shib13/idp: Move to new IdP core.

git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@2069 44740490-163a-0410-bde0-09ae8108e29a

shib13/idp: Move to new IdP core.
git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@2069 44740490-163a-0410-bde0-09ae8108e29a
be107c51 · Olav Morken · fd523376 · be107c51 · be107c51
Commit be107c51 authored 15 years ago by Olav Morken
--- a/modules/saml/lib/IdP/SAML1.php
+++ b/modules/saml/lib/IdP/SAML1.php
+<?php
+/**
+ * IdP implementation for SAML 1.1 protocol.
+ *
+ * @package simpleSAMLphp
+ * @version $Id$
+ */
+class sspmod_saml_IdP_SAML1 {
+	/**
+	 * Send a response to the SP.
+	 *
+	 * @param array $state  The authentication state.
+	 */
+	public static function sendResponse(array $state) {
+		assert('isset($state["Attributes"])');
+		assert('isset($state["SPMetadata"])');
+		assert('isset($state["saml:shire"])');
+		assert('array_key_exists("saml:target", $state)'); // Can be NULL.
+		$spMetadata = $state["SPMetadata"];
+		$spEntityId = $spMetadata['entityid'];
+		SimpleSAML_Logger::info('Sending SAML 1.1 Response to ' . var_export($spEntityId, TRUE));
+		$attributes = $state['Attributes'];
+		$shire = $state['saml:shire'];
+		$target = $state['saml:target'];
+		$idp = SimpleSAML_IdP::getByState($state);
+		$idpMetadata = $idp->getConfig()->toArray();
+		$config = SimpleSAML_Configuration::getInstance();
+		$metadata = SimpleSAML_Metadata_MetaDataStorageHandler::getMetadataHandler();
+		/* Generate and send response. */
+		$ar = new SimpleSAML_XML_Shib13_AuthnResponse();
+		$authnResponseXML = $ar->generate($idpMetadata, $spMetadata, $shire, $attributes);
+		$httppost = new SimpleSAML_Bindings_Shib13_HTTPPost($config, $metadata);
+		$httppost->sendResponse($authnResponseXML, $idpMetadata, $spMetadata, $target, $shire);
+	}
+	/**
+	 * Receive an authentication request.
+	 *
+	 * @param SimpleSAML_IdP $idp  The IdP we are receiving it for.
+	 */
+	public static function receiveAuthnRequest(SimpleSAML_IdP $idp) {
+		if (isset($_REQUEST['cookieTime'])) {
+			$cookieTime = (int)$_REQUEST['cookieTime'];
+			if ($cookieTime + 5 > time()) {
+				/*
+				 * Less than five seconds has passed since we were
+				 * here the last time. Cookies are probably disabled.
+				 */
+				SimpleSAML_Utilities::checkCookie(SimpleSAML_Utilities::selfURL());
+			}
+		}
+		if (!isset($_REQUEST['providerId'])) {
+			throw new SimpleSAML_Error_BadRequest('Missing providerId parameter.');
+		}
+		$spEntityId = (string)$_REQUEST['providerId'];
+		if (!isset($_REQUEST['shire'])) {
+			throw new SimpleSAML_Error_BadRequest('Missing shire parameter.');
+		}
+		$shire = (string)$_REQUEST['shire'];
+		if (isset($_REQUEST['target'])) {
+			$target = $_REQUEST['target'];
+		} else {
+			$target = NULL;
+		}
+		SimpleSAML_Logger::info('Shib1.3 - IdP.SSOService: Got incoming Shib authnRequest from ' . var_export($spEntityId, TRUE) . '.');
+		$metadata = SimpleSAML_Metadata_MetaDataStorageHandler::getMetadataHandler();
+		$spMetadata = $metadata->getMetaDataConfig($spEntityId, 'shib13-sp-remote');
+		$found = FALSE;
+		foreach ($spMetadata->getEndpoints('AssertionConsumerService') as $ep) {
+			if ($ep['Binding'] !== 'urn:oasis:names:tc:SAML:1.0:profiles:browser-post') {
+				continue;
+			}
+			if ($ep['Location'] !== $shire) {
+				continue;
+			}
+			$found = TRUE;
+			break;
+		}
+		if (!$found) {
+			throw new Exception('Invalid AssertionConsumerService for SP ' .
