Exemplo n.º 1
0
 /**
  * This method applies the filter, removing any values
  *
  * @param array &$request the current request
  */
 public function process(&$request)
 {
     $src = $request['Source'];
     if (!count($this->scopedAttributes)) {
         // paranoia, should never happen
         Logger::warning('No scoped attributes configured.');
         return;
     }
     $validScopes = array();
     if (array_key_exists('scope', $src) && is_array($src['scope']) && !empty($src['scope'])) {
         $validScopes = $src['scope'];
     }
     foreach ($this->scopedAttributes as $attribute) {
         if (!isset($request['Attributes'][$attribute])) {
             continue;
         }
         $values = $request['Attributes'][$attribute];
         $newValues = array();
         foreach ($values as $value) {
             $ep = \SimpleSAML\Utils\Config\Metadata::getDefaultEndpoint($request['Source']['SingleSignOnService']);
             $loc = $ep['Location'];
             $host = parse_url($loc, PHP_URL_HOST);
             if ($host === null) {
                 $host = '';
             }
             $value_a = explode('@', $value, 2);
             if (count($value_a) < 2) {
                 $newValues[] = $value;
                 continue;
                 // there's no scope
             }
             $scope = $value_a[1];
             if (in_array($scope, $validScopes, true)) {
                 $newValues[] = $value;
             } elseif (strpos($host, $scope) === strlen($host) - strlen($scope)) {
                 $newValues[] = $value;
             } else {
                 Logger::warning("Removing value '{$value}' for attribute '{$attribute}'. Undeclared scope.");
             }
         }
         if (empty($newValues)) {
             Logger::warning("No suitable values for attribute '{$attribute}', removing it.");
             unset($request['Attributes'][$attribute]);
             // remove empty attributes
         } else {
             $request['Attributes'][$attribute] = $newValues;
         }
     }
 }
Exemplo n.º 2
0
 /**
  * Add contact information.
  *
  * Accepts a contact type, and a contact array that must be previously sanitized.
  *
  * WARNING: This function will change its signature and no longer parse a 'name' element.
  *
  * @param string $type The type of contact. Deprecated.
  * @param array  $details The details about the contact.
  *
  * @todo Change the signature to remove $type.
  * @todo Remove the capability to pass a name and parse it inside the method.
  */
 public function addContact($type, $details)
 {
     assert('is_string($type)');
     assert('is_array($details)');
     assert('in_array($type, array("technical", "support", "administrative", "billing", "other"), TRUE)');
     // TODO: remove this check as soon as getContact() is called always before calling this function
     $details = \SimpleSAML\Utils\Config\Metadata::getContact($details);
     $e = new \SAML2\XML\md\ContactPerson();
     $e->contactType = $type;
     if (isset($details['company'])) {
         $e->Company = $details['company'];
     }
     if (isset($details['givenName'])) {
         $e->GivenName = $details['givenName'];
     }
     if (isset($details['surName'])) {
         $e->SurName = $details['surName'];
     }
     if (isset($details['emailAddress'])) {
         $eas = $details['emailAddress'];
         if (!is_array($eas)) {
             $eas = array($eas);
         }
         foreach ($eas as $ea) {
             $e->EmailAddress[] = $ea;
         }
     }
     if (isset($details['telephoneNumber'])) {
         $tlfNrs = $details['telephoneNumber'];
         if (!is_array($tlfNrs)) {
             $tlfNrs = array($tlfNrs);
         }
         foreach ($tlfNrs as $tlfNr) {
             $e->TelephoneNumber[] = $tlfNr;
         }
     }
     $this->entityDescriptor->ContactPerson[] = $e;
 }
Exemplo n.º 3
0
 /**
  * Test \SimpleSAML\Utils\Config\Metadata::isHiddenFromDiscovery().
