Commit 0491f2f4 authored by Dmitrii Metelkin's avatar Dmitrii Metelkin

Bug 1715802: Improve requirements checks for auth/saml

behatnotneeded

Change-Id: Iddb57a880675ec6097f19a597cd2e8f1083534ba
parent 4a67f525
......@@ -31,28 +31,17 @@ foreach ($metadata_files as $file) {
// Fix up session handling config - to match Mahara
$memcache_config = array();
if (get_config('memcacheservers') || extension_loaded('memcache')) {
if (empty(get_config('ssphpsessionhandler'))) {
if (empty(get_config('ssphpsessionhandler'))) {
if (PluginAuthSaml::is_memcache_configured()) {
$sessionhandler = 'memcache';
$memcache_config = PluginAuthSaml::get_memcache_servers();
}
else {
$sessionhandler = get_config('ssphpsessionhandler');
}
$servers = get_config('memcacheservers');
if (empty($servers)) {
$servers = 'localhost';
}
$servers = explode(',', $servers);
foreach ($servers as $server) {
$url = parse_url($server);
$host = !empty($url['host']) ? $url['host'] : $url['path'];
$port = !empty($url['port']) ? $url['port'] : 11211;
$memcache_config[] = array('hostname' => $host, 'port'=> $port);
throw new AuthInstanceException(get_string('errornomemcache', 'auth.saml'));
}
}
else {
$sessionhandler = 'phpsession';
$sessionhandler = get_config('ssphpsessionhandler');
}
/*
......@@ -222,7 +211,6 @@ $config = array (
*/
//'session.phpsession.cookiename' => null,
'session.phpsession.cookiename' => 'SSPHP_SESSION',
'session.phpsession.limitedpath' => false,
'session.phpsession.savepath' => null,
'session.datastore.timeout' => (4*60*60), // 4 hours
// 'session.datastore.timeout' => 60,
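Review bot: The `else` branch in the first hunk (`$sessionhandler = get_config('ssphpsessionhandler');`) accepts whatever handler name is configured, so setting `ssphpsessionhandler` to `phpsession` quietly restores the fallback this commit removes, even though the plugin's own `errorbadssphp` string says the handler must not be phpsession. Unless that value is rejected elsewhere (the string suggests a check exists outside this diff), I would guard it at that point: `if ($sessionhandler === 'phpsession') { throw new AuthInstanceException(get_string('errorbadssphp', 'auth.saml')); }`. The memcache branch also only confirms that at least one listed server accepts a connection while `$memcache_config` hands SimpleSAMLphp the full list, which deserves a comment such as `// is_memcache_configured() only proves one server is reachable; SSP still receives every configured server`. These statements are file-level in the config script, not inside a function.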
......
......@@ -46,13 +46,7 @@ if (!extension_loaded('mcrypt')) {
$sp = 'default-sp';
if (!file_exists(get_config('docroot') . 'auth/saml/extlib/simplesamlphp/vendor/autoload.php')) {
throw new AuthInstanceException(get_string('errorbadlib', 'auth.saml', get_config('docroot') . 'auth/saml/extlib/simplesamlphp/vendor/autoload.php'));
}
require_once(get_config('docroot') . 'auth/saml/extlib/simplesamlphp/vendor/autoload.php');
require_once(get_config('docroot') . 'auth/saml/extlib/_autoload.php');
SimpleSAML_Configuration::init(get_config('docroot') . 'auth/saml/config');
PluginAuthSaml::init_simplesamlphp();
// Check the SimpleSAMLphp config is compatible
$saml_config = SimpleSAML_Configuration::getInstance();
......
......@@ -24,14 +24,15 @@ $string['errorbadinstitution'] = 'Institution for connecting user not resolved';
$string['errorbadssphp'] = 'Invalid SimpleSAMLphp session handler: Must not be phpsession';
$string['errorbadssphpmetadata'] = 'Invalid SimpleSAMLphp configuration: No Identity Provider metadata configured';
$string['errorbadssphpspentityid'] = 'Invalid Service Provider entityId';
$string['errorextrarequiredfield'] = 'This field is required when "We auto-create users" is enabled';
$string['errorretryexceeded'] = 'Maximum number of retries exceeded (%s): There is a problem with the identity service';
$string['errnosamluser'] = 'No user found';
$string['errorssphpsetup'] = 'SAML is not set up correctly. You Need to run "make ssphp" from the commandline first.';
$string['errorbadlib'] = 'The SimpleSAMLPHP library\'s "autoloader" file was not found at %s.<br>Make sure you install SimpleSAMLphp via "make ssphp" and the file is readable.';
$string['errornomcrypt'] = 'The PHP library "mcrypt" must be installed for auth/saml. Make sure you install and activate mcrypt, e.g.:<br>sudo apt-get install php5-mcrypt<br>sudo php5enmod mcrypt<br>Then restart your web server.';
$string['errornomcrypt7php'] = 'The PHP library "mcrypt" must be installed for auth/saml. Make sure you install and activate mcrypt, e.g.:<br>sudo apt-get install php7.0-mcrypt<br>sudo phpenmod mcrypt<br>Then restart your web server.';
$string['errornomemcache'] = 'A memcache server is needed for auth/saml. Either list the paths to your memcache servers in the $cfg->memcacheservers config variable or install memcache locally.<br>To install the PHP library "memcache" locally:<br>sudo apt-get install php5-memcache<br>sudo php5enmod memcache<br>Then restart you web server.';
$string['errornomemcache7php'] = 'A memcache server is needed for auth/saml. Either list the paths to your memcache servers in the $cfg->memcacheservers config variable or install memcache locally.<br>To install the PHP library "memcache" locally:<br>sudo apt-get install php-memcache<br>sudo phpenmod memcache<br>Then restart you web server.';
$string['errornomemcache'] = 'Memcache is misconfigured for auth/saml or a memcache server is currently unavailable.';
$string['errornomemcache7php'] = 'Memcache is misconfigured for auth/saml or a memcache server is currently unavailable.';
$string['errorbadconfig'] = 'The SimpleSAMLPHP config directory %s is incorrect.';
$string['errorbadmetadata'] = 'Badly formed SAML metadata. Ensure XML contains one valid Identity Provider.';
$string['errorbadinstitutioncombo'] = 'There is already an existing authentication instance with this institution attribute and institution value combination.';
......@@ -63,7 +64,7 @@ $string['logo'] = 'Logo';
$string['institutionregex'] = 'Do partial string match with institution shortname';
$string['login'] = 'SSO';
$string['newidpentity'] = 'Add new Identity Provider';
$string['notusable'] = 'Please install the SimpleSAMLPHP Service Provider libraries';
$string['notusable'] = 'Please install the SimpleSAMLPHP libraries and configure Memcache server for sessions';
$string['obsoletesamlplugin'] = 'The auth/saml plugin needs to be reconfigured. Please update the plugin via the <a href="%s">plugin configuration</a> form.';
$string['obsoletesamlinstance'] = 'The SAML authentication instance <a href="%s">%s</a> for institution "%s" needs updating.';
$string['reallyreallysure1'] = "You are trying to save the Service Provider metadata for Mahara. This cannot be undone. Existing SAML logins will not work until you have reshared your new metadata with all Identity Providers.";
......
<!-- @license http://www.gnu.org/copyleft/gpl.html GNU GPL version 3 or later -->
<!-- @copyright For copyright information on Mahara, please see the README file distributed with this software. -->
<h3>SAML 2.0 field for email</h3>
<p>Enter the name of the attribute passed by the Identity Provider (IdP)
that contains the user's student ID.</p>
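Review bot: The body text contradicts its heading: the file is the help for the email attribute field (`<h3>SAML 2.0 field for email</h3>`), yet the paragraph tells the administrator to enter the attribute `that contains the user's student ID`, which reads like a copy-paste from the student ID help file. I would change the last line to `that contains the user's email address.</p>`, since a wrong mapping here feeds the auto-create path for which this commit now makes `emailfield` mandatory.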
......@@ -563,12 +563,11 @@ class PluginAuthSaml extends PluginAuth {
$libchecks .= '<li>' . get_string_php_version('errornomcrypt', 'auth.saml') . '</li>';
}
// Make sure the simplesamlphp files have been installed via 'make ssphp'
if (!file_exists(get_config('docroot') .'auth/saml/extlib/simplesamlphp/vendor/autoload.php')) {
if (!self::is_simplesamlphp_installed()) {
$libchecks .= '<li>' . get_string('errorbadlib', 'auth.saml', get_config('docroot') .'auth/saml/extlib/simplesamlphp/vendor/autoload.php') . '</li>';
}
// Make sure we can use 'memcache' with simplesamlphp as 'phpsession' doesn't work correctly in many situations
$memcacheservers_config = get_config('memcacheservers');
if (empty($memcacheservers_config) && !extension_loaded('memcache')) {
if (!self::is_memcache_configured()) {
$libchecks .= '<li>' . get_string_php_version('errornomemcache', 'auth.saml') . '</li>';
}
if (!empty($libchecks)) {
......@@ -608,10 +607,73 @@ class PluginAuthSaml extends PluginAuth {
}
public static function is_usable() {
// would be good to be able to detect SimpleSAMLPHP libraries
if (!self::is_simplesamlphp_installed()) {
return false;
}
if (empty(get_config('ssphpsessionhandler'))) {
return self::is_memcache_configured();
}
return true;
}
public static function is_simplesamlphp_installed() {
return file_exists(get_config('docroot') . 'auth/saml/extlib/simplesamlphp/vendor/autoload.php');
}
public static function init_simplesamlphp() {
if (!self::is_simplesamlphp_installed()) {
throw new AuthInstanceException(get_string('errorbadlib', 'auth.saml', get_config('docroot') . 'auth/saml/extlib/simplesamlphp/vendor/autoload.php'));
}
require_once(get_config('docroot') . 'auth/saml/extlib/simplesamlphp/vendor/autoload.php');
require_once(get_config('docroot') . 'auth/saml/extlib/_autoload.php');
SimpleSAML_Configuration::init(get_config('docroot') . 'auth/saml/config');
}
public static function is_memcache_configured() {
$is_configured = false;
if (extension_loaded('memcache')) {
foreach (self::get_memcache_servers() as $server) {
$memcache = new Memcache;
if (!empty($server['hostname']) && !empty($server['port'])) {
if ($memcache->connect($server['hostname'], $server['port'])) {
$is_configured = true;
break;
}
}
}
}
return $is_configured;
}
public static function get_memcache_servers() {
$memcache_servers = array();
$servers = get_config('memcacheservers');
if (empty($servers)) {
$servers = 'localhost';
}
$servers = explode(',', $servers);
foreach ($servers as $server) {
$url = parse_url($server);
$host = !empty($url['host']) ? $url['host'] : $url['path'];
$port = !empty($url['port']) ? $url['port'] : 11211;
$memcache_servers[] = array('hostname' => $host, 'port' => $port);
}
return $memcache_servers;
}
public static function get_idps($xml) {
$xml = new SimpleXMLElement($xml);
$xml->registerXPathNamespace('md', 'urn:oasis:names:tc:SAML:2.0:metadata');
......@@ -629,9 +691,7 @@ class PluginAuthSaml extends PluginAuth {
if (empty($lang)) {
$lang = current_language();
}
require_once(get_config('docroot') . 'auth/saml/extlib/simplesamlphp/vendor/autoload.php');
require_once(get_config('docroot') . 'auth/saml/extlib/_autoload.php');
SimpleSAML_Configuration::init(get_config('docroot') . 'auth/saml/config');
PluginAuthSaml::init_simplesamlphp();
$discoHandler = new PluginAuthSaml_IdPDisco(array('saml20-idp-remote', 'shib13-idp-remote'), 'saml');
$disco = $discoHandler->getTheIdPs();
if (count($disco['list']) > 0) {
......@@ -931,6 +991,17 @@ EOF;
if ((!$values['remoteuser']) && ($values['weautocreateusers']) && ($institutions = get_column('institution', 'name', 'registerallowed', '1'))) {
$form->set_error('weautocreateusers', get_string('errorregistrationenabledwithautocreate1', 'auth.saml'));
}
// If enabled "We auto-create users" check that all required fields for that are set.
if ($values['weautocreateusers']) {
$required= array('firstnamefield', 'surnamefield', 'emailfield');
foreach ($required as $required_field) {
if (empty($values[$required_field])) {
$form->set_error($required_field, get_string('errorextrarequiredfield', 'auth.saml'));
}
}
}
$dup = get_records_sql_array('SELECT COUNT(instance) AS instance FROM {auth_instance_config}
WHERE ((field = \'institutionattribute\' AND value = ?) OR
(field = \'institutionvalue\' AND value = ?)) AND
......@@ -1118,7 +1189,6 @@ if (file_exists(get_config('docroot') . 'auth/saml/extlib/simplesamlphp/lib/Simp
// initialize standard classes
$this->config = SimpleSAML_Configuration::getInstance();
$this->metadata = SimpleSAML_Metadata_MetaDataStorageHandler::getMetadataHandler();
$this->session = SimpleSAML_Session::getSessionFromRequest();
$this->instance = $instance;
$this->metadataSets = $metadataSets;
$this->isPassive = false;
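Review bot: `is_memcache_configured()` in the second hunk probes the servers with a live `Memcache::connect()` on every call, and it is now on the path of `is_usable()` as well as the plugin-config checks; `connect()` blocks for its default timeout per unreachable server and emits an E_WARNING, so if `is_usable()` is evaluated on ordinary requests (for example while building the login form — I cannot confirm the callers from this diff) an unreachable memcache host becomes a per-request stall and a stream of warnings in the logs. I would memoise the result for the request, skip `new Memcache` for entries without a hostname/port, and close the probe connection; whether to mask the warning (`@` or a temporary error handler) depends on how Mahara's error handler treats E_WARNING and is worth confirming. Separately, `get_memcache_servers()` does not trim the exploded entries, so `'host1, host2'` yields a hostname with a leading space for the second server; `$url = parse_url(trim($server));` fixes that.
```php
public static function is_memcache_configured() {
    static $is_configured = null;
    if ($is_configured !== null) {
        return $is_configured;
    }
    $is_configured = false;
    if (!extension_loaded('memcache')) {
        return $is_configured;
    }
    foreach (self::get_memcache_servers() as $server) {
        if (empty($server['hostname']) || empty($server['port'])) {
            continue;
        }
        $memcache = new Memcache;
        // connect() emits an E_WARNING for an unreachable server; one probe per request is enough
        if ($memcache->connect($server['hostname'], $server['port'])) {
            $memcache->close();
            $is_configured = true;
            break;
        }
    }
    return $is_configured;
}
```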
......
......@@ -44,11 +44,6 @@ if (!extension_loaded('mcrypt')) {
throw new AuthInstanceException(get_string_php_version('errornomcrypt', 'auth.saml'));
}
if (!file_exists(get_config('docroot') . 'auth/saml/extlib/simplesamlphp/vendor/autoload.php')) {
throw new AuthInstanceException(get_string('errorbadlib', 'auth.saml', get_config('docroot') . 'auth/saml/extlib/simplesamlphp/vendor/autoload.php'));
}
require_once(get_config('docroot') . 'auth/saml/extlib/simplesamlphp/vendor/autoload.php');
require_once(get_config('docroot') . 'auth/saml/extlib/_autoload.php');
SimpleSAML_Configuration::init(get_config('docroot') . 'auth/saml/config');
PluginAuthSaml::init_simplesamlphp();
require('../extlib/simplesamlphp/modules/saml/www/disco.php');
......@@ -45,17 +45,7 @@ if (!extension_loaded('mcrypt')) {
throw new AuthInstanceException(get_string_php_version('errornomcrypt', 'auth.saml'));
}
if (!file_exists(get_config('docroot') . 'auth/saml/extlib/simplesamlphp/vendor/autoload.php')) {
throw new AuthInstanceException(get_string('errorbadlib', 'auth.saml', get_config('docroot') . 'auth/saml/extlib/simplesamlphp/vendor/autoload.php'));
}
require_once(get_config('docroot') . 'auth/saml/extlib/simplesamlphp/vendor/autoload.php');
require_once(get_config('docroot') . 'auth/saml/extlib/_autoload.php');
// get all the things that we will need from the SAML authentication
// and then shutdown the session control
// echo $samlconfig;
// die();
SimpleSAML_Configuration::init(get_config('docroot') . 'auth/saml/config');
PluginAuthSaml::init_simplesamlphp();
$config = SimpleSAML_Configuration::getInstance();
if ($config->getBoolean('admin.protectmetadata', false)) {
......
......@@ -44,11 +44,6 @@ if (!extension_loaded('mcrypt')) {
throw new AuthInstanceException(get_string_php_version('errornomcrypt', 'auth.saml'));
}
if (!file_exists(get_config('docroot') . 'auth/saml/extlib/simplesamlphp/vendor/autoload.php')) {
throw new AuthInstanceException(get_string('errorbadlib', 'auth.saml', get_config('docroot') . 'auth/saml/extlib/simplesamlphp/vendor/autoload.php'));
}
require_once(get_config('docroot') . 'auth/saml/extlib/simplesamlphp/vendor/autoload.php');
require_once(get_config('docroot') . 'auth/saml/extlib/_autoload.php');
SimpleSAML_Configuration::init(get_config('docroot') . 'auth/saml/config');
PluginAuthSaml::init_simplesamlphp();
require('../extlib/simplesamlphp/modules/saml/www/sp/saml1-acs.php');
......@@ -44,11 +44,6 @@ if (!extension_loaded('mcrypt')) {
throw new AuthInstanceException(get_string_php_version('errornomcrypt', 'auth.saml'));
}
if (!file_exists(get_config('docroot') . 'auth/saml/extlib/simplesamlphp/vendor/autoload.php')) {
throw new AuthInstanceException(get_string('errorbadlib', 'auth.saml', get_config('docroot') . 'auth/saml/extlib/simplesamlphp/vendor/autoload.php'));
}
require_once(get_config('docroot') . 'auth/saml/extlib/simplesamlphp/vendor/autoload.php');
require_once(get_config('docroot') . 'auth/saml/extlib/_autoload.php');
SimpleSAML_Configuration::init(get_config('docroot') . 'auth/saml/config');
PluginAuthSaml::init_simplesamlphp();
require('../extlib/simplesamlphp/modules/saml/www/sp/saml2-acs.php');
......@@ -44,12 +44,7 @@ if (!extension_loaded('mcrypt')) {
throw new AuthInstanceException(get_string_php_version('errornomcrypt', 'auth.saml'));
}
if (!file_exists(get_config('docroot') . 'auth/saml/extlib/simplesamlphp/vendor/autoload.php')) {
throw new AuthInstanceException(get_string('errorbadlib', 'auth.saml', get_config('docroot') . 'auth/saml/extlib/simplesamlphp/vendor/autoload.php'));
}
require_once(get_config('docroot') . 'auth/saml/extlib/simplesamlphp/vendor/autoload.php');
require_once(get_config('docroot') . 'auth/saml/extlib/_autoload.php');
SimpleSAML_Configuration::init(get_config('docroot') . 'auth/saml/config');
PluginAuthSaml::init_simplesamlphp();
// Bug #1693426: destroy mahara session when Single Logout is initiated by IdP
if ($USER->is_logged_in()) {
......
......@@ -716,6 +716,13 @@ $cfg->passwordsaltalt1 = 'old salt value';
*/
$cfg->openbadgedisplayer_source = '{"backpack":"https://backpack.openbadges.org/","passport":"https://openbadgepassport.com/"}';
/**
* @global string $cfg->memcacheservers
* A comma separated list of memcache servers to store user sessions for SimpleSAMLphp.
* localhost:11211 will be used by default.
*/
// $cfg->memcacheservers = 'hostname1:port1,hostname2:port2,hostname3:port3';
/**
* @global string $cfg->ssphpsessionhandler
* An alternative session handler for SimpleSAMLphp if you do not wish to use memcache.
......@@ -723,7 +730,6 @@ $cfg->openbadgedisplayer_source = '{"backpack":"https://backpack.openbadges.org/
*/
// $cfg->ssphpsessionhandler = 'memcached';
/**
* @global array $cfg->saml_custommappingfile
* A list of paths to custom attribute mapping files for SimpleSAMLphp IDP and SP
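Review bot: The new `$cfg->memcacheservers` docblock in the first hunk should state the trust assumption: memcache has no authentication or transport encryption, and this setting tells SimpleSAMLphp to keep its user sessions (which carry the attributes the IdP released) there, so anyone who can reach the listed servers can read or replace those sessions. I would add to the docblock ` * Memcache is unauthenticated: only list servers bound to localhost or to a private network reachable solely by the Mahara web hosts.` It is also worth saying that `localhost:11211` applies only when the setting is empty, and that the plugin refuses to start when none of the listed servers accepts a connection (that behaviour lives in auth/saml/config/config.php, outside this file).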
......