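/**
 * This method applies the filter, removing any values whose scope is neither
 * declared by the IdP nor matches the host of the IdP's SSO endpoint.
 *
 * A scoped value has the form `localpart@scope`. The scope is accepted when it is
 * listed in the IdP's `scope` metadata option, or when it equals the host of the
 * IdP's default SingleSignOnService endpoint, or is a suffix of that host on a label
 * boundary (the host is `<labels>.<scope>`). Values without an `@` are kept as they
 * are. An attribute left without any value is removed from the request.
 *
 * @param array &$request the current request
 */
public function process(&$request)
{
    $src = $request['Source'];
    if (!count($this->scopedAttributes)) {
        // paranoia, should never happen
        Logger::warning('No scoped attributes configured.');
        return;
    }

    $validScopes = array();
    if (array_key_exists('scope', $src) && is_array($src['scope']) && !empty($src['scope'])) {
        $validScopes = $src['scope'];
    }

    // Host of the IdP's default SSO endpoint. It does not depend on the value being
    // checked, so it is resolved at most once, and only when a scope actually has to be
    // compared against it (declared scopes never need the endpoint lookup).
    $host = null;

    foreach ($this->scopedAttributes as $attribute) {
        if (!isset($request['Attributes'][$attribute])) {
            continue;
        }

        $newValues = array();
        foreach ($request['Attributes'][$attribute] as $value) {
            $value_a = explode('@', $value, 2);
            if (count($value_a) < 2) {
                $newValues[] = $value;
                continue; // there's no scope
            }
            $scope = $value_a[1];

            if (in_array($scope, $validScopes, true)) {
                $newValues[] = $value;
                continue;
            }

            if ($host === null) {
                $ep = \SimpleSAML\Utils\Config\Metadata::getDefaultEndpoint($src['SingleSignOnService']);
                $host = parse_url($ep['Location'], PHP_URL_HOST);
                if (!is_string($host)) {
                    // parse_url() gives null for a missing host and false for a malformed URL;
                    // treat both as "no host", so only explicitly declared scopes can match.
                    $host = '';
                }
            }

            // Accept the scope only if it is the endpoint host itself, or a suffix of it that
            // starts at a label boundary. A bare character-suffix test would also accept a host
            // that merely ends with the scope's characters (constructed example: host
            // "notexample.org" for scope "example.org"), which defeats the purpose of the filter.
            $labelAligned = $scope !== ''
                && ($host === $scope || substr($host, -(strlen($scope) + 1)) === '.' . $scope);

            if ($labelAligned) {
                $newValues[] = $value;
            } else {
                Logger::warning("Removing value '{$value}' for attribute '{$attribute}'. Undeclared scope.");
            }
        }

        if (empty($newValues)) {
            Logger::warning("No suitable values for attribute '{$attribute}', removing it.");
            unset($request['Attributes'][$attribute]); // remove empty attributes
        } else {
            $request['Attributes'][$attribute] = $newValues;
        }
    }
}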
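/**
 * Find the default endpoint of the given type.
 *
 * @param string $endpointType The endpoint type.
 * @param array $bindings Array with acceptable bindings. Can be null if any binding is allowed.
 * @param mixed $default The default value to return if no matching endpoint is found. If no default is provided,
 * an exception will be thrown.
 *
 * @return array|mixed The default endpoint, or $default if no acceptable endpoint is found.
 *
 * @throws Exception If no supported endpoint is found and no default was given.
 */
public function getDefaultEndpoint($endpointType, array $bindings = null, $default = self::REQUIRED_OPTION)
{
    // Expression form, not a string: a string assertion is evaluated as code on old PHP and,
    // from PHP 8 on, is a plain (always truthy) expression, so the check would silently pass.
    assert(is_string($endpointType));

    $endpoints = $this->getEndpoints($endpointType);

    $defaultEndpoint = \SimpleSAML\Utils\Config\Metadata::getDefaultEndpoint($endpoints, $bindings);
    if ($defaultEndpoint !== null) {
        return $defaultEndpoint;
    }

    if ($default === self::REQUIRED_OPTION) {
        // Prefix the message with the configuration location so the failing option can be found.
        $loc = $this->location . '[' . var_export($endpointType, true) . ']:';
        throw new Exception($loc . 'Could not find a supported ' . $endpointType . ' endpoint.');
    }

    return $default;
}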
/**
 * Backwards-compatible forwarding wrapper; every argument is passed through unchanged.
 *
 * @deprecated This method will be removed in SSP 2.0. Please use SimpleSAML\Utils\Config\Metadata::getDefaultEndpoint() instead.
 *
 * @param array      $endpoints The endpoints to choose from.
 * @param array|null $bindings  Acceptable bindings, or null to accept any binding.
 *
 * @return mixed Whatever the replacement method returns.
 */
public static function getDefaultEndpoint(array $endpoints, array $bindings = null)
{
    $endpoint = \SimpleSAML\Utils\Config\Metadata::getDefaultEndpoint($endpoints, $bindings);

    return $endpoint;
}
if ($metadata['owner'] !== $userid) { throw new Exception('Metadata has an owner that is not equal to your userid, hence you are not granted access.'); } } if (array_key_exists('entityid', $_REQUEST)) { $metadata = $mdh->getMetadata($_REQUEST['entityid'], 'saml20-sp-remote'); requireOwnership($metadata, $userid); } elseif (array_key_exists('xmlmetadata', $_REQUEST)) { $xmldata = $_REQUEST['xmlmetadata']; \SimpleSAML\Utils\XML::checkSAMLMessage($xmldata, 'saml-meta'); $entities = SimpleSAML_Metadata_SAMLParser::parseDescriptorsString($xmldata); $entity = array_pop($entities); $metadata = $entity->getMetadata20SP(); /* Trim metadata endpoint arrays. */ $metadata['AssertionConsumerService'] = array(\SimpleSAML\Utils\Config\Metadata::getDefaultEndpoint($metadata['AssertionConsumerService'], array(SAML2_Const::BINDING_HTTP_POST))); $metadata['SingleLogoutService'] = array(\SimpleSAML\Utils\Config\Metadata::getDefaultEndpoint($metadata['SingleLogoutService'], array(SAML2_Const::BINDING_HTTP_REDIRECT))); } else { $metadata = array('owner' => $userid); } $editor = new sspmod_metaedit_MetaEditor(); if (isset($_POST['submit'])) { $editor->checkForm($_POST); $metadata = $editor->formToMeta($_POST, array(), array('owner' => $userid)); if (isset($_REQUEST['was-entityid']) && $_REQUEST['was-entityid'] !== $metadata['entityid']) { $premetadata = $mdh->getMetadata($_REQUEST['was-entityid'], 'saml20-sp-remote'); requireOwnership($premetadata, $userid); $mdh->deleteMetadata($_REQUEST['was-entityid'], 'saml20-sp-remote'); } $testmetadata = NULL; try { $testmetadata = $mdh->getMetadata($metadata['entityid'], 'saml20-sp-remote');