diff --git a/1 b/1
new file mode 100644
index 0000000000000000000000000000000000000000..8c7b168cdc979051478171febc8fdbedbccdf61c
--- /dev/null
+++ b/1
@@ -0,0 +1,25 @@
+# This is a combination of 2 commits.
+# This is the 1st commit message:
+
+#Secure cookies by default
+
+# This is the commit message #2:
+
+Secure cookies by default
+
+# Please enter the commit message for your changes. Lines starting
+# with '#' will be ignored, and an empty message aborts the commit.
+#
+# Date: Wed Mar 24 18:03:43 2021 +0100
+#
+# interactive rebase in progress; onto f75e76700
+# Last commands done (3 commands done):
+# pick f241edbab Secure cookies by default
+# squash 37d852866 Secure cookies by default
+# No commands remaining.
+# You are currently rebasing branch 'simplesamlphp-1.19' on 'f75e76700'.
+#
+# Changes to be committed:
+# modified: config-templates/config.php
+# modified: docs/simplesamlphp-upgrade-notes-1.19.md
+#
diff --git a/composer.json b/composer.json
index 9314b1111bd447f76e7692b023d419bad5d395cc..8d4c7537d9bf5d6be6721759de5f931abe5bb6c4 100644
--- a/composer.json
+++ b/composer.json
@@ -46,6 +46,7 @@
"gettext/gettext": "^4.8",
"phpmailer/phpmailer": "^6.1",
"robrichards/xmlseclibs": "^3.1",
+ "simplesamlphp/assert": "^0.0.13",
"simplesamlphp/saml2": "^4.1",
"simplesamlphp/simplesamlphp-module-adfs": "^0.9",
"simplesamlphp/simplesamlphp-module-authcrypt": "^0.9",
diff --git a/docs/simplesamlphp-changelog.md b/docs/simplesamlphp-changelog.md
index 51eb1dea99c22c8e23bb71106c77515561e9f7e5..a2cc24cf11ce7035034e0c4779f7911db724d7c9 100644
--- a/docs/simplesamlphp-changelog.md
+++ b/docs/simplesamlphp-changelog.md
@@ -10,6 +10,7 @@ See the upgrade notes for specific information about upgrading.
Released TBD
+ * Added authproc-filters for generating the subject-id and pairwise-id (#1435)
* Restore support for custom error messages (#1326)
* Fixed a bug in the Artifact Resolution Service (#1428)
* Fixed compatibility with Composer pre 1.8.5 (Debian 10) (#1427)
diff --git a/modules/core/docs/authproc_pairwiseid.md b/modules/core/docs/authproc_pairwiseid.md
new file mode 100644
index 0000000000000000000000000000000000000000..254aa85bdddb00be48e02597217f92e771ee6f05
--- /dev/null
+++ b/modules/core/docs/authproc_pairwiseid.md
@@ -0,0 +1,19 @@
+`core:PairwiseID`
+===================
+
+Filter to insert a pairwise-id that complies with the following specification;
+http://docs.oasis-open.org/security/saml-subject-id-attr/v1.0/saml-subject-id-attr-v1.0.pdf
+
+This filter will take an attribute and a scope as input and transforms this into a anonymized and scoped
+identifier that is globally unique for a given user & service provider combination.
+
+Examples
+--------
+
+ 'authproc' => [
+ 50 => [
+ 'class' => 'core:PairwiseID',
+ 'identifyingAttribute' => 'uid',
+ 'scope' => 'example.org',
+ ],
+ ],
diff --git a/modules/core/docs/authproc_subjectid.md b/modules/core/docs/authproc_subjectid.md
new file mode 100644
index 0000000000000000000000000000000000000000..21852fb45e2842bf1a8a4d5ad1bbc174f22b2db2
--- /dev/null
+++ b/modules/core/docs/authproc_subjectid.md
@@ -0,0 +1,22 @@
+`core:SubjectID`
+===================
+
+Filter to insert a subject-id that complies with the following specification;
+http://docs.oasis-open.org/security/saml-subject-id-attr/v1.0/saml-subject-id-attr-v1.0.pdf
+
+This filter will take an attribute and a scope as input and transforms this into a scoped identifier that is globally unique for a given user.
