/**
* @param ProfileContext $context
*/
protected function doExecute(ProfileContext $context)
{
$response = MessageContextHelper::asResponse($context->getInboundContext());
if (count($response->getAllEncryptedAssertions()) === 0) {
$this->logger->debug('Response has no encrypted assertions', LogHelper::getActionContext($context, $this));
return;
}
$ownEntityDescriptor = $context->getOwnEntityDescriptor();
$query = $this->credentialResolver->query();
$query->add(new EntityIdCriteria($ownEntityDescriptor->getEntityID()))->add(new MetadataCriteria(ProfileContext::ROLE_IDP === $context->getOwnRole() ? MetadataCriteria::TYPE_IDP : MetadataCriteria::TYPE_SP, SamlConstants::PROTOCOL_SAML2))->add(new UsageCriteria(UsageType::ENCRYPTION));
$query->resolve();
$privateKeys = $query->getPrivateKeys();
if (empty($privateKeys)) {
$message = 'No credentials resolved for assertion decryption';
$this->logger->emergency($message, LogHelper::getActionErrorContext($context, $this));
throw new LightSamlContextException($context, $message);
}
$this->logger->info('Trusted decryption candidates', LogHelper::getActionContext($context, $this, array('credentials' => array_map(function (CredentialInterface $credential) {
return sprintf("Entity: '%s'; PK X509 Thumb: '%s'", $credential->getEntityId(), $credential->getPublicKey() ? $credential->getPublicKey()->getX509Thumbprint() : '');
}, $privateKeys))));
foreach ($response->getAllEncryptedAssertions() as $index => $encryptedAssertion) {
if ($encryptedAssertion instanceof EncryptedAssertionReader) {
$name = sprintf('assertion_encrypted_%s', $index);
/** @var DeserializationContext $deserializationContext */
$deserializationContext = $context->getInboundContext()->getSubContext($name, DeserializationContext::class);
$assertion = $encryptedAssertion->decryptMultiAssertion($privateKeys, $deserializationContext);
$response->addAssertion($assertion);
$this->logger->info('Assertion decrypted', LogHelper::getActionContext($context, $this, array('assertion' => $deserializationContext->getDocument()->saveXML())));
}
}
}
/**
* @param AssertionContext $context
*
* @return void
*/
protected function doExecute(AssertionContext $context)
{
$profileContext = $context->getProfileContext();
$trustOptions = $profileContext->getTrustOptions();
if (false === $trustOptions->getEncryptAssertions()) {
return;
}
if (null == ($assertion = $context->getAssertion())) {
throw new LightSamlContextException($context, 'Assertion for encryption is not set');
}
$context->setAssertion(null);
$query = $this->credentialResolver->query();
$query->add(new EntityIdCriteria($profileContext->getPartyEntityDescriptor()->getEntityID()))->add(new MetadataCriteria(ProfileContext::ROLE_IDP === $profileContext->getOwnRole() ? MetadataCriteria::TYPE_SP : MetadataCriteria::TYPE_IDP, SamlConstants::PROTOCOL_SAML2))->add(new UsageCriteria(UsageType::ENCRYPTION));
$query->resolve();
/** @var CredentialInterface $credential */
$credential = $query->firstCredential();
if (null == $credential) {
throw new LightSamlContextException($context, 'Unable to resolve encrypting credential');
}
if (null == $credential->getPublicKey()) {
throw new LightSamlContextException($context, 'Credential resolved for assertion encryption does not have a public key');
}
$encryptedAssertionWriter = new EncryptedAssertionWriter($trustOptions->getBlockEncryptionAlgorithm(), $trustOptions->getKeyTransportEncryptionAlgorithm());
$encryptedAssertionWriter->encrypt($assertion, $credential->getPublicKey());
$context->setEncryptedAssertion($encryptedAssertionWriter);
}
/**
* @param AbstractSignatureReader $signature
* @param string $issuer
* @param string $metadataType
*
* @return CredentialInterface|null
*/
public function validate(AbstractSignatureReader $signature, $issuer, $metadataType)
{
$query = $this->credentialResolver->query();
$query->add(new EntityIdCriteria($issuer))->add(new MetadataCriteria($metadataType, SamlConstants::VERSION_20))->add(new UsageCriteria(UsageType::SIGNING));
$query->resolve();
$credentialCandidates = $query->allCredentials();
if (empty($credentialCandidates)) {
throw new LightSamlSecurityException('No credentials resolved for signature verification');
}
$credential = $signature->validateMulti($credentialCandidates);
return $credential;
}
/**
* @param AbstractProfileContext $context
*
* @return X509CredentialInterface|null
*/
private function getSigningCredential(AbstractProfileContext $context)
{
$profileContext = $context->getProfileContext();
$entityDescriptor = $profileContext->getOwnEntityDescriptor();
$query = $this->credentialResolver->query();
$query->add(new EntityIdCriteria($entityDescriptor->getEntityID()))->add(new UsageCriteria(UsageType::SIGNING))->add(new X509CredentialCriteria())->addIf(ProfileContext::ROLE_IDP === $profileContext->getOwnRole(), function () {
return new MetadataCriteria(MetadataCriteria::TYPE_IDP, SamlConstants::VERSION_20);
})->addIf(ProfileContext::ROLE_SP === $profileContext->getOwnRole(), function () {
return new MetadataCriteria(MetadataCriteria::TYPE_SP, SamlConstants::VERSION_20);
});
$query->resolve();
$result = $query->firstCredential();
if ($result && false === $result instanceof X509CredentialInterface) {
throw new \LogicException(sprintf('Expected X509CredentialInterface but got %s', get_class($result)));
}
return $result;
}
/**
* @return CredentialResolverQuery
*/
public function resolve()
{
$this->arrCredentials = $this->resolver->resolve($this);
return $this;
}
