saml idp endpoints: check early and consistently whether the SAML IdP is enabled

They are outside of the module so can be called when the module is disabled, which gives an error somewhere deep in the call stack. Check for all endpoints whether saml2-idp is enabled in config and whether the module is enabled before doing anything else.

saml idp endpoints: check early and consistently whether the SAML IdP is enabled
They are outside of the module so can be called when the module is disabled, which gives an error somewhere deep in the call stack. Check for all endpoints whether saml2-idp is enabled in config and whether the module is enabled before doing anything else.
33840c2a · Thijs Kinkhorst · a22b0b78 · 33840c2a · 33840c2a · 33840c2a
Commit 33840c2a authored 4 years ago by Thijs Kinkhorst
--- a/www/saml2/idp/ArtifactResolutionService.php
+++ b/www/saml2/idp/ArtifactResolutionService.php
@@ -23,8 +23,8 @@ use SimpleSAML\Metadata;
 use SimpleSAML\Store;
 $config = Configuration::getInstance();
-if (!$config->getBoolean('enable.saml20-idp', false)) {
+if (!$config->getBoolean('enable.saml20-idp', false) || !Module::isModuleEnabled('saml')) {
-    throw new Error\Error('NOACCESS');
+    throw new Error\Error('NOACCESS', null, 403);
 }
 $metadata = Metadata\MetaDataStorageHandler::getMetadataHandler();

--- a/www/saml2/idp/SSOService.php
+++ b/www/saml2/idp/SSOService.php
@@ -5,7 +5,6 @@
 * from a SAML 2.0 SP, parses, and process it, and then authenticates the user and sends the user back
 * to the SP with an Authentication Response.
 *
- * @author Andreas Åkre Solberg, UNINETT AS. <andreas.solberg@uninett.no>
 * @package SimpleSAMLphp
 */
@@ -13,6 +12,7 @@ require_once('../../_include.php');
 use Exception;
 use SimpleSAML\Assert\Assert;
+use SimpleSAML\Configuration;
 use SimpleSAML\Error;
 use SimpleSAML\IdP;
 use SimpleSAML\Logger;
@@ -21,6 +21,11 @@ use SimpleSAML\Module;
 Logger::info('SAML2.0 - IdP.SSOService: Accessing SAML 2.0 IdP endpoint SSOService');
+$config = Configuration::getInstance();
+if (!$config->getBoolean('enable.saml20-idp', false) || !Module::isModuleEnabled('saml')) {
+    throw new Error\Error('NOACCESS', null, 403);
+}
 $metadata = Metadata\MetaDataStorageHandler::getMetadataHandler();
 $idpEntityId = $metadata->getMetaDataCurrentEntityID('saml20-idp-hosted');
 $idp = IdP::getById('saml2:' . $idpEntityId);

--- a/www/saml2/idp/SingleLogoutService.php
+++ b/www/saml2/idp/SingleLogoutService.php
@@ -12,6 +12,7 @@ require_once('../../_include.php');
 use Exception;
 use SimpleSAML\Assert\Assert;
+use SimpleSAML\Configuration;
 use SimpleSAML\Error;
 use SimpleSAML\IdP;
 use SimpleSAML\Logger;
@@ -21,6 +22,11 @@ use SimpleSAML\Utils;
 Logger::info('SAML2.0 - IdP.SingleLogoutService: Accessing SAML 2.0 IdP endpoint SingleLogoutService');
+$config = Configuration::getInstance();
+if (!$config->getBoolean('enable.saml20-idp', false) || !Module::isModuleEnabled('saml')) {
+    throw new Error\Error('NOACCESS', null, 403);
+}
 $metadata = Metadata\MetaDataStorageHandler::getMetadataHandler();
 $idpEntityId = $metadata->getMetaDataCurrentEntityID('saml20-idp-hosted');
 $idp = IdP::getById('saml2:' . $idpEntityId);

--- a/www/saml2/idp/initSLO.php
+++ b/www/saml2/idp/initSLO.php
@@ -3,18 +3,25 @@
 require_once('../../_include.php');
 use SimpleSAML\Assert\Assert;
+use SimpleSAML\Configuration;
 use SimpleSAML\Error;
 use SimpleSAML\Idp;
 use SimpleSAML\Logger;
 use SimpleSAML\Metadata;
+use SimpleSAML\Module;
 use SimpleSAML\Utils;
+Logger::info('SAML2.0 - IdP.initSLO: Accessing SAML 2.0 IdP endpoint init Single Logout');
+$config = Configuration::getInstance();
+if (!$config->getBoolean('enable.saml20-idp', false) || !Module::isModuleEnabled('saml')) {
+    throw new Error\Error('NOACCESS', null, 403);
+}
 $metadata = Metadata\MetaDataStorageHandler::getMetadataHandler();
 $idpEntityId = $metadata->getMetaDataCurrentEntityID('saml20-idp-hosted');
 $idp = IdP::getById('saml2:' . $idpEntityId);
-Logger::info('SAML2.0 - IdP.initSLO: Accessing SAML 2.0 IdP endpoint init Single Logout');
 if (!isset($_GET['RelayState'])) {
    throw new Error\Error('NORELAYSTATE');
 }

--- a/www/saml2/idp/metadata.php
+++ b/www/saml2/idp/metadata.php
@@ -6,18 +6,17 @@ use Symfony\Component\VarExporter\VarExporter;
 use SAML2\Constants;
 use SimpleSAML\Assert\Assert;
+use SimpleSAML\Configuration;
+use SimpleSAML\Error;
 use SimpleSAML\Module;
 use SimpleSAML\Utils\Auth as Auth;
 use SimpleSAML\Utils\Crypto as Crypto;
 use SimpleSAML\Utils\HTTP as HTTP;
 use SimpleSAML\Utils\Config\Metadata as Metadata;
-// load SimpleSAMLphp configuration and metadata
+$config = Configuration::getInstance();
-$config = \SimpleSAML\Configuration::getInstance();
+if (!$config->getBoolean('enable.saml20-idp', false) || !Module::isModuleEnabled('saml')) {
-$metadata = \SimpleSAML\Metadata\MetaDataStorageHandler::getMetadataHandler();
+    throw new Error\Error('NOACCESS', null, 403);
-if (!$config->getBoolean('enable.saml20-idp', false)) {
-    throw new \SimpleSAML\Error\Error('NOACCESS');
 }
 // check if valid local session exists
@@ -25,6 +24,8 @@ if ($config->getBoolean('admin.protectmetadata', false)) {
    Auth::requireAdmin();
 }
+$metadata = \SimpleSAML\Metadata\MetaDataStorageHandler::getMetadataHandler();
 try {
    $idpentityid = isset($_GET['idpentityid']) ?
        $_GET['idpentityid'] : $metadata->getMetaDataCurrentEntityID('saml20-idp-hosted');
@@ -151,7 +152,7 @@ try {
        );
        if (!$idpmeta->hasValue('OrganizationURL')) {
-            throw new \SimpleSAML\Error\Exception(
+            throw new Error\Exception(
                'If OrganizationName is set, OrganizationURL must also be set.'
            );
        }
@@ -246,5 +247,5 @@ try {
        exit(0);
    }
 } catch (\Exception $exception) {
-    throw new \SimpleSAML\Error\Error('METADATA', $exception);
+    throw new Error\Error('METADATA', $exception);
 }