/**
* @param ProfileContext $context
*/
protected function doExecute(ProfileContext $context)
{
if (false === in_array($context->getInboundContext()->getBindingType(), $this->expectedBindingTypes)) {
$message = sprintf('Unexpected binding type "%s" - expected binding types are: %s', $context->getInboundContext()->getBindingType(), implode(' ', $this->expectedBindingTypes));
$this->logger->critical($message, LogHelper::getActionErrorContext($context, $this, array('actualBindingType' => $context->getInboundContext()->getBindingType(), 'expectedBindingTypes' => $this->expectedBindingTypes)));
throw new LightSamlContextException($context, $message);
}
}
/**
* @expectedException \LightSaml\Error\LightSamlContextException
* @expectedExceptionMessage Response must contain at least one bearer assertion
*/
public function test_throws_context_exception_if_no_bearer_assertion()
{
$action = new HasBearerAssertionsValidatorAction(TestHelper::getLoggerMock($this));
$context = new ProfileContext(Profiles::SSO_IDP_RECEIVE_AUTHN_REQUEST, ProfileContext::ROLE_IDP);
$context->getInboundContext()->setMessage($response = new Response());
$action->execute($context);
}
/**
* @expectedException \LightSaml\Error\LightSamlContextException
* @expectedExceptionMessage Inbound messages does not have Issuer
*/
public function test_throws_when_inbound_message_has_no_issuer()
{
$action = new EntityIdFromMessageIssuerAction(TestHelper::getLoggerMock($this));
$context = new ProfileContext(Profiles::SSO_IDP_RECEIVE_AUTHN_REQUEST, ProfileContext::ROLE_IDP);
$context->getInboundContext()->setMessage(new AuthnRequest());
$action->execute($context);
}
/**
* @param ProfileContext $context
*/
protected function doExecute(ProfileContext $context)
{
$response = MessageContextHelper::asResponse($context->getInboundContext());
if (count($response->getAllEncryptedAssertions()) === 0) {
$this->logger->debug('Response has no encrypted assertions', LogHelper::getActionContext($context, $this));
return;
}
$ownEntityDescriptor = $context->getOwnEntityDescriptor();
$query = $this->credentialResolver->query();
$query->add(new EntityIdCriteria($ownEntityDescriptor->getEntityID()))->add(new MetadataCriteria(ProfileContext::ROLE_IDP === $context->getOwnRole() ? MetadataCriteria::TYPE_IDP : MetadataCriteria::TYPE_SP, SamlConstants::PROTOCOL_SAML2))->add(new UsageCriteria(UsageType::ENCRYPTION));
$query->resolve();
$privateKeys = $query->getPrivateKeys();
if (empty($privateKeys)) {
$message = 'No credentials resolved for assertion decryption';
$this->logger->emergency($message, LogHelper::getActionErrorContext($context, $this));
throw new LightSamlContextException($context, $message);
}
$this->logger->info('Trusted decryption candidates', LogHelper::getActionContext($context, $this, array('credentials' => array_map(function (CredentialInterface $credential) {
return sprintf("Entity: '%s'; PK X509 Thumb: '%s'", $credential->getEntityId(), $credential->getPublicKey() ? $credential->getPublicKey()->getX509Thumbprint() : '');
}, $privateKeys))));
foreach ($response->getAllEncryptedAssertions() as $index => $encryptedAssertion) {
if ($encryptedAssertion instanceof EncryptedAssertionReader) {
$name = sprintf('assertion_encrypted_%s', $index);
/** @var DeserializationContext $deserializationContext */
$deserializationContext = $context->getInboundContext()->getSubContext($name, DeserializationContext::class);
$assertion = $encryptedAssertion->decryptMultiAssertion($privateKeys, $deserializationContext);
$response->addAssertion($assertion);
$this->logger->info('Assertion decrypted', LogHelper::getActionContext($context, $this, array('assertion' => $deserializationContext->getDocument()->saveXML())));
