MFA infrastructure needed

Author: Billy Clark

.gitignore

@@ -3,3 +3,4 @@ vendor/
 composer.lock
 nbproject/
 .vagrant/
+local.env

Makefile

@@ -5,7 +5,13 @@ errors:
 	docker-compose exec hub cat /var/log/apache2/error.log
 	docker-compose exec idp1 cat /var/log/apache2/error.log
 	docker-compose exec idp2 cat /var/log/apache2/error.log
+	docker-compose exec idp4 cat /var/log/apache2/error.log
+	docker-compose exec hub2 cat /var/log/apache2/error.log
+	docker-compose exec idp3 cat /var/log/apache2/error.log
 
 clean:
 	docker-compose kill
 	docker system prune -f
+
+
+# TODO: create local migrations for broker to load users and mfas to make testing easier.

development/hub/saml20-idp-remote.php

@@ -21,6 +21,17 @@
     'SingleLogoutService'  => 'http://ssp-hub-idp2.local:8086/saml2/idp/SingleLogoutService.php',
     'certData' => 'MIIDzzCCAregAwIBAgIJALBaUrvz1X5DMA0GCSqGSIb3DQEBCwUAMH4xCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJOQzEPMA0GA1UEBwwGV2F4aGF3MQwwCgYDVQQKDANTSUwxDTALBgNVBAsMBEdUSVMxDjAMBgNVBAMMBVN0ZXZlMSQwIgYJKoZIhvcNAQkBFhVzdGV2ZV9iYWd3ZWxsQHNpbC5vcmcwHhcNMTYxMDE4MTQwMDUxWhcNMjYxMDE4MTQwMDUxWjB+MQswCQYDVQQGEwJVUzELMAkGA1UECAwCTkMxDzANBgNVBAcMBldheGhhdzEMMAoGA1UECgwDU0lMMQ0wCwYDVQQLDARHVElTMQ4wDAYDVQQDDAVTdGV2ZTEkMCIGCSqGSIb3DQEJARYVc3RldmVfYmFnd2VsbEBzaWwub3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAx5mZNwjEnakJho+5etuFyx+2g9rs96iLX/LDC24aBAsdNxTNuIc1jJ7pxBxGrepEND4LkietLNBlOr1q50nq2+ddTrCfmoJB+9BqBOxcm9qWeqWbp8/arUjaxPzK3DfZrxJxIVFjzqFF7gI91y9yvEW/fqLRMhvnH1ns+N1ne59zr1y6h9mmHfBffGr1YXAfyEAuV1ich4AfTfjqhdwFwxhFLLCVnxA0bDbNw/0eGCSiA13N7a013xTurLeJu0AQaZYssMqvc/17UphH4gWDMEZAwy0EfRSBOsDOYCxeNxVajnWX1834VDpBDfpnZj996Gh8tzRQxQgT9/plHKhGiwIDAQABo1AwTjAdBgNVHQ4EFgQUApxlUQg26GrG3eH8lEG3SkqbH/swHwYDVR0jBBgwFoAUApxlUQg26GrG3eH8lEG3SkqbH/swDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEANhbm8WgIqBDlF7DIRVUbq04TEA9nOJG8wdjJYdoKrPX9f/E9slkFuD2StcK99RTcowa8Z2OmW7tksa+onyH611Lq21QXh4aHzQUAm2HbsmPQRZnkByeYoCJ/1tuEho+x+VGanaUICSBVWYiebAQVKHR6miFypRElibNBizm2nqp6Q9B87V8COzyDVngR1DlWDduxYaNOBgvht3Rk9Y2pVHqym42dIfN+pprcsB1PGBkY/BngIuS/aqTENbmoC737vcb06e8uzBsbCpHtqUBjPpL2psQZVJ2Y84JmHafC3B7nFQrjdZBbc9eMHfPo240Rh+pDLwxdxPqRAZdeLaUkCQ==',
