From d708ce5d67e11b67504171b71f422bedbe44e79e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jaime=20Pe=CC=81rez?= <jaime.perez@uninett.no>
Date: Wed, 31 Aug 2016 13:05:39 +0200
Subject: [PATCH] Use the new SAML error exceptions in the saml module.

Instead of keeping SAML-specific error exceptions in lib/SimpleSAML/Error, it makes more sense to have those in the saml module. Now that we have the recent NoAvailableIDP and NoSupportedIDP errors moved there, it's time to change the code implemented recently that uses them.
---
 modules/saml/lib/Auth/Source/SP.php        | 20 ++++++++++++++++----
 modules/saml/lib/Error.php                 | 14 --------------
 modules/saml/www/proxy/invalid_session.php |  9 +++++++--
 3 files changed, 23 insertions(+), 20 deletions(-)

diff --git a/modules/saml/lib/Auth/Source/SP.php b/modules/saml/lib/Auth/Source/SP.php
index 99827f59c..468f5f8f4 100644
--- a/modules/saml/lib/Auth/Source/SP.php
+++ b/modules/saml/lib/Auth/Source/SP.php
@@ -392,11 +392,17 @@ class sspmod_saml_Auth_Source_SP extends SimpleSAML_Auth_Source {
 			$intersection = array_intersect($state['saml:IDPList'], array_keys($known_idps));
 
 			if (empty($intersection)) { // all requested IdPs are unknown
-				throw new SimpleSAML\Error\NoSupportedIDP('None of the IdPs requested are supported by this proxy.');
+				throw new SimpleSAML\Module\saml\Error\NoSupportedIDP(
+					\SAML2\Constants::STATUS_REQUESTER,
+					'None of the IdPs requested are supported by this proxy.'
+				);
 			}
 
 			if (!is_null($idp) && !in_array($idp, $intersection)) { // the IdP is enforced but not in the IDPList
-				throw new SimpleSAML\Error\NoAvailableIDP('None of the IdPs requested are available to this proxy.');
+				throw new SimpleSAML\Module\saml\Error\NoAvailableIDP(
+					\SAML2\Constants::STATUS_REQUESTER,
+					'None of the IdPs requested are available to this proxy.'
+				);
 			}
 
 			if (is_null($idp) && sizeof($intersection) === 1) { // only one IdP requested or valid
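Review bot: The added throws pass `\SAML2\Constants::STATUS_REQUESTER`, while the mapping this commit deletes from modules/saml/lib/Error.php built the same two errors with `STATUS_RESPONDER`. Assuming the first constructor argument is the top-level status, the status a requesting SP receives for an unusable IDPList changes, yet the commit message describes only a move of the exception classes. If the change is intended, state it in the description and add a one-line comment at the first throw, for example `// Requester: the IDPList sent by the SP contains no IdP this proxy can use`. The same applies to the throws in the hunks at -447 and -455. The enclosing method starts and ends outside the hunk.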
@@ -447,7 +453,10 @@ class sspmod_saml_Auth_Source_SP extends SimpleSAML_Auth_Source {
 			$intersection = array_intersect($state['saml:IDPList'], array_keys($known_idps));
 
 			if (empty($intersection)) { // all requested IdPs are unknown
-				throw new SimpleSAML\Error\NoSupportedIDP('None of the IdPs requested are supported by this proxy.');
+				throw new SimpleSAML\Module\saml\Error\NoSupportedIDP(
+					\SAML2\Constants::STATUS_REQUESTER,
+					'None of the IdPs requested are supported by this proxy.'
+				);
 			}
 
 			/*
@@ -455,7 +464,10 @@ class sspmod_saml_Auth_Source_SP extends SimpleSAML_Auth_Source {
 			 * see if this proxy enforces the use of one single IdP.
 			 */
 			if (!is_null($this->idp) && !in_array($this->idp, $intersection)) { // an IdP is enforced but not requested
-				throw new SimpleSAML\Error\NoAvailableIDP('None of the IdPs requested are available to this proxy.');
+				throw new SimpleSAML\Module\saml\Error\NoAvailableIDP(
+					\SAML2\Constants::STATUS_REQUESTER,
+					'None of the IdPs requested are available to this proxy.'
+				);
 			}
 
 			/*
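Review bot: The enforcement check on the context line `!in_array($this->idp, $intersection)` compares loosely, and `$intersection` is derived from `$state['saml:IDPList']`, which presumably originates from the requesting SP. Since this check decides whether the enforced IdP counts as requested, pass the strict flag: `!in_array($this->idp, $intersection, true)`. The matching check on `$idp` in the first hunk would take the same change. Entity IDs are normally strings on both sides, so this should not alter behaviour for valid input. The enclosing method continues outside the hunk.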
diff --git a/modules/saml/lib/Error.php b/modules/saml/lib/Error.php
index 8cf0fb15f..0fe406390 100644
--- a/modules/saml/lib/Error.php
+++ b/modules/saml/lib/Error.php
@@ -118,20 +118,6 @@ class sspmod_saml_Error extends SimpleSAML_Error_Exception {
 				$exception->getMessage(),
 				$exception
 			);
-		} elseif ($exception instanceof SimpleSAML\Error\NoAvailableIDP) {
-			$e = new self(
-				\SAML2\Constants::STATUS_RESPONDER,
-				\SAML2\Constants::STATUS_NO_AVAILABLE_IDP,
-				$exception->getMessage(),
-				$exception
-			);
-		} elseif ($exception instanceof SimpleSAML\Error\NoSupportedIDP) {
-			$e = new self(
-				\SAML2\Constants::STATUS_RESPONDER,
-				\SAML2\Constants::STATUS_NO_SUPPORTED_IDP,
-				$exception->getMessage(),
-				$exception
-			);
 		} else {
 			$e = new self(
 				\SAML2\Constants::STATUS_RESPONDER,
diff --git a/modules/saml/www/proxy/invalid_session.php b/modules/saml/www/proxy/invalid_session.php
index 5369ace8a..f110f8beb 100644
--- a/modules/saml/www/proxy/invalid_session.php
+++ b/modules/saml/www/proxy/invalid_session.php
@@ -28,8 +28,13 @@ try {
 
 if (isset($_POST['cancel'])) {
     // the user does not want to logout, cancel login
-    $e = new \SimpleSAML\Error\NoAvailableIDP('User refused to reauthenticate with any of the IdPs requested.');
-    SimpleSAML_Auth_State::throwException($state, $e);
+    SimpleSAML_Auth_State::throwException(
+        $state,
+        new \SimpleSAML\Module\saml\Error\NoAvailableIDP(
+            \SAML2\Constants::STATUS_RESPONDER,
+            'User refused to reauthenticate with any of the IdPs requested.'
+        )
+    );
 }
 
 if (isset($_POST['continue'])) {
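Review bot: This throw uses `\SAML2\Constants::STATUS_RESPONDER`, while the SP.php throws of the same NoAvailableIDP class in this commit use `STATUS_REQUESTER`, and nothing at the call site explains the difference. A short comment would stop the two from being made uniform by mistake later, for example `// Responder: the request was valid, the user declined to reauthenticate`. The branch also appears to rely on `SimpleSAML_Auth_State::throwException()` never returning, since otherwise execution would continue into the `continue` check below; noting that in the same comment would help readers. The script starts and ends outside the hunk.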
-- 
GitLab