Commit 671b6f8f authored by Tim van Dijen's avatar Tim van Dijen

Fix SubjectID/PairwiseID authprocs; do not fail on non-fatal errors. Just silently continue

parent dda7aeb3
...@@ -73,6 +73,11 @@ class PairwiseID extends SubjectID ...@@ -73,6 +73,11 @@ class PairwiseID extends SubjectID
$userID = $this->getIdentifyingAttribute($state); $userID = $this->getIdentifyingAttribute($state);
$scope = $this->getScopeAttribute($state); $scope = $this->getScopeAttribute($state);
if ($scope === null || $userID === null) {
// Attributes missing, precondition not met
return;
}
if (!empty($state['saml:RequesterID'])) { if (!empty($state['saml:RequesterID'])) {
// Proxied request - use actual SP entity ID // Proxied request - use actual SP entity ID
$sp_entityid = $state['saml:RequesterID'][0]; $sp_entityid = $state['saml:RequesterID'][0];
......
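Review bot: The early `return` added after `getScopeAttribute()` makes this filter fail open: when either source attribute is missing, process() ends without generating an identifier, and nothing visible here clears a value that may already sit in `$state['Attributes']` under the target attribute name. In a proxied flow (the `saml:RequesterID` branch just below) that could let an identifier issued upstream reach the SP unchanged, which would not be pairwise per SP. The rest of process() is outside the hunk, so this needs confirming. I would at least make the comment say so, e.g. `// Attributes missing: no ID is generated and any existing value in the state is left as-is`, and consider dropping a pre-existing value before returning. The same early return is added to SubjectID::process() in the next section.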
...@@ -116,6 +116,11 @@ class SubjectID extends Auth\ProcessingFilter ...@@ -116,6 +116,11 @@ class SubjectID extends Auth\ProcessingFilter
$userID = $this->getIdentifyingAttribute($state); $userID = $this->getIdentifyingAttribute($state);
$scope = $this->getScopeAttribute($state); $scope = $this->getScopeAttribute($state);
if ($scope === null || $userID === null) {
// Attributes missing, precondition not met
return;
}
$value = strtolower($userID . '@' . $scope); $value = strtolower($userID . '@' . $scope);
$this->validateGeneratedIdentifier($value); $this->validateGeneratedIdentifier($value);
...@@ -127,20 +132,21 @@ class SubjectID extends Auth\ProcessingFilter ...@@ -127,20 +132,21 @@ class SubjectID extends Auth\ProcessingFilter
* Retrieve the identifying attribute from the state and test it for erroneous conditions * Retrieve the identifying attribute from the state and test it for erroneous conditions
* *
* @param array $state * @param array $state
* @return string * @return string|null
* @throws \SimpleSAML\Assert\AssertionFailedException if the pre-conditions are not met * @throws \SimpleSAML\Assert\AssertionFailedException if the pre-conditions are not met
*/ */
protected function getIdentifyingAttribute(array $state): string protected function getIdentifyingAttribute(array $state): ?string
{ {
Assert::keyExists($state, 'Attributes'); if (!array_key_exists('Attributes', $state) || !array_key_exists($this->identifyingAttribute, $state['Attributes'])) {
Assert::keyExists( $this->logger::warning(
$state['Attributes'], sprintf(
$this->identifyingAttribute, "core:" . static::NAME . ": Missing attribute '%s', which is needed to generate the ID.",
sprintf( $this->identifyingAttribute
"core:" . static::NAME . ": Missing attribute '%s', which is needed to generate the ID.", )
$this->identifyingAttribute );
)
); return null;
}
$userID = $state['Attributes'][$this->identifyingAttribute][0]; $userID = $state['Attributes'][$this->identifyingAttribute][0];
Assert::stringNotEmpty($userID, 'core' . static::NAME . ': \'identifyingAttribute\' cannot be an empty string.'); Assert::stringNotEmpty($userID, 'core' . static::NAME . ': \'identifyingAttribute\' cannot be an empty string.');
...@@ -153,20 +159,21 @@ class SubjectID extends Auth\ProcessingFilter ...@@ -153,20 +159,21 @@ class SubjectID extends Auth\ProcessingFilter
* Retrieve the scope attribute from the state and test it for erroneous conditions * Retrieve the scope attribute from the state and test it for erroneous conditions
* *
* @param array $state * @param array $state
* @return string * @return string|null
* @throws \SimpleSAML\Assert\AssertionFailedException if the pre-conditions are not met * @throws \SimpleSAML\Assert\AssertionFailedException if the pre-conditions are not met
*/ */
protected function getScopeAttribute(array $state): string protected function getScopeAttribute(array $state): ?string
{ {
Assert::keyExists($state, 'Attributes'); if (!array_key_exists('Attributes', $state) || !array_key_exists($this->scopeAttribute, $state['Attributes'])) {
Assert::keyExists( $this->logger::warning(
$state['Attributes'], sprintf(
$this->scopeAttribute, "core:" . static::NAME . ": Missing attribute '%s', which is needed to generate the ID.",
sprintf( $this->scopeAttribute
"core:" . static::NAME . ": Missing attribute '%s', which is needed to generate the ID.", )
$this->scopeAttribute );
)
); return null;
}
$scope = $state['Attributes'][$this->scopeAttribute][0]; $scope = $state['Attributes'][$this->scopeAttribute][0];
Assert::stringNotEmpty($scope, 'core' . static::NAME . ': \'scopeAttribute\' cannot be an empty string.'); Assert::stringNotEmpty($scope, 'core' . static::NAME . ': \'scopeAttribute\' cannot be an empty string.');
...@@ -183,7 +190,6 @@ class SubjectID extends Auth\ProcessingFilter ...@@ -183,7 +190,6 @@ class SubjectID extends Auth\ProcessingFilter
'core:' . static::NAME . ': \'scopeAttribute\' contains illegal characters.' 'core:' . static::NAME . ': \'scopeAttribute\' contains illegal characters.'
// ProtocolViolationException::class // ProtocolViolationException::class
); );
return $scope; return $scope;
} }
......
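Review bot: In `getIdentifyingAttribute()` and `getScopeAttribute()` the new `array_key_exists()` guard only covers an absent key. An attribute that is present with an empty value list still reaches `[...][0]`, which raises an undefined-offset warning and then throws from `Assert::stringNotEmpty()`. If empty value lists can occur, that case could be folded into the same branch with `$values = $state['Attributes'][$this->identifyingAttribute] ?? [];` followed by `if ($values === []) {` ahead of the warning and `return null;`. The docblocks also keep the unqualified `@throws ... if the pre-conditions are not met`; I would add `@return string|null The first value, or null when the attribute is absent` and narrow the `@throws` text to empty or invalid values. Parts of both function bodies lie outside the visible hunks.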