Skip to content
Snippets Groups Projects
Commit 83e18ffb authored by Jaime Perez Crespo's avatar Jaime Perez Crespo
Browse files

Reformat sspmod_saml_Auth_Process_SQLPersistentNameID.

parent cc9e7621
No related branches found
No related tags found
No related merge requests found
Show whitespace changes
Inline Side-by-side
modules/saml/lib/Auth/Process/SQLPersistentNameID.php
+ 159
130
View file @ 83e18ffb
<?php <?php
/** /**
* Authproc filter to generate a persistent NameID. * Authentication processing filter to generate a persistent NameID.
* *
* @package simpleSAMLphp * @package SimpleSAMLphp
*/ */
class sspmod_saml_Auth_Process_SQLPersistentNameID extends sspmod_saml_BaseNameIDGenerator { class sspmod_saml_Auth_Process_SQLPersistentNameID extends sspmod_saml_BaseNameIDGenerator
{
/** /**
* Which attribute contains the unique identifier of the user. * Which attribute contains the unique identifier of the user.
...@@ -19,21 +21,21 @@ class sspmod_saml_Auth_Process_SQLPersistentNameID extends sspmod_saml_BaseNameI ...@@ -19,21 +21,21 @@ class sspmod_saml_Auth_Process_SQLPersistentNameID extends sspmod_saml_BaseNameI
* *
* @var boolean * @var boolean
*/ */
private $allowUnspecified; private $allowUnspecified = false;
/** /**
* Whether we should create a persistent NameID if a different format is requested. * Whether we should create a persistent NameID if a different format is requested.
* *
* @var boolean * @var boolean
*/ */
private $allowDifferent; private $allowDifferent = false;
/** /**
* Whether we should ignore allowCreate in the NameID policy * Whether we should ignore allowCreate in the NameID policy
* *
* @var boolean * @var boolean
*/ */
private $alwaysCreate; private $alwaysCreate = false;
/** /**
...@@ -41,34 +43,31 @@ class sspmod_saml_Auth_Process_SQLPersistentNameID extends sspmod_saml_BaseNameI ...@@ -41,34 +43,31 @@ class sspmod_saml_Auth_Process_SQLPersistentNameID extends sspmod_saml_BaseNameI
* *
* @param array $config Configuration information about this filter. * @param array $config Configuration information about this filter.
* @param mixed $reserved For future use. * @param mixed $reserved For future use.
*
* @throws SimpleSAML_Error_Exception If the 'attribute' option is not specified.
*/ */
public function __construct($config, $reserved) { public function __construct($config, $reserved)
{
parent::__construct($config, $reserved); parent::__construct($config, $reserved);
assert('is_array($config)'); assert('is_array($config)');
$this->format = SAML2_Const::NAMEID_PERSISTENT; $this->format = SAML2_Const::NAMEID_PERSISTENT;
if (!isset($config['attribute'])) { if (!isset($config['attribute'])) {
throw new SimpleSAML_Error_Exception('PersistentNameID: Missing required option \'attribute\'.'); throw new SimpleSAML_Error_Exception("PersistentNameID: Missing required option 'attribute'.");
} }
$this->attribute = $config['attribute']; $this->attribute = $config['attribute'];
if (isset($config['allowUnspecified'])) { if (isset($config['allowUnspecified'])) {
$this->allowUnspecified = (bool) $config['allowUnspecified']; $this->allowUnspecified = (bool) $config['allowUnspecified'];
} else {
$this->allowUnspecified = FALSE;
} }
if (isset($config['allowDifferent'])) { if (isset($config['allowDifferent'])) {
$this->allowDifferent = (bool) $config['allowDifferent']; $this->allowDifferent = (bool) $config['allowDifferent'];
} else {
$this->allowDifferent = FALSE;
} }
if (isset($config['alwaysCreate'])) { if (isset($config['alwaysCreate'])) {
$this->alwaysCreate = (bool) $config['alwaysCreate']; $this->alwaysCreate = (bool) $config['alwaysCreate'];
} else {
$this->alwaysCreate = FALSE;
} }
} }
...@@ -76,61 +75,91 @@ class sspmod_saml_Auth_Process_SQLPersistentNameID extends sspmod_saml_BaseNameI ...@@ -76,61 +75,91 @@ class sspmod_saml_Auth_Process_SQLPersistentNameID extends sspmod_saml_BaseNameI
/** /**
* Get the NameID value. * Get the NameID value.
* *
* @return string|NULL The NameID value. * @param array $state The state array.
* @return string|null The NameID value.
*
* @throws sspmod_saml_Error if the NameID creation policy is invalid.
*/ */
protected function getValue(array &$state) { protected function getValue(array &$state)
{
if (!isset($state['saml:NameIDFormat']) && !$this->allowUnspecified) { if (!isset($state['saml:NameIDFormat']) && !$this->allowUnspecified) {
SimpleSAML_Logger::debug('SQLPersistentNameID: Request did not specify persistent NameID format - not generating persistent NameID.'); SimpleSAML_Logger::debug(
return NULL; 'SQLPersistentNameID: Request did not specify persistent NameID format, '.
'not generating persistent NameID.'
