/**
  * Sending a Response over HTTP-Redirect must be rejected by the bindings module.
  *
  * Builds a bare SAML2 Response wrapped in the annotation decorator, marks it
  * for delivery via the HTTP-Redirect binding and hands it to send(); the
  * expected outcome is the UnsupportedBindingException, not a delivered message.
  *
  * @expectedException EngineBlock_Corto_Module_Bindings_UnsupportedBindingException
  */
 public function testResponseRedirectIsNotSupported()
 {
     $redirectResponse = new EngineBlock_Saml2_ResponseAnnotationDecorator(new SAML2_Response());
     $redirectResponse->setDeliverByBinding(SAML2_Const::BINDING_HTTP_REDIRECT);

     $destination = new ServiceProvider('https://sp.example.edu');

     // Expected to throw before anything is sent
     $this->bindings->send($redirectResponse, $destination);
 }
 /**
  * Run the response filter command chain for one SP/IdP exchange.
  *
  * The collabPersonId the commands work with is resolved in this order:
  * the value cached in the PHP session for this SP entityId + request ID,
  * then the value already annotated on the response, then the first value of
  * the 'urn:oid:1.3.6.1.4.1.1076.20.40.40.1' attribute, then the assertion
  * NameID value, and finally null. Whatever the chain ends up with is written
  * back to the session under the same key (also when it is null).
  *
  * Commands run in the order _getCommands() returns them. A command may hand
  * back a replaced response, attribute set or collabPersonId through optional
  * getResponse()/getResponseAttributes()/getCollabPersonId() methods, and may
  * stop the chain by returning false from mustContinueFiltering().
  *
  * NOTE(review): $response is reassigned from getResponse() but the parameter
  * is not taken by reference, so a replaced response object is not visible to
  * the caller (only $responseAttributes is) — confirm this is intended.
  *
  * @param EngineBlock_Saml2_ResponseAnnotationDecorator     $response
  * @param array                                             $responseAttributes updated in place with the final attribute set
  * @param EngineBlock_Saml2_AuthnRequestAnnotationDecorator $request
  * @param ServiceProvider                             $serviceProvider
  * @param IdentityProvider                            $identityProvider
  * @throws EngineBlock_Exception rethrown from a command, annotated with the IdP/SP entityIds and the user id
  * @throws Exception
  */
 public function filter(EngineBlock_Saml2_ResponseAnnotationDecorator $response, array &$responseAttributes, EngineBlock_Saml2_AuthnRequestAnnotationDecorator $request, ServiceProvider $serviceProvider, IdentityProvider $identityProvider)
 {
     /** @var SAML2_AuthnRequest $request */
     // Note that IDs are only unique per SP... we hope...
     $nameId = $response->getAssertion()->getNameId();
     $sessionKey = $serviceProvider->entityId . '>' . $request->getId();

     // First source that yields a value wins; null when none does
     $collabPersonId = null;
     if (isset($_SESSION[$sessionKey]['collabPersonId'])) {
         $collabPersonId = $_SESSION[$sessionKey]['collabPersonId'];
     } elseif ($response->getCollabPersonId()) {
         $collabPersonId = $response->getCollabPersonId();
     } elseif (isset($responseAttributes['urn:oid:1.3.6.1.4.1.1076.20.40.40.1'][0])) {
         $collabPersonId = $responseAttributes['urn:oid:1.3.6.1.4.1.1076.20.40.40.1'][0];
     } elseif (!empty($nameId['Value'])) {
         $collabPersonId = $nameId['Value'];
     }

     /** @var EngineBlock_Corto_Filter_Command_Abstract $command */
     foreach ($this->_getCommands() as $command) {
         // Hand the command everything we know about this exchange
         $command->setProxyServer($this->_server);
         $command->setIdentityProvider($identityProvider);
         $command->setServiceProvider($serviceProvider);
         $command->setRequest($request);
         $command->setResponse($response);
         $command->setResponseAttributes($responseAttributes);
         $command->setCollabPersonId($collabPersonId);

         try {
             $command->execute();
         } catch (EngineBlock_Exception $e) {
             // Enrich the exception with exchange context before it propagates
             $e->idpEntityId = $identityProvider->entityId;
             $e->spEntityId  = $serviceProvider->entityId;
             $e->userId      = $collabPersonId;
             throw $e;
         }

         // Optional getters let a command replace state for the next command
         if (method_exists($command, 'getResponse')) {
             $response = $command->getResponse();
         }
         if (method_exists($command, 'getResponseAttributes')) {
             $responseAttributes = $command->getResponseAttributes();
         }
         if (method_exists($command, 'getCollabPersonId')) {
             $collabPersonId = $command->getCollabPersonId();
         }

         // A command may end the chain early
         if (!$command->mustContinueFiltering()) {
             break;
         }
     }

     $_SESSION[$sessionKey]['collabPersonId'] = $collabPersonId;
 }
 /**
  * Append a received response to the per-session response cache.
  *
  * Only self::RESPONSE_CACHE_TYPE_IN is accepted; any other $type is rejected
  * with an EngineBlock_Exception before the session is touched. Each entry
  * records the requesting SP (request issuer), the responding IdP (response
  * issuer), the type, the response object itself, and the request's VO
  * context and key id. Note that the whole response object is stored in
  * $_SESSION, so it is serialised with the session.
  *
  * @param EngineBlock_Saml2_AuthnRequestAnnotationDecorator $receivedRequest
  * @param EngineBlock_Saml2_ResponseAnnotationDecorator     $receivedResponse
  * @param mixed                                             $type must be self::RESPONSE_CACHE_TYPE_IN
  * @throws EngineBlock_Exception for any other type
  */
 public static function cacheResponse(EngineBlock_Saml2_AuthnRequestAnnotationDecorator $receivedRequest, EngineBlock_Saml2_ResponseAnnotationDecorator $receivedResponse, $type)
 {
     if ($type !== self::RESPONSE_CACHE_TYPE_IN) {
         throw new EngineBlock_Exception('Unknown response type');
     }

     $entry = array(
         'sp'       => $receivedRequest->getIssuer(),
         'idp'      => $receivedResponse->getIssuer(),
         'type'     => $type,
         'response' => $receivedResponse,
         'vo'       => $receivedRequest->getVoContext(),
         'key'      => $receivedRequest->getKeyId(),
     );

     // Lazily create the cache list on first use
     if (!isset($_SESSION['CachedResponses'])) {
         $_SESSION['CachedResponses'] = array();
     }
     $_SESSION['CachedResponses'][] = $entry;
 }
 /**
  * The NameID format configured for the SP in metadata wins over the format
  * the SP asked for in its AuthnRequest.
  *
  * The SP metadata is set to NAMEID_UNSPECIFIED while the request asks for a
  * transient NameID; the resolver is expected to return the unspecified format
  * with the response's intended NameID as value.
  */
 public function testMetadataOverAuthnRequest()
 {
     // Input: metadata says "unspecified", the request says "transient"
     $expectedNameId = array(
         'Format' => Saml2_Const::NAMEID_UNSPECIFIED,
         'Value'  => $this->response->getIntendedNameId(),
     );
     $this->serviceProvider->nameIdFormat = $expectedNameId['Format'];
     $this->serviceProvider->supportedNameIdFormats[] = Saml2_Const::NAMEID_UNSPECIFIED;

     /** @var SAML2_AuthnRequest $request */
     $request = $this->request;
     $request->setNameIdPolicy(array('Format' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient'));

     // Run
     $actualNameId = $this->resolver->resolve(
         $this->request,
         $this->response,
         $this->serviceProvider,
         $this->collabPersonId
     );

     // Test
     $this->assertEquals($expectedNameId, $actualNameId, 'Assertion NameID is set to what is set for this SP in the Metadata, NOT what it requested');
 }
 /**
  * Determine the NameID (Format + Value) to put in the assertion for the destination SP.
  *
  * A custom NameID annotated on the response is returned as-is (truthiness
  * check). Otherwise the format comes from _getNameIdFormat() and the value
  * depends on it: the response's intended NameID for the unspecified format,
  * a transient id derived from the SP entityId and the original issuer for
  * the transient format, and a persistent id derived from $collabPersonId and
  * the SP entityId for every other format (not only NAMEID_PERSISTENT).
  *
  * @param EngineBlock_Saml2_AuthnRequestAnnotationDecorator $request
  * @param EngineBlock_Saml2_ResponseAnnotationDecorator $response
  * @param ServiceProvider $destinationMetadata
  * @param $collabPersonId
  * @return array the custom NameID, or array('Format' => ..., 'Value' => ...)
  */
 public function resolve(EngineBlock_Saml2_AuthnRequestAnnotationDecorator $request, EngineBlock_Saml2_ResponseAnnotationDecorator $response, ServiceProvider $destinationMetadata, $collabPersonId)
 {
     // An explicit override on the response short-circuits everything else
     $override = $response->getCustomNameId();
     if ($override) {
         return $override;
     }

     $format = $this->_getNameIdFormat($request, $destinationMetadata);

     if ($format === SAML2_Const::NAMEID_UNSPECIFIED) {
         $value = $response->getIntendedNameId();
     } elseif ($format === SAML2_Const::NAMEID_TRANSIENT) {
         $value = $this->_getTransientNameId($destinationMetadata->entityId, $response->getOriginalIssuer());
     } else {
         // Any remaining format is treated as persistent
         $value = $this->_getPersistentNameId($collabPersonId, $destinationMetadata->entityId);
     }

     return array('Format' => $format, 'Value' => $value);
 }
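 /**
  * E-mail a rendered dump of an IdP response to the configured debugging address.
  *
  * The body is the 'debugidpmail' template rendered with the issuing IdP, the
  * response and all assertion attributes, so the mail carries the user's
  * attribute data; the email.idpDebugging recipient configuration should be
  * treated as sensitive.
  *
  * The layout is switched to 'empty' and disabled while rendering. Both the
  * original layout name and its enabled state are restored afterwards, also
  * when rendering or sending throws. (Previously only the name was restored,
  * so a layout that was enabled on entry stayed disabled for the rest of the
  * request.)
  *
  * @param SAML2_Response|EngineBlock_Saml2_ResponseAnnotationDecorator $response
  * @throws Exception rethrown after the layout has been restored
  */
 protected function _sendDebugMail(EngineBlock_Saml2_ResponseAnnotationDecorator $response)
 {
     $layout = EngineBlock_ApplicationSingleton::getInstance()->getLayout();
     $oldLayout  = $layout->getLayout();
     $wasEnabled = $layout->isEnabled();

     $layout->setLayout('empty');
     if ($wasEnabled) {
         $layout->disableLayout();
     }

     // Capture rather than propagate immediately so the layout is always restored
     $failure = null;
     try {
         $identityProvider = $this->_server->getRepository()->fetchIdentityProviderByEntityId($response->getIssuer());
         $attributes = $response->getAssertion()->getAttributes();
         $output = $this->_server->renderTemplate('debugidpmail', array(
             'idp'        => $identityProvider,
             'response'   => $response,
             'attributes' => $attributes,
         ));

         $emailConfiguration = EngineBlock_ApplicationSingleton::getInstance()->getConfigurationValue('email')->idpDebugging;
         $mailer = new Zend_Mail('UTF-8');
         $mailer->setFrom($emailConfiguration->from->address, $emailConfiguration->from->name);
         $mailer->addTo($emailConfiguration->to->address, $emailConfiguration->to->name);
         $mailer->setSubject(sprintf($emailConfiguration->subject, $identityProvider->nameEn));
         $mailer->setBodyText($output);
         $mailer->send();
     } catch (Exception $e) {
         $failure = $e;
     }

     // Restore name and enabled state exactly as found on entry
     $layout->setLayout($oldLayout);
     if ($wasEnabled) {
         $layout->enableLayout();
     }

     if ($failure !== null) {
         throw $failure;
     }
 }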
 /**
  * The user identifier used for consent: the NameID value of the current response.
  *
  * @return mixed whatever $this->_response->getNameIdValue() yields
  */
 protected function _getConsentUid()
 {
     $currentResponse = $this->_response;

     return $currentResponse->getNameIdValue();
 }
 /**
  * Convert a decorated SAML2 response into the legacy array representation.
  *
  * The unsigned XML of the underlying SSP message is serialised and run through
  * xml2array; the private annotations carried by the decorator are then merged
  * into that array by addPrivateVarsToLegacy().
  *
  * @param EngineBlock_Saml2_ResponseAnnotationDecorator $response
  * @return array
  */
 public function fromNewFormat(EngineBlock_Saml2_ResponseAnnotationDecorator $response)
 {
     $unsignedElement = $response->getSspMessage()->toUnsignedXML();
     $xml = $unsignedElement->ownerDocument->saveXML();
     $legacy = EngineBlock_Corto_XmlToArray::xml2array($xml);

     return $this->addPrivateVarsToLegacy($legacy, $response);
 }
 /**
  * Build a Phake mock of the bindings module whose receiveResponse() returns a
  * fixture response.
  *
  * The fixture is linked to a pair of stored AuthnRequests (SP request
  * 'SPREQUEST' issued by 'testSp', proxied EngineBlock request 'EBREQUEST')
  * so that the response's InResponseTo can be resolved. The assertion carries
  * the internal sp-entity-id attribute and a cn attribute with a null value.
  *
  * @return EngineBlock_Corto_Module_Bindings
  */
 private function mockBindingsModule()
 {
     // Original request from the SP
     $rawSpRequest = new SAML2_AuthnRequest();
     $rawSpRequest->setId('SPREQUEST');
     $rawSpRequest->setIssuer('testSp');
     $spRequest = new EngineBlock_Saml2_AuthnRequestAnnotationDecorator($rawSpRequest);

     // Request EngineBlock sent on to the IdP
     $rawEbRequest = new SAML2_AuthnRequest();
     $rawEbRequest->setId('EBREQUEST');
     $ebRequest = new EngineBlock_Saml2_AuthnRequestAnnotationDecorator($rawEbRequest);

     $repository = new EngineBlock_Saml2_AuthnRequestSessionRepository(new Psr\Log\NullLogger());
     $repository->store($spRequest);
     $repository->store($ebRequest);
     $repository->link($ebRequest, $spRequest);

     $assertion = new SAML2_Assertion();
     $assertion->setAttributes(array(
         'urn:org:openconext:corto:internal:sp-entity-id' => array('testSp'),
         'urn:mace:dir:attribute-def:cn'                  => array(null),
     ));

     $rawResponse = new SAML2_Response();
     $rawResponse->setInResponseTo('EBREQUEST');
     $rawResponse->setAssertions(array($assertion));
     $responseFixture = new EngineBlock_Saml2_ResponseAnnotationDecorator($rawResponse);
     $responseFixture->setOriginalIssuer('testIdP');

     // Mock bindings module
     /** @var EngineBlock_Corto_Module_Bindings $bindingsModuleMock */
     $bindingsModuleMock = Phake::mock('EngineBlock_Corto_Module_Bindings');
     Phake::when($bindingsModuleMock)->receiveResponse()->thenReturn($responseFixture);

     return $bindingsModuleMock;
 }
 /**
  * Invoke an attribute filter callback with the assertion attributes taken out
  * of the response, then write the (possibly modified) attributes back.
  *
  * $response and the attribute array are passed to the callback by reference so
  * the filter can replace either; the request and the SP/IdP metadata are
  * passed by value.
  *
  * @param callable                                          $callback
  * @param EngineBlock_Saml2_ResponseAnnotationDecorator     $response
  * @param EngineBlock_Saml2_AuthnRequestAnnotationDecorator $request
  * @param ServiceProvider                                   $spEntityMetadata
  * @param IdentityProvider                                  $idpEntityMetadata
  */
 protected function callAttributeFilter($callback, EngineBlock_Saml2_ResponseAnnotationDecorator &$response, EngineBlock_Saml2_AuthnRequestAnnotationDecorator $request, ServiceProvider $spEntityMetadata, IdentityProvider $idpEntityMetadata)
 {
     // Take em out
     $attributes = $response->getAssertion()->getAttributes();

     // Call the filter; references let it replace the response and attributes
     $arguments = array(&$response, &$attributes, $request, $spEntityMetadata, $idpEntityMetadata);
     call_user_func_array($callback, $arguments);

     // Put em back where they belong
     $response->getAssertion()->setAttributes($attributes);
 }