  */
 public function testIsHiddenFromDiscovery()
 {
     // test for success
     $metadata = array('EntityAttributes' => array(Metadata::$ENTITY_CATEGORY => array(Metadata::$HIDE_FROM_DISCOVERY)));
     $this->assertTrue(Metadata::isHiddenFromDiscovery($metadata));
     // test for failures
     $this->assertFalse(Metadata::isHiddenFromDiscovery(array('foo')));
     $this->assertFalse(Metadata::isHiddenFromDiscovery(array('EntityAttributes' => 'bar')));
     $this->assertFalse(Metadata::isHiddenFromDiscovery(array('EntityAttributes' => array())));
     $this->assertFalse(Metadata::isHiddenFromDiscovery(array('EntityAttributes' => array(Metadata::$ENTITY_CATEGORY => ''))));
     $this->assertFalse(Metadata::isHiddenFromDiscovery(array('EntityAttributes' => array(Metadata::$ENTITY_CATEGORY => array()))));
 }
Exemplo n.º 4
0
 if ($idpmeta->hasValue('UIInfo')) {
     $metaArray['UIInfo'] = $idpmeta->getArray('UIInfo');
 }
 if ($idpmeta->hasValue('DiscoHints')) {
     $metaArray['DiscoHints'] = $idpmeta->getArray('DiscoHints');
 }
 if ($idpmeta->hasValue('RegistrationInfo')) {
     $metaArray['RegistrationInfo'] = $idpmeta->getArray('RegistrationInfo');
 }
 $metaflat = '$metadata[' . var_export($idpentityid, true) . '] = ' . var_export($metaArray, true) . ';';
 $metaBuilder = new SimpleSAML_Metadata_SAMLBuilder($idpentityid);
 $metaBuilder->addSecurityTokenServiceType($metaArray);
 $metaBuilder->addOrganizationInfo($metaArray);
 $technicalContactEmail = $config->getString('technicalcontact_email', null);
 if ($technicalContactEmail && $technicalContactEmail !== '*****@*****.**') {
     $metaBuilder->addContact('technical', \SimpleSAML\Utils\Config\Metadata::getContact(array('emailAddress' => $technicalContactEmail, 'name' => $config->getString('technicalcontact_name', null), 'contactType' => 'technical')));
 }
 $output_xhtml = array_key_exists('output', $_GET) && $_GET['output'] == 'xhtml';
 $metaxml = $metaBuilder->getEntityDescriptorText($output_xhtml);
 if (!$output_xhtml) {
     $metaxml = str_replace("\n", '', $metaxml);
 }
 // sign the metadata if enabled
 $metaxml = SimpleSAML_Metadata_Signer::sign($metaxml, $idpmeta->toArray(), 'ADFS IdP');
 if ($output_xhtml) {
     $defaultidp = $config->getString('default-adfs-idp', null);
     $t = new SimpleSAML_XHTML_Template($config, 'metadata.php', 'admin');
     $t->data['clipboard.js'] = true;
     $t->data['available_certs'] = $availableCerts;
     $t->data['header'] = 'adfs-idp';
     // TODO: Replace with headerString in 2.0
Exemplo n.º 5
0
 /**
  * Find the default endpoint of the given type.
  *
  * @param string $endpointType The endpoint type.
  * @param array  $bindings Array with acceptable bindings. Can be null if any binding is allowed.
  * @param mixed  $default The default value to return if no matching endpoint is found. If no default is provided,
  *     an exception will be thrown.
  *
  * @return array|null The default endpoint, or null if no acceptable endpoints are used.
  *
  * @throws Exception If no supported endpoint is found.
