validateTimestamps() public method

Verifies that the document is still valid according Conditions Element.
public validateTimestamps ( ) : boolean
return boolean
Exemplo n.º 1
0
    define('OPTION_SHOW_USE_LOCAL_CREDENTIALS', false);
}
$force_sso = false;
$wi_remote_user_login = '';
if (defined('OPTION_FORCE_SSO') && OPTION_FORCE_SSO === true) {
    if (array_key_exists('REMOTE_USER', $_SERVER)) {
        $wi_remote_user_login = $_SERVER['REMOTE_USER'];
        $force_sso = true;
        $wi_use_local_credentials = 0;
    }
}
if (array_key_exists('SAML2', $_SESSION) && $_SESSION['SAML2'] === true && array_key_exists('ovd-sso', $_COOKIE)) {
    require_once dirname(__FILE__) . "/auth/saml2/common.inc.php";
    $response = new OneLogin_Saml2_Response(new OneLogin_Saml2_Settings(build_saml_settings('https://www.ulteo.com', NULL, NULL)), $_SESSION['SAML2_ticket']);
    $sessionExpiration = $response->getSessionNotOnOrAfter();
    if (!empty($sessionExpiration) && $sessionExpiration <= time() || !$response->validateTimestamps()) {
        setcookie('ovd-sso', '', time() - 42000, '/ovd/');
        require dirname(__FILE__) . "/auth/saml2/sp.php";
    }
    $wi_remote_user_login = $_SESSION['SAML2_login'];
    $force_sso = true;
    $wi_use_local_credentials = 0;
    setcookie('ovd-sso', 'true', 0, '/ovd/');
} elseif (defined('OPTION_FORCE_SAML2') && OPTION_FORCE_SAML2 === true) {
    // Redirect the user to the SAML2 Identity Provider
    setcookie('ovd-sso', '', time() - 42000, '/ovd/');
    require dirname(__FILE__) . "/auth/saml2/sp.php";
} else {
    setcookie('ovd-sso', '', time() - 42000, '/ovd/');
}
$wi_session_mode = 'desktop';
Exemplo n.º 2
0
 /**
  * Tests the validateTimestamps method of the OneLogin_Saml2_Response
  *
  * @covers OneLogin_Saml2_Response::validateTimestamps
  */
 public function testValidateTimestamps()
 {
     $xml = file_get_contents(TEST_ROOT . '/data/responses/valid_response.xml.base64');
     $response = new OneLogin_Saml2_Response($this->_settings, $xml);
     $this->assertTrue($response->validateTimestamps());
     $xml2 = file_get_contents(TEST_ROOT . '/data/responses/valid_encrypted_assertion.xml.base64');
     $response2 = new OneLogin_Saml2_Response($this->_settings, $xml2);
     $this->assertTrue($response2->validateTimestamps());
     $xml3 = file_get_contents(TEST_ROOT . '/data/responses/expired_response.xml.base64');
     $response3 = new OneLogin_Saml2_Response($this->_settings, $xml3);
     $this->assertFalse($response3->validateTimestamps());
     $xml4 = file_get_contents(TEST_ROOT . '/data/responses/invalids/not_after_failed.xml.base64');
     $response4 = new OneLogin_Saml2_Response($this->_settings, $xml4);
     $this->assertFalse($response4->validateTimestamps());
     $xml5 = file_get_contents(TEST_ROOT . '/data/responses/invalids/not_before_failed.xml.base64');
     $response5 = new OneLogin_Saml2_Response($this->_settings, $xml5);
     $this->assertFalse($response5->validateTimestamps());
 }
Exemplo n.º 3
0
 public function get_login()
 {
     Logger::debug('main', 'AuthMethod_SAML2::get_login()');
     $my_settings = $this->prefs->get('AuthMethod', 'SAML2');
     $saml_node = $this->user_node_request->getElementsByTagname('saml_ticket')->item(0);
     if (is_null($saml_node)) {
         Logger::error('main', 'Authentication SAML2: No incoming SAML ticket');
         return NULL;
     }
     $saml_response_ticket = NULL;
     for ($child = $saml_node->firstChild; $child != NULL; $child = $child->nextSibling) {
         if ($child->nodeType != XML_TEXT_NODE) {
             Logger::error('main', 'Authentication SAML2: node is not text');
             continue;
         }
         $saml_response_ticket = $child->wholeText;
     }
     if (is_null($saml_response_ticket)) {
         Logger::error('main', 'Authentication SAML2: No incoming SAML ticket (bad protocol)');
         return NULL;
     }
     $settings = $this->build_saml_settings($my_settings['idp_url'], $my_settings['idp_fingerprint'], $my_settings['idp_cert']);
     try {
         $response = new OneLogin_Saml2_Response($settings, $saml_response_ticket);
         ob_start();
         // Catch debug messages
         if (!$response->isValid()) {
             Logger::error('main', 'Authentication SAML2: the SAML response is not valid ' . ob_get_contents());
             ob_end_clean();
             return NULL;
         }
         ob_end_clean();
         $sessionExpiration = $response->getSessionNotOnOrAfter();
