Merge pull request #225 from silinternational/develop

Release 5.5.0
silinternational · May 26, 2021 · f0a5f69 · f0a5f69
2 parents 9369c4c + 14efcf1
commit f0a5f69
Show file tree

Hide file tree

Showing 12 changed files with 645 additions and 414 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -6,6 +6,10 @@ and this project adheres to [Semantic Versioning](http://semver.org/).
 
 ## [Unreleased]
 
+## [5.5.0]
+### Added
+- In Google adapter, search by email as well as by external ID
+
 ## [5.4.0]
 ### Added
 - Allow LDAP host name to be a list of hostname strings as well as a single string for backward compatibility
@@ -142,12 +146,13 @@ and this project adheres to [Semantic Versioning](http://semver.org/).
 ### Added
 - Initial version of Password Manager Backend.
 
-[Unreleased]: https://github.com/silinternational/idp-pw-api/compare/5.4.0..HEAD
-[5.4.0]: https://github.com/silinternational/idp-pw-api/compare/5.3.4..5.4.0
-[5.3.4]: https://github.com/silinternational/idp-pw-api/compare/5.3.3..5.3.4
-[5.3.3]: https://github.com/silinternational/idp-pw-api/compare/5.3.2..5.3.3
-[5.3.2]: https://github.com/silinternational/idp-pw-api/compare/5.3.1..5.3.2
-[5.3.1]: https://github.com/silinternational/idp-pw-api/compare/5.3.0..5.3.1
+[Unreleased]: https://github.com/silinternational/idp-pw-api/compare/5.5.0...HEAD
+[5.5.0]: https://github.com/silinternational/idp-pw-api/compare/5.4.0...5.5.0
+[5.4.0]: https://github.com/silinternational/idp-pw-api/compare/5.3.4...5.4.0
+[5.3.4]: https://github.com/silinternational/idp-pw-api/compare/5.3.3...5.3.4
+[5.3.3]: https://github.com/silinternational/idp-pw-api/compare/5.3.2...5.3.3
+[5.3.2]: https://github.com/silinternational/idp-pw-api/compare/5.3.1...5.3.2
+[5.3.1]: https://github.com/silinternational/idp-pw-api/compare/5.3.0...5.3.1
 [5.3.0]: https://github.com/silinternational/idp-pw-api/compare/5.2.2...5.3.0
 [5.2.2]: https://github.com/silinternational/idp-pw-api/compare/5.2.1...5.2.2
 [5.2.1]: https://github.com/silinternational/idp-pw-api/compare/5.2.0...5.2.1

diff --git a/Dockerfile b/Dockerfile
@@ -1,18 +1,53 @@
-FROM silintl/php7:7.2
-MAINTAINER Phillip Shipley <[email protected]>
-
-ENV REFRESHED_AT 2020-04-07
+FROM silintl/php7-apache:7.4.19
+LABEL maintainer="Phillip Shipley <[email protected]>"
 
 RUN apt-get update -y && \
-    apt-get install -y php-memcache && \
-    apt-get clean
+    apt-get install -y \
+# Needed to install s3cmd
+        python-pip \
+# Needed to build php extensions
+        libfreetype6-dev \
+        libgmp-dev \
+        libjpeg62-turbo-dev \
+        libldap2-dev \
+        libpng-dev \
+        libonig-dev \
+        libxml2-dev \
+        libzip-dev \
+        libcurl4-openssl-dev \
+# Clean up to reduce docker image size
+    && apt-get clean \
+    && rm -rf /var/lib/apt/lists/*
+
+RUN curl https://raw.githubusercontent.com/silinternational/runny/0.2/runny -o /usr/local/bin/runny
+RUN chmod a+x /usr/local/bin/runny
+
+# Install and enable, see the README on the docker hub for the image
+RUN pecl install memcache-4.0.5.2 && docker-php-ext-enable memcache
+RUN docker-php-ext-configure ldap --with-libdir=lib/x86_64-linux-gnu/ && \
+    docker-php-ext-install gmp ldap zip
 
+# Copy in vhost configuration
+COPY dockerbuild/vhost.conf /etc/apache2/sites-enabled/
+
+# Ensure the DocumentRoot folder exists
 RUN mkdir -p /data
 
