A small module that allows users to authenticate with a Belgian eID card, using Fedict's OpenID Identity Provider.

The Drupal website will act as the Relying Party, while the IDP will take care of the communication with the eID card itself, using a java applet.

The beididp_profile submodule can be used to map eID information (like name, address ...) to Drupal Profile fields.
The beididp_pape submodule adds support for OpenID PAPE 1.0

Difference with other modules:

- This module does not use the eid reverse proxy (unlike the eID module), but reuses as much (Drupal core) openid code as possible, while providing a user friendly interface (eID button).
- Unlike OpenID core module, the user does not have to remember his OpenID identifier. To prevent session cookie hijacking, login with eID is only available over HTTPS
- Unlike the OpenID Selector, the module does not use Javascript.

The sandbox page: http://drupal.org/sandbox/bart.hanssens/1311900

git clone --branch 6.x-0.x http://git.drupal.org/sandbox/bart.hanssens/1311900.git belgian_eid_idp_integration

Drupal 6.x

Reviews of other projects
3rd round of reviews

CommentFileSizeAuthor
#19 drupalcs-result.txt1.8 KBklausi

Comments

jasonrichardsmith@gmail.com’s picture

Results from pareview:

Review of the 6.x-0.x branch:

  • Remove LICENSE.txt, it will be added by drupal.org packaging automatically.
  • Remove "version" from the info file, it will be added by drupal.org packaging automatically.
  • Drupal Code Sniffer has found some code style issues (please check the Drupal coding standards). See attachment.

This automated report was generated with PAReview.sh, your friendly project application review script. You can also use the online version to check your project. Go and review some other project applications, so we can get back to yours sooner.


FILE: ...l-7-pareview/sites/all/modules/pareview_temp/test_candidate/beididp.inc
--------------------------------------------------------------------------------
FOUND 12 ERROR(S) AFFECTING 12 LINE(S)
--------------------------------------------------------------------------------
  74 | ERROR | Missing parameter type at position 1
  76 | ERROR | Missing parameter type at position 2
 130 | ERROR | Missing parameter type at position 1
 133 | ERROR | Data type of return value is missing
 213 | ERROR | Missing parameter type at position 1
 216 | ERROR | Data type of return value is missing
 268 | ERROR | Missing parameter type at position 1
 271 | ERROR | Data type of return value is missing
 319 | ERROR | Missing parameter type at position 1
 400 | ERROR | Missing parameter type at position 1
 402 | ERROR | Missing parameter type at position 2
 405 | ERROR | Data type of return value is missing
--------------------------------------------------------------------------------

Source: http://ventral.org/pareview - PAReview.sh online service

jasonrichardsmith@gmail.com’s picture

Status: Needs review » Needs work
bart.hanssens’s picture

Status: Needs work » Needs review

Thanks, I've updated the comments in the module, and removed the LICENSE file / version info.
Pareview error report is empty now.

attiks’s picture

Status: Needs review » Needs work

I did some testing, but without https, and it works:

  1. I created a new account using my eid card
  2. I logged out and used my eid card to login again

Some remarks:

  • You're using hook_form_alter (ex beididp_form_user_login_block_alter), but the comment does not mention it: Implements hook_form_FORM_ID_alter().
  • beididp_cron: don't log a message if $rows = 0?
  • beididp_hash: the comments says 'change this', why not make it a setting?
  • beididp_admin_validate: there's a space between ! and (
  • beididp_checkrole_login_validate: exclude UID 1?
  • beididp_profile_admin: uses for ($i = 1; $record = db_fetch_object($result); $i++), why not a while loop?
bart.hanssens’s picture

Thanks for the review

- added implements hook...
- don't log message when no rows are affected
- ...validate: removed the space
- ...login_validate: added exception for admin
- used a while loop (for ...$i was leftover code, don't need $i anymore)

About the "change this": the idea is to add a prefix (salt) to the unique rijksregister number to be hashed (rainbow table protection).
If it is stored as a setting, it is stored in the database, which is a risk when someone gets a hold on the database (or a backup).
Storing it on the file system adds a (tiny) protection.

Note that this hashing should actually be done on the (remote) IDP server, not on the Drupal relying party itself.
But this option is added to the module anyway, just in case the IDP isn't configured to hash the RRN.

I will add this info in the README.txt

attiks’s picture

you missed one in beididp_admin_validate: if (! valid_url($idp)) {

About the "change this": now the values are in code, and people can not change the value inside the module, because if they upgrade they loose their values and all registered accounts stop working. If people don't want to store the value inside the database they can add it to their settings.php like this:

  global $conf;
  $conf['beididp_hash_prefix'] = 'myprefix';
  $conf['beididp_hash_suffix'] = 'mysuffix';
bart.hanssens’s picture

Status: Needs work » Needs review

Ok, thanks ! Fixed the space in beididp_admin_validate.

I've added variable_get()'s in the hash function to retrieve the values from settings.php and added some info to the README.txt

attiks’s picture

Status: Needs review » Reviewed & tested by the community
Issue tags: +PAreview: security

This looks good to me, marking his as RTBC so someone else can have a look, also adding a tag for security review.

klausi’s picture

Status: Reviewed & tested by the community » Needs work
Issue tags: -PAreview: security

@attiks: we use the security tag only for applications where we find security issues, so I'm removing it from this one.

manual review:

  • beididp_perm(): doc block is wrong, see http://drupal.org/node/1354#hookimpl . Also on other hook implementing functions.
  • _beididp_form_alter(): doc block does not tell anything.
  • "@db_fetch_array(...": why do you need the "@"?
  • "define('OPENID_NS_AX', 'http://openid.net/srv/ax/1.0');": all constants should be prefixed with ypur module's name to avoid name colissions with others. Same for OPENID_NS_PAPE and possibly others.
  • "drupal_set_message($result->error, 'error');": the result is untrusted input from the outside, so you should sanitize it.
bart.hanssens’s picture

Status: Needs work » Needs review

Thanks.