}
}
}
protected function doExecute(ProfileContext $context)
{
$message = MessageContextHelper::asSamlMessage($context->getInboundContext());
if (null == $message->getIssuer()) {
throw new LightSamlContextException($context, 'Inbound messages does not have Issuer');
}
$context->getPartyEntityContext()->setEntityId($message->getIssuer()->getValue());
}
protected function doExecute(ProfileContext $context)
{
if (null == $context->getInboundContext()->getMessage()) {
return;
}
$this->logger->debug(sprintf('Forwarding relay state: "%s"', $context->getInboundMessage()->getRelayState()));
$context->getOutboundMessage()->setRelayState($context->getInboundMessage()->getRelayState());
}
/**
* @param ProfileContext $context
*
* @return void
*/
protected function doExecute(ProfileContext $context)
{
$this->flush($context->getInboundContext()->getSubContext(ProfileContexts::REQUEST_STATE, null));
foreach ($context as $child) {
if ($child instanceof AssertionContext) {
$this->flush($child->getSubContext(ProfileContexts::REQUEST_STATE, null));
}
}
}
/**
* @expectedException \LightSaml\Error\LightSamlContextException
* @expectedExceptionMessage Unknown InResponseTo '1234567890'
*/
public function test_throws_context_exception_if_no_request_state_for_in_response_to_from_message()
{
$action = new InResponseToValidatorAction($loggerMock = TestHelper::getLoggerMock($this), $requestStateStoreMock = $this->getRequestStateStoreMock());
$context = new ProfileContext(Profiles::SSO_IDP_RECEIVE_AUTHN_REQUEST, ProfileContext::ROLE_IDP);
$context->getInboundContext()->setMessage($response = $this->getStatusResponseMock());
$response->setInResponseTo($inResponseTo = '1234567890');
$requestStateStoreMock->expects($this->once())->method('get')->willReturn(null);
$loggerMock->expects($this->once())->method('critical');
$action->execute($context);
}
protected function doExecute(ProfileContext $context)
{
$response = MessageContextHelper::asResponse($context->getInboundContext());
if ($response->getBearerAssertions()) {
return;
}
$message = 'Response must contain at least one bearer assertion';
$this->logger->error($message, LogHelper::getActionErrorContext($context, $this));
throw new LightSamlContextException($context, $message);
}
/**
* @expectedException \LightSaml\Error\LightSamlAuthenticationException
* @expectedExceptionMessage("Unsuccessful SAML response: urn:oasis:names:tc:SAML:2.0:status:Requester
* urn:oasis:names:tc:SAML:2.0:status:UnsupportedBinding")
*/
public function test_throws_authentication_exception_if_status_not_success()
{
$action = new StatusAction($loggerMock = TestHelper::getLoggerMock($this));
$context = new ProfileContext(Profiles::SSO_IDP_RECEIVE_AUTHN_REQUEST, ProfileContext::ROLE_IDP);
$context->getInboundContext()->setMessage($response = new Response());
$response->setStatus(new Status($statusCode = new StatusCode(SamlConstants::STATUS_REQUESTER)));
$statusCode->setStatusCode(new StatusCode(SamlConstants::STATUS_UNSUPPORTED_BINDING));
$loggerMock->expects($this->once())->method('error');
$action->execute($context);
}
public function test_sets_relat_state_from_inbound_to_outbound_message()
{
$action = new ForwardRelayStateAction(TestHelper::getLoggerMock($this));
$context = new ProfileContext(Profiles::SSO_IDP_RECEIVE_AUTHN_REQUEST, ProfileContext::ROLE_IDP);
$context->getInboundContext()->setMessage($inboundMessage = new AuthnRequest());
$context->getOutboundContext()->setMessage($outboundMessage = new Response());
$inboundMessage->setRelayState($relayState = '123');
$action->execute($context);
$this->assertEquals($relayState, $context->getOutboundMessage()->getRelayState());
}
/**
* @param string $ownRole
