/**
  * This method applies the filter, removing any values
  *
  * @param array &$request the current request
  */
 public function process(&$request)
 {
     $src = $request['Source'];
     if (!count($this->scopedAttributes)) {
         // paranoia, should never happen
         Logger::warning('No scoped attributes configured.');
         return;
     }
     $validScopes = array();
     if (array_key_exists('scope', $src) && is_array($src['scope']) && !empty($src['scope'])) {
         $validScopes = $src['scope'];
     }
     foreach ($this->scopedAttributes as $attribute) {
         if (!isset($request['Attributes'][$attribute])) {
             continue;
         }
         $values = $request['Attributes'][$attribute];
         $newValues = array();
         foreach ($values as $value) {
             $ep = \SimpleSAML\Utils\Config\Metadata::getDefaultEndpoint($request['Source']['SingleSignOnService']);
             $loc = $ep['Location'];
             $host = parse_url($loc, PHP_URL_HOST);
             if ($host === null) {
                 $host = '';
             }
             $value_a = explode('@', $value, 2);
             if (count($value_a) < 2) {
                 $newValues[] = $value;
                 continue;
                 // there's no scope
             }
             $scope = $value_a[1];
             if (in_array($scope, $validScopes, true)) {
                 $newValues[] = $value;
             } elseif (strpos($host, $scope) === strlen($host) - strlen($scope)) {
                 $newValues[] = $value;
             } else {
                 Logger::warning("Removing value '{$value}' for attribute '{$attribute}'. Undeclared scope.");
             }
         }
         if (empty($newValues)) {
             Logger::warning("No suitable values for attribute '{$attribute}', removing it.");
             unset($request['Attributes'][$attribute]);
             // remove empty attributes
         } else {
             $request['Attributes'][$attribute] = $newValues;
         }
     }
 }
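 /**
  * Find the default endpoint of the given type.
  *
  * @param string     $endpointType The endpoint type.
  * @param array|null $bindings Array with acceptable bindings. Can be null if any binding is allowed.
  * @param mixed      $default The default value to return if no matching endpoint is found. If no default is
  *     provided, an exception will be thrown.
  *
  * @return array|mixed The default endpoint, or $default if no acceptable endpoint is found.
  *
  * @throws Exception If no supported endpoint is found and no $default was given.
  */
 public function getDefaultEndpoint($endpointType, array $bindings = null, $default = self::REQUIRED_OPTION)
 {
     // A string argument to assert() is deprecated since PHP 7.2 and is no
     // longer evaluated in PHP 8 (any non-empty string passes), so the check
     // must be an expression to keep working.
     assert(is_string($endpointType));
     $endpoints = $this->getEndpoints($endpointType);
     $defaultEndpoint = \SimpleSAML\Utils\Config\Metadata::getDefaultEndpoint($endpoints, $bindings);
     if ($defaultEndpoint !== null) {
         return $defaultEndpoint;
     }
     if ($default === self::REQUIRED_OPTION) {
         // No fallback was requested: name the option and endpoint type that failed.
         $loc = $this->location . '[' . var_export($endpointType, true) . ']:';
         throw new Exception($loc . 'Could not find a supported ' . $endpointType . ' endpoint.');
     }
     return $default;
 }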
 /**
  * Thin compatibility wrapper that delegates to the Utils implementation.
  *
  * @deprecated This method will be removed in SSP 2.0. Please use SimpleSAML\Utils\Config\Metadata::getDefaultEndpoint() instead.
  *
  * @param array      $endpoints The endpoints to pick from.
  * @param array|null $bindings  Acceptable bindings, or null for any binding.
  *
  * @return mixed Whatever SimpleSAML\Utils\Config\Metadata::getDefaultEndpoint() returns.
  */
 public static function getDefaultEndpoint(array $endpoints, array $bindings = null)
 {
     $endpoint = \SimpleSAML\Utils\Config\Metadata::getDefaultEndpoint($endpoints, $bindings);

     return $endpoint;
 }
    if ($metadata['owner'] !== $userid) {
        throw new Exception('Metadata has an owner that is not equal to your userid, hence you are not granted access.');
    }
}
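if (array_key_exists('entityid', $_REQUEST)) {
    // Editing an existing SP: only its owner may load it.
    $metadata = $mdh->getMetadata($_REQUEST['entityid'], 'saml20-sp-remote');
    requireOwnership($metadata, $userid);
} elseif (array_key_exists('xmlmetadata', $_REQUEST)) {
    // Importing SP metadata from user-supplied XML: validate the document
    // before parsing anything out of it.
    $xmldata = $_REQUEST['xmlmetadata'];
    \SimpleSAML\Utils\XML::checkSAMLMessage($xmldata, 'saml-meta');
    $entities = SimpleSAML_Metadata_SAMLParser::parseDescriptorsString($xmldata);
    if (empty($entities)) {
        // array_pop() on an empty list yields null, and the method call
        // below would then be a fatal error instead of a clear message.
        throw new Exception('No entity descriptors found in the supplied metadata.');
    }
    $entity = array_pop($entities);
    $metadata = $entity->getMetadata20SP();
    /* Trim metadata endpoint arrays to the single endpoint this editor handles.
     * When no endpoint with the wanted binding exists, store an empty list
     * rather than array(null), which later code cannot index safely. */
    $acs = isset($metadata['AssertionConsumerService'])
        ? \SimpleSAML\Utils\Config\Metadata::getDefaultEndpoint($metadata['AssertionConsumerService'], array(SAML2_Const::BINDING_HTTP_POST))
        : null;
    $metadata['AssertionConsumerService'] = $acs === null ? array() : array($acs);
    $slo = isset($metadata['SingleLogoutService'])
        ? \SimpleSAML\Utils\Config\Metadata::getDefaultEndpoint($metadata['SingleLogoutService'], array(SAML2_Const::BINDING_HTTP_REDIRECT))
        : null;
    $metadata['SingleLogoutService'] = $slo === null ? array() : array($slo);
} else {
    // Creating a new SP: start from an empty record owned by the current user.
    $metadata = array('owner' => $userid);
}
$editor = new sspmod_metaedit_MetaEditor();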
if (isset($_POST['submit'])) {
    $editor->checkForm($_POST);
    $metadata = $editor->formToMeta($_POST, array(), array('owner' => $userid));
    if (isset($_REQUEST['was-entityid']) && $_REQUEST['was-entityid'] !== $metadata['entityid']) {
        $premetadata = $mdh->getMetadata($_REQUEST['was-entityid'], 'saml20-sp-remote');
        requireOwnership($premetadata, $userid);
        $mdh->deleteMetadata($_REQUEST['was-entityid'], 'saml20-sp-remote');
    }
    $testmetadata = NULL;
    try {
        $testmetadata = $mdh->getMetadata($metadata['entityid'], 'saml20-sp-remote');