diff --git a/config-templates/config.php b/config-templates/config.php index 3242cb516728d88cd0fd6db63cb72acd99576fe8..8e18cbf2031aa62f04215a1cfbc878645c6e0f51 100644 --- a/config-templates/config.php +++ b/config-templates/config.php @@ -274,28 +274,6 @@ $config = array ( 61 => array('class' => 'core:AttributeAdd', 'groups' => array('users', 'members')), ), - - - /* - * Configuration of Consent storage used for attribute consent. - * connect, user and passwd is used with PDO (in example Mysql) - */ - 'consent_usestorage' => FALSE, - 'consent_userid' => 'eduPersonPrincipalName', - 'consent_salt' => 'sdkfjhsidu87werwe8r79w8e7r', - 'consent_pdo_connect' => 'mysql:host=sql.example.org;dbname=simplesamlconsent', - 'consent_pdo_user' => 'simplesamluser', - 'consent_pdo_passwd' => 'xxxx', - - /* - * This option controls the initial focus in the consent form. - * It has three possible values: - * - NULL No initial focus. - * - 'yes' The "yes"-button has focus. - * - 'no' The "no"-button has focus. - */ - 'consent_autofocus' => 'yes', - /* * This option configures the metadata sources. The metadata sources is given as an array with diff --git a/lib/SimpleSAML/Consent/Consent.php b/lib/SimpleSAML/Consent/Consent.php deleted file mode 100644 index b5056464816876f29ca30547bf4cec9a0da6f596..0000000000000000000000000000000000000000 --- a/lib/SimpleSAML/Consent/Consent.php +++ /dev/null 
@@ -1,177 +0,0 @@
-<?php
-
-/**
- * The Consent class is used for Attribute Release consent.
- *
- * @author Mads, Lasse, David, Peter and Andreas.
- * @package simpleSAMLphp
- * @version $Id$
- */
-class SimpleSAML_Consent_Consent {
-
-
- private $config;
- private $session;
- private $spentityid;
- private $idpentityid;
-
- private $salt;
-
- private $attributes;
- private $filteredattributes;
- private $consent_cookie;
-
- private $storageerror;
-
- /**
- * Constructor
- */
- public function __construct($config, $session, $spentityid, $idpentityid, $attributes, $filteredattributes, $consent_cookie) {
-
- $this->config = $config;
- $this->salt = $this->config->getValue('consent_salt');
-
- if (!isset($this->salt)) {
- throw new Exception('Configuration parameter [consent_salt] is not set.');
- }
-
- $this->attributes = $attributes;
- $this->filteredattributes = $filteredattributes;
- $this->session = $session;
- $this->spentityid = $spentityid;
- $this->idpentityid = $idpentityid;
- $this->consent_cookie = $consent_cookie;
-
- $this->storageerror = false;
- }
-
- /**
- * An identifier for the federation (IdP). Will use SAML 2.0 IdP remote if running in bridge
- * mode. If running as a standalone IdP, use the hosted IdP entity ID.
- *
- * @return Identifier of the IdP
- */
- private function getIdPID() {
-
- if ($this->session->getAuthority() === 'saml2') {
- return $this->session->getIdP();
- }
-
- // from the local idp
- return $this->idpentityid;
- }
-
- /**
- * Generate a globally unique identifier of the user. Will also be anonymous (hashed).
- *
- * @return hash( eduPersonPrincipalName + salt + IdP-identifier )
- */
- public function getHashedUserID() {
- $userid_attributename = $this->config->getValue('consent_userid', 'eduPersonPrincipalName');
-
- if (empty($this->attributes[$userid_attributename])) {
- throw new Exception('Could not generate useridentifier for storing consent. Attribute [' .
- $userid_attributename . '] was not available.');
- }
-
- $userid = $this->attributes[$userid_attributename][0];
-
- return hash('sha1', $userid . $this->salt . $this->getIdPID() );
- }
-
- /**
- * Get a targeted ID. An identifier that is unique per SP entity ID.
