/**
  * @param array $legacyResponse
  * @return EngineBlock_Saml2_ResponseAnnotationDecorator
  */
 public function fromOldFormat(array $legacyResponse)
 {
     $legacyResponse = EngineBlock_Corto_XmlToArray::registerNamespaces($legacyResponse);
     $xml = EngineBlock_Corto_XmlToArray::array2xml($legacyResponse);
     $document = new DOMDocument();
     $document->loadXML($xml);
     $response = new SAML2_Response($document->firstChild);
     $annotatedResponse = new EngineBlock_Saml2_ResponseAnnotationDecorator($response);
     return $this->addPrivateVars($annotatedResponse, $legacyResponse);
 }
 public function serve($serviceName)
 {
     // Get the configuration for EngineBlock in it's IdP role.
     $engineIdpEntityId = $this->_server->getUrl('idpMetadataService');
     $engineIdpEntity = $this->_server->getRepository()->fetchIdentityProviderByEntityId($engineIdpEntityId);
     $edugainEntities = array();
     $ssoServiceReplacer = new ServiceReplacer($engineIdpEntity, 'SingleSignOnService', ServiceReplacer::REQUIRED);
     $slServiceReplacer = new ServiceReplacer($engineIdpEntity, 'SingleLogoutService', ServiceReplacer::OPTIONAL);
     $remoteEntities = $this->_server->getRepository()->findEntitiesPublishableInEdugain();
     foreach ($remoteEntities as $entity) {
         // Use EngineBlock certificates
         $entity->certificates = $engineIdpEntity->certificates;
         // Ignore the NameIDFormats the IdP supports, any requests made on this endpoint will use EngineBlock
         // NameIDs, so advertise that.
         unset($entity->nameIdFormat);
         $entity->supportedNameIdFormats = $engineIdpEntity->supportedNameIdFormats;
         // For IdP's replace the SingleSignService with the one from EB
         if ($entity instanceof IdentityProvider) {
             // Replace service locations and bindings with those of EB
             $transparentSsoUrl = $this->_server->getUrl('singleSignOnService', $entity->entityId);
             $ssoServiceReplacer->replace($entity, $transparentSsoUrl);
             $transparentSlUrl = $this->_server->getUrl('singleLogoutService');
             $slServiceReplacer->replace($entity, $transparentSlUrl);
         }
         $entity->contactPersons = $engineIdpEntity->contactPersons;
         $entity = $this->_addRequestAttributes($entity);
         $edugainEntities[] = $entity;
     }
     // Map the IdP configuration to a Corto XMLToArray structured document array
     $mapper = new EngineBlock_Corto_Mapper_Metadata_EdugainDocument($this->_server->getNewId(\OpenConext\Component\EngineBlockFixtures\IdFrame::ID_USAGE_SAML2_METADATA), $this->_server->timeStamp($this->_server->getConfig('metadataValidUntilSeconds', 86400)), true);
     $document = $mapper->setEntities($edugainEntities)->map();
     // Sign the document
     $document = $this->_server->sign($document);
     // Convert the document to XML
     $xml = EngineBlock_Corto_XmlToArray::array2xml($document);
     // If debugging is enabled then validate it according to the schema
     if ($this->_server->getConfig('debug', false)) {
         $validator = new EngineBlock_Xml_Validator('http://docs.oasis-open.org/security/saml/v2.0/saml-schema-metadata-2.0.xsd');
         $validator->validate($xml);
     }
     // The spec dictates we use a custom mimetype, but debugging is easier with a normal mimetype
     // also no single SP / IdP complains over this.
     //$this->_server->sendHeader('Content-Type', 'application/samlmetadata+xml');
     $this->_server->sendHeader('Content-Type', 'application/xml');
     $this->_server->sendOutput($xml);
 }
Ejemplo n.º 3
0
 public function serve($serviceName)
 {
     // Get the configuration for EngineBlock in it's IdP / SP role without the VO.
