Merge pull request #1321 from ITfoxtec/test

Test

Author: Revsgaard

.github/workflows/sbom_syft.yaml

@@ -0,0 +1,44 @@
+name: sbom_syft
+
+on:
+  push:
+    branches:
+      - "main"
+  workflow_dispatch:
+
+jobs:
+  sbom:
+    name: Generate SBOM with Syft
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Prepare SBOM directory
+        run: mkdir -p sbom
+
+      - name: Generate SPDX SBOM
+        uses: anchore/sbom-action@v0
+        with:
+          path: .
+          format: spdx-json
+          output-file: sbom/foxids.spdx.json
+          upload-artifact: false
+
+      - name: Generate CycloneDX SBOM
+        uses: anchore/sbom-action@v0
+        with:
+          path: .
+          format: cyclonedx-json
+          output-file: sbom/foxids.cdx.json
+          upload-artifact: false
+
+      - name: Upload SBOM artifacts
+        uses: actions/upload-artifact@v4
+        with:
+          name: foxids-sbom
+          path: sbom
+          if-no-files-found: error

docs/app-reg-saml-2.0.md

@@ -1,4 +1,4 @@
-# SAML 2.0 application registration
+# SAML 2.0 application registration
 
 FoxIDs SAML 2.0 application registration enable you to connect an SAML 2.0 based application. 
 
@@ -12,6 +12,8 @@ Your application become a SAML 2.0 Relying Party (RP) and FoxIDs acts as an SAML
 
 FoxIDs support [SAML 2.0 redirect and post bindings](https://docs.oasis-open.org/security/saml/v2.0/saml-bindings-2.0-os.pdf).
 
+FoxIDs also supports forwarding a login hint from the SAML Authn request URL using either the login_hint or LoginHint query parameter when the request does not include a NameID. This enables relying parties such as Microsoft Entra and Okta to pre-fill the user identifier in the FoxIDs login experience.
+
 A application registration expose [SAML 2.0 metadata](https://docs.oasis-open.org/security/saml/v2.0/saml-metadata-2.0-os.pdf) where your application can discover the SAML 2.0 Identity Provider (IdP).
 
 Both the login, logout and single logout [SAML 2.0 profiles](https://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf) are supported. The Artifact profile is not supported.
@@ -69,3 +71,5 @@ The `AuthnContextClassRef` property can be set in the `Login` method in `SamlCon
 
         return binding.Bind(saml2AuthnRequest).ToActionResult();
     }
+
+

docs/claim-transform-task.md

@@ -195,4 +195,4 @@ Use a `Regex map` claim transformation and select the `Replace claim` action.
 
 Find the ID without the default added post authentication method name with regex `^(nemlogin\|)(?<map>.+)$`
 
-> You can do the same in a SAML 2.0 authentication method using the `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier` claim instead of the `sub` claim.
+> You can do the same in a SAML 2.0 authentication method using the `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier` claim (which contains the SAML 2.0 Authn Response `NameID` value) instead of the `sub` claim.

docs/name-title-icon-css.md

@@ -26,6 +26,7 @@ Find the login authentication method in [FoxIDs Control Client](control.md#foxid
 
 1. Add the **Browser Title** text
 2. Add the **Browser Icon URL** from an external site, supported image formats: ico, png, gif, jpeg and webp
+   You can also paste an inline data URI such as `data:image/png;base64,...` to embed the icon directly.
 3. Add your **CSS**, if necessary drag the field bigger
 4. Click **Update**
 
@@ -71,6 +72,18 @@ It is also possible to use a logo image.
 }
 ```
 
+You can also embed the logo image directly in the CSS with a `data:` URI to avoid external requests.
+
+```CSS
+.brand-content-text {
+    display: none;
+}
+
+.brand-content-icon::before {
+    content:url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAQAAAC1HAwCAAAAC0lEQVR42mP8/x8AAusB9FHSMNcAAAAASUVORK5CYII=');
+}
+```
+
 Add a background image from an external site.
 
