/**
 * Copies the RelayState held by the profile context onto the outbound SAML message.
 *
 * Nothing happens when the context carries no RelayState. The check is on
 * truthiness, so an empty string (or "0") is treated the same as null.
 *
 * @param ProfileContext $context
 *
 * @return void
 */
protected function doExecute(ProfileContext $context)
{
    $relayState = $context->getRelayState();
    if (!$relayState) {
        return;
    }

    $this->logger->debug(
        sprintf('RelayState from context set to outbound message: "%s"', $relayState),
        LogHelper::getActionContext($context, $this)
    );

    $outboundMessage = MessageContextHelper::asSamlMessage($context->getOutboundContext());
    $outboundMessage->setRelayState($relayState);
}
/**
 * Decrypts every EncryptedAssertion in the inbound Response with this party's
 * own encryption private keys and appends the plaintext assertions to the Response.
 *
 * Keys are resolved from the credential store by own entity ID, own role
 * (IdP or SP metadata), the SAML2 protocol and ENCRYPTION usage. Resolving no
 * key at all is logged at EMERGENCY level and aborts the profile.
 *
 * NOTE(review): the decrypted assertion XML is written to the log at INFO level.
 * That text carries the subject and any attribute statements, so the log becomes
 * a store of personal data; consider moving it to DEBUG or logging only the
 * assertion ID. Decryption proves nothing about origin, the assertions added
 * here still have to pass the usual signature/issuer/conditions checks downstream.
 *
 * @param ProfileContext $context
 *
 * @return void
 *
 * @throws LightSamlContextException when no decryption credential can be resolved
 */
protected function doExecute(ProfileContext $context)
{
    $response = MessageContextHelper::asResponse($context->getInboundContext());

    if (0 === count($response->getAllEncryptedAssertions())) {
        $this->logger->debug('Response has no encrypted assertions', LogHelper::getActionContext($context, $this));

        return;
    }

    $ownEntityId = $context->getOwnEntityDescriptor()->getEntityID();
    $metadataType = ProfileContext::ROLE_IDP === $context->getOwnRole()
        ? MetadataCriteria::TYPE_IDP
        : MetadataCriteria::TYPE_SP;

    $query = $this->credentialResolver->query();
    $query
        ->add(new EntityIdCriteria($ownEntityId))
        ->add(new MetadataCriteria($metadataType, SamlConstants::PROTOCOL_SAML2))
        ->add(new UsageCriteria(UsageType::ENCRYPTION));
    $query->resolve();
    $privateKeys = $query->getPrivateKeys();

    if (empty($privateKeys)) {
        $message = 'No credentials resolved for assertion decryption';
        $this->logger->emergency($message, LogHelper::getActionErrorContext($context, $this));
        throw new LightSamlContextException($context, $message);
    }

    // Log which keys will be tried; only the public half (thumbprint) is printed.
    $describeCredential = function (CredentialInterface $credential) {
        $publicKey = $credential->getPublicKey();
        $thumbprint = $publicKey ? $publicKey->getX509Thumbprint() : '';

        return sprintf("Entity: '%s'; PK X509 Thumb: '%s'", $credential->getEntityId(), $thumbprint);
    };
    $this->logger->info(
        'Trusted decryption candidates',
        LogHelper::getActionContext($context, $this, array(
            'credentials' => array_map($describeCredential, $privateKeys),
        ))
    );

    foreach ($response->getAllEncryptedAssertions() as $index => $encryptedAssertion) {
        if (!$encryptedAssertion instanceof EncryptedAssertionReader) {
            continue;
        }

        $subContextName = sprintf('assertion_encrypted_%s', $index);
        /** @var DeserializationContext $deserializationContext */
        $deserializationContext = $context->getInboundContext()->getSubContext($subContextName, DeserializationContext::class);

        $assertion = $encryptedAssertion->decryptMultiAssertion($privateKeys, $deserializationContext);
        $response->addAssertion($assertion);

        $this->logger->info(
            'Assertion decrypted',
            LogHelper::getActionContext($context, $this, array(
                'assertion' => $deserializationContext->getDocument()->saveXML(),
            ))
        );
    }
}
/**
 * Stamps the outbound SAML message with this party's own entity ID as Issuer,
 * using the entity NameID format.
 *
 * @param ProfileContext $context
 *
 * @return void
 */
protected function doExecute(ProfileContext $context)
{
    $ownEntityId = $context->getOwnEntityDescriptor()->getEntityID();

    $issuer = new Issuer($ownEntityId);
    $issuer->setFormat(SamlConstants::NAME_ID_FORMAT_ENTITY);

    $outboundMessage = MessageContextHelper::asSamlMessage($context->getOutboundContext());
    $outboundMessage->setIssuer($issuer);

    $this->logger->debug(
        sprintf('Issuer set to "%s"', $ownEntityId),
        LogHelper::getActionContext($context, $this)
    );
}
/**
 * Records a RequestState keyed by the outbound message ID in the request store,
 * so a later inbound response can be matched by InResponseTo.
 *
 * NOTE(review): setNonce() receives the whole message object rather than a
 * nonce value. Whether RequestState::setNonce() accepts a message is not visible
 * here; confirm against its signature, it reads like a bug.
 *
 * @param ProfileContext $context
 *
 * @return void
 */
protected function doExecute(ProfileContext $context)
{
    $outboundMessage = MessageContextHelper::asSamlMessage($context->getOutboundContext());

    $requestState = new RequestState();
    $requestState->setId($outboundMessage->getID());
    $requestState->setNonce($outboundMessage);

    $this->requestStore->set($requestState);
}
/**
 * Takes the Issuer of the inbound message as the entity ID of the remote party.
 *
 * The value is only copied here; trust in it must come from later signature
 * validation against that party's metadata.
 *
 * @param ProfileContext $context
 *
 * @return void
 *
 * @throws LightSamlContextException when the inbound message has no Issuer
 */
protected function doExecute(ProfileContext $context)
{
    $inboundMessage = MessageContextHelper::asSamlMessage($context->getInboundContext());
    $issuer = $inboundMessage->getIssuer();

    if (!$issuer) {
        throw new LightSamlContextException($context, 'Inbound messages does not have Issuer');
    }

    $context->getPartyEntityContext()->setEntityId($issuer->getValue());
}
/**
 * Fills the NameID of the outbound LogoutRequest from the SSO session that is
 * being logged out (value and format taken from the session state).
 *
 * @param ProfileContext $context
 *
 * @return void
 */
protected function doExecute(ProfileContext $context)
{
    $sessionState = $context->getLogoutSsoSessionState();

    $nameId = new NameID();
    $nameId->setValue($sessionState->getNameId());
    $nameId->setFormat($sessionState->getNameIdFormat());

    MessageContextHelper::asLogoutRequest($context->getOutboundContext())->setNameID($nameId);
}
/**
 * Rejects an inbound Response that carries no bearer assertion (SubjectConfirmation
 * with the bearer method); the Web SSO profile needs at least one.
 *
 * @param ProfileContext $context
 *
 * @return void
 *
 * @throws LightSamlContextException when no bearer assertion is present
 */
protected function doExecute(ProfileContext $context)
{
    $response = MessageContextHelper::asResponse($context->getInboundContext());
    $bearerAssertions = $response->getBearerAssertions();

    if (!$bearerAssertions) {
        $message = 'Response must contain at least one bearer assertion';
        $this->logger->error($message, LogHelper::getActionErrorContext($context, $this));
        throw new LightSamlContextException($context, $message);
    }
}
/**
 * Runs the configured assertion action once per assertion of the inbound
 * Response, each inside its own AssertionContext sub-context named
 * "assertion_<index>".
 *
 * @param ProfileContext $context
 *
 * @return void
 */
protected function doExecute(ProfileContext $context)
{
    $response = MessageContextHelper::asResponse($context->getInboundContext());

    foreach ($response->getAllAssertions() as $index => $assertion) {
        $subContextName = sprintf('assertion_%s', $index);

        /** @var AssertionContext $assertionContext */
        $assertionContext = $context->getSubContext($subContextName, AssertionContext::class);
        $assertionContext
            ->setAssertion($assertion)
            ->setId($subContextName);

        $this->assertionAction->execute($assertionContext);
    }
}
/**
 * Requires that at least one assertion of the inbound Response carries an
 * AuthnStatement; a Response without one cannot establish a login.
 *
 * @param ProfileContext $context
 *
 * @return void
 *
 * @throws LightSamlContextException when no assertion has an AuthnStatement
 */
protected function doExecute(ProfileContext $context)
{
    $response = MessageContextHelper::asResponse($context->getInboundContext());

    $hasAuthnStatement = false;
    foreach ($response->getAllAssertions() as $assertion) {
        if ($assertion->getAllAuthnStatements()) {
            $hasAuthnStatement = true;
            break;
        }
    }

    if ($hasAuthnStatement) {
        return;
    }

    $message = 'Response must have at least one Assertion containing AuthnStatement element';
    $this->logger->error($message, LogHelper::getActionErrorContext($context, $this));
    throw new LightSamlContextException($context, $message);
}
/**
 * Sets AssertionConsumerServiceURL on the outbound AuthnRequest to the first
 * HTTP-POST AssertionConsumerService found in this party's own SP SSO descriptor.
 *
 * @param ProfileContext $context
 *
 * @return void
 *
 * @throws LightSamlContextException when own metadata has no HTTP-POST ACS endpoint
 */
protected function doExecute(ProfileContext $context)
{
    $ownDescriptor = $context->getOwnEntityDescriptor();

    $criteria = new CriteriaSet([
        new DescriptorTypeCriteria(SpSsoDescriptor::class),
        new ServiceTypeCriteria(AssertionConsumerService::class),
        new BindingCriteria([SamlConstants::BINDING_SAML2_HTTP_POST]),
    ]);
    $matches = $this->endpointResolver->resolve($criteria, $ownDescriptor->getAllEndpoints());

    if (!$matches) {
        $message = 'Missing ACS Service with HTTP POST binding in own SP SSO Descriptor';
        $this->logger->error($message, LogHelper::getActionErrorContext($context, $this));
        throw new LightSamlContextException($context, $message);
    }

    $acsLocation = $matches[0]->getEndpoint()->getLocation();
    MessageContextHelper::asAuthnRequest($context->getOutboundContext())
        ->setAssertionConsumerServiceURL($acsLocation);
}
/**
 * Persists a RequestState for the outbound message so the matching inbound
 * response can later be correlated through InResponseTo and checked against
 * the party it was sent to.
 *
 * Stored parameters: message ID, message class, IssueInstant timestamp, the
 * party entity ID (the party descriptor's entity ID wins over the plain entity
 * ID on the party context) and the RelayState. For a LogoutRequest the NameID
 * value/format and SessionIndex are stored too, so the LogoutResponse handler
 * knows which SSO session to terminate.
 *
 * NOTE(review): getNameID() is dereferenced without a null check; a LogoutRequest
 * built without a NameID would fail here with a PHP error rather than a SAML exception.
 *
 * @param ProfileContext $context
 *
 * @return void
 */
protected function doExecute(ProfileContext $context)
{
    $outboundMessage = MessageContextHelper::asSamlMessage($context->getOutboundContext());
    $partyContext = $context->getPartyEntityContext();

    $partyEntityId = '';
    if ($partyContext) {
        $partyEntityId = $partyContext->getEntityId();
        if ($partyContext->getEntityDescriptor()) {
            $partyEntityId = $partyContext->getEntityDescriptor()->getEntityID();
        }
    }

    $requestState = new RequestState();
    $requestState->setId($outboundMessage->getID());
    $requestState->getParameters()->add([
        RequestStateParameters::ID => $outboundMessage->getID(),
        RequestStateParameters::TYPE => get_class($outboundMessage),
        RequestStateParameters::TIMESTAMP => $outboundMessage->getIssueInstantTimestamp(),
        RequestStateParameters::PARTY => $partyEntityId,
        RequestStateParameters::RELAY_STATE => $outboundMessage->getRelayState(),
    ]);

    if ($outboundMessage instanceof LogoutRequest) {
        $nameId = $outboundMessage->getNameID();
        $requestState->getParameters()->add([
            RequestStateParameters::NAME_ID => $nameId->getValue(),
            RequestStateParameters::NAME_ID_FORMAT => $nameId->getFormat(),
            RequestStateParameters::SESSION_INDEX => $outboundMessage->getSessionIndex(),
        ]);
    }

    $this->requestStore->set($requestState);
}
/**
 * Signs the outbound message when the profile says it should be signed.
 *
 * NOTE(review): when signing is enabled but no signature can be resolved, this
 * only logs CRITICAL and lets the message continue unsigned. If the receiving
 * party does not require signatures, a misconfigured key store silently
 * downgrades to unsigned messages; consider whether this should throw instead.
 *
 * @param ProfileContext $context
 *
 * @return void
 */
protected function doExecute(ProfileContext $context)
{
    if (!$this->shouldSignMessage($context)) {
        $this->logger->debug('Signing disabled', LogHelper::getActionContext($context, $this));

        return;
    }

    $signature = $this->signatureResolver->getSignature($context);
    if (!$signature) {
        $this->logger->critical(
            'No signature resolved, although signing enabled',
            LogHelper::getActionErrorContext($context, $this, array())
        );

        return;
    }

    MessageContextHelper::asSamlMessage($context->getOutboundContext())->setSignature($signature);

    $certificate = $signature->getCertificate();
    $this->logger->debug(
        sprintf('Message signed with fingerprint "%s"', $certificate->getFingerprint()),
        LogHelper::getActionContext($context, $this, array('certificate' => $certificate->getInfo()))
    );
}
/**
 * Verifies that the Destination attribute of the inbound message matches one of
 * this party's own endpoints (as selected by getCriteriaSet()).
 *
 * A message with no Destination at all is accepted without any check here;
 * whether that is acceptable depends on the binding (SAML requires Destination
 * on signed HTTP-Redirect/POST messages) and is not enforced by this action.
 *
 * @param ProfileContext $context
 *
 * @return void
 *
 * @throws LightSamlContextException when Destination matches none of own endpoints
 */
protected function doExecute(ProfileContext $context)
{
    $inboundMessage = MessageContextHelper::asSamlMessage($context->getInboundContext());
    $destination = $inboundMessage->getDestination();

    if (!$destination) {
        return;
    }

    $criteria = $this->getCriteriaSet($context, $destination);
    $ownEndpoints = $context->getOwnEntityDescriptor()->getAllEndpoints();
    $matches = $this->endpointResolver->resolve($criteria, $ownEndpoints);

    if (!$matches) {
        $error = sprintf('Invalid inbound message destination "%s"', $destination);
        $this->logger->emergency($error, LogHelper::getActionErrorContext($context, $this));
        throw new LightSamlContextException($context, $error);
    }
}
/**
 * Looks up the stored RequestState referenced by the inbound response's
 * InResponseTo and attaches it to the inbound context as a sub-context.
 *
 * A response without InResponseTo (unsolicited / IdP-initiated) is left alone.
 * An InResponseTo that is not in the request store is rejected, which blocks
 * replays of responses for requests this party never sent or already consumed.
 *
 * @param ProfileContext $context
 *
 * @return void
 *
 * @throws LightSamlContextException for an unknown InResponseTo
 */
protected function doExecute(ProfileContext $context)
{
    $statusResponse = MessageContextHelper::asStatusResponse($context->getInboundContext());
    $inResponseTo = $statusResponse->getInResponseTo();

    if (!$inResponseTo) {
        return;
    }

    $requestState = $this->requestStore->get($inResponseTo);
    if (!$requestState) {
        $message = sprintf("Unknown InResponseTo '%s'", $inResponseTo);
        $this->logger->error(
            $message,
            LogHelper::getActionErrorContext($context, $this, array('in_response_to' => $inResponseTo))
        );
        throw new LightSamlContextException($context, $message);
    }

    /** @var RequestStateContext $requestStateContext */
    $requestStateContext = $context->getInboundContext()
        ->getSubContext(ProfileContexts::REQUEST_STATE, RequestStateContext::class);
    $requestStateContext->setRequestState($requestState);
}
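/**
 * Terminates the SSO session that the inbound LogoutResponse answers for.
 *
 * The LogoutRequest's stored RequestState (looked up by InResponseTo) supplies
 * the party the request was sent to and the NameID / SessionIndex it named.
 * The response is rejected when it was issued by a different party than the
 * one the request went to.
 *
 * Fixes: the original dereferenced the RequestState and the response Issuer
 * without null checks, so a LogoutResponse with an unknown/missing InResponseTo
 * or no Issuer died with a PHP "member function on null" error instead of a
 * SAML context exception (and the unknown-InResponseTo case should be rejected
 * like the other InResponseTo actions do).
 *
 * @param ProfileContext $context
 *
 * @return void
 *
 * @throws LightSamlContextException when InResponseTo is unknown, Issuer is
 *                                   missing, or Issuer differs from the party
 *                                   the LogoutRequest was sent to
 */
protected function doExecute(ProfileContext $context)
{
    $logoutResponse = MessageContextHelper::asLogoutResponse($context->getInboundContext());
    $inResponseTo = $logoutResponse->getInResponseTo();

    $requestState = $this->requestStore->get($inResponseTo);
    if (null == $requestState) {
        $message = sprintf("Unknown InResponseTo '%s'", $inResponseTo);
        $this->logger->error(
            $message,
            LogHelper::getActionErrorContext($context, $this, ['in_response_to' => $inResponseTo])
        );
        throw new LightSamlContextException($context, $message);
    }

    $issuer = $logoutResponse->getIssuer();
    if (null == $issuer) {
        $message = 'LogoutResponse must have Issuer element';
        $this->logger->error($message, LogHelper::getActionErrorContext($context, $this));
        throw new LightSamlContextException($context, $message);
    }
    $issuerEntityId = $issuer->getValue();

    $parameters = $requestState->getParameters();
    $partyEntityId = $parameters->get(RequestStateParameters::PARTY);

    // The party that answers must be the party the request was addressed to.
    if ($partyEntityId && $partyEntityId != $issuerEntityId) {
        $message = sprintf(
            'LogoutRequest sent to %s but LogoutResponse for that request was issued by %s',
            $partyEntityId,
            $issuerEntityId
        );
        $this->logger->critical(
            $message,
            LogHelper::getActionErrorContext($context, $this, [
                'sent_to' => $partyEntityId,
                'received_from' => $issuerEntityId,
            ])
        );
        throw new LightSamlContextException($context, $message);
    }

    $nameId = $parameters->get(RequestStateParameters::NAME_ID);
    $nameIdFormat = $parameters->get(RequestStateParameters::NAME_ID_FORMAT);
    $sessionIndex = $parameters->get(RequestStateParameters::SESSION_INDEX);

    $terminatedCount = $this->logoutResolver->terminateSession($issuerEntityId, $nameId, $nameIdFormat, $sessionIndex);

    $this->logger->debug(
        sprintf(
            'Processing LogoutResponse from %s for %s in format %s and session index %s resulted in termination of %s sso session from the store',
            $partyEntityId,
            $nameId,
            $nameIdFormat,
            $sessionIndex,
            $terminatedCount
        ),
        LogHelper::getActionContext($context, $this)
    );
}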
/**
 * IdP-side check: when an AuthnRequest names an AssertionConsumerServiceURL,
 * that URL must be registered as an ACS in the requesting SP's metadata.
 * Without this check an attacker could have assertions posted to a URL of
 * their choosing. The comparison is delegated to the descriptor's URL lookup.
 *
 * An AuthnRequest that names no ACS URL passes; the ACS is then picked from
 * metadata elsewhere.
 *
 * @param ProfileContext $context
 *
 * @return void
 *
 * @throws LightSamlValidationException when the URL is not in the SP's metadata
 */
protected function doExecute(ProfileContext $context)
{
    $authnRequest = MessageContextHelper::asAuthnRequest($context->getInboundContext());
    $requestedAcsUrl = $authnRequest->getAssertionConsumerServiceURL();

    if (!$requestedAcsUrl) {
        return;
    }

    $spDescriptor = $context->getPartyEntityDescriptor();
    $spEntityId = $spDescriptor->getEntityID();

    foreach ($spDescriptor->getAllSpSsoDescriptors() as $spSsoDescriptor) {
        if (!$spSsoDescriptor->getAllAssertionConsumerServicesByUrl($requestedAcsUrl)) {
            continue;
        }

        $this->logger->debug(
            sprintf('AuthnRequest has assertion consumer url "%s" that belongs to entity "%s"', $requestedAcsUrl, $spEntityId),
            LogHelper::getActionContext($context, $this)
        );

        return;
    }

    $error = sprintf("Invalid ACS Url '%s' for '%s' entity", $requestedAcsUrl, $spEntityId);
    $this->logger->emergency($error, LogHelper::getActionErrorContext($context, $this));
    throw new LightSamlValidationException($error);
}
/**
 * Runs each configured assertion-building action in its own AssertionContext
 * ("assertion_<index>") and attaches the result to the outbound Response:
 * an encrypted assertion is preferred over a plain one when both are present,
 * and an action that produced neither is only logged as a warning.
 *
 * @param ProfileContext $context
 *
 * @return void
 */
protected function doExecute(ProfileContext $context)
{
    $response = MessageContextHelper::asResponse($context->getOutboundContext());

    foreach ($this->assertionActions as $index => $assertionAction) {
        $subContextName = sprintf('assertion_%s', $index);

        /** @var AssertionContext $assertionContext */
        $assertionContext = $context->getSubContext($subContextName, AssertionContext::class);
        $assertionContext->setId($index);

        $assertionAction->execute($assertionContext);

        $encrypted = $assertionContext->getEncryptedAssertion();
        $plain = $assertionContext->getAssertion();

        if ($encrypted) {
            $response->addEncryptedAssertion($encrypted);
        } elseif ($plain) {
            $response->addAssertion($plain);
        } else {
            $this->logger->warning('No assertion was built', LogHelper::getActionContext($context, $this));
        }
    }
}
/**
 * Builds the HTTP-POST binding response for the message in the context: the
 * message is serialized to XML, base64-encoded into the SAMLRequest or
 * SAMLResponse form field (plus RelayState when set) and wrapped in a
 * SamlPostResponse that auto-posts to the destination.
 *
 * The message's own Destination wins over the $destination argument; the
 * argument is only a fallback. The serialized XML (pre-encoding) is handed to
 * dispatchSend() first, presumably for event listeners / logging.
 *
 * Note that any signature must already be on the message; this binding does
 * not sign. Escaping of the form values is left to SamlPostResponse::renderContent().
 *
 * @param MessageContext $context
 * @param null|string    $destination fallback when the message has no Destination
 *
 * @return SamlPostResponse
 */
public function send(MessageContext $context, $destination = null)
{
    $samlMessage = MessageContextHelper::asSamlMessage($context);

    $target = $samlMessage->getDestination();
    if (!$target) {
        $target = $destination;
    }

    $serializationContext = $context->getSerializationContext();
    $document = $serializationContext->getDocument();
    $samlMessage->serialize($document, $serializationContext);

    $xml = $document->saveXML();
    $this->dispatchSend($xml);

    $fieldName = $samlMessage instanceof AbstractRequest ? 'SAMLRequest' : 'SAMLResponse';
    $formFields = array($fieldName => base64_encode($xml));

    $relayState = $samlMessage->getRelayState();
    if ($relayState) {
        $formFields['RelayState'] = $relayState;
    }

    $postResponse = new SamlPostResponse($target, $formFields);
    $postResponse->renderContent();

    return $postResponse;
}
/**
 * Validates the Issuer of the inbound message: it must exist, its Format (when
 * set, and when a value is set) must equal the configured allowed format, and
 * it must pass the injected NameID validator. Validation failures are wrapped
 * as LightSamlContextException.
 *
 * @param ProfileContext $context
 *
 * @return void
 *
 * @throws LightSamlContextException on missing Issuer, wrong Format, or NameID validation failure
 */
protected function doExecute(ProfileContext $context)
{
    $inboundMessage = MessageContextHelper::asSamlMessage($context->getInboundContext());
    $issuer = $inboundMessage->getIssuer();

    if (!$issuer) {
        $error = 'Inbound message must have Issuer element';
        $this->logger->emergency($error, LogHelper::getActionErrorContext($context, $this));
        throw new LightSamlContextException($context, $error);
    }

    $formatIsRestricted = $this->allowedFormat && $issuer->getValue() && $issuer->getFormat();
    if ($formatIsRestricted && $issuer->getFormat() != $this->allowedFormat) {
        $error = sprintf(
            "Response Issuer Format if set must have value '%s' but it was '%s'",
            $this->allowedFormat,
            $issuer->getFormat()
        );
        $this->logger->emergency($error, LogHelper::getActionErrorContext($context, $this));
        throw new LightSamlContextException($context, $error);
    }

    try {
        $this->nameIdValidator->validateNameId($issuer);
    } catch (LightSamlValidationException $ex) {
        throw new LightSamlContextException($context, $ex->getMessage(), 0, $ex);
    }
}
/**
 * Accepts the inbound status response only when its Status is Success.
 *
 * A missing Status is a context error; any non-success Status raises a
 * LightSamlAuthenticationException whose message carries the top-level status
 * code, the status message and the nested (second-level) status code if any.
 *
 * @param ProfileContext $context
 *
 * @return void
 *
 * @throws LightSamlContextException        when the response has no Status
 * @throws LightSamlAuthenticationException when the Status is not Success
 */
protected function doExecute(ProfileContext $context)
{
    $statusResponse = MessageContextHelper::asStatusResponse($context->getInboundContext());
    $status = $statusResponse->getStatus();

    if (null == $status) {
        $error = 'Status response does not have Status set';
        $this->logger->error($error, LogHelper::getActionErrorContext($context, $this));
        throw new LightSamlContextException($context, $error);
    }

    if ($status->isSuccess()) {
        return;
    }

    $statusCode = $status->getStatusCode();
    $details = $statusCode->getValue() . "\n" . $status->getStatusMessage();

    $nestedStatusCode = $statusCode->getStatusCode();
    if ($nestedStatusCode) {
        $details .= "\n" . $nestedStatusCode->getValue();
    }

    $error = 'Unsuccessful SAML response: ' . $details;
    $this->logger->error($error, LogHelper::getActionErrorContext($context, $this, ['status' => $details]));
    throw new LightSamlAuthenticationException($statusResponse, $error);
}
/**
 * Correlates the inbound status response with the stored RequestState named by
 * its InResponseTo, checks that the response Issuer is the party the original
 * request was sent to, and attaches the RequestState to the inbound context.
 *
 * Unsolicited responses (no InResponseTo) are passed through untouched. An
 * unknown InResponseTo is rejected, which stops replayed or fabricated
 * responses; an Issuer mismatch is rejected so that party A cannot answer a
 * request that was addressed to party B.
 *
 * @param ProfileContext $context
 *
 * @return void
 *
 * @throws LightSamlContextException for an unknown InResponseTo or an Issuer mismatch
 */
protected function doExecute(ProfileContext $context)
{
    $statusResponse = MessageContextHelper::asStatusResponse($context->getInboundContext());
    $inResponseTo = $statusResponse->getInResponseTo();

    if (!$inResponseTo) {
        return;
    }

    $requestState = $this->requestStore->get($inResponseTo);
    if (!$requestState) {
        $error = sprintf("Unknown InResponseTo '%s'", $inResponseTo);
        $this->logger->critical(
            $error,
            LogHelper::getActionErrorContext($context, $this, array('in_response_to' => $inResponseTo))
        );
        throw new LightSamlContextException($context, $error);
    }

    $sentToParty = $requestState->getParameters()->get(RequestStateParameters::PARTY);
    $issuer = $statusResponse->getIssuer();

    if ($sentToParty && $issuer && $issuer->getValue() != $sentToParty) {
        $error = sprintf(
            'AuthnRequest with id "%s" sent to party "%s" but StatusResponse for that request issued by party "%s"',
            $inResponseTo,
            $sentToParty,
            $issuer->getValue()
        );
        $this->logger->critical(
            $error,
            LogHelper::getActionErrorContext($context, $this, array(
                'sent_to' => $sentToParty,
                'received_from' => $issuer->getValue(),
            ))
        );
        throw new LightSamlContextException($context, $error);
    }

    /** @var RequestStateContext $requestStateContext */
    $requestStateContext = $context->getInboundContext()
        ->getSubContext(ProfileContexts::REQUEST_STATE, RequestStateContext::class);
    $requestStateContext->setRequestState($requestState);
}
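/**
 * Validates the XML signature of the inbound message against the signing
 * credentials published in the Issuer's metadata (SP metadata when this party
 * is the IdP, IdP metadata otherwise).
 *
 * An unsigned message is let through here; whether a signature is required is
 * decided by other actions. A signature that is not an AbstractSignatureReader
 * is a model error.
 *
 * Fix: the Issuer is now checked before it is dereferenced. Previously a signed
 * message without an Issuer element crashed with a PHP "member function on null"
 * error instead of a SAML context exception.
 *
 * NOTE(review): when the validator returns no credential the message is only
 * logged as "Signature verification was not performed" at WARNING level and
 * processing continues; whether the validator throws on a bad signature (vs.
 * returning null when no key is found) is not visible here and should be
 * confirmed, since a null here must never mean "signature invalid".
 *
 * @param ProfileContext $context
 *
 * @return void
 *
 * @throws LightSamlContextException when a signed message has no Issuer
 * @throws LightSamlModelException   when the signature is not an AbstractSignatureReader
 */
protected function doExecute(ProfileContext $context)
{
    $inboundMessage = MessageContextHelper::asSamlMessage($context->getInboundContext());
    $signature = $inboundMessage->getSignature();

    if (null === $signature) {
        $this->logger->debug('Message is not signed', LogHelper::getActionContext($context, $this));

        return;
    }

    if (!$signature instanceof AbstractSignatureReader) {
        $error = 'Expected AbstractSignatureReader';
        $this->logger->critical($error, LogHelper::getActionErrorContext($context, $this));
        throw new LightSamlModelException($error);
    }

    $issuer = $inboundMessage->getIssuer();
    if (null === $issuer) {
        $error = 'Signed inbound message must have Issuer element';
        $this->logger->critical($error, LogHelper::getActionErrorContext($context, $this));
        throw new LightSamlContextException($context, $error);
    }

    // The signer's keys come from the *other* role's metadata.
    $metadataType = ProfileContext::ROLE_IDP === $context->getOwnRole()
        ? MetadataCriteria::TYPE_SP
        : MetadataCriteria::TYPE_IDP;

    $credential = $this->signatureValidator->validate($signature, $issuer->getValue(), $metadataType);

    if ($credential) {
        $this->logger->debug(
            sprintf('Message signature validated with key "%s"', implode(', ', $credential->getKeyNames())),
            LogHelper::getActionContext($context, $this, array('credential' => $credential))
        );
    } else {
        $this->logger->warning('Signature verification was not performed', LogHelper::getActionContext($context, $this));
    }
}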
/**
 * Sets the configured SAML version on the outbound message.
 *
 * @param ProfileContext $context
 *
 * @return void
 */
protected function doExecute(ProfileContext $context)
{
    $outboundMessage = MessageContextHelper::asSamlMessage($context->getOutboundContext());
    $outboundMessage->setVersion($this->version);

    $this->logger->debug(
        sprintf('Message Version set to "%s"', $this->version),
        LogHelper::getActionContext($context, $this)
    );
}
/**
 * asSamlMessage() must hand back the exact message instance stored on the context.
 */
public function test__as_saml_message_returns_message()
{
    $expectedMessage = $this->getMessageMock();

    $context = new MessageContext();
    $context->setMessage($expectedMessage);

    $actualMessage = MessageContextHelper::asSamlMessage($context);

    $this->assertSame($expectedMessage, $actualMessage);
}
/**
 * Stamps the outbound message's IssueInstant with the current time from the
 * injected time provider (kept injectable so tests can freeze the clock).
 *
 * @param ProfileContext $context
 *
 * @return void
 */
protected function doExecute(ProfileContext $context)
{
    $outboundMessage = MessageContextHelper::asSamlMessage($context->getOutboundContext());
    $outboundMessage->setIssueInstant($this->timeProvider->getTimestamp());

    $this->logger->info(
        sprintf('Message IssueInstant set to "%s"', $outboundMessage->getIssueInstantString()),
        LogHelper::getActionContext($context, $this)
    );
}
/**
 * Sets NotOnOrAfter on the outbound LogoutRequest to "now + configured skew",
 * bounding how long the request stays valid for the receiving party.
 *
 * @param ProfileContext $context
 *
 * @return void
 */
protected function doExecute(ProfileContext $context)
{
    $expiresAt = $this->timeProvider->getTimestamp() + $this->secondsSkew;

    MessageContextHelper::asLogoutRequest($context->getOutboundContext())->setNotOnOrAfter($expiresAt);
}
/**
 * Sets the outbound message's Destination to the location of the endpoint
 * chosen on the profile context.
 *
 * @param ProfileContext $context
 *
 * @return void
 */
protected function doExecute(ProfileContext $context)
{
    $location = $context->getEndpoint()->getLocation();

    MessageContextHelper::asSamlMessage($context->getOutboundContext())->setDestination($location);

    $this->logger->debug(
        sprintf('Destination set to "%s"', $location),
        LogHelper::getActionContext($context, $this)
    );
}
/**
 * Hands all assertions of the inbound Response to the session processor,
 * together with own and party entity IDs, so SSO session state can be created.
 *
 * This action only forwards; the assertions are expected to have been
 * validated by earlier actions in the profile.
 *
 * @param ProfileContext $context
 *
 * @return void
 */
protected function doExecute(ProfileContext $context)
{
    $response = MessageContextHelper::asResponse($context->getInboundContext());
    $ownEntityId = $context->getOwnEntityDescriptor()->getEntityID();
    $partyEntityId = $context->getPartyEntityDescriptor()->getEntityID();

    $this->sessionProcessor->processAssertions($response->getAllAssertions(), $ownEntityId, $partyEntityId);
}
/**
 * Sets the Status of the outbound status response to the configured status code.
 *
 * The same code string is passed as the second Status constructor argument
 * (presumably the status message); confirm that this is intended rather than
 * a placeholder.
 *
 * @param ProfileContext $context
 *
 * @return void
 */
protected function doExecute(ProfileContext $context)
{
    $code = $this->statusCode;
    $status = new Status(new StatusCode($code), $code);

    MessageContextHelper::asStatusResponse($context->getOutboundContext())->setStatus($status);
}
/**
 * Builds the HTTP-Redirect binding URL for the message in the context: the
 * encoded message, the RelayState, and the signature are appended as query
 * parameters, and the result is resolved against the destination.
 *
 * In the Redirect binding the signature is computed over the query string, not
 * embedded in the XML, so a signature on the message must be a SignatureWriter
 * (a reader parsed from inbound XML cannot be re-applied).
 *
 * @param MessageContext $context
 * @param string|null    $destination fallback destination for the URL
 *
 * @return string
 *
 * @throws LightSamlBindingException when the message signature is not a SignatureWriter
 */
protected function getRedirectURL(MessageContext $context, $destination)
{
    $samlMessage = MessageContextHelper::asSamlMessage($context);
    $signature = $samlMessage->getSignature();

    if ($signature && !$signature instanceof SignatureWriter) {
        throw new LightSamlBindingException('Signature must be SignatureWriter');
    }

    $encodedXml = $this->getMessageEncodedXml($samlMessage, $context);
    $urlParts = $this->addMessageToUrl($samlMessage, $encodedXml);
    $this->addRelayStateToUrl($urlParts, $samlMessage);
    $this->addSignatureToUrl($urlParts, $signature);

    return $this->getDestinationUrl($urlParts, $samlMessage, $destination);
}