feat: 🎸 IsEligible authProc filter

Author: Dominik František Bučík

config-templates/processFilterConfigurations-example.md

@@ -338,3 +338,55 @@ Configuration options:
     'interface' => 'ldap',
 ],
 ```
+
+## IsEligible
+
+Checks the eligibility timestamp. If the value is not older than `validity_period_months`, it lets the user in. Otherwise, user is forced to reauthenticate using other identity.
+
+Configuration options:
+* `trigger_attribute`: attribute name which has to be consumed by the service (in the SP remote metadata part attributes) to run this filter. If the attribute specified by the option is not released, filter is skipped.
+* `eligible_last_seen_timestamp_attribute`: attribute containing the timestamp of last eligible login (timestamp of this event). Has to be available in `$state[PerunConstants::Attributes]`.
+* `validity_period_months`: if the timestamp is older that this number of months, user won't be let in.
+* `translations`: inline translations for the unauthorized page.
+```php
+25 => [
+    'class' => 'perun:IsEligible',
+    'trigger_attribute' => 'isCesnetEligible',
+    'eligible_last_seen_timestamp_attribute' => 'isCesnetEligibleLastSeen',
+    'validity_period_months' => 12,
+    'translations' => [
+      'old_value_header'=> [
+        'en' => '...',
+        'cs' => '...',
+      ],
+      'old_value_text'=> [
+        'en' => '...',
+        'cs' => '...',
+      ],
+      'old_value_button'=> [
+        'en' => '...',
+        'cs' => '...',
+      ],
+      'old_value_contact'=> [
+        'en' => '...',
+        'cs' => '...',
+      ],
+      'no_value_header'=> [
+        'en' => '...',
+        'cs' => '...',
+      ],
+      'no_value_text'=> [
+        'en' => '...',
+        'cs' => '...',
+      ],
+      'no_value_button'=> [
+        'en' => '...',
+        'cs' => '...',
+      ],
+      'no_value_contact'=> [
+        'en' => '...',
+        'cs' => '...',
+      ],
+    ]
+],
+```

dictionaries/perun.definition.json

@@ -162,5 +162,21 @@
   "sp_authorize_notify_button": {
     "en": "Proceed to registration",
     "cs": "Pokračovat na registrační stránku"
+  },
+  "403_is_eligible_default_header": {
+    "en": "Access denied",
+    "cs": "Přístup zamítnut"
+  },
+  "403_is_eligible_default_text": {
+    "en": "Your account does not meet the criteria for accessing the service. Please log in with other account.",
+    "cs": "Přístup ke službě byl zamítnut, protože Váš účet nesplňuje pomdínky přístupu. Přihlaste se, prosíme, pomocí jiného účtu."
+  },
+  "403_is_eligible_default_button": {
+    "en": "Continue with other account",
+    "cs": "Pokračovat"
+  },
+  "403_is_eligible_default_contact": {
+    "en": "If you think you have used an account which meets the criteria, and you are still prevented from logging in to the service, please contact us at",
+    "cs": "Pokud si myslíte, že používáte správný účet a přístup je Vám odmítnut neprávem, prosíme kontakujte nás na"
   }
 }

lib/Auth/Process/IsEligible.php

@@ -0,0 +1,203 @@
+<?php
+
+declare(strict_types=1);
+
+namespace SimpleSAML\Module\perun\Auth\Process;
+
+use DateTime;
+use SimpleSAML\Auth\ProcessingFilter;
+use SimpleSAML\Auth\State;
+use SimpleSAML\Configuration;
+use SimpleSAML\Error\Exception;
+use SimpleSAML\Locale\Translate;
+use SimpleSAML\Logger;
+use SimpleSAML\Module;
+use SimpleSAML\Module\perun\PerunConstants;
+use SimpleSAML\Session;
+use SimpleSAML\Utils\HTTP;
+
+class IsEligible extends ProcessingFilter
+{
+    public const STAGE = 'perun:IsEligible';
