Skip to content
Snippets Groups Projects
Code owners
Assign users and groups as approvers for specific file changes. Learn more.
Simple.php 12.71 KiB
<?php

namespace SimpleSAML\Auth;

use \SimpleSAML\Configuration;
use \SimpleSAML\Error;
use \SimpleSAML\Module;
use \SimpleSAML\Session;
use \SimpleSAML\Utils;

/**
 * Helper class for simple authentication applications.
 *
 * @package SimpleSAMLphp
 */

class Simple
{
    /**
     * The id of the authentication source we are accessing.
     *
     * @var string
     */
    protected $authSource;

    /** @var \SimpleSAML\Configuration|null */
    protected $app_config;

    /** @var \SimpleSAML\Session */
    protected $session;


    /**
     * Create an instance with the specified authsource.
     *
     * @param string $authSource The id of the authentication source.
     * @param \SimpleSAML\Configuration|null $config Optional configuration to use.
     * @param \SimpleSAML\Session|null $session Optional session to use.
     */
    public function __construct($authSource, Configuration $config = null, Session $session = null)
    {
        assert(is_string($authSource));

        if ($config === null) {
            $config = Configuration::getInstance();
        }
        $this->authSource = $authSource;
        $this->app_config = $config->getConfigItem('application', null);

        if ($session === null) {
            $session = Session::getSessionFromRequest();
        }
        $this->session = $session;
    }


    /**
     * Retrieve the implementing authentication source.
     *
     * @return Source The authentication source.
     *
     * @throws AuthSourceError If the requested auth source is unknown.
     */
    public function getAuthSource()
    {
        $as = Source::getById($this->authSource);
        if ($as === null) {
            throw new Error\AuthSource($this->authSource, 'Unknown authentication source.');
        }
        return $as;
    }


    /**
     * Check if the user is authenticated.
     *
     * This function checks if the user is authenticated with the default authentication source selected by the
     * 'default-authsource' option in 'config.php'.
     *
     * @return bool True if the user is authenticated, false if not.
     */
    public function isAuthenticated()
    {
        return $this->session->isValid($this->authSource);
    }


    /**
     * Require the user to be authenticated.
     *
     * If the user is authenticated, this function returns immediately.
     *
     * If the user isn't authenticated, this function will authenticate the user with the authentication source, and
     * then return the user to the current page.
     *
     * This function accepts an array $params, which controls some parts of the authentication. See the login()
     * method for a description.
     *
     * @param array $params Various options to the authentication request. See the documentation.
     * @return void
     */
    public function requireAuth(array $params = [])
    {
        if ($this->session->isValid($this->authSource)) {
            // Already authenticated
            return;
        }

        $this->login($params);
    }


    /**
     * Start an authentication process.
     *
     * This function accepts an array $params, which controls some parts of the authentication. The accepted parameters
     * depends on the authentication source being used. Some parameters are generic:
     *  - 'ErrorURL': A URL that should receive errors from the authentication.
     *  - 'KeepPost': If the current request is a POST request, keep the POST data until after the authentication.
     *  - 'ReturnTo': The URL the user should be returned to after authentication.
     *  - 'ReturnCallback': The function we should call after the user has finished authentication.
     *
     * Please note: this function never returns.
     *
     * @param array $params Various options to the authentication request.
     * @return void
     */
    public function login(array $params = [])
    {
        if (array_key_exists('KeepPost', $params)) {
            $keepPost = (bool) $params['KeepPost'];
        } else {
            $keepPost = true;
        }

        if (array_key_exists('ReturnTo', $params)) {
            $returnTo = (string) $params['ReturnTo'];
        } else {
            if (array_key_exists('ReturnCallback', $params)) {
                $returnTo = (array) $params['ReturnCallback'];
            } else {
                $returnTo = Utils\HTTP::getSelfURL();
            }
        }