+
+Note:
+-----
+If privacy is of your concern, you may want to use the PairwiseID-filter instead.
+
+Examples
+--------
+
+ 'authproc' => [
+ 50 => [
+ 'class' => 'core:SubjectID',
+ 'identifyingAttribute' => 'uid',
+ 'scope' => 'example.org',
+ ],
+ ],
diff --git a/modules/core/lib/Auth/Process/PairwiseID.php b/modules/core/lib/Auth/Process/PairwiseID.php
new file mode 100644
index 0000000000000000000000000000000000000000..4bd5ed0cb0363f443ec8a9ce042daf6df23c2f08
--- /dev/null
+++ b/modules/core/lib/Auth/Process/PairwiseID.php
@@ -0,0 +1,86 @@
+<?php
+
+declare(strict_types=1);
+
+namespace SimpleSAML\Module\core\Auth\Process;
+
+use Exception;
+use SAML2\Constants;
+use SAML2\XML\saml\NameID;
+use SimpleSAML\Assert\Assert;
+use SimpleSAML\Auth;
+use SimpleSAML\Utils;
+
+/**
+ * Filter to generate the Pairwise ID attribute.
+ *
+ * See: http://docs.oasis-open.org/security/saml-subject-id-attr/v1.0/csprd01/saml-subject-id-attr-v1.0-csprd01.html
+ *
+ * By default, this filter will generate the ID based on the UserID of the current user.
+ * This is generated from the attribute configured in 'identifyingAttribute' in the
+ * authproc-configuration.
+ *
+ * Example - generate from attribute:
+ * <code>
+ * 'authproc' => [
+ * 50 => [
+ * 'core:PairwiseID',
+ * 'identifyingAttribute' => 'uid',
+ * 'scope' => 'example.org',
+ * ]
+ * ]
+ * </code>
+ *
+ * @package SimpleSAMLphp
+ */
+class PairwiseID extends SubjectID
+{
+ /**
+ * The name for this class
+ */
+ public const NAME = 'PairwiseID';
+
+ /**
+ * @psalm-var \SimpleSAML\Utils\Config|class-string
+ * @var \SimpleSAML\Utils\Config
+ */
+ protected $configUtils = Utils\Config::class;
+
+
+ /**
+ * Apply filter to add the Pairwise ID.
+ *
+ * @param array &$state The current state.
+ */
+ public function process(&$state): void
+ {
+ $userID = $this->getIdentifyingAttribute($state);
+
+ if (!empty($state['saml:RequesterID'])) {
+ // Proxied request - use actual SP entity ID
+ $sp_entityid = $state['saml:RequesterID'][0];
+ } else {
+ $sp_entityid = $state['core:SP'];
+ }
+
+ // Calculate hash
+ $salt = $this->configUtils::getSecretSalt();
+ $hash = hash('sha256', $salt . '|' . $userID . '|' . $sp_entityid, false);
+
+ $value = strtolower($hash . '@' . $this->scope);
+ $this->validateGeneratedIdentifier($value);
+
+ $state['Attributes'][Constants::ATTR_PAIRWISE_ID] = [$value];
+ }
+
+
+ /**
+ * Inject the \SimpleSAML\Utils\Config dependency.
+ *
+ * @param \SimpleSAML\Utils\Config $configUtils
+ */
+ public function setConfigUtils(Utils\Config $configUtils): void
+ {
+ $this->configUtils = $configUtils;
+ }
+}
diff --git a/modules/core/lib/Auth/Process/SubjectID.php b/modules/core/lib/Auth/Process/SubjectID.php
new file mode 100644
index 0000000000000000000000000000000000000000..3f6129863bd8aa7f1e44af363b23354f99c41285
--- /dev/null
+++ b/modules/core/lib/Auth/Process/SubjectID.php
@@ -0,0 +1,182 @@
+<?php
+
+declare(strict_types=1);
+
+namespace SimpleSAML\Module\core\Auth\Process;
+
+use Exception;
+use SAML2\Constants;
+use SAML2\XML\saml\NameID;
+use SimpleSAML\Assert\Assert;
+use SimpleSAML\Auth;
+use SimpleSAML\Logger;
+
+/**
+ * Filter to generate the subject ID attribute.
