Merge pull request #18 from silinternational/develop

Password expiration splash screen

Author: longrunningprocess

README.md

@@ -73,11 +73,34 @@ content of that announcement.  HTML is supported.
 4. Click **Login with idp1** (NOTE: login page should NOT have material design)
 5. Login as idp1 administrator, e.g., username=admin & password=a
 6. Click **Logout**
-7. Click **Authentication** tab
-8. Click **Test configured authentication sources**
-9. Click **hub-discovery**
-10. Click **Login with idp2** (NOTE: login page should have material design)
-11. Login as idp2 administrator, e.g., username=admin & password=b
+7. Goto [http://ssp-hub.local](http://ssp-hub.local)
+8. Click **Authentication** tab
+9. Click **Test configured authentication sources**
+10. Click **hub-discovery**
+11. Click **Login with idp2** (NOTE: login page should have material design)
+12. Login as an idp2 user, e.g., username=distant_future & password=a
+13. Click **Logout**
+
+### Expiry
+
+#### About to expire
+1. Goto [http://ssp-hub.local](http://ssp-hub.local)
+2. Click **Authentication** tab
+3. Click **Test configured authentication sources**
+4. Click **hub-discovery**
+5. Click **Login with idp2**
+6. Login as an an "about to expire" user, e.g., username=near_future & password=b
+7. Click **Maybe later**
+8. Click **Logout**
+
+#### Expired
+1. Goto [http://ssp-hub.local](http://ssp-hub.local)
+2. Click **Authentication** tab
+3. Click **Test configured authentication sources**
+4. Click **hub-discovery**
+5. Click **Login with idp2**
+6. Login as an an "expired" user, e.g., username=already_past & password=c
+
 
 ## i18n support
 Translations are categorized by page in definition files located in the `dictionaries` directory.

development/idp2/authsources.php

@@ -1,6 +1,42 @@
 <?php
 $config = [
-    'admin' => [
-        'core:AdminPassword',
+    'example-userpass' => [
+        'exampleauth:UserPass',
+        'distant_future:a' => [
+            'eduPersonPrincipalName' => ['[email protected]'],
+            'eduPersonTargetID' => ['11111111-1111-1111-1111-111111111111'],
+            'sn' => ['Future'],
+            'givenName' => ['Distant'],
+            'mail' => ['[email protected]'],
+            'employeeNumber' => ['11111'],
+            'cn' => ['DISTANT_FUTURE'],
+            'schacExpiryDate' => [
+                gmdate('YmdHis\Z', strtotime('+6 months')), // Distant future
+            ],
+        ],
+        'near_future:b' => [
+            'eduPersonPrincipalName' => ['[email protected]'],
+            'eduPersonTargetID' => ['22222222-2222-2222-2222-222222222222'],
+            'sn' => ['Future'],
+            'givenName' => ['Near'],
+            'mail' => ['[email protected]'],
+            'employeeNumber' => ['22222'],
+            'cn' => ['NEAR_FUTURE'],
+            'schacExpiryDate' => [
+                gmdate('YmdHis\Z', strtotime('+1 day')), // Very soon
+            ],
+        ],
+        'already_past:c' => [
+            'eduPersonPrincipalName' => ['[email protected]'],
+            'eduPersonTargetID' => ['33333333-3333-3333-3333-333333333333'],
+            'sn' => ['Past'],
+            'givenName' => ['Already'],
+            'mail' => ['[email protected]'],
+            'employeeNumber' => ['33333'],
+            'cn' => ['ALREADY_PAST'],
+            'schacExpiryDate' => [
+                gmdate('YmdHis\Z', strtotime('-1 day')), // In the past
+            ],
+        ],
     ],
-];
+];

development/idp2/enable

@@ -0,0 +1 @@
+used to enable simplesaml modules.