        if (is_string($returnTo) && $keepPost && $_SERVER['REQUEST_METHOD'] === 'POST') {
            $returnTo = Utils\HTTP::getPOSTRedirectURL($returnTo, $_POST);
        }

        if (array_key_exists('ErrorURL', $params)) {
            $errorURL = (string) $params['ErrorURL'];
        } else {
            $errorURL = null;
        }


        if (!isset($params[State::RESTART]) && is_string($returnTo)) {
            /*
             * A URL to restart the authentication, in case the user bookmarks
             * something, e.g. the discovery service page.
             */
            $restartURL = $this->getLoginURL($returnTo);
            $params[State::RESTART] = $restartURL;
        }

        $as = $this->getAuthSource();
        $as->initLogin($returnTo, $errorURL, $params);
        assert(false);
    }


    /**
     * Log the user out.
     *
     * This function logs the user out. It will never return. By default, it will cause a redirect to the current page
     * after logging the user out, but a different URL can be given with the $params parameter.
     *
     * Generic parameters are:
     *  - 'ReturnTo': The URL the user should be returned to after logout.
     *  - 'ReturnCallback': The function that should be called after logout.
     *  - 'ReturnStateParam': The parameter we should return the state in when redirecting.
     *  - 'ReturnStateStage': The stage the state array should be saved with.
     *
     * @param string|array|null $params Either the URL the user should be redirected to after logging out, or an array
     * with parameters for the logout. If this parameter is null, we will return to the current page.
     * @return void
     */
    public function logout($params = null)
    {
        assert(is_array($params) || is_string($params) || $params === null);

        if ($params === null) {
            $params = Utils\HTTP::getSelfURL();
        }

        if (is_string($params)) {
            $params = [
                'ReturnTo' => $params,
            ];
        }

        assert(is_array($params));
        assert(isset($params['ReturnTo']) || isset($params['ReturnCallback']));

        if (isset($params['ReturnStateParam']) || isset($params['ReturnStateStage'])) {
            assert(isset($params['ReturnStateParam'], $params['ReturnStateStage']));
        }

        if ($this->session->isValid($this->authSource)) {
            $state = $this->session->getAuthData($this->authSource, 'LogoutState');
            if ($state !== null) {
                $params = array_merge($state, $params);
            }

            $this->session->doLogout($this->authSource);

            $params['LogoutCompletedHandler'] = [get_class(), 'logoutCompleted'];

            $as = Source::getById($this->authSource);
            if ($as !== null) {
                $as->logout($params);
            }
        }

        self::logoutCompleted($params);
    }


    /**
     * Called when logout operation completes.
     *
     * This function never returns.
     *
     * @param array $state The state after the logout.
     * @return void
     */
    public static function logoutCompleted($state)
    {
        assert(is_array($state));
        assert(isset($state['ReturnTo']) || isset($state['ReturnCallback']));

        if (isset($state['ReturnCallback'])) {
            call_user_func($state['ReturnCallback'], $state);
            assert(false);
        } else {
            $params = [];
            if (isset($state['ReturnStateParam']) || isset($state['ReturnStateStage'])) {
                assert(isset($state['ReturnStateParam'], $state['ReturnStateStage']));
                $stateID = State::saveState($state, $state['ReturnStateStage']);
                $params[$state['ReturnStateParam']] = $stateID;
            }
            Utils\HTTP::redirectTrustedURL($state['ReturnTo'], $params);
        }
    }


    /**
     * Retrieve attributes of the current user.
     *
     * This function will retrieve the attributes of the current user if the user is authenticated. If the user isn't
     * authenticated, it will return an empty array.
     *
     * @return array The users attributes.
     */
    public function getAttributes()
    {
        if (!$this->isAuthenticated()) {
            // Not authenticated
            return [];
        }

        // Authenticated
        return $this->session->getAuthData($this->authSource, 'Attributes');
    }


