Commit 20cb8982 authored by Guy Halse's avatar Guy Halse
Add attributes.exclude option to correspond with the Consent module

The Consent module has a (currently undocumented) noconsentattributes
option that allows specified attributes to be removed from the consent
hash calculation. The noconsentattributes option was introduced at
simplesamlphp/simplesamlphp@1efcfa8 but no corresponding option
was added to the consentAdmin module. Thus if people are using the
noconsentattributes option to remove attributes, the consentAdmin module
will *always* show this as attribute values having been changed.

This is a rework of simplesamlphp/simplesamlphp#531 which has gotten corrupted over time.
...@@ -19,6 +19,9 @@ $config = array( ...@@ -19,6 +19,9 @@ $config = array(
// Hash attributes including values or not // Hash attributes including values or not
'attributes.hash' => true, 'attributes.hash' => true,
// If you set noconsentattributes in the consent module, this must match
// 'attributes.exclude' => array(),
// Where to direct the user after logout // Where to direct the user after logout
// REMEMBER to prefix with http:// otherwise the relaystate is only appended // REMEMBER to prefix with http:// otherwise the relaystate is only appended
// to saml2 logout URL // to saml2 logout URL
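Review bot: the commented-out example `'attributes.exclude' => array()` does not tell the administrator what the array should contain; since the value is later used as the haystack of `in_array($attrkey, ...)`, the comment should say it is a list of attribute names, e.g. `// 'attributes.exclude' => array('eduPersonTargetedID'),`, and that it must be the same list as `noconsentattributes` in the consent module or consentAdmin will report those attributes as changed.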
......
...@@ -44,7 +44,9 @@ Setting optional parameters ...@@ -44,7 +44,9 @@ Setting optional parameters
In order to make the consentAdmin module work together with the consent In order to make the consentAdmin module work together with the consent
module correctly, you need to set the configuration 'attributes.hash' module correctly, you need to set the configuration 'attributes.hash'
according to the value of 'includeValues' configuration in the consent according to the value of 'includeValues' configuration in the consent
module. module. Likewise, if you've used the 'noconsentattributes' configuration
option in the consent module, you should also set the 'attributes.exclude'
configuration option here to match.
You should also set the 'returnURL' configuration in order to pass on your You should also set the 'returnURL' configuration in order to pass on your
users when the press the 'Logout' link. users when the press the 'Logout' link.
......
...@@ -22,7 +22,8 @@ function driveProcessingChain( ...@@ -22,7 +22,8 @@ function driveProcessingChain(
$sp_entityid, $sp_entityid,
$attributes, $attributes,
$userid, $userid,
$hashAttributes = false $hashAttributes = false,
$excludeAttributes = array()
) { ) {
/* /*
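Review bot: the docblock that starts at `/*` below the signature should document the new `$excludeAttributes` parameter (type, meaning, default). Also consider the `array` type hint, `array $excludeAttributes = array()`, so that a non-array value from a misconfigured `attributes.exclude` fails at the call rather than producing a warning inside `in_array()` further down.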
...@@ -48,6 +49,12 @@ function driveProcessingChain( ...@@ -48,6 +49,12 @@ function driveProcessingChain(
$pc->processStatePassive($authProcState); $pc->processStatePassive($authProcState);
$attributes = $authProcState['Attributes']; $attributes = $authProcState['Attributes'];
// Remove attributes that do not require consent/should be excluded
foreach ($attributes as $attrkey => $attrval) {
if (in_array($attrkey, $excludeAttributes)) {
unset($attributes[$attrkey]);
}
}
/* /*
* Generate identifiers and hashes * Generate identifiers and hashes
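Review bot: `in_array($attrkey, $excludeAttributes)` uses loose comparison; with an integer or boolean in the configured list (a typo such as `array(0)`), PHP's loose comparison can make every string key match and strip all attributes from the hash. Pass the strict flag, `in_array($attrkey, $excludeAttributes, true)`, or replace the loop with `$attributes = array_diff_key($attributes, array_flip($excludeAttributes));`, which needs no mutation of the array being iterated. It is also worth noting in the comment that the exclusion runs after `processStatePassive()`, so the names must be the attribute names as they appear after the AuthProc filters.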
...@@ -80,6 +87,8 @@ if (array_key_exists('logout', $_REQUEST)) { ...@@ -80,6 +87,8 @@ if (array_key_exists('logout', $_REQUEST)) {
$hashAttributes = $cA_config->getValue('attributes.hash'); $hashAttributes = $cA_config->getValue('attributes.hash');
$excludeAttributes = $cA_config->getValue('attributes.exclude', array());
// Check if valid local session exists // Check if valid local session exists
$as->requireAuth(); $as->requireAuth();
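Review bot: `getValue('attributes.exclude', array())` accepts any type; since the value is used as an array in `driveProcessingChain()`, use `$cA_config->getArray('attributes.exclude', array())` so a scalar or string set by mistake is rejected with a configuration error at load time instead of surfacing as a warning in the attribute loop.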
...@@ -161,7 +170,7 @@ if ($action !== null && $sp_entityid !== null) { ...@@ -161,7 +170,7 @@ if ($action !== null && $sp_entityid !== null) {
// Run AuthProc filters // Run AuthProc filters
list($targeted_id, $attribute_hash, $attributes_new) = driveProcessingChain($idp_metadata, $source, $sp_metadata, list($targeted_id, $attribute_hash, $attributes_new) = driveProcessingChain($idp_metadata, $source, $sp_metadata,
$sp_entityid, $attributes, $userid, $hashAttributes); $sp_entityid, $attributes, $userid, $hashAttributes, $excludeAttributes);
// Add a consent (or update if attributes have changed and old consent for SP and IdP exists) // Add a consent (or update if attributes have changed and old consent for SP and IdP exists)
if ($action == 'true') { if ($action == 'true') {
...@@ -217,7 +226,7 @@ foreach ($all_sp_metadata as $sp_entityid => $sp_values) { ...@@ -217,7 +226,7 @@ foreach ($all_sp_metadata as $sp_entityid => $sp_values) {
// Run attribute filters // Run attribute filters
list($targeted_id, $attribute_hash, $attributes_new) = driveProcessingChain($idp_metadata, $source, $sp_metadata, list($targeted_id, $attribute_hash, $attributes_new) = driveProcessingChain($idp_metadata, $source, $sp_metadata,
$sp_entityid, $attributes, $userid, $hashAttributes); $sp_entityid, $attributes, $userid, $hashAttributes, $excludeAttributes);
// Check if consent exists // Check if consent exists
if (array_key_exists($targeted_id, $user_consent)) { if (array_key_exists($targeted_id, $user_consent)) {
......