/**
* @param AssertionContext $context
*
* @throws \LogicException
* @throws \LightSaml\Error\LightSamlValidationException
*
* @return \DateTime
*/
protected function getIdExpiryTime(AssertionContext $context)
{
/** @var \DateTime $result */
$result = null;
$bearerConfirmations = $context->getAssertion()->getSubject()->getBearerConfirmations();
if (null == $bearerConfirmations) {
throw new \LogicException('Bearer assertion must have bearer subject confirmations');
}
foreach ($bearerConfirmations as $subjectConfirmation) {
if (null == $subjectConfirmation->getSubjectConfirmationData()) {
$message = 'Bearer SubjectConfirmation must have SubjectConfirmationData element';
$this->logger->error($message, LogHelper::getActionErrorContext($context, $this));
throw new LightSamlContextException($context, $message);
}
$dt = $subjectConfirmation->getSubjectConfirmationData()->getNotOnOrAfterDateTime();
if (null == $dt) {
$message = 'Bearer SubjectConfirmation must have NotOnOrAfter attribute';
$this->logger->error($message, LogHelper::getActionErrorContext($context, $this));
throw new LightSamlContextException($context, $message);
}
if (null == $result || $result->getTimestamp() < $dt->getTimestamp()) {
$result = $dt;
}
}
if (null == $result) {
$message = 'Unable to find NotOnOrAfter attribute in bearer assertion';
$this->logger->error($message, LogHelper::getActionErrorContext($context, $this));
throw new LightSamlContextException($context, $message);
}
return $result;
}
/**
* @param AssertionContext $context
*
* @return void
*/
protected function doExecute(AssertionContext $context)
{
$profileContext = $context->getProfileContext();
$trustOptions = $profileContext->getTrustOptions();
if (false === $trustOptions->getEncryptAssertions()) {
return;
}
if (null == ($assertion = $context->getAssertion())) {
throw new LightSamlContextException($context, 'Assertion for encryption is not set');
}
$context->setAssertion(null);
$query = $this->credentialResolver->query();
$query->add(new EntityIdCriteria($profileContext->getPartyEntityDescriptor()->getEntityID()))->add(new MetadataCriteria(ProfileContext::ROLE_IDP === $profileContext->getOwnRole() ? MetadataCriteria::TYPE_SP : MetadataCriteria::TYPE_IDP, SamlConstants::PROTOCOL_SAML2))->add(new UsageCriteria(UsageType::ENCRYPTION));
$query->resolve();
/** @var CredentialInterface $credential */
$credential = $query->firstCredential();
if (null == $credential) {
throw new LightSamlContextException($context, 'Unable to resolve encrypting credential');
}
if (null == $credential->getPublicKey()) {
throw new LightSamlContextException($context, 'Credential resolved for assertion encryption does not have a public key');
}
$encryptedAssertionWriter = new EncryptedAssertionWriter($trustOptions->getBlockEncryptionAlgorithm(), $trustOptions->getKeyTransportEncryptionAlgorithm());
$encryptedAssertionWriter->encrypt($assertion, $credential->getPublicKey());
$context->setEncryptedAssertion($encryptedAssertionWriter);
}
/**
* @param AssertionContext $context
*
* @return void
*/
protected function doExecute(AssertionContext $context)
{
$signature = $context->getAssertion()->getSignature();
if (null === $signature) {
if ($this->requireSignature) {
$message = 'Assertions must be signed';
$this->logger->critical($message, LogHelper::getActionErrorContext($context, $this));
throw new LightSamlContextException($context, $message);
} else {
$this->logger->debug('Assertion is not signed', LogHelper::getActionContext($context, $this));
return;
}
}
if ($signature instanceof AbstractSignatureReader) {
$metadataType = ProfileContext::ROLE_IDP === $context->getProfileContext()->getOwnRole() ? MetadataCriteria::TYPE_SP : MetadataCriteria::TYPE_IDP;
$credential = $this->signatureValidator->validate($signature, $context->getAssertion()->getIssuer()->getValue(), $metadataType);
if ($credential) {
$keyNames = $credential->getKeyNames();
$this->logger->debug(sprintf('Assertion signature validated with key "%s"', implode(', ', $keyNames)), LogHelper::getActionContext($context, $this, array('credential' => $credential)));
} else {
$this->logger->warning('Assertion signature verification was not performed', LogHelper::getActionContext($context, $this));
}
} else {
$message = 'Expected AbstractSignatureReader';
$this->logger->critical($message, LogHelper::getActionErrorContext($context, $this));
throw new LightSamlModelException($message);
}
}
/**
* @param Assertion $assertion
*
* @return AssertionContext
*/
public static function getAssertionContext(Assertion $assertion)
{
$context = new AssertionContext();
if ($assertion) {
$context->setAssertion($assertion);
}
return $context;
}
/**
* @param AssertionContext $context
*
* @return void
*/
protected function doExecute(AssertionContext $context)
{
$ownEntityDescriptor = $context->getProfileContext()->getOwnEntityDescriptor();
