ISSUE-338: saml login (#1064)

* update action version

* ISSUE-338: login-logout

* ISSUE-338: style

* ISSUE-338: after review 1

* update SSO login logic

* ISSUE-339: oidc login

* ISSUE-338: settings

---------

Co-authored-by: Tatevik <[email protected]>

* ISSUE-338: make login display safe + test config update

* ISSUE-338: test

* ISSUE-338: show default login

---------

Co-authored-by: Tatevik <[email protected]>
Co-authored-by: Michiel Dethmers <[email protected]>

Author: 3 people

.github/workflows/main.yml

@@ -18,7 +18,7 @@ jobs:
             experimental: true
 
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
 
       - name: Set up PHP ${{ matrix.php-version }}
         uses: shivammathur/setup-php@v2
@@ -79,8 +79,9 @@ jobs:
           cp -fv tests/ci/config.php public_html/lists/config/config.php
           mkdir -p output/screenshots
           mkdir -p build/mails
+          chmod -R 777 output/screenshots build/mails
           ./bin/start-selenium > output/selenium.log 2>&1 &
-          sleep 5
+          sleep 15
           sudo php -S 0.0.0.0:80 -t public_html > /dev/null 2>&1 &
         continue-on-error: ${{ matrix.experimental }}
 

public_html/lists/admin/home.php

@@ -130,8 +130,20 @@
     </p>
 
     <p><span class="total"><?php echo number_format($lastcampaign['total']) ?></span> Messages sent on <span class="total"><?php echo $lastcampaign['sent'] ?></span>.</p>
-    <p><span class="total"><?php echo number_format($lastcampaign['views']) ?> </span> Viewed (<span class="total"><?php echo sprintf('%0.2f', ($lastcampaign['views'] / ($lastcampaign['total'] - $lastcampaign['bounced']) * 100)) ?>%</span>), and <span class="total"><?php echo $lastcampaign['bounced'] ?></span> bounced (<span class="total"><?php echo sprintf('%0.2f', ($lastcampaign['bounced'] / $lastcampaign['total'] * 100)) ?>%</span>).</p>
-
+            <p>
+                <span class="total"><?php echo number_format($lastcampaign['views']) ?> </span> Viewed
+                (<?php
+                echo $lastcampaign['total'] > 0
+                    ? '<span class="total">' . sprintf('%0.2f', ($lastcampaign['views'] / ($lastcampaign['total'] - $lastcampaign['bounced']) * 100)) . '%</span>'
+                    : 'N/A';
+                ?>),
+                and <span class="total"><?php echo $lastcampaign['bounced'] ?></span> bounced
+                (<?php
+                echo $lastcampaign['total'] > 0
+                    ? '<span class="total">' . sprintf('%0.2f', ($lastcampaign['bounced'] / $lastcampaign['total'] * 100)) . '%</span>'
+                    : 'N/A';
+                ?>).
+            </p>
     <?php
 } ?>
 

public_html/lists/admin/index.php

@@ -100,6 +100,7 @@ function mb_strtolower($string)
 if (file_exists(dirname(__FILE__).'/../texts/'.$GLOBALS['language_module'])) {
     include_once dirname(__FILE__).'/../texts/'.$GLOBALS['language_module'];
 }
+@session_start();
 include_once dirname(__FILE__).'/languages.php';
 require_once dirname(__FILE__).'/defaultconfig.php';
 
@@ -290,6 +291,11 @@ function mb_strtolower($string)
 }
 echo "$page_title</title>";
 $inRemoteCall = false;
+if ($page_title === 'enablelogin') {
+    SaveConfig('hide_default_login', 0);
+    header('Location: ?page=home');
+    exit;
+}
 $doLoginCheck = Sql_Table_exists($tables['admin_login']);
 
 if (!empty($GLOBALS['require_login'])) {
@@ -374,6 +380,9 @@ function mb_strtolower($string)
         //$msg = 'Not logged in';
         $logged = false;
         foreach ($GLOBALS['plugins'] as $pluginname => $plugin) {
+            if ($pluginname == 'simplesaml' && !isset($_GET[$GLOBALS['plugins'][$pluginname]->autUrl])) {
+                continue;
+            }
             if ($plugin->login()) {
                 $logged = true;
                 break;

public_html/lists/admin/init.php

@@ -647,7 +647,11 @@
 if (!isset($allowed_referrers) || !is_array($allowed_referrers)) {
     $allowed_referrers = array();
 }
-if (isset($_SERVER['HTTP_ORIGIN']) && defined('ACCESS_CONTROL_ALLOW_ORIGINS') && in_array($_SERVER['HTTP_ORIGIN'], ACCESS_CONTROL_ALLOW_ORIGINS)) {
+if (
+    isset($_SERVER['HTTP_ORIGIN'])
+    && defined('ACCESS_CONTROL_ALLOW_ORIGINS')
+    && in_array($_SERVER['HTTP_ORIGIN'], ACCESS_CONTROL_ALLOW_ORIGINS)
+) {
     define('ACCESS_CONTROL_ALLOW_ORIGIN', $_SERVER['HTTP_ORIGIN']);
 } elseif (!defined('ACCESS_CONTROL_ALLOW_ORIGIN')) {
     define('ACCESS_CONTROL_ALLOW_ORIGIN', $GLOBALS['scheme'].'://'.$_SERVER['HTTP_HOST']);

