Extracts nodes from the DOMDocument.
/**
* Gets the SessionIndexes from the Logout Request.
* Notice: Our Constructor only support 1 SessionIndex but this parser
* extracts an array of all the SessionIndex found on a
* Logout Request, that could be many.
*
* @param string|DOMDocument $request Logout Request Message
*
* @return array The SessionIndex value
*/
public static function getSessionIndexes($request)
{
if ($request instanceof DOMDocument) {
$dom = $request;
} else {
$dom = new DOMDocument();
$dom = OneLogin_Saml2_Utils::loadXML($dom, $request);
}
$sessionIndexes = array();
$sessionIndexNodes = OneLogin_Saml2_Utils::query($dom, '/samlp:LogoutRequest/samlp:SessionIndex');
foreach ($sessionIndexNodes as $sessionIndexNode) {
$sessionIndexes[] = $sessionIndexNode->textContent;
}
return $sessionIndexes;
}
/**
* Tests the query method of the OneLogin_Saml2_Utils
*
* @covers OneLogin_Saml2_Utils::query
*/
public function testQuery()
{
$xml = base64_decode(file_get_contents(TEST_ROOT . '/data/responses/valid_response.xml.base64'));
$dom = new DOMDocument();
$dom->loadXML($xml);
$assertionNodes = OneLogin_Saml2_Utils::query($dom, '/samlp:Response/saml:Assertion');
$this->assertEquals(1, $assertionNodes->length);
$assertion = $assertionNodes->item(0);
$this->assertEquals('saml:Assertion', $assertion->tagName);
$attributeStatementNodes = OneLogin_Saml2_Utils::query($dom, '/samlp:Response/saml:Assertion/saml:AttributeStatement');
$this->assertEquals(1, $attributeStatementNodes->length);
$attributeStatement = $attributeStatementNodes->item(0);
$this->assertEquals('saml:AttributeStatement', $attributeStatement->tagName);
$attributeStatementNodes2 = OneLogin_Saml2_Utils::query($dom, './saml:AttributeStatement', $assertion);
$this->assertEquals(1, $attributeStatementNodes2->length);
$attributeStatement2 = $attributeStatementNodes2->item(0);
$this->assertEquals($attributeStatement, $attributeStatement2);
$signatureResNodes = OneLogin_Saml2_Utils::query($dom, '/samlp:Response/ds:Signature');
$this->assertEquals(1, $signatureResNodes->length);
$signatureRes = $signatureResNodes->item(0);
$this->assertEquals('ds:Signature', $signatureRes->tagName);
$signatureNodes = OneLogin_Saml2_Utils::query($dom, '/samlp:Response/saml:Assertion/ds:Signature');
$this->assertEquals(1, $signatureNodes->length);
$signature = $signatureNodes->item(0);
$this->assertEquals('ds:Signature', $signature->tagName);
$signatureNodes2 = OneLogin_Saml2_Utils::query($dom, './ds:Signature', $assertion);
$this->assertEquals(1, $signatureNodes2->length);
$signature2 = $signatureNodes2->item(0);
$this->assertEquals($signature->textContent, $signature2->textContent);
$this->assertNotEquals($signatureRes->textContent, $signature2->textContent);
$signatureNodes3 = OneLogin_Saml2_Utils::query($dom, './ds:SignatureValue', $assertion);
$this->assertEquals(0, $signatureNodes3->length);
$signatureNodes4 = OneLogin_Saml2_Utils::query($dom, './ds:Signature/ds:SignatureValue', $assertion);
$this->assertEquals(1, $signatureNodes4->length);
$signatureNodes5 = OneLogin_Saml2_Utils::query($dom, './/ds:SignatureValue', $assertion);
$this->assertEquals(1, $signatureNodes5->length);
}
/**
* Extracts nodes that match the query from the DOMDocument (Response Menssage)
*
* @param string $query Xpath Expresion
*
* @return DOMNodeList The queried nodes
*/
private function _query($query)
{
if ($this->encrypted) {
return OneLogin_Saml2_Utils::query($this->decryptedDocument, $query);
} else {
return OneLogin_Saml2_Utils::query($this->document, $query);
}
}
/**
* Extracts a node from the DOMDocument (Logout Response Menssage)
*
* @param string $query Xpath Expresion
*
* @return DOMNodeList The queried node
*/
private function _query($query)
{
return OneLogin_Saml2_Utils::query($this->document, $query);
}
/**
* Validates a signature (Message or Assertion).
*
* @param string|DomNode $xml The element we should validate
* @param string|null $cert The pubic cert
* @param string|null $fingerprint The fingerprint of the public cert
* @param string|null $fingerprintalg The algorithm used to get the fingerprint
* @param string|null $xpath The xpath of the signed element
*
* @return bool
*
* @throws Exception
*/
public static function validateSign($xml, $cert = null, $fingerprint = null, $fingerprintalg = 'sha1', $xpath = null)
{
if ($xml instanceof DOMDocument) {
$dom = clone $xml;
} else {
if ($xml instanceof DOMElement) {
$dom = clone $xml->ownerDocument;
} else {
$dom = new DOMDocument();
$dom = self::loadXML($dom, $xml);
}
}
$objXMLSecDSig = new XMLSecurityDSig();
$objXMLSecDSig->idKeys = array('ID');
if ($xpath) {
$nodeset = OneLogin_Saml2_Utils::query($dom, $xpath);
$objDSig = $nodeset->item(0);
$objXMLSecDSig->sigNode = $objDSig;
} else {
$objDSig = $objXMLSecDSig->locateSignature($dom);
}
if (!$objDSig) {
throw new Exception('Cannot locate Signature Node');
}
$objKey = $objXMLSecDSig->locateKey();
if (!$objKey) {
throw new Exception('We have no idea about the key');
}
$objXMLSecDSig->canonicalizeSignedInfo();
try {
$retVal = $objXMLSecDSig->validateReference();
} catch (Exception $e) {
throw $e;
}
XMLSecEnc::staticLocateKeyInfo($objKey, $objDSig);
if (!empty($cert)) {
$objKey->loadKey($cert, false, true);
return $objXMLSecDSig->verify($objKey) === 1;
} else {
$domCert = $objKey->getX509Certificate();
$domCertFingerprint = OneLogin_Saml2_Utils::calculateX509Fingerprint($domCert, $fingerprintalg);
if (OneLogin_Saml2_Utils::formatFingerPrint($fingerprint) !== $domCertFingerprint) {
return false;
} else {
$objKey->loadKey($domCert, false, true);
return $objXMLSecDSig->verify($objKey) === 1;
}
}
}