     $this->_server->setProcessingMode();
     $engineEntityId = $this->_server->getUrl($serviceName);
     $this->_server->unsetProcessingMode();
     $engineEntity = $this->_server->getRepository()->fetchEntityByEntityId($engineEntityId);
     // Override the EntityID and SSO location to optionally append VO id
     $externalEngineEntityId = $this->_server->getUrl($serviceName);
     $engineEntity->entityId = $externalEngineEntityId;
     if ($serviceName === 'idpMetadataService') {
         $ssoServiceReplacer = new ServiceReplacer($engineEntity, 'SingleSignOnService', ServiceReplacer::REQUIRED);
         $ssoLocation = $this->_server->getUrl('singleSignOnService');
         $ssoServiceReplacer->replace($engineEntity, $ssoLocation);
     }
     // Override Single Logout Service Location with generated url
     $slServiceReplacer = new ServiceReplacer($engineEntity, 'SingleLogoutService', ServiceReplacer::OPTIONAL);
     $slLocation = $this->_server->getUrl('singleLogoutService');
     $slServiceReplacer->replace($engineEntity, $slLocation);
     // Map the IdP configuration to a Corto XMLToArray structured document array
     $mapper = new EngineBlock_Corto_Mapper_Metadata_EdugainDocument($this->_server->getNewId(IdFrame::ID_USAGE_SAML2_METADATA), $this->_server->timeStamp($this->_server->getConfig('metadataValidUntilSeconds', 86400)), false);
     $document = $mapper->setEntity($engineEntity)->map();
     // Sign the document
     $document = $this->_server->sign($document);
     // Convert the document to XML
     $xml = EngineBlock_Corto_XmlToArray::array2xml($document);
     // If debugging is enabled then validate it according to the schema
     if ($this->_server->getConfig('debug', false)) {
         $validator = new EngineBlock_Xml_Validator('http://docs.oasis-open.org/security/saml/v2.0/saml-schema-metadata-2.0.xsd');
         $validator->validate($xml);
     }
     // The spec dictates we use a custom mimetype, but debugging is easier with a normal mimetype
     // also no single SP / IdP complains over this.
     //$this->_server->sendHeader('Content-Type', 'application/samlmetadata+xml');
     $this->_server->sendHeader('Content-Type', 'application/xml');
     $this->_server->sendOutput($xml);
 }
 /**
  * @dataProvider xmlOutputProvider
  */
 public function testArrayToXml($phpFile, $xmlFile)
 {
     $phpInput = (require $phpFile);
     $expectedXmlOutput = file_get_contents($xmlFile);
     $this->assertEquals($expectedXmlOutput, EngineBlock_Corto_XmlToArray::array2xml($phpInput));
 }
 /**
  * Sign a Corto_XmlToArray array with XML.
  *
  * @param  $element    Element to sign
  * @return array Signed element
  */
 public function sign(array $element)
 {
     $signingKeyPair = $this->getSigningCertificates();
     $signature = array('__t' => 'ds:Signature', '_xmlns:ds' => 'http://www.w3.org/2000/09/xmldsig#', 'ds:SignedInfo' => array('__t' => 'ds:SignedInfo', '_xmlns:ds' => 'http://www.w3.org/2000/09/xmldsig#', 'ds:CanonicalizationMethod' => array('_Algorithm' => 'http://www.w3.org/2001/10/xml-exc-c14n#'), 'ds:SignatureMethod' => array('_Algorithm' => 'http://www.w3.org/2000/09/xmldsig#rsa-sha1'), 'ds:Reference' => array(0 => array('_URI' => '__placeholder__', 'ds:Transforms' => array('ds:Transform' => array(array('_Algorithm' => 'http://www.w3.org/2000/09/xmldsig#enveloped-signature'), array('_Algorithm' => 'http://www.w3.org/2001/10/xml-exc-c14n#'))), 'ds:DigestMethod' => array('_Algorithm' => 'http://www.w3.org/2000/09/xmldsig#sha1'), 'ds:DigestValue' => array('__v' => '__placeholder__')))), 'ds:SignatureValue' => array('__v' => '__placeholder__'), 'ds:KeyInfo' => array('ds:X509Data' => array('ds:X509Certificate' => array('__v' => $signingKeyPair->getCertificate()->toCertData()))));
     // Convert the XMl object to actual XML and get a reference to what we're about to sign
     $canonicalXmlDom = new DOMDocument();
     $canonicalXmlDom->loadXML(EngineBlock_Corto_XmlToArray::array2xml($element));
     // Note that the current element may not be the first or last, because we might include comments, so look for
     // the actual XML element
     $xpath = new DOMXPath($canonicalXmlDom);
     $nodes = $xpath->query('/*[@ID="' . $element['_ID'] . '"]');
     if ($nodes->length < 1) {
         throw new EngineBlock_Corto_ProxyServer_Exception("Unable to sign message can't find element with id to sign?", EngineBlock_Corto_ProxyServer_Exception::CODE_NOTICE);
     }
     $canonicalXmlDom = $nodes->item(0);
     // Now do 'exclusive no-comments' XML cannonicalization
     $canonicalXml = $canonicalXmlDom->C14N(true, false);
     // Hash it, encode it in Base64 and include that as the 'Reference'
     $signature['ds:SignedInfo']['ds:Reference'][0]['ds:DigestValue']['__v'] = base64_encode(sha1($canonicalXml, true));
     $signature['ds:SignedInfo']['ds:Reference'][0]['_URI'] = "#" . $element['_ID'];
     // Now we start the actual signing, instead of signing the entire (possibly large) document,
     // we only sign the 'SignedInfo' which includes the 'Reference' hash
     $canonicalXml2Dom = new DOMDocument();
     $canonicalXml2Dom->loadXML(EngineBlock_Corto_XmlToArray::array2xml($signature['ds:SignedInfo']));
     $canonicalXml2 = $canonicalXml2Dom->firstChild->C14N(true, false);
     $signatureValue = null;
     $signatureValue = $signingKeyPair->getPrivateKey()->sign($canonicalXml2);
     $signature['ds:SignatureValue']['__v'] = base64_encode($signatureValue);
     $element['ds:Signature'] = $signature;
     $element[EngineBlock_Corto_XmlToArray::PRIVATE_PFX]['Signed'] = true;
     return $element;
 }
 public function serve($serviceName)
 {
     // Fetch SP Entity Descriptor for the SP Entity ID that is fetched from the request
     $request = EngineBlock_ApplicationSingleton::getInstance()->getHttpRequest();
     $spEntityId = $request->getQueryParameter('sp-entity-id');
     if ($spEntityId) {
         // See if an sp-entity-id was specified for which we need to use sp specific metadata
         $spEntity = $this->_server->getRepository()->fetchServiceProviderByEntityId($spEntityId);
     }
     // Get the configuration for EngineBlock in it's IdP role.
