From cabc973775fe3486152c7cf912ac97396b9fb77e Mon Sep 17 00:00:00 2001
From: Jaime Perez Crespo <jaime.perez@uninett.no>
Date: Thu, 16 Apr 2015 15:48:54 +0200
Subject: [PATCH] Move SimpleSAML_Utilities::generateID() to SimpleSAML_Utils_Random::generateID(). Deprecate the former and schedule it for removal in 2.0.
---
 lib/SimpleSAML/Auth/State.php | 2 +-
 lib/SimpleSAML/Bindings/Shib13/Artifact.php | 2 +-
 lib/SimpleSAML/Session.php | 2 +-
 lib/SimpleSAML/Utilities.php | 11 +++++---
 lib/SimpleSAML/Utils/Random.php | 25 +++++++++++++++++++
 lib/SimpleSAML/XML/Shib13/AuthnResponse.php | 6 ++---
 modules/adfs/lib/IdP/ADFS.php | 4 +--
 modules/casserver/www/login.php | 2 +-
 modules/casserver/www/proxy.php | 2 +-
 modules/casserver/www/serviceValidate.php | 4 +--
 modules/consent/templates/consentform.php | 2 +-
 modules/oauth/lib/OAuthStore.php | 6 ++---
 modules/oauth/www/registry.edit.php | 4 +--
 .../saml/lib/Auth/Process/TransientNameID.php | 2 +-
 modules/saml/lib/IdP/SAML2.php | 6 ++---
 modules/saml/lib/SP/LogoutStore.php | 2 +-
 www/authmemcookie.php | 2 +-
 17 files changed, 56 insertions(+), 28 deletions(-)
 create mode 100644 lib/SimpleSAML/Utils/Random.php
diff --git a/lib/SimpleSAML/Auth/State.php b/lib/SimpleSAML/Auth/State.php
index 4684f5d8f..88d8f8589 100644
--- a/lib/SimpleSAML/Auth/State.php
+++ b/lib/SimpleSAML/Auth/State.php
@@ -105,7 +105,7 @@ class SimpleSAML_Auth_State {
 assert('is_bool($rawId)');
 if (!array_key_exists(self::ID, $state)) {
- $state[self::ID] = SimpleSAML_Utilities::generateID();
+ $state[self::ID] = SimpleSAML_Utils_Random::generateID();
 }
 $id = $state[self::ID];
diff --git a/lib/SimpleSAML/Bindings/Shib13/Artifact.php b/lib/SimpleSAML/Bindings/Shib13/Artifact.php
index 3e8f7d392..d2118512c 100644
--- a/lib/SimpleSAML/Bindings/Shib13/Artifact.php
+++ b/lib/SimpleSAML/Bindings/Shib13/Artifact.php
@@ -48,7 +48,7 @@ class SimpleSAML_Bindings_Shib13_Artifact {
 $msg = '<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">' .
 '<SOAP-ENV:Body>' .
 '<samlp:Request xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"' .
- ' RequestID="' . SimpleSAML_Utilities::generateID() . '"' .
+ ' RequestID="' . SimpleSAML_Utils_Random::generateID() . '"' .
 ' MajorVersion="1" MinorVersion="1"' .
 ' IssueInstant="' . SimpleSAML_Utilities::generateTimestamp() . '"' .
 '>';
diff --git a/lib/SimpleSAML/Session.php b/lib/SimpleSAML/Session.php
index df4343545..d4bbaac00 100644
--- a/lib/SimpleSAML/Session.php
+++ b/lib/SimpleSAML/Session.php
@@ -408,7 +408,7 @@ class SimpleSAML_Session
 $this->authData[$authority] = $data;
- $this->authToken = SimpleSAML_Utilities::generateID();
+ $this->authToken = SimpleSAML_Utils_Random::generateID();
 $sessionHandler = SimpleSAML_SessionHandler::getSessionHandler();
 if (!$this->transient && (!empty($data['RememberMe']) || $this->rememberMeExpire) &&
diff --git a/lib/SimpleSAML/Utilities.php b/lib/SimpleSAML/Utilities.php
index b71a6e2a7..148be6ea1 100644
--- a/lib/SimpleSAML/Utilities.php
+++ b/lib/SimpleSAML/Utilities.php
@@ -381,10 +381,13 @@ class SimpleSAML_Utilities {
 }
+ /**
+ * @deprecated This function will be removed in SSP 2.0. Please use SimpleSAML_Utils_Random::generateID() instead.
+ */
 public static function generateID() {
- return '_' . bin2hex(openssl_random_pseudo_bytes(21));
+ return SimpleSAML_Utils_Random::generateID();
 }
-
+
 /**
 * This function generates a timestamp on the form used by the SAML protocols.
@@ -1465,7 +1468,7 @@ class SimpleSAML_Utilities {
 if ($httpRedirect && preg_match("#^http:#", $destination) && self::isHTTPS()) {
 $url = self::createHttpPostRedirectLink($destination, $post);
 } else {
- $postId = SimpleSAML_Utilities::generateID();
+ $postId = SimpleSAML_Utils_Random::generateID();
 $postData = array(
 'post' => $post,
 'url' => $destination,
@@ -1492,7 +1495,7 @@ class SimpleSAML_Utilities {
 assert('is_string($destination)');
 assert('is_array($post)');
- $postId = SimpleSAML_Utilities::generateID();
+ $postId = SimpleSAML_Utils_Random::generateID();
 $postData = array(
 'post' => $post,
 'url' => $destination,
diff --git a/lib/SimpleSAML/Utils/Random.php b/lib/SimpleSAML/Utils/Random.php
new file mode 100644
index 000000000..11b8a1983
--- /dev/null
+++ b/lib/SimpleSAML/Utils/Random.php
@@ -0,0 +1,25 @@
+<?php
+
+
+/**
+ * Utility class for random data generation and manipulation.
+ *
+ * @package SimpleSAMLphp
+ */
+class SimpleSAML_Utils_Random
+{
+
+ /**
+ * Generate a random identifier, 22 bytes long.
+ *
+ * @return string A 22-bytes long string with a random, hex string.
+ *
+ * @author Andreas Solberg, UNINETT AS <andreas.solberg@uninett.no>
+ * @author Olav Morken, UNINETT AS <olav.morken@uninett.no>
+ * @author Jaime Perez, UNINETT AS <jaime.perez@uninett.no>
+ */
+ public static function generateID()
+ {
+ return '_'.bin2hex(openssl_random_pseudo_bytes(21));
+ }
+}
\ No newline at end of file
diff --git a/lib/SimpleSAML/XML/Shib13/AuthnResponse.php b/lib/SimpleSAML/XML/Shib13/AuthnResponse.php
index 2d65be5d9..563882e94 100644
--- a/lib/SimpleSAML/XML/Shib13/AuthnResponse.php
+++ b/lib/SimpleSAML/XML/Shib13/AuthnResponse.php
@@ -304,7 +304,7 @@ class SimpleSAML_XML_Shib13_AuthnResponse {
 $scopedAttributes = array();
 }
- $id = SimpleSAML_Utilities::generateID();
+ $id = SimpleSAML_Utils_Random::generateID();
 $issueInstant = SimpleSAML_Utilities::generateTimestamp();
@@ -313,7 +313,7 @@ class SimpleSAML_XML_Shib13_AuthnResponse {
 $assertionExpire = SimpleSAML_Utilities::generateTimestamp(time() + 60 * 5);# 5 minutes
- $assertionid = SimpleSAML_Utilities::generateID();
+ $assertionid = SimpleSAML_Utils_Random::generateID();
 $spEntityId = $sp->getString('entityid');
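Review bot: The new generateID() in Random.php feeds the result of openssl_random_pseudo_bytes() straight into bin2hex() without checking the `$crypto_strong` out-parameter or a false return, so on a host where OpenSSL cannot supply a strong source the identifier can silently degrade to weak bytes or to the bare string `_`, and this patch routes session auth tokens, OAuth keys and secrets, CAS tickets and transient NameIDs through it. Capture the flag and fail closed instead of returning a weak identifier, as sketched below. The docblock also misdescribes the result: `'_'.bin2hex()` of 21 bytes is a 43-character string, not "22 bytes long"; suggest `@return string A 43-character identifier: an underscore followed by 42 hexadecimal digits derived from 21 random bytes.` The file is also written without a trailing newline, as the `\ No newline at end of file` marker shows.
```php
    public static function generateID()
    {
        $bytes = openssl_random_pseudo_bytes(21, $strong);
        if ($bytes === false || $strong !== true) {
            // Fail closed: a predictable identifier is worse than no identifier.
            throw new Exception('Unable to obtain cryptographically strong random bytes.');
        }
        return '_'.bin2hex($bytes);
    }
```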
@@ -321,7 +321,7 @@ class SimpleSAML_XML_Shib13_AuthnResponse {
 $base64 = $sp->getBoolean('base64attributes', FALSE);
 $namequalifier = $sp->getString('NameQualifier', $spEntityId);
- $nameid = SimpleSAML_Utilities::generateID();
+ $nameid = SimpleSAML_Utils_Random::generateID();
 $subjectNode = '<Subject>' .
 '<NameIdentifier' .
diff --git a/modules/adfs/lib/IdP/ADFS.php b/modules/adfs/lib/IdP/ADFS.php
index 39b2a3049..cdb23f957 100644
--- a/modules/adfs/lib/IdP/ADFS.php
+++ b/modules/adfs/lib/IdP/ADFS.php
@@ -50,7 +50,7 @@ class sspmod_adfs_IdP_ADFS {
 $issueInstant = SimpleSAML_Utilities::generateTimestamp();
 $notBefore = SimpleSAML_Utilities::generateTimestamp(time() - 30);
 $assertionExpire = SimpleSAML_Utilities::generateTimestamp(time() + 60 * 5);
- $assertionID = SimpleSAML_Utilities::generateID();
+ $assertionID = SimpleSAML_Utils_Random::generateID();
 $nameidFormat = 'http://schemas.xmlsoap.org/claims/UPN';
 $result = '<wst:RequestSecurityTokenResponse xmlns:wst="http://schemas.xmlsoap.org/ws/2005/02/trust">
@@ -141,7 +141,7 @@ class sspmod_adfs_IdP_ADFS {
 }
 $nameid = $attributes[$nameidattribute][0];
 } else {
- $nameid = SimpleSAML_Utilities::generateID();
+ $nameid = SimpleSAML_Utils_Random::generateID();
 }
 $idp = SimpleSAML_IdP::getByState($state);
diff --git a/modules/casserver/www/login.php b/modules/casserver/www/login.php
index ebbaec3f5..deb179945 100644
--- a/modules/casserver/www/login.php
+++ b/modules/casserver/www/login.php
@@ -41,7 +41,7 @@ $attributes = $as->getAttributes();
 $path = $casconfig->resolvePath($casconfig->getValue('ticketcache', '/tmp'));
-$ticket = str_replace( '_', 'ST-', SimpleSAML_Utilities::generateID() );
+$ticket = str_replace( '_', 'ST-', SimpleSAML_Utils_Random::generateID() );
 storeTicket($ticket, $path, array('service' => $service,
 'forceAuthn' => $forceAuthn,
 'attributes' => $attributes,
diff --git a/modules/casserver/www/proxy.php b/modules/casserver/www/proxy.php
index 7b88e413c..b4f08d55d 100644
--- a/modules/casserver/www/proxy.php
+++ b/modules/casserver/www/proxy.php
@@ -26,7 +26,7 @@ $path = $casconfig->resolvePath($casconfig->getValue('ticketcache', 'ticketcache
 $ticket = retrieveTicket($pgt, $path, false);
 if ($ticket['validbefore'] > time()) {
- $pt = str_replace( '_', 'PT-', SimpleSAML_Utilities::generateID() );
+ $pt = str_replace( '_', 'PT-', SimpleSAML_Utils_Random::generateID() );
 storeTicket($pt, $path, array(
 'service' => $targetService,
 'forceAuthn' => false,
diff --git a/modules/casserver/www/serviceValidate.php b/modules/casserver/www/serviceValidate.php
index ffb20bb0b..5a30ec115 100644
--- a/modules/casserver/www/serviceValidate.php
+++ b/modules/casserver/www/serviceValidate.php
@@ -41,8 +41,8 @@ try {
 if (isset($_GET['pgtUrl'])) {
 $pgtUrl = $_GET['pgtUrl'];
- $pgtiou = str_replace( '_', 'PGTIOU-', SimpleSAML_Utilities::generateID());
- $pgt = str_replace( '_', 'PGT-', SimpleSAML_Utilities::generateID());
+ $pgtiou = str_replace( '_', 'PGTIOU-', SimpleSAML_Utils_Random::generateID());
+ $pgt = str_replace( '_', 'PGT-', SimpleSAML_Utils_Random::generateID());
 $content = array(
 'attributes' => $attributes,
 'forceAuthn' => false,
diff --git a/modules/consent/templates/consentform.php b/modules/consent/templates/consentform.php
index 65056c56f..004a91e98 100644
--- a/modules/consent/templates/consentform.php
+++ b/modules/consent/templates/consentform.php
@@ -167,7 +167,7 @@ function present_attributes($t, $attributes, $nameParent)
 $isHidden = in_array($nameraw, $t->data['hiddenAttributes'], true);
 if ($isHidden) {
- $hiddenId = SimpleSAML_Utilities::generateID();
+ $hiddenId = SimpleSAML_Utils_Random::generateID();
 $str .= '<div class="attrvalue" style="display: none;" id="hidden_' . $hiddenId . '">';
 } else {
diff --git a/modules/oauth/lib/OAuthStore.php b/modules/oauth/lib/OAuthStore.php
index cd8e0d616..881daf7ad 100644
--- a/modules/oauth/lib/OAuthStore.php
+++ b/modules/oauth/lib/OAuthStore.php
@@ -62,7 +62,7 @@ class sspmod_oauth_OAuthStore extends OAuthDataStore {
 if ($oConsumer && ($oConsumer->callback_url)) $url = $oConsumer->callback_url;
- $verifier = SimpleSAML_Utilities::generateID();
+ $verifier = SimpleSAML_Utils_Random::generateID();
 $url = SimpleSAML_Utilities::addURLparameter($url, array("oauth_verifier"=>$verifier));
 $this->store->set('authorized', $requestTokenKey, $verifier, $data, $this->config->getValue('requestTokenDuration', 60*30) );
@@ -138,7 +138,7 @@ class sspmod_oauth_OAuthStore extends OAuthDataStore {
 $lifetime = $this->config->getValue('requestTokenDuration', 60*30);
- $token = new OAuthToken(SimpleSAML_Utilities::generateID(), SimpleSAML_Utilities::generateID());
+ $token = new OAuthToken(SimpleSAML_Utils_Random::generateID(), SimpleSAML_Utils_Random::generateID());
 $token->callback = $callback; // OAuth1.0-RevA
 $this->store->set('request', $token->key, $consumer->key, $token, $lifetime);
@@ -158,7 +158,7 @@ class sspmod_oauth_OAuthStore extends OAuthDataStore {
 function new_access_token($requestToken, $consumer, $verifier = null) {
 SimpleSAML_Logger::info('OAuth new_access_token(' . $requestToken . ',' . $consumer . ')');
- $accestoken = new OAuthToken(SimpleSAML_Utilities::generateID(), SimpleSAML_Utilities::generateID());
+ $accestoken = new OAuthToken(SimpleSAML_Utils_Random::generateID(), SimpleSAML_Utils_Random::generateID());
 // SimpleSAML_Logger::info('OAuth new_access_token(' . $requestToken . ',' . $consumer . ',' . $accestoken . ')');
 $this->store->set('access', $accestoken->key, $consumer->key, $accestoken, $this->config->getValue('accessTokenDuration', 60*60*24) );
 return $accestoken;
diff --git a/modules/oauth/www/registry.edit.php b/modules/oauth/www/registry.edit.php
index 1b752cdc7..ee69a1e59 100644
--- a/modules/oauth/www/registry.edit.php
+++ b/modules/oauth/www/registry.edit.php
@@ -37,8 +37,8 @@ if (array_key_exists('editkey', $_REQUEST)) {
 } else {
 $entry = array(
 'owner' => $userid,
- 'key' => SimpleSAML_Utilities::generateID(),
- 'secret' => SimpleSAML_Utilities::generateID(),
+ 'key' => SimpleSAML_Utils_Random::generateID(),
+ 'secret' => SimpleSAML_Utils_Random::generateID(),
 );
 }
diff --git a/modules/saml/lib/Auth/Process/TransientNameID.php b/modules/saml/lib/Auth/Process/TransientNameID.php
index c51d8ca4e..7451e45e2 100644
--- a/modules/saml/lib/Auth/Process/TransientNameID.php
+++ b/modules/saml/lib/Auth/Process/TransientNameID.php
@@ -28,7 +28,7 @@ class sspmod_saml_Auth_Process_TransientNameID extends sspmod_saml_BaseNameIDGen
 */
 protected function getValue(array &$state) {
- return SimpleSAML_Utilities::generateID();
+ return SimpleSAML_Utils_Random::generateID();
 }
 }
diff --git a/modules/saml/lib/IdP/SAML2.php b/modules/saml/lib/IdP/SAML2.php
index e6337fc6f..934a14063 100644
--- a/modules/saml/lib/IdP/SAML2.php
+++ b/modules/saml/lib/IdP/SAML2.php
@@ -809,7 +809,7 @@ class sspmod_saml_IdP_SAML2 {
 $sessionLifetime = $config->getInteger('session.duration', 8*60*60);
 $a->setSessionNotOnOrAfter(time() + $sessionLifetime);
- $a->setSessionIndex(SimpleSAML_Utilities::generateID());
+ $a->setSessionIndex(SimpleSAML_Utils_Random::generateID());
 $sc = new SAML2_XML_saml_SubjectConfirmation();
 $sc->SubjectConfirmationData = new SAML2_XML_saml_SubjectConfirmationData();
@@ -892,7 +892,7 @@ class sspmod_saml_IdP_SAML2 {
 if ($nameIdFormat === SAML2_Const::NAMEID_TRANSIENT) {
 /* generate a random id */
- $nameIdValue = SimpleSAML_Utilities::generateID();
+ $nameIdValue = SimpleSAML_Utils_Random::generateID();
 } else {
 /* this code will end up generating either a fixed assigned id (via nameid.attribute) or random id if not assigned/configured */
@@ -900,7 +900,7 @@ class sspmod_saml_IdP_SAML2 {
 if ($nameIdValue === NULL) {
 SimpleSAML_Logger::warning('Falling back to transient NameID.');
 $nameIdFormat = SAML2_Const::NAMEID_TRANSIENT;
- $nameIdValue = SimpleSAML_Utilities::generateID();
+ $nameIdValue = SimpleSAML_Utils_Random::generateID();
 }
 }
diff --git a/modules/saml/lib/SP/LogoutStore.php b/modules/saml/lib/SP/LogoutStore.php
index 6f79f7b62..7a3d36a86 100644
--- a/modules/saml/lib/SP/LogoutStore.php
+++ b/modules/saml/lib/SP/LogoutStore.php
@@ -167,7 +167,7 @@ class sspmod_saml_SP_LogoutStore {
 * it supports SLO, but we don't want an LogoutRequest with a specific
 * SessionIndex to match this session. We therefore generate our own session index.
 */
- $sessionIndex = SimpleSAML_Utilities::generateID();
+ $sessionIndex = SimpleSAML_Utils_Random::generateID();
 }
 $store = SimpleSAML_Store::getInstance();
diff --git a/www/authmemcookie.php b/www/authmemcookie.php
index 8acd30794..ca9450f36 100644
--- a/www/authmemcookie.php
+++ b/www/authmemcookie.php
@@ -31,7 +31,7 @@ try {
 $s->requireAuth();
 /* Generate session id and save it in a cookie. */
- $sessionID = SimpleSAML_Utilities::generateID();
+ $sessionID = SimpleSAML_Utils_Random::generateID();
 $cookieName = $amc->getCookieName();
--
GitLab