Merge pull request #220 from OpenConext/develop

EB 4.7

Author: Boy Baukema

.gitignore

@@ -1,8 +1,2 @@
-*.iml
-*.ipr
-*.iws
-.idea/
 /build
 /vendor/
-/www/authentication/generated/
-bin/ignore_me.php

README.md

@@ -293,3 +293,8 @@ load the required theme modules.
 
 Themes can be deployed using a Grunt task, from the theme directory run `grunt theme:mythemename`, this will initiate 
 the appropriate tasks for cleaning the previous theme and deploying the new theme on your installation.
+
+The following commandline may give you all the needed dependencies and run grunt to update the installed files after changing a theme:
+```
+(cd theme && npm install && sudo npm install -g bower && bower install && grunt)
+```

application/configs/application.ini

@@ -210,23 +210,24 @@ serviceRegistry.caching.backend.options.file_name_prefix = "eb_sr_cache"
 serviceRegistry.caching.backend.options.lifetime = 1;
 
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
-;;;;;;;;;; API VO VALIDATION SETTINGS ;;;;;;;;;;
+;;;;;;;;;; EngineBlock API credentials ;;;;;;;;;
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 
-; Base URL that engineblock can use to validate that a given use belongs to a given Virtual Organization.
-api.vovalidate.baseUrl = "https://api.demo.openconext.org"
-api.vovalidate.key = "oauth_key"
-api.vovalidate.secret = "oauth_secret"
+; Username and password for engine-api usage.
+engineApi.user = janus-ssp
+;engineApi.password = RANDOM PASSWORD HERE
 
 
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
-;;;;;;;;;; EngineBlock API credentials ;;;;;;;;;
+;;;;;;;;;;;; PDP SETTINGS ;;;;;;;;;;;;;;;;;;;;;;
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 
-; Username and password for engine-api usage.
-engineApi.user = janus-ssp
-;engineApi.password = RANDOM PASSWORD HERE
+; Location of PDP
+pdp.baseUrl = "https://pdp.surfconext.nl/decide/policy"
 
+; PDP uses basic auth
+pdp.username = "pdp_admin"
+pdp.password = "secret"
 
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;;;;;;;;;;;; MISCELLANEOUS SETTINGS ;;;;;;;;;;;;
@@ -289,4 +290,4 @@ subjectIdAttribute = "collabpersonid"
 ; trustedProxyIps[] = 192.168.1.1
 
 ; UI Options
-ui.return_to_sp_link.active = false
+ui.return_to_sp_link.active = false

application/modules/Authentication/Controller/Feedback.php

@@ -2,77 +2,100 @@
 
 class Authentication_Controller_Feedback extends EngineBlock_Controller_Abstract
 {
-    public function vomembershiprequiredAction()
+    public function unableToReceiveMessageAction()
     {
-        $this->_getResponse()->setStatus(403, 'Forbidden');
+        $this->_getResponse()->setStatus(400, 'Bad Request');
+        session_start();
     }
 
-    public function unableToReceiveMessageAction()
+    public function sessionLostAction()
     {
         $this->_getResponse()->setStatus(400, 'Bad Request');
+        session_start();
     }
 
-    public function sessionLostAction()
+    public function dissimilarWorkflowStatesAction()
     {
         $this->_getResponse()->setStatus(400, 'Bad Request');
+        session_start();
     }
 
     public function unknownIssuerAction()
     {
         $this->_getResponse()->setStatus(404, 'Not Found');
         $this->__set('entity-id', $this->_getRequest()->getQueryParameter('entity-id'));
         $this->__set('destination', $this->_getRequest()->getQueryParameter('destination'));
+        session_start();
     }
 
     public function unknownServiceProviderAction()
     {
         $this->_getResponse()->setStatus(400, 'Bad Request');
         $this->__set('entity-id', $this->_getRequest()->getQueryParameter('entity-id'));
+        session_start();
+    }
+
+    public function unknownPreselectedIdpAction()
+    {
+        $this->_getResponse()->setStatus(400, 'Bad Request');
+        $this->__set('idp-hash', $this->_getRequest()->getQueryParameter('idp-hash'));
+        session_start();
     }
 
     public function missingRequiredFieldsAction()
     {
         $this->_getResponse()->setStatus(400, 'Bad Request');
+        session_start();
     }
 