    /**
     * Retrieve authentication data.
     *
     * @param string $name The name of the parameter, e.g. 'Attributes', 'Expire' or 'saml:sp:IdP'.
     *
     * @return mixed|null The value of the parameter, or null if it isn't found or we are unauthenticated.
     */
    public function getAuthData($name)
    {
        assert(is_string($name));

        if (!$this->isAuthenticated()) {
            return null;
        }

        return $this->session->getAuthData($this->authSource, $name);
    }


    /**
     * Retrieve all authentication data.
     *
     * @return array|null All persistent authentication data, or null if we aren't authenticated.
     */
    public function getAuthDataArray()
    {
        if (!$this->isAuthenticated()) {
            return null;
        }

        return $this->session->getAuthState($this->authSource);
    }


    /**
     * Retrieve a URL that can be used to log the user in.
     *
     * @param string|null $returnTo The page the user should be returned to afterwards. If this parameter is null, the
     * user will be returned to the current page.
     *
     * @return string A URL which is suitable for use in link-elements.
     */
    public function getLoginURL($returnTo = null)
    {
        assert($returnTo === null || is_string($returnTo));

        if ($returnTo === null) {
            $returnTo = Utils\HTTP::getSelfURL();
        }

        $login = Module::getModuleURL('core/as_login.php', [
            'AuthId'   => $this->authSource,
            'ReturnTo' => $returnTo,
        ]);

        return $login;
    }


    /**
     * Retrieve a URL that can be used to log the user out.
     *
     * @param string|null $returnTo The page the user should be returned to afterwards. If this parameter is null, the
     * user will be returned to the current page.
     *
     * @return string A URL which is suitable for use in link-elements.
     */
    public function getLogoutURL($returnTo = null)
    {
        assert($returnTo === null || is_string($returnTo));

        if ($returnTo === null) {
            $returnTo = Utils\HTTP::getSelfURL();
        }

        $logout = Module::getModuleURL('core/as_logout.php', [
            'AuthId'   => $this->authSource,
            'ReturnTo' => $returnTo,
        ]);

        return $logout;
    }


    /**
     * Process a URL and modify it according to the application/baseURL configuration option, if present.
     *
     * @param string|null $url The URL to process, or null if we want to use the current URL. Both partial and full
     * URLs can be used as a parameter. The maximum precedence is given to the application/baseURL configuration option,
     * then the URL specified (if it specifies scheme, host and port) and finally the environment observed in the
     * server.
     *
     * @return string The URL modified according to the precedence rules.
     */
    protected function getProcessedURL($url = null)
    {
        if ($url === null) {
            $url = Utils\HTTP::getSelfURL();
        }

        $scheme = parse_url($url, PHP_URL_SCHEME);
        $host = parse_url($url, PHP_URL_HOST) ? : Utils\HTTP::getSelfHost();
        $port = parse_url($url, PHP_URL_PORT) ? : (
            $scheme ? '' : ltrim(Utils\HTTP::getServerPort(), ':')
        );
        $scheme = $scheme ? : (Utils\HTTP::getServerHTTPS() ? 'https' : 'http');
        $path = parse_url($url, PHP_URL_PATH) ? : '/';
        $query = parse_url($url, PHP_URL_QUERY) ? : '';
        $fragment = parse_url($url, PHP_URL_FRAGMENT) ? : '';

        $port = !empty($port) ? ':'.$port : '';
        if (($scheme === 'http' && $port === ':80') || ($scheme === 'https' && $port === ':443')) {
            $port = '';
        }

        if (is_null($this->app_config)) {
            // nothing more we can do here
            return $scheme.'://'.$host.$port.$path.($query ? '?'.$query : '').($fragment ? '#'.$fragment : '');
        }

        $base = rtrim($this->app_config->getString(
            'baseURL',
            $scheme.'://'.$host.$port
        ), '/');
        return $base.$path.($query ? '?'.$query : '').($fragment ? '#'.$fragment : '');
    }
}