Merge branch 'fix-idp-discohints' of https://github.com/m0ark/simplesamlphp...

Merge branch 'fix-idp-discohints' of https://github.com/m0ark/simplesamlphp into m0ark-fix-idp-discohints

Merge branch 'fix-idp-discohints' of https://github.com/m0ark/simplesamlphp...
Merge branch 'fix-idp-discohints' of https://github.com/m0ark/simplesamlphp into m0ark-fix-idp-discohints
b6a6e297 · Thijs Kinkhorst · de09698f · 854c2127 · b6a6e297
Commit b6a6e297 authored 6 years ago by Thijs Kinkhorst
--- a/lib/SimpleSAML/Metadata/MetaDataStorageSource.php
+++ b/lib/SimpleSAML/Metadata/MetaDataStorageSource.php
@@ -158,7 +158,7 @@ abstract class SimpleSAML_Metadata_MetaDataStorageSource


    /**
-     * This function will go through all the metadata, and check the hint.cidr
+     * This function will go through all the metadata, and check the DiscoHints->IPHint
     * parameter, which defines a network space (ip range) for each remote entry.
     * This function returns the entityID for any of the entities that have an
     * IP range which the IP falls within.
@@ -176,14 +176,26 @@ abstract class SimpleSAML_Metadata_MetaDataStorageSource
        $metadataSet = $this->getMetadataSet($set);

        foreach ($metadataSet as $index => $entry) {
-            if (!array_key_exists('hint.cidr', $entry)) {
-                continue;
+            $cidrHints = array();
+            
+            // support hint.cidr for idp discovery
+            if (array_key_exists('hint.cidr', $entry) && is_array($entry['hint.cidr'])) {
+                $cidrHints = $entry['hint.cidr'];
+            }
+
+            // support discohints in idp metadata for idp discovery
+            if (array_key_exists('DiscoHints', $entry) 
+                && array_key_exists('IPHint', $entry['DiscoHints']) 
+                && is_array($entry['DiscoHints']['IPHint'])) {
+                // merge with hints derived from discohints, but prioritize hint.cidr in case it is used
+                $cidrHints = array_merge($entry['DiscoHints']['IPHint'], $cidrHints);
            }
-            if (!is_array($entry['hint.cidr'])) {
+
+            if (empty($cidrHints)) {
                continue;
            }

-            foreach ($entry['hint.cidr'] as $hint_entry) {
+            foreach ($cidrHints as $hint_entry) {
                if (SimpleSAML\Utils\Net::ipCIDRcheck($hint_entry, $ip)) {
                    if ($type === 'entityid') {
                        return $entry['entityid'];