isValid() public method

Checks whether the received Logout Request is valid.
public isValid ( $retrieveParametersFromServer = false ) : boolean
return boolean Whether the Logout Request is valid
Beispiel #1
 /**
  * Tests the isValid method of the OneLogin_Saml2_LogoutRequest
  *
  * @covers OneLogin_Saml2_LogoutRequest::isValid
  */
 public function testIsInValidSign()
 {
     $currentURL = OneLogin_Saml2_Utils::getSelfURLNoQuery();
     $this->_settings->setStrict(false);
     $_GET = array('SAMLRequest' => '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', 'RelayState' => '_1037fbc88ec82ce8e770b2bed1119747bb812a07e6', 'SigAlg' => 'http://www.w3.org/2000/09/xmldsig#rsa-sha1', 'Signature' => 'XCwCyI5cs7WhiJlB5ktSlWxSBxv+6q2xT3c8L7dLV6NQG9LHWhN7gf8qNsahSXfCzA0Ey9dp5BQ0EdRvAk2DIzKmJY6e3hvAIEp1zglHNjzkgcQmZCcrkK9Czi2Y1WkjOwR/WgUTUWsGJAVqVvlRZuS3zk3nxMrLH6f7toyvuJc=');
     $request = gzinflate(base64_decode($_GET['SAMLRequest']));
     $encodedRequest = $_GET['SAMLRequest'];
     $logoutRequest = new OneLogin_Saml2_LogoutRequest($this->_settings, $encodedRequest);
     $this->assertTrue($logoutRequest->isValid());
     $this->_settings->setStrict(true);
     $logoutRequest2 = new OneLogin_Saml2_LogoutRequest($this->_settings, $encodedRequest);
     $this->assertFalse($logoutRequest2->isValid());
     $this->assertContains('The LogoutRequest was received at', $logoutRequest2->getError());
     $this->_settings->setStrict(false);
     $oldSignature = $_GET['Signature'];
     $_GET['Signature'] = 'vfWbbc47PkP3ejx4bjKsRX7lo9Ml1WRoE5J5owF/0mnyKHfSY6XbhO1wwjBV5vWdrUVX+xp6slHyAf4YoAsXFS0qhan6txDiZY4Oec6yE+l10iZbzvie06I4GPak4QrQ4gAyXOSzwCrRmJu4gnpeUxZ6IqKtdrKfAYRAcVf3333=';
     $logoutRequest3 = new OneLogin_Saml2_LogoutRequest($this->_settings, $encodedRequest);
     $this->assertFalse($logoutRequest3->isValid());
     $this->assertContains('Signature validation failed. Logout Request rejected', $logoutRequest3->getError());
     $_GET['Signature'] = $oldSignature;
     $oldSigAlg = $_GET['SigAlg'];
     unset($_GET['SigAlg']);
     $this->assertTrue($logoutRequest3->isValid());
     $oldRelayState = $_GET['RelayState'];
     $_GET['RelayState'] = 'http://example.com/relaystate';
     $this->assertFalse($logoutRequest3->isValid());
     $this->assertContains('Signature validation failed. Logout Request rejected', $logoutRequest3->getError());
     $this->_settings->setStrict(true);
     $request2 = str_replace('https://pitbulk.no-ip.org/newonelogin/demo1/index.php?sls', $currentURL, $request);
     $request2 = str_replace('https://pitbulk.no-ip.org/simplesaml/saml2/idp/metadata.php', 'http://idp.example.com/', $request2);
     $deflatedRequest2 = gzdeflate($request2);
     $encodedRequest2 = base64_encode($deflatedRequest2);
     $_GET['SAMLRequest'] = $encodedRequest2;
     $logoutRequest4 = new OneLogin_Saml2_LogoutRequest($this->_settings, $encodedRequest2);
     $this->assertFalse($logoutRequest4->isValid());
     $this->assertEquals('Signature validation failed. Logout Request rejected', $logoutRequest4->getError());
     $this->_settings->setStrict(false);
     $logoutRequest5 = new OneLogin_Saml2_LogoutRequest($this->_settings, $encodedRequest2);
     $this->assertFalse($logoutRequest5->isValid());
     $this->assertEquals('Signature validation failed. Logout Request rejected', $logoutRequest5->getError());
     $_GET['SigAlg'] = 'http://www.w3.org/2000/09/xmldsig#dsa-sha1';
     $this->assertFalse($logoutRequest5->isValid());
     $this->assertEquals('Invalid signAlg in the recieved Logout Request', $logoutRequest5->getError());
     $settingsDir = TEST_ROOT . '/settings/';
     include $settingsDir . 'settings1.php';
     $settingsInfo['strict'] = true;
     $settingsInfo['security']['wantMessagesSigned'] = true;
     $settings = new OneLogin_Saml2_Settings($settingsInfo);
     $_GET['SigAlg'] = $oldSigAlg;
     $oldSignature = $_GET['Signature'];
     unset($_GET['Signature']);
     $logoutRequest6 = new OneLogin_Saml2_LogoutRequest($settings, $encodedRequest2);
     $this->assertFalse($logoutRequest6->isValid());
     $this->assertEquals('The Message of the Logout Request is not signed and the SP require it', $logoutRequest6->getError());
     $_GET['Signature'] = $oldSignature;
     $settingsInfo['idp']['certFingerprint'] = 'afe71c28ef740bc87425be13a2263d37971da1f9';
     unset($settingsInfo['idp']['x509cert']);
     $settings2 = new OneLogin_Saml2_Settings($settingsInfo);
     $logoutRequest7 = new OneLogin_Saml2_LogoutRequest($settings2, $encodedRequest2);
     $this->assertFalse($logoutRequest7->isValid());
     $this->assertContains('In order to validate the sign on the Logout Request, the x509cert of the IdP is required', $logoutRequest7->getError());
 }
Beispiel #2
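 /**
  * Process the SAML Logout Response / Logout Request sent by the IdP.
  *
  * Reads a SAMLResponse or a SAMLRequest from $_GET (falling back to $_POST),
  * validates it and, for a LogoutRequest, builds the LogoutResponse for the IdP
  * together with the SLO URL that carries it. Validation failures are recorded
  * in $this->_errors / $this->_errorReason instead of being thrown.
  *
  * @param boolean $keepLocalSession             When false will destroy the local session, otherwise will keep it
  * @param string  $requestId                    The ID of the LogoutRequest sent by this SP to the IdP
  * @param boolean $retrieveParametersFromServer Forwarded to isValid() of the logout message
  *                                              (presumably selects reading the signed query parameters
  *                                              from the server request instead of $_GET — confirm)
  *
  * @return string|null The SLO URL with the LogoutResponse parameters when a valid
  *                     LogoutRequest was processed; null in every other case
  *
  * @throws OneLogin_Saml2_Error When neither a SAMLResponse nor a SAMLRequest is present
  */
 public function processSLO($keepLocalSession = false, $requestId = null, $retrieveParametersFromServer = false)
 {
     $this->_errors = array();

     // HTTP-Redirect binding puts the message in the query string; POST is the fallback.
     // isset() on a nested index is safe even when the superglobal itself is unset.
     $samlResponse = isset($_GET['SAMLResponse']) ? $_GET['SAMLResponse']
         : (isset($_POST['SAMLResponse']) ? $_POST['SAMLResponse'] : null);
     // isset() on the POST index too: the original truthiness test raised an
     // undefined-index notice whenever no RelayState was posted.
     $relayState = isset($_GET['RelayState']) ? $_GET['RelayState']
         : (isset($_POST['RelayState']) ? $_POST['RelayState'] : null);
     $samlRequest = isset($_GET['SAMLRequest']) ? $_GET['SAMLRequest']
         : (isset($_POST['SAMLRequest']) ? $_POST['SAMLRequest'] : null);

     if ($samlResponse) {
         // IdP-initiated answer to a LogoutRequest we sent earlier.
         $logoutResponse = new OneLogin_Saml2_LogoutResponse($this->_settings, $samlResponse);
         if (!$logoutResponse->isValid($requestId, $retrieveParametersFromServer)) {
             $this->_errors[] = 'invalid_logout_response';
             $this->_errorReason = $logoutResponse->getError();
         } elseif ($logoutResponse->getStatus() !== OneLogin_Saml2_Constants::STATUS_SUCCESS) {
             $this->_errors[] = 'logout_not_success';
         } elseif (!$keepLocalSession) {
             OneLogin_Saml2_Utils::deleteLocalSession();
         }
         return null;
     }

     if (!$samlRequest) {
         $this->_errors[] = 'invalid_binding';
         throw new OneLogin_Saml2_Error('SAML LogoutRequest/LogoutResponse not found. Only supported HTTP_REDIRECT Binding', OneLogin_Saml2_Error::SAML_LOGOUTMESSAGE_NOT_FOUND);
     }

     // IdP-initiated logout: validate (signature, destination, ...) before touching the session.
     $logoutRequest = new OneLogin_Saml2_LogoutRequest($this->_settings, $samlRequest);
     if (!$logoutRequest->isValid($retrieveParametersFromServer)) {
         $this->_errors[] = 'invalid_logout_request';
         $this->_errorReason = $logoutRequest->getError();
         return null;
     }

     if (!$keepLocalSession) {
         OneLogin_Saml2_Utils::deleteLocalSession();
     }

     // Answer with a LogoutResponse whose InResponseTo references the request ID.
     $responseBuilder = new OneLogin_Saml2_LogoutResponse($this->_settings);
     $responseBuilder->build($logoutRequest->id);
     $logoutResponse = $responseBuilder->getResponse();

     $parameters = array('SAMLResponse' => $logoutResponse);
     // Truthiness kept on purpose: an empty RelayState is not echoed back.
     if ($relayState) {
         $parameters['RelayState'] = $relayState;
     }

     $security = $this->_settings->getSecurityData();
     if (!empty($security['logoutResponseSigned'])) {
         // RelayState is optional; pass null instead of reading a missing index.
         $signature = $this->buildResponseSignature(
             $logoutResponse,
             isset($parameters['RelayState']) ? $parameters['RelayState'] : null
         );
         $parameters['SigAlg'] = XMLSecurityKey::RSA_SHA1;
         $parameters['Signature'] = $signature;
     }

     // Third argument (stay) is true, so redirectTo() is expected to hand back the
     // URL rather than redirect. Previously the URL was stored in a local and
     // dropped; return it so the caller can perform the redirect.
     return $this->redirectTo($this->getSLOurl(), $parameters, true);
 }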
Beispiel #3
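 /**
  * Process the SAML Logout Response / Logout Request sent by the IdP.
  *
  * Reads a SAMLResponse or a SAMLRequest from $_GET (HTTP-Redirect binding),
  * validates it and, for a LogoutRequest, builds the LogoutResponse and
  * redirects the user agent to the IdP SLO endpoint with it. Validation
  * failures are recorded in $this->_errors instead of being thrown.
  *
  * @param boolean $keepLocalSession When false will destroy the local session, otherwise will keep it
  * @param string  $requestId        The ID of the LogoutRequest sent by this SP to the IdP
  *
  * @throws OneLogin_Saml2_Error When neither a SAMLResponse nor a SAMLRequest is present
  */
 public function processSLO($keepLocalSession = false, $requestId = null)
 {
     $this->_errors = array();

     // isset() on a nested index is safe even when $_GET itself is unset.
     if (isset($_GET['SAMLResponse'])) {
         // IdP-initiated answer to a LogoutRequest we sent earlier.
         $logoutResponse = new OneLogin_Saml2_LogoutResponse($this->_settings, $_GET['SAMLResponse']);
         if (!$logoutResponse->isValid($requestId)) {
             $this->_errors[] = 'invalid_logout_response';
         } elseif ($logoutResponse->getStatus() !== OneLogin_Saml2_Constants::STATUS_SUCCESS) {
             $this->_errors[] = 'logout_not_success';
         } elseif (!$keepLocalSession) {
             OneLogin_Saml2_Utils::deleteLocalSession();
         }
         return;
     }

     if (!isset($_GET['SAMLRequest'])) {
         $this->_errors[] = 'invalid_binding';
         throw new OneLogin_Saml2_Error('SAML LogoutRequest/LogoutResponse not found. Only supported HTTP_REDIRECT Binding', OneLogin_Saml2_Error::SAML_LOGOUTMESSAGE_NOT_FOUND);
     }

     // IdP-initiated logout. gzinflate() returns false on a corrupt payload;
     // treat that as an invalid request instead of handing false to isValid().
     $request = gzinflate(base64_decode($_GET['SAMLRequest']));
     if ($request === false || !OneLogin_Saml2_LogoutRequest::isValid($this->_settings, $request)) {
         $this->_errors[] = 'invalid_logout_request';
         return;
     }

     if (!$keepLocalSession) {
         OneLogin_Saml2_Utils::deleteLocalSession();
     }

     // Answer with a LogoutResponse whose InResponseTo references the request ID.
     $responseBuilder = new OneLogin_Saml2_LogoutResponse($this->_settings);
     $responseBuilder->build(OneLogin_Saml2_LogoutRequest::getID($request));
     $logoutResponse = $responseBuilder->getResponse();

     $parameters = array('SAMLResponse' => $logoutResponse);
     if (isset($_GET['RelayState'])) {
         $parameters['RelayState'] = $_GET['RelayState'];
     }

     $security = $this->_settings->getSecurityData();
     if (!empty($security['logoutResponseSigned'])) {
         // RelayState is optional; pass null instead of reading a missing index.
         $signature = $this->buildResponseSignature(
             $logoutResponse,
             isset($parameters['RelayState']) ? $parameters['RelayState'] : null
         );
         $parameters['SigAlg'] = XMLSecurityKey::RSA_SHA1;
         $parameters['Signature'] = $signature;
     }

     $this->redirectTo($this->getSLOurl(), $parameters);
 }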