-    public function noConsentAction()
+    public function authorizationPolicyViolationAction()
     {
+        session_start();
+    }
 
+    public function noConsentAction()
+    {
+        session_start();
     }
 
     public function customAction()
     {
-        $proxyServer = new EngineBlock_Corto_ProxyServer();
-        $proxyServer->startSession();
+        session_start();
     }
 
     public function invalidAcsLocationAction()
     {
         $this->_getResponse()->setStatus(400, 'Bad Request');
+        session_start();
     }
 
     public function invalidAcsBindingAction()
     {
         // @todo Send 4xx or 5xx header depending on invalid binding came from request or configured metadata
+        session_start();
     }
 
     public function receivedErrorStatusCodeAction()
     {
         // @todo Send 4xx or 5xx header?
+        session_start();
     }
 
     public function receivedInvalidResponseAction()
     {
         // @todo Send 4xx or 5xx header?
+        session_start();
     }
 
     public function receivedInvalidSignedResponseAction()
     {
         // @todo Send 4xx or 5xx header?
+        session_start();
     }
 
     public function noIdpsAction()
     {
         // @todo Send 4xx or 5xx header?
+        session_start();
     }
 }

application/modules/Authentication/Controller/IdentityProvider.php

@@ -36,8 +36,8 @@ protected function _singleSignOn($service = 'singleSignOn', array $arguments = a
 
             $idPEntityId = NULL;
 
-            // Optionally allow /single-sign-on/vo:myVoId/remoteIdPHash or
-            // /single-sign-on/remoteIdPHash/vo:myVoId/key:20140420
+            // Optionally allow /single-sign-on/remoteIdPHash or
+            // /single-sign-on/remoteIdPHash/key:20140420
             foreach ($arguments as $argument) {
                 if (substr($argument, 0, 3) == 'vo:') {
                     $proxyServer->setVirtualOrganisationContext(substr($argument, 3));
@@ -68,14 +68,6 @@ protected function _singleSignOn($service = 'singleSignOn', array $arguments = a
             $application->handleExceptionWithFeedback($e,
                 '/authentication/feedback/unable-to-receive-message');
         }
-        catch (EngineBlock_Corto_Exception_UserNotMember $e) {
-            $application->getLogInstance()->notice(
-                "User is not a member",
-                array('exception' => $e)
-            );
-            $application->handleExceptionWithFeedback($e,
-                '/authentication/feedback/vomembershiprequired');
-        }
         catch (EngineBlock_Corto_Module_Services_SessionLostException $e) {
             $application->getLogInstance()->notice(
                 "Session lost",
@@ -99,7 +91,8 @@ protected function _singleSignOn($service = 'singleSignOn', array $arguments = a
                 "No Identity Providers",
                 array('exception' => $e)
             );
-            $application->handleExceptionWithFeedback($e,
+            $application->handleExceptionWithFeedback(
+                $e,
                 '/authentication/feedback/no-idps'
             );
         }
@@ -108,10 +101,31 @@ protected function _singleSignOn($service = 'singleSignOn', array $arguments = a
                 "Invalid ACS location",
                 array('exception' => $e)
             );
-            $application->handleExceptionWithFeedback($e,
+            $application->handleExceptionWithFeedback(
+                $e,
                 '/authentication/feedback/invalidAcsLocation'
             );
         }
+        catch (EngineBlock_Exception_DissimilarServiceProviderWorkflowStates $e) {
+            $application->getLogInstance()->notice(
+                "Dissimilar Service Provider workflowstates in request chain (transparant proxying)",
+                array('exception' => $e)
+            );
+            $application->handleExceptionWithFeedback(
+                $e,
+                '/authentication/feedback/dissimilar-workflow-states'
+            );
+        }
+        catch (EngineBlock_Corto_Exception_UnknownPreselectedIdp $e) {
+            $application->getLogInstance()->notice(
+                $e->getMessage(),
+                array('exception' => $e)
+            );
+            $application->handleExceptionWithFeedback(
+                $e,
+                '/authentication/feedback/unknown-preselected-idp?idp-hash=' . $e->getRemoteIdpMd5Hash()
+            );
+        }
     }
 
