Merge pull request #942 from pradtke/655/php-edit-state

#655 allow core:php to manipulate all of the state

Merge pull request #942 from pradtke/655/php-edit-state
#655 allow core:php to manipulate all of the state
d65d2f52 · Thijs Kinkhorst · GitHub · 4c345710 · 57bc4f5f · d65d2f52
Unverified Commit d65d2f52 authored 6 years ago by Thijs Kinkhorst Committed by GitHub 6 years ago
--- a/modules/core/docs/authproc_php.md
+++ b/modules/core/docs/authproc_php.md
 `core:PHP`
 ==========

-This is a filter which makes it possible to run arbitrary PHP code to modify the attributes of an user.
+This is a filter which makes it possible to run arbitrary PHP code to modify the attributes or state of an user.

 Parameters
 ----------
@@ -11,8 +11,14 @@ Parameters
    It must be `'core:PHP'`.

 `code`
-:   The PHP code that should be run. This code will have only one variable available: `$attributes`.
+:   The PHP code that should be run. This code will have two variables available: 
+
+* `$attributes`.
    This is an associative array of attributes, and can be modified to add or remove attributes.
+    
+* `$state`.
+    This is an associative array of request state. It can be modified to adjust data related to the authentication
+    such as desired NameId, requested Attributes, authnContextRef and many more.

 Examples
 --------
@@ -43,3 +49,10 @@ Create a random number variable:
            );
        ',
    ),
+
+Force a specific NameIdFormat. Useful if an SP misbehaves and requests (or publishes) an incorrect NameId
+
+    90 => array(
+         'class' => 'core:PHP',
+         'code' => '$state["saml:NameIDFormat"] = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient";'
+    ),
\ No newline at end of file
--- a/modules/core/lib/Auth/Process/PHP.php
+++ b/modules/core/lib/Auth/Process/PHP.php
@@ -49,9 +49,9 @@ class PHP extends \SimpleSAML\Auth\ProcessingFilter
        assert(is_array($request));
        assert(array_key_exists('Attributes', $request));

-        $function = function (/** @scrutinizer ignore-unused */ &$attributes) {
+        $function = function (/** @scrutinizer ignore-unused */ &$attributes, &$state) {
            eval($this->code);
        };
-        $function($request['Attributes']);
+        $function($request['Attributes'], $request);
    }
 }
--- a/tests/modules/core/lib/Auth/Process/PHPTest.php
+++ b/tests/modules/core/lib/Auth/Process/PHPTest.php
@@ -111,4 +111,42 @@ class Test_Core_Auth_Process_PHP extends TestCase
        );
        $this->processFilter($config, $request);
    }
+
+    /**
+     * Check that the entire state can be adjusted.
+     */
+    public function testStateCanBeModified()
+    {
+
+        $config = array(
+            'code' => '
+                $attributes["orig2"] = array("value0");
+                $state["newKey"] = ["newValue"];
+                $state["Destination"]["attributes"][] = "givenName";
+            ',
+        );
+        $request = array(
+            'Attributes' => array(
+                'orig1' => array('value1', 'value2'),
+                'orig2' => array('value3'),
+                'orig3' => array('value4')
+            ),
+            'Destination' => [
+                'attributes' => ['eduPersonPrincipalName']
+            ],
+        );
+        $expected = array(
+            'Attributes' => array(
+                'orig1' => array('value1', 'value2'),
+                'orig2' => array('value0'),
+                'orig3' => array('value4')
+            ),
+            'Destination' => [
+                'attributes' => ['eduPersonPrincipalName', 'givenName']
+            ],
+            'newKey' => ['newValue']
+        );
+
+        $this->assertEquals($expected, $this->processFilter($config, $request));
+    }
 }