$issuer = new Issuer($ownEntityDescriptor->getEntityID());
$issuer->setFormat(SamlConstants::NAME_ID_FORMAT_ENTITY);
$context->getAssertion()->setIssuer($issuer);
$this->logger->debug(sprintf('Assertion Issuer set to "%s"', $ownEntityDescriptor->getEntityID()), LogHelper::getActionContext($context, $this));
}
/**
* @param AssertionContext $context
*
* @return EncryptedAssertionReader
*/
public static function getEncryptedAssertionReader(AssertionContext $context)
{
$result = $context->getEncryptedAssertion();
if ($result instanceof EncryptedAssertionReader) {
return $result;
}
throw new LightSamlContextException($context, 'Expected EncryptedAssertionReader');
}
/**
* @param AssertionContext $context
*
* @return void
*/
protected function doExecute(AssertionContext $context)
{
$partyEntityDescriptor = $context->getProfileContext()->getPartyEntityDescriptor();
$conditions = new Conditions();
$conditions->setNotBefore($this->timeProvider->getTimestamp());
$conditions->setNotOnOrAfter($conditions->getNotBeforeTimestamp() + $this->expirationSeconds);
$audienceRestriction = new AudienceRestriction(array($partyEntityDescriptor->getEntityID()));
$conditions->addItem($audienceRestriction);
$context->getAssertion()->setConditions($conditions);
}
/**
* @param AssertionContext $context
*/
protected function doExecute(AssertionContext $context)
{
if (null == $context->getAssertion()->getIssuer()) {
$message = 'Assertion element must have an issuer element';
$this->logger->error($message, LogHelper::getActionErrorContext($context, $this));
throw new LightSamlContextException($context, $message);
}
if ($context->getAssertion()->getIssuer()->getFormat() && $context->getAssertion()->getIssuer()->getFormat() != $this->expectedIssuerFormat) {
$message = sprintf("Response Issuer Format if set must have value '%s' but it was '%s'", $this->expectedIssuerFormat, $context->getAssertion()->getIssuer()->getFormat());
$this->logger->error($message, LogHelper::getActionErrorContext($context, $this, ['actualFormat' => $context->getAssertion()->getIssuer()->getFormat(), 'expectedFormat' => $this->expectedIssuerFormat]));
throw new LightSamlContextException($context, $message);
}
}
/**
* @param AssertionContext $context
*
* @return void
*/
protected function doExecute(AssertionContext $context)
{
if (null === $context->getAssertion()->getIssuer()) {
$message = 'Assertion element must have an issuer element';
$this->logger->error($message, LogHelper::getActionErrorContext($context, $this));
throw new LightSamlContextException($context, $message);
}
if (false == $this->idpEntityDescriptorProvider->has($context->getAssertion()->getIssuer()->getValue())) {
$message = sprintf("Unknown issuer '%s'", $context->getAssertion()->getIssuer()->getValue());
$this->logger->error($message, LogHelper::getActionErrorContext($context, $this, ['messageIssuer' => $context->getAssertion()->getIssuer()->getValue()]));
throw new LightSamlContextException($context, $message);
}
$this->logger->debug(sprintf('Known assertion issuer: "%s"', $context->getAssertion()->getIssuer()->getValue()), LogHelper::getActionContext($context, $this));
}
/**
* @param AssertionContext $context
*/
protected function doExecute(AssertionContext $context)
{
if (null === $context->getAssertion()->getSubject()) {
return;
}
foreach ($context->getAssertion()->getSubject()->getAllSubjectConfirmations() as $subjectConfirmation) {
if ($subjectConfirmation->getSubjectConfirmationData() && $subjectConfirmation->getSubjectConfirmationData()->getInResponseTo()) {
$requestState = $this->validateInResponseTo($subjectConfirmation->getSubjectConfirmationData()->getInResponseTo(), $context);
/** @var RequestStateContext $requestStateContext */
$requestStateContext = $context->getSubContext(ProfileContexts::REQUEST_STATE, RequestStateContext::class);
$requestStateContext->setRequestState($requestState);
}
}
}
/**
* @param AssertionContext $context
*
* @return void
*/
protected function doExecute(AssertionContext $context)
{
$profileContext = $context->getProfileContext();
$trustOptions = $profileContext->getTrustOptions();
if ($trustOptions->getSignAssertions()) {
$signature = $this->signatureResolver->getSignature($profileContext);
if ($signature) {
$this->logger->debug(sprintf('Signing assertion with fingerprint %s', $signature->getCertificate()->getFingerprint()), LogHelper::getActionContext($context, $this, array('certificate' => $signature->getCertificate()->getInfo())));
$context->getAssertion()->setSignature($signature);
} else {
$this->logger->critical('Unable to resolve assertion signature, though signing enabled', LogHelper::getActionErrorContext($context, $this));
}
} else {
$this->logger->debug('Assertion signing disabled', LogHelper::getActionContext($context, $this));
}
}
/**
* @param AssertionContext $context
*
* @return void
*/
protected function doExecute(AssertionContext $context)
{
