simplesamlphp/config/config.php
       - ./development/announcement.php:/data/vendor/simplesamlphp/simplesamlphp/announcement/announcement.php
 
@@ -110,11 +110,11 @@ services:
       ADMIN_PASS: "a"
       SECRET_SALT: "not-secret-h57fjemb&dn^nsJFGNjweJ"
       IDP_NAME: "IDP 1"
-      IDP_DOMAIN_NAME: "mfaidp"
-      ID_BROKER_ACCESS_TOKEN: "dummy"
-      ID_BROKER_ASSERT_VALID_IP: "false"
-      ID_BROKER_BASE_URI: "dummy"
-      ID_BROKER_TRUSTED_IP_RANGES: "192.168.0.1/8"
+      IDP_DOMAIN_NAME: "ssp-idp1.local"
+      ID_BROKER_ACCESS_TOKEN: "test-cli-abc123"
+      ID_BROKER_ASSERT_VALID_IP: "true"
+      ID_BROKER_BASE_URI: "http://broker"
+      ID_BROKER_TRUSTED_IP_RANGES: "10.20.38.0/24"
       MFA_SETUP_URL: "http://pwmanager.local/module.php/core/authenticate.php?as=ssp-hub-custom-port"
       REMEMBER_ME_SECRET: "12345"
       PROFILE_URL: "http://pwmanager.local/module.php/core/authenticate.php?as=ssp-hub-custom-port"
@@ -286,12 +286,19 @@ services:
       EMAIL_SIGNATURE: "one red pill, please"
       API_ACCESS_KEYS: "test-cli-abc123"
       APP_ENV: "prod"
+      RP_ORIGINS: "https://ssp-idp1.local,https://ssp-idp3.local,https://ssp-idp3.local"
+      HIBP_CHECK_ON_LOGIN: "false"
       MFA_TOTP_apiBaseUrl: not_needed_here
       MFA_TOTP_apiKey: not_needed_here
       MFA_TOTP_apiSecret: not_needed_here
       MFA_WEBAUTHN_apiBaseUrl: not_needed_here
+      MFA_WEBAUTHN_apiKey: 10345678-1234-1234-1234-123456789012
+      MFA_WEBAUTHN_apiSecret: 11345678-1234-1234-1234-12345678
       MFA_WEBAUTHN_apiKey: not_needed_here
+      MFA_WEBAUTHN_rpDisplayName: Our App
       MFA_WEBAUTHN_apiSecret: not_needed_here
+    volumes:
+      - ./development/m991231_235959_insert_test_users.php:/data/console/migrations/m991231_235959_insert_test_users.php
     command: "bash -c 'whenavail brokerDb 3306 60 ./yii migrate --interactive=0 && ./run.sh'"
 
   brokerDb:

diff --git a/development/idp-local/config/authsources.php b/development/idp-local/config/authsources.php
@@ -1,6 +1,7 @@
 <?php
 
 use Sil\SspBase\Features\fakes\FakeIdBrokerClient;
+use SimpleSAML\Module\silauth\Auth\Source\config\ConfigManager;
 
 $config = [
 
@@ -11,7 +12,10 @@
 
         'core:AdminPassword',
     ],
-
+
+    // Use SilAuth
+    'silauth' => ConfigManager::getSspConfig(),
+
     // Set up example users for testing expirychecker module.
     'example-userpass' => [
         'exampleauth:UserPass',

diff --git a/development/idp-local/metadata/saml20-idp-hosted.php b/development/idp-local/metadata/saml20-idp-hosted.php
@@ -10,7 +10,7 @@
  */
 
 use Sil\Psr3Adapters\Psr3StdOutLogger;
-use Sil\SspBase\Features\fakes\FakeIdBrokerClient;
+use Sil\Idp\IdBroker\Client\IdBrokerClient;
 
 $metadata['http://ssp-idp1.local:8085'] = [
 	/*
@@ -30,7 +30,7 @@
 	 * Authentication source to use. Must be one that is configured in
 	 * 'config/authsources.php'.
 	 */
-    'auth' => 'example-userpass',
+    'auth' => 'silauth',
 
