/**
 * Obtain an OAuth2 access token (client_credentials grant) for EngineBlock acting as SP.
 *
 * When the application cache is APC backed and $requireNew is false, a previously granted
 * token is reused from the cache. Otherwise a fresh grant is requested from the token
 * endpoint and, if APC is available, stored for later calls.
 *
 * @param object $conf       provider configuration; baseUrl, key and secret are read
 * @param string $subjectId  user the call is made for; only used to annotate the error log
 * @param bool   $requireNew bypass the cached token and force a new grant
 * @return string the access token
 * @throws EngineBlock_VirtualOrganization_AccessTokenNotGrantedException when the endpoint
 *         cannot be reached or its response carries no access_token
 */
protected function _getAccessToken($conf, $subjectId, $requireNew)
{
    $appCache = EngineBlock_ApplicationSingleton::getInstance()->getDiContainer()->getApplicationCache();
    $cacheUsable = $appCache instanceof Zend_Cache_Backend_Apc;

    if ($cacheUsable && !$requireNew) {
        $cachedToken = $appCache->load(self::ACCESS_TOKEN_KEY);
        if ($cachedToken) {
            return $cachedToken;
        }
    }

    // for example https://api.dev.surfconext.nl/v1/oauth2/token
    $tokenUrl = $this->_ensureTrailingSlash($conf->baseUrl) . 'v1/oauth2/token';
    $httpClient = new Zend_Http_Client($tokenUrl);

    try {
        $httpClient->setConfig(array('timeout' => 15));
        $httpClient->setHeaders(Zend_Http_Client::CONTENT_TYPE, Zend_Http_Client::ENC_URLENCODED);
        // client id/secret are sent through setAuth(); the POST body only carries the grant type
        $httpClient->setAuth($conf->key, $conf->secret);
        $httpClient->setParameterPost('grant_type', 'client_credentials');
        $tokenResponse = $httpClient->request(Zend_Http_Client::POST);

        $decodedBody = json_decode($tokenResponse->getBody(), true);
        if (!isset($decodedBody['access_token'])) {
            // thrown inside the try on purpose: the catch below logs it and re-wraps it
            throw new EngineBlock_VirtualOrganization_AccessTokenNotGrantedException(
                'AccessToken not granted for EB as SP. Check SR and the Group Provider endpoint log.'
            );
        }

        $grantedToken = $decodedBody['access_token'];
        if ($cacheUsable) {
            $appCache->save($grantedToken, self::ACCESS_TOKEN_KEY);
        }
        return $grantedToken;
    } catch (Exception $exception) {
        $additionalInfo = EngineBlock_Log_Message_AdditionalInfo::create()
            ->setUserId($subjectId)
            ->setDetails($exception->getTraceAsString());
        EngineBlock_ApplicationSingleton::getLog()->error(
            "Error in connecting to API(s) for access token grant" . $exception->getMessage(),
            array('additional_info' => $additionalInfo->toArray())
        );
        throw new EngineBlock_VirtualOrganization_AccessTokenNotGrantedException(
            'AccessToken not granted for EB as SP. Check SR and the Group Provider endpoint log',
            EngineBlock_Exception::CODE_ALERT,
            $exception
        );
    }
}
/**
 * Issue a REST GET request and return the decoded response.
 *
 * $args[0] is the path (defaults to the path of the configured URI); the remaining
 * positional arguments are merged with the query data collected so far, which is reset
 * afterwards so the next call starts clean. Request and response body go to the debug log.
 *
 * NOTE(review): both exception messages embed the raw last request string via var_export();
 * if the client authenticates, that string can contain credentials — keep these messages
 * out of user-facing output.
 *
 * @param array $args
 * @return array|Zend_Rest_Client_Result decoded JSON when the response is application/json,
 *                                       otherwise a Zend_Rest_Client_Result wrapping the body
 * @throws EngineBlock_Exception on a non-200 status, or when a non-JSON body cannot be parsed
 */
public function get($args = array())
{
    if (!isset($args[0])) {
        $args[0] = $this->_uri->getPath();
    }
    $path = $args[0];

    $this->_data['rest'] = 1;
    $queryData = array_slice($args, 1) + $this->_data;
    $response = $this->restGet($path, $queryData);

    /**
     * @var Zend_Http_Client $httpClient
     */
    $httpClient = $this->getHttpClient();
    $log = EngineBlock_ApplicationSingleton::getLog();
    $log->debug("REST Request: " . $httpClient->getLastRequest());
    $log->debug("REST Response: " . $httpClient->getLastResponse()->getBody());

    $this->_data = array(); //Initializes for next Rest method.

    if ($response->getStatus() !== 200) {
        throw new EngineBlock_Exception(
            "Response status !== 200: "
            . var_export($httpClient->getLastRequest(), true)
            . var_export($response, true)
            . var_export($response->getBody(), true)
        );
    }

    $contentType = $response->getHeader("Content-Type");
    $isJson = strpos($contentType, "application/json") !== false;
    if ($isJson) {
        return json_decode($response->getBody(), true);
    }

    try {
        return new Zend_Rest_Client_Result($response->getBody());
    } catch (Zend_Rest_Client_Result_Exception $e) {
        throw new EngineBlock_Exception(
            'Error parsing response'
            . var_export($httpClient->getLastRequest(), true)
            . var_export($response, true)
            . var_export($response->getBody(), true),
            null,
            $e
        );
    }
}
/**
 * Send a mail based on the configuration in the emails table
 *
 * The template for $emailType (text, from address, subject) is read from the emails table;
 * every key of $replacements is substituted case-insensitively in the text. An array value
 * is rendered as an HTML <ul> list. When no (or more than one) configuration row exists the
 * problem is logged and nothing is sent.
 *
 * NOTE(review): replacement values are spliced into the HTML body as-is, without
 * htmlspecialchars(); values that originate from user input must be escaped by the caller,
 * or this method should escape per item — confirm what callers pass before changing it.
 *
 * @param string $emailAddress the email address of the recipient
 * @param string $emailType the pointer to the emails configuration
 * @param array $replacements where the key is a variable (e.g. {user}) and the value the
 *                            string (or list of strings) the variable should be replaced with
 * @return void
 */
public function sendMail($emailAddress, $emailType, $replacements)
{
    $dbh = $this->_getDatabaseConnection();
    $statement = $dbh->prepare("SELECT email_text, email_from, email_subject, is_html FROM emails where email_type = ?");
    $statement->execute(array($emailType));
    $rows = $statement->fetchAll();

    if (count($rows) !== 1) {
        EngineBlock_ApplicationSingleton::getLog()->err("Unable to send mail because of missing email configuration: " . $emailType);
        return;
    }
    $config = $rows[0];

    $emailText = $config['email_text'];
    foreach ($replacements as $placeholder => $value) {
        // a list of values becomes an HTML bullet list, a scalar is inserted directly
        $replacement = is_array($value)
            ? '<ul>' . implode('', array_map(function ($item) { return '<li>' . $item . '</li>'; }, $value)) . '</ul>'
            : $value;
        $emailText = str_ireplace($placeholder, $replacement, $emailText);
    }

    $mail = new Zend_Mail('UTF-8');
    $mail->setBodyHtml($emailText, 'utf-8', 'utf-8');
    $mail->setFrom($config['email_from'], "SURFconext Support");
    $mail->addTo($emailAddress);
    $mail->setSubject($config['email_subject']);
    $mail->send();
}
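/**
 * Validate the license information
 *
 * Asks the License Manager for the user's license status for the given SP/IdP pair.
 * Transport failures and undecodable answers degrade to LICENSE_UNKNOWN (logged) so the
 * login flow is never blocked by this check. When the License Manager answers with a
 * returnUrl the user is redirected there and the request ends.
 *
 * Fixed: $response['status'] and its keys were read without checking that the body decoded
 * to the expected structure, raising notices (and, on a scalar 'status', errors) instead of
 * falling back to LICENSE_UNKNOWN.
 *
 * @param string $userId
 * @param array $spMetadata   must contain 'EntityId'
 * @param array $idpMetadata  must contain 'EntityId'
 * @return string one of the EngineBlock_LicenseEngine_ValidationManager::LICENSE_* values,
 *                or the licenseStatus string the License Manager returned
 */
public function validate($userId, array $spMetadata, array $idpMetadata)
{
    if (!$this->_active) {
        return EngineBlock_LicenseEngine_ValidationManager::LICENSE_UNKNOWN;
    }

    $client = new Zend_Http_Client($this->_url);
    $client->setConfig(array('timeout' => 15));

    try {
        // NOTE(review): the values are urlencode()d here and Zend_Http_Client encodes GET
        // parameters again; kept as-is because the License Manager may rely on it — confirm.
        $client->setHeaders(Zend_Http_Client::CONTENT_TYPE, 'application/json; charset=utf-8')
            ->setParameterGet('userId', urlencode($userId))
            ->setParameterGet('serviceProviderEntityId', urlencode($spMetadata['EntityId']))
            ->setParameterGet('identityProviderEntityId', urlencode($idpMetadata['EntityId']))
            ->request('GET');

        $body = $client->getLastResponse()->getBody();
        $response = json_decode($body, true);
    } catch (Exception $exception) {
        $additionalInfo = new EngineBlock_Log_Message_AdditionalInfo(
            $userId,
            $idpMetadata['EntityId'],
            $spMetadata['EntityId'],
            $exception->getTraceAsString()
        );
        EngineBlock_ApplicationSingleton::getLog()->error("Could not connect to License Manager" . $exception->getMessage(), $additionalInfo);
        return EngineBlock_LicenseEngine_ValidationManager::LICENSE_UNKNOWN;
    }

    // A body that is not JSON, or JSON without a 'status' object, means "unknown",
    // not a notice on a null offset.
    if (!is_array($response) || !isset($response['status']) || !is_array($response['status'])) {
        return EngineBlock_LicenseEngine_ValidationManager::LICENSE_UNKNOWN;
    }
    $status = $response['status'];

    // The redirect target comes from the License Manager response, not from the user.
    if (!empty($status['returnUrl'])) {
        $currentResponse = EngineBlock_ApplicationSingleton::getInstance()->getHttpResponse();
        $currentResponse->setRedirectUrl($status['returnUrl']);
        $currentResponse->send();
        exit;
    }

    if (!empty($status['licenseStatus'])) {
        return $status['licenseStatus'];
    }
    return EngineBlock_LicenseEngine_ValidationManager::LICENSE_UNKNOWN;
}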
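/**
 * Serve the Service Registry metadata of an entity as JSON.
 *
 * Query parameters:
 *  - entityid  : entity to look up
 *  - gadgeturl : when no entityid is given, the SP is located by its 'coin:gadgetbaseurl'
 *  - keys      : optional comma separated list restricting the result to these metadata keys
 *
 * Responds with an empty JSON object when a gadgeturl matches nothing.
 *
 * Fixed: 'keys' was read from $_REQUEST (which also merges POST and cookie values) while the
 * other parameters went through the request abstraction; all three now use getQueryParameter().
 *
 * @throws EngineBlock_Exception when the gadgeturl is ambiguous or no entity id can be determined
 * @return void
 */
public function metadataAction()
{
    $this->setNoRender();

    $request = EngineBlock_ApplicationSingleton::getInstance()->getHttpRequest();
    $entityId = $request->getQueryParameter("entityid");
    $gadgetUrl = $request->getQueryParameter('gadgeturl');

    // If we were only handed a gadget url, no entity id, lookup the Service Provider entity id
    if ($gadgetUrl && !$entityId) {
        $identifiers = $this->_getRegistry()->findIdentifiersByMetadata('coin:gadgetbaseurl', $gadgetUrl);
        if (count($identifiers) > 1) {
            EngineBlock_ApplicationSingleton::getLog()->warn("Multiple identifiers found for gadgetbaseurl: '{$gadgetUrl}'");
            throw new EngineBlock_Exception('Multiple identifiers found for gadgetbaseurl');
        }
        if (count($identifiers) === 0) {
            EngineBlock_ApplicationSingleton::getLog()->warn("No Entity Id found for gadgetbaseurl '{$gadgetUrl}'");
            $this->_getResponse()->setHeader('Content-Type', 'application/json');
            $this->_getResponse()->setBody(json_encode(new stdClass()));
            return;
        }
        $entityId = $identifiers[0];
    }

    if (!$entityId) {
        throw new EngineBlock_Exception('No entity id provided to get metadata for?!');
    }

    // An absent or empty 'keys' parameter yields the full metadata.
    $keys = $request->getQueryParameter('keys');
    if (is_string($keys) && $keys !== '') {
        $result = $this->_getRegistry()->getMetaDataForKeys($entityId, explode(",", $keys));
    } else {
        $result = $this->_getRegistry()->getMetadata($entityId);
    }
    $result['entityId'] = $entityId;

    $this->_getResponse()->setHeader('Content-Type', 'application/json');
    $this->_getResponse()->setBody(json_encode($result));
}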
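/**
 * Map SAML2 attributes to LDAP attributes according to $this->_s2lMap.
 *
 * Only the first value of each mapped attribute is kept (extra values are logged at notice
 * level). Every attribute present is checked off against $this->_saml2Required; if any
 * required attribute is missing the error is logged and an exception is thrown.
 *
 * Fixed: the required-list lookup used loose comparison; names are now compared strictly
 * as strings (PHP turns numeric-looking array keys into ints, hence the cast).
 *
 * @param array $attributes SAML2 attribute name => list of values
 * @return array LDAP attribute name => single value
 * @throws EngineBlock_Exception_MissingRequiredFields when a required SAML2 attribute is absent
 */
public function saml2AttributesToLdapAttributes($attributes)
{
    $log = EngineBlock_ApplicationSingleton::getLog();
    $missingRequired = $this->_saml2Required;
    $ldapAttributes = array();

    foreach ($attributes as $saml2Name => $values) {
        // Map it to an LDAP attribute
        if (isset($this->_s2lMap[$saml2Name])) {
            if (count($values) > 1) {
                $log->notice("Ignoring everything but first value of {$saml2Name}", array('attribute_values' => $values));
            }
            $ldapAttributes[$this->_s2lMap[$saml2Name]] = $values[0];
        }

        // Check off against required attribute list
        $requiredKey = array_search((string) $saml2Name, $missingRequired, true);
        if ($requiredKey !== false) {
            unset($missingRequired[$requiredKey]);
        }
    }

    if (!empty($missingRequired)) {
        $log->error(
            'Missing required SAML2 fields in attributes',
            array('required_fields' => $missingRequired, 'attributes' => $attributes)
        );
        throw new EngineBlock_Exception_MissingRequiredFields('Missing required SAML2 fields in attributes');
    }

    return $ldapAttributes;
}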
/**
 * Exchange the OAuth request token (stored in the session) for an access token.
 *
 * @example /profile/group-oauth/consume/provider2?oauth_token=request-token
 *
 * On success the request token is discarded and the user is sent back to the return URL
 * kept in the session; when the provider's preconditions fail, the Error view is rendered.
 *
 * @param string $providerId
 * @throws EngineBlock_Exception without query parameters or without a request token in the session
 * @return void
 */
public function consumeAction($providerId)
{
    $this->setNoRender();

    $providerConfig = $this->_getProviderConfiguration($providerId);
    $oauthConsumer = new Zend_Oauth_Consumer($providerConfig->auth);

    $queryParameters = $this->_getRequest()->getQueryParameters();
    if (empty($queryParameters)) {
        throw new EngineBlock_Exception('Unable to consume access token, no query parameters given');
    }
    if (!isset($_SESSION['request_token'][$providerId])) {
        throw new EngineBlock_Exception("Unable to consume access token, no request token (session lost?)");
    }

    // The serialized request token is server-side session state written earlier in the
    // OAuth flow (outside this block), not client supplied input.
    $requestToken = unserialize($_SESSION['request_token'][$providerId]);
    $accessToken = $oauthConsumer->getAccessToken($queryParameters, $requestToken);

    $userId = $this->attributes['nameid'][0];
    $provider = EngineBlock_Group_Provider_OpenSocial_Oauth_ThreeLegged::createFromConfigs($providerConfig, $userId);
    $provider->setAccessToken($accessToken);

    if ($provider->validatePreconditions()) {
        // Now that we have an Access Token, we can discard the Request Token
        $_SESSION['request_token'][$providerId] = null;
        // NOTE(review): return_url is taken from the session; where it is set is outside this
        // block — confirm it is restricted to local paths before relying on it as a redirect target.
        $this->_redirectToUrl($_SESSION['return_url']);
        return;
    }

    EngineBlock_ApplicationSingleton::getLog()->err(
        "Unable to test OpenSocial 3-legged Oauth provider because not all preconditions have been matched?",
        new EngineBlock_Log_Message_AdditionalInfo($userId, null, null, null)
    );
    $this->providerId = $providerId;
    $this->renderAction("Error");
}
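/**
 * Add the 'urn:collab:org:surf.nl' value to the isMemberOf attribute in case a user
 * is considered a 'full member' of the SURFfederation.
 *
 * The decision follows the IdP's guestQualifier:
 *  - All:  every user of this IdP is a guest, nothing is added
 *  - None: every user is a member
 *  - Some: member only when the first surfPersonAffiliation value is 'member'
 *  - anything else: treated as guest, with a warning in the log
 *
 * Fixed: the unknown-qualifier warning read the qualifier with array syntax
 * ($this->_identityProvider['GuestQualifier']) on the IdentityProvider object, which fails at
 * runtime, and its message had an unbalanced quote.
 *
 * @return void  (membership is recorded through _setIsMember())
 */
protected function _addIsMemberOfSurfNlAttribute()
{
    $guestQualifier = $this->_identityProvider->guestQualifier;

    if ($guestQualifier === IdentityProvider::GUEST_QUALIFIER_ALL) {
        // All users from this IdP are guests, so no need to add the isMemberOf
        return;
    }

    if ($guestQualifier === IdentityProvider::GUEST_QUALIFIER_NONE) {
        $this->_setIsMember();
        return;
    }

    $log = EngineBlock_ApplicationSingleton::getLog();
    $logContext = array('idp' => $this->_identityProvider, 'response_attributes' => $this->_responseAttributes);

    if ($guestQualifier === IdentityProvider::GUEST_QUALIFIER_SOME) {
        if (!isset($this->_responseAttributes[static::URN_SURF_PERSON_AFFILIATION][0])) {
            $log->warning(
                "Idp guestQualifier is set to 'Some' however, "
                . "the surfPersonAffiliation attribute was not provided, "
                . "not adding the isMemberOf for surf.nl",
                $logContext
            );
            return;
        }
        if ($this->_responseAttributes[static::URN_SURF_PERSON_AFFILIATION][0] === 'member') {
            $this->_setIsMember();
            return;
        }
        $log->notice(
            "Idp guestQualifier is set to 'Some', surfPersonAffiliation attribute does not contain "
            . 'the value "member", so not adding isMemberOf for surf.nl'
        );
        return;
    }

    // Unknown policy for handling guests? Treat the user as a guest, but issue a warning in the logs
    $log->warning("Idp guestQualifier is set to unknown value '{$guestQualifier}'", $logContext);
}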
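/**
 * Apply the Service Provider's attribute release policy (ARP) to the response attributes.
 *
 * Without an ARP nothing changes. With one, attributes not named in the ARP are dropped,
 * a '*' entry passes all values of that attribute through, and otherwise only the values
 * listed for the attribute survive. Removed attributes are logged at info level.
 *
 * Fixed: both in_array() lookups were loose; an allow-list must not match on PHP's
 * string/number juggling rules, so they now compare strictly.
 *
 * @return void  ($this->_responseAttributes is rewritten in place)
 */
public function execute()
{
    $spEntityId = $this->_spMetadata['EntityId'];
    $arp = $this->_getServiceRegistryAdapter()->getArp($spEntityId);
    if (!$arp) {
        return;
    }

    $log = EngineBlock_ApplicationSingleton::getLog();
    $log->info("Applying attribute release policy {$arp['name']} for {$spEntityId}");

    $filteredAttributes = array();
    foreach ($this->_responseAttributes as $attribute => $attributeValues) {
        if (!isset($arp['attributes'][$attribute])) {
            $log->info("ARP: Removing attribute {$attribute}");
            continue;
        }

        $allowedValues = $arp['attributes'][$attribute];
        if (in_array('*', $allowedValues, true)) {
            // Passthrough all values
            $filteredAttributes[$attribute] = $attributeValues;
            continue;
        }

        foreach ($attributeValues as $attributeValue) {
            if (!in_array($attributeValue, $allowedValues, true)) {
                continue;
            }
            if (!isset($filteredAttributes[$attribute])) {
                $filteredAttributes[$attribute] = array();
            }
            $filteredAttributes[$attribute][] = $attributeValue;
        }
    }

    $this->_responseAttributes = $filteredAttributes;
}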
/**
 * Route a URI to its controller action.
 *
 * Without an explicit $uri the current HTTP request's URI is used. An unroutable URI is
 * logged and handled by the default error controller's NotFound action; any exception
 * thrown while dispatching is passed to _handleDispatchException().
 *
 * @param string $uri
 * @return void
 */
public function dispatch($uri = "")
{
    try {
        $application = EngineBlock_ApplicationSingleton::getInstance();
        if (!$uri) {
            $uri = $application->getHttpRequest()->getUri();
        }

        $routed = $this->_dispatch($uri);
        if ($routed) {
            return;
        }

        EngineBlock_ApplicationSingleton::getLog()->notice("[404]Unroutable URI: '{$uri}'");
        $this->_getControllerInstance('default', 'error')->handleAction('NotFound');
    } catch (Exception $e) {
        $this->_handleDispatchException($e);
    }
}
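/**
 * Strip reserved 'urn:collab:org:' values from the isMemberOf attribute.
 *
 * Values with that prefix are reserved for EngineBlock itself (e.g. the surf.nl membership
 * value it adds), so an IdP must not assert them; each removed value is logged at notice
 * level. The attribute is reindexed afterwards so it remains a proper list.
 *
 * Fixed: the old loop read $groups[$i] for the log line after unset()ting it (undefined
 * index) and re-evaluated count() while removing entries, so values after a removed one
 * were skipped.
 *
 * @return void
 */
public function execute()
{
    if (!isset($this->_responseAttributes[self::URN_IS_MEMBER_OF])) {
        return;
    }

    $kept = array();
    foreach ($this->_responseAttributes[self::URN_IS_MEMBER_OF] as $group) {
        if (strpos($group, self::URN_COLLAB_ORG_PREFIX) !== 0) {
            $kept[] = $group;
            continue;
        }
        EngineBlock_ApplicationSingleton::getLog()->notice(sprintf(
            'FilterReservedMemberOfValue: Removed "%s" value from %s attribute by %s',
            $group,
            self::URN_IS_MEMBER_OF,
            $this->_identityProvider->entityId
        ));
    }

    $this->_responseAttributes[self::URN_IS_MEMBER_OF] = $kept;
}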
/**
 * Provision the user at an external provisioning endpoint when the SP requires it.
 *
 * Nothing happens unless $spMetadata['MustProvisionExternally'] is set. The provisioning
 * parameters (type, domain, admin, password, groups) are sent as GET parameters and the
 * user data as a JSON POST body; URI, request and response are written to the debug log.
 *
 * NOTE(review): ExternalProvisionPassword travels in the query string, and the debug lines
 * below log the full URI and the raw request, so the password ends up in the log at debug level.
 *
 * @param string $userId
 * @param array $attributes
 * @param array $spMetadata
 * @param array $idpMetadata
 * @return void
 */
public function provisionUser($userId, $attributes, $spMetadata, $idpMetadata)
{
    if (!$spMetadata['MustProvisionExternally']) {
        return;
    }

    // https://os.XXX.surfconext.nl/provisioning-manager/provisioning/jit.shtml?
    // provisionDomain=apps.surfnet.nl&provisionAdmin=admin%40apps.surfnet.nl&
    // provisionPassword=xxxxx&provisionType=GOOGLE&provisionGroups=true
    $client = new Zend_Http_Client($this->_url);
    $client->setHeaders(Zend_Http_Client::CONTENT_TYPE, 'application/json; charset=utf-8');

    $getParameters = array(
        'provisionType'     => $spMetadata['ExternalProvisionType'],
        'provisionDomain'   => $spMetadata['ExternalProvisionDomain'],
        'provisionAdmin'    => $spMetadata['ExternalProvisionAdmin'],
        'provisionPassword' => $spMetadata['ExternalProvisionPassword'],
        'provisionGroups'   => $spMetadata['ExternalProvisionGroups'],
    );
    foreach ($getParameters as $parameterName => $parameterValue) {
        $client->setParameterGet($parameterName, $parameterValue);
    }
    $client->setRawData(json_encode($this->_getData($userId, $attributes)));
    $client->request('POST');

    $additionalInfo = new EngineBlock_Log_Message_AdditionalInfo($userId, $idpMetadata['EntityId'], $spMetadata['EntityId'], null);
    $log = EngineBlock_ApplicationSingleton::getLog();
    $log->debug("PROVISIONING: Sent HTTP request to provision user using " . __CLASS__, $additionalInfo);
    $log->debug("PROVISIONING: URI: " . $client->getUri(true), $additionalInfo);
    $log->debug("PROVISIONING: REQUEST: " . $client->getLastRequest(), $additionalInfo);
    $log->debug("PROVISIONING: RESPONSE: " . $client->getLastResponse(), $additionalInfo);
}
/**
 * Collect everything the profile index page shows: attribute metadata, the user's group
 * aggregator, group OAuth settings, the SP list with its attributes and OAuth settings,
 * and the consent given so far.
 *
 * A failure while building the SP OAuth list is logged as critical and does not stop the page.
 *
 * @return void (the values are set as view properties on $this)
 */
public function indexAction()
{
    $this->metadata = new EngineBlock_AttributeMetadata();

    $nameId = $this->attributes['nameid'][0];
    $this->aggregator = EngineBlock_Group_Provider_Aggregator_MemoryCacheProxy::createFromDatabaseFor($nameId);
    $this->groupOauth = $this->user->getUserOauth();

    $registryClient = new Janus_Client_CacheProxy();
    $this->spList = $registryClient->getSpList();
    $this->consent = $this->user->getConsent();
    $this->spAttributesList = $this->_getSpAttributeList($this->spList);

    try {
        $this->spOauthList = $this->_getSpOauthList($this->spList);
    } catch (Exception $e) {
        $additionalInfo = new EngineBlock_Log_Message_AdditionalInfo($this->user->getUid(), null, null, $e->getTraceAsString());
        EngineBlock_ApplicationSingleton::getLog()->critical($e->getMessage(), $additionalInfo);
    }
}
/**
 * Whether the subject is a member of at least one of the VO's groups at their group provider.
 *
 * Groups are checked in order and the first hit decides. A
 * EngineBlock_VirtualOrganization_VoIdentifierNotFoundException is logged as a warning and
 * counts as "not a member"; any other exception propagates.
 *
 * @param EngineBlock_VirtualOrganization $virtualOrganization
 * @param string $subjectId
 * @return bool
 */
protected function _isMemberOfGroups(EngineBlock_VirtualOrganization $virtualOrganization, $subjectId)
{
    $groupProvider = $this->_getGroupProvider($subjectId);
    $isMember = false;

    try {
        foreach ($virtualOrganization->getGroups() as $voGroup) {
            if ($groupProvider->isMember($voGroup->id)) {
                $isMember = true;
                break;
            }
        }
    } catch (EngineBlock_VirtualOrganization_VoIdentifierNotFoundException $e) {
        // the VO object itself is handed over as the log 'details'
        $additionalInfo = new EngineBlock_Log_Message_AdditionalInfo($subjectId, null, null, $virtualOrganization);
        EngineBlock_ApplicationSingleton::getLog()->warn($e->getMessage(), $additionalInfo);
    }

    return $isMember;
}
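/**
 * Ask PDP for access.
 *
 * POSTs the policy request as JSON to the PDP (HTTP basic auth) and wraps the response body
 * in a Pdp_PolicyResponse, which is also kept in $this->policyResponse.
 *
 * Fixed: the status was compared loosely against the string '200' (now an integer strict
 * comparison), the error message lacked a space before "response", and the transport
 * exception is now chained as 'previous' so its cause is not lost.
 *
 * @return \Pdp_PolicyResponse
 * @throws \EngineBlock_Exception when the PDP cannot be reached or answers with a non-200 status
 */
protected function requestAccess()
{
    $httpClient = new Zend_Http_Client($this->baseUrl);

    try {
        $result = $httpClient->setConfig(array('timeout' => 15))
            ->setAuth($this->username, $this->password, Zend_Http_Client::AUTH_BASIC)
            ->setRawData($this->policyRequest->toJson())
            ->setEncType('application/json')
            ->request('POST');

        if ((int) $result->getStatus() !== 200) {
            $error = "Received invalid HTTP " . $result->getStatus() . " response from PDP";
            EngineBlock_ApplicationSingleton::getLog()->error($error);
            throw new EngineBlock_Exception($error);
        }
    } catch (Zend_Http_Client_Exception $e) {
        EngineBlock_ApplicationSingleton::getLog()->error($e->getMessage());
        throw new EngineBlock_Exception($e->getMessage(), null, $e);
    }

    $this->policyResponse = new Pdp_PolicyResponse($result->getBody());
    return $this->policyResponse;
}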
/**
 * Run the Service Registry supplied attribute manipulation code for one entity.
 *
 * The manipulation code is PHP source stored in the service registry and is executed with
 * eval(); it may change $subjectId, $attributes and $response in place (they are captured by
 * reference in the closure). This is by design equivalent to running registry content as
 * application code: whoever can edit an entity's manipulation code can run arbitrary PHP here,
 * so write access to that registry field is as sensitive as deploy access.
 *
 * When an EngineBlock_Exception is raised while the code runs, the second closure logs the
 * code together with all inputs and annotates the exception with entity and user context.
 *
 * @param string $manipulationCode  PHP source to eval()
 * @param string $entityId          entity the code belongs to (SP or IdP, see $this->_entityType)
 * @param string $subjectId         NameID of the subject; may be changed by the code
 * @param array  $attributes        response attributes; may be changed by the code
 * @param array  $response          response as array; may be changed by the code
 * @param EngineBlock_Saml2_ResponseAnnotationDecorator $responseObj
 * @param array  $idpMetadata
 * @param array  $spMetadata
 * @return void
 */
protected function _doManipulation($manipulationCode, $entityId, &$subjectId, array &$attributes, array &$response, EngineBlock_Saml2_ResponseAnnotationDecorator $responseObj, array $idpMetadata, array $spMetadata)
{
    $entityType = $this->_entityType;
    EngineBlock_ApplicationSingleton::getInstance()->getErrorHandler()->withExitHandler(
        // $subjectId, $attributes and $response are captured by reference so the eval()ed
        // code can modify them for the caller; everything else is a by-value copy.
        function () use($manipulationCode, $entityId, &$subjectId, &$attributes, &$response, $responseObj, $idpMetadata, $spMetadata) {
            eval($manipulationCode);
        },
        // This handler captured everything by value when it was created, i.e. it logs the
        // input state from before the manipulation ran. NOTE(review): presumably invoked by
        // withExitHandler when the first closure raised — confirm against the error handler.
        function (EngineBlock_Exception $exception) use($entityType, $manipulationCode, $entityId, $subjectId, $attributes, $response, $responseObj, $idpMetadata, $spMetadata) {
            EngineBlock_ApplicationSingleton::getLog()->error('An error occurred while running service registry manipulation code', array('manipulation_code' => array('EntityID' => $entityId, 'Manipulation code' => $manipulationCode, 'Subject NameID' => $subjectId, 'Attributes' => $attributes, 'Response' => $response, 'IdPMetadata' => $idpMetadata, 'SPMetadata' => $spMetadata)));
            // record which side (SP or IdP) the failing code belongs to
            if ($entityType === 'sp') {
                $exception->spEntityId = $entityId;
            } else {
                if ($entityType === 'idp') {
                    $exception->idpEntityId = $entityId;
                }
            }
            $exception->userId = $subjectId;
            $exception->description = $entityType;
        }
    );
}
/**
 * Enforce VO membership when the request carries a VO context.
 *
 * Outside a VO context nothing happens. Inside one, the collabPersonId must be a member of
 * the VO according to the validator; members get the VO name added as the
 * self::VO_NAME_ATTRIBUTE response attribute, non-members are rejected.
 *
 * @throws EngineBlock_Corto_Filter_Command_Exception_PreconditionFailed without a collabPersonId
 * @throws EngineBlock_Corto_Exception_UserNotMember when the user is not a member of the VO
 * @return void
 */
public function execute()
{
    if (!$this->_collabPersonId) {
        throw new EngineBlock_Corto_Filter_Command_Exception_PreconditionFailed('Missing collabPersonId');
    }

    // In filter stage we need to take a look at the VO context
    $voContext = $this->_request->getVoContext();
    if (!$voContext) {
        return;
    }

    // If in VO context, validate the user's membership
    EngineBlock_ApplicationSingleton::getLog()->debug("VO {$voContext} membership required");
    $membershipValidator = $this->_getValidator();
    $memberOfVo = $membershipValidator->isMember($voContext, $this->_collabPersonId, $this->_identityProvider->entityId);
    if (!$memberOfVo) {
        throw new EngineBlock_Corto_Exception_UserNotMember("User not a member of VO {$voContext}");
    }

    $this->_responseAttributes[self::VO_NAME_ATTRIBUTE] = array($voContext);
}
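/**
 * Determine the NameID format to use for the SP.
 *
 * Priority: a NameIDFormat configured for the SP in the ServiceRegistry, then the format the
 * SP requested in samlp:NameIDPolicy if it is one we support, otherwise persistent (with a
 * warning when a requested format had to be ignored).
 *
 * Fixed: the supported-format lookup used loose in_array(); it now compares strictly so only
 * an exact URN string from the supported list is accepted.
 *
 * @param array $request           AuthnRequest as array; 'samlp:NameIDPolicy'/'_Format' is read
 * @param array $spEntityMetadata  SP metadata; 'NameIDFormat' and 'EntityID' are read
 * @return string NameID format URN
 */
protected function _getNameIdFormat($request, $spEntityMetadata)
{
    // Persistent is our default
    $defaultNameIdFormat = 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent';

    // If a NameIDFormat was explicitly set in the ServiceRegistry, use that...
    if (isset($spEntityMetadata['NameIDFormat'])) {
        return $spEntityMetadata['NameIDFormat'];
    }

    if (!isset($request['samlp:NameIDPolicy']['_Format'])) {
        return $defaultNameIdFormat;
    }

    $requestedNameIdFormat = $request['samlp:NameIDPolicy']['_Format'];
    if (in_array($requestedNameIdFormat, $this->SUPPORTED_NAMEID_FORMATS, true)) {
        return $requestedNameIdFormat;
    }

    EngineBlock_ApplicationSingleton::getLog()->warn(
        "Whoa, SP '{$spEntityMetadata['EntityID']}' requested '{$requestedNameIdFormat}' "
        . "however we don't support that format, opting to try '{$defaultNameIdFormat}' "
        . "instead of sending an error. SP might not be happy with that..."
    );
    return $defaultNameIdFormat;
}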
/**
 * Apply the attribute release policy of every SP in the requester chain.
 *
 * The chain runs from the farthest-away SP down to our next hop; each SP that has an ARP
 * narrows the attribute set further. Order is irrelevant: filtering with A then B yields
 * the same result as B then A.
 *
 * @return void ($this->_responseAttributes is replaced with the filtered set)
 */
public function execute()
{
    $logger = EngineBlock_ApplicationSingleton::getLog();
    $enforcer = new EngineBlock_Arp_AttributeReleasePolicyEnforcer();

    // Get the Requester chain, which starts at the oldest (farthest away from us SP) and ends with our next hop.
    $requesterChain = EngineBlock_SamlHelper::getSpRequesterChain(
        $this->_serviceProvider,
        $this->_request,
        $this->_server->getRepository()
    );

    $released = $this->_responseAttributes;
    foreach ($requesterChain as $spMetadata) {
        $arp = $this->getMetadataRepository()->fetchServiceProviderArp($spMetadata);
        if (!$arp) {
            continue;
        }
        $logger->info("Applying attribute release policy for {$spMetadata->entityId}");
        $released = $enforcer->enforceArp($arp, $released);
    }

    $this->_responseAttributes = $released;
}
/**
 * Log an error about the last request made through this client.
 *
 * Context attached to the log entry: the raw last request, the decoded JSON of (the first
 * 1024 bytes of) the response body when that parses, and the full response headers + body.
 *
 * NOTE(review): the JSON is decoded from the truncated copy, so bodies longer than 1 KiB
 * are cut mid-document and 'json_response' is then never set — the full body is only there
 * as the raw string in 'http_response'. 'http_request' is the raw request including its
 * headers; treat this log entry as sensitive if the client authenticates.
 *
 * @param string $message
 */
protected function _logRequest($message)
{
    /**
     * @var Zend_Http_Client $httpClient
     */
    $httpClient = $this->getHttpClient();
    $response = $httpClient->getLastResponse();

    $fullBody = $response->getBody();
    $preview = substr($fullBody, 0, 1024);
    if ($preview !== $fullBody) {
        $preview .= '...';
    }

    $logContext = array('http_request' => $httpClient->getLastRequest());

    // If able to decode as JSON, show parsed result
    $decoded = json_decode($preview);
    if ($decoded) {
        $logContext['json_response'] = $decoded;
    }

    $logContext['http_response'] = $response->getHeadersAsString() . PHP_EOL . $response->getBody();

    EngineBlock_ApplicationSingleton::getLog()->error($message, $logContext);
}
/**
 * Create a new Database connection, for a given mode self::MODE_READ and self::MODE_WRITE,
 * defaults to write mode.
 *
 * A failing read connection is logged and replaced by a write connection.
 * NOTE(review): that log line dumps the whole exception with print_r(), trace included;
 * depending on what the connection code passes around, connection settings may end up in
 * the log that way.
 *
 * @static
 * @throws EngineBlock_Database_Exception for an unknown $mode
 * @param string|null $mode self::MODE_READ or self::MODE_WRITE (null means write)
 * @return PDO
 */
public function create($mode = null)
{
    $requestedMode = $mode === null ? self::MODE_WRITE : $mode;
    $databaseSettings = $this->_getDatabaseSettings();

    if ($requestedMode === self::MODE_WRITE) {
        return $this->_createWriteConnection($databaseSettings);
    }

    if ($requestedMode !== self::MODE_READ) {
        throw new EngineBlock_Database_Exception("Requested database connection with unknown mode '{$requestedMode}'");
    }

    try {
        return $this->_createReadConnection($databaseSettings);
    } catch (Exception $e) {
        $additionalInfo = EngineBlock_Log_Message_AdditionalInfo::create()->setDetails($e->getTraceAsString());
        EngineBlock_ApplicationSingleton::getLog()->error(
            "Unable to create a Read connection, trying to create a write connection, exception: " . print_r($e, true),
            array('additional_info' => $additionalInfo->toArray())
        );
        return $this->_createWriteConnection($databaseSettings);
    }
}
/**
 * Policy Enforcement Point: consult the PDP when the (requesting) SP demands it.
 *
 * The requester SP from the chain is used when one can be found, else the SP we talk to
 * directly. Returns silently when no policy decision is required or access is granted;
 * otherwise throws with the validator's message, or a generic one if it has none.
 *
 * @throws EngineBlock_Corto_Exception_PEPNoAccess when access is denied
 * @return void
 */
public function execute()
{
    $requesterSp = EngineBlock_SamlHelper::findRequesterServiceProvider(
        $this->_serviceProvider,
        $this->_request,
        $this->_server->getRepository()
    );
    $serviceProvider = $requesterSp ? $requesterSp : $this->_serviceProvider;

    if (!$serviceProvider->policyEnforcementDecisionRequired) {
        return;
    }

    $log = EngineBlock_ApplicationSingleton::getLog();
    $log->debug("Policy Enforcement Point consult");

    $validator = $this->_getValidator();
    $hasAccess = $validator->hasAccess(
        $this->_collabPersonId,
        $this->_identityProvider->entityId,
        $serviceProvider->entityId,
        $this->_responseAttributes
    );
    if ($hasAccess) {
        return;
    }

    $message = $validator->getMessage() ? $validator->getMessage() : "Policy Decision Point: access denied.";
    $log->debug("Policy Enforcement Point access denied: " . $message);
    throw new EngineBlock_Corto_Exception_PEPNoAccess($message);
}
/**
 * Filter response attributes through an attribute release policy.
 *
 * Without a policy everything is returned untouched. Otherwise attributes the policy does
 * not mention are dropped, and of the remaining ones only the values the policy allows are
 * kept; each refused value is logged at info level.
 *
 * @param AttributeReleasePolicy|null $arp
 * @param array $responseAttributes attribute name => list of values
 * @return array filtered attribute name => list of values
 */
public function enforceArp(AttributeReleasePolicy $arp = null, $responseAttributes)
{
    if (!$arp) {
        return $responseAttributes;
    }

    $released = array();
    foreach ($responseAttributes as $name => $values) {
        if (!$arp->hasAttribute($name)) {
            continue;
        }
        foreach ($values as $value) {
            if (!$arp->isAllowed($name, $value)) {
                EngineBlock_ApplicationSingleton::getLog()->info("ARP: non allowed attribute value '{$value}' for attribute '{$name}'");
                continue;
            }
            if (!array_key_exists($name, $released)) {
                $released[$name] = array();
            }
            $released[$name][] = $value;
        }
    }

    return $released;
}
/**
 * Members of a group, each decorated with their privileges in that group.
 *
 * A member whose privileges cannot be fetched is logged (warning, with the exception
 * dumped) and left out of the result.
 *
 * @param string $groupName
 * @return array list of member objects with a 'privileges' property set
 */
public function getMembersWithPrivileges($groupName)
{
    $decorated = array();
    foreach ($this->getMembers($groupName) as $member) {
        try {
            $member->privileges = $this->getMemberPrivileges($member->id, $groupName);
        } catch (Exception $e) {
            $additionalInfo = new EngineBlock_Log_Message_AdditionalInfo($member->id, null, null, $e->getTraceAsString());
            EngineBlock_ApplicationSingleton::getLog()->warn(
                "Something wrong with user: " . var_export($member, true) . 'Received Exception: ' . var_export($e, true),
                $additionalInfo
            );
            continue;
        }
        $decorated[] = $member;
    }
    return $decorated;
}
/**
 * Resolve the configured file location and store it in $this->_fileLocation.
 *
 * A location not starting with '/' is taken relative to ENGINEBLOCK_FOLDER_ROOT and resolved
 * with realpath(); when that path does not exist a warning is logged and false is returned
 * without touching $this->_fileLocation.
 *
 * @return $this|false
 */
protected function _setFileLocation()
{
    $configuredLocation = $this->_getFileLocationFromConfiguration();
    $isAbsolute = substr($configuredLocation, 0, 1) === '/';

    if ($isAbsolute) {
        $this->_fileLocation = $configuredLocation;
        return $this;
    }

    $resolved = realpath(ENGINEBLOCK_FOLDER_ROOT . $configuredLocation);
    if ($resolved === false) {
        EngineBlock_ApplicationSingleton::getLog()->warn(
            "Location '{$configuredLocation}' does not exist, "
            . "relative from the EngineBlock root: " . ENGINEBLOCK_FOLDER_ROOT
        );
        return false;
    }

    $this->_fileLocation = $resolved;
    return $this;
}
/**
 * English name of an IdP: displayNameEn, else nameEn, else (with a warning) the entity id.
 *
 * @param IdentityProvider $identityProvider
 * @param EngineBlock_Log_Message_AdditionalInfo $additionalInfo context attached to the fallback warning
 * @return string
 */
private function getNameEn(IdentityProvider $identityProvider, EngineBlock_Log_Message_AdditionalInfo $additionalInfo)
{
    $candidates = array($identityProvider->displayNameEn, $identityProvider->nameEn);
    foreach ($candidates as $candidate) {
        if ($candidate) {
            return $candidate;
        }
    }

    EngineBlock_ApplicationSingleton::getLog()->warning(
        'No EN displayName and name found for idp: ' . $identityProvider->entityId,
        array('additional_info' => $additionalInfo->toArray())
    );
    return $identityProvider->entityId;
}
/**
 * Log that a group provider could not be used: the exception message at err level and
 * its stack trace at debug level.
 *
 * @param string $providerId
 * @param Exception $e
 * @return void
 */
protected static function _logErrorMessage($providerId, Exception $e)
{
    $trace = $e->getTraceAsString();
    $log = EngineBlock_ApplicationSingleton::getLog();
    $log->err(
        "Unable to use provider {$providerId}, received Exception: " . $e->getMessage(),
        new EngineBlock_Log_Message_AdditionalInfo(null, null, null, $trace)
    );
    $log->debug($trace);
}
/**
 * Forward a warning to the application log, prefixed with this logger's prefix.
 *
 * (The previous docblock claimed the call was ignored; it is in fact delegated to
 * EngineBlock_ApplicationSingleton::getLog()->warn().)
 *
 * @param string $message
 * @param EngineBlock_Log_Message_AdditionalInfo $additionalInfo Some extra information
 *        that can be supplied with the log message
 */
public function warn($message, EngineBlock_Log_Message_AdditionalInfo $additionalInfo = null)
{
    $applicationLog = EngineBlock_ApplicationSingleton::getLog();
    $prefixedMessage = $this->_getPrefix() . $message;
    $applicationLog->warn($prefixedMessage, $additionalInfo);
}
/**
 * Add the 'urn:collab:org:surf.nl' value to the isMemberOf attribute in case a user
 * is considered a 'full member' of the SURFfederation.
 *
 * Decided by the IdP metadata's GuestQualifier (defaulting to 'All' with a warning when
 * absent):
 *  - 'None': every user is a member
 *  - 'All':  every user is a guest, nothing is added
 *  - 'Some': member only when the first surfPersonAffiliation value is 'member'
 *  - anything else: treated as guest, with a warning in the logs
 *
 * @return void (membership is recorded through _setIsMember())
 */
protected function _addIsMemberOfSurfNlAttribute()
{
    $log = EngineBlock_ApplicationSingleton::getLog();

    if (!isset($this->_idpMetadata['GuestQualifier'])) {
        $log->warn('No GuestQualifier for IdP: ' . var_export($this->_idpMetadata, true) . 'Setting it to "All" and continuing.');
        $this->_idpMetadata['GuestQualifier'] = 'All';
    }
    $guestQualifier = $this->_idpMetadata['GuestQualifier'];

    if ($guestQualifier === 'None') {
        $this->_setIsMember();
        return;
    }

    if ($guestQualifier === 'All') {
        // All users from this IdP are guests, so no need to add the isMemberOf
        return;
    }

    if ($guestQualifier !== 'Some') {
        // Unknown policy for handling guests? Treat the user as a guest, but issue a warning in the logs
        $log->warn(
            "Idp guestQualifier is set to unknown value '{$this->_idpMetadata['GuestQualifier']}, idp metadata: "
            . var_export($this->_idpMetadata, true)
            . var_export($this->_responseAttributes, true)
        );
        return;
    }

    // 'Some': membership depends on the surfPersonAffiliation attribute
    if (!isset($this->_responseAttributes[static::URN_SURF_PERSON_AFFILIATION][0])) {
        $log->warn(
            "Idp guestQualifier is set to 'Some' however, "
            . "the surfPersonAffiliation attribute was not provided, "
            . "not adding the isMemberOf for surf.nl"
            . var_export($this->_idpMetadata, true)
            . var_export($this->_responseAttributes, true)
        );
        return;
    }

    if ($this->_responseAttributes[static::URN_SURF_PERSON_AFFILIATION][0] === 'member') {
        $this->_setIsMember();
        return;
    }

    $log->notice(
        "Idp guestQualifier is set to 'Some', surfPersonAffiliation attribute does not contain "
        . 'the value "member", so not adding isMemberOf for surf.nl'
    );
}
/**
 * The application-wide logger, used here for session related messages.
 *
 * @return Psr\Log\LoggerInterface
 */
protected function _getSessionLog()
{
    $sessionLog = EngineBlock_ApplicationSingleton::getLog();
    return $sessionLog;
}