Commit 671b6f8f authored by Tim van Dijen's avatar Tim van Dijen

Fix SubjectID/PairwiseID authprocs; do not fail on non-fatal errors. Just silently continue

parent dda7aeb3
......@@ -73,6 +73,11 @@ class PairwiseID extends SubjectID
$userID = $this->getIdentifyingAttribute($state);
$scope = $this->getScopeAttribute($state);
if ($scope === null || $userID === null) {
// Attributes missing, precondition not met
return;
}
if (!empty($state['saml:RequesterID'])) {
// Proxied request - use actual SP entity ID
$sp_entityid = $state['saml:RequesterID'][0];
......
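Review bot: The early return after the `$scope === null || $userID === null` check makes the filter fail open: no pairwise-id is generated and authentication continues, and the only trace is the warning logged in the getters (assuming PairwiseID inherits them from SubjectID). The comment should say this explicitly, e.g. `// Attribute missing (warning already logged): skip ID generation and continue without a pairwise-id`, so that operators know a service provider expecting the identifier can receive an assertion without it. The same applies to the identical block added in the SubjectID hunk at -116. The enclosing method starts and ends outside the hunk.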
......@@ -116,6 +116,11 @@ class SubjectID extends Auth\ProcessingFilter
$userID = $this->getIdentifyingAttribute($state);
$scope = $this->getScopeAttribute($state);
if ($scope === null || $userID === null) {
// Attributes missing, precondition not met
return;
}
$value = strtolower($userID . '@' . $scope);
$this->validateGeneratedIdentifier($value);
......@@ -127,20 +132,21 @@ class SubjectID extends Auth\ProcessingFilter
* Retrieve the identifying attribute from the state and test it for erroneous conditions
*
* @param array $state
* @return string
* @return string|null
* @throws \SimpleSAML\Assert\AssertionFailedException if the pre-conditions are not met
*/
protected function getIdentifyingAttribute(array $state): string
protected function getIdentifyingAttribute(array $state): ?string
{
Assert::keyExists($state, 'Attributes');
Assert::keyExists(
$state['Attributes'],
$this->identifyingAttribute,
sprintf(
"core:" . static::NAME . ": Missing attribute '%s', which is needed to generate the ID.",
$this->identifyingAttribute
)
);
if (!array_key_exists('Attributes', $state) || !array_key_exists($this->identifyingAttribute, $state['Attributes'])) {
$this->logger::warning(
sprintf(
"core:" . static::NAME . ": Missing attribute '%s', which is needed to generate the ID.",
$this->identifyingAttribute
)
);
return null;
}
$userID = $state['Attributes'][$this->identifyingAttribute][0];
Assert::stringNotEmpty($userID, 'core' . static::NAME . ': \'identifyingAttribute\' cannot be an empty string.');
......@@ -153,20 +159,21 @@ class SubjectID extends Auth\ProcessingFilter
* Retrieve the scope attribute from the state and test it for erroneous conditions
*
* @param array $state
* @return string
* @return string|null
* @throws \SimpleSAML\Assert\AssertionFailedException if the pre-conditions are not met
*/
protected function getScopeAttribute(array $state): string
protected function getScopeAttribute(array $state): ?string
{
Assert::keyExists($state, 'Attributes');
Assert::keyExists(
$state['Attributes'],
$this->scopeAttribute,
sprintf(
"core:" . static::NAME . ": Missing attribute '%s', which is needed to generate the ID.",
$this->scopeAttribute
)
);
if (!array_key_exists('Attributes', $state) || !array_key_exists($this->scopeAttribute, $state['Attributes'])) {
$this->logger::warning(
sprintf(
"core:" . static::NAME . ": Missing attribute '%s', which is needed to generate the ID.",
$this->scopeAttribute
)
);
return null;
}
$scope = $state['Attributes'][$this->scopeAttribute][0];
Assert::stringNotEmpty($scope, 'core' . static::NAME . ': \'scopeAttribute\' cannot be an empty string.');
......@@ -183,7 +190,6 @@ class SubjectID extends Auth\ProcessingFilter
'core:' . static::NAME . ': \'scopeAttribute\' contains illegal characters.'
// ProtocolViolationException::class
);
return $scope;
}
......
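Review bot: In getIdentifyingAttribute() and getScopeAttribute() the new guard only tests that the attribute key exists, so an attribute that is present with an empty value list still reaches `[0]` and then `Assert::stringNotEmpty`, which aborts authentication; if that case is also meant to be non-fatal, the commit does not cover it. Consider widening the condition with `|| empty($state['Attributes'][$this->identifyingAttribute])` and the `scopeAttribute` equivalent, so that both kinds of "no usable value" take the same warning-and-null path. The docblocks still say `@throws ... if the pre-conditions are not met`, which no longer matches; something like `@throws ... if the attribute value is empty or contains illegal characters` plus `@return string|null The value, or null when the attribute is missing` would be accurate. Both method bodies continue outside the visible hunks.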