/** * @param AssertionContext $context * * @throws \LogicException * @throws \LightSaml\Error\LightSamlValidationException * * @return \DateTime */ protected function getIdExpiryTime(AssertionContext $context) { /** @var \DateTime $result */ $result = null; $bearerConfirmations = $context->getAssertion()->getSubject()->getBearerConfirmations(); if (null == $bearerConfirmations) { throw new \LogicException('Bearer assertion must have bearer subject confirmations'); } foreach ($bearerConfirmations as $subjectConfirmation) { if (null == $subjectConfirmation->getSubjectConfirmationData()) { $message = 'Bearer SubjectConfirmation must have SubjectConfirmationData element'; $this->logger->error($message, LogHelper::getActionErrorContext($context, $this)); throw new LightSamlContextException($context, $message); } $dt = $subjectConfirmation->getSubjectConfirmationData()->getNotOnOrAfterDateTime(); if (null == $dt) { $message = 'Bearer SubjectConfirmation must have NotOnOrAfter attribute'; $this->logger->error($message, LogHelper::getActionErrorContext($context, $this)); throw new LightSamlContextException($context, $message); } if (null == $result || $result->getTimestamp() < $dt->getTimestamp()) { $result = $dt; } } if (null == $result) { $message = 'Unable to find NotOnOrAfter attribute in bearer assertion'; $this->logger->error($message, LogHelper::getActionErrorContext($context, $this)); throw new LightSamlContextException($context, $message); } return $result; }
/** * @param AssertionContext $context * * @return void */ protected function doExecute(AssertionContext $context) { $profileContext = $context->getProfileContext(); $trustOptions = $profileContext->getTrustOptions(); if (false === $trustOptions->getEncryptAssertions()) { return; } if (null == ($assertion = $context->getAssertion())) { throw new LightSamlContextException($context, 'Assertion for encryption is not set'); } $context->setAssertion(null); $query = $this->credentialResolver->query(); $query->add(new EntityIdCriteria($profileContext->getPartyEntityDescriptor()->getEntityID()))->add(new MetadataCriteria(ProfileContext::ROLE_IDP === $profileContext->getOwnRole() ? MetadataCriteria::TYPE_SP : MetadataCriteria::TYPE_IDP, SamlConstants::PROTOCOL_SAML2))->add(new UsageCriteria(UsageType::ENCRYPTION)); $query->resolve(); /** @var CredentialInterface $credential */ $credential = $query->firstCredential(); if (null == $credential) { throw new LightSamlContextException($context, 'Unable to resolve encrypting credential'); } if (null == $credential->getPublicKey()) { throw new LightSamlContextException($context, 'Credential resolved for assertion encryption does not have a public key'); } $encryptedAssertionWriter = new EncryptedAssertionWriter($trustOptions->getBlockEncryptionAlgorithm(), $trustOptions->getKeyTransportEncryptionAlgorithm()); $encryptedAssertionWriter->encrypt($assertion, $credential->getPublicKey()); $context->setEncryptedAssertion($encryptedAssertionWriter); }
/** * @param AssertionContext $context * * @return void */ protected function doExecute(AssertionContext $context) { $signature = $context->getAssertion()->getSignature(); if (null === $signature) { if ($this->requireSignature) { $message = 'Assertions must be signed'; $this->logger->critical($message, LogHelper::getActionErrorContext($context, $this)); throw new LightSamlContextException($context, $message); } else { $this->logger->debug('Assertion is not signed', LogHelper::getActionContext($context, $this)); return; } } if ($signature instanceof AbstractSignatureReader) { $metadataType = ProfileContext::ROLE_IDP === $context->getProfileContext()->getOwnRole() ? MetadataCriteria::TYPE_SP : MetadataCriteria::TYPE_IDP; $credential = $this->signatureValidator->validate($signature, $context->getAssertion()->getIssuer()->getValue(), $metadataType); if ($credential) { $keyNames = $credential->getKeyNames(); $this->logger->debug(sprintf('Assertion signature validated with key "%s"', implode(', ', $keyNames)), LogHelper::getActionContext($context, $this, array('credential' => $credential))); } else { $this->logger->warning('Assertion signature verification was not performed', LogHelper::getActionContext($context, $this)); } } else { $message = 'Expected AbstractSignatureReader'; $this->logger->critical($message, LogHelper::getActionErrorContext($context, $this)); throw new LightSamlModelException($message); } }
/** * @param Assertion $assertion * * @return AssertionContext */ public static function getAssertionContext(Assertion $assertion) { $context = new AssertionContext(); if ($assertion) { $context->setAssertion($assertion); } return $context; }
