Merge pull request #236 from silinternational/develop

Update to use WebAuthn instead of U2F - Release as 6.0.0
silinternational · Dec 14, 2021 · 35cf4d5 · 35cf4d5
2 parents ed7c3e8 + 204bb63
commit 35cf4d5
Show file tree

Hide file tree

Showing 10 changed files with 116 additions and 35 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -1,19 +1,10 @@
 FROM silintl/php7:7.4
-MAINTAINER Phillip Shipley <[email protected]>
-
-ENV REFRESHED_AT 2020-06-09
 
 RUN apt-get update -y && \
     apt-get install -y php-memcache && \
     apt-get clean && \
     rm -rf /var/lib/apt/lists/*
 
-RUN mkdir -p /data
-
-# get s3-expand
-RUN curl https://raw.githubusercontent.com/silinternational/s3-expand/1.5/s3-expand -o /usr/local/bin/s3-expand
-RUN chmod a+x /usr/local/bin/s3-expand
-
 WORKDIR /data
 
 # Install/cleanup composer dependencies
@@ -38,5 +29,4 @@ RUN sed -i -E 's@ErrorLog .*@ErrorLog /proc/self/fd/2@i' /etc/apache2/apache2.co
 RUN touch /etc/default/locale
 
 EXPOSE 80
-ENTRYPOINT ["/usr/local/bin/s3-expand"]
 CMD ["/data/run.sh"]
diff --git a/api.raml b/api.raml
@@ -82,7 +82,7 @@ types:
     properties:
       id?: integer
       type:
-        enum: [ backupcode, totp, u2f ]
+        enum: [ backupcode, totp, webauthn ]
       label?: string
       created_utc?: string
       last_used_utc?: string
@@ -339,7 +339,7 @@ types:
       409:
         description: >
           An MFA of the requested type already exists. Note that this would only
-          be returned for 'totp' or 'u2f'. The code types ('backupcode' and
+          be returned for 'totp' or 'webauthn'. The code types ('backupcode' and
           'manager') reuse the existing MFA and create new codes.
         body:
           type: Error

diff --git a/application/common/config/main.php b/application/common/config/main.php
@@ -26,6 +26,7 @@
 $recaptchaSecretKey = Env::get('RECAPTCHA_SECRET_KEY');
 $uiUrl = Env::get('UI_URL');
 $uiCorsOrigin = Env::get('UI_CORS_ORIGIN', $uiUrl);
+$rpOrigin = Env::get('WEBAUTHN_RP_ORIGIN', $uiCorsOrigin);
 $helpCenterUrl = Env::get('HELP_CENTER_URL');
 $codeLength = Env::get('CODE_LENGTH', 6);
 $supportEmail = Env::get('SUPPORT_EMAIL');
@@ -201,6 +202,7 @@
         'helpCenterUrl' => $helpCenterUrl,
         'uiUrl' => $uiUrl,
         'uiCorsOrigin' => $uiCorsOrigin,
+        'rpOrigin' => $rpOrigin,
         'reset' => [
             'lifetimeSeconds' => 3600,  // 1 hour
             'gracePeriod' => '-1 week', // time between expiration and deletion, relative to now (time of execution)

diff --git a/application/composer.json b/application/composer.json
@@ -9,7 +9,7 @@
     }
   ],
   "require": {
-    "php": ">=7.2",
+    "php": ">=7.4",
     "ext-json": "*",
     "ext-iconv": "*",
     "ext-memcache": "*",
@@ -20,7 +20,7 @@
     "silinternational/php-env": "^2.1.1",
     "silinternational/yii2-json-log-targets": "^2.0",
     "silinternational/yii2-email-log-target": "^1.0.1",
-    "silinternational/idp-id-broker-php-client": "^3.1.0",
+    "silinternational/idp-id-broker-php-client": "^4.0.0",
     "silinternational/zxcvbn-api-client-php": "^2.0",
     "simplesamlphp/saml2": "^3.4.2",
     "google/apiclient": "^2.0",

diff --git a/application/composer.lock b/application/composer.lock
diff --git a/application/frontend/controllers/MfaController.php b/application/frontend/controllers/MfaController.php
@@ -61,17 +61,20 @@ public function init()
      * @return array
      * @throws ServiceException
      */
-    public function actionIndex()
+    public function actionIndex(): array
     {
-        return $this->idBrokerClient->mfaList(\Yii::$app->user->identity->employee_id);
+        return $this->idBrokerClient->mfaList(
+            \Yii::$app->user->identity->employee_id,
+            \Yii::$app->params['rpOrigin']
+        );
     }
 
