From f4798cc2fb8c8abeac5b2bcfda5003055f3de1ad Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Andreas=20=C3=85kre=20Solberg?= <andreas.solberg@uninett.no>
Date: Thu, 6 Mar 2008 16:49:54 +0000
Subject: [PATCH] Cleaning up authentication request code, and saml 2 sp hosted
 metadata

git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@373 44740490-163a-0410-bde0-09ae8108e29a
---
 lib/SimpleSAML/MemcacheStore.php           |   2 +-
 lib/SimpleSAML/XML/SAML20/AuthnRequest.php | 102 +++++++++++++--------
 www/_include.php                           |   2 -
 www/saml2/sp/initSSO.php                   |   2 +-
 4 files changed, 64 insertions(+), 44 deletions(-)

diff --git a/lib/SimpleSAML/MemcacheStore.php b/lib/SimpleSAML/MemcacheStore.php
index 485e029b6..90c7cd1d9 100644
--- a/lib/SimpleSAML/MemcacheStore.php
+++ b/lib/SimpleSAML/MemcacheStore.php
@@ -27,7 +27,7 @@ require_once((isset($SIMPLESAML_INCPREFIX)?$SIMPLESAML_INCPREFIX:'') . 'SimpleSA
  * have the same clock (as measured by the time()-function). Different clock
  * values will lead to incorrect behaviour.
  *
- * @author Olav Morken, UNINETT AS. <andreas.solberg@uninett.no>
+ * @author Olav Morken, UNINETT AS.
  * @package simpleSAMLphp
  * @version $Id$
  */
diff --git a/lib/SimpleSAML/XML/SAML20/AuthnRequest.php b/lib/SimpleSAML/XML/SAML20/AuthnRequest.php
index fa8f8dbf4..e47922747 100644
--- a/lib/SimpleSAML/XML/SAML20/AuthnRequest.php
+++ b/lib/SimpleSAML/XML/SAML20/AuthnRequest.php
@@ -1,13 +1,14 @@
 <?php
  
 require_once((isset($SIMPLESAML_INCPREFIX)?$SIMPLESAML_INCPREFIX:'') . 'SimpleSAML/Configuration.php');
+require_once((isset($SIMPLESAML_INCPREFIX)?$SIMPLESAML_INCPREFIX:'') . 'SimpleSAML/Utilities.php');
 require_once((isset($SIMPLESAML_INCPREFIX)?$SIMPLESAML_INCPREFIX:'') . 'SimpleSAML/Metadata/MetaDataStorageHandler.php');
  
 /**
  * The Shibboleth 1.3 Authentication Request. Not part of SAML 1.1, 
  * but an extension using query paramters no XML.
  *
- * @author Andreas ďż˝kre Solberg, UNINETT AS. <andreas.solberg@uninett.no>
+ * @author Andreas Aakre Solberg, UNINETT AS. <andreas.solberg@uninett.no>
  * @package simpleSAMLphp
  * @version $Id$
  */
@@ -106,58 +107,79 @@ class SimpleSAML_XML_SAML20_AuthnRequest {
 	}
 
 
+	/**
+	 * Generate a new SAML 2.0 Authentication Request
+	 *
+	 * @param $spentityid SP Entity ID
+	 * @param $destination SingleSignOnService endpoint
+	 */
 	public function generate($spentityid, $destination) {
 		$md = $this->metadata->getMetaData($spentityid);
 		
-		$id = self::generateID();
-		$issueInstant = self::generateIssueInstant();
+		$id = SimpleSAML_Utilities::generateID();
+		$issueInstant = SimpleSAML_Utilities::generateTimestamp();
 
-		//$assertionConsumerServiceURL = $md['AssertionConsumerService'];
 		$assertionConsumerServiceURL = $this->metadata->getGenerated('AssertionConsumerService', 'saml20-sp-hosted');
 		
-		$nameidformat = isset($md['NameIDFormat']) ? $md['NameIDFormat'] : 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient';
-		
-		$forceauthn = isset($md['ForceAuthn']) ? $md['ForceAuthn'] : 'false';
-		
-		// TODO: Make an option in the metadata to allow adding a RequestedAuthnContext
-		$requestauthncontext = '<samlp:RequestedAuthnContext Comparison="exact">
-        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
-    </samlp:RequestedAuthnContext>';
+		/*
+		 * Process the SAML 2.0 SP hosted metadata parameter: NameIDFormat
+		 */
+		$nameidformat = 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient';
+		if (isset($md['NameIDFormat'])) {
+			if (!is_string($md['NameIDFormat'])) {
+				throw new Exception('SAML 2.0 SP hosted metadata parameter [NameIDFormat] must be a string.');
+			}
+			$nameidformat = $md