CornellCustomDev
diff --git a/‎.editorconfig‎
Lines changed: 18 additions & 0 deletions b/‎.editorconfig‎
Lines changed: 18 additions & 0 deletions
diff --git a/‎.gitattributes‎
Lines changed: 12 additions & 0 deletions b/‎.gitattributes‎
Lines changed: 12 additions & 0 deletions
diff --git a/‎.gitignore‎
Lines changed: 7 additions & 0 deletions b/‎.gitignore‎
Lines changed: 7 additions & 0 deletions
diff --git a/‎README.md‎
Lines changed: 156 additions & 0 deletions b/‎README.md‎
Lines changed: 156 additions & 0 deletions
diff --git a/‎SHIBBOLETH.md‎
Lines changed: 81 additions & 0 deletions b/‎SHIBBOLETH.md‎
Lines changed: 81 additions & 0 deletions
diff --git a/‎composer.json‎
Lines changed: 36 additions & 0 deletions b/‎composer.json‎
Lines changed: 36 additions & 0 deletions
diff --git a/‎config/cu-auth.php‎
Lines changed: 82 additions & 0 deletions b/‎config/cu-auth.php‎
Lines changed: 82 additions & 0 deletions
@@ -0,0 +1,18 @@
+root = true
+
+[*]
+charset = utf-8
+end_of_line = lf
+indent_size = 4
+indent_style = space
+insert_final_newline = true
+trim_trailing_whitespace = true
+
+[*.md]
+trim_trailing_whitespace = false
+
+[*.{yml,yaml}]
+indent_size = 2
+
+[*.json]
+indent_size = 2
@@ -0,0 +1,12 @@
+# Path-based git attributes
+# https://www.kernel.org/pub/software/scm/git/docs/gitattributes.html
+
+# Ignore all test and documentation with "export-ignore".
+/.editorconfig      export-ignore
+/.github            export-ignore
+/.gitattributes     export-ignore
+/.gitignore         export-ignore
+/.lando.yml         export-ignore
+/phpunit.xml        export-ignore
+/pint.json          export-ignore
+/tests              export-ignore
@@ -0,0 +1,7 @@
+/.phpunit.cache
+/.phpunit.result.cache
+/.idea
+/.vscode
+*.local.*
+/composer.lock
+/vendor
@@ -0,0 +1,156 @@
+# CUAuth
+
+Middleware for authorizing Laravel users.
+
+- [CUAuth SSO](#cuauth) - Single sign-on and authorization middleware 
+  - SAML PHP Toolkit integration
+  - Apache mod_shib integration
+- [AppTesters](#apptesters) - Limit access to users in the `APP_TESTERS` environment variable
+- [Local Login](#local-login) - Allow Laravel users to log in with a local username and password
+
+## Use Cases
+
+- **Single Sign-On**: Protect routes with SSO (mod_shib or PHP SAML)
+  - Optionally log in SSO users to app user accounts
+- **AppTesters**: Limit access on non-production sites to users in the `APP_TESTERS` environment variable
+
+
+## Single Sign-On
+
+### Usage
+
+```php
+// File: routes/web.php
+use CornellCustomDev\LaravelStarterKit\CUAuth\Middleware\CUAuth;
+
+Route::group(['middleware' => [CUAuth::class]], function () {
+    // Protected routes here
+    Route::get('profile', [UserController::class, 'show']);
+});
+```
+
+```dotenv
+# File: .env
+# apache-shib (default) | php-saml
+CU_AUTH_IDENTITY_MANAGER=apache-shib
+```
+
+See [Authorization](#identity-and-authorization) for details on how to log in remote users for local authorization.
+
+> _See also: [shibboleth configuration](SHIBBOLETH.md)._
+
+---
+
+### Routing
+
+Any pages protected by middleware are automatically redirected to SSO. To directly trigger log in or log out, use the following routes (parameters are optional and will default to `'/'`):
+- Login: `route('cu-auth.sso-login', ['redirect_url' => '/home'])` 
+- Logout: `route('cu-auth.sso-logout', ['return' => '/'])`
+
+### Certs and Metadata (php-saml)
+
+For using the PHP SAML Toolkit, the SAML keys and certs can be generated with the following command, or as an option from the starter kit installer:
+
+```bash
+  php artisan cu-auth:generate-keys
+```
+
+The SAML metadata can be retrieved at `https://<site-url>/sso/metadata`.
