BLT-481: BLT/SimpleSAMLphp Integration (#478)

* Adds simplesaml files and tasks to blt.

* Updates simplesaml phing task and blt settings.

* Fixes symlink from docroot to library.

* Cleans up simplesamlphp.xml targets.

* Adds a simplesamlphp-setup.md readme file.

* Moves simplesaml files to scripts dir.

* Updates path to library in simplesamlphp.settings.php.

* Updates the config init task to include the Acquia snippet.

* Renames the htaccess target, adds comments.

* Renames init complete target.

* Fixes incorrect target name in complete message.

* Adds readme to mkdocs.yml, removes property from project.yml.

* Fixes incorrect checks of the simplesamlphp property.

* Adds high level checks of SimpleSAMLphp installation to BltDoctorCommand.

* Updates BltDoctorCommand to remove some cruft.

Author: dooleymatt

mkdocs.yml

@@ -41,6 +41,7 @@ pages:
           - Release process: 'readme/release-process.md'
           - Release notes: 'scripts/release-notes/README.md'
         - Setting up continuous integration: 'readme/ci.md'
+        - Setting up SSO with SimpleSAMLphp: 'readme/simplesamlphp-setup.md'
         - Open source contribution: 'readme/os-contribution.md'
   - Troubleshooting & Support: 'readme/support.md'
   - Extending / Overriding BLT: 'readme/extending-blt.md'

phing/build.xml

@@ -68,6 +68,9 @@
   <!-- Contains Drupal VM tasks. -->
   <import file="${phing.dir}/tasks/vm.xml"/>
 
+  <!-- Contains Drupal SimpleSAMLphp tasks. -->
+  <import file="${phing.dir}/tasks/simplesamlphp.xml"/>
+
   <!-- Disable targets defined in the disable-targets array in project.yml. -->
   <!-- This must be executed after all targets are defined. -->
   <disabletargets file="${repo.root}/project.yml" property="disable-targets"/>

phing/tasks/deploy.xml

@@ -77,6 +77,14 @@
     <phingcall target="target-hook:invoke">
       <property name="hook-name" value="post-deploy-build"/>
     </phingcall>
+
+    <available property="simplesamlphp" file="${blt.root}/settings/simplesamlphp.settings.php"/>
+    <if>
+      <equals arg1="${simplesamlphp}" arg2="true"/>
+        <then>
+          <phingcall target="simplesamlphp:deploy:config"/>
+        </then>
+    </if>
   </target>
 
   <target name="deploy:commit" hidden="true">

phing/tasks/setup.xml

@@ -63,6 +63,14 @@
   <target name="setup:build" description="Generates all required files for a full build. E.g., (re)builds docroot, etc."
           depends="setup:git-hooks, setup:drupal:settings, setup:behat, setup:composer:install, frontend">
 
+    <available property="simplesamlphp" file="${blt.root}/settings/simplesamlphp.settings.php"/>
+    <if>
+      <equals arg1="${simplesamlphp}" arg2="true"/>
+        <then>
+          <phingcall target="simplesamlphp:build:config"/>
+        </then>
+    </if>
+
     <phingcall target="target-hook:invoke">
       <property name="hook-name" value="post-setup-build"/>
     </phingcall>

