Decrypt the NameId of the subject in the assertion.
|
public decryptNameId ( |
||
| $key | The decryption key. | |
| $blacklist | array | Blacklisted decryption algorithms. |
public function transform(Assertion $assertion)
{
if (!$assertion->isNameIdEncrypted()) {
return $assertion;
}
$decryptionKeys = $this->privateKeyLoader->loadDecryptionKeys($this->identityProvider, $this->serviceProvider);
$blacklistedKeys = $this->identityProvider->getBlacklistedAlgorithms();
if (is_null($blacklistedKeys)) {
$blacklistedKeys = $this->serviceProvider->getBlacklistedAlgorithms();
}
foreach ($decryptionKeys as $index => $key) {
try {
$assertion->decryptNameId($key, $blacklistedKeys);
$this->logger->debug(sprintf('Decrypted assertion NameId with key "#%d"', $index));
} catch (\Exception $e) {
$this->logger->debug(sprintf('Decrypting assertion NameId with key "#%d" failed, "%s" thrown: "%s"', $index, get_class($e), $e->getMessage()));
}
}
if ($assertion->isNameIdEncrypted()) {
throw new NotDecryptedException('Could not decrypt the assertion NameId with the configured keys, see the debug log for information');
}
return $assertion;
}
/**
* Test NameID Encryption and Decryption.
*/
public function testNameIdEncryption()
{
// Create an assertion
$assertion = new Assertion();
$assertion->setIssuer('testIssuer');
$assertion->setValidAudiences(array('audience1', 'audience2'));
$assertion->setAuthnContext('someAuthnContext');
$assertion->setNameId(array("Value" => "just_a_basic_identifier", "Format" => "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"));
$this->assertFalse($assertion->isNameIdEncrypted());
$publicKey = CertificatesMock::getPublicKey();
$assertion->encryptNameId($publicKey);
$this->assertTrue($assertion->isNameIdEncrypted());
// Marshall it to a \DOMElement
$assertionElement = $assertion->toXML()->ownerDocument->saveXML();
$assertionToVerify = new Assertion(DOMDocumentFactory::fromString($assertionElement)->firstChild);
$this->assertTrue($assertionToVerify->isNameIdEncrypted());
$privateKey = CertificatesMock::getPrivateKey();
$assertionToVerify->decryptNameId($privateKey);
$this->assertFalse($assertionToVerify->isNameIdEncrypted());
$nameID = $assertionToVerify->getNameID();
$this->assertEquals('just_a_basic_identifier', $nameID['Value']);
$this->assertEquals('urn:oasis:names:tc:SAML:2.0:nameid-format:transient', $nameID['Format']);
}