+
+    public const DEBUG_PREFIX = self::STAGE . ' - ';
+
+    public const REDIRECT = 'perun/403_is_eligible.php';
+
+    public const TEMPLATE = 'perun:403-is-eligible-tpl.php';
+
+    public const DEFAULT_VALIDITY_PERIOD_MONTHS = 12;
+
+    public const PARAM_STATE_ID = PerunConstants::STATE_ID;
+
+    public const PARAM_RESTART_URL = 'restart_url';
+
+    public const TRIGGER_ATTRIBUTE = 'trigger_attribute';
+
+    public const ELIGIBLE_LAST_SEEN_TIMESTAMP_ATTRIBUTE = 'eligible_last_seen_timestamp_attribute';
+
+    public const VALIDITY_PERIOD_MONTHS = 'validity_period_months';
+
+    public const TRANSLATIONS = 'translations';
+
+    public const OLD_VALUE_HEADER_TRANSLATION = 'old_value_header';
+
+    public const OLD_VALUE_TEXT_TRANSLATION = 'old_value_text';
+
+    public const OLD_VALUE_BUTTON_TRANSLATION = 'old_value_button';
+
+    public const OLD_VALUE_CONTACT_TRANSLATION = 'old_value_contact';
+
+    public const NO_VALUE_HEADER_TRANSLATION = 'no_value_header';
+
+    public const NO_VALUE_TEXT_TRANSLATION = 'no_value_text';
+
+    public const NO_VALUE_BUTTON_TRANSLATION = 'no_value_button';
+
+    public const NO_VALUE_CONTACT_TRANSLATION = 'no_value_contact';
+
+    public const HEADER_TRANSLATION = 'header_translation';
+
+    public const TEXT_TRANSLATION = 'text_translation';
+
+    public const BUTTON_TRANSLATION = 'button_translation';
+
+    public const CONTACT_TRANSLATION = 'contact_translation';
+
+    private $triggerAttribute;
+
+    private $timestampAttribute;
+
+    private $validityPeriodMonths;
+
+    private $filterConfig;
+
+    private $translations;
+
+    public function __construct($config, $reserved)
+    {
+        parent::__construct($config, $reserved);
+        $this->filterConfig = Configuration::loadFromArray($config);
+
+        $this->triggerAttribute = $this->filterConfig->getString(self::TRIGGER_ATTRIBUTE);
+        $this->timestampAttribute = $this->filterConfig->getString(self::ELIGIBLE_LAST_SEEN_TIMESTAMP_ATTRIBUTE);
+
+        $this->validityPeriodMonths = $this->filterConfig->getInteger(
+            self::VALIDITY_PERIOD_MONTHS,
+            self::DEFAULT_VALIDITY_PERIOD_MONTHS
+        );
+
+        $this->translations = $this->filterConfig->getArray(self::TRANSLATIONS, []);
+    }
+
+    public function process(&$request)
+    {
+        assert(is_array($request));
+        assert(!empty($request[PerunConstants::DESTINATION]));
+        assert(!empty($request[PerunConstants::ATTRIBUTES]));
+
+        $attributesReleasedToSp = [];
+        if (!empty($request[PerunConstants::DESTINATION][PerunConstants::DESTINATION_ATTRIBUTES])) {
+            $attributesReleasedToSp = $request[PerunConstants::DESTINATION][PerunConstants::DESTINATION_ATTRIBUTES];
+        }
+
+        if (!in_array($this->triggerAttribute, $attributesReleasedToSp, true)) {
+            Logger::info(
+                self::DEBUG_PREFIX . 'SP does not consume the trigger attribute \'' . $this->triggerAttribute . '\'. Terminating execution of this filter.'
+            );
+            return;
+        }
+
+        $lastSeenEligibleTimestampString = null;
+        if (!empty($request[PerunConstants::ATTRIBUTES][$this->timestampAttribute])) {
+            $lastSeenEligibleTimestampString = $request[PerunConstants::ATTRIBUTES][$this->timestampAttribute][0];
+        } else {
+            Logger::info(
+                self::DEBUG_PREFIX . 'Timestamp of the last seen eligibility is empty, cannot let user go through. Redirecting to unauthorized explanation page.'