- */
- public function getTargetedID($hashed_userid) {
-
- return hash('sha1', $hashed_userid . $this->salt . $this->spentityid);
-
- }
-
- /**
- * Get a hash value that changes when attributes are added or attribute values changed.
- */
- public function getAttributeHash() {
- return hash('sha1', serialize($this->filteredattributes));
- }
-
- public function useStorage() {
- if ($this->storageerror) return false;
- return $this->config->getValue('consent_usestorage', false);
- }
-
-
- public function consent() {
-
-
- if (isset($_GET['consent']) ) {
-
- if ($_GET['consent'] != $this->consent_cookie) {
- throw new Exception('Consent cookie set to wrong value.');
- }
-
- }
-
- /**
- * The user has manually accepted consent and chosen not to store the consent
- * for later.
- */
- if (isset($_GET['consent']) && !isset($_GET['saveconsent'])) {
- return true;
- }
-
- if (!$this->useStorage() ) {
- return false;
- }
-
- /*
- * Generate identifiers and hashes
- */
- $hashed_user_id = $this->getHashedUserID();
- $targeted_id = $this->getTargetedID($hashed_user_id);
- $attribute_hash = $this->getAttributeHash();
-
-
-
- try {
- // Create a consent storage.
- $consent_storage = new SimpleSAML_Consent_Storage($this->config);
-
- } catch (Exception $e ) {
- SimpleSAML_Logger::error('Library - Consent: Error connceting to storage: ' . $e->getMessage() );
- $this->storageerror = true;
- return false;
- }
-
- /**
- * User has given cosent and asked for storing it for later.
- */
- if (isset($_GET['consent']) && isset($_GET['saveconsent'])) {
- try {
- $consent_storage->store($hashed_user_id, $targeted_id, $attribute_hash);
- } catch (Exception $e) {
- SimpleSAML_Logger::error('Library - Consent: Error connceting to storage: ' . $e->getMessage() );
- }
- return true;
- }
-
- /**
- * Check if consent exists in storage, and if it does update the usage time stamp
- * and return true.
- */
- try {
- if ($consent_storage->lookup($hashed_user_id, $targeted_id, $attribute_hash)) {
- SimpleSAML_Logger::notice('Library - Consent consent(): Found stored consent.');
- return true;
- }
- } catch (Exception $e) {
- SimpleSAML_Logger::error('Library - Consent: Error connceting to storage: ' . $e->getMessage() );
- }
-
- return false;
- }
-
-
-}
-
-?>
\ No newline at end of file
diff --git a/lib/SimpleSAML/Consent/Storage.php b/lib/SimpleSAML/Consent/Storage.php
deleted file mode 100644
index 64d805f2afd19e9558e98b6b0f5a147e415d0851..0000000000000000000000000000000000000000
--- a/lib/SimpleSAML/Consent/Storage.php
+++ /dev/null
@@ -1,137 +0,0 @@
-<?php
-
-/**
- * The Consent Storage class is used for storing Attribute Release consents.
- *
- * CREATE TABLE consent (
- * hashed_user_id varchar(128) NOT NULL,
- * service_id varchar(128) NOT NULL,
- * attribute varchar(128) NOT NULL,
- * consent_date datetime NOT NULL,
- * usage_date datetime NOT NULL,
- * PRIMARY KEY USING BTREE (hashed_user_id, service_id)
- * );
- *
- * @author Mads, Lasse, David, Peter and Andreas.
- * @package simpleSAMLphp
- * @version $Id$
- */
-class SimpleSAML_Consent_Storage {
-
- private $config;
- private $dbh;
-
- /**
- * Constructor
- */
- public function __construct($config) {
-
- $this->config = $config;
-
- $pdo_connect = $config->getValue('consent_pdo_connect');
- $pdo_user = $config->getValue('consent_pdo_user');
- $pdo_passwd = $config->getValue('consent_pdo_passwd');
-
- try {
- $this->dbh = new PDO($pdo_connect, $pdo_user, $pdo_passwd);
- } catch(Exception $exception) {
- $session = SimpleSAML_Session::getInstance();
- SimpleSAML_Utilities::fatalError($session->getTrackID(), 'PROCESSASSERTION', $exception);
- }
- //$this->dbh->setAttribute('PDO::ATTR_TIMEOUT', 5);
-
- }
-
-
- /**
- * Lookup consent database for an entry, and update the timestamp.