 ];
+$metadata['http://ssp-hub-idp4.local:8088'] = [
+    'enabled' => true,
+    'metadata-set' => 'saml20-idp-remote',
+    'entityid' => 'http://ssp-hub-idp4.local:8088',
+    'name' => [
+        'en' => 'IdP 4'
+    ],
+    'SingleSignOnService'  => 'http://ssp-hub-idp4.local:8088/saml2/idp/SSOService.php',
+    'SingleLogoutService'  => 'http://ssp-hub-idp4.local:8088/saml2/idp/SingleLogoutService.php',
+    'certData' => 'MIIDzzCCAregAwIBAgIJALBaUrvz1X5DMA0GCSqGSIb3DQEBCwUAMH4xCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJOQzEPMA0GA1UEBwwGV2F4aGF3MQwwCgYDVQQKDANTSUwxDTALBgNVBAsMBEdUSVMxDjAMBgNVBAMMBVN0ZXZlMSQwIgYJKoZIhvcNAQkBFhVzdGV2ZV9iYWd3ZWxsQHNpbC5vcmcwHhcNMTYxMDE4MTQwMDUxWhcNMjYxMDE4MTQwMDUxWjB+MQswCQYDVQQGEwJVUzELMAkGA1UECAwCTkMxDzANBgNVBAcMBldheGhhdzEMMAoGA1UECgwDU0lMMQ0wCwYDVQQLDARHVElTMQ4wDAYDVQQDDAVTdGV2ZTEkMCIGCSqGSIb3DQEJARYVc3RldmVfYmFnd2VsbEBzaWwub3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAx5mZNwjEnakJho+5etuFyx+2g9rs96iLX/LDC24aBAsdNxTNuIc1jJ7pxBxGrepEND4LkietLNBlOr1q50nq2+ddTrCfmoJB+9BqBOxcm9qWeqWbp8/arUjaxPzK3DfZrxJxIVFjzqFF7gI91y9yvEW/fqLRMhvnH1ns+N1ne59zr1y6h9mmHfBffGr1YXAfyEAuV1ich4AfTfjqhdwFwxhFLLCVnxA0bDbNw/0eGCSiA13N7a013xTurLeJu0AQaZYssMqvc/17UphH4gWDMEZAwy0EfRSBOsDOYCxeNxVajnWX1834VDpBDfpnZj996Gh8tzRQxQgT9/plHKhGiwIDAQABo1AwTjAdBgNVHQ4EFgQUApxlUQg26GrG3eH8lEG3SkqbH/swHwYDVR0jBBgwFoAUApxlUQg26GrG3eH8lEG3SkqbH/swDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEANhbm8WgIqBDlF7DIRVUbq04TEA9nOJG8wdjJYdoKrPX9f/E9slkFuD2StcK99RTcowa8Z2OmW7tksa+onyH611Lq21QXh4aHzQUAm2HbsmPQRZnkByeYoCJ/1tuEho+x+VGanaUICSBVWYiebAQVKHR6miFypRElibNBizm2nqp6Q9B87V8COzyDVngR1DlWDduxYaNOBgvht3Rk9Y2pVHqym42dIfN+pprcsB1PGBkY/BngIuS/aqTENbmoC737vcb06e8uzBsbCpHtqUBjPpL2psQZVJ2Y84JmHafC3B7nFQrjdZBbc9eMHfPo240Rh+pDLwxdxPqRAZdeLaUkCQ==',
+];
 $metadata['jaars-idp'] = [
     'enabled' => true,
     'metadata-set' => 'saml20-idp-remote',

