Merge pull request #129 from workivate/develop

Develop to Master

.github/workflows/php-package.yml

@@ -0,0 +1,54 @@
+# This workflow will install PHP dependencies, run tests and lint with a variety of PHP versions
+# For more information see: https://github.com/marketplace/actions/setup-php-action
+
+name: php-saml 4.x package
+
+on:
+  push:
+    branches: [ 4.* ]
+  pull_request:
+    branches: [ 4.* ]
+
+jobs:
+  test:
+    runs-on: ${{ matrix.operating-system }}
+    strategy:
+      fail-fast: false
+      matrix:
+        operating-system: ['ubuntu-latest']
+        php-versions: [7.3, 7.4, 8.0, 8.1]
+    steps:
+      - name: Setup PHP, with composer and extensions
+        uses: shivammathur/setup-php@v2 #https://github.com/shivammathur/setup-php
+        with:
+          php-version: ${{ matrix.php-versions }}
+          extensions: mbstring, intl, mcrypt, xml
+          tools: composer:v2
+          ini-values: post_max_size=256M, max_execution_time=180
+          coverage: xdebug
+
+      - name: Set git to use LF
+        run: |
+          git config --global core.autocrlf false
+          git config --global core.eol lf
+      - uses: actions/checkout@v2
+
+      - name: Validate composer.json and composer.lock
+        run: composer validate
+
+      - name: Install Composer dependencies
+        run: |
+          composer self-update
+          composer install --prefer-source --no-interaction
+      - name: Syntax check PHP
+        run: |
+          php vendor/bin/phpcpd --exclude tests --exclude vendor .
+          php vendor/bin/phploc src/.
+          mkdir -p tests/build/dependences
+          php vendor/bin/pdepend --summary-xml=tests/build/logs/dependence-summary.xml --jdepend-chart=tests/build/dependences/jdepend.svg --overview-pyramid=tests/build/dependences/pyramid.svg  src/.
+ 
+      - name: PHP Code Sniffer
+        run: php vendor/bin/phpcs --standard=tests/ZendModStandard src/Saml2 demo1 demo2 endpoints tests/src
+
+      - name: Run unit tests
+        run: vendor/bin/phpunit --verbose --debug

.github/workflows/php.yml

@@ -19,7 +19,7 @@ jobs:
       - name: Setup PHP
         uses: shivammathur/setup-php@2.12.0
         with:
-          php-version: 7.4
+          php-version: 8.1
           coverage: pcov
 
       - name: Get composer cache directory
@@ -65,7 +65,7 @@ jobs:
       - name: Setup PHP
         uses: shivammathur/setup-php@2.12.0
         with:
-          php-version: 7.4
+          php-version: 8.1
 
       - name: Get composer cache directory
         id: composer-cache
@@ -82,8 +82,8 @@ jobs:
       - name: Install dependencies
         run: composer install --prefer-dist --no-progress --no-interaction
 
-      - name: Run psalm
-        run: vendor/bin/psalm --config=psalm.xml --show-info=true
+      - name: Run phpstan
+        run: ./vendor/bin/phpstan analyse --memory-limit=-1 -c phpstan.neon
 