     public function processWayfAction()
@@ -162,10 +176,6 @@ public function processConsentAction()
             $application->handleExceptionWithFeedback($e,
                 '/authentication/feedback/unable-to-receive-message');
         }
-        catch (EngineBlock_Corto_Exception_UserNotMember $e) {
-            $application->handleExceptionWithFeedback($e,
-                '/authentication/feedback/vomembershiprequired');
-        }
         catch (EngineBlock_Corto_Module_Services_SessionLostException $e) {
             $application->handleExceptionWithFeedback($e,
                 '/authentication/feedback/session-lost');

application/modules/Authentication/Controller/Proxy.php

@@ -95,16 +95,6 @@ public function processedAssertionAction()
             $proxyServer = new EngineBlock_Corto_Adapter();
             $proxyServer->processedAssertionConsumer();
         }
-        catch (EngineBlock_Corto_Exception_UserNotMember $e) {
-            $application->getLogInstance()->notice(
-                "VO membership required",
-                array('exception' => $e)
-            );
-            $application->handleExceptionWithFeedback(
-                $e,
-                '/authentication/feedback/vomembershiprequired'
-            );
-        }
         catch (EngineBlock_Attributes_Manipulator_CustomException $e) {
             $application->getLogInstance()->notice(
                 "Custom attribute manipulator exception",

application/modules/Authentication/Controller/ServiceProvider.php

@@ -12,15 +12,14 @@ public function consumeAssertionAction()
         try {
             $proxyServer->consumeAssertion();
         }
-        catch (EngineBlock_Corto_Exception_UserNotMember $e) {
+        catch (EngineBlock_Corto_Exception_PEPNoAccess $e) {
             $application->getLogInstance()->notice(
-                "VO membership required",
+                "PEP authorization rule violation",
                 array('exception' => $e)
             );
-            $application->handleExceptionWithFeedback(
-                $e,
-                '/authentication/feedback/vomembershiprequired'
-            );
+            $application->handleExceptionWithFeedback($e,
+                '/authentication/feedback/authorization-policy-violation',
+                array("error_authorization_policy_violation_name" => $e->getMessage()));
         }
         catch (EngineBlock_Corto_Module_Services_SessionLostException $e) {
             $application->getLogInstance()->notice(
@@ -110,6 +109,16 @@ public function consumeAssertionAction()
                 '/authentication/feedback/received-invalid-response'
             );
         }
+        catch (EngineBlock_Exception_DissimilarServiceProviderWorkflowStates $e) {
+            $application->getLogInstance()->notice(
+                "Dissimilar Service Provider workflowstates in request chain (transparant proxying)",
+                array('exception' => $e)
+            );
+            $application->handleExceptionWithFeedback(
+                $e,
+                '/authentication/feedback/dissimilar-workflow-states'
+            );
+        }
     }
 
     public function processConsentAction()
@@ -126,9 +135,14 @@ public function processConsentAction()
             $application->handleExceptionWithFeedback($e,
                 '/authentication/feedback/session-lost');
         }
-        catch (EngineBlock_Corto_Exception_UserNotMember $e) {
+        catch (EngineBlock_Corto_Exception_PEPNoAccess $e) {
+            $application->getLogInstance()->notice(
+                "PEP authorization rule violation",
+                array('exception' => $e)
+            );
             $application->handleExceptionWithFeedback($e,
-                '/authentication/feedback/vomembershiprequired');
+                '/authentication/feedback/authorization-policy-violation',
+                array("error_authorization_policy_violation_name" => $e->getMessage()));
         }
         catch (EngineBlock_Attributes_Manipulator_CustomException $e) {
             $_SESSION['feedback_custom'] = $e->getFeedback();

application/modules/Authentication/View/Feedback/AuthorizationPolicyViolation.phtml

