From 20cb8982cca9f2715912fea4009860cdccaf497c Mon Sep 17 00:00:00 2001
From: Guy Halse <guy@tenet.ac.za>
Date: Mon, 28 May 2018 12:47:21 +0200
Subject: [PATCH] Add attributes.exclude option to correspond with the Consent
 module

The Consent module has a (currently undocumented) noconsentattributes
option that allows specified attributes to be removed from the consent
hash calculation. The noconsentattributes option was introduced at
simplesamlphp/simplesamlphp@1efcfa8 but no corresponding option
was added to the consentAdmin module. Thus if people are using the
noconsentattributes option to remove attributes, the consentAdmin module
will *always* show this as attribute values having been changed.

This is a rework of simplesamlphp/simplesamlphp#531 which has gotten corrupted over time.
---
 .../config-templates/module_consentAdmin.php      |  3 +++
 modules/consentAdmin/docs/consentAdmin.md         |  4 +++-
 modules/consentAdmin/www/consentAdmin.php         | 15 ++++++++++++---
 3 files changed, 18 insertions(+), 4 deletions(-)

diff --git a/modules/consentAdmin/config-templates/module_consentAdmin.php b/modules/consentAdmin/config-templates/module_consentAdmin.php
index d7ba69723..627634ba1 100644
--- a/modules/consentAdmin/config-templates/module_consentAdmin.php
+++ b/modules/consentAdmin/config-templates/module_consentAdmin.php
@@ -19,6 +19,9 @@ $config = array(
     // Hash attributes including values or not
     'attributes.hash' => true,
 
+    // If you set noconsentattributes in the consent module, this must match
+    // 'attributes.exclude' => array(),
+
     // Where to direct the user after logout
     // REMEMBER to prefix with http:// otherwise the relaystate is only appended
     // to saml2 logout URL
diff --git a/modules/consentAdmin/docs/consentAdmin.md b/modules/consentAdmin/docs/consentAdmin.md
index 454cd5f47..6a420353c 100644
--- a/modules/consentAdmin/docs/consentAdmin.md
+++ b/modules/consentAdmin/docs/consentAdmin.md
@@ -44,7 +44,9 @@ Setting optional parameters
 In order to make the consentAdmin module work together with the consent
 module correctly, you need to set the configuration 'attributes.hash'
 according to the value of 'includeValues' configuration in the consent
-module.
+module. Likewise, if you've used the 'noconsentattributes' configuration
+option in the consent module, you should also set the 'attributes.exclude'
+configuration option here to match.
 
 You should also set the 'returnURL' configuration in order to pass on your
 users when the press the 'Logout' link.
diff --git a/modules/consentAdmin/www/consentAdmin.php b/modules/consentAdmin/www/consentAdmin.php
index ebc09fc30..a7f760517 100644
--- a/modules/consentAdmin/www/consentAdmin.php
+++ b/modules/consentAdmin/www/consentAdmin.php
@@ -22,7 +22,8 @@ function driveProcessingChain(
     $sp_entityid,
     $attributes,
     $userid,
-    $hashAttributes = false
+    $hashAttributes = false,
+    $excludeAttributes = array()
 ) {
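Review bot: The new `$excludeAttributes` parameter carries no type declaration and, if the function has a docblock above this hunk, that docblock is not updated to describe it; because the value is config-derived and reaches `in_array()` later in the body, a non-array would only surface as a runtime warning rather than at the call boundary. Declare it `array $excludeAttributes = array()` (array type hints predate the `array()` syntax this file uses, so compatibility is unaffected) and document it with `@param array $excludeAttributes Attribute names removed before the consent hash is computed; must mirror the consent module's noconsentattributes`. The body of `driveProcessingChain` continues outside this hunk.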
 
     /*
@@ -48,6 +49,12 @@ function driveProcessingChain(
     $pc->processStatePassive($authProcState);
 
     $attributes = $authProcState['Attributes'];
+    // Remove attributes that do not require consent/should be excluded
+    foreach ($attributes as $attrkey => $attrval) {
+        if (in_array($attrkey, $excludeAttributes)) {
+            unset($attributes[$attrkey]);
+        }
+    }
 
     /*
      * Generate identifiers and hashes
@@ -80,6 +87,8 @@ if (array_key_exists('logout', $_REQUEST)) {
 
 $hashAttributes = $cA_config->getValue('attributes.hash');
 
+$excludeAttributes = $cA_config->getValue('attributes.exclude', array());
+
 // Check if valid local session exists
 $as->requireAuth();
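Review bot: `$cA_config->getValue('attributes.exclude', array())` on the added line accepts whatever type the operator wrote, so a scalar such as `'attributes.exclude' => 'eduPersonTargetedID'` reaches `in_array()` as a non-array haystack, which emits a warning and returns null; nothing gets excluded and the hash mismatch this patch sets out to fix silently returns. If the Configuration class in this version exposes the typed accessor (SimpleSAMLphp 1.x does, as far as I recall), use it so a misconfiguration fails loudly: `$excludeAttributes = $cA_config->getArray('attributes.exclude', array());`. Otherwise an explicit `is_array()` check with a thrown exception at this point would serve the same purpose.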
 
@@ -161,7 +170,7 @@ if ($action !== null && $sp_entityid !== null) {
 
     // Run AuthProc filters
     list($targeted_id, $attribute_hash, $attributes_new) = driveProcessingChain($idp_metadata, $source, $sp_metadata,
-        $sp_entityid, $attributes, $userid, $hashAttributes);
+        $sp_entityid, $attributes, $userid, $hashAttributes, $excludeAttributes);
 
     // Add a consent (or update if attributes have changed and old consent for SP and IdP exists)
     if ($action == 'true') {
@@ -217,7 +226,7 @@ foreach ($all_sp_metadata as $sp_entityid => $sp_values) {
 
     // Run attribute filters
     list($targeted_id, $attribute_hash, $attributes_new) = driveProcessingChain($idp_metadata, $source, $sp_metadata,
-        $sp_entityid, $attributes, $userid, $hashAttributes);
+        $sp_entityid, $attributes, $userid, $hashAttributes, $excludeAttributes);
 
     // Check if consent exists
     if (array_key_exists($targeted_id, $user_consent)) {
-- 
GitLab