* @param string $destination
*
* @return ProfileContext
*/
private function buildContext($ownRole, $destination)
{
$context = new ProfileContext(Profiles::SSO_IDP_RECEIVE_AUTHN_REQUEST, $ownRole);
$context->getInboundContext()->setMessage(new AuthnRequest());
if ($destination) {
$context->getInboundMessage()->setDestination($destination);
}
$context->getOwnEntityContext()->setEntityDescriptor(new EntityDescriptor());
return $context;
}
/**
* @expectedException \LightSaml\Error\LightSamlContextException
* @expectedExceptionMessage No credentials resolved for assertion decryption
*/
public function test_throws_context_exception_when_no_credentials_resolved()
{
$action = new DecryptAssertionsAction($loggerMock = TestHelper::getLoggerMock($this), $credentialResolverMock = $this->getCredentialResolverMock());
$context = new ProfileContext(Profiles::SSO_IDP_RECEIVE_AUTHN_REQUEST, ProfileContext::ROLE_IDP);
$context->getOwnEntityContext()->setEntityDescriptor(new EntityDescriptor($entityId = 'http://entity.id'));
$context->getInboundContext()->setMessage($response = new Response());
$response->addEncryptedAssertion($encryptedAssertionMock1 = $this->getEncryptedAssertionReaderMock());
$credentialResolverMock->expects($this->once())->method('query')->willReturn($query = new CredentialResolverQuery($credentialResolverMock));
$credentialResolverMock->expects($this->once())->method('resolve')->with($query)->willReturn([]);
$action->execute($context);
}
/**
* @expectedException \LightSaml\Error\LightSamlContextException
* @expectedExceptionMessage Error from name id validator
*/
public function test_wrapps_validation_exception_in_context_exception()
{
$nameIdValidatorMock = $this->getNameIdValidatorMock();
$action = new IssuerValidatorAction(TestHelper::getLoggerMock($this), $nameIdValidatorMock, $allowedFormat = SamlConstants::NAME_ID_FORMAT_EMAIL);
$context = new ProfileContext(Profiles::SSO_IDP_RECEIVE_AUTHN_REQUEST, ProfileContext::ROLE_IDP);
$context->getInboundContext()->setMessage(new AuthnRequest());
$expectedIssuer = new Issuer('http://localhost', $allowedFormat);
$context->getInboundMessage()->setIssuer($expectedIssuer);
$nameIdValidatorMock->expects($this->once())->method('validateNameId')->with($expectedIssuer)->willThrowException(new LightSamlValidationException('Error from name id validator'));
$action->execute($context);
}
/**
* @expectedException \LightSaml\Error\LightSamlContextException
* @expectedExceptionMessage Unexpected binding type "urn:oasis:names:tc:SAML:2.0:bindings:SOAP" - expected binding types are: urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
*/
public function test_throws_when_inbound_binding_type_not_one_of_expected()
{
$action = new AssertBindingTypeAction($logger = TestHelper::getLoggerMock($this), [SamlConstants::BINDING_SAML2_HTTP_POST]);
$context = new ProfileContext(Profiles::SSO_IDP_RECEIVE_AUTHN_REQUEST, ProfileContext::ROLE_IDP);
$context->getInboundContext()->setBindingType(SamlConstants::BINDING_SAML2_SOAP);
$logger->expects($this->once())->method('critical')->willReturnCallback(function ($message, $arr) {
$this->assertEquals('Unexpected binding type "urn:oasis:names:tc:SAML:2.0:bindings:SOAP" - expected binding types are: urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST', $message);
$this->assertTrue(is_array($arr));
});
$action->execute($context);
}
/**
* @param ProfileContext $context
*/
protected function doExecute(ProfileContext $context)
{
$response = MessageContextHelper::asResponse($context->getInboundContext());
foreach ($response->getAllAssertions() as $index => $assertion) {
$name = sprintf('assertion_%s', $index);
/** @var AssertionContext $assertionContext */
