
CU Auth package #67

Open: wants to merge 40 commits into main
Conversation

woodseowl (Collaborator) commented Aug 15, 2024

A package for supporting Apache mod_shib integration and typical development login requirements. An implementation that grew from what was discussed in #42.

This PR does the following

  • Creates CUAuth package (see CUAuth/README.md)
  • Provides full testing coverage for CUAuth package
  • Provides documentation for usage
  • Provides a ShibIdentity data object for normalizing retrieval of user data provided via Shibboleth
  • Documents how to configure Shibboleth + Apache to utilize multiple identity providers on the same server (see CUAuth/SHIBBOLETH.md).

Basic Review:

  1. Read CUAuth/README.md and ask questions.
  2. Read CUAuth/SHIBBOLETH.md and ask questions.
  3. Create a new Laravel project per the Starter Kit README.md and run php artisan starterkit:install
  4. Add this line to .env:
    REMOTE_USER=test123
    
  5. Wrap the routes in:
    Route::group(['middleware' => [ApacheShib::class]], function() {
      ...
    });
    
    • Run php artisan config:cache
    • Confirm that you can get to the welcome page.
  6. Unset REMOTE_USER in .env and php artisan config:cache
    • Confirm you are forbidden from the page.

Example Sites + PRs

This PR by itself is not able to show the functionality, so the examples below are available for review.

Laravel Demo

Demonstrates authorization of a specific route, remote login, no local user.

IT Gov

Demonstrates remote login with lookup of a local user for authorization by policy.


# Conflicts:
#	phpunit.xml
#	src/StarterKitServiceProvider.php
#	tests/Feature/InstallStarterKitTest.php
# Conflicts:
#	src/StarterKitServiceProvider.php
#	tests/Feature/InstallStarterKitTest.php
Base automatically changed from updates to main October 31, 2024 18:19
woodseowl and others added 3 commits October 31, 2024 14:19
woodseowl marked this pull request as ready for review December 2, 2024 21:10
woodseowl requested a review from nst37 December 2, 2024 21:39
$user = new $userModel;
$user->name = $shibboleth->name();
$user->email = $shibboleth->email();
$user->password = Str::random(32);

I suggest to use eduPersonPrincipalName (netid email) here instead of mail attribute which is alias email. This can be changed later.

woodseowl (Collaborator, Author):

Apparently I was already in agreement with you! Looking at the ShibIdentity implementation, it uses eduPersonPrincipalName as the value for email if it is available, and it uses mail as a fallback. (See ShibIdentity::fromServerVars() and the phpdoc for ShibIdentity::email())

So, basically, yes, and already done!
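As an added illustration of the two points discussed in this thread, and not code from the CUAuth package or this PR, the plain-PHP sketch below shows (a) the gate behind the review steps above, where a request without REMOTE_USER is forbidden and the REMOTE_USER line in .env only works as a development fallback, and (b) the eduPersonPrincipalName-over-mail preference described in the reply. The class and method names (ShibIdentity, fromServerVars, email, name, ApacheShib, resolve), the server-variable names eppn, mail and displayName, and the sample inputs are assumptions for illustration; the package's real API may differ. It runs stand-alone with php 8.1+ and no framework.

```php
<?php
// Added illustration for this PR thread, not the CUAuth package's own code.
// Assumed: mod_shib exports attributes as server variables named eppn, mail
// and displayName (attribute-map.xml style ids), and REMOTE_USER is set by
// Apache only after a successful SSO. Requires PHP 8.1+.
declare(strict_types=1);

final class ShibIdentity
{
    public function __construct(
        public readonly string $remoteUser,
        public readonly ?string $eppn,
        public readonly ?string $mail,
        public readonly ?string $displayName,
    ) {
    }

    // Build from $_SERVER-style variables only. mod_shib sets these after it
    // has validated the SAML assertion; a request header (HTTP_*) can be
    // supplied by any client and is deliberately not consulted here.
    public static function fromServerVars(array $server): ?self
    {
        $pick = static function (string $key) use ($server): ?string {
            $value = trim((string) ($server[$key] ?? ''));
            return $value === '' ? null : $value;
        };
        $user = $pick('REMOTE_USER');
        if ($user === null) {
            return null;
        }
        return new self($user, $pick('eppn'), $pick('mail'), $pick('displayName'));
    }

    // eduPersonPrincipalName (netid-based, stable) is preferred over mail
    // (an alias address); mail is used only when eppn is absent.
    public function email(): ?string
    {
        return $this->eppn ?? $this->mail;
    }

    public function name(): string
    {
        return $this->displayName ?? $this->remoteUser;
    }
}

// Stand-in for the middleware used in the review steps: returns the identity
// to authenticate, or null when the request should receive a 403.
final class ApacheShib
{
    public function __construct(
        private readonly string $appEnv,        // e.g. APP_ENV from .env
        private readonly ?string $devRemoteUser // REMOTE_USER from .env
    ) {
    }

    public function resolve(array $server): ?ShibIdentity
    {
        $identity = ShibIdentity::fromServerVars($server);
        if ($identity !== null) {
            return $identity;
        }
        // The REMOTE_USER=test123 line from the review steps is a development
        // convenience. Honour it only outside production so that a .env value
        // copied onto a real server can never log someone in on its own.
        if ($this->appEnv !== 'production' && $this->devRemoteUser !== null) {
            return ShibIdentity::fromServerVars(['REMOTE_USER' => $this->devRemoteUser]);
        }
        return null;
    }
}

// Constructed sample inputs (not captured traffic): [server vars, APP_ENV, .env REMOTE_USER]
$cases = [
    'SSO with eppn and mail' => [
        ['REMOTE_USER' => 'abc123', 'eppn' => 'abc123@example.edu',
         'mail' => 'alias.name@example.edu', 'displayName' => 'A. Person'],
        'production', null,
    ],
    'SSO with mail only'     => [['REMOTE_USER' => 'abc123', 'mail' => 'alias.name@example.edu'], 'production', null],
    'dev, .env REMOTE_USER'  => [[], 'local', 'test123'],
    'prod, .env REMOTE_USER' => [[], 'production', 'test123'],
    'dev, nothing set'       => [[], 'local', null],
];

foreach ($cases as $label => [$server, $env, $devUser]) {
    $identity = (new ApacheShib($env, $devUser))->resolve($server);
    printf("%-24s -> %s\n", $label,
        $identity === null
            ? '403 Forbidden'
            : sprintf('user=%s email=%s name=%s',
                $identity->remoteUser, $identity->email() ?? '(none)', $identity->name()));
}
```

In a real Laravel middleware the same checks would read `$request->server('REMOTE_USER')` rather than a raw array and take the development fallback from `config()` rather than a constructor argument, which is why the review steps run `php artisan config:cache` after editing .env. The "prod, .env REMOTE_USER" case is the one worth keeping in a test suite: it is the scenario a stray .env setting would otherwise turn into an unauthenticated login.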

@inaydich inaydich left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good work, Eric! Thanks for implementing it. I have two suggestions that can be done later:

  1. Use eduPersonPrincipalName (netid email) here instead of mail attribute which is alias email.
  2. Add authorization for an admin role besides a regular user. I think all our applications have an admin role, and it will be a good example of how to do different roles.
