Merge pull request #5717 from ProcessMaker/feature/FOUR-12244

caleeli · web-flow · commit c01485a4a5c2 · 2023-11-30T16:59:33.000-04:00
FOUR-12244 implement IDP for processmaker
diff --git a/.env.example b/.env.example
@@ -40,3 +40,4 @@ BROWSER_CACHE=true
 VUE_APP_WEBSOCKET_PROVIDER=socket.io
 VUE_APP_WEBSOCKET_PROVIDER_URL=ws:127.0.0.1:1234
 VUE_APP_COLLABORATIVE_ENABLED=true
+SAML_SP_DESTINATION="https://keycloak.processmaker.net/realms/realmname/broker/saml/endpoint"
diff --git a/composer.json b/composer.json
@@ -12,6 +12,7 @@
     "require": {
         "php": "^8.2",
         "babenkoivan/elastic-scout-driver": "^3.0",
+        "codegreencreative/laravel-samlidp": "^5.2",
         "composer/semver": "^3.3",
         "darkaonline/l5-swagger": "^8.3",
         "doctrine/dbal": "^3.5",
diff --git a/composer.lock b/composer.lock
diff --git a/config/filesystems.php b/config/filesystems.php
@@ -109,6 +109,11 @@
             'visibility' => 'public',
         ],
 
+        'samlidp' => [
+            'driver' => 'local',
+            'root' => storage_path() . '/samlidp',
+        ],
+
     ],
 
     /*
diff --git a/config/samlidp.php b/config/samlidp.php
@@ -0,0 +1,69 @@
+<?php
+
+return [
+    /*
+    |--------------------------------------------------------------------------
+    | SAML idP configuration file
+    |--------------------------------------------------------------------------
+    |
+    | Use this file to configure the service providers you want to use.
+    |
+     */
+    // Outputs data to your laravel.log file for debugging
+    'debug' => false,
+    // Define the email address field name in the users table
+    'email_field' => 'email',
+    // Define the name field in the users table
+    'name_field' => 'name',
+    // The URI to your login page
+    'login_uri' => 'login',
+    // Log out of the IdP after SLO
+    'logout_after_slo' => env('LOGOUT_AFTER_SLO', false),
+    // The URI to the saml metadata file, this describes your idP
+    'issuer_uri' => 'saml/metadata',
+    // The certificate
+    'cert' => env('SAMLIDP_CERT'),
+    // Name of the certificate PEM file, ignored if cert is used
+    'certname' => 'cert.pem',
+    // The certificate key
+    'key' => env('SAMLIDP_KEY'),
+    // Name of the certificate key PEM file, ignored if key is used
+    'keyname' => 'key.pem',
+    // Encrypt requests and responses
+    'encrypt_assertion' => true,
+    // Make sure messages are signed
+    'messages_signed' => true,
+    // Defind what digital algorithm you want to use
+    'digest_algorithm' => \RobRichards\XMLSecLibs\XMLSecurityDSig::SHA1,
+    // list of all service providers
+    'sp' => [
+        // Base64 encoded ACS URL
+        base64_encode(env('SAML_SP_DESTINATION', '')) => [
+            'destination' => env('SAML_SP_DESTINATION', ''),
+            'logout' => '',
+            // SP certificate
+            'certificate' => '',
+            // Turn off auto appending of the idp query param
+            'query_params' => false,
+            // Turn off the encryption of the assertion per SP
+            'encrypt_assertion' => false,
+        ],
+    ],
+
+    // If you need to redirect after SLO depending on SLO initiator
+    // key is beginning of HTTP_REFERER value from SERVER, value is redirect path
+    'sp_slo_redirects' => [
+        // 'https://example.com' => 'https://example.com',
+    ],
+
+    // All of the Laravel SAML IdP event / listener mappings.
+    'events' => [
+        'CodeGreenCreative\SamlIdp\Events\Assertion' => [],
+        'Illuminate\Auth\Events\Logout' => ['CodeGreenCreative\SamlIdp\Listeners\SamlLogout'],
+        'Illuminate\Auth\Events\Authenticated' => ['CodeGreenCreative\SamlIdp\Listeners\SamlAuthenticated'],
+        'Illuminate\Auth\Events\Login' => ['CodeGreenCreative\SamlIdp\Listeners\SamlLogin'],
+    ],
+
+    // List of guards saml idp will catch Authenticated, Login and Logout events
+    'guards' => ['web'],
+];
diff --git a/resources/views/auth/newLogin.blade.php b/resources/views/auth/newLogin.blade.php
@@ -3,7 +3,7 @@
 <head>
   <meta charset="utf-8">
   <meta http-equiv="X-UA-Compatible" content="IE=edge">
-  <meta http-equiv="Content-Security-Policy" content="script-src * 'unsafe-inline' 'unsafe-eval'; object-src 'none';"> 
+  <meta http-equiv="Content-Security-Policy" content="script-src * 'unsafe-inline' 'unsafe-eval'; object-src 'none';">
   <meta name="viewport" content="width=device-width, initial-scale=1">
   <meta name="csrf-token" content="{{ csrf_token() }}">
   <meta name="i18n-mdate" content='{!! json_encode(ProcessMaker\i18nHelper::mdates()) !!}'>
@@ -44,6 +44,9 @@
                 @if (session()->has('login-error'))
                 <div class="alert alert-danger">{{ session()->get('login-error')}}</div>
                 @endif
+
+                @samlidp
+
                 <div class="form-group">
                   <label for="username">{{ __('Username') }}</label>
                   <div class="password-container">
@@ -110,7 +113,7 @@
   if (isMobileDevice) {
     document.cookie = "isMobile=true"
   }
-  
+
   const togglePassword = document.querySelector('#togglePassword');
   const password = document.querySelector('#password');
 
