saml idp endpoints: check early and consistently whether the SAML IdP is enabled

They are outside of the module so can be called when the module is disabled, which gives an error somewhere deep in the call stack. Check for all endpoints whether saml2-idp is enabled in config and whether the module is enabled before doing anything else.

saml idp endpoints: check early and consistently whether the SAML IdP is enabled
They are outside of the module so can be called when the module is disabled, which gives an error somewhere deep in the call stack. Check for all endpoints whether saml2-idp is enabled in config and whether the module is enabled before doing anything else.
8889e793 · Thijs Kinkhorst · Tim van Dijen · e4246a2a · 8889e793 · 8889e793
Commit 8889e793 authored 4 years ago by Thijs Kinkhorst Committed by Tim van Dijen 4 years ago
--- a/www/saml2/idp/ArtifactResolutionService.php
+++ b/www/saml2/idp/ArtifactResolutionService.php
@@ -11,7 +11,7 @@
 require_once('../../_include.php');

 $config = \SimpleSAML\Configuration::getInstance();
-if (!$config->getBoolean('enable.saml20-idp', false)) {
+if (!$config->getBoolean('enable.saml20-idp', false) || !Module::isModuleEnabled('saml')) {
    throw new \SimpleSAML\Error\Error('NOACCESS');
 }


--- a/www/saml2/idp/SSOService.php
+++ b/www/saml2/idp/SSOService.php
@@ -5,7 +5,6 @@
 * from a SAML 2.0 SP, parses, and process it, and then authenticates the user and sends the user back
 * to the SP with an Authentication Response.
 *
- * @author Andreas Åkre Solberg, UNINETT AS. <andreas.solberg@uninett.no>
 * @package SimpleSAMLphp
 */

@@ -14,6 +13,12 @@ require_once('../../_include.php');
 \SimpleSAML\Logger::info('SAML2.0 - IdP.SSOService: Accessing SAML 2.0 IdP endpoint SSOService');

 $metadata = \SimpleSAML\Metadata\MetaDataStorageHandler::getMetadataHandler();
+
+$config = \SimpleSAML\Configuration::getInstance();
+if (!$config->getBoolean('enable.saml20-idp', false) || !\SimpleSAML\Module::isModuleEnabled('saml')) {
+    throw new \SimpleSAML\Error\Error('NOACCESS', null, 403);
+}
+
 $idpEntityId = $metadata->getMetaDataCurrentEntityID('saml20-idp-hosted');
 $idp = \SimpleSAML\IdP::getById('saml2:' . $idpEntityId);


--- a/www/saml2/idp/SingleLogoutService.php
+++ b/www/saml2/idp/SingleLogoutService.php
@@ -13,6 +13,12 @@ require_once('../../_include.php');
 \SimpleSAML\Logger::info('SAML2.0 - IdP.SingleLogoutService: Accessing SAML 2.0 IdP endpoint SingleLogoutService');

 $metadata = \SimpleSAML\Metadata\MetaDataStorageHandler::getMetadataHandler();
+
+$config = \SimpleSAML\Configuration::getInstance();
+if (!$config->getBoolean('enable.saml20-idp', false) || !\SimpleSAML\Module::isModuleEnabled('saml')) {
+    throw new \SimpleSAML\Error\Error('NOACCESS', null, 403);
+}
+
 $idpEntityId = $metadata->getMetaDataCurrentEntityID('saml20-idp-hosted');
 $idp = \SimpleSAML\IdP::getById('saml2:' . $idpEntityId);


--- a/www/saml2/idp/initSLO.php
+++ b/www/saml2/idp/initSLO.php
@@ -3,6 +3,12 @@
 require_once('../../_include.php');

 $metadata = \SimpleSAML\Metadata\MetaDataStorageHandler::getMetadataHandler();
+
+$config = \SimpleSAML\Configuration::getInstance();
+if (!$config->getBoolean('enable.saml20-idp', false) || !\SimpleSAML\Module::isModuleEnabled('saml')) {
+    throw new \SimpleSAML\Error\Error('NOACCESS', null, 403);
+}
+
 $idpEntityId = $metadata->getMetaDataCurrentEntityID('saml20-idp-hosted');
 $idp = \SimpleSAML\IdP::getById('saml2:' . $idpEntityId);


--- a/www/saml2/idp/metadata.php
+++ b/www/saml2/idp/metadata.php
@@ -5,18 +5,17 @@ require_once('../../_include.php');
 use Symfony\Component\VarExporter\VarExporter;

 use SAML2\Constants;
+use SimpleSAML\Configuration;
+use SimpleSAML\Error;
 use SimpleSAML\Module;
 use SimpleSAML\Utils\Auth as Auth;
 use SimpleSAML\Utils\Crypto as Crypto;
 use SimpleSAML\Utils\HTTP as HTTP;
 use SimpleSAML\Utils\Config\Metadata as Metadata;

-// load SimpleSAMLphp configuration and metadata
-$config = \SimpleSAML\Configuration::getInstance();
-$metadata = \SimpleSAML\Metadata\MetaDataStorageHandler::getMetadataHandler();
-
-if (!$config->getBoolean('enable.saml20-idp', false)) {
-    throw new \SimpleSAML\Error\Error('NOACCESS');
+$config = Configuration::getInstance();
+if (!$config->getBoolean('enable.saml20-idp', false) || !Module::isModuleEnabled('saml')) {
+    throw new Error\Error('NOACCESS', null, 403);
 }

 // check if valid local session exists
@@ -24,6 +23,8 @@ if ($config->getBoolean('admin.protectmetadata', false)) {
    Auth::requireAdmin();
 }

+$metadata = \SimpleSAML\Metadata\MetaDataStorageHandler::getMetadataHandler();
+
 try {
    $idpentityid = isset($_GET['idpentityid']) ?
        $_GET['idpentityid'] : $metadata->getMetaDataCurrentEntityID('saml20-idp-hosted');
@@ -150,7 +151,7 @@ try {
        );

        if (!$idpmeta->hasValue('OrganizationURL')) {
-            throw new \SimpleSAML\Error\Exception(
+            throw new Error\Exception(
                'If OrganizationName is set, OrganizationURL must also be set.'
            );
        }
@@ -245,5 +246,5 @@ try {
        exit(0);
    }
 } catch (\Exception $exception) {
-    throw new \SimpleSAML\Error\Error('METADATA', $exception);
+    throw new Error\Error('METADATA', $exception);
 }