/**
 * A Response that is marked for delivery over HTTP-Redirect must be refused
 * by the bindings module: that binding is not supported for Responses.
 *
 * @expectedException EngineBlock_Corto_Module_Bindings_UnsupportedBindingException
 */
public function testResponseRedirectIsNotSupported()
{
    $serviceProvider = new ServiceProvider('https://sp.example.edu');

    $rawResponse = new SAML2_Response();
    $decoratedResponse = new EngineBlock_Saml2_ResponseAnnotationDecorator($rawResponse);
    $decoratedResponse->setDeliverByBinding(SAML2_Const::BINDING_HTTP_REDIRECT);

    // Expected to throw the exception declared above.
    $this->bindings->send($decoratedResponse, $serviceProvider);
}
/**
 * Run every configured filter command over the response and its attributes.
 *
 * Commands run in the order returned by _getCommands(). Each command is given
 * the current response, attribute array and collabPersonId; a command that
 * exposes getResponse() / getResponseAttributes() / getCollabPersonId() hands
 * its (possibly changed) values on to the next command. A command can stop the
 * chain through mustContinueFiltering().
 *
 * The collabPersonId that results is remembered in $_SESSION under a key made
 * of the SP entityId and the request ID, so a later pass for the same request
 * starts from that value instead of deriving it again.
 *
 * @param EngineBlock_Saml2_ResponseAnnotationDecorator     $response
 * @param array                                              $responseAttributes modified in place
 * @param EngineBlock_Saml2_AuthnRequestAnnotationDecorator $request
 * @param ServiceProvider                                    $serviceProvider
 * @param IdentityProvider                                   $identityProvider
 * @throws EngineBlock_Exception re-thrown from a command, enriched with idp/sp/user context
 * @throws Exception
 */
public function filter(
    EngineBlock_Saml2_ResponseAnnotationDecorator $response,
    array &$responseAttributes,
    EngineBlock_Saml2_AuthnRequestAnnotationDecorator $request,
    ServiceProvider $serviceProvider,
    IdentityProvider $identityProvider
) {
    // The request ID is chosen by the SP, so the session key is scoped by the
    // SP entityId as well. Uniqueness of IDs within one SP is assumed, not
    // enforced: a reused request ID would pick up the earlier collabPersonId.
    $nameId = $response->getAssertion()->getNameId();
    $sessionKey = $serviceProvider->entityId . '>' . $request->getId();

    // Resolve the initial collabPersonId, most authoritative source first.
    if (isset($_SESSION[$sessionKey]['collabPersonId'])) {
        $collabPersonId = $_SESSION[$sessionKey]['collabPersonId'];
    } elseif ($response->getCollabPersonId()) {
        $collabPersonId = $response->getCollabPersonId();
    } elseif (isset($responseAttributes['urn:oid:1.3.6.1.4.1.1076.20.40.40.1'][0])) {
        $collabPersonId = $responseAttributes['urn:oid:1.3.6.1.4.1.1076.20.40.40.1'][0];
    } elseif (!empty($nameId['Value'])) {
        // empty() also rejects the string '0' here, as the original did.
        $collabPersonId = $nameId['Value'];
    } else {
        $collabPersonId = null;
    }

    /** @var EngineBlock_Corto_Filter_Command_Abstract $command */
    foreach ($this->_getCommands() as $command) {
        // Hand the command everything we currently know.
        $command->setProxyServer($this->_server);
        $command->setIdentityProvider($identityProvider);
        $command->setServiceProvider($serviceProvider);
        $command->setRequest($request);
        $command->setResponse($response);
        $command->setResponseAttributes($responseAttributes);
        $command->setCollabPersonId($collabPersonId);

        try {
            $command->execute();
        } catch (EngineBlock_Exception $e) {
            // Attach the parties involved so the failure can be traced.
            $e->idpEntityId = $identityProvider->entityId;
            $e->spEntityId  = $serviceProvider->entityId;
            $e->userId      = $collabPersonId;
            throw $e;
        }