+ *
+ * See: http://docs.oasis-open.org/security/saml-subject-id-attr/v1.0/csprd01/saml-subject-id-attr-v1.0-csprd01.html
+ *
+ * By default, this filter will generate the ID based on the UserID of the current user.
+ * This is generated from the attribute configured in 'identifyingAttribute' in the
+ * authproc-configuration.
+ *
+ * Example - generate from attribute:
+ * <code>
+ * 'authproc' => [
+ * 50 => [
+ * 'core:SubjectID',
+ * 'identifyingAttribute' => 'uid',
+ * 'scope' => 'example.org',
+ * ]
+ * ]
+ * </code>
+ *
+ * @package SimpleSAMLphp
+ */
+class SubjectID extends Auth\ProcessingFilter
+{
+ /**
+ * The name for this class
+ */
+ public const NAME = 'SubjectID';
+
+ /**
+ * The regular expression to match the scope
+ *
+ * @var string
+ */
+ public const SCOPE_PATTERN = '/^[a-z0-9][a-z0-9.-]{0,126}$/i';
+
+ /**
+ * The regular expression to match the specifications
+ *
+ * @var string
+ */
+ public const SPEC_PATTERN = '/^[a-z0-9][a-z0-9=-]{0,126}@[a-z0-9][a-z0-9.-]{0,126}$/i';
+
+ /**
+ * The regular expression to match worrisome identifiers that need to raise a warning
+ *
+ * @var string
+ */
+ public const WARN_PATTERN = '/^[a-z0-9][a-z0-9=-]{3,126}@[a-z0-9][a-z0-9.-]{3,126}$/i';
+
+ /**
+ * The attribute we should generate the subject id from.
+ *
+ * @var string
+ */
+ protected $identifyingAttribute;
+
+ /**
+ * The scope to use for this attribute.
+ *
+ * @var string
+ */
+ protected $scope;
+
+ /**
+ * @var \SimpleSAML\Logger|string
+ * @psalm-var \SimpleSAML\Logger|class-string
+ */
+ protected $logger = Logger::class;
+
+
+ /**
+ * Initialize this filter.
+ *
+ * @param array &$config Configuration information about this filter.
+ * @param mixed $reserved For future use.
+ */
+ public function __construct(array &$config, $reserved)
+ {
+ parent::__construct($config, $reserved);
+
+ Assert::keyExists($config, 'identifyingAttribute', "Missing mandatory 'identifyingAttribute' config setting.");
+ Assert::keyExists($config, 'scope', "Missing mandatory 'scope' config setting.");
+ Assert::stringNotEmpty($config['identifyingAttribute']);
+ Assert::regex(
+ $config['scope'],
+ self::SCOPE_PATTERN,
+ 'core:' . static::NAME . ': \'scope\' contains illegal characters.'
+ );
+
+ $this->identifyingAttribute = $config['identifyingAttribute'];
+ $this->scope = $config['scope'];
+ }
+
+
+ /**
+ * Apply filter to add the subject ID.
+ *
+ * @param array &$state The current state.