development/idp4/authsources.php

@@ -0,0 +1,10 @@
+<?php
+
+use Sil\SilAuth\config\ConfigManager;
+
+$config = [
+    'admin' => [
+        'core:AdminPassword',
+    ],
+    'silauth' => ConfigManager::getSspConfig(),
+];

development/idp4/cert/ssp-hub-idp4.pem

@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDHmZk3CMSdqQmG
+j7l624XLH7aD2uz3qItf8sMLbhoECx03FM24hzWMnunEHEat6kQ0PguSJ60s0GU6
+vWrnSerb511OsJ+agkH70GoE7Fyb2pZ6pZunz9qtSNrE/MrcN9mvEnEhUWPOoUXu
+Aj3XL3K8Rb9+otEyG+cfWez43Wd7n3OvXLqH2aYd8F98avVhcB/IQC5XWJyHgB9N
++OqF3AXDGEUssJWfEDRsNs3D/R4YJKIDXc3trTXfFO6st4m7QBBpliywyq9z/XtS
+mEfiBYMwRkDDLQR9FIE6wM5gLF43FVqOdZfXzfhUOkEN+mdmP33oaHy3NFDFCBP3
++mUcqEaLAgMBAAECggEACinHBGdc44483u4oipns6RfXSkV2dXHOjvckeUuE5ZnP
+RgO4KeIwltVsn8C01JwuFt7l5e5BQhvmW6RTci1wWPwh4yTZK5vgUjsdetyyJnlt
+2hbeox/RSauBADDC/42Udvagbgrf4yCRF/pjPba7x9xhUMhnkH6dORpyF4XmhAPW
+TVCA7VVRL5aoEfemiZYOpjPkY135QqI6/PaLbRDUkqUtKdAB2+/XRTF2K8gbb44x
+f/wZeqpOG1y82P3aYVM1f3RLQUAS0rKyQJBRB8fHy5LY2z9LAlC8KSp1BAIKtqMT
+lUr6MIs2oImrLL0JyvEbcmtZI4MdGgnmkxrjc/8ZYQKBgQD8t18HVfmTu+5HZCuv
+NItpLOu/uxm6UwwAwbljtM2K2562wCsu9/tt72V0Ismysz19VUva/FtSqksuOWcA
+HC+APHtWMMtsBcQMZGrFHUlJCKv963gu7CoeJvY3mSWm4t8xuZBSz5pAeoeENioH
+NrL4+K2+cmVGRNjKIDipN5Ng8QKBgQDKMYrqNmH8/IaIDTi27d1A+1YTEZe/toaP
+YbTyyQ731mLwnukAx1MhFgoXe294nXiD3tC0g6ISpFgyUTL5OplIs/yiXks0y5/G
+mKxGsVc5qtBQB8utA3i8EzT6x2fIYmuJY2Pj3r6jFFzqOjlILN8ct1v05qjKH+gM
+n5C/IC/fOwKBgQCEcubPRXQkxZ5AtHNgxD08xlpYhosZaGUmEGJFq4D+gdRRG66G
+U1nnaEzX7VOg4OgdRBMZlqGWVcJJW7RsDlmm8AwERFaZKvxxMj/zR0IdkPnzfvHi
+RcxdOTZaNV3SdZ1cxlCp1jyWBqH33Rtx5G0wp8UHx5Tkmziz1udbaNFJQQKBgQDA
+EvpE7i59tqJSQkUbObFSVrB44uCGJW2EbawIa0lF1KoerMbpj3B/4MDrd734FZdz
+pkobAWUIUojaG9rReYI914Vp9St6VulMLqKRcUxMIuFK9WzdyYt7Fr/gb2c+q4g+
+dmVhBauRnfl6JJ9f2giE7gZ0Cl5TzKWSwE4v0fLIGwKBgGuiI+2j8YOsV4LYyin+
+9p5qmk4gVUe5ohPUKCdPeaZiiQbAJ3l5B3LR2sgV1mOm996Nm9Y0HEback4ISAjz
+Nd3TkcwDVaa7GV9pMknM2rK0U6gupbtPAaTMCanXu2VZbKGfQDlkpE3iYvMsuGIW
+1ppvkZ+ZtqGlvPGk+CWjr6vu
+-----END PRIVATE KEY-----

development/idp4/saml20-idp-hosted.php

@@ -0,0 +1,21 @@
+<?php
+use Sil\PhpEnv\Env;
+use Sil\Psr3Adapters\Psr3SamlLogger;
+
+$metadata['http://ssp-hub-idp4.local:8088'] = [
+    'host' => '__DEFAULT__',
+    'privatekey' => 'ssp-hub-idp4.pem',
+    'auth' => 'silauth',
+    'authproc' => [
+        10 => [
+            'class' => 'mfa:Mfa',
+            'employeeIdAttr' => 'employeeNumber',
+            'idBrokerAccessToken' => Env::get('ID_BROKER_ACCESS_TOKEN'),
+            'idBrokerAssertValidIp' => Env::get('ID_BROKER_ASSERT_VALID_IP'),
+            'idBrokerBaseUri' => Env::get('ID_BROKER_BASE_URI'),
+            'idBrokerTrustedIpRanges' => Env::get('ID_BROKER_TRUSTED_IP_RANGES'),
+            'mfaSetupUrl' => Env::get('MFA_SETUP_URL'),
+            'loggerClass' => Psr3SamlLogger::class,
+        ],
+    ]
+];