- *
- * @return Will return true if consent is stored, and false if consent is not stored.
- */
- public function lookup($user_id, $targeted_id, $attribute_hash) {
- $stmt = $this->dbh->prepare("UPDATE consent SET usage_date = NOW() WHERE hashed_user_id = ? AND service_id = ? AND attribute = ?");
- $stmt->execute(array($user_id, $targeted_id, $attribute_hash));
- $rows = $stmt->rowCount();
-
- SimpleSAML_Logger::debug('Library - ConsentStorage get(): user_id : ' . $user_id);
- SimpleSAML_Logger::debug('Library - ConsentStorage get(): targeted_id : ' . $targeted_id);
- SimpleSAML_Logger::debug('Library - ConsentStorage get(): attribute_hash : ' . $attribute_hash);
-
- SimpleSAML_Logger::debug('Library - ConsentStorage get(): Number of rows : [' . $rows . ']');
-
- return ($rows === 1);
- }
-
-
-
- /**
- * Lookup consent database for an entry, and update the timestamp.
- *
- * @return Will return true if consent is stored, and false if consent is not stored.
- */
- public function getList($user_id) {
- $stmt = $this->dbh->prepare("SELECT * FROM consent WHERE hashed_user_id = ?");
- $stmt->execute(array($user_id));
-
- SimpleSAML_Logger::debug('Library - ConsentStorage getList(): Getting list of all consent entries for a user');
-
- return $stmt->fetchAll(PDO::FETCH_ASSOC);
- }
-
-
- /**
- * Store user consent in database
- */
- public function store($user_id, $targeted_id, $attribute_hash) {
- /**
- * insert new entry into consent storage.
- */
- $stmt = $this->dbh->prepare("INSERT INTO consent VALUES (?,?,?,NOW(),NOW())");
- $stmt->execute(array($user_id, $targeted_id, $attribute_hash));
- $rows = $stmt->rowCount();
-
- SimpleSAML_Logger::debug('Library - ConsentStorage store(): user_id : ' . $user_id);
- SimpleSAML_Logger::debug('Library - ConsentStorage store(): targeted_id : ' . $targeted_id);
- SimpleSAML_Logger::debug('Library - ConsentStorage store(): attribute_hash : ' . $attribute_hash);
-
- SimpleSAML_Logger::debug('Library - ConsentStorage store(): Number of rows : [' . $rows . ']');
-
- return ($rows === 1);
- }
-
- /**
- * Delete specific user consent in database
- */
- public function delete($user_id, $targeted_id, $attribute_hash) {
-
- SimpleSAML_Logger::debug('Library - ConsentStorage delete(): user_id : ' . $user_id);
- SimpleSAML_Logger::debug('Library - ConsentStorage delete(): targeted_id : ' . $targeted_id);
- SimpleSAML_Logger::debug('Library - ConsentStorage delete(): attribute_hash : ' . $attribute_hash);
-
- /**
- * delete specific entry from consent storage.
- */
- $stmt = $this->dbh->prepare("DELETE FROM consent WHERE hashed_user_id = ? AND service_id = ? AND attribute = ?");
- $stmt->execute(array($user_id, $targeted_id, $attribute_hash));
-
- return $stmt->rowCount();
- }
-
- /**
- * Delete user consent in database
- */
- public function deleteUserConsent($user_id) {
-
- SimpleSAML_Logger::debug('Library - ConsentStorage deleteUserConsent(): user_id : ' . $user_id);
-
- /**
- * delete specific entry from consent storage.
