initial commit

Author: lucidprogrammer

README.md

@@ -1,2 +1,85 @@
 # yii2-simplesamlphp
-SAML Service Provider(SP) for Yii2 using simplesamlphp (yii2 extension)
+
+SAML Service Provider(SP) for Yii2 using simplesamlphp (yii2 extension). This is useful when you want to act as a Service Provider(SP), where a partner company is acting as a SAML Identity Provider (IDP). User data and their credentials are with the IDP and you are using SAML based login and use those users information in your yii2 application.
+
+This is a very basic implementation where we are not persisting user data coming from the IDP at the Service Provider side for reporting on usage etc. However, those are fairly straightforward additions one can do.
+
+# Installation
+
+This is available to be installed via composer. In your yii2 application folder, run the following command.
+
+```
+composer require lucidprogrammer/yii2-simplesamlphp
+```
+
+This will install the package as a yii2 extension and update the extensions and installs the simplesamlphp project too in the vendor folder.
+
+## Configuration
+
+### Step 1 - Configuring an alias for /saml in your web server.
+
+In a standard web server configuration like Apache, the DocumentRoot will be pointing to the yii2 application's web folder. Create an alias for /saml pointing to pathto_my-yii2-app/vendor/simplesamlphp/simplesamlphp/www.
+
+In the case of Apache, you may do something like (replace pathto_my-yii2-app with your real path.)
+
+```
+echo "Alias /saml pathto_my-yii2-app/vendor/simplesamlphp/simplesamlphp/www" >> /etc/apache2/apache2.conf
+echo "<Directory \"pathto_my-yii2-app/simplesamlphp/simplesamlphp/www/\"> \n Options Indexes FollowSymLinks \n AllowOverride all \n Require all granted \n   </Directory>" >> /etc/apache2/apache2.conf
+```
+
+To explain it visually, following could help.
+```
+my-yii2-app/
+          /web    -> DocumentRoot
+          ..
+          ..
+          /vendor
+              ...
+              ...
+              /lucidprogrammer  (newly created folder in vendor)
+              /simplesamlphp    (newly created folder in vendor)
+                  /simplesamlphp/wwww      -> [Create an alias /saml pointing to pathto_my-yii2-app/vendor/simplesamlphp/simplesamlphp/www]
+```
+
+### Step 2 - Configure yii2 configuration.
+
+Yii configuration straightforward, just add the following in your config/web.php
+
+```
+'user' => [
+    'class' => 'lucidprogrammer\simplesamlphp\SamlUser',
+],
+
+```
+
+### Note on enabling authentication for a route using yii2
+
+Let's say you have a rule like the following in your yii2 setting,
+
+```
+'access' => [
+    'class' => AccessControl::className(),
+    'only' => ['index','logout','about'],
+    'rules' => [
+      [
+            'allow' => true,
+            'actions' => ['index'],
+            'roles' => ['?'],
+        ],
+        [
+            'actions' => ['logout'],
+            'allow' => true,
+            'roles' => ['@'],
+        ],
+    ],
+  ],
+
+```
+After the component is installed, the moment you hit the site/about page, it should redirect you to the configured saml idp login page.
+
+So, if you want to do SAML provided attributes and want to implement a fine grained access control, yii2 makes it easy.
+
+### Note on yii2 login link.
+If your application has links to login, for example, 'site/login', you need to change to _saml/login.
+
+However, it is best if you use Yii::$app->user->loginUrl[0], so it will take whatever is the correct loginUrl, so it will work with or without this plugin.

composer.json

@@ -0,0 +1,26 @@
+{
+    "name": "lucidprogrammer/yii2-simplesamlphp",
+    "type": "yii2-extension",
+    "description": "SAML Service Provider(SP) for Yii2 using simplesamlphp",
+    "keywords": ["yii2", "saml","simplesamlphp","yii"],
+    "license": "BSD-3-Clause",
+    "require": {
+        "yiisoft/yii2": "2.*.*",
+        "simplesamlphp/simplesamlphp": ">=1.14"
+    },
+    "authors": [
+        {
+            "name": "Lucid Programmer",
+            "email": "[email protected]"
+        }
+    ],
+    "autoload": {
+       "psr-4": {
+           "lucidprogrammer\\simplesamlphp\\": "src/"
+       }
+   },
+   "extra": {
+        "bootstrap": "lucidprogrammer\\simplesamlphp\\BootstrapClass"
+    }
+
+}