development/idp2/saml20-idp-hosted.php

@@ -1,7 +1,21 @@
 <?php
+use Sil\PhpEnv\Env;
+use Sil\Psr3Adapters\Psr3SamlLogger;
+
 $metadata['http://ssp-hub-idp2.local:8086'] = [
 	'host' => '__DEFAULT__',
 	'privatekey' => 'ssp-hub-idp2.pem',
 	'certificate' => 'ssp-hub-idp2.crt',
-	'auth' => 'admin',
-];
+	'auth' => 'example-userpass',
+    'authproc' => [
+        10 => [
+            'class' => 'expirychecker:ExpiryDate',
+            'accountNameAttr' => 'cn',
+            'expiryDateAttr' => 'schacExpiryDate',
+            'changePwdUrl' => Env::get('CHANGE_PWD_URL'),
+            'warnDaysBefore' => 14,
+            'dateFormat' => 'Y-m-d',
+            'loggerClass' => Psr3SamlLogger::class,
+        ]
+    ]
+];

dictionaries/about2expire.definition.json

@@ -0,0 +1,45 @@
+
+{
+	"title": {
+		"en": "Expiring password",
+		"es": "Contraseña vencida",
+		"fr": "Mot de passe expiré",
+		"ko": "만료 된 암호"
+	},
+	"header": {
+		"en": "Password expiring soon",
+		"es": "Contraseña caducada pronto",
+		"fr": "Mot de passe expirant bientôt",
+		"ko": "곧 만료되는 암호"
+	},
+	"expiring_in_a_day": {
+		"en": "Your password will expire in one day.",
+		"es": "Su contraseña caducará en un día.",
+		"fr": "Votre mot de passe expirera en un jour.",
+		"ko": "암호는 하루 만료됩니다."
+	},
+	"expiring_soon": {
+		"en": "Your password will expire in {daysLeft} days.",
+		"es": "Su contraseña caducará en {daysLeft} días.",
+		"fr": "Votre mot de passe expirera dans les jours {daysLeft}.",
+		"ko": "비밀번호는 {daysLeft} 일 후에 만료됩니다."
+	},
+	"change_now": {
+		"en": "Would you like to go ahead and change it now?",
+		"es": "¿Te gustaría seguir adelante y cambiarlo ahora?",
+		"fr": "Voulez-vous aller de l'avant et le changer maintenant?",
+		"ko": "지금 가서 바꾸시겠습니까?"
+	},
+	"button_change": {
+		"en": "Yes",
+		"es": "Sí",
+		"fr": "Oui",
+		"ko": "예"
+	},
+	"button_continue": {
+		"en": "Maybe later",
+		"es": "Quizas despues",
+		"fr": "Peut-être plus tard",
+		"ko": "나중에"
+	}
+}

dictionaries/expired.definition.json

@@ -0,0 +1,27 @@
+
+{
+	"title": {
+		"en": "Expired password",
+		"es": "Contraseña caducada",
+		"fr": "Mot de passe expiré",
+		"ko": "만료 된 암호"
+	},
+	"header": {
+		"en": "Password expired",
+		"es": "La contraseña expiró",
+		"fr": "Mot de passe expiré",
+		"ko": "암호가 만료되었습니다."
+	},
+	"expired": {
+		"en": "Your password has expired and must be changed before continuing.",
+		"es": "Su contraseña ha caducado y debe cambiarse antes de continuar.",
+		"fr": "Votre mot de passe a expiré et doit être modifié avant de continuer.",
+		"ko": "비밀번호가 만료되었으므로 계속하기 전에 비밀번호를 변경해야합니다."
+	},
+	"button_change": {
+		"en": "Change",
+		"es": "Cambiar",
+		"fr": "Changer",
+		"ko": "바꾸다"
+	}
+}

docker-compose.yml

@@ -7,6 +7,7 @@ services:
       - ./development/hub/authsources.php:/data/vendor/simplesamlphp/simplesamlphp/config/authsources.php
       - ./development/hub/saml20-idp-remote.php:/data/vendor/simplesamlphp/simplesamlphp/metadata/saml20-idp-remote.php
       - ./development/hub/saml20-idp-hosted.php:/data/vendor/simplesamlphp/simplesamlphp/metadata/saml20-idp-hosted.php
+      - ./www/default-logo.png:/data/vendor/simplesamlphp/simplesamlphp/www/logo.png
       - ./:/data/vendor/simplesamlphp/simplesamlphp/modules/material
     ports:
       - '80:80'
@@ -42,9 +43,11 @@ services:
     image: silintl/ssp-base:develop
     volumes:
       - ./development/idp2/cert:/data/vendor/simplesamlphp/simplesamlphp/cert
+      - ./development/idp2/enable:/data/vendor/simplesamlphp/simplesamlphp/modules/exampleauth/enable
       - ./development/idp2/authsources.php:/data/vendor/simplesamlphp/simplesamlphp/config/authsources.php
       - ./development/idp2/saml20-idp-hosted.php:/data/vendor/simplesamlphp/simplesamlphp/metadata/saml20-idp-hosted.php
       - ./development/idp2/saml20-sp-remote.php:/data/vendor/simplesamlphp/simplesamlphp/metadata/saml20-sp-remote.php
+      - ./www/default-logo.png:/data/vendor/simplesamlphp/simplesamlphp/www/logo.png
       - ./:/data/vendor/simplesamlphp/simplesamlphp/modules/material
     ports:
       - '8086:80'
@@ -58,3 +61,4 @@ services:
       SECRET_SALT: "edI4GGkYfkzD6/OXFvHBHb9Meu9hdKXQpNFg4q/GGfY="
       IDP_NAME: "Idp 2"
       ANALYTICS_ID: "UA-XXXX-Y"
+      CHANGE_PWD_URL: "http://example.org"