@@ -0,0 +1,23 @@
+<?php /* This file is generated. Please edit the files of the appropriate theme in the 'theme/' directory. */ ?>
+<?php
+
+/**
+ * @var Zend_Layout $layout
+ */
+$layout = $this->layout();
+
+// Set Layout properties
+$layout->title = $layout->title. ' - ' .$this->t('error_authorization_policy_violation');
+$layout->header = $layout->title;
+$layout->subheader = $this->t('error_authorization_policy_violation');
+$layout->wide = true;
+
+?>
+<div class="box">
+  <div class="mod-content">
+    <h1><?php echo htmlentities($this->layout()->subheader, 0, "UTF-8"); ?></h1>
+    <?= $this->t('error_authorization_policy_violation_desc');
+
+    require_once realpath(__DIR__ . '/../../../Default/View/Error/include/footer.php'); ?>
+  </div>
+</div>

…View/Feedback/Vomembershiprequired.phtml …/Feedback/DissimilarWorkflowStates.phtmlapplication/modules/Authentication/View/Feedback/Vomembershiprequired.phtml renamed to application/modules/Authentication/View/Feedback/DissimilarWorkflowStates.phtml application/modules/Authentication/View/Feedback/Vomembershiprequired.phtml renamed to application/modules/Authentication/View/Feedback/DissimilarWorkflowStates.phtml

@@ -7,17 +7,17 @@
 $layout = $this->layout();
 
 // Set Layout properties
-$layout->title = $layout->title. ' - ' .$this->t('error_vo_membership_required');
+$layout->title = $layout->title. ' - ' .$this->t('error_session');
 $layout->header = $layout->title;
-$layout->subheader = $this->t('error_vo_membership_required');
+$layout->subheader = $this->t('error_dissimilar_workflow_state');
 $layout->wide = true;
 
 ?>
 <div class="box">
   <div class="mod-content">
     <h1><?php echo htmlentities($this->layout()->subheader, 0, "UTF-8"); ?></h1>
-    <p><?= $this->t('error_vo_membership_required_desc') ?></p>
+    <?= $this->t('error_dissimilar_workflow_state_desc');
 
-    <?php require_once realpath(__DIR__ . '/../../../Default/View/Error/include/footer.php') ?>
+    require_once realpath(__DIR__ . '/../../../Default/View/Error/include/footer.php'); ?>
   </div>
 </div>

application/modules/Authentication/View/Feedback/UnknownPreselectedIdp.phtml

@@ -0,0 +1,29 @@
+<?php /* This file is generated. Please edit the files of the appropriate theme in the 'theme/' directory. */ ?>
+<?php
+
+/**
+ * @var Zend_Layout $layout
+ */
+$layout = $this->layout();
+
+// Set Layout properties
+$layout->title = $layout->title. ' - Error';
+$layout->header = $layout->title;
+$layout->subheader = $this->t('error_unknown_preselected_idp');
+$layout->wide = true;
+?>
+<div class="box">
+    <div class="mod-content">
+        <h1><?php echo htmlentities($this->layout()->subheader, 0, "UTF-8"); ?></h1>
+        <?= $this->t('error_unknown_preselected_idp_desc');
+
+        // Add feedback info from url
+        $customFeedbackInfo['Idp Hash'] = $this->_data['idp-hash'];
+        if (!isset($_SESSION['feedbackInfo'])) {
+            $_SESSION['feedbackInfo'] = array();
+        }
+        $_SESSION['feedbackInfo'] = array_merge($customFeedbackInfo, $_SESSION['feedbackInfo']);
+
+        require_once realpath(__DIR__ . '/../../../Default/View/Error/include/footer.php'); ?>
+    </div>
+</div>