/** * @param AssertionContext $context * * @return void */ protected function doExecute(AssertionContext $context) { $ownEntityDescriptor = $context->getProfileContext()->getOwnEntityDescriptor(); $issuer = new Issuer($ownEntityDescriptor->getEntityID()); $issuer->setFormat(SamlConstants::NAME_ID_FORMAT_ENTITY); $context->getAssertion()->setIssuer($issuer); $this->logger->debug(sprintf('Assertion Issuer set to "%s"', $ownEntityDescriptor->getEntityID()), LogHelper::getActionContext($context, $this)); }
/** * @param AssertionContext $context * * @return EncryptedAssertionReader */ public static function getEncryptedAssertionReader(AssertionContext $context) { $result = $context->getEncryptedAssertion(); if ($result instanceof EncryptedAssertionReader) { return $result; } throw new LightSamlContextException($context, 'Expected EncryptedAssertionReader'); }
/** * @param AssertionContext $context * * @return void */ protected function doExecute(AssertionContext $context) { $partyEntityDescriptor = $context->getProfileContext()->getPartyEntityDescriptor(); $conditions = new Conditions(); $conditions->setNotBefore($this->timeProvider->getTimestamp()); $conditions->setNotOnOrAfter($conditions->getNotBeforeTimestamp() + $this->expirationSeconds); $audienceRestriction = new AudienceRestriction(array($partyEntityDescriptor->getEntityID())); $conditions->addItem($audienceRestriction); $context->getAssertion()->setConditions($conditions); }
/** * @param AssertionContext $context */ protected function doExecute(AssertionContext $context) { if (null == $context->getAssertion()->getIssuer()) { $message = 'Assertion element must have an issuer element'; $this->logger->error($message, LogHelper::getActionErrorContext($context, $this)); throw new LightSamlContextException($context, $message); } if ($context->getAssertion()->getIssuer()->getFormat() && $context->getAssertion()->getIssuer()->getFormat() != $this->expectedIssuerFormat) { $message = sprintf("Response Issuer Format if set must have value '%s' but it was '%s'", $this->expectedIssuerFormat, $context->getAssertion()->getIssuer()->getFormat()); $this->logger->error($message, LogHelper::getActionErrorContext($context, $this, ['actualFormat' => $context->getAssertion()->getIssuer()->getFormat(), 'expectedFormat' => $this->expectedIssuerFormat])); throw new LightSamlContextException($context, $message); } }
/** * @param AssertionContext $context * * @return void */ protected function doExecute(AssertionContext $context) { if (null === $context->getAssertion()->getIssuer()) { $message = 'Assertion element must have an issuer element'; $this->logger->error($message, LogHelper::getActionErrorContext($context, $this)); throw new LightSamlContextException($context, $message); } if (false == $this->idpEntityDescriptorProvider->has($context->getAssertion()->getIssuer()->getValue())) { $message = sprintf("Unknown issuer '%s'", $context->getAssertion()->getIssuer()->getValue()); $this->logger->error($message, LogHelper::getActionErrorContext($context, $this, ['messageIssuer' => $context->getAssertion()->getIssuer()->getValue()])); throw new LightSamlContextException($context, $message); } $this->logger->debug(sprintf('Known assertion issuer: "%s"', $context->getAssertion()->getIssuer()->getValue()), LogHelper::getActionContext($context, $this)); }
/** * @param AssertionContext $context */ protected function doExecute(AssertionContext $context) { if (null === $context->getAssertion()->getSubject()) { return; } foreach ($context->getAssertion()->getSubject()->getAllSubjectConfirmations() as $subjectConfirmation) { if ($subjectConfirmation->getSubjectConfirmationData() && $subjectConfirmation->getSubjectConfirmationData()->getInResponseTo()) { $requestState = $this->validateInResponseTo($subjectConfirmation->getSubjectConfirmationData()->getInResponseTo(), $context); /** @var RequestStateContext $requestStateContext */ $requestStateContext = $context->getSubContext(ProfileContexts::REQUEST_STATE, RequestStateContext::class); $requestStateContext->setRequestState($requestState); } } }
/** * @param AssertionContext $context * * @return void */ protected function doExecute(AssertionContext $context) { $profileContext = $context->getProfileContext(); $trustOptions = $profileContext->getTrustOptions(); if ($trustOptions->getSignAssertions()) { $signature = $this->signatureResolver->getSignature($profileContext); if ($signature) { $this->logger->debug(sprintf('Signing assertion with fingerprint %s', $signature->getCertificate()->getFingerprint()), LogHelper::getActionContext($context, $this, array('certificate' => $signature->getCertificate()->getInfo()))); $context->getAssertion()->setSignature($signature); } else { $this->logger->critical('Unable to resolve assertion signature, though signing enabled', LogHelper::getActionErrorContext($context, $this)); } } else { $this->logger->debug('Assertion signing disabled', LogHelper::getActionContext($context, $this)); } }
