Commit 30f1da0e authored by Robert Lyon's avatar Robert Lyon Committed by Gerrit Code Review

Merge "Bug 1704887: Expose signing algorithm config to mahara"

parents d246f592 059b0765
......@@ -22,6 +22,12 @@ if (empty($spentityid)) {
$spentityid = $_SERVER['HTTP_HOST'].'/mahara';
}
/*
* Get the configured signature algorithm, falling back to SHA256 if no valid
* value is found
*/
$signaturealgo = PluginAuthSaml::get_config_saml_signature_algorithm();
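Review bot: The comment above the `$signaturealgo` assignment states that the fallback is SHA256, but the code delegates the fallback to `PluginAuthSaml::get_default_saml_signature_algorithm()`, so the comment duplicates a value owned elsewhere and goes stale if that default is ever changed. The identical comment is added in the second config file's hunk (`@@ -55,6 +55,12 @@`). Suggest wording it by ownership rather than by value, e.g. `* Get the configured signature algorithm; PluginAuthSaml falls back to its own default when no valid value is set`. The `'signature.algorithm' => $signaturealgo` line in the second hunk of this file is fine as written.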
$config = array(
// This is a authentication source which handles admin authentication.
......@@ -52,7 +58,7 @@ $config = array(
'discoURL' => NULL,
'encryption.blacklisted-algorithms' => array(),
'signature.algorithm' => $signaturealgo,
'privatekey' => $key,
'privatekey_pass' => get_config('sitename'),
'certificate' => $cert,
......
......@@ -55,6 +55,12 @@ else {
$sessionhandler = 'phpsession';
}
/*
* Get the configured signature algorithm, falling back to SHA256 if no valid
* value is found
*/
$signaturealgo = PluginAuthSaml::get_config_saml_signature_algorithm();
/*
* The configuration of simpleSAMLphp
*
......@@ -500,6 +506,12 @@ $config = array (
*/
'metadata.sign.enable' => FALSE,
/*
* What signature algorithm to use when signing the sp requests, configured
* in the plugin settings
*/
'signature.algorithm' => $signaturealgo,
/*
* The default key & certificate which should be used to sign generated metadata. These
* are files stored in the cert dir.
......
<?php
/**
*
* @package mahara
* @subpackage core
* @author Catalyst IT Ltd
* @license http://www.gnu.org/copyleft/gpl.html GNU GPL version 3 or later
* @copyright For copyright information on Mahara, please see the README file distributed with this software.
*
*/
function xmldb_auth_saml_upgrade($oldversion=0) {
$status = true;
/**
*/
if ($oldversion < 2017071800) {
//For legacy installs we default to rsa-sha1 as that was the default previously, although we would
//ideally like them to use rsa-256
set_config_plugin('auth', 'saml', 'sigalgo', 'http://www.w3.org/2000/09/xmldsig#rsa-sha1');
}
return $status;
}
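Review bot: Legacy installs are pinned to `rsa-sha1`, the option the plugin itself labels "Legacy SHA1 (Dangerous)", and nothing surfaces that choice to the administrator, so an upgraded site keeps the weak signing algorithm until someone happens to open the plugin settings. Preserving the previous behaviour across the upgrade is defensible, but the step should at least record it next to the `set_config_plugin()` call, e.g. `error_log('auth/saml: upgrade kept legacy rsa-sha1 request signing; review the Signing Algorithm setting');`, matching the `error_log` style the plugin already uses. The empty `/**` … `*/` docblock above the version check says nothing; replace it with a one-line comment naming the bug and the reason for the SHA1 default, and drop the doubled `//` comment into that same place. `$status` is never modified, so it can be returned as a literal `true`.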
......@@ -83,3 +83,8 @@ $string['simplesamlphpconfig'] = 'SimpleSAMLPHP config directory';
$string['weautocreateusers'] = 'We auto-create users';
$string['remoteuser'] = 'Match username attribute to remote username';
$string['selectidp'] = 'Please select the Identity Provider that you wish to log in with.';
$string['sha1'] = 'Legacy SHA1 (Dangerous)';
$string['sha256'] = 'SHA256 (Default)';
$string['sha384'] = 'SHA384';
$string['sha512'] = 'SHA512';
$string['sigalgo'] = 'Signing Algorithm';
<!-- @license http://www.gnu.org/copyleft/gpl.html GNU GPL version 3 or later -->
<!-- @copyright For copyright information on Mahara, please see the README file distributed with this software. -->
<h3>Signature Algorithm</h3>
<p>This is the algorithm that will be used to sign SAML requests.<br/><strong>Warning:</strong> The SHA1 Algorithm is only provided for backwards compatibility, unless you absolutely must use it it is recommended to avoid it and use at least SHA256 instead</p>
......@@ -409,6 +409,49 @@ class PluginAuthSaml extends PluginAuth {
}
}
/*
* Return an array of signature algorithms in a form suitable for feeding into a dropdown form
*/
public static function get_valid_saml_signature_algorithms() {
$return = array();
$return['http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'] = get_string('sha256', 'auth.saml');
$return['http://www.w3.org/2001/04/xmldsig-more#rsa-sha384'] = get_string('sha384', 'auth.saml');
$return['http://www.w3.org/2001/04/xmldsig-more#rsa-sha512'] = get_string('sha512', 'auth.saml');
$return['http://www.w3.org/2000/09/xmldsig#rsa-sha1'] = get_string('sha1', 'auth.saml');
return $return;
}
/*
* Return a sensible default signature algorithm for simplesamlphp config
*/
public static function get_default_saml_signature_algorithm() {
//Sha1 is deprecated so we default to something more sensible
return 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256';
}
/*
* Check if a given value is a valid signature algorithm for configuration
* in simplesamlphp
*/
public static function is_valid_saml_signature_algorithm($value) {
$valids = self::get_valid_saml_signature_algorithms();
return array_key_exists($value, $valids);
}
/*
* Get the configured signature algorithm, falling back to the default if
* no valid value can be found or no value is set
*/
public static function get_config_saml_signature_algorithm() {
$signaturealgo = get_config_plugin('auth', 'saml', 'sigalgo');
if (empty($signaturealgo) || !self::is_valid_saml_signature_algorithm($signaturealgo)) {
$signaturealgo = self::get_default_saml_signature_algorithm();
}
return $signaturealgo;
}
public static function get_config_options() {
$spentityid = get_config_plugin('auth', 'saml', 'spentityid');
......@@ -416,6 +459,9 @@ class PluginAuthSaml extends PluginAuth {
$spentityid = $_SERVER['HTTP_HOST'] . '/mahara';
}
$signaturealgo = self::get_config_saml_signature_algorithm();
$possiblealgos = self::get_valid_saml_signature_algorithms();
// first time - create it
if (!file_exists(AuthSaml::get_certificate_path() . 'server.crt')) {
error_log("auth/saml: Creating the certificate for the first time");
......@@ -463,6 +509,13 @@ class PluginAuthSaml extends PluginAuth {
'defaultvalue' => $spentityid,
'help' => true,
),
'sigalgo' => array(
'type' => 'select',
'title' => get_string('sigalgo', 'auth.saml'),
'options' => $possiblealgos,
'defaultvalue' => $signaturealgo,
'help' => true,
),
'makereallysure' => array(
'type' => 'html',
'value' => "<script>jQuery('document').ready(function() { jQuery('#pluginconfig_save').on('click', function() {
......@@ -539,7 +592,7 @@ class PluginAuthSaml extends PluginAuth {
public static function save_config_options(Pieform $form, $values) {
delete_records('auth_config', 'plugin', 'saml');
$configs = array('spentityid');
$configs = array('spentityid', 'sigalgo');
foreach ($configs as $config) {
set_config_plugin('auth', 'saml', $config, $values[$config]);
}
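Review bot: `save_config_options` writes `$values['sigalgo']` to the plugin config without checking it against `get_valid_saml_signature_algorithms()`, so a submitted value outside the select's option list is stored verbatim and only silently swapped for the SHA256 default on every read by `get_config_saml_signature_algorithm()`, which hides the misconfiguration from the administrator. Whether the Pieform `select` element rejects unknown values server-side is not visible here, so the plugin should enforce it itself: `if (!self::is_valid_saml_signature_algorithm($values['sigalgo'])) { $values['sigalgo'] = self::get_default_saml_signature_algorithm(); }` before the `foreach`, or better, a form error in a validate hook so the admin sees the rejection. The body of `save_config_options` continues past the end of this hunk. The `get_config_saml_signature_algorithm` and `get_config_options` hunks earlier in this section are consistent with this change and need no further adjustment.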
......
......@@ -11,7 +11,7 @@
defined('INTERNAL') || die();
$config = new StdClass;
$config->version = 2016062900;
$config->version = 2017071800;
$config->release = '1.2.0';
$config->name = 'saml';
$config->requires_config = 1;
......