$assertionContext = $context->getSubContext($name, AssertionContext::class);
$assertionContext->setAssertion($assertion)->setId($name);
$this->assertionAction->execute($assertionContext);
}
}
protected function doExecute(ProfileContext $context)
{
$response = MessageContextHelper::asResponse($context->getInboundContext());
foreach ($response->getAllAssertions() as $assertion) {
if ($assertion->getAllAuthnStatements()) {
return;
}
}
$message = 'Response must have at least one Assertion containing AuthnStatement element';
$this->logger->error($message, LogHelper::getActionErrorContext($context, $this));
throw new LightSamlContextException($context, $message);
}
public function test_warning_logged_if_no_verification()
{
$action = new MessageSignatureValidatorAction($logger = TestHelper::getLoggerMock($this), $signatureValidator = $this->getSignatureValidatorMock());
$context = new ProfileContext(Profiles::SSO_IDP_RECEIVE_AUTHN_REQUEST, ProfileContext::ROLE_IDP);
$context->getInboundContext()->setMessage($message = new AuthnRequest());
$message->setSignature($signature = new SignatureStringReader());
$message->setIssuer(new Issuer($issuerValue = 'http://localhost/issuer'));
$signatureValidator->expects($this->once())->method('validate')->willReturn(null);
$logger->expects($this->never())->method('debug');
$logger->expects($this->once())->method('warning')->with('Signature verification was not performed', $this->isType('array'));
$action->execute($context);
}
public function test_receives_message()
{
$action = new ReceiveMessageAction($logger = TestHelper::getLoggerMock($this), $bindingFactory = $this->getBindingFactoryMock());
$context = new ProfileContext(Profiles::SSO_SP_SEND_AUTHN_REQUEST, ProfileContext::ROLE_SP);
$context->getHttpRequestContext()->setRequest($request = new Request());
$binding = $this->getBindingMock();
$bindingFactory->expects($this->once())->method('detectBindingType')->with($request)->willReturn($bindingType = SamlConstants::BINDING_SAML2_HTTP_POST);
$logger->expects($this->once())->method('debug')->with('Detected binding type: urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST', $this->isType('array'));
$bindingFactory->expects($this->once())->method('create')->with($bindingType)->willReturn($binding);
$binding->expects($this->once())->method('receive')->with($request, $context->getInboundContext());
$action->execute($context);
$this->assertEquals($bindingType, $context->getInboundContext()->getBindingType());
}
public function test_flushes_store_with_inbound_request_state()
{
$loggerMock = $this->getLoggerMock();
$requestStoreMock = $this->getRequestStateStoreMock();
$action = new FlushRequestStatesAction($loggerMock, $requestStoreMock);
$expectedIds = ['1111', '2222', '3333'];
$context = new ProfileContext(Profiles::METADATA, ProfileContext::ROLE_IDP);
$context->getInboundContext()->addSubContext(ProfileContexts::REQUEST_STATE, (new RequestStateContext())->setRequestState(new RequestState($expectedIds[0])));
$context->addSubContext('assertion_1', (new AssertionContext())->addSubContext(ProfileContexts::REQUEST_STATE, (new RequestStateContext())->setRequestState(new RequestState($expectedIds[1]))));
$context->addSubContext('assertion_2', (new AssertionContext())->addSubContext(ProfileContexts::REQUEST_STATE, (new RequestStateContext())->setRequestState(new RequestState($expectedIds[2]))));
$requestStoreMock->expects($this->exactly(3))->method('remove')->withConsecutive([$this->equalTo($expectedIds[0])], [$this->equalTo($expectedIds[1])], [$this->equalTo($expectedIds[2])])->willReturnOnConsecutiveCalls(true, true, false);