development/idp4/saml20-sp-remote.php

@@ -0,0 +1,5 @@
+<?php
+$metadata['ssp-hub.local'] = [
+	'AssertionConsumerService' => 'http://ssp-hub.local:8080/module.php/saml/sp/saml2-acs.php/hub-discovery',
+	'SingleLogoutService' => 'http://ssp-hub.local:8080/module.php/saml/sp/saml2-logout.php/hub-discovery',
+];

docker-compose.yml

@@ -1,4 +1,7 @@
-version: '2'
+version: '2.0'
+#TODO: update README with new idp and local mfa testing (also need a reference in /etc/hosts to idp4)
+#TODO: change names to idp's to exclude hub, e.g., ssp-hub-idp4.local is misleading...ssp-idp4.local would be better
+
 services:
   hub:
     image: silintl/ssp-base:develop
@@ -11,7 +14,13 @@ services:
       - ./www/default-logo.png:/data/vendor/simplesamlphp/simplesamlphp/www/logo.png
       - ./:/data/vendor/simplesamlphp/simplesamlphp/modules/material
     ports:
-      - '80:80'
+      - "80:80"
+    depends_on:
+      - idp1
+      - idp2
+      - idp4
+    env_file:
+      - ./local.env
     environment:
       ADMIN_PASS: "abc123"
       SECURE_COOKIE: "false"
@@ -20,9 +29,10 @@ services:
       HUB_MODE: "true"
       ADMIN_EMAIL: "[email protected]"
       SECRET_SALT: "FcJwl0zCDc4nuzOuQL9/7WPIj3hdfusGm2ny0dcRQm0="
-      IDP_NAME: hub
+      IDP_NAME: "hub"
       IDP_DISPLAY_NAME: "The Hub"
       ANALYTICS_ID: "UA-XXXX-Y"
+
   idp1:
     image: silintl/ssp-base:develop
     volumes:
@@ -31,7 +41,9 @@ services:
       - ./development/idp1/saml20-idp-hosted.php:/data/vendor/simplesamlphp/simplesamlphp/metadata/saml20-idp-hosted.php
       - ./development/idp1/saml20-sp-remote.php:/data/vendor/simplesamlphp/simplesamlphp/metadata/saml20-sp-remote.php
     ports:
-      - '8085:80'
+      - "8085:80"
+    env_file:
+      - ./local.env
     environment:
       ADMIN_PASS: "a"
       SECURE_COOKIE: "false"
@@ -53,7 +65,9 @@ services:
       - ./www/default-logo.png:/data/vendor/simplesamlphp/simplesamlphp/www/logo.png
       - ./:/data/vendor/simplesamlphp/simplesamlphp/modules/material
     ports:
-      - '8086:80'
+      - "8086:80"
+    env_file:
+      - ./local.env
     environment:
       ADMIN_PASS: "b"
       SECURE_COOKIE: "false"
@@ -68,6 +82,86 @@ services:
       PASSWORD_CHANGE_URL:  "http://example.org"
       PASSWORD_FORGOT_URL:  "http://example.org"
 
