Merge pull request #1958 from devnull-/ssl_client

Client SSL Certificate Authentication improvements

app/Config/config.default.php

@@ -69,19 +69,25 @@ $config = array(
 	// Uncomment the following to enable client SSL certificate authentication
 	/*
 	'CertAuth'         =>
-		array(
-			'ca'           => array('FIRST.Org'), // allowed CAs
-			'caId'         => 'O',          // which attribute will be used to verify the CA
-			'userModel'    => 'User',       // name of the User class to check if user exists
-			'userModelKey' => 'nids_sid',   // User field that will be used for querying
-			'map'          => array(        // maps client certificate attributes to User properties
+        array(
+
+            // CA
+            'ca'           => array('FIRST.Org'), // List of CAs authorized
+            'caId'         => 'O',          // Certificate field used to verify the CA. In this example, the field O (organization) of the client certificate has to equal to 'FIRST.Org' in order to validate the CA
+
+            // User/client configuration
+			'userModel'    => 'User',       // name of the User class (MISP class) to check if the user exists
+            'userModelKey' => 'email',      // User field that will be used for querying. In this example, the field email of the MISP accounts will be used to search if the user exists.
+            'map'          => array(        // maps client certificate attributes to User properties. This map will be used as conditions to find if the user exists. In this example, the client certificate fields 'O' (organization) and 'emailAddress' have to match with the MISP fields 'org' and 'email' to validate the user.
 				'O'            => 'org',
 				'emailAddress' => 'email',
-			),
+            ),
+
+            // Synchronization/RestAPI
 			'syncUser'     => true,         // should the User be synchronized with an external REST API
-			'userDefaults' => array(          // default user attributes, only used when creating new users
-				'role_id' => 4,
-			),
+			'userDefaults' => array(          // default user attributes, only used when creating new users. By default, new users are "Read only" users (role_id: 6).
+				'role_id' => 6,
+            ),
 			'restApi'      => array(        // API parameters
 				'url'     => 'https://example.com/data/users',  // URL to query
 				'headers' => array(),                           // additional headers, used for authentication
@@ -93,7 +99,7 @@ $config = array(
 					'pgp_public' => 'gpgkey',
 				),
 			),
-			'userDefaults' => array('role_id' => 3),          // default attributes for new users
+			'userDefaults' => array('role_id' => 6),          // default attributes for new users. By default, new users are "Read only" users (role_id: 6).
 		),
 	*/
 	/*

app/Plugin/CertAuth/Controller/Component/Auth/CertificateAuthenticate.php

@@ -187,7 +187,10 @@ class CertificateAuthenticate extends BaseAuthenticate
 							CakeLog::write('alert', 'Could not insert model at database from RestAPI data.');
 						}
 						unset($org);
-					}
+					} else {
+                        // No match -- User doesn't exist !!!
+                        self::$user = false;
+                    }
 					unset($U, $User, $q, $k);
 				}
 				unset($cn);

app/Plugin/CertAuth/README.md

@@ -4,7 +4,9 @@ This plugin enables CakePHP applications to use client SSL certificates to state
 
 Basically it loads the `SSL_CLIENT_*` variables, parses and maps the certificate information to the user. So you first need a server that checks client certificates and forwards that information to the PHP `$_SERVER` environment.
 
-## Usage
+## Configuration
+
+1. Enable the plugin
 
 Enable the plugin at bootstrap.php:
 
@@ -12,34 +14,59 @@ Enable the plugin at bootstrap.php:
 CakePlugin::load('CertAuth');
 ```
 
-And configure it:
+2. Configure
+
+* Uncomment the line "'auth'=>array('CertAuth.Certificate')," in Config.php, section "Security"
 
 ```php
-Configure::write('CertAuth',
-  array(
-    'ca'    => array( 'FIRST.Org' ), // allowed CAs
-    'caId'          => 'O',          // which attribute will be used to verify the CA
-    'userModel'     => 'User',       // name of the User class to check if user exists
-    'userModelKey'  => 'nids_sid',   // User field that will be used for querying
-    'map'           => array(        // maps client certificate attributes to User properties
-      'O'           => 'org',
-      'emailAddress'=>'email',
-    ),
-    'syncUser'      => true,         // should the User be synchronized with an external REST API
-    'restApi'       => array(        // API parameters
-      'url'         => 'https://example.com/data/users',  // URL to query
-      'headers'     => array(),                           // additional headers, used for authentication
-      'param'       => array( 'email' => 'email'),        // query parameters to add to the URL, mapped to USer properties
-      'map'         =>  array(                            // maps REST result to the User properties
-        'uid'       => 'id',
-        'name'      => 'name',
-        'company'   => 'org',
-        'email'     => 'email',
-      ),
-    ),
-    'userDefaults'  => array ( 'role_id' => 3 ),          // default attributes for new users
-  )
-);
+    ....
+	'Security'         =>
+		array(
+			'level'      => 'medium',
+			'salt'       => '',
+			'cipherSeed' => '',
+		    'auth'=>array('CertAuth.Certificate'), // additional authentication methods
+			//'auth'=>array('ShibbAuth.ApacheShibb'dd),
+		),
+    .....
+```
+
+* Uncomment the following lines in Config.php, section "CertAuth" and configure them.
+
+```php
+	'CertAuth'         =>
+        array(
+
+            // CA
+            'ca'           => array('FIRST.Org'), // List of CAs authorized
+            'caId'         => 'O',          // Certificate field used to verify the CA. In this example, the field O (organization) of the client certificate has to equal to 'FIRST.Org' in order to validate the CA
+
+            // User/client configuration
+			'userModel'    => 'User',       // name of the User class (MISP class) to check if the user exists
+            'userModelKey' => 'email',      // User field that will be used for querying. In this example, the field email of the MISP accounts will be used to search if the user exists.
+            'map'          => array(        // maps client certificate attributes to User properties. This map will be used as conditions to find if the user exists. In this example, the client certificate fields 'O' (organization) and 'emailAddress' have to match with the MISP fields 'org' and 'email' to validate the user.
+				'O'            => 'org',
+				'emailAddress' => 'email',
+            ),
+
+            // Synchronization/RestAPI
+			'syncUser'     => true,         // should the User be synchronized with an external REST API
+			'userDefaults' => array(          // default user attributes, only used when creating new users. By default, new users are "Read only" users (role_id: 6).
+				'role_id' => 6,
+            ),
+			'restApi'      => array(        // API parameters
+				'url'     => 'https://example.com/data/users',  // URL to query
+				'headers' => array(),                           // additional headers, used for authentication
+				'param'   => array('email' => 'email'),       // query parameters to add to the URL, mapped to User properties
+				'map'     => array(                            // maps REST result to the User properties
+					'uid'        => 'nids_sid',
+					'team'       => 'org',
+					'email'      => 'email',
+					'pgp_public' => 'gpgkey',
+				),
+			),
+			'userDefaults' => array('role_id' => 6),          // default attributes for new users. By default, new users are "Read only" users (role_id: 6).
+		),
 ```
 
 If you set *syncUser* to *true* and *restApi.url* to *null*, new users will be created with the defaults defined by *userDefaults* without the need for a REST server.