/** * @param AssertionContext $context * * @return void */ protected function doExecute(AssertionContext $context) { $authnContext = new AuthnContext(); $authnContextClassRef = $this->sessionInfoProvider->getAuthnContextClassRef() ?: SamlConstants::AUTHN_CONTEXT_UNSPECIFIED; $authnContext->setAuthnContextClassRef($authnContextClassRef); $authnStatement = new AuthnStatement(); $authnStatement->setAuthnContext($authnContext); $sessionIndex = $this->sessionInfoProvider->getSessionIndex(); if ($sessionIndex) { $authnStatement->setSessionIndex($sessionIndex); } $authnInstant = $this->sessionInfoProvider->getAuthnInstant() ?: new \DateTime(); $authnStatement->setAuthnInstant($authnInstant); $subjectLocality = new SubjectLocality(); $subjectLocality->setAddress($context->getProfileContext()->getHttpRequest()->getClientIp()); $authnStatement->setSubjectLocality($subjectLocality); $context->getAssertion()->addItem($authnStatement); }
/** * @param AssertionContext $context * * @return void */ protected function doExecute(AssertionContext $context) { $profileContext = $context->getProfileContext(); $inboundMessage = $profileContext->getInboundContext()->getMessage(); $endpoint = $profileContext->getEndpoint(); $data = new SubjectConfirmationData(); if ($inboundMessage) { $data->setInResponseTo($inboundMessage->getID()); } $data->setAddress($profileContext->getHttpRequest()->getClientIp()); $data->setNotOnOrAfter($this->timeProvider->getTimestamp() + $this->expirationSeconds); $data->setRecipient($endpoint->getLocation()); $subjectConfirmation = new SubjectConfirmation(); $subjectConfirmation->setMethod(SamlConstants::CONFIRMATION_METHOD_BEARER); $subjectConfirmation->setSubjectConfirmationData($data); if (null === $context->getAssertion()->getSubject()) { $context->getAssertion()->setSubject(new Subject()); } $context->getAssertion()->getSubject()->addSubjectConfirmation($subjectConfirmation); }
/** * @param AssertionContext $context */ protected function validateBearerAssertion(AssertionContext $context) { foreach ($context->getAssertion()->getSubject()->getBearerConfirmations() as $subjectConfirmation) { $this->validateSubjectConfirmation($context, $subjectConfirmation); } }
/** * @param AssertionContext $context * * @return void */ protected function doExecute(AssertionContext $context) { if ($context->getAssertion()) { $this->sessionProcessor->processAssertions(array($context->getAssertion()), $context->getProfileContext()->getOwnEntityDescriptor()->getEntityID(), $context->getProfileContext()->getPartyEntityDescriptor()->getEntityID()); } }
/** * @param AssertionContext $context * * @return void */ protected function doExecute(AssertionContext $context) { $context->getAssertion()->setIssueInstant($this->timeProvider->getTimestamp()); $this->logger->info(sprintf('Assertion IssueInstant set to "%s"', $context->getAssertion()->getIssueInstantString()), LogHelper::getActionContext($context, $this)); }
public function test_to_string_gives_debug_tree_string() { $profileContext = TestHelper::getProfileContext(); $profileContext->getOwnEntityContext(); $profileContext->getPartyEntityContext(); $profileContext->addSubContext('assertion_01', $assertionSubContext01 = new AssertionContext()); $assertionSubContext01->addSubContext('rs', new RequestStateContext()); $actual = (string) $profileContext; $expected = <<<EOT { "root": "LightSaml\\\\Context\\\\Profile\\\\ProfileContext", "root__children": { "own_entity": "LightSaml\\\\Context\\\\Profile\\\\EntityContext", "party_entity": "LightSaml\\\\Context\\\\Profile\\\\EntityContext", "assertion_01": "LightSaml\\\\Context\\\\Profile\\\\AssertionContext", "assertion_01__children": { "rs": "LightSaml\\\\Context\\\\Profile\\\\RequestStateContext" } } } EOT; $this->assertEquals($expected, $actual); }
/** * @param AssertionContext $context * * @return void */ protected function doExecute(AssertionContext $context) { $this->assertionTimeValidator->validateTimeRestrictions($context->getAssertion(), $this->timeProvider->getTimestamp(), $this->allowedSecondsSkew); }
/** * @param AssertionContext $context * * @return void */ protected function doExecute(AssertionContext $context) { $id = Helper::generateID(); $context->getAssertion()->setId($id); $this->logger->info(sprintf('Assertion ID set to "%s"', $id), LogHelper::getActionContext($context, $this, array('message_id' => $id))); }
/** * @param AssertionContext $context * * @return void */ protected function doExecute(AssertionContext $context) { $context->getAssertion()->setVersion($this->version); $this->logger->debug(sprintf('Assertion Version set to "%s"', $this->version), LogHelper::getActionContext($context, $this)); }
/** * @param AssertionContext $context */ protected function doExecute(AssertionContext $context) { $this->assertionValidator->validateAssertion($context->getAssertion()); }
/** * @param AssertionContext $context * * @return void */ protected function doExecute(AssertionContext $context) { $context->setAssertion(new Assertion()); }