/**
* Add an item to the cache.
*
* @param string $id The identifier of this data.
* @param string $data The data.
* @param int $expires The timestamp the data expires.
* @param string|NULL $tag An extra tag that can be used to verify the validity of the cached data.
*/
public function addCacheItem($id, $data, $expires, $tag = NULL)
{
assert('is_string($id)');
assert('is_string($data)');
assert('is_int($expires)');
assert('is_null($tag) || is_string($tag)');
$cacheFile = $this->cacheDirectory . '/' . $id;
try {
SimpleSAML_Utilities::writeFile($cacheFile, $data);
} catch (Exception $e) {
SimpleSAML_Logger::warning($this->logLoc . 'Unable to write to cache file ' . var_export($cacheFile, TRUE));
return;
}
$expireInfo = (string) $expires;
if ($tag !== NULL) {
$expireInfo .= ':' . $tag;
}
$expireFile = $cacheFile . '.expire';
try {
SimpleSAML_Utilities::writeFile($expireFile, $expireInfo);
} catch (Exception $e) {
SimpleSAML_Logger::warning($this->logLoc . 'Unable to write expiration info to ' . var_export($expireFile, TRUE));
}
}
/**
* This function receives a SAML 1.1 artifact.
*
* @param SimpleSAML_Configuration $spMetadata The metadata of the SP.
* @param SimpleSAML_Configuration $idpMetadata The metadata of the IdP.
* @return string The <saml1p:Response> element, as an XML string.
*/
public static function receive(SimpleSAML_Configuration $spMetadata, SimpleSAML_Configuration $idpMetadata)
{
$artifacts = self::getArtifacts();
$request = self::buildRequest($artifacts);
SimpleSAML_Utilities::debugMessage($msgStr, 'out');
$url = $idpMetadata->getDefaultEndpoint('ArtifactResolutionService', array('urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding'));
$url = $url['Location'];
$peerPublicKeys = $idpMetadata->getPublicKeys('signing', TRUE);
$certData = '';
foreach ($peerPublicKeys as $key) {
if ($key['type'] !== 'X509Certificate') {
continue;
}
$certData .= "-----BEGIN CERTIFICATE-----\n" . chunk_split($key['X509Certificate'], 64) . "-----END CERTIFICATE-----\n";
}
$file = SimpleSAML_Utilities::getTempDir() . '/' . sha1($certData) . '.crt';
if (!file_exists($file)) {
SimpleSAML_Utilities::writeFile($file, $certData);
}
$spKeyCertFile = SimpleSAML_Utilities::resolveCert($spMetadata->getString('privatekey'));
$opts = array('ssl' => array('verify_peer' => TRUE, 'cafile' => $file, 'local_cert' => $spKeyCertFile, 'capture_peer_cert' => TRUE, 'capture_peer_chain' => TRUE), 'http' => array('method' => 'POST', 'content' => $request, 'header' => 'SOAPAction: http://www.oasis-open.org/committees/security' . "\r\n" . 'Content-Type: text/xml'));
/* Fetch the artifact. */
$response = SimpleSAML_Utilities::fetch($url, $opts);
if ($response === FALSE) {
throw new SimpleSAML_Error_Exception('Failed to retrieve assertion from IdP.');
}
SimpleSAML_Utilities::debugMessage($response, 'in');
/* Find the response in the SOAP message. */
$response = self::extractResponse($response);
return $response;
}
/**
* This function writes the metadata to to separate files in the output directory.
*/
function writeMetadataFiles($outputDir)
{
while (strlen($outputDir) > 0 && $outputDir[strlen($outputDir) - 1] === '/') {
$outputDir = substr($outputDir, 0, strlen($outputDir) - 1);
}
if (!file_exists($outputDir)) {
SimpleSAML_Logger::info('Creating directory: ' . $outputDir . "\n");
$res = @mkdir($outputDir, 0777, TRUE);
if ($res === FALSE) {
throw new Exception('Error creating directory: ' . $outputDir);
}
}
foreach (self::$types as $type) {
$filename = $outputDir . '/' . $type . '.php';
if (array_key_exists($type, $this->metadata)) {
$elements = $this->metadata[$type];
SimpleSAML_Logger::debug('Writing: ' . $filename);
$content = '<?php' . "\n" . '/* This file was generated by the metarefresh module at ' . $this->getTime() . "\n";
$content .= ' Do not update it manually as it will get overwritten' . "\n" . '*/' . "\n";
foreach ($elements as $m) {
$entityID = $m['metadata']['entityid'];
$content .= "\n";
$content .= '$metadata[\'' . addslashes($entityID) . '\'] = ' . var_export($m['metadata'], TRUE) . ';' . "\n";
}
$content .= "\n" . '?>';
SimpleSAML_Utilities::writeFile($filename, $content);
} elseif (is_file($filename)) {
if (unlink($filename)) {
SimpleSAML_Logger::debug('Deleting stale metadata file: ' . $filename);
} else {
SimpleSAML_Logger::warning('Could not delete stale metadata file: ' . $filename);
}
}
}
}
/**
* This function sends the SOAP message to the service location and returns SOAP response
*
* @param SAML2_Message $m The request that should be sent.