- */
- $stmt = $this->dbh->prepare("DELETE FROM consent WHERE hashed_user_id = ?");
- $stmt->execute(array($user_id));
-
- return $stmt->rowCount();
- }
-}
-
-?>
\ No newline at end of file
diff --git a/templates/default/consent.php b/templates/default/consent.php
deleted file mode 100644
index d54d8439fde6ec4bab12bb8eb370e6b6acdb5b2d..0000000000000000000000000000000000000000
--- a/templates/default/consent.php
+++ /dev/null
@@ -1,65 +0,0 @@
-<?php
- $this->includeAtTemplateBase('includes/header.php');
-
- $this->includeLanguageFile('consent.php');
- $this->includeInlineTranslation('SPNAME', $this->data['sp_name']);
- $this->includeInlineTranslation('IDPNAME', $this->data['idp_name']);
- $this->includeInlineTranslation('SPDESC', $this->data['sp_description']);
-?>
-
-
- <p>
- <?php echo $this->t('consent_accept', array('SPNAME' => '', 'IDPNAME' => '', 'SPDESC' => '')) ?>
- </p>
-
- <?php if ($this->data['sppp'] !== FALSE) {
- echo "<p>" . htmlspecialchars($this->t('consent_privacypolicy')) . " ";
- echo "<a target='_new_window' href='" . htmlspecialchars($this->data['sppp']) . "'>" . htmlspecialchars($this->t('spname')) . "</a>";
- echo "</p>";
- } ?>
-
- <form style="display: inline" action="<?php echo htmlspecialchars($this->data['consenturl']); ?>">
- <input type="submit" id="yesbutton" value="<?php echo htmlspecialchars($this->t('yes')) ?>" />
- <input type="hidden" name="consent" value="<?php echo htmlspecialchars($this->data['consent_cookie']); ?>" />
- <input type="hidden" name="RequestID" value="<?php echo htmlspecialchars($this->data['requestid']); ?>" />
- <?php if($this->data['usestorage']) { ?>
- <input type="checkbox" name="saveconsent" id="saveconsent" value="1" /> <?php echo htmlspecialchars($this->t('remember')) ?>
- <?php } ?>
- </form>
- <form style="display: inline; margin-left: .5em;" action="<?php echo htmlspecialchars($this->data['noconsent']); ?>" method="GET">
-<?php
-if(array_key_exists('noconsent_data', $this->data)) {
- foreach($this->data['noconsent_data'] as $name => $value) {
- echo('<input type="hidden" name="' . htmlspecialchars($name) . '" value="' . htmlspecialchars($value) . '" />');
- }
-}
-?>
- <input type="submit" id="nobutton" value="<?php echo htmlspecialchars($this->t('no')) ?>" />
- </form>
- <p>
-
- <table style="font-size: x-small">
-<?php
- $attributes = $this->data['attributes'];
- foreach ($attributes AS $name => $value) {
-
- if (isset($this->data['attribute_' . htmlspecialchars(strtolower($name)) ])) {
- $name = $this->data['attribute_' . htmlspecialchars(strtolower($name))];
- }
- $name = $this->t('attribute_'.strtolower($name)); // translate
- if (sizeof($value) > 1) {
- echo '<tr><td>' . htmlspecialchars($name) . '</td><td><ul>';
- foreach ($value AS $v) {
- echo '<li>' . htmlspecialchars($v) . '</li>';
- }
- echo '</ul></td></tr>';
- } else {
- echo '<tr><td>' . htmlspecialchars($name) . '</td><td>' . htmlspecialchars($value[0]) . '</td></tr>';
- }
- }
-
-?>
- </table>
-
-
