Merge pull request #10 from pajavyskocil/CSC_MFA

Added process filter for CSCMfa

Author: vyskocilpavel

CHANGELOG.md

@@ -2,6 +2,9 @@
  All notable changes to this project will be documented in this file.
 
 ## [Unreleased]
+#### Added
+- Added process filter for MFA using CSC MFA OIDC server
+ 
 #### Changed
 - Using of short array syntax ([] instead of array())
 - Using imports instead of qualified names

composer.json

@@ -18,6 +18,8 @@
     "require": {
         "simplesamlphp/composer-module-installer": "~1.0",
         "simplesamlphp/simplesamlphp": "~1.17",
-        "cesnet/simplesamlphp-module-perun": "~3.0"
+        "cesnet/simplesamlphp-module-perun": "~3.0",
+        "ext-json": "*",
+        "ext-curl": "*"
     }
 }

config-templates/module_elixir.php

@@ -0,0 +1,28 @@
+<?php
+
+/**
+ * The config template for module ELIXIR
+ */
+$config = array(
+
+    /**
+     * The clientId from CSC_MFA server
+     */
+    'clientId' => '',
+
+    /**
+     * The clientSecret from CSC_MFA server
+     */
+    'clientSecret' => '',
+
+    /**
+     * List of requested scopes
+     */
+    'requestedScopes' => [],
+
+    /**
+     * The openid configuration url of CSC_MFA server
+     */
+    'openidConfigurationUrl' => ''
+
+);

