Compare commits
9 Commits
de3731a63d
...
poc-2fa
| Author | SHA1 | Date | |
|---|---|---|---|
| 3c3dba768e | |||
| 6667f44aac | |||
| 148f05ef79 | |||
| d79cf65bb4 | |||
| 7448a9af4d | |||
| 3933f8bfba | |||
| 6faf465733 | |||
| 5f2654c3c4 | |||
| 2e5e1e72ae |
9
.env
9
.env
@@ -14,7 +14,7 @@
|
||||
# https://symfony.com/doc/current/best_practices.html#use-environment-variables-for-infrastructure-configuration
|
||||
|
||||
###> symfony/framework-bundle ###
|
||||
APP_ENV=prod
|
||||
APP_ENV=dev
|
||||
APP_SECRET=406ccaa0c76a451fdcc2307ea146cbef
|
||||
URL_LINK="http://localhost"
|
||||
|
||||
@@ -25,7 +25,7 @@ DB_USER="lasql"
|
||||
DB_PASSWORD="lasql"
|
||||
|
||||
ISSUER_URL="http://localhost:8000"
|
||||
BASE_URL='http://localhost:8080'
|
||||
BASE_URL='http://localhost:8083'
|
||||
# connexion hydra
|
||||
HYDRA_ADMIN_BASE_URL='http://hydra:4445'
|
||||
APP_LOCALES="fr,en"
|
||||
@@ -43,4 +43,7 @@ ALTCHA_DEBUG=false
|
||||
ALTCHA_WORKERS=8
|
||||
ALTCHA_DELAY=100
|
||||
ALTCHA_MOCK_ERROR=false
|
||||
ALTCHA_ENABLED=true
|
||||
ALTCHA_ENABLED=false
|
||||
|
||||
ENABLED_2FA=true
|
||||
URL_2FA=http://localhost:8084/2fa
|
||||
84
compose.yml
84
compose.yml
@@ -1,4 +1,26 @@
|
||||
services:
|
||||
hydra-dispatcher:
|
||||
image: reg.cadoles.com/cadoles/hydra-dispatcher-standalone:2025.9.2-develop.1152.3cd1c49
|
||||
ports:
|
||||
- 8082:80
|
||||
environment:
|
||||
- APP_ENV=prod
|
||||
- APP_DEBUG=false
|
||||
- PHP_FPM_MEMORY_LIMIT=256m
|
||||
- CADDY_HTTP_PORT=80
|
||||
- HYDRA_ADMIN_BASE_URL=http://hydra:4445
|
||||
- HYDRA_BASE_URL=http://hydra:4444
|
||||
- HYDRA_REWRITE_ISSUER=yes
|
||||
- HYDRA_ORIGINAL_ISSUER=http://localhost:8081
|
||||
- HYDRA_NEW_ISSUER=http://localhost:8082
|
||||
- DEFAULT_LOCALE=fr
|
||||
- DISABLE_APP_AUTO_SELECT=false
|
||||
- APP_LOCALES=fr,en
|
||||
- HYDRA_ADMIN_AUTHORIZED_HOSTS=10.0.0.0/8,172.16.0.0/12,172.19.0.0/12,192.168.0.0/16
|
||||
- REDIS_DSN=redis://redis:6379
|
||||
- TRUSTED_PROXIES=REMOTE_ADDR
|
||||
volumes:
|
||||
- ./misc/compose/dispatcher/:/app/config/hydra/
|
||||
hydra-sql:
|
||||
build:
|
||||
context: .