     /**
      * @return array|null
      * @throws BadRequestHttpException
      * @throws HttpException
      */
-    public function actionCreate()
+    public function actionCreate(): ?array
     {
         $messages = [
             409 => \Yii::t('app', 'Mfa.AlreadyExists'),
@@ -85,7 +88,12 @@ public function actionCreate()
         $label = \Yii::$app->request->getBodyParam('label');
 
         try {
-            $mfa = $this->idBrokerClient->mfaCreate(\Yii::$app->user->identity->employee_id, $type, $label);
+            $mfa = $this->idBrokerClient->mfaCreate(
+                \Yii::$app->user->identity->employee_id,
+                $type,
+                $label,
+                \Yii::$app->params['rpOrigin']
+            );
         } catch (ServiceException $e) {
             \Yii::error([
                 'status' => 'MFA create error',
@@ -148,7 +156,12 @@ public function actionVerify($mfaId)
         }
 
         try {
-            $mfa = $this->idBrokerClient->mfaVerify($mfaId, \Yii::$app->user->identity->employee_id, $value);
+            $mfa = $this->idBrokerClient->mfaVerify(
+                $mfaId,
+                \Yii::$app->user->identity->employee_id,
+                $value,
+                \Yii::$app->params['rpOrigin']
+            );
         } catch (ServiceException $e) {
             \Yii::warning([
                 'status' => 'MFA verify error',

diff --git a/application/versions.json b/application/versions.json
@@ -67,7 +67,7 @@
         },
         {
             "name": "silinternational/idp-id-broker-php-client",
-            "version": "3.1.0",
+            "version": "4.0.0",
             "description": "PHP client to interact with our IdP ID Broker's API: https://github.com/silinternational/idp-id-broker"
         },
         {

diff --git a/codeship-services.yml b/codeship-services.yml
@@ -1,5 +1,5 @@
 db:
-    image: silintl/mariadb:latest
+    image: mariadb:latest
     environment:
         MYSQL_ROOT_PASSWORD: r00tp@ss!
         MYSQL_DATABASE: test

diff --git a/docker-compose.yml b/docker-compose.yml
@@ -7,15 +7,15 @@ services:
         user: "${DOCKER_UIDGID}"
 
     db:
-        image: silintl/mariadb:latest
+        image: mariadb:latest
         environment:
             MYSQL_ROOT_PASSWORD: r00tp@ss!
             MYSQL_DATABASE: pwmgr
             MYSQL_USER: idpmgmt
             MYSQL_PASSWORD: idpmgmt
 
     testDb:
-       image: silintl/mariadb:latest
+       image: mariadb:latest
        environment:
            MYSQL_ROOT_PASSWORD: r00tp@ss!
            MYSQL_DATABASE: test
@@ -172,7 +172,7 @@ services:
         image: wcjr/zxcvbn-api:1.1.0
 
     brokerDb:
-        image: silintl/mariadb:latest
+        image: mariadb:latest
         environment:
             MYSQL_ROOT_PASSWORD: r00tp@ss!
             MYSQL_DATABASE: broker

diff --git a/local.env.dist b/local.env.dist
@@ -31,7 +31,7 @@ HELP_CENTER_URL=
 # URL of the profile manager user interface, e.g. https://profile.example.com
 UI_URL=
 
-# CORS_ORIGIN of the UI, defalts to the value of UI_URL
+# CORS_ORIGIN of the UI, defaults to the value of UI_URL
 UI_CORS_ORIGIN=
 
 # === frontend config data ===
@@ -109,6 +109,11 @@ ID_BROKER_assertValidBrokerIp=
 # Example: 127.0.0.1/32,192.168.65.1/32
 ID_BROKER_validIpRanges=
 
+# === WebAuthn ===
+# RP Origin is the UI origin URL with https, but without port/path
+# If empty it will default to UI_CORS_ORIGIN
+# Example: https://idp-pw.domain.com
+WEBAUTHN_RP_ORIGIN=
 
 # === Password validation rules ===