$authnContext = new AuthnContext();
$authnContextClassRef = $this->sessionInfoProvider->getAuthnContextClassRef() ?: SamlConstants::AUTHN_CONTEXT_UNSPECIFIED;
$authnContext->setAuthnContextClassRef($authnContextClassRef);
$authnStatement = new AuthnStatement();
$authnStatement->setAuthnContext($authnContext);
$sessionIndex = $this->sessionInfoProvider->getSessionIndex();
if ($sessionIndex) {
$authnStatement->setSessionIndex($sessionIndex);
}
$authnInstant = $this->sessionInfoProvider->getAuthnInstant() ?: new \DateTime();
$authnStatement->setAuthnInstant($authnInstant);
$subjectLocality = new SubjectLocality();
$subjectLocality->setAddress($context->getProfileContext()->getHttpRequest()->getClientIp());
$authnStatement->setSubjectLocality($subjectLocality);
$context->getAssertion()->addItem($authnStatement);
}
/**
* @param AssertionContext $context
*
* @return void
*/
protected function doExecute(AssertionContext $context)
{
$profileContext = $context->getProfileContext();
$inboundMessage = $profileContext->getInboundContext()->getMessage();
$endpoint = $profileContext->getEndpoint();
$data = new SubjectConfirmationData();
if ($inboundMessage) {
$data->setInResponseTo($inboundMessage->getID());
}
$data->setAddress($profileContext->getHttpRequest()->getClientIp());
$data->setNotOnOrAfter($this->timeProvider->getTimestamp() + $this->expirationSeconds);
$data->setRecipient($endpoint->getLocation());
$subjectConfirmation = new SubjectConfirmation();
$subjectConfirmation->setMethod(SamlConstants::CONFIRMATION_METHOD_BEARER);
$subjectConfirmation->setSubjectConfirmationData($data);
if (null === $context->getAssertion()->getSubject()) {
$context->getAssertion()->setSubject(new Subject());
}
$context->getAssertion()->getSubject()->addSubjectConfirmation($subjectConfirmation);
}
/**
* @param AssertionContext $context
*/
protected function validateBearerAssertion(AssertionContext $context)
{
foreach ($context->getAssertion()->getSubject()->getBearerConfirmations() as $subjectConfirmation) {
$this->validateSubjectConfirmation($context, $subjectConfirmation);
}
}
/**
* @param AssertionContext $context
*
* @return void
*/
protected function doExecute(AssertionContext $context)
{
if ($context->getAssertion()) {
$this->sessionProcessor->processAssertions(array($context->getAssertion()), $context->getProfileContext()->getOwnEntityDescriptor()->getEntityID(), $context->getProfileContext()->getPartyEntityDescriptor()->getEntityID());
}
}
/**
* @param AssertionContext $context
*
* @return void
*/
protected function doExecute(AssertionContext $context)
{
$context->getAssertion()->setIssueInstant($this->timeProvider->getTimestamp());
$this->logger->info(sprintf('Assertion IssueInstant set to "%s"', $context->getAssertion()->getIssueInstantString()), LogHelper::getActionContext($context, $this));
}
public function test_to_string_gives_debug_tree_string()
{
$profileContext = TestHelper::getProfileContext();
$profileContext->getOwnEntityContext();
$profileContext->getPartyEntityContext();
$profileContext->addSubContext('assertion_01', $assertionSubContext01 = new AssertionContext());
$assertionSubContext01->addSubContext('rs', new RequestStateContext());
$actual = (string) $profileContext;
$expected = <<<EOT
{
"root": "LightSaml\\\\Context\\\\Profile\\\\ProfileContext",
"root__children": {
"own_entity": "LightSaml\\\\Context\\\\Profile\\\\EntityContext",
"party_entity": "LightSaml\\\\Context\\\\Profile\\\\EntityContext",
"assertion_01": "LightSaml\\\\Context\\\\Profile\\\\AssertionContext",
"assertion_01__children": {
"rs": "LightSaml\\\\Context\\\\Profile\\\\RequestStateContext"
}
}
}
EOT;
$this->assertEquals($expected, $actual);
}
/**
* @param AssertionContext $context
*
* @return void
*/
protected function doExecute(AssertionContext $context)
{
$this->assertionTimeValidator->validateTimeRestrictions($context->getAssertion(), $this->timeProvider->getTimestamp(), $this->allowedSecondsSkew);
}
/**
* @param AssertionContext $context
*
* @return void
*/
protected function doExecute(AssertionContext $context)
{
$id = Helper::generateID();
$context->getAssertion()->setId($id);
$this->logger->info(sprintf('Assertion ID set to "%s"', $id), LogHelper::getActionContext($context, $this, array('message_id' => $id)));
}
/**
* @param AssertionContext $context
*
* @return void
*/
protected function doExecute(AssertionContext $context)
{
$context->getAssertion()->setVersion($this->version);
$this->logger->debug(sprintf('Assertion Version set to "%s"', $this->version), LogHelper::getActionContext($context, $this));
}
/**
* @param AssertionContext $context
*/
protected function doExecute(AssertionContext $context)
{
$this->assertionValidator->validateAssertion($context->getAssertion());
}
/**
* @param AssertionContext $context
*
* @return void
*/
protected function doExecute(AssertionContext $context)
{
$context->setAssertion(new Assertion());
}