+				var_export($spEntityId, TRUE) . ': ' . var_export($shire, TRUE));
+		}
+		$sessionLostURL = SimpleSAML_Utilities::addURLparameter(
+			SimpleSAML_Utilities::selfURL(),
+			array('cookieTime' => time()));
+		$state = array(
+			'Responder' => array('sspmod_saml_IdP_SAML1', 'sendResponse'),
+			'SPMetadata' => $spMetadata->toArray(),
+			'saml:shire' => $shire,
+			'saml:target' => $target,
+		);
+		$idp->handleAuthenticationRequest($state);
+	}
+}
--- a/www/shib13/idp/SSOService.php
+++ b/www/shib13/idp/SSOService.php
@@ -11,206 +11,27 @@
 require_once('../../../www/_include.php');
-$config = SimpleSAML_Configuration::getInstance();
-$metadata = SimpleSAML_Metadata_MetaDataStorageHandler::getMetadataHandler();
-$session = SimpleSAML_Session::getInstance();
 SimpleSAML_Logger::info('Shib1.3 - IdP.SSOService: Accessing Shibboleth 1.3 IdP endpoint SSOService');
-if (!$config->getBoolean('enable.shib13-idp', false))
-	SimpleSAML_Utilities::fatalError($session->getTrackID(), 'NOACCESS');
 try {
-	$idpmetadata = $metadata->getMetaDataCurrent('shib13-idp-hosted');
+	$config = SimpleSAML_Configuration::getInstance();
-} catch (Exception $exception) {
+	if (!$config->getBoolean('enable.shib13-idp', FALSE)) {
-	SimpleSAML_Utilities::fatalError($session->getTrackID(), 'METADATA', $exception);
+		throw new SimpleSAML_Error_Error('NOACCESS');
-}
-/*
- * If the shire query parameter is set, we got an incoming Authentication Request
- * at this interface.
- *
- * In this case, what we should do is to process the request and set the neccessary information
- * from the request into the session object to be used later.
- *
- */
-if (isset($_GET['shire'])) {
-	try {
-		$authnrequest = new SimpleSAML_XML_Shib13_AuthnRequest($config, $metadata);
-		$authnrequest->parseGet($_GET);
-		$requestid = $authnrequest->getRequestID();
-		/*
-		 * Create an assoc array of the request to store in the session cache.
-		 */
-		$requestcache = array(
-			'RequestID' => $requestid,
-			'Issuer'    => $authnrequest->getIssuer(),
-			'shire'		=> $authnrequest->getShire(),
-			'RelayState' => $authnrequest->getRelayState(),
-		);
-		SimpleSAML_Logger::info('Shib1.3 - IdP.SSOService: Got incoming Shib authnRequest requestid: ' . $requestid);
-		if (empty($requestcache['Issuer']))
-			throw new Exception('Could not retrieve issuer of the AuthNRequest (ProviderID)');
-	} catch(Exception $exception) {
-		SimpleSAML_Utilities::fatalError($session->getTrackID(), 'PROCESSAUTHNREQUEST', $exception);
 	}
+	$metadata = SimpleSAML_Metadata_MetaDataStorageHandler::getMetadataHandler();
+	$idpEntityId = $metadata->getMetaDataCurrentEntityID('shib13-idp-hosted');
+	$idp = SimpleSAML_IdP::getById('saml1:' . $idpEntityId);
+	sspmod_saml_IdP_SAML1::receiveAuthnRequest($idp);
+	assert('FALSE');
-/*
+} catch(SimpleSAML_Error_Error $e) {
- * If we did not get an incoming Authenticaiton Request, we need a RequestID parameter.
- *
- * The RequestID parameter is used to retrieve the information stored in the session object
- * related to the request that was received earlier. Usually the request is processed with
- * code above, then the user is redirected to some login module, and when successfully authenticated
- * the user isredirected back to this endpoint, and then the user will need to have the RequestID
- * parmeter attached.
- */
-} elseif(isset($_GET['RequestID'])) {
-	try {
-		$authId = $_GET['RequestID'];
-		$requestcache = $session->getAuthnRequest('shib13', $authId);
-		SimpleSAML_Logger::info('Shib1.3 - IdP.SSOService: Got incoming RequestID: '. $authId);
-		if (!$requestcache) {
-			throw new Exception('Could not retrieve cached RequestID = ' . $authId);
-		}
-	} catch(Exception $exception) {
+	$e->show();
-		SimpleSAML_Utilities::fatalError($session->getTrackID(), 'CACHEAUTHNREQUEST', $exception);
-	}
-} elseif(isset($_REQUEST[SimpleSAML_Auth_ProcessingChain::AUTHPARAM])) {
-	/* Resume from authentication processing chain. */
+} catch(Exception $e) {
-	$authProcId = $_REQUEST[SimpleSAML_Auth_ProcessingChain::AUTHPARAM];
-	$authProcState = SimpleSAML_Auth_ProcessingChain::fetchProcessedState($authProcId);
-	$requestcache = $authProcState['core:shib13-idp:requestcache'];
-} else {
+	$e = new SimpleSAML_Error_Error('UNHANDLEDEXCEPTION', $e);
-	SimpleSAML_Utilities::fatalError($session->getTrackID(), 'SSOSERVICEPARAMS');
+	$e->show();
-}
-/* Make sure that the issuer is a valid SP. */
-try {
-	$spMetadata = $metadata->getMetaDataConfig($requestcache['Issuer'], 'shib13-sp-remote');
-} catch (Exception $exception) {
-	SimpleSAML_Utilities::fatalError($session->getTrackID(), 'PROCESSAUTHNREQUEST', $exception);
-}
-/* Check whether we should authenticate with an AuthSource. Any time the auth-option matches a
- * valid AuthSource, we assume that this is the case.
