namespaced classes
szabogyula committed Mar 21, 2019
1 parent 611f5f4 commit 17b448e
Showing 2 changed files with 43 additions and 40 deletions.
3 changes: 3 additions & 0 deletions composer.json
Expand Up @@ -4,5 +4,8 @@
"type": "simplesamlphp-module",
"require": {
"simplesamlphp/composer-module-installer": "~1.0"
},
"require-dev": {
"simplesamlphp/saml2": "3.1.*"
}
}
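Review bot: `simplesamlphp/saml2` is declared only under `require-dev`, while lib/AA/SAML2.php in the same commit instantiates `SAML2\Assertion`, `SAML2\Response` and `SAML2\XML\saml\*` at runtime. Presumably the library is expected to arrive transitively through the SimpleSAMLphp core that loads this module, but nothing on the page states that, so the `3.1.*` pin reads as a test-only choice rather than the version the runtime code was written against. A one-line comment is not possible in composer.json, so the intent is best recorded in the commit message or README, or by moving the constraint to `require` if the module is meant to be installable on its own.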
80 changes: 40 additions & 40 deletions lib/AA/SAML2.php
Expand Up @@ -22,7 +22,7 @@ class sspmod_aa_AA_SAML2

public function __construct($metadata)
{
$this->config = SimpleSAML_Configuration::getConfig('module_aa.php');
$this->config = SimpleSAML\Configuration::getConfig('module_aa.php');

$this->signAssertion = false;
if ($this->config->hasValue('signAssertion')) {
Expand All @@ -43,12 +43,12 @@ public function __construct($metadata)
public function getBinding()
{
/* Receiving the attribute query */
$binding = SAML2_Binding::getCurrentBinding();
SimpleSAML_Logger::debug('[aa] binding: '.var_export($binding, true));
$binding = SAML2\Binding::getCurrentBinding();
SimpleSAML\Logger::debug('[aa] binding: '.var_export($binding, true));

/* Supported binding is SOAP */
if (!($binding instanceof SAML2_SOAP || $binding instanceof SAML2\SOAP)) {
throw new SimpleSAML_Error_BadRequest('[aa] Unsupported binding. It must be SAML2_SOAP.');
if (!($binding instanceof SAML2\SOAP)) {
throw new SimpleSAML\Error\BadRequest('[aa] Unsupported binding. It must be SAML2\SOAP.');
}

return $binding;
Expand All @@ -57,10 +57,10 @@ public function getBinding()
private function getQuery()
{
$query = $this->binding->receive();
SimpleSAML_Logger::debug('[aa] query: '.var_export($query, true));
SimpleSAML\Logger::debug('[aa] query: '.var_export($query, true));

if (!($query instanceof SAML2_AttributeQuery || $query instanceof SAML2\AttributeQuery)) {
throw new SimpleSAML_Error_BadRequest('Invalid message received on AttributeQuery endpoint.');
if (!($query instanceof SAML2\AttributeQuery)) {
throw new SimpleSAML\Error\BadRequest('Invalid message received on AttributeQuery endpoint.');
}

return $query;
Expand All @@ -74,7 +74,7 @@ private function getEntities($metadata)

$spEntityId = $this->query->getIssuer();
if ($spEntityId === null) {
throw new SimpleSAML_Error_BadRequest('Missing <saml:Issuer> in <samlp:AttributeQuery>.');
throw new SimpleSAML\Error\BadRequest('Missing <saml:Issuer> in <samlp:AttributeQuery>.');
}
$spMetadata = $metadata->getMetaDataConfig($spEntityId, 'saml20-sp-remote');

Expand All @@ -87,8 +87,7 @@ private function getEntities($metadata)
private function getAttributeNameFormat()
{
/* The name format of the attributes. */
//$attributeNameFormat = SAML2_Const::NAMEFORMAT_URI;
$attributeNameFormat = 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri';
$attributeNameFormat = SAML2\Constants::NAMEFORMAT_URI;
if ($this->config->hasValue('attributeNameFormat')) {
$attributeNameFormat = $this->config->getValue('attributeNameFormat');
}
Expand Down Expand Up @@ -123,60 +122,60 @@ private function authenticate()

/* Authenticate the requestor by verifying the TLS certificate used for the HTTP query */
if (array_key_exists('SSL_CLIENT_VERIFY', $_SERVER)) {
SimpleSAML_Logger::debug('[aa] Request was made using the following certificate: '.var_export($_SERVER['SSL_CLIENT_VERIFY'], 1));
SimpleSAML\Logger::debug('[aa] Request was made using the following certificate: '.var_export($_SERVER['SSL_CLIENT_VERIFY'], 1));
}
if (array_key_exists('SSL_CLIENT_VERIFY', $_SERVER) && $_SERVER['SSL_CLIENT_VERIFY'] && $_SERVER['SSL_CLIENT_VERIFY'] != 'NONE') {
/* compare certificate fingerprints */
$clientCertData = trim(preg_replace('/--.* CERTIFICATE-+-/', '', $_SERVER['SSL_CLIENT_CERT']));
$clientCertFingerprint = strtolower(sha1(base64_decode($clientCertData)));
if (!$clientCertFingerprint) {
throw new SimpleSAML_Error_Exception('[aa] Can not calculate certificate fingerprint from the request.');
throw new SimpleSAML\Error\Exception('[aa] Can not calculate certificate fingerprint from the request.');
}

$spCertArray = SimpleSAML_Utilities::loadPublicKey($this->spMetadata);
$spCertArray = SimpleSAML\Utils\Crypto::loadPublicKey($this->spMetadata);
if (!$spCertArray) {
throw new SimpleSAML_Error_Exception('[aa] Can not find the public key of the requestor in the metadata!');
throw new SimpleSAML\Error\Exception('[aa] Can not find the public key of the requestor in the metadata!');
}

foreach ($spCertArray['certFingerprint'] as $fingerprint) {
if ($fingerprint && $clientCertFingerprint == $fingerprint) {
$client_is_authenticated = true;
SimpleSAML_Logger::debug('[aa] SSL certificate is checked and valid.');
SimpleSAML\Logger::debug('[aa] SSL certificate is checked and valid.');
break;
}
}
/* Reject the request if the TLS certificate used for the request does not match metadata */
if (!$client_is_authenticated) {
throw new SimpleSAML_Error_Exception('[aa] SSL certificate check failed.');
throw new SimpleSAML\Error\Exception('[aa] SSL certificate check failed.');
}
} else {
/* The request may be signed, so this is not fatal */
SimpleSAML_Logger::debug('[aa] SSL client certificate does not exist.');
SimpleSAML\Logger::debug('[aa] SSL client certificate does not exist.');
}

/* Authenticate the requestor by verifying the XML signature on the query */
$certs_of_query = $this->query->getCertificates();
if (count($certs_of_query) > 0) {
if (sspmod_saml_Message::checkSign($this->spMetadata, $this->query)) {
$client_is_authenticated = true;
SimpleSAML_Logger::debug('[aa] AttributeQuery signature is checked and valid.');
SimpleSAML\Logger::debug('[aa] AttributeQuery signature is checked and valid.');
} else {
/* An invalid or unverifiable signature is fatal */
throw new SimpleSAML_Error_Exception('[aa] The signature of the AttributeQuery is wrong!');
throw new SimpleSAML\Error\Exception('[aa] The signature of the AttributeQuery is wrong!');
}
} else {
/* The request may be protected by HTTP TLS (X.509) authentication, so this is not fatal */
SimpleSAML_Logger::debug('[aa] AttributeQuery has no signature.');
SimpleSAML\Logger::debug('[aa] AttributeQuery has no signature.');
}

if (!$client_is_authenticated) {
SimpleSAML_Logger::info('[aa] Attribute query was not authenticated. Drop.');
SimpleSAML\Logger::info('[aa] Attribute query was not authenticated. Drop.');
header('HTTP/1.1 401 Unauthorized');
header('WWW-Authenticate: None', false);
echo 'Not authenticated. Neither query signature nor SSL client certificate was available.';
exit;
} else {
SimpleSAML_Logger::debug('[aa] Attribute query was authenticated.');
SimpleSAML\Logger::debug('[aa] Attribute query was authenticated.');
}
}

Expand All @@ -185,13 +184,14 @@ private function getAttributes()
$nameId = $this->query->getNameId();

if (!$nameId) {
throw new SimpleSAML_Error_BadRequest('[aa] Error getting NameID from AttributeQuery.');
throw new SimpleSAML\Error\BadRequest('[aa] Error getting NameID from AttributeQuery.');
}
if (array_key_exists('Format', $nameId)) {
$nameIdFormat = $nameId['Format'];
if ($nameId->getFormat()) {
$nameIdFormat = $nameId->getFormat();
}
$nameIdValue = $nameId->getValue();

SimpleSAML_Logger::info('[aa] Received attribute query for '.$nameId['Value'].' (nameIdFormat: '.$nameIdFormat.')');
SimpleSAML\Logger::info('[aa] Received attribute query for '.$nameIdValue.' (nameIdFormat: '.$nameIdFormat.')');

/* Get the attributes from the AuthSource */
$spMetadataArray = $this->spMetadata->toArray();
Expand All @@ -201,11 +201,11 @@ private function getAttributes()
'Attributes' => $attributes,
'Destination' => $spMetadataArray,
'Source' => $aaMetadataArray,
'aa:nameId' => $nameId['Value'],
'aa:nameId' => $nameIdValue,
'aa:nameIdFormat' => $nameIdFormat,
);

$as = SimpleSAML_Auth_Source::getById($this->config->getValue('authsource'));
$as = SimpleSAML\Auth\Source::getById($this->config->getValue('authsource'));
$as->authenticate($state);

$attributes = $state['Attributes'];
Expand All @@ -217,7 +217,7 @@ private function processFilters(&$attributes)
{
$spMetadataArray = $this->spMetadata->toArray();
$aaMetadataArray = $this->aaMetadata->toArray();
$pc = new SimpleSAML_Auth_ProcessingChain($aaMetadataArray, $spMetadataArray, 'aa');
$pc = new SimpleSAML\Auth\ProcessingChain($aaMetadataArray, $spMetadataArray, 'aa');
$authProcState = array(
'Attributes' => $attributes,
'Destination' => $spMetadataArray,
Expand All @@ -231,19 +231,19 @@ private function filterFromRequest(&$attributes)
{
$requestedAttributes = $this->query->getAttributes();
if (count($requestedAttributes) === 0) {
SimpleSAML_Logger::debug(
SimpleSAML\Logger::debug(
'[aa] No attributes requested - return all previously resolved attributes: '.var_export($attributes, true)
);
} elseif ($this->query->getAttributeNameFormat() !== $this->attributeNameFormat) {
SimpleSAML_Logger::debug(
SimpleSAML\Logger::debug(
'[aa] NameFormat mismatch - no attributes returned. Expected: '.$this->attributeNameFormat.' Requested: '.$this->query->getAttributeNameFormat()
);
$attributes = array();
} else {
foreach ($attributes as $name => $values) {
if (!array_key_exists($name, $requestedAttributes)) {
/* They didn't request this attribute. */
SimpleSAML_Logger::debug('[aa] Remove attribute because it was not requested: '.$name);
SimpleSAML\Logger::debug('[aa] Remove attribute because it was not requested: '.$name);
unset($attributes[$name]);
continue;
}
Expand All @@ -262,14 +262,14 @@ private function filterFromRequest(&$attributes)
private function buildResponse($returnAttributes)
{
/* SubjectConfirmation */
$sc = new SAML2_XML_saml_SubjectConfirmation();
$sc->Method = SAML2_Const::CM_BEARER;
$sc->SubjectConfirmationData = new SAML2_XML_saml_SubjectConfirmationData();
$sc = new SAML2\XML\saml\SubjectConfirmation();
$sc->Method = SAML2\Constants::CM_BEARER;
$sc->SubjectConfirmationData = new SAML2\XML\saml\SubjectConfirmationData();
$sc->SubjectConfirmationData->NotBefore = time();
$sc->SubjectConfirmationData->NotOnOrAfter = time() + $this->config->getInteger('validFor');
$sc->SubjectConfirmationData->InResponseTo = $this->query->getId();

$assertion = new SAML2_Assertion();
$assertion = new SAML2\Assertion();
$assertion->setSubjectConfirmation(array($sc));
$assertion->setIssuer($this->aaEntityId);
$assertion->setNameId($this->query->getNameId());
Expand All @@ -283,7 +283,7 @@ private function buildResponse($returnAttributes)
}

/* The Response */
$response = new SAML2_Response();
$response = new SAML2\Response();
$response->setRelayState($this->query->getRelayState());
$response->setIssuer($this->aaEntityId);
$response->setInResponseTo($this->query->getId());
Expand All @@ -297,8 +297,8 @@ private function buildResponse($returnAttributes)

private function sendResponse($response)
{
SimpleSAML_Logger::debug('[aa] Sending: '.var_export($response, true));
SimpleSAML_Logger::info('[aa] Sending assertion.');
SimpleSAML\Logger::debug('[aa] Sending: '.var_export($response, true));
SimpleSAML\Logger::info('[aa] Sending assertion.');
$this->binding->send($response);
}
}
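Review bot: The fingerprint comparison in authenticate() (`$clientCertFingerprint == $fingerprint`) uses loose `==`, which PHP evaluates numerically when both hex strings happen to look numeric, so two different SHA-1 values can compare equal; use `hash_equals($fingerprint, $clientCertFingerprint)` (or at least `===`) and lower-case the metadata side as the client side already is, if `Crypto::loadPublicKey()` does not already do so. The guard `if (!$clientCertFingerprint)` just above can never fire, because `sha1()` always returns a 40-character string even when `base64_decode()` returns false; check the decode result instead, e.g. `$der = base64_decode($clientCertData, true); if ($der === false) { throw new SimpleSAML\Error\Exception('[aa] Can not calculate certificate fingerprint from the request.'); }`. In the getAttributes() hunk, `$nameIdFormat` is assigned only when `$nameId->getFormat()` is truthy and is otherwise read undefined at the info log line and in the `'aa:nameIdFormat'` state entry, unless it is initialised above the hunk; `$nameIdFormat = $nameId->getFormat();` without the condition preserves the old null case explicitly. Both authenticate() and getAttributes() begin outside their hunks.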