src/BootstrapClass.php

@@ -0,0 +1,33 @@
+<?php
+/**
+ * Bootstrap class for the extension.
+ *
+ * @see http://www.yiiframework.com/doc-2.0/guide-runtime-bootstrapping.html
+ *
+ * @author     Lucid Programmer<[email protected]>
+ * @copyright  2017 Lucid Programmer
+ * @license    https://github.com/lucidprogrammer/yii2-simplesamlphp/blob/master/README.md
+ * @link       https://github.com/lucidprogrammer/yii2-simplesamlphp
+ */
+
+namespace lucidprogrammer\simplesamlphp;
+use yii;
+use yii\base\BootstrapInterface;
+use yii\base\Application;
+use lucidprogrammer\simplesamlphp\Saml;
+
+class BootstrapClass implements BootstrapInterface
+{
+    public function bootstrap($app)
+    {
+        $app->on(Application::EVENT_BEFORE_REQUEST, function () {
+            //creating a controller for the login route
+            Yii::$app->controllerMap['_saml'] = '\lucidprogrammer\simplesamlphp\_SamlController';
+            //a globally accessible instance of saml
+            Yii::$container->set('saml',new Saml());
+            // TODO possibly check if the user has enabled /saml alias.
+        });
+    }
+
+
+}

src/Saml.php

@@ -0,0 +1,109 @@
+<?php
+/**
+ * Saml Object which uses the simplesamlphp project
+ *
+ * @see https://simplesamlphp.org
+ * @author     Lucid Programmer<[email protected]>
+ * @copyright  2017 Lucid Programmer
+ * @license    https://github.com/lucidprogrammer/yii2-simplesamlphp/blob/master/README.md
+ * @link       https://github.com/lucidprogrammer/yii2-simplesamlphp
+ */
+
+namespace lucidprogrammer\simplesamlphp;
+use yii\base\Object;
+
+class Saml extends Object {
+
+    /**
+     * Authentication source you will use.
+     */
+    public $authSource='default-sp';
+
+    /**
+     * SimpleSAML_Auth_Simple's object.
+     */
+    private $auth;
+
+
+    public function init() {
+        $this->auth = new \SimpleSAML_Auth_Simple($this->authSource);
+        parent::init();
+    }
+
+
+    /**
+     * Make sure user is authenticated. If the user is not authenticated, he will be rediected to Simplesamlphp IdP login page. If he is authenticated, it does nothing.
+     * @see https://simplesamlphp.org/docs/stable/simplesamlphp-sp-api#section_3
+     */
+    public function requireAuth(array $params = array()) {
+        $this->auth->requireAuth($params);
+    }
+
+    /**
+     * Log in the current user. He will be redirected to Simplesamlphp IdP login page. After a successfull login, he will be redirected to the referer page.
+     * @see https://simplesamlphp.org/docs/stable/simplesamlphp-sp-api#section_4
+     */
+    public function login(array $params = array()) {
+        $this->auth->login($params);
+    }
+
+    /**
+     * Logout the current user. Clear Simplesamlphp Sp and Simplesamlphp IdP session and redirected to the referer page.
+     * @see https://simplesamlphp.org/docs/stable/simplesamlphp-sp-api#section_5
+     */
+    public function logout($params = NULL) {
+        $this->auth->logout($params);
+    }
+
+    /**
+     * Get login url.
+     * @see https://simplesamlphp.org/docs/stable/simplesamlphp-sp-api#section_8
+     */
+    public function getLoginURL($returnTo = null) {
+        $this->auth->getLogoutUrl($returnTo);
+    }
+
+    /**
+     * Get logout url.
+     * @see https://simplesamlphp.org/docs/stable/simplesamlphp-sp-api#section_9
+     */
+    public function getLogoutURL($returnTo = null) {
+        $this->auth->getLogoutUrl($returnTo);
+    }
+
+    /**
+     * Check wether the user is authenticated or not.
+     * @see https://simplesamlphp.org/docs/stable/simplesamlphp-sp-api#section_9
+     * @return bool true if user is authenticated, false it he is not.
+     */
+    public function isAuthenticated() {
+        return $this->auth->isAuthenticated();
+    }
+
+    /**
+     * Get attributes which are returned from Simplesamlphp IdP after a successfull login.
+     * @see https://simplesamlphp.org/docs/stable/simplesamlphp-sp-api#section_6
+     * @return array attributes
+     */
+    public function getAttributes() {
+        return $this->auth->getAttributes();
+    }
+
+    /**
+     * Get auth data.
+     * @see https://simplesamlphp.org/docs/stable/simplesamlphp-sp-api#section_7
+     * @return mixed
+     */
+    public function getAuthData(string $name) {
+        return $this->auth->getAuthData($name);
+    }
+
+    /**
+     * Get attribute by it's key.
+     * @return string the attribute value
+     */
+    public function __get($name) {
+        return isset($this->getAttributes()[$name]) ? $this->getAttributes()[$name][0] : null;
+    }
+
+}