lib/Auth/Process/CSCMfa.php

@@ -0,0 +1,148 @@
+<?php
+namespace SimpleSAML\Module\elixir\Auth\Process;
+
+use SimpleSAML\Auth\ProcessingFilter;
+use SimpleSAML\Auth\State;
+use SimpleSAML\Configuration;
+use SimpleSAML\Error\Exception;
+use SimpleSAML\Logger;
+use SimpleSAML\Module;
+
+class CSCMfa extends ProcessingFilter
+{
+    const MFA_IDENTIFIER = 'https://refeds.org/profile/mfa';
+    const CONFIG_FILE_NAME = 'module_elixir.php';
+
+    const CLIENT_ID = 'clientId';
+    const CLIENT_SECRET = 'clientSecret';
+    const REQUESTED_SCOPES = 'requestedScopes';
+    const OPENID_CONFIGURATION_URL = 'openidConfigurationUrl';
+    const AUTHORIZATION_ENDPOINT = 'authorization_endpoint';
+    const TOKEN_ENDPOINT = 'token_endpoint';
+    const USERINFO_ENDPOINT = 'userinfo_endpoint';
+
+    private $clientId;
+    private $requestedScopes;
+    private $authorizationEndpoint;
+    private $redirectUri;
+
+    public function __construct($config, $reserved)
+    {
+        assert('is_array($config)');
+        parent::__construct($config, $reserved);
+
+        $conf = Configuration::getConfig(self::CONFIG_FILE_NAME);
+
+        $this->clientId = $conf->getString(self::CLIENT_ID, '');
+        $this->requestedScopes = $conf->getArray(self::REQUESTED_SCOPES, []);
+        $openidConfigurationUrl =$conf->getString(self::OPENID_CONFIGURATION_URL, '');
+
+        if (empty($this->clientId)) {
+            throw new Exception(
+                'elixir:CSCMfa: missing mandatory configuration option "' . self::CLIENT_ID .
+                '" in configuration file "' . self::CONFIG_FILE_NAME . '".'
+            );
+        }
+
+        if (empty($this->requestedScopes)) {
+            throw new Exception(
+                'elixir:CSCMfa: missing mandatory configuration option "' . self::REQUESTED_SCOPES .
+                '" in configuration file "' . self::CONFIG_FILE_NAME . '".'
+            );
+        }
+
+        if (empty($openidConfigurationUrl)) {
+            throw new Exception(
+                'elixir:CSCMfa: missing mandatory configuration option "' . self::AUTHORIZATION_ENDPOINT .
+                '" in configuration file "' . self::CONFIG_FILE_NAME . '".'
+            );
+        }
+
+        $metadata = json_decode(file_get_contents($openidConfigurationUrl), true);
+        $this->authorizationEndpoint = $metadata[self::AUTHORIZATION_ENDPOINT];
+
+        $this->redirectUri = Module::getModuleURL('elixir').'/CSCMfaContinue.php';
+
+    }
+
+
+    public function process(&$request)
+    {
+        assert('is_array($request)');
+
+        $requestedAuthnContextClassRef = array();
+
+        if (isset($request['saml:RequestedAuthnContext']['AuthnContextClassRef'])) {
+            $requestedAuthnContextClassRef = $request['saml:RequestedAuthnContext']['AuthnContextClassRef'][0];
+            if (! is_array($requestedAuthnContextClassRef)) {
+                $requestedAuthnContextClassRef = array($requestedAuthnContextClassRef);
+            }
+        }
+
+        if (!in_array(self::MFA_IDENTIFIER, $requestedAuthnContextClassRef)) {
+            # Everything is OK, SP didn't requested MFA
+            Logger::debug('Multi factor authentication is not required');
+            return;
+        }
+
+        # Check if IdP did MFA
+        $authContextClassRef = array();
+        if (isset($request['saml:sp:AuthnContext'])) {
+            $authContextClassRef = $request['saml:sp:AuthnContext'];
+            if (!is_array($authContextClassRef)) {
+                $authContextClassRef = array($authContextClassRef);
+            }
+        }
+        if (in_array(self::MFA_IDENTIFIER, $authContextClassRef)) {
+            # MFA was performed on IdP
+            Logger::debug('Multi factor authentication was performed on Identity provider side');
+            return;
+        }
+
+        Logger::debug('Multi factor authentication wasn\'t performed and will be performed on CSC side.');
+
+        $stateId = State::saveState($request, 'elixir:CSCMfa', true);
+
+        if (!isset($request['Attributes']['eduPersonUniqueId'][0])) {
+            throw new Exception(
+                'elixir:CSCMfa: missing required attribute "eduPersonUniqueId" in request'
+            );
+        }
+        $elixirId = $request['Attributes']['eduPersonUniqueId'][0];
+
+        # Prepare claims
+        $claims = [
+            'id_token' => [
+                'sub' => [
+                    'value' => $stateId
+                ],
+                'otp_key' => [
+                    'value' => $elixirId
+                ]
+            ]
+        ];
+
+        if (isset( $request['Attributes']['mobile'][0])) {
+            $phoneNumber = $request['Attributes']['mobile'][0];
+            $claims['id_token']['mobile']['value'] = $phoneNumber;
+        }
+
+        # Prepare params
+        $params = [
+            'response_type' => 'code',
+            'scope' => implode(' ', $this->requestedScopes),
+            'client_id' => $this->clientId,
+            'redirect_uri' => $this->redirectUri,
+            'state' => $stateId,
+            'claims' => json_encode($claims),
+        ];
+
+        $mfa_url = $this->authorizationEndpoint . '?' .  http_build_query($params);
+
+        Header('Location: ' . $mfa_url);
+        exit();
+
+    }
+}
+
+?>