* @param SimpleSAML_Configuration $srcMetadata The metadata of the issuer of the message.
* @param SimpleSAML_Configuration $dstMetadata The metadata of the destination of the message.
* @return SAML2_Message The response we received.
*/
public function send(SAML2_Message $msg, SimpleSAML_Configuration $srcMetadata, SimpleSAML_Configuration $dstMetadata = NULL)
{
$issuer = $msg->getIssuer();
$ctxOpts = array('ssl' => array('capture_peer_cert' => TRUE));
// Determine if we are going to do a MutualSSL connection between the IdP and SP - Shoaib
if ($srcMetadata->hasValue('saml.SOAPClient.certificate')) {
$ctxOpts['ssl']['local_cert'] = SimpleSAML_Utilities::resolveCert($srcMetadata->getString('saml.SOAPClient.certificate'));
if ($srcMetadata->hasValue('saml.SOAPClient.privatekey_pass')) {
$ctxOpts['ssl']['passphrase'] = $srcMetadata->getString('saml.SOAPClient.privatekey_pass');
}
} else {
/* Use the SP certificate and privatekey if it is configured. */
$privateKey = SimpleSAML_Utilities::loadPrivateKey($srcMetadata);
$publicKey = SimpleSAML_Utilities::loadPublicKey($srcMetadata);
if ($privateKey !== NULL && $publicKey !== NULL && isset($publicKey['PEM'])) {
$keyCertData = $privateKey['PEM'] . $publicKey['PEM'];
$file = SimpleSAML_Utilities::getTempDir() . '/' . sha1($keyCertData) . '.pem';
if (!file_exists($file)) {
SimpleSAML_Utilities::writeFile($file, $keyCertData);
}
$ctxOpts['ssl']['local_cert'] = $file;
if (isset($privateKey['password'])) {
$ctxOpts['ssl']['passphrase'] = $privateKey['password'];
}
}
}
// do peer certificate verification
if ($dstMetadata !== NULL) {
$peerPublicKeys = $dstMetadata->getPublicKeys('signing', TRUE);
$certData = '';
foreach ($peerPublicKeys as $key) {
if ($key['type'] !== 'X509Certificate') {
continue;
}
$certData .= "-----BEGIN CERTIFICATE-----\n" . chunk_split($key['X509Certificate'], 64) . "-----END CERTIFICATE-----\n";
}
$peerCertFile = SimpleSAML_Utilities::getTempDir() . '/' . sha1($certData) . '.pem';
if (!file_exists($peerCertFile)) {
SimpleSAML_Utilities::writeFile($peerCertFile, $certData);
}
// create ssl context
$ctxOpts['ssl']['verify_peer'] = TRUE;
$ctxOpts['ssl']['verify_depth'] = 1;
$ctxOpts['ssl']['cafile'] = $peerCertFile;
}
$context = stream_context_create($ctxOpts);
if ($context === NULL) {
throw new Exception('Unable to create SSL stream context');
}
$options = array('uri' => $issuer, 'location' => $msg->getDestination(), 'stream_context' => $context);
$x = new SoapClient(NULL, $options);
// Add soap-envelopes
$request = $msg->toSignedXML();
$request = self::START_SOAP_ENVELOPE . $request->ownerDocument->saveXML($request) . self::END_SOAP_ENVELOPE;
SimpleSAML_Utilities::debugMessage($request, 'out');
$action = 'http://www.oasis-open.org/committees/security';
$version = '1.1';
$destination = $msg->getDestination();
/* Perform SOAP Request over HTTP */
$soapresponsexml = $x->__doRequest($request, $destination, $action, $version);
if ($soapresponsexml === NULL || $soapresponsexml === "") {
throw new Exception('Empty SOAP response, check peer certificate.');
}
SimpleSAML_Utilities::debugMessage($soapresponsexml, 'in');
// Convert to SAML2_Message (DOMElement)
$dom = new DOMDocument();
if (!$dom->loadXML($soapresponsexml)) {
throw new Exception('Not a SOAP response.');
}
$soapfault = $this->getSOAPFault($dom);
if (isset($soapfault)) {
throw new Exception($soapfault);
}
//Extract the message from the response
$xml = $dom->firstChild;
/* Soap Envelope */
$samlresponse = SAML2_Utils::xpQuery($dom->firstChild, '/soap-env:Envelope/soap-env:Body/*[1]');
$samlresponse = SAML2_Message::fromXML($samlresponse[0]);
/* Add validator to message which uses the SSL context. */
self::addSSLValidator($samlresponse, $context);
SimpleSAML_Logger::debug("Valid ArtifactResponse received from IdP");
return $samlresponse;
}
/**
* This function sends the SOAP message to the service location and returns SOAP response
*
* @param SAML2_Message $msg The request that should be sent.