-<?php $this->includeAtTemplateBase('includes/footer.php'); ?>
\ No newline at end of file
diff --git a/templates/default/noconsent.php b/templates/default/noconsent.php
deleted file mode 100644
index 88d1d9a59faa64fdace8f298a4fe0091298f20b0..0000000000000000000000000000000000000000
--- a/templates/default/noconsent.php
+++ /dev/null
@@ -1,20 +0,0 @@
-<?php
- $this->data['header'] = $this->t('{consent:noconsent_title}');;
- $this->data['icon'] = 'bomb_l.png';
- $this->includeAtTemplateBase('includes/header.php');
-?>
-
-
-
- <h2><?php echo($this->data['header']); ?></h2>
- <p><?php echo($this->t('{consent:noconsent_text}')); ?></p>
-
-<?php
- if($this->data['resumeFrom']) {
- echo('<p><a href="' . htmlspecialchars($this->data['resumeFrom']) . '">');
- echo($this->t('{consent:noconsent_return}'));
- echo('</a></p>');
- }
-?>
-
-<?php $this->includeAtTemplateBase('includes/footer.php'); ?>
\ No newline at end of file
diff --git a/www/saml2/idp/SSOService.php b/www/saml2/idp/SSOService.php
index b067f9a6262a2600053d32db95cf1187c0fdd437..dc24094f5ed0b1b9cfb9b011825885532d2c3a4f 100644
--- a/www/saml2/idp/SSOService.php
+++ b/www/saml2/idp/SSOService.php
@@ -57,7 +57,6 @@ if (isset($_GET['SAMLRequest'])) { $requestcache = array( 'RequestID' => $requestid, 'Issuer' => $issuer, - 'ConsentCookie' => SimpleSAML_Utilities::generateID(), 'RelayState' => $authnrequest->getRelayState() ); 
@@ -301,79 +300,7 @@ if($needAuth && !$isPassive) { } $filteredattributes = $authProcState['Attributes']; - - - - /* - * Dealing with attribute release consent. - */ - $requireconsent = false; - if (isset($idpmetadata['requireconsent'])) { - if (is_bool($idpmetadata['requireconsent'])) { - $requireconsent = $idpmetadata['requireconsent']; - } else { - throw new Exception('SAML 2.0 IdP hosted metadata parameter [requireconsent] is in illegal format, must be a PHP boolean type.'); - } - } - if ($requireconsent) { - - $consent = new SimpleSAML_Consent_Consent($config, $session, $spentityid, $idpentityid, $attributes, $filteredattributes, $requestcache['ConsentCookie']); - - if (!$consent->consent()) { - /* Save the request information. */ - $authId = SimpleSAML_Utilities::generateID(); - $session->setAuthnRequest('saml2', $authId, $requestcache); - - $t = new SimpleSAML_XHTML_Template($config, 'consent.php', 'attributes'); - $t->data['header'] = 'Consent'; - $t->data['sp_name'] = $sp_name; - $t->data['sp_description'] = (isset($spmetadata['description']) ? $spmetadata['description'] : "SP DESCRIPTION"); - $t->data['idp_name'] = (isset($idpmetadata['name']) ? $idpmetadata['name'] : $idpentityid); - $t->data['spentityid'] = $spentityid; - $t->data['spmetadata'] = $spmetadata; - $t->data['attributes'] = $filteredattributes; - $t->data['consenturl'] = SimpleSAML_Utilities::selfURLNoQuery(); - $t->data['requestid'] = $authId; - $t->data['consent_cookie'] = $requestcache['ConsentCookie']; - $t->data['usestorage'] = $consent->useStorage(); - $t->data['noconsent'] = '/' . $config->getBaseURL() . 