- I've changed the beididp_perm() doc and the documentation of hook_form_FORM_ID_alter() implementations
- changed doc of beididp_form_alter()
- removed the @, is not needed
- changed OPENID_... defines to BEIDIDP_ ...
- changed it into t(... @error)

klausi’s picture

The response time for a review is now approaching 4 weeks. Get a review bonus and we will come back to your application sooner.

bart.hanssens’s picture

Issue tags: +PAreview: review bonus

ok, I'll give it a try ...

klausi’s picture

Status: Needs review » Needs work
Issue tags: -PAreview: review bonus +PAreview: security

manual review:

  • beididp_install(): no need to set variables, you can always use defaults in variable_get() anyway. Same in beididp_profile_install().
  • still found several "@" brefore db_query() in your code.
  • beididp_user_add_form(): the closing ")" of an array should be on a separate line, see http://drupal.org/node/318#array
  • "db_query("INSERT INTO {beididp_association} ...": why can't you use drupal_write_record() here? Applis also for other insert/update queries.
  • beididp_checkrole_install(): empty function, so remove it.
  • beididp_checkrole_admin(): the role name is user provided data, so it needs to be sanitized before printing in #title. See also http://drupal.org/node/28984
  • "Implements beidip_auth_request()." should be "Implements hook_beidip_auth_request().
  • beididp_profile_admin(): sanitization again: #title and #options need to be sanitized to avoid XSS vulnerabilities.

Removing review bonus tag, you can add it again if you have done another 3 reviews of other projects.

bart.hanssens’s picture

Status: Needs work » Needs review

- removed the setting of the variables
- removed the @'s
- closing ) of array on a separate line
- now using drupal_write_record (the INSERT... was based upon the openid module in Drupal 6 core)
- added sanitizing
- "Implements hook_beidip_auth_request()".
- removed empty function

bart.hanssens’s picture

Issue summary: View changes

added info about bonus

bart.hanssens’s picture

Issue summary: View changes

added / changed "other projects reviewed"

bart.hanssens’s picture

Ok, reviewed 3 other projects, listed in the summary.

klausi’s picture

Issue tags: +PAreview: security

Please don't remove the security tag, we use that for statistics and to show examples of security problems.

attiks’s picture

Status: Needs review » Needs work

Can you run your code through coder again, there are still some warnings:

  • replace all tabs with spaces
  • indentation problems
  • leading white spaces
  • return($name . $prefix); can be changed to return $name . $prefix;

There a strange sentence inside the README.txt: The IDP applet can work with our without eID middleware, so there is no need to install it on the client.

Inside beididp_help: if the string inside t() contains single quotes, you better use double quotes around the string, this will make it easier for translators because they don't have to escape the single quotes.

bart.hanssens’s picture

Status: Needs work » Needs review

Hi,

  • thanks for the heads-up, I've fixed the (white)space / indentation issues.
  • I've slightly modified the README file, hopefully it is more clear now
  • Changed the single to double quotes (but only for the t() with escaped single quote)
klausi’s picture

Status: Needs review » Needs work
Issue tags: -PAreview: review bonus
StatusFileSize
new1.8 KB

Review of the 6.x-0.x branch:

This automated report was generated with PAReview.sh, your friendly project application review script. You can also use the online version to check your project. Get a review bonus and we will come back to your application sooner.

manual review:

  • "$form['account']['name']['#default_value'] = check_plain($nickname);": #default_value will be sanitized for you, no need to use check_plain() here. See http://drupal.org/node/28984 . Also in other places.
  • beididp_profile_admin(): no need to use check_plain() for #options on 'select' boxes.
  • "return db_result(db_query("SELECT COUNT(*) FROM {users} WHERE name = '%s';", $name));": the ";" at the end of the query is not needed.

Sorry to bump this back to "needs work", but you need to know where to use check_plain() and where not. Removing review bonus tag, you can add it again if you have done another 3 reviews of other projects.

bart.hanssens’s picture

Status: Needs work » Needs review

Thanks for the feedback

  • removed translation folders
  • fixed the whitespace / array length issues (IIRC they didn't show up during the online verification at ventral.org/pareview)
  • removed check_plain from #default_value
  • removed check_plain from select box
  • removed ; from db_result
bart.hanssens’s picture

Issue summary: View changes

added reviewed projects

bart.hanssens’s picture

Issue summary: View changes

started 3rd round of reviews (for pareview bonus)

bart.hanssens’s picture

Issue summary: View changes

added reviewed project

bart.hanssens’s picture

Issue tags: +PAreview: review bonus

3rd round of 3 reviews (bonus)

klausi’s picture

Status: Needs review » Reviewed & tested by the community

Great, looks RTBC to me now.

klausi’s picture

Assigned: Unassigned » tim.plunkett

Assigning to tim.plunkett, as he said he might have time to review this.

tim.plunkett’s picture

Status: Reviewed & tested by the community » Fixed

This looks great, and welcome to the community of project contributors on drupal.org.

I've granted you the git vetted user role which will let you promote this to a full project and also create new projects as either sandbox or "full" projects depending on which you feel is best.

Thanks, also, for your patience with the review process. Anyone is welcome to participate in the review process. Please consider reviewing other projects that are pending review. I encourage you to learn more about that process and join the group of reviewers.

As you continue to work on your module, keep in mind: Commit messages - providing history and credit and Release naming conventions.

bart.hanssens’s picture

That's great, thanks !

Automatically closed -- issue fixed for 2 weeks with no activity.

Anonymous’s picture

Issue summary: View changes

added review