     'authproc' => [
         10 => [
@@ -39,7 +39,7 @@
             'idBrokerAccessToken' => Env::get('ID_BROKER_ACCESS_TOKEN'),
             'idBrokerAssertValidIp' => Env::get('ID_BROKER_ASSERT_VALID_IP'),
             'idBrokerBaseUri' => Env::get('ID_BROKER_BASE_URI'),
-            'idBrokerClientClass' => FakeIdBrokerClient::class,
+            'idBrokerClientClass' => IdBrokerClient::class,
             'idBrokerTrustedIpRanges' => Env::get('ID_BROKER_TRUSTED_IP_RANGES'),
             'idpDomainName' => Env::get('IDP_DOMAIN_NAME'),
             'mfaSetupUrl' => Env::get('MFA_SETUP_URL'),

diff --git a/development/m991231_235959_insert_test_users.php b/development/m991231_235959_insert_test_users.php
diff --git a/docker-compose.yml b/docker-compose.yml
@@ -98,6 +98,7 @@ services:
       - ./development/hub/cert:/data/vendor/simplesamlphp/simplesamlphp/cert
 
       # Utilize custom configs
+      - ./dockerbuild/config/config.php:/data/vendor/simplesamlphp/simplesamlphp/config/config.php
       - ./development/hub/config/authsources.php:/data/vendor/simplesamlphp/simplesamlphp/config/authsources.php
       - ./development/announcement.php:/data/vendor/simplesamlphp/simplesamlphp/announcement/announcement.php
 
@@ -134,12 +135,12 @@ services:
     build: .
     depends_on:
       - db
+      - broker
     volumes:
       # Utilize custom certs
-      - ./development/idp-local/cert:/data/vendor/simplesamlphp/simplesamlphp/cert 
+      - ./development/idp-local/cert:/data/vendor/simplesamlphp/simplesamlphp/cert
 
       # Utilize custom configs
-      - ./development/idp-local/config/authsources.php:/data/vendor/simplesamlphp/simplesamlphp/config/authsources.php
       - ./development/idp-local/config/config.php:/data/vendor/simplesamlphp/simplesamlphp/config/config.php
       - ./development/announcement.php:/data/vendor/simplesamlphp/simplesamlphp/announcement/announcement.php
 
@@ -173,11 +174,11 @@ services:
       ADMIN_PASS: "a"
       SECRET_SALT: "h57fjemb&dn^nsJFGNjweJ"
       IDP_NAME: "IDP 1"
-      IDP_DOMAIN_NAME: "mfaidp"
-      ID_BROKER_ACCESS_TOKEN: "dummy"
-      ID_BROKER_ASSERT_VALID_IP: "false"
-      ID_BROKER_BASE_URI: "dummy"
-      ID_BROKER_TRUSTED_IP_RANGES: "192.168.0.1/8"
+      IDP_DOMAIN_NAME: "ssp-idp1.local"
+      ID_BROKER_ACCESS_TOKEN: "test-cli-abc123"
+      ID_BROKER_ASSERT_VALID_IP: "true"
+      ID_BROKER_BASE_URI: "http://broker"
+      ID_BROKER_TRUSTED_IP_RANGES: "10.20.38.0/24"
       MFA_SETUP_URL: "http://pwmanager.local:8084/module.php/core/authenticate.php?as=ssp-hub-custom-port"
       REMEMBER_ME_SECRET: "12345"
       PROFILE_URL: "http://pwmanager.local:8084/module.php/core/authenticate.php?as=ssp-hub-custom-port"
@@ -397,6 +398,19 @@ services:
       EMAIL_SIGNATURE: "one red pill, please"
       API_ACCESS_KEYS: "test-cli-abc123"
       APP_ENV: "dev"
+      RP_ORIGINS: "https://ssp-idp1.local,https://ssp-idp3.local,https://ssp-idp3.local"
+      HIBP_CHECK_ON_LOGIN: "false"
+      MFA_TOTP_apiBaseUrl: dummy
+      MFA_TOTP_apiKey: 10345678-1234-1234-1234-123456789012
+      MFA_TOTP_apiSecret: 11345678-1234-1234-1234-12345678
+      MFA_WEBAUTHN_apiBaseUrl: dummy
+      MFA_WEBAUTHN_apiKey: 10345678-1234-1234-1234-123456789012
+      MFA_WEBAUTHN_apiSecret: 11345678-1234-1234-1234-12345678
+      MFA_WEBAUTHN_appId: ourApp99
+      MFA_WEBAUTHN_rpDisplayName: Our App
+      MFA_WEBAUTHN_rpId: http://app99
+    volumes:
+      - ./development/m991231_235959_insert_test_users.php:/data/console/migrations/m991231_235959_insert_test_users.php
     command: ["bash", "-c", "whenavail brokerDb 3306 60 ./yii migrate --interactive=0 && ./run.sh"]
 
   brokerDb:
@@ -409,6 +423,15 @@ services:
       MYSQL_USER: "user"
       MYSQL_PASSWORD: "pass"
 
