From 023fbef73ca9d35ecb9aba6efca8a5da97047fb8 Mon Sep 17 00:00:00 2001
From: Brock Fanning
Date: Fri, 22 Dec 2023 14:45:49 +0000
Subject: [PATCH 1/8] FOIA-0: Attempt to use placeholder temporarily.

---
 config/default/core.extension.yml | 1 +
 docroot/modules/custom/swiftmailer/swiftmailer.info.yml | 5 +++++
 docroot/modules/custom/swiftmailer/swiftmailer.module | 6 ++++++
 3 files changed, 12 insertions(+)
 create mode 100644 docroot/modules/custom/swiftmailer/swiftmailer.info.yml
 create mode 100644 docroot/modules/custom/swiftmailer/swiftmailer.module

diff --git a/config/default/core.extension.yml b/config/default/core.extension.yml
index 9ec4abcff..f9c4bd92f 100644
--- a/config/default/core.extension.yml
+++ b/config/default/core.extension.yml
@@ -150,6 +150,7 @@ module:
   serialization: 0
   shortcut: 0
   simplesamlphp_auth: 0
+  swiftmailer: 0
   symfony_mailer: 0
   syslog: 0
   system: 0
diff --git a/docroot/modules/custom/swiftmailer/swiftmailer.info.yml b/docroot/modules/custom/swiftmailer/swiftmailer.info.yml
new file mode 100644
index 000000000..0f217da28
--- /dev/null
+++ b/docroot/modules/custom/swiftmailer/swiftmailer.info.yml
@@ -0,0 +1,5 @@
+name: 'Swiftmailer - placeholder'
+type: module
+description: 'Placeholder for a missing module.'
+core_version_requirement: ^8 || ^9 || ^10
+package: 'FOIA'
diff --git a/docroot/modules/custom/swiftmailer/swiftmailer.module b/docroot/modules/custom/swiftmailer/swiftmailer.module
new file mode 100644
index 000000000..79704c5f6
--- /dev/null
+++ b/docroot/modules/custom/swiftmailer/swiftmailer.module
@@ -0,0 +1,6 @@
+ Date: Fri, 12 Jan 2024 21:52:05 +0000
Subject: [PATCH 2/8] FOIA-0: Saml-related settings changes.

---
 config/default/samlauth.authentication.yml | 113 ++++++++++++++++--
 .../default/simplesamlphp_auth.settings.yml | 4 +-
 config/default/user.role.anonymous.yml | 2 +
 config/default/user.role.authenticated.yml | 2 +
 4 files changed, 111 insertions(+), 10 deletions(-)
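Review bot: The placeholder module in swiftmailer.info.yml takes the machine name `swiftmailer`, which is the machine name of the contrib module it stands in for, so if that module is ever restored through Composer the site will have two extensions with the same name and which one Drupal discovers first is not well-defined. A distinct machine name (for example `foia_swiftmailer_placeholder`) avoids that collision, or at minimum the info file should say why it exists, e.g. `# Temporary stand-in so config that references 'swiftmailer' still imports; remove once the real module is restored.` Note that `swiftmailer: 0` in core.extension.yml means the placeholder is installed on every config import, not just where the real module is missing. The body of the swiftmailer.module hunk is not legible in this copy of the patch and was not reviewed.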
diff --git a/config/default/samlauth.authentication.yml b/config/default/samlauth.authentication.yml
index d28af7c8a..4654ca0f3 100644
--- a/config/default/samlauth.authentication.yml
+++ b/config/default/samlauth.authentication.yml
@@ -1,15 +1,110 @@
 _core:
   default_config_hash: oDGEkhP0h5rXXqlDplxeBDre0goLigOJupHKMDMwcqM
-metadata_cache_http: false
-metadata_valid_secs: 60
+login_menu_item_title: ''
+logout_menu_item_title: ''
+login_link_show: true
+login_link_title: 'Login via MAX.gov'
+login_redirect_url: ''
+logout_redirect_url: ''
+error_redirect_url: ''
+error_throw: false
 local_login_saml_error: false
-security_authn_requests_sign: true
-security_logout_requests_sign: true
-security_logout_responses_sign: true
+logout_different_user: false
+drupal_login_roles:
+  authenticated: '0'
+  administrator: '0'
+  page_creator: '0'
+  layout_manager: '0'
+  page_reviewer: '0'
+  landing_page_creator: '0'
+  landing_page_reviewer: '0'
+  media_creator: '0'
+  media_manager: '0'
+  agency_component_creator: '0'
+  agency_component_reviewer: '0'
+  agency_administrator: '0'
+  agency_manager: '0'
+  non_sso: '0'
+  quarterly_foia_report_data_creator: '0'
+  quarterly_foia_report_data_reviewer: '0'
+  cfo_meeting_creator: '0'
+  cfo_meeting_reviewer: '0'
+  cfo_committee_creator: '0'
+  cfo_committee_reviewer: '0'
+  cfo_council_creator: '0'
+  cfo_council_reviewer: '0'
+  cfo_page_creator: '0'
+  cfo_page_reviewer: '0'
+sp_entity_id: doj_foia_api_dev
+sp_name_id_format: ''
+sp_x509_certificate: 'file:/var/www/html/foia.dev/acquia-files/saml/samlauth_key.pub'
+sp_new_certificate: ''
+sp_private_key: 'file:/var/www/html/foia.dev/acquia-files/saml/samlauth_key'
+metadata_valid_secs: 60
+metadata_cache_http: false
+idp_entity_id: 'https://login.test.max.gov/idp/shibboleth'
+idp_single_sign_on_service: 'https://login.test.max.gov/idp/profile/SAML2/Redirect/SSO'
+idp_single_log_out_service: ''
+idp_change_password_service: ''
+idp_certs:
+  - 'file:/var/www/html/foia.dev/acquia-files/saml/max_key.pub'
+idp_cert_encryption: ''
+unique_id_attribute: maxEmail
+map_users: false
+map_users_name: true
+map_users_mail: true
+map_users_roles:
+  administrator: administrator
+  page_creator: page_creator
+  layout_manager: layout_manager
+  page_reviewer: page_reviewer
+  landing_page_creator: landing_page_creator
+  landing_page_reviewer: landing_page_reviewer
+  media_creator: media_creator
+  media_manager: media_manager
+  agency_component_creator: agency_component_creator
+  agency_component_reviewer: agency_component_reviewer
+  agency_administrator: agency_administrator
+  agency_manager: agency_manager
+  non_sso: non_sso
+  quarterly_foia_report_data_creator: quarterly_foia_report_data_creator
+  quarterly_foia_report_data_reviewer: quarterly_foia_report_data_reviewer
+  cfo_meeting_creator: cfo_meeting_creator
+  cfo_meeting_reviewer: cfo_meeting_reviewer
+  cfo_committee_creator: cfo_committee_creator
+  cfo_committee_reviewer: cfo_committee_reviewer
+  cfo_council_creator: cfo_council_creator
+  cfo_council_reviewer: cfo_council_reviewer
+  cfo_page_creator: cfo_page_creator
+  cfo_page_reviewer: cfo_page_reviewer
+create_users: true
+sync_name: true
+sync_mail: true
+user_name_attribute: maxEmail
+user_mail_attribute: maxEmail
+request_set_name_id_policy: false
 strict: true
+security_metadata_sign: false
+security_authn_requests_sign: true
+security_logout_requests_sign: false
+security_logout_responses_sign: false
+security_nameid_encrypt: false
+security_signature_algorithm: ''
+security_encryption_algorithm: ''
 security_messages_sign: true
-security_lowercase_url_encoding: true
-request_set_name_id_policy: true
-security_want_name_id: true
-security_request_authn_context: true
+security_assertions_signed: false
+security_assertions_encrypt: false
+security_nameid_encrypted: false
+security_want_name_id: false
+security_request_authn_context: false
+security_lowercase_url_encoding: false
+security_logout_reuse_sigs: false
+security_allow_repeat_attribute_name: false
+debug_display_error_details: false
+debug_log_in: false
+debug_log_saml_in: true
+debug_log_saml_out: true
+debug_phpsaml: false
+use_proxy_headers: false
 use_base_url: true
+bypass_relay_state_check: false
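Review bot: `debug_log_saml_in: true` and `debug_log_saml_out: true` in the committed default config log every SAML message, and the inbound assertions carry the identity attributes this same config maps (`maxEmail` as unique id, name, mail and the role mapping), so the Drupal log becomes a record of user identity data on every login; these belong at `false` in the exported config and should only be switched on through a settings override while troubleshooting. The key material is also pinned to one environment: `sp_x509_certificate`, `sp_private_key` and the `idp_certs` entry all point at `file:/var/www/html/foia.dev/acquia-files/saml/...`, and the per-environment switch added in PATCH 3/8 overrides only `sp_entity_id` and the two IdP URLs, so test, uat and prod would presumably read the dev key paths unless they are overridden somewhere not shown here. Several checks are relaxed relative to the removed lines (`security_logout_requests_sign`, `security_logout_responses_sign`, `security_want_name_id` and `security_request_authn_context` go from `true` to `false`) and the commit message does not say why; a one-line comment above the `security_*` block naming the IdP requirement behind each relaxation would let the next reviewer tell deliberate choices from defaults that were never revisited.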
diff --git a/config/default/simplesamlphp_auth.settings.yml b/config/default/simplesamlphp_auth.settings.yml
index a891eda62..df18bd398 100644
--- a/config/default/simplesamlphp_auth.settings.yml
+++ b/config/default/simplesamlphp_auth.settings.yml
@@ -1,7 +1,7 @@
 _core:
   default_config_hash: SlvBDvDYAFLAkAikHJp_4rntvPn-nX6DLf92HOoX2cQ
 langcode: en
-activate: true
+activate: false
 auth_source: default-sp
 login_link_display_name: 'Login via MAX.gov'
 login_link_show: true
@@ -39,3 +39,5 @@ sync:
   user_name: true
 autoenablesaml: true
 debug: false
+secure: false
+httponly: false
diff --git a/config/default/user.role.anonymous.yml b/config/default/user.role.anonymous.yml
index a7553e35d..78c676487 100644
--- a/config/default/user.role.anonymous.yml
+++ b/config/default/user.role.anonymous.yml
@@ -10,6 +10,7 @@ dependencies:
     - foia_personnel
     - media
     - rest
+    - samlauth
     - system
     - view_unpublished
     - webform
@@ -45,3 +46,4 @@ permissions:
   - 'view own field_is_centralized'
   - 'view own field_request_submission_form'
   - 'view published foia personnel entities'
+  - 'view sp metadata'
diff --git a/config/default/user.role.authenticated.yml b/config/default/user.role.authenticated.yml
index 072985436..1f996162f 100644
--- a/config/default/user.role.authenticated.yml
+++ b/config/default/user.role.authenticated.yml
@@ -11,6 +11,7 @@ dependencies:
     - foia_personnel
     - form_mode_manager
     - media
+    - samlauth
     - shortcut
     - system
     - webform
@@ -30,3 +31,4 @@ permissions:
   - 'view files'
   - 'view media'
   - 'view published foia personnel entities'
+  - 'view sp metadata'
From 5cb674731d9a36bf0edc576d3fad44311b51dad1 Mon Sep 17 00:00:00 2001
From: Brock Fanning
Date: Fri, 12 Jan 2024 22:17:39 +0000
Subject: [PATCH 3/8] FOIA-0: Per environment saml settings.

---
 .../default/settings/includes.settings.php | 27 +++++++++++++++++++
 1 file changed, 27 insertions(+)
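Review bot: `secure: false` and `httponly: false` are added to simplesamlphp_auth.settings.yml without explanation; going by the key names these look like transport and cookie hardening flags, and `false` is the weaker value for both. With `activate: false` now set in the same file the module is inert, so they have no effect today, but they would silently apply the moment someone re-activates it, so either set them to `true` or record the reason, e.g. `# secure/httponly left at exported defaults; module is deactivated (activate: false) in favour of samlauth`. The `'view sp metadata'` grant to the anonymous and authenticated roles is the expected shape for SAML metadata exchange and should expose only the SP's public metadata, not the private key referenced by `sp_private_key`.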
diff --git a/docroot/sites/default/settings/includes.settings.php b/docroot/sites/default/settings/includes.settings.php
index 7e9918b95..23315f46c 100644
--- a/docroot/sites/default/settings/includes.settings.php
+++ b/docroot/sites/default/settings/includes.settings.php
@@ -34,4 +34,31 @@
       ac_protect_this_site();
     }
   }
+
+  switch ($ah_dev) {
+    case 'dev':
+      $config['samlauth.authentication']['sp_entity_id'] = 'doj_foia_api_dev';
+      $config['samlauth.authentication']['idp_single_sign_on_service'] = 'https://login.test.max.gov/idp/profile/SAML2/Redirect/SSO';
+      $config['samlauth.authentication']['idp_entity_id'] = 'https://login.test.max.gov/idp/shibboleth';
+      break;
+
+    case 'test':
+      $config['samlauth.authentication']['sp_entity_id'] = 'doj_foia_api_test';
+      $config['samlauth.authentication']['idp_single_sign_on_service'] = 'https://login.test.max.gov/idp/profile/SAML2/Redirect/SSO';
+      $config['samlauth.authentication']['idp_entity_id'] = 'https://login.test.max.gov/idp/shibboleth';
+      break;
+
+    case 'uat':
+      $config['samlauth.authentication']['sp_entity_id'] = 'doj_foia_api_uat';
+      $config['samlauth.authentication']['idp_single_sign_on_service'] = 'https://login.test.max.gov/idp/profile/SAML2/Redirect/SSO';
+      $config['samlauth.authentication']['idp_entity_id'] = 'https://login.test.max.gov/idp/shibboleth';
+      break;
+
+    case 'prod':
+      $config['samlauth.authentication']['sp_entity_id'] = 'doj_foia_api_prod';
+      $config['samlauth.authentication']['idp_single_sign_on_service'] = 'https://login.test.max.gov/idp/profile/SAML2/Redirect/SSO';
+      $config['samlauth.authentication']['idp_entity_id'] = 'https://login.test.max.gov/idp/shibboleth';
+      break;
+
+  }
 }
From 3ce520758fa4f2525cf70c3bb19a6e909c34735a Mon Sep 17 00:00:00 2001
From: Brock Fanning
Date: Fri, 12 Jan 2024 22:28:59 +0000
Subject: [PATCH 4/8] FOIA-0: Disable saml on non-Acquia envs.

---
 docroot/sites/default/settings/includes.settings.php | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
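Review bot: The `switch` has no `default:` case, so on an Acquia environment whose name is not one of the four listed the site silently runs with whatever is in the exported samlauth.authentication.yml, which is the dev entity id and dev key paths; a `default:` that at least hides the SSO entry point, `$config['samlauth.authentication']['login_link_show'] = FALSE;`, is safer than an unnoticed fall-through. The override also only touches `sp_entity_id` and the two IdP URLs, while `sp_x509_certificate`, `sp_private_key` and `idp_certs` in the exported config stay pinned to `/var/www/html/foia.dev/...`, so the non-dev cases would presumably still read the dev key files unless that is handled elsewhere. All four cases set identical IdP values, which suggests the two IdP lines belong once above the `switch` with only `sp_entity_id` varying per case, both to shorten this and to make a prod-vs-test IdP mismatch visible at a glance. The enclosing `if` begins outside the hunk (its closing `}` is the last context line), and the `$ah_dev` variable name is corrected to `$ah_env` in PATCH 4/8.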
diff --git a/docroot/sites/default/settings/includes.settings.php b/docroot/sites/default/settings/includes.settings.php
index 23315f46c..70be4f78c 100644
--- a/docroot/sites/default/settings/includes.settings.php
+++ b/docroot/sites/default/settings/includes.settings.php
@@ -35,7 +35,7 @@
     }
   }
 
-  switch ($ah_dev) {
+  switch ($ah_env) {
     case 'dev':
       $config['samlauth.authentication']['sp_entity_id'] = 'doj_foia_api_dev';
       $config['samlauth.authentication']['idp_single_sign_on_service'] = 'https://login.test.max.gov/idp/profile/SAML2/Redirect/SSO';
@@ -62,3 +62,8 @@
 
   }
 }
+else {
+  // If this is not Acquia, do not try to use saml.
+  $config['simplesamlphp_auth.settings']['activate'] = FALSE;
+  $config['samlauth.authentication'] = [];
+}
From 7bcb906593893304358254f0a2a18b561bc9dc19 Mon Sep 17 00:00:00 2001
From: Brock Fanning
Date: Thu, 18 Jan 2024 20:35:57 +0000
Subject: [PATCH 5/8] FOIA-0: Uninstall samlauth during tests.

---
 .github/workflows/test-pull-requests.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.github/workflows/test-pull-requests.yml b/.github/workflows/test-pull-requests.yml
index 90c789b23..279ab5b3c 100644
--- a/.github/workflows/test-pull-requests.yml
+++ b/.github/workflows/test-pull-requests.yml
@@ -20,6 +20,7 @@ jobs:
           ddev exec blt setup --no-interaction || true
           ddev drush cim
           ddev drush cr
+          ddev drush samlauth
       - name: Validate code
         run: ddev exec blt validate --no-interaction
       - name: Run tests
From 97df4439a1c7edf08c54334730c3d790b737438e Mon Sep 17 00:00:00 2001
From: Brock Fanning
Date: Thu, 18 Jan 2024 20:44:38 +0000
Subject: [PATCH 6/8] FOIA-0: Revert previous attempt since it did not work.

---
 docroot/sites/default/settings/includes.settings.php | 5 -----
 1 file changed, 5 deletions(-)

diff --git a/docroot/sites/default/settings/includes.settings.php b/docroot/sites/default/settings/includes.settings.php
index 70be4f78c..c687f032d 100644
--- a/docroot/sites/default/settings/includes.settings.php
+++ b/docroot/sites/default/settings/includes.settings.php
@@ -62,8 +62,3 @@
 
   }
 }
-else {
-  // If this is not Acquia, do not try to use saml.
-  $config['simplesamlphp_auth.settings']['activate'] = FALSE;
-  $config['samlauth.authentication'] = [];
-}
From 8a79dfb3805b910fb0b2260be196a9222687bd82 Mon Sep 17 00:00:00 2001
From: Brock Fanning
Date: Thu, 18 Jan 2024 20:47:40 +0000
Subject: [PATCH 7/8] FOIA-0: Drush command fix.

---
 .github/workflows/test-pull-requests.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/test-pull-requests.yml b/.github/workflows/test-pull-requests.yml
index 279ab5b3c..22185a72b 100644
--- a/.github/workflows/test-pull-requests.yml
+++ b/.github/workflows/test-pull-requests.yml
@@ -20,7 +20,7 @@ jobs:
           ddev exec blt setup --no-interaction || true
           ddev drush cim
           ddev drush cr
-          ddev drush samlauth
+          ddev drush pmu samlauth
       - name: Validate code
         run: ddev exec blt validate --no-interaction
       - name: Run tests
From 158e48160ade201f92224ae46e5692e67c3c3e2f Mon Sep 17 00:00:00 2001
From: Brock Fanning
Date: Thu, 18 Jan 2024 21:18:11 +0000
Subject: [PATCH 8/8] FOIA-0: Try the staging Max.gov network.

---
 .../sites/default/settings/includes.settings.php | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/docroot/sites/default/settings/includes.settings.php b/docroot/sites/default/settings/includes.settings.php
index c687f032d..44a59d42d 100644
--- a/docroot/sites/default/settings/includes.settings.php
+++ b/docroot/sites/default/settings/includes.settings.php
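Review bot: `ddev drush pmu samlauth` runs after `ddev drush cim`, so from that step on the CI site no longer matches the exported config tree: user.role.anonymous.yml and user.role.authenticated.yml now declare a dependency on samlauth and core.extension.yml presumably lists it, so any later `cim`, or a config-status check inside `blt validate`, would try to reinstall the module, which may be why the first attempt in PATCH 5/8 did not help. The supported way to keep a module out of a non-Acquia build without fighting config import is `$settings['config_exclude_modules'] = ['samlauth'];` in the settings file the CI environment loads, which makes `cim` skip the module and its config together. If the uninstall step is kept, a comment on the line should say why it has to come after `cim`, e.g. `# samlauth config points at Acquia-only key paths; uninstall after import so tests run without it`.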
@@ -38,26 +38,26 @@
   switch ($ah_env) {
     case 'dev':
       $config['samlauth.authentication']['sp_entity_id'] = 'doj_foia_api_dev';
-      $config['samlauth.authentication']['idp_single_sign_on_service'] = 'https://login.test.max.gov/idp/profile/SAML2/Redirect/SSO';
-      $config['samlauth.authentication']['idp_entity_id'] = 'https://login.test.max.gov/idp/shibboleth';
+      $config['samlauth.authentication']['idp_single_sign_on_service'] = 'https://login.stage.max.gov/idp/profile/SAML2/Redirect/SSO';
+      $config['samlauth.authentication']['idp_entity_id'] = 'https://login.stage.max.gov/idp/shibboleth';
       break;
 
     case 'test':
       $config['samlauth.authentication']['sp_entity_id'] = 'doj_foia_api_test';
-      $config['samlauth.authentication']['idp_single_sign_on_service'] = 'https://login.test.max.gov/idp/profile/SAML2/Redirect/SSO';
-      $config['samlauth.authentication']['idp_entity_id'] = 'https://login.test.max.gov/idp/shibboleth';
+      $config['samlauth.authentication']['idp_single_sign_on_service'] = 'https://login.stage.max.gov/idp/profile/SAML2/Redirect/SSO';
+      $config['samlauth.authentication']['idp_entity_id'] = 'https://login.stage.max.gov/idp/shibboleth';
       break;
 
     case 'uat':
       $config['samlauth.authentication']['sp_entity_id'] = 'doj_foia_api_uat';
-      $config['samlauth.authentication']['idp_single_sign_on_service'] = 'https://login.test.max.gov/idp/profile/SAML2/Redirect/SSO';
-      $config['samlauth.authentication']['idp_entity_id'] = 'https://login.test.max.gov/idp/shibboleth';
+      $config['samlauth.authentication']['idp_single_sign_on_service'] = 'https://login.stage.max.gov/idp/profile/SAML2/Redirect/SSO';
+      $config['samlauth.authentication']['idp_entity_id'] = 'https://login.stage.max.gov/idp/shibboleth';
       break;
 
     case 'prod':
       $config['samlauth.authentication']['sp_entity_id'] = 'doj_foia_api_prod';
-      $config['samlauth.authentication']['idp_single_sign_on_service'] = 'https://login.test.max.gov/idp/profile/SAML2/Redirect/SSO';
-      $config['samlauth.authentication']['idp_entity_id'] = 'https://login.test.max.gov/idp/shibboleth';
+      $config['samlauth.authentication']['idp_single_sign_on_service'] = 'https://login.stage.max.gov/idp/profile/SAML2/Redirect/SSO';
+      $config['samlauth.authentication']['idp_entity_id'] = 'https://login.stage.max.gov/idp/shibboleth';
       break;
 
   }
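Review bot: After this change the `prod` case trusts `https://login.stage.max.gov/idp/shibboleth` as its identity provider, the same non-production endpoint as dev, test and uat, so production logins would presumably be issued by a staging IdP and whoever administers accounts there could sign into production. If pointing prod at staging is an interim step it is safer to leave the prod case on a value that does not resolve to a live IdP and add a comment naming the production entity id that must replace it, rather than commit a working staging trust for prod. Since all four cases now set identical `idp_single_sign_on_service` and `idp_entity_id` values, hoisting those two lines above the `switch` and keeping only `sp_entity_id` per case would shorten the block and make any future prod/non-prod IdP mismatch impossible to miss. The enclosing `if` begins and ends outside the hunk.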