public_html/lists/admin/languages.php

@@ -53,7 +53,6 @@ function lanSort($a, $b)
 if (!empty($GLOBALS['SessionTableName'])) {
     require_once dirname(__FILE__).'/sessionlib.php';
 }
-@session_start();
 
 if (isset($_POST['setlanguage']) && !empty($_POST['setlanguage']) && is_array($LANGUAGES[$_POST['setlanguage']])) {
     //# just in case

public_html/lists/admin/login.php

@@ -46,6 +46,41 @@ function footer()
     echo '</div></form>';
 }
 
+function enableDefaultLogin()
+{
+    echo '<div class="login"><p>';
+    echo '<strong>' . $GLOBALS['I18N']->get('Having trouble with SSO login?') . '</strong><br>';
+    echo $GLOBALS['I18N']->get('You can still use default login by clicking on the button') . ' ';
+    echo '<a href="?page=enablelogin" class="submit">' . $GLOBALS['I18N']->get('Enable default login') . '</a>';
+    echo '</p><div class="clear"></div></div>';
+}
+
+
+function renderSSO()
+{
+    if (!empty($GLOBALS['ssoplugin'])) {
+        echo '<form method="post" id="forgotpassword-form" action="">';
+        echo '<div style="display: flex; justify-content: space-around; align-items: center;">';
+
+        foreach ($GLOBALS['ssoplugin'] as $plugin) {
+            if (isset($GLOBALS['plugins'][$plugin])) {
+                $pluginInstance = $GLOBALS['plugins'][$plugin];
+                $ssoUrl = $pluginInstance->autUrl;
+                $buttonText = 'Login with ' . getConfig($pluginInstance->name);
+
+                echo '<a href="?' . $ssoUrl . '" 
+                    style="display: inline-block; padding: 8px 15px; background-color: #3c3c3c; color: #fff; 
+                           text-decoration: none; border-radius: 5px; font-size: 16px; text-align: center; 
+                           min-width: 120px;">
+                    ' .  $buttonText . '
+                  </a>';
+            }
+        }
+
+        echo '</div>';
+        echo '</form>';
+    }
+}
 //Delete from the DB every token older than certain elapsed time.
 function deleteOldTokens()
 {
@@ -116,16 +151,24 @@ function deleteOldTokens()
         exit;
     }
 } else {
-    echo "<form method=\"post\" id=\"login-form\" action=\"\">\n";
-    echo "  <input type=\"hidden\" name=\"page\" value=\"$page\" />\n";
-    echo "  <table class=\"loginPassUpdate\" width=\"100%\" border=\"0\" cellpadding=\"2\" cellspacing=\"0\">\n";
-    echo '    <tr><td><span class="general">'.$GLOBALS['I18N']->get('Name').":</span></td></tr>\n";
-    echo '    <tr><td><input type="text" name="login" value="" size="30"  autofocus="autofocus" /></td></tr>';
-    echo '    <tr><td><span class="general">'.$GLOBALS['I18N']->get('Password').':</span></td></tr>';
-    echo '    <tr><td><input type="password" name="password" value="" size="30" /></td></tr>';
-    echo '    <tr><td><input class="submit" type="submit" name="process" value="'.$GLOBALS['I18N']->get('Continue').'" /></td></tr>';
-    echo '  </table>';
-    echo '</form>';
-    footer();
+    $showDefaultLogin = !isset($GLOBALS['ssoplugin']) || !getConfig('hide_default_login');
+    if ($showDefaultLogin) {
+        echo "<form method=\"post\" id=\"login-form\" action=\"\">\n";
+        echo "  <input type=\"hidden\" name=\"page\" value=\"$page\" />\n";
+        echo "  <table class=\"loginPassUpdate\" width=\"100%\" border=\"0\" cellpadding=\"2\" cellspacing=\"0\">\n";
+        echo '    <tr><td><span class="general">'.$GLOBALS['I18N']->get('Name').":</span></td></tr>\n";
+        echo '    <tr><td><input type="text" name="login" value="" size="30"  autofocus="autofocus" /></td></tr>';
+        echo '    <tr><td><span class="general">'.$GLOBALS['I18N']->get('Password').':</span></td></tr>';
+        echo '    <tr><td><input type="password" name="password" value="" size="30" /></td></tr>';
+        echo '    <tr><td><input class="submit" type="submit" name="process" value="'.$GLOBALS['I18N']->get('Continue').'" /></td></tr>';
+        echo '  </table>';
+        echo '</form>';
+        footer();
+    }
+    renderSSO();
+
+    if (!$showDefaultLogin) {
+        enableDefaultLogin();
+    }
 }
 ?>

public_html/lists/admin/pluginlib.php

@@ -12,6 +12,7 @@
 $GLOBALS['emailsenderplugin'] = false;
 $GLOBALS['analyticsqueryplugin'] = false;
 $GLOBALS['updaterplugin'] = false;
+$GLOBALS['ssoplugin'] = [];
 