+  brokerpma:
+    image: phpmyadmin/phpmyadmin
+    ports:
+      - "8088:80"
+    environment:
+      PMA_HOST: brokerDb
+      PMA_USER: user
+      PMA_PASSWORD: pass
+
   dynamo:
     image: cnadiminti/dynamodb-local
     command: "-sharedDb -inMemory"

diff --git a/features/bootstrap/ExpiryContext.php b/features/bootstrap/ExpiryContext.php
@@ -66,7 +66,6 @@ protected function assertFormNotContains($text, $page)
      */
     public function iProvideCredentialsThatWillExpireInTheDistantFuture()
     {
-        // See `development/idp-local/config/authsources.php` for options.
         $this->username = 'distant_future';
         $this->password = 'a';
     }
@@ -76,7 +75,6 @@ public function iProvideCredentialsThatWillExpireInTheDistantFuture()
      */
     public function iProvideCredentialsThatWillExpireVerySoon()
     {
-        // See `development/idp-local/config/authsources.php` for options.
         $this->username = 'near_future';
         $this->password = 'b';
     }
@@ -113,7 +111,6 @@ public function thereShouldBeAWayToContinueWithoutChangingMyPassword()
      */
     public function iProvideCredentialsThatHaveExpired()
     {
-        // See `development/idp-local/config/authsources.php` for options.
         $this->username = 'already_past';
         $this->password = 'c';
     }
@@ -141,7 +138,6 @@ public function thereShouldNotBeAWayToContinueWithoutChangingMyPassword()
      */
     public function iProvideCredentialsThatHaveNoPasswordExpirationDate()
     {
-        // See `development/idp-local/config/authsources.php` for options.
         $this->username = 'missing_exp';
         $this->password = 'd';
     }
@@ -160,7 +156,6 @@ public function iShouldSeeAnErrorMessage()
      */
     public function iProvideCredentialsThatHaveAnInvalidPasswordExpirationDate()
     {
-        // See `development/idp-local/config/authsources.php` for options.
         $this->username = 'invalid_exp';
         $this->password = 'e';
     }

diff --git a/features/bootstrap/MfaContext.php b/features/bootstrap/MfaContext.php
@@ -4,7 +4,6 @@
 use Behat\Mink\Exception\ElementNotFoundException;
 use PHPUnit\Framework\Assert;
 use Sil\PhpEnv\Env;
-use Sil\SspBase\Features\fakes\FakeIdBrokerClient;
 use SimpleSAML\Module\mfa\LoginBrowser;
 
 /**
@@ -100,7 +99,6 @@ protected function submitMfaForm($page)
      */
     public function iProvideCredentialsThatDoNotNeedMfa()
     {
-        // See `development/idp-local/config/authsources.php` for options.
         $this->username = 'no_mfa_needed';
         $this->password = 'a';
     }
@@ -110,7 +108,6 @@ public function iProvideCredentialsThatDoNotNeedMfa()
      */
     public function iProvideCredentialsThatNeedMfaButHaveNoMfaOptionsAvailable()
     {
-        // See `development/idp-local/config/authsources.php` for options.
         $this->username = 'must_set_up_mfa';
         $this->password = 'a';
     }
@@ -138,7 +135,6 @@ public function thereShouldBeAWayToGoSetUpMfaNow()
      */
     public function iProvideCredentialsThatNeedMfaAndHaveBackupCodesAvailable()
     {
-        // See `development/idp-local/config/authsources.php` for options.
         $this->username = 'has_backupcode';
         $this->password = 'a';
     }
@@ -159,7 +155,6 @@ public function iShouldSeeAPromptForABackupCode()
      */
     public function iProvideCredentialsThatNeedMfaAndHaveTotpAvailable()
     {
-        // See `development/idp-local/config/authsources.php` for options.
         $this->username = 'has_totp';
         $this->password = 'a';
     }
@@ -180,7 +175,6 @@ public function iShouldSeeAPromptForATotpCode()
      */
     public function iProvideCredentialsThatNeedMfaAndHaveUfAvailable()
     {
-        // See `development/idp-local/config/authsources.php` for options.
         $this->username = 'has_webauthn';
         $this->password = 'a';
     }
@@ -212,7 +206,7 @@ public function iSubmitACorrectBackupCode()
             $printableCodeOption = $this->session->getPage()->find('css', 'img[src=mfa-backupcode\002Esvg]');
             $printableCodeOption->click();
         }
-        $this->submitMfaValue(FakeIdBrokerClient::CORRECT_VALUE);
+        $this->submitMfaValue(94923279);
     }
 
     protected function pageContainsElementWithText($cssSelector, $text)
@@ -232,7 +226,7 @@ protected function pageContainsElementWithText($cssSelector, $text)
      */
     public function iSubmitAnIncorrectBackupCode()
     {
-        $this->submitMfaValue(FakeIdBrokerClient::INCORRECT_VALUE);
+        $this->submitMfaValue('000000');
     }
 
