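    /**
     * Notifies the managing contact by e-mail that the metadata of an entity changed.
     *
     * The mail body is a short HTML report (time of the cron run, entity name and
     * entity id); the metadata XML is attached gzipped. Name and id come from stored
     * entity data, so they are HTML-escaped for the body and reduced to a safe
     * character set for the attachment file name.
     *
     * @param   sspmod_janus_Entity $entity      Entity whose metadata changed
     * @param   string              $metadataXml Metadata XML to attach
     * @return void
     */
    protected function _mailUpdatedMetaData(sspmod_janus_Entity $entity, $metadataXml)
    {
        $config = SimpleSAML_Configuration::getInstance();

        $toAddress = $config->getString('managingcontact_email');
        if (empty($toAddress)) {
            // No recipient configured: log and stop rather than handing an empty
            // address to the mailer.
            SimpleSAML_Logger::error('Cron - Could not send email. [managingcontact_email] not set in config.');
            return;
        }

        $time = date(DATE_RFC822);
        $entityName = $entity->getPrettyname();
        $entityId = $entity->getEntityId();
        // Elsewhere in this code base getPrettyName() is tested with is_array()
        // (per-language names); use the first value so the template does not print "Array".
        if (is_array($entityName)) {
            $entityName = (string) reset($entityName);
        }
        $entityName = (string) $entityName;
        $entityId = (string) $entityId;

        // The body is HTML, so escape the stored values before interpolating them.
        $safeName = htmlspecialchars($entityName, ENT_QUOTES, 'UTF-8');
        $safeId = htmlspecialchars($entityId, ENT_QUOTES, 'UTF-8');
        $message = <<<MESSAGE
<h1>Metadata Change detected</h1>
<p>Cron ran at {$time}</p>
<p>Name: {$safeName}</p>
<p>EntityId: {$safeId}</p>
MESSAGE;

        $fromAddress = '*****@*****.**';
        // Subject is plain text: "<name> (<entityid>)".
        $subject = 'Metadata Change detected for entity ' . $entityName . ' (' . $entityId . ')';
        $email = new SimpleSAML_XHTML_EMail($toAddress, $subject, $fromAddress);
        $email->setBody($message);

        // Attach the gzipped metadata. The file name is derived from the entity name,
        // so restrict it to characters that are safe in a MIME filename parameter.
        $attachmentContent = gzencode($metadataXml);
        $safeFileName = preg_replace('/[^A-Za-z0-9._-]+/', '_', $entityName);
        $attachmentFileName = 'metadata-' . $safeFileName . '.xml.gz';
        // gzencode() produces gzip, not zip, so label the attachment accordingly.
        $email->addAttachment($attachmentContent, $attachmentFileName, 'application/gzip');
        $email->send();
    }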
    /**
     * Given an entity (like a SAML2 SP) and a list of remote entities (like a set of SAML2 IdPs),
     * find out which of those remote entities do not allow the entity to connect.
     *
     * Only the latest revision of each remote entity is inspected. A remote entity is
     * reported when its allowedall flag is 'no' and one of the following holds: it keeps a
     * whitelist that does not list the entity, it keeps a blacklist that does list the
     * entity, or it keeps neither list.
     *
     * @param sspmod_janus_Entity   $entity         Entity that wants to connect
     * @param array                 $remoteEntities Rows that each carry an 'eid' key
     * @return array Rows (eid, entityid, revisionid, state, type) of the blocking remote entities
     */
    public function getReverseBlockedEntities(sspmod_janus_Entity $entity, array $remoteEntities)
    {
        if (count($remoteEntities) === 0) {
            return array();
        }

        $remoteEids = array_values(array_map(
            function ($remoteEntity) {
                return $remoteEntity['eid'];
            },
            $remoteEntities
        ));
        $ownEid = $entity->getEid();
        // Two placeholders for the entity's own eid (whitelist and blacklist lookups),
        // followed by one placeholder per remote eid for the IN (...) list.
        $queryParams = array_merge(array($ownEid, $ownEid), $remoteEids);
        $queryEidsIn = substr(str_repeat('?, ', count($remoteEids)), 0, -2);
        $tablePrefix = $this->getTablePrefix();
        $query = <<<SQL
SELECT  eid,
        entityid,
        revisionid,
        state,
        type
FROM (
    SELECT CONNECTION_REVISION.eid,
           CONNECTION_REVISION.entityid,
           CONNECTION_REVISION.revisionid,
           CONNECTION_REVISION.state,
           CONNECTION_REVISION.type,
           CONNECTION_REVISION.allowedall,
           (SELECT COUNT(*) > 0 FROM {$tablePrefix}allowedConnection WHERE connectionRevisionId = CONNECTION_REVISION.id) AS uses_whitelist,
           (SELECT COUNT(*) > 0 FROM {$tablePrefix}blockedConnection WHERE connectionRevisionId = CONNECTION_REVISION.id) AS uses_blacklist,
           (SELECT COUNT(*) > 0 FROM {$tablePrefix}allowedConnection WHERE connectionRevisionId = CONNECTION_REVISION.id AND remoteeid = ?) AS in_whitelist,
           (SELECT COUNT(*) > 0 FROM {$tablePrefix}blockedConnection WHERE connectionRevisionId = CONNECTION_REVISION.id AND remoteeid = ?) AS in_blacklist
    FROM {$tablePrefix}connection CONNECTION
    INNER JOIN {$tablePrefix}connectionRevision CONNECTION_REVISION
        ON CONNECTION_REVISION.eid = CONNECTION.id
        AND CONNECTION_REVISION.revisionid = CONNECTION.revisionNr
    WHERE CONNECTION.id IN ({$queryEidsIn})
   ) AS LATEST_REVISION
WHERE allowedall = 'no'
  AND (
      (uses_whitelist = TRUE AND in_whitelist = FALSE)
        OR (uses_blacklist = TRUE AND in_blacklist = TRUE)
        OR (uses_blacklist = FALSE AND uses_whitelist = FALSE)
  )
SQL;
        return $this->execute($query, $queryParams)->fetchAll();
    }
     if (isset($tmp[1]) && ctype_digit((string) $tmp[1])) {
         $user = new sspmod_janus_User($janus_config);
         $user->setUid($tmp[1]);
         $user->load();
         $name = $tmp[0] . ' - ' . $user->getUserid();
     } else {
         if (isset($tmp[1]) && $tmp[1] == 'NEW') {
             $name = $tmp[0] . ' - ' . 'NEW';
         } else {
             $name = $tmp[0];
         }
     }
 } else {
     if ($tmp[0] == 'ENTITYUPDATE') {
         if (isset($tmp[1]) && ctype_digit((string) $tmp[1])) {
             $entity = new sspmod_janus_Entity($janus_config);
             $entity->setEid($tmp[1]);
             try {
                 $entity->load();
                 $name = $tmp[0] . ' - ' . $entity->getEntityid();
             } catch (\Exception $ex) {
                 $name = "Entity '{$tmp['1']}' does not exist";
             }
         } else {
             $name = implode('-', $tmp);
         }
     } else {
         $name = implode('-', $tmp);
     }
 }
 // Both the option value and its label are escaped for the HTML context.
 printf('<option value="%s">%s</option>', htmlspecialchars($subscription), htmlspecialchars($name));
             if (isset($tmp[1]) && ctype_digit((string) $tmp[1])) {
                 $user = new sspmod_janus_User($janus_config);
                 $user->setUid($tmp[1]);
                 $user->load();
                 $name = $tmp[0] . ' - ' . $user->getUserid();
             } else {
                 if (isset($tmp[1]) && $tmp[1] == 'NEW') {
                     $name = $tmp[0] . ' - ' . 'NEW';
                 } else {
                     $name = $tmp[0];
                 }
             }
         } else {
             if ($tmp[0] == 'ENTITYUPDATE') {
                 if (isset($tmp[1]) && ctype_digit((string) $tmp[1])) {
                     $entity = new sspmod_janus_Entity($janus_config);
                     $entity->setEid($tmp[1]);
                     $entity->load();
                     $name = $tmp[0] . ' - ' . $entity->getEntityid();
                 } else {
                     $name = implode('-', $tmp);
                 }
             } else {
                 $name = implode('-', $tmp);
             }
         }
         echo '<option value="' . $subscription . '">' . $name . '</option>';
     }
     echo '</select>';
     echo '<a class="janus_button" onclick="addSubscription(' . $this->data['user']->getUid() . ', $(\'select#subscriptions_select option:selected\').val());">' . $this->t('admin_add') . '</a>';
 }
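 /**
  * Get the entity history.
  *
  * Returns an array of entities, one for each revision of the current entity,
  * newest revision first.
  *
  * The limits are appended as a SQL LIMIT clause: with both given the clause is
  * "LIMIT lower, upper", with only one of them given it is "LIMIT n". Both values
  * are cast to int before being embedded in the query text.
  *
  * @param int|null $lower_limit The lower limit from which get revisions
  * @param int|null $upper_limit The upper limit up to which get revisions
  *
  * @return array|bool An array of sspmod_janus_Entity or FALSE on error
  */
 public function getHistory($lower_limit = null, $upper_limit = null)
 {
     assert($this->_entity instanceof sspmod_janus_Entity);

     // Only values that were actually passed are emitted, so a lone upper limit
     // yields "LIMIT n" rather than a malformed "LIMIT, n".
     $limits = array();
     if ($lower_limit !== null) {
         $limits[] = (int) $lower_limit;
     }
     if ($upper_limit !== null) {
         $limits[] = (int) $upper_limit;
     }
     $limit_clause = count($limits) > 0 ? ' LIMIT ' . implode(', ', $limits) : '';

     $st = $this->execute('SELECT * 
         FROM ' . $this->getTablePrefix() . 'connectionRevision
         WHERE `eid` = ? 
         ORDER BY `revisionid` DESC' . $limit_clause, array($this->_entity->getEid()));
     if ($st === false) {
         return false;
     }

     $history = array();
     foreach ($st->fetchAll(PDO::FETCH_ASSOC) as $data) {
         $entity = new sspmod_janus_Entity($this->_config);
         $entity->setEid($this->_entity->getEid());
         $entity->setRevisionid($data['revisionid']);
         if (!$entity->load()) {
             // A revision that cannot be loaded makes the whole history unreliable.
             SimpleSAML_Logger::error(__CLASS__ . ':getHistory - Entity could not ' . 'load. Eid: ' . $this->_entity->getEntityid() . ' - Rid: ' . $data['revisionid']);
             return false;
         }
         $history[] = $entity;
     }
     return $history;
 }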
}
// Users holding the 'allentities' grant see every remote entity; everybody else
// only the entities attached to their own user.
$userEntities = $securityContext->isGranted('allentities')
    ? $remoteEntities
    : $adminUtil->getEntitiesFromUser($user->getUid());
$reverseBlockedEntities = $adminUtil->getReverseBlockedEntities($entity, $userEntities);

// Metadata field definitions are configured per entity type.
$mfc = $janus_config->getArray('metadatafields.' . $entity->getType());
$mb = new sspmod_janus_MetadataFieldBuilder($mfc);
$et->data['metadatafields'] = $mb->getMetadataFields();

$remote_entities = array();
$remote_entities_acl_sorted = array();
// Only parse name and description in current language
foreach ($remoteEntities as $remoteEntityRow) {
    $remoteEntity = new sspmod_janus_Entity($janus_config);
    $remoteEntity->setEid($remoteEntityRow["eid"]);
    $remoteEntity->setRevisionid($remoteEntityRow["revisionid"]);
    $remoteEntity->load();
    $remoteEntityFormatted = array('eid' => $remoteEntity->getEid(), 'revisionid' => $remoteEntity->getRevisionid(), 'type' => $remoteEntity->getType(), 'notes' => $remoteEntity->getNotes());
    // Format the name for the remote entity
    $remoteEntityName = $remoteEntity->getPrettyName();
    if (isset($remoteEntityName)) {
        if (is_array($remoteEntityName)) {
            if (array_key_exists($language, $remoteEntityName)) {
                $remoteEntityFormatted['name'][$language] = $remoteEntityName[$language];
            } else {
                reset($remoteEntityName);
                $remoteEntityFormatted['name'][$language] = 'No name in current language (' . current($remoteEntityName) . ')';
            }
        } else {
 /**
  * Find all entities whose latest revision carries a given metadata value.
  *
  * Only the highest revision of each entity is searched. A row matches when the
  * stored value equals $value, or when the stored value, read as a regular
  * expression anchored with ^ and $, matches $value. A regex passed in $value
  * itself is not interpreted; the regex must be in the database.
  *
  * The result is also kept in $this->_entities.
  *
  * @param string $key   The metadata key on which to perform the search
  * @param string $value The value to search for
  * @return array|string List of sspmod_janus_Entity, or the string 'error_db' when the query failed
  */
 public function searchEntitiesByMetadata($key, $value)
 {
     assert('is_string($key)');
     assert('is_string($value)');
     $st = $this->execute('SELECT DISTINCT eid 
         FROM ' . self::$prefix . "metadata jm\n            WHERE `key` = ?\n            AND ((value=?) OR (? REGEXP CONCAT('^',value,'\$')))\n            AND revisionid = (SELECT MAX(revisionid) FROM " . self::$prefix . "metadata WHERE eid = jm.eid);", array($key, $value, $value));
     if ($st === false) {
         return 'error_db';
     }

     $this->_entities = array();
     foreach ($st->fetchAll(PDO::FETCH_ASSOC) as $row) {
         $entity = new sspmod_janus_Entity($this->_config);
         $entity->setEid($row['eid']);
         if (!$entity->load()) {
             // Skip entities that fail to load; the remaining matches are still returned.
             SimpleSAML_Logger::error('JANUS:UserController:searchEntitiesByMetadata - Entity could not be
                 loaded, eid: ' . $row['eid']);
             continue;
         }
         $this->_entities[] = $entity;
     }
     return $this->_entities;
 }
 /**
  * Return the entity controller bound to $entity, creating and caching it on first use.
  *
  * Controllers are cached per entity id in $this->entityControllers, so repeated
  * calls for the same entity share one controller instance.
  *
  * @param \sspmod_janus_Entity $entity
  * @return \sspmod_janus_EntityController
  */
 protected function getEntityControllerForEntity(\sspmod_janus_Entity $entity)
 {
     $entityId = $entity->getId();
     if (isset($this->entityControllers[$entityId])) {
         return $this->entityControllers[$entityId];
     }

     $controller = new \sspmod_janus_EntityController($this->configuration);
     $controller->setEntity($entity);
     $this->entityControllers[$entityId] = $controller;
     return $controller;
 }
 /**
  * Find all entities whose current revision carries a given metadata value.
  *
  * The query joins metadata to the connection's current revision, so only the
  * latest revision of each entity is searched. A row matches when the stored
  * value equals $value, or when the stored value, read as a regular expression
  * anchored with ^ and $, matches $value. A regex passed in $value itself is not
  * interpreted; the regex must be in the database.
  *
  * The result is also kept in $this->_entities.
  *
  * @param string $key   The metadata key on which to perform the search
  * @param string $value The value to search for
  * @return array|string List of sspmod_janus_Entity, or the string 'error_db' when the query failed
  */
 public function searchEntitiesByMetadata($key, $value)
 {
     assert('is_string($key)');
     assert('is_string($value)');
     $st = $this->execute("\n            SELECT  DISTINCT CONNECTION_REVISION.eid\n            FROM        " . $this->getTablePrefix() . "metadata AS METADATA\n            INNER JOIN  " . $this->getTablePrefix() . "connectionRevision AS CONNECTION_REVISION\n                ON  CONNECTION_REVISION.id = METADATA.connectionRevisionId\n            INNER JOIN  " . $this->getTablePrefix() . "connection AS CONNECTION\n                ON  CONNECTION.id = CONNECTION_REVISION.eid\n                AND CONNECTION.revisionNr = CONNECTION_REVISION.revisionid\n            WHERE   METADATA.`key` = ?\n                AND (\n                    (METADATA.value=?)\n                    OR (? REGEXP CONCAT('^',METADATA.value,'\$'))\n                )\n                ", array($key, $value, $value));
     if ($st === false) {
         return 'error_db';
     }

     $this->_entities = array();
     foreach ($st->fetchAll(PDO::FETCH_ASSOC) as $row) {
         $entity = new sspmod_janus_Entity($this->_config);
         $entity->setEid($row['eid']);
         if (!$entity->load()) {
             // Skip entities that fail to load; the remaining matches are still returned.
             SimpleSAML_Logger::error('JANUS:UserController:searchEntitiesByMetadata - Entity could not be
                 loaded, eid: ' . $row['eid']);
             continue;
         }
         $this->_entities[] = $entity;
     }
     return $this->_entities;
 }
            $loaded_entities = array_merge($autil->getEntitiesByStateType(null, 'saml20-idp'), $autil->getEntitiesByStateType(null, 'shib13-idp'));
        } else {
            if ($entity->getType() == 'shib13-idp') {
                $loaded_entities = array_merge($autil->getEntitiesByStateType(null, 'saml20-sp'), $autil->getEntitiesByStateType(null, 'shib13-sp'));
            }
        }
    }
}
// Get metadatafields
// Field definitions are configured per entity type under "metadatafields.<type>".
$mfc = $janus_config->getArray('metadatafields.' . $entity->getType());
$mb = new sspmod_janus_MetadatafieldBuilder($mfc);
$et->data['metadatafields'] = $mb->getMetadatafields();
// Reset before the loaded remote entities are processed below.
$remote_entities = array();
// Only parse name and description in current language
foreach ($loaded_entities as $entityRow) {
    $instance = new sspmod_janus_Entity($janus_config);
    $instance->setEid($entityRow["eid"]);
    $instance->setRevisionid($entityRow["revisionid"]);
    $instance->load();
    $value = array("name" => $instance->getPrettyName(), "description" => $instance->getEntityId());
    $key = $instance->getEntityId();
    unset($value2);
    if (isset($value['name'])) {
        if (is_array($value['name'])) {
            if (array_key_exists($language, $value['name'])) {
                $value2['name'][$language] = $value['name'][$language];
            } else {
                reset($value['name']);
                $value2['name'][$language] = 'No name in current language (' . current($value['name']) . ')';
            }
        } else {
 /**
  * Does the Identity Provider allow a particular connection?
  *
  * Decision order: an IdP with allowedall = "yes" accepts every SP; otherwise the
  * SP is accepted when it appears in the IdP's allowed list, or when the IdP has a
  * non-empty blocked list that does not contain the SP. Anything else is refused.
  *
  * NOTE(review): an IdP with both a non-empty allowed list and a non-empty blocked
  * list, where the SP is in neither, is accepted here, whereas the SQL in
  * getReverseBlockedEntities reports such a remote entity as blocking
  * (uses_whitelist AND NOT in_whitelist). Confirm which reading is intended.
  *
  * @static
  * @param sspmod_janus_Entity $sp  Service Provider to check for
  * @param sspmod_janus_Entity $idp Identity Provider to check against
  * @return bool Is the connection allowed?
  */
 protected static function _checkIdPMetadataIsConnectionAllowed(sspmod_janus_Entity $sp, sspmod_janus_Entity $idp)
 {
     $controller = sspmod_janus_DiContainer::getInstance()->getEntityController();
     $controller->setEntity($idp);
     $spEid = $sp->getEid();

     // 1. IdP accepts everybody.
     if ($controller->getAllowedAll() === "yes") {
         return true;
     }

     // 2. SP is explicitly whitelisted.
     $allowed = $controller->getAllowedEntities();
     $inAllowedList = count($allowed) > 0 && array_key_exists($spEid, $allowed);
     if ($inAllowedList) {
         return true;
     }

     // 3. IdP works with a blacklist and the SP is not on it.
     $blocked = $controller->getBlockedEntities();
     $hasBlockedList = count($blocked) > 0;
     $inBlockedList = $hasBlockedList && array_key_exists($spEid, $blocked);

     return $hasBlockedList && !$inBlockedList;
 }