Merge remote-tracking branch 'origin/release/2.1'

.travis.yml

@@ -2,8 +2,14 @@ language: php
 
 php:
   - 5.6
-  - 7.0
-  - 7.1
+  - 7.2
+  - 7.3
+
+
+matrix:
+  allow_failures:
+    - php: 7.2
+    - php: 7.3
 
 cache:
   directories:

CHANGELOG.md

@@ -37,7 +37,7 @@
  * Add translatable contact email placeholder #259
  * Rename 'team name' to 'team identifier' #258
  * Add translatable footer links #253
- * Show motivationless attributes on entity detail #255
+ * Show motivationless attributes on entity detaOil #255
  * Show OIDC items on entity details #256
  * Fix urn validator regex #251
  * Fix the playground url after copy to production #247

ansible/group_vars/all.yml

@@ -37,6 +37,7 @@ spdashboard:
 spdashboard_saml_remote_idp_entity_id: "https://engine.{{ base_domain }}/authentication/idp/metadata"
 spdashboard_saml_remote_idp_sso_url: "https://engine.{{ base_domain }}/authentication/idp/single-sign-on"
 spdashboard_saml_remote_idp_certificate: "MIIDuDCCAqCgAwIBAgIJAPdqJ9JQKN6vMA0GCSqGSIb3DQEBBQUAMEYxDzANBgNVBAMTBkVuZ2luZTERMA8GA1UECxMIU2VydmljZXMxEzARBgNVBAoTCk9wZW5Db25leHQxCzAJBgNVBAYTAk5MMB4XDTE1MDQwMjE0MDE1NFoXDTI1MDQwMTE0MDE1NFowRjEPMA0GA1UEAxMGRW5naW5lMREwDwYDVQQLEwhTZXJ2aWNlczETMBEGA1UEChMKT3BlbkNvbmV4dDELMAkGA1UEBhMCTkwwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCeVodghQwFR0pItxGaJ3LXHA+ZLy1w/TMaGDcJaszAZRWRkL/6djwbabR7TB45QN6dfKOFGzobQxG1Oksky3gz4Pki1BSzi/DwsjWCw+Yi40cYpYeg/XM0tvHKVorlsx/7Thm5WuC7rwytujr/lV7f6lavf/ApnLHnOORU2h0ZWctJiestapMaC5mc40msruWWp04axmrYICmTmGhEy7w0qO4/HLKjXtWbJh71GWtJeLzG5Hj04X44wI+D9PUJs9U3SYh9SCFZwq0v+oYeqajiX0JPzB+8aVOPmOOM5WqoT8OCddOM/TlsL/0PcxByGHsgJuWbWMI1PKlK3omR764PAgMBAAGjgagwgaUwHQYDVR0OBBYEFLowmsUCD2CrHU0lich1DMkNppmLMHYGA1UdIwRvMG2AFLowmsUCD2CrHU0lich1DMkNppmLoUqkSDBGMQ8wDQYDVQQDEwZFbmdpbmUxETAPBgNVBAsTCFNlcnZpY2VzMRMwEQYDVQQKEwpPcGVuQ29uZXh0MQswCQYDVQQGEwJOTIIJAPdqJ9JQKN6vMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADggEBAIF9tGG1C9HOSTQJA5qL13y5Ad8G57bJjBfTjp/dw308zwagsdTeFQIgsP4tdQqPMwYmBImcTx6vUNdiwlIol7TBCPGuqQAHD0lgTkChCzWezobIPxjitlkTUZGHqn4Kpq+mFelX9x4BElmxdLj0RQV3c3BhoW0VvJvBkqVKWkZ0HcUTQMlMrQEOq6D32jGh0LPCQN7Ke6ir0Ix5knb7oegND49fbLSxpdo5vSuxQd+Zn6nI1/VLWtWpdeHMKhiw2+/ArR9YM3cY8UwFQOj9Y6wI6gPCGh/q1qv2HnngmnPrNzZik8XucGcf1Wm2zE4UIVYKW31T52mqRVDKRk8F3Eo="
+spdashboard_saml_remote_idp_host: "engine.{{ base_domain }}"
 spdashboard_manage_prod_host: "https://manage-prod.{{ base_domain}}"
 spdashboard_jira_username: api_spdashboard_user
 spdashboard_playground_uri_test: "https://authz-playground.{{ base_domain }}/redirect"