);
return null;
} }
$validNameIdFormats = @array_filter(array($state['saml:NameIDFormat'], $state['SPMetadata']['NameIDPolicy'], $state['SPMetadata']['NameIDFormat'])); $validNameIdFormats = @array_filter(array(
$state['saml:NameIDFormat'],
$state['SPMetadata']['NameIDPolicy'],
$state['SPMetadata']['NameIDFormat']
));
if (count($validNameIdFormats) && !in_array($this->format, $validNameIdFormats) && !$this->allowDifferent) { if (count($validNameIdFormats) && !in_array($this->format, $validNameIdFormats) && !$this->allowDifferent) {
SimpleSAML_Logger::debug('SQLPersistentNameID: SP expects different NameID format (' . implode(', ', $validNameIdFormats) . ') - not generating persistent NameID.'); SimpleSAML_Logger::debug(
return NULL; 'SQLPersistentNameID: SP expects different NameID format ('.
implode(', ', $validNameIdFormats).'), not generating persistent NameID.'
);
return null;
} }
if (!isset($state['Destination']['entityid'])) { if (!isset($state['Destination']['entityid'])) {
SimpleSAML_Logger::warning('SQLPersistentNameID: No SP entity ID - not generating persistent NameID.'); SimpleSAML_Logger::warning('SQLPersistentNameID: No SP entity ID - not generating persistent NameID.');
return NULL; return null;
} }
$spEntityId = $state['Destination']['entityid']; $spEntityId = $state['Destination']['entityid'];
if (!isset($state['Source']['entityid'])) { if (!isset($state['Source']['entityid'])) {
SimpleSAML_Logger::warning('SQLPersistentNameID: No IdP entity ID - not generating persistent NameID.'); SimpleSAML_Logger::warning('SQLPersistentNameID: No IdP entity ID - not generating persistent NameID.');
return NULL; return null;
} }
$idpEntityId = $state['Source']['entityid']; $idpEntityId = $state['Source']['entityid'];
if (!isset($state['Attributes'][$this->attribute]) || count($state['Attributes'][$this->attribute]) === 0) { if (!isset($state['Attributes'][$this->attribute]) || count($state['Attributes'][$this->attribute]) === 0) {
SimpleSAML_Logger::warning('SQLPersistentNameID: Missing attribute ' . var_export($this->attribute, TRUE) . ' on user - not generating persistent NameID.'); SimpleSAML_Logger::warning(
return NULL; 'SQLPersistentNameID: Missing attribute '.var_export($this->attribute, true).
' on user - not generating persistent NameID.'
);
return null;
} }
if (count($state['Attributes'][$this->attribute]) > 1) { if (count($state['Attributes'][$this->attribute]) > 1) {
SimpleSAML_Logger::warning('SQLPersistentNameID: More than one value in attribute ' . var_export($this->attribute, TRUE) . ' on user - not generating persistent NameID.'); SimpleSAML_Logger::warning(
return NULL; 'SQLPersistentNameID: More than one value in attribute '.var_export($this->attribute, true).
' on user - not generating persistent NameID.'
);
return null;
} }
$uid = array_values($state['Attributes'][$this->attribute]); /* Just in case the first index is no longer 0. */ $uid = array_values($state['Attributes'][$this->attribute]); // just in case the first index is no longer 0
$uid = $uid[0]; $uid = $uid[0];
$value = sspmod_saml_IdP_SQLNameID::get($idpEntityId, $spEntityId, $uid); $value = sspmod_saml_IdP_SQLNameID::get($idpEntityId, $spEntityId, $uid);
if ($value !== NULL) { if ($value !== null) {
SimpleSAML_Logger::debug('SQLPersistentNameID: Found persistent NameID ' . var_export($value, TRUE) . ' for user ' . var_export($uid, TRUE) . '.'); SimpleSAML_Logger::debug(
'SQLPersistentNameID: Found persistent NameID '.var_export($value, true).' for user '.
var_export($uid, true).'.'
);
return $value; return $value;
} }
if ((!isset($state['saml:AllowCreate']) || !$state['saml:AllowCreate']) && !$this->alwaysCreate) { if ((!isset($state['saml:AllowCreate']) || !$state['saml:AllowCreate']) && !$this->alwaysCreate) {
SimpleSAML_Logger::warning('SQLPersistentNameID: Did not find persistent NameID for user, and not allowed to create new NameID.'); SimpleSAML_Logger::warning(
throw new sspmod_saml_Error(SAML2_Const::STATUS_RESPONDER, 'urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy'); 'SQLPersistentNameID: Did not find persistent NameID for user, and not allowed to create new NameID.'
);
throw new sspmod_saml_Error(
SAML2_Const::STATUS_RESPONDER,
'urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy'
);
} }
$value = bin2hex(openssl_random_pseudo_bytes(20)); $value = bin2hex(openssl_random_pseudo_bytes(20));
SimpleSAML_Logger::debug('SQLPersistentNameID: Created persistent NameID ' . var_export($value, TRUE) . ' for user ' . var_export($uid, TRUE) . '.'); SimpleSAML_Logger::debug(
'SQLPersistentNameID: Created persistent NameID '.var_export($value, true).' for user '.
var_export($uid, true).'.'
);
sspmod_saml_IdP_SQLNameID::add($idpEntityId, $spEntityId, $uid, $value); sspmod_saml_IdP_SQLNameID::add($idpEntityId, $spEntityId, $uid, $value);
return $value; return $value;
} }
} }
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Please register or to comment