www/CSCMfaContinue.php

@@ -0,0 +1,119 @@
+<?php
+
+use SimpleSAML\Auth\State;
+use SimpleSAML\Configuration;
+use SimpleSAML\Error\Exception;
+use SimpleSAML\Logger;
+use SimpleSAML\Module;
+use SimpleSAML\Module\elixir\Auth\Process\CSCMfa;
+
+
+$mfaTokenUrl = null;
+$mfaUserInfoUrl = null;
+
+$conf = Configuration::getConfig(CSCMfa::CONFIG_FILE_NAME);
+
+$clientId = $conf->getString(CSCMfa::CLIENT_ID, '');
+if (empty($clientId)) {
+    throw new Exception(
+        'elixir:CSCMfa_continue: missing mandatory configuration option "' . CSCMfa::CLIENT_ID .
+        '" in configuration file "' . CSCMfa::CONFIG_FILE_NAME . '".'    );
+}
+
+$clientSecret = $conf->getString(CSCMfa::CLIENT_SECRET, '');
+if (empty($clientSecret)) {
+    throw new Exception(
+        'elixir:CSCMfa_continue: missing mandatory configuration option "' . CSCMfa::CLIENT_SECRET .
+        '" in configuration file "' . CSCMfa::CONFIG_FILE_NAME . '".'    );
+}
+
+$openidConfigurationUrl = $conf->getString(CSCMfa::OPENID_CONFIGURATION_URL, '');
+if (empty($openidConfigurationUrl)) {
+    throw new Exception(
+        'elixir:CSCMfa_continue: missing mandatory configuration option "' . CSCMfa::TOKEN_ENDPOINT .
+        '" in configuration file "' . CSCMfa::CONFIG_FILE_NAME . '".'    );
+}
+
+$metadata = json_decode(file_get_contents($openidConfigurationUrl), true);
+
+if (isset($metadata[CSCMfa::TOKEN_ENDPOINT])) {
+    $mfaTokenUrl = $metadata[CSCMfa::TOKEN_ENDPOINT];
+}
+
+if (isset($metadata[CSCMfa::USERINFO_ENDPOINT])) {
+    $mfaUserInfoUrl = $metadata[CSCMfa::USERINFO_ENDPOINT];
+}
+
+if ($mfaTokenUrl === null || $mfaUserInfoUrl === null) {
+        throw new Exception(
+        'elixir:CSCMfa_continue: Problem to get ' . CSCMfa::TOKEN_ENDPOINT . ' or ' .
+        CSCMfa::USERINFO_ENDPOINT . ' from Openid configuration.'   );
+}
+
+$redirectUri = Module::getModuleURL('elixir') . '/CSCMfa_continue.php';
+
+if (!isset($_GET['code'], $_GET['state'] )) {
+    throw new Exception(
+        'elixir:CSCMfa_continue: One of following required params: "code", "state" is missing.');
+}
+
+$code = $_GET['code'];
+$stateId = $_GET['state'];
+
+$state = State::loadState($stateId, 'elixir:CSCMfa');
+
+# Prepare params for token endpoint
+$params = [
+    'code' => $code,
+    'grant_type' => 'authorization_code',
+    'redirect_uri' => $redirectUri,
+    'client_id' => $clientId,
+    'client_secret' => $clientSecret,
+    'nonce' => time(),
+];
+
+# Request to token endpoint
+$ch = curl_init();
+curl_setopt($ch, CURLOPT_URL, $mfaTokenUrl);
+curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
+curl_setopt($ch, CURLOPT_POST, true);
+curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($params));
+
+if (($response = curl_exec($ch)) === false) {
+    throw new \Exception("Request to token endpoint wasn't successful : " . curl_error($ch));
+}
+$response = json_decode($response, true);
+
+$accessToken = null;
+$idToken = null;
+if (isset($response['access_token'])) {
+    $accessToken = $response['access_token'];
+}
+
+if (isset($response['id_token'])) {
+    $idToken = $response['id_token'];
+}
+
+$params = array(
+    'access_token' => $accessToken,
+);
+
+# Request to userinfo endpoint
+$ch = curl_init();
+curl_setopt($ch, CURLOPT_URL, $mfaUserInfoUrl);
+curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
+curl_setopt($ch, CURLOPT_POST, true);
+curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($params));
+curl_setopt($ch, CURLOPT_HTTPHEADER, array('Authorization: Bearer ' . $accessToken));
+
+if (($response = curl_exec($ch)) === false) {
+    throw new \Exception("Request to token endpoint wasn't successful : " . curl_error($ch));
+}
+
+curl_close($ch);
+
+$state['saml:sp:AuthnContext'] = CSCMfa::MFA_IDENTIFIER;
+
+SimpleSAML\Auth\ProcessingChain::resumeProcessing($state);
+
+?>