|
||||
@@ -12,7 +34,7 @@ services:
|
||||
- http_proxy=${http_proxy}
|
||||
- https_proxy=${https_proxy}
|
||||
ports:
|
||||
- 8082:8071
|
||||
- 8083:8071
|
||||
tmpfs:
|
||||
- /var/www/var/logs:uid=${FIXUID:-1000},gid=${FIXGID:-1000}
|
||||
- /var/www/var/cache:uid=${FIXUID:-1000},gid=${FIXGID:-1000}
|
||||
@@ -22,6 +44,7 @@ services:
|
||||
- hydra
|
||||
depends_on:
|
||||
- redis
|
||||
- hydra-dispatcher
|
||||
extra_hosts:
|
||||
- "localhost:127.0.0.1"
|
||||
- "localhost:host-gateway"
|
||||
@@ -48,10 +71,10 @@ services:
|
||||
- APP_ENV=dev
|
||||
- PHP_FPM_MEMORY_LIMIT=128m
|
||||
- APP_LOCALES=fr,en
|
||||
- HYDRA_ADMIN_BASE_URL=http://hydra:4445
|
||||
- HYDRA_ADMIN_BASE_URL=http://hydra-dispatcher
|
||||
- TRUSTED_PROXIES=127.0.0.1,REMOTE_ADDR,localhost
|
||||
- ISSUER_URL=http://localhost:8000
|
||||
- BASE_URL=http://localhost:8082
|
||||
- BASE_URL=http://localhost:8083
|
||||
- DB_USER=lasql
|
||||
- DB_PASSWORD=lasql
|
||||
- DEFAULT_LOCALE=fr
|
||||
@@ -59,7 +82,8 @@ services:
|
||||
- HASH_ALGO_LEGACY="sha256"
|
||||
- SECURITY_PATTERN=password,salt,pepper
|
||||
- CADDY_HTTP_PORT=8071
|
||||
|
||||
- ENABLED_2FA=true
|
||||
- URL_2FA=http://localhost:8084/2fa
|
||||
oidc-test:
|
||||
image: bornholm/oidc-test:v0.0.0-1-g936a77e
|
||||
environment:
|
||||
@@ -85,8 +109,8 @@ services:
|
||||
- HYDRA_ALLOW_INSECURE=yes
|
||||
- HYDRA_URLS_SELF_ISSUER=http://localhost:8081/
|
||||
- HYDRA_URLS_LOGOUT=http://localhost:8082/logout
|
||||
- HYDRA_URLS_LOGIN=http://localhost:8082/
|
||||
- HYDRA_URLS_CONSENT=http://localhost:8082/connect/consent
|
||||
- HYDRA_URLS_LOGIN=http://localhost:8082/login
|
||||
- HYDRA_URLS_CONSENT=http://localhost:8082/consent
|
||||
- HYDRA_URLS_ERROR=http://localhost:8082/error
|
||||
- HYDRA_LEVEL=debug
|
||||
- HYDRA_DSN=postgres://lasql:lasql@postgres:5432/hydra
|
||||
@@ -104,7 +128,7 @@ services:
|
||||
"wget",
|
||||
"--spider",
|
||||
"-q",
|
||||
"http://127.0.0.1:4444/.well-known/openid-configuration",
|
||||
"http://localhost:4444/.well-known/openid-configuration",
|
||||
]
|
||||
interval: 10s
|
||||
timeout: 10s
|
||||
@@ -124,17 +148,17 @@ services:
|
||||
- postgres:/var/lib/pgsql/data
|
||||
- /etc/localtime:/etc/localtime:ro
|
||||
|
||||
pgadmin:
|
||||
image: dpage/pgadmin4
|
||||
ports:
|
||||
- 8085:80
|
||||
restart: always
|
||||
environment:
|
||||
PGADMIN_DEFAULT_EMAIL: admin@admin.com
|
||||
PGADMIN_DEFAULT_PASSWORD: admin
|
||||
PGADMIN_SERVER_JSON_FILE: /pgadminfile/server.json
|
||||
volumes:
|
||||
- ./misc/compose/pgadmin:/pgadminfile/:ro
|
||||
# pgadmin:
|
||||
# image: dpage/pgadmin4
|
||||
# ports:
|
||||
# - 8085:80
|
||||
# restart: always
|
||||
# environment:
|
||||
# PGADMIN_DEFAULT_EMAIL: admin@admin.com
|
||||
# PGADMIN_DEFAULT_PASSWORD: admin
|
||||
# PGADMIN_SERVER_JSON_FILE: /pgadminfile/server.json
|
||||
# volumes:
|
||||
# - ./misc/compose/pgadmin:/pgadminfile/:ro
|
||||
mariadb:
|
||||
image: mariadb:10.10
|
||||
environment:
|
||||
@@ -158,6 +182,30 @@ services:
|
||||
image: reg.cadoles.com/cadoles/altcha:2024.10.29-develop.1213.22e038b
|
||||
environment:
|
||||
ALTCHA_HMAC_KEY: 'change_me'
|
||||
hydra-2fa:
|
||||
build:
|
||||
context: ../hydra-2fa # Répertoire du sous-projet
|
||||
dockerfile: Dockerfile
|
||||
volumes:
|
||||
- ../hydra-2fa:/app # Montage pour synchronisation en temps réel (ajuste si le WORKDIR change)