     $engineIdpEntityId = $this->_server->getUrl('idpMetadataService');
     $engineIdentityProvider = $this->_server->getRepository()->fetchIdentityProviderByEntityId($engineIdpEntityId);
     $idpEntities = array();
     // Note that Shibboleth likes to see it's self in the metadata, so if an sp-entity-id was passed along
     // we make sure the first thing is the Service Provider
     if (isset($spEntity)) {
         $idpEntities[] = $spEntity;
     }
     $ssoServiceReplacer = new ServiceReplacer($engineIdentityProvider, 'SingleSignOnService', ServiceReplacer::REQUIRED);
     $slServiceReplacer = new ServiceReplacer($engineIdentityProvider, 'SingleLogoutService', ServiceReplacer::OPTIONAL);
     if (isset($spEntity)) {
         $identityProviders = $this->_server->getRepository()->findIdentityProvidersByEntityId($this->_server->getRepository()->findAllowedIdpEntityIdsForSp($spEntity));
     } else {
         $identityProviders = $this->_server->getRepository()->findIdentityProviders();
     }
     foreach ($identityProviders as $entity) {
         // Don't add ourselves
         if ($entity->entityId === $engineIdentityProvider->entityId) {
             continue;
         }
         if ($entity->hidden) {
             continue;
         }
         // Use EngineBlock certificates
         $entity->certificates = $engineIdentityProvider->certificates;
         // Ignore the NameIDFormats the IdP supports, any requests made on this endpoint will use EngineBlock
         // NameIDs, so advertise that.
         unset($entity->nameIdFormat);
         $entity->supportedNameIdFormats = $engineIdentityProvider->supportedNameIdFormats;
         // Replace service locations and bindings with those of EB
         $transparentSsoUrl = $this->_server->getUrl('singleSignOnService', $entity->entityId);
         $ssoServiceReplacer->replace($entity, $transparentSsoUrl);
         $transparentSlUrl = $this->_server->getUrl('singleLogoutService');
         $slServiceReplacer->replace($entity, $transparentSlUrl);
         $entity->contactPersons = $engineIdentityProvider->contactPersons;
         $idpEntities[] = $entity;
     }
     // Map the IdP configuration to a Corto XMLToArray structured document array
     $mapper = new EngineBlock_Corto_Mapper_Metadata_EdugainDocument($this->_server->getNewId(\OpenConext\Component\EngineBlockFixtures\IdFrame::ID_USAGE_SAML2_METADATA), $this->_server->timeStamp($this->_server->getConfig('metadataValidUntilSeconds', 86400)), false);
     $document = $mapper->setEntities($idpEntities)->map();
     // Sign the document
     $document = $this->_server->sign($document);
     // Convert the document to XML
     $xml = EngineBlock_Corto_XmlToArray::array2xml($document);
     // If debugging is enabled then validate it according to the schema
     if ($this->_server->getConfig('debug', false)) {
         $validator = new EngineBlock_Xml_Validator('http://docs.oasis-open.org/security/saml/v2.0/saml-schema-metadata-2.0.xsd');
         $validator->validate($xml);
     }
     // The spec dictates we use a custom mimetype, but debugging is easier with a normal mimetype
     // also no single SP / IdP complains over this.
     //$this->_server->sendHeader('Content-Type', 'application/samlmetadata+xml');
     $this->_server->sendHeader('Content-Type', 'application/xml');
     $this->_server->sendOutput($xml);
 }