phing/tasks/simplesamlphp.xml

@@ -0,0 +1,108 @@
+<project name="simplesamlphp" default="simplesamlphp:init">
+
+  <target name="simplesamlphp:init" description="Initializes SimpleSAMLphp for project.">
+
+    <!-- Adds simplesamlphp_auth as a dependency. -->
+    <available property="simplesamlphp" file="${blt.root}/settings/simplesamlphp.settings.php"/>
+
+    <if>
+      <not><equals arg1="${simplesamlphp}" arg2="true"/></not>
+      <then>
+        <phingcall target="simplesamlphp:lib:init"/>
+
+        <!-- Copies the configuration templates from the library to a simplesamlphp directory located in the project root. -->
+        <phingcall target="simplesamlphp:config:init"/>
+
+        <!-- Copies a settings file used by the simplesamlphp_auth module to blt's settings dir. -->
+        <phingcall target="simplesamlphp:settings"/>
+
+        <!-- Creates a symlink from the docroot to the web accessible library dir. -->
+        <echo>Creating a symbolic link from ${docroot}/simplesaml to web accessible directory in the simplesamlphp library</echo>
+        <symlink target="../vendor/simplesamlphp/simplesamlphp/www/" link="${docroot}/simplesaml" overwrite="true" />
+
+        <!-- Outputs a message to edit the new config files. -->
+        <phingcall target="simplesamlphp:init:complete"/>
+      </then>
+      <else>
+        <echo>SimpleSAMLphp has already been initialized by BLT.</echo>
+      </else>
+    </if>
+  </target>
+
+  <!-- Adds simplesamlphp_auth as a dependency. -->
+  <target name="simplesamlphp:lib:init" hidden="true">
+    <echo>Adding SimpleSAMLphp Auth module as a dependency.</echo>
+    <exec dir="${repo.root}" command="composer require drupal/simplesamlphp_auth:8.3.x-dev#283994f" logoutput="true" checkreturn="true" passthru="true" level="info"/>
+  </target>
+
+  <!-- Copies the configuration templates from the library to a simplesamlphp directory located in the project root. -->
+  <target name="simplesamlphp:config:init" hidden="true">
+    <echo>Copying config files to ${repo.root}/simplesamlphp/config.</echo>
+    <copy todir="${repo.root}/simplesamlphp/config" overwrite="false">
+      <filelist dir="${repo.root}/vendor/simplesamlphp/simplesamlphp/config-templates" files="authsources.php, config.php"/>
+    </copy>
+    <exec dir="${repo.root}/simplesamlphp/config" command="curl https://gist.githubusercontent.com/acquialibrary/8059715/raw/a6dc376bfb5068a2c7fe01be315d13bd47d4c10b/9191_config.php > acquia_config.php" passthru="true"/>
+    <append destFile="${repo.root}/simplesamlphp/config/config.php" file="${repo.root}/simplesamlphp/config/acquia_config.php">
+      <filterchain>
+        <replaceregexp>
+          <regexp pattern=".*php\n" replace="" ignoreCase="true"/>
+        </replaceregexp>
+      </filterchain>
+    </append>
+    <echo>Copying config files to ${repo.root}/simplesamlphp/metadata.</echo>
+    <copy todir="${repo.root}/simplesamlphp/metadata" file="${repo.root}/vendor/simplesamlphp/simplesamlphp/metadata-templates/saml20-idp-remote.php" overwrite="false"/>
+  </target>
+
+  <!-- Copies a settings file used by simplesamlphp_auth to blt settings dir. -->
+  <target name="simplesamlphp:settings" hidden="true">
+    <echo>Adding a simplesamlphp.settings.php file.</echo>
+    <copy file="${blt.root}/scripts/simplesamlphp/simplesamlphp.settings.php" tofile="${blt.root}/settings/simplesamlphp.settings.php" overwrite="false"/>
+  </target>
+
+  <!-- Copies customized config files into the library on deployments. -->
+  <target name="simplesamlphp:deploy:config" description="Copies config template files to the appropriate place in simplesamlphp library." hidden="true">
+    <echo>Copying config files to the appropriate place in simplesamlphp library in the deploy artifact.</echo>
+    <copy todir="${repo.root}/deploy/vendor/simplesamlphp/simplesamlphp" overwrite="true">
+      <fileset dir="${repo.root}/simplesamlphp/" />
+    </copy>
+    <copy file="${blt.root}/scripts/simplesamlphp/gitignore.txt" tofile="${repo.root}/deploy/vendor/simplesamlphp/simplesamlphp/.gitignore" overwrite="true"/>
+  </target>
+
+  <!-- Copies customized config files into the library on builds. -->
+  <target name="simplesamlphp:build:config" description="Copies config template files to the appropriate place in simplesamlphp library.">
+    <echo>Copying config files to the appropriate place in simplesamlphp library.</echo>
+    <copy todir="${repo.root}/vendor/simplesamlphp/simplesamlphp" overwrite="true">
+      <fileset dir="${repo.root}/simplesamlphp/" />
+    </copy>
+    <copy file="${blt.root}/scripts/simplesamlphp/gitignore.txt" tofile="${repo.root}/vendor/simplesamlphp/simplesamlphp/.gitignore" overwrite="true"/>
+  </target>
+
+  <!-- Outputs a message to edit the new config files. -->
+  <target name="simplesamlphp:init:complete" hidden="true">
+    <echo>
+
+
+    ============================================================================
+      To complete the setup you must manually modify several files.
+    ============================================================================
+
+      * ${docroot}/.htaccess
+      * ${repo.root}/simplesamlphp/config/config.php
+      * ${repo.root}/simplesamlphp/config/authsources.php
+      * ${repo.root}/simplesamlphp/metadata/saml20-idp-remote.php
+
+
+      After editting these files execute the following command to copy the
+      modified files to the correct location in the SimpleSAMLphp library
+
+      'blt simplesamlphp:build:config'
+
+    ============================================================================
+      See simplesamlphp-setup.md for details on how to modify the files.
+    ============================================================================
+
+
+    </echo>
+  </target>
+
+</project>