+ */
+ public function process(&$state): void
+ {
+ $userID = $this->getIdentifyingAttribute($state);
+
+ $value = strtolower($userID . '@' . $this->scope);
+ $this->validateGeneratedIdentifier($value);
+
+ $state['Attributes'][Constants::ATTR_SUBJECT_ID] = [$value];
+ }
+
+
+ /**
+ * Retrieve the identifying attribute from the state and test it for erroneous conditions
+ *
+ * @param array $state
+ * @return string
+ * @throws \SimpleSAML\Assert\AssertionFailedException if the pre-conditions are not met
+ */
+ protected function getIdentifyingAttribute(array $state): string
+ {
+ Assert::keyExists($state, 'Attributes');
+ Assert::keyExists(
+ $state['Attributes'],
+ $this->identifyingAttribute,
+ sprintf(
+ "core:" . static::NAME . ": Missing attribute '%s', which is needed to generate the ID.",
+ $this->identifyingAttribute
+ )
+ );
+
+ $userID = $state['Attributes'][$this->identifyingAttribute][0];
+ Assert::stringNotEmpty($userID, 'core' . static::NAME . ': \'identifyingAttribute\' cannot be an empty string.');
+
+ return $userID;
+ }
+
+
+ /**
+ * Test the generated identifier to ensure compliancy with the specifications.
+ * Log a warning when the generated value is considered to be weak
+ *
+ * @param string $value
+ * @return void
+ * @throws \SimpleSAML\Assert\AssertionFailedException if the post-conditions are not met
+ */
+ protected function validateGeneratedIdentifier(string $value): void
+ {
+ Assert::regex(
+ $value,
+ self::SPEC_PATTERN,
+ 'core:' . static::NAME . ': Generated ID \'' . $value . '\' contains illegal characters.'
+ );
+
+ if (preg_match(self::WARN_PATTERN, $value) === 0) {
+ $this->logger::warning('core:' . static::NAME . ': Generated ID \'' . $value . '\' can hardly be considered globally unique.');
+ }
+ }
+
+
+ /**
+ * Inject the \SimpleSAML\Logger dependency.
+ *
+ * @param \SimpleSAML\Logger $logger
+ */
+ public function setLogger(Logger $logger): void
+ {
+ $this->logger = $logger;
+ }
+}
diff --git a/tests/modules/core/lib/Auth/Process/PairwiseIDTest.php b/tests/modules/core/lib/Auth/Process/PairwiseIDTest.php
new file mode 100644
index 0000000000000000000000000000000000000000..2e870a0a1b053b83e5c0ff8c81381ca5cd84822b
--- /dev/null
+++ b/tests/modules/core/lib/Auth/Process/PairwiseIDTest.php
@@ -0,0 +1,317 @@
+<?php
+
+declare(strict_types=1);
+
+namespace SimpleSAML\Test\Module\core\Auth\Process;
+
+use PHPUnit\Framework\TestCase;
+use RuntimeException;
+use SAML2\Constants;
+use SAML2\XML\saml\NameID;
+use SimpleSAML\Assert\AssertionFailedException;
+use SimpleSAML\Configuration;
+use SimpleSAML\Logger;
+use SimpleSAML\Module\core\Auth\Process\PairwiseID;
+use SimpleSAML\Utils;
+
+/**
+ * Test for the core:PairwiseID filter.
+ *
+ * @covers \SimpleSAML\Module\core\Auth\Process\PairwiseID
+ */
+class PairwiseIDTest extends TestCase
+{
+ /** @var \SimpleSAML\Configuration */
+ protected $config;
+
+ /** @var \SimpleSAML\Utils\Config */
+ protected static $configUtils;
+
+ /** @var \SimpleSAML\Logger */
+ protected static $logger;
+
+
+ /**
+ * Set up for each test.
+ */
+ protected function setUp(): void
+ {
+ parent::setUp();
+
+ self::$configUtils = new class () extends Utils\Config {
+ public static function getSecretSalt()
+ {
+ // stub
+ return 'secretsalt';
+ }
+ };
+
+ self::$logger = new class () extends Logger {
+ public static function warning($string)
+ {
+ // stub
+ throw new RuntimeException($string);
+ }
+ };
+ }
+
+
+ /**
+ * Helper function to run the filter with a given configuration.
+ *
+ * @param array $config The filter configuration.
+ * @param array $request The request state.
+ * @return array The state array after processing.