  */
 public function getDefaultEndpoint($endpointType, array $bindings = null, $default = self::REQUIRED_OPTION)
 {
     assert('is_string($endpointType)');
     $endpoints = $this->getEndpoints($endpointType);
     $defaultEndpoint = \SimpleSAML\Utils\Config\Metadata::getDefaultEndpoint($endpoints, $bindings);
     if ($defaultEndpoint !== null) {
         return $defaultEndpoint;
     }
     if ($default === self::REQUIRED_OPTION) {
         $loc = $this->location . '[' . var_export($endpointType, true) . ']:';
         throw new Exception($loc . 'Could not find a supported ' . $endpointType . ' endpoint.');
     }
     return $default;
 }
Exemplo n.º 6
0
 }
 if ($idpmeta->hasValue('redirect.validate')) {
     $metaArray['redirect.sign'] = $idpmeta->getBoolean('redirect.validate');
 }
 if ($idpmeta->hasValue('contacts')) {
     $contacts = $idpmeta->getArray('contacts');
     foreach ($contacts as $contact) {
         $metaArray['contacts'][] = \SimpleSAML\Utils\Config\Metadata::getContact($contact);
     }
 }
 $technicalContactEmail = $config->getString('technicalcontact_email', false);
 if ($technicalContactEmail && $technicalContactEmail !== '*****@*****.**') {
     $techcontact['emailAddress'] = $technicalContactEmail;
     $techcontact['name'] = $config->getString('technicalcontact_name', null);
     $techcontact['contactType'] = 'technical';
     $metaArray['contacts'][] = \SimpleSAML\Utils\Config\Metadata::getContact($techcontact);
 }
 $metaBuilder = new SimpleSAML_Metadata_SAMLBuilder($idpentityid);
 $metaBuilder->addMetadataIdP20($metaArray);
 $metaBuilder->addOrganizationInfo($metaArray);
 $metaxml = $metaBuilder->getEntityDescriptorText();
 $metaflat = '$metadata[' . var_export($idpentityid, true) . '] = ' . var_export($metaArray, true) . ';';
 // sign the metadata if enabled
 $metaxml = SimpleSAML_Metadata_Signer::sign($metaxml, $idpmeta->toArray(), 'SAML 2 IdP');
 if (array_key_exists('output', $_GET) && $_GET['output'] == 'xhtml') {
     $defaultidp = $config->getString('default-saml20-idp', null);
     $t = new SimpleSAML_XHTML_Template($config, 'metadata.php', 'admin');
     $t->data['clipboard.js'] = true;
     $t->data['available_certs'] = $availableCerts;
     $t->data['header'] = 'saml20-idp';
     $t->data['metaurl'] = \SimpleSAML\Utils\HTTP::getSelfURLNoQuery();
Exemplo n.º 7
0
 /**
  * @deprecated This method will be removed in SSP 2.0. Please use SimpleSAML\Utils\Config\Metadata::getDefaultEndpoint() instead.
  */
 public static function getDefaultEndpoint(array $endpoints, array $bindings = NULL)
 {
     return \SimpleSAML\Utils\Config\Metadata::getDefaultEndpoint($endpoints, $bindings);
 }
Exemplo n.º 8
0
 /**
  * Test contact configuration parsing and sanitizing.
  */
 public function testGetContact()
 {
     // test missing type
     $contact = array('name' => 'John Doe');
     try {
         $parsed = \SimpleSAML\Utils\Config\Metadata::getContact($contact);
     } catch (InvalidArgumentException $e) {
         $this->assertStringStartsWith('"contactType" is mandatory and must be one of ', $e->getMessage());
     }
     // test invalid type
     $contact = array('contactType' => 'invalid');
     try {
         $parsed = \SimpleSAML\Utils\Config\Metadata::getContact($contact);
     } catch (InvalidArgumentException $e) {
         $this->assertStringStartsWith('"contactType" is mandatory and must be one of ', $e->getMessage());
     }
     // test all valid contact types
     foreach (\SimpleSAML\Utils\Config\Metadata::$VALID_CONTACT_TYPES as $type) {
         $contact = array('contactType' => $type);
         $parsed = \SimpleSAML\Utils\Config\Metadata::getContact($contact);
         $this->assertArrayHasKey('contactType', $parsed);
         $this->assertArrayNotHasKey('givenName', $parsed);
         $this->assertArrayNotHasKey('surName', $parsed);
     }
     // test basic name parsing
     $contact = array('contactType' => 'technical', 'name' => 'John Doe');
     $parsed = \SimpleSAML\Utils\Config\Metadata::getContact($contact);
     $this->assertArrayNotHasKey('name', $parsed);
     $this->assertArrayHasKey('givenName', $parsed);
     $this->assertArrayHasKey('surName', $parsed);
     $this->assertEquals('John', $parsed['givenName']);