   sonarcloud:
     runs-on: ubuntu-latest

README.md

@@ -1,3 +1,53 @@
+# LifeWorks fork of SAML PHP
+This repository is a fork from OneLogin's php-saml repository (see below)
+
+It appears that the Master branch of the upstream repository is not how releases are managed, but in the Lifeworks repository we maintain the normal process of feature branch -> Develop -> Master for releases.
+
+Version
+-------
+2022-08-22 : As part of the preparation for upgrading all PHP code bases to PHP 8.1 (and specifically wa-sso) this package has been synced with the latest changes from the upstream branch, tag version 4.1.0
+
+Notes
+-----
+As at August 2022, the upstream is not considered to be under active development
+
+https://github.com/onelogin/php-saml/issues/531
+
+In order to make the PHPUnit tests pass, a number of changes that are maintained in the LifeWork Develop branch have been included. 
+
+Unit Testing and Static Analysis
+--------------------------------
+There is no Docker container for this package so PHPUnit and PHPStan must be run from the local development environment.
+
+PHP 8.1 is required
+
+####PHPUnit
+Runs the unit tests. This includes the changes maintained within the LifeWorks Repository
+```
+./vendor/bin/phpunit
+```
+
+####PHPStan
+PHPStan has been added as part of the PHP 8.1 and Tag 4.1 upgrade work.
+```
+./vendor/bin/phpstan analyse --memory-limit=-1 -c phpstan.neon
+```
+
+Usage
+-----
+Unlike most other php packages which have been added to the Lifeworks GemFury repository, php-saml was being included directly from the GitHub repository. With this upgrade, the package will be added to GemFury to bring it inline with LifeWorks best practices.
+
+GemFury is the preferred package repository as it works for both local development and also for the CI/CD pipelines.
+
+A ssuch, please remember to do the following when any changes are made.
+
+Update the version in composer.json
+Create a new tag and release in Github that matches the new version
+Manually download the resulting release ZIP file and upload it to the Lifeworks GemFury account
+Run Composer
+
+composer require "workivate/php-saml":"^4.1"
+
 # OneLogin's SAML PHP Toolkit Compatible with PHP 7.X & 8.X
 
 [![Build Status](https://api.travis-ci.org/onelogin/php-saml.png?branch=master)](http://travis-ci.org/onelogin/php-saml) [![Coverage Status](https://coveralls.io/repos/onelogin/php-saml/badge.png)](https://coveralls.io/r/onelogin/php-saml) [![License](https://poser.pugx.org/onelogin/php-saml/license.png)](https://packagist.org/packages/onelogin/php-saml)
@@ -148,6 +198,37 @@ environment is not secure and will be exposed to attacks.
 
 In production also we highly recommended to register on the settings the IdP certificate instead of using the fingerprint method. The fingerprint, is a hash, so at the end is open to a collision attack that can end on a signature validation bypass. Other SAML toolkits deprecated that mechanism, we maintain it for compatibility and also to be used on test environment.
 
+
+### Avoiding Open Redirect attacks ###
+
+Some implementations uses the RelayState parameter as a way to control the flow when SSO and SLO succeeded. So basically the
+user is redirected to the value of the RelayState.
+
+If you are using Signature Validation on the HTTP-Redirect binding, you will have the RelayState value integrity covered, otherwise, and
+on HTTP-POST binding, you can't trust the RelayState so before
+executing the validation, you need to verify that its value belong
+a trusted and expected URL.
+
+Read more about Open Redirect [CWE-601](https://cwe.mitre.org/data/definitions/601.html).
+
+
+### Avoiding Reply attacks ###
+
+A reply attack is basically try to reuse an intercepted valid SAML Message in order to impersonate a SAML action (SSO or SLO).
+
+SAML Messages have a limited timelife (NotBefore, NotOnOrAfter) that
+make harder this kind of attacks, but they are still possible.
+
+In order to avoid them, the SP can keep a list of SAML Messages or Assertion IDs alredy valdidated and processed. Those values only need
+to be stored the amount of time of the SAML Message life time, so
+we don't need to store all processed message/assertion Ids, but the most recent ones.
+
+The OneLogin_Saml2_Auth class contains the [getLastRequestID](https://github.com/onelogin/php-saml/blob/b8214b74dd72960fa6aa88ab454667c64cea935c/src/Saml2/Auth.php#L657), [getLastMessageId](https://github.com/onelogin/php-saml/blob/b8214b74dd72960fa6aa88ab454667c64cea935c/src/Saml2/Auth.php#L762) and [getLastAssertionId](https://github.com/onelogin/php-saml/blob/b8214b74dd72960fa6aa88ab454667c64cea935c/src/Saml2/Auth.php#L770) methods to retrieve the IDs
+
+Checking that the ID of the current Message/Assertion does not exists in the list of the ones already processed will prevent reply
+attacks.
+
+
 Getting started
 ---------------
 