+
+The default location for the SAML keys and certs is in `storage/app/keys`. This location is configurable in the `config/cu-auth.php` file or by setting the `SAML_CERT_PATH` in `.env`.
+
+---
+
+### Local Testing (apache-shib)
+For local testing where mod_shib is not available, the `REMOTE_USER` environment variable can be set to simulate
+Shibboleth authentication. Note that `APP_ENV` must be set to "local" for this to work and the config cache must be cleared when `REMOTE_USER` is changed.
+
+```dotenv
+# File: .env
+APP_ENV=local
+REMOTE_USER=abc123
+```
+
+## Identity and Authorization
+
+Once authenticated via SSO, the user's identity is available via the `IdentityManager`, which can be accessed via the app container.
+
+```php
+use CornellCustomDev\LaravelStarterKit\CUAuth\Managers\IdentityManager;
+
+$remoteIdentity = app(IdentityManager::class)->getIdentity();
+$netid = $remoteIdentity->id(); // NetID | CWID
+
+// If provided with SSO attributes:
+$email = $remoteIdentity->email(); // Primary email (i.e. [email protected])
+$name = $remoteIdentity->name(); // Display name
+```
+
+### User authorization
+
+If the site should manage authorization for users in the application, set `config('cu-auth.require_local_user')` to true:
+
+```php
+# File: config/cu-auth.php
+'require_local_user' => env('REQUIRE_LOCAL_USER', true),
+```
+
+Requiring a local user triggers the `CUAuthenticated` event when a user is authenticated via single sign-on. The site must
+[register a listener](https://laravel.com/docs/11.x/events#registering-events-and-listeners) for
+the `CUAuthenticated` event. This listener should look up the user in the database and log them in or create a user
+as needed.
+
+> [AuthorizeUser](Listeners/AuthorizeUser.php) is provided as a starting point for handling the CUAuthenticated event.
+> It is simplistic and should be replaced with a site-specific implementation in the site code base. It demonstrates 
+> retrieving user data via the [IdentityManager](Managers/IdentityManager.php) and creating a user if they do not exist. 
+
+
+## Configuration
+
+See [config/cu-auth.php](../../config/cu-auth.php) for configuration options, all of which can be set with environment variables.
+
+To modify the default configuration, publish the configuration file:
+
+```bash
+  php artisan vendor:publish --tag=starterkit:cu-auth-config
+```
+
+To modify the PHP SAML Toolkit configuration, publish the configuration file:
+
+```bash
+  php artisan vendor:publish --tag=starterkit:php-saml-toolkit-config
+```
+
+
+## AppTesters
+
+Limits non-production access to users in the `APP_TESTERS` environment variable.
+
+### Usage
+
+```php
+// File: routes/web.php
+use CornellCustomDev\LaravelStarterKit\CUAuth\Middleware\AppTesters;
+use CornellCustomDev\LaravelStarterKit\CUAuth\Middleware\CUAuth;
+
+Route::group(['middleware' => [CUAuth::class, AppTesters::class], function () {
+    Route::get('profile', [UserController::class, 'show']);
+});
+```
+
+```dotenv
+# File: .env
+APP_TESTERS=abc123,def456
+```
+
+On non-production sites, the [AppTesters](Middleware/AppTesters.php) middleware checks the "APP_TESTERS" environment variable for a comma-separated list of users. If a user is logged in and not in the list, the middleware will return an HTTP_FORBIDDEN response.
+
+The field used for looking up users is `netid` by default. It is configured in [config/cu-auth.php](../../config/cu-auth.php) file as `app_testers_field`.
+
+
+## Local Login
+For testing purposes, the environment variable "ALLOW_LOCAL_LOGIN" can be set to true to bypass the middleware for a currently authenticated user.