readme/simplesamlphp-setup.md

@@ -0,0 +1,46 @@
+# SimpleSAMLphp Setup
+
+To configure SimpleSAMLphp, perform the following steps after initially setting up BLT:
+
+1. Execute `blt simplesamlphp:init`. This will perform the initial setup tasks including:
+	* Adds the simplesamlphp_auth module as a project dependency.
+	* Copies congigruation files to `${project.root}/simplesamlphp`
+	* Adds a simplesamlphp property to project.yml
+	* Creates a symbolic link in the docroot to the web accessible directory of the simplesamlphp library.
+	* Adds a settings.php file to the project's default settings directory.
+	
+1. Edit `docroot/.htaccess` to include the following 2 lines. Note: the only 2 lines that need to be added are the lines marked with "+" signs. 
+		
+		  # Copy and adapt this rule to directly execute PHP files in contributed or  
+    	  # custom modules or to run another PHP application in the same directory.  
+    	  RewriteCond %{REQUEST_URI} !/core/modules/statistics/statistics.php$  
+  		+ # Allow access to simplesaml paths  
+  		+ RewriteCond %{REQUEST_URI} !^/simplesaml  
+    	  # Deny access to any other PHP files that do not match the rules above.  
+    	  RewriteRule "^.+/.*\.php$" - [F]
+    
+1. Edit `${project.root}/simplesamlphp/config/config.php`
+	* This file has been pre-populated with a code snippet recommended for Acquia Cloud Environments. You will need to edit the `$config` array for your local environment. 
+	* Update your database name in `$ah_options`
+		
+			$ah_options = array(  
+  			  'database_name' => '[DATABASE-NAME]',  
+  			  'session_store' => array(  
+    		    'prod' => 'memcache', // This can be either `memcache` or `database`  
+    		    'test' => 'memcache', // This can be either `memcache` or `database`  
+    		    'dev'  => 'database', // This can be either `memcache` or `database`  
+  			  ),
+			);
+	* Update the following values int the `$config` array
+	
+
+			$config['technicalcontact_name'] = "Technical Contact Name";
+			$config['technicalcontact_email'] = "[email protected]";
+			$config['secretsalt'] = '[YOUR-SECERET-SALT]';
+			$config['auth.adminpassword'] = '[ADMIN-PASSWORD]';
+
+1. Edit `${project.root}/simplesamlphp/config/authsources.php`
+1. Edit `${project.root}/simplesamlphp/metadata/saml20-idp-remote.php`
+1. Execute `blt simplesamlphp:config:build` to copy these configuration files to the SimpleSAMLphp library.
+1. Commit the changes.
+

