simplesamlphp-module-material's Introduction

Material Design theme for use with SimpleSAMLphp

Installation

composer.phar require silinternational/simplesamlphp-module-material:dev-master

Configuration

Update /simplesamlphp/config/config.php:

'theme.use' => 'material:material'

ssp-base provides a convenience: it populates this setting from whatever is in the environment variable THEME_USE.

Google reCAPTCHA

If a site key has been provided in $this->data['recaptcha.siteKey'], the username/password page may require the user to prove they are human.

Branding

Update /simplesamlphp/config/config.php:

'theme.color-scheme' => ['indigo-purple'|'blue_grey-teal'|'red-teal'|'orange-light_blue'|'brown-orange'|'teal-blue']

The login page looks for /simplesamlphp/www/logo.png which is NOT provided by default.

Analytics

Update /simplesamlphp/config/config.php:

'analytics.trackingId' => 'G-some-unique-id-for-your-site'

ssp-base provides a convenience: it populates this setting from whatever is in the environment variable ANALYTICS_ID.

Announcements

Update /simplesamlphp/announcement/announcement.php:

 return 'Some <strong>important</strong> announcement';

ssp-utilities provides whatever is returned by /simplesamlphp/announcement/announcement.php.

If provided, an alert will be shown to the user filled with the content of that announcement. HTML is supported.

Testing theme

Make, Docker and Docker Compose are required.

Setup

  1. Set up localhost (or 192.168.62.54, if using Vagrant) aliases for ssp-hub1.local, ssp-hub2.local, ssp-idp1.local, ssp-idp2.local, ssp-idp3.local, ssp-idp4.local, ssp-sp1.local and ssp-sp2.local. This is typically done in /etc/hosts. Example line: 0.0.0.0 ssp-hub1.local ssp-idp1.local ssp-idp2.local ssp-idp4.local ssp-hub2.local ssp-idp3.local ssp-sp1.local ssp-sp2.local
  2. Start the test environment by running make from the command line.

Hub page

  1. Go to Hub 1

Error page

  1. Go to Hub 1
  2. Click the Federation tab
  3. Click either Show metadata link
  4. Log in as the hub administrator: username=admin password=abc123

Logout page

  1. Go to Hub 1
  2. Click the Authentication tab
  3. Click Test configured authentication sources
  4. Click admin
  5. Log in as the hub administrator: username=admin password=abc123
  6. Click Logout

Login page

Without theme in place

  1. Go to SP 1
  2. Click idp1 (first one)
  3. The login page should NOT have Material Design

With theme in place

  1. Go to SP 1
  2. Click idp2 (second one)
  3. The login page SHOULD have Material Design

Forgot password functionality

  1. Go to SP 1
  2. Click idp2 (second one)
  3. The Forgot password link should be visible

Helpful links functionality

  1. Go to SP 1
  2. Click idp4 (third one)
  3. The Help link should be visible under the login form
  4. The Profile link should be visible under the login form

Expiry functionality

About to expire page (expires in one day)

Note: This nag only appears once, since choosing Later simply sets the nag date a little into the future. If needed, retry in a new private/incognito browser window.

  1. Go to SP 1
  2. Click idp2 (second one)
  3. Log in as an "about to expire" user: username=near_future password=a
  4. Click Later
  5. Click Logout

About to expire page (expires in three days)

Note: This nag only appears once, since choosing Later simply sets the nag date a little into the future. If needed, retry in a new private/incognito browser window.

  1. Go to SP 1
  2. Click idp2 (second one)
  3. Log in as an "about to expire" user: username=near_future password=a
  4. Click Later
  5. Click Logout

Expired page

  1. Go to SP 1
  2. Click idp2 (second one)
  3. Log in as an "expired" user: username=already_past password=a

Multi-factor authentication (MFA) functionality

Nag about missing MFA setup

  1. Go to SP 1
  2. Click idp4 (third one)
  3. Log in as an "unprotected" user: username=nag_for_mfa password=a
  4. The "learn more" link should be visible
  5. Click Enable
  6. Click your browser's back button
  7. Click Remind me later
  8. Click Logout

Nag about missing password recovery methods

  1. Go to SP 1
  2. Click idp4 (third one)
  3. Log in as a user without any methods: username=nag_for_method password=a
  4. Enter one of the following codes to verify (94923279, 82743523, 77802769, 01970541, 37771076)
  5. Click Add
  6. Click your browser's back button
  7. Click Remind me later
  8. Click Logout

Force MFA setup

  1. Go to SP 1
  2. Click idp4 (third one)
  3. Log in as an "unsafe" user: username=must_set_up_mfa password=a

Backup code

  1. Go to SP 1
  2. Click idp4 (third one)
  3. Log in as a "backup code" user: username=has_backupcode password=a
  4. Enter one of the following codes to verify (94923279, 82743523, 77802769, 01970541, 37771076)
  5. Click Logout
  6. To see the "running low on codes" page, simply log back in and use another code.
  7. To see the "out of codes" page, simply log back in and out repeatedly until no codes remain.

TOTP code

  1. Go to SP 1
  2. Click idp4 (third one)
  3. Log in as a "totp" user: username=has_totp password=a
  4. You should see the form to enter a TOTP code.
  5. Set up an authenticator app using this secret: JVRXKYTMPBEVKXLS
  6. Enter the code from the app to verify
  7. Click Logout

Key (U2F)

  1. Go to SP 1
  2. Click idp4 (third one)
  3. Log in as a "u2f" user: username=has_u2f password=a
  4. Insert the key and press its button
  5. Click Logout

Key (WebAuthn)

  1. Go to SP 1
  2. Click idp4 (third one)
  3. Log in as a "webauthn" user: username=has_webauthn password=a
  4. Insert the key and press its button
  5. Click Logout

Multiple options

  1. Go to SP 1
  2. Click idp4 (third one)
  3. Log in as a "multiple option" user: username=has_all password=a
  4. Click MORE OPTIONS

Multiple options (legacy, with U2F)

  1. Go to SP 1
  2. Click idp4 (third one)
  3. Log in as a "multiple option" user: username=has_all_legacy password=a
  4. Click MORE OPTIONS

Manager rescue

  1. Go to SP 1
  2. Click idp4 (third one)
  3. Log in as a "multiple option" user: username=has_all password=a
  4. Click MORE OPTIONS
  5. Click the help option
  6. Choose Send

NOTE: At this time, the correct code is not known and can't be tested locally (it is only available in the email sent to the manager).

Announcements functionality

  1. Go to SP 2
  2. The announcement should be displayed on the hub
  3. Click idp3 (first one)
  4. The announcement should be displayed on the login screen

SP name functionality

  1. Go to SP 1
  2. The SP name should appear in the banner

Profile review functionality

  1. Go to SP 1
  2. Click idp4 (third one)
  3. Log in as a "Review needed" user: username=needs_review password=a
  4. Enter one of the following printable codes to verify (94923279, 82743523, 77802769, 01970541, 37771076)
  5. Click the button to update the profile
  6. Click the button to continue
  7. Click Logout

i18n support

Translations are categorized by page in definition files located in the dictionaries directory.

Localization is affected by the configuration setting language.available. Only language codes found in this property will be utilized.
For example, if a translation is provided in Afrikaans for this module, the configuration must be adjusted to make 'af' an available language. If that's not done, the translation function will not utilize the translations even if provided.

Debugging

Xdebug can be enabled by doing the following:

  1. Define REMOTE_DEBUG_IP in local.env. This should be the IP address of your development machine, that is, the one running your IDE. If you're using Linux as your Docker host, you can use 172.17.0.1 here. Note that the IP address shown in your containers' logs may not be your machine's actual IP address (it could be a VM's, for example).
  2. Map run-debug.sh into the container you wish to debug. For example:
    volumes:
      - ./development/run-debug.sh:/data/run.sh
  3. Enable debugging in your IDE. See the next section for PhpStorm setup.

Configuring PhpStorm for remote debugging

In PhpStorm go to: Preferences > PHP > Debug > DBGp Proxy and configure the following:

  • Host: (your IP address or hostname)
  • Port: 9000

Set path mappings in: Preferences > PHP > Servers

  • Add a server, giving it your IP address and a port of 9000, and map the project folder to '/data/vendor/simplesamlphp/simplesamlphp/modules/material'
  • Map other directories as needed. PhpStorm should prompt when an unrecognized path is encountered.

Then start listening by clicking the "listen" button on the PhpStorm toolbar.

simplesamlphp-module-material's Issues

WS-2016-0090 (Medium) detected in jquery-1.8.3-2.0.0.min.js, simplesamlphp/simplesamlphp-v1.17.6

WS-2016-0090 - Medium Severity Vulnerability

Vulnerable Libraries - jquery-1.8.3-2.0.0.min.js, simplesamlphp/simplesamlphp-v1.17.6

jquery-1.8.3-2.0.0.min.js

Flat UI Free is a beautiful theme for Bootstrap. We have redesigned many of its components to look flat in every pixel

Library home page: https://cdnjs.cloudflare.com/ajax/libs/flat-ui/2.0.0/js/jquery-1.8.3.min.js

Path to vulnerable library: /simplesamlphp-module-material/vendor/simplesamlphp/simplesamlphp/www/resources/jquery-1.8.js

Dependency Hierarchy:

  • jquery-1.8.3-2.0.0.min.js (Vulnerable Library)

simplesamlphp/simplesamlphp-v1.17.6

SimpleSAMLphp is an award-winning application written in native PHP that deals with authentication.

Dependency Hierarchy:

  • simplesamlphp/composer-module-installer-v1.1.6 (Root Library)
    • simplesamlphp/simplesamlphp-v1.17.6 (Vulnerable Library)

Found in HEAD commit: 0ebaceae321bb63d8b694d46f6b8303be0713d20

Vulnerability Details

JQuery, before 2.2.0, is vulnerable to Cross-site Scripting (XSS) attacks via text/javascript response with arbitrary code execution.

Publish Date: 2016-11-27

URL: WS-2016-0090

CVSS 2 Score Details (4.3)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: jquery/jquery@b078a62

Release Date: 2019-04-08

Fix Resolution: 2.2.0


Step up your Open Source Security Game with WhiteSource here

CVE-2012-6708 (Medium) detected in jquery-1.8.3-2.0.0.min.js

CVE-2012-6708 - Medium Severity Vulnerability

Vulnerable Library - jquery-1.8.3-2.0.0.min.js

Flat UI Free is a beautiful theme for Bootstrap. We have redesigned many of its components to look flat in every pixel

Library home page: https://cdnjs.cloudflare.com/ajax/libs/flat-ui/2.0.0/js/jquery-1.8.3.min.js

Path to vulnerable library: /simplesamlphp-module-material/vendor/simplesamlphp/simplesamlphp/www/resources/jquery-1.8.js

Dependency Hierarchy:

  • jquery-1.8.3-2.0.0.min.js (Vulnerable Library)

Found in HEAD commit: edc7e3bf95f649730765a08ffdb8b6eb5026761f

Vulnerability Details

jQuery before 1.9.0 is vulnerable to Cross-site Scripting (XSS) attacks. The jQuery(strInput) function does not differentiate selectors from HTML in a reliable fashion. In vulnerable versions, jQuery determined whether the input was HTML by looking for the '<' character anywhere in the string, giving attackers more flexibility when attempting to construct a malicious payload. In fixed versions, jQuery only deems the input to be HTML if it explicitly starts with the '<' character, limiting exploitability only to attackers who can control the beginning of a string, which is far less common.

Publish Date: 2018-01-18

URL: CVE-2012-6708

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2012-6708

Release Date: 2018-01-18

Fix Resolution: 1.9.0

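The CVE-2012-6708 finding above turns on one detail: how jQuery(strInput) decides whether a string is a selector or markup. The following is an added example, not jQuery's source and not this project's code, that models the pre- and post-1.9.0 check as the report describes it and then shows an intent-explicit wrapper (the helper names asSelector and asHtml are hypothetical) that keeps user-controlled text from ever choosing the parser:

```javascript
// Added example, not jQuery's source: a simplified model of the check
// behind CVE-2012-6708 and an intent-explicit wrapper that removes the
// ambiguity. jQuery(strInput) accepts both CSS selectors and HTML;
// before 1.9.0 a '<' anywhere in the string routed it to the HTML
// parser, from 1.9.0 on only a string that starts with '<' does.

// jQuery < 1.9.0: any '<' in the string meant "this is HTML".
function looksLikeHtmlLegacy(str) {
  return str.indexOf('<') !== -1;
}

// jQuery >= 1.9.0: only a leading '<' (after optional whitespace) means HTML.
function looksLikeHtmlFixed(str) {
  return /^\s*</.test(str);
}

// How each version would route the same string.
function classify(str) {
  return {
    legacy: looksLikeHtmlLegacy(str) ? 'html' : 'selector',
    fixed: looksLikeHtmlFixed(str) ? 'html' : 'selector',
  };
}

// Mitigation that works on any version: the caller states its intent and
// the string is validated for that intent, so user-controlled text can
// never change which parser it reaches. Both helper names are hypothetical
// and exist only in this example.
function asSelector(str) {
  // Selectors built from untrusted values are restricted to a single id or
  // class over a conservative character set; anything else is refused.
  if (!/^[#.][A-Za-z_][\w-]*$/.test(str)) {
    throw new TypeError(`not an acceptable selector: ${JSON.stringify(str)}`);
  }
  return { kind: 'selector', value: str };
}

function asHtml(str) {
  // Markup must be recognisably markup from the first character; a
  // selector, or text that merely contains a tag, is refused rather than parsed.
  if (!/^\s*<[\w\W]+>\s*$/.test(str)) {
    throw new TypeError('not a markup string');
  }
  return { kind: 'html', value: str };
}

// Demonstration with constructed inputs.
console.log(classify('#username'));      // both versions: selector
console.log(classify('<p>hello</p>'));   // both versions: html
console.log(classify('#user-<b>'));      // legacy: html, fixed: selector
console.log(asSelector('#login-form'));  // accepted
```

The point for a defender is the last two functions: once the code path says what it expects, the version-dependent sniffing in classify() stops mattering, and the upgrade to 1.9.0 or later becomes a second layer rather than the only one.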

CVE-2015-9251 (Medium) detected in jquery-1.8.3-2.0.0.min.js

CVE-2015-9251 - Medium Severity Vulnerability

Vulnerable Library - jquery-1.8.3-2.0.0.min.js

Flat UI Free is a beautiful theme for Bootstrap. We have redesigned many of its components to look flat in every pixel

Library home page: https://cdnjs.cloudflare.com/ajax/libs/flat-ui/2.0.0/js/jquery-1.8.3.min.js

Path to vulnerable library: /simplesamlphp-module-material/vendor/simplesamlphp/simplesamlphp/www/resources/jquery-1.8.js

Dependency Hierarchy:

  • jquery-1.8.3-2.0.0.min.js (Vulnerable Library)

Found in HEAD commit: edc7e3bf95f649730765a08ffdb8b6eb5026761f

Vulnerability Details

jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.

Publish Date: 2018-01-18

URL: CVE-2015-9251

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-9251

Release Date: 2018-01-18

Fix Resolution: 3.0.0

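Both WS-2016-0090 and CVE-2015-9251 above describe the same behaviour: a cross-domain $.ajax call made without a dataType let the server's Content-Type decide how the body was handled, so a text/javascript response was executed. As an added example (not jQuery's code and not part of this project), the block below models that decision before and after the 3.0.0 fix and shows the request shape that is safe on any version; executesAsScript and jsonRequestOptions are hypothetical names used only here:

```javascript
// Added example, not jQuery's source: a policy model of the
// CVE-2015-9251 / WS-2016-0090 behaviour described in the reports.
// Before jQuery 3.0.0 a cross-domain request with no dataType let the
// server's Content-Type pick the handler, so text/javascript was
// evaluated. From 3.0.0 on, a cross-domain body is only evaluated when
// the caller explicitly asked for dataType: 'script'.

const SCRIPT_TYPES = ['text/javascript', 'application/javascript', 'application/x-javascript'];

// Reduce a Content-Type header to its media type (drop parameters such as charset).
function mediaType(contentType) {
  return String(contentType || '').split(';')[0].trim().toLowerCase();
}

// Decide whether a response body would be evaluated as script.
//   request:  { crossDomain: boolean, dataType?: string }
//   response: { contentType: string }
//   fixed:    true models jQuery >= 3.0.0, false models earlier versions
function executesAsScript(request, response, fixed) {
  const isScriptBody = SCRIPT_TYPES.includes(mediaType(response.contentType));
  if (request.dataType === 'script') {
    return true;   // caller explicitly asked for script: same before and after the fix
  }
  if (request.dataType) {
    return false;  // an explicit json/text/html/xml expectation is never evaluated
  }
  // No dataType: legacy versions trust the Content-Type; fixed versions
  // refuse to evaluate a cross-domain body. Same-origin script responses
  // are still evaluated in both, which is why the finding is "cross-domain".
  if (fixed && request.crossDomain) {
    return false;
  }
  return isScriptBody;
}

// Defender-side request shape for any version: always state the dataType
// you expect, so the responding server cannot upgrade a data response into
// code by changing its Content-Type.
function jsonRequestOptions(url) {
  return { url, dataType: 'json', crossDomain: true };
}

// Demonstration with a constructed response header.
const scriptResponse = { contentType: 'text/javascript; charset=UTF-8' };
console.log(executesAsScript({ crossDomain: true }, scriptResponse, false)); // legacy: true
console.log(executesAsScript({ crossDomain: true }, scriptResponse, true));  // fixed: false
console.log(executesAsScript(jsonRequestOptions('https://api.example.test/data'), scriptResponse, true)); // false
```

For a login theme like this one, the practical reading is that any `$.ajax`, `$.get` or `$.getJSON` call in the bundled scripts should name its dataType even after the jQuery upgrade, because the upgrade only closes the cross-domain default, not the general habit of letting the server choose.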

Remember computer for 30 days checkbox

If a user unchecks the checkbox and receives an error or goes from one MFA option to another, the checkbox does not retain that choice, and it should.

localStorage might be a good choice for a toggle, e.g., rememberComputer=[true|false] rather than a cookie.

Problem installing theme on simplesamlphp 1.14.11

Hi guys,

I have a problem when trying to install the theme in simplesamlphp 1.14.11. Composer shows these errors:

  Problem 1
    - simplesamlphp/simplesamlphp v1.14.11 requires robrichards/xmlseclibs ~1.4.1 -> satisfiable by robrichards/xmlseclibs[1.4.1, 1.4.2, 1.4.x-dev] but these conflict with your requirements or minimum-stability.
    - simplesamlphp/simplesamlphp v1.14.10 requires robrichards/xmlseclibs ~1.4.1 -> satisfiable by robrichards/xmlseclibs[1.4.1, 1.4.2, 1.4.x-dev] but these conflict with your requirements or minimum-stability.
    - silinternational/simplesamlphp-module-material dev-master requires simplesamlphp/simplesamlphp ^1.14.10 -> satisfiable by simplesamlphp/simplesamlphp[v1.14.10, v1.14.11].
    - Installation request for silinternational/simplesamlphp-module-material dev-master -> satisfiable by silinternational/simplesamlphp-module-material[dev-master].

If I update xmlseclibs to 1.4.x, SAML2 does not work; it requires 2.x.

The simplesamlphp/simplesamlphp is updated to 1.14.11.

Can you help me?

Thanks!

CVE-2016-7103 (Medium) detected in jquery-ui-1.8.23.min.js

CVE-2016-7103 - Medium Severity Vulnerability

Vulnerable Library - jquery-ui-1.8.23.min.js

A curated set of user interface interactions, effects, widgets, and themes built on top of the jQuery JavaScript Library.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jqueryui/1.8.23/jquery-ui.min.js

Path to vulnerable library: /simplesamlphp-module-material/vendor/simplesamlphp/simplesamlphp/www/resources/jquery-ui-1.8.js

Dependency Hierarchy:

  • jquery-ui-1.8.23.min.js (Vulnerable Library)

Found in HEAD commit: edc7e3bf95f649730765a08ffdb8b6eb5026761f

Vulnerability Details

Cross-site scripting (XSS) vulnerability in jQuery UI before 1.12.0 might allow remote attackers to inject arbitrary web script or HTML via the closeText parameter of the dialog function.

Publish Date: 2017-03-15

URL: CVE-2016-7103

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2016-7103

Release Date: 2017-03-15

Fix Resolution: 1.12.0

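The four scanner reports in this issue list all reduce to a version check against a vendored file. As an added example, not WhiteSource's tooling and not part of this project, the following script reads the version banner from jQuery and jQuery UI files and reports which of the findings above still apply, using only the "Fix Resolution" versions quoted in the reports. The file banners are constructed here so it runs offline; on a real checkout the inputs would be the www/resources files named in the reports.

```javascript
// Added example: an offline audit of vendored jQuery / jQuery UI files
// against the findings and Fix Resolution versions listed in these issues.

// Findings and the first fixed version, taken from the reports on this page.
const FINDINGS = [
  { id: 'CVE-2012-6708', library: 'jquery',    fixedIn: '1.9.0'  },
  { id: 'WS-2016-0090',  library: 'jquery',    fixedIn: '2.2.0'  },
  { id: 'CVE-2015-9251', library: 'jquery',    fixedIn: '3.0.0'  },
  { id: 'CVE-2016-7103', library: 'jquery-ui', fixedIn: '1.12.0' },
];

// Constructed sample banners in the shape the two libraries ship with.
const SAMPLE_FILES = {
  'www/resources/jquery-1.8.js':    '/*! jQuery v1.8.3 jquery.com | jquery.org/license */',
  'www/resources/jquery-ui-1.8.js': '/*! jQuery UI - v1.8.23 - 2012-08-15\n* http://jqueryui.com */',
};

// Pull the library name and version out of the leading banner comment.
function parseBanner(text) {
  const m = /jQuery(\s+UI)?\s*-?\s*v(\d+\.\d+\.\d+)/i.exec(text);
  if (!m) return null;
  return { library: m[1] ? 'jquery-ui' : 'jquery', version: m[2] };
}

// Numeric dotted-version comparison: negative if a < b, 0 if equal, positive if a > b.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Finding ids that apply to one parsed banner.
function findingsFor(banner) {
  return FINDINGS
    .filter(f => f.library === banner.library && compareVersions(banner.version, f.fixedIn) < 0)
    .map(f => f.id);
}

// Audit a map of path -> file contents; returns { path: [finding ids] }.
function audit(files) {
  const report = {};
  for (const [path, text] of Object.entries(files)) {
    const banner = parseBanner(text);
    report[path] = banner ? findingsFor(banner) : ['unrecognised banner'];
  }
  return report;
}

console.log(JSON.stringify(audit(SAMPLE_FILES), null, 2));
```

The check is deliberately independent of composer.lock: the files flagged here sit under the SimpleSAMLphp www/resources tree rather than being declared as Composer packages, which is exactly why a lock-file-only scan would miss them and why the scanner reports a file path instead of a package.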

[Low priority] Consider making login form field text color darker

The current login form fields use a medium grey text color (due to semi-transparency) that ends up looking like rgb(117, 117, 117):


Since that color is often used for placeholder text, and text entered into a field is often closer to black, it may look better to use rgb(0, 0, 0) for the color of text entered into a field, as Google does on their login form:


If this ends up requiring manually modifying several minified CSS rules (or for some other reason would be unreasonably painful to do or to maintain), feel free to reject this as not worth the effort.
