/**
* @param Request $request
* @return AuthnRequest
* @throws \Exception
*
* @SuppressWarnings(PHPMD.CyclomaticComplexity)
* @SuppressWarnings(PHPMD.NPathComplexity)
*/
public function processRequest(Request $request)
{
if (!$this->entityRepository) {
throw new LogicException('RedirectBinding::processRequest requires a ServiceProviderRepository to be configured');
}
$rawSamlRequest = $request->get(AuthnRequest::PARAMETER_REQUEST);
if (!$rawSamlRequest) {
throw new BadRequestHttpException(sprintf('Required GET parameter "%s" is missing', AuthnRequest::PARAMETER_REQUEST));
}
if ($request->get(AuthnRequest::PARAMETER_SIGNATURE) && !$request->get(AuthnRequest::PARAMETER_SIGNATURE_ALGORITHM)) {
throw new BadRequestHttpException(sprintf('The request includes a signature "%s", but does not include the signature algorithm (SigAlg) parameter', $request->get('Signature')));
}
$authnRequest = AuthnRequestFactory::createFromHttpRequest($request);
$currentUri = $this->getFullRequestUri($request);
if (!$authnRequest->getDestination() === $currentUri) {
throw new BadRequestHttpException(sprintf('Actual Destination "%s" does no match the AuthnRequest Destination "%s"', $currentUri, $authnRequest->getDestination()));
}
if (!$this->entityRepository->hasServiceProvider($authnRequest->getServiceProvider())) {
throw new UnknownServiceProviderException($authnRequest->getServiceProvider());
}
if (!$authnRequest->isSigned()) {
return $authnRequest;
}
if (!$authnRequest->getSignatureAlgorithm()) {
throw new BadRequestHttpException(sprintf('The SAMLRequest has to be signed with SHA256 algorithm: "%s"', XMLSecurityKey::RSA_SHA256));
}
$serviceProvider = $this->entityRepository->getServiceProvider($authnRequest->getServiceProvider());
if (!$this->signatureVerifier->hasValidSignature($authnRequest, $serviceProvider)) {
throw new BadRequestHttpException('The SAMLRequest has been signed, but the signature could not be validated');
}
return $authnRequest;
}
/**
* @param $authnRequest
*/
private function verifySignature(AuthnRequest $authnRequest)
{
if (!$authnRequest->isSigned()) {
throw new BadRequestHttpException('The SAMLRequest has to be signed');
}
if (!$authnRequest->getSignatureAlgorithm()) {
throw new BadRequestHttpException(sprintf('The SAMLRequest has to be signed with SHA256 algorithm: "%s"', XMLSecurityKey::RSA_SHA256));
}
$serviceProvider = $this->entityRepository->getServiceProvider($authnRequest->getServiceProvider());
if (!$this->signatureVerifier->hasValidSignature($authnRequest, $serviceProvider)) {
throw new BadRequestHttpException('The SAMLRequest has been signed, but the signature could not be validated');
}
}
