From 8d1c3d6c23a34a52b4669c1c86426632ce3d8957 Mon Sep 17 00:00:00 2001
From: Olav Morken <olav.morken@uninett.no>
Date: Tue, 13 Mar 2012 09:40:25 +0000
Subject: [PATCH] consent: Allow disabling of consent from SP metadata.

git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@3044 44740490-163a-0410-bde0-09ae8108e29a
---
 modules/consent/docs/consent.txt             | 49 ++++++++++++++------
 modules/consent/lib/Auth/Process/Consent.php |  8 +++-
 2 files changed, 42 insertions(+), 15 deletions(-)

diff --git a/modules/consent/docs/consent.txt b/modules/consent/docs/consent.txt
index 2c5757409..bd78b73b0 100644
--- a/modules/consent/docs/consent.txt
+++ b/modules/consent/docs/consent.txt
@@ -187,26 +187,49 @@ The following options can/ be set in other places in simpleSAMLphp
 Disabling consent
 -----------------
 
-It is possible to disable consent for a given service. You can add an option
-in the metadata on the IdP, that will disable consent for the given service.
-Add 'consent.disable' array option and enter the entityids of the services,
-that you do not want consent for.
+Consent can be disabled either in the IdP metadata or in the SP metadata.
+To disable consent for one or more SPs for a given IdP, add the
+`consent.disable`-option to the IdP metadata. To disable consent for one or
+more IdPs for a given SP, add the `consent.disable`-option to the SP metadata.
 
-Example:
+### Examples ###
+
+Disable consent for a given IdP:
+
+    $metadata['https://idp.example.org/'] = array(
+        [...],
+        'consent.disable' => TRUE,
+    );
+
+Disable consent for some SPs connected to a given IdP:
 
-    'consent.disable' => array(
-        'sp.example.com',
-        'sp2.example.com',
-        ...
+    $metadata['https://idp.example.org/'] = array(
+        [...],
+        'consent.disable' => array(
+            'https://sp1.example.org/',
+            'https://sp2.example.org/',
+        ),
+    );
+
+
+Disable consent for a given SP:
+
+    $metadata['https://sp.example.org'] = array(
+        [...]
+        'consent.disable' => TRUE,
     ),
 
-It is also possible to disable consent for all SPs for a given IdP by setting
-the 'consent.disable' option to TRUE:
+Disable consent for some IdPs for a given SP:
 
-    'consent.disable' => TRUE,
+    $metadata['https://sp.example.org'] = array(
+        [...]
+        'consent.disable' => array(
+            'https://idp1.example.org/',
+            'https://idp2.example.org/',
+        ),
+    ),
 
 
-   
 Attribute presentation
 ----------------------
  
diff --git a/modules/consent/lib/Auth/Process/Consent.php b/modules/consent/lib/Auth/Process/Consent.php
index d343506bd..eff89c438 100644
--- a/modules/consent/lib/Auth/Process/Consent.php
+++ b/modules/consent/lib/Auth/Process/Consent.php
@@ -181,9 +181,13 @@ class sspmod_consent_Auth_Process_Consent extends SimpleSAML_Auth_ProcessingFilt
             $state['Source'] = $idpmeta;
         }
 
-        // Do not use consent if disabled on source entity
+        // Do not use consent if disabled
         if (isset($state['Source']['consent.disable']) && self::checkDisable($state['Source']['consent.disable'], $spEntityId)) {
-            SimpleSAML_Logger::debug('Consent: Consent disabled for entity ' . $spEntityId);
+            SimpleSAML_Logger::debug('Consent: Consent disabled for entity ' . $spEntityId . ' with IdP ' . $idpEntityId);
+            return;
+        }
+        if (isset($state['Destination']['consent.disable']) && self::checkDisable($state['Destination']['consent.disable'], $idpEntityId)) {
+            SimpleSAML_Logger::debug('Consent: Consent disabled for entity ' . $spEntityId . ' with IdP ' . $idpEntityId);
             return;
         }
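Review bot: The debug message added for the Destination branch is byte-identical to the Source one just above it, so the log no longer tells an operator which side's metadata suppressed consent — the IdP's entry (`$state['Source']`) or the SP's entry (`$state['Destination']`). Since this commit makes a second configuration location authoritative for skipping the consent screen, that distinction is exactly what you want when auditing why a user was never asked; consider `SimpleSAML_Logger::debug('Consent: Consent disabled in IdP metadata for SP ' . $spEntityId . ' with IdP ' . $idpEntityId);` for the first branch and `SimpleSAML_Logger::debug('Consent: Consent disabled in SP metadata for SP ' . $spEntityId . ' with IdP ' . $idpEntityId);` for the new one. The `isset()` guard keeps the new check safe if `$state['Destination']` is absent, but unlike `$state['Source']`, which gets a fallback a few lines earlier, nothing in this hunk shows where Destination is populated, so that is presumably done earlier in the processing chain and worth confirming. If the SP-remote metadata on an IdP is generated from an external feed, it would also be worth documenting that the feed must not be able to inject `consent.disable`, since that entry now decides whether consent is bypassed. The enclosing `process()` method starts and ends outside this hunk.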
 
-- 
GitLab