feat: 🎸 PerunAup authProcFilter

Filter to check approved AUP and redirect to approval

Author: Dominik Frantisek Bucik

config-templates/processFilterConfigurations-example.md

@@ -164,6 +164,7 @@ Example how to enable filter AttributeMap:
 ## ExtractRequestAttribute
 
 Filter is intended to extract an attribute specified by set of keys forming the chain of keys in the `$request` variable into the configured destination attribute.
+
 Configuration options:
 * `attr_name`: specifies attribute name, into which the extracted value will be stored
 * `request_keys`: string, which contains a semicolon (`;`) separated chain of keys that are examined in the state. Numeric keys are automatically treated as array indexes. For instance, value `'saml:AuthenticatingAuthority;0'` will be treated as code `$request['saml:AuthenticatingAuthority'][0]`. In case of this value being empty, exception is thrown. Otherwise, extracted value is stored into the configured destination attribute.
@@ -204,3 +205,27 @@ Configuration options:
     'perun_register_url' => 'https://signup.perun.cesnet.cz/fed/registrar/?vo=cesnet'
 ],
 ```
+
+## PerunAup
+
+Filter fetches the given attribute holding approved AUP and checks, if expected value is set in the attribute or not. If not, it redirects the user to specified registration component, where user will be asked to approve the AUP.
+
+Configuration options:
+* `interface`: specifies what interface of Perun should be used to fetch data. See class `SimpleSAML\Module\perun\PerunAdapter` for more details.
+* `attribute`: name of the attribute, which will be fetched from Perun and holds the value of approved AUP.
+* `value`: value that is expected in the attribute as mark of approved AUP. Expected is a string.
+* `approval_url`: URL to which the user will be forwarded for registration. Leave empty to use the Perun registrar.
+* `callback_parameter_name`: name of the parameter wich will hold callback URL, where the user should be redirected after the AUP approval on URL configured in the `approval_url` property.
+* `perun_register_url`: the complete URL (including vo and group) to which user will be redirected, if `approval_url` has not been configured. Parameters targetnew, targetexisting and targetextended will be set to callback URL to continue after the AUP approval is completed.
+
+```php
+3 => [
+    'class' => 'perun:PerunAup',
+    'interface' => 'LDAP',
+    'value' => 'aup_2020_01_01',
+    'attribute' => 'approved_aup',
+    'approval_url' => 'https://signup.cesnet.cz/aup/',
+    'callback_parameter_name' => 'callback',
+    'perun_approval_url' => 'https://signup.perun.cesnet.cz/fed/registrar/?vo=cesnet&group=aup'
+],
+```

dictionaries/perun.definition.json

@@ -102,5 +102,13 @@
   "register_button": {
     "en": "Proceed to register for an account",
     "cs": "Pokračovat na registraci ůčtu"
+  },
+  "aup_text": {
+    "en": "Oops! It seems you have tried to access service via Perun AAI, but you have not approved the Acceptable Use Policy (AUP). Let's fix that!",
+    "cs": "Ups! Vyzerá to, že jste se pokousil(a) přihlásit ke službě skrze Perun AAI, no neschválili jste Podmínky užití služby (AUP). Pojďme to napravit!"
+  },
+  "aup_button": {
+    "en": "Proceed to approval of the AUP",
+    "cs": "Pokračovat na potvrzení souhlasu s AUP"
   }
 }

lib/Auth/Process/PerunAup.php

@@ -0,0 +1,152 @@
+<?php
+
+declare(strict_types=1);
+
+namespace SimpleSAML\Module\perun\Auth\Process;
+
+use SimpleSAML\Auth\ProcessingFilter;
+use SimpleSAML\Auth\State;
+use SimpleSAML\Configuration;
+use SimpleSAML\Error\Exception;
+use SimpleSAML\Logger;
+use SimpleSAML\Module;
+use SimpleSAML\Module\perun\Adapter;
+use SimpleSAML\Module\perun\PerunConstants;
+use SimpleSAML\Utils\HTTP;
+
+/**
+ * Class checks if the user has approved given aup, and forwards to approval page if not.
+ */
+class PerunAup extends ProcessingFilter
+{
+    public const STAGE = 'perun:PerunAup';
+    public const DEBUG_PREFIX = self::STAGE . ' - ';