     $this->assertEquals('Doe', $parsed['surName']);
     // test comma-separated names
     $contact = array('contactType' => 'technical', 'name' => 'Doe, John');
     $parsed = \SimpleSAML\Utils\Config\Metadata::getContact($contact);
     $this->assertArrayHasKey('givenName', $parsed);
     $this->assertArrayHasKey('surName', $parsed);
     $this->assertEquals('John', $parsed['givenName']);
     $this->assertEquals('Doe', $parsed['surName']);
     // test long names
     $contact = array('contactType' => 'technical', 'name' => 'John Fitzgerald Doe Smith');
     $parsed = \SimpleSAML\Utils\Config\Metadata::getContact($contact);
     $this->assertArrayNotHasKey('name', $parsed);
     $this->assertArrayHasKey('givenName', $parsed);
     $this->assertArrayNotHasKey('surName', $parsed);
     $this->assertEquals('John Fitzgerald Doe Smith', $parsed['givenName']);
     // test comma-separated long names
     $contact = array('contactType' => 'technical', 'name' => 'Doe Smith, John Fitzgerald');
     $parsed = \SimpleSAML\Utils\Config\Metadata::getContact($contact);
     $this->assertArrayNotHasKey('name', $parsed);
     $this->assertArrayHasKey('givenName', $parsed);
     $this->assertArrayHasKey('surName', $parsed);
     $this->assertEquals('John Fitzgerald', $parsed['givenName']);
     $this->assertEquals('Doe Smith', $parsed['surName']);
     // test givenName
     $contact = array('contactType' => 'technical');
     $invalid_types = array(0, array(0), 0.1, true, false);
     foreach ($invalid_types as $type) {
         $contact['givenName'] = $type;
         try {
             \SimpleSAML\Utils\Config\Metadata::getContact($contact);
         } catch (InvalidArgumentException $e) {
             $this->assertEquals('"givenName" must be a string and cannot be empty.', $e->getMessage());
         }
     }
     // test surName
     $contact = array('contactType' => 'technical');
     $invalid_types = array(0, array(0), 0.1, true, false);
     foreach ($invalid_types as $type) {
         $contact['surName'] = $type;
         try {
             \SimpleSAML\Utils\Config\Metadata::getContact($contact);
         } catch (InvalidArgumentException $e) {
             $this->assertEquals('"surName" must be a string and cannot be empty.', $e->getMessage());
         }
     }
     // test company
     $contact = array('contactType' => 'technical');
     $invalid_types = array(0, array(0), 0.1, true, false);
     foreach ($invalid_types as $type) {
         $contact['company'] = $type;
         try {
             \SimpleSAML\Utils\Config\Metadata::getContact($contact);
         } catch (InvalidArgumentException $e) {
             $this->assertEquals('"company" must be a string and cannot be empty.', $e->getMessage());
         }
     }
     // test emailAddress
     $contact = array('contactType' => 'technical');
     $invalid_types = array(0, 0.1, true, false, array());
     foreach ($invalid_types as $type) {
         $contact['emailAddress'] = $type;
         try {
             \SimpleSAML\Utils\Config\Metadata::getContact($contact);
         } catch (InvalidArgumentException $e) {
             $this->assertEquals('"emailAddress" must be a string or an array and cannot be empty.', $e->getMessage());
         }
     }
     $invalid_types = array(array("string", true), array("string", 0));
     foreach ($invalid_types as $type) {
         $contact['emailAddress'] = $type;
         try {
             \SimpleSAML\Utils\Config\Metadata::getContact($contact);
         } catch (InvalidArgumentException $e) {
             $this->assertEquals('Email addresses must be a string and cannot be empty.', $e->getMessage());
         }
     }
     // test telephoneNumber
     $contact = array('contactType' => 'technical');
     $invalid_types = array(0, 0.1, true, false, array());
     foreach ($invalid_types as $type) {
         $contact['telephoneNumber'] = $type;
         try {
             \SimpleSAML\Utils\Config\Metadata::getContact($contact);
         } catch (InvalidArgumentException $e) {
             $this->assertEquals('"telephoneNumber" must be a string or an array and cannot be empty.', $e->getMessage());
         }
     }
     $invalid_types = array(array("string", true), array("string", 0));