themes/material/common-announcement.php

@@ -1,5 +1,5 @@
 <?php
-$announcement = htmlentities($this->data['announcement'] ?? null);
+$announcement = htmlentities($this->data['announcement']);
 
 if (! empty($announcement)) {
 ?>

themes/material/common-head-elements.php

@@ -33,3 +33,5 @@
 <link rel="stylesheet" href="/module.php/material/styles.2.2.0.css">
 
 <script async src="/module.php/material/material.1.2.1.min.js"></script>
+
+<link rel="shortcut icon" href="/logo.png" />

themes/material/core/loginuserpass.php

@@ -6,7 +6,7 @@
     <?php include __DIR__ . '/../common-head-elements.php' ?>
 
     <?php
-    $siteKey = htmlentities($this->data['recaptcha.siteKey'] ?? null);
+    $siteKey = htmlentities($this->data['recaptcha.siteKey']);
     if (! empty($siteKey)) {
     ?>
     <script src='https://www.google.com/recaptcha/api.js?onload=onRecaptchaLoad&render=explicit'
@@ -38,11 +38,11 @@ function onRecaptchaLoad() {
         <?php include __DIR__ . '/../common-announcement.php' ?>
 
 
-        <form method="POST" action="<?= htmlentities($_SERVER['PHP_SELF']) ?>">
+        <form method="POST">
             <input type="hidden" name="AuthState"
-                   value="<?= htmlentities($this->data['stateparams']['AuthState']  ?? null) ?>" />
+                   value="<?= htmlentities($this->data['stateparams']['AuthState']) ?>" />
             <?php
-            $csrfToken = htmlentities($this->data['csrfToken'] ?? null);
+            $csrfToken = htmlentities($this->data['csrfToken']);
             ?>
             <input type="hidden" name="csrf-token" value="<?= $csrfToken ?>" />
 
@@ -67,7 +67,7 @@ function onRecaptchaLoad() {
                             <?= $this->t('{material:login:label_username}') ?>
                         </label>
                         <?php
-                        $username = htmlentities($this->data['username'] ?? null);
+                        $username = htmlentities($this->data['username']);
                         ?>
                         <input type="text" name="username" class="mdl-textfield__input"
                                value="<?= $username ?>"
@@ -87,7 +87,7 @@ function onRecaptchaLoad() {
                 $errorCode = htmlentities($this->data['errorcode']);
                 if ($errorCode == 'WRONGUSERPASS') {
                     $errorMessageKey = $this->data['errorparams'][1] ?? '{material:login:error_wronguserpass}';
-                    $errorMessageTokens = $this->data['errorparams'][2] ?? null;
+                    $errorMessageTokens = $this->data['errorparams'][2];
 
                     $message = htmlentities($this->t($errorMessageKey, $errorMessageTokens));
                 ?>
@@ -108,7 +108,7 @@ function onRecaptchaLoad() {
 
                 <div class="mdl-card__actions" layout-children="row">
                     <?php
-                    $forgotPasswordUrl = htmlentities($this->data['forgotPasswordUrl'] ?? null);
+                    $forgotPasswordUrl = htmlentities($this->data['forgotPasswordUrl']);
                     if (! empty($forgotPasswordUrl)) {
                     ?>
                     <a href="<?= $forgotPasswordUrl ?>" target="_blank"