ansible/roles/spdashboard/templates/parameters.yml.j2

@@ -28,6 +28,7 @@ parameters:
     saml_remote_idp_entity_id: "{{ spdashboard_saml_remote_idp_entity_id }}"
     saml_remote_idp_sso_url: "{{ spdashboard_saml_remote_idp_sso_url }}"
     saml_remote_idp_certificate: "{{ spdashboard_saml_remote_idp_certificate }}"
+    saml_remote_idp_host: "{{ spdashboard_saml_remote_idp_host }}"
     manage_test_host: https://manage.{{ base_domain }}
     manage_test_username: sp-dashboard
     manage_test_password: {{ manage_sp_dashboard_secret }}

app/AppKernel.php

@@ -24,6 +24,7 @@ public function registerBundles()
             new Symfony\Bundle\SecurityBundle\SecurityBundle(),
             new Symfony\Bundle\SwiftmailerBundle\SwiftmailerBundle(),
             new Symfony\Bundle\TwigBundle\TwigBundle(),
+            new Nelmio\SecurityBundle\NelmioSecurityBundle(),
         ];
 
         // The LexikTranslationBundle should be loaded *after* the

app/Resources/views/Translation/layout.html.twig

@@ -5,7 +5,7 @@
 
     {% block lexik_stylesheets %}
         <link rel="stylesheet" href="//netdna.bootstrapcdn.com/bootstrap/3.1.1/css/bootstrap.min.css">
-            <link rel="stylesheet" href="{{ asset('bundles/lexiktranslation/ng-table/ng-table.min.css') }}">
+        <link rel="stylesheet" href="{{ asset('bundles/lexiktranslation/ng-table/ng-table.min.css') }}">
     {% endblock %}
     {% block lexik_flash_message %}
         <div class="container">

