saml2: Use SAML library for handling logout messages from IdP.

git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@1609 44740490-163a-0410-bde0-09ae8108e29a

modules/saml2/lib/Message.php

@@ -181,6 +181,34 @@ class sspmod_saml2_Message {
 	}
 
 
+	/**
+	 * Check signature on a SAML2 message if enabled.
+	 *
+	 * @param SimpleSAML_Configuration $srcMetadata  The metadata of the sender.
+	 * @param SimpleSAML_Configuration $dstMetadata  The metadata of the recipient.
+	 * @param SAML2_Message $message  The message we should check the signature on.
+	 */
+	public static function validateMessage(
+		SimpleSAML_Configuration $srcMetadata,
+		SimpleSAML_Configuration $dstMetadata,
+		SAML2_Message $message
+		) {
+
+		$enabled = $srcMetadata->getBoolean('redirect.validate', NULL);
+		if ($enabled === NULL) {
+			$enabled = $dstMetadata->getBoolean('redirect.validate', FALSE);
+		}
+
+		if (!$enabled) {
+			return;
+		}
+
+		if (!self::checkSign($srcMetadata, $message)) {
+			throw new SimpleSAML_Error_Exception('Validation of received messages enabled, but no signature found on message.');
+		}
+	}
+
+
 	/**
 	 * Decrypt an assertion.
 	 *
@@ -293,6 +321,30 @@ class sspmod_saml2_Message {
 	}
 
 
+	/**
+	 * Build a logout response based on information in the metadata.
+	 *
+	 * @param SimpleSAML_Configuration $srcMetadata  The metadata of the sender.
+	 * @param SimpleSAML_Configuration $dstpMetadata  The metadata of the recipient.
+	 */
+	public static function buildLogoutResponse(SimpleSAML_Configuration $srcMetadata, SimpleSAML_Configuration $dstMetadata) {
+
+		$lr = new SAML2_LogoutResponse();
+
+		$lr->setIssuer($srcMetadata->getString('entityid'));
+
+		$dst = $dstMetadata->getString('SingleLogoutServiceResponse', NULL);
+		if ($dst === NULL) {
+			$dst = $dstMetadata->getString('SingleLogoutService');
+		}
+		$lr->setDestination($dst);
+
+		self::addSign($srcMetadata, $dstMetadata, $lr);
+
+		return $lr;
+	}
+
+
 	/**
 	 * Process a response message.
 	 *

modules/saml2/www/sp/logout.php

@@ -17,57 +17,54 @@ if ($source === NULL) {
 	throw new Exception('Could not find authentication source with id ' . $sourceId);
 }
 
+$binding = SAML2_Binding::getCurrentBinding();
+$message = $binding->receive();
 
-$config = SimpleSAML_Configuration::getInstance();
-$metadata = SimpleSAML_Metadata_MetaDataStorageHandler::getMetadataHandler();
+$idpEntityId = $message->getIssuer();
+if ($idpEntityId === NULL) {
+	/* Without an issuer we have no way to respond to the message. */
+	throw new SimpleSAML_Error_BadRequest('Received message on logout endpoint without issuer.');
+}
 
-if (array_key_exists('SAMLResponse', $_GET)) {
+$spEntityId = $source->getEntityId();
 
-	$binding = new SimpleSAML_Bindings_SAML20_HTTPRedirect($config, $metadata);
-	$response = $binding->decodeLogoutResponse($_GET);
+$metadata = SimpleSAML_Metadata_MetaDataStorageHandler::getMetadataHandler();
+$idpMetadata = $metadata->getMetaDataConfig($idpEntityId, 'saml20-idp-remote');
+$spMetadata = $metadata->getMetaDataConfig($spEntityId, 'saml20-sp-hosted');
 
-	if ($binding->validateQuery($response->getIssuer(), 'SP', 'SAMLResponse')) {
-		SimpleSAML_Logger::debug('module/saml2/sp/logout: Valid signature found on response');
-	}
+sspmod_saml2_Message::validateMessage($idpMetadata, $spMetadata, $message);
 
-	if (!array_key_exists('RelayState', $_REQUEST)) {
+if ($message instanceof SAML2_LogoutResponse) {
+
+	$relayState = $message->getRelayState();
+	if ($relayState === NULL) {
+		/* Somehow, our RelayState has been lost. */
 		throw new SimpleSAML_Error_BadRequest('Missing RelayState in logout response.');
 	}
 
-	$stateId = $_REQUEST['RelayState'];
-	$state = SimpleSAML_Auth_State::loadState($_REQUEST['RelayState'], sspmod_saml2_Auth_Source_SP::STAGE_LOGOUTSENT);
-
-
-	SimpleSAML_Auth_Source::completeLogout($state);
-
-} elseif (array_key_exists('SAMLRequest', $_GET)) {
-
-	$binding = new SimpleSAML_Bindings_SAML20_HTTPRedirect($config, $metadata);
-
-	$request = $binding->decodeLogoutRequest($_GET);
-
-	$requestId = $request->getRequestID();
-	$idpEntityId = $request->getIssuer();
-	$relayState = $request->getRelayState();
-
-	if ($binding->validateQuery($idpEntityId, 'SP')) {
-		SimpleSAML_Logger::debug('module/saml2/sp/logout: Valid signature found on request');
+	if (!$message->isSuccess()) {
+		SimpleSAML_Logger::warning('Unsuccessful logout. Status was: ' . sspmod_saml2_Message::getResponseError($message));
 	}
 
+	$state = SimpleSAML_Auth_State::loadState($relayState, sspmod_saml2_Auth_Source_SP::STAGE_LOGOUTSENT);
+	SimpleSAML_Auth_Source::completeLogout($state);
 
-	$spEntityId = $source->getEntityId();
+} elseif ($message instanceof SAML2_LogoutRequest) {
 
-	SimpleSAML_Logger::debug('module/saml2/sp/logout: Request from ' . $idpEntityId . ' with request id ' . $requestId);
+	SimpleSAML_Logger::debug('module/saml2/sp/logout: Request from ' . $idpEntityId);
 	SimpleSAML_Logger::stats('saml20-idp-SLO idpinit ' . $spEntityId . ' ' . $idpEntityId);
 
 	/* Notify source of logout, so that it may call logout callbacks. */
 	$source->onLogout($idpEntityId);
 
 	/* Create an send response. */
-	$lr = new SimpleSAML_XML_SAML20_LogoutResponse($config, $metadata);
-	$responseXML = $lr->generate($spEntityId, $idpEntityId, $requestId, 'SP');
-	$binding->sendMessage($responseXML, $spEntityId, $idpEntityId, $relayState, 'SingleLogoutServiceResponse', 'SAMLResponse');
+	$lr = sspmod_saml2_Message::buildLogoutResponse($spMetadata, $idpMetadata);
+	$lr->setRelayState($message->getRelayState());
+	$lr->setInResponseTo($message->getId());
 
+	$binding = new SAML2_HTTPRedirect();
+	$binding->setDestination(sspmod_SAML2_Message::getDebugDestination());
+	$binding->send($lr);
 } else {
-	throw new SimpleSAML_Error_BadRequest('Missing request or response to logout endpoint');
+	throw new SimpleSAML_Error_BadRequest('Unknown message received on logout endpoint: ' . get_class($message));
 }