'noconsent.php'; - $t->data['noconsent_data'] = array( - 'sptype' => 'saml20-sp-remote', - 'spentityid' => $spentityid, - 'resumeFrom' => SimpleSAML_Utilities::selfURL(), - ); - - if (array_key_exists('privacypolicy', $spmetadata)) { - $privacypolicy = $spmetadata['privacypolicy']; - } elseif (array_key_exists('privacypolicy', $idpmetadata)) { - $privacypolicy = $idpmetadata['privacypolicy']; - } else { - $privacypolicy = FALSE; - } - if($privacypolicy !== FALSE) { - $privacypolicy = str_replace('%SPENTITYID%', urlencode($spentityid), - $privacypolicy); - } - $t->data['sppp'] = $privacypolicy; - - switch($config->getValueValidate('consent_autofocus', array(NULL, 'yes', 'no'), NULL)) { - case NULL: - break; - case 'yes': - $t->data['autofocus'] = 'yesbutton'; - break; - case 'no': - $t->data['autofocus'] = 'nobutton'; - break; - } - - $t->show(); - exit; - } - } - // END ATTRIBUTE CONSENT CODE - // Adding this service provider to the list of sessions. diff --git a/www/shib13/idp/SSOService.php b/www/shib13/idp/SSOService.php index 7a5f84145c4b1bf14a6ce6ccfb8d9f084986f3de..3f3b958c1f526c7070c4486e3bb8c204d09d8ac9 100644 --- a/www/shib13/idp/SSOService.php +++ b/www/shib13/idp/SSOService.php @@ -54,7 +54,6 @@ if (isset($_GET['shire'])) { 'Issuer' => $authnrequest->getIssuer(), 'shire' => $authnrequest->getShire(), 'RelayState' => $authnrequest->getRelayState(), - 'ConsentCookie' => SimpleSAML_Utilities::generateID(), ); SimpleSAML_Logger::info('Shib1.3 - IdP.SSOService: Got incomming Shib authnRequest requestid: '.$requestid); 
@@ -219,76 +218,7 @@ if (!$session->isAuthenticated($authority) ) { $filteredattributes = $authProcState['Attributes']; - - /* - * Dealing with attribute release consent. - */ - $requireconsent = false; - if (isset($idpmetadata['requireconsent'])) { - if (is_bool($idpmetadata['requireconsent'])) { - $requireconsent = $idpmetadata['requireconsent']; - } else { - throw new Exception('Shib1.3 IdP hosted metadata parameter [requireconsent] is in illegal format, must be a PHP boolean type.'); - } - } - if ($requireconsent) { - - $consent = new SimpleSAML_Consent_Consent($config, $session, $spentityid, $idpentityid, $attributes, $filteredattributes, $requestcache['ConsentCookie']); - - if (!$consent->consent()) { - /* Save the request information. */ - $authId = SimpleSAML_Utilities::generateID(); - $session->setAuthnRequest('shib13', $authId, $requestcache); - - $t = new SimpleSAML_XHTML_Template($config, 'consent.php', 'attributes'); - $t->data['header'] = 'Consent'; - $t->data['sp_name'] = $sp_name; - $t->data['sp_description'] = (isset($spmetadata['description']) ? $spmetadata['description'] : "SP DESCRIPTION"); - $t->data['idp_name'] = (isset($idpmetadata['name']) ? $idpmetadata['name'] : $idpentityid); - $t->data['spentityid'] = $spentityid; - $t->data['spmetadata'] = $spmetadata; - $t->data['attributes'] = $filteredattributes; - $t->data['consenturl'] = SimpleSAML_Utilities::selfURLNoQuery(); - $t->data['requestid'] = $authId; - $t->data['consent_cookie'] = $requestcache['ConsentCookie']; - $t->data['usestorage'] = $consent->useStorage(); - $t->data['noconsent'] = '/' . $config->getBaseURL() . 
'noconsent.php'; - $t->data['noconsent_data'] = array( - 'sptype' => 'shib13-sp-remote', - 'spentityid' => $spentityid, - 'resumeFrom' => SimpleSAML_Utilities::selfURL(), - ); - - if (array_key_exists('privacypolicy', $spmetadata)) { - $privacypolicy = $spmetadata['privacypolicy']; - } elseif (array_key_exists('privacypolicy', $idpmetadata)) { - $privacypolicy = $idpmetadata['privacypolicy']; - } else { - $privacypolicy = FALSE; - } - if($privacypolicy !== FALSE) { - $privacypolicy = str_replace('%SPENTITYID%', urlencode($spentityid), - $privacypolicy); - } - $t->data['sppp'] = $privacypolicy; - - switch($config->getValueValidate('consent_autofocus', array(NULL, 'yes', 'no'), NULL)) { - case NULL: - break; - case 'yes': - $t->data['autofocus'] = 'yesbutton'; - break; - case 'no': - $t->data['autofocus'] = 'nobutton'; - break; - } - - $t->show(); - exit; - } - } - // END ATTRIBUTE CONSENT CODE // Generating a Shibboleth 1.3 Response.