     /**
@@ -261,7 +255,6 @@ public function iShouldSeeAMessageThatItWasIncorrect()
      */
     public function iProvideCredentialsThatHaveARateLimitedMfa()
     {
-        // See `development/idp-local/config/authsources.php` for options.
         $this->username = 'has_rate_limited_mfa';
         $this->password = 'a';
     }
@@ -334,7 +327,6 @@ public function iShouldNotBeAbleToGetToMyIntendedDestination()
      */
     public function iProvideCredentialsThatNeedMfaAndHave4BackupCodesAvailable()
     {
-        // See `development/idp-local/config/authsources.php` for options.
         $this->username = 'has_4_backupcodes';
         $this->password = 'a';
     }
@@ -365,7 +357,6 @@ public function thereShouldBeAWayToGetMoreBackupCodesNow()
      */
     public function iProvideCredentialsThatNeedMfaAndHave1BackupCodeAvailableAndNoOtherMfa()
     {
-        // See `development/idp-local/config/authsources.php` for options.
         $this->username = 'has_1_backupcode_only';
         $this->password = 'a';
     }
@@ -387,7 +378,6 @@ public function iShouldSeeAMessageThatIHaveUsedUpMyBackupCodes()
      */
     public function iProvideCredentialsThatNeedMfaAndHave1BackupCodeAvailablePlusSomeOtherMfa()
     {
-        // See `development/idp-local/config/authsources.php` for options.
         $this->username = 'has_1_backupcode_plus';
         $this->password = 'a';
     }
@@ -451,7 +441,6 @@ public function theUsersBrowserSupportsUf()
      */
     public function iProvideCredentialsThatHaveUfTotp()
     {
-        // See `development/idp-local/config/authsources.php` for options.
         $this->username = 'has_webauthn_totp';
         $this->password = 'a';
     }
@@ -461,7 +450,6 @@ public function iProvideCredentialsThatHaveUfTotp()
      */
     public function iProvideCredentialsThatHaveUfBackupCodes()
     {
-        // See `development/idp-local/config/authsources.php` for options.
         $this->username = 'has_webauthn_backupcodes';
         $this->password = 'a';
     }
@@ -471,7 +459,6 @@ public function iProvideCredentialsThatHaveUfBackupCodes()
      */
     public function iProvideCredentialsThatHaveUfTotpBackupCodes()
     {
-        // See `development/idp-local/config/authsources.php` for options.
         $this->username = 'has_webauthn_totp_backupcodes';
         $this->password = 'a';
     }
@@ -489,7 +476,6 @@ public function iProvideCredentialsThatHaveTotp()
      */
     public function iProvideCredentialsThatHaveTotpBackupCodes()
     {
-        // See `development/idp-local/config/authsources.php` for options.
         $this->username = 'has_totp_backupcodes';
         $this->password = 'a';
     }
@@ -507,7 +493,6 @@ public function iProvideCredentialsThatHaveBackupCodes()
      */
     public function IProvideCredentialsThatHaveManagerCodeWebauthnAndMoreRecentlyUsedTotp()
     {
-        // See `development/idp-local/config/authsources.php` for options.
         $this->username = 'has_mgr_code_webauthn_and_more_recently_used_totp';
         $this->password = 'a';
     }
@@ -668,23 +653,22 @@ public function iShouldSeeAPromptForAManagerRescueCode()
      */
     public function iSubmitTheCorrectManagerCode()
     {
-        $this->submitMfaValue(FakeIdBrokerClient::CORRECT_VALUE);
+        $this->submitMfaValue('94923279');
     }
 
     /**
      * @When I submit an incorrect manager code
      */
     public function iSubmitAnIncorrectManagerCode()
     {
-        $this->submitMfaValue(FakeIdBrokerClient::INCORRECT_VALUE);
+        $this->submitMfaValue('000000');
     }
 
     /**
      * @Given I provide credentials that have a manager code
      */
     public function iProvideCredentialsThatHaveAManagerCode()
     {
-        // See `development/idp-local/config/authsources.php` for options.
         $this->username = 'has_mgr_code';
         $this->password = 'a';
     }