+
+    public const CALLBACK = 'perun/perun_aup_callback.php';
+    public const REDIRECT = 'perun/perun_aup.php';
+    public const TEMPLATE = 'perun:perun-aup-tpl.php';
+
+    public const PARAM_STATE_ID = PerunConstants::STATE_ID;
+    public const PARAM_APPROVAL_URL = 'approvalUrl';
+
+    public const INTERFACE = 'interface';
+    public const AUP_ATTR = 'attribute';
+    public const AUP_VALUE = 'value';
+    public const APPROVAL_URL = 'approval_url';
+    public const CALLBACK_PARAMETER_NAME = 'callback_parameter_name';
+    public const PERUN_APPROVAL_URL = 'perun_approval_url';
+
+    private $adapter;
+    private $aupAttr;
+    private $aupValue;
+    private $approvalUrl;
+    private $callbackParameterName;
+    private $perunApprovalUrl;
+    private $config;
+    private $filterConfig;
+
+    public function __construct($config, $reserved)
+    {
+        parent::__construct($config, $reserved);
+        $this->config = $config;
+        $this->filterConfig = Configuration::loadFromArray($config);
+
+        $interface = $this->filterConfig->getString(self::INTERFACE, Adapter::RPC);
+        $this->adapter = Adapter::getInstance($interface);
+
+        $this->aupAttr = $this->filterConfig->getString(self::AUP_ATTR, null);
+        if (empty($this->aupAttr)) {
+            throw new Exception(
+                self::DEBUG_PREFIX . 'Invalid configuration: no attribute containing approved AUP ' . 'has been configured. Use option \'' . self::AUP_ATTR . '\' to configure the name of the Perun' . 'attribute, which should contain the approved AUP version.'
+            );
+        }
+
+        $this->aupValue = $this->filterConfig->getString(self::AUP_VALUE, null);
+        if (empty($this->aupValue)) {
+            throw new Exception(
+                self::DEBUG_PREFIX . 'Invalid configuration: no value signaling AUP which needs to be approved ' . 'has been configured. Use option \'' . self::AUP_VALUE . '\' to configure the value, which needs to ' . 'be present in the attribute containing the approved AUP version.'
+            );
+        }
+
+        $this->approvalUrl = $this->filterConfig->getString(self::APPROVAL_URL, null);
+        $this->callbackParameterName = $this->filterConfig->getString(self::CALLBACK_PARAMETER_NAME, null);
+        $this->perunApprovalUrl = $this->filterConfig->getString(self::PERUN_APPROVAL_URL, null);
+        if (empty($this->approvalUrl) && empty($this->callbackParameterName) && empty($this->perunApprovalUrl)) {
+            throw new Exception(
+                self::DEBUG_PREFIX . 'Invalid configuration: no URL where user should approve the AUP ' . 'has been configured. Use option \'' . self::APPROVAL_URL . '\' to configure the URL and ' . 'option \'' . self::CALLBACK_PARAMETER_NAME . '\' to configure name of the callback parameter. 
+                . If you wish to use the Perun registrar, use the option \'' . self::PERUN_APPROVAL_URL . '\'.'
+            );
+        }
+    }
+
+    public function process(&$request)
+    {
+        assert(is_array($request));
+        assert(!empty($request[PerunConstants::PERUN][PerunConstants::USER]));
+
+        if (empty($request[PerunConstants::PERUN][PerunConstants::USER])) {
+            throw new Exception(
+                self::DEBUG_PREFIX . 'Request does not contain Perun user. Did you configure ' . PerunUser::STAGE . ' filter before this filter in the processing chain?'
+            );
+        }
+        $user = $request[PerunConstants::PERUN][PerunConstants::USER];
+
+        $aupAttr = null;
+        $userAttributesValues = $this->adapter->getUserAttributesValues($user, [$this->aupAttr]);
+        if (empty($userAttributesValues) || empty($userAttributesValues[$this->aupAttr])) {
+            Logger::warning(
+                self::DEBUG_PREFIX . 'Attribute \'' . $this->aupAttr . '\' is empty. Probably could not be '
+                . 'fetched. Redirecting user to approve AUP.'
+            );
+        } else {