+            );
+            $this->unauthorized($request, false);
+        }
+
+        $lastSeenEligibleTimestamp = DateTime::createFromFormat('Y-m-d H:i:s', $lastSeenEligibleTimestampString);
+        $lastSeenEligibleTimestamp = $lastSeenEligibleTimestamp->modify('+' . $this->validityPeriodMonths . 'months');
+        $now = new DateTime();
+
+        if ($lastSeenEligibleTimestamp < $now) {
+            Logger::info(
+                self::DEBUG_PREFIX . 'Last seen eligibility timestamp value \'' . $lastSeenEligibleTimestampString . '\' is out of the defined period of ' . $this->validityPeriodMonths . ' months until now. Redirecting to unauthorized explanation page.'
+            );
+            $this->unauthorized($request, true);
+        }
+        Logger::info(
+            self::DEBUG_PREFIX . 'Last seen eligibility timestamp value \'' . $lastSeenEligibleTimestampString . '\' is inside the defined period of ' . $this->validityPeriodMonths . ' months until now. Continue to next filter.'
+        );
+    }
+
+    public function unauthorized(&$state, $hasValue)
+    {
+        $translations = $this->loadLocalTranslations($hasValue);
+        $state[self::TRANSLATIONS] = $translations;
+
+        $state = State::saveState($state, self::STAGE);
+
+        try {
+            $session = Session::getSessionFromRequest();
+            $session->doLogout('default-sp');
+        } catch (Exception|\Exception $exception) {
+            Logger::warning(self::DEBUG_PREFIX . 'Error when logging user out. Logout has failed!');
+            Logger::debug(
+                self::DEBUG_PREFIX . 'Details about the logout failure \'' . $exception->getMessage() . '\'.'
+            );
+        }
+        $url = Module::getModuleURL(self::REDIRECT);
+        $params = [
+            self::PARAM_STATE_ID => $state,
+        ];
+
+        HTTP::redirectTrustedURL($url, $params);
+    }
+
+    public static function loadLocalTranslation(
+        Translate $translator,
+        string $key,
+        array $translations,
+        string $defaultTranslationKey
+    ): string {
+        if (!empty($translations[$key])) {
+            $translation = $translations[$key];
+            $translationKey = '{' . self::STAGE . '_' . $key . '}';
+            $translator->includeInlineTranslation($translationKey, $translation);
+            return $translationKey;
+        }
+        return $defaultTranslationKey;
+    }
+
+    private function loadLocalTranslations($hasValue): array
+    {
+        if ($hasValue) {
+            $header = $this->loadTranslation(self::OLD_VALUE_HEADER_TRANSLATION, $this->translations);
+            $text = $this->loadTranslation(self::OLD_VALUE_TEXT_TRANSLATION, $this->translations);
+            $button = $this->loadTranslation(self::OLD_VALUE_BUTTON_TRANSLATION, $this->translations);
+            $contact = $this->loadTranslation(self::OLD_VALUE_CONTACT_TRANSLATION, $this->translations);
+        } else {
+            $header = $this->loadTranslation(self::NO_VALUE_HEADER_TRANSLATION, $this->translations);
+            $text = $this->loadTranslation(self::NO_VALUE_TEXT_TRANSLATION, $this->translations);
+            $button = $this->loadTranslation(self::NO_VALUE_BUTTON_TRANSLATION, $this->translations);
+            $contact = $this->loadTranslation(self::NO_VALUE_CONTACT_TRANSLATION, $this->translations);
+        }
+        return [
+            self::HEADER_TRANSLATION => $header,
+            self::TEXT_TRANSLATION => $text,
+            self::BUTTON_TRANSLATION => $button,
+            self::CONTACT_TRANSLATION => $contact,
+        ];
+    }
+
+    private function loadTranslation(string $key, array $translations): array
+    {
+        if (array_key_exists($key, $translations)) {
+            return $translations[$key];
+        }
+        return [];
+    }
+}

lib/PerunConstants.php

@@ -41,4 +41,8 @@ class PerunConstants
     public const SP_ADMINISTRATION_CONTACT = 'administrationContact';
 
     public const SP_NAME = 'name';
+
+    public const DESTINATION = 'Destination';
+
+    public const DESTINATION_ATTRIBUTES = 'attributes';
 }

templates/403-is-eligible-tpl.php

@@ -0,0 +1,48 @@
+<?php declare(strict_types=1);
+
+use SimpleSAML\Configuration;
+use SimpleSAML\Module;
+use SimpleSAML\Module\perun\Auth\Process\IsEligible;
+
+header('HTTP/1.0 403 Forbidden');
+
+$headerKey = $this->data[IsEligible::HEADER_TRANSLATION];
+$textKey = $this->data[IsEligible::TEXT_TRANSLATION];
+$buttonKey = $this->data[IsEligible::BUTTON_TRANSLATION];
+$contactKey = $this->data[IsEligible::CONTACT_TRANSLATION];
+
+$restartUrl = $this->data[IsEligible::PARAM_RESTART_URL] ?: null;
+$config = Configuration::getInstance();
+$supportAddress = $config->getString('technicalcontact_email', 'N/A');
+
+$this->data['head'] = '<link rel="stylesheet"  media="screen" type="text/css" href="' .
