From d579e8591d78c53a6573c37ef10765a93ec4730f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Andreas=20=C3=85kre=20Solberg?= <andreas.solberg@uninett.no>
Date: Fri, 2 Nov 2007 13:46:23 +0000
Subject: [PATCH] Adding support for handling the shire parameter, and doing a
 prefix match on the AssertionConsumerURL parameter in the sp remote metadata.
 This request came from Ajay in RedIRIS.

git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@65 44740490-163a-0410-bde0-09ae8108e29a
---
 lib/SimpleSAML/Bindings/Shib13/HTTPPost.php | 14 ++++++++++++--
 lib/SimpleSAML/XML/Shib13/AuthnRequest.php  | 11 +++++++++++
 www/shib13/idp/SSOService.php               | 12 ++++++------
 www/shib13/sp/AssertionConsumerService.php  |  8 ++++----
 4 files changed, 33 insertions(+), 12 deletions(-)

diff --git a/lib/SimpleSAML/Bindings/Shib13/HTTPPost.php b/lib/SimpleSAML/Bindings/Shib13/HTTPPost.php
index 376889379..0b4b07206 100644
--- a/lib/SimpleSAML/Bindings/Shib13/HTTPPost.php
+++ b/lib/SimpleSAML/Bindings/Shib13/HTTPPost.php
@@ -66,17 +66,27 @@ class SimpleSAML_Bindings_Shib13_HTTPPost {
 		</html>';
 	}
 	
-	public function sendResponse($response, $idpentityid, $spentityid, $relayState = null) {
+	public function sendResponse($response, $idpentityid, $spentityid, $relayState = null, $claimedacs = null) {
 
 		$idpmd = $this->metadata->getMetaData($idpentityid, 'shib13-idp-hosted');
 		$spmd = $this->metadata->getMetaData($spentityid, 'shib13-sp-remote');
 		
 		$destination = $spmd['AssertionConsumerService'];
+		
+		if (!isset($destination) or $destination == '') 
+			throw new Exception('Could not find AssertionConsumerService for SP entity ID [' . $spentityid. ']. ' . 
+				'Claimed ACS is: ' . (isset($claimedacs) ? $claimedacs : 'N/A'));
 	
 		$privatekey = $this->configuration->getValue('basedir') . '/cert/' . $idpmd['privatekey'];
 		$publiccert = $this->configuration->getValue('basedir') . '/cert/' . $idpmd['certificate'];
 
-
+		
+		if (strstr($claimedacs, $destination) == 0) {
+			$destination = $claimedacs;
+		} else {
+			throw new Exception('Claimed ACS (shire) and ACS in SP Metadata do not match. [' . $claimedacs. '] [' . $destination . ']');
+		}
+		
 		
 		/*
 		 * XMLDSig. Sign the complete request with the key stored in cert/server.pem
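Review bot: The shire comparison at `if (strstr($claimedacs, $destination) == 0)` is inverted and loose: strstr() returns false when the metadata ACS does not occur in the claimed value, `false == 0` is true, so the non-matching shire is exactly the case that becomes the destination, and a matching non-empty string also compares loosely equal to 0 on PHP of this era, which leaves the exception branch effectively unreachable and lets whatever shire arrived in the request become the POST target for the signed response. The test is also containment rather than the prefix match the commit message describes, and a request without a shire (the `'N/A'` case handled a few lines above) reaches strstr() with null. Use a strict prefix test with strpos() and fall back to the metadata ACS when no shire was sent; because this is a plain string prefix, the metadata value should carry the full scheme and host with a trailing slash so a longer host name cannot satisfy it. sendResponse continues past the end of the hunk.
```php
		if ($claimedacs === null || $claimedacs === '') {
			// No shire in the request: deliver to the ACS from SP metadata.
		} elseif (strpos($claimedacs, $destination) === 0) {
			// Strict prefix match: the claimed ACS must start with the metadata ACS.
			$destination = $claimedacs;
		} else {
			throw new Exception('Claimed ACS (shire) and ACS in SP Metadata do not match. [' . $claimedacs. '] [' . $destination . ']');
		}
		// … unchanged: XMLDSig signing …
```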
diff --git a/lib/SimpleSAML/XML/Shib13/AuthnRequest.php b/lib/SimpleSAML/XML/Shib13/AuthnRequest.php
index 5265cf0cb..a90526bb5 100644
--- a/lib/SimpleSAML/XML/Shib13/AuthnRequest.php
+++ b/lib/SimpleSAML/XML/Shib13/AuthnRequest.php
@@ -23,6 +23,7 @@ class SimpleSAML_XML_Shib13_AuthnRequest {
 	private $metadata = null;
 	
 	private $issuer = null;
+	private $shire = null;
 	private $relayState = null;
 	
 	private $requestid = null;
@@ -46,6 +47,14 @@ class SimpleSAML_XML_Shib13_AuthnRequest {
 		return $this->relayState;
 	}
 	
+	public function setShire($shire) {
+		$this->shire = $shire;
+	}
+	
+	public function getShire() {
+		return $this->shire;
+	}
+	
 	public function setIssuer($issuer) {
 		$this->issuer = $issuer;
 	}
@@ -62,6 +71,8 @@ class SimpleSAML_XML_Shib13_AuthnRequest {
 
 		$this->setIssuer($get['providerId']);
 		$this->setRelayState($get['target']);
+		
+		$this->setShire($get['shire']);
 
 	}
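Review bot: `$this->setShire($get['shire']);` reads the key unconditionally, yet the shire appears to be optional for this binding (the response sender in this same commit prints 'N/A' for a null claimed ACS), so a request without it emits an undefined-index notice before storing null. Read it defensively, `$this->setShire(isset($get['shire']) ? $get['shire'] : null);`, and document the new property with `/** Claimed AssertionConsumerService URL taken from the request's shire parameter; null when absent. */` so callers know a null is expected rather than an error. The enclosing method starts outside the hunk.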
 	
diff --git a/www/shib13/idp/SSOService.php b/www/shib13/idp/SSOService.php
index d3b0986b8..b7ccdd2b0 100644
--- a/www/shib13/idp/SSOService.php
+++ b/www/shib13/idp/SSOService.php
@@ -12,11 +12,6 @@ require_once('SimpleSAML/XML/Shib13/AuthnRequest.php');
 require_once('SimpleSAML/XML/Shib13/AuthnResponse.php');
 require_once('SimpleSAML/Bindings/Shib13/HTTPPost.php');
 
-//require_once('SimpleSAML/XML/SAML20/AuthnRequest.php');
-//require_once('SimpleSAML/XML/SAML20/AuthnResponse.php');
-//require_once('SimpleSAML/Bindings/SAML20/HTTPRedirect.php');
-//require_once('SimpleSAML/Bindings/SAML20/HTTPPost.php');
-
 require_once('SimpleSAML/XHTML/Template.php');
 
 
@@ -149,8 +144,13 @@ if (!$session->isAuthenticated() ) {
 		
 		//echo 'Relaystate[' . $authnrequest->getRelayState() . ']';
 		
+		$issuer = $authnrequest->getIssuer();
+		$shire = $authnrequest->getShire();
+		if ($issuer == null || $issuer == '')
+			throw new Exception('Could not retrieve issuer of the AuthNRequest (ProviderID)');
+		
 		$httppost->sendResponse($authnResponseXML, 
-			$idpentityid, $authnrequest->getIssuer(), $authnrequest->getRelayState());
+			$idpentityid, $issuer, $authnrequest->getRelayState(), $shire);
 			
 	} catch(Exception $exception) {
 		
diff --git a/www/shib13/sp/AssertionConsumerService.php b/www/shib13/sp/AssertionConsumerService.php
index 20daca2af..0d71ddf58 100644
--- a/www/shib13/sp/AssertionConsumerService.php
+++ b/www/shib13/sp/AssertionConsumerService.php
@@ -30,10 +30,10 @@ try {
 
 	$xml = $authnResponse->getXML();
 	/*
-	echo '<pre>';
-	echo $xml;
-	echo '</pre>';
-*/
+		echo '<pre>';
+		echo $xml;
+		echo '</pre>';
+	*/
 
 	$authnResponse->validate();
 	$session = $authnResponse->createSession();
-- 
GitLab