+            $aupAttr = $userAttributesValues[$this->aupAttr];
+        }
+
+        if ($aupAttr === $this->aupValue) {
+            Logger::info(
+                self::DEBUG_PREFIX . 'User approved AUP did match the expected value, continue processing.'
+            );
+
+            return;
+        }
+        Logger::info(
+            self::DEBUG_PREFIX . 'User did not approve the expected AUP. Expected value \''
+            . $this->aupValue . '\', actual value \'' . $aupAttr . '\'. Redirecting user to AUP approval page.'
+        );
+        $this->redirect($request);
+    }
+
+    private function redirect(&$request): void
+    {
+        $request[PerunConstants::CONTINUE_FILTER_CONFIG] = $this->config;
+        $stateId = State::saveState($request, self::STAGE);
+        $callback = Module::getModuleURL(self::CALLBACK, [
+            self::PARAM_STATE_ID => $stateId,
+        ]);
+        if (!empty($this->approvalUrl) && !empty($this->callbackParameterName)) {
+            Logger::debug(
+                self::DEBUG_PREFIX . 'Redirecting to \'' . $this->approvalUrl . ', callback parameter \''
+                . $this->callbackParameterName . '\' with value \'' . $callback . '\''
+            );
+            HTTP::redirectTrustedURL($this->approvalUrl, [
+                $this->callbackParameterName => $callback,
+            ]);
+        } elseif (!empty($this->perunApprovalUrl)) {
+            $params[PerunConstants::TARGET_NEW] = $callback;
+            $params[PerunConstants::TARGET_EXISTING] = $callback;
+            $params[PerunConstants::TARGET_EXTENDED] = $callback;
+
+            $url = Module::getModuleURL(self::REDIRECT);
+            $approvalUrl = HTTP::addURLParameters($this->approvalUrl, $params);
+            Logger::debug(
+                self::DEBUG_PREFIX . 'Redirecting to \'' . self::REDIRECT . ', approval URL \''
+                . $approvalUrl . '\''
+            );
+            HTTP::redirectTrustedURL($url, [
+                self::PARAM_APPROVAL_URL => $approvalUrl,
+            ]);
+        } else {
+            throw new Exception(self::DEBUG_PREFIX . 'No configuration for AUP approval enabled. Cannot proceed');
+        }
+    }
+}

templates/perun-aup-tpl.php

@@ -0,0 +1,21 @@
+<?php declare(strict_types=1);
+
+use SimpleSAML\Module\perun\Auth\Process\PerunAup;
+
+$this->includeAtTemplateBase('includes/header.php');
+
+?>
+
+<div class="row">
+    <div class="offset-1 col-10 offset-sm-1 col-sm-10 offset-md-2 col-md-8 offset-lg-3 col-lg-6 offset-xl-3 col-xl-6">
+        <p><?php echo $this->t('{perun:perun:aup_text}'); ?></p>
+        <a class="btn btn-block" href="<?php echo $this->data[PerunAup::PARAM_APPROVAL_URL]; ?>">
+            <?php echo $this->t('{perun:perun:aup_button}'); ?>
+        </a>
+    </div>
+</div>
+
+
+<?php
+
+$this->includeAtTemplateBase('includes/footer.php');

www/perun_aup.php

@@ -0,0 +1,13 @@
+<?php
+
+declare(strict_types=1);
+
+use SimpleSAML\Configuration;
+use SimpleSAML\Module\perun\Auth\Process\PerunAup;
+use SimpleSAML\XHTML\Template;
+
+$config = Configuration::getInstance();
+$t = new Template($config, PerunAup::TEMPLATE);
+$t->data[PerunAup::PARAM_APPROVAL_URL] = $_REQUEST[PerunAup::PARAM_APPROVAL_URL];
+
+$t->show();

www/perun_aup_callback.php

@@ -0,0 +1,21 @@
+<?php
+
+declare(strict_types=1);
+
+use SimpleSAML\Auth\ProcessingChain;
+use SimpleSAML\Auth\State;
+use SimpleSAML\Error\BadRequest;
+use SimpleSAML\Module\perun\Auth\Process\PerunAup;
+use SimpleSAML\Module\perun\PerunConstants;
+
+if (empty($_REQUEST[PerunAup::PARAM_STATE_ID])) {
+    throw new BadRequest('Missing required \'' . PerunAup::PARAM_STATE_ID . '\' query parameter.');
+}
+$state = State::loadState($_REQUEST[PerunAup::PARAM_STATE_ID], PerunAup::STAGE);
+
+$filterConfig = $state[PerunConstants::CONTINUE_FILTER_CONFIG];
+$perunAup = new PerunAup($filterConfig, null);
+$perunAup->process($state);
+
+// we have not been redirected, continue processing
+ProcessingChain::resumeProcessing($state);