     foreach ($invalid_types as $type) {
         $contact['telephoneNumber'] = $type;
         try {
             \SimpleSAML\Utils\Config\Metadata::getContact($contact);
         } catch (InvalidArgumentException $e) {
             $this->assertEquals('Telephone numbers must be a string and cannot be empty.', $e->getMessage());
         }
     }
     // test completeness
     $contact = array();
     foreach (\SimpleSAML\Utils\Config\Metadata::$VALID_CONTACT_OPTIONS as $option) {
         $contact[$option] = 'string';
     }
     $contact['contactType'] = 'technical';
     $contact['name'] = 'to_be_removed';
     $parsed = \SimpleSAML\Utils\Config\Metadata::getContact($contact);
     foreach (array_keys($parsed) as $key) {
         $this->assertEquals($parsed[$key], $contact[$key]);
     }
     $this->assertArrayNotHasKey('name', $parsed);
 }
Exemplo n.º 9
0
 }
 if ($idpmeta->hasValue('redirect.validate')) {
     $metaArray['redirect.sign'] = $idpmeta->getBoolean('redirect.validate');
 }
 if ($idpmeta->hasValue('contacts')) {
     $contacts = $idpmeta->getArray('contacts');
     foreach ($contacts as $contact) {
         $metaArray['contacts'][] = Metadata::getContact($contact);
     }
 }
 $technicalContactEmail = $config->getString('technicalcontact_email', false);
 if ($technicalContactEmail && $technicalContactEmail !== '*****@*****.**') {
     $techcontact['emailAddress'] = $technicalContactEmail;
     $techcontact['name'] = $config->getString('technicalcontact_name', null);
     $techcontact['contactType'] = 'technical';
     $metaArray['contacts'][] = Metadata::getContact($techcontact);
 }
 $metaBuilder = new SimpleSAML_Metadata_SAMLBuilder($idpentityid);
 $metaBuilder->addMetadataIdP20($metaArray);
 $metaBuilder->addOrganizationInfo($metaArray);
 $metaxml = $metaBuilder->getEntityDescriptorText();
 $metaflat = '$metadata[' . var_export($idpentityid, true) . '] = ' . var_export($metaArray, true) . ';';
 // sign the metadata if enabled
 $metaxml = SimpleSAML_Metadata_Signer::sign($metaxml, $idpmeta->toArray(), 'SAML 2 IdP');
 if (array_key_exists('output', $_GET) && $_GET['output'] == 'xhtml') {
     $defaultidp = $config->getString('default-saml20-idp', null);
     $t = new SimpleSAML_XHTML_Template($config, 'metadata.php', 'admin');
     $t->data['clipboard.js'] = true;
     $t->data['available_certs'] = $availableCerts;
     $t->data['header'] = 'saml20-idp';
     // TODO: Replace with headerString in 2.0
    if ($metadata['owner'] !== $userid) {
        throw new Exception('Metadata has an owner that is not equal to your userid, hence you are not granted access.');
    }
}
if (array_key_exists('entityid', $_REQUEST)) {
    $metadata = $mdh->getMetadata($_REQUEST['entityid'], 'saml20-sp-remote');
    requireOwnership($metadata, $userid);
} elseif (array_key_exists('xmlmetadata', $_REQUEST)) {
    $xmldata = $_REQUEST['xmlmetadata'];
    \SimpleSAML\Utils\XML::checkSAMLMessage($xmldata, 'saml-meta');
    $entities = SimpleSAML_Metadata_SAMLParser::parseDescriptorsString($xmldata);
    $entity = array_pop($entities);
    $metadata = $entity->getMetadata20SP();
    /* Trim metadata endpoint arrays. */
    $metadata['AssertionConsumerService'] = array(\SimpleSAML\Utils\Config\Metadata::getDefaultEndpoint($metadata['AssertionConsumerService'], array(SAML2_Const::BINDING_HTTP_POST)));
    $metadata['SingleLogoutService'] = array(\SimpleSAML\Utils\Config\Metadata::getDefaultEndpoint($metadata['SingleLogoutService'], array(SAML2_Const::BINDING_HTTP_REDIRECT)));
} else {
    $metadata = array('owner' => $userid);
}
$editor = new sspmod_metaedit_MetaEditor();
if (isset($_POST['submit'])) {
    $editor->checkForm($_POST);
    $metadata = $editor->formToMeta($_POST, array(), array('owner' => $userid));
    if (isset($_REQUEST['was-entityid']) && $_REQUEST['was-entityid'] !== $metadata['entityid']) {
        $premetadata = $mdh->getMetadata($_REQUEST['was-entityid'], 'saml20-sp-remote');
        requireOwnership($premetadata, $userid);
        $mdh->deleteMetadata($_REQUEST['was-entityid'], 'saml20-sp-remote');
    }
    $testmetadata = NULL;
    try {
        $testmetadata = $mdh->getMetadata($metadata['entityid'], 'saml20-sp-remote');