 ```CSS
@@ -144,4 +157,4 @@ div.page-content::before {
 ```
 
 
-![Configure login box with CSS](images/configure-login-css-sample-test.png)
+![Configure login box with CSS](images/configure-login-css-sample-test.png)

src/FoxIDs.Control/FoxIDs.Control.csproj

@@ -2,7 +2,7 @@
 
 	<PropertyGroup>
 		<TargetFramework>net9.0</TargetFramework>
-		<Version>2.5.3</Version>
+		<Version>2.5.4</Version>
 		<RootNamespace>FoxIDs</RootNamespace>
 		<Authors>Anders Revsgaard</Authors>
 		<Company>FoxIDs</Company>

src/FoxIDs.Control/Logic/Validators/ValidateApiModelExternalLoginPartyLogic.cs

@@ -32,10 +32,14 @@ public bool ValidateApiModel(ModelStateDictionary modelState, Api.ExternalLoginU
                 party.Css = sanitizedCss;
             }
 
-            if (!ValidateApiModelLoginPartyLogic.TryValidateIconUrl(modelState, logger, nameof(Api.ExternalLoginUpParty.IconUrl), party.IconUrl))
+            if (!ValidateApiModelLoginPartyLogic.TryValidateIconUrl(modelState, logger, nameof(Api.ExternalLoginUpParty.IconUrl), party.IconUrl, out var sanitizedIconUrl))
             {
                 isValid = false;
             }
+            else
+            {
+                party.IconUrl = sanitizedIconUrl;
+            }
 
             if (party.Title.IsNullOrWhiteSpace())
             {

src/FoxIDs.Control/Logic/Validators/ValidateApiModelLoginPartyLogic.cs

@@ -1,6 +1,8 @@
 using FoxIDs.Infrastructure;
 using Api = FoxIDs.Models.Api;
 using ITfoxtec.Identity;
+using System;
+using System.Collections.Generic;
 using Microsoft.AspNetCore.Http;
 using Microsoft.AspNetCore.Mvc.ModelBinding;
 using System.ComponentModel.DataAnnotations;
@@ -19,7 +21,17 @@ public class ValidateApiModelLoginPartyLogic : LogicBase
         private static readonly Regex cssStyleTagPattern = new Regex("<\\s*/?\\s*style[^>]*>", RegexOptions.Compiled | RegexOptions.IgnoreCase | RegexOptions.CultureInvariant);
         private static readonly Regex cssHtmlTagPattern = new Regex("<[^>]+>", RegexOptions.Compiled | RegexOptions.CultureInvariant);
         private static readonly Regex cssHtmlCommentPattern = new Regex("<!--.*?-->", RegexOptions.Compiled | RegexOptions.Singleline | RegexOptions.CultureInvariant);
-        private static readonly Regex cssUnsafePattern = new Regex("(?i)(expression\\s*\\(|behavior(u)?r\\s*:|-moz-binding\\s*:|@import\\b|@charset\\b|@namespace\\b|url\\s*\\(\\s*[\'\\\"]?\\s*(?:javascript|vbscript|data)\\s*:|<\\s*/?\\s*(?:style|script)[^>]*>)", RegexOptions.Compiled | RegexOptions.Singleline | RegexOptions.CultureInvariant);
+        private static readonly Regex cssUnsafePattern = new Regex("(?i)(expression\\s*\\(|behavior(u)?r\\s*:|-moz-binding\\s*:|@import\\b|@charset\\b|@namespace\\b|url\\s*\\(\\s*[\'\\\"]?\\s*(?:javascript|vbscript|data(?!\\s*:\\s*image\\/))\\s*:|<\\s*/?\\s*(?:style|script)[^>]*>)", RegexOptions.Compiled | RegexOptions.Singleline | RegexOptions.CultureInvariant);
+        private const string DataUriPrefix = "data:";
+        private static readonly IDictionary<string, string> iconExtensionToMimeType = new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
+        {
+            [".ico"] = "image/x-icon",
+            [".png"] = "image/png",
+            [".gif"] = "image/gif",
+            [".jpeg"] = "image/jpeg",
+            [".webp"] = "image/webp"
+        };
+        private static readonly HashSet<string> supportedIconMimeTypes = new HashSet<string>(iconExtensionToMimeType.Values, StringComparer.OrdinalIgnoreCase);
 
         private readonly TelemetryScopedLogger logger;
         private readonly ValidateApiModelGenericPartyLogic validateApiModelGenericPartyLogic;
@@ -45,10 +57,14 @@ public async Task<bool> ValidateApiModelAsync(ModelStateDictionary modelState, A
                 party.Css = sanitizedCss;
             }
 
-            if (!TryValidateIconUrl(modelState, logger, nameof(Api.LoginUpParty.IconUrl), party.IconUrl))
