Stepup Middleware - This component is part of "Step-up Authentication as-a Service".

Overview

Step-up Middleware


This component is part of "Step-up Authentication as-a Service". See Stepup-Deploy for an overview and installation instructions for a complete Stepup system, including this component. The requirements and installation instructions below cover this component only.

Requirements

  • PHP 5.6+ or PHP7
  • Composer
  • A web server (Apache, Nginx)
  • MariaDB 10
  • A working Gateway

Installation

Clone the repository or download the archive to a directory. Install the dependencies by running composer install and fill out the database credentials et cetera.

Make sure to run database migrations using bin/console middleware:migrations:migrate.

When using 'Stepup-Deploy', the 'deploy' entity manager should be used so that the correct database credentials are picked up, e.g. bin/console middleware:migrations:migrate --em=deploy

Management API

Some of the configuration of the components is static (i.e. stored in parameters.yml). The configuration that is expected to change during the operation of a Stepup system is managed through an API on the middleware. This provides one place and one action to change the configuration, and allows changing it without having to modify the configuration of several components on several servers.

  • The API calls are documented in the middleware API documentation.
  • The configuration itself is elaborate and is described in detail in the Middleware configuration.
  • The ansible Stepup-Middleware role writes scripts in /opt/stepup/ for pushing the configuration to the middleware component.

Development Notes

Adding new events

Whenever adding a new event, be sure to update bin/config/events.yml. This is the list of events that is shown when replaying events. Also be sure to create or update the event serialization/deserialization tests; for example, see EventSerializationAndDeserializationTest for Configuration events.

Mocking time

Because static methods cannot be mocked, the helper DateTimeHelper::stubNow(DateTime $now) was created to mock time. Call ::stubNow($now) to set a fixed date/time, and call ::stubNow(null) to disable stubbing. It is recommended to run tests in a separate process when using this helper, so the stub value doesn't persist between tests.

/** @runInSeparateProcess */
public function testItWorks()
{
    // Trick `DateTime::now()` into thinking it is 1970 (the Unix epoch).
    DateTimeHelper::stubNow(new DateTime('@0'));

    $this->assertEquals('1970-01-01T00:00:00+00:00', (string) \Surfnet\Stepup\DateTime\DateTime::now());

    // Not strictly needed when the test runs in its own process, but it keeps
    // the stub from leaking into later tests if the annotation is ever dropped.
    DateTimeHelper::stubNow(null);
}

Adding support for a new Generic SAML Second Factor biometric, by example

gssp_allowed_sps:
   - (...)
   - 'https://ss-dev.stepup.coin.surf.net/app_dev.php/registration/gssf/biometric/metadata'
   - 'https://ra-dev.stepup.coin.surf.net/app_dev.php/vetting-procedure/gssf/biometric/metadata'
  • Configure these SPs through the Middleware configuration API.

Release strategy

Please read: https://github.com/OpenConext/Stepup-Deploy/wiki/Release-Management for more information on the release strategy used in Stepup projects.

Comments
  • Add self vet feature to Middleware

    Add self vet feature to Middleware

    This option was added throughout the application. The setting will be saved to the event store, but is also projected to the institution configuration projection. This way the setting can be retrieved via the Middleware management API. At this location the option is also evaluated to store it for both new and existing institutions. For institutions without the configuration option, the default 'false' is configured.

    I later also added the actual SelfVet command, used to indicate a self vet option was used. This resulted in quite a lot of additional code changes. Maybe better to review them on a per-commit basis to keep things somewhat manageable.

    Be advised! A migration was added to project the new setting. Be sure to run your Doctrine migrations command.

    This PR will not pass on travis on account of the security tests failing. They are patched up in #321. I do not see any security advisories on that branch. So this should be green too.

    See: https://www.pivotaltracker.com/story/show/176714989 See: https://www.pivotaltracker.com/story/show/176715329

    opened by MKodde 8
  • Add bootstrap console commands

    Add bootstrap console commands

    Allow bootstrapping of an Identity with an SMS token. Three verification states can be achieved: Unverified, Verified and Vetted.

    Example usage: app/console middleware:bootstrap:identity-with-sms my:fancy:name-id institution-a.example.com "Jesse James" "[email protected]" en_GB "+31 (0) 612345678" vetted

    Some open ends:

    • Solve the authority id issue (which RA is vetting the token?) Either save the actor id on the event or in the metadata. For now does not have to end up in the audit log, but should be saved.
    • ~Review the overall structure of the command, and look into making the code more maintainable, readable and robust~
    • Discuss the separation of the identity creation logic to another command

    PM @phavekes expressed his preference to keep the logic bundled in the command. I did however move the creation logic to an abstract command. That way other similar bootstrap events can borrow that logic.

    • ~Be 'email verification required' aware~

    https://www.pivotaltracker.com/story/show/172429585

    opened by MKodde 7
  • Revert RA-checking and cross-institution vetting check in Identity aggregate

    Revert RA-checking and cross-institution vetting check in Identity aggregate

    This reverts commit a1543deca6a1f989b12eca2c119644b3fa951a6a, reversing changes made to 4b0c8a62ef1182754d887529d2f98ca4f20ae291.

    In the Identity aggregate, it is not known whether a certain identity is an SRAA or not. If he is an SRAA, the registrationAuthority property is set to null -- contrary to what one might assume. That is why these checks currently do not work.

    In the future, we need to find another way to determine in the Identity aggregate whether the one doing the vetting is a registration authority and whether he is an SRAA. See: https://www.pivotaltracker.com/story/show/135335407

    Reverting this means that, in theory, any Identity can vet a second factor regardless of whether they are within the same institution. However, these checks are already done by the front-ends: RA and SS.

    This reverts work done in PR #160.

    bug review 
    opened by arothuis 7
  • Add additional allowed sandbox methods

    Add additional allowed sandbox methods

    The implicit __toString call is no longer allowed, and a critical error is raised by Twig. The solution is to add the __toString calls to the list of allowed sandbox methods.

    This change fixes the problem where sending the verification mail message would trigger an error.

    opened by MKodde 6
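An added example (not the Stepup-Middleware project's own code) that reproduces the failure described in the PR above and applies the allow-list fix: with Twig's sandbox enabled, rendering a value object calls its __toString implicitly, which the sandbox treats as a method call. The EmailAddress class, the template and the policy contents are assumptions.

```php
<?php
// Added example, not Stepup-Middleware code. Requires twig/twig via Composer.
require __DIR__ . '/vendor/autoload.php';

use Twig\Environment;
use Twig\Extension\SandboxExtension;
use Twig\Loader\ArrayLoader;
use Twig\Sandbox\SecurityError;
use Twig\Sandbox\SecurityPolicy;

// Assumed value object: rendering {{ email }} triggers __toString implicitly.
final class EmailAddress
{
    /** @var string */
    private $value;

    public function __construct($value)
    {
        $this->value = $value;
    }

    public function __toString()
    {
        return $this->value;
    }
}

function renderVerificationMail(SecurityPolicy $policy)
{
    $twig = new Environment(new ArrayLoader([
        'verify.txt.twig' => 'Verify {{ email }} with code {{ code }}.',
    ]));
    // Sandbox every template, not only blocks wrapped in {% sandbox %}.
    $twig->addExtension(new SandboxExtension($policy, true));

    return $twig->render('verify.txt.twig', [
        'email' => new EmailAddress('user@example.org'), // constructed sample
        'code'  => '123456',
    ]);
}

// Policy 1: no methods allowed. The implicit __toString on EmailAddress is a
// method call, so the sandbox aborts rendering with SecurityNotAllowedMethodError.
$strict = new SecurityPolicy([], ['escape'], [], [], []);
try {
    renderVerificationMail($strict);
} catch (SecurityError $e) {
    echo 'blocked: ', $e->getMessage(), PHP_EOL;
}

// Policy 2: allow __toString only on the specific value-object classes the mail
// templates need. Keys are class names; the policy stays an allow-list, so no
// other method on these objects (or any method on other objects) becomes callable.
$allowedMethods = [
    EmailAddress::class => ['__toString'],
];
$fixed = new SecurityPolicy([], ['escape'], $allowedMethods, [], []);
echo renderVerificationMail($fixed), PHP_EOL;
```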
  • Separate templates for RA locations and RAs

    Separate templates for RA locations and RAs

    • Removes concept of vetting locations in favor of separate concepts (RAs/RA locations)
    • Removes concept of institutions with RA locations in favor of institution configuration options
    • Fixes flaws in saving institution configuration options and handling commands
    review 
    opened by arothuis 5
  • Add API for institution configuration options for institution

    Add API for institution configuration options for institution

    This depends on the service introduced in #146

    GET /institution-configuration-options/dev.organisation.example
    
    {
      "use_ra_locations": false,
      "show_raa_contact_information": true
    }
    
    opened by arothuis 5
  • Fix invalid RA candidate authorization

    Fix invalid RA candidate authorization

    The RA-Candidates were filtered on RA institution, but that should have been on institution, because we only want to use identities from the institutions we are currently RA for.

    https://www.pivotaltracker.com/story/show/171703175

    opened by pablothedude 4
  • Fix ra-listing static factory method

    Fix ra-listing static factory method

    After the fix to be able to log in with the highest ra(a) level, the original static method was removed, but this shouldn't have been removed. Restored the original method to allow construction of ra-listings.

    opened by pablothedude 4
  • Identity aggregate root changes to allow the

    Identity aggregate root changes to allow the "select_raa" FGA option

    This PR will add the changes to the Aggregateroot to allow FGA in middleware. There are however a few changes that still need to be addressed before this PR could be merged, and those changes are:

    • [x] Test the accredit identity unhappy flow
    • [ ] Add behat coverage for select_raa
    • [ ] Events have been documented (in class documentation and/or on wiki)

    Also the commits need to be rebased before merge to have atomic commits and better commit logs.

    See: https://www.pivotaltracker.com/story/show/160283517

    opened by pablothedude 4
  • More specific configuration allows successful cache:clear on prod

    More specific configuration allows successful cache:clear on prod

    Initial error report:

    [root@test-app Stepup-Middleware-2.0.0-20160808152839Z-b38acd98a77c89bffa2649d956f92709954aa036]# php app/console cache:clear --env=prod --no-debug
    Clearing the cache for the prod environment with debug false
    PHP Fatal error:  Class 'PHPUnit_Framework_TestCase' not found in /opt/stepup/Stepup-Middleware-2.0.0-20160808152839Z-b38acd98a77c89bffa2649d956f92709954aa036/src/Surfnet/StepupMiddleware/ApiBundle/Tests/Configuration/Entity/ConfiguredInstitutionTest.php on line 26
    [Symfony\Component\Debug\Exception\ClassNotFoundException] Attempted to load class "PHPUnit_Framework_TestCase" from the global namespace.  Did you forget a "use" statement?
    

    What seems to happen is that the cache cannot be cleared due to Test classes being loaded during the cache:clear command.

    In order to reproduce this locally, run:

    SYMFONY_ENV=prod composer install -o --no-dev
    

    This should remove any dev dependencies and then attempt to clear the cache as if Symfony was running in prod mode, therefore causing a similar or the same error. This is reproducible with a command as reported originally:

    SYMFONY_ENV=prod app/console c:c --env=prod --no-debug
    

    For me this resulted in:

    Clearing the cache for the prod environment with debug false
    PHP Fatal error:  Class 'PHPUnit_Framework_TestCase' not found in /opt/workspace/SURFnet/Stepup-Middleware/src/Surfnet/StepupMiddleware/ApiBundle/Tests/Configuration/Entity/RaLocationTest.php on line 28
    PHP Stack trace:
    PHP   1. {main}() /opt/workspace/SURFnet/Stepup-Middleware/app/console:0
    PHP   2. Symfony\Component\Console\Application->run() /opt/workspace/SURFnet/Stepup-Middleware/app/console:25
    PHP   3. Symfony\Bundle\FrameworkBundle\Console\Application->doRun() /opt/workspace/SURFnet/Stepup-Middleware/vendor/symfony/symfony/src/Symfony/Component/Console/Application.php:120
    PHP   4. Symfony\Component\Console\Application->doRun() /opt/workspace/SURFnet/Stepup-Middleware/vendor/symfony/symfony/src/Symfony/Bundle/FrameworkBundle/Console/Application.php:90
    PHP   5. Symfony\Component\Console\Application->doRunCommand() /opt/workspace/SURFnet/Stepup-Middleware/vendor/symfony/symfony/src/Symfony/Component/Console/Application.php:189
    PHP   6. Symfony\Component\Console\Command\Command->run() /opt/workspace/SURFnet/Stepup-Middleware/vendor/symfony/symfony/src/Symfony/Component/Console/Application.php:852
    PHP   7. Symfony\Bundle\FrameworkBundle\Command\CacheClearCommand->execute() /opt/workspace/SURFnet/Stepup-Middleware/vendor/symfony/symfony/src/Symfony/Component/Console/Command/Command.php:256
    PHP   8. Symfony\Bundle\FrameworkBundle\Command\CacheClearCommand->warmup() /opt/workspace/SURFnet/Stepup-Middleware/vendor/symfony/symfony/src/Symfony/Bundle/FrameworkBundle/Command/CacheClearCommand.php:92
    PHP   9. Symfony\Component\HttpKernel\Kernel->boot() /opt/workspace/SURFnet/Stepup-Middleware/vendor/symfony/symfony/src/Symfony/Bundle/FrameworkBundle/Command/CacheClearCommand.php:128
    PHP  10. Symfony\Component\HttpKernel\Kernel->initializeContainer() /opt/workspace/SURFnet/Stepup-Middleware/app/bootstrap.php.cache:2447
    PHP  11. Symfony\Component\HttpKernel\CacheWarmer\CacheWarmerAggregate->warmUp() /opt/workspace/SURFnet/Stepup-Middleware/app/bootstrap.php.cache:2677
    PHP  12. Symfony\Bridge\Doctrine\CacheWarmer\ProxyCacheWarmer->warmUp() /opt/workspace/SURFnet/Stepup-Middleware/vendor/symfony/symfony/src/Symfony/Component/HttpKernel/CacheWarmer/CacheWarmerAggregate.php:48
    PHP  13. Doctrine\Common\Persistence\Mapping\AbstractClassMetadataFactory->getAllMetadata() /opt/workspace/SURFnet/Stepup-Middleware/vendor/symfony/symfony/src/Symfony/Bridge/Doctrine/CacheWarmer/ProxyCacheWarmer.php:69
    PHP  14. Doctrine\Common\Persistence\Mapping\Driver\MappingDriverChain->getAllClassNames() /opt/workspace/SURFnet/Stepup-Middleware/vendor/doctrine/common/lib/Doctrine/Common/Persistence/Mapping/AbstractClassMetadataFactory.php:114
    PHP  15. Doctrine\Common\Persistence\Mapping\Driver\AnnotationDriver->getAllClassNames() /opt/workspace/SURFnet/Stepup-Middleware/vendor/doctrine/common/lib/Doctrine/Common/Persistence/Mapping/Driver/MappingDriverChain.php:128
    PHP  16. require_once() /opt/workspace/SURFnet/Stepup-Middleware/vendor/doctrine/common/lib/Doctrine/Common/Persistence/Mapping/Driver/AnnotationDriver.php:236
    
    
      [Symfony\Component\Debug\Exception\ClassNotFoundException]                       
      Attempted to load class "PHPUnit_Framework_TestCase" from the global namespace.  
      Did you forget a "use" statement?                                                
    
    
    cache:clear [--no-warmup] [--no-optional-warmers]
    

    This indicated that Doctrine was the culprit when attempting to generate the cache files for all entities within a specific mapping. This would trigger loading of test files, which apparently breaks things. Being more specific in the mapping circumvents this.

    bug 
    opened by DRvanR 4
  • Create identity resource

    Create identity resource

    Create identity read model resource, not limited by institution for now. This, so the read model API can be built in the Middleware API client package.

    opened by rjkip 4
  • Add support for old 'vetting type-less' identity move event payload

    Add support for old 'vetting type-less' identity move event payload

    When vetting_type is not present in the event data, the default vetting type is used (VettingType::UNKNOWN).

    See: https://www.pivotaltracker.com/story/show/184060757

    opened by MKodde 0
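An added example (not the Stepup-Middleware project's own code) of the backwards-compatible deserialization the PR above describes: a payload written before vetting_type existed is replayed with VettingType::UNKNOWN, while a present but invalid value is still rejected. The IdentityMovedEvent class, its other fields and the SELF_VET value are assumptions.

```php
<?php
// Added example, not Stepup-Middleware code: tolerating old event payloads
// that predate the vetting_type field without accepting arbitrary values.

final class VettingType
{
    const UNKNOWN  = 'unknown';   // default described for old payloads
    const SELF_VET = 'self-vet';  // assumed additional value

    /** @var string */
    private $type;

    public function __construct($type)
    {
        // Reject anything outside the known set, so a corrupt or hand-edited
        // event store row fails loudly instead of replaying as a bogus type.
        if (!in_array($type, [self::UNKNOWN, self::SELF_VET], true)) {
            throw new InvalidArgumentException(sprintf('Unknown vetting type "%s"', $type));
        }
        $this->type = $type;
    }

    public static function unknown()
    {
        return new self(self::UNKNOWN);
    }

    public function type()
    {
        return $this->type;
    }
}

final class IdentityMovedEvent
{
    /** @var string */
    public $identityId;
    /** @var VettingType */
    public $vettingType;

    public function __construct($identityId, VettingType $vettingType)
    {
        $this->identityId  = $identityId;
        $this->vettingType = $vettingType;
    }

    public static function deserialize(array $data)
    {
        // Only the absence of the key triggers the fallback: a missing key means
        // the event was stored before vetting_type existed. A present but invalid
        // value still throws via the VettingType constructor.
        $vettingType = array_key_exists('vetting_type', $data)
            ? new VettingType($data['vetting_type'])
            : VettingType::unknown();

        return new self($data['identity_id'], $vettingType);
    }

    public function serialize()
    {
        return ['identity_id' => $this->identityId, 'vetting_type' => $this->vettingType->type()];
    }
}

// Constructed sample payloads: one predating the field, one written after it.
$old = IdentityMovedEvent::deserialize(['identity_id' => 'id-1']);
$new = IdentityMovedEvent::deserialize(['identity_id' => 'id-2', 'vetting_type' => 'self-vet']);
assert($old->vettingType->type() === VettingType::UNKNOWN);
assert($new->vettingType->type() === VettingType::SELF_VET);
```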
  • Reproduce buggy behavior in useRaa configuration

    Reproduce buggy behavior in useRaa configuration

    When an institution is configured to use RAA's from another institution, but useRa is not set for that same institution, and a RAA user is made RAA for that institution, he/she is not allowed to perform RA actions (vet second factor and revocation of a token).

    This is because in the authorisation service we 'downgrade' the Vet and Revoke actions to require the use ra role.

    The successive buildInstitutionsAuthorizationContext then searches for the institutions that have that useRa role applied. None are found, and an authorization exception is raised.

    To fix this, either add both the useRa and useRaa actions to the authz context, or make the parent method more user-context aware, where we would have to check that if the useRaa role is applied for either one of the Vet or Revoke events, we should set the useRaa role instead of the hard-coded useRa.

    See: https://www.pivotaltracker.com/story/show/180081100

    opened by MKodde 1
Releases: 5.0.6-beta1
Owner: OpenConext