From 3c957a3f8acda7e1f937cdc3b862a27bec437c35 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Andreas=20=C3=85kre=20Solberg?= <andreas.solberg@uninett.no>
Date: Mon, 3 Mar 2008 08:48:17 +0000
Subject: [PATCH] Adding option for protecting metadata. Default is that
 metadata is not protected (publicly available)

git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@340 44740490-163a-0410-bde0-09ae8108e29a
---
 config/config-template.php                  | 1 +
 lib/SimpleSAML/XML/SAML20/AuthnResponse.php | 2 +-
 www/saml2/idp/metadata.php                  | 9 ++++++++-
 www/saml2/sp/metadata.php                   | 9 +++++++++
 www/shib13/idp/metadata.php                 | 9 ++++++++-
 www/shib13/sp/metadata.php                  | 8 ++++++++
 6 files changed, 35 insertions(+), 3 deletions(-)

diff --git a/config/config-template.php b/config/config-template.php
index 5e31f2fe6..baaf2b4eb 100644
--- a/config/config-template.php
+++ b/config/config-template.php
@@ -48,6 +48,7 @@ $config = array (
 	 */
 	'auth.adminpassword'		=> '123',
 	'admin.protectindexpage'	=> false,
+	'admin.protectmetadata'		=> false,
 	
 	/*
 	 * Some information about the technical persons running this installation.
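Review bot: The new `admin.protectmetadata` entry is the only option in this part of the template without a description, while the block above it ends in a doc comment. A short comment on the line before it would tell an installer what the flag does, e.g. `/* Set to true to require an admin login (auth/login-admin.php) before the SP and IdP metadata pages are served. Default false: metadata is publicly readable. */`. That matches the default the commit message states and the redirect the metadata.php changes in this patch perform.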
diff --git a/lib/SimpleSAML/XML/SAML20/AuthnResponse.php b/lib/SimpleSAML/XML/SAML20/AuthnResponse.php
index 8da4453c5..388577998 100644
--- a/lib/SimpleSAML/XML/SAML20/AuthnResponse.php
+++ b/lib/SimpleSAML/XML/SAML20/AuthnResponse.php
@@ -8,7 +8,7 @@ require_once('SimpleSAML/XML/AuthnResponse.php');
 require_once('SimpleSAML/XML/Validator.php');
 
 require_once('xmlseclibs.php');
- 
+
 /**
  * An SAML 2.0 Authentication Response
  *
diff --git a/www/saml2/idp/metadata.php b/www/saml2/idp/metadata.php
index 19e320831..2a75154d1 100644
--- a/www/saml2/idp/metadata.php
+++ b/www/saml2/idp/metadata.php
@@ -17,7 +17,14 @@ $session = SimpleSAML_Session::getInstance(true);
 if (!$config->getValue('enable.saml20-idp', false))
 	SimpleSAML_Utilities::fatalError($session->getTrackID(), 'NOACCESS');
 
-
+/* Check if valid local session exists.. */
+if ($config->getValue('admin.protectmetadata', false)) {
+	if (!isset($session) || !$session->isValid('login-admin') ) {
+		SimpleSAML_Utilities::redirect('/' . $config->getBaseURL() . 'auth/login-admin.php',
+			array('RelayState' => SimpleSAML_Utilities::selfURL())
+		);
+	}
+}
 
 
 try {
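Review bot: The redirect on the new lines is not followed by an `exit;`, so unless `SimpleSAML_Utilities::redirect()` terminates the script itself (not visible in this hunk), execution falls through into the `try` block below and the metadata is emitted to an unauthenticated client despite the option being enabled; adding `exit;` directly after the `redirect(...)` call makes the intent explicit and independent of that helper's behaviour. The `!isset($session)` guard is dead here: `$session` is assigned from `SimpleSAML_Session::getInstance(true)` in the hunk header and already dereferenced two lines earlier in `$session->getTrackID()`, so `if (!$session->isValid('login-admin')) {` is sufficient. The same eight-line block is pasted verbatim into www/saml2/sp/metadata.php, www/shib13/idp/metadata.php and www/shib13/sp/metadata.php; a single helper (e.g. `SimpleSAML_Utilities::requireAdmin()`) would keep the four checks from drifting apart. The comment `/* Check if valid local session exists.. */` does not say why; `/* When admin.protectmetadata is set, only an authenticated admin session may read this metadata. */` would. The surrounding script continues outside the hunk.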
diff --git a/www/saml2/sp/metadata.php b/www/saml2/sp/metadata.php
index 7ebe40ba1..fea3f5ee2 100644
--- a/www/saml2/sp/metadata.php
+++ b/www/saml2/sp/metadata.php
@@ -16,6 +16,15 @@ $session = SimpleSAML_Session::getInstance(TRUE);
 if (!$config->getValue('enable.saml20-sp', false))
 	SimpleSAML_Utilities::fatalError($session->getTrackID(), 'NOACCESS');
 
+/* Check if valid local session exists.. */
+if ($config->getValue('admin.protectmetadata', false)) {
+	if (!isset($session) || !$session->isValid('login-admin') ) {
+		SimpleSAML_Utilities::redirect('/' . $config->getBaseURL() . 'auth/login-admin.php',
+			array('RelayState' => SimpleSAML_Utilities::selfURL())
+		);
+	}
+}
+
 
 /**
  * Preconfigured to help out some federations. This makes it easier for users to report metadata
diff --git a/www/shib13/idp/metadata.php b/www/shib13/idp/metadata.php
index d13013353..6e09d8c7a 100644
--- a/www/shib13/idp/metadata.php
+++ b/www/shib13/idp/metadata.php
@@ -17,7 +17,14 @@ $session = SimpleSAML_Session::getInstance(true);
 if (!$config->getValue('enable.shib13-idp', false))
 	SimpleSAML_Utilities::fatalError($session->getTrackID(), 'NOACCESS');
 
-
+/* Check if valid local session exists.. */
+if ($config->getValue('admin.protectmetadata', false)) {
+	if (!isset($session) || !$session->isValid('login-admin') ) {
+		SimpleSAML_Utilities::redirect('/' . $config->getBaseURL() . 'auth/login-admin.php',
+			array('RelayState' => SimpleSAML_Utilities::selfURL())
+		);
+	}
+}
 
 
 try {
diff --git a/www/shib13/sp/metadata.php b/www/shib13/sp/metadata.php
index e7a71c472..75deaa7d8 100644
--- a/www/shib13/sp/metadata.php
+++ b/www/shib13/sp/metadata.php
@@ -16,6 +16,14 @@ $session = SimpleSAML_Session::getInstance(TRUE);
 if (!$config->getValue('enable.shib13-sp', false))
 	SimpleSAML_Utilities::fatalError($session->getTrackID(), 'NOACCESS');
 
+/* Check if valid local session exists.. */
+if ($config->getValue('admin.protectmetadata', false)) {
+	if (!isset($session) || !$session->isValid('login-admin') ) {
+		SimpleSAML_Utilities::redirect('/' . $config->getBaseURL() . 'auth/login-admin.php',
+			array('RelayState' => SimpleSAML_Utilities::selfURL())
+		);
+	}
+}
 
 
 try {
-- 
GitLab