* @param SimpleSAML_Configuration $srcMetadata The metadata of the issuer of the message.
* @param SimpleSAML_Configuration $dstMetadata The metadata of the destination of the message.
* @return SAML2_Message The response we received.
* @throws Exception
*/
public function send(SAML2_Message $msg, SimpleSAML_Configuration $srcMetadata, SimpleSAML_Configuration $dstMetadata = NULL)
{
$issuer = $msg->getIssuer();
$ctxOpts = array('ssl' => array('capture_peer_cert' => TRUE));
/* Determine if we are going to do a MutualSSL connection between the IdP and SP - Shoaib */
if ($srcMetadata->hasValue('saml.SOAPClient.certificate')) {
$cert = $srcMetadata->getValue('saml.SOAPClient.certificate');
if ($cert !== FALSE) {
$ctxOpts['ssl']['local_cert'] = SimpleSAML_Utilities::resolveCert($srcMetadata->getString('saml.SOAPClient.certificate'));
if ($srcMetadata->hasValue('saml.SOAPClient.privatekey_pass')) {
$ctxOpts['ssl']['passphrase'] = $srcMetadata->getString('saml.SOAPClient.privatekey_pass');
}
}
} else {
/* Use the SP certificate and privatekey if it is configured. */
$privateKey = SimpleSAML_Utilities::loadPrivateKey($srcMetadata);
$publicKey = SimpleSAML_Utilities::loadPublicKey($srcMetadata);
if ($privateKey !== NULL && $publicKey !== NULL && isset($publicKey['PEM'])) {
$keyCertData = $privateKey['PEM'] . $publicKey['PEM'];
$file = SimpleSAML_Utilities::getTempDir() . '/' . sha1($keyCertData) . '.pem';
if (!file_exists($file)) {
SimpleSAML_Utilities::writeFile($file, $keyCertData);
}
$ctxOpts['ssl']['local_cert'] = $file;
if (isset($privateKey['password'])) {
$ctxOpts['ssl']['passphrase'] = $privateKey['password'];
}
}
}
/* Do peer certificate verification */
if ($dstMetadata !== NULL) {
$peerPublicKeys = $dstMetadata->getPublicKeys('signing', TRUE);
$certData = '';
foreach ($peerPublicKeys as $key) {
if ($key['type'] !== 'X509Certificate') {
continue;
}
$certData .= "-----BEGIN CERTIFICATE-----\n" . chunk_split($key['X509Certificate'], 64) . "-----END CERTIFICATE-----\n";
}
$peerCertFile = SimpleSAML_Utilities::getTempDir() . '/' . sha1($certData) . '.pem';
if (!file_exists($peerCertFile)) {
SimpleSAML_Utilities::writeFile($peerCertFile, $certData);
}
/* Create ssl context */
$ctxOpts['ssl']['verify_peer'] = TRUE;
$ctxOpts['ssl']['verify_depth'] = 1;
$ctxOpts['ssl']['cafile'] = $peerCertFile;
}
$ctxOpts['http']['header'] = 'SOAPAction: "http://www.oasis-open.org/committees/security"' . "\n";
if ($this->username !== NULL && $this->password !== NULL) {
/* Add HTTP Basic authentication header. */
$authData = $this->username . ':' . $this->password;
$authData = base64_encode($authData);
$ctxOpts['http']['header'] .= 'Authorization: Basic ' . $authData . "\n";
}
if ($srcMetadata->hasValue('saml.SOAPClient.proxyhost')) {
$options['proxy_host'] = $srcMetadata->getValue('saml.SOAPClient.proxyhost');
}
if ($srcMetadata->hasValue('saml.SOAPClient.proxyport')) {
$options['proxy_port'] = $srcMetadata->getValue('saml.SOAPClient.proxyport');
}
$x = new SoapClient(NULL, $options);
/* Add soap-envelopes */
$request = $msg->toSignedXML();
$request = self::START_SOAP_ENVELOPE . $request->ownerDocument->saveXML($request) . self::END_SOAP_ENVELOPE;
SAML2_Utils::getContainer()->debugMessage($request, 'out');