- */
-if(SimpleSAML_Auth_Source::getById($idpmetadata['auth']) !== NULL) {
-	/* Authenticate with an AuthSource. */
-	$authSource = TRUE;
-	$authority = $idpmetadata['auth'];
-} else {
-	$authSource = FALSE;
-	$authority = SimpleSAML_Utilities::getAuthority($idpmetadata);
 }
-/*
- * As we have passed the code above, we have an accociated request that is already processed.
- *
- * Now we check whether we have a authenticated session. If we do not have an authenticated session,
- * we look up in the metadata of the IdP, to see what authenticaiton module to use, then we redirect
- * the user to the authentication module, to authenticate. Later the user is redirected back to this
- * endpoint - then the session is authenticated and set, and the user is redirected back with a RequestID
- * parameter so we can retrieve the cached information from the request.
- */
-if (!$session->isValid($authority) ) {
-	$authId = SimpleSAML_Utilities::generateID();
-	$session->setAuthnRequest('shib13', $authId, $requestcache);
-	$redirectTo = SimpleSAML_Utilities::selfURLNoQuery() . '?RequestID=' . urlencode($authId);
-	if($authSource) {
-		/* Authenticate with an AuthSource. */
-		$hints = array(
-			'SPMetadata' => $spMetadata->toArray(),
-			'IdPMetadata' => $idpmetadata,
-		);
-		SimpleSAML_Auth_Default::initLogin($idpmetadata['auth'], $redirectTo, NULL, $hints);
-	} else {
-		$authurl = '/' . $config->getBaseURL() . $idpmetadata['auth'];
-		SimpleSAML_Utilities::redirect($authurl, array(
-			'RelayState' => $redirectTo,
-			'AuthId' => $authId,
-			'protocol' => 'shib13',
-		));
-	}
-}
-/*
- * We got an request, and we hav a valid session. Then we send an AuthenticationResponse back to the
- * service.
- */
-try {
-	/* Validate the Shire the response should be sent to. */
-	$shire = $requestcache['shire'];
-	$foundACS = FALSE;
-	foreach ($spMetadata->getEndpoints('AssertionConsumerService') as $acs) {
-		if ($acs['Binding'] !== 'urn:oasis:names:tc:SAML:1.0:profiles:browser-post') {
-			continue;
-		}
-		if ($acs['Location'] !== $shire) {
-			continue;
-		}
-		SimpleSAML_Logger::info('Shib1.3 - IdP.SSOService: Found AssertionConsumerService: '. $acs);
-		$foundACS = TRUE;
-		break;
-	}
-	if (!$foundACS) {
-		throw new Exception('Invalid AssertionConsumerService for SP ' .
-			var_export($spMetadata->getString('entityid'), TRUE) . ': ' . var_export($shire, TRUE));
-	}
-	$attributes = $session->getAttributes();
-	/* Authentication processing operations. */
-	if (!isset($authProcState)) {
-		/* Not processed. */
-		$pc = new SimpleSAML_Auth_ProcessingChain($idpmetadata, $spMetadata->toArray(), 'idp');
-		$authProcState = array(
-			'core:shib13-idp:requestcache' => $requestcache,
-			'ReturnURL' => SimpleSAML_Utilities::selfURLNoQuery(),
-			'Attributes' => $attributes,
-			'Destination' => $spMetadata->toArray(),
-			'Source' => $idpmetadata,
-			);
-		$pc->processState($authProcState);
-	}
-	$attributes = $authProcState['Attributes'];
-	/* Generate and send response. */
-	$ar = new SimpleSAML_XML_Shib13_AuthnResponse();
-	$authnResponseXML = $ar->generate($idpmetadata, $spMetadata->toArray(), $shire, $attributes);
-	$httppost = new SimpleSAML_Bindings_Shib13_HTTPPost($config, $metadata);
-	$httppost->sendResponse($authnResponseXML, $idpmetadata, $spMetadata->toArray(), $requestcache['RelayState'], $shire);
-} catch(Exception $exception) {
-	SimpleSAML_Utilities::fatalError($session->getTrackID(), 'GENERATEAUTHNRESPONSE', $exception);
-}
-?>
\ No newline at end of file