public function getAttributes($nameId, $attributes = array())
 {
     // Set up config
     $config = $this->config;
     // Setup cURL
     $url = $this->as_config['api_url'] . '/' . $nameId;
     $ch = curl_init($url);
     curl_setopt_array($ch, array(CURLOPT_CUSTOMREQUEST => 'GET', CURLOPT_RETURNTRANSFER => true, CURLOPT_HTTPHEADER => array('Content-Type: application/json')));
     // Send the request
     $response = curl_exec($ch);
     $http_response = curl_getinfo($ch, CURLINFO_HTTP_CODE);
     // Check for error; not even redirects are allowed here
     if ($http_response == 507) {
         throw new SimpleSAML_Error_Exception("Out of resources: " . $response);
     } elseif ($response === false || !($http_response >= 200 && $http_response < 300)) {
         SimpleSAML_Logger::error('[afra] API query failed: HTTP response code: ' . $http_response . ', curl error: "' . curl_error($ch)) . '"';
         SimpleSAML_Logger::debug('[afra] API query failed: curl info: ' . var_export(curl_getinfo($ch), 1));
         SimpleSAML_Logger::debug('[afra] API query failed: HTTP response: ' . var_export($response, 1));
         throw new SimpleSAML_Error_Exception("Error at REST API response: " . $response . $http_response);
     } else {
         $data = json_decode($response, true);
         SimpleSAML_Logger::info('[afra] got reply from API');
         SimpleSAML_Logger::debug('[afra] API query url: ' . var_export($url, true));
         SimpleSAML_Logger::debug('[afra] API query result: ' . var_export($data, true));
     }
     $attributes = $data['data'];
     return $attributes;
 }
/**
 * Cron hook for the sanitycheck module.
 *
 * Runs the 'sanitycheck' hooks of all modules when the tag of the current
 * cron run equals the 'cron_tag' option of config-sanitycheck.php, and
 * appends every reported error to the cron summary. Any exception is turned
 * into a summary line as well.
 *
 * @param array &$croninfo  Cron run information; 'tag' is read and
 *                          'summary' is appended to.
 */
function sanitycheck_hook_cron(&$croninfo)
{
    assert('is_array($croninfo)');
    assert('array_key_exists("summary", $croninfo)');
    assert('array_key_exists("tag", $croninfo)');
    SimpleSAML_Logger::info('cron [sanitycheck]: Running cron in cron tag [' . $croninfo['tag'] . '] ');
    try {
        $sanityConfig = SimpleSAML_Configuration::getOptionalConfig('config-sanitycheck.php');
        $configuredTag = $sanityConfig->getString('cron_tag', NULL);
        // Nothing to do unless this run carries the configured tag.
        if ($configuredTag === NULL || $configuredTag !== $croninfo['tag']) {
            return;
        }
        $infoLines = array();
        $errorLines = array();
        // callHooks() takes its data argument by reference, hence the variable.
        $hookData = array('info' => &$infoLines, 'errors' => &$errorLines);
        SimpleSAML_Module::callHooks('sanitycheck', $hookData);
        foreach ($errorLines as $errorLine) {
            $croninfo['summary'][] = 'Sanitycheck error: ' . $errorLine;
        }
    } catch (Exception $e) {
        $croninfo['summary'][] = 'Error executing sanity check: ' . $e->getMessage();
    }
}
 public static function receiveAuthnRequest(SimpleSAML_IdP $idp)
 {
     try {
         // accomodate for disfunctional $_GET "windows" slash decoding in PHP
         $wctx = $_GET['wctx'];
         foreach (explode('&', $_SERVER['REQUEST_URI']) as $e) {
             $a = explode('=', $e);
             if ($a[0] == 'wctx') {
                 $wctx = urldecode($a[1]);
             }
         }
         $requestid = $wctx;
         $issuer = $_GET['wtrealm'];
         $requestcache = array('RequestID' => $requestid, 'Issuer' => $issuer, 'RelayState' => $requestid);
         $spEntityId = $requestcache['Issuer'];
         $metadata = SimpleSAML_Metadata_MetaDataStorageHandler::getMetadataHandler();
         $spMetadata = $metadata->getMetaDataConfig($spEntityId, 'adfs-sp-remote');
         SimpleSAML_Logger::info('ADFS - IdP.prp: Incoming Authentication request: ' . $issuer . ' id ' . $requestid);
     } catch (Exception $exception) {
         throw new SimpleSAML_Error_Error('PROCESSAUTHNREQUEST', $exception);
     }
     $sessionLostURL = NULL;
     // TODO?
     $forceAuthn = FALSE;
     $isPassive = FALSE;
     $state = array('Responder' => array('sspmod_adfs_IdP_ADFS', 'sendResponse'), 'SPMetadata' => $spMetadata->toArray(), 'ForceAuthn' => $forceAuthn, 'isPassive' => $isPassive, 'adfs:wctx' => $wctx);
     $idp->handleAuthenticationRequest($state);
 }
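/**
 * Run the IdP authproc chain passively and compute the consent identifiers.
 *
 * @param array  $idp_metadata   Metadata of the IdP (becomes 'Source' in the state).
 * @param string $source         Source identifier used for the targeted ID.
 * @param array  $sp_metadata    Metadata of the SP (becomes 'Destination' in the state).
 * @param string $sp_entityid    Entity ID of the SP.
 * @param array  $attributes     Attributes before processing.
 * @param string $userid         User identifier the targeted ID is derived from.
 * @param bool   $hashAttributes Whether attribute values take part in the hash.
 *
 * @return array  array($targeted_id, $attribute_hash, $attributes), with the
 *                attributes as modified by the processing chain.
 */
function driveProcessingChain($idp_metadata, $source, $sp_metadata, $sp_entityid, $attributes, $userid, $hashAttributes = FALSE)
{
    /*
     * Create a new processing chain
     */
    $pc = new SimpleSAML_Auth_ProcessingChain($idp_metadata, $sp_metadata, 'idp');
    /*
     * Construct the state.
     * REMEMBER: Do not set Return URL if you are calling processStatePassive
     */
    $authProcState = array('Attributes' => $attributes, 'Destination' => $sp_metadata, 'Source' => $idp_metadata, 'isPassive' => TRUE);
    /*
     * Call processStatePassive.
     * We are not interested in any user interaction, only modifications to the attributes
     */
    $pc->processStatePassive($authProcState);
    $attributes = $authProcState['Attributes'];
    /*
     * Generate identifiers and hashes
     */
    $destination = $sp_metadata['metadata-set'] . '|' . $sp_entityid;
    $targeted_id = sspmod_consent_Auth_Process_Consent::getTargetedID($userid, $source, $destination);
    $attribute_hash = sspmod_consent_Auth_Process_Consent::getAttributeHash($attributes, $hashAttributes);
    // NOTE(review): the reviewed source had the next two log statements fused
    // into one redacted, syntactically invalid line; they are reconstructed
    // here as two separate calls. Be aware that this writes the user
    // identifier to the info log.
    SimpleSAML_Logger::info('consentAdmin: user: ' . $userid);
    SimpleSAML_Logger::info('consentAdmin: target: ' . $targeted_id);
    SimpleSAML_Logger::info('consentAdmin: attribute: ' . $attribute_hash);
    /* Return values */
    return array($targeted_id, $attribute_hash, $attributes);
}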
 public function getAttributes($nameId, $spid, $attributes = array())
 {
     // Generate API key
     $time = new \DateTime();
     date_timezone_set($time, new \DateTimeZone('UTC'));
     $stamp = $time->format('Y-m-d H:i');
     $apiKey = hash('sha256', $this->as_config['hexaa_master_secret'] . $stamp);
     // Make the call
     // The data to send to the API
     $postData = array("apikey" => $apiKey, "fedid" => $nameId, "entityid" => $spid);
     // Setup cURL
     $ch = curl_init($this->as_config['hexaa_api_url'] . '/attributes.json');
     curl_setopt_array($ch, array(CURLOPT_CUSTOMREQUEST => "POST", CURLOPT_RETURNTRANSFER => TRUE, CURLOPT_HTTPHEADER => array('Content-Type: application/json'), CURLOPT_POSTFIELDS => json_encode($postData), CURLOPT_FOLLOWLOCATION => TRUE, CURLOPT_POSTREDIR => 3));
     // Send the request
     $response = curl_exec($ch);
     $http_response = curl_getinfo($ch, CURLINFO_HTTP_CODE);
     // Check for error; not even redirects are allowed here
     if ($response === FALSE || !($http_response >= 200 && $http_response < 300)) {
         SimpleSAML_Logger::error('[aa] HEXAA API query failed: HTTP response code: ' . $http_response . ', curl error: "' . curl_error($ch)) . '"';
         SimpleSAML_Logger::debug('[aa] HEXAA API query failed: curl info: ' . var_export(curl_getinfo($ch), 1));
         SimpleSAML_Logger::debug('[aa] HEXAA API query failed: HTTP response: ' . var_export($response, 1));
         $data = array();
     } else {
         $data = json_decode($response, true);
         SimpleSAML_Logger::info('[aa] got reply from HEXAA API');
         SimpleSAML_Logger::debug('[aa] HEXAA API query postData: ' . var_export($postData, TRUE));
         SimpleSAML_Logger::debug('[aa] HEXAA API query result: ' . var_export($data, TRUE));
     }
     return $data;
 }
 /**
  * Issue a new OAuth access token for a consumer.
  *
  * Generates a fresh key/secret pair and stores it in the 'access' namespace,
  * keyed by the token key and bound to the consumer key, with the configured
  * 'accessTokenDuration' (default: one day).
  *
  * @param mixed $requestToken  The request token being exchanged; only logged here.
  * @param mixed $consumer      The consumer; its ->key binds the stored token.
  *
  * @return OAuthToken The newly issued access token.
  */
 function new_access_token($requestToken, $consumer)
 {
     // NOTE(review): this writes the request token value to the info log;
     // consider logging the consumer key only.
     SimpleSAML_Logger::info('OAuth new_access_token(' . $requestToken . ',' . $consumer . ')');
     $tokenKey = SimpleSAML_Utilities::generateID();
     $tokenSecret = SimpleSAML_Utilities::generateID();
     $accessToken = new OAuthToken($tokenKey, $tokenSecret);
     $ttl = $this->config->getValue('accessTokenDuration', 60 * 60 * 24);
     $this->store->set('access', $accessToken->key, $consumer->key, $accessToken, $ttl);
     return $accessToken;
 }
 /**
  * Filter out YubiKey 'otp' attribute and replace it with
  * a 'yubiPrefix' attribute that leaves out the dynamic part.
  *
  * @param array &$state  The state we should update.
  */
 public function process(&$state)
 {
     assert('is_array($state)');
     assert('array_key_exists("Attributes", $state)');
     $attributes = $state['Attributes'];
     SimpleSAML_Logger::debug('OTP2YubiPrefix: enter with attributes: ' . implode(',', array_keys($attributes)));
     $otps = $attributes['otp'];
     $otp = $otps['0'];
     $token_size = 32;
     $identity = substr($otp, 0, strlen($otp) - $token_size);
     $attributes['yubiPrefix'] = array($identity);
     SimpleSAML_Logger::info('OTP2YubiPrefix: otp: ' . $otp . ' identity: ' . $identity . ' (otp keys: ' . implode(',', array_keys($otps)) . ')');
     unset($attributes['otp']);
     SimpleSAML_Logger::debug('OTP2YubiPrefix: leaving with attributes: ' . implode(',', array_keys($attributes)));
 }
/**
 * Cron hook for the metarefresh module.
 *
 * For every set in config-metarefresh.php whose 'cron' list contains the
 * current cron tag: load all configured sources, write the result to the
 * set's 'outputDir' in 'flatfile' or 'serialize' format, and optionally
 * write an ARP file. Any exception is reported through the cron summary.
 *
 * @param array &$croninfo  Cron run information; 'tag' is read and
 *                          'summary' is appended to.
 */
function metarefresh_hook_cron(&$croninfo)
{
    assert('is_array($croninfo)');
    assert('array_key_exists("summary", $croninfo)');
    assert('array_key_exists("tag", $croninfo)');
    SimpleSAML_Logger::info('cron [metarefresh]: Running cron in cron tag [' . $croninfo['tag'] . '] ');
    try {
        $globalConfig = SimpleSAML_Configuration::getInstance();
        $refreshConfig = SimpleSAML_Configuration::getConfig('config-metarefresh.php');
        foreach ($refreshConfig->getConfigList('sets') as $setName => $setConfig) {
            // Only process sets where cron matches the current cron tag.
            if (!in_array($croninfo['tag'], $setConfig->getArray('cron'))) {
                continue;
            }
            SimpleSAML_Logger::info('cron [metarefresh]: Executing set [' . $setName . ']');
            // Optional absolute expiry for the written metadata.
            $expireAfter = $setConfig->getInteger('expireAfter', NULL);
            $expiry = ($expireAfter === NULL) ? NULL : time() + $expireAfter;
            $loader = new sspmod_metarefresh_MetaLoader($expiry);
            foreach ($setConfig->getArray('sources') as $sourceSpec) {
                SimpleSAML_Logger::debug('cron [metarefresh]: In set [' . $setName . '] loading source [' . $sourceSpec['src'] . ']');
                $loader->loadSource($sourceSpec);
            }
            $targetDir = $globalConfig->resolvePath($setConfig->getString('outputDir'));
            $format = $setConfig->getValueValidate('outputFormat', array('flatfile', 'serialize'), 'flatfile');
            if ($format === 'flatfile') {
                $loader->writeMetadataFiles($targetDir);
            } elseif ($format === 'serialize') {
                $loader->writeMetadataSerialize($targetDir);
            }
            if ($setConfig->hasValue('arp')) {
                $arpConfig = SimpleSAML_Configuration::loadFromArray($setConfig->getValue('arp'));
                $loader->writeARPfile($arpConfig);
            }
        }
    } catch (Exception $e) {
        $croninfo['summary'][] = 'Error during metarefresh: ' . $e->getMessage();
    }
}
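 /**
  * Create a file-system exporter writing to the configured path.
  *
  * @param array $option  Options; 'path' (string) is the output file. An
  *                       existing file is overwritten; a new file is created
  *                       in its directory.
  *
  * @throws Exception If 'path' is missing or not a string, if it names a
  *                   directory, if an existing file is not writable, or if
  *                   the directory that would receive a new file is not
  *                   writable.
  */
 protected function __construct(array $option)
 {
     // Is path passed as a string
     if (!isset($option['path']) || !is_string($option['path'])) {
         $given = isset($option['path']) ? $option['path'] : null;
         throw new Exception('Invalid path given for FileSystem exporter.' . ' Should be a string:' . var_export($given, true));
     }
     $path = $option['path'];
     if (is_dir($path)) {
         throw new Exception('Path is a directory:' . var_export($path, true));
     }
     if (file_exists($path)) {
         // Does the file exist in advance
         SimpleSAML_Logger::info('File: ' . $path . ' exists and will be overwritten');
         $writable = is_writable($path);
     } else {
         // is_writable() is false for a file that does not exist yet; check
         // the directory that will receive it instead.
         $writable = is_writable(dirname($path));
     }
     if (!$writable) {
         throw new Exception('Path not writable:' . var_export($path, true));
     }
     $this->_path = $path;
 }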
 /**
  * Receive an authentication request.
  *
  * @param SimpleSAML_IdP $idp  The IdP we are receiving it for.
  */
 public static function receiveAuthnRequest(SimpleSAML_IdP $idp)
 {
     if (isset($_REQUEST['cookieTime'])) {
         $cookieTime = (int) $_REQUEST['cookieTime'];
         if ($cookieTime + 5 > time()) {
             /*
              * Less than five seconds has passed since we were
              * here the last time. Cookies are probably disabled.
              */
             SimpleSAML_Utilities::checkCookie(SimpleSAML_Utilities::selfURL());
         }
     }
     if (!isset($_REQUEST['providerId'])) {
         throw new SimpleSAML_Error_BadRequest('Missing providerId parameter.');
     }
     $spEntityId = (string) $_REQUEST['providerId'];
     if (!isset($_REQUEST['shire'])) {
         throw new SimpleSAML_Error_BadRequest('Missing shire parameter.');
     }
     $shire = (string) $_REQUEST['shire'];
     if (isset($_REQUEST['target'])) {
         $target = $_REQUEST['target'];
     } else {
         $target = NULL;
     }
     SimpleSAML_Logger::info('Shib1.3 - IdP.SSOService: Got incoming Shib authnRequest from ' . var_export($spEntityId, TRUE) . '.');
     $metadata = SimpleSAML_Metadata_MetaDataStorageHandler::getMetadataHandler();
     $spMetadata = $metadata->getMetaDataConfig($spEntityId, 'shib13-sp-remote');
     $found = FALSE;
     foreach ($spMetadata->getEndpoints('AssertionConsumerService') as $ep) {
         if ($ep['Binding'] !== 'urn:oasis:names:tc:SAML:1.0:profiles:browser-post') {
             continue;
         }
         if ($ep['Location'] !== $shire) {
             continue;
         }
         $found = TRUE;
         break;
     }
     if (!$found) {
         throw new Exception('Invalid AssertionConsumerService for SP ' . var_export($spEntityId, TRUE) . ': ' . var_export($shire, TRUE));
     }
     SimpleSAML_Stats::log('saml:idp:AuthnRequest', array('spEntityID' => $spEntityId, 'protocol' => 'saml1'));
     $sessionLostURL = SimpleSAML_Utilities::addURLparameter(SimpleSAML_Utilities::selfURL(), array('cookieTime' => time()));
     $state = array('Responder' => array('sspmod_saml_IdP_SAML1', 'sendResponse'), 'SPMetadata' => $spMetadata->toArray(), 'saml:shire' => $shire, 'saml:target' => $target, 'saml:AuthnRequestReceivedAt' => microtime(TRUE));
     $idp->handleAuthenticationRequest($state);
 }
/**
 * Cron hook for the discojuice module.
 *
 * Refreshes the cached DiscoJuice metadata feed on every 'hourly' cron run;
 * runs with any other tag are ignored. Failures are reported through the
 * cron summary.
 *
 * @param array &$croninfo  Cron run information; 'tag' is read and
 *                          'summary' is appended to.
 */
function discojuice_hook_cron(&$croninfo) {
	assert('is_array($croninfo)');
	assert('array_key_exists("summary", $croninfo)');
	assert('array_key_exists("tag", $croninfo)');

	// Only the hourly run refreshes the cache.
	if ($croninfo['tag'] !== 'hourly') {
		return;
	}

	SimpleSAML_Logger::info('cron [discojuice metadata caching]: Running cron in tag [' . $croninfo['tag'] . '] ');

	try {
		$metadataFeed = new sspmod_discojuice_Feed();
		$metadataFeed->store();
	} catch (Exception $e) {
		$croninfo['summary'][] = 'Error during discojuice metadata caching: ' . $e->getMessage();
	}
}
 /**
  * Continue the logout operation.
  *
  * This function will never return.
  *
  * @param string $assocId The association that is terminated.
  * @param string|null $relayState The RelayState from the start of the logout.
  * @param SimpleSAML_Error_Exception|null $error The error that occurred during session termination (if any).
  *
  * @throws SimpleSAML_Error_Exception If the RelayState was lost during logout.
  */
 public function onResponse($assocId, $relayState, SimpleSAML_Error_Exception $error = null)
 {
     assert('is_string($assocId)');
     assert('is_string($relayState) || is_null($relayState)');
     if ($relayState === null) {
         throw new SimpleSAML_Error_Exception('RelayState lost during logout.');
     }
     $state = SimpleSAML_Auth_State::loadState($relayState, 'core:LogoutTraditional');
     if ($error === null) {
         SimpleSAML_Logger::info('Logged out of ' . var_export($assocId, true) . '.');
         $this->idp->terminateAssociation($assocId);
     } else {
         SimpleSAML_Logger::warning('Error received from ' . var_export($assocId, true) . ' during logout:');
         $error->logWarning();
         $state['core:Failed'] = true;
     }
     self::logoutNextSP($state);
 }
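/**
 * Cron hook for JANUS
 *
 * This hook does the following:
 *
 * - Downloads the metadata of the entities registered in JANUS and
 *   update the entities with the new metadata.
 * - Validates all entity certificates
 * - Validates all entity endpoints
 *
 * Each job runs independently: an exception in one job is reported in the
 * cron summary (as the other cron hooks do) and does not prevent the
 * remaining jobs from running.
 *
 * @param array &$cronInfo The array with the tags and output summary of the cron run
 *
 * @return void
 *
 * @since Function available since Release 1.4.0
 */
function janus_hook_cron(&$cronInfo)
{
    assert('is_array($cronInfo)');
    assert('array_key_exists("summary", $cronInfo)');
    assert('array_key_exists("tag", $cronInfo)');
    SimpleSAML_Logger::info('cron [janus]: Running cron in cron tag [' . $cronInfo['tag'] . '] ');
    // Jobs in execution order; each is instantiated right before it runs.
    $jobs = array(
        'metadata refresh' => 'sspmod_janus_Cron_Job_MetadataRefresh',
        'entity certificate validation' => 'sspmod_janus_Cron_Job_ValidateEntityCertificate',
        'entity endpoint validation' => 'sspmod_janus_Cron_Job_ValidateEntityEndpoints',
    );
    foreach ($jobs as $jobName => $jobClass) {
        try {
            $job = new $jobClass();
            $summaryLines = $job->runForCronTag($cronInfo['tag']);
            $cronInfo['summary'] = array_merge($cronInfo['summary'], $summaryLines);
        } catch (Exception $e) {
            $cronInfo['summary'][] = 'Error during janus ' . $jobName . ': ' . $e->getMessage();
        }
    }
}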
/**
 * Cron hook for the riak module.
 *
 * On every 'hourly' cron run, deletes the Riak objects whose 'expires'
 * integer index lies between 1 and 30 seconds before now. Other tags are
 * ignored. Failures are logged and reported through the cron summary.
 *
 * @param array &$croninfo  Cron run information; 'tag' is read and
 *                          'summary' is appended to.
 */
function riak_hook_cron(&$croninfo)
{
    assert('is_array($croninfo)');
    assert('array_key_exists("summary", $croninfo)');
    assert('array_key_exists("tag", $croninfo)');
    // Only the hourly run performs the expiry sweep.
    if ($croninfo['tag'] !== 'hourly') {
        return;
    }
    try {
        $riakStore = new sspmod_riak_Store_Store();
        $expired = $riakStore->bucket->indexSearch('expires', 'int', 1, time() - 30);
        foreach ($expired as $objectLink) {
            $objectLink->getBinary()->delete();
        }
        $count = sizeof($expired);
        SimpleSAML_Logger::info(sprintf("deleted %s riak key%s", $count, $count == 1 ? '' : 's'));
    } catch (Exception $e) {
        $message = 'riak threw exception: ' . $e->getMessage();
        SimpleSAML_Logger::warning($message);
        $croninfo['summary'][] = $message;
    }
}
 /**
  * Continue the logout operation.
  *
  * This function will never return.
  *
  * @param string $assocId  The association that is terminated.
  * @param string|NULL $relayState  The RelayState from the start of the logout.
  * @param SimpleSAML_Error_Exception|NULL $error  The error that occurred during session termination (if any).
  */
 public function onResponse($assocId, $relayState, SimpleSAML_Error_Exception $error = NULL)
 {
     assert('is_string($assocId)');
     assert('is_string($relayState) || is_null($relayState)');
     if ($relayState === NULL) {
         throw new SimpleSAML_Error_Exception('RelayState lost during logout.');
     }
     // sanitize the input
     $sid = SimpleSAML_Utilities::parseStateID($relayState);
     if (!is_null($sid['url'])) {
         SimpleSAML_Utilities::checkURLAllowed($sid['url']);
     }
     $state = SimpleSAML_Auth_State::loadState($relayState, 'core:LogoutTraditional');
     if ($error === NULL) {
         SimpleSAML_Logger::info('Logged out of ' . var_export($assocId, TRUE) . '.');
         $this->idp->terminateAssociation($assocId);
     } else {
         SimpleSAML_Logger::warning('Error received from ' . var_export($assocId, TRUE) . ' during logout:');
         $error->logWarning();
         $state['core:Failed'] = TRUE;
     }
     self::logoutNextSP($state);
 }
 /**
  * Check for consent.
  *
  * This function checks whether a given user has authorized the release of
  * the attributes identified by $attributeSet from $source to $destination.
  *
  * @param string $userId        The hash identifying the user at an IdP.
  * @param string $destinationId A string which identifies the destination.
  * @param string $attributeSet  A hash which identifies the attributes.
  *
  * @return bool True if the user has given consent earlier, false if not
  *              (or on error).
  */
 public function hasConsent($userId, $destinationId, $attributeSet)
 {
     assert('is_string($userId)');
     assert('is_string($destinationId)');
     assert('is_string($attributeSet)');
     $cookieName = self::_getCookieName($userId, $destinationId);
     $data = $userId . ':' . $attributeSet . ':' . $destinationId;
     SimpleSAML_Logger::debug('Consent cookie - Get [' . $data . ']');
     if (!array_key_exists($cookieName, $_COOKIE)) {
         SimpleSAML_Logger::debug('Consent cookie - no cookie with name \'' . $cookieName . '\'.');
         return false;
     }
     if (!is_string($_COOKIE[$cookieName])) {
         SimpleSAML_Logger::warning('Value of consent cookie wasn\'t a string. Was: ' . var_export($_COOKIE[$cookieName], true));
         return false;
     }
     $data = self::_sign($data);
     if ($_COOKIE[$cookieName] !== $data) {
         SimpleSAML_Logger::info('Attribute set changed from the last time consent was given.');
         return false;
     }
     SimpleSAML_Logger::debug('Consent cookie - found cookie with correct name and value.');
     return true;
 }
 if ($ldapconfig['search.enable'] === TRUE) {
     if (!$ldap->bind($ldapconfig['search.username'], $ldapconfig['search.password'])) {
         throw new Exception('Error authenticating using search username & password.');
     }
     $dn = $ldap->searchfordn($ldapconfig['search.base'], $ldapconfig['search.attributes'], $_POST['username']);
 } else {
     $dn = str_replace('%username%', $_POST['username'], $ldapconfig['dnpattern']);
 }
 $pwd = $_POST['password'];
 $ldap = new SimpleSAML_Auth_LDAP($ldapconfig['hostname'], $ldapconfig['enable_tls']);
 if ($pwd == "" or !$ldap->bind($dn, $pwd)) {
     SimpleSAML_Logger::info('AUTH - ldap-multi: ' . $_POST['username'] . ' failed to authenticate. DN=' . $dn);
     throw new Exception('Wrong username or password');
 }
 $attributes = $ldap->getAttributes($dn, $ldapconfig['attributes']);
 SimpleSAML_Logger::info('AUTH - ldap-multi: ' . $_POST['username'] . ' successfully authenticated');
 $session->doLogin('login-ldapmulti');
 $session->setAttributes($attributes);
 $session->setNameID(array('value' => SimpleSAML_Utilities::generateID(), 'Format' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient'));
 /**
  * Create a statistics log entry for every successfull login attempt.
  * Also log a specific attribute as set in the config: statistics.authlogattr
  */
 $authlogattr = $config->getValue('statistics.authlogattr', null);
 if ($authlogattr && array_key_exists($authlogattr, $attributes)) {
     SimpleSAML_Logger::stats('AUTH-login-ldapmulti OK ' . $attributes[$authlogattr][0]);
 } else {
     SimpleSAML_Logger::stats('AUTH-login-ldapmulti OK');
 }
 $returnto = $_REQUEST['RelayState'];
 SimpleSAML_Utilities::redirect($returnto);
 /**
  * Validate certificate and login
  *
  * This function try to validate the certificate.
  * On success, the user is logged in without going through
  * o login page.
  * On failure, The authX509:X509error.php template is
  * loaded.
  *
  * @param array &$state  Information about the current authentication.
  */
 public function authenticate(&$state)
 {
     assert('is_array($state)');
     $ldapcf = $this->ldapcf;
     if (!isset($_SERVER['SSL_CLIENT_CERT']) || $_SERVER['SSL_CLIENT_CERT'] == '') {
         $state['authX509.error'] = "NOCERT";
         $this->authFailed($state);
         assert('FALSE');
         /* NOTREACHED */
         return;
     }
     $client_cert = $_SERVER['SSL_CLIENT_CERT'];
     $client_cert_data = openssl_x509_parse($client_cert);
     if ($client_cert_data == FALSE) {
         SimpleSAML_Logger::error('authX509: invalid cert');
         $state['authX509.error'] = "INVALIDCERT";
         $this->authFailed($state);
         assert('FALSE');
         /* NOTREACHED */
         return;
     }
     $dn = NULL;
     foreach ($this->x509attributes as $x509_attr => $ldap_attr) {
         /* value is scalar */
         if (array_key_exists($x509_attr, $client_cert_data['subject'])) {
             $value = $client_cert_data['subject'][$x509_attr];
             SimpleSAML_Logger::info('authX509: cert ' . $x509_attr . ' = ' . $value);
             $dn = $ldapcf->searchfordn($ldap_attr, $value, TRUE);
             if ($dn !== NULL) {
                 break;
             }
         }
     }
     if ($dn === NULL) {
         SimpleSAML_Logger::error('authX509: cert has ' . 'no matching user in LDAP');
         $state['authX509.error'] = "UNKNOWNCERT";
         $this->authFailed($state);
         assert('FALSE');
         /* NOTREACHED */
         return;
     }
     if ($this->ldapusercert === NULL) {
         // do not check for certificate match
         $attributes = $ldapcf->getAttributes($dn);
         assert('is_array($attributes)');
         $state['Attributes'] = $attributes;
         $this->authSuccesful($state);
         assert('FALSE');
         /* NOTREACHED */
         return;
     }
     $ldap_certs = $ldapcf->getAttributes($dn, $this->ldapusercert);
     if ($ldap_certs === FALSE) {
         SimpleSAML_Logger::error('authX509: no certificate ' . 'found in LDAP for dn=' . $dn);
         $state['authX509.error'] = "UNKNOWNCERT";
         $this->authFailed($state);
         assert('FALSE');
         /* NOTREACHED */
         return;
     }
     $merged_ldapcerts = array();
     foreach ($this->ldapusercert as $attr) {
         $merged_ldapcerts = array_merge($merged_ldapcerts, $ldap_certs[$attr]);
     }
     $ldap_certs = $merged_ldapcerts;
     foreach ($ldap_certs as $ldap_cert) {
         $pem = $this->der2pem($ldap_cert);
         $ldap_cert_data = openssl_x509_parse($pem);
         if ($ldap_cert_data == FALSE) {
             SimpleSAML_Logger::error('authX509: cert in ' . 'LDAP in invalid for ' . 'dn = ' . $dn);
             continue;
         }
         if ($ldap_cert_data === $client_cert_data) {
             $attributes = $ldapcf->getAttributes($dn);
             assert('is_array($attributes)');
             $state['Attributes'] = $attributes;
             $this->authSuccesful($state);
             assert('FALSE');
             /* NOTREACHED */
             return;
         }
     }
     SimpleSAML_Logger::error('authX509: no matching cert in ' . 'LDAP for dn = ' . $dn);
     $state['authX509.error'] = "UNKNOWNCERT";
     $this->authFailed($state);
     assert('FALSE');
     /* NOTREACHED */
     return;
 }
<?php

/**
 * about2expire.php
 *
 * Warning page shown when the user's NetID is close to its expiry date.
 * Once the user confirms with the yes-button, the authentication processing
 * chain is resumed.
 *
 * @package simpleSAMLphp
 */
SimpleSAML_Logger::info('expirycheck - User has been warned that NetID is near to expirational date.');
if (!array_key_exists('StateId', $_REQUEST)) {
    throw new SimpleSAML_Error_BadRequest('Missing required StateId query parameter.');
}
$stateId = $_REQUEST['StateId'];
// The state ID may embed a return URL: only accept URLs the configuration
// trusts before the state is used at all.
$parsedId = SimpleSAML_Utilities::parseStateID($stateId);
if ($parsedId['url'] !== null) {
    SimpleSAML_Utilities::checkURLAllowed($parsedId['url']);
}
$state = SimpleSAML_Auth_State::loadState($stateId, 'expirywarning:about2expire');
if (array_key_exists('yes', $_REQUEST)) {
    /* The user has pressed the yes-button; resume processing (expected not to return). */
    SimpleSAML_Auth_ProcessingChain::resumeProcessing($state);
}
$globalConfig = SimpleSAML_Configuration::getInstance();
$template = new SimpleSAML_XHTML_Template($globalConfig, 'expirycheck:about2expire.php');
$template->data['yesTarget'] = SimpleSAML_Module::getModuleURL('expirycheck/about2expire.php');
$template->data['yesData'] = array('StateId' => $stateId);
$template->data['daysleft'] = $state['daysleft'];
$template->data['expireOnDate'] = $state['expireOnDate'];
$template->data['netId'] = $state['netId'];
$template->show();
<?php

/*
 * This endpoint is provided for backwards compatibility,
 * and should not be used.
 *
 * Use SingleLogoutService.php instead.
 */
require_once '../../_include.php';
SimpleSAML_Logger::info('SAML2.0 - IdP.SingleLogoutServiceiFrame: Accessing SAML 2.0 IdP endpoint SingleLogoutService (iFrame version)');
// Resolve the hosted IdP for this request and hand the incoming logout
// message to the SAML 2.0 IdP code.
$metadata = SimpleSAML_Metadata_MetaDataStorageHandler::getMetadataHandler();
$hostedEntityId = $metadata->getMetaDataCurrentEntityID('saml20-idp-hosted');
$idp = SimpleSAML_IdP::getById('saml2:' . $hostedEntityId);
sspmod_saml_IdP_SAML2::receiveLogoutMessage($idp);
// receiveLogoutMessage() is not expected to return.
assert('FALSE');
 * WS-Federation/ADFS PRP protocol support for simpleSAMLphp.
 *
 * The AssertionConsumerService handler accepts responses from a WS-Federation
 * Account Partner using the Passive Requestor Profile (PRP) and handles it as
 * a Resource Partner.  It receives a response, parses it and passes on the
 * authentication+attributes.
 *
 * @author Hans Zandbelt, SURFnet BV. <*****@*****.**>
 * @package simpleSAMLphp
 */
require_once '../../_include.php';
$config = SimpleSAML_Configuration::getInstance();
$session = SimpleSAML_Session::getSessionFromRequest();
$metadata = SimpleSAML_Metadata_MetaDataStorageHandler::getMetadataHandler();
SimpleSAML_Logger::warning('The file wsfed/sp/prp.php is deprecated and will be removed in future versions.');
SimpleSAML_Logger::info('WS-Fed - SP.AssertionConsumerService: Accessing WS-Fed SP endpoint AssertionConsumerService');
// This endpoint is off unless explicitly enabled in the configuration.
if (!$config->getBoolean('enable.wsfed-sp', false)) {
    throw new SimpleSAML_Error_Error('NOACCESS');
}
// Sign-out cleanup is a plain, unauthenticated GET (as the protocol defines it):
// drop the local wsfed session, if there is one, and send the browser to wreply.
$wa = empty($_GET['wa']) ? null : $_GET['wa'];
if ($wa !== null && $wa == 'wsignoutcleanup1.0') {
    if (isset($session) && $session->isValid('wsfed')) {
        $session->doLogout('wsfed');
    }
    $wreply = empty($_GET['wreply']) ? null : $_GET['wreply'];
    if ($wreply !== null) {
        // $_GET is already URL-decoded, so urldecode() here is a second decode;
        // the allow-list check inside redirectUntrustedURL() is what keeps this
        // from being an open redirect, and it runs on the fully decoded value.
        SimpleSAML_Utilities::redirectUntrustedURL(urldecode($wreply));
    }
    exit;
}
/* Make sure that the correct query parameters are passed to this script. */
try {
    if (empty($_POST['wresult'])) {
     foreach ($indexFiles as $if) {
         if (file_exists($path . $if)) {
             $path .= $if;
             break;
         }
     }
 }
 if (is_dir($path)) {
     /* Path is a directory - maybe no index file was found in the previous step, or maybe the path didn't end with
      * a slash. Either way, we don't do directory listings.
      */
     throw new SimpleSAML_Error_NotFound('Directory listing not available.');
 }
 if (!file_exists($path)) {
     // file not found
     SimpleSAML_Logger::info('Could not find file \'' . $path . '\'.');
     throw new SimpleSAML_Error_NotFound('The URL wasn\'t found in the module.');
 }
 if (preg_match('#\\.php$#D', $path)) {
     // PHP file - attempt to run it
     $_SERVER['SCRIPT_NAME'] .= '/' . $module . '/' . $url;
     require $path;
     exit;
 }
 // some other file type - attempt to serve it
 // find MIME type for file, based on extension
 $contentType = null;
 if (preg_match('#\\.([^/\\.]+)$#D', $path, $type)) {
     $type = strtolower($type[1]);
     if (array_key_exists($type, $mimeTypes)) {
         $contentType = $mimeTypes[$type];
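 /**
  * Add attributes from an LDAP server.
  *
  * The configured search filter ($this->search_filter) may reference request
  * attributes as %attrName%. Each placeholder is replaced with the first value
  * of that attribute, escaped for use inside an LDAP filter, and the filter is
  * rejected if any placeholder is left unresolved. Every entry returned by the
  * search is then folded into the request attributes according to
  * $this->attr_policy ('merge', 'replace' or 'add'); $this->search_attributes
  * maps target attribute name => LDAP attribute name (a numeric key means the
  * LDAP name is used as the target name).
  *
  * @param array &$request The current request
  */
 public function process(&$request)
 {
     assert('is_array($request)');
     assert('array_key_exists("Attributes", $request)');
     $attributes =& $request['Attributes'];
     // Build the search/replace arrays for the %attr% placeholders. Only the
     // first value of each attribute is used; it is filter-escaped so that
     // attribute content cannot alter the structure of the LDAP filter.
     // (Initialised explicitly: with no attributes at all the arrays would
     // otherwise be undefined when passed to str_replace().)
     $arrSearch = array();
     $arrReplace = array();
     foreach ($attributes as $attr => $val) {
         $arrSearch[] = '%' . $attr . '%';
         // an attribute with no values is substituted as the empty string
         $first = isset($val[0]) ? $val[0] : '';
         if (strlen($first) > 0) {
             $arrReplace[] = SimpleSAML_Auth_LDAP::escape_filter_value($first);
         } else {
             $arrReplace[] = '';
         }
     }
     // merge the attributes into the ldap_search_filter
     $filter = str_replace($arrSearch, $arrReplace, $this->search_filter);
     // Fail closed if a placeholder was not substituted. Note that this check
     // also trips on a literal '%' inside a substituted attribute value.
     if (strpos($filter, '%') !== FALSE) {
         SimpleSAML_Logger::info('AttributeAddFromLDAP: There are non-existing attributes in the search filter. (' . $this->search_filter . ')');
         return;
     }
     if (!in_array($this->attr_policy, array('merge', 'replace', 'add'), TRUE)) {
         SimpleSAML_Logger::warning("AttributeAddFromLDAP: 'attribute.policy' must be one of 'merge'," . "'replace' or 'add'.");
         return;
     }
     // search for matching entries
     try {
         $entries = $this->getLdap()->searchformultiple($this->base_dn, $filter, array_values($this->search_attributes), TRUE, FALSE);
     } catch (Exception $e) {
         // silent fail, error is still logged by LDAP search
         return;
     }
     // handle [multiple] values
     foreach ($entries as $entry) {
         foreach ($this->search_attributes as $target => $name) {
             if (is_numeric($target)) {
                 $target = $name;
             }
             // 'replace' drops whatever the request already had for this target
             if (isset($attributes[$target]) && $this->attr_policy === 'replace') {
                 unset($attributes[$target]);
             }
             $name = strtolower($name);
             if (isset($entry[$name])) {
                 // ldap_get_entries()-style result: strip the 'count' element
                 unset($entry[$name]['count']);
                 if (isset($attributes[$target])) {
                     foreach (array_values($entry[$name]) as $value) {
                         if ($this->attr_policy === 'merge') {
                             // 'merge' only adds values not already present; compare
                             // strictly so that e.g. '1' and '01' stay distinct values
                             if (!in_array($value, $attributes[$target], TRUE)) {
                                 $attributes[$target][] = $value;
                             }
                         } else {
                             $attributes[$target][] = $value;
                         }
                     }
                 } else {
                     $attributes[$target] = array_values($entry[$name]);
                 }
             }
         }
     }
 }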
 /**
  * Retrieve a logout URL for a given logout association.
  *
  * The SP's SingleLogoutService endpoint is chosen preferring HTTP-Redirect
  * over HTTP-POST. If the selected endpoint uses HTTP-POST, the returned URL
  * points at the core logout-iframe-post.php page (carrying the association
  * id, the IdP id and the RelayState as query parameters); otherwise a
  * LogoutRequest is built here and encoded into an HTTP-Redirect binding URL.
  *
  * @param SimpleSAML_IdP $idp  The IdP we are sending a logout request from.
  * @param array $association  The association that should be terminated.
  * @param string|NULL $relayState  An id that should be carried across the logout.
  * @return string  The URL the user agent should be sent to.
  */
 public static function getLogoutURL(SimpleSAML_IdP $idp, array $association, $relayState)
 {
     assert('is_string($relayState) || is_null($relayState)');
     $spEntityId = $association['saml:entityID'];
     SimpleSAML_Logger::info('Sending SAML 2.0 LogoutRequest to: ' . var_export($spEntityId, TRUE));
     $mdHandler = SimpleSAML_Metadata_MetaDataStorageHandler::getMetadataHandler();
     $idpMetadata = $idp->getConfig();
     $spMetadata = $mdHandler->getMetaDataConfig($spEntityId, 'saml20-sp-remote');
     $preferredBindings = array(SAML2_Const::BINDING_HTTP_REDIRECT, SAML2_Const::BINDING_HTTP_POST);
     $endpoint = $spMetadata->getEndpointPrioritizedByBinding('SingleLogoutService', $preferredBindings);
     if ($endpoint['Binding'] !== SAML2_Const::BINDING_HTTP_POST) {
         // HTTP-Redirect: the LogoutRequest itself travels in the URL.
         $logoutRequest = self::buildLogoutRequest($idpMetadata, $spMetadata, $association, $relayState);
         $logoutRequest->setDestination($endpoint['Location']);
         $redirectBinding = new SAML2_HTTPRedirect();
         return $redirectBinding->getRedirectURL($logoutRequest);
     }
     // HTTP-POST: hand over to the iframe POST page.
     $query = array('association' => $association['id'], 'idp' => $idp->getId());
     if ($relayState !== NULL) {
         $query['RelayState'] = $relayState;
     }
     return SimpleSAML_Module::getModuleURL('core/idp/logout-iframe-post.php', $query);
 }
    if ($idp === NULL) {
        /* No issuer found in the assertions. */
        throw new Exception('Missing <saml:Issuer> in message delivered to AssertionConsumerService.');
    }
}
$session = SimpleSAML_Session::getInstance();
// Replay/duplicate check: $sourceId, $response and $idp are set earlier in this
// script. A response is treated as a duplicate only if BOTH its message ID and
// its issuer match what was recorded for the current SP session.
$prevAuth = $session->getAuthData($sourceId, 'saml:sp:prevAuth');
if ($prevAuth !== NULL && $prevAuth['id'] === $response->getId() && $prevAuth['issuer'] === $idp) {
    /* OK, it looks like this message has the same issuer
     * and ID as the SP session we already have active. We
     * therefore assume that the user has somehow triggered
     * a resend of the message.
     * In that case we may as well just redo the previous redirect
     * instead of displaying a confusing error message.
     */
    // NOTE(review): the redirect target is read from session data, not from
    // the request, which is presumably why no URL allow-list check is applied
    // here — confirm where 'saml:sp:prevAuth' is written.
    SimpleSAML_Logger::info('Duplicate SAML 2 response detected - ignoring the response and redirecting the user to the correct page.');
    SimpleSAML_Utilities::redirect($prevAuth['redirect']);
}
$stateId = $response->getInResponseTo();
if (!empty($stateId)) {
    /* This is a response to a request we sent earlier. */
    $state = SimpleSAML_Auth_State::loadState($stateId, 'saml:sp:sso');
    /* Check that the authentication source is correct. */
    assert('array_key_exists("saml:sp:AuthId", $state)');
    if ($state['saml:sp:AuthId'] !== $sourceId) {
        throw new SimpleSAML_Error_Exception('The authentication source id in the URL does not match the authentication source which sent the request.');
    }
    /* Check that the issuer is the one we are expecting. */
    assert('array_key_exists("ExpectedIssuer", $state)');
    if ($state['ExpectedIssuer'] !== $idp) {
        throw new SimpleSAML_Error_Exception('The issuer of the response does not match to the identity provider we sent the request to.');
                $session->doLogin('login-radius');
                $session->setAttributes($attributes);
                $session->setNameID(array('value' => SimpleSAML_Utilities::generateID(), 'Format' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient'));
                /**
                 * Create a statistics log entry for every successfull login attempt.
                 * Also log a specific attribute as set in the config: statistics.authlogattr
                 */
                $authlogattr = $config->getValue('statistics.authlogattr', null);
                if ($authlogattr && array_key_exists($authlogattr, $attributes)) {
                    SimpleSAML_Logger::stats('AUTH-login-radius OK ' . $attributes[$authlogattr][0]);
                } else {
                    SimpleSAML_Logger::stats('AUTH-login-radius OK');
                }
                SimpleSAML_Utilities::redirectTrustedURL($relaystate);
            case RADIUS_ACCESS_REJECT:
                SimpleSAML_Logger::info('AUTH - radius: ' . $_POST['username'] . ' failed to authenticate');
                throw new Exception('Radius authentication error: Bad credentials ');
                break;
            case RADIUS_ACCESS_CHALLENGE:
                SimpleSAML_Logger::critical('AUTH - radius: Challenge requested: ' . radius_strerror($radius));
                throw new Exception('Radius authentication error: Challenge requested');
                break;
            default:
                SimpleSAML_Logger::critical('AUTH  -radius: General radius error: ' . radius_strerror($radius));
                throw new Exception('Error during radius authentication: ' . radius_strerror($radius));
        }
    } catch (Exception $e) {
        $error = $e->getMessage();
    }
}
$t = new SimpleSAML_XHTML_Template($config, 'login.php', 'login');
    $userid = null;
    if (!array_key_exists('SSL_CLIENT_VERIFY', $_SERVER)) {
        throw new Exception('Apache header variable SSL_CLIENT_VERIFY was not available. Recheck your apache configuration.');
    }
    if (strcmp($_SERVER['SSL_CLIENT_VERIFY'], "SUCCESS") != 0) {
        throw new SimpleSAML_Error_Error('NOTVALIDCERT', $e);
    }
    $userid = $_SERVER['SSL_CLIENT_S_DN'];
    $attributes['CertificateDN'] = array($userid);
    $attributes['CertificateDNCN'] = array($_SERVER['SSL_CLIENT_S_DN_CN']);
    $session->doLogin('tlsclient');
    $session->setAttributes($attributes);
    #echo '<pre>';
    #print_r($_SERVER);
    #echo '</pre>'; exit;
    SimpleSAML_Logger::info('AUTH - tlsclient: ' . $userid . ' successfully authenticated');
    $session->setNameID(array('value' => SimpleSAML_Utilities::generateID(), 'Format' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient'));
    /**
     * Create a statistics log entry for every successfull login attempt.
     * Also log a specific attribute as set in the config: statistics.authlogattr
     */
    $authlogattr = $config->getValue('statistics.authlogattr', null);
    if ($authlogattr && array_key_exists($authlogattr, $attributes)) {
        SimpleSAML_Logger::stats('AUTH-tlsclient OK ' . $attributes[$authlogattr][0]);
    } else {
        SimpleSAML_Logger::stats('AUTH-tlsclient OK');
    }
    SimpleSAML_Utilities::redirectUntrustedURL($_REQUEST['RelayState']);
} catch (Exception $e) {
    throw new SimpleSAML_Error_Error('CONFIG', $e);
}
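 /**
  * Look up a user's DN and, when a password is supplied, verify it by binding
  * as that DN; on success the user's attributes are returned.
  *
  * @param array $config  Keys used: priv_user_dn/priv_user_pw (optional
  *                       privileged bind before the lookup), dnpattern (DN
  *                       template with %username%) or searchbase +
  *                       searchattributes (DN search), and attributes.
  * @param string $username  The user name to look up.
  * @param string|null $password  The password to verify. null means "do not
  *                               check credentials"; an empty string is
  *                               rejected, never treated as "no check".
  * @return array|FALSE  The attributes from getAttributes(), or FALSE when
  *                      the password does not validate.
  */
 public function validate($config, $username, $password = null)
 {
     /* Escape any characters with a special meaning in an LDAP DN. The
      * following characters have a special meaning (according to RFC 2253):
      * ',', '+', '"', '\', '<', '>', ';', '*'
      * These characters are escaped by prefixing them with '\'.
      *
      * NOTE(review): this is DN escaping. In the 'searchbase' branch below the
      * same value is handed to searchfordn(), i.e. a search-filter context,
      * where '(' and ')' would additionally need escaping (RFC 4515) — confirm
      * that searchfordn() escapes its filter value itself.
      */
     $username = addcslashes($username, ',+"\\<>;*');
     /* The password is only ever used as bind credentials and is deliberately
      * NOT escaped: escaping it would turn e.g. 'a,b' into 'a\,b' and make any
      * password containing one of the characters above fail to authenticate. */
     if (isset($config['priv_user_dn'])) {
         // Privileged bind for the DN lookup. Its result is not checked here;
         // a failed privileged bind surfaces through searchfordn()/bind below.
         $this->bind($config['priv_user_dn'], $config['priv_user_pw']);
     }
     if (isset($config['dnpattern'])) {
         $dn = str_replace('%username%', $username, $config['dnpattern']);
     } else {
         $dn = $this->searchfordn($config['searchbase'], $config['searchattributes'], $username);
     }
     if ($password !== null) {
         /* checking users credentials ... assuming below that she may read her own attributes ... */
         // An empty password must never validate: an LDAP simple bind with an
         // empty password is an unauthenticated bind (RFC 4513 §5.1.2) that
         // many servers accept, which would let anyone "log in" as $dn.
         if ($password === '' || !$this->bind($dn, $password)) {
             SimpleSAML_Logger::info('Library - LDAP validate(): Failed to authenticate \'' . $username . '\' using DN \'' . $dn . '\'');
             return FALSE;
         }
     }
     /*
      * Retrieve attributes from LDAP
      */
     $attributes = $this->getAttributes($dn, $config['attributes']);
     return $attributes;
 }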
 /**
  * Log a message.
  *
  * Helper that writes $message at info level, prefixed with this discovery
  * service type and the instance name so log lines can be attributed.
  *
  * @param string $message  The message which should be logged.
  */
 protected function log($message)
 {
     $prefix = 'PowerIdPDisco.' . $this->instance . ': ';
     SimpleSAML_Logger::info($prefix . $message);
 }
<?php

/**
 * This script displays a page to the user which tells them that access
 * has been blocked (JANUS accessblock); it renders the janus:accessblock
 * template for the given StateId.
 *
 * @package simpleSAMLphp
 * @version $Id$
 */
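SimpleSAML_Logger::info('JANUS - Access blocked');
if (!array_key_exists('StateId', $_REQUEST)) {
    throw new SimpleSAML_Error_BadRequest('Missing required StateId query parameter.');
}
$id = $_REQUEST['StateId'];
// The StateId is request-controlled and may embed a URL (see parseStateID).
// Validate that URL against the allowed-URL list before the id reaches
// loadState(), as the other module pages (e.g. expirycheck/about2expire.php)
// do, so that a crafted StateId cannot be used to send the user to an
// arbitrary site. (loadState() is understood to fall back to that URL when
// the state is gone — confirm in SimpleSAML_Auth_State.)
$sid = SimpleSAML_Utilities::parseStateID($id);
if (!is_null($sid['url'])) {
    SimpleSAML_Utilities::checkURLAllowed($sid['url']);
}
$state = SimpleSAML_Auth_State::loadState($id, 'janus:accessblock');
// Render the "access blocked" page; the StateId is passed through to the template.
$globalConfig = SimpleSAML_Configuration::getInstance();
$t = new SimpleSAML_XHTML_Template($globalConfig, 'janus:accessblock.php', 'janus:accessblock');
$t->data['stateid'] = array('StateId' => $id);
$t->show();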