src/SamlIdentity.php

@@ -0,0 +1,91 @@
+<?php
+
+/**
+ * Identity Object as per yii2
+ *
+ * @see http://www.yiiframework.com/doc-2.0/guide-security-authentication.html
+ * @author     Lucid Programmer<[email protected]>
+ * @copyright  2017 Lucid Programmer
+ * @license    https://github.com/lucidprogrammer/yii2-simplesamlphp/blob/master/README.md
+ * @link       https://github.com/lucidprogrammer/yii2-simplesamlphp
+ */
+
+namespace lucidprogrammer\simplesamlphp;
+
+
+use yii;
+use yii\base\Object;
+use yii\web\IdentityInterface;
+use lucidprogrammer\simplesamlphp\SamlIdentity;
+
+class SamlIdentity extends Object implements IdentityInterface {
+
+  public $id;
+  public $attributes;
+
+
+  public function __construct($id,$attributes, $config = [])
+  {
+      $this->id = $id;
+      $this->attributes = $attributes;
+      parent::__construct($config);
+  }
+
+
+  /**
+   * Finds an identity by the given ID.
+   *
+   * @param string|int $id the ID to be looked for
+   * @return IdentityInterface|null the identity object that matches the given ID.
+   */
+    public static function findIdentity($id)
+
+    {
+      $attributes = Yii::$container->get('saml')->getAttributes();
+      if(sizeof($attributes) > 0){
+        $id = $attributes['username'][0];
+        return new SamlIdentity($id,$attributes);
+      }
+      return null;
+
+
+    }
+
+  /**
+   * @return int|string current user ID
+   */
+    public function getId()
+    {
+        return $this->id;
+    }
+
+  /**
+     * @return string current user auth key
+     */
+    public function getAuthKey()
+    {
+
+    }
+
+    /**
+     * @param string $authKey
+     * @return bool if auth key is valid for current user
+     */
+    public function validateAuthKey($authKey)
+    {
+
+    }
+    public static function findIdentityByAccessToken($token, $type = null)
+    {
+
+    }
+
+    public function __get($name)
+    {
+        return isset($this->attributes[$name]) ? $this->attributes[$name][0] : null;
+    }
+
+
+
+
+}

src/SamlUser.php

@@ -0,0 +1,40 @@
+<?php
+/**
+ * User Object as per yii2, minor changes to the yii\web\User
+ *
+ * @see http://www.yiiframework.com/doc-2.0/guide-security-authentication.html
+ * @author     Lucid Programmer<[email protected]>
+ * @copyright  2017 Lucid Programmer
+ * @license    https://github.com/lucidprogrammer/yii2-simplesamlphp/blob/master/README.md
+ * @link       https://github.com/lucidprogrammer/yii2-simplesamlphp
+ */
+
+namespace lucidprogrammer\simplesamlphp;
+
+use yii;
+use yii\web\User;
+
+class SamlUser extends User
+{
+  /**
+  * changing the loginUrl and identityClass
+  * so while configuring yii2, just point to the user class and all other auth rules should automatically work.
+  */
+  public function init()
+  {
+      $this->loginUrl = ['_saml/login'];
+      $this->identityClass = 'lucidprogrammer\simplesamlphp\SamlIdentity';
+      $this->enableAutoLogin = true;
+      parent::init();
+  }
+
+  public function logout($destroySession = true)
+  {
+
+    Yii::$container->get('saml')->logout(Yii::$app->homeUrl);
+    parent::logout($destroySession);
+
+  }
+
+
+}