         if (!empty($sessionExpiration) && $sessionExpiration <= time() || !$response->validateTimestamps()) {
             Logger::error('main', 'Authentication SAML2: Session expired');
             return NULL;
         }
     } catch (Exception $e) {
         Logger::error('main', 'Authentication SAML2: ' . $e->getMessage());
         return NULL;
     }
     $attributes = $response->getAttributes();
     $user = $this->userDB->import($response->getNameId());
     if ($user == NULL) {
         Logger::error('main', 'Authentication SAML2: user not found');
         throw new Exception();
     }
     $login = $user->getAttribute('login');
     // we recognize following attributes:
     //  * ovd.group_member: for user group matching
     //  * ovd.setting.*: for settings
     if (array_key_exists("ovd.group_member", $attributes) && is_array($attributes["ovd.group_member"])) {
         $userGroupDB = UserGroupDB::getInstance();
         $to_delete = array();
         $current_groups = array_keys(Abstract_Liaison::loadGroups('UsersGroup', $login));
         foreach ($attributes["ovd.group_member"] as $group_name) {
             $found = false;
             list($groups, $sizelimit_exceeded) = $userGroupDB->getGroupsContains($group_name, array('name'));
             foreach ($groups as $group) {
                 if ($group->name == $group_name) {
                     $found = True;
                     if (!in_array($group->getUniqueID(), $current_groups)) {
                         Logger::info('main', 'Authentication SAML2: Add user "' . $login . '" to group "' . $group->name . '"');
                         $ret = Abstract_Liaison::save('UsersGroup', $login, $group->getUniqueID());
                         if ($ret !== true) {
                             Logger::error('main', 'Authentication SAML2: Unable to add user "' . $login . '" to group "' . $group->name . '"');
                             throw new Exception();
                         }
                     } else {
                         unset($current_groups[array_search($group->getUniqueID(), $current_groups)]);
                     }
                 }
             }
             if (!$found) {
                 Logger::error('main', 'Authentication SAML2: group "' . $group_name . '" not found');
                 throw new Exception();
             }
         }
         foreach ($current_groups as $group) {
             Logger::info('main', 'Authentication SAML2: remove group "' . $group . '" from ' . $login);
             Abstract_Liaison::delete('UsersGroup', $login, $group);
         }
     }
     $prefs = Preferences::getInstance();
     foreach ($attributes as $attribute => $value) {
         if (is_array($value) && count($value) == 1) {
             $value = $value[0];
         }
         if (substr($attribute, 0, 12) == 'ovd.setting.') {
             $attribute = explode('.', $attribute);
             if (count($attribute) != 4) {
                 Logger::error('main', 'Authentication SAML2: incorrect setting : "' . implode('.', $attribute) . '"');
                 throw new Exception();
             }
             $container = $attribute[2];
             $setting = $attribute[3];
             $session_settings_defaults = $prefs->getElements('general', $container);
             if (!array_key_exists($setting, $session_settings_defaults)) {
                 Logger::error('main', 'Authentication SAML2: setting "' . implode('.', $attribute) . '" does not exists');
                 throw new Exception();
             }
             $config_element = clone $session_settings_defaults[$setting];
             $ugp = new User_Preferences($login, 'general', $container, $setting, $config_element->content);
             Logger::info('main', 'Authentication SAML2: set setting "' . implode('.', $attribute) . '" to ' . str_replace("\n", "", print_r($value, true)));
             $ugp->value = $value;
             Abstract_User_Preferences::delete($login, 'general', $container, $setting);
             $ret = Abstract_User_Preferences::save($ugp);
             if (!$ret) {
                 Logger::error('main', 'Authentication SAML2: impossible to save setting "' . implode('.', $attribute) . '"');
                 throw new Exception();
             }
         }
     }
     // return true or false.. No redirection to any IdP. We must have a valid ticket at this point. No artifact method
     return $response->getNameId();
 }