$loggerMock->expects($this->exactly(3))->method('debug')->withConsecutive([$this->equalTo(sprintf('Removed request state "%s"', $expectedIds[0]))], [$this->equalTo(sprintf('Removed request state "%s"', $expectedIds[1]))], [$this->equalTo(sprintf('Request state "%s" does not exist', $expectedIds[2]))]);
$action->execute($context);
}
public function test_creates_context_for_each_assertion()
{
$action = new AssertionAction(TestHelper::getLoggerMock($this), $assertionActionMock = $this->getActionMock());
$context = new ProfileContext(Profiles::SSO_IDP_RECEIVE_AUTHN_REQUEST, ProfileContext::ROLE_IDP);
$context->getInboundContext()->setMessage($response = new Response());
$response->addAssertion($assertion1 = new Assertion())->addAssertion($assertion2 = new Assertion());
$action->execute($context);
/** @var AssertionContext $assertionContext */
$assertionContext = $context->getSubContext('assertion_0');
$this->assertInstanceOf(AssertionContext::class, $assertionContext);
$this->assertSame($assertion1, $assertionContext->getAssertion());
$assertionContext = $context->getSubContext('assertion_1');
$this->assertInstanceOf(AssertionContext::class, $assertionContext);
$this->assertSame($assertion2, $assertionContext->getAssertion());
}
public function test_calls_session_processor()
{
$action = new SpSsoStateAction(TestHelper::getLoggerMock($this), $sessionProcessorMock = $this->getSessionProcessorMock());
$context = new ProfileContext(Profiles::SSO_IDP_RECEIVE_AUTHN_REQUEST, ProfileContext::ROLE_IDP);
$context->getInboundContext()->setMessage($response = new Response());
$response->addAssertion($assertion1 = new Assertion());
$response->addAssertion($assertion2 = new Assertion());
$context->getOwnEntityContext()->setEntityDescriptor(new EntityDescriptor($ownEntityId = 'http://own.entity.id'));
$context->getPartyEntityContext()->setEntityDescriptor(new EntityDescriptor($partyEntityId = 'http://party.id'));
$sessionProcessorMock->expects($this->once())->method('processAssertions')->with($this->isType('array'), $ownEntityId, $partyEntityId)->willReturnCallback(function (array $assertions, $ownId, $partyId) use($assertion1, $assertion2) {
$this->assertSame($assertion1, $assertions[0]);
$this->assertSame($assertion2, $assertions[1]);
});
$action->execute($context);
}
/**
* @param ProfileContext $context
*
* @return void
*/
protected function doExecute(ProfileContext $context)
{
$message = MessageContextHelper::asSamlMessage($context->getInboundContext());
$destination = $message->getDestination();
if (null == $destination) {
return;
}
$criteriaSet = $this->getCriteriaSet($context, $destination);
$endpoints = $this->endpointResolver->resolve($criteriaSet, $context->getOwnEntityDescriptor()->getAllEndpoints());
if ($endpoints) {
return;
}
$message = sprintf('Invalid inbound message destination "%s"', $destination);
$this->logger->emergency($message, LogHelper::getActionErrorContext($context, $this));
throw new LightSamlContextException($context, $message);
}
/**
* @param ProfileContext $context
*/
protected function doExecute(ProfileContext $context)
{
$response = MessageContextHelper::asStatusResponse($context->getInboundContext());
$inResponseTo = $response->getInResponseTo();
if ($inResponseTo) {
$requestState = $this->requestStore->get($inResponseTo);
if (null == $requestState) {
$message = sprintf("Unknown InResponseTo '%s'", $inResponseTo);
$this->logger->error($message, LogHelper::getActionErrorContext($context, $this, array('in_response_to' => $inResponseTo)));
throw new LightSamlContextException($context, $message);
}
/** @var RequestStateContext $requestStateContext */
$requestStateContext = $context->getInboundContext()->getSubContext(ProfileContexts::REQUEST_STATE, RequestStateContext::class);