+ */
+ private static function processFilter(array $config, array $request): array
+ {
+ $filter = new PairwiseID($config, null);
+ $filter->setConfigUtils(self::$configUtils);
+ $filter->setLogger(self::$logger);
+ $filter->process($request);
+ return $request;
+ }
+
+
+ /**
+ * Test the most basic functionality
+ */
+ public function testBasic(): void
+ {
+ $config = ['identifyingAttribute' => 'uid', 'scope' => 'ex-ample.org'];
+ $request = [
+ 'Attributes' => ['uid' => ['u=se-r2']],
+ 'core:SP' => 'urn:sp',
+ ];
+ $result = self::processFilter($config, $request);
+ $attributes = $result['Attributes'];
+ $this->assertArrayHasKey(Constants::ATTR_PAIRWISE_ID, $attributes);
+ $this->assertRegExp(
+ PairwiseID::SPEC_PATTERN,
+ $attributes[Constants::ATTR_PAIRWISE_ID][0]
+ );
+ $this->assertEquals(
+ '53d4f7fe57fb597ada481e81e0f15048bc610774cbb5614ea38f08ea918ba199@ex-ample.org',
+ $attributes[Constants::ATTR_PAIRWISE_ID][0]
+ );
+ }
+
+
+ /**
+ * Test the most basic functionality on proxied request
+ */
+ public function testBasicProxiedRequest(): void
+ {
+ $config = ['identifyingAttribute' => 'uid', 'scope' => 'ex-ample.org'];
+ $request = [
+ 'Attributes' => ['uid' => ['u=se-r2']],
+ 'saml:RequesterID' => [0 => 'urn:sp'],
+ ];
+ $result = self::processFilter($config, $request);
+ $attributes = $result['Attributes'];
+ $this->assertArrayHasKey(Constants::ATTR_PAIRWISE_ID, $attributes);
+ $this->assertRegExp(
+ PairwiseID::SPEC_PATTERN,
+ $attributes[Constants::ATTR_PAIRWISE_ID][0]
+ );
+ $this->assertEquals(
+ '53d4f7fe57fb597ada481e81e0f15048bc610774cbb5614ea38f08ea918ba199@ex-ample.org',
+ $attributes[Constants::ATTR_PAIRWISE_ID][0]
+ );
+ }
+
+
+ /**
+ * Test the proxied request with multiple hops
+ */
+ public function testProxiedRequestMultipleHops(): void
+ {
+ $config = ['identifyingAttribute' => 'uid', 'scope' => 'ex-ample.org'];
+ $request = [
+ 'Attributes' => ['uid' => ['u=se-r2']],
+ 'saml:RequesterID' => [0 => 'urn:sp', 1 => 'urn:some:sp', 2 => 'urn:some:other:sp'],
+ ];
+ $result = self::processFilter($config, $request);
+ $attributes = $result['Attributes'];
+ $this->assertArrayHasKey(Constants::ATTR_PAIRWISE_ID, $attributes);
+ $this->assertRegExp(
+ PairwiseID::SPEC_PATTERN,
+ $attributes[Constants::ATTR_PAIRWISE_ID][0]
+ );
+ $this->assertEquals(
+ '53d4f7fe57fb597ada481e81e0f15048bc610774cbb5614ea38f08ea918ba199@ex-ample.org',
+ $attributes[Constants::ATTR_PAIRWISE_ID][0]
+ );
+ }
+
+
+ /**
+ * Test that illegal characters in scope throws an exception.
