Beispiel #1
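 /**
  * Attempt to log in using the given username and password.
  *
  * On a successful login, this function should return the username as 'uid' attribute,
  * and merged attributes from the configuration file.
  * On failure, it should throw an exception. A SimpleSAML_Error_Error('WRONGUSERPASS')
  * should be thrown in case of a wrong username OR a wrong password, to prevent the
  * enumeration of usernames.
  *
  * Every entry of $this->users is a 'username:hash' string. The hash part is tried as
  * traditional crypt(3) first, then as Apache APR1 MD5, then with
  * SimpleSAML\Utils\Crypto::pwValid() (SHA1 or plain-text).
  *
  * @param string $username  The username the user wrote.
  * @param string $password  The password the user wrote.
  * @return array  Associative array with the users attributes.
  * @throws SimpleSAML_Error_Error  'WRONGUSERPASS' when no entry matches both values.
  */
 protected function login($username, $password)
 {
     assert('is_string($username)');
     assert('is_string($password)');
     foreach ($this->users as $userpass) {
         $parts = explode(':', $userpass, 2);
         // An entry without ':' carries no hash; skip it instead of reading a missing $parts[1].
         if (count($parts) !== 2) {
             continue;
         }
         list($storedUser, $crypted) = $parts;
         // Strict comparison: '==' would compare numeric-looking usernames as numbers.
         if ($storedUser !== $username) {
             continue;
         }
         // This is about the only attribute we can add
         $attributes = array_merge(array('uid' => array($username)), $this->attributes);
         // Traditional crypt(3); hash_equals() is a constant-time, strict string comparison,
         // whereas '==' would compare two numeric-looking hashes numerically.
         $valid = hash_equals($crypted, crypt($password, $crypted))
             // Apache's custom MD5
             || APR1_MD5::check($crypted, $password)
             // SHA1 or plain-text
             || SimpleSAML\Utils\Crypto::pwValid($crypted, $password);
         if ($valid) {
             SimpleSAML_Logger::debug('User ' . $username . ' authenticated successfully');
             return $attributes;
         }
         // Username matched but no hash form accepted the password: same error as an
         // unknown user, so the two cases are indistinguishable to the caller.
         throw new SimpleSAML_Error_Error('WRONGUSERPASS');
     }
     throw new SimpleSAML_Error_Error('WRONGUSERPASS');
 }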
Beispiel #2
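 /**
  * Attempt to log in using the given username and password.
  *
  * On a successful login, this function should return the users attributes. On failure,
  * it should throw an exception. If the error was caused by the user entering the wrong
  * username OR password, a SimpleSAML_Error_Error('WRONGUSERPASS') should be thrown.
  *
  * The username is UTF-8 encoded, and the hash is base64 encoded.
  *
  * $this->users maps 'username:hash' strings to the attribute array that is returned
  * for that user.
  *
  * @param string $username  The username the user wrote.
  * @param string $password  The password the user wrote.
  * @return array  Associative array with the users attributes.
  * @throws SimpleSAML_Error_Error  'WRONGUSERPASS' when no entry matches both values.
  */
 protected function login($username, $password)
 {
     assert('is_string($username)');
     assert('is_string($password)');
     foreach ($this->users as $userpass => $attrs) {
         $parts = explode(':', $userpass, 2);
         // An entry without ':' carries no hash; skip it instead of reading a missing $parts[1].
         if (count($parts) !== 2 || $parts[0] !== $username) {
             continue;
         }
         if (SimpleSAML\Utils\Crypto::pwValid($parts[1], $password)) {
             return $attrs;
         }
         // Do not write the submitted password to the log: a near miss (typo) or a
         // password reused from another service would otherwise land on disk in clear text.
         SimpleSAML_Logger::debug('Incorrect password for user ' . $username);
     }
     throw new SimpleSAML_Error_Error('WRONGUSERPASS');
 }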
 /**
  * Attempt to log in using the given username and password.
  *
  * On a successful login, this function should return the users attributes. On failure,
  * it should throw an exception. If the error was caused by the user entering the wrong
  * username or password, a SimpleSAML_Error_Error('WRONGUSERPASS') should be thrown.
  *
  * Note that both the username and the password are UTF-8 encoded.
  *
  * Only the single account "admin" exists. Its password (or password hash, as accepted by
  * SimpleSAML\Utils\Crypto::pwValid()) comes from the 'auth.adminpassword' option; if that
  * option still holds the shipped default '123', login is refused with 'NOTSET' before any
  * credential is looked at.
  *
  * @param string $username  The username the user wrote.
  * @param string $password  The password the user wrote.
  * @return array  Associative array with the users attributes.
  * @throws SimpleSAML_Error_Error  'NOTSET' while the default password is configured,
  *                                 'WRONGUSERPASS' for any other failure.
  */
 protected function login($username, $password)
 {
     assert('is_string($username)');
     assert('is_string($password)');
     $configured = SimpleSAML_Configuration::getInstance()->getString('auth.adminpassword', '123');
     // The administrator has to replace the default before this source can be used at all.
     if ($configured === '123') {
         throw new SimpleSAML_Error_Error('NOTSET');
     }
     // The password is only checked for the one known account; '&&' short-circuits otherwise.
     $isAdmin = ($username === 'admin');
     $accepted = $isAdmin && SimpleSAML\Utils\Crypto::pwValid($configured, $password);
     if (!$accepted) {
         throw new SimpleSAML_Error_Error('WRONGUSERPASS');
     }
     return array('user' => array('admin'));
 }
Beispiel #4
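 /**
  * Send an authenticationResponse using HTTP-POST.
  *
  * The response is parsed into a DOM, signed (either the Response element or the first
  * Assertion, see below), serialised again and handed to
  * \SimpleSAML\Utils\HTTP::submitPOSTData() with the relay state as 'TARGET' and the
  * base64-encoded XML as 'SAMLResponse'.
  *
  * @param string                   $response The response which should be sent.
  * @param SimpleSAML_Configuration $idpmd The metadata of the IdP which is sending the response.
  * @param SimpleSAML_Configuration $spmd The metadata of the SP which is receiving the response.
  * @param string|null              $relayState The relaystate for the SP.
  * @param string                   $shire The shire which should receive the response.
  * @throws SimpleSAML_Error_Exception If $response is not well-formed XML or has no Response element.
  */
 public function sendResponse($response, SimpleSAML_Configuration $idpmd, SimpleSAML_Configuration $spmd, $relayState, $shire)
 {
     \SimpleSAML\Utils\XML::checkSAMLMessage($response, 'saml11');
     $privatekey = SimpleSAML\Utils\Crypto::loadPrivateKey($idpmd, true);
     $publickey = SimpleSAML\Utils\Crypto::loadPublicKey($idpmd, true);
     $responsedom = new DOMDocument();
     // loadXML() returns false on malformed input; without this check the code below would
     // go on to sign (and send) an empty document.
     if (!$responsedom->loadXML(str_replace("\r", "", $response))) {
         throw new SimpleSAML_Error_Exception('Unable to parse the SAML 1.1 response as XML.');
     }
     $responseroot = $responsedom->getElementsByTagName('Response')->item(0);
     if ($responseroot === null) {
         throw new SimpleSAML_Error_Exception('The SAML 1.1 response contains no Response element.');
     }
     $firstassertionroot = $responsedom->getElementsByTagName('Assertion')->item(0);
     /* Determine what we should sign - either the Response element or the Assertion. The default is to sign the
      * Assertion, but that can be overridden by the 'signresponse' option in the SP metadata or
      * 'saml20.signresponse' in the global configuration.
      *
      * TODO: neither 'signresponse' nor 'shib13.signresponse' are valid options any longer. Remove!
      */
     if ($spmd->hasValue('signresponse')) {
         $signResponse = $spmd->getBoolean('signresponse');
     } else {
         $signResponse = $this->configuration->getBoolean('shib13.signresponse', true);
     }
     // check if we have an assertion to sign. Force to sign the response if not
     if ($firstassertionroot === null) {
         $signResponse = true;
     }
     $signer = new SimpleSAML_XML_Signer(array(
         'privatekey_array' => $privatekey,
         'publickey_array'  => $publickey,
         'id'               => $signResponse ? 'ResponseID' : 'AssertionID',
     ));
     if ($idpmd->hasValue('certificatechain')) {
         $signer->addCertificate($idpmd->getString('certificatechain'));
     }
     if ($signResponse) {
         // sign the response - this must be done after encrypting the assertion
         // we insert the signature before the saml2p:Status element
         $statusElements = SimpleSAML\Utils\XML::getDOMChildren($responseroot, 'Status', '@saml1p');
         assert('count($statusElements) === 1');
         $signer->sign($responseroot, $responseroot, $statusElements[0]);
     } else {
         /* Sign the assertion */
         $signer->sign($firstassertionroot, $firstassertionroot);
     }
     $response = $responsedom->saveXML();
     \SimpleSAML\Utils\XML::debugSAMLMessage($response, 'out');
     \SimpleSAML\Utils\HTTP::submitPOSTData($shire, array('TARGET' => $relayState, 'SAMLResponse' => base64_encode($response)));
 }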
Beispiel #5
<?php

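// Load SimpleSAMLphp, configuration and metadata
$config = SimpleSAML_Configuration::getInstance();
$metadata = SimpleSAML_Metadata_MetaDataStorageHandler::getMetadataHandler();
if (!$config->getBoolean('enable.saml20-idp', false)) {
    throw new SimpleSAML_Error_Error('NOACCESS');
}
// Check if valid local session exists..
if ($config->getBoolean('admin.protectmetadata', false)) {
    SimpleSAML\Utils\Auth::requireAdmin();
}
$idpentityid = $metadata->getMetaDataCurrentEntityID('saml20-idp-hosted');
$idpmeta = $metadata->getMetaDataConfig($idpentityid, 'saml20-idp-hosted');
// PATH_INFO is not set at all when the script is requested without a trailing path.
$pathInfo = isset($_SERVER['PATH_INFO']) ? $_SERVER['PATH_INFO'] : '';
// Only the three fixed names below are served; everything else is a 404. Because the
// same whitelisted value is reused as the download file name, no free-form user input
// reaches the Content-Disposition header.
switch ($pathInfo) {
    case '/new_idp.crt':
        // The 'new_' certificate is optional (required=false), so this may yield null.
        $certInfo = SimpleSAML\Utils\Crypto::loadPublicKey($idpmeta, false, 'new_');
        break;
    case '/idp.crt':
        $certInfo = SimpleSAML\Utils\Crypto::loadPublicKey($idpmeta, true);
        break;
    case '/https.crt':
        $certInfo = SimpleSAML\Utils\Crypto::loadPublicKey($idpmeta, true, 'https.');
        break;
    default:
        throw new SimpleSAML_Error_NotFound('Unknown certificate.');
}
// Without this guard a missing optional certificate produced an empty download.
if ($certInfo === null || !isset($certInfo['PEM'])) {
    throw new SimpleSAML_Error_NotFound('Certificate not available.');
}
header('Content-Disposition: attachment; filename=' . substr($pathInfo, 1));
header('Content-Type: application/x-x509-ca-cert');
echo $certInfo['PEM'];
exit(0);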
 $idpmeta = $metadata->getMetaDataConfig($idpentityid, 'adfs-idp-hosted');
 $availableCerts = array();
 $keys = array();
 // Optional rollover certificate ('new_' prefix); loadPublicKey() yields null when it is absent.
 $certInfo = SimpleSAML\Utils\Crypto::loadPublicKey($idpmeta, false, 'new_');
 $hasNewCert = ($certInfo !== null);
 if ($hasNewCert) {
     $availableCerts['new_idp.crt'] = $certInfo;
     $keys[] = array(
         'type'            => 'X509Certificate',
         'signing'         => true,
         'encryption'      => true,
         'X509Certificate' => $certInfo['certData'],
     );
 }
 // The current certificate is mandatory. It is advertised for encryption only while no
 // rollover certificate has taken over that role.
 $certInfo = SimpleSAML\Utils\Crypto::loadPublicKey($idpmeta, true);
 $availableCerts['idp.crt'] = $certInfo;
 $keys[] = array(
     'type'            => 'X509Certificate',
     'signing'         => true,
     'encryption'      => !$hasNewCert,
     'X509Certificate' => $certInfo['certData'],
 );
 if ($idpmeta->hasValue('https.certificate')) {
     $httpsCert = SimpleSAML\Utils\Crypto::loadPublicKey($idpmeta, true, 'https.');
     assert('isset($httpsCert["certData"])');
     $availableCerts['https.crt'] = $httpsCert;
     $keys[] = array(
         'type'            => 'X509Certificate',
         'signing'         => true,
         'encryption'      => false,
         'X509Certificate' => $httpsCert['certData'],
     );
 }
 $adfs_service_location = SimpleSAML\Module::getModuleURL('adfs') . '/idp/prp.php';
 // SSO and SLO share the same redirect endpoint.
 $adfs_endpoint = array(
     'Binding'  => \SAML2\Constants::BINDING_HTTP_REDIRECT,
     'Location' => $adfs_service_location,
 );
 $metaArray = array(
     'metadata-set'        => 'adfs-idp-remote',
     'entityid'            => $idpentityid,
     'SingleSignOnService' => array(0 => $adfs_endpoint),
     'SingleLogoutService' => array(0 => $adfs_endpoint),
 );
 // A single certificate is emitted in the legacy 'certData' form, several as a 'keys' list.
 if (count($keys) === 1) {
     $metaArray['certData'] = $keys[0]['X509Certificate'];
 } else {
     $metaArray['keys'] = $keys;
 }
 $metaArray['NameIDFormat'] = $idpmeta->getString('NameIDFormat', 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient');
 if ($idpmeta->hasValue('OrganizationName')) {
     $metaArray['OrganizationName'] = $idpmeta->getLocalizedString('OrganizationName');
     $metaArray['OrganizationDisplayName'] = $idpmeta->getLocalizedString('OrganizationDisplayName', $metaArray['OrganizationName']);
Beispiel #7
// This is the base directory of the SimpleSAMLphp installation (one level above this script's directory)
$baseDir = dirname(__DIR__);
// Add library autoloader
require_once $baseDir . '/lib/_autoload.php';
echo "Enter password: "******"Need at least one character for a password\n";
    exit(1);
}
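$table = '';
// List the supported algorithms six per row in 13-character columns.
foreach (array_chunk(hash_algos(), 6) as $chunk) {
    foreach ($chunk as $algo) {
        $table .= sprintf('%-13s', $algo);
    }
    $table .= "\n";
}
echo "The following hashing algorithms are available:\n" . $table . "\n";
echo "Which one do you want? [sha256] ";
// fgets() returns false on EOF; the cast keeps trim() happy on every PHP version.
$algo = strtolower(trim((string) fgets(STDIN)));
if ($algo === '') {
    $algo = 'sha256';
}
// Strict in_array(): compare as strings only, never numerically.
if (!in_array($algo, hash_algos(), true)) {
    echo "Hashing algorithm '{$algo}' is not supported\n";
    exit(1);
}
echo "Do you want to use a salt? (yes/no) [yes] ";
// Anything other than an explicit 'no' keeps the salt; the 'S' prefix is presumably what
// pwHash() uses to tell salted algorithms apart — see SimpleSAML\Utils\Crypto::pwHash().
$s = trim((string) fgets(STDIN)) === 'no' ? '' : 'S';
echo "\n  " . SimpleSAML\Utils\Crypto::pwHash($password, strtoupper($s . $algo)) . "\n\n";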
<?php

/**
 * This page provides a way to create a redirect to a POST request.
 *
 * @package simpleSAMLphp
 */
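if (array_key_exists('RedirId', $_REQUEST)) {
    // Plain reference to POST data stored in the caller's own session.
    $postId = $_REQUEST['RedirId'];
    if (!is_string($postId)) {
        throw new SimpleSAML_Error_BadRequest('Invalid RedirId parameter.');
    }
    $session = SimpleSAML_Session::getSessionFromRequest();
} elseif (array_key_exists('RedirInfo', $_REQUEST)) {
    // Encrypted 'sessionId:postId' pair for the case where the browser carries no session.
    if (!is_string($_REQUEST['RedirInfo'])) {
        throw new SimpleSAML_Error_BadRequest('Invalid RedirInfo data.');
    }
    // Strict base64 decoding returns false on any character outside the alphabet instead
    // of silently dropping it, so corrupted input is rejected here rather than in aesDecrypt().
    $encData = base64_decode($_REQUEST['RedirInfo'], true);
    if (empty($encData)) {
        throw new SimpleSAML_Error_BadRequest('Invalid RedirInfo data.');
    }
    $parts = explode(':', SimpleSAML\Utils\Crypto::aesDecrypt($encData));
    // A decrypted value without ':' would otherwise leave $postId undefined.
    if (count($parts) < 2) {
        throw new SimpleSAML_Error_BadRequest('Invalid session info data.');
    }
    list($sessionId, $postId) = $parts;
    if (empty($sessionId) || empty($postId)) {
        throw new SimpleSAML_Error_BadRequest('Invalid session info data.');
    }
    $session = SimpleSAML_Session::getSession($sessionId);
} else {
    throw new SimpleSAML_Error_BadRequest('Missing redirection info parameter.');
}
if ($session === NULL) {
    throw new Exception('Unable to load session.');
}
$postData = $session->getData('core_postdatalink', $postId);
if ($postData === NULL) {
    /* The post data is missing, probably because it timed out. */
    throw new Exception('The POST data we should restore was lost.');
}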
 /**
  * Retrieve the decryption keys from metadata.
  *
  * When the sender advertises a 'sharedkey', one AES-128-CBC symmetric key built from it
  * is returned and the recipient's private keys are not consulted. Otherwise the
  * recipient's optional 'new_' private key (if configured) followed by its current private
  * key are returned, each wrapped as a private RSA XMLSecurityKey.
  *
  * @param SimpleSAML_Configuration $srcMetadata  The metadata of the sender (IdP).
  * @param SimpleSAML_Configuration $dstMetadata  The metadata of the recipient (SP).
  * @return array  Array of decryption keys.
  */
 public static function getDecryptionKeys(SimpleSAML_Configuration $srcMetadata, SimpleSAML_Configuration $dstMetadata)
 {
     $sharedKey = $srcMetadata->getString('sharedkey', NULL);
     if ($sharedKey !== NULL) {
         $symmetric = new XMLSecurityKey(XMLSecurityKey::AES128_CBC);
         $symmetric->loadKey($sharedKey);
         return array($symmetric);
     }
     // Wrap a key array from Crypto::loadPrivateKey() ('PEM', optional 'password') in an
     // XMLSecurityKey. RSA_1_5 labels the key object here; which key-transport algorithm is
     // actually accepted for an EncryptedKey is presumably decided by the caller — TODO confirm.
     $wrapPrivateKey = function ($keyArray) {
         assert('isset($keyArray["PEM"])');
         $key = new XMLSecurityKey(XMLSecurityKey::RSA_1_5, array('type' => 'private'));
         if (array_key_exists('password', $keyArray)) {
             $key->passphrase = $keyArray['password'];
         }
         $key->loadKey($keyArray['PEM']);
         return $key;
     };
     $keys = array();
     /* Load the new private key if it exists. */
     $newKeyArray = SimpleSAML\Utils\Crypto::loadPrivateKey($dstMetadata, FALSE, 'new_');
     if ($newKeyArray !== NULL) {
         $keys[] = $wrapPrivateKey($newKeyArray);
     }
     /* Find the existing private key. */
     $keys[] = $wrapPrivateKey(SimpleSAML\Utils\Crypto::loadPrivateKey($dstMetadata, TRUE));
     return $keys;
 }
Beispiel #10
// Serving Shib 1.3 IdP metadata is refused unless that role is switched on.
$shib13Enabled = $config->getBoolean('enable.shib13-idp', false);
if (!$shib13Enabled) {
    throw new SimpleSAML_Error_Error('NOACCESS');
}
// check if valid local session exists
$protectMetadata = $config->getBoolean('admin.protectmetadata', false);
if ($protectMetadata) {
    SimpleSAML\Utils\Auth::requireAdmin();
}
try {
    $idpentityid = isset($_GET['idpentityid']) ? $_GET['idpentityid'] : $metadata->getMetaDataCurrentEntityID('shib13-idp-hosted');
    $idpmeta = $metadata->getMetaDataConfig($idpentityid, 'shib13-idp-hosted');
    $keys = array();
    $certInfo = SimpleSAML\Utils\Crypto::loadPublicKey($idpmeta, false, 'new_');
    if ($certInfo !== null) {
        $keys[] = array('type' => 'X509Certificate', 'signing' => true, 'encryption' => false, 'X509Certificate' => $certInfo['certData']);
    }
    $certInfo = SimpleSAML\Utils\Crypto::loadPublicKey($idpmeta, true);
    $keys[] = array('type' => 'X509Certificate', 'signing' => true, 'encryption' => false, 'X509Certificate' => $certInfo['certData']);
    $metaArray = array('metadata-set' => 'shib13-idp-remote', 'entityid' => $idpentityid, 'SingleSignOnService' => $metadata->getGenerated('SingleSignOnService', 'shib13-idp-hosted'));
    if (count($keys) === 1) {
        $metaArray['certData'] = $keys[0]['X509Certificate'];
    } else {
        $metaArray['keys'] = $keys;
    }
    $metaArray['NameIDFormat'] = $idpmeta->getString('NameIDFormat', 'urn:mace:shibboleth:1.0:nameIdentifier');
    if ($idpmeta->hasValue('OrganizationName')) {
        $metaArray['OrganizationName'] = $idpmeta->getLocalizedString('OrganizationName');
        $metaArray['OrganizationDisplayName'] = $idpmeta->getLocalizedString('OrganizationDisplayName', $metaArray['OrganizationName']);
        if (!$idpmeta->hasValue('OrganizationURL')) {
            throw new SimpleSAML_Error_Exception('If OrganizationName is set, OrganizationURL must also be set.');
        }
        $metaArray['OrganizationURL'] = $idpmeta->getLocalizedString('OrganizationURL');
Beispiel #11
 /**
  * Decrypt data with the AES helper.
  *
  * Forwarding wrapper kept only for backwards compatibility; it adds nothing of its own.
  *
  * @param string $encData  The encrypted data (raw binary string).
  * @return mixed  Whatever SimpleSAML\Utils\Crypto::aesDecrypt() returns for $encData.
  * @deprecated This method will be removed in SSP 2.0. Please use SimpleSAML\Utils\Crypto::aesDecrypt() instead.
  */
 public static function aesDecrypt($encData)
 {
     $plaintext = SimpleSAML\Utils\Crypto::aesDecrypt($encData);
     return $plaintext;
 }
Beispiel #12
            break;
    }
    $eps[] = $acsArray;
    $index++;
}
$metaArray20['AssertionConsumerService'] = $eps;
$keys = array();
// Optional rollover certificate ('new_' prefix). When present it takes the encryption
// role and the current certificate is advertised for signing only.
$certInfo = SimpleSAML\Utils\Crypto::loadPublicKey($spconfig, FALSE, 'new_');
$hasNewCert = ($certInfo !== NULL && array_key_exists('certData', $certInfo));
if ($hasNewCert) {
    $certData = $certInfo['certData'];
    $keys[] = array(
        'type'            => 'X509Certificate',
        'signing'         => TRUE,
        'encryption'      => TRUE,
        'X509Certificate' => $certData,
    );
}
$certInfo = SimpleSAML\Utils\Crypto::loadPublicKey($spconfig);
if ($certInfo === NULL || !array_key_exists('certData', $certInfo)) {
    $certData = NULL;
} else {
    $certData = $certInfo['certData'];
    $keys[] = array(
        'type'            => 'X509Certificate',
        'signing'         => TRUE,
        'encryption'      => !$hasNewCert,
        'X509Certificate' => $certData,
    );
}
$format = $spconfig->getString('NameIDPolicy', NULL);
if ($format !== NULL) {
    $metaArray20['NameIDFormat'] = $format;
}
$name = $spconfig->getLocalizedString('name', NULL);
$attributes = $spconfig->getArray('attributes', array());
if ($name !== NULL && !empty($attributes)) {
    $metaArray20['name'] = $name;
    $metaArray20['attributes'] = $attributes;