        // Commands that expose state feed the next command in the chain.
        if (method_exists($command, 'getResponse')) {
            $response = $command->getResponse();
        }
        if (method_exists($command, 'getResponseAttributes')) {
            $responseAttributes = $command->getResponseAttributes();
        }
        if (method_exists($command, 'getCollabPersonId')) {
            $collabPersonId = $command->getCollabPersonId();
        }

        // A command may decide that no further filtering should happen.
        if (!$command->mustContinueFiltering()) {
            break;
        }
    }

    $_SESSION[$sessionKey]['collabPersonId'] = $collabPersonId;
}
/**
 * Append a received Response to the session-held response cache.
 *
 * Only inbound responses (RESPONSE_CACHE_TYPE_IN) are accepted. Note that the
 * complete decorated Response object is placed in $_SESSION, together with the
 * issuers, VO context and key id taken from the request it answers.
 *
 * @param EngineBlock_Saml2_AuthnRequestAnnotationDecorator $receivedRequest
 * @param EngineBlock_Saml2_ResponseAnnotationDecorator     $receivedResponse
 * @param mixed $type one of the RESPONSE_CACHE_TYPE_* constants
 * @throws EngineBlock_Exception when $type is not RESPONSE_CACHE_TYPE_IN
 */
public static function cacheResponse(
    EngineBlock_Saml2_AuthnRequestAnnotationDecorator $receivedRequest,
    EngineBlock_Saml2_ResponseAnnotationDecorator $receivedResponse,
    $type
) {
    if (self::RESPONSE_CACHE_TYPE_IN !== $type) {
        throw new EngineBlock_Exception('Unknown response type');
    }

    $cacheEntry = array(
        'sp'       => $receivedRequest->getIssuer(),
        'idp'      => $receivedResponse->getIssuer(),
        'type'     => $type,
        'response' => $receivedResponse,
        'vo'       => $receivedRequest->getVoContext(),
        'key'      => $receivedRequest->getKeyId(),
    );

    if (!isset($_SESSION['CachedResponses'])) {
        $_SESSION['CachedResponses'] = array();
    }
    $_SESSION['CachedResponses'][] = $cacheEntry;
}
/**
 * The NameID format configured for the SP in its metadata takes precedence
 * over the format the SP asks for in its AuthnRequest NameIDPolicy.
 */
public function testMetadataOverAuthnRequest()
{
    // Arrange: metadata pins the SP to the 'unspecified' format...
    $expectedNameId = array(
        'Format' => SAML2_Const::NAMEID_UNSPECIFIED,
        'Value'  => $this->response->getIntendedNameId(),
    );
    $this->serviceProvider->nameIdFormat = $expectedNameId['Format'];
    $this->serviceProvider->supportedNameIdFormats[] = SAML2_Const::NAMEID_UNSPECIFIED;

    // ...while the AuthnRequest asks for a transient NameID.
    /** @var SAML2_AuthnRequest $request */
    $request = $this->request;
    $request->setNameIdPolicy(array('Format' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient'));

    // Act
    $resolvedNameId = $this->resolver->resolve(
        $request,
        $this->response,
        $this->serviceProvider,
        $this->collabPersonId
    );

    // Assert
    $this->assertEquals(
        $expectedNameId,
        $resolvedNameId,
        'Assertion NameID is set to what is set for this SP in the Metadata, NOT what it requested'
    );
}
/**
 * Determine the NameID to place in the Assertion for the destination SP.
 *
 * A custom NameID already present on the response wins outright. Otherwise
 * the format chosen by _getNameIdFormat() decides the value: the intended
 * NameID for 'unspecified', a transient identifier scoped to this SP and the
 * original issuer for 'transient', and a persistent identifier derived from
 * the collabPersonId and the SP entityId for everything else.
 *
 * @param EngineBlock_Saml2_AuthnRequestAnnotationDecorator $request
 * @param EngineBlock_Saml2_ResponseAnnotationDecorator     $response
 * @param ServiceProvider                                    $destinationMetadata
 * @param mixed $collabPersonId used to derive the persistent NameID
 * @return array NameID with 'Format' and 'Value' keys
 */
public function resolve(
    EngineBlock_Saml2_AuthnRequestAnnotationDecorator $request,
    EngineBlock_Saml2_ResponseAnnotationDecorator $response,
    ServiceProvider $destinationMetadata,
    $collabPersonId
) {
    $customNameId = $response->getCustomNameId();
    if ($customNameId) {
        return $customNameId;
    }