+  idp4:
+    image: silintl/ssp-base:feature_mfa #TODO: move this to :develop when PR'd
+    volumes:
+      - ./development/idp4/cert:/data/vendor/simplesamlphp/simplesamlphp/cert
+      - ./development/idp4/authsources.php:/data/vendor/simplesamlphp/simplesamlphp/config/authsources.php
+      - ./development/idp4/saml20-idp-hosted.php:/data/vendor/simplesamlphp/simplesamlphp/metadata/saml20-idp-hosted.php
+      - ./development/idp4/saml20-sp-remote.php:/data/vendor/simplesamlphp/simplesamlphp/metadata/saml20-sp-remote.php
+      - ./www/default-logo.png:/data/vendor/simplesamlphp/simplesamlphp/www/logo.png
+      - ./:/data/vendor/simplesamlphp/simplesamlphp/modules/material
+    ports:
+      - "8088:80"
+    depends_on:
+      - silAuthDb
+      - broker
+    env_file:
+      - ./local.env
+    environment:
+      ADMIN_PASS: "b"
+      SECURE_COOKIE: "false"
+      SHOW_SAML_ERRORS: "true"
+      ADMIN_PROTECT_INDEX_PAGE: "false"
+      THEME_USE: "material:material"
+      ADMIN_EMAIL: "[email protected]"
+      SECRET_SALT: "NlFalr5Faa73coPUFPP78BCi2ZUYhL+qVCOuJ466Bh4="
+      IDP_NAME: "idp-4"
+      IDP_DISPLAY_NAME: "Idp 4"
+      IDP_DOMAIN_NAME: "idp-4.local"
+      MFA_SETUP_URL: "https://example.org/mfa-setup"
+      MYSQL_HOST: "silAuthDb"
+      MYSQL_DATABASE: "silauth"
+      MYSQL_USER: "user"
+      MYSQL_PASSWORD: "pass"
+      ID_BROKER_ACCESS_TOKEN: "arc-cli-abc123"
+      ID_BROKER_ASSERT_VALID_IP: "false"
+      ID_BROKER_BASE_URI: "http://broker"
+      REMEMBER_ME_SECRET: "dummy"
+    command: ["bash", "-c", "whenavail silAuthDb 3306 60 ./run-idp.sh"]
+
+  silAuthDb:
+      image: silintl/mariadb:latest
+      ports:
+        - "3306"
+      environment:
+        MYSQL_ROOT_PASSWORD: "r00tp@ss!"
+        MYSQL_DATABASE: "silauth"
+        MYSQL_USER: "user"
+        MYSQL_PASSWORD: "pass"
+
+  broker:
+    image: silintl/idp-id-broker:feature2sv #TODO: move this to :develop when PR'd
+    ports:
+      - "8090:80"
+    depends_on:
+      - brokerDb
+    env_file:
+      - ./local.env
+    environment:
+      IDP_NAME: "idp-4"
+      MYSQL_HOST: "brokerDb"
+      MYSQL_DATABASE: "broker"
+      MYSQL_USER: "user"
+      MYSQL_PASSWORD: "pass"
+      EMAIL_SERVICE_accessToken: "dummy"
+      EMAIL_SERVICE_assertValidIp: "false"
+      EMAIL_SERVICE_baseUrl: "localhost"
+      API_ACCESS_KEYS: "arc-cli-abc123"
+      APP_ENV: "dev"
+      MIGRATE_PW_FROM_LDAP: "false"
+    command: ["bash", "-c", "whenavail brokerDb 3306 60 ./yii migrate --interactive=0 && ./run.sh"]
+
+  brokerDb:
+      image: silintl/mariadb:latest
+      ports:
+        - "3306"
+      environment:
+        MYSQL_ROOT_PASSWORD: "r00tp@ss!"
+        MYSQL_DATABASE: "broker"
+        MYSQL_USER: "user"
+        MYSQL_PASSWORD: "pass"
+
   hub2:
     image: silintl/ssp-base:develop
     volumes:
@@ -78,7 +172,11 @@ services:
       - ./:/data/vendor/simplesamlphp/simplesamlphp/modules/material
       - ./development/idp3/announcement.php:/data/vendor/simplesamlphp/simplesamlphp/announcement/announcement.php
     ports:
-      - '8081:80'
+      - "8081:80"
+    depends_on:
+      - idp3
+    env_file:
+      - ./local.env
     environment:
       ADMIN_PASS: "abc123"
       SECURE_COOKIE: "false"
@@ -89,6 +187,7 @@ services:
       SECRET_SALT: "QthhmKnsmC7X/+2bv3CgzBWaFR68J3fP6QgmZhM1L7M="
       IDP_NAME: "hub-2"
       IDP_DISPLAY_NAME: "The Hub2"
+
   idp3:
     image: silintl/ssp-base:develop
     volumes:
@@ -100,7 +199,9 @@ services:
       - ./:/data/vendor/simplesamlphp/simplesamlphp/modules/material
       - ./development/idp3/announcement.php:/data/vendor/simplesamlphp/simplesamlphp/announcement/announcement.php
     ports:
-      - '8087:80'
+      - "8087:80"
+    env_file:
+      - ./local.env
     environment:
       ADMIN_PASS: "a"
       SECURE_COOKIE: "false"

local.env.dist

@@ -0,0 +1,12 @@
+### Required ENV vars ###
+MFA_TOTP_apiBaseUrl=
+MFA_TOTP_apiKey=
+MFA_TOTP_apiSecret=
+MFA_U2F_apiBaseUrl=
+MFA_U2F_apiKey=
+MFA_U2F_apiSecret=
+MFA_U2F_appId=
+
+### Optional ENV vars ###
+LOGENTRIES_KEY=
+COMPOSER_AUTH=