|
||||
environment:
|
||||
- APP_ENV=dev
|
||||
- APP_DEBUG=1 # Pour mode debug en dev
|
||||
- CADDY_GLOBAL_OPTIONS=debug # Activer le mode debug
|
||||
ports:
|
||||
- "8084:80" # Mappe le port 80 du conteneur sur 8081 de l'hôte
|
||||
depends_on:
|
||||
- postgres # Si tu utilises la DB partagée
|
||||
# pgweb:
|
||||
# container_name: pgweb
|
||||
# restart: always
|
||||
# image: sosedoff/pgweb
|
||||
# ports:
|
||||
# - "8085:8081"
|
||||
# environment:
|
||||
# - PGWEB_DATABASE_URL=postgres://lasql:lasql@postgres:5432/lasql?sslmode=disable
|
||||
# depends_on:
|
||||
# - postgres
|
||||
volumes:
|
||||
postgres:
|
||||
mariadb:
|
||||
|
||||
@@ -26,7 +26,6 @@
|
||||
"symfony/translation": "6.4.*",
|
||||
"symfony/twig-bundle": "6.4.*",
|
||||
"symfony/validator": "6.4.*",
|
||||
"symfony/web-profiler-bundle": "6.4.*",
|
||||
"symfony/webpack-encore-bundle": "^1.16",
|
||||
"symfony/yaml": "6.4.*"
|
||||
},
|
||||
@@ -81,6 +80,7 @@
|
||||
},
|
||||
"require-dev": {
|
||||
"rector/rector": "^2.1",
|
||||
"symfony/debug-bundle": "6.4.*"
|
||||
"symfony/debug-bundle": "6.4.*",
|
||||
"symfony/web-profiler-bundle": "6.4.*"
|
||||
}
|
||||
}
|
||||
|
||||
@@ -29,7 +29,14 @@ framework:
|
||||
php_errors:
|
||||
log: true
|
||||
error_controller: App\Controller\CustomErrorController::show
|
||||
|
||||
trusted_headers:
|
||||
[
|
||||
"x-forwarded-for",
|
||||
"x-forwarded-host",
|
||||
"x-forwarded-proto",
|
||||
"x-forwarded-port",
|
||||
"x-forwarded-prefix",
|
||||
]
|
||||
when@test:
|
||||
framework:
|
||||
test: true
|
||||
|
||||
@@ -51,7 +51,10 @@ services:
|
||||
App\Hydra\HydraService:
|
||||
arguments:
|
||||
$baseUrl: '%base_url%'
|
||||
|
||||
App\Controller\MainController:
|
||||
arguments:
|
||||
$url2fa: '%env(string:URL_2FA)%'
|
||||
$enabled2fa: '%env(bool:ENABLED_2FA)%'
|
||||
App\SQLLogin\SQLLoginRequest:
|
||||
arguments:
|
||||
$config: []
|
||||
|
||||
33
misc/compose/dispatcher/example.yml
Normal file
33
misc/compose/dispatcher/example.yml
Normal file
@@ -0,0 +1,33 @@
|
||||
hydra:
|
||||
apps:
|
||||
- id: hydra-sql
|
||||
title:
|
||||
fr: Hydra Sql
|
||||
en: Hydra Sql En
|
||||
description:
|
||||
fr: Authentification via adresse courriel
|
||||
en: Authentication by email address
|
||||
icon_url: http://placehold.jp/84x123.png
|
||||
login_url: http://localhost:8083/login
|
||||
consent_url: http://localhost:8083/consent
|
||||
options:
|
||||
text_libre:
|
||||
fr: "Connexion avec mot de passe"
|
||||
en: "Login with password"
|
||||
logout_url: http://localhost:8083/logout
|
||||
attributes_rewrite_configuration:
|
||||
mail:
|
||||
replace: email
|
||||
rules:
|
||||
- "property_exists(consent.session.id_token, 'email') ? consent.session.id_token.email : null"
|
||||
webhook:
|
||||
enabled: false
|
||||
api_url: http://hydra-dispatcher/test
|
||||
api_key: ~
|
||||
api_method: POST
|
||||
webhook_post_login:
|
||||
enabled: false
|
||||
api_url: http://hydra-dispatcher/test
|
||||
api_key: ~
|
||||
api_method: POST
|
||||
connected_user_redirect_url: '/'
|
||||
@@ -1,5 +1,5 @@
|
||||
ARG NODE_OPTIONS="--openssl-legacy-provider" \
|
||||
PHP_PKG_VERSION="8.4.5-r0" \
|
||||
PHP_PKG_VERSION="8.4.11-r0" \
|
||||
ENCORE_MODE="production" \
|
||||
APP_ENV="prod" \
|
||||
BASE_PATH="" \
|
||||