$requestStateContext->setRequestState($requestState);
}
}
protected function doExecute(ProfileContext $context)
{
$logoutResponse = MessageContextHelper::asLogoutResponse($context->getInboundContext());
$id = $logoutResponse->getInResponseTo();
$requestState = $this->requestStore->get($id);
$partyEntityId = $requestState->getParameters()->get(RequestStateParameters::PARTY);
if ($partyEntityId && $logoutResponse->getIssuer() && $partyEntityId != $logoutResponse->getIssuer()->getValue()) {
$message = sprintf('LogoutRequest sent to %s but LogoutResponse for that request was issued by %s', $partyEntityId, $logoutResponse->getIssuer()->getValue());
$this->logger->critical($message, LogHelper::getActionErrorContext($context, $this, ['sent_to' => $partyEntityId, 'received_from' => $logoutResponse->getIssuer()->getValue()]));
throw new LightSamlContextException($context, $message);
}
$nameId = $requestState->getParameters()->get(RequestStateParameters::NAME_ID);
$nameIdFormat = $requestState->getParameters()->get(RequestStateParameters::NAME_ID_FORMAT);
$sessionIndex = $requestState->getParameters()->get(RequestStateParameters::SESSION_INDEX);
$numberOfTerminatedSessions = $this->logoutResolver->terminateSession($logoutResponse->getIssuer()->getValue(), $nameId, $nameIdFormat, $sessionIndex);
$this->logger->debug(sprintf('Processing LogoutResponse from %s for %s in format %s and session index %s resulted in termination of %s sso session from the store', $partyEntityId, $nameId, $nameIdFormat, $sessionIndex, $numberOfTerminatedSessions), LogHelper::getActionContext($context, $this));
}
/**
* @param ProfileContext $context
*
* @return void
*/
protected function doExecute(ProfileContext $context)
{
$authnRequest = MessageContextHelper::asAuthnRequest($context->getInboundContext());
if (false == $authnRequest->getAssertionConsumerServiceURL()) {
return;
}
$spEntityDescriptor = $context->getPartyEntityDescriptor();
foreach ($spEntityDescriptor->getAllSpSsoDescriptors() as $sp) {
if ($sp->getAllAssertionConsumerServicesByUrl($authnRequest->getAssertionConsumerServiceURL())) {
$this->logger->debug(sprintf('AuthnRequest has assertion consumer url "%s" that belongs to entity "%s"', $authnRequest->getAssertionConsumerServiceURL(), $spEntityDescriptor->getEntityID()), LogHelper::getActionContext($context, $this));
return;
}
}
$message = sprintf("Invalid ACS Url '%s' for '%s' entity", $authnRequest->getAssertionConsumerServiceURL(), $spEntityDescriptor->getEntityID());
$this->logger->emergency($message, LogHelper::getActionErrorContext($context, $this));
throw new LightSamlValidationException($message);
}
/**
* @param ProfileContext $context
*
* @return void
*/
protected function doExecute(ProfileContext $context)
{
$message = MessageContextHelper::asSamlMessage($context->getInboundContext());
if (false == $message->getIssuer()) {
$message = 'Inbound message must have Issuer element';
$this->logger->emergency($message, LogHelper::getActionErrorContext($context, $this));
throw new LightSamlContextException($context, $message);
}
if ($this->allowedFormat && $message->getIssuer()->getValue() && $message->getIssuer()->getFormat() && $message->getIssuer()->getFormat() != $this->allowedFormat) {
$message = sprintf("Response Issuer Format if set must have value '%s' but it was '%s'", $this->allowedFormat, $message->getIssuer()->getFormat());
$this->logger->emergency($message, LogHelper::getActionErrorContext($context, $this));
throw new LightSamlContextException($context, $message);
}
try {
$this->nameIdValidator->validateNameId($message->getIssuer());
} catch (LightSamlValidationException $ex) {
throw new LightSamlContextException($context, $ex->getMessage(), 0, $ex);