+            if (!TryValidateIconUrl(modelState, logger, nameof(Api.LoginUpParty.IconUrl), party.IconUrl, out var sanitizedIconUrl))
             {
                 isValid = false;
             }
+            else
+            {
+                party.IconUrl = sanitizedIconUrl;
+            }
 
             if (party.TwoFactorAppName.IsNullOrWhiteSpace())
             {
@@ -110,11 +126,6 @@ internal static bool TryValidateAndSanitizeCss(ModelStateDictionary modelState,
                     throw new ValidationException("CSS contains unbalanced braces.");
                 }
 
-                if (cssUnsafePattern.IsMatch(css))
-                {
-                    throw new ValidationException("CSS contains unsupported or unsafe content.");
-                }
-
                 sanitizedCss = SanitizeCss(css);
                 return true;
             }
@@ -126,25 +137,26 @@ internal static bool TryValidateAndSanitizeCss(ModelStateDictionary modelState,
             }
         }
 
-        internal static bool TryValidateIconUrl(ModelStateDictionary modelState, TelemetryScopedLogger logger, string iconUrlFieldName, string iconUrl)
+        internal static bool TryValidateIconUrl(ModelStateDictionary modelState, TelemetryScopedLogger logger, string iconUrlFieldName, string iconUrl, out string sanitizedIconUrl)
         {
+            sanitizedIconUrl = iconUrl;
             if (iconUrl.IsNullOrWhiteSpace())
             {
                 return true;
             }
 
             try
             {
-                var iconExtension = Path.GetExtension(iconUrl.Split('?')[0]);
-                _ = iconExtension switch
+                sanitizedIconUrl = iconUrl.Trim();
+                sanitizedIconUrl = RemoveCssUrlWrapper(sanitizedIconUrl);
+                if (IsDataImageIcon(sanitizedIconUrl))
                 {
-                    ".ico" => "image/x-icon",
-                    ".png" => "image/png",
-                    ".gif" => "image/gif",
-                    ".jpeg" => "image/jpeg",
-                    ".webp" => "image/webp",
-                    _ => throw new ValidationException($"Icon image format '{iconExtension}' not supported.")
-                };
+                    ValidateDataImageIcon(sanitizedIconUrl);
+                }
+                else
+                {
+                    ValidateIconUrlExtension(sanitizedIconUrl);
+                }
 
                 return true;
             }
@@ -200,5 +212,86 @@ private static string RemoveUnsafeComments(string css)
         {
             return cssCommentPattern.Replace(css, match => cssUnsafePattern.IsMatch(match.Value) ? string.Empty : match.Value);
         }
+
+        private static string RemoveCssUrlWrapper(string iconUrl)
+        {
+            if (iconUrl.StartsWith("url(", StringComparison.OrdinalIgnoreCase) && iconUrl.EndsWith(")"))
+            {
+                var inner = iconUrl.Substring(4, iconUrl.Length - 5).Trim();
+                inner = inner.Trim('\'', '"');
+                return inner;
+            }
+
+            return iconUrl;
+        }
+
+        private static bool IsDataImageIcon(string iconUrl)
+        {
+            return iconUrl.StartsWith(DataUriPrefix, StringComparison.OrdinalIgnoreCase);
+        }
+
+        private static void ValidateIconUrlExtension(string iconUrl)
+        {
+            var iconPath = iconUrl.Split(['?', '#'], 2)[0];
+            var iconExtension = Path.GetExtension(iconPath);
+
+            if (iconExtension.IsNullOrWhiteSpace() || !iconExtensionToMimeType.ContainsKey(iconExtension))
+            {
+                throw new ValidationException($"Icon image format '{iconExtension}' not supported.");
+            }
+        }
+
+        private static void ValidateDataImageIcon(string iconUrl)
+        {
+            var commaIndex = iconUrl.IndexOf(',');
+            if (commaIndex < 0)
+            {