$ctxOpts['http']['content'] = $request;
$ctxOpts['http']['header'] .= 'Content-Type: text/xml; charset=utf-8' . "\n";
$ctxOpts['http']['method'] = 'POST';
$destination = $msg->getDestination();
/* Perform SOAP Request over HTTP */
$context = stream_context_create($ctxOpts);
if ($context === NULL) {
throw new Exception('Unable to create stream context');
}
$soapresponsexml = @file_get_contents($destination, FALSE, $context);
if ($soapresponsexml === FALSE) {
throw new Exception('Error processing SOAP call: ' . SimpleSAML_Utilities::getLastError());
}
SAML2_Utils::getContainer()->debugMessage($soapresponsexml, 'in');
/* Convert to SAML2_Message (DOMElement) */
try {
$dom = SAML2_DOMDocumentFactory::fromString($soapresponsexml);
} catch (SAML2_Exception_RuntimeException $e) {
throw new Exception('Not a SOAP response.', 0, $e);
}
$soapfault = $this->getSOAPFault($dom);
if (isset($soapfault)) {
throw new Exception($soapfault);
}
/* Extract the message from the response */
$samlresponse = SAML2_Utils::xpQuery($dom->firstChild, '/soap-env:Envelope/soap-env:Body/*[1]');
$samlresponse = SAML2_Message::fromXML($samlresponse[0]);
/* Add validator to message which uses the SSL context. */
self::addSSLValidator($samlresponse, $context);
SAML2_Utils::getContainer()->getLogger()->debug("Valid ArtifactResponse received from IdP");
return $samlresponse;
}
/**
* This function receives a SAML 1.1 artifact.
*
* @param SimpleSAML_Configuration $spMetadata The metadata of the SP.
* @param SimpleSAML_Configuration $idpMetadata The metadata of the IdP.
* @return string The <saml1p:Response> element, as an XML string.
*/
public static function receive(SimpleSAML_Configuration $spMetadata, SimpleSAML_Configuration $idpMetadata)
{
$artifacts = self::getArtifacts();
$request = self::buildRequest($artifacts);
$url = 'https://skjak.uninett.no:1245/test...';
$url = $idpMetadata->getString('ArtifactResolutionService');
$certData = SimpleSAML_Utilities::loadPublicKey($idpMetadata->toArray(), TRUE);
if (!array_key_exists('PEM', $certData)) {
throw new SimpleSAML_Error_Exception('Missing one of certData or certificate in metadata for ' . var_export($idpMetadata->getString('entityid'), TRUE));
}
$certData = $certData['PEM'];
$file = SimpleSAML_Utilities::getTempDir() . '/' . sha1($certData) . '.crt';
if (!file_exists($file)) {
SimpleSAML_Utilities::writeFile($file, $certData);
}
$globalConfig = SimpleSAML_Configuration::getInstance();
$spKeyCertFile = $globalConfig->getPathValue('certdir', 'cert/') . $spMetadata->getString('privatekey');
$opts = array('ssl' => array('verify_peer' => TRUE, 'cafile' => $file, 'local_cert' => $spKeyCertFile, 'capture_peer_cert' => TRUE, 'capture_peer_chain' => TRUE), 'http' => array('method' => 'POST', 'content' => $request, 'header' => 'SOAPAction: http://www.oasis-open.org/committees/security' . "\r\n" . 'Content-Type: text/xml'));
$context = stream_context_create($opts);
/* Fetch the artifact. */
$response = file_get_contents($url, FALSE, $context);
if ($response === FALSE) {
throw new SimpleSAML_Error_Exception('Failed to retrieve assertion from IdP.');
}
/* Find the response in the SOAP message. */
$response = self::extractResponse($response);
return $response;
}