diff --git a/storage/samlidp/.gitignore b/storage/samlidp/.gitignore
@@ -0,0 +1,2 @@
+*
+!.gitignore
diff --git a/tests/Feature/AuthTest.php b/tests/Feature/AuthTest.php
@@ -21,7 +21,7 @@ public function testAuthLoginAndLogout()
         $user = User::factory()->create();
         Auth::login($user);
         $this->assertEquals($user->id, Auth::id());
-        Auth::logout();
+        Auth::logoutCurrentDevice();
         $this->assertNull(Auth::user());
     }
 
diff --git a/tests/Feature/RedirectTest.php b/tests/Feature/RedirectTest.php
@@ -27,7 +27,7 @@ public function test401RedirectsToLogin()
         $response = $this->get('/requests');
         $response->assertStatus(200);
         $response->assertViewIs('requests.index');
-        Auth::logout();
+        Auth::logoutCurrentDevice();
         $response = $this->get('/requests');
         //302 because we want to make sure they are being redirected
         $response->assertStatus(302);
diff --git a/tests/Feature/SecurityLoggerTest.php b/tests/Feature/SecurityLoggerTest.php
@@ -43,7 +43,11 @@ public function testLogSecurityEvents()
         $this->assertDatabaseHas('security_logs', ['event' => 'login', 'user_id' => $user->id]);
 
         // Attempt to logout
-        Auth::logout();
+        if (in_array(Auth::getDefaultDriver(), config('samlidp.guards'))) {
+            return redirect('saml/logout');
+        } else {
+            Auth::logout();
+        }
         $this->assertDatabaseHas('security_logs', ['event' => 'logout', 'user_id' => $user->id]);
 
         // Disable security logging

Original file line number	Diff line number	Diff line change
`@@ -21,7 +21,7 @@ public function testAuthLoginAndLogout()`
`21`	`21`	`$user = User::factory()->create();`
`22`	`22`	`Auth::login($user);`
`23`	`23`	`$this->assertEquals($user->id, Auth::id());`
`24`		`- Auth::logout();`
	`24`	`+ Auth::logoutCurrentDevice();`
`25`	`25`	`$this->assertNull(Auth::user());`
`26`	`26`	`}`
`27`	`27`