+ */
+ public function testScopeIllegalCharacterThrowsException(): void
+ {
+ $config = ['identifyingAttribute' => 'uid', 'scope' => 'ex%ample.org'];
+ $request = [
+ 'Attributes' => ['uid' => ['user2']],
+ 'core:SP' => 'urn:sp',
+ ];
+
+ $this->expectException(AssertionFailedException::class);
+ self::processFilter($config, $request);
+ }
+
+
+ /**
+ * Test that generated ID's for the same user, but different SP's are NOT equal
+ */
+ public function testUniqueIdentifierPerSPSameUser(): void
+ {
+ $config = ['identifyingAttribute' => 'uid', 'scope' => 'example.org'];
+ $request = [
+ 'Attributes' => ['uid' => ['user1']],
+ 'core:SP' => 'urn:sp',
+ ];
+
+ // Generate first ID
+ $result = self::processFilter($config, $request);
+ $attributes = $result['Attributes'];
+ $this->assertArrayHasKey(Constants::ATTR_PAIRWISE_ID, $attributes);
+ $value1 = $attributes[Constants::ATTR_PAIRWISE_ID][0];
+
+ // Switch SP
+ $request['core:SP'] = 'urn:some:other:sp';
+
+ // Generate second ID
+ $result = self::processFilter($config, $request);
+ $attributes = $result['Attributes'];
+ $this->assertArrayHasKey(Constants::ATTR_PAIRWISE_ID, $attributes);
+ $value2 = $attributes[Constants::ATTR_PAIRWISE_ID][0];
+
+ $this->assertNotSame($value1, $value2);
+ }
+
+
+ /**
+ * Test that generated ID's for different users, but the same SP's are NOT equal
+ */
+ public function testUniqueIdentifierPerUserSameSP(): void
+ {
+ $config = ['identifyingAttribute' => 'uid', 'scope' => 'example.org'];
+ $request = [
+ 'Attributes' => ['uid' => ['user1']],
+ 'core:SP' => 'urn:sp',
+ ];
+
+ // Generate first ID
+ $result = self::processFilter($config, $request);
+ $attributes = $result['Attributes'];
+ $this->assertArrayHasKey(Constants::ATTR_PAIRWISE_ID, $attributes);
+ $value1 = $attributes[Constants::ATTR_PAIRWISE_ID][0];
+
+ // Switch user
+ $request['Attributes'] = ['uid' => ['user2']];
+
+ // Generate second ID
+ $result = self::processFilter($config, $request);
+ $attributes = $result['Attributes'];
+ $this->assertArrayHasKey(Constants::ATTR_PAIRWISE_ID, $attributes);
+ $value2 = $attributes[Constants::ATTR_PAIRWISE_ID][0];
+
+ $this->assertNotSame($value1, $value2);
+ }
+
+
+ /**
+ * Test that generated ID's for the same user and same SP, but with a different salt are NOT equal
+ */
+ public function testUniqueIdentifierDifferentSalts(): void
+ {
+ $config = ['identifyingAttribute' => 'uid', 'scope' => 'example.org'];
+ $request = [
+ 'Attributes' => ['uid' => ['user1']],
+ 'core:SP' => 'urn:sp',
+ ];
+
+ // Generate first ID
+ $result = self::processFilter($config, $request);
+ $attributes = $result['Attributes'];
+ $this->assertArrayHasKey(Constants::ATTR_PAIRWISE_ID, $attributes);
+ $value1 = $attributes[Constants::ATTR_PAIRWISE_ID][0];
+
+ // Change the salt
+ self::$configUtils = new class () extends Utils\Config {
+ public static function getSecretSalt()
+ {
+ // stub
+ return 'pepper';
+ }
+ };
+
+ // Generate second ID
+ $result = self::processFilter($config, $request);
+ $attributes = $result['Attributes'];
+ $this->assertArrayHasKey(Constants::ATTR_PAIRWISE_ID, $attributes);
+ $value2 = $attributes[Constants::ATTR_PAIRWISE_ID][0];
+
+ $this->assertNotSame($value1, $value2);
+ }
+
+
+ /**
+ * Test that generated ID's for the same user and same SP, but with a different scope are NOT equal
+ */
+ public function testUniqueIdentifierDifferentScopes(): void
+ {
+ $config = ['identifyingAttribute' => 'uid', 'scope' => 'example.org'];
+ $request = [
+ 'Attributes' => ['uid' => ['user1']],
+ 'core:SP' => 'urn:sp',
+ ];
+
+ // Generate first ID