+    Module::getModuleUrl('perun/res/css/perun.css') . '" />';
+
+$this->data['header'] = $this->t($headerKey);
+
+
+
+$this->includeAtTemplateBase('includes/header.php');
+
+?>
+
+<div class="row">
+    <div>
+        <p><?php echo $this->t($textKey); ?></p>
+        <?php if (!empty($restartUrl)): ?>
+        <p>
+            <a class="btn btn-lg btn-block btn-primary" href="<?php echo $restartUrl ?>">
+                <?php echo $this->t($buttonKey); ?>
+            </a>
+        </p>
+        <?php endif ?>
+        <p><?php echo $this->t(
+    $contactKey
+); ?> <a href="mailto:<?php echo $supportAddress; ?>"><?php echo $supportAddress; ?></a></p>
+    </div>
+</div>
+
+
+<?php
+
+$this->includeAtTemplateBase('includes/footer.php');

www/403_is_eligible.php

@@ -0,0 +1,57 @@
+<?php
+
+declare(strict_types=1);
+
+use SimpleSAML\Auth\State;
+use SimpleSAML\Configuration;
+use SimpleSAML\Error\BadRequest;
+use SimpleSAML\Module\perun\Auth\Process\IsEligible;
+use SimpleSAML\XHTML\Template;
+
+if (empty($_REQUEST[IsEligible::PARAM_STATE_ID])) {
+    throw new BadRequest('Missing required \'' . IsEligible::PARAM_STATE_ID . '\' query parameter.');
+}
+
+$state = State::loadState($_REQUEST[IsEligible::PARAM_STATE_ID], IsEligible::STAGE);
+
+$config = Configuration::getInstance();
+$t = new Template($config, IsEligible::TEMPLATE);
+
+$restartUrl = $state[State::RESTART] ?: null;
+
+$headerKey = '{perun:perun:403_is_eligible_default_header}';
+$textKey = '{perun:perun:403_is_eligible_default_text}';
+$buttonKey = '{perun:perun:403_is_eligible_default_button}';
+$contactKey = '{perun:perun:403_is_eligible_default_contact}';
+
+$translations = $state[IsEligible::TRANSLATIONS] ?: [];
+if (!empty($translations)) {
+    $translator = $t->getTranslator();
+    $headerKey = IsEligible::loadLocalTranslation(
+        $translator,
+        IsEligible::HEADER_TRANSLATION,
+        $translations,
+        $headerKey
+    );
+    $textKey = IsEligible::loadLocalTranslation($translator, IsEligible::TEXT_TRANSLATION, $translations, $textKey);
+    $buttonKey = IsEligible::loadLocalTranslation(
+        $translator,
+        IsEligible::BUTTON_TRANSLATION,
+        $translations,
+        $buttonKey
+    );
+    $contactKey = IsEligible::loadLocalTranslation(
+        $translator,
+        IsEligible::CONTACT_TRANSLATION,
+        $translations,
+        $contactKey
+    );
+}
+
+$t->data[IsEligible::PARAM_RESTART_URL] = $restartUrl;
+$t->data[IsEligible::HEADER_TRANSLATION] = $headerKey;
+$t->data[IsEligible::TEXT_TRANSLATION] = $textKey;
+$t->data[IsEligible::BUTTON_TRANSLATION] = $buttonKey;
+$t->data[IsEligible::CONTACT_TRANSLATION] = $contactKey;
+
+$t->show();