@@ -754,6 +835,8 @@ $_SESSION['samlNameidSPNameQualifier'] = $auth->getNameIdSPNameQualifier();
 $_SESSION['samlSessionIndex'] = $auth->getSessionIndex();
 
 if (isset($_POST['RelayState']) && OneLogin\Saml2\Utils::getSelfURL() != $_POST['RelayState']) {
+    // To avoid 'Open Redirect' attacks, before execute the
+    // redirection confirm the value of $_POST['RelayState'] is a // trusted URL.
     $auth->redirectTo($_POST['RelayState']);
 }
 
@@ -1092,6 +1175,8 @@ if (isset($_GET['sso'])) {    // SSO action.  Will send an AuthNRequest to the I
 
     $_SESSION['samlUserdata'] = $auth->getAttributes(); // Retrieves user data
     if (isset($_POST['RelayState']) && OneLogin\Saml2\Utils::getSelfURL() != $_POST['RelayState']) {
+        // To avoid 'Open Redirect' attacks, before execute the
+        // redirection confirm the value of $_POST['RelayState'] is a // trusted URL.
         $auth->redirectTo($_POST['RelayState']);  // Redirect if there is a
     }                                             // relayState set
 } else if (isset($_GET['sls'])) {   // Single Logout Service
@@ -1100,7 +1185,7 @@ if (isset($_GET['sso'])) {    // SSO action.  Will send an AuthNRequest to the I
     if (empty($errors)) {
         echo '<p>Sucessfully logged out</p>';
     } else {
-        echo '<p>' . implode(', ', $errors) . '</p>';
+        echo '<p>' . htmlentities(implode(', ', $errors)) . '</p>';
     }
 }
 
@@ -1384,6 +1469,8 @@ Auxiliary class that contains several methods to retrieve and process IdP metada
  * `parseXML` - Get IdP Metadata Info from XML.
  * `injectIntoSettings` - Inject metadata info into php-saml settings array.
 
+The class does not validate in any way the URL that is introduced on methods like parseRemoteXML in order to retrieve the remove XML. Usually is the same administrator that handles the Service Provider the ones that set the URL that should belong to a trusted third-party IdP.
+But there are other scenarios, like a SAAS app where the administrator of the app delegates on other administrators. In such case, extra protection should be taken in order to validate such URL inputs and avoid attacks like SSRF.
 
 For more info, look at the source code; each method is documented and details
 about what it does and how to use it are provided. Make sure to also check the doc folder where

composer.json

@@ -1,6 +1,8 @@
 {
     "name": "workivate/php-saml",
     "description": "Workivate version of OneLogin PHP SAML Toolkit",
+    "type": "library",
+    "version": "4.1.0",
     "license": "MIT",
     "homepage": "https://developers.onelogin.com/saml/php",
     "keywords": ["saml", "saml2", "onelogin"],
@@ -15,17 +17,23 @@
         "source": "https://github.com/workivate/php-saml/"
     },
     "require": {
-        "php": ">=7.3",
+        "php": "^8.1",
         "robrichards/xmlseclibs": ">=3.1.1"
     },
     "require-dev": {
-        "phpunit/phpunit": "^9.5.2",
+        "phpunit/phpunit": "^9.5",
         "php-coveralls/php-coveralls": "^2.0",
+        "sebastian/phpcpd": "^4.0 || ^5.0 || ^6.0 ",
+        "phploc/phploc": "^4.0 || ^5.0 || ^6.0 || ^7.0",
         "pdepend/pdepend": "^2.8.0",
         "squizlabs/php_codesniffer": "^3.5.8",
-        "vimeo/psalm": "^4.6"
+        "phpstan/phpstan": "^1.3.0",
+        "phpstan/phpstan-phpunit": "^1.0.0"
     },
     "config": {
+        "platform": {
+            "php": "8.1.0"
+        },
         "optimize-autoloader": true,
         "sort-packages": true
     },