app/config/parameters.yml.dist

@@ -33,6 +33,7 @@ parameters:
     saml_metadata_publickey: '%kernel.root_dir%/../vendor/surfnet/stepup-saml-bundle/src/Resources/keys/development_publickey.cer'
     saml_metadata_privatekey: '%kernel.root_dir%/../vendor/surfnet/stepup-saml-bundle/src/Resources/keys/development_privatekey.pem'
     saml_remote_idp_entity_id: 'https://engine.dev.support.surfconext.nl/authentication/idp/metadata'
+    saml_remote_idp_host: engine.dev.support.surfconext.nl
     saml_remote_idp_sso_url: 'https://engine.dev.support.surfconext.nl/authentication/idp/single-sign-on'
     saml_remote_idp_certificate: 'MIIDuDCCAqCgAwIBAgIJAPdqJ9JQKN6vMA0GCSqGSIb3DQEBBQUAMEYxDzANBgNVBAMTBkVuZ2luZTERMA8GA1UECxMIU2VydmljZXMxEzARBgNVBAoTCk9wZW5Db25leHQxCzAJBgNVBAYTAk5MMB4XDTE1MDQwMjE0MDE1NFoXDTI1MDQwMTE0MDE1NFowRjEPMA0GA1UEAxMGRW5naW5lMREwDwYDVQQLEwhTZXJ2aWNlczETMBEGA1UEChMKT3BlbkNvbmV4dDELMAkGA1UEBhMCTkwwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCeVodghQwFR0pItxGaJ3LXHA+ZLy1w/TMaGDcJaszAZRWRkL/6djwbabR7TB45QN6dfKOFGzobQxG1Oksky3gz4Pki1BSzi/DwsjWCw+Yi40cYpYeg/XM0tvHKVorlsx/7Thm5WuC7rwytujr/lV7f6lavf/ApnLHnOORU2h0ZWctJiestapMaC5mc40msruWWp04axmrYICmTmGhEy7w0qO4/HLKjXtWbJh71GWtJeLzG5Hj04X44wI+D9PUJs9U3SYh9SCFZwq0v+oYeqajiX0JPzB+8aVOPmOOM5WqoT8OCddOM/TlsL/0PcxByGHsgJuWbWMI1PKlK3omR764PAgMBAAGjgagwgaUwHQYDVR0OBBYEFLowmsUCD2CrHU0lich1DMkNppmLMHYGA1UdIwRvMG2AFLowmsUCD2CrHU0lich1DMkNppmLoUqkSDBGMQ8wDQYDVQQDEwZFbmdpbmUxETAPBgNVBAsTCFNlcnZpY2VzMRMwEQYDVQQKEwpPcGVuQ29uZXh0MQswCQYDVQQGEwJOTIIJAPdqJ9JQKN6vMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADggEBAIF9tGG1C9HOSTQJA5qL13y5Ad8G57bJjBfTjp/dw308zwagsdTeFQIgsP4tdQqPMwYmBImcTx6vUNdiwlIol7TBCPGuqQAHD0lgTkChCzWezobIPxjitlkTUZGHqn4Kpq+mFelX9x4BElmxdLj0RQV3c3BhoW0VvJvBkqVKWkZ0HcUTQMlMrQEOq6D32jGh0LPCQN7Ke6ir0Ix5knb7oegND49fbLSxpdo5vSuxQd+Zn6nI1/VLWtWpdeHMKhiw2+/ArR9YM3cY8UwFQOj9Y6wI6gPCGh/q1qv2HnngmnPrNzZik8XucGcf1Wm2zE4UIVYKW31T52mqRVDKRk8F3Eo='
 

app/config/security.yml

@@ -46,4 +46,36 @@ security:
     access_control:
         - { path: ^/saml, roles: IS_AUTHENTICATED_ANONYMOUSLY, requires_channel: https }
         - { path: ^/entity/metadata, roles: IS_AUTHENTICATED_ANONYMOUSLY, requires_channel: https }
+        - { path: ^/translations, roles: ROLE_ADMINISTRATOR, requires_channel: https }
         - { path: ^/, roles: IS_AUTHENTICATED_FULLY, requires_channel: https }
+
+nelmio_security:
+    clickjacking:
+        paths:
+            '^/.*': DENY
+    external_redirects:
+        abort: true
+        log: true
+        whitelist:
+            - '%saml_remote_idp_host%'
+    csp:
+        report_logger_service: monolog.logger.security
+        hosts:
+            - 'ajax.googleapis.com'
+        content_types: []
+        enforce:
+            report-uri: [/csp/report]
+            default-src:
+                - 'self'
+                - 'data:'
+            object-src:
+                - 'none'
+    content_type:
+        nosniff: true
+    xss_protection:
+        enabled: true
+        mode_block: true
+    forced_ssl:
+        enabled: true
+        hsts_max_age: 31536000 # 365 days
+        hsts_subdomains: true

composer.json

@@ -33,6 +33,7 @@
         "league/tactician-bundle": "^0.4.1",
         "lesstif/php-jira-rest-client": "^1.33",
         "lexik/translation-bundle": "^4.0",
+        "nelmio/security-bundle": "^2.7",
         "openconext/monitor-bundle": "^1.0",
         "ramsey/uuid": "^3.7",
         "sensio/framework-extra-bundle": "^3.0",
@@ -43,7 +44,8 @@
         "symfony/polyfill-apcu": "^1.0",
         "symfony/swiftmailer-bundle": "^2.3.10",
         "symfony/symfony": "3.4.*",
-        "twig/twig": "^1.34.4"
+        "twig/twig": "^1.34.4",
+        "xemlock/htmlpurifier-html5": "^0.1.10"
     },
     "require-dev": {
         "doctrine/doctrine-fixtures-bundle": "^2.4",