+ $result = self::processFilter($config, $request);
+ $attributes = $result['Attributes'];
+ $this->assertArrayHasKey(Constants::ATTR_PAIRWISE_ID, $attributes);
+ $value1 = $attributes[Constants::ATTR_PAIRWISE_ID][0];
+
+ // Change the scope
+ $config['scope'] = 'example.edu';
+
+ // Generate second ID
+ $result = self::processFilter($config, $request);
+ $attributes = $result['Attributes'];
+ $this->assertArrayHasKey(Constants::ATTR_PAIRWISE_ID, $attributes);
+ $value2 = $attributes[Constants::ATTR_PAIRWISE_ID][0];
+
+ $this->assertNotSame($value1, $value2);
+
+ $this->assertRegExp(
+ '/@example.org$/i',
+ $value1
+ );
+ $this->assertRegExp(
+ '/@example.edu$/i',
+ $value2
+ );
+ }
+
+
+ /**
+ * Test that weak identifiers log a warning
+ */
+ public function testWeakIdentifierLogsWarning(): void
+ {
+ $config = ['identifyingAttribute' => 'uid', 'scope' => 'b'];
+ $request = [
+ 'Attributes' => ['uid' => ['a']],
+ 'core:SP' => 'urn:sp',
+ ];
+
+ $this->expectException(RuntimeException::class);
+ $this->expectExceptionMessage(
+ 'core:PairwiseID: Generated ID \'c5b54935db5e291a6b94688921fa77ced8ce425ce8c61a448bd4997f494dbebe@b\' can hardly be considered globally unique.'
+ );
+
+ self::processFilter($config, $request);
+ }
+}
diff --git a/tests/modules/core/lib/Auth/Process/SubjectIDTest.php b/tests/modules/core/lib/Auth/Process/SubjectIDTest.php
new file mode 100644
index 0000000000000000000000000000000000000000..44dcc3e3ccc611346e2c85e18e612c88d19d864d
--- /dev/null
+++ b/tests/modules/core/lib/Auth/Process/SubjectIDTest.php
@@ -0,0 +1,196 @@
+<?php
+
+declare(strict_types=1);
+
+namespace SimpleSAML\Test\Module\core\Auth\Process;
+
+use PHPUnit\Framework\TestCase;
+use RuntimeException;
+use SAML2\Constants;
+use SAML2\XML\saml\NameID;
+use SimpleSAML\Assert\AssertionFailedException;
+use SimpleSAML\Configuration;
+use SimpleSAML\Logger;
+use SimpleSAML\Module\core\Auth\Process\SubjectID;
+use SimpleSAML\Utils;
+
+/**
+ * Test for the core:SubjectID filter.
+ *
+ * @covers \SimpleSAML\Module\core\Auth\Process\SubjectID
+ */
+class SubjectIDTest extends TestCase
+{
+ /** @var \SimpleSAML\Configuration */
+ protected $config;
+
+ /** @var \SimpleSAML\Logger */
+ protected static $logger;
+
+
+ /**
+ * Set up for each test.
+ */
+ protected function setUp(): void
+ {
+ parent::setUp();
+
+ self::$logger = new class () extends Logger {
+ public static function warning($string)
+ {
+ // stub
+ throw new RuntimeException($string);
+ }
+ };
+ }
+
+
+ /**
+ * Helper function to run the filter with a given configuration.
+ *
+ * @param array $config The filter configuration.
+ * @param array $request The request state.
+ * @return array The state array after processing.
+ */
+ private static function processFilter(array $config, array $request): array
+ {
+ $filter = new SubjectID($config, null);
+ $filter->setLogger(self::$logger);
+ $filter->process($request);
+ return $request;
+ }
+
+
+ /**
+ * Test the most basic functionality
+ */
+ public function testBasic(): void
+ {
+ $config = ['identifyingAttribute' => 'uid', 'scope' => 'ex-ample.org'];
+ $request = [
+ 'Attributes' => ['uid' => ['u=se-r2']],
+ ];
+ $result = self::processFilter($config, $request);
+ $attributes = $result['Attributes'];
+ $this->assertArrayHasKey(Constants::ATTR_SUBJECT_ID, $attributes);
+ $this->assertRegExp(
+ SubjectID::SPEC_PATTERN,
+ $attributes[Constants::ATTR_SUBJECT_ID][0]
+ );
+ $this->assertEquals('u=se-r2@ex-ample.org', $attributes[Constants::ATTR_SUBJECT_ID][0]);
+ }
+
+
+ /**
+ * Test that illegal characters in userID throws an exception.
