Move the createPostRedirectLink(), postRedirect() and...

Move the createPostRedirectLink(), postRedirect() and createHttpPostRedirectLink() methods in SimpleSAML_Utilities to \SimpleSAML\Utils\HTTP. The last one is made private, the others are renamed to submitPOSTData() and getPOSTRedirectURL(), respectively. Deprecate the three old ones.

Move the createPostRedirectLink(), postRedirect() and...
d4829fef · Jaime Perez Crespo · c58dc381 · d4829fef · d4829fef · d4829fef
Commit d4829fef authored 10 years ago by Jaime Perez Crespo
--- a/lib/SimpleSAML/Auth/Simple.php
+++ b/lib/SimpleSAML/Auth/Simple.php
@@ -114,7 +114,7 @@ class SimpleSAML_Auth_Simple {
 		}

 		if (is_string($returnTo) && $keepPost && $_SERVER['REQUEST_METHOD'] === 'POST') {
-			$returnTo = SimpleSAML_Utilities::createPostRedirectLink($returnTo, $_POST);
+			$returnTo = \SimpleSAML\Utils\HTTP::getPOSTRedirectURL($returnTo, $_POST);
 		}

 		if (array_key_exists('ErrorURL', $params)) {

--- a/lib/SimpleSAML/Bindings/Shib13/HTTPPost.php
+++ b/lib/SimpleSAML/Bindings/Shib13/HTTPPost.php
@@ -80,7 +80,7 @@ class SimpleSAML_Bindings_Shib13_HTTPPost {

 		SimpleSAML_Utilities::debugMessage($response, 'out');

-		SimpleSAML_Utilities::postRedirect($shire, array(
+		\SimpleSAML\Utils\HTTP::submitPOSTData($shire, array(
 			'TARGET' => $relayState,
 			'SAMLResponse' => base64_encode($response),
 		));

--- a/lib/SimpleSAML/Utilities.php
+++ b/lib/SimpleSAML/Utilities.php
@@ -675,72 +675,22 @@ class SimpleSAML_Utilities {


 	/**
-	 * Do a POST redirect to a page.
-	 *
-	 * This function never returns.
-	 *
-	 * @param string $destination  The destination URL.
-	 * @param array $post  An array of name-value pairs which will be posted.
+	 * @deprecated This method will be removed in SSP 2.0. Please use SimpleSAML\Utils\HTTP::submitPOSTData() instead.
 	 */
 	public static function postRedirect($destination, $post) {
-		assert('is_string($destination)');
-		assert('is_array($post)');
-
-		$config = SimpleSAML_Configuration::getInstance();
-		$httpRedirect = $config->getBoolean('enable.http_post', FALSE);
-
-		if ($httpRedirect && preg_match("#^http:#", $destination) && self::isHTTPS()) {
-			$url = self::createHttpPostRedirectLink($destination, $post);
-			self::redirect($url);
-			assert('FALSE');
-		}
-
-		$p = new SimpleSAML_XHTML_Template($config, 'post.php');
-		$p->data['destination'] = $destination;
-		$p->data['post'] = $post;
-		$p->show();
-		exit(0);
+		\SimpleSAML\Utils\HTTP::submitPOSTData($destination, $post);
 	}

 	/**
-	 * Create a link which will POST data.
-	 *
-	 * @param string $destination  The destination URL.
-	 * @param array $post  The name-value pairs which will be posted to the destination.
-	 * @return string  A URL which can be accessed to post the data.
+	 * @deprecated This method will be removed in SSP 2.0. PLease use SimpleSAML\Utils\HTTP::getPOSTRedirectURL() instead.
 	 */
 	public static function createPostRedirectLink($destination, $post) {
-		assert('is_string($destination)');
-		assert('is_array($post)');
-
-		$config = SimpleSAML_Configuration::getInstance();
-		$httpRedirect = $config->getBoolean('enable.http_post', FALSE);
-
-		if ($httpRedirect && preg_match("#^http:#", $destination) && self::isHTTPS()) {
-			$url = self::createHttpPostRedirectLink($destination, $post);
-		} else {
-			$postId = SimpleSAML\Utils\Random::generateID();
-			$postData = array(
-				'post' => $post,
-				'url' => $destination,
-			);
-
-			$session = SimpleSAML_Session::getSessionFromRequest();
-			$session->setData('core_postdatalink', $postId, $postData);
-
-			$url = SimpleSAML_Module::getModuleURL('core/postredirect.php', array('RedirId' => $postId));
-		}
-
-		return $url;
+		return \SimpleSAML\Utils\HTTP::getPOSTRedirectURL($destination, $post);
 	}


 	/**
-	 * Create a link which will POST data to HTTP in a secure way.
-	 *
-	 * @param string $destination  The destination URL.
-	 * @param array $post  The name-value pairs which will be posted to the destination.
-	 * @return string  A URL which can be accessed to post the data.
+	 * @deprecated This method will be removed in SSP 2.0. Please use SimpleSAML\Utils\HTTP::getPOSTRedirectURL() instead.
 	 */
 	public static function createHttpPostRedirectLink($destination, $post) {
 		assert('is_string($destination)');

--- a/lib/SimpleSAML/Utils/HTTP.php
+++ b/lib/SimpleSAML/Utils/HTTP.php
@@ -10,6 +10,29 @@ namespace SimpleSAML\Utils;
 class HTTP
 {

