/**
 * Collects every SessionIndex carried by a Logout Request.
 *
 * The constructor of this class accepts a single SessionIndex, whereas a
 * LogoutRequest may carry several; this parser therefore returns all of them,
 * in the order the XPath query yields them.
 *
 * NOTE(review): when $request is a string it is parsed through
 * OneLogin_Saml2_Utils::loadXML rather than DOMDocument::loadXML directly;
 * presumably that shared loader is where parsing of untrusted XML is hardened
 * (entity handling) — not visible from here, confirm before relying on it.
 *
 * @param string|DOMDocument $request Logout Request message, either an
 *                                    already-parsed document or an XML string
 *
 * @return array The textContent of each /samlp:LogoutRequest/samlp:SessionIndex node
 */
public static function getSessionIndexes($request)
{
    $dom = $request instanceof DOMDocument
        ? $request
        : OneLogin_Saml2_Utils::loadXML(new DOMDocument(), $request);

    $indexes = array();
    $nodes = OneLogin_Saml2_Utils::query($dom, '/samlp:LogoutRequest/samlp:SessionIndex');
    foreach ($nodes as $node) {
        $indexes[] = $node->textContent;
    }

    return $indexes;
}
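/**
 * Tests the query method of the OneLogin_Saml2_Utils.
 *
 * Loads the fixture Response and checks that absolute XPath expressions
 * resolve against the whole document, that relative expressions resolve
 * against the supplied context node, and that the Response-level and
 * Assertion-level ds:Signature nodes are distinct from each other.
 *
 * @covers OneLogin_Saml2_Utils::query
 */
public function testQuery()
{
    $xml = base64_decode(file_get_contents(TEST_ROOT . '/data/responses/valid_response.xml.base64'));
    $dom = new DOMDocument();
    // Fail here with a clear message, rather than on a later empty node
    // list, if the fixture is missing or not well-formed.
    $this->assertTrue($dom->loadXML($xml), 'Fixture valid_response.xml.base64 could not be parsed');

    // Absolute path to the Assertion.
    $assertionNodes = OneLogin_Saml2_Utils::query($dom, '/samlp:Response/saml:Assertion');
    $this->assertEquals(1, $assertionNodes->length);
    $assertion = $assertionNodes->item(0);
    $this->assertEquals('saml:Assertion', $assertion->tagName);

    // Absolute and context-relative paths must select the same AttributeStatement.
    $attributeStatementNodes = OneLogin_Saml2_Utils::query($dom, '/samlp:Response/saml:Assertion/saml:AttributeStatement');
    $this->assertEquals(1, $attributeStatementNodes->length);
    $attributeStatement = $attributeStatementNodes->item(0);
    $this->assertEquals('saml:AttributeStatement', $attributeStatement->tagName);

    $attributeStatementNodes2 = OneLogin_Saml2_Utils::query($dom, './saml:AttributeStatement', $assertion);
    $this->assertEquals(1, $attributeStatementNodes2->length);
    $attributeStatement2 = $attributeStatementNodes2->item(0);
    $this->assertEquals($attributeStatement, $attributeStatement2);

    // The Response and the Assertion each carry their own Signature.
    $signatureResNodes = OneLogin_Saml2_Utils::query($dom, '/samlp:Response/ds:Signature');
    $this->assertEquals(1, $signatureResNodes->length);
    $signatureRes = $signatureResNodes->item(0);
    $this->assertEquals('ds:Signature', $signatureRes->tagName);

    $signatureNodes = OneLogin_Saml2_Utils::query($dom, '/samlp:Response/saml:Assertion/ds:Signature');
    $this->assertEquals(1, $signatureNodes->length);
    $signature = $signatureNodes->item(0);
    $this->assertEquals('ds:Signature', $signature->tagName);

    $signatureNodes2 = OneLogin_Saml2_Utils::query($dom, './ds:Signature', $assertion);
    $this->assertEquals(1, $signatureNodes2->length);
    $signature2 = $signatureNodes2->item(0);
    $this->assertEquals($signature->textContent, $signature2->textContent);
    // The message signature and the assertion signature must not be confused.
    $this->assertNotEquals($signatureRes->textContent, $signature2->textContent);

    // Relative queries are scoped to the context node: a direct-child lookup
    // for SignatureValue under the Assertion finds nothing, while an explicit
    // child path or a descendant (.//) search finds exactly one.
    $signatureNodes3 = OneLogin_Saml2_Utils::query($dom, './ds:SignatureValue', $assertion);
    $this->assertEquals(0, $signatureNodes3->length);

    $signatureNodes4 = OneLogin_Saml2_Utils::query($dom, './ds:Signature/ds:SignatureValue', $assertion);
    $this->assertEquals(1, $signatureNodes4->length);

    $signatureNodes5 = OneLogin_Saml2_Utils::query($dom, './/ds:SignatureValue', $assertion);
    $this->assertEquals(1, $signatureNodes5->length);
}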
/**
 * Runs an XPath expression against the Response document.
 *
 * The target document depends on the $this->encrypted flag: when it is set,
 * the query runs against $this->decryptedDocument; otherwise against
 * $this->document as received.
 *
 * @param string $query XPath expression
 *
 * @return DOMNodeList The matching nodes
 */
private function _query($query)
{
    $target = $this->encrypted ? $this->decryptedDocument : $this->document;

    return OneLogin_Saml2_Utils::query($target, $query);
}
/**
 * Runs an XPath expression against the Logout Response document.
 *
 * @param string $query XPath expression
 *
 * @return DOMNodeList The matching nodes
 */
private function _query($query)
{
    $document = $this->document;

    return OneLogin_Saml2_Utils::query($document, $query);
}
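/**
 * Validates an XML Signature (Message or Assertion).
 *
 * Trust model as implemented below:
 *  - When $cert is supplied it is the only key material used for
 *    verification; the certificate embedded in the message's KeyInfo is not
 *    trusted.
 *  - When $cert is empty, the certificate found in the message's KeyInfo is
 *    used, but only after its $fingerprintalg fingerprint matches
 *    $fingerprint; on a mismatch the method returns false without verifying.
 *  - When $xpath is supplied, the first node it selects is treated as the
 *    Signature. Nothing here checks that this Signature covers the element
 *    the caller intends to validate; the caller owns that expression.
 *
 * The signature/digest algorithms are taken from the message itself via
 * XMLSecurityDSig::locateKey(); this method applies no algorithm allow-list.
 *
 * @param string|DomNode $xml            The element we should validate
 * @param string|null    $cert           The public cert (PEM) expected to have signed $xml
 * @param string|null    $fingerprint    The fingerprint of the public cert
 * @param string|null    $fingerprintalg The algorithm used to get the fingerprint (default 'sha1')
 * @param string|null    $xpath          The xpath of the signed element
 *
 * @return bool true when the signature verifies with the selected key
 *
 * @throws Exception When no Signature node or no key can be located, or when
 *                   reference validation fails
 */
public static function validateSign($xml, $cert = null, $fingerprint = null, $fingerprintalg = 'sha1', $xpath = null)
{
    // Work on a copy so that signature processing never touches the
    // caller's document.
    if ($xml instanceof DOMDocument) {
        $dom = clone $xml;
    } elseif ($xml instanceof DOMElement) {
        $dom = clone $xml->ownerDocument;
    } else {
        $dom = self::loadXML(new DOMDocument(), $xml);
    }

    $objXMLSecDSig = new XMLSecurityDSig();
    // Attribute names xmlseclibs may use to resolve <Reference URI="#...">.
    $objXMLSecDSig->idKeys = array('ID');

    if ($xpath) {
        // Only the first match is used as the Signature node.
        $nodeset = OneLogin_Saml2_Utils::query($dom, $xpath);
        $objDSig = $nodeset->item(0);
        $objXMLSecDSig->sigNode = $objDSig;
    } else {
        $objDSig = $objXMLSecDSig->locateSignature($dom);
    }
    if (!$objDSig) {
        throw new Exception('Cannot locate Signature Node');
    }

    $objKey = $objXMLSecDSig->locateKey();
    if (!$objKey) {
        throw new Exception('We have no idea about the key');
    }

    $objXMLSecDSig->canonicalizeSignedInfo();
    // validateReference() signals a digest mismatch by throwing; the
    // exception propagates to the caller unchanged (the former
    // catch-and-rethrow added nothing and its return value was unused).
    $objXMLSecDSig->validateReference();

    // Populate $objKey from the KeyInfo carried in the message.
    XMLSecEnc::staticLocateKeyInfo($objKey, $objDSig);

    if (!empty($cert)) {
        // loadKey(key, isFile, isCert): the caller-supplied certificate
        // replaces whatever KeyInfo provided.
        $objKey->loadKey($cert, false, true);
        return $objXMLSecDSig->verify($objKey) === 1;
    }

    // No trusted cert given: accept the embedded one only if its fingerprint
    // matches the expected value.
    $domCert = $objKey->getX509Certificate();
    $domCertFingerprint = OneLogin_Saml2_Utils::calculateX509Fingerprint($domCert, $fingerprintalg);
    if (OneLogin_Saml2_Utils::formatFingerPrint($fingerprint) !== $domCertFingerprint) {
        return false;
    }

    $objKey->loadKey($domCert, false, true);
    // verify() returns 1 on success; 0 and -1 are both failures.
    return $objXMLSecDSig->verify($objKey) === 1;
}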