Skip to content
Snippets Groups Projects
Select Git revision
  • master default protected
  • cesnet_simplesamlphp-1.19.8
  • elixir_simplesamlphp-1.19.8
  • simplesamlphp-1.19.8
  • cesnet_simplesamlphp-1.19.5
  • simplesamlphp-2.0
  • feature/assets
  • feature/rac-source-selector
  • cleanup/remove-base64-attributes
  • simplesamlphp-1.19
  • elixir_simplesamlphp-1.19.5
  • aarc_idp_hinting
  • feature/validate-authstate-before-processing
  • feature/build-two-tarballs
  • dependabot/composer/twig/twig-3.4.3
  • tvdijen-patch-1
  • unchanged-acs-url-no-www-script
  • feature/translation-improvements
  • symfony6
  • move_tests
  • v1.19.9
  • v2.1.3
  • v2.0.10
  • v2.1.2
  • v2.0.9
  • v2.1.1
  • v2.0.8
  • v2.1.0
  • v2.0.7
  • v2.1.0-rc1
  • v2.0.6
  • v2.0.5
  • 2.0.4-alpha.1
  • v2.0.4-alpha.1
  • v2.0.4
  • v2.0.3
  • v2.0.2
  • v2.0.1-alpha.1
  • v2.0.1
  • v1.19.8
40 results
Blame Permalink
Code owners
Assign users and groups as approvers for specific file changes. Learn more.
ExpectedAuthnContextClassRef.php 2.52 KiB 
<?php

/**
 * Attribute filter for validate AuthnContextClassRef
 *
 * 91 => array(
 *      'class' => 'saml:ExpectedAuthnContextClassRef',
 *      'accepted' => array(
 *         'urn:oasis:names:tc:SAML:2.0:post:ac:classes:nist-800-63:3',
 *         'urn:oasis:names:tc:SAML:2.0:ac:classes:Password',
 *         ),
 *       ),
 *
 * @package simpleSAMLphp
 * @version $Id$
 */
class sspmod_saml_Auth_Process_ExpectedAuthnContextClassRef extends SimpleSAML_Auth_ProcessingFilter {

	/**
	 * Array of accepted AuthnContextClassRef
	 * @var array
	 */
	private $accepted;


	/**
	 * AuthnContextClassRef of the assertion
	 * @var string
	 */
	private $AuthnContextClassRef;

	/**
	 * Initialize this filter, parse configuration
	 *
	 * @param array $config  Configuration information about this filter.
	 * @param mixed $reserved  For future use.
	 */
	public function __construct($config, $reserved) {
		parent::__construct($config, $reserved);

		assert('is_array($config)');
		if (empty($config['accepted'])){
			SimpleSAML_Logger::error('ExpectedAuthnContextClassRef: Configuration error. There is no accepted AuthnContextClassRef.');
			throw new SimpleSAML_Error_Exception('ExpectedAuthnContextClassRef: Configuration error. There is no accepted AuthnContextClassRef.');
		}
		$this->accepted = $config['accepted'];
	}


	/**
	 *
	 * @param array &$request  The current request
	 */
	public function process(&$request) {
		assert('is_array($request)');
		assert('array_key_exists("Attributes", $request)');

		$this->AuthnContextClassRef = $request['saml:sp:State']['saml:sp:AuthnContext'];

		if (! in_array($this->AuthnContextClassRef,$this->accepted)){
			$this->unauthorized($request);
		}
	}

	/**
	 * When the process logic determines that the user is not
	 * authorized for this service, then forward the user to
	 * an 403 unauthorized page.
	 *
	 * Separated this code into its own method so that child
	 * classes can override it and change the action. Forward
	 * thinking in case a "chained" ACL is needed, more complex
	 * permission logic.
	 *
	 * @param array $request
	 */
	protected function unauthorized(&$request) {
		SimpleSAML_Logger::error('ExpectedAuthnContextClassRef: Invalid authentication context: '.$this->AuthnContextClassRef.'. Accepted values are: ' . var_export($this->accepted, TRUE));

		$id = SimpleSAML_Auth_State::saveState($request, 'saml:ExpectedAuthnContextClassRef:unauthorized');
		$url = SimpleSAML_Module::getModuleURL(
			'saml/sp/wrong_authncontextclassref.php');
		SimpleSAML_Utilities::redirect($url, array('StateId' => $id));
	}
}