 $pluginRootDirs = array();
 if (PLUGIN_ROOTDIRS != '') {
@@ -111,6 +112,10 @@
                     ) {
                         $GLOBALS['editorplugin'] = $className;
                     }
+                    if (method_exists($pluginInstance, 'login') && isset($pluginInstance->ssoProvider))
+                    {
+                        $GLOBALS['ssoplugin'][] = $className;
+                    }
                     if (!$GLOBALS['authenticationplugin'] && $pluginInstance->authProvider && method_exists($pluginInstance,
                             'validateLogin')
                     ) {

public_html/lists/admin/plugins/.htaccess

@@ -10,7 +10,7 @@
 		Require all denied
 	</IfModule>
 </FilesMatch>
-<FilesMatch "index.php$">
+<FilesMatch "(index.php|module.php)$">
 	# Apache < 2.3
 	<IfModule !mod_authz_core.c>
 		Order allow,deny

tests/ci/behat.yml

@@ -7,13 +7,11 @@ default:
         - ./features
       contexts:
         - FeatureContext:
-          # Set database access credentials
           database:
             host: 127.0.0.1
             user: phplist
             password: phplist
             name: phplistdb
-          # Set admin user login credentials
           admin:
             username: admin
             password: Mypassword123+
@@ -24,7 +22,7 @@ default:
         - FailAid\Context\FailureContext
   extensions:
     Behat\MinkExtension:
-      show_cmd: 'cp %s ./output/lastResponse.html' #'cat %s'
+      show_cmd: 'cp %s ./output/lastResponse.html'
       base_url: 'http://127.0.0.1'
       default_session: chrome
       sessions:
@@ -35,6 +33,11 @@ default:
               browserName: chrome
               browser: chrome
               version: ""
+              extra_capabilities:
+                timeouts:
+                  implicit: 10000     # 5 seconds for implicit waits
+                  pageLoad: 60000    # 30 seconds for page loads
+                  script: 60000      # 30 seconds for async scripts
               chrome:
                 switches:
                   - "--headless"
@@ -54,7 +57,7 @@ default:
           selenium2:
             browser: "firefox"
             wd_host: http://127.0.0.1:4444/wd/hub
-    FailAid\Extension: 
+    FailAid\Extension:
       screenshot:
         directory: /tmp/screenshots/
         mode: default

tests/features/bootstrap/FeatureContext.php

@@ -1,17 +1,8 @@
 <?php
 
-use Behat\Behat\Context\Context;
 
 use Behat\Mink\Exception\ExpectationException;
 use Behat\MinkExtension\Context\MinkContext;
-#use Behat\MinkExtension\Context\RawMinkContext;
-
-//
-// Require 3rd-party libraries here:
-//
-//   require_once 'PHPUnit/Autoload.php';
-//   require_once 'PHPUnit/Framework/Assert/Functions.php';
-//
 
 /**
  * Features context.
@@ -107,7 +98,7 @@ public function spins($closure, $tries = 10)
                 $closure();
 
                 return;
-            } catch (\Exception $e) {
+            } catch (Exception $e) {
                 if ($i == $tries) {
                     throw $e;
                 }
@@ -185,7 +176,7 @@ public function isLoggedIn($throwsException = false)
     {
         $retVal = $this->token != null;
         if(!$retVal && $throwsException){
-            throw new \Exception('Not logged in yet');
+            throw new Exception('Not logged in yet');
         }
         return $retVal;
     }
@@ -339,4 +330,28 @@ public function iConfirmThePopup()
         $this->getSession()->getDriver()->getWebDriverSession()->accept_alert();
     }
 
+    /**
+     * @Then I must see :text
+     */
+    public function iMustSee($text)
+    {
+        $maxAttempts = 3;
+        $waitTimeMs = 1000;
+        $this->getSession()->wait(5000, "document.readyState === 'complete'");
+
+        for ($attempt = 1; $attempt <= $maxAttempts; $attempt++) {
+            try {
+                $this->assertSession()->pageTextContains($this->fixStepArgument($text));
+                return;
+            } catch (\WebDriver\Exception\StaleElementReference $e) {
+                // Handle Selenium stale element exception, retry
+            } catch (\Behat\Mink\Exception\ResponseTextException $e) {
+                // Handle Mink text assertion failure, retry
+            }
+
+            usleep($waitTimeMs * 1000);
+        }
+
+        throw new Exception(sprintf("Text '%s' not found after %d attempts.", $text, $maxAttempts));
+    }
 }