}
}
protected function doExecute(ProfileContext $context)
{
$statusResponse = MessageContextHelper::asStatusResponse($context->getInboundContext());
if ($statusResponse->getStatus() && $statusResponse->getStatus()->isSuccess()) {
return;
}
if (null == $statusResponse->getStatus()) {
$message = 'Status response does not have Status set';
$this->logger->error($message, LogHelper::getActionErrorContext($context, $this));
throw new LightSamlContextException($context, $message);
}
$status = $statusResponse->getStatus()->getStatusCode()->getValue();
$status .= "\n" . $statusResponse->getStatus()->getStatusMessage();
if ($statusResponse->getStatus()->getStatusCode()->getStatusCode()) {
$status .= "\n" . $statusResponse->getStatus()->getStatusCode()->getStatusCode()->getValue();
}
$message = 'Unsuccessful SAML response: ' . $status;
$this->logger->error($message, LogHelper::getActionErrorContext($context, $this, ['status' => $status]));
throw new LightSamlAuthenticationException($statusResponse, $message);
}
/**
* @param ProfileContext $context
*/
protected function doExecute(ProfileContext $context)
{
$response = MessageContextHelper::asStatusResponse($context->getInboundContext());
$inResponseTo = $response->getInResponseTo();
if ($inResponseTo) {
$requestState = $this->requestStore->get($inResponseTo);
if (null == $requestState) {
$message = sprintf("Unknown InResponseTo '%s'", $inResponseTo);
$this->logger->critical($message, LogHelper::getActionErrorContext($context, $this, array('in_response_to' => $inResponseTo)));
throw new LightSamlContextException($context, $message);
}
$sentToParty = $requestState->getParameters()->get(RequestStateParameters::PARTY);
if ($sentToParty && $response->getIssuer() && $response->getIssuer()->getValue() != $sentToParty) {
$message = sprintf('AuthnRequest with id "%s" sent to party "%s" but StatusResponse for that request issued by party "%s"', $inResponseTo, $sentToParty, $response->getIssuer()->getValue());
$this->logger->critical($message, LogHelper::getActionErrorContext($context, $this, array('sent_to' => $sentToParty, 'received_from' => $response->getIssuer()->getValue())));
throw new LightSamlContextException($context, $message);
}
/** @var RequestStateContext $requestStateContext */
$requestStateContext = $context->getInboundContext()->getSubContext(ProfileContexts::REQUEST_STATE, RequestStateContext::class);
$requestStateContext->setRequestState($requestState);
}
}
/**
* @param ProfileContext $context
*
* @return void
*/
protected function doExecute(ProfileContext $context)
{
$message = MessageContextHelper::asSamlMessage($context->getInboundContext());
$signature = $message->getSignature();
if (null === $signature) {
$this->logger->debug('Message is not signed', LogHelper::getActionContext($context, $this));
return;
}
if ($signature instanceof AbstractSignatureReader) {
$metadataType = ProfileContext::ROLE_IDP === $context->getOwnRole() ? MetadataCriteria::TYPE_SP : MetadataCriteria::TYPE_IDP;
$credential = $this->signatureValidator->validate($signature, $message->getIssuer()->getValue(), $metadataType);
if ($credential) {
$keyNames = $credential->getKeyNames();
$this->logger->debug(sprintf('Message signature validated with key "%s"', implode(', ', $keyNames)), LogHelper::getActionContext($context, $this, array('credential' => $credential)));
} else {
$this->logger->warning('Signature verification was not performed', LogHelper::getActionContext($context, $this));
}
} else {
$message = 'Expected AbstractSignatureReader';
$this->logger->critical($message, LogHelper::getActionErrorContext($context, $this));
throw new LightSamlModelException($message);
}
}
