CDPT-1511 Intranet migration add microsoft login azure ad (#508)

* WIP checkin

* Auth class complete.

* Make CDN a node application, for testing CloudFront functions.

* Cookie signing iis working

* Update moj-auth.php

* Complete auth for allowed IPs, cdn validates the CloudFront signed cookies.

* Remove oauth2

* Allow for key rotation.

* Improve env var generation.

* Update amazon-s3-and-cloudfront.php

* Update moj-auth.php

* Update local-key-gen.sh

* Add CloudFront env vars.

* Document format

* Add allowed ips to ConfigMap.

* Fix error: Each class must be in a file by itself

* Azure auth draft working.

- add oauth2 composer package
- add env vars to example
- add readme - how to make an azure entra app
- add all error pages for nginx to statically serve

* CDPT-1511 Move moj-auth to own folder to improve readability.

* CDPT-1511 copy expiry from oauth to jwt. Improve docs add debugging.

* Add Azure config values for dev deployment.

* Allow for disabling OAuth.

* Fix untrusted redirect vulnrability.

* Move composer.json comment.

* Update composer.lock

* Improve composer.json comment

* Update composer.lock

* Update composer.json comments

* Delete moj-auth.php duplicate

.env.example

@@ -53,6 +53,11 @@ SECURE_AUTH_SALT='generate-key'
 LOGGED_IN_SALT='generate-key'
 NONCE_SALT='generate-key'
 
+# Entra API - see readme for more info.
+OAUTH_CLIENT_ID=
+OAUTH_TENNANT_ID=
+OAUTH_CLIENT_SECRET=""
+
 # IP addresses, with optional CIDR notation. Separated by newlines & # comments.
 ALLOWED_IPS="
 # Home netowrk IP range - at http://intranet.docker/info.php > HTTP_X_REAL_IP

.github/README.md

@@ -265,6 +265,49 @@ To verify that S3 & CloudFront are working correctly.
 - The img source domain should be CloudFront.
 - Directly trying to access an image via the S3 bucket url should return an access denied message.
 
+## Azure Setup
+
+### Useful links
+
+- [Ministry of Justice | Overview](https://portal.azure.com/#view/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/~/Overview)
+- App [MOJ-Local-Intranet-v2](https://portal.azure.com/#view/Microsoft_AAD_RegisteredApps/ApplicationMenuBlade/~/Overview/appId/73ed65a5-e879-4027-beab-f5e64de803b7/isMSAApp~/false)
+- App [MOJ-Dev-Intranet-V2](https://portal.azure.com/#view/Microsoft_AAD_RegisteredApps/ApplicationMenuBlade/~/Overview/quickStartType~/null/sourceType/Microsoft_AAD_IAM/appId/1dac3cbf-91d2-4c0e-9c80-0bf3f8fabd75)
+
+### Register an application
+
+1. Go to the Azure portal and sign in with your account.
+2. Click on the `Microsoft Entra ID` service.
+3. Click on `App registrations`.
+4. Click on `New registration`.
+5. Fill in the form (adjust to the environment):
+   - Name: `MOJ-Local-Intranet-v2`
+   - Supported account types: `Accounts in this organizational directory only`
+   - Redirect URI: `Web` and `http://localhost/oauth2?action=callback`  
+     or `https://dev-intranet.apps.live.cloud-platform.service.justice.gov.uk/oauth2?action=callback` etc.
+6. Copy the `Application (client) ID` and `Directory (tenant) ID` values,
+  make them available as environment variables `OAUTH_CLIENT_ID`, `OAUTH_TENNANT_ID`.
+7. Click on `Certificates & secrets` > `New client secret`.
+8. Fill in the form:
+   - Description: `Local-Intranet-v2`
+   - Expires: `6 months`
+9. Set a reminder to update the client secret before it expires.
+10. Copy the `Value` value, make it available as environment variable `OAUTH_CLIENT_SECRET`.
+11. Click on `Expose an API` > `Add a scope`.
+12. Use the default Application ID URI, which is `api://<client_id>`.
+13. Fill in the form:
+    - Scope name: `user_impersonation`
+    - Who can consent: `Admins and users`
+    - Admin consent display name: `Access Intranet`
+    - Admin consent description: `Access Intranet on behalf of the signed-in user`
+    - User consent display name: `Access Intranet`
+    - User consent description: `Access Intranet on your behalf`
+14. Click on `Add a client application`.
+15. Enter the Client ID of the application you created.
+16. Check the box next to the application you created.
+17. Click on `Add application`.
+
+The oauth2 flow should now work with the Azure AD/Entra ID application.
+You can get an Access Token, Refresh Token and an expiry of the token.
 
 
 <!-- License -->

.gitignore

@@ -14,6 +14,7 @@ public/app/debug.log
 public/app/plugins/*
 public/app/db.php
 public/app/mu-plugins/*/
+!public/app/mu-plugins/moj-auth/
 public/app/upgrade
 public/app/languages/*
 public/app/uploads/*

composer.json

@@ -75,7 +75,9 @@
         "stayallive/wp-sentry": "^7.11",
         "ext-posix": "*",
         "ext-mysqli": "*",
-        "ext-zlib": "*"
+        "ext-zlib": "*",
+        "league/oauth2-client": "^2.7",
+        "firebase/php-jwt": "^6.10"
     },
     "require-dev": {
         "squizlabs/php_codesniffer": "^3.0.2"
@@ -105,7 +107,21 @@
                 "vendor:koodimonni-theme-language"
             ]
         },
-        "wordpress-install-dir": "public/wp"
+        "wordpress-install-dir": "public/wp",
+        "meta-comments": {
+            "description": [
+                "As comments are not allowed in composer.json, use this section for comments.",
+                "After adding comments here, run a benign composer command like ",
+                "`composer update paragonie/random_compat` to update composer.lock's hash."
+            ],
+            "replace.paragonie/random_compat": [
+                "The `paragonie/random_compat` package is a dependency of `league/oauth2-client`.",
+                "As our php version is > 7 we do not need this package.",
+                "The package authors have an empty version of the package for this case: 9.99.99",
+                "Defining it inside `replace`, will prevent it from being installed.",
+                "@see: https://github.com/paragonie/random_compat?tab=readme-ov-file#version-99999"
+            ]
+        }
     },
     "scripts": {
         "post-root-package-install": [
@@ -118,6 +134,9 @@
             "vendor/bin/phpcbf -d memory_limit=256M"
         ]
     },
+    "replace": {
+        "paragonie/random_compat": "9.99.99"
+    },
     "authors": [
         {
             "name": "Ministry of Justice",

deploy/config/local/nginx/server.conf

@@ -30,6 +30,8 @@ server {
     # CUSTOM ERROR PAGES
     ###
     error_page 400 /app/themes/clarity/error-pages/400.html;
+    error_page 401 /app/themes/clarity/error-pages/401.html;
+    error_page 403 /app/themes/clarity/error-pages/403.html;
     error_page 404 /app/themes/clarity/error-pages/404.html;
     error_page 500 /app/themes/clarity/error-pages/500.html;
     error_page 503 /app/themes/clarity/error-pages/maintenance.html;

deploy/config/server.conf

@@ -31,6 +31,8 @@ server {
 
     client_max_body_size 250m;
     error_page 400 /app/themes/clarity/error-pages/400.html;
+    error_page 401 /app/themes/clarity/error-pages/401.html;
+    error_page 403 /app/themes/clarity/error-pages/403.html;
     error_page 404 /app/themes/clarity/error-pages/404.html;
     error_page 500 /app/themes/clarity/error-pages/500.html;
     error_page 503 /app/themes/clarity/error-pages/maintenance.html;

deploy/development/config.yml

@@ -7,6 +7,9 @@ data:
   WP_ENV: "development"
   WP_HOME: 'https://dev.intranet.justice.gov.uk'
   WP_SITEURL: 'https://dev.intranet.justice.gov.uk/wp'
+  # See Azure Setup for more information on how to get these values.
+  OAUTH_CLIENT_ID: 1dac3cbf-91d2-4c0e-9c80-0bf3f8fabd75
+  OAUTH_TENNANT_ID: c6874728-71e6-41fe-a9e1-2e8c36776ad8
   # IP addresses, with optional CIDR notation. Separated by newlines and using # for comments.
   ALLOWED_IPS: |
     # Global Protect

deploy/development/secret.tpl

@@ -16,6 +16,7 @@ stringData:
   SECURE_AUTH_KEY: "${SECURE_AUTH_KEY}"
   SECURE_AUTH_SALT: "${SECURE_AUTH_SALT}"
   JWT_SECRET: "${JWT_SECRET}"
+  OAUTH_CLIENT_SECRET: "${OAUTH_CLIENT_SECRET}"
 ---
 apiVersion: v1
 kind: Secret