+ */
+ public function testUserIDIllegalCharacterThrowsException(): void
+ {
+ $config = ['identifyingAttribute' => 'uid', 'scope' => 'example.org'];
+ $request = [
+ 'Attributes' => ['uid' => ['u=se+r2']],
+ ];
+
+ $this->expectException(AssertionFailedException::class);
+ self::processFilter($config, $request);
+ }
+
+
+ /**
+ * Test that illegal characters in scope throws an exception.
+ */
+ public function testScopeIllegalCharacterThrowsException(): void
+ {
+ $config = ['identifyingAttribute' => 'uid', 'scope' => 'ex%ample.org'];
+ $request = [
+ 'Attributes' => ['uid' => ['user2']],
+ ];
+
+ $this->expectException(AssertionFailedException::class);
+ self::processFilter($config, $request);
+ }
+
+
+ /**
+ * Test that generated ID's for different users, but the same SP's are NOT equal
+ */
+ public function testUniqueIdentifierPerUserSameSP(): void
+ {
+ $config = ['identifyingAttribute' => 'uid', 'scope' => 'example.org'];
+ $request = [
+ 'Attributes' => ['uid' => ['user1']],
+ ];
+
+ // Generate first ID
+ $result = self::processFilter($config, $request);
+ $attributes = $result['Attributes'];
+ $this->assertArrayHasKey(Constants::ATTR_SUBJECT_ID, $attributes);
+ $value1 = $attributes[Constants::ATTR_SUBJECT_ID][0];
+
+ // Switch user
+ $request['Attributes'] = ['uid' => ['user2']];
+
+ // Generate second ID
+ $result = self::processFilter($config, $request);
+ $attributes = $result['Attributes'];
+ $this->assertArrayHasKey(Constants::ATTR_SUBJECT_ID, $attributes);
+ $value2 = $attributes[Constants::ATTR_SUBJECT_ID][0];
+
+ $this->assertNotSame($value1, $value2);
+ }
+
+
+ /**
+ * Test that generated ID's for the same user and same SP, but with a different scope are NOT equal
+ */
+ public function testUniqueIdentifierDifferentScopes(): void
+ {
+ $config = ['identifyingAttribute' => 'uid', 'scope' => 'example.org'];
+ $request = [
+ 'Attributes' => ['uid' => ['user1']],
+ ];
+
+ // Generate first ID
+ $result = self::processFilter($config, $request);
+ $attributes = $result['Attributes'];
+ $this->assertArrayHasKey(Constants::ATTR_SUBJECT_ID, $attributes);
+ $value1 = $attributes[Constants::ATTR_SUBJECT_ID][0];
+
+ // Change the scope
+ $config['scope'] = 'example.edu';
+
+ // Generate second ID
+ $result = self::processFilter($config, $request);
+ $attributes = $result['Attributes'];
+ $this->assertArrayHasKey(Constants::ATTR_SUBJECT_ID, $attributes);
+ $value2 = $attributes[Constants::ATTR_SUBJECT_ID][0];
+
+ $this->assertNotSame($value1, $value2);
+
+ $this->assertRegExp(
+ '/@example.org$/i',
+ $value1
+ );
+ $this->assertRegExp(
+ '/@example.edu$/i',
+ $value2
+ );
+ }
+
+
+ /**
+ * Test that weak identifiers log a warning
+ */
+ public function testWeakIdentifierLogsWarning(): void
+ {
+ $config = ['identifyingAttribute' => 'uid', 'scope' => 'b'];
+ $request = [
+ 'Attributes' => ['uid' => ['a']],
+ ];
+
+ $this->expectException(RuntimeException::class);
+ $this->expectExceptionMessage('core:SubjectID: Generated ID \'a@b\' can hardly be considered globally unique.');
+
+ self::processFilter($config, $request);
+ }
+}