/**
* @param SAML2_Response $response
* @param SimpleSAML_Configuration $idpConfig
*/
private function addSigns(SAML2_Response $response, SimpleSAML_Configuration $idpConfig)
{
$assertions = $response->getAssertions();
$className = EngineBlock_ApplicationSingleton::getInstance()->getDiContainer()->getMessageUtilClassName();
// Special case the 'normal' message verification class name so we have IDE support.
if ($className === 'sspmod_saml_Message') {
sspmod_saml_Message::addSign($idpConfig, SimpleSAML_Configuration::loadFromArray(array()), $assertions[0]);
return;
}
$className::addSign($idpConfig, SimpleSAML_Configuration::loadFromArray(array()), $assertions[0]);
}
/**
* Determines if a Response carries an encrypted assertion.
*
* @param SAML2_Response $sspResponse
* @return bool
*/
private function hasEncryptedAssertion(SAML2_Response $sspResponse)
{
$hasEncryptedAssertion = false;
foreach ($sspResponse->getAssertions() as $assertion) {
if ($assertion instanceof SAML2_EncryptedAssertion) {
$hasEncryptedAssertion = true;
break;
}
}
return $hasEncryptedAssertion;
}
/**
* @return SAML2_Response
*/
private function getSignedResponseWithSignedAssertion()
{
$doc = new DOMDocument();
$doc->load(__DIR__ . '/response.xml');
$response = new SAML2_Response($doc->firstChild);
$response->setSignatureKey(SAML2_CertificatesMock::getPrivateKey());
$response->setCertificates(array(SAML2_CertificatesMock::PUBLIC_KEY_PEM));
$assertions = $response->getAssertions();
$assertion = $assertions[0];
$assertion->setSignatureKey(SAML2_CertificatesMock::getPrivateKey());
$assertion->setCertificates(array(SAML2_CertificatesMock::PUBLIC_KEY_PEM));
return new SAML2_Response($response->toSignedXML());
}
/**
* @param SAML2_Response $response
*
* @return SAML2_Assertion[]
*/
private function processAssertions(SAML2_Response $response)
{
$assertions = $response->getAssertions();
if (empty($assertions)) {
throw new SAML2_Response_Exception_NoAssertionsFoundException('No assertions found in response from IdP.');
}
if (!$this->responseIsSigned) {
foreach ($assertions as $assertion) {
if (!$assertion->getWasSignedAtConstruction()) {
throw new SAML2_Response_Exception_UnsignedResponseException('Both the response and the assertion it containes are not signed.');
}
}
}
return $this->assertionProcessor->processAssertions($assertions);
}
private static function combine_response(array $values, \SAML2_Response $response = NULL)
{
if (!isset($response)) {
$response = new \SAML2_Response();
}
$presented_assertions = $response->getAssertions();
$assertion = empty($presented_assertions) ? new \SAML2_Assertion() : $presented_assertions[0];
if (self::original_spid_isset($values)) {
$response->setInResponseTo($values['InResponseTo']);
}
if (array_key_exists('ResponseID', $values)) {
$response->setId($values['ResponseID']);
}
if (array_key_exists('AssertionID', $values)) {
$assertion->setId($values['AssertionID']);
}
if (array_key_exists('Issuer', $values)) {
$response->setIssuer($values['Issuer']);
$assertion->setIssuer($values['Issuer']);
}
if (array_key_exists('NameID', $values)) {
$assertion->setNameId(self::build_name_id($values['NameID']));
}
$not_on_or_after_time = time();
if (array_key_exists('AllowedTimeDelta', $values)) {
$not_on_or_after_time += $values['AllowedTimeDelta'];
$assertion->setNotBefore(time() - $values['AllowedTimeDelta']);
$assertion->setNotOnOrAfter($not_on_or_after_time);
} else {
$not_on_or_after_time += DEFAULT_RESPONSE_TIME_DELTA;
}
if (array_key_exists('Audience', $values)) {
$assertion->setValidAudiences(array($values['Audience']));
}
if (array_key_exists('Attributes', $values)) {
$assertion->setAttributes($values['Attributes']);
}
$assertion->setAuthnInstant(time());
if (array_key_exists('AuthnContextClassRef', $values)) {
$assertion->setAuthnContextClassRef($values['AuthnContextClassRef']);
}
if (array_key_exists('SessionIndex', $values)) {
$assertion->setSessionIndex($values['SessionIndex']);
}
if (self::original_spid_isset($values) || array_key_exists('Destination', $values)) {
$original_confirmations = $assertion->getSubjectConfirmation();
$confirmation = NULL;
if (empty($original_confirmations)) {
$confirmation = new \SAML2_XML_saml_SubjectConfirmation();
$confirmation->Method = SAML_CONFIGURATION_METHOD;
} else {
$confirmation = $original_confirmations[0];
}
$original_data = $confirmation->SubjectConfirmationData;
$data = NULL;
if (empty($original_data)) {
$data = new \SAML2_XML_saml_SubjectConfirmationData();
$data->NotOnOrAfter = $not_on_or_after_time;
} else {
$data = $original_data;
if (empty($data->NotOnOrAfter)) {
$data->NotOnOrAfter = $not_on_or_after_time;
}
}
if (array_key_exists('Destination', $values)) {
$data->Recipient = $values['Destination'];
}
if (self::original_spid_isset($values)) {
$data->InResponseTo = $values['InResponseTo'];
}
$confirmation->SubjectConfirmationData = $data;
$assertion->setSubjectConfirmation(array($confirmation));
}
if (array_key_exists('Destination', $values)) {
$response->setDestination($values['Destination']);
}
if (self::need_sign($values)) {
if (array_key_exists('SHA256KeyFile', $values)) {
$ekey = new \XMLSecurityKey(\XMLSecurityKey::RSA_SHA256, array('type' => 'private'));
$ekey->loadKey($values['SHA256KeyFile'], true);
if (self::need_sign_attributes($values)) {
$assertion->setSignatureKey($ekey);
}
if (self::need_sign_message($values)) {
$response->setSignatureKey($ekey);
}
}
if (array_key_exists('SHA256CertFile', $values)) {
$certifictaes = array(file_get_contents($values['SHA256CertFile']));
if (self::need_sign_attributes($values)) {
$assertion->setCertificates($certifictaes);
}
if (self::need_sign_message($values)) {
$response->setCertificates($certifictaes);
}
}
}
$response->setAssertions(array($assertion));
return $response;
}
/**
* @return SAML2_Assertion[]|SAML2_EncryptedAssertion[]
*/
public function getAssertions()
{
return $this->sspMessage->getAssertions();
}