+    /**
+     * Obtain a URL where we can redirect to securely post a form with the given data to a specific destination.
+     *
+     * @param string $destination The destination URL.
+     * @param array  $data An associative array containing the data to be posted to $destination.
+     *
+     * @return string  A URL which allows to securely post a form to $destination.
+     *
+     * @author Jaime Perez, UNINETT AS <jaime.perez@uninett.no>
+     */
+    private static function getSecurePOSTRedirectURL($destination, $data)
+    {
+        $session = \SimpleSAML_Session::getSessionFromRequest();
+        $id = self::savePOSTData($session, $destination, $data);
+
+        // encrypt the session ID and the random ID
+        $info = base64_encode(Crypto::aesEncrypt($session->getSessionId().':'.$id));
+
+        $url = \SimpleSAML_Module::getModuleURL('core/postredirect.php', array('RedirInfo' => $info));
+        return preg_replace('#^https:#', 'http:', $url);
+    }
+
+
    /**
     * Retrieve Host value from $_SERVER environment variables.
     *
@@ -167,6 +190,34 @@ class HTTP
    }


+    /**
+     * Save the given HTTP POST data and the destination where it should be posted to a given session.
+     *
+     * @param \SimpleSAML_Session $session The session where to temporarily store the data.
+     * @param string $destination The destination URL where the form should be posted.
+     * @param array  $data An associative array with the data to be posted to $destination.
+     *
+     * @return string A random identifier that can be used to retrieve the data from the current session.
+     *
+     * @author Andjelko Horvat
+     * @author Jaime Perez, UNINETT AS <jaime.perez@uninett.no>
+     */
+    private static function savePOSTData(\SimpleSAML_Session $session, $destination, $data)
+    {
+        // generate a random ID to avoid replay attacks
+        $id = Random::generateID();
+        $postData = array(
+            'post' => $data,
+            'url'  => $destination,
+        );
+
+        // save the post data to the session, tied to the random ID
+        $session->setData('core_postdatalink', $id, $postData);
+
+        return $id;
+    }
+
+
    /**
     * Add one or more query parameters to the given URL.
     *
@@ -424,6 +475,40 @@ class HTTP
    }


+    /**
+     * Create a link which will POST data.
+     *
+     * @param string $destination The destination URL.
+     * @param array  $data The name-value pairs which will be posted to the destination.
+     *
+     * @return string  A URL which can be accessed to post the data.
+     * @throws \SimpleSAML_Error_Exception If $destination is not a string or $data is not an array.
+     *
+     * @author Andjelko Horvat
+     * @author Jaime Perez, UNINETT AS <jaime.perez@uninett.no>
+     */
+    public static function getPOSTRedirectURL($destination, $data)
+    {
+        if (!is_string($destination) || !is_array($data)) {
+            throw new \SimpleSAML_Error_Exception('Invalid input parameters.');
+        }
+
+        $config = \SimpleSAML_Configuration::getInstance();
+        $allowed = $config->getBoolean('enable.http_post', false);
+
+        if ($allowed && preg_match("#^http:#", $destination) && self::isHTTPS()) {
+            // we need to post the data to HTTP
+            $url = self::getSecurePOSTRedirectURL($destination, $data);
+        } else { // post the data directly
+            $session = \SimpleSAML_Session::getSessionFromRequest();
+            $id = self::savePOSTData($session, $destination, $data);
+            $url = \SimpleSAML_Module::getModuleURL('core/postredirect.php', array('RedirId' => $id));
+        }
+
+        return $url;
+    }
+
+
    /**
     * Retrieve our own host.
     *
@@ -735,4 +820,40 @@ class HTTP

        return $baseHost.$dir.$tail;
    }
+
+
+    /**
+     * Submit a POST form to a specific destination.
+     *
+     * This function never returns.
+     *
+     * @param string $destination The destination URL.
+     * @param array  $data An associative array with the data to be posted to $destination.
+     *
+     * @throws \SimpleSAML_Error_Exception If $destination is not a string or $data is not an array.
+     *
+     * @author Olav Morken, UNINETT AS <olav.morken@uninett.no>
+     * @author Andjelko Horvat
+     * @author Jaime Perez, UNINETT AS <jaime.perez@uninett.no>
+     */
+    public static function submitPOSTData($destination, $data)
+    {
+        if (!is_string($destination) || !is_array($data)) {
+            throw new \SimpleSAML_Error_Exception('Invalid input parameters.');
+        }
+
+        $config = \SimpleSAML_Configuration::getInstance();
+        $allowed = $config->getBoolean('enable.http_post', false);
+
+        if ($allowed && preg_match("#^http:#", $destination) && self::isHTTPS()) {
+            // we need to post the data to HTTP
+            self::redirect(self::getSecurePOSTRedirectURL($destination, $data));
+        }
+
+        $p = new \SimpleSAML_XHTML_Template($config, 'post.php');
+        $p->data['destination'] = $destination;
+        $p->data['post'] = $data;
+        $p->show();
+        exit(0);
+    }
 }
\ No newline at end of file
--- a/modules/cdc/lib/Server.php
+++ b/modules/cdc/lib/Server.php
@@ -328,7 +328,7 @@ class sspmod_cdc_Server {
 		if (strlen($url) < 2048) {
 			SimpleSAML_Utilities::redirectTrustedURL($url);
 		} else {
-			SimpleSAML_Utilities::postRedirect($to, $params);
+            \SimpleSAML\Utils\HTTP::submitPOSTData($to, $params);
 		}
 	}