diff --git a/lib/Disco.php b/lib/Disco.php
index 94ef9c81b2aeb930ae568fb6cecc48de257487ce..f716529dc0b6d569d6cf2cc8acf3330ab6f02822 100644
--- a/lib/Disco.php
+++ b/lib/Disco.php
@@ -19,9 +19,9 @@ use SimpleSAML\Utils\HTTP;
  *
  * This module extends the DiscoPower IdP disco handler, so it needs to be avaliable and enabled and configured.
  *
- * It adds functionality of greylisting IdPs per SP. for security reasons for blacklisting please manipulate
- * directly with metadata. In case of manual idps comment them out or in case of automated metadata fetching configure
- * blacklist in config-metarefresh.php
+ * Supports hiding IdPs from discovery per SP.
+ * If you want to block IdPs, please modify metadata directly.
+ * Either remove individual IdPs from metadata or configure metarefresh to skip them in config-metarefresh.php.
  */
 class Disco extends PowerIdPDisco
 {
@@ -107,8 +107,11 @@ class Disco extends PowerIdPDisco
     public const METADATA_ADD_INSTITUTION_APP = 'disco.addInstitutionApp';
+    /** @deprecated */
     public const SP_GREYLIST = 'greylist';
+    public const SP_HIDE_FROM_DISCOVERY = 'hide_from_discovery';
+
     public const IDP_ENTITY_ID = 'entityid';
     public const SP_ENTITY_ID = 'entityid';
@@ -658,11 +661,20 @@ class Disco extends PowerIdPDisco
     protected static function scoping(array $list, array $scopedIDPList): array
     {
         if (!empty($scopedIDPList)) {
-            foreach ($list as $entityId => $idp) {
-                if (!in_array($entityId, $scopedIDPList, true)) {
-                    unset($list[$entityId]);
-                }
+            if (isset($sp[self::SP_HIDE_FROM_DISCOVERY])) {
+                $hideFromDiscovery = $sp[self::SP_HIDE_FROM_DISCOVERY];
+            } elseif (isset($sp[self::SP_GREYLIST])) {
+                Logger::warning(sprintf(
+                    'perun:Disco: You are using a deprecated option %s in your SP metadata. Please rename it to %s.',
+                    self::SP_GREYLIST,
+                    self::SP_HIDE_FROM_DISCOVERY
+                ));
+                $hideFromDiscovery = $sp[self::SP_GREYLIST];
+            } else {
+                return $list;
             }
+
+            return array_diff_key($list, array_flip($hideFromDiscovery));
         }
         return $list;
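Review bot: The `@deprecated` tag added above SP_GREYLIST does not name its replacement, so tooling and readers cannot tell what to migrate to; `/** @deprecated use self::SP_HIDE_FROM_DISCOVERY instead */` makes it actionable. The new SP_HIDE_FROM_DISCOVERY constant should carry a one-line doc stating that the option is a list of IdP entity IDs that are only removed from the discovery list (it is consumed via `array_diff_key` on the entityId-keyed list in the scoping hunk) and is not an access control, which is what the rewritten class docblock in the first hunk is telling operators.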
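Review bot: `$sp` is not defined anywhere in `scoping(array $list, array $scopedIDPList)`, and `isset()` on an undefined variable is silently false, so after this change both branches are skipped and the function always returns `$list` untouched — the hide-from-discovery option is never applied, and the previous filtering of the list down to `$scopedIDPList` (the removed `foreach`/`in_array` loop) is gone as well, with `$scopedIDPList` now only used in the emptiness guard. Dropping the scoped-IdP filter is a behaviour regression independent of the new option, and it looks like the hide-from-discovery logic was meant for a method that receives the SP metadata rather than for `scoping()`; I would restore the original loop and move the new code into a separate helper that takes `array $sp` explicitly, applied outside the `!empty($scopedIDPList)` guard so hiding also works for unscoped requests (where that helper is called depends on code outside this hunk). `array_flip()` also throws a TypeError if the metadata value is a scalar rather than a list, so the option should be validated or cast with `(array)` before flipping. The closing brace of `scoping()` is outside the hunk.
```php
    protected static function scoping(array $list, array $scopedIDPList): array
    {
        if (!empty($scopedIDPList)) {
            foreach ($list as $entityId => $idp) {
                if (!in_array($entityId, $scopedIDPList, true)) {
                    unset($list[$entityId]);
                }
            }
        }

        return $list;
    }

    /**
     * Removes IdPs the SP asked to hide from the discovery list. This is a UI convenience, not an access control.
     *
     * @param array $list entityId-keyed IdP metadata list
     * @param array $sp   SP metadata, read for SP_HIDE_FROM_DISCOVERY (or the deprecated SP_GREYLIST)
     */
    protected static function hideFromDiscovery(array $list, array $sp): array
    {
        if (isset($sp[self::SP_HIDE_FROM_DISCOVERY])) {
            $hideFromDiscovery = $sp[self::SP_HIDE_FROM_DISCOVERY];
        } elseif (isset($sp[self::SP_GREYLIST])) {
            // … unchanged: Logger::warning(...) deprecation message from the hunk …
            $hideFromDiscovery = $sp[self::SP_GREYLIST];
        } else {
            return $list;
        }

        // array_flip() requires an array; a scalar in metadata would otherwise throw a TypeError.
        return array_diff_key($list, array_flip((array) $hideFromDiscovery));
    }
```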