    $format = $this->_getNameIdFormat($request, $destinationMetadata);

    if (SAML2_Const::NAMEID_UNSPECIFIED === $format) {
        $value = $response->getIntendedNameId();
    } elseif (SAML2_Const::NAMEID_TRANSIENT === $format) {
        // Transient IDs are bound to the SP and to the IdP that issued the response.
        $value = $this->_getTransientNameId(
            $destinationMetadata->entityId,
            $response->getOriginalIssuer()
        );
    } else {
        $value = $this->_getPersistentNameId($collabPersonId, $destinationMetadata->entityId);
    }

    return array('Format' => $format, 'Value' => $value);
}
/**
 * Mail the attributes of a received Response to the configured IdP-debugging
 * address, using the 'debugidpmail' template.
 *
 * The layout is switched to 'empty' (and disabled if it was enabled) so the
 * template renders without page chrome; the previous layout name is put back
 * afterwards.
 *
 * NOTE(review): the layout is not re-enabled when $wasEnabled is true, and
 * the layout name is not restored if rendering or sending throws — confirm
 * this is intended.
 *
 * The mail body carries the attributes the IdP released for the user, so the
 * configured debugging mailbox receives personal data.
 *
 * @param EngineBlock_Saml2_ResponseAnnotationDecorator $response
 */
protected function _sendDebugMail(EngineBlock_Saml2_ResponseAnnotationDecorator $response)
{
    $application = EngineBlock_ApplicationSingleton::getInstance();

    $layout = $application->getLayout();
    $previousLayout = $layout->getLayout();
    $layout->setLayout('empty');
    $wasEnabled = $layout->isEnabled();
    if ($wasEnabled) {
        $layout->disableLayout();
    }

    $identityProvider = $this->_server->getRepository()
        ->fetchIdentityProviderByEntityId($response->getIssuer());

    $mailBody = $this->_server->renderTemplate('debugidpmail', array(
        'idp'        => $identityProvider,
        'response'   => $response,
        'attributes' => $response->getAssertion()->getAttributes(),
    ));

    $mailConfig = $application->getConfigurationValue('email')->idpDebugging;

    $mail = new Zend_Mail('UTF-8');
    $mail->setFrom($mailConfig->from->address, $mailConfig->from->name);
    $mail->addTo($mailConfig->to->address, $mailConfig->to->name);
    $mail->setSubject(sprintf($mailConfig->subject, $identityProvider->nameEn));
    $mail->setBodyText($mailBody);
    $mail->send();

    $layout->setLayout($previousLayout);
}
/**
 * The identifier under which consent is recorded: the NameID value of the
 * response currently being processed.
 *
 * @return mixed whatever getNameIdValue() returns for the current response
 */
protected function _getConsentUid()
{
    $currentResponse = $this->_response;

    return $currentResponse->getNameIdValue();
}
/**
 * Convert a decorated SAML2 Response into the legacy Corto array format.
 *
 * The response is serialised to its unsigned XML document and parsed back with
 * EngineBlock_Corto_XmlToArray; the decorator's private annotations are then
 * merged into the resulting legacy array.
 *
 * @param EngineBlock_Saml2_ResponseAnnotationDecorator $response
 * @return array
 */
public function fromNewFormat(EngineBlock_Saml2_ResponseAnnotationDecorator $response)
{
    $responseElement = $response->getSspMessage()->toUnsignedXML();
    $responseXml = $responseElement->ownerDocument->saveXML();

