diff --git a/lib/SimpleSAML/Auth/ProcessingChain.php b/lib/SimpleSAML/Auth/ProcessingChain.php index 1477203f73d366b8e0aa9463e3f6b6bb92f933cc..832ab7f707b47e0ccb0fb244fc89f989eb7ddf70 100644 --- a/lib/SimpleSAML/Auth/ProcessingChain.php +++ b/lib/SimpleSAML/Auth/ProcessingChain.php @@ -1,5 +1,4 @@ <?php - /** * Class for implementing authentication processing chains for IdPs. * @@ -7,38 +6,31 @@ * submitting a response to a SP. Examples of additional steps can be additional authentication * checks, or attribute consent requirements. * - * @author Olav Morken, UNINETT AS. * @package SimpleSAMLphp */ class SimpleSAML_Auth_ProcessingChain { - - /** * The list of remaining filters which should be applied to the state. */ const FILTERS_INDEX = 'SimpleSAML_Auth_ProcessingChain.filters'; - /** * The stage we use for completed requests. */ const COMPLETED_STAGE = 'SimpleSAML_Auth_ProcessingChain.completed'; - /** * The request parameter we will use to pass the state identifier when we redirect after * having completed processing of the state. */ const AUTHPARAM = 'AuthProcId'; - /** * All authentication processing filters, in the order they should be applied. */ private $filters; - /** * Initialize an authentication processing chain for the given service provider * and identity provider. @@ -46,11 +38,8 @@ class SimpleSAML_Auth_ProcessingChain * @param array $idpMetadata The metadata for the IdP. * @param array $spMetadata The metadata for the SP. */ - public function __construct($idpMetadata, $spMetadata, $mode = 'idp') + public function __construct(array $idpMetadata, array $spMetadata, $mode = 'idp') { - assert(is_array($idpMetadata)); - assert(is_array($spMetadata)); - $this->filters = array(); $config = SimpleSAML_Configuration::getInstance(); 
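Review bot: The constructor docblock in the last hunk on this line documents `$idpMetadata` and `$spMetadata` but has no entry for the third parameter `$mode`, which is now also the only parameter without a type hint. Add a line such as `@param string $mode The mode the chain is built for; defaults to 'idp'.` once the accepted values are confirmed, since how `$mode` is used is not visible in this hunk. The constructor body continues outside the hunk.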
@@ -71,12 +60,10 @@ class SimpleSAML_Auth_ProcessingChain self::addFilters($this->filters, $spFilters); } - SimpleSAML\Logger::debug('Filter config for ' . $idpMetadata['entityid'] . '->' . $spMetadata['entityid'] . ': ' . str_replace("\n", '', var_export($this->filters, true))); } - /** * Sort & merge filter configuration * @@ -85,11 +72,8 @@ class SimpleSAML_Auth_ProcessingChain * @param array &$target Target filter list. This list must be sorted. * @param array $src Source filters. May be unsorted. */ - private static function addFilters(&$target, $src) + private static function addFilters(array &$target, array $src) { - assert(is_array($target)); - assert(is_array($src)); - foreach ($src as $filter) { $fp = $filter->priority; @@ -105,17 +89,14 @@ class SimpleSAML_Auth_ProcessingChain } } - /** * Parse an array of authentication processing filters. * * @param array $filterSrc Array with filter configuration. * @return array Array of SimpleSAML_Auth_ProcessingFilter objects. */ - private static function parseFilterList($filterSrc) + private static function parseFilterList(array $filterSrc) { - assert(is_array($filterSrc)); - $parsedFilters = array(); foreach ($filterSrc as $priority => $filter) { @@ -134,7 +115,6 @@ class SimpleSAML_Auth_ProcessingChain return $parsedFilters; } - /** * Parse an authentication processing filter. * @@ -143,10 +123,8 @@ class SimpleSAML_Auth_ProcessingChain * definition.) * @return SimpleSAML_Auth_ProcessingFilter The parsed filter. */ - private static function parseFilter($config, $priority) + private static function parseFilter(array $config, $priority) { - assert(is_array($config)); - if (!array_key_exists('class', $config)) { throw new Exception('Authentication processing filter without name given.'); } @@ -157,7 +135,6 @@ class SimpleSAML_Auth_ProcessingChain return new $className($config, null); } - /** * Process the given state. * 
@@ -178,7 +155,7 @@ class SimpleSAML_Auth_ProcessingChain * * @param array &$state The state we are processing. */ - public function processState(&$state) + public function processState(array &$state) { assert(is_array($state)); assert(array_key_exists('ReturnURL', $state) || array_key_exists('ReturnCall', $state)); @@ -211,7 +188,6 @@ class SimpleSAML_Auth_ProcessingChain // Completed } - /** * Continues processing of the state. * @@ -223,10 +199,8 @@ class SimpleSAML_Auth_ProcessingChain * * @param array $state The state we are processing. */ - public static function resumeProcessing($state) + public static function resumeProcessing(array $state) { - assert(is_array($state)); - while (count($state[self::FILTERS_INDEX]) > 0) { $filter = array_shift($state[self::FILTERS_INDEX]); try { @@ -244,7 +218,6 @@ class SimpleSAML_Auth_ProcessingChain assert(array_key_exists('ReturnURL', $state) || array_key_exists('ReturnCall', $state)); assert(!array_key_exists('ReturnURL', $state) || !array_key_exists('ReturnCall', $state)); - if (array_key_exists('ReturnURL', $state)) { /* * Save state information, and redirect to the URL specified @@ -266,7 +239,6 @@ class SimpleSAML_Auth_ProcessingChain } } - /** * Process the given state passivly. * @@ -277,9 +249,8 @@ class SimpleSAML_Auth_ProcessingChain * * @param array &$state The state we are processing. */ - public function processStatePassive(&$state) + public function processStatePassive(array &$state) { - assert(is_array($state)); // Should not be set when calling this method assert(!array_key_exists('ReturnURL', $state)); diff --git a/lib/SimpleSAML/Auth/ProcessingFilter.php b/lib/SimpleSAML/Auth/ProcessingFilter.php index e6126da1de01bd040d39c5a8feff6f813761b290..9833e586e01e6cb3cc2d178b9a0895e447696871 100644 --- a/lib/SimpleSAML/Auth/ProcessingFilter.php +++ b/lib/SimpleSAML/Auth/ProcessingFilter.php @@ -1,6 +1,4 @@ <?php - - /** * Base class for authentication processing filters. * 
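Review bot: In `processState()` the `assert(is_array($state));` kept as a context line is now redundant next to the new `array &$state` hint, while the key-presence assert on `ReturnURL`/`ReturnCall` directly below it is the check that still needs enforcing. `assert()` does nothing when PHP runs with assertions disabled (`zend.assertions = -1`, the usual production setting on PHP 7), so in that configuration a state without a return target is not rejected here. I would drop the leftover `is_array` assert and replace the key check with an explicit guard such as `if (!array_key_exists('ReturnURL', $state) && !array_key_exists('ReturnCall', $state)) { throw new Exception('State has neither ReturnURL nor ReturnCall.'); }`. The same assert-only pattern remains in `resumeProcessing()` further down this file, in `Simple::logoutCompleted()`, and in `completeAuth()`, `loginCompleted()`, `completeLogout()` and `logoutCallback()` in Source.php, where `assert(false)` is also the only thing marking the end of a handler as unreachable. The body of `processState()` continues outside the hunk.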
@@ -15,12 +13,10 @@ * information in it, it should have a name on the form 'module:filter:attributename', to avoid name * collisions. * - * @author Olav Morken, UNINETT AS. * @package SimpleSAMLphp */ abstract class SimpleSAML_Auth_ProcessingFilter { - /** * Priority of this filter. * @@ -32,7 +28,6 @@ abstract class SimpleSAML_Auth_ProcessingFilter */ public $priority = 50; - /** * Constructor for a processing filter. * @@ -42,10 +37,8 @@ abstract class SimpleSAML_Auth_ProcessingFilter * @param array &$config Configuration for this filter. * @param mixed $reserved For future use. */ - public function __construct(&$config, $reserved) + public function __construct(array &$config, $reserved) { - assert(is_array($config)); - if (array_key_exists('%priority', $config)) { $this->priority = $config['%priority']; if (!is_int($this->priority)) { @@ -55,7 +48,6 @@ abstract class SimpleSAML_Auth_ProcessingFilter } } - /** * Process a request. * @@ -63,5 +55,5 @@ abstract class SimpleSAML_Auth_ProcessingFilter * * @param array &$request The request we are currently processing. */ - abstract public function process(&$request); + abstract public function process(array &$request); } diff --git a/lib/SimpleSAML/Auth/Simple.php b/lib/SimpleSAML/Auth/Simple.php index 9ad8e86a2d575cc8ab3a5edd289c4b4266ae8fc9..fffd73a756f47a93f5dd624e1fec4d735cccd621 100644 --- a/lib/SimpleSAML/Auth/Simple.php +++ b/lib/SimpleSAML/Auth/Simple.php @@ -17,7 +17,6 @@ use \SimpleSAML\Utils\HTTP; */ class Simple { - /** * The id of the authentication source we are accessing. * @@ -219,7 +218,6 @@ class Simple self::logoutCompleted($params); } - /** * Called when logout operation completes. * 
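Review bot: Adding the `array` hint to the abstract `process(array &$request)` changes the contract every filter has to match, not only the in-tree ones this commit updates. On PHP versions before 7.2 a subclass that still declares `process(&$request)` is rejected as incompatible with the abstract declaration and fails with a fatal error when the class is loaded, which for an authproc filter means the login flow stops; from 7.2 on the untyped form is accepted through parameter type widening. The minimum supported PHP version is not visible on this page, so if anything below 7.2 is still supported, either call this out in the upgrade notes for module authors or defer the hint on the abstract methods. The same applies to `abstract public function authenticate(array &$state);` in Source.php.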
@@ -227,9 +225,8 @@ class Simple * * @param array $state The state after the logout. */ - public static function logoutCompleted($state) + public static function logoutCompleted(array $state) { - assert(is_array($state)); assert(isset($state['ReturnTo']) || isset($state['ReturnCallback'])); if (isset($state['ReturnCallback'])) { @@ -246,7 +243,6 @@ class Simple } } - /** * Retrieve attributes of the current user. * @@ -257,7 +253,6 @@ class Simple */ public function getAttributes() { - if (!$this->isAuthenticated()) { // Not authenticated return array(); @@ -268,7 +263,6 @@ class Simple return $session->getAuthData($this->authSource, 'Attributes'); } - /** * Retrieve authentication data. * @@ -288,7 +282,6 @@ class Simple return $session->getAuthData($this->authSource, $name); } - /** * Retrieve all authentication data. * @@ -296,7 +289,6 @@ class Simple */ public function getAuthDataArray() { - if (!$this->isAuthenticated()) { return null; } @@ -305,7 +297,6 @@ class Simple return $session->getAuthState($this->authSource); } - /** * Retrieve a URL that can be used to log the user in. * @@ -330,7 +321,6 @@ class Simple return $login; } - /** * Retrieve a URL that can be used to log the user out. * @@ -355,7 +345,6 @@ class Simple return $logout; } - /** * Process a URL and modify it according to the application/baseURL configuration option, if present. * diff --git a/lib/SimpleSAML/Auth/Source.php b/lib/SimpleSAML/Auth/Source.php index 44cd69a727cb0788a46837ef38a3725785c69275..9bb14ee8bce881052cfe6b3cfcb37adcc2e483fe 100644 --- a/lib/SimpleSAML/Auth/Source.php +++ b/lib/SimpleSAML/Auth/Source.php 
@@ -7,13 +7,10 @@ use SimpleSAML\Auth\SourceFactory; * * An authentication source is any system which somehow authenticate the user. * - * @author Olav Morken, UNINETT AS. * @package SimpleSAMLphp */ abstract class SimpleSAML_Auth_Source { - - /** * The authentication source identifier. This identifier can be used to look up this object, for example when * returning from a login form. @@ -22,7 +19,6 @@ abstract class SimpleSAML_Auth_Source */ protected $authId; - /** * Constructor for an authentication source. * @@ -32,16 +28,12 @@ abstract class SimpleSAML_Auth_Source * @param array $info Information about this authentication source. * @param array &$config Configuration for this authentication source. */ - public function __construct($info, &$config) + public function __construct(array $info, array &$config) { - assert(is_array($info)); - assert(is_array($config)); - assert(array_key_exists('AuthId', $info)); $this->authId = $info['AuthId']; } - /** * Get sources of a specific type. * @@ -85,7 +77,6 @@ abstract class SimpleSAML_Auth_Source return $this->authId; } - /** * Process a request. * @@ -100,11 +91,10 @@ abstract class SimpleSAML_Auth_Source * * @param array &$state Information about the current authentication. */ - abstract public function authenticate(&$state); - + abstract public function authenticate(array &$state); /** - * Reauthenticate an user. + * Reauthenticate a user. * * This function is called by the IdP to give the authentication source a chance to * interact with the user even in the case when the user is already authenticated. @@ -123,7 +113,6 @@ abstract class SimpleSAML_Auth_Source } } - /** * Complete authentication. * 
@@ -133,9 +122,8 @@ abstract class SimpleSAML_Auth_Source * * @param array &$state Information about the current authentication. */ - public static function completeAuth(&$state) + public static function completeAuth(array &$state) { - assert(is_array($state)); assert(array_key_exists('LoginCompletedHandler', $state)); SimpleSAML_Auth_State::deleteState($state); @@ -147,7 +135,6 @@ abstract class SimpleSAML_Auth_Source assert(false); } - /** * Start authentication. * @@ -201,7 +188,6 @@ abstract class SimpleSAML_Auth_Source self::loginCompleted($state); } - /** * Called when a login operation has finished. * @@ -209,9 +195,8 @@ abstract class SimpleSAML_Auth_Source * * @param array $state The state after the login has completed. */ - public static function loginCompleted($state) + public static function loginCompleted(array $state) { - assert(is_array($state)); assert(array_key_exists('SimpleSAML_Auth_Source.Return', $state)); assert(array_key_exists('SimpleSAML_Auth_Source.id', $state)); assert(array_key_exists('Attributes', $state)); @@ -232,7 +217,6 @@ abstract class SimpleSAML_Auth_Source assert(false); } - /** * Log out from this authentication source. * @@ -246,9 +230,8 @@ abstract class SimpleSAML_Auth_Source * * @param array &$state Information about the current logout operation. */ - public function logout(&$state) + public function logout(array &$state) { - assert(is_array($state)); // default logout handler which doesn't do anything } @@ -262,9 +245,8 @@ abstract class SimpleSAML_Auth_Source * * @param array &$state Information about the current authentication. */ - public static function completeLogout(&$state) + public static function completeLogout(array &$state) { - assert(is_array($state)); assert(array_key_exists('LogoutCompletedHandler', $state)); SimpleSAML_Auth_State::deleteState($state); @@ -276,7 +258,6 @@ abstract class SimpleSAML_Auth_Source assert(false); } - /** * Create authentication source object from configuration array. * 
@@ -289,10 +270,9 @@ abstract class SimpleSAML_Auth_Source * @return SimpleSAML_Auth_Source The parsed authentication source. * @throws Exception If the authentication source is invalid. */ - private static function parseAuthSource($authId, $config) + private static function parseAuthSource($authId, array $config) { assert(is_string($authId)); - assert(is_array($config)); self::validateSource($config, $authId); @@ -318,7 +298,6 @@ abstract class SimpleSAML_Auth_Source return $authSource; } - /** * Retrieve authentication source. * @@ -370,15 +349,13 @@ abstract class SimpleSAML_Auth_Source ); } - /** * Called when the authentication source receives an external logout request. * * @param array $state State array for the logout operation. */ - public static function logoutCallback($state) + public static function logoutCallback(array $state) { - assert(is_array($state)); assert(array_key_exists('SimpleSAML_Auth_Source.logoutSource', $state)); $source = $state['SimpleSAML_Auth_Source.logoutSource']; @@ -395,7 +372,6 @@ abstract class SimpleSAML_Auth_Source $session->doLogout($source); } - /** * Add a logout callback association. * @@ -408,10 +384,9 @@ abstract class SimpleSAML_Auth_Source * @param string $assoc The identifier for this logout association. * @param array $state The state array passed to the authenticate-function. */ - protected function addLogoutCallback($assoc, $state) + protected function addLogoutCallback($assoc, array $state) { assert(is_string($assoc)); - assert(is_array($state)); if (!array_key_exists('LogoutCallback', $state)) { // the authentication requester doesn't have a logout callback @@ -441,7 +416,6 @@ abstract class SimpleSAML_Auth_Source ); } - /** * Call a logout callback based on association. * @@ -479,7 +453,6 @@ abstract class SimpleSAML_Auth_Source call_user_func($callback, $callbackState); } - /** * Retrieve list of authentication sources. * 
@@ -501,7 +474,7 @@ abstract class SimpleSAML_Auth_Source * * @throws Exception If the first element of $source is not an identifier for the auth source. */ - protected static function validateSource($source, $id) + protected static function validateSource(array $source, $id) { if (!array_key_exists(0, $source) || !is_string($source[0])) { throw new Exception( diff --git a/lib/SimpleSAML/Auth/State.php b/lib/SimpleSAML/Auth/State.php index 06bee7ae8e48058d0e5f9cffd29d0fc2f857373f..f86657b4fa6a4d945e029aeaf9b0d4017698106a 100644 --- a/lib/SimpleSAML/Auth/State.php +++ b/lib/SimpleSAML/Auth/State.php @@ -1,6 +1,5 @@ <?php - /** * This is a helper class for saving and loading state information. * 
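Review bot: The `array` hint on `validateSource(array $source, $id)` is evaluated before the function's own check, so a source entry that is not an array no longer reaches the `throw new Exception(` branch below it. On PHP 7 the caller gets a `TypeError` instead, which is not an `Exception`, so it bypasses `catch (Exception $e)` handlers and no longer matches the `@throws Exception` in the docblock. Since this function exists to turn malformed configuration into a readable error, I would leave the parameter untyped and make the shape check explicit: `if (!is_array($source) || !array_key_exists(0, $source) || !is_string($source[0])) {`. `parseAuthSource()` already hints its `$config`, so this matters for callers outside the visible hunks that pass raw configuration values; the function body also continues past the end of the hunk.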
@@ -25,74 +24,61 @@ * be passed to the handler defined by the EXCEPTION_HANDLER_URL or EXCEPTION_HANDLER_FUNC * elements of the state array. * - * @author Olav Morken, UNINETT AS. * @package SimpleSAMLphp */ class SimpleSAML_Auth_State { - - /** * The index in the state array which contains the identifier. */ const ID = 'SimpleSAML_Auth_State.id'; - /** * The index in the cloned state array which contains the identifier of the * original state. */ const CLONE_ORIGINAL_ID = 'SimpleSAML_Auth_State.cloneOriginalId'; - /** * The index in the state array which contains the current stage. */ const STAGE = 'SimpleSAML_Auth_State.stage'; - /** * The index in the state array which contains the restart URL. */ const RESTART = 'SimpleSAML_Auth_State.restartURL'; - /** * The index in the state array which contains the exception handler URL. */ const EXCEPTION_HANDLER_URL = 'SimpleSAML_Auth_State.exceptionURL'; - /** * The index in the state array which contains the exception handler function. */ const EXCEPTION_HANDLER_FUNC = 'SimpleSAML_Auth_State.exceptionFunc'; - /** * The index in the state array which contains the exception data. */ const EXCEPTION_DATA = 'SimpleSAML_Auth_State.exceptionData'; - /** * The stage of a state with an exception. */ const EXCEPTION_STAGE = 'SimpleSAML_Auth_State.exceptionStage'; - /** * The URL parameter which contains the exception state id. */ const EXCEPTION_PARAM = 'SimpleSAML_Auth_State_exceptionId'; - /** * State timeout. */ private static $stateTimeout = null; - /** * Get the persistent authentication state from the state array. * @@ -131,7 +117,6 @@ class SimpleSAML_Auth_State return $persistent; } - /** * Retrieve the ID of a state array. * 
@@ -142,9 +127,8 @@ class SimpleSAML_Auth_State * * @return string Identifier which can be used to retrieve the state later. */ - public static function getStateId(&$state, $rawId = false) + public static function getStateId(array &$state, $rawId = false) { - assert(is_array($state)); assert(is_bool($rawId)); if (!array_key_exists(self::ID, $state)) { @@ -162,7 +146,6 @@ class SimpleSAML_Auth_State return $id.':'.$state[self::RESTART]; } - /** * Retrieve state timeout. * @@ -178,7 +161,6 @@ class SimpleSAML_Auth_State return self::$stateTimeout; } - /** * Save the state. * @@ -191,9 +173,8 @@ class SimpleSAML_Auth_State * * @return string Identifier which can be used to retrieve the state later. */ - public static function saveState(&$state, $stage, $rawId = false) + public static function saveState(array &$state, $stage, $rawId = false) { - assert(is_array($state)); assert(is_string($stage)); assert(is_bool($rawId)); @@ -213,7 +194,6 @@ class SimpleSAML_Auth_State return $return; } - /** * Clone the state. * @@ -239,7 +219,6 @@ class SimpleSAML_Auth_State return $clonedState; } - /** * Retrieve saved state. * @@ -308,7 +287,6 @@ class SimpleSAML_Auth_State return $state; } - /** * Delete state. * @@ -316,10 +294,8 @@ class SimpleSAML_Auth_State * * @param array &$state The state which should be deleted. */ - public static function deleteState(&$state) + public static function deleteState(array &$state) { - assert(is_array($state)); - if (!array_key_exists(self::ID, $state)) { // This state hasn't been saved return; @@ -331,7 +307,6 @@ class SimpleSAML_Auth_State $session->deleteData('SimpleSAML_Auth_State', $state[self::ID]); } - /** * Throw exception to the state exception handler. * 
@@ -340,10 +315,8 @@ class SimpleSAML_Auth_State * * @throws SimpleSAML_Error_Exception If there is no exception handler defined, it will just throw the $exception. */ - public static function throwException($state, SimpleSAML_Error_Exception $exception) + public static function throwException(array $state, SimpleSAML_Error_Exception $exception) { - assert(is_array($state)); - if (array_key_exists(self::EXCEPTION_HANDLER_URL, $state)) { // Save the exception $state[self::EXCEPTION_DATA] = $exception; @@ -369,7 +342,6 @@ class SimpleSAML_Auth_State } } - /** * Retrieve an exception state. * @@ -395,7 +367,6 @@ class SimpleSAML_Auth_State return $state; } - /** * Get the ID and (optionally) a URL embedded in a StateID, in the form 'id:url'. * @@ -403,9 +374,6 @@ class SimpleSAML_Auth_State * * @return array A hashed array with the ID and the URL (if any), in the 'id' and 'url' keys, respectively. If * there's no URL in the input parameter, NULL will be returned as the value for the 'url' key. - * - * @author Andreas Solberg, UNINETT AS <andreas.solberg@uninett.no> - * @author Jaime Perez, UNINETT AS <jaime.perez@uninett.no> */ public static function parseStateID($stateId) { diff --git a/modules/authX509/lib/Auth/Process/ExpiryWarning.php b/modules/authX509/lib/Auth/Process/ExpiryWarning.php index 0a6fe5bf9bb48df307d7baa78ff918c83762f179..ece6156ab6bb1e1e0163109100e8d54538dd46d9 100644 --- a/modules/authX509/lib/Auth/Process/ExpiryWarning.php +++ b/modules/authX509/lib/Auth/Process/ExpiryWarning.php @@ -11,7 +11,6 @@ * ), * </code> * - * @author Joost van Dijk, SURFnet. <Joost.vanDijk@surfnet.nl> * @package SimpleSAMLphp */ class sspmod_authX509_Auth_Process_ExpiryWarning extends SimpleSAML_Auth_ProcessingFilter 
@@ -26,12 +25,10 @@ class sspmod_authX509_Auth_Process_ExpiryWarning extends SimpleSAML_Auth_Process * @param array $config Configuration information about this filter. * @param mixed $reserved For future use. */ - public function __construct($config, $reserved) + public function __construct(array $config, $reserved) { parent::__construct($config, $reserved); - assert(is_array($config)); - if (array_key_exists('warndaysbefore', $config)) { $this->warndaysbefore = $config['warndaysbefore']; if (!is_string($this->warndaysbefore)) { @@ -55,10 +52,8 @@ class sspmod_authX509_Auth_Process_ExpiryWarning extends SimpleSAML_Auth_Process * * @param array $state The state of the response. */ - public function process(&$state) + public function process(array &$state) { - assert(is_array($state)); - if (isset($state['isPassive']) && $state['isPassive'] === true) { // We have a passive request. Skip the warning return; diff --git a/modules/authX509/lib/Auth/Source/X509userCert.php b/modules/authX509/lib/Auth/Source/X509userCert.php index 36f93a48f7a11d6c1d660132a3e83622d7f42a77..ac90b07222d272c29f48074e732463d4101797d3 100644 --- a/modules/authX509/lib/Auth/Source/X509userCert.php +++ b/modules/authX509/lib/Auth/Source/X509userCert.php @@ -35,11 +35,8 @@ class sspmod_authX509_Auth_Source_X509userCert extends SimpleSAML_Auth_Source * @param array $info Information about this authentication source. * @param array &$config Configuration for this authentication source. */ - public function __construct($info, &$config) + public function __construct(array $info, array &$config) { - assert(is_array($info)); - assert(is_array($config)); - if (isset($config['authX509:x509attributes'])) { $this->x509attributes = $config['authX509:x509attributes']; } 
@@ -66,7 +63,7 @@ class sspmod_authX509_Auth_Source_X509userCert extends SimpleSAML_Auth_Source * * @param array &$state Information about the current authentication. */ - public function authFailed(&$state) + public function authFailed(array &$state) { $config = SimpleSAML_Configuration::getInstance(); @@ -87,9 +84,8 @@ class sspmod_authX509_Auth_Source_X509userCert extends SimpleSAML_Auth_Source * * @param array &$state Information about the current authentication. */ - public function authenticate(&$state) + public function authenticate(array &$state) { - assert(is_array($state)); $ldapcf = $this->ldapcf; if (!isset($_SERVER['SSL_CLIENT_CERT']) || @@ -196,7 +192,7 @@ class sspmod_authX509_Auth_Source_X509userCert extends SimpleSAML_Auth_Source * * @param array &$state Information about the current authentication. */ - public function authSuccesful(&$state) + public function authSuccesful(array &$state) { SimpleSAML_Auth_Source::completeAuth($state); diff --git a/modules/authYubiKey/lib/Auth/Source/YubiKey.php b/modules/authYubiKey/lib/Auth/Source/YubiKey.php index 2d19aa507d2e0d52b675c254a01f37d0593e774e..88607a541cbbccde9046669b1f9327f04c9e1c03 100644 --- a/modules/authYubiKey/lib/Auth/Source/YubiKey.php +++ b/modules/authYubiKey/lib/Auth/Source/YubiKey.php 
@@ -1,28 +1,4 @@ <?php - -/* - * Copyright (C) 2009 Andreas Ã…kre Solberg <andreas.solberg@uninett.no> - * Copyright (C) 2009 Simon Josefsson <simon@yubico.com>. - * - * This file is part of SimpleSAMLphp - * - * SimpleSAMLphp is free software; you can redistribute it and/or - * modify it under the terms of the GNU Lesser General Public License - * as published by the Free Software Foundation; either version 3 of - * the License, or (at your option) any later version. - * - * SimpleSAMLphp is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - * Lesser General Public License for more details. - * - * You should have received a copy of the GNU Lesser General Public - * License License along with GNU SASL Library; if not, write to the - * Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, - * Boston, MA 02110-1301, USA. - * - */ - /** * YubiKey authentication module, see http://www.yubico.com/developers/intro/ * * @@ -70,11 +46,8 @@ class sspmod_authYubiKey_Auth_Source_YubiKey extends SimpleSAML_Auth_Source * @param array $info Information about this authentication source. * @param array $config Configuration. */ - public function __construct($info, $config) + public function __construct(array $info, array $config) { - assert(is_array($info)); - assert(is_array($config)); - // Call the parent constructor first, as required by the interface parent::__construct($info, $config); @@ -96,10 +69,8 @@ class sspmod_authYubiKey_Auth_Source_YubiKey extends SimpleSAML_Auth_Source * * @param array &$state Information about the current authentication. */ - public function authenticate(&$state) + public function authenticate(array &$state) { - assert(is_array($state)); - // We are going to need the authId in order to retrieve this authentication source later $state[self::AUTHID] = $this->authId; 
diff --git a/modules/authcrypt/lib/Auth/Source/Hash.php b/modules/authcrypt/lib/Auth/Source/Hash.php index 1aca115745fddf89ddbfb2d4951cc8b827021594..2a7bb4433f79698b138187a25e7f3f385c904bee 100644 --- a/modules/authcrypt/lib/Auth/Source/Hash.php +++ b/modules/authcrypt/lib/Auth/Source/Hash.php @@ -1,26 +1,20 @@ <?php - - /** * Authentication source for username & hashed password. * * This class is an authentication source which stores all username/hashes in an array, * and authenticates users against this array. * - * @author Dyonisius Visser, TERENA. * @package SimpleSAMLphp */ class sspmod_authcrypt_Auth_Source_Hash extends sspmod_core_Auth_UserPassBase { - - /** * Our users, stored in an associative array. The key of the array is "<username>:<passwordhash>", * while the value of each element is a new array with the attributes for each user. */ private $users; - /** * Constructor for this authentication source. * @@ -29,11 +23,8 @@ class sspmod_authcrypt_Auth_Source_Hash extends sspmod_core_Auth_UserPassBase * * @throws Exception in case of a configuration error. */ - public function __construct($info, $config) + public function __construct(array $info, array $config) { - assert(is_array($info)); - assert(is_array($config)); - // Call the parent constructor first, as required by the interface parent::__construct($info, $config); @@ -66,7 +57,6 @@ class sspmod_authcrypt_Auth_Source_Hash extends sspmod_core_Auth_UserPassBase } } - /** * Attempt to log in using the given username and password. * diff --git a/modules/authcrypt/lib/Auth/Source/Htpasswd.php b/modules/authcrypt/lib/Auth/Source/Htpasswd.php index 84bc7ea3efdd1fc0d05d2eacaab6c4e755eada19..56e05d0d8e526c5d9ba135b49b2c63382f705db0 100644 --- a/modules/authcrypt/lib/Auth/Source/Htpasswd.php +++ b/modules/authcrypt/lib/Auth/Source/Htpasswd.php @@ -1,9 +1,7 @@ <?php - /** * Authentication source for Apache 'htpasswd' files. * - * @author Dyonisius (Dick) Visser, TERENA. * @package SimpleSAMLphp */ 
@@ -11,8 +9,6 @@ use WhiteHat101\Crypt\APR1_MD5; class sspmod_authcrypt_Auth_Source_Htpasswd extends sspmod_core_Auth_UserPassBase { - - /** * Our users, stored in an array, where each value is "<username>:<passwordhash>". * @@ -27,7 +23,6 @@ class sspmod_authcrypt_Auth_Source_Htpasswd extends sspmod_core_Auth_UserPassBas */ private $attributes = array(); - /** * Constructor for this authentication source. * @@ -36,11 +31,8 @@ class sspmod_authcrypt_Auth_Source_Htpasswd extends sspmod_core_Auth_UserPassBas * * @throws Exception if the htpasswd file is not readable or the static_attributes array is invalid. */ - public function __construct($info, $config) + public function __construct(array $info, array $config) { - assert(is_array($info)); - assert(is_array($config)); - // Call the parent constructor first, as required by the interface parent::__construct($info, $config); @@ -60,7 +52,6 @@ class sspmod_authcrypt_Auth_Source_Htpasswd extends sspmod_core_Auth_UserPassBas } } - /** * Attempt to log in using the given username and password. * diff --git a/modules/authfacebook/lib/Auth/Source/Facebook.php b/modules/authfacebook/lib/Auth/Source/Facebook.php index 865e152c38db35e7569b7678e3ea4ce627c76c56..8a7684b0ef7989e334d9d66caa4f8413fc8d82f4 100644 --- a/modules/authfacebook/lib/Auth/Source/Facebook.php +++ b/modules/authfacebook/lib/Auth/Source/Facebook.php 
@@ -1,143 +1,125 @@ <?php - /** * Authenticate using Facebook Platform. * - * @author Andreas Ã…kre Solberg, UNINETT AS. * @package SimpleSAMLphp */ -class sspmod_authfacebook_Auth_Source_Facebook extends SimpleSAML_Auth_Source { - - - /** - * The string used to identify our states. - */ - const STAGE_INIT = 'facebook:init'; - - - /** - * The key of the AuthId field in the state. - */ - const AUTHID = 'facebook:AuthId'; - - - /** - * Facebook App ID or API Key - */ - private $api_key; - - - /** - * Facebook App Secret - */ - private $secret; - - - /** - * Which additional data permissions to request from user - */ - private $req_perms; - - - /** - * A comma-separated list of user profile fields to request. - * - * Note that some user fields require appropriate permissions. For - * example, to retrieve the user's primary email address, "email" must - * be specified in both the req_perms and the user_fields parameter. - * - * When empty, only the app-specific user id and name will be returned. - * - * See the Graph API specification for all available user fields: - * https://developers.facebook.com/docs/graph-api/reference/v2.6/user - */ - private $user_fields; - - - /** - * Constructor for this authentication source. - * - * @param array $info Information about this authentication source. - * @param array $config Configuration. - */ - public function __construct($info, $config) { - assert(is_array($info)); - assert(is_array($config)); - - // Call the parent constructor first, as required by the interface - parent::__construct($info, $config); - - $cfgParse = SimpleSAML_Configuration::loadFromArray($config, 'authsources[' . var_export($this->authId, TRUE) . 
']'); - - $this->api_key = $cfgParse->getString('api_key'); - $this->secret = $cfgParse->getString('secret'); - $this->req_perms = $cfgParse->getString('req_perms', NULL); - $this->user_fields = $cfgParse->getString('user_fields', NULL); - } - - - /** - * Log-in using Facebook platform - * - * @param array &$state Information about the current authentication. - */ - public function authenticate(&$state) { - assert(is_array($state)); - - // We are going to need the authId in order to retrieve this authentication source later - $state[self::AUTHID] = $this->authId; - SimpleSAML_Auth_State::saveState($state, self::STAGE_INIT); - - $facebook = new sspmod_authfacebook_Facebook(array('appId' => $this->api_key, 'secret' => $this->secret), $state); - $facebook->destroySession(); - - $linkback = SimpleSAML\Module::getModuleURL('authfacebook/linkback.php'); - $url = $facebook->getLoginUrl(array('redirect_uri' => $linkback, 'scope' => $this->req_perms)); - SimpleSAML_Auth_State::saveState($state, self::STAGE_INIT); - - \SimpleSAML\Utils\HTTP::redirectTrustedURL($url); - } - - - public function finalStep(&$state) { - assert(is_array($state)); - - $facebook = new sspmod_authfacebook_Facebook(array('appId' => $this->api_key, 'secret' => $this->secret), $state); - $uid = $facebook->getUser(); - - if (isset($uid) && $uid) { - try { - $info = $facebook->api("/" . $uid . ($this->user_fields ? "?fields=" . $this->user_fields : "")); - } catch (FacebookApiException $e) { - throw new SimpleSAML_Error_AuthSource($this->authId, 'Error getting user profile.', $e); - } - } - - if (!isset($info)) { - throw new SimpleSAML_Error_AuthSource($this->authId, 'Error getting user profile.'); - } - - $attributes = array(); - foreach($info AS $key => $value) { - if (is_string($value) && !empty($value)) { - $attributes['facebook.' . $key] = array((string)$value); - } - } - - if (array_key_exists('third_party_id', $info)) { - $attributes['facebook_user'] = array($info['third_party_id'] . 
'@facebook.com'); - } else { - $attributes['facebook_user'] = array($uid . '@facebook.com'); - } - - $attributes['facebook_targetedID'] = array('http://facebook.com!' . $uid); - $attributes['facebook_cn'] = array($info['name']); - - SimpleSAML\Logger::debug('Facebook Returned Attributes: '. implode(", ", array_keys($attributes))); - - $state['Attributes'] = $attributes; - - $facebook->destroySession(); - } - +class sspmod_authfacebook_Auth_Source_Facebook extends SimpleSAML_Auth_Source +{ + /** + * The string used to identify our states. + */ + const STAGE_INIT = 'facebook:init'; + + /** + * The key of the AuthId field in the state. + */ + const AUTHID = 'facebook:AuthId'; + + /** + * Facebook App ID or API Key + */ + private $api_key; + + /** + * Facebook App Secret + */ + private $secret; + + /** + * Which additional data permissions to request from user + */ + private $req_perms; + + /** + * A comma-separated list of user profile fields to request. + * + * Note that some user fields require appropriate permissions. For + * example, to retrieve the user's primary email address, "email" must + * be specified in both the req_perms and the user_fields parameter. + * + * When empty, only the app-specific user id and name will be returned. + * + * See the Graph API specification for all available user fields: + * https://developers.facebook.com/docs/graph-api/reference/v2.6/user + */ + private $user_fields; + + /** + * Constructor for this authentication source. + * + * @param array $info Information about this authentication source. + * @param array $config Configuration. + */ + public function __construct(array $info, array $config) + { + // Call the parent constructor first, as required by the interface + parent::__construct($info, $config); + + $cfgParse = SimpleSAML_Configuration::loadFromArray($config, 'authsources[' . var_export($this->authId, true) . 
']'); + + $this->api_key = $cfgParse->getString('api_key'); + $this->secret = $cfgParse->getString('secret'); + $this->req_perms = $cfgParse->getString('req_perms', null); + $this->user_fields = $cfgParse->getString('user_fields', null); + } + + /** + * Log-in using Facebook platform + * + * @param array &$state Information about the current authentication. + */ + public function authenticate(array &$state) { + // We are going to need the authId in order to retrieve this authentication source later + $state[self::AUTHID] = $this->authId; + SimpleSAML_Auth_State::saveState($state, self::STAGE_INIT); + + $facebook = new sspmod_authfacebook_Facebook(array('appId' => $this->api_key, 'secret' => $this->secret), $state); + $facebook->destroySession(); + + $linkback = SimpleSAML\Module::getModuleURL('authfacebook/linkback.php'); + $url = $facebook->getLoginUrl(array('redirect_uri' => $linkback, 'scope' => $this->req_perms)); + SimpleSAML_Auth_State::saveState($state, self::STAGE_INIT); + + \SimpleSAML\Utils\HTTP::redirectTrustedURL($url); + } + + public function finalStep(array &$state) { + $facebook = new sspmod_authfacebook_Facebook(array('appId' => $this->api_key, 'secret' => $this->secret), $state); + $uid = $facebook->getUser(); + + if (isset($uid) && $uid) { + try { + $info = $facebook->api("/" . $uid . ($this->user_fields ? "?fields=" . $this->user_fields : "")); + } catch (FacebookApiException $e) { + throw new SimpleSAML_Error_AuthSource($this->authId, 'Error getting user profile.', $e); + } + } + + if (!isset($info)) { + throw new SimpleSAML_Error_AuthSource($this->authId, 'Error getting user profile.'); + } + + $attributes = array(); + foreach($info AS $key => $value) { + if (is_string($value) && !empty($value)) { + $attributes['facebook.' . $key] = array((string)$value); + } + } + + if (array_key_exists('third_party_id', $info)) { + $attributes['facebook_user'] = array($info['third_party_id'] . 
'@facebook.com'); + } else { + $attributes['facebook_user'] = array($uid . '@facebook.com'); + } + + $attributes['facebook_targetedID'] = array('http://facebook.com!' . $uid); + $attributes['facebook_cn'] = array($info['name']); + + SimpleSAML\Logger::debug('Facebook Returned Attributes: '. implode(", ", array_keys($attributes))); + + $state['Attributes'] = $attributes; + + $facebook->destroySession(); + } } diff --git a/modules/authlinkedin/lib/Auth/Source/LinkedIn.php b/modules/authlinkedin/lib/Auth/Source/LinkedIn.php index ff961df0c66492fe1d03c0ed10ceedb7f350aa16..5ef5b8ca1b394563cb6637fdda4e94edcffaa100 100644 --- a/modules/authlinkedin/lib/Auth/Source/LinkedIn.php +++ b/modules/authlinkedin/lib/Auth/Source/LinkedIn.php @@ -5,12 +5,10 @@ require_once(dirname(dirname(dirname(dirname(dirname(__FILE__))))) . '/oauth/lib /** * Authenticate using LinkedIn. * - * @author Brook Schofield, TERENA. * @package SimpleSAMLphp */ class sspmod_authlinkedin_Auth_Source_LinkedIn extends SimpleSAML_Auth_Source { - /** * The string used to identify our states. */ @@ -32,11 +30,8 @@ class sspmod_authlinkedin_Auth_Source_LinkedIn extends SimpleSAML_Auth_Source * @param array $info Information about this authentication source. * @param array $config Configuration. */ - public function __construct($info, $config) + public function __construct(array $info, array $config) { - assert(is_array($info)); - assert(is_array($config)); - // Call the parent constructor first, as required by the interface parent::__construct($info, $config); 
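Review bot: In Facebook.php `finalStep()`, the line `$attributes['facebook_cn'] = array($info['name']);` reads `name` unconditionally, while `third_party_id` a few lines above is guarded with `array_key_exists`. The `$user_fields` docblock says the configured field list controls what the Graph API returns, so a list without `name` would presumably raise an undefined-index notice and store a null `facebook_cn`. Guard the read: `if (isset($info['name'])) { $attributes['facebook_cn'] = array($info['name']); }`. As a style point, the rewritten `authenticate()` and `finalStep()` keep the opening brace on the signature line, unlike the constructor in the same hunk.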
@@ -58,17 +53,14 @@ class sspmod_authlinkedin_Auth_Source_LinkedIn extends SimpleSAML_Auth_Source } } - /** * Log-in using LinkedIn platform * Documentation at: http://developer.linkedin.com/docs/DOC-1008 * * @param array &$state Information about the current authentication. */ - public function authenticate(&$state) + public function authenticate(array &$state) { - assert(is_array($state)); - // We are going to need the authId in order to retrieve this authentication source later $state[self::AUTHID] = $this->authId; @@ -97,8 +89,7 @@ class sspmod_authlinkedin_Auth_Source_LinkedIn extends SimpleSAML_Auth_Source $consumer->getAuthorizeRequest('https://www.linkedin.com/uas/oauth/authenticate', $requestToken); } - - public function finalStep(&$state) + public function finalStep(array &$state) { $requestToken = $state['authlinkedin:requestToken']; @@ -167,7 +158,7 @@ class sspmod_authlinkedin_Auth_Source_LinkedIn extends SimpleSAML_Auth_Source * * @return array the array with the new concatenated keys */ - protected function flatten($array, $prefix = '') + protected function flatten(array $array, $prefix = '') { $result = array(); foreach ($array as $key => $value) { diff --git a/modules/authorize/lib/Auth/Process/Authorize.php b/modules/authorize/lib/Auth/Process/Authorize.php index 68c5ad009f1f712359baf7878934847593e032af..c6c19fc6c99069e7cdf2568f1189b5659646dc64 100644 --- a/modules/authorize/lib/Auth/Process/Authorize.php +++ b/modules/authorize/lib/Auth/Process/Authorize.php 
@@ -1,133 +1,129 @@ <?php - /** * Filter to authorize only certain users. * See docs directory. * - * @author Ernesto Revilla, Yaco Sistemas SL., Ryan Panning * @package SimpleSAMLphp */ -class sspmod_authorize_Auth_Process_Authorize extends SimpleSAML_Auth_ProcessingFilter { - - /** - * Flag to deny/unauthorize the user a attribute filter IS found - * - * @var bool - */ - protected $deny = FALSE; - - /** - * Flag to turn the REGEX pattern matching on or off - * - * @var bool - */ - protected $regex = TRUE; - - /** - * Array of valid users. Each element is a regular expression. You should - * user \ to escape special chars, like '.' etc. - * - */ - protected $valid_attribute_values = array(); - - - /** - * Initialize this filter. - * Validate configuration parameters. - * - * @param array $config Configuration information about this filter. - * @param mixed $reserved For future use. - */ - public function __construct($config, $reserved) { - parent::__construct($config, $reserved); - - assert(is_array($config)); - - // Check for the deny option, get it and remove it - // Must be bool specifically, if not, it might be for a attrib filter below - if (isset($config['deny']) && is_bool($config['deny'])) { - $this->deny = $config['deny']; - unset($config['deny']); - } - - // Check for the regex option, get it and remove it - // Must be bool specifically, if not, it might be for a attrib filter below - if (isset($config['regex']) && is_bool($config['regex'])) { - $this->regex = $config['regex']; - unset($config['regex']); - } - - foreach ($config as $attribute => $values) { - if (is_string($values)) - $values = array($values); - if (!is_array($values)) - throw new Exception('Filter Authorize: Attribute values is neither string nor array: ' . var_export($attribute, TRUE)); - foreach ($values as $value){ - if(!is_string($value)) { - throw new Exception('Filter Authorize: Each value should be a string for attribute: ' . var_export($attribute, TRUE) . ' value: ' . 
var_export($value, TRUE) . ' Config is: ' . var_export($config, TRUE)); - } - } - $this->valid_attribute_values[$attribute] = $values; - } - } - - - /** - * Apply filter to validate attributes. - * - * @param array &$request The current request - */ - public function process(&$request) { - $authorize = $this->deny; - assert(is_array($request)); - assert(array_key_exists('Attributes', $request)); - - $attributes =& $request['Attributes']; - - foreach ($this->valid_attribute_values as $name => $patterns) { - if(array_key_exists($name, $attributes)) { - foreach ($patterns as $pattern){ - $values = $attributes[$name]; - if (!is_array($values)) - $values = array($values); - foreach ($values as $value){ - if ($this->regex) { - $matched = preg_match($pattern, $value); - } else { - $matched = ($value == $pattern); - } - if ($matched) { - $authorize = ($this->deny ? FALSE : TRUE); - break 3; - } - } - } - } - } - if (!$authorize){ - $this->unauthorized($request); - } - } - - - /** - * When the process logic determines that the user is not - * authorized for this service, then forward the user to - * an 403 unauthorized page. - * - * Separated this code into its own method so that child - * classes can override it and change the action. Forward - * thinking in case a "chained" ACL is needed, more complex - * permission logic. 
- * - * @param array $request - */ - protected function unauthorized(&$request) { - // Save state and redirect to 403 page - $id = SimpleSAML_Auth_State::saveState($request, - 'authorize:Authorize'); - $url = SimpleSAML\Module::getModuleURL( - 'authorize/authorize_403.php'); - \SimpleSAML\Utils\HTTP::redirectTrustedURL($url, array('StateId' => $id)); - } +class sspmod_authorize_Auth_Process_Authorize extends SimpleSAML_Auth_ProcessingFilter +{ + /** + * Flag to deny/unauthorize the user a attribute filter IS found + * + * @var bool + */ + protected $deny = false; + + /** + * Flag to turn the REGEX pattern matching on or off + * + * @var bool + */ + protected $regex = true; + + /** + * Array of valid users. Each element is a regular expression. You should + * user \ to escape special chars, like '.' etc. + * + */ + protected $valid_attribute_values = []; + + /** + * Initialize this filter. + * Validate configuration parameters. + * + * @param array $config Configuration information about this filter. + * @param mixed $reserved For future use. + */ + public function __construct(array $config, $reserved) + { + parent::__construct($config, $reserved); + + // Check for the deny option, get it and remove it + // Must be bool specifically, if not, it might be for a attrib filter below + if (isset($config['deny']) && is_bool($config['deny'])) { + $this->deny = $config['deny']; + unset($config['deny']); + } + + // Check for the regex option, get it and remove it + // Must be bool specifically, if not, it might be for a attrib filter below + if (isset($config['regex']) && is_bool($config['regex'])) { + $this->regex = $config['regex']; + unset($config['regex']); + } + + foreach ($config as $attribute => $values) { + if (is_string($values)) + $values = array($values); + if (!is_array($values)) + throw new Exception('Filter Authorize: Attribute values is neither string nor array: ' . 
var_export($attribute, true)); + foreach ($values as $value){ + if(!is_string($value)) { + throw new Exception('Filter Authorize: Each value should be a string for attribute: ' . var_export($attribute, true) . ' value: ' . var_export($value, true) . ' Config is: ' . var_export($config, true)); + } + } + $this->valid_attribute_values[$attribute] = $values; + } + } + + + /** + * Apply filter to validate attributes. + * + * @param array &$request The current request + */ + public function process(array &$request) + { + $authorize = $this->deny; + assert(array_key_exists('Attributes', $request)); + + $attributes =& $request['Attributes']; + + foreach ($this->valid_attribute_values as $name => $patterns) { + if(array_key_exists($name, $attributes)) { + foreach ($patterns as $pattern){ + $values = $attributes[$name]; + if (!is_array($values)) + $values = array($values); + foreach ($values as $value){ + if ($this->regex) { + $matched = preg_match($pattern, $value); + } else { + $matched = ($value == $pattern); + } + if ($matched) { + $authorize = ($this->deny ? false : true); + break 3; + } + } + } + } + } + if (!$authorize){ + $this->unauthorized($request); + } + } + + /** + * When the process logic determines that the user is not + * authorized for this service, then forward the user to + * an 403 unauthorized page. + * + * Separated this code into its own method so that child + * classes can override it and change the action. Forward + * thinking in case a "chained" ACL is needed, more complex + * permission logic. + * + * @param array $request + */ + protected function unauthorized(array &$request) + { + // Save state and redirect to 403 page + $id = SimpleSAML_Auth_State::saveState($request, + 'authorize:Authorize'); + $url = SimpleSAML\Module::getModuleURL( + 'authorize/authorize_403.php'); + \SimpleSAML\Utils\HTTP::redirectTrustedURL($url, array('StateId' => $id)); + } } 
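Review bot: In `process()`, the return value of `preg_match($pattern, $value)` is used as a plain boolean, so a `false` return (invalid pattern or PCRE error) is treated as "no match". With `deny` enabled, `$authorize` starts out true and only a match clears it, so a failing pattern lets the user through. Handle the error explicitly, for example `if ($matched === false) { throw new Exception('Filter Authorize: invalid pattern ' . var_export($pattern, true)); }`. In non-regex mode `$value == $pattern` compares loosely, so numeric-looking strings such as `'1e3'` and `'1000'` are considered equal; `$matched = ($value === $pattern);` avoids that.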
diff --git a/modules/authtwitter/lib/Auth/Source/Twitter.php b/modules/authtwitter/lib/Auth/Source/Twitter.php index 2b5d68d9328aa4dacbe5ec64e0ee191b54539da9..6ffba993e10a3a7ef1cdc3737af332dea5539846 100644 --- a/modules/authtwitter/lib/Auth/Source/Twitter.php +++ b/modules/authtwitter/lib/Auth/Source/Twitter.php @@ -5,25 +5,24 @@ require_once(dirname(dirname(dirname(dirname(dirname(__FILE__))))) . '/oauth/lib /** * Authenticate using Twitter. * - * @author Andreas Ã…kre Solberg, UNINETT AS. * @package SimpleSAMLphp */ class sspmod_authtwitter_Auth_Source_Twitter extends SimpleSAML_Auth_Source { - /** - * The string used to identify our states. - */ - const STAGE_INIT = 'twitter:init'; + /** + * The string used to identify our states. + */ + const STAGE_INIT = 'twitter:init'; - /** - * The key of the AuthId field in the state. - */ - const AUTHID = 'twitter:AuthId'; + /** + * The key of the AuthId field in the state. + */ + const AUTHID = 'twitter:AuthId'; /** * @var string */ - private $key; + private $key; /** * @var string 
@@ -33,117 +32,110 @@ class sspmod_authtwitter_Auth_Source_Twitter extends SimpleSAML_Auth_Source /** * @var bool */ - private $force_login; + private $force_login; /** * @var bool */ private $include_email; - /** - * Constructor for this authentication source. - * - * @param array $info Information about this authentication source. - * @param array $config Configuration. - */ - public function __construct($info, $config) + /** + * Constructor for this authentication source. + * + * @param array $info Information about this authentication source. + * @param array $config Configuration. + */ + public function __construct(array $info, array $config) { - assert(is_array($info)); - assert(is_array($config)); - - // Call the parent constructor first, as required by the interface - parent::__construct($info, $config); - - $configObject = SimpleSAML_Configuration::loadFromArray($config, 'authsources[' . var_export($this->authId, true) . ']'); + // Call the parent constructor first, as required by the interface + parent::__construct($info, $config); - $this->key = $configObject->getString('key'); - $this->secret = $configObject->getString('secret'); - $this->force_login = $configObject->getBoolean('force_login', false); - $this->include_email = $configObject->getBoolean('include_email', false); - } + $configObject = SimpleSAML_Configuration::loadFromArray($config, 'authsources[' . var_export($this->authId, true) . ']'); + $this->key = $configObject->getString('key'); + $this->secret = $configObject->getString('secret'); + $this->force_login = $configObject->getBoolean('force_login', false); + $this->include_email = $configObject->getBoolean('include_email', false); + } - /** - * Log-in using Twitter platform - * - * @param array &$state Information about the current authentication. - */ - public function authenticate(&$state) + /** + * Log-in using Twitter platform + * + * @param array &$state Information about the current authentication. 
+ */ + public function authenticate(array &$state) { - assert(is_array($state)); - - // We are going to need the authId in order to retrieve this authentication source later - $state[self::AUTHID] = $this->authId; - - $stateID = SimpleSAML_Auth_State::saveState($state, self::STAGE_INIT); - - $consumer = new sspmod_oauth_Consumer($this->key, $this->secret); - // Get the request token - $linkback = SimpleSAML\Module::getModuleURL('authtwitter/linkback.php', array('AuthState' => $stateID)); - $requestToken = $consumer->getRequestToken('https://api.twitter.com/oauth/request_token', array('oauth_callback' => $linkback)); - SimpleSAML\Logger::debug("Got a request token from the OAuth service provider [" . - $requestToken->key . "] with the secret [" . $requestToken->secret . "]"); - - $state['authtwitter:authdata:requestToken'] = $requestToken; - SimpleSAML_Auth_State::saveState($state, self::STAGE_INIT); - - // Authorize the request token - $url = 'https://api.twitter.com/oauth/authenticate'; - if ($this->force_login) { - $url = \SimpleSAML\Utils\HTTP::addURLParameters($url, array('force_login' => 'true')); - } - $consumer->getAuthorizeRequest($url, $requestToken); - } - - - public function finalStep(&$state) + // We are going to need the authId in order to retrieve this authentication source later + $state[self::AUTHID] = $this->authId; + + $stateID = SimpleSAML_Auth_State::saveState($state, self::STAGE_INIT); + + $consumer = new sspmod_oauth_Consumer($this->key, $this->secret); + // Get the request token + $linkback = SimpleSAML\Module::getModuleURL('authtwitter/linkback.php', array('AuthState' => $stateID)); + $requestToken = $consumer->getRequestToken('https://api.twitter.com/oauth/request_token', array('oauth_callback' => $linkback)); + SimpleSAML\Logger::debug("Got a request token from the OAuth service provider [" . + $requestToken->key . "] with the secret [" . $requestToken->secret . 
"]"); + + $state['authtwitter:authdata:requestToken'] = $requestToken; + SimpleSAML_Auth_State::saveState($state, self::STAGE_INIT); + + // Authorize the request token + $url = 'https://api.twitter.com/oauth/authenticate'; + if ($this->force_login) { + $url = \SimpleSAML\Utils\HTTP::addURLParameters($url, array('force_login' => 'true')); + } + $consumer->getAuthorizeRequest($url, $requestToken); + } + + public function finalStep(array &$state) { - $requestToken = $state['authtwitter:authdata:requestToken']; - $parameters = array(); - - if (!isset($_REQUEST['oauth_token'])) { - throw new SimpleSAML_Error_BadRequest("Missing oauth_token parameter."); - } - if ($requestToken->key !== (string)$_REQUEST['oauth_token']) { - throw new SimpleSAML_Error_BadRequest("Invalid oauth_token parameter."); - } - - if (!isset($_REQUEST['oauth_verifier'])) { - throw new SimpleSAML_Error_BadRequest("Missing oauth_verifier parameter."); - } - $parameters['oauth_verifier'] = (string)$_REQUEST['oauth_verifier']; - - $consumer = new sspmod_oauth_Consumer($this->key, $this->secret); - - SimpleSAML\Logger::debug("oauth: Using this request token [" . - $requestToken->key . "] with the secret [" . $requestToken->secret . "]"); - - // Replace the request token with an access token - $accessToken = $consumer->getAccessToken('https://api.twitter.com/oauth/access_token', $requestToken, $parameters); - SimpleSAML\Logger::debug("Got an access token from the OAuth service provider [" . - $accessToken->key . "] with the secret [" . $accessToken->secret . "]"); - - $verify_credentials_url = 'https://api.twitter.com/1.1/account/verify_credentials.json'; - if ($this->include_email) { - $verify_credentials_url = $verify_credentials_url . 
'?include_email=true'; - } - $userdata = $consumer->getUserInfo($verify_credentials_url, $accessToken); - - if (!isset($userdata['id_str']) || !isset($userdata['screen_name'])) { - throw new SimpleSAML_Error_AuthSource($this->authId, 'Authentication error: id_str and screen_name not set.'); - } - - $attributes = array(); - foreach ($userdata as $key => $value) { - if (is_string($value)) { - $attributes['twitter.' . $key] = array((string)$value); + $requestToken = $state['authtwitter:authdata:requestToken']; + $parameters = array(); + + if (!isset($_REQUEST['oauth_token'])) { + throw new SimpleSAML_Error_BadRequest("Missing oauth_token parameter."); + } + if ($requestToken->key !== (string)$_REQUEST['oauth_token']) { + throw new SimpleSAML_Error_BadRequest("Invalid oauth_token parameter."); + } + + if (!isset($_REQUEST['oauth_verifier'])) { + throw new SimpleSAML_Error_BadRequest("Missing oauth_verifier parameter."); + } + $parameters['oauth_verifier'] = (string)$_REQUEST['oauth_verifier']; + + $consumer = new sspmod_oauth_Consumer($this->key, $this->secret); + + SimpleSAML\Logger::debug("oauth: Using this request token [" . + $requestToken->key . "] with the secret [" . $requestToken->secret . "]"); + + // Replace the request token with an access token + $accessToken = $consumer->getAccessToken('https://api.twitter.com/oauth/access_token', $requestToken, $parameters); + SimpleSAML\Logger::debug("Got an access token from the OAuth service provider [" . + $accessToken->key . "] with the secret [" . $accessToken->secret . "]"); + + $verify_credentials_url = 'https://api.twitter.com/1.1/account/verify_credentials.json'; + if ($this->include_email) { + $verify_credentials_url = $verify_credentials_url . 
'?include_email=true'; + } + $userdata = $consumer->getUserInfo($verify_credentials_url, $accessToken); + + if (!isset($userdata['id_str']) || !isset($userdata['screen_name'])) { + throw new SimpleSAML_Error_AuthSource($this->authId, 'Authentication error: id_str and screen_name not set.'); + } + + $attributes = array(); + foreach ($userdata as $key => $value) { + if (is_string($value)) { + $attributes['twitter.' . $key] = array((string)$value); } - } - - $attributes['twitter_at_screen_name'] = array('@' . $userdata['screen_name']); - $attributes['twitter_screen_n_realm'] = array($userdata['screen_name'] . '@twitter.com'); - $attributes['twitter_targetedID'] = array('http://twitter.com!' . $userdata['id_str']); - - $state['Attributes'] = $attributes; - } + } + + $attributes['twitter_at_screen_name'] = array('@' . $userdata['screen_name']); + $attributes['twitter_screen_n_realm'] = array($userdata['screen_name'] . '@twitter.com'); + $attributes['twitter_targetedID'] = array('http://twitter.com!' . $userdata['id_str']); + + $state['Attributes'] = $attributes; + } } diff --git a/modules/authwindowslive/lib/Auth/Source/LiveID.php b/modules/authwindowslive/lib/Auth/Source/LiveID.php index 39fbfd1595f1762391885cd0b8adf0a80db6d4a4..d3ad06cdb148e4b9d625f5a69a2923480218433b 100644 --- a/modules/authwindowslive/lib/Auth/Source/LiveID.php +++ b/modules/authwindowslive/lib/Auth/Source/LiveID.php @@ -1,15 +1,11 @@ <?php - /** * Authenticate using LiveID. * - * @author Brook Schofield, TERENA. - * @author Guy Halse, TENET. * @package SimpleSAMLphp */ class sspmod_authwindowslive_Auth_Source_LiveID extends SimpleSAML_Auth_Source { - /** * The string used to identify our states. */ 
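Review bot: In Twitter.php, `authenticate()` and `finalStep()` still write OAuth token secrets to the debug log (`"] with the secret [" . $requestToken->secret . "]"` and the same for `$accessToken->secret`), and the re-indent carries those lines over unchanged. Debug logs are often readable by more people and systems than the authsource configuration, so the secrets should not appear there. Log only the token key, e.g. `SimpleSAML\Logger::debug("Got an access token from the OAuth service provider [" . $accessToken->key . "]");`, and apply the same to the two request-token messages.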
@@ -32,11 +28,8 @@ class sspmod_authwindowslive_Auth_Source_LiveID extends SimpleSAML_Auth_Source * * @throws Exception In case of misconfiguration. */ - public function __construct($info, $config) + public function __construct(array $info, array $config) { - assert(is_array($info)); - assert(is_array($config)); - // Call the parent constructor first, as required by the interface parent::__construct($info, $config); @@ -53,13 +46,12 @@ class sspmod_authwindowslive_Auth_Source_LiveID extends SimpleSAML_Auth_Source $this->secret = $config['secret']; } - /** * Log-in using LiveID platform * * @param array &$state Information about the current authentication. */ - public function authenticate(&$state) + public function authenticate(array &$state) { assert(is_array($state)); @@ -85,13 +77,12 @@ class sspmod_authwindowslive_Auth_Source_LiveID extends SimpleSAML_Auth_Source \SimpleSAML\Utils\HTTP::redirectTrustedURL($authorizeURL); } - /** * @param $state * * @throws Exception */ - public function finalStep(&$state) + public function finalStep(array &$state) { SimpleSAML\Logger::debug( "authwindowslive oauth: Using this verification code [".$state['authwindowslive:verification_code']."]" @@ -154,7 +145,6 @@ class sspmod_authwindowslive_Auth_Source_LiveID extends SimpleSAML_Auth_Source } } - SimpleSAML\Logger::debug('LiveID Returned Attributes: '. implode(", ", array_keys($attributes))); $state['Attributes'] = $attributes; diff --git a/modules/cas/lib/Auth/Source/CAS.php b/modules/cas/lib/Auth/Source/CAS.php index db045d3e63a7827ef3ff7967397fc701cf792585..36f15c87cc534d259e3ddcc20354a9b8a9ca83dc 100644 --- a/modules/cas/lib/Auth/Source/CAS.php +++ b/modules/cas/lib/Auth/Source/CAS.php @@ -5,7 +5,6 @@ * * Based on www/auth/login-cas.php by Mads Freek, RUC. * - * @author Danny Bollaert, UGent. * @package SimpleSAMLphp */ 
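Review bot: In LiveID.php, `authenticate(array &$state)` keeps the context line `assert(is_array($state));` even though the new `array` type declaration already enforces it. The other authentication sources touched by this commit drop that assert together with the signature change. Remove the line so the file is consistent with them. The body of `authenticate()` continues outside the hunk.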
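Review bot: `finalStep()` in LiveID.php writes the value of `$state['authwindowslive:verification_code']` to the debug log. The code is presumably what gets exchanged for an access token further down (the exchange is outside this hunk), so its value should stay out of log files. Log the event without the value, e.g. `SimpleSAML\Logger::debug('authwindowslive oauth: received verification code');`.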
diff --git a/modules/cdc/lib/Auth/Process/CDC.php b/modules/cdc/lib/Auth/Process/CDC.php index 9641da2ab90586b1d237ce7fb4aa0ab10d54d46f..421d8f40030cd09e7be1078350b4df7b804eb491 100644 --- a/modules/cdc/lib/Auth/Process/CDC.php +++ b/modules/cdc/lib/Auth/Process/CDC.php @@ -29,10 +29,9 @@ class sspmod_cdc_Auth_Process_CDC extends SimpleSAML_Auth_ProcessingFilter * @param array $config Configuration information about this filter. * @param mixed $reserved For future use. */ - public function __construct($config, $reserved) + public function __construct(array $config, $reserved) { parent::__construct($config, $reserved); - assert(is_array($config)); if (!isset($config['domain'])) { throw new SimpleSAML_Error_Exception('Missing domain option in cdc:CDC filter.'); @@ -48,10 +47,8 @@ class sspmod_cdc_Auth_Process_CDC extends SimpleSAML_Auth_ProcessingFilter * * @param array &$state The request state. */ - public function process(&$state) + public function process(array &$state) { - assert(is_array($state)); - if (!isset($state['Source']['entityid'])) { SimpleSAML\Logger::warning('saml:CDC: Could not find IdP entityID.'); return; diff --git a/modules/consent/lib/Auth/Process/Consent.php b/modules/consent/lib/Auth/Process/Consent.php index 0647ac84f194f457b48e5d83139f23cd30067ddf..ee7ce6f93d2d642639fa20e1bf6807ce50b2e232 100644 --- a/modules/consent/lib/Auth/Process/Consent.php +++ b/modules/consent/lib/Auth/Process/Consent.php @@ -1,6 +1,4 @@ <?php - - /** * Consent Authentication Processing filter * @@ -71,9 +69,8 @@ class sspmod_consent_Auth_Process_Consent extends SimpleSAML_Auth_ProcessingFilt * * @throws SimpleSAML_Error_Exception if the configuration is not valid. */ - public function __construct($config, $reserved) + public function __construct(array $config, $reserved) { - assert(is_array($config)); parent::__construct($config, $reserved); if (array_key_exists('includeValues', $config)) { 
@@ -215,9 +212,8 @@ class sspmod_consent_Auth_Process_Consent extends SimpleSAML_Auth_ProcessingFilt * * @throws SimpleSAML_Error_NoPassive if the request was passive and consent is needed. */ - public function process(&$state) + public function process(array &$state) { - assert(is_array($state)); assert(array_key_exists('UserID', $state)); assert(array_key_exists('Destination', $state)); assert(array_key_exists('entityid', $state['Destination'])); diff --git a/modules/core/lib/Auth/Process/AttributeAdd.php b/modules/core/lib/Auth/Process/AttributeAdd.php index 63aa03fb2becf34654b18b7f95b7a307c912c7b9..84e3fd09ee2a452d8cbf09b22113176b34329230 100644 --- a/modules/core/lib/Auth/Process/AttributeAdd.php +++ b/modules/core/lib/Auth/Process/AttributeAdd.php 
@@ -1,85 +1,79 @@ <?php - /** * Filter to add attributes. * * This filter allows you to add attributes to the attribute set being processed. * - * @author Olav Morken, UNINETT AS. * @package SimpleSAMLphp */ -class sspmod_core_Auth_Process_AttributeAdd extends SimpleSAML_Auth_ProcessingFilter { - - /** - * Flag which indicates wheter this filter should append new values or replace old values. - */ - private $replace = FALSE; - - - /** - * Attributes which should be added/appended. - * - * Assiciative array of arrays. - */ - private $attributes = array(); - - - /** - * Initialize this filter. - * - * @param array $config Configuration information about this filter. - * @param mixed $reserved For future use. - */ - public function __construct($config, $reserved) { - parent::__construct($config, $reserved); +class sspmod_core_Auth_Process_AttributeAdd extends SimpleSAML_Auth_ProcessingFilter +{ + /** + * Flag which indicates wheter this filter should append new values or replace old values. + */ + private $replace = false; - assert(is_array($config)); + /** + * Attributes which should be added/appended. + * + * Assiciative array of arrays. + */ + private $attributes = []; - foreach($config as $name => $values) { - if(is_int($name)) { - if($values === '%replace') { - $this->replace = TRUE; - } else { - throw new Exception('Unknown flag: ' . var_export($values, TRUE)); - } - continue; - } + /** + * Initialize this filter. + * + * @param array $config Configuration information about this filter. + * @param mixed $reserved For future use. + */ + public function __construct(array $config, $reserved) + { + parent::__construct($config, $reserved); - if(!is_array($values)) { - $values = array($values); - } - foreach($values as $value) { - if(!is_string($value)) { - throw new Exception('Invalid value for attribute ' . $name . ': ' . 
- var_export($values, TRUE)); - } - } + foreach($config as $name => $values) { + if(is_int($name)) { + if($values === '%replace') { + $this->replace = true; + } else { + throw new Exception('Unknown flag: ' . var_export($values, true)); + } + continue; + } - $this->attributes[$name] = $values; - } - } + if(!is_array($values)) { + $values = array($values); + } + foreach($values as $value) { + if(!is_string($value)) { + throw new Exception('Invalid value for attribute ' . $name . ': ' . + var_export($values, true)); + } + } + $this->attributes[$name] = $values; + } + } - /** - * Apply filter to add or replace attributes. - * - * Add or replace existing attributes with the configured values. - * - * @param array &$request The current request - */ - public function process(&$request) { - assert(is_array($request)); - assert(array_key_exists('Attributes', $request)); - $attributes =& $request['Attributes']; + /** + * Apply filter to add or replace attributes. + * + * Add or replace existing attributes with the configured values. + * + * @param array &$request The current request + */ + public function process(array &$request) + { + assert(array_key_exists('Attributes', $request)); - foreach($this->attributes as $name => $values) { - if($this->replace === TRUE || !array_key_exists($name, $attributes)) { - $attributes[$name] = $values; - } else { - $attributes[$name] = array_merge($attributes[$name], $values); - } - } - } + $attributes =& $request['Attributes']; + foreach($this->attributes as $name => $values) { + if($this->replace === true || !array_key_exists($name, $attributes)) { + $attributes[$name] = $values; + } else { + $attributes[$name] = array_merge($attributes[$name], $values); + } + } + } } diff --git a/modules/core/lib/Auth/Process/AttributeAlter.php b/modules/core/lib/Auth/Process/AttributeAlter.php index c53625790b57c44990ec666b6bf400cff330fbba..ddc7772134ea5120ebd41f27ffdac8f722ab48cf 100644 --- a/modules/core/lib/Auth/Process/AttributeAlter.php 
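Review bot: The constructor docblock in AttributeAdd.php does not say that it throws, although the body raises `Exception` for an unknown flag and for a non-string attribute value; add `@throws Exception If the configuration contains an unknown flag or a non-string value.` The re-indented property comments still carry the typos `wheter` and `Assiciative`, which could be corrected to `whether` and `Associative` while the lines are being touched. The new side also keeps `array($values)` and `foreach(`/`if(` without a space, unlike the `[]` literals and spacing used elsewhere in the commit.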
+++ b/modules/core/lib/Auth/Process/AttributeAlter.php @@ -4,7 +4,6 @@ * * This filter can modify or replace attributes given a regular expression. * - * @author Jacob Christiansen, WAYF * @package SimpleSAMLphp */ class sspmod_core_Auth_Process_AttributeAlter extends SimpleSAML_Auth_ProcessingFilter @@ -46,12 +45,10 @@ class sspmod_core_Auth_Process_AttributeAlter extends SimpleSAML_Auth_Processing * @param mixed $reserved For future use. * @throws SimpleSAML_Error_Exception In case of invalid configuration. */ - public function __construct($config, $reserved) + public function __construct(array $config, $reserved) { parent::__construct($config, $reserved); - assert(is_array($config)); - // parse filter configuration foreach ($config as $name => $value) { if (is_int($name)) { @@ -88,8 +85,8 @@ class sspmod_core_Auth_Process_AttributeAlter extends SimpleSAML_Auth_Processing * @param array &$request The current request. * @throws SimpleSAML_Error_Exception In case of invalid configuration. */ - public function process(&$request) { - assert(is_array($request)); + public function process(array &$request) + { assert(array_key_exists('Attributes', $request)); // get attributes from request diff --git a/modules/core/lib/Auth/Process/AttributeCopy.php b/modules/core/lib/Auth/Process/AttributeCopy.php index e2412a45c8d0ff36e41bf9cfc2e51a89d12ec48c..1b62952161e64a7e40c6e969027ec2aeebbc342e 100644 --- a/modules/core/lib/Auth/Process/AttributeCopy.php +++ b/modules/core/lib/Auth/Process/AttributeCopy.php @@ -1,9 +1,7 @@ <?php - /** * Attribute filter for renaming attributes. * - * @author Gyula Szabo MTA SZTAKI * @package SimpleSAMLphp * * You just follow the 'source' => 'destination' schema. In this example user's * cn will be the user's displayName. 
@@ -15,62 +13,57 @@ * ), * */ -class sspmod_core_Auth_Process_AttributeCopy extends SimpleSAML_Auth_ProcessingFilter { - - /** - * Assosiative array with the mappings of attribute names. - */ - private $map = array(); - - - /** - * Initialize this filter, parse configuration - * - * @param array $config Configuration information about this filter. - * @param mixed $reserved For future use. - */ - public function __construct($config, $reserved) { - parent::__construct($config, $reserved); - - assert(is_array($config)); - - foreach($config as $source => $destination) { +class sspmod_core_Auth_Process_AttributeCopy extends SimpleSAML_Auth_ProcessingFilter +{ + /** + * Assosiative array with the mappings of attribute names. + */ + private $map = []; - if(!is_string($source)) { - throw new Exception('Invalid source attribute name: ' . var_export($source, TRUE)); - } + /** + * Initialize this filter, parse configuration + * + * @param array $config Configuration information about this filter. + * @param mixed $reserved For future use. + */ + public function __construct(array $config, $reserved) { + parent::__construct($config, $reserved); - if(!is_string($destination) && !is_array($destination)) { - throw new Exception('Invalid destination attribute name: ' . var_export($destination, TRUE)); - } + foreach($config as $source => $destination) { + if(!is_string($source)) { + throw new Exception('Invalid source attribute name: ' . var_export($source, true)); + } - $this->map[$source] = $destination; - } - } + if(!is_string($destination) && !is_array($destination)) { + throw new Exception('Invalid destination attribute name: ' . var_export($destination, true)); + } + $this->map[$source] = $destination; + } + } - /** - * Apply filter to rename attributes. 
- * - * @param array &$request The current request - */ - public function process(&$request) { - assert(is_array($request)); - assert(array_key_exists('Attributes', $request)); - $attributes =& $request['Attributes']; + /** + * Apply filter to rename attributes. + * + * @param array &$request The current request + */ + public function process(array &$request) + { + assert(array_key_exists('Attributes', $request)); - foreach($attributes as $name => $values) { - if (array_key_exists($name,$this->map)){ - if (!is_array($this->map[$name])) { - $attributes[$this->map[$name]] = $values; - } else { - foreach ($this->map[$name] as $to_map) { - $attributes[$to_map] = $values; - } - } - } - } + $attributes =& $request['Attributes']; - } + foreach($attributes as $name => $values) { + if (array_key_exists($name,$this->map)){ + if (!is_array($this->map[$name])) { + $attributes[$this->map[$name]] = $values; + } else { + foreach ($this->map[$name] as $to_map) { + $attributes[$to_map] = $values; + } + } + } + } + } } diff --git a/modules/core/lib/Auth/Process/AttributeLimit.php b/modules/core/lib/Auth/Process/AttributeLimit.php index 0ae3a92770b4b8926731e0a12ccd7b9b79d81334..8b981f5e69e205040259e3a68c591c8183806a58 100644 --- a/modules/core/lib/Auth/Process/AttributeLimit.php +++ b/modules/core/lib/Auth/Process/AttributeLimit.php 
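Review bot: The docblock on `process()` in AttributeCopy.php says the filter renames attributes, but the loop only assigns `$attributes[$this->map[$name]] = $values` and never unsets `$name`, so the source attribute is kept and any values already present under the destination name are overwritten. Because this determines which attributes end up in the set, the comment should say so, e.g. `Copy attribute values to the configured destination name(s), replacing existing values there; the source attribute is left in place.` The constructor on the new side also keeps its opening brace on the signature line, unlike `process()`.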
@@ -1,116 +1,110 @@ <?php - /** * A filter for limiting which attributes are passed on. * - * @author Olav Morken, UNINETT AS. * @package SimpleSAMLphp */ -class sspmod_core_Auth_Process_AttributeLimit extends SimpleSAML_Auth_ProcessingFilter { - - /** - * List of attributes which this filter will allow through. - */ - private $allowedAttributes = array(); - - - /** - * Whether the 'attributes' option in the metadata takes precedence. - * - * @var bool - */ - private $isDefault = false; +class sspmod_core_Auth_Process_AttributeLimit extends SimpleSAML_Auth_ProcessingFilter +{ + /** + * List of attributes which this filter will allow through. + */ + private $allowedAttributes = []; + /** + * Whether the 'attributes' option in the metadata takes precedence. + * + * @var bool + */ + private $isDefault = false; - /** - * Initialize this filter. - * - * @param array $config Configuration information about this filter. - * @param mixed $reserved For future use + /** + * Initialize this filter. + * + * @param array $config Configuration information about this filter. + * @param mixed $reserved For future use * @throws SimpleSAML_Error_Exception If invalid configuration is found. - */ - public function __construct($config, $reserved) { - parent::__construct($config, $reserved); - - assert(is_array($config)); - - foreach ($config as $index => $value) { - if ($index === 'default') { - $this->isDefault = (bool)$value; - } elseif (is_int($index)) { - if (!is_string($value)) { - throw new SimpleSAML_Error_Exception('AttributeLimit: Invalid attribute name: ' . 
- var_export($value, TRUE)); - } - $this->allowedAttributes[] = $value; + */ + public function __construct(array $config, $reserved) + { + parent::__construct($config, $reserved); + + foreach ($config as $index => $value) { + if ($index === 'default') { + $this->isDefault = (bool)$value; + } elseif (is_int($index)) { + if (!is_string($value)) { + throw new SimpleSAML_Error_Exception('AttributeLimit: Invalid attribute name: ' . + var_export($value, true)); + } + $this->allowedAttributes[] = $value; } elseif (is_string($index)) { if (!is_array($value)) { - throw new SimpleSAML_Error_Exception('AttributeLimit: Values for ' . var_export($index, TRUE) . + throw new SimpleSAML_Error_Exception('AttributeLimit: Values for ' . var_export($index, true) . ' must be specified in an array.'); } $this->allowedAttributes[$index] = $value; - } else { - throw new SimpleSAML_Error_Exception('AttributeLimit: Invalid option: ' . var_export($index, TRUE)); - } - } - } - - - /** - * Get list of allowed from the SP/IdP config. - * - * @param array &$request The current request. - * @return array|NULL Array with attribute names, or NULL if no limit is placed. - */ - private static function getSPIdPAllowed(array &$request) { + } else { + throw new SimpleSAML_Error_Exception('AttributeLimit: Invalid option: ' . var_export($index, true)); + } + } + } - if (array_key_exists('attributes', $request['Destination'])) { - // SP Config - return $request['Destination']['attributes']; - } - if (array_key_exists('attributes', $request['Source'])) { - // IdP Config - return $request['Source']['attributes']; - } - return NULL; - } + /** + * Get list of allowed from the SP/IdP config. + * + * @param array &$request The current request. + * @return array|null Array with attribute names, or null if no limit is placed. 
+ */ + private static function getSPIdPAllowed(array &$request) + { + if (array_key_exists('attributes', $request['Destination'])) { + // SP Config + return $request['Destination']['attributes']; + } + if (array_key_exists('attributes', $request['Source'])) { + // IdP Config + return $request['Source']['attributes']; + } + return null; + } - /** - * Apply filter to remove attributes. - * - * Removes all attributes which aren't one of the allowed attributes. - * - * @param array &$request The current request + /** + * Apply filter to remove attributes. + * + * Removes all attributes which aren't one of the allowed attributes. + * + * @param array &$request The current request * @throws SimpleSAML_Error_Exception If invalid configuration is found. - */ - public function process(&$request) { - assert(is_array($request)); - assert(array_key_exists('Attributes', $request)); + */ + public function process(array &$request) + { + assert(array_key_exists('Attributes', $request)); - if ($this->isDefault) { - $allowedAttributes = self::getSPIdPAllowed($request); - if ($allowedAttributes === NULL) { - $allowedAttributes = $this->allowedAttributes; - } - } elseif (!empty($this->allowedAttributes)) { - $allowedAttributes = $this->allowedAttributes; - } else { - $allowedAttributes = self::getSPIdPAllowed($request); - if ($allowedAttributes === NULL) { - return; /* No limit on attributes. */ - } - } + if ($this->isDefault) { + $allowedAttributes = self::getSPIdPAllowed($request); + if ($allowedAttributes === null) { + $allowedAttributes = $this->allowedAttributes; + } + } elseif (!empty($this->allowedAttributes)) { + $allowedAttributes = $this->allowedAttributes; + } else { + $allowedAttributes = self::getSPIdPAllowed($request); + if ($allowedAttributes === null) { + return; /* No limit on attributes. 
*/ + } + } - $attributes =& $request['Attributes']; + $attributes =& $request['Attributes']; - foreach ($attributes as $name => $values) { - if (!in_array($name, $allowedAttributes, TRUE)) { + foreach ($attributes as $name => $values) { + if (!in_array($name, $allowedAttributes, true)) { // the attribute name is not in the array of allowed attributes if (array_key_exists($name, $allowedAttributes)) { // but it is an index of the array if (!is_array($allowedAttributes[$name])) { - throw new SimpleSAML_Error_Exception('AttributeLimit: Values for ' . var_export($name, TRUE) . + throw new SimpleSAML_Error_Exception('AttributeLimit: Values for ' . var_export($name, true) . ' must be specified in an array.'); } $attributes[$name] = $this->filterAttributeValues($attributes[$name], $allowedAttributes[$name]); @@ -119,10 +113,9 @@ class sspmod_core_Auth_Process_AttributeLimit extends SimpleSAML_Auth_Processing } } unset($attributes[$name]); - } - } - - } + } + } + } /** * Perform the filtering of attributes diff --git a/modules/core/lib/Auth/Process/AttributeMap.php b/modules/core/lib/Auth/Process/AttributeMap.php index 5de07cb24b229f8503adfe6c8150db31423bdbed..a258768a22e4c0d635614375ae356341faeb62bc 100644 --- a/modules/core/lib/Auth/Process/AttributeMap.php +++ b/modules/core/lib/Auth/Process/AttributeMap.php @@ -1,26 +1,21 @@ <?php - - /** * Attribute filter for renaming attributes. * - * @author Olav Morken, UNINETT AS. * @package SimpleSAMLphp */ class sspmod_core_Auth_Process_AttributeMap extends SimpleSAML_Auth_ProcessingFilter { - /** * Associative array with the mappings of attribute names. */ - private $map = array(); + private $map = []; /** * Should attributes be duplicated or renamed. */ private $duplicate = false; - /** * Initialize this filter, parse configuration * 
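Review bot: `getSPIdPAllowed()` indexes `$request['Destination']` and `$request['Source']` without checking that either key exists, and `process()` only asserts `Attributes`. When the lookup yields `null` and the filter has no list of its own, `process()` returns at the `No limit on attributes` comment, so a state lacking those keys appears to fail open and pass every attribute through; whether such a state can reach this filter is not visible here. A guarded lookup such as `if (isset($request['Destination']) && array_key_exists('attributes', $request['Destination']))` (and the same for `Source`) avoids depending on a warning path, and the no-limit fallback deserves a sentence in the `process()` docblock.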
@@ -29,11 +24,10 @@ class sspmod_core_Auth_Process_AttributeMap extends SimpleSAML_Auth_ProcessingFi * * @throws Exception If the configuration of the filter is wrong. */ - public function __construct($config, $reserved) + public function __construct(array $config, $reserved) { parent::__construct($config, $reserved); - assert(is_array($config)); $mapFiles = array(); foreach ($config as $origName => $newName) { @@ -64,7 +58,6 @@ class sspmod_core_Auth_Process_AttributeMap extends SimpleSAML_Auth_ProcessingFi } } - /** * Loads and merges in a file with a attribute map. * @@ -104,15 +97,13 @@ class sspmod_core_Auth_Process_AttributeMap extends SimpleSAML_Auth_ProcessingFi } } - /** * Apply filter to rename attributes. * * @param array &$request The current request. */ - public function process(&$request) + public function process(array &$request) { - assert(is_array($request)); assert(array_key_exists('Attributes', $request)); $attributes =& $request['Attributes']; diff --git a/modules/core/lib/Auth/Process/AttributeRealm.php b/modules/core/lib/Auth/Process/AttributeRealm.php index 86c8be1b2f10e25b04873213d573f681e504a0d5..b2f6f299a669ee3780229dce924775820c512c06 100644 --- a/modules/core/lib/Auth/Process/AttributeRealm.php +++ b/modules/core/lib/Auth/Process/AttributeRealm.php @@ -1,15 +1,13 @@ <?php - /** * Filter that will take the user ID on the format 'andreas@uninett.no' * and create a new attribute 'realm' that includes the value after the '@' sign. * - * @author Andreas Ã…kre Solberg, UNINETT AS. * @package SimpleSAMLphp * @deprecated Use ScopeFromAttribute instead. */ -class sspmod_core_Auth_Process_AttributeRealm extends SimpleSAML_Auth_ProcessingFilter { - +class sspmod_core_Auth_Process_AttributeRealm extends SimpleSAML_Auth_ProcessingFilter +{ private $attributename = 'realm'; /** 
@@ -18,13 +16,12 @@ class sspmod_core_Auth_Process_AttributeRealm extends SimpleSAML_Auth_Processing * @param array $config Configuration information about this filter. * @param mixed $reserved For future use. */ - public function __construct($config, $reserved) { + public function __construct(array $config, $reserved) { parent::__construct($config, $reserved); - assert(is_array($config)); - - if (array_key_exists('attributename', $config)) - $this->attributename = $config['attributename']; + if (array_key_exists('attributename', $config)) { + $this->attributename = $config['attributename']; + } } /** @@ -34,8 +31,8 @@ class sspmod_core_Auth_Process_AttributeRealm extends SimpleSAML_Auth_Processing * * @param array &$request The current request */ - public function process(&$request) { - assert(is_array($request)); + public function process(array &$request) + { assert(array_key_exists('Attributes', $request)); $attributes =& $request['Attributes']; diff --git a/modules/core/lib/Auth/Process/AttributeValueMap.php b/modules/core/lib/Auth/Process/AttributeValueMap.php index 5c69048f69d97ba59fc97c57190f1f7c44582745..121f67ee0ff5f4f0cb95dd4c335268ac45f308f9 100644 --- a/modules/core/lib/Auth/Process/AttributeValueMap.php +++ b/modules/core/lib/Auth/Process/AttributeValueMap.php 
@@ -5,26 +5,24 @@ namespace SimpleSAML\Module\core\Auth\Process; /** * Filter to create target attribute based on value(s) in source attribute * - * @author Martin van Es, m7 * @package SimpleSAMLphp */ class AttributeValueMap extends \SimpleSAML_Auth_ProcessingFilter { - /** - * The name of the attribute we should assign values to (ie: the target attribute). - */ + * The name of the attribute we should assign values to (ie: the target attribute). + */ private $targetattribute; /** - * The name of the attribute we should create values from. - */ + * The name of the attribute we should create values from. + */ private $sourceattribute; /** - * The required $sourceattribute values and target affiliations. - */ - private $values = array(); + * The required $sourceattribute values and target affiliations. + */ + private $values = []; /** * Whether $sourceattribute should be kept or not. @@ -32,8 +30,8 @@ class AttributeValueMap extends \SimpleSAML_Auth_ProcessingFilter private $keep = false; /** - * Whether $target attribute values should be replaced by new values or not. - */ + * Whether $target attribute values should be replaced by new values or not. + */ private $replace = false; /** @@ -43,12 +41,10 @@ class AttributeValueMap extends \SimpleSAML_Auth_ProcessingFilter * @param mixed $reserved For future use. * @throws \SimpleSAML_Error_Exception If the configuration is not valid. */ - public function __construct($config, $reserved) + public function __construct(array $config, $reserved) { parent::__construct($config, $reserved); - assert(is_array($config)); - // parse configuration foreach ($config as $name => $value) { if (is_int($name)) { 
@@ -94,17 +90,15 @@ class AttributeValueMap extends \SimpleSAML_Auth_ProcessingFilter } } - /** * Apply filter. * * @param array &$request The current request */ - public function process(&$request) + public function process(array &$request) { \SimpleSAML\Logger::debug('Processing the AttributeValueMap filter.'); - assert(is_array($request)); assert(array_key_exists('Attributes', $request)); $attributes =& $request['Attributes']; diff --git a/modules/core/lib/Auth/Process/Cardinality.php b/modules/core/lib/Auth/Process/Cardinality.php index 88b44f336be99fb4f4ec7ff5a987ea652c1f7f49..2cbb4de49159771bbd4ab4a37f92ff979c20f35e 100644 --- a/modules/core/lib/Auth/Process/Cardinality.php +++ b/modules/core/lib/Auth/Process/Cardinality.php @@ -1,9 +1,7 @@ <?php - /** * Filter to ensure correct cardinality of attributes * - * @author Guy Halse, http://orcid.org/0000-0002-9388-8592 * @package SimpleSAMLphp */ class sspmod_core_Auth_Process_Cardinality extends SimpleSAML_Auth_ProcessingFilter @@ -21,10 +19,9 @@ class sspmod_core_Auth_Process_Cardinality extends SimpleSAML_Auth_ProcessingFil * @param mixed $reserved For future use. * @throws SimpleSAML_Error_Exception */ - public function __construct($config, $reserved) + public function __construct(array $config, $reserved) { parent::__construct($config, $reserved); - assert(is_array($config)); foreach ($config as $attribute => $rules) { if ($attribute === '%ignoreEntities') { @@ -88,9 +85,8 @@ class sspmod_core_Auth_Process_Cardinality extends SimpleSAML_Auth_ProcessingFil * * @param array &$request The current request */ - public function process(&$request) + public function process(array &$request) { - assert(is_array($request)); assert(array_key_exists("Attributes", $request)); $entityid = false; diff --git a/modules/core/lib/Auth/Process/CardinalitySingle.php b/modules/core/lib/Auth/Process/CardinalitySingle.php index a8dbb3c56042dec1d9bf9f7d2503bc91d396237e..b1ed90ec48e08736a23a22e068217d23a68f8fc8 100644 
--- a/modules/core/lib/Auth/Process/CardinalitySingle.php +++ b/modules/core/lib/Auth/Process/CardinalitySingle.php @@ -1,12 +1,10 @@ <?php - /** * Filter to ensure correct cardinality of single-valued attributes * * This filter implements a special case of the core:Cardinality filter, and * allows for optional corrections to be made when cardinality errors are encountered. * - * @author Guy Halse, http://orcid.org/0000-0002-9388-8592 * @package SimpleSAMLphp */ class sspmod_core_Auth_Process_CardinalitySingle extends SimpleSAML_Auth_ProcessingFilter @@ -29,13 +27,11 @@ class sspmod_core_Auth_Process_CardinalitySingle extends SimpleSAML_Auth_Process /** * Initialize this filter, parse configuration. * - * @param array $config Configuration information about this filter. * @param mixed $reserved For future use. */ - public function __construct($config, $reserved) + public function __construct(array $config, $reserved) { parent::__construct($config, $reserved); - assert(is_array($config)); if (array_key_exists('singleValued', $config)) { $this->singleValued = $config['singleValued']; @@ -63,9 +59,8 @@ class sspmod_core_Auth_Process_CardinalitySingle extends SimpleSAML_Auth_Process * * @param array &$request The current request */ - public function process(&$request) + public function process(array &$request) { - assert(is_array($request)); assert(array_key_exists("Attributes", $request)); if (array_key_exists('Source', $request) && diff --git a/modules/core/lib/Auth/Process/ExtendIdPSession.php b/modules/core/lib/Auth/Process/ExtendIdPSession.php index faca137a8a80ec1e84ae609d7cb9da09fa38ca6e..81da8a7b409ed523de74f034d2ae3a1cfd1477a4 100644 --- a/modules/core/lib/Auth/Process/ExtendIdPSession.php +++ b/modules/core/lib/Auth/Process/ExtendIdPSession.php 
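Review bot: The `@param array $config Configuration information about this filter.` line is missing from the constructor docblock on the new side of CardinalitySingle.php, while `@param mixed $reserved` is kept. The parameter still exists and every other filter in this commit keeps that line, so the removal looks unintended; restore it above the `$reserved` entry. The constructor body continues outside the hunk.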
@@ -1,47 +1,48 @@ <?php - /** * Extend IdP session and cookies. -*/ -class sspmod_core_Auth_Process_ExtendIdPSession extends SimpleSAML_Auth_ProcessingFilter { - - public function process(&$state) { - assert(is_array($state)); - - if (empty($state['Expire']) || empty($state['Authority'])) { - return; - } - - $now = time(); - $delta = $state['Expire'] - $now; - - $globalConfig = SimpleSAML_Configuration::getInstance(); - $sessionDuration = $globalConfig->getInteger('session.duration', 8*60*60); - - // Extend only if half of session duration already passed - if ($delta >= ($sessionDuration * 0.5)) { - return; - } - - // Update authority expire time - $session = SimpleSAML_Session::getSessionFromRequest(); - $session->setAuthorityExpire($state['Authority']); - - /* Update session cookies duration */ - - /* If remember me is active */ - $rememberMeExpire = $session->getRememberMeExpire(); - if (!empty($state['RememberMe']) && $rememberMeExpire !== NULL && $globalConfig->getBoolean('session.rememberme.enable', FALSE)) { - $session->setRememberMeExpire(); - return; - } - - /* Or if session lifetime is more than zero */ - $sessionHandler = \SimpleSAML\SessionHandler::getSessionHandler(); - $cookieParams = $sessionHandler->getCookieParams(); - if ($cookieParams['lifetime'] > 0) { - $session->updateSessionCookies(); - } - } - + */ +class sspmod_core_Auth_Process_ExtendIdPSession extends SimpleSAML_Auth_ProcessingFilter +{ + /** + * Apply filter to extend IdP session and cookies. 
+ * + * @param array &$request The current request + */ + public function process(array &$request) { + if (empty($request['Expire']) || empty($request['Authority'])) { + return; + } + + $now = time(); + $delta = $request['Expire'] - $now; + + $globalConfig = SimpleSAML_Configuration::getInstance(); + $sessionDuration = $globalConfig->getInteger('session.duration', 8*60*60); + + // Extend only if half of session duration already passed + if ($delta >= ($sessionDuration * 0.5)) { + return; + } + + // Update authority expire time + $session = SimpleSAML_Session::getSessionFromRequest(); + $session->setAuthorityExpire($request['Authority']); + + /* Update session cookies duration */ + + /* If remember me is active */ + $rememberMeExpire = $session->getRememberMeExpire(); + if (!empty($request['RememberMe']) && $rememberMeExpire !== null && $globalConfig->getBoolean('session.rememberme.enable', false)) { + $session->setRememberMeExpire(); + return; + } + + /* Or if session lifetime is more than zero */ + $sessionHandler = \SimpleSAML\SessionHandler::getSessionHandler(); + $cookieParams = $sessionHandler->getCookieParams(); + if ($cookieParams['lifetime'] > 0) { + $session->updateSessionCookies(); + } + } } diff --git a/modules/core/lib/Auth/Process/GenerateGroups.php b/modules/core/lib/Auth/Process/GenerateGroups.php index 17b896e5f28e17f2221f4a9791833cd383d21e3c..c5f9356355d137f2213eb54847451ab2792850d9 100644 --- a/modules/core/lib/Auth/Process/GenerateGroups.php +++ b/modules/core/lib/Auth/Process/GenerateGroups.php 
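Review bot: The new docblock on `process()` in ExtendIdPSession.php does not state when the extension happens or its security-relevant effect: each call made once less than half of `session.duration` remains updates the authority expiry, and nothing in this method bounds the total lifetime. Suggest documenting that, e.g. `Sliding renewal: extends the authority expiry once less than half of session.duration remains; any absolute session lifetime must be enforced elsewhere.` Separately, `$request['Expire']` is used in arithmetic after only an `empty()` check, and the signature keeps its brace on the same line, unlike the other filters.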
@@ -1,142 +1,133 @@ <?php - /** * Filter to generate a groups attribute based on many of the attributes of the user. * - * @author Olav Morken, UNINETT AS. * @package SimpleSAMLphp */ -class sspmod_core_Auth_Process_GenerateGroups extends SimpleSAML_Auth_ProcessingFilter { - - - /** - * The attributes we should generate groups from. - */ - private $generateGroupsFrom; - - - /** - * Initialize this filter. - * - * @param array $config Configuration information about this filter. - * @param mixed $reserved For future use. - */ - public function __construct($config, $reserved) { - parent::__construct($config, $reserved); - - assert(is_array($config)); - - if (count($config) === 0) { - // Use default groups - $this->generateGroupsFrom = array( - 'eduPersonAffiliation', - 'eduPersonOrgUnitDN', - 'eduPersonEntitlement', - ); - - } else { - // Validate configuration - foreach ($config as $attributeName) { - if (!is_string($attributeName)) { - throw new Exception('Invalid attribute name for core:GenerateGroups filter: ' . - var_export($attributeName, TRUE)); - } - } - - $this->generateGroupsFrom = $config; - } - } - - - /** - * Apply filter to add groups attribute. - * - * @param array &$request The current request - */ - public function process(&$request) { - assert(is_array($request)); - assert(array_key_exists('Attributes', $request)); - - $groups = array(); - $attributes =& $request['Attributes']; - - $realm = self::getRealm($attributes); - if ($realm !== NULL) { - $groups[] = 'realm-' . $realm; - } - - - foreach ($this->generateGroupsFrom as $name) { - if (!array_key_exists($name, $attributes)) { - SimpleSAML\Logger::debug('GenerateGroups - attribute \'' . $name . '\' not found.'); - /* Attribute not present. */ - continue; - } - - foreach ($attributes[$name] as $value) { - $value = self::escapeIllegalChars($value); - $groups[] = $name . '-' . $value; - if ($realm !== NULL) { - $groups[] = $name . '-' . $realm . '-' . 
$value; - } - } - } - - if (count($groups) > 0) { - $attributes['groups'] = $groups; - } - } - - - /** - * Determine which realm the user belongs to. - * - * This function will attempt to determine the realm a user belongs to based on the - * eduPersonPrincipalName attribute if it is present. If it isn't, or if it doesn't contain - * a realm, NULL will be returned. - * - * @param array $attributes The attributes of the user. - * @return string|NULL The realm of the user, or NULL if we are unable to determine the realm. - */ - private static function getRealm($attributes) { - assert(is_array($attributes)); - - if (!array_key_exists('eduPersonPrincipalName', $attributes)) { - return NULL; - } - $eppn = $attributes['eduPersonPrincipalName']; - - if (count($eppn) < 1) { - return NULL; - } - $eppn = $eppn[0]; - - $realm = explode('@', $eppn, 2); - if (count($realm) < 2) { - return NULL; - } - $realm = $realm[1]; - - return self::escapeIllegalChars($realm); - } - - - /** - * Escape special characters in a string. - * - * This function is similar to urlencode, but encodes many more characters. - * This function takes any characters not in [a-zA-Z0-9_@=.] and encodes them with as - * %<hex version>. For example, it will encode '+' as '%2b' and '%' as '%25'. - * - * @param string $string The string which should be escaped. - * @return string The escaped string. - */ - private static function escapeIllegalChars($string) { - assert(is_string($string)); - - return preg_replace_callback('/([^a-zA-Z0-9_@=.])/', - function ($m) { return sprintf("%%%02x", ord($m[1])); }, - $string); - } - +class sspmod_core_Auth_Process_GenerateGroups extends SimpleSAML_Auth_ProcessingFilter +{ + /** + * The attributes we should generate groups from. + */ + private $generateGroupsFrom; + + /** + * Initialize this filter. + * + * @param array $config Configuration information about this filter. + * @param mixed $reserved For future use. 
+ */ + public function __construct(array $config, $reserved) + { + parent::__construct($config, $reserved); + + if (count($config) === 0) { + // Use default groups + $this->generateGroupsFrom = array( + 'eduPersonAffiliation', + 'eduPersonOrgUnitDN', + 'eduPersonEntitlement', + ); + + } else { + // Validate configuration + foreach ($config as $attributeName) { + if (!is_string($attributeName)) { + throw new Exception('Invalid attribute name for core:GenerateGroups filter: ' . + var_export($attributeName, TRUE)); + } + } + + $this->generateGroupsFrom = $config; + } + } + + /** + * Apply filter to add groups attribute. + * + * @param array &$request The current request + */ + public function process(array &$request) + { + assert(array_key_exists('Attributes', $request)); + + $groups = array(); + $attributes =& $request['Attributes']; + + $realm = self::getRealm($attributes); + if ($realm !== NULL) { + $groups[] = 'realm-' . $realm; + } + + foreach ($this->generateGroupsFrom as $name) { + if (!array_key_exists($name, $attributes)) { + SimpleSAML\Logger::debug('GenerateGroups - attribute \'' . $name . '\' not found.'); + /* Attribute not present. */ + continue; + } + + foreach ($attributes[$name] as $value) { + $value = self::escapeIllegalChars($value); + $groups[] = $name . '-' . $value; + if ($realm !== NULL) { + $groups[] = $name . '-' . $realm . '-' . $value; + } + } + } + + if (count($groups) > 0) { + $attributes['groups'] = $groups; + } + } + + + /** + * Determine which realm the user belongs to. + * + * This function will attempt to determine the realm a user belongs to based on the + * eduPersonPrincipalName attribute if it is present. If it isn't, or if it doesn't contain + * a realm, NULL will be returned. + * + * @param array $attributes The attributes of the user. + * @return string|NULL The realm of the user, or NULL if we are unable to determine the realm. 
+ */ + private static function getRealm(array $attributes) + { + if (!array_key_exists('eduPersonPrincipalName', $attributes)) { + return NULL; + } + $eppn = $attributes['eduPersonPrincipalName']; + + if (count($eppn) < 1) { + return NULL; + } + $eppn = $eppn[0]; + + $realm = explode('@', $eppn, 2); + if (count($realm) < 2) { + return NULL; + } + $realm = $realm[1]; + + return self::escapeIllegalChars($realm); + } + + /** + * Escape special characters in a string. + * + * This function is similar to urlencode, but encodes many more characters. + * This function takes any characters not in [a-zA-Z0-9_@=.] and encodes them with as + * %<hex version>. For example, it will encode '+' as '%2b' and '%' as '%25'. + * + * @param string $string The string which should be escaped. + * @return string The escaped string. + */ + private static function escapeIllegalChars($string) + { + assert(is_string($string)); + + return preg_replace_callback('/([^a-zA-Z0-9_@=.])/', + function ($m) { return sprintf("%%%02x", ord($m[1])); }, + $string); + } } diff --git a/modules/core/lib/Auth/Process/LanguageAdaptor.php b/modules/core/lib/Auth/Process/LanguageAdaptor.php index 4a1b381405255b2f441089e95f5595db24243326..a69d8a3545555a00fe1c6a393cbb6df250d9b02f 100644 --- a/modules/core/lib/Auth/Process/LanguageAdaptor.php +++ b/modules/core/lib/Auth/Process/LanguageAdaptor.php 
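Review bot: `escapeIllegalChars()` still guards its argument with `assert(is_string($string))`, which is inactive when assertions are disabled, while `process()` passes it every element of `$attributes[$name]` unchecked. A non-string element would then be concatenated into a group name, and group names are typically consumed for authorization decisions downstream, so the check should be enforced: `if (!is_string($string)) { throw new Exception('core:GenerateGroups: attribute value is not a string.'); }`. The new side of this hunk also keeps `TRUE` and `NULL` in upper case and `array()` literals, unlike the other files in the commit.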
@@ -1,66 +1,62 @@ <?php - /** * Filter to set and get language settings from attributes. * - * @author Andreas Ã…kre Solberg, UNINETT AS. * @package SimpleSAMLphp */ -class sspmod_core_Auth_Process_LanguageAdaptor extends SimpleSAML_Auth_ProcessingFilter { - - private $langattr = 'preferredLanguage'; - - - /** - * Initialize this filter. - * - * @param array $config Configuration information about this filter. - * @param mixed $reserved For future use. - */ - public function __construct($config, $reserved) { - parent::__construct($config, $reserved); - assert(is_array($config)); - - if (array_key_exists('attributename', $config)) { - $this->langattr = $config['attributename']; - } +class sspmod_core_Auth_Process_LanguageAdaptor extends SimpleSAML_Auth_ProcessingFilter +{ + private $langattr = 'preferredLanguage'; + + /** + * Initialize this filter. + * + * @param array $config Configuration information about this filter. + * @param mixed $reserved For future use. + */ + public function __construct(array $config, $reserved) + { + parent::__construct($config, $reserved); + + if (array_key_exists('attributename', $config)) { + $this->langattr = $config['attributename']; + } + } + + /** + * Apply filter to add or replace attributes. + * + * Add or replace existing attributes with the configured values. + * + * @param array &$request The current request + */ + public function process(array &$request) + { + assert(array_key_exists('Attributes', $request)); + + $attributes =& $request['Attributes']; + + $attrlang = null; + if (array_key_exists($this->langattr, $attributes)) { + $attrlang = $attributes[$this->langattr][0]; } + $lang = SimpleSAML\Locale\Language::getLanguageCookie(); - /** - * Apply filter to add or replace attributes. - * - * Add or replace existing attributes with the configured values. 
- * - * @param array &$request The current request - */ - public function process(&$request) { - assert(is_array($request)); - assert(array_key_exists('Attributes', $request)); - - $attributes =& $request['Attributes']; - - $attrlang = NULL; - if (array_key_exists($this->langattr, $attributes)) - $attrlang = $attributes[$this->langattr][0]; - - $lang = SimpleSAML\Locale\Language::getLanguageCookie(); - - - if (isset($attrlang)) - SimpleSAML\Logger::debug('LanguageAdaptor: Language in attribute was set [' . $attrlang . ']'); - if (isset($lang)) - SimpleSAML\Logger::debug('LanguageAdaptor: Language in session was set [' . $lang . ']'); - - - if (isset($attrlang) && !isset($lang)) { - // Language set in attribute but not in cookie - update cookie - SimpleSAML\Locale\Language::setLanguageCookie($attrlang); - } elseif (!isset($attrlang) && isset($lang)) { - // Language set in cookie, but not in attribute. Update attribute - $request['Attributes'][$this->langattr] = array($lang); - } - + if (isset($attrlang)) { + SimpleSAML\Logger::debug('LanguageAdaptor: Language in attribute was set [' . $attrlang . ']'); + } + if (isset($lang)) { + SimpleSAML\Logger::debug('LanguageAdaptor: Language in session was set [' . $lang . ']'); } + + if (isset($attrlang) && !isset($lang)) { + // Language set in attribute but not in cookie - update cookie + SimpleSAML\Locale\Language::setLanguageCookie($attrlang); + } elseif (!isset($attrlang) && isset($lang)) { + // Language set in cookie, but not in attribute. Update attribute + $request['Attributes'][$this->langattr] = array($lang); + } + } } diff --git a/modules/core/lib/Auth/Process/PHP.php b/modules/core/lib/Auth/Process/PHP.php index 5b7f11711bc8507b2dbc68e55d37eebafbe7ed17..be7dd30210a94a8780b155a3f8927a1c4a8bb6dd 100644 --- a/modules/core/lib/Auth/Process/PHP.php +++ b/modules/core/lib/Auth/Process/PHP.php @@ -1,6 +1,4 @@ <?php - - /** * Attribute filter for running arbitrary PHP code. * 
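Review bot: In `LanguageAdaptor::process()` the value is read with `$attributes[$this->langattr][0]` without checking that the attribute holds at least one value, and the constructor stores `attributename` without the `is_string()` check that `TargetedID` applies to the same option. An attribute that is present with an empty value list raises an undefined-offset notice and is then treated as if no language were set. I would guard the read with `if (!empty($attributes[$this->langattr])) {` and reject a non-string `attributename` in the constructor. The attribute value also goes straight into `setLanguageCookie()` and the debug log; whether it is validated against the configured languages is not visible in this hunk, so that is worth confirming.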
@@ -8,7 +6,6 @@ */ class sspmod_core_Auth_Process_PHP extends SimpleSAML_Auth_ProcessingFilter { - /** * The PHP code that should be run. * @@ -16,7 +13,6 @@ class sspmod_core_Auth_Process_PHP extends SimpleSAML_Auth_ProcessingFilter */ private $code; - /** * Initialize this filter, parse configuration * @@ -25,27 +21,23 @@ class sspmod_core_Auth_Process_PHP extends SimpleSAML_Auth_ProcessingFilter * * @throws SimpleSAML_Error_Exception if the 'code' option is not defined. */ - public function __construct($config, $reserved) + public function __construct(array $config, $reserved) { parent::__construct($config, $reserved); - assert(is_array($config)); - if (!isset($config['code'])) { throw new SimpleSAML_Error_Exception("core:PHP: missing mandatory configuration option 'code'."); } $this->code = (string) $config['code']; } - /** * Apply the PHP code to the attributes. * * @param array &$request The current request */ - public function process(&$request) + public function process(array &$request) { - assert(is_array($request)); assert(array_key_exists('Attributes', $request)); $function = function(&$attributes) { eval($this->code); }; diff --git a/modules/core/lib/Auth/Process/ScopeAttribute.php b/modules/core/lib/Auth/Process/ScopeAttribute.php index a44ff14de75b7a519af8887da99d309321affb3d..182f9b8ac214967a73b7f7d30bb1d6c276c37774 100644 --- a/modules/core/lib/Auth/Process/ScopeAttribute.php +++ b/modules/core/lib/Auth/Process/ScopeAttribute.php @@ -1,5 +1,4 @@ <?php - /** * Add a scoped variant of an attribute. * 
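Review bot: The docblocks in `modules/core/lib/Auth/Process/PHP.php` never say that the `code` option is run through `eval()` in `process()`, so nothing tells a deployer that it must only come from configuration they control. The processing chain appears to build filters from both IdP and SP metadata, so I would add a docblock line such as `* The 'code' option is passed to eval(); never enable this filter from metadata that is not locally maintained.` The constructor also casts with `(string) $config['code']`, which quietly turns an array into the text `Array`; `if (!isset($config['code']) || !is_string($config['code'])) {` would reject that instead. The body of `process()` continues past the end of this hunk.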
@@ -7,101 +6,95 @@ */ class sspmod_core_Auth_Process_ScopeAttribute extends SimpleSAML_Auth_ProcessingFilter { - /** - * The attribute we extract the scope from. - * - * @var string - */ - private $scopeAttribute; - - - /** - * The attribute we want to add scope to. - * - * @var string - */ - private $sourceAttribute; - - - /** - * The attribute we want to add the scoped attributes to. - * - * @var string - */ - private $targetAttribute; - - /** - * Only modify targetAttribute if it doesn't already exist. - * - * @var bool - */ - private $onlyIfEmpty = false; - - - /** - * Initialize this filter, parse configuration - * - * @param array $config Configuration information about this filter. - * @param mixed $reserved For future use. - */ - public function __construct($config, $reserved) + /** + * The attribute we extract the scope from. + * + * @var string + */ + private $scopeAttribute; + + /** + * The attribute we want to add scope to. + * + * @var string + */ + private $sourceAttribute; + + /** + * The attribute we want to add the scoped attributes to. + * + * @var string + */ + private $targetAttribute; + + /** + * Only modify targetAttribute if it doesn't already exist. + * + * @var bool + */ + private $onlyIfEmpty = false; + + /** + * Initialize this filter, parse configuration + * + * @param array $config Configuration information about this filter. + * @param mixed $reserved For future use. + */ + public function __construct(array $config, $reserved) { - parent::__construct($config, $reserved); - assert(is_array($config)); - - $config = SimpleSAML_Configuration::loadFromArray($config, 'ScopeAttribute'); - - $this->scopeAttribute = $config->getString('scopeAttribute'); - $this->sourceAttribute = $config->getString('sourceAttribute'); - $this->targetAttribute = $config->getString('targetAttribute'); - $this->onlyIfEmpty = $config->getBoolean('onlyIfEmpty', false); - } - - - /** - * Apply this filter to the request. 
- * - * @param array &$request The current request - */ - public function process(&$request) + parent::__construct($config, $reserved); + + $config = SimpleSAML_Configuration::loadFromArray($config, 'ScopeAttribute'); + + $this->scopeAttribute = $config->getString('scopeAttribute'); + $this->sourceAttribute = $config->getString('sourceAttribute'); + $this->targetAttribute = $config->getString('targetAttribute'); + $this->onlyIfEmpty = $config->getBoolean('onlyIfEmpty', false); + } + + /** + * Apply this filter to the request. + * + * @param array &$request The current request + */ + public function process(array &$request) { - assert(is_array($request)); - assert(array_key_exists('Attributes', $request)); + assert(array_key_exists('Attributes', $request)); - $attributes =& $request['Attributes']; + $attributes =& $request['Attributes']; - if (!isset($attributes[$this->scopeAttribute])) { - return; - } + if (!isset($attributes[$this->scopeAttribute])) { + return; + } - if (!isset($attributes[$this->sourceAttribute])) { - return; - } + if (!isset($attributes[$this->sourceAttribute])) { + return; + } - if (!isset($attributes[$this->targetAttribute])) { - $attributes[$this->targetAttribute] = array(); - } + if (!isset($attributes[$this->targetAttribute])) { + $attributes[$this->targetAttribute] = array(); + } - if ($this->onlyIfEmpty && count($attributes[$this->targetAttribute]) > 0) { - return; - } + if ($this->onlyIfEmpty && count($attributes[$this->targetAttribute]) > 0) { + return; + } - foreach ($attributes[$this->scopeAttribute] as $scope) { - if (strpos($scope, '@') !== false) { - $scope = explode('@', $scope, 2); - $scope = $scope[1]; - } + foreach ($attributes[$this->scopeAttribute] as $scope) { + if (strpos($scope, '@') !== false) { + $scope = explode('@', $scope, 2); + $scope = $scope[1]; + } - foreach ($attributes[$this->sourceAttribute] as $value) { - $value = $value . '@' . 
$scope; + foreach ($attributes[$this->sourceAttribute] as $value) { + $value = $value . '@' . $scope; - if (in_array($value, $attributes[$this->targetAttribute], true)) { - // Already present - continue; - } + if (in_array($value, $attributes[$this->targetAttribute], true)) { + // Already present + continue; + } - $attributes[$this->targetAttribute][] = $value; - } - } - } + $attributes[$this->targetAttribute][] = $value; + } + } + } } diff --git a/modules/core/lib/Auth/Process/ScopeFromAttribute.php b/modules/core/lib/Auth/Process/ScopeFromAttribute.php index 818a24f7657bfcfb77e5bba86ce54790f0056db8..06d8ddc2e7e2cf23b2f697b780cc82856cfbc2e7 100644 --- a/modules/core/lib/Auth/Process/ScopeFromAttribute.php +++ b/modules/core/lib/Auth/Process/ScopeFromAttribute.php @@ -1,5 +1,4 @@ <?php - /** * Retrieve a scope from a source attribute and add it as a virtual target * attribute. 
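Review bot: `ScopeAttribute::process()` takes everything after the first `@` (`explode('@', $scope, 2)` then `$scope[1]`), while `ScopeFromAttribute::process()` later in this commit takes everything after the last one via `strrpos()`. For a value with more than one `@` the two filters derive different scopes, and the scope ends up in attributes that relying parties may use for authorization decisions. If the difference is intended, a comment on the `explode()` line such as `// scope is everything after the first '@'` would record it; otherwise one filter should be aligned with the other. Nothing in this hunk checks that the resulting scope is non-empty either, so a scope attribute value ending in `@` would append a bare `value@`.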
@@ -16,74 +15,74 @@ * to add a virtual 'scope' attribute from the eduPersonPrincipalName * attribute. */ -class sspmod_core_Auth_Process_ScopeFromAttribute extends SimpleSAML_Auth_ProcessingFilter { - /** - * The attribute where the scope is taken from - * - * @var string - */ - private $sourceAttribute; - /** - * The name of the attribute which includes the scope - * - * @var string - */ - private $targetAttribute; +class sspmod_core_Auth_Process_ScopeFromAttribute extends SimpleSAML_Auth_ProcessingFilter +{ + /** + * The attribute where the scope is taken from + * + * @var string + */ + private $sourceAttribute; - /** - * Initialize this filter, parse configuration - * - * @param array $config Configuration information about this filter. - * @param mixed $reserved For future use. - */ - public function __construct($config, $reserved) { - parent::__construct($config, $reserved); - assert(is_array($config)); + /** + * The name of the attribute which includes the scope + * + * @var string + */ + private $targetAttribute; - $config = SimpleSAML_Configuration::loadFromArray($config, 'ScopeFromAttribute'); - $this->targetAttribute = $config->getString('targetAttribute'); - $this->sourceAttribute = $config->getString('sourceAttribute'); - } // end constructor + /** + * Initialize this filter, parse configuration + * + * @param array $config Configuration information about this filter. + * @param mixed $reserved For future use. + */ + public function __construct(array $config, $reserved) + { + parent::__construct($config, $reserved); + $config = SimpleSAML_Configuration::loadFromArray($config, 'ScopeFromAttribute'); + $this->targetAttribute = $config->getString('targetAttribute'); + $this->sourceAttribute = $config->getString('sourceAttribute'); + } - /** - * Apply this filter. 
- * - * @param array &$request The current request - */ - public function process(&$request) { - assert(is_array($request)); - assert(array_key_exists('Attributes', $request)); + /** + * Apply this filter. + * + * @param array &$request The current request + */ + public function process(array &$request) { + assert(array_key_exists('Attributes', $request)); - $attributes =& $request['Attributes']; + $attributes =& $request['Attributes']; - if (!isset($attributes[$this->sourceAttribute])) { - return; - } + if (!isset($attributes[$this->sourceAttribute])) { + return; + } - // will not overwrite existing attribute - if (isset($attributes[$this->targetAttribute])) { - return; - } + // will not overwrite existing attribute + if (isset($attributes[$this->targetAttribute])) { + return; + } - $sourceAttrVal = $attributes[$this->sourceAttribute][0]; + $sourceAttrVal = $attributes[$this->sourceAttribute][0]; - /* the last position of an @ is usually the beginning of the scope - * string */ - $scopeIndex = strrpos($sourceAttrVal, '@'); + /* the last position of an @ is usually the beginning of the scope + * string */ + $scopeIndex = strrpos($sourceAttrVal, '@'); - if ($scopeIndex !== FALSE) { - $attributes[$this->targetAttribute] = array(); - $scope = substr($sourceAttrVal, $scopeIndex+1); - $attributes[$this->targetAttribute][] = $scope; - SimpleSAML\Logger::debug('ScopeFromAttribute: Inserted new attribute ' . - $this->targetAttribute . ', with scope ' . - $scope); - } else { - SimpleSAML\Logger::warning('ScopeFromAttribute: The configured source attribute ' . - $this->sourceAttribute . - ' does not have a scope. Did not add attribute ' . - $this->targetAttribute . '.'); - } - } /* end process */ + if ($scopeIndex !== false) { + $attributes[$this->targetAttribute] = array(); + $scope = substr($sourceAttrVal, $scopeIndex+1); + $attributes[$this->targetAttribute][] = $scope; + SimpleSAML\Logger::debug('ScopeFromAttribute: Inserted new attribute ' . + $this->targetAttribute . 
', with scope ' . + $scope); + } else { + SimpleSAML\Logger::warning('ScopeFromAttribute: The configured source attribute ' . + $this->sourceAttribute . + ' does not have a scope. Did not add attribute ' . + $this->targetAttribute . '.'); + } + } } diff --git a/modules/core/lib/Auth/Process/StatisticsWithAttribute.php b/modules/core/lib/Auth/Process/StatisticsWithAttribute.php index 800558cbd51b32f28bc307304c81d5326cecc23c..941bf07b3062532d4ef348fab28a55d5176033a4 100644 --- a/modules/core/lib/Auth/Process/StatisticsWithAttribute.php +++ b/modules/core/lib/Auth/Process/StatisticsWithAttribute.php @@ -1,9 +1,7 @@ <?php - /** * Log a line in the STAT log with one attribute. * - * @author Andreas Ã…kre Solberg, UNINETT AS. * @package SimpleSAMLphp */ class sspmod_core_Auth_Process_StatisticsWithAttribute extends SimpleSAML_Auth_ProcessingFilter @@ -12,7 +10,7 @@ class sspmod_core_Auth_Process_StatisticsWithAttribute extends SimpleSAML_Auth_P * The attribute to log * @var string|null */ - private $attribute = null; + private $attribute = null; /** * @var string @@ -31,12 +29,10 @@ class sspmod_core_Auth_Process_StatisticsWithAttribute extends SimpleSAML_Auth_P * @param array $config Configuration information about this filter. * @param mixed $reserved For future use. */ - public function __construct($config, $reserved) + public function __construct(array $config, $reserved) { parent::__construct($config, $reserved); - assert(is_array($config)); - if (array_key_exists('attributename', $config)) { $this->attribute = $config['attributename']; if (!is_string($this->attribute)) { @@ -56,15 +52,13 @@ class sspmod_core_Auth_Process_StatisticsWithAttribute extends SimpleSAML_Auth_P } } - /** * Log line. * * @param array &$state The current state. */ - public function process(&$state) + public function process(array &$state) { - assert(is_array($state)); assert(array_key_exists('Attributes', $state)); $logAttribute = 'NA'; 
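Review bot: In `ScopeFromAttribute::process()` the `isset($attributes[$this->sourceAttribute])` guard passes for an attribute with an empty value list, so `$attributes[$this->sourceAttribute][0]` can be read when no value exists. I would tighten the guard to `if (empty($attributes[$this->sourceAttribute])) { return; }`. A source value that ends in `@` also yields no usable scope, yet the target attribute is still created and filled with it. Checking that `$scope` is a non-empty string before the assignment would avoid publishing an empty scope.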
@@ -91,7 +85,7 @@ class sspmod_core_Auth_Process_StatisticsWithAttribute extends SimpleSAML_Auth_P } SimpleSAML\Logger::stats($isPassive.$this->typeTag.' '.$dest.' '.$source.' '.$logAttribute); - } + } /** * @param string &$direction Either 'Source' or 'Destination'. @@ -99,7 +93,7 @@ class sspmod_core_Auth_Process_StatisticsWithAttribute extends SimpleSAML_Auth_P * * @return string */ - private function setIdentifier($direction, $state) + private function setIdentifier($direction, array $state) { if (array_key_exists($direction, $state)) { if (isset($state[$direction]['core:statistics-id'])) { diff --git a/modules/core/lib/Auth/Process/TargetedID.php b/modules/core/lib/Auth/Process/TargetedID.php index 3b70f02aa4ad20a7468862fa6c3ff89be8ec236a..1b2cb8972f378a27f195111a496fb6d5f4903a22 100644 --- a/modules/core/lib/Auth/Process/TargetedID.php +++ b/modules/core/lib/Auth/Process/TargetedID.php @@ -1,5 +1,4 @@ <?php - /** * Filter to generate the eduPersonTargetedID attribute. * 
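Review bot: The docblock for `setIdentifier()` in `StatisticsWithAttribute.php`, which begins above this hunk, documents the first parameter as `&$direction`, but the signature takes `$direction` by value. Now that `$state` is type-hinted, the docblock is the only statement of what `$direction` may be, so I would correct it to `@param string $direction Either 'Source' or 'Destination'.` The method body continues past the end of the hunk.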
@@ -25,148 +24,138 @@ * ), * </code> * - * @author Olav Morken, UNINETT AS. * @package SimpleSAMLphp */ -class sspmod_core_Auth_Process_TargetedID extends SimpleSAML_Auth_ProcessingFilter { - - - /** - * The attribute we should generate the targeted id from, or NULL if we should use the - * UserID. - */ - private $attribute = NULL; - - - /** - * Whether the attribute should be generated as a NameID value, or as a simple string. - * - * @var boolean - */ - private $generateNameId = FALSE; - - - /** - * Initialize this filter. - * - * @param array $config Configuration information about this filter. - * @param mixed $reserved For future use. - */ - public function __construct($config, $reserved) { - parent::__construct($config, $reserved); - - assert(is_array($config)); - - if (array_key_exists('attributename', $config)) { - $this->attribute = $config['attributename']; - if (!is_string($this->attribute)) { - throw new Exception('Invalid attribute name given to core:TargetedID filter.'); - } - } - - if (array_key_exists('nameId', $config)) { - $this->generateNameId = $config['nameId']; - if (!is_bool($this->generateNameId)) { - throw new Exception('Invalid value of \'nameId\'-option to core:TargetedID filter.'); - } - } - } - - - /** - * Apply filter to add the targeted ID. - * - * @param array &$state The current state. - */ - public function process(&$state) { - assert(is_array($state)); - assert(array_key_exists('Attributes', $state)); - - if ($this->attribute === NULL) { - if (!array_key_exists('UserID', $state)) { - throw new Exception('core:TargetedID: Missing UserID for this user. Please' . - ' check the \'userid.attribute\' option in the metadata against the' . - ' attributes provided by the authentication source.'); - } - - $userID = $state['UserID']; - } else { - if (!array_key_exists($this->attribute, $state['Attributes'])) { - throw new Exception('core:TargetedID: Missing attribute \'' . $this->attribute . 
- '\', which is needed to generate the targeted ID.'); - } - - $userID = $state['Attributes'][$this->attribute][0]; - } - - - $secretSalt = SimpleSAML\Utils\Config::getSecretSalt(); - - if (array_key_exists('Source', $state)) { - $srcID = self::getEntityId($state['Source']); - } else { - $srcID = ''; - } - - if (array_key_exists('Destination', $state)) { - $dstID = self::getEntityId($state['Destination']); - } else { - $dstID = ''; - } - - $uidData = 'uidhashbase' . $secretSalt; - $uidData .= strlen($srcID) . ':' . $srcID; - $uidData .= strlen($dstID) . ':' . $dstID; - $uidData .= strlen($userID) . ':' . $userID; - $uidData .= $secretSalt; - - $uid = hash('sha1', $uidData); - - if ($this->generateNameId) { - // Convert the targeted ID to a SAML 2.0 name identifier element - $nameId = new \SAML2\XML\saml\NameID(); - $nameId->value = $uid; - $nameId->Format = \SAML2\Constants::NAMEID_PERSISTENT; - - if (isset($state['Source']['entityid'])) { - $nameId->NameQualifier = $state['Source']['entityid']; - } - if (isset($state['Destination']['entityid'])) { - $nameId->SPNameQualifier = $state['Destination']['entityid']; - } - } else { - $nameId = $uid; - } - - $state['Attributes']['eduPersonTargetedID'] = array($nameId); - } - - - /** - * Generate ID from entity metadata. - * - * This function takes in the metadata of an entity, and attempts to generate - * an unique identifier based on that. - * - * @param array $metadata The metadata of the entity. - * @return string The unique identifier for the entity. - */ - private static function getEntityId($metadata) { - assert(is_array($metadata)); - - $id = ''; - - if (array_key_exists('metadata-set', $metadata)) { - $set = $metadata['metadata-set']; - $id .= 'set' . strlen($set) . ':' . $set; - } - - if (array_key_exists('entityid', $metadata)) { - $entityid = $metadata['entityid']; - $id .= 'set' . strlen($entityid) . ':' . 
$entityid; - } - - return $id; - } - +class sspmod_core_Auth_Process_TargetedID extends SimpleSAML_Auth_ProcessingFilter +{ + /** + * The attribute we should generate the targeted id from, or null if we should use the + * UserID. + */ + private $attribute = null; + + /** + * Whether the attribute should be generated as a NameID value, or as a simple string. + * + * @var boolean + */ + private $generateNameId = false; + + /** + * Initialize this filter. + * + * @param array $config Configuration information about this filter. + * @param mixed $reserved For future use. + */ + public function __construct(array $config, $reserved) + { + parent::__construct($config, $reserved); + + if (array_key_exists('attributename', $config)) { + $this->attribute = $config['attributename']; + if (!is_string($this->attribute)) { + throw new Exception('Invalid attribute name given to core:TargetedID filter.'); + } + } + + if (array_key_exists('nameId', $config)) { + $this->generateNameId = $config['nameId']; + if (!is_bool($this->generateNameId)) { + throw new Exception('Invalid value of \'nameId\'-option to core:TargetedID filter.'); + } + } + } + + /** + * Apply filter to add the targeted ID. + * + * @param array &$state The current state. + */ + public function process(array &$state) + { + assert(array_key_exists('Attributes', $state)); + + if ($this->attribute === null) { + if (!array_key_exists('UserID', $state)) { + throw new Exception('core:TargetedID: Missing UserID for this user. Please' . + ' check the \'userid.attribute\' option in the metadata against the' . + ' attributes provided by the authentication source.'); + } + + $userID = $state['UserID']; + } else { + if (!array_key_exists($this->attribute, $state['Attributes'])) { + throw new Exception('core:TargetedID: Missing attribute \'' . $this->attribute . 
+ '\', which is needed to generate the targeted ID.'); + } + + $userID = $state['Attributes'][$this->attribute][0]; + } + + $secretSalt = SimpleSAML\Utils\Config::getSecretSalt(); + + if (array_key_exists('Source', $state)) { + $srcID = self::getEntityId($state['Source']); + } else { + $srcID = ''; + } + + if (array_key_exists('Destination', $state)) { + $dstID = self::getEntityId($state['Destination']); + } else { + $dstID = ''; + } + + $uidData = 'uidhashbase' . $secretSalt; + $uidData .= strlen($srcID) . ':' . $srcID; + $uidData .= strlen($dstID) . ':' . $dstID; + $uidData .= strlen($userID) . ':' . $userID; + $uidData .= $secretSalt; + + $uid = hash('sha1', $uidData); + + if ($this->generateNameId) { + // Convert the targeted ID to a SAML 2.0 name identifier element + $nameId = new \SAML2\XML\saml\NameID(); + $nameId->value = $uid; + $nameId->Format = \SAML2\Constants::NAMEID_PERSISTENT; + + if (isset($state['Source']['entityid'])) { + $nameId->NameQualifier = $state['Source']['entityid']; + } + if (isset($state['Destination']['entityid'])) { + $nameId->SPNameQualifier = $state['Destination']['entityid']; + } + } else { + $nameId = $uid; + } + + $state['Attributes']['eduPersonTargetedID'] = array($nameId); + } + + /** + * Generate ID from entity metadata. + * + * This function takes in the metadata of an entity, and attempts to generate + * an unique identifier based on that. + * + * @param array $metadata The metadata of the entity. + * @return string The unique identifier for the entity. + */ + private static function getEntityId(array $metadata) + { + $id = ''; + + if (array_key_exists('metadata-set', $metadata)) { + $set = $metadata['metadata-set']; + $id .= 'set' . strlen($set) . ':' . $set; + } + + if (array_key_exists('entityid', $metadata)) { + $entityid = $metadata['entityid']; + $id .= 'set' . strlen($entityid) . ':' . $entityid; + } + + return $id; + } } 
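Review bot: In `TargetedID::process()` the configured attribute is only tested with `array_key_exists()`, so an attribute that is present with an empty value list (or an empty first value) leaves `$userID` without content and the hash input degenerates to the same `0:` segment for every such user. All of those users would then receive the same `eduPersonTargetedID` for a given source and destination, which defeats the purpose of a per-user identifier. I would reject the missing value explicitly, as sketched below; the `UserID` branch deserves the same check. The salted `hash('sha1', ...)` construction is left untouched in this sketch on the assumption that changing it would alter identifiers already issued.

```php
        } else {
            // … unchanged: array_key_exists() check on $this->attribute …

            $values = $state['Attributes'][$this->attribute];
            if (!is_array($values) || count($values) === 0 || $values[0] === null || $values[0] === '') {
                throw new Exception('core:TargetedID: Attribute \'' . $this->attribute .
                    '\' has no value to generate the targeted ID from.');
            }
            $userID = $values[0];
        }
```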
diff --git a/modules/core/lib/Auth/Process/WarnShortSSOInterval.php b/modules/core/lib/Auth/Process/WarnShortSSOInterval.php index d8ae6fa0a6e9bda49d7d493aaa00997216296b72..59911eb6c0020ecbf32ac0463873cc452e5fd32e 100644 --- a/modules/core/lib/Auth/Process/WarnShortSSOInterval.php +++ b/modules/core/lib/Auth/Process/WarnShortSSOInterval.php 
@@ -1,52 +1,49 @@ <?php - /** * Give a warning to the user if we receive multiple requests in a short time. * * @package SimpleSAMLphp */ -class sspmod_core_Auth_Process_WarnShortSSOInterval extends SimpleSAML_Auth_ProcessingFilter { - - /** - * Process a authentication response. - * - * This function checks how long it is since the last time the user was authenticated. - * If it is to short a while since, we will show a warning to the user. - * - * @param array $state The state of the response. - */ - public function process(&$state) { - assert(is_array($state)); - - if (!array_key_exists('PreviousSSOTimestamp', $state)) { - /* - * No timestamp from the previous SSO to this SP. This is the first - * time during this session. - */ - return; - } - - $timeDelta = time() - $state['PreviousSSOTimestamp']; - if ($timeDelta >= 10) { - // At least 10 seconds since last attempt - return; - } - - if (array_key_exists('Destination', $state) - && array_key_exists('entityid', $state['Destination'])) { - $entityId = $state['Destination']['entityid']; - } else { - $entityId = 'UNKNOWN'; - } - - SimpleSAML\Logger::warning('WarnShortSSOInterval: Only ' . $timeDelta . - ' seconds since last SSO for this user from the SP ' . - var_export($entityId, TRUE)); - - // Save state and redirect - $id = SimpleSAML_Auth_State::saveState($state, 'core:short_sso_interval'); - $url = SimpleSAML\Module::getModuleURL('core/short_sso_interval.php'); - \SimpleSAML\Utils\HTTP::redirectTrustedURL($url, array('StateId' => $id)); - } - +class sspmod_core_Auth_Process_WarnShortSSOInterval extends SimpleSAML_Auth_ProcessingFilter +{ + /** + * Process a authentication response. + * + * This function checks how long it is since the last time the user was authenticated. + * If it is to short a while since, we will show a warning to the user. + * + * @param array $state The state of the response. 
+ */ + public function process(array &$state) + { + if (!array_key_exists('PreviousSSOTimestamp', $state)) { + /* + * No timestamp from the previous SSO to this SP. This is the first + * time during this session. + */ + return; + } + + $timeDelta = time() - $state['PreviousSSOTimestamp']; + if ($timeDelta >= 10) { + // At least 10 seconds since last attempt + return; + } + + if (array_key_exists('Destination', $state) + && array_key_exists('entityid', $state['Destination'])) { + $entityId = $state['Destination']['entityid']; + } else { + $entityId = 'UNKNOWN'; + } + + SimpleSAML\Logger::warning('WarnShortSSOInterval: Only ' . $timeDelta . + ' seconds since last SSO for this user from the SP ' . + var_export($entityId, true)); + + // Save state and redirect + $id = SimpleSAML_Auth_State::saveState($state, 'core:short_sso_interval'); + $url = SimpleSAML\Module::getModuleURL('core/short_sso_interval.php'); + \SimpleSAML\Utils\HTTP::redirectTrustedURL($url, array('StateId' => $id)); + } } diff --git a/modules/core/lib/Auth/Source/AdminPassword.php b/modules/core/lib/Auth/Source/AdminPassword.php index 3ba1a821086d5e290b0149445c323562973429df..240ba526fb4c41ea7237cb12358e7b7dcf2ff018 100644 --- a/modules/core/lib/Auth/Source/AdminPassword.php +++ b/modules/core/lib/Auth/Source/AdminPassword.php 
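Review bot: The re-indented docblock of `WarnShortSSOInterval::process()` still documents `@param array $state` although the method takes `&$state`, unlike the other filters in this commit, which write `&$state` or `&$request`. I would change it to `@param array &$state The state of the response.` and correct `If it is to short a while since` to `If it is too short a while since` while these lines are being touched. The 10-second threshold is also an unexplained literal; a named class constant would make the policy visible.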
@@ -1,64 +1,57 @@ <?php - /** * Authentication source which verifies the password against * the 'auth.adminpassword' configuration option. * * @package SimpleSAMLphp */ -class sspmod_core_Auth_Source_AdminPassword extends sspmod_core_Auth_UserPassBase { - - - /** - * Constructor for this authentication source. - * - * @param array $info Information about this authentication source. - * @param array $config Configuration. - */ - public function __construct($info, $config) { - assert(is_array($info)); - assert(is_array($config)); - - // Call the parent constructor first, as required by the interface - parent::__construct($info, $config); - - $this->setForcedUsername("admin"); - } - - - /** - * Attempt to log in using the given username and password. - * - * On a successful login, this function should return the users attributes. On failure, - * it should throw an exception. If the error was caused by the user entering the wrong - * username or password, a SimpleSAML_Error_Error('WRONGUSERPASS') should be thrown. - * - * Note that both the username and the password are UTF-8 encoded. - * - * @param string $username The username the user wrote. - * @param string $password The password the user wrote. - * @return array Associative array with the users attributes. 
- */ - protected function login($username, $password) { - assert(is_string($username)); - assert(is_string($password)); - - $config = SimpleSAML_Configuration::getInstance(); - $adminPassword = $config->getString('auth.adminpassword', '123'); - if ($adminPassword === '123') { - // We require that the user changes the password - throw new SimpleSAML_Error_Error('NOTSET'); - } - - if ($username !== "admin") { - throw new SimpleSAML_Error_Error('WRONGUSERPASS'); - } - - if (!SimpleSAML\Utils\Crypto::pwValid($adminPassword, $password)) { - throw new SimpleSAML_Error_Error('WRONGUSERPASS'); - } - - return array('user' => array('admin')); - } - +class sspmod_core_Auth_Source_AdminPassword extends sspmod_core_Auth_UserPassBase +{ + /** + * Constructor for this authentication source. + * + * @param array $info Information about this authentication source. + * @param array $config Configuration. + */ + public function __construct(array $info, array $config) { + // Call the parent constructor first, as required by the interface + parent::__construct($info, $config); + + $this->setForcedUsername("admin"); + } + + /** + * Attempt to log in using the given username and password. + * + * On a successful login, this function should return the users attributes. On failure, + * it should throw an exception. If the error was caused by the user entering the wrong + * username or password, a SimpleSAML_Error_Error('WRONGUSERPASS') should be thrown. + * + * Note that both the username and the password are UTF-8 encoded. + * + * @param string $username The username the user wrote. + * @param string $password The password the user wrote. + * @return array Associative array with the users attributes. 
+ */ + protected function login($username, $password) { + assert(is_string($username)); + assert(is_string($password)); + + $config = SimpleSAML_Configuration::getInstance(); + $adminPassword = $config->getString('auth.adminpassword', '123'); + if ($adminPassword === '123') { + // We require that the user changes the password + throw new SimpleSAML_Error_Error('NOTSET'); + } + + if ($username !== "admin") { + throw new SimpleSAML_Error_Error('WRONGUSERPASS'); + } + + if (!SimpleSAML\Utils\Crypto::pwValid($adminPassword, $password)) { + throw new SimpleSAML_Error_Error('WRONGUSERPASS'); + } + + return array('user' => array('admin')); + } } diff --git a/modules/exampleauth/lib/Auth/Process/RedirectTest.php b/modules/exampleauth/lib/Auth/Process/RedirectTest.php index 7e3e93ee03fae8c09354a4af286c8b4ac52ccc7a..4da04c5b770e3973455e1dff5c1e2cf9a0f58b47 100644 --- a/modules/exampleauth/lib/Auth/Process/RedirectTest.php +++ b/modules/exampleauth/lib/Auth/Process/RedirectTest.php 
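Review bot: `AdminPassword::login()` keeps `assert(is_string($username))` and `assert(is_string($password))` as its only type checks, and `assert()` is typically disabled in production, so they do not protect the comparisons that follow. Whether the caller already guarantees strings is not visible in this hunk; if it does not, a non-string form value would reach `pwValid()`. An explicit check such as `if (!is_string($username) || !is_string($password)) { throw new SimpleSAML_Error_Error('WRONGUSERPASS'); }` fails closed regardless of the assertion setting. Both methods in this hunk also keep the opening brace on the signature line, while the class brace was moved to its own line.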
@@ -1,28 +1,23 @@ <?php - /** * A simple processing filter for testing that redirection works as it should. - * */ -class sspmod_exampleauth_Auth_Process_RedirectTest extends SimpleSAML_Auth_ProcessingFilter { - - - /** - * Initialize processing of the redirect test. - * - * @param array &$state The state we should update. - */ - public function process(&$state) { - assert(is_array($state)); - assert(array_key_exists('Attributes', $state)); - - // To check whether the state is saved correctly - $state['Attributes']['RedirectTest1'] = array('OK'); +class sspmod_exampleauth_Auth_Process_RedirectTest extends SimpleSAML_Auth_ProcessingFilter +{ + /** + * Initialize processing of the redirect test. + * + * @param array &$state The state we should update. + */ + public function process(array &$state) { + assert(array_key_exists('Attributes', $state)); - // Save state and redirect - $id = SimpleSAML_Auth_State::saveState($state, 'exampleauth:redirectfilter-test'); - $url = SimpleSAML\Module::getModuleURL('exampleauth/redirecttest.php'); - \SimpleSAML\Utils\HTTP::redirectTrustedURL($url, array('StateId' => $id)); - } + // To check whether the state is saved correctly + $state['Attributes']['RedirectTest1'] = array('OK'); + // Save state and redirect + $id = SimpleSAML_Auth_State::saveState($state, 'exampleauth:redirectfilter-test'); + $url = SimpleSAML\Module::getModuleURL('exampleauth/redirecttest.php'); + \SimpleSAML\Utils\HTTP::redirectTrustedURL($url, array('StateId' => $id)); + } } diff --git a/modules/exampleauth/lib/Auth/Source/External.php b/modules/exampleauth/lib/Auth/Source/External.php index 6b37a541a54a569627074c034959d0d2e2f41fd9..12046c6679fa80232668ca3a8d7a8540be44ea63 100644 --- a/modules/exampleauth/lib/Auth/Source/External.php +++ b/modules/exampleauth/lib/Auth/Source/External.php 
@@ -20,253 +20,243 @@ * * @package SimpleSAMLphp */ -class sspmod_exampleauth_Auth_Source_External extends SimpleSAML_Auth_Source { - - /** - * Constructor for this authentication source. - * - * @param array $info Information about this authentication source. - * @param array $config Configuration. - */ - public function __construct($info, $config) { - assert(is_array($info)); - assert(is_array($config)); - - // Call the parent constructor first, as required by the interface - parent::__construct($info, $config); - - // Do any other configuration we need here - } - - - /** - * Retrieve attributes for the user. - * - * @return array|NULL The user's attributes, or NULL if the user isn't authenticated. - */ - private function getUser() { - - /* - * In this example we assume that the attributes are - * stored in the users PHP session, but this could be replaced - * with anything. - */ - - if (!session_id()) { - /* session_start not called before. Do it here. */ - session_start(); - } - - if (!isset($_SESSION['uid'])) { - /* The user isn't authenticated. */ - return NULL; - } - - /* - * Find the attributes for the user. - * Note that all attributes in SimpleSAMLphp are multivalued, so we need - * to store them as arrays. - */ - - $attributes = array( - 'uid' => array($_SESSION['uid']), - 'displayName' => array($_SESSION['name']), - 'mail' => array($_SESSION['mail']), - ); - - /* Here we generate a multivalued attribute based on the account type. */ - $attributes['eduPersonAffiliation'] = array( - $_SESSION['type'], /* In this example, either 'student' or 'employee'. */ - 'member', - ); - - return $attributes; - } - - - /** - * Log in using an external authentication helper. - * - * @param array &$state Information about the current authentication. - */ - public function authenticate(&$state) { - assert(is_array($state)); - - $attributes = $this->getUser(); - if ($attributes !== NULL) { - /* - * The user is already authenticated. 
- * - * Add the users attributes to the $state-array, and return control - * to the authentication process. - */ - $state['Attributes'] = $attributes; - return; - } - - /* - * The user isn't authenticated. We therefore need to - * send the user to the login page. - */ - - /* - * First we add the identifier of this authentication source - * to the state array, so that we know where to resume. - */ - $state['exampleauth:AuthID'] = $this->authId; - - - /* - * We need to save the $state-array, so that we can resume the - * login process after authentication. - * - * Note the second parameter to the saveState-function. This is a - * unique identifier for where the state was saved, and must be used - * again when we retrieve the state. - * - * The reason for it is to prevent - * attacks where the user takes a $state-array saved in one location - * and restores it in another location, and thus bypasses steps in - * the authentication process. - */ - $stateId = SimpleSAML_Auth_State::saveState($state, 'exampleauth:External'); - - /* - * Now we generate a URL the user should return to after authentication. - * We assume that whatever authentication page we send the user to has an - * option to return the user to a specific page afterwards. - */ - $returnTo = SimpleSAML\Module::getModuleURL('exampleauth/resume.php', array( - 'State' => $stateId, - )); - - /* - * Get the URL of the authentication page. - * - * Here we use the getModuleURL function again, since the authentication page - * is also part of this module, but in a real example, this would likely be - * the absolute URL of the login page for the site. - */ - $authPage = SimpleSAML\Module::getModuleURL('exampleauth/authpage.php'); - - /* - * The redirect to the authentication page. - * - * Note the 'ReturnTo' parameter. This must most likely be replaced with - * the real name of the parameter for the login page. 
- */ - \SimpleSAML\Utils\HTTP::redirectTrustedURL($authPage, array( - 'ReturnTo' => $returnTo, - )); - - /* - * The redirect function never returns, so we never get this far. - */ - assert(false); - } - - - /** - * Resume authentication process. - * - * This function resumes the authentication process after the user has - * entered his or her credentials. - * - * @param array &$state The authentication state. - */ - public static function resume() { - - /* - * First we need to restore the $state-array. We should have the identifier for - * it in the 'State' request parameter. - */ - if (!isset($_REQUEST['State'])) { - throw new SimpleSAML_Error_BadRequest('Missing "State" parameter.'); - } - - /* - * Once again, note the second parameter to the loadState function. This must - * match the string we used in the saveState-call above. - */ - $state = SimpleSAML_Auth_State::loadState($_REQUEST['State'], 'exampleauth:External'); - - /* - * Now we have the $state-array, and can use it to locate the authentication - * source. - */ - $source = SimpleSAML_Auth_Source::getById($state['exampleauth:AuthID']); - if ($source === NULL) { - /* - * The only way this should fail is if we remove or rename the authentication source - * while the user is at the login page. - */ - throw new SimpleSAML_Error_Exception('Could not find authentication source with id ' . $state[self::AUTHID]); - } - - /* - * Make sure that we haven't switched the source type while the - * user was at the authentication page. This can only happen if we - * change config/authsources.php while an user is logging in. - */ - if (! ($source instanceof self)) { - throw new SimpleSAML_Error_Exception('Authentication source type changed.'); - } - - - /* - * OK, now we know that our current state is sane. Time to actually log the user in. - * - * First we check that the user is acutally logged in, and didn't simply skip the login page. 
- */ - $attributes = $source->getUser(); - if ($attributes === NULL) { - /* - * The user isn't authenticated. - * - * Here we simply throw an exception, but we could also redirect the user back to the - * login page. - */ - throw new SimpleSAML_Error_Exception('User not authenticated after login page.'); - } - - /* - * So, we have a valid user. Time to resume the authentication process where we - * paused it in the authenticate()-function above. - */ - - $state['Attributes'] = $attributes; - SimpleSAML_Auth_Source::completeAuth($state); - - /* - * The completeAuth-function never returns, so we never get this far. - */ - assert(false); - } - - - /** - * This function is called when the user start a logout operation, for example - * by logging out of a SP that supports single logout. - * - * @param array &$state The logout state array. - */ - public function logout(&$state) { - assert(is_array($state)); - - if (!session_id()) { - /* session_start not called before. Do it here. */ - session_start(); - } - - /* - * In this example we simply remove the 'uid' from the session. - */ - unset($_SESSION['uid']); - - /* - * If we need to do a redirect to a different page, we could do this - * here, but in this example we don't need to do this. - */ - } - +class sspmod_exampleauth_Auth_Source_External extends SimpleSAML_Auth_Source +{ + /** + * Constructor for this authentication source. + * + * @param array $info Information about this authentication source. + * @param array $config Configuration. + */ + public function __construct(array $info, array $config) + { + // Call the parent constructor first, as required by the interface + parent::__construct($info, $config); + + // Do any other configuration we need here + } + + /** + * Retrieve attributes for the user. + * + * @return array|null The user's attributes, or null if the user isn't authenticated. 
+ */ + private function getUser() + { + /* + * In this example we assume that the attributes are + * stored in the users PHP session, but this could be replaced + * with anything. + */ + + if (!session_id()) { + /* session_start not called before. Do it here. */ + session_start(); + } + + if (!isset($_SESSION['uid'])) { + /* The user isn't authenticated. */ + return null; + } + + /* + * Find the attributes for the user. + * Note that all attributes in SimpleSAMLphp are multivalued, so we need + * to store them as arrays. + */ + + $attributes = array( + 'uid' => array($_SESSION['uid']), + 'displayName' => array($_SESSION['name']), + 'mail' => array($_SESSION['mail']), + ); + + /* Here we generate a multivalued attribute based on the account type. */ + $attributes['eduPersonAffiliation'] = array( + $_SESSION['type'], /* In this example, either 'student' or 'employee'. */ + 'member', + ); + + return $attributes; + } + + /** + * Log in using an external authentication helper. + * + * @param array &$state Information about the current authentication. + */ + public function authenticate(array &$state) + { + $attributes = $this->getUser(); + if ($attributes !== null) { + /* + * The user is already authenticated. + * + * Add the users attributes to the $state-array, and return control + * to the authentication process. + */ + $state['Attributes'] = $attributes; + return; + } + + /* + * The user isn't authenticated. We therefore need to + * send the user to the login page. + */ + + /* + * First we add the identifier of this authentication source + * to the state array, so that we know where to resume. + */ + $state['exampleauth:AuthID'] = $this->authId; + + /* + * We need to save the $state-array, so that we can resume the + * login process after authentication. + * + * Note the second parameter to the saveState-function. This is a + * unique identifier for where the state was saved, and must be used + * again when we retrieve the state. 
+ * + * The reason for it is to prevent + * attacks where the user takes a $state-array saved in one location + * and restores it in another location, and thus bypasses steps in + * the authentication process. + */ + $stateId = SimpleSAML_Auth_State::saveState($state, 'exampleauth:External'); + + /* + * Now we generate a URL the user should return to after authentication. + * We assume that whatever authentication page we send the user to has an + * option to return the user to a specific page afterwards. + */ + $returnTo = SimpleSAML\Module::getModuleURL('exampleauth/resume.php', array( + 'State' => $stateId, + )); + + /* + * Get the URL of the authentication page. + * + * Here we use the getModuleURL function again, since the authentication page + * is also part of this module, but in a real example, this would likely be + * the absolute URL of the login page for the site. + */ + $authPage = SimpleSAML\Module::getModuleURL('exampleauth/authpage.php'); + + /* + * The redirect to the authentication page. + * + * Note the 'ReturnTo' parameter. This must most likely be replaced with + * the real name of the parameter for the login page. + */ + \SimpleSAML\Utils\HTTP::redirectTrustedURL($authPage, array( + 'ReturnTo' => $returnTo, + )); + + /* + * The redirect function never returns, so we never get this far. + */ + assert(false); + } + + /** + * Resume authentication process. + * + * This function resumes the authentication process after the user has + * entered his or her credentials. + * + * @param array &$state The authentication state. + */ + public static function resume() + { + /* + * First we need to restore the $state-array. We should have the identifier for + * it in the 'State' request parameter. + */ + if (!isset($_REQUEST['State'])) { + throw new SimpleSAML_Error_BadRequest('Missing "State" parameter.'); + } + + /* + * Once again, note the second parameter to the loadState function. This must + * match the string we used in the saveState-call above. 
+ */ + $state = SimpleSAML_Auth_State::loadState($_REQUEST['State'], 'exampleauth:External'); + + /* + * Now we have the $state-array, and can use it to locate the authentication + * source. + */ + $source = SimpleSAML_Auth_Source::getById($state['exampleauth:AuthID']); + if ($source === null) { + /* + * The only way this should fail is if we remove or rename the authentication source + * while the user is at the login page. + */ + throw new SimpleSAML_Error_Exception('Could not find authentication source with id ' . $state[self::AUTHID]); + } + + /* + * Make sure that we haven't switched the source type while the + * user was at the authentication page. This can only happen if we + * change config/authsources.php while an user is logging in. + */ + if (! ($source instanceof self)) { + throw new SimpleSAML_Error_Exception('Authentication source type changed.'); + } + + + /* + * OK, now we know that our current state is sane. Time to actually log the user in. + * + * First we check that the user is acutally logged in, and didn't simply skip the login page. + */ + $attributes = $source->getUser(); + if ($attributes === null) { + /* + * The user isn't authenticated. + * + * Here we simply throw an exception, but we could also redirect the user back to the + * login page. + */ + throw new SimpleSAML_Error_Exception('User not authenticated after login page.'); + } + + /* + * So, we have a valid user. Time to resume the authentication process where we + * paused it in the authenticate()-function above. + */ + + $state['Attributes'] = $attributes; + SimpleSAML_Auth_Source::completeAuth($state); + + /* + * The completeAuth-function never returns, so we never get this far. + */ + assert(false); + } + + /** + * This function is called when the user start a logout operation, for example + * by logging out of a SP that supports single logout. + * + * @param array &$state The logout state array. 
+ */ + public function logout(array &$state) + { + if (!session_id()) { + /* session_start not called before. Do it here. */ + session_start(); + } + + /* + * In this example we simply remove the 'uid' from the session. + */ + unset($_SESSION['uid']); + + /* + * If we need to do a redirect to a different page, we could do this + * here, but in this example we don't need to do this. + */ + } } diff --git a/modules/exampleauth/lib/Auth/Source/Static.php b/modules/exampleauth/lib/Auth/Source/Static.php index 8c5eba05715bceea091c129b8ec79e56f8d722dd..e395978a0cbcb40761c9de82f0ec98373b8ba03a 100644 --- a/modules/exampleauth/lib/Auth/Source/Static.php +++ b/modules/exampleauth/lib/Auth/Source/Static.php 
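Review bot: In `resume()`, the source is looked up with `$state['exampleauth:AuthID']`, but the exception raised when that lookup fails reads `$state[self::AUTHID]`, a different key whose constant is not declared anywhere in this hunk. Presumably the message should use the key that `authenticate()` wrote: `throw new SimpleSAML_Error_Exception('Could not find authentication source with id ' . $state['exampleauth:AuthID']);`. The docblock of `resume()` also still lists `@param array &$state` although the method takes no parameters, so that line should be dropped.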
@@ -6,52 +6,43 @@ * This class is an example authentication source which will always return a user with * a static set of attributes. * - * @author Olav Morken, UNINETT AS. * @package SimpleSAMLphp */ -class sspmod_exampleauth_Auth_Source_Static extends SimpleSAML_Auth_Source { - - - /** - * The attributes we return. - */ - private $attributes; - - - /** - * Constructor for this authentication source. - * - * @param array $info Information about this authentication source. - * @param array $config Configuration. - */ - public function __construct($info, $config) { - assert(is_array($info)); - assert(is_array($config)); - - // Call the parent constructor first, as required by the interface - parent::__construct($info, $config); - - - // Parse attributes - try { - $this->attributes = SimpleSAML\Utils\Attributes::normalizeAttributesArray($config); - } catch(Exception $e) { - throw new Exception('Invalid attributes for authentication source ' . - $this->authId . ': ' . $e->getMessage()); - } - - } - - - /** - * Log in using static attributes. - * - * @param array &$state Information about the current authentication. - */ - public function authenticate(&$state) { - assert(is_array($state)); - - $state['Attributes'] = $this->attributes; - } - +class sspmod_exampleauth_Auth_Source_Static extends SimpleSAML_Auth_Source +{ + /** + * The attributes we return. + */ + private $attributes; + + /** + * Constructor for this authentication source. + * + * @param array $info Information about this authentication source. + * @param array $config Configuration. + */ + public function __construct(array $info, array $config) + { + // Call the parent constructor first, as required by the interface + parent::__construct($info, $config); + + // Parse attributes + try { + $this->attributes = SimpleSAML\Utils\Attributes::normalizeAttributesArray($config); + } catch(Exception $e) { + throw new Exception('Invalid attributes for authentication source ' . + $this->authId . ': ' . 
$e->getMessage()); + } + + } + + /** + * Log in using static attributes. + * + * @param array &$state Information about the current authentication. + */ + public function authenticate(array &$state) + { + $state['Attributes'] = $this->attributes; + } } diff --git a/modules/exampleauth/lib/Auth/Source/UserPass.php b/modules/exampleauth/lib/Auth/Source/UserPass.php index 8582d1c7c989a28af3f233d18cb72c806f39d0b8..cc1353d31e5063e2ba77353df1a1fa88e3aa3d58 100644 --- a/modules/exampleauth/lib/Auth/Source/UserPass.php +++ b/modules/exampleauth/lib/Auth/Source/UserPass.php 
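Review bot: The constructor's `catch` block rethrows a new `Exception` built only from `$e->getMessage()`, so the original exception and its stack trace are lost. Passing it as the previous exception keeps the cause available to logs: `throw new Exception('Invalid attributes for authentication source ' . $this->authId . ': ' . $e->getMessage(), 0, $e);`. The same pattern is in the constructor of the UserPass.php hunk. The new side also keeps an empty line before the constructor's closing brace, which this cleanup could remove.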
@@ -6,85 +6,79 @@ * This class is an example authentication source which stores all username/passwords in an array, * and authenticates users against this array. * - * @author Olav Morken, UNINETT AS. * @package SimpleSAMLphp */ -class sspmod_exampleauth_Auth_Source_UserPass extends sspmod_core_Auth_UserPassBase { - - - /** - * Our users, stored in an associative array. The key of the array is "<username>:<password>", - * while the value of each element is a new array with the attributes for each user. - */ - private $users; - - - /** - * Constructor for this authentication source. - * - * @param array $info Information about this authentication source. - * @param array $config Configuration. - */ - public function __construct($info, $config) { - assert(is_array($info)); - assert(is_array($config)); - - // Call the parent constructor first, as required by the interface - parent::__construct($info, $config); - - $this->users = array(); - - // Validate and parse our configuration - foreach ($config as $userpass => $attributes) { - if (!is_string($userpass)) { - throw new Exception('Invalid <username>:<password> for authentication source ' . - $this->authId . ': ' . $userpass); - } - - $userpass = explode(':', $userpass, 2); - if (count($userpass) !== 2) { - throw new Exception('Invalid <username>:<password> for authentication source ' . - $this->authId . ': ' . $userpass[0]); - } - $username = $userpass[0]; - $password = $userpass[1]; - - try { - $attributes = SimpleSAML\Utils\Attributes::normalizeAttributesArray($attributes); - } catch(Exception $e) { - throw new Exception('Invalid attributes for user ' . $username . - ' in authentication source ' . $this->authId . ': ' . - $e->getMessage()); - } - - $this->users[$username . ':' . $password] = $attributes; - } - } - - - /** - * Attempt to log in using the given username and password. - * - * On a successful login, this function should return the users attributes. On failure, - * it should throw an exception. 
If the error was caused by the user entering the wrong - * username or password, a SimpleSAML_Error_Error('WRONGUSERPASS') should be thrown. - * - * Note that both the username and the password are UTF-8 encoded. - * - * @param string $username The username the user wrote. - * @param string $password The password the user wrote. - * @return array Associative array with the users attributes. - */ - protected function login($username, $password) { - assert(is_string($username)); - assert(is_string($password)); - - $userpass = $username . ':' . $password; - if (!array_key_exists($userpass, $this->users)) { - throw new SimpleSAML_Error_Error('WRONGUSERPASS'); - } - - return $this->users[$userpass]; - } - +class sspmod_exampleauth_Auth_Source_UserPass extends sspmod_core_Auth_UserPassBase +{ + /** + * Our users, stored in an associative array. The key of the array is "<username>:<password>", + * while the value of each element is a new array with the attributes for each user. + */ + private $users; + + /** + * Constructor for this authentication source. + * + * @param array $info Information about this authentication source. + * @param array $config Configuration. + */ + public function __construct(array $info, array $config) + { + // Call the parent constructor first, as required by the interface + parent::__construct($info, $config); + + $this->users = array(); + + // Validate and parse our configuration + foreach ($config as $userpass => $attributes) { + if (!is_string($userpass)) { + throw new Exception('Invalid <username>:<password> for authentication source ' . + $this->authId . ': ' . $userpass); + } + + $userpass = explode(':', $userpass, 2); + if (count($userpass) !== 2) { + throw new Exception('Invalid <username>:<password> for authentication source ' . + $this->authId . ': ' . 
$userpass[0]); + } + $username = $userpass[0]; + $password = $userpass[1]; + + try { + $attributes = SimpleSAML\Utils\Attributes::normalizeAttributesArray($attributes); + } catch(Exception $e) { + throw new Exception('Invalid attributes for user ' . $username . + ' in authentication source ' . $this->authId . ': ' . + $e->getMessage()); + } + + $this->users[$username . ':' . $password] = $attributes; + } + } + + /** + * Attempt to log in using the given username and password. + * + * On a successful login, this function should return the users attributes. On failure, + * it should throw an exception. If the error was caused by the user entering the wrong + * username or password, a SimpleSAML_Error_Error('WRONGUSERPASS') should be thrown. + * + * Note that both the username and the password are UTF-8 encoded. + * + * @param string $username The username the user wrote. + * @param string $password The password the user wrote. + * @return array Associative array with the users attributes. + */ + protected function login($username, $password) + { + assert(is_string($username)); + assert(is_string($password)); + + $userpass = $username . ':' . $password; + if (!array_key_exists($userpass, $this->users)) { + throw new SimpleSAML_Error_Error('WRONGUSERPASS'); + } + + return $this->users[$userpass]; + } } diff --git a/modules/exampleauth/www/authpage.php b/modules/exampleauth/www/authpage.php index 73fcb131ecd9df5ce0bd4b82a41ad5502e0e95a1..13f95a56c6d31c4f319963c90a299ac45b509849 100644 --- a/modules/exampleauth/www/authpage.php +++ b/modules/exampleauth/www/authpage.php @@ -10,7 +10,7 @@ */ if (!isset($_REQUEST['ReturnTo'])) { - die('Missing ReturnTo parameter.'); + die('Missing ReturnTo parameter.'); } $returnTo = \SimpleSAML\Utils\HTTP::checkURLAllowed($_REQUEST['ReturnTo']); 
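Review bot: `login()` rebuilds the lookup key as `$username . ':' . $password`, while the constructor splits each configured key on the first colon only, so the username/password boundary of a submitted pair is ambiguous when the username contains ':'. Rejecting such usernames before the lookup keeps both sides consistent: `if (strpos($username, ':') !== false) { throw new SimpleSAML_Error_Error('WRONGUSERPASS'); }`. The two `assert(is_string(...))` calls kept here do nothing when assertions are disabled, so they should not be read as input validation. Since the class keeps cleartext passwords as array keys, the class docblock could also state that it is meant for testing only.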
@@ -27,7 +27,7 @@ $returnTo = \SimpleSAML\Utils\HTTP::checkURLAllowed($_REQUEST['ReturnTo']); */ if (!preg_match('@State=(.*)@', $returnTo, $matches)) { - die('Invalid ReturnTo URL for this example.'); + die('Invalid ReturnTo URL for this example.'); } SimpleSAML_Auth_State::loadState(urldecode($matches[1]), 'exampleauth:External'); @@ -42,20 +42,20 @@ SimpleSAML_Auth_State::loadState(urldecode($matches[1]), 'exampleauth:External') * Our list of users. */ $users = array( - 'student' => array( - 'password' => 'student', - 'uid' => 'student', - 'name' => 'Student Name', - 'mail' => 'somestudent@example.org', - 'type' => 'student', - ), - 'admin' => array( - 'password' => 'admin', - 'uid' => 'admin', - 'name' => 'Admin Name', - 'mail' => 'someadmin@example.org', - 'type' => 'employee', - ), + 'student' => array( + 'password' => 'student', + 'uid' => 'student', + 'name' => 'Student Name', + 'mail' => 'somestudent@example.org', + 'type' => 'student', + ), + 'admin' => array( + 'password' => 'admin', + 'uid' => 'admin', + 'name' => 'Admin Name', + 'mail' => 'someadmin@example.org', + 'type' => 'employee', + ), ); 
@@ -64,29 +64,29 @@ $users = array( * Since this is a dummy example, we accept any data. */ -$badUserPass = FALSE; +$badUserPass = false; if ($_SERVER['REQUEST_METHOD'] === 'POST') { - $username = (string)$_REQUEST['username']; - $password = (string)$_REQUEST['password']; + $username = (string)$_REQUEST['username']; + $password = (string)$_REQUEST['password']; - if (!isset($users[$username]) || $users[$username]['password'] !== $password) { - $badUserPass = TRUE; - } else { + if (!isset($users[$username]) || $users[$username]['password'] !== $password) { + $badUserPass = true; + } else { - $user = $users[$username]; + $user = $users[$username]; - if (!session_id()) { - // session_start not called before. Do it here. - session_start(); - } + if (!session_id()) { + // session_start not called before. Do it here. + session_start(); + } - $_SESSION['uid'] = $user['uid']; - $_SESSION['name'] = $user['name']; - $_SESSION['mail'] = $user['mail']; - $_SESSION['type'] = $user['type']; + $_SESSION['uid'] = $user['uid']; + $_SESSION['name'] = $user['name']; + $_SESSION['mail'] = $user['mail']; + $_SESSION['type'] = $user['type']; - \SimpleSAML\Utils\HTTP::redirectTrustedURL($returnTo); - } + \SimpleSAML\Utils\HTTP::redirectTrustedURL($returnTo); + } } diff --git a/modules/exampleauth/www/redirecttest.php b/modules/exampleauth/www/redirecttest.php index 96ff9a50f7bd3d229d9a32ca5f0fd48b9ed14ed0..883f94ab4db9397b93003b2d5e4b8a4a793cba45 100644 --- a/modules/exampleauth/www/redirecttest.php +++ b/modules/exampleauth/www/redirecttest.php 
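Review bot: After a successful password check the session id is not regenerated before `$_SESSION['uid']` and the other attributes are written, so an id that existed before login stays valid for the authenticated session. Add `session_regenerate_id(true);` directly after the `session_start()` guard. The branch already requires `$_SERVER['REQUEST_METHOD'] === 'POST'`, so reading the credentials from `$_POST` instead of `$_REQUEST` would keep query-string values out of the comparison, and `isset()` checks would avoid notices when a field is missing. `$users` and `$returnTo` are defined in earlier hunks of this file.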
@@ -1,14 +1,12 @@ <?php - /** * Request handler for redirect filter test. * - * @author Olav Morken, UNINETT AS. * @package SimpleSAMLphp */ if (!array_key_exists('StateId', $_REQUEST)) { - throw new SimpleSAML_Error_BadRequest('Missing required StateId query parameter.'); + throw new SimpleSAML_Error_BadRequest('Missing required StateId query parameter.'); } $state = SimpleSAML_Auth_State::loadState($_REQUEST['StateId'], 'exampleauth:redirectfilter-test'); diff --git a/modules/exampleauth/www/resume.php b/modules/exampleauth/www/resume.php index 08d66dd3f490d198e5467665d21204d8c6afd64b..ec04a028b47f0d84990be2ccf76796fed06ff52b 100644 --- a/modules/exampleauth/www/resume.php +++ b/modules/exampleauth/www/resume.php @@ -1,5 +1,4 @@ <?php - /** * This page serves as the point where the user's authentication * process is resumed after the login page. diff --git a/modules/expirycheck/lib/Auth/Process/ExpiryDate.php b/modules/expirycheck/lib/Auth/Process/ExpiryDate.php index c315169fa97f29ec7079be03d925f06723de3332..a1384eb3383ddf23ff83e7494361d6e8c441f8cc 100644 --- a/modules/expirycheck/lib/Auth/Process/ExpiryDate.php +++ b/modules/expirycheck/lib/Auth/Process/ExpiryDate.php @@ -1,5 +1,4 @@ <?php - /** * Filter which show "about to expire" warning or deny access if netid is expired. * 
@@ -16,140 +15,130 @@ * ), * </code> * - * @author Alex MihiÄinac, ARNES. <alexm@arnes.si> * @package SimpleSAMLphp */ - -class sspmod_expirycheck_Auth_Process_ExpiryDate extends SimpleSAML_Auth_ProcessingFilter { - - private $warndaysbefore = 0; - private $netid_attr = NULL; - private $expirydate_attr = NULL; - private $date_format = 'd.m.Y'; - - - /** - * Initialize this filter. - * - * @param array $config Configuration information about this filter. - * @param mixed $reserved For future use. - */ - public function __construct($config, $reserved) { - parent::__construct($config, $reserved); - - assert(is_array($config)); - - if (array_key_exists('warndaysbefore', $config)) { - $this->warndaysbefore = $config['warndaysbefore']; - if (!is_string($this->warndaysbefore)) { - throw new Exception('Invalid value for number of days given to expirycheck::ExpiryDate filter.'); - } - } - - if (array_key_exists('netid_attr', $config)) { - $this->netid_attr = $config['netid_attr']; - if (!is_string($this->netid_attr)) { - throw new Exception('Invalid attribute name given as eduPersonPrincipalName to expirycheck::ExpiryDate filter.'); - } - } - - if (array_key_exists('expirydate_attr', $config)) { - $this->expirydate_attr = $config['expirydate_attr']; - if (!is_string($this->expirydate_attr)) { - throw new Exception('Invalid attribute name given as schacExpiryDate to expirycheck::ExpiryDate filter.'); - } - } - - if (array_key_exists('date_format', $config)) { - $this->date_format = $config['date_format']; - if (!is_string($this->date_format)) { - throw new Exception('Invalid date format given to expirycheck::ExpiryDate filter.'); - } - } - } - - /** - * Show expirational warning if remaining days is equal or under defined $warndaysbefore - * @param integer $expireOnDate - * @param integer $warndaysbefore - * @return bool - * - */ - public function shWarning(&$state, $expireOnDate, $warndaysbefore) { - $now = time(); - $end = $expireOnDate; - - if ($expireOnDate >= $now) { - 
$days = (int)(($end - $now) / (24*60*60)); - if ($days <= $warndaysbefore) { - $state['daysleft'] = $days; - return true; - } - } - return false; - } - - /** - * Check if given date is older than today - * @param integer $expireOnDate - * @return bool - * - */ - public function checkDate($expireOnDate) { - $now = time(); - $end = $expireOnDate; - - if ($now <= $end) { - return true; - } else { - return false; - } - - } - - /** - * Apply filter - * - * @param array &$state The current state. - */ - public function process(&$state) { - /* - * UTC format: 20090527080352Z - */ - $netId = $state['Attributes'][$this->netid_attr][0]; - $expireOnDate = strtotime($state['Attributes'][$this->expirydate_attr][0]); - - if (self::shWarning($state, $expireOnDate, $this->warndaysbefore)) { - assert(is_array($state)); - if (isset($state['isPassive']) && $state['isPassive'] === TRUE) { - // We have a passive request. Skip the warning. - return; - } - - SimpleSAML\Logger::warning('expirycheck: NetID ' . $netId . - ' is about to expire!'); - - // Save state and redirect - $state['expireOnDate'] = date($this->date_format, $expireOnDate); - $state['netId'] = $netId; - $id = SimpleSAML_Auth_State::saveState($state, 'expirywarning:about2expire'); - $url = SimpleSAML\Module::getModuleURL('expirycheck/about2expire.php'); - \SimpleSAML\Utils\HTTP::redirectTrustedURL($url, array('StateId' => $id)); - } - - if (!self::checkDate($expireOnDate)) { - SimpleSAML\Logger::error('expirycheck: NetID ' . $netId . - ' has expired [' . date($this->date_format, $expireOnDate) . ']. Access denied!'); - - /* Save state and redirect. 
*/ - $state['expireOnDate'] = date($this->date_format, $expireOnDate); - $state['netId'] = $netId; - $id = SimpleSAML_Auth_State::saveState($state, 'expirywarning:expired'); - $url = SimpleSAML\Module::getModuleURL('expirycheck/expired.php'); - \SimpleSAML\Utils\HTTP::redirectTrustedURL($url, array('StateId' => $id)); - - } - } - - +class sspmod_expirycheck_Auth_Process_ExpiryDate extends SimpleSAML_Auth_ProcessingFilter +{ + private $warndaysbefore = 0; + private $netid_attr = null; + private $expirydate_attr = null; + private $date_format = 'd.m.Y'; + + /** + * Initialize this filter. + * + * @param array $config Configuration information about this filter. + * @param mixed $reserved For future use. + */ + public function __construct(array $config, $reserved) + { + parent::__construct($config, $reserved); + + if (array_key_exists('warndaysbefore', $config)) { + $this->warndaysbefore = $config['warndaysbefore']; + if (!is_string($this->warndaysbefore)) { + throw new Exception('Invalid value for number of days given to expirycheck::ExpiryDate filter.'); + } + } + + if (array_key_exists('netid_attr', $config)) { + $this->netid_attr = $config['netid_attr']; + if (!is_string($this->netid_attr)) { + throw new Exception('Invalid attribute name given as eduPersonPrincipalName to expirycheck::ExpiryDate filter.'); + } + } + + if (array_key_exists('expirydate_attr', $config)) { + $this->expirydate_attr = $config['expirydate_attr']; + if (!is_string($this->expirydate_attr)) { + throw new Exception('Invalid attribute name given as schacExpiryDate to expirycheck::ExpiryDate filter.'); + } + } + + if (array_key_exists('date_format', $config)) { + $this->date_format = $config['date_format']; + if (!is_string($this->date_format)) { + throw new Exception('Invalid date format given to expirycheck::ExpiryDate filter.'); + } + } + } + + /** + * Show expirational warning if remaining days is equal or under defined $warndaysbefore + * @param array $state Current authenticaton state. 
+ * @param integer $expireOnDate + * @param integer $warndaysbefore + * @return bool + */ + private function shWarning(array &$state, $expireOnDate, $warndaysbefore) { + $now = time(); + $end = $expireOnDate; + + if ($expireOnDate >= $now) { + $days = (int)(($end - $now) / (24*60*60)); + if ($days <= $warndaysbefore) { + $state['daysleft'] = $days; + return true; + } + } + return false; + } + + /** + * Check if given date is older than today + * @param integer $expireOnDate + * @return bool + * + */ + private function checkDate($expireOnDate) + { + $now = time(); + $end = $expireOnDate; + + return ($now <= $end); + } + + /** + * Apply filter + * + * @param array &$state The current state. + */ + public function process(array &$state) + { + /* + * UTC format: 20090527080352Z + */ + $netId = $state['Attributes'][$this->netid_attr][0]; + $expireOnDate = strtotime($state['Attributes'][$this->expirydate_attr][0]); + + if (self::shWarning($state, $expireOnDate, $this->warndaysbefore)) { + assert(is_array($state)); + if (isset($state['isPassive']) && $state['isPassive'] === true) { + // We have a passive request. Skip the warning. + return; + } + + SimpleSAML\Logger::warning('expirycheck: NetID ' . $netId . + ' is about to expire!'); + + // Save state and redirect + $state['expireOnDate'] = date($this->date_format, $expireOnDate); + $state['netId'] = $netId; + $id = SimpleSAML_Auth_State::saveState($state, 'expirywarning:about2expire'); + $url = SimpleSAML\Module::getModuleURL('expirycheck/about2expire.php'); + \SimpleSAML\Utils\HTTP::redirectTrustedURL($url, array('StateId' => $id)); + } + + if (!self::checkDate($expireOnDate)) { + SimpleSAML\Logger::error('expirycheck: NetID ' . $netId . + ' has expired [' . date($this->date_format, $expireOnDate) . ']. Access denied!'); + + /* Save state and redirect. 
*/ + $state['expireOnDate'] = date($this->date_format, $expireOnDate); + $state['netId'] = $netId; + $id = SimpleSAML_Auth_State::saveState($state, 'expirywarning:expired'); + $url = SimpleSAML\Module::getModuleURL('expirycheck/expired.php'); + \SimpleSAML\Utils\HTTP::redirectTrustedURL($url, array('StateId' => $id)); + } + } } diff --git a/modules/ldap/lib/Auth/Process/AttributeAddFromLDAP.php b/modules/ldap/lib/Auth/Process/AttributeAddFromLDAP.php index e788d268906f944afddb984aa30d039c405d754a..35d25f71d38ba24dd5ae5d96c8128b5d072bb098 100644 --- a/modules/ldap/lib/Auth/Process/AttributeAddFromLDAP.php +++ b/modules/ldap/lib/Auth/Process/AttributeAddFromLDAP.php 
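Review bot: In `process()`, the result of `strtotime()` is used without a check for `false`, so a missing or unparsable expiry attribute is handled like an already expired account instead of being reported as a data error. An explicit guard before the two checks would separate the cases: `if ($expireOnDate === false) { throw new Exception('Invalid expiry date given to expirycheck::ExpiryDate filter.'); }`. The constructor also validates `warndaysbefore` with `is_string()`, which rejects an integer and accepts any non-numeric string; `is_numeric()` followed by an `(int)` cast would match the later `$days <= $warndaysbefore` comparison. The `assert(is_array($state));` left inside `process()` is redundant now that the parameter is declared `array &$state`.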
@@ -1,40 +1,11 @@ <?php - /** * Filter to add attributes to the identity by executing a query against an LDAP directory * - * Original Author: Steve Moitozo II <steve_moitozo@jaars.org> - * Created: 20100513 - * Updated: 20100920 Steve Moitozo II - * - incorporated feedback from Olav Morken to prep code for inclusion in SimpleSAMLphp distro - * - moved call to ldap_set_options() inside test for $ds - * - added the output of ldap_error() to the exceptions - * - reduced some of the nested ifs - * - added support for multiple values - * - added support for anonymous binds - * - added escaping of search filter and attribute - * Updated: 20111118 Ryan Panning - * - Updated the class to use BaseFilter which reuses LDAP connection features - * - Added conversion of original filter option names for backwards-compatibility - * - Updated the constructor to use the new config method - * - Updated the process method to use the new config variable names - * Updated: 20131119 Yørn de Jong / Jaime Perez - * - Added support for retrieving multiple values at once from LDAP - * - Don't crash but fail silently on LDAP errors; the plugin is to complement attributes - * Updated: 20161223 Remy Blom <remy.blom@hku.nl> - * - Adjusted the silent fail so it does show a warning in log when $this->getLdap() fails - * - * @author Yørn de Jong - * @author Jaime Perez - * @author Steve Moitozo - * @author JAARS, Inc. - * @author Ryan Panning - * @author Remy Blom <remy.blom@hku.nl> * @package SimpleSAMLphp */ class sspmod_ldap_Auth_Process_AttributeAddFromLDAP extends sspmod_ldap_Auth_Process_BaseFilter { - /** * LDAP attributes to add to the request attributes * @@ -42,7 +13,6 @@ class sspmod_ldap_Auth_Process_AttributeAddFromLDAP extends sspmod_ldap_Auth_Pro */ protected $search_attributes; - /** * LDAP search filter to use in the LDAP query * 
@@ -50,7 +20,6 @@ class sspmod_ldap_Auth_Process_AttributeAddFromLDAP extends sspmod_ldap_Auth_Pro */ protected $search_filter; - /** * What to do with attributes when the target already exists. Either replace, merge or add. * @@ -64,7 +33,7 @@ class sspmod_ldap_Auth_Process_AttributeAddFromLDAP extends sspmod_ldap_Auth_Pro * @param array $config Configuration information about this filter. * @param mixed $reserved For future use. */ - public function __construct($config, $reserved) + public function __construct(array $config, $reserved) { /* * For backwards compatibility, check for old config names @@ -135,9 +104,8 @@ class sspmod_ldap_Auth_Process_AttributeAddFromLDAP extends sspmod_ldap_Auth_Pro * * @param array &$request The current request */ - public function process(&$request) + public function process(array &$request) { - assert(is_array($request)); assert(array_key_exists('Attributes', $request)); $attributes =& $request['Attributes']; diff --git a/modules/ldap/lib/Auth/Process/AttributeAddUsersGroups.php b/modules/ldap/lib/Auth/Process/AttributeAddUsersGroups.php index 8fa7c2ccf2a9b9661434ba9917942f11513ecde7..7fd1d7820363a6e6f4c0d475c85d84e1064fd899 100644 --- a/modules/ldap/lib/Auth/Process/AttributeAddUsersGroups.php +++ b/modules/ldap/lib/Auth/Process/AttributeAddUsersGroups.php @@ -1,11 +1,9 @@ <?php - /** * Does a reverse membership lookup on the logged in user, * looking for groups it is a member of and adds them to * a defined attribute, in DN format. * - * @author Ryan Panning <panman@traileyes.com> * @package SimpleSAMLphp */ class sspmod_ldap_Auth_Process_AttributeAddUsersGroups extends sspmod_ldap_Auth_Process_BaseFilter 
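Review bot: In `process()` of AttributeAddFromLDAP the new `array` type declaration replaces only the `is_array` assertion; the presence of `$request['Attributes']` is still guarded by `assert()` alone, which does nothing when assertions are disabled. In that configuration the reference assignment `$attributes =& $request['Attributes'];` silently creates the key with a null value instead of failing. I would replace the assertion with an explicit check, for example `if (!isset($request['Attributes'])) { throw new SimpleSAML_Error_Exception($this->title . 'Missing Attributes in request'); }` (message text constructed for illustration). The same `assert(array_key_exists('Attributes', $request))` is left in `AttributeAddUsersGroups::process()` in the next file. The body of `process()` continues outside the hunk.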
@@ -17,11 +15,10 @@ class sspmod_ldap_Auth_Process_AttributeAddUsersGroups extends sspmod_ldap_Auth_ * are then added to the request attributes. * * @throws SimpleSAML_Error_Exception - * @param $request + * @param array $request */ - public function process(&$request) + public function process(array &$request) { - assert(is_array($request)); assert(array_key_exists('Attributes', $request)); // Log the process @@ -61,7 +58,6 @@ class sspmod_ldap_Auth_Process_AttributeAddUsersGroups extends sspmod_ldap_Auth_ ); } - /** * This section of code was broken out because the child * filter AuthorizeByGroup can use this method as well. @@ -73,7 +69,7 @@ class sspmod_ldap_Auth_Process_AttributeAddUsersGroups extends sspmod_ldap_Auth_ * @param array $attributes * @return array */ - protected function getGroups($attributes) + protected function getGroups(array $attributes) { // Log the request SimpleSAML\Logger::debug( @@ -124,7 +120,6 @@ class sspmod_ldap_Auth_Process_AttributeAddUsersGroups extends sspmod_ldap_Auth_ return $groups; } - /** * OpenLDAP optimized search * using the required attribute values from the user to @@ -134,7 +129,7 @@ class sspmod_ldap_Auth_Process_AttributeAddUsersGroups extends sspmod_ldap_Auth_ * @param array $attributes * @return array */ - protected function getGroupsOpenLdap($attributes) + protected function getGroupsOpenLdap(array $attributes) { // Log the OpenLDAP specific search SimpleSAML\Logger::debug( @@ -166,7 +161,6 @@ class sspmod_ldap_Auth_Process_AttributeAddUsersGroups extends sspmod_ldap_Auth_ return $groups; } - /** * Active Directory optimized search * using the required attribute values from the user to @@ -176,7 +170,7 @@ class sspmod_ldap_Auth_Process_AttributeAddUsersGroups extends sspmod_ldap_Auth_ * @param array $attributes * @return array */ - protected function getGroupsActiveDirectory($attributes) + protected function getGroupsActiveDirectory(array $attributes) { // Log the AD specific search SimpleSAML\Logger::debug( 
@@ -214,10 +208,8 @@ class sspmod_ldap_Auth_Process_AttributeAddUsersGroups extends sspmod_ldap_Auth_ * @param array $memberof * @return array */ - protected function search($memberof) + protected function search(array $memberof) { - assert(is_array($memberof)); - // Used to determine what DN's have already been searched static $searched = array(); @@ -284,7 +276,6 @@ class sspmod_ldap_Auth_Process_AttributeAddUsersGroups extends sspmod_ldap_Auth_ return array_unique($groups); } - /** * Searches LDAP using a ActiveDirectory specific filter, * looking for group membership for the users DN. Returns diff --git a/modules/ldap/lib/Auth/Process/BaseFilter.php b/modules/ldap/lib/Auth/Process/BaseFilter.php index d7116a2d835ec3b6c101b2f4d882123631809093..1f4270184c66a1bf8d8724a4dba7f1be7e57c3eb 100644 --- a/modules/ldap/lib/Auth/Process/BaseFilter.php +++ b/modules/ldap/lib/Auth/Process/BaseFilter.php @@ -1,20 +1,13 @@ <?php - /** * This base LDAP filter class can be extended to enable real * filter classes direct access to the authsource ldap config * and connects to the ldap server. * - * Updated: 20161223 Remy Blom - * - Wrapped the building of authsource config with issets - * - * @author Ryan Panning <panman@traileyes.com> - * @author Remy Blom <remy.blom@hku.nl> * @package SimpleSAMLphp */ abstract class sspmod_ldap_Auth_Process_BaseFilter extends SimpleSAML_Auth_ProcessingFilter { - /** * List of attribute "alias's" linked to the real attribute * name. Used for abstraction / configuration of the LDAP @@ -24,7 +17,6 @@ abstract class sspmod_ldap_Auth_Process_BaseFilter extends SimpleSAML_Auth_Proce */ protected $attribute_map; - /** * The base DN of the LDAP connection. Used when searching * the LDAP server. @@ -33,7 +25,6 @@ abstract class sspmod_ldap_Auth_Process_BaseFilter extends SimpleSAML_Auth_Proce */ protected $base_dn; - /** * The construct method will change the filter config into * a SimpleSAML_Configuration object and store it here for 
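Review bot: The `static $searched = array();` kept at the top of `search()` is a function-level static, so the list of already-searched DNs is shared by every instance of the filter and is not reset for the rest of the script run. If `search()` is reached a second time in the same run, for another filter instance or another lookup, DNs seen earlier would presumably be skipped and the returned group list could be incomplete, which matters when the result feeds a group-based authorization filter. Consider tracking visited DNs in an instance property that `process()` resets, or at least document the sharing with a comment such as `// NOTE: static, shared across calls and instances; never cleared`. The body of `search()` continues outside the hunk, so how `$searched` is consulted is not visible here.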
@@ -43,7 +34,6 @@ abstract class sspmod_ldap_Auth_Process_BaseFilter extends SimpleSAML_Auth_Proce */ protected $config; - /** * Instance, object of the ldap connection. Stored here to * be access later during processing. @@ -52,7 +42,6 @@ abstract class sspmod_ldap_Auth_Process_BaseFilter extends SimpleSAML_Auth_Proce */ private $ldap; - /** * Many times a LDAP product specific query can be used to * speed up or reduce the filter process. This helps the @@ -63,7 +52,6 @@ abstract class sspmod_ldap_Auth_Process_BaseFilter extends SimpleSAML_Auth_Proce */ protected $product; - /** * The class "title" used in logging and exception messages. * This should be prepended to the beginning of the message. @@ -72,7 +60,6 @@ abstract class sspmod_ldap_Auth_Process_BaseFilter extends SimpleSAML_Auth_Proce */ protected $title = 'ldap:BaseFilter : '; - /** * List of LDAP object types, used to determine the type of * object that a DN references. @@ -81,7 +68,6 @@ abstract class sspmod_ldap_Auth_Process_BaseFilter extends SimpleSAML_Auth_Proce */ protected $type_map; - /** * Checks the authsource, if defined, for configuration values * to the LDAP server. Then sets up the LDAP connection for the @@ -91,7 +77,7 @@ abstract class sspmod_ldap_Auth_Process_BaseFilter extends SimpleSAML_Auth_Proce * @param array $config * @param $reserved */ - public function __construct(&$config, $reserved) + public function __construct(array &$config, $reserved) { parent::__construct($config, $reserved); diff --git a/modules/ldap/lib/Auth/Source/LDAP.php b/modules/ldap/lib/Auth/Source/LDAP.php index 2e2144b8f54351dc56585460db44c528cb8beef6..08d51cdd1ee26406aaa10f4a8303e11f0b00408f 100644 --- a/modules/ldap/lib/Auth/Source/LDAP.php +++ b/modules/ldap/lib/Auth/Source/LDAP.php 
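Review bot: The BaseFilter constructor keeps `$config` by reference (`array &$config`), while the docblock above it says only `@param array $config` and gives `$reserved` no type. If the reference is intentional (the body continues outside the hunk, so whether `$config` is modified for the caller is not visible), document it with `@param array &$config` plus one sentence on why, and `@param mixed $reserved For future use.`; otherwise drop the `&` so the signature matches `AttributeAddFromLDAP::__construct(array $config, $reserved)` earlier in this commit.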
@@ -12,24 +12,19 @@ */ class sspmod_ldap_Auth_Source_LDAP extends sspmod_core_Auth_UserPassBase { - /** * A LDAP configuration object. */ private $ldapConfig; - /** * Constructor for this authentication source. * * @param array $info Information about this authentication source. * @param array $config Configuration. */ - public function __construct($info, $config) + public function __construct(array $info, array $config) { - assert(is_array($info)); - assert(is_array($config)); - // Call the parent constructor first, as required by the interface parent::__construct($info, $config); @@ -37,7 +32,6 @@ class sspmod_ldap_Auth_Source_LDAP extends sspmod_core_Auth_UserPassBase 'Authentication source ' . var_export($this->authId, true)); } - /** * Attempt to log in using the given username and password. * @@ -53,5 +47,4 @@ class sspmod_ldap_Auth_Source_LDAP extends sspmod_core_Auth_UserPassBase return $this->ldapConfig->login($username, $password, $sasl_args); } - } diff --git a/modules/ldap/lib/Auth/Source/LDAPMulti.php b/modules/ldap/lib/Auth/Source/LDAPMulti.php index c11a43e469f0b9145d02051361a7e29618a6e7fd..6cf4f3570072d77a7114ab42ce8431d5a4c3d6a9 100644 --- a/modules/ldap/lib/Auth/Source/LDAPMulti.php +++ b/modules/ldap/lib/Auth/Source/LDAPMulti.php @@ -12,7 +12,6 @@ */ class sspmod_ldap_Auth_Source_LDAPMulti extends sspmod_core_Auth_UserPassOrgBase { - /** * An array with descriptions for organizations. */ 
@@ -28,25 +27,20 @@ class sspmod_ldap_Auth_Source_LDAPMulti extends sspmod_core_Auth_UserPassOrgBase */ private $includeOrgInUsername; - /** * Constructor for this authentication source. * * @param array $info Information about this authentication source. * @param array $config Configuration. */ - public function __construct($info, $config) + public function __construct(array $info, array $config) { - assert(is_array($info)); - assert(is_array($config)); - // Call the parent constructor first, as required by the interface parent::__construct($info, $config); $cfgHelper = SimpleSAML_Configuration::loadFromArray($config, 'Authentication source ' . var_export($this->authId, true)); - $this->orgs = array(); $this->ldapOrgs = array(); foreach ($config as $name => $value) { @@ -81,7 +75,6 @@ class sspmod_ldap_Auth_Source_LDAPMulti extends sspmod_core_Auth_UserPassOrgBase } } - /** * Attempt to log in using the given username and password. * @@ -111,7 +104,6 @@ class sspmod_ldap_Auth_Source_LDAPMulti extends sspmod_core_Auth_UserPassOrgBase return $this->ldapOrgs[$org]->login($username, $password, $sasl_args); } - /** * Retrieve list of organizations. * diff --git a/modules/multiauth/lib/Auth/Source/MultiAuth.php b/modules/multiauth/lib/Auth/Source/MultiAuth.php index f63bcce9d4c26e1d7b61548e320e777a89551a10..f22918ab6fad94cd1d23ffa0162b18a715d07f61 100644 --- a/modules/multiauth/lib/Auth/Source/MultiAuth.php +++ b/modules/multiauth/lib/Auth/Source/MultiAuth.php 
@@ -1,234 +1,223 @@ <?php - /** * Authentication source which let the user chooses among a list of * other authentication sources * - * @author Lorenzo Gil, Yaco Sistemas S.L. * @package SimpleSAMLphp */ - -class sspmod_multiauth_Auth_Source_MultiAuth extends SimpleSAML_Auth_Source { - - /** - * The key of the AuthId field in the state. - */ - const AUTHID = 'sspmod_multiauth_Auth_Source_MultiAuth.AuthId'; - - /** - * The string used to identify our states. - */ - const STAGEID = 'sspmod_multiauth_Auth_Source_MultiAuth.StageId'; - - /** - * The key where the sources is saved in the state. - */ - const SOURCESID = 'sspmod_multiauth_Auth_Source_MultiAuth.SourceId'; - - /** - * The key where the selected source is saved in the session. - */ - const SESSION_SOURCE = 'multiauth:selectedSource'; - - /** - * Array of sources we let the user chooses among. - */ - private $sources; - - /** - * Constructor for this authentication source. - * - * @param array $info Information about this authentication source. - * @param array $config Configuration. 
- */ - public function __construct($info, $config) { - assert(is_array($info)); - assert(is_array($config)); - - // Call the parent constructor first, as required by the interface - parent::__construct($info, $config); - - if (!array_key_exists('sources', $config)) { - throw new Exception('The required "sources" config option was not found'); - } - - $globalConfiguration = SimpleSAML_Configuration::getInstance(); - $defaultLanguage = $globalConfiguration->getString('language.default', 'en'); - $authsources = SimpleSAML_Configuration::getConfig('authsources.php'); - $this->sources = array(); - foreach($config['sources'] as $source => $info) { - - if (is_int($source)) { // Backwards compatibility - $source = $info; - $info = array(); - } - - if (array_key_exists('text', $info)) { - $text = $info['text']; - } else { - $text = array($defaultLanguage => $source); - } - - if (array_key_exists('css-class', $info)) { - $css_class = $info['css-class']; - } else { - // Use the authtype as the css class - $authconfig = $authsources->getArray($source, NULL); - if (!array_key_exists(0, $authconfig) || !is_string($authconfig[0])) { - $css_class = ""; - } else { - $css_class = str_replace(":", "-", $authconfig[0]); - } - } - - $this->sources[] = array( - 'source' => $source, - 'text' => $text, - 'css_class' => $css_class, - ); - } - } - - /** - * Prompt the user with a list of authentication sources. - * - * This method saves the information about the configured sources, - * and redirects to a page where the user must select one of these - * authentication sources. - * - * This method never return. The authentication process is finished - * in the delegateAuthentication method. - * - * @param array &$state Information about the current authentication. 
- */ - public function authenticate(&$state) { - assert(is_array($state)); - - $state[self::AUTHID] = $this->authId; - $state[self::SOURCESID] = $this->sources; - - /* Save the $state array, so that we can restore if after a redirect */ - $id = SimpleSAML_Auth_State::saveState($state, self::STAGEID); - - /* Redirect to the select source page. We include the identifier of the - saved state array as a parameter to the login form */ - $url = SimpleSAML\Module::getModuleURL('multiauth/selectsource.php'); - $params = array('AuthState' => $id); - - // Allowes the user to specify the auth souce to be used - if(isset($_GET['source'])) { - $params['source'] = $_GET['source']; - } - - \SimpleSAML\Utils\HTTP::redirectTrustedURL($url, $params); - - /* The previous function never returns, so this code is never - executed */ - assert(false); - } - - /** - * Delegate authentication. - * - * This method is called once the user has choosen one authentication - * source. It saves the selected authentication source in the session - * to be able to logout properly. Then it calls the authenticate method - * on such selected authentication source. - * - * @param string $authId Selected authentication source - * @param array $state Information about the current authentication. - */ - public static function delegateAuthentication($authId, $state) { - assert(is_string($authId)); - assert(is_array($state)); - - $as = SimpleSAML_Auth_Source::getById($authId); - $valid_sources = array_map( - function($src) { - return $src['source']; - }, - $state[self::SOURCESID] +class sspmod_multiauth_Auth_Source_MultiAuth extends SimpleSAML_Auth_Source +{ + /** + * The key of the AuthId field in the state. + */ + const AUTHID = 'sspmod_multiauth_Auth_Source_MultiAuth.AuthId'; + + /** + * The string used to identify our states. + */ + const STAGEID = 'sspmod_multiauth_Auth_Source_MultiAuth.StageId'; + + /** + * The key where the sources is saved in the state. 
+ */ + const SOURCESID = 'sspmod_multiauth_Auth_Source_MultiAuth.SourceId'; + + /** + * The key where the selected source is saved in the session. + */ + const SESSION_SOURCE = 'multiauth:selectedSource'; + + /** + * Array of sources we let the user chooses among. + */ + private $sources; + + /** + * Constructor for this authentication source. + * + * @param array $info Information about this authentication source. + * @param array $config Configuration. + */ + public function __construct(array $info, array $config) { + // Call the parent constructor first, as required by the interface + parent::__construct($info, $config); + + if (!array_key_exists('sources', $config)) { + throw new Exception('The required "sources" config option was not found'); + } + + $globalConfiguration = SimpleSAML_Configuration::getInstance(); + $defaultLanguage = $globalConfiguration->getString('language.default', 'en'); + $authsources = SimpleSAML_Configuration::getConfig('authsources.php'); + $this->sources = array(); + foreach($config['sources'] as $source => $info) { + + if (is_int($source)) { // Backwards compatibility + $source = $info; + $info = array(); + } + + if (array_key_exists('text', $info)) { + $text = $info['text']; + } else { + $text = array($defaultLanguage => $source); + } + + if (array_key_exists('css-class', $info)) { + $css_class = $info['css-class']; + } else { + // Use the authtype as the css class + $authconfig = $authsources->getArray($source, NULL); + if (!array_key_exists(0, $authconfig) || !is_string($authconfig[0])) { + $css_class = ""; + } else { + $css_class = str_replace(":", "-", $authconfig[0]); + } + } + + $this->sources[] = array( + 'source' => $source, + 'text' => $text, + 'css_class' => $css_class, + ); + } + } + + /** + * Prompt the user with a list of authentication sources. + * + * This method saves the information about the configured sources, + * and redirects to a page where the user must select one of these + * authentication sources. 
+ * + * This method never return. The authentication process is finished + * in the delegateAuthentication method. + * + * @param array &$state Information about the current authentication. + */ + public function authenticate(array &$state) { + $state[self::AUTHID] = $this->authId; + $state[self::SOURCESID] = $this->sources; + + /* Save the $state array, so that we can restore if after a redirect */ + $id = SimpleSAML_Auth_State::saveState($state, self::STAGEID); + + /* Redirect to the select source page. We include the identifier of the + saved state array as a parameter to the login form */ + $url = SimpleSAML\Module::getModuleURL('multiauth/selectsource.php'); + $params = array('AuthState' => $id); + + // Allowes the user to specify the auth souce to be used + if(isset($_GET['source'])) { + $params['source'] = $_GET['source']; + } + + \SimpleSAML\Utils\HTTP::redirectTrustedURL($url, $params); + + /* The previous function never returns, so this code is never + executed */ + assert(false); + } + + /** + * Delegate authentication. + * + * This method is called once the user has choosen one authentication + * source. It saves the selected authentication source in the session + * to be able to logout properly. Then it calls the authenticate method + * on such selected authentication source. + * + * @param string $authId Selected authentication source + * @param array $state Information about the current authentication. + */ + public static function delegateAuthentication($authId, array $state) { + assert(is_string($authId)); + + $as = SimpleSAML_Auth_Source::getById($authId); + $valid_sources = array_map( + function($src) { + return $src['source']; + }, + $state[self::SOURCESID] + ); + if ($as === NULL || !in_array($authId, $valid_sources, true)) { + throw new Exception('Invalid authentication source: ' . $authId); + } + + /* Save the selected authentication source for the logout process. 
*/ + $session = SimpleSAML_Session::getSessionFromRequest(); + $session->setData(self::SESSION_SOURCE, $state[self::AUTHID], $authId, SimpleSAML_Session::DATA_TIMEOUT_SESSION_END); + + try { + $as->authenticate($state); + } catch (SimpleSAML_Error_Exception $e) { + SimpleSAML_Auth_State::throwException($state, $e); + } catch (Exception $e) { + $e = new SimpleSAML_Error_UnserializableException($e); + SimpleSAML_Auth_State::throwException($state, $e); + } + SimpleSAML_Auth_Source::completeAuth($state); + } + + /** + * Log out from this authentication source. + * + * This method retrieves the authentication source used for this + * session and then call the logout method on it. + * + * @param array &$state Information about the current logout operation. + */ + public function logout(array &$state) { + /* Get the source that was used to authenticate */ + $session = SimpleSAML_Session::getSessionFromRequest(); + $authId = $session->getData(self::SESSION_SOURCE, $this->authId); + + $source = SimpleSAML_Auth_Source::getById($authId); + if ($source === NULL) { + throw new Exception('Invalid authentication source during logout: ' . $source); + } + /* Then, do the logout on it */ + $source->logout($state); + } + + /** + * Set the previous authentication source. + * + * This method remembers the authentication source that the user selected + * by storing its name in a cookie. + * + * @param string $source Name of the authentication source the user selected. + */ + public function setPreviousSource($source) { + assert(is_string($source)); + + $cookieName = 'multiauth_source_' . $this->authId; + + $config = SimpleSAML_Configuration::getInstance(); + $params = array( + /* We save the cookies for 90 days. */ + 'lifetime' => (60*60*24*90), + /* The base path for cookies. + This should be the installation directory for SimpleSAMLphp. 
*/ + 'path' => $config->getBasePath(), + 'httponly' => FALSE, ); - if ($as === NULL || !in_array($authId, $valid_sources, true)) { - throw new Exception('Invalid authentication source: ' . $authId); - } - - /* Save the selected authentication source for the logout process. */ - $session = SimpleSAML_Session::getSessionFromRequest(); - $session->setData(self::SESSION_SOURCE, $state[self::AUTHID], $authId, SimpleSAML_Session::DATA_TIMEOUT_SESSION_END); - - try { - $as->authenticate($state); - } catch (SimpleSAML_Error_Exception $e) { - SimpleSAML_Auth_State::throwException($state, $e); - } catch (Exception $e) { - $e = new SimpleSAML_Error_UnserializableException($e); - SimpleSAML_Auth_State::throwException($state, $e); - } - SimpleSAML_Auth_Source::completeAuth($state); - } - - /** - * Log out from this authentication source. - * - * This method retrieves the authentication source used for this - * session and then call the logout method on it. - * - * @param array &$state Information about the current logout operation. - */ - public function logout(&$state) { - assert(is_array($state)); - - /* Get the source that was used to authenticate */ - $session = SimpleSAML_Session::getSessionFromRequest(); - $authId = $session->getData(self::SESSION_SOURCE, $this->authId); - - $source = SimpleSAML_Auth_Source::getById($authId); - if ($source === NULL) { - throw new Exception('Invalid authentication source during logout: ' . $source); - } - /* Then, do the logout on it */ - $source->logout($state); - } - - /** - * Set the previous authentication source. - * - * This method remembers the authentication source that the user selected - * by storing its name in a cookie. - * - * @param string $source Name of the authentication source the user selected. - */ - public function setPreviousSource($source) { - assert(is_string($source)); - - $cookieName = 'multiauth_source_' . 
$this->authId; - - $config = SimpleSAML_Configuration::getInstance(); - $params = array( - /* We save the cookies for 90 days. */ - 'lifetime' => (60*60*24*90), - /* The base path for cookies. - This should be the installation directory for SimpleSAMLphp. */ - 'path' => $config->getBasePath(), - 'httponly' => FALSE, - ); \SimpleSAML\Utils\HTTP::setCookie($cookieName, $source, $params, FALSE); - } - - /** - * Get the previous authentication source. - * - * This method retrieves the authentication source that the user selected - * last time or NULL if this is the first time or remembering is disabled. - */ - public function getPreviousSource() { - $cookieName = 'multiauth_source_' . $this->authId; - if(array_key_exists($cookieName, $_COOKIE)) { - return $_COOKIE[$cookieName]; - } else { - return NULL; - } - } + } + + /** + * Get the previous authentication source. + * + * This method retrieves the authentication source that the user selected + * last time or NULL if this is the first time or remembering is disabled. + */ + public function getPreviousSource() { + $cookieName = 'multiauth_source_' . $this->authId; + if(array_key_exists($cookieName, $_COOKIE)) { + return $_COOKIE[$cookieName]; + } else { + return NULL; + } + } } diff --git a/modules/negotiate/lib/Auth/Source/Negotiate.php b/modules/negotiate/lib/Auth/Source/Negotiate.php index c1d56500d63e94d16a741d793fbb059a3c64be1e..573e1c4cdfab1c52ac01a551613b3756b79fbf9b 100644 --- a/modules/negotiate/lib/Auth/Source/Negotiate.php +++ b/modules/negotiate/lib/Auth/Source/Negotiate.php @@ -1,6 +1,4 @@ <?php - - /** * The Negotiate module. Allows for password-less, secure login by Kerberos and Negotiate. * @@ -9,7 +7,6 @@ */ class sspmod_negotiate_Auth_Source_Negotiate extends SimpleSAML_Auth_Source { - // Constants used in the module const STAGEID = 'sspmod_negotiate_Auth_Source_Negotiate.StageId'; 
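Review bot: In `logout()` of MultiAuth, the exception thrown when `SimpleSAML_Auth_Source::getById($authId)` returns NULL concatenates `$source`, which is NULL on that path, so the message ends with an empty string and the offending identifier never reaches the log. It should report the value read from the session: `throw new Exception('Invalid authentication source during logout: ' . $authId);`. Separately, `getPreviousSource()` returns `$_COOKIE[$cookieName]` unchanged, so its docblock should say the value is client-controlled and must be checked against the configured sources by the caller, as `delegateAuthentication()` does with `in_array($authId, $valid_sources, true)`.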
@@ -29,7 +26,6 @@ class sspmod_negotiate_Auth_Source_Negotiate extends SimpleSAML_Auth_Source protected $admin_pw = null; protected $attributes = null; - /** * Constructor for this authentication source. * @@ -38,11 +34,8 @@ class sspmod_negotiate_Auth_Source_Negotiate extends SimpleSAML_Auth_Source * * @throws Exception If the KRB5 extension is not installed or active. */ - public function __construct($info, $config) + public function __construct(array $info, array $config) { - assert(is_array($info)); - assert(is_array($config)); - if (!extension_loaded('krb5')) { throw new Exception('KRB5 Extension not installed'); } @@ -68,7 +61,6 @@ class sspmod_negotiate_Auth_Source_Negotiate extends SimpleSAML_Auth_Source $this->attributes = $config->getArray('attributes', null); } - /** * The inner workings of the module. * @@ -80,10 +72,8 @@ class sspmod_negotiate_Auth_Source_Negotiate extends SimpleSAML_Auth_Source * * @param array &$state Information about the current authentication. */ - public function authenticate(&$state) + public function authenticate(array &$state) { - assert(is_array($state)); - // set the default backend to config $state['LogoutState'] = array( 'negotiate:backend' => $this->backend, @@ -185,8 +175,7 @@ class sspmod_negotiate_Auth_Source_Negotiate extends SimpleSAML_Auth_Source assert(false); } - - public function spDisabledInMetadata($spMetadata) + public function spDisabledInMetadata(array $spMetadata) { if (array_key_exists('negotiate:disable', $spMetadata)) { if ($spMetadata['negotiate:disable'] == true) { @@ -235,7 +224,7 @@ class sspmod_negotiate_Auth_Source_Negotiate extends SimpleSAML_Auth_Source * * @param array $params additional parameters to the URL in the URL in the body. */ - protected function sendNegotiate($params) + protected function sendNegotiate(array $params) { $url = htmlspecialchars(SimpleSAML\Module::getModuleURL('negotiate/backend.php', $params)); $json_url = json_encode($url); 
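Review bot: In `sendNegotiate()`, `$json_url` is produced by `json_encode()` over a value that has already been through `htmlspecialchars()`, so two different output contexts share one escaping. If `$json_url` is emitted inside a script block (the body continues outside the hunk, so this is inferred), entities such as `&amp;` are not decoded there and a URL carrying more than one parameter would be wrong. Escaping per context would keep the raw URL and derive both forms from it: `$rawUrl = SimpleSAML\Module::getModuleURL('negotiate/backend.php', $params);`, `$url = htmlspecialchars($rawUrl);`, `$json_url = json_encode($rawUrl, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);`.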
@@ -265,7 +254,7 @@ EOF; * @throws SimpleSAML_Error_Exception * @throws Exception */ - public static function fallBack(&$state) + public static function fallBack(array &$state) { $authId = $state['LogoutState']['negotiate:backend']; @@ -287,7 +276,6 @@ EOF; self::loginCompleted($state); } - /** * Strips away the realm of the Kerberos identifier, looks up what attributes to fetch from SP metadata and * searches the directory. @@ -315,7 +303,6 @@ EOF; } } - /** * Elevates the LDAP connection to allow restricted lookups if * so configured. Does nothing if not. @@ -337,7 +324,6 @@ EOF; } } - /** * Log out from this authentication source. * @@ -346,9 +332,8 @@ EOF; * * @param array &$state Information about the current logout operation. */ - public function logout(&$state) + public function logout(array &$state) { - assert(is_array($state)); // get the source that was used to authenticate $authId = $state['negotiate:backend']; SimpleSAML\Logger::debug('Negotiate - logout has the following authId: "'.$authId.'"'); diff --git a/modules/preprodwarning/lib/Auth/Process/Warning.php b/modules/preprodwarning/lib/Auth/Process/Warning.php index 9ece3fa4bd5532eff56e96a36dfb66c6c5ede471..271cadd70667af47e6c08f9dad12af681231e6bb 100644 --- a/modules/preprodwarning/lib/Auth/Process/Warning.php +++ b/modules/preprodwarning/lib/Auth/Process/Warning.php 
@@ -1,36 +1,28 @@ <?php - /** * Give a warning that the user is accessing a test system, not a production system. * * @package SimpleSAMLphp */ -class sspmod_preprodwarning_Auth_Process_Warning extends SimpleSAML_Auth_ProcessingFilter { - - - - /** - * Process a authentication response. - * - * This function saves the state, and redirects the user to the page where the user - * can authorize the release of the attributes. - * - * @param array $state The state of the response. - */ - public function process(&$state) { - assert(is_array($state)); - - if (isset($state['isPassive']) && $state['isPassive'] === TRUE) { - // We have a passive request. Skip the warning - return; - } - - // Save state and redirect. - $id = SimpleSAML_Auth_State::saveState($state, 'warning:request'); - $url = SimpleSAML\Module::getModuleURL('preprodwarning/showwarning.php'); - \SimpleSAML\Utils\HTTP::redirectTrustedURL($url, array('StateId' => $id)); - } - - - +class sspmod_preprodwarning_Auth_Process_Warning extends SimpleSAML_Auth_ProcessingFilter +{ + /** + * Process a authentication response. + * + * This function saves the state, and redirects the user to the page where the user + * can authorize the release of the attributes. + * + * @param array $state The state of the response. + */ + public function process(array &$state) { + if (isset($state['isPassive']) && $state['isPassive'] === true) { + // We have a passive request. Skip the warning + return; + } + + // Save state and redirect. + $id = SimpleSAML_Auth_State::saveState($state, 'warning:request'); + $url = SimpleSAML\Module::getModuleURL('preprodwarning/showwarning.php'); + \SimpleSAML\Utils\HTTP::redirectTrustedURL($url, array('StateId' => $id)); + } } diff --git a/modules/radius/lib/Auth/Source/Radius.php b/modules/radius/lib/Auth/Source/Radius.php index 649df807b768dcdc4f0abd3e9e8fe6d007bd1cab..b730f897dbb291f96a8af31ad99301d721862794 100644 --- a/modules/radius/lib/Auth/Source/Radius.php 
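Review bot: The docblock of `process()` in the preprodwarning filter still says the user is sent to a page where they "can authorize the release of the attributes", but the code redirects to `preprodwarning/showwarning.php` and returns early for passive requests. I would reword it to describe the warning page and the passive-request skip, and write the parameter as `@param array &$state The state of the response.` to match the by-reference signature.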
+++ b/modules/radius/lib/Auth/Source/Radius.php @@ -71,11 +71,8 @@ class sspmod_radius_Auth_Source_Radius extends sspmod_core_Auth_UserPassBase * @param array $info Information about this authentication source. * @param array $config Configuration. */ - public function __construct($info, $config) + public function __construct(array $info, array $config) { - assert(is_array($info)); - assert(is_array($config)); - // Call the parent constructor first, as required by the interface parent::__construct($info, $config); diff --git a/modules/saml/lib/Auth/Process/AttributeNameID.php b/modules/saml/lib/Auth/Process/AttributeNameID.php index 1bb86a74e9669cc0af8a7ef9297bb5b746cd4a86..6b6e6b58c8d862be99618c4b07fbb52feb7d305b 100644 --- a/modules/saml/lib/Auth/Process/AttributeNameID.php +++ b/modules/saml/lib/Auth/Process/AttributeNameID.php @@ -1,6 +1,4 @@ <?php - - /** * Authentication processing filter to create a NameID from an attribute. * @@ -8,7 +6,6 @@ */ class sspmod_saml_Auth_Process_AttributeNameID extends sspmod_saml_BaseNameIDGenerator { - /** * The attribute we should use as the NameID. * @@ -16,7 +13,6 @@ class sspmod_saml_Auth_Process_AttributeNameID extends sspmod_saml_BaseNameIDGen */ private $attribute; - /** * Initialize this filter, parse configuration. * @@ -25,10 +21,9 @@ class sspmod_saml_Auth_Process_AttributeNameID extends sspmod_saml_BaseNameIDGen * * @throws SimpleSAML_Error_Exception If the required options 'Format' or 'attribute' are missing. */ - public function __construct($config, $reserved) + public function __construct(array $config, $reserved) { parent::__construct($config, $reserved); - assert(is_array($config)); if (!isset($config['Format'])) { throw new SimpleSAML_Error_Exception("AttributeNameID: Missing required option 'Format'."); @@ -41,7 +36,6 @@ class sspmod_saml_Auth_Process_AttributeNameID extends sspmod_saml_BaseNameIDGen $this->attribute = (string) $config['attribute']; } - /** * Get the NameID value. * 
@@ -50,7 +44,6 @@ class sspmod_saml_Auth_Process_AttributeNameID extends sspmod_saml_BaseNameIDGen */ protected function getValue(array &$state) { - if (!isset($state['Attributes'][$this->attribute]) || count($state['Attributes'][$this->attribute]) === 0) { SimpleSAML\Logger::warning( 'Missing attribute '.var_export($this->attribute, true). @@ -78,5 +71,4 @@ class sspmod_saml_Auth_Process_AttributeNameID extends sspmod_saml_BaseNameIDGen return $value; } - } diff --git a/modules/saml/lib/Auth/Process/AuthnContextClassRef.php b/modules/saml/lib/Auth/Process/AuthnContextClassRef.php index d1ebbf0efe3dc582a02bf92cd5d9e37b27504dbd..5e7436016d4df937962bc681e6cf7ea670be29f3 100644 --- a/modules/saml/lib/Auth/Process/AuthnContextClassRef.php +++ b/modules/saml/lib/Auth/Process/AuthnContextClassRef.php @@ -1,6 +1,4 @@ <?php - - /** * Filter for setting the AuthnContextClassRef in the response. * @@ -16,7 +14,6 @@ class sspmod_saml_Auth_Process_AuthnContextClassRef extends SimpleSAML_Auth_Proc */ private $authnContextClassRef; - /** * Initialize this filter. * @@ -25,10 +22,9 @@ class sspmod_saml_Auth_Process_AuthnContextClassRef extends SimpleSAML_Auth_Proc * * @throws SimpleSAML_Error_Exception if the mandatory 'AuthnContextClassRef' option is missing. */ - public function __construct($config, $reserved) + public function __construct(array $config, $reserved) { parent::__construct($config, $reserved); - assert(is_array($config)); if (!isset($config['AuthnContextClassRef'])) { throw new SimpleSAML_Error_Exception('Missing AuthnContextClassRef option in processing filter.'); 
@@ -37,16 +33,13 @@ class sspmod_saml_Auth_Process_AuthnContextClassRef extends SimpleSAML_Auth_Proc $this->authnContextClassRef = (string) $config['AuthnContextClassRef']; } - /** * Set the AuthnContextClassRef in the SAML 2 response. * * @param array &$state The state array for this request. */ - public function process(&$state) + public function process(array &$state) { - assert(is_array($state)); - $state['saml:AuthnContextClassRef'] = $this->authnContextClassRef; } } diff --git a/modules/saml/lib/Auth/Process/ExpectedAuthnContextClassRef.php b/modules/saml/lib/Auth/Process/ExpectedAuthnContextClassRef.php index b8e77dc709c354a7d9ed0b4a0583bed1604fa80a..3d41d13715d68054968ca5514ac3e4e918013d69 100644 --- a/modules/saml/lib/Auth/Process/ExpectedAuthnContextClassRef.php +++ b/modules/saml/lib/Auth/Process/ExpectedAuthnContextClassRef.php @@ -1,6 +1,4 @@ <?php - - /** * Attribute filter to validate AuthnContextClassRef values. * @@ -18,21 +16,18 @@ */ class sspmod_saml_Auth_Process_ExpectedAuthnContextClassRef extends SimpleSAML_Auth_ProcessingFilter { - /** * Array of accepted AuthnContextClassRef * @var array */ private $accepted; - /** * AuthnContextClassRef of the assertion * @var string */ private $AuthnContextClassRef; - /** * Initialize this filter, parse configuration * @@ -41,11 +36,10 @@ class sspmod_saml_Auth_Process_ExpectedAuthnContextClassRef extends SimpleSAML_A * * @throws SimpleSAML_Error_Exception if the mandatory 'accepted' configuration option is missing. */ - public function __construct($config, $reserved) + public function __construct(array $config, $reserved) { parent::__construct($config, $reserved); - assert(is_array($config)); if (empty($config['accepted'])) { SimpleSAML\Logger::error( 'ExpectedAuthnContextClassRef: Configuration error. There is no accepted AuthnContextClassRef.' 
@@ -57,14 +51,12 @@ class sspmod_saml_Auth_Process_ExpectedAuthnContextClassRef extends SimpleSAML_A $this->accepted = $config['accepted']; } - /** * * @param array &$request The current request */ - public function process(&$request) + public function process(array &$request) { - assert(is_array($request)); assert(array_key_exists('Attributes', $request)); $this->AuthnContextClassRef = $request['saml:sp:State']['saml:sp:AuthnContext']; @@ -74,7 +66,6 @@ class sspmod_saml_Auth_Process_ExpectedAuthnContextClassRef extends SimpleSAML_A } } - /** * When the process logic determines that the user is not * authorized for this service, then forward the user to @@ -87,7 +78,7 @@ class sspmod_saml_Auth_Process_ExpectedAuthnContextClassRef extends SimpleSAML_A * * @param array $request */ - protected function unauthorized(&$request) + protected function unauthorized(array &$request) { SimpleSAML\Logger::error( 'ExpectedAuthnContextClassRef: Invalid authentication context: '.$this->AuthnContextClassRef. diff --git a/modules/saml/lib/Auth/Process/FilterScopes.php b/modules/saml/lib/Auth/Process/FilterScopes.php index 3f497e1e96cdc9d7ab404ba636271a89d9df23e7..d5bec1ca41ea2d1f74441a134358c69e0ead86d5 100644 --- a/modules/saml/lib/Auth/Process/FilterScopes.php +++ b/modules/saml/lib/Auth/Process/FilterScopes.php @@ -7,13 +7,10 @@ use SimpleSAML\Logger; /** * Filter to remove attribute values which are not properly scoped. * - * @author Adam Lantos, NIIF / Hungarnet - * @author Jaime Pérez Crespo, UNINETT AS <jaime.perez@uninett.no> * @package SimpleSAMLphp */ class FilterScopes extends \SimpleSAML_Auth_ProcessingFilter { - /** * Stores any pre-configured scoped attributes which come from the filter configuration. */ 
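Review bot: In `ExpectedAuthnContextClassRef::process()` the surviving `assert(array_key_exists('Attributes', $request))` checks a key the next line does not use; the value actually read is `$request['saml:sp:State']['saml:sp:AuthnContext']`, which nothing visible verifies. Since `assert()` is typically disabled in production (`zend.assertions`), a state without that key would be read as null with only a notice. This filter is an authorization gate, so an explicit guard such as `if (!isset($request['saml:sp:State']['saml:sp:AuthnContext'])) { $this->unauthorized($request); }` would make the fail-closed path deliberate. The same concern applies to the other `assert()`-only preconditions kept while the `is_array` ones became type hints (`NameIDAttribute::process`, `SP::startSLO2`, `SP::logout`, `SmartID::process`, `SmartName::process`). The rest of `process()` lies outside the hunk, so how a missing value is handled there should be confirmed.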
@@ -22,30 +19,27 @@ class FilterScopes extends \SimpleSAML_Auth_ProcessingFilter 'eduPersonPrincipalName' ); - /** * Constructor for the processing filter. * * @param array &$config Configuration for this filter. * @param mixed $reserved For future use. */ - public function __construct(&$config, $reserved) + public function __construct(array &$config, $reserved) { parent::__construct($config, $reserved); - assert(is_array($config)); if (array_key_exists('attributes', $config) && !empty($config['attributes'])) { $this->scopedAttributes = $config['attributes']; } } - /** * This method applies the filter, removing any values * * @param array &$request the current request */ - public function process(&$request) + public function process(array &$request) { $src = $request['Source']; if (!count($this->scopedAttributes)) { diff --git a/modules/saml/lib/Auth/Process/NameIDAttribute.php b/modules/saml/lib/Auth/Process/NameIDAttribute.php index c3c6bf4706130939ee5c789dae26b037434d097e..35f0d3be3bd19be092971b250ec7b05513935894 100644 --- a/modules/saml/lib/Auth/Process/NameIDAttribute.php +++ b/modules/saml/lib/Auth/Process/NameIDAttribute.php @@ -1,6 +1,4 @@ <?php - - /** * Authentication processing filter to create an attribute from a NameID. * @@ -8,7 +6,6 @@ */ class sspmod_saml_Auth_Process_NameIDAttribute extends SimpleSAML_Auth_ProcessingFilter { - /** * The attribute we should save the NameID in. * @@ -16,7 +13,6 @@ class sspmod_saml_Auth_Process_NameIDAttribute extends SimpleSAML_Auth_Processin */ private $attribute; - /** * The format of the NameID in the attribute. * 
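Review bot: The `array` hint on `FilterScopes::__construct()` only covers `$config` itself; `$config['attributes']` is still copied into `$this->scopedAttributes` after nothing more than a non-empty check, and `process()` then calls `count()` on it. Because this filter exists to drop badly scoped values, a mistyped option (for example a single string instead of a list) should be rejected at configuration time rather than surface while filtering. Adding `if (!is_array($config['attributes'])) { throw new \SimpleSAML_Error_Exception('FilterScopes: \'attributes\' must be an array.'); }` before the assignment would do that. Taking `$config` by reference also looks unnecessary, since the constructor never writes to it in the visible lines. The body of `process()` continues outside the hunk.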
@@ -24,17 +20,15 @@ class sspmod_saml_Auth_Process_NameIDAttribute extends SimpleSAML_Auth_Processin */ private $format; - /** * Initialize this filter, parse configuration. * * @param array $config Configuration information about this filter. * @param mixed $reserved For future use. */ - public function __construct($config, $reserved) + public function __construct(array $config, $reserved) { parent::__construct($config, $reserved); - assert(is_array($config)); if (isset($config['attribute'])) { $this->attribute = (string) $config['attribute']; @@ -51,7 +45,6 @@ class sspmod_saml_Auth_Process_NameIDAttribute extends SimpleSAML_Auth_Processin $this->format = self::parseFormat($format); } - /** * Parse a NameID format string into an array. * @@ -97,15 +90,13 @@ class sspmod_saml_Auth_Process_NameIDAttribute extends SimpleSAML_Auth_Processin return $ret; } - /** * Convert NameID to attribute. * * @param array &$state The request state. */ - public function process(&$state) + public function process(array &$state) { - assert(is_array($state)); assert(isset($state['Source']['entityid'])); assert(isset($state['Destination']['entityid'])); diff --git a/modules/saml/lib/Auth/Process/PersistentNameID.php b/modules/saml/lib/Auth/Process/PersistentNameID.php index 4d6d0bc2260ac4e8e72a458066cb888f4f9f6539..bb825077ecb7b001fe11298920316729d49f26b4 100644 --- a/modules/saml/lib/Auth/Process/PersistentNameID.php +++ b/modules/saml/lib/Auth/Process/PersistentNameID.php @@ -1,6 +1,4 @@ <?php - - /** * Authentication processing filter to generate a persistent NameID. * @@ -8,7 +6,6 @@ */ class sspmod_saml_Auth_Process_PersistentNameID extends sspmod_saml_BaseNameIDGenerator { - /** * Which attribute contains the unique identifier of the user. * @@ -16,7 +13,6 @@ class sspmod_saml_Auth_Process_PersistentNameID extends sspmod_saml_BaseNameIDGe */ private $attribute; - /** * Initialize this filter, parse configuration. * 
@@ -25,10 +21,9 @@ class sspmod_saml_Auth_Process_PersistentNameID extends sspmod_saml_BaseNameIDGe * * @throws SimpleSAML_Error_Exception If the required option 'attribute' is missing. */ - public function __construct($config, $reserved) + public function __construct(array $config, $reserved) { parent::__construct($config, $reserved); - assert(is_array($config)); $this->format = \SAML2\Constants::NAMEID_PERSISTENT; @@ -38,7 +33,6 @@ class sspmod_saml_Auth_Process_PersistentNameID extends sspmod_saml_BaseNameIDGe $this->attribute = $config['attribute']; } - /** * Get the NameID value. * @@ -47,7 +41,6 @@ class sspmod_saml_Auth_Process_PersistentNameID extends sspmod_saml_BaseNameIDGe */ protected function getValue(array &$state) { - if (!isset($state['Destination']['entityid'])) { SimpleSAML\Logger::warning('No SP entity ID - not generating persistent NameID.'); return null; diff --git a/modules/saml/lib/Auth/Process/PersistentNameID2TargetedID.php b/modules/saml/lib/Auth/Process/PersistentNameID2TargetedID.php index 604c2214713adf5edee4694b93289b6e845bf13d..4b315d7b7391d7f8ea743c744e39e8f6375fc1bc 100644 --- a/modules/saml/lib/Auth/Process/PersistentNameID2TargetedID.php +++ b/modules/saml/lib/Auth/Process/PersistentNameID2TargetedID.php @@ -1,6 +1,5 @@ <?php - /** * Authentication processing filter to create the eduPersonTargetedID attribute from the persistent NameID. * @@ -8,7 +7,6 @@ */ class sspmod_saml_Auth_Process_PersistentNameID2TargetedID extends SimpleSAML_Auth_ProcessingFilter { - /** * The attribute we should save the NameID in. * @@ -16,7 +14,6 @@ class sspmod_saml_Auth_Process_PersistentNameID2TargetedID extends SimpleSAML_Au */ private $attribute; - /** * Whether we should insert it as an saml:NameID element. * 
@@ -24,17 +21,15 @@ class sspmod_saml_Auth_Process_PersistentNameID2TargetedID extends SimpleSAML_Au */ private $nameId; - /** * Initialize this filter, parse configuration. * * @param array $config Configuration information about this filter. * @param mixed $reserved For future use. */ - public function __construct($config, $reserved) + public function __construct(array $config, $reserved) { parent::__construct($config, $reserved); - assert(is_array($config)); if (isset($config['attribute'])) { $this->attribute = (string) $config['attribute']; @@ -49,16 +44,13 @@ class sspmod_saml_Auth_Process_PersistentNameID2TargetedID extends SimpleSAML_Au } } - /** * Store a NameID to attribute. * * @param array &$state The request state. */ - public function process(&$state) + public function process(array &$state) { - assert(is_array($state)); - if (!isset($state['saml:NameID'][\SAML2\Constants::NAMEID_PERSISTENT])) { SimpleSAML\Logger::warning( 'Unable to generate eduPersonTargetedID because no persistent NameID was available.' diff --git a/modules/saml/lib/Auth/Process/SQLPersistentNameID.php b/modules/saml/lib/Auth/Process/SQLPersistentNameID.php index 00891824a7ce7cafb972820a222a3aa96cf50d1d..b2011eeb2ca93f75b25e9cc52620e04f64d6611d 100644 --- a/modules/saml/lib/Auth/Process/SQLPersistentNameID.php +++ b/modules/saml/lib/Auth/Process/SQLPersistentNameID.php @@ -1,6 +1,4 @@ <?php - - /** * Authentication processing filter to generate a persistent NameID. * @@ -8,7 +6,6 @@ */ class sspmod_saml_Auth_Process_SQLPersistentNameID extends sspmod_saml_BaseNameIDGenerator { - /** * Which attribute contains the unique identifier of the user. * @@ -37,7 +34,6 @@ class sspmod_saml_Auth_Process_SQLPersistentNameID extends sspmod_saml_BaseNameI */ private $alwaysCreate = false; - /** * Initialize this filter, parse configuration. * 
@@ -46,10 +42,9 @@ class sspmod_saml_Auth_Process_SQLPersistentNameID extends sspmod_saml_BaseNameI * * @throws SimpleSAML_Error_Exception If the 'attribute' option is not specified. */ - public function __construct($config, $reserved) + public function __construct(array $config, $reserved) { parent::__construct($config, $reserved); - assert(is_array($config)); $this->format = \SAML2\Constants::NAMEID_PERSISTENT; @@ -71,7 +66,6 @@ class sspmod_saml_Auth_Process_SQLPersistentNameID extends sspmod_saml_BaseNameI } } - /** * Get the NameID value. * @@ -82,7 +76,6 @@ class sspmod_saml_Auth_Process_SQLPersistentNameID extends sspmod_saml_BaseNameI */ protected function getValue(array &$state) { - if (!isset($state['saml:NameIDFormat']) && !$this->allowUnspecified) { SimpleSAML\Logger::debug( 'SQLPersistentNameID: Request did not specify persistent NameID format, '. diff --git a/modules/saml/lib/Auth/Process/TransientNameID.php b/modules/saml/lib/Auth/Process/TransientNameID.php index c43c19a00a6501c3a91f4abb9d2ec31800640797..672eadba8764b1b3a90df0bb51457f0f695e30e1 100644 --- a/modules/saml/lib/Auth/Process/TransientNameID.php +++ b/modules/saml/lib/Auth/Process/TransientNameID.php @@ -1,6 +1,4 @@ <?php - - /** * Authentication processing filter to generate a transient NameID. * @@ -8,22 +6,19 @@ */ class sspmod_saml_Auth_Process_TransientNameID extends sspmod_saml_BaseNameIDGenerator { - /** * Initialize this filter, parse configuration * * @param array $config Configuration information about this filter. * @param mixed $reserved For future use. */ - public function __construct($config, $reserved) + public function __construct(array $config, $reserved) { parent::__construct($config, $reserved); - assert(is_array($config)); $this->format = \SAML2\Constants::NAMEID_TRANSIENT; } - /** * Get the NameID value. * 
diff --git a/modules/saml/lib/Auth/Source/SP.php b/modules/saml/lib/Auth/Source/SP.php index 6d325025483f3bd798484467ca7218f4e4e71cd4..b63ed1c4eee526d3df67ca99817fa44f50c7ee01 100644 --- a/modules/saml/lib/Auth/Source/SP.php +++ b/modules/saml/lib/Auth/Source/SP.php @@ -36,11 +36,8 @@ class sspmod_saml_Auth_Source_SP extends SimpleSAML_Auth_Source * @param array $info Information about this authentication source. * @param array $config Configuration. */ - public function __construct($info, $config) + public function __construct(array $info, array $config) { - assert(is_array($info)); - assert(is_array($config)); - // Call the parent constructor first, as required by the interface parent::__construct($info, $config); @@ -378,10 +375,8 @@ class sspmod_saml_Auth_Source_SP extends SimpleSAML_Auth_Source * * @param array &$state Information about the current authentication. */ - public function authenticate(&$state) + public function authenticate(array &$state) { - assert(is_array($state)); - /* We are going to need the authId in order to retrieve this authentication source later. */ $state['saml:sp:AuthId'] = $this->authId; @@ -438,8 +433,6 @@ class sspmod_saml_Auth_Source_SP extends SimpleSAML_Auth_Source */ public function reauthenticate(array &$state) { - assert(is_array($state)); - $session = SimpleSAML_Session::getSessionFromRequest(); $data = $session->getAuthState($this->authId); foreach ($data as $k => $v) { @@ -611,9 +604,8 @@ class sspmod_saml_Auth_Source_SP extends SimpleSAML_Auth_Source * * @param array $state The logout state. */ - public function startSLO2(&$state) + public function startSLO2(array &$state) { - assert(is_array($state)); assert(array_key_exists('saml:logout:IdP', $state)); assert(array_key_exists('saml:logout:NameID', $state)); assert(array_key_exists('saml:logout:SessionIndex', $state)); 
@@ -659,9 +651,8 @@ class sspmod_saml_Auth_Source_SP extends SimpleSAML_Auth_Source * * @param array $state The logout state. */ - public function logout(&$state) + public function logout(array &$state) { - assert(is_array($state)); assert(array_key_exists('saml:logout:Type', $state)); $logoutType = $state['saml:logout:Type']; diff --git a/modules/smartattributes/lib/Auth/Process/SmartID.php b/modules/smartattributes/lib/Auth/Process/SmartID.php index 67dba450b972ea3b4ee86f97342a5571a4057085..d9ae21230a82975771f195e0893e3c4fcb4369f3 100644 --- a/modules/smartattributes/lib/Auth/Process/SmartID.php +++ b/modules/smartattributes/lib/Auth/Process/SmartID.php 
@@ -1,117 +1,112 @@ <?php -class sspmod_smartattributes_Auth_Process_SmartID extends SimpleSAML_Auth_ProcessingFilter { - - /** - * Which attributes to use as identifiers? - * - * IMPORTANT: If you use the (default) attributemaps (twitter2name, facebook2name, - * etc., be sure to comment out the entries that map xxx_targetedID to - * eduPersonTargetedID, or there will be no way to see its origin any more. - */ - private $_candidates = array( - 'eduPersonTargetedID', - 'eduPersonPrincipalName', - 'openid', - 'facebook_targetedID', - 'twitter_targetedID', - 'windowslive_targetedID', - 'myspace_targetedID', - 'linkedin_targetedID', - ); - - /** - * The name of the generated ID attribute. - */ - private $_id_attribute = 'smart_id'; - - /** - * Whether to append the AuthenticatingAuthority, separated by '!' - * This only works when SSP is used as a gateway. - */ - private $_add_authority = true; - - /** - * Whether to prepend the CandidateID, separated by ':' - */ - private $_add_candidate = true; - - /** - * Attributes which should be added/appended. - * - * Associative array of arrays. 
- */ - private $attributes = array(); - - - public function __construct($config, $reserved) { - parent::__construct($config, $reserved); - - assert(is_array($config)); - - if (array_key_exists('candidates', $config)) { - $this->_candidates = $config['candidates']; - if (!is_array($this->_candidates)) { - throw new Exception('SmartID authproc configuration error: \'candidates\' should be an array.'); - } - } - - if (array_key_exists('id_attribute', $config)) { - $this->_id_attribute = $config['id_attribute']; - if (!is_string($this->_id_attribute)) { - throw new Exception('SmartID authproc configuration error: \'id_attribute\' should be a string.'); - } - } - - if (array_key_exists('add_authority', $config)) { - $this->_add_authority = $config['add_authority']; - if (!is_bool($this->_add_authority)) { - throw new Exception('SmartID authproc configuration error: \'add_authority\' should be a boolean.'); - } - } - - if (array_key_exists('add_candidate', $config)) { - $this->_add_candidate = $config['add_candidate']; - if (!is_bool($this->_add_candidate)) { - throw new Exception('SmartID authproc configuration error: \'add_candidate\' should be a boolean.'); - } - } - - } - - private function addID($attributes, $request) { - foreach ($this->_candidates as $idCandidate) { - if (isset($attributes[$idCandidate][0])) { - if(($this->_add_authority) && (isset($request['saml:AuthenticatingAuthority'][0]))) { - return ($this->_add_candidate ? $idCandidate.':' : '').$attributes[$idCandidate][0] . '!' . $request['saml:AuthenticatingAuthority'][0]; - } else { - return ($this->_add_candidate ? $idCandidate.':' : '').$attributes[$idCandidate][0]; - } - } - } - /* - * At this stage no usable id_candidate has been detected. - */ - throw new SimpleSAML_Error_Exception('This service needs at least one of the following - attributes to identity users: '.implode(', ', $this->_candidates).'. Unfortunately not - one of them was detected. 
Please ask your institution administrator to release one of - them, or try using another identity provider.'); - } - - - /** - * Apply filter to add or replace attributes. - * - * Add or replace existing attributes with the configured values. - * - * @param array &$request The current request - */ - public function process(&$request) { - assert(is_array($request)); - assert(array_key_exists('Attributes', $request)); - - $ID = $this->addID($request['Attributes'], $request); - - if(isset($ID)) $request['Attributes'][$this->_id_attribute] = array($ID); - } +class sspmod_smartattributes_Auth_Process_SmartID extends SimpleSAML_Auth_ProcessingFilter +{ + /** + * Which attributes to use as identifiers? + * + * IMPORTANT: If you use the (default) attributemaps (twitter2name, facebook2name, + * etc., be sure to comment out the entries that map xxx_targetedID to + * eduPersonTargetedID, or there will be no way to see its origin any more. + */ + private $_candidates = array( + 'eduPersonTargetedID', + 'eduPersonPrincipalName', + 'openid', + 'facebook_targetedID', + 'twitter_targetedID', + 'windowslive_targetedID', + 'myspace_targetedID', + 'linkedin_targetedID', + ); + + /** + * The name of the generated ID attribute. + */ + private $_id_attribute = 'smart_id'; + + /** + * Whether to append the AuthenticatingAuthority, separated by '!' + * This only works when SSP is used as a gateway. + */ + private $_add_authority = true; + + /** + * Whether to prepend the CandidateID, separated by ':' + */ + private $_add_candidate = true; + + /** + * Attributes which should be added/appended. + * + * Associative array of arrays. 
+ */ + private $attributes = array(); + + public function __construct(array $config, $reserved) { + parent::__construct($config, $reserved); + + if (array_key_exists('candidates', $config)) { + $this->_candidates = $config['candidates']; + if (!is_array($this->_candidates)) { + throw new Exception('SmartID authproc configuration error: \'candidates\' should be an array.'); + } + } + + if (array_key_exists('id_attribute', $config)) { + $this->_id_attribute = $config['id_attribute']; + if (!is_string($this->_id_attribute)) { + throw new Exception('SmartID authproc configuration error: \'id_attribute\' should be a string.'); + } + } + + if (array_key_exists('add_authority', $config)) { + $this->_add_authority = $config['add_authority']; + if (!is_bool($this->_add_authority)) { + throw new Exception('SmartID authproc configuration error: \'add_authority\' should be a boolean.'); + } + } + + if (array_key_exists('add_candidate', $config)) { + $this->_add_candidate = $config['add_candidate']; + if (!is_bool($this->_add_candidate)) { + throw new Exception('SmartID authproc configuration error: \'add_candidate\' should be a boolean.'); + } + } + + } + + private function addID(array $attributes, array $request) { + foreach ($this->_candidates as $idCandidate) { + if (isset($attributes[$idCandidate][0])) { + if(($this->_add_authority) && (isset($request['saml:AuthenticatingAuthority'][0]))) { + return ($this->_add_candidate ? $idCandidate.':' : '').$attributes[$idCandidate][0] . '!' . $request['saml:AuthenticatingAuthority'][0]; + } else { + return ($this->_add_candidate ? $idCandidate.':' : '').$attributes[$idCandidate][0]; + } + } + } + /* + * At this stage no usable id_candidate has been detected. + */ + throw new SimpleSAML_Error_Exception('This service needs at least one of the following + attributes to identity users: '.implode(', ', $this->_candidates).'. Unfortunately not + one of them was detected. 
Please ask your institution administrator to release one of + them, or try using another identity provider.'); + } + + /** + * Apply filter to add or replace attributes. + * + * Add or replace existing attributes with the configured values. + * + * @param array &$request The current request + */ + public function process(array &$request) { + assert(array_key_exists('Attributes', $request)); + + $ID = $this->addID($request['Attributes'], $request); + + if(isset($ID)) $request['Attributes'][$this->_id_attribute] = array($ID); + } } diff --git a/modules/smartattributes/lib/Auth/Process/SmartName.php b/modules/smartattributes/lib/Auth/Process/SmartName.php index 44323f9196a22ab4ae2597eb76a117e95c493162..bb0f41cfb3a235402ee016cfd1183e798a7be2e3 100644 --- a/modules/smartattributes/lib/Auth/Process/SmartName.php +++ b/modules/smartattributes/lib/Auth/Process/SmartName.php 
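Review bot: `addID()` has no docblock, yet it defines the format of the generated identifier: optional candidate name and `':'`, the attribute value, then `'!'` and the authenticating authority, all by plain concatenation with no escaping of the separators. When `_add_authority` is true but `saml:AuthenticatingAuthority` is absent, it silently returns the form without the authority. If `smart_id` is used downstream as an account key (an assumption, the consumers are not in this diff), that fallback should at least be documented and logged, e.g. `// NOTE: no saml:AuthenticatingAuthority in the request, so the ID is emitted without the '!authority' suffix` in the else branch. In the same hunk, `if(isset($ID))` in `process()` can never be false because `addID()` either returns a string or throws, and the private `$attributes` property is not used in the visible code. The exception message is a multi-line literal, so the thrown text carries the source indentation, and it reads "to identity users" where "identify" is meant.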
@@ -1,76 +1,80 @@ <?php - /** * Filter to set name in a smart way, based on available name attributes. * - * @author Andreas Ã…kre Solberg, UNINETT AS. * @package SimpleSAMLphp */ -class sspmod_smartattributes_Auth_Process_SmartName extends SimpleSAML_Auth_ProcessingFilter { - - /** - * Attributes which should be added/appended. - * - * Assiciative array of arrays. - */ - private $attributes = array(); - +class sspmod_smartattributes_Auth_Process_SmartName extends SimpleSAML_Auth_ProcessingFilter +{ + /** + * Attributes which should be added/appended. + * + * Associative array of arrays. + */ + private $attributes = []; - private function getFullName($attributes) { - if (isset($attributes['displayName'])) - return $attributes['displayName'][0]; - - if (isset($attributes['cn'])) { - if (count(explode(' ', $attributes['cn'][0])) > 1) - return $attributes['cn'][0]; - } - - if (isset($attributes['sn']) && isset($attributes['givenName'])) - return $attributes['givenName'][0] . ' ' . $attributes['sn'][0]; + private function getFullName(array $attributes) { + if (isset($attributes['displayName'])) { + return $attributes['displayName'][0]; + } + if (isset($attributes['cn'])) { + if (count(explode(' ', $attributes['cn'][0])) > 1) { + return $attributes['cn'][0]; + } + } + + if (isset($attributes['sn']) && isset($attributes['givenName'])) { + return $attributes['givenName'][0] . ' ' . 
$attributes['sn'][0]; + } - if (isset($attributes['cn'])) - return $attributes['cn'][0]; + if (isset($attributes['cn'])) { + return $attributes['cn'][0]; + } - if (isset($attributes['sn'])) - return $attributes['sn'][0]; + if (isset($attributes['sn'])) { + return $attributes['sn'][0]; + } - if (isset($attributes['givenName'])) - return $attributes['givenName'][0]; - - if (isset($attributes['eduPersonPrincipalName'])) { - $localname = $this->getLocalUser($attributes['eduPersonPrincipalName'][0]); - if (isset($localname)) return $localname; - } - - return NULL; - } - - private function getLocalUser($userid) { - if (strpos($userid, '@') === FALSE) return NULL; - $decomposed = explode('@', $userid); - if(count($decomposed) === 2) { - return $decomposed[0]; - } - return NULL; - } + if (isset($attributes['givenName'])) { + return $attributes['givenName'][0]; + } + + if (isset($attributes['eduPersonPrincipalName'])) { + $localname = $this->getLocalUser($attributes['eduPersonPrincipalName'][0]); + if (isset($localname)) return $localname; + } + + return null; + } + + private function getLocalUser($userid) + { + if (strpos($userid, '@') === false) return null; - /** - * Apply filter to add or replace attributes. - * - * Add or replace existing attributes with the configured values. - * - * @param array &$request The current request - */ - public function process(&$request) { - assert(is_array($request)); - assert(array_key_exists('Attributes', $request)); + $decomposed = explode('@', $userid); + if(count($decomposed) === 2) { + return $decomposed[0]; + } + return null; + } - $attributes =& $request['Attributes']; - - $fullname = $this->getFullName($attributes); - - if(isset($fullname)) $request['Attributes']['smartname-fullname'] = array($fullname); - - } + /** + * Apply filter to add or replace attributes. + * + * Add or replace existing attributes with the configured values. 
+ * + * @param array &$request The current request + */ + public function process(array &$request) + { + assert(array_key_exists('Attributes', $request)); + $attributes =& $request['Attributes']; + + $fullname = $this->getFullName($attributes); + + if(isset($fullname)) { + $request['Attributes']['smartname-fullname'] = array($fullname); + } + } } diff --git a/modules/sqlauth/lib/Auth/Source/SQL.php b/modules/sqlauth/lib/Auth/Source/SQL.php index 67995ab63bdcc5ebe1adf0a8ed6c2440753e7355..39dfe244f24eed5210406df46d850b2a5831fad5 100644 --- a/modules/sqlauth/lib/Auth/Source/SQL.php +++ b/modules/sqlauth/lib/Auth/Source/SQL.php @@ -1,5 +1,4 @@ <?php - /** * Simple SQL authentication source * @@ -44,11 +43,8 @@ class sspmod_sqlauth_Auth_Source_SQL extends sspmod_core_Auth_UserPassBase * @param array $info Information about this authentication source. * @param array $config Configuration. */ - public function __construct($info, $config) + public function __construct(array $info, array $config) { - assert(is_array($info)); - assert(is_array($config)); - // Call the parent constructor first, as required by the interface parent::__construct($info, $config); @@ -76,7 +72,6 @@ class sspmod_sqlauth_Auth_Source_SQL extends sspmod_core_Auth_UserPassBase } } - /** * Create a database connection. * @@ -111,7 +106,6 @@ class sspmod_sqlauth_Auth_Source_SQL extends sspmod_core_Auth_UserPassBase return $db; } - /** * Attempt to log in using the given username and password. *
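Review bot: `getFullName()` tests `isset($attributes['displayName'])` (and likewise `cn`, `sn`, `givenName`, `eduPersonPrincipalName`) at the array level but then reads index `[0]`. An attribute present with an empty value list therefore raises an undefined-offset notice and returns null from that branch instead of falling through to the next candidate. Checking the element itself, e.g. `if (isset($attributes['displayName'][0])) {`, matches what `SmartID::addID()` already does with `isset($attributes[$idCandidate][0])`. On style, the hunk leaves `if (isset($localname)) return $localname;` and `if (strpos($userid, '@') === false) return null;` unbraced while bracing every other conditional. It also introduces `[]` for `$attributes` while `process()` in the same file still uses `array($fullname)`.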