scripts/simplesamlphp/gitignore.txt

@@ -0,0 +1,160 @@
+.gitignore
+log
+
+!config/.gitkeep
+!metadata/.gitkeep
+
+# https://www.gitignore.io/api/osx,windows,linux,netbeans,sublimetext,composer,phpstorm,vagrant
+# Created by https://www.gitignore.io
+
+# Created by https://www.gitignore.io
+
+### OSX ###
+.DS_Store
+.AppleDouble
+.LSOverride
+
+# Icon must end with two \r
+Icon
+
+
+# Thumbnails
+._*
+
+# Files that might appear in the root of a volume
+.DocumentRevisions-V100
+.fseventsd
+.Spotlight-V100
+.TemporaryItems
+.Trashes
+.VolumeIcon.icns
+
+# Directories potentially created on remote AFP share
+.AppleDB
+.AppleDesktop
+Network Trash Folder
+Temporary Items
+.apdisk
+
+
+### Windows ###
+# Windows image file caches
+Thumbs.db
+ehthumbs.db
+
+# Folder config file
+Desktop.ini
+
+# Recycle Bin used on file shares
+$RECYCLE.BIN/
+
+# Windows Installer files
+*.cab
+*.msi
+*.msm
+*.msp
+
+# Windows shortcuts
+*.lnk
+
+
+### Linux ###
+*~
+
+# KDE directory preferences
+.directory
+
+# Linux trash folder which might appear on any partition or disk
+.Trash-*
+
+### Eclipse ###
+.project
+
+### NetBeans ###
+nbproject/private/
+build/
+nbbuild/
+dist/
+nbdist/
+nbactions.xml
+nb-configuration.xml
+.nb-gradle/
+
+
+### SublimeText ###
+# cache files for sublime text
+*.tmlanguage.cache
+*.tmPreferences.cache
+*.stTheme.cache
+
+# workspace files are user-specific
+*.sublime-workspace
+
+# project files should be checked into the repository, unless a significant
+# proportion of contributors will probably not be using SublimeText
+# *.sublime-project
+
+# sftp configuration file
+sftp-config.json
+
+
+### Composer ###
+composer.phar
+vendor/
+
+# Commit your application's lock file http://getcomposer.org/doc/01-basic-usage.md#composer-lock-the-lock-file
+# You may choose to ignore a library lock file http://getcomposer.org/doc/02-libraries.md#lock-file
+# composer.lock
+
+
+### PhpStorm ###
+# Covers JetBrains IDEs: IntelliJ, RubyMine, PhpStorm, AppCode, PyCharm
+
+*.iml
+
+## Directory-based project format:
+.idea/
+# if you remove the above rule, at least ignore the following:
+
+# User-specific stuff:
+# .idea/workspace.xml
+# .idea/tasks.xml
+# .idea/dictionaries
+
+# Sensitive or high-churn files:
+# .idea/dataSources.ids
+# .idea/dataSources.xml
+# .idea/sqlDataSources.xml
+# .idea/dynamic.xml
+# .idea/uiDesigner.xml
+
+# Gradle:
+# .idea/gradle.xml
+# .idea/libraries
+
+# Mongo Explorer plugin:
+# .idea/mongoSettings.xml
+
+## File-based project format:
+*.ipr
+*.iws
+
+## Plugin-specific files:
+
+# IntelliJ
+/out/
+
+# mpeltonen/sbt-idea plugin
+.idea_modules/
+
+# JIRA plugin
+atlassian-ide-plugin.xml
+
+# Crashlytics plugin (for Android Studio and IntelliJ)
+com_crashlytics_export_strings.xml
+crashlytics.properties
+crashlytics-build.properties
+
+
+### Vagrant ###
+.vagrant/

scripts/simplesamlphp/simplesamlphp.settings.php

@@ -0,0 +1,13 @@
+<?php
+
+// SimpleSAMLphp configuration
+# Provide universal absolute path to the installation.
+if (isset($_ENV['AH_SITE_NAME']) && is_dir('/var/www/html/' . $_ENV['AH_SITE_NAME'] . '/vendor/simplesamlphp/simplesamlphp')) {
+  $settings['simplesamlphp_dir'] = '/var/www/html/' . $_ENV['AH_SITE_NAME'] . '/vendor/simplesamlphp/simplesamlphp';
+}
+else {
+  // Local SAML path.
+  if (is_dir(DRUPAL_ROOT . '/../simplesamlphp')) {
+    $settings['simplesamlphp_dir'] = DRUPAL_ROOT . '/../vendor/simplesamlphp/simplesamlphp';
+  }
+}

settings/blt.settings.php

@@ -56,6 +56,11 @@
 // Prevent APCu memory exhaustion.
 $settings['container_yamls'][] = __DIR__ . '/apcu_fix.yml';
 
+// Include simplesamlphp settings if the file exists.
+if (file_exists(__DIR__ . '/simplesamlphp.settings.php')) {
+  require __DIR__ . '/simplesamlphp.settings.php';
+}
+
 /**
  * Salt for one-time login links, cancel links, form tokens, etc.
  *
@@ -75,7 +80,6 @@
  */
 $settings['hash_salt'] = file_get_contents(DRUPAL_ROOT . '/../salt.txt');
 
-
 /*******************************************************************************
  * Environment-specific includes.
  ******************************************************************************/