    $legacyArray = EngineBlock_Corto_XmlToArray::xml2array($responseXml);

    return $this->addPrivateVarsToLegacy($legacyArray, $response);
}
/**
 * Build a Phake mock of the bindings module whose receiveResponse() yields a
 * fixed Response from 'testIdP' answering the EB request 'EBREQUEST', which
 * is linked in the session repository to the SP request 'SPREQUEST' issued
 * by 'testSp'.
 *
 * @return EngineBlock_Corto_Module_Bindings
 */
private function mockBindingsModule()
{
    $nullLogger = new Psr\Log\NullLogger();
    $requestRepository = new EngineBlock_Saml2_AuthnRequestSessionRepository($nullLogger);

    // The request as the SP sent it to EngineBlock.
    $rawSpRequest = new SAML2_AuthnRequest();
    $rawSpRequest->setId('SPREQUEST');
    $rawSpRequest->setIssuer('testSp');
    $spRequest = new EngineBlock_Saml2_AuthnRequestAnnotationDecorator($rawSpRequest);

    // The request EngineBlock sent on to the IdP, linked to the SP request.
    $rawEbRequest = new SAML2_AuthnRequest();
    $rawEbRequest->setId('EBREQUEST');
    $ebRequest = new EngineBlock_Saml2_AuthnRequestAnnotationDecorator($rawEbRequest);

    $requestRepository->store($spRequest);
    $requestRepository->store($ebRequest);
    $requestRepository->link($ebRequest, $spRequest);

    // Response fixture answering the EB request.
    $assertion = new SAML2_Assertion();
    $assertion->setAttributes(array(
        'urn:org:openconext:corto:internal:sp-entity-id' => array('testSp'),
        'urn:mace:dir:attribute-def:cn'                  => array(null),
    ));

    $rawResponse = new SAML2_Response();
    $rawResponse->setInResponseTo('EBREQUEST');
    $rawResponse->setAssertions(array($assertion));
    $responseFixture = new EngineBlock_Saml2_ResponseAnnotationDecorator($rawResponse);
    $responseFixture->setOriginalIssuer('testIdP');

    /** @var EngineBlock_Corto_Module_Bindings $bindingsModule */
    $bindingsModule = Phake::mock('EngineBlock_Corto_Module_Bindings');
    Phake::when($bindingsModule)->receiveResponse()->thenReturn($responseFixture);

    return $bindingsModule;
}
/**
 * Invoke an attribute filter callback with the response attributes unpacked.
 *
 * The callback is invoked as
 *   $callback(&$response, &$responseAttributes, $request, $sp, $idp)
 * and whatever it leaves in the attribute array is written back into the
 * Assertion of the (possibly replaced) response.
 *
 * @param callable                                           $callback
 * @param EngineBlock_Saml2_ResponseAnnotationDecorator     $response by reference, so the filter may replace it
 * @param EngineBlock_Saml2_AuthnRequestAnnotationDecorator $request
 * @param ServiceProvider                                    $spEntityMetadata
 * @param IdentityProvider                                   $idpEntityMetadata
 */
protected function callAttributeFilter(
    $callback,
    EngineBlock_Saml2_ResponseAnnotationDecorator &$response,
    EngineBlock_Saml2_AuthnRequestAnnotationDecorator $request,
    ServiceProvider $spEntityMetadata,
    IdentityProvider $idpEntityMetadata
) {
    $attributes = $response->getAssertion()->getAttributes();

    // References are kept in the argument array so the filter can replace
    // both the response and the attribute array.
    $arguments = array(
        &$response,
        &$attributes,
        $request,
        $spEntityMetadata,
        $idpEntityMetadata,
    );
    call_user_func_array($callback, $arguments);

    // Store the filtered attributes on whichever response we now hold.
    $response->getAssertion()->setAttributes($attributes);
}