+                throw new ValidationException("Icon data URI is missing image data.");
+            }
+
+            var metadata = iconUrl.Substring(DataUriPrefix.Length, commaIndex - DataUriPrefix.Length);
+            if (metadata.IsNullOrWhiteSpace())
+            {
+                throw new ValidationException("Icon data URI is missing the media type.");
+            }
+
+            var metadataParts = metadata.Split(';', StringSplitOptions.RemoveEmptyEntries);
+            var mimeType = metadataParts.FirstOrDefault()?.Trim();
+            if (mimeType.IsNullOrWhiteSpace())
+            {
+                throw new ValidationException("Icon data URI is missing the media type.");
+            }
+
+            if (!mimeType.StartsWith("image/", StringComparison.OrdinalIgnoreCase))
+            {
+                throw new ValidationException($"Icon data URI media type '{mimeType}' is not an image.");
+            }
+
+            if (!supportedIconMimeTypes.Contains(mimeType))
+            {
+                throw new ValidationException($"Icon image format '{mimeType}' not supported.");
+            }
+
+            if (!metadataParts.Skip(1).Any(p => p.Equals("base64", StringComparison.OrdinalIgnoreCase)))
+            {
+                throw new ValidationException("Icon data URI must specify base64 encoding.");
+            }
+
+            var imageData = iconUrl.Substring(commaIndex + 1).Trim();
+            if (imageData.IsNullOrWhiteSpace())
+            {
+                throw new ValidationException("Icon data URI is missing image data.");
+            }
+
+            try
+            {
+                Convert.FromBase64String(imageData);
+            }
+            catch (FormatException)
+            {
+                throw new ValidationException("Icon data URI image data is not valid base64.");
+            }
+        }
     }
 }
+

src/FoxIDs.ControlClient/FoxIDs.ControlClient.csproj

@@ -2,7 +2,7 @@
 
 	<PropertyGroup>
 		<TargetFramework>net9.0</TargetFramework>
-		<Version>2.5.3</Version>
+		<Version>2.5.4</Version>
 		<RootNamespace>FoxIDs.Client</RootNamespace>
 		<Authors>Anders Revsgaard</Authors>
 		<Company>FoxIDs</Company>

src/FoxIDs.ControlClient/Models/ViewModels/Parties/ExternalLoginUpPartyViewModel.cs

@@ -1,4 +1,4 @@
-using FoxIDs.Infrastructure.DataAnnotations;
+using FoxIDs.Infrastructure.DataAnnotations;
 using FoxIDs.Models.Api;
 using System;
 using System.Collections.Generic;
@@ -120,7 +120,7 @@ public class ExternalLoginUpPartyViewModel : IValidatableObject, IUpPartySession
         public string Title { get; set; }
 
         [MaxLength(Constants.Models.LoginUpParty.IconUrlLength)]
-        [Display(Name = "Browser Icon URL (https://example.somewhere/favicon.ico)")]
+        [Display(Name = "Browser Icon URL (https://example.somewhere/favicon.ico or data:image/png;base64,...)")]
         public string IconUrl { get; set; }        
 
         [MaxLength(Constants.Models.LoginUpParty.CssStyleLength)]
@@ -190,4 +190,4 @@ public IEnumerable<ValidationResult> Validate(ValidationContext validationContex
             return results;
         }
     }
-}
+}

src/FoxIDs.ControlClient/Models/ViewModels/Parties/LoginUpPartyViewModel.cs

@@ -154,7 +154,7 @@ public class LoginUpPartyViewModel : IUpPartySessionLifetime, IUpPartyHrd, IVali
         public string Title { get; set; }
 
         [MaxLength(Constants.Models.LoginUpParty.IconUrlLength)]
-        [Display(Name = "Browser Icon URL (https://example.somewhere/favicon.ico)")]
+        [Display(Name = "Browser Icon URL (https://example.somewhere/favicon.ico or data:image/png;base64,...)")]
         public string IconUrl { get; set; }        
 
         [MaxLength(Constants.Models.LoginUpParty.CssStyleLength)]
@@ -252,4 +252,5 @@ public IEnumerable<ValidationResult> Validate(ValidationContext validationContex
             return results;
         }
     }
-}
+}
+