diff --git a/Dockerfile b/Dockerfile index 79d5591b..09d2bf0c 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,19 +1,10 @@ FROM silintl/php7:7.4 -MAINTAINER Phillip Shipley - -ENV REFRESHED_AT 2020-06-09 RUN apt-get update -y && \ apt-get install -y php-memcache && \ apt-get clean && \ rm -rf /var/lib/apt/lists/* -RUN mkdir -p /data - -# get s3-expand -RUN curl https://raw.githubusercontent.com/silinternational/s3-expand/1.5/s3-expand -o /usr/local/bin/s3-expand -RUN chmod a+x /usr/local/bin/s3-expand - WORKDIR /data # Install/cleanup composer dependencies @@ -38,5 +29,4 @@ RUN sed -i -E 's@ErrorLog .*@ErrorLog /proc/self/fd/2@i' /etc/apache2/apache2.co RUN touch /etc/default/locale EXPOSE 80 -ENTRYPOINT ["/usr/local/bin/s3-expand"] CMD ["/data/run.sh"] diff --git a/api.raml b/api.raml index d4ef17d6..643146be 100644 --- a/api.raml +++ b/api.raml @@ -82,7 +82,7 @@ types: properties: id?: integer type: - enum: [ backupcode, totp, u2f ] + enum: [ backupcode, totp, webauthn ] label?: string created_utc?: string last_used_utc?: string @@ -339,7 +339,7 @@ types: 409: description: > An MFA of the requested type already exists. Note that this would only - be returned for 'totp' or 'u2f'. The code types ('backupcode' and + be returned for 'totp' or 'webauthn'. The code types ('backupcode' and 'manager') reuse the existing MFA and create new codes. body: type: Error diff --git a/application/common/config/main.php b/application/common/config/main.php index 7beaad60..d7a5e5c6 100644 --- a/application/common/config/main.php +++ b/application/common/config/main.php @@ -26,6 +26,7 @@ $recaptchaSecretKey = Env::get('RECAPTCHA_SECRET_KEY'); $uiUrl = Env::get('UI_URL'); $uiCorsOrigin = Env::get('UI_CORS_ORIGIN', $uiUrl); +$rpOrigin = Env::get('WEBAUTHN_RP_ORIGIN', $uiCorsOrigin); $helpCenterUrl = Env::get('HELP_CENTER_URL'); $codeLength = Env::get('CODE_LENGTH', 6); $supportEmail = Env::get('SUPPORT_EMAIL'); 
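Review bot: Dropping `u2f` from the `type` enum in favour of `webauthn` is a breaking change to the API contract, not a rename, because any client that enumerates a user's MFAs may still receive `u2f` for keys registered before this change if the broker keeps reporting them that way (the hunk cannot show what the broker does). If legacy keys are now reported as `webauthn`, say so in the type's description; if `u2f` can still appear, keep it in the enum and mark it, e.g. `enum: [ backupcode, totp, webauthn, u2f ]  # u2f: deprecated, legacy registrations only`. Either way a one-line note on when the value was renamed would spare consumers a schema validation failure on existing data.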
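Review bot: `$rpOrigin` is taken as-is, yet it is the WebAuthn relying-party origin that the broker will compare against the browser's `clientDataJSON.origin`, so a wrong value breaks every registration and an over-broad one weakens the check. The fallback chain `WEBAUTHN_RP_ORIGIN` → `UI_CORS_ORIGIN` → `UI_URL` makes that easy to get wrong: `UI_CORS_ORIGIN` is a CORS setting and nothing on this line guarantees it is a single `scheme://host[:port]` origin with no path or trailing slash (whether `UI_URL` carries a path is not visible here). Validate the value once at config load and fail fast instead of shipping it to the broker, roughly as below; use whatever exception or `Env::requireEnv`-style mechanism this file already relies on for missing configuration.
```php
$rpOrigin = Env::get('WEBAUTHN_RP_ORIGIN', $uiCorsOrigin);
// The RP origin is compared byte-for-byte with the browser's clientDataJSON.origin,
// so it must be scheme://host[:port] with no path or trailing slash; refuse anything else.
$rpOriginParts = parse_url((string)$rpOrigin);
if (empty($rpOriginParts['scheme']) || empty($rpOriginParts['host']) || !empty($rpOriginParts['path'])) {
    throw new \RuntimeException('WEBAUTHN_RP_ORIGIN must be a bare origin such as https://idp-pw.example.com');
}
```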
@@ -201,6 +202,7 @@ 'helpCenterUrl' => $helpCenterUrl, 'uiUrl' => $uiUrl, 'uiCorsOrigin' => $uiCorsOrigin, + 'rpOrigin' => $rpOrigin, 'reset' => [ 'lifetimeSeconds' => 3600, // 1 hour 'gracePeriod' => '-1 week', // time between expiration and deletion, relative to now (time of execution) diff --git a/application/composer.json b/application/composer.json index f4f5ca3e..6e52f422 100644 --- a/application/composer.json +++ b/application/composer.json @@ -9,7 +9,7 @@ } ], "require": { - "php": ">=7.2", + "php": ">=7.4", "ext-json": "*", "ext-iconv": "*", "ext-memcache": "*", @@ -20,7 +20,7 @@ "silinternational/php-env": "^2.1.1", "silinternational/yii2-json-log-targets": "^2.0", "silinternational/yii2-email-log-target": "^1.0.1", - "silinternational/idp-id-broker-php-client": "^3.1.0", + "silinternational/idp-id-broker-php-client": "^4.0.0", "silinternational/zxcvbn-api-client-php": "^2.0", "simplesamlphp/saml2": "^3.4.2", "google/apiclient": "^2.0", diff --git a/application/composer.lock b/application/composer.lock index 20ed6d28..0ffeb94a 100644 --- a/application/composer.lock +++ b/application/composer.lock @@ -4,7 +4,7 @@ "Read more about it at https://getcomposer.org/doc/01-basic-usage.md#installing-dependencies", "This file is @generated automatically" ], - "content-hash": "b7508e143c528ecdf56804551a4afdd1", + "content-hash": "f0488972e121029f5472f8be857ca62b", "packages": [ { "name": "adldap2/adldap2", 
@@ -1138,6 +1138,77 @@ }, "time": "2021-06-01T14:53:38+00:00" }, + { + "name": "mlocati/ip-lib", + "version": "1.17.1", + "source": { + "type": "git", + "url": "https://github.com/mlocati/ip-lib.git", + "reference": "28763c87f9a3e24ff4df9258ec4e8375d8fa6523" + }, + "dist": { + "type": "zip", + "url": "https://api.github.com/repos/mlocati/ip-lib/zipball/28763c87f9a3e24ff4df9258ec4e8375d8fa6523", + "reference": "28763c87f9a3e24ff4df9258ec4e8375d8fa6523", + "shasum": "" + }, + "require": { + "php": ">=5.3.3" + }, + "require-dev": { + "ext-pdo_sqlite": "*", + "phpunit/phpunit": "^4.8 || ^5.7 || ^6.5 || ^7.5 || ^8.5 || ^9.5" + }, + "type": "library", + "autoload": { + "psr-4": { + "IPLib\\": "src/" + } + }, + "notification-url": "https://packagist.org/downloads/", + "license": [ + "MIT" + ], + "authors": [ + { + "name": "Michele Locati", + "email": "mlocati@gmail.com", + "homepage": "https://github.com/mlocati", + "role": "Author" + } + ], + "description": "Handle IPv4, IPv6 addresses and ranges", + "homepage": "https://github.com/mlocati/ip-lib", + "keywords": [ + "IP", + "address", + "addresses", + "ipv4", + "ipv6", + "manage", + "managing", + "matching", + "network", + "networking", + "range", + "subnet" + ], + "support": { + "issues": "https://github.com/mlocati/ip-lib/issues", + "source": "https://github.com/mlocati/ip-lib/tree/1.17.1" + }, + "funding": [ + { + "url": "https://github.com/sponsors/mlocati", + "type": "github" + }, + { + "url": "https://paypal.me/mlocati", + "type": "other" + } + ], + "time": "2021-11-10T15:24:32+00:00" + }, { "name": "monolog/monolog", "version": "2.2.0", 
@@ -2401,22 +2472,22 @@ }, { "name": "silinternational/idp-id-broker-php-client", - "version": "3.1.0", + "version": "4.0.0", "source": { "type": "git", "url": "https://github.com/silinternational/idp-id-broker-php-client.git", - "reference": "60b58316687e821fec02c7991f288226cbbc2432" + "reference": "8080ab07a521d34b37bc3f51f4282b1a38c0bfd7" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/silinternational/idp-id-broker-php-client/zipball/60b58316687e821fec02c7991f288226cbbc2432", - "reference": "60b58316687e821fec02c7991f288226cbbc2432", + "url": "https://api.github.com/repos/silinternational/idp-id-broker-php-client/zipball/8080ab07a521d34b37bc3f51f4282b1a38c0bfd7", + "reference": "8080ab07a521d34b37bc3f51f4282b1a38c0bfd7", "shasum": "" }, "require": { "guzzlehttp/guzzle-services": "^1.1", - "php": ">=7.0", - "rlanvin/php-ip": "^1.0", + "mlocati/ip-lib": "^1.14", + "php": ">=7.4", "roave/security-advisories": "dev-master" }, "require-dev": { @@ -2454,9 +2525,9 @@ ], "support": { "issues": "https://github.com/silinternational/idp-id-broker-php-client/issues", - "source": "https://github.com/silinternational/idp-id-broker-php-client/tree/master" + "source": "https://github.com/silinternational/idp-id-broker-php-client/tree/4.0.0" }, - "time": "2019-04-10T13:47:54+00:00" + "time": "2021-12-14T21:18:39+00:00" }, { "name": "silinternational/php-env", @@ -7695,7 +7766,7 @@ "prefer-stable": false, "prefer-lowest": false, "platform": { - "php": ">=7.2", + "php": ">=7.4", "ext-json": "*", "ext-iconv": "*", "ext-memcache": "*" diff --git a/application/frontend/controllers/MfaController.php b/application/frontend/controllers/MfaController.php index b5250842..0ff1bda6 100644 --- a/application/frontend/controllers/MfaController.php +++ b/application/frontend/controllers/MfaController.php 
@@ -61,9 +61,12 @@ public function init() * @return array * @throws ServiceException */ - public function actionIndex() + public function actionIndex(): array { - return $this->idBrokerClient->mfaList(\Yii::$app->user->identity->employee_id); + return $this->idBrokerClient->mfaList( + \Yii::$app->user->identity->employee_id, + \Yii::$app->params['rpOrigin'] + ); } /** @@ -71,7 +74,7 @@ public function actionIndex() * @throws BadRequestHttpException * @throws HttpException */ - public function actionCreate() + public function actionCreate(): ?array { $messages = [ 409 => \Yii::t('app', 'Mfa.AlreadyExists'), @@ -85,7 +88,12 @@ public function actionCreate() $label = \Yii::$app->request->getBodyParam('label'); try { - $mfa = $this->idBrokerClient->mfaCreate(\Yii::$app->user->identity->employee_id, $type, $label); + $mfa = $this->idBrokerClient->mfaCreate( + \Yii::$app->user->identity->employee_id, + $type, + $label, + \Yii::$app->params['rpOrigin'] + ); } catch (ServiceException $e) { \Yii::error([ 'status' => 'MFA create error', @@ -148,7 +156,12 @@ public function actionVerify($mfaId) } try { - $mfa = $this->idBrokerClient->mfaVerify($mfaId, \Yii::$app->user->identity->employee_id, $value); + $mfa = $this->idBrokerClient->mfaVerify( + $mfaId, + \Yii::$app->user->identity->employee_id, + $value, + \Yii::$app->params['rpOrigin'] + ); } catch (ServiceException $e) { \Yii::warning([ 'status' => 'MFA verify error', diff --git a/application/versions.json b/application/versions.json index 69b0809d..4443f4f4 100644 --- a/application/versions.json +++ b/application/versions.json @@ -67,7 +67,7 @@ }, { "name": "silinternational/idp-id-broker-php-client", - "version": "3.1.0", + "version": "4.0.0", "description": "PHP client to interact with our IdP ID Broker's API: https://github.com/silinternational/idp-id-broker" }, { diff --git a/codeship-services.yml b/codeship-services.yml index c2e5335a..2b8e77d2 100644 --- a/codeship-services.yml +++ b/codeship-services.yml 
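Review bot: The new `mfaList` argument reads `\Yii::$app->params['rpOrigin']` inline with no check that it is set, so a deployment with none of `WEBAUTHN_RP_ORIGIN`, `UI_CORS_ORIGIN` or `UI_URL` configured passes `null` as the relying-party origin and the outcome then depends entirely on how the broker treats a missing origin, which this hunk cannot show. A private accessor that rejects an empty origin with the `HttpException` the class already throws keeps the failure local and explicit; the same accessor should replace the identical inline reads in `actionCreate` and `actionVerify`, whose bodies continue outside their hunks. `actionIndex` itself is complete within this hunk.
```php
public function actionIndex(): array
{
    return $this->idBrokerClient->mfaList(
        \Yii::$app->user->identity->employee_id,
        $this->rpOrigin()
    );
}

/**
 * WebAuthn relying-party origin from config. An empty value is a deployment
 * error and must not reach the broker as null.
 * @throws HttpException
 */
private function rpOrigin(): string
{
    $origin = \Yii::$app->params['rpOrigin'] ?? null;
    if (empty($origin)) {
        throw new HttpException(500, 'WEBAUTHN_RP_ORIGIN is not configured');
    }
    return $origin;
}
```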
@@ -1,5 +1,5 @@ db: - image: silintl/mariadb:latest + image: mariadb:latest environment: MYSQL_ROOT_PASSWORD: r00tp@ss! MYSQL_DATABASE: test diff --git a/docker-compose.yml b/docker-compose.yml index 1b81fa5d..1f84c5c3 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -7,7 +7,7 @@ services: user: "${DOCKER_UIDGID}" db: - image: silintl/mariadb:latest + image: mariadb:latest environment: MYSQL_ROOT_PASSWORD: r00tp@ss! MYSQL_DATABASE: pwmgr @@ -15,7 +15,7 @@ services: MYSQL_PASSWORD: idpmgmt testDb: - image: silintl/mariadb:latest + image: mariadb:latest environment: MYSQL_ROOT_PASSWORD: r00tp@ss! MYSQL_DATABASE: test @@ -172,7 +172,7 @@ services: image: wcjr/zxcvbn-api:1.1.0 brokerDb: - image: silintl/mariadb:latest + image: mariadb:latest environment: MYSQL_ROOT_PASSWORD: r00tp@ss! MYSQL_DATABASE: broker diff --git a/local.env.dist b/local.env.dist index 99dde8b5..fef950dc 100644 --- a/local.env.dist +++ b/local.env.dist @@ -31,7 +31,7 @@ HELP_CENTER_URL= # URL of the profile manager user interface, e.g. https://profile.example.com UI_URL= -# CORS_ORIGIN of the UI, defalts to the value of UI_URL +# CORS_ORIGIN of the UI, defaults to the value of UI_URL UI_CORS_ORIGIN= # === frontend config data === @@ -109,6 +109,11 @@ ID_BROKER_assertValidBrokerIp= # Example: 127.0.0.1/32,192.168.65.1/32 ID_BROKER_validIpRanges= +# === WebAuthn === +# RP Origin is the UI origin URL with https, but without port/path +# If empty it will default to UI_CORS_ORIGIN +# Example: https://idp-pw.domain.com +WEBAUTHN_RP_ORIGIN= # === Password validation rules ===
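Review bot: `image: mariadb:latest` is a floating tag, so every CI run now pulls whatever MariaDB release Docker Hub publishes that day, and a major-version change or a compromised push reaches the test database with no change in this repository. Pin at least major.minor, e.g. `image: mariadb:10.6` (whichever line `silintl/mariadb` was tracking), and pin the digest if reproducible CI matters. The hard-coded `MYSQL_ROOT_PASSWORD` on the next line is pre-existing and unchanged by this hunk.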
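Review bot: The `db` service now tracks `mariadb:latest`, a floating tag, so local and test environments can silently change database major versions between pulls; the same edit is repeated for `testDb` and `brokerDb` in the later hunks of this file. Pin a specific version such as `image: mariadb:10.6` on all three so the environments agree with each other and with CI. Consider a short comment above the first one, `# keep in sync with codeship-services.yml`, since the tag is duplicated across files.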
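Review bot: The comment `RP Origin is the UI origin URL with https, but without port/path` is wrong about the port: a WebAuthn origin must match the browser's `clientDataJSON.origin` exactly, and that value includes the port whenever it is not the scheme default, so a UI served on e.g. `https://idp-pw.domain.com:8443` needs the port here. Suggest `# RP origin of the UI: scheme://host[:port], no path or trailing slash, exactly as the browser reports it`. It is also worth stating that the `UI_CORS_ORIGIN` fallback only works when that variable holds a single bare origin, since it is documented above as a CORS setting.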