FOUR-12244 implement IDP for processmaker

.env.example

@@ -40,3 +40,4 @@ BROWSER_CACHE=true
 VUE_APP_WEBSOCKET_PROVIDER=socket.io
 VUE_APP_WEBSOCKET_PROVIDER_URL=ws:127.0.0.1:1234
 VUE_APP_COLLABORATIVE_ENABLED=true
+SAML_SP_DESTINATION="https://keycloak.processmaker.net/realms/realmname/broker/saml/endpoint"

composer.json

@@ -12,6 +12,7 @@
     "require": {
         "php": "^8.2",
         "babenkoivan/elastic-scout-driver": "^3.0",
+        "codegreencreative/laravel-samlidp": "^5.2",
         "composer/semver": "^3.3",
         "darkaonline/l5-swagger": "^8.3",
         "doctrine/dbal": "^3.5",

config/filesystems.php

@@ -109,6 +109,11 @@
             'visibility' => 'public',
         ],
 
+        'samlidp' => [
+            'driver' => 'local',
+            'root' => storage_path() . '/samlidp',
+        ],
+
     ],
 
     /*

config/samlidp.php

@@ -0,0 +1,69 @@
+<?php
+
+return [
+    /*
+    |--------------------------------------------------------------------------
+    | SAML idP configuration file
+    |--------------------------------------------------------------------------
+    |
+    | Use this file to configure the service providers you want to use.
+    |
+     */
+    // Outputs data to your laravel.log file for debugging
+    'debug' => false,
+    // Define the email address field name in the users table
+    'email_field' => 'email',
+    // Define the name field in the users table
+    'name_field' => 'name',
+    // The URI to your login page
+    'login_uri' => 'login',
+    // Log out of the IdP after SLO
+    'logout_after_slo' => env('LOGOUT_AFTER_SLO', false),
+    // The URI to the saml metadata file, this describes your idP
+    'issuer_uri' => 'saml/metadata',
+    // The certificate
+    'cert' => env('SAMLIDP_CERT'),
+    // Name of the certificate PEM file, ignored if cert is used
+    'certname' => 'cert.pem',
+    // The certificate key
+    'key' => env('SAMLIDP_KEY'),
+    // Name of the certificate key PEM file, ignored if key is used
+    'keyname' => 'key.pem',
+    // Encrypt requests and responses
+    'encrypt_assertion' => true,
+    // Make sure messages are signed
+    'messages_signed' => true,
+    // Defind what digital algorithm you want to use
+    'digest_algorithm' => \RobRichards\XMLSecLibs\XMLSecurityDSig::SHA1,
+    // list of all service providers
+    'sp' => [
+        // Base64 encoded ACS URL
+        base64_encode(env('SAML_SP_DESTINATION', '')) => [
+            'destination' => env('SAML_SP_DESTINATION', ''),
+            'logout' => '',
+            // SP certificate
+            'certificate' => '',
+            // Turn off auto appending of the idp query param
+            'query_params' => false,
+            // Turn off the encryption of the assertion per SP
+            'encrypt_assertion' => false,
+        ],
+    ],
+
+    // If you need to redirect after SLO depending on SLO initiator
+    // key is beginning of HTTP_REFERER value from SERVER, value is redirect path
+    'sp_slo_redirects' => [
+        // 'https://example.com' => 'https://example.com',
+    ],
+
+    // All of the Laravel SAML IdP event / listener mappings.
+    'events' => [
+        'CodeGreenCreative\SamlIdp\Events\Assertion' => [],
+        'Illuminate\Auth\Events\Logout' => ['CodeGreenCreative\SamlIdp\Listeners\SamlLogout'],
+        'Illuminate\Auth\Events\Authenticated' => ['CodeGreenCreative\SamlIdp\Listeners\SamlAuthenticated'],
+        'Illuminate\Auth\Events\Login' => ['CodeGreenCreative\SamlIdp\Listeners\SamlLogin'],
+    ],
+
+    // List of guards saml idp will catch Authenticated, Login and Logout events
+    'guards' => ['web'],
+];

resources/views/auth/newLogin.blade.php

@@ -3,7 +3,7 @@
 <head>
   <meta charset="utf-8">
   <meta http-equiv="X-UA-Compatible" content="IE=edge">
-  <meta http-equiv="Content-Security-Policy" content="script-src * 'unsafe-inline' 'unsafe-eval'; object-src 'none';"> 
+  <meta http-equiv="Content-Security-Policy" content="script-src * 'unsafe-inline' 'unsafe-eval'; object-src 'none';">
   <meta name="viewport" content="width=device-width, initial-scale=1">
   <meta name="csrf-token" content="{{ csrf_token() }}">
   <meta name="i18n-mdate" content='{!! json_encode(ProcessMaker\i18nHelper::mdates()) !!}'>
@@ -44,6 +44,9 @@
                 @if (session()->has('login-error'))
                 <div class="alert alert-danger">{{ session()->get('login-error')}}</div>
                 @endif
+
+                @samlidp
+
                 <div class="form-group">
                   <label for="username">{{ __('Username') }}</label>
                   <div class="password-container">
@@ -110,7 +113,7 @@
   if (isMobileDevice) {
     document.cookie = "isMobile=true"
   }
-  
+
   const togglePassword = document.querySelector('#togglePassword');
   const password = document.querySelector('#password');
 

storage/samlidp/.gitignore

@@ -0,0 +1,2 @@
+*
+!.gitignore

tests/Feature/AuthTest.php

@@ -21,7 +21,7 @@ public function testAuthLoginAndLogout()
         $user = User::factory()->create();
         Auth::login($user);
         $this->assertEquals($user->id, Auth::id());
-        Auth::logout();
+        Auth::logoutCurrentDevice();
         $this->assertNull(Auth::user());
     }
 

tests/Feature/RedirectTest.php

@@ -27,7 +27,7 @@ public function test401RedirectsToLogin()
         $response = $this->get('/requests');
         $response->assertStatus(200);
         $response->assertViewIs('requests.index');
-        Auth::logout();
+        Auth::logoutCurrentDevice();
         $response = $this->get('/requests');
         //302 because we want to make sure they are being redirected
         $response->assertStatus(302);

tests/Feature/SecurityLoggerTest.php

@@ -43,7 +43,11 @@ public function testLogSecurityEvents()
         $this->assertDatabaseHas('security_logs', ['event' => 'login', 'user_id' => $user->id]);
 
         // Attempt to logout
-        Auth::logout();
+        if (in_array(Auth::getDefaultDriver(), config('samlidp.guards'))) {
+            return redirect('saml/logout');
+        } else {
+            Auth::logout();
+        }
         $this->assertDatabaseHas('security_logs', ['event' => 'logout', 'user_id' => $user->id]);
 
         // Disable security logging