From 33840c2aa1b39b708025ea3703f10ab7ffb37032 Mon Sep 17 00:00:00 2001
From: Thijs Kinkhorst <thijs@kinkhorst.com>
Date: Wed, 9 Sep 2020 13:15:07 +0000
Subject: [PATCH] saml idp endpoints: check early and consistently whether the SAML IdP is enabled

They are outside of the module so can be called when the module is disabled, which gives an error somewhere deep in the call stack. Check for all endpoints whether saml2-idp is enabled in config and whether the module is enabled before doing anything else.
---
 www/saml2/idp/ArtifactResolutionService.php | 4 ++--
 www/saml2/idp/SSOService.php | 7 ++++++-
 www/saml2/idp/SingleLogoutService.php | 6 ++++++
 www/saml2/idp/initSLO.php | 11 +++++++++--
 www/saml2/idp/metadata.php | 17 +++++++++--------
 5 files changed, 32 insertions(+), 13 deletions(-)

diff --git a/www/saml2/idp/ArtifactResolutionService.php b/www/saml2/idp/ArtifactResolutionService.php
index 98d5b4986..12ebdb152 100644
--- a/www/saml2/idp/ArtifactResolutionService.php
+++ b/www/saml2/idp/ArtifactResolutionService.php
@@ -23,8 +23,8 @@ use SimpleSAML\Metadata;
 use SimpleSAML\Store;
 
 $config = Configuration::getInstance();
-if (!$config->getBoolean('enable.saml20-idp', false)) {
-    throw new Error\Error('NOACCESS');
+if (!$config->getBoolean('enable.saml20-idp', false) || !Module::isModuleEnabled('saml')) {
+    throw new Error\Error('NOACCESS', null, 403);
 }
 
 $metadata = Metadata\MetaDataStorageHandler::getMetadataHandler();
diff --git a/www/saml2/idp/SSOService.php b/www/saml2/idp/SSOService.php
index 747e9c333..ef1686c1d 100644
--- a/www/saml2/idp/SSOService.php
+++ b/www/saml2/idp/SSOService.php
@@ -5,7 +5,6 @@
  * from a SAML 2.0 SP, parses, and process it, and then authenticates the user and sends the user back
  * to the SP with an Authentication Response.
  *
- * @author Andreas Ă…kre Solberg, UNINETT AS. <andreas.solberg@uninett.no>
  * @package SimpleSAMLphp
  */
 
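Review bot: `Module::isModuleEnabled('saml')` in the new condition of ArtifactResolutionService.php has no matching `use SimpleSAML\Module;` in this hunk, and the visible import run goes straight from `use SimpleSAML\Metadata;` (the hunk's context line) to `use SimpleSAML\Store;`, which is exactly where an alphabetised `Module` import would sit. Unless it is imported further up the file, the name resolves to a global `Module` class and the endpoint dies with a class-not-found error precisely when `enable.saml20-idp` is true, because the `||` short-circuits before reaching it only when the IdP is disabled. Add `use SimpleSAML\Module;` between the Metadata and Store imports; SSOService.php shows the import in its hunk context and initSLO.php adds it, but SingleLogoutService.php does not show it either and is worth the same check. The surrounding script continues outside the hunk.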
@@ -13,6 +12,7 @@ require_once('../../_include.php');
 
 use Exception;
 use SimpleSAML\Assert\Assert;
+use SimpleSAML\Configuration;
 use SimpleSAML\Error;
 use SimpleSAML\IdP;
 use SimpleSAML\Logger;
@@ -21,6 +21,11 @@ use SimpleSAML\Module;
 
 Logger::info('SAML2.0 - IdP.SSOService: Accessing SAML 2.0 IdP endpoint SSOService');
 
+$config = Configuration::getInstance();
+if (!$config->getBoolean('enable.saml20-idp', false) || !Module::isModuleEnabled('saml')) {
+    throw new Error\Error('NOACCESS', null, 403);
+}
+
 $metadata = Metadata\MetaDataStorageHandler::getMetadataHandler();
 $idpEntityId = $metadata->getMetaDataCurrentEntityID('saml20-idp-hosted');
 $idp = IdP::getById('saml2:' . $idpEntityId);
diff --git a/www/saml2/idp/SingleLogoutService.php b/www/saml2/idp/SingleLogoutService.php
index 0f0c2fe45..f4bb144ff 100644
--- a/www/saml2/idp/SingleLogoutService.php
+++ b/www/saml2/idp/SingleLogoutService.php
@@ -12,6 +12,7 @@ require_once('../../_include.php');
 
 use Exception;
 use SimpleSAML\Assert\Assert;
+use SimpleSAML\Configuration;
 use SimpleSAML\Error;
 use SimpleSAML\IdP;
 use SimpleSAML\Logger;
@@ -21,6 +22,11 @@ use SimpleSAML\Utils;
 
 Logger::info('SAML2.0 - IdP.SingleLogoutService: Accessing SAML 2.0 IdP endpoint SingleLogoutService');
 
+$config = Configuration::getInstance();
+if (!$config->getBoolean('enable.saml20-idp', false) || !Module::isModuleEnabled('saml')) {
+    throw new Error\Error('NOACCESS', null, 403);
+}
+
 $metadata = Metadata\MetaDataStorageHandler::getMetadataHandler();
 $idpEntityId = $metadata->getMetaDataCurrentEntityID('saml20-idp-hosted');
 $idp = IdP::getById('saml2:' . $idpEntityId);
diff --git a/www/saml2/idp/initSLO.php b/www/saml2/idp/initSLO.php
index 24f27c470..e6c7f26f6 100644
--- a/www/saml2/idp/initSLO.php
+++ b/www/saml2/idp/initSLO.php
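Review bot: The new guard in SSOService.php carries no comment saying why an endpoint re-checks something the module system normally enforces; the commit message explains it (these scripts live outside the saml module and stay reachable when it is disabled), and that reasoning belongs next to the code rather than only in history. Suggested line above `$config = Configuration::getInstance();`: `// Reached even when the saml module is disabled (this script lives outside it): refuse before touching metadata or sessions.` The same uncommented block is added to SingleLogoutService.php, initSLO.php and metadata.php in this patch, and metadata.php also drops its former `// load SimpleSAMLphp configuration and metadata` comment without replacement. Five hand-copied copies of one three-line check will drift over time; a shared helper would keep the condition and the 403 in one place, though that is a follow-up rather than a blocker.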
@@ -3,18 +3,25 @@ require_once('../../_include.php');
 
 
 use SimpleSAML\Assert\Assert;
+use SimpleSAML\Configuration;
 use SimpleSAML\Error;
 use SimpleSAML\Idp;
 use SimpleSAML\Logger;
 use SimpleSAML\Metadata;
+use SimpleSAML\Module;
 use SimpleSAML\Utils;
 
+Logger::info('SAML2.0 - IdP.initSLO: Accessing SAML 2.0 IdP endpoint init Single Logout');
+
+$config = Configuration::getInstance();
+if (!$config->getBoolean('enable.saml20-idp', false) || !Module::isModuleEnabled('saml')) {
+    throw new Error\Error('NOACCESS', null, 403);
+}
+
 $metadata = Metadata\MetaDataStorageHandler::getMetadataHandler();
 $idpEntityId = $metadata->getMetaDataCurrentEntityID('saml20-idp-hosted');
 $idp = IdP::getById('saml2:' . $idpEntityId);
 
-Logger::info('SAML2.0 - IdP.initSLO: Accessing SAML 2.0 IdP endpoint init Single Logout');
-
 if (!isset($_GET['RelayState'])) {
     throw new Error\Error('NORELAYSTATE');
 }
diff --git a/www/saml2/idp/metadata.php b/www/saml2/idp/metadata.php
index f8e49d881..f9534c48c 100644
--- a/www/saml2/idp/metadata.php
+++ b/www/saml2/idp/metadata.php
@@ -6,18 +6,17 @@ use Symfony\Component\VarExporter\VarExporter;
 
 use SAML2\Constants;
 use SimpleSAML\Assert\Assert;
+use SimpleSAML\Configuration;
+use SimpleSAML\Error;
 use SimpleSAML\Module;
 use SimpleSAML\Utils\Auth as Auth;
 use SimpleSAML\Utils\Crypto as Crypto;
 use SimpleSAML\Utils\HTTP as HTTP;
 use SimpleSAML\Utils\Config\Metadata as Metadata;
 
-// load SimpleSAMLphp configuration and metadata
-$config = \SimpleSAML\Configuration::getInstance();
-$metadata = \SimpleSAML\Metadata\MetaDataStorageHandler::getMetadataHandler();
-
-if (!$config->getBoolean('enable.saml20-idp', false)) {
-    throw new \SimpleSAML\Error\Error('NOACCESS');
+$config = Configuration::getInstance();
+if (!$config->getBoolean('enable.saml20-idp', false) || !Module::isModuleEnabled('saml')) {
+    throw new Error\Error('NOACCESS', null, 403);
 }
 
 // check if valid local session exists
@@ -25,6 +24,8 @@ if ($config->getBoolean('admin.protectmetadata', false)) {
     Auth::requireAdmin();
 }
 
+$metadata = \SimpleSAML\Metadata\MetaDataStorageHandler::getMetadataHandler();
+
 try {
     $idpentityid = isset($_GET['idpentityid']) ? $_GET['idpentityid'] :
         $metadata->getMetaDataCurrentEntityID('saml20-idp-hosted');
@@ -151,7 +152,7 @@ try {
     );
 
     if (!$idpmeta->hasValue('OrganizationURL')) {
-        throw new \SimpleSAML\Error\Exception(
+        throw new Error\Exception(
             'If OrganizationName is set, OrganizationURL must also be set.'
         );
     }
@@ -246,5 +247,5 @@ try {
         exit(0);
     }
 } catch (\Exception $exception) {
-    throw new \SimpleSAML\Error\Error('METADATA', $exception);
+    throw new Error\Error('METADATA', $exception);
 }
-- 
GitLab
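Review bot: The added `$metadata = \SimpleSAML\Metadata\MetaDataStorageHandler::getMetadataHandler();` keeps a fully qualified name while the rest of this patch moves metadata.php to imported names (`Configuration`, `Error`), so the file ends up mixing both styles. The `Metadata` alias is already taken by `use SimpleSAML\Utils\Config\Metadata as Metadata;`, so import the class itself: add `use SimpleSAML\Metadata\MetaDataStorageHandler;` to the import block and write `$metadata = MetaDataStorageHandler::getMetadataHandler();`. The `try` block that follows continues outside the hunk.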