@@ -20,4 +20,4 @@ ARG NODE_OPTIONS="--openssl-legacy-provider" \
|
||||
BASE_PATH=${BASE_PATH} \
|
||||
APP_LOCALES=${APP_LOCALES}"
|
||||
|
||||
FROM reg.cadoles.com/cadoles/symfony:alpine-php-8.4-base-2025.6.12-stable.1038.48ea3b9
|
||||
FROM reg.cadoles.com/cadoles/symfony:alpine-php-8.4-base-2025.9.1-stable.1652.6889275
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
ARG NODE_OPTIONS="--openssl-legacy-provider" \
|
||||
PHP_PKG_VERSION="8.4.5-r0" \
|
||||
PHP_PKG_VERSION="8.4.11-r0" \
|
||||
ENCORE_MODE="production" \
|
||||
APP_ENV="prod" \
|
||||
BASE_PATH="" \
|
||||
@@ -20,5 +20,5 @@ ARG NODE_OPTIONS="--openssl-legacy-provider" \
|
||||
BASE_PATH=${BASE_PATH} \
|
||||
APP_LOCALES=${APP_LOCALES}"
|
||||
|
||||
FROM reg.cadoles.com/cadoles/symfony:alpine-php-8.4-standalone-2025.6.12-stable.1038.48ea3b9
|
||||
FROM reg.cadoles.com/cadoles/symfony:alpine-php-8.4-standalone-2025.9.1-stable.1652.6889275
|
||||
USER www-data
|
||||
|
||||
@@ -20,8 +20,10 @@ class MainController extends AbstractController
|
||||
public function __construct(
|
||||
private readonly RequestStack $requestStack,
|
||||
private readonly HydraService $hydra,
|
||||
private readonly Client $client
|
||||
){
|
||||
private readonly Client $client,
|
||||
private readonly string $url2fa,
|
||||
private readonly bool $enabled2fa
|
||||
) {
|
||||
}
|
||||
|
||||
#[Route('/', name: 'app_home')]
|
||||
@@ -61,6 +63,9 @@ class MainController extends AbstractController
|
||||
$subject = $expressionLanguage->evaluate($subjectRewriteExpression, $user->getAttributes());
|
||||
}
|
||||
|
||||
if ($this->url2fa) {
|
||||
return $this->redirect($this->url2fa.'?loginchallenge='.$challenge.'&identifier='.$subject);
|
||||
}
|
||||
$loginAcceptRes = $this->client->acceptLoginRequest($challenge, [
|
||||
'subject' => $subject,
|
||||
'remember' => true,
|
||||
@@ -70,7 +75,7 @@ class MainController extends AbstractController
|
||||
}
|
||||
|
||||
#[Route('/connect/consent', name: 'app_consent')]
|
||||
public function consent(Request $request): RedirectResponse
|
||||
public function consent(Request $request): Response
|
||||
{
|
||||
return $this->hydra->handleConsentRequest($request);
|
||||
}
|
||||
|
||||
@@ -32,7 +32,7 @@ class SQLLoginUserAuthenticator extends AbstractLoginFormAuthenticator
|
||||
private readonly SQLLoginService $sqlLoginService,
|
||||
private readonly PasswordEncoder $passwordHasher,
|
||||
private readonly SQLLoginRequest $sqlLoginRequest
|
||||
){
|
||||
) {
|
||||
}
|
||||
|
||||
/**
|
||||
@@ -60,7 +60,7 @@ class SQLLoginUserAuthenticator extends AbstractLoginFormAuthenticator
|
||||
public function authenticate(Request $request): SelfValidatingPassport
|
||||
{
|
||||
$form = $request->request->all(key: 'login');
|
||||
$login = $form['login'];
|
||||
$login = \strtolower($form['login']);
|
||||
$plaintextPassword = $form['password'];
|
||||
$session = $request->getSession();
|
||||
try {
|
||||
|
||||
@@ -28,7 +28,6 @@ class SQLLoginService extends AbstractController
|
||||
public function fetchPasswordAndDatas(string $login): array
|
||||
{
|
||||
$dataRequest = $this->sqlLoginRequest->getDatasRequest();
|
||||
$login = \strtolower($login);
|
||||
$datas = $this->executeRequestWithLogin($dataRequest, $login);
|
||||
|
||||
return $datas;
|
||||
|
||||
Reference in New Issue
Block a user