+```dotenv
+# File: .env
+ALLOW_LOCAL_LOGIN=true
+
@@ -0,0 +1,81 @@
+# Media 3 Server Configuration for Shibboleth 
+
+[CUAuth](README.md) can be configured to protect specific routes with Shibboleth authentication and manage multiple 
+Identity Providers (IdPs).
+
+Below is server configuration for using [CUAuth](README.md) with mod_shib on Media 3.
+
+## Apache configuration
+
+The vhost configuration determines which pages are protected by Shibboleth. The configuration below allows
+Laravel to use routing to determine when to authenticate the user.
+
+```apache
+# File: /etc/apache2/conf.d/userdata/ssl/2_4/<username>/<sitename>/<sitename>.conf
+<Directory /home/<username>/public_html/<site>/public>
+    ...
+    AuthType shibboleth
+    ShibRequestSetting redirectToSSL 443
+    # Laravel will determine when to authenticate, set to 1 if all pages should be protected
+    ShibRequestSetting requireSession 0
+    # Set the applicationId if not using the default IdP
+    # ShibRequestSetting applicationId idselect-test
+    require shibboleth
+</Directory>
+```
+
+Use [CUAuth middleware](README.md#single-sign-on) to protect routes that need authorization. If all routes for the site 
+should be protected by Shibboleth, `requireSession` can be set to `1`. 
+
+To utilize a Shibboleth `ApplicationOverride` configuration, the Apache vhost configuration for the site must specify 
+the `applicationId`, which should be configured in shibboleth2.xml ([see below](#shibboleth-with-multiple-idps)).
+
+
+## PHP configuration
+
+On Media 3 servers, Shibboleth attributes are available only on sites served with suphp. Sites using php-cgi
+only pass the validated user identifier. If you need to determine which IdP authenticated the user, you must use suphp.
+
+> **Important**: Selection of suphp / php-cgi is set server-wide for each PHP version. Additionally, file and directory permissions must be properly set if using suphp. Media 3 support can help with this.
+
+
+## Shibboleth with Multiple IdPs
+
+In `/etc/shibboleth/shibboleth2.xml`, specify identity providers in the `ApplicationDefaults` element. Use `ApplicationOverride` for alternate IdPs. Make sure to include the `MetadataProvider` for each IdP.
+
+> Note: If all sites on a server should use the same IdP, modification of `shibboleth2.xml` is not necessary.
+
+Key elements (can be set up for any Media 3 server):
+```xml
+<!-- File: /etc/shibboleth/shibboleth2.xml -->
+...
+    <ApplicationDefaults ...>
+        <Sessions ...>
+            <!-- Default IdP-->
+            <SSO entityID="https://shibidp.cit.cornell.edu/idp/shibboleth" ...>
+            ...
+        </Sessions>
+        <MetadataProvider url="https://shibidp.cit.cornell.edu/idp/shibboleth" backingFilePath="cornellidp.xml" ... />
+        <MetadataProvider url="https://shibidp-test.cit.cornell.edu/idp/shibboleth" backingFilePath="cornell-test-idp.xml" ... />
+        <MetadataProvider url="https://login.weill.cornell.edu/idp/saml2/idp/metadata.php" backingFilePath="weill-idp.xml" ... />
+        <MetadataProvider url="https://login-test.weill.cornell.edu/idp/saml2/idp/metadata.php" backingFilePath="weill-test-idp.xml" ... />
+        ...
+        <ApplicationOverride id="cit-test">
+            <Sessions ...>
+                <SSO discoveryURL="https://shibidp-test.cit.cornell.edu/idp/shibboleth" ...>
+                ...
+            </Sessions>
+        </ApplicationOverride>
+        <ApplicationOverride id="idselect">
+            <Sessions ...>
+                <SSO discoveryURL="https://idselect.idm.cit.cornell.edu/idselect/select.html" ...>
+                ...
+            </Sessions>
+        </ApplicationOverride>
+        <ApplicationOverride id="idselect-test">
+            <Sessions ...>
+                <SSO discoveryURL="https://idselect-test.idm.cit.cornell.edu/idselect/select.html" ...>
+                ...
+            </Sessions>
+        </ApplicationOverride>
+```
@@ -0,0 +1,36 @@
+{
+  "name": "cornell-custom-dev/laravel-cu-auth",
+  "description": "A Laravel package for authentication and identity management at Cornell University",
+  "license": "MIT",
+  "type": "library",
+  "require": {
+    "php": "^8.2",
+    "ext-openssl": "*",
+    "illuminate/contracts": "^11.0|^12.0",
+    "spatie/laravel-package-tools": "^1.92",
+    "onelogin/php-saml": "^4.3"
+  },
+  "require-dev": {
+    "laravel/pint": "^1.20",
+    "orchestra/testbench": "^9.0|^10.0",
+    "phpunit/phpunit": "^10.5|^11.5"
+  },
+  "autoload": {
+    "psr-4": {
+      "CornellCustomDev\\LaravelStarterKit\\CUAuth\\": "src"
+    }
+  },
+  "autoload-dev": {
+    "psr-4": {
+      "CornellCustomDev\\LaravelStarterKit\\CUAuth\\Tests\\": "tests"
+    }
+  },
+  "extra": {
+    "laravel": {
+      "providers": [
+        "CornellCustomDev\\LaravelStarterKit\\CUAuth\\CUAuthServiceProvider"
+      ]
+    }
+  },
+  "prefer-stable": true
+}
@@ -0,0 +1,82 @@
+<?php
+
+return [
+    /*
+    |--------------------------------------------------------------------------
+    | Identity Manager
+    |--------------------------------------------------------------------------
+    |
+    | The identity manager to use for user authentication. Options are:
+    | - apache-shib: Apache mod_shib
+    | - php-saml: OneLogin SAML PHP Toolkit
+    |
+    */
+    'identity_manager' => env('CU_AUTH_IDENTITY_MANAGER', 'apache-shib'),
+
+    /*
+    |--------------------------------------------------------------------------
+    | Require Local User
+    |--------------------------------------------------------------------------
+    |
+    | Require a local user account in the application for the authenticated
+    | remote user. This setting controls the CUAuthenticated event to handle
+    | user login.
+    |
+    */
+    'require_local_user' => env('REQUIRE_LOCAL_USER', false),
+
+    /*
+    |--------------------------------------------------------------------------
+    | ApacheShib Configuration
+    |--------------------------------------------------------------------------
+    |
+    | ApacheShib retrieves user data from server variables populated by the
+    | Apache shibboleth module (mod_shib).
+    |
+    | The default user variable is "REMOTE_USER", but this may differ depending
+    | on how mod_shib is configured.
+    |
+    | For local development without shibboleth, you can add
+    | REMOTE_USER=<netid> to your project .env file to log in as that user.
+    |
+    */
+    'apache_shib_user_variable' => env('APACHE_SHIB_USER_VARIABLE', 'REMOTE_USER'),
+    'remote_user_override' => env('REMOTE_USER'),
+
+    /*
+    |--------------------------------------------------------------------------
+    | PHP-SAML Configuration
+    |--------------------------------------------------------------------------
+    |
+    | Note: Configuration for the OneLogin SAML PHP Toolkit can be found
+    | in config/php-saml-toolkit.php.
+    |
+    | The default path of storage/app/keys is ignored by git in a standard
+    | Laravel installation, so typically this does not need to be changed.
+    |
+    */
+    'cert-path' => storage_path(env('SAML_CERT_PATH', 'app/keys')),
+
+    /*
+    |--------------------------------------------------------------------------
+    | AppTesters Configuration
+    |--------------------------------------------------------------------------
+    |
+    | Comma-separated list of users to allow in development environments.
+    | APP_TESTERS_FIELD is the field on the user model to compare against.
+    |
+    */
+    'app_testers' => env('APP_TESTERS', ''),
+    'app_testers_field' => env('APP_TESTERS_FIELD', 'netid'),
+
+    /*
+    |--------------------------------------------------------------------------
+    | Allow Local Login
+    |--------------------------------------------------------------------------
+    |
+    | Allow Laravel password-based login? Typically, this would only be used
+    | for local or automated testing.
+    |
+    */
+    'allow_local_login' => boolval(env('ALLOW_LOCAL_LOGIN', false)),
+];