-# get s3-expand
+# Validate apache configuration
+RUN ["apache2ctl", "configtest"]
+
+# Copy in any additional PHP ini files
+COPY dockerbuild/*.ini "$PHP_INI_DIR/conf.d/"
+
+# get s3cmd and s3-expand
+RUN pip install s3cmd
 RUN curl https://raw.githubusercontent.com/silinternational/s3-expand/1.5/s3-expand -o /usr/local/bin/s3-expand
 RUN chmod a+x /usr/local/bin/s3-expand
 
+# Clean up all the build stuff we don't need
+RUN apt purge -y dpkg-dev cpp-8 gcc-8 python2-dev python2.7-dev && \
+    apt autoremove -y
+
 WORKDIR /data
 
 # Install/cleanup composer dependencies
@@ -29,13 +64,12 @@ RUN chown -R www-data:www-data \
     frontend/runtime/ \
     frontend/web/assets/
 
-COPY dockerbuild/vhost.conf /etc/apache2/sites-enabled/
-
 # ErrorLog inside a VirtualHost block is ineffective for unknown reasons
 RUN sed -i -E 's@ErrorLog .*@ErrorLog /proc/self/fd/2@i' /etc/apache2/apache2.conf
 
 RUN touch /etc/default/locale
 
 EXPOSE 80
 ENTRYPOINT ["/usr/local/bin/s3-expand"]
+
 CMD ["/data/run.sh"]
diff --git a/application/common/components/passwordStore/Google.php b/application/common/components/passwordStore/Google.php
@@ -56,16 +56,8 @@ class Google extends Component implements PasswordStoreInterface
 
     public $displayName = 'Google';
 
-    /**
-     * @var bool $findByExternalId If `true`, when retrieving a user by employee_id,
-     * a call will be made to `Users: list` to retrieve the user by the Google user
-     * property `externalId`.
-     */
-    public $findByExternalId = false;
-
     /**
      * @var string $searchDomain Domain name in which to search for a matching user
-     * when `findByExternalId` is `true`.
      */
     public $searchDomain = '';
 
@@ -178,16 +170,40 @@ public function getMeta($employeeId): UserPasswordMeta
      * Employee ID.
      *
      * @param string $employeeId The Employee ID of the desired user.
-     * @return Google_Service_Directory_User The user record from Google.
+     * @return Google_Service_Directory_User|null The user record from Google.
+     * @throws UserNotFoundException if email not defined or user not found in Google
      */
-    protected function getUser($employeeId)
+    protected function getUser(string $employeeId): ?Google_Service_Directory_User
     {
-        if ($this->findByExternalId === true) {
+        $email = $this->getEmailFromLocalStore($employeeId);
+        $user = $this->getUserByEmail($email);
+
+        if ($user === null) {
             return $this->getUserByEmployeeId($employeeId);
-        } else {
-            $email = $this->getEmailFromLocalStore($employeeId);
-            return $this->getUserByEmail($email);
         }
+
+        if (! self::hasCorrectEmployeeId($user, $employeeId)) {
+            return null;
+        }
+
+        return $user;
+    }
+
+    /**
+     * Verify that the user's employee ID matches what we think it should
+     *
+     * @param Google_Service_Directory_User $user The Google user to verify
+     * @param string $employeeId The employee ID.
+     * @return bool
+     */
+    protected static function hasCorrectEmployeeId(Google_Service_Directory_User $user, string $employeeId): bool
+    {
+        foreach($user['externalIds'] as $externalId) {
+            if ($externalId['value'] === $employeeId && $externalId['type'] === 'organization') {
+                return true;
+            }
+        }
+        return false;
     }
 
     /**

diff --git a/application/common/config/local.php.dist b/application/common/config/local.php.dist
@@ -67,7 +67,6 @@ return [
                     'jsonAuthFilePath' => '/data/google.json',
                     'delegatedAdminEmail' => '[email protected]',
                     'searchDomain' => 'example.org',
-                    'findByExternalId' => true,
                 ]
             ],
         ],

diff --git a/application/composer.json b/application/composer.json
@@ -2,12 +2,6 @@
   "name": "silinternational/idp-pw-api",
   "description": "Backend API for Identity Provider Password Management",
   "minimum-stability": "stable",
-  "repositories": [
-    {
-      "type": "git",
-      "url": "https://github.com/silinternational/idp-id-broker-php-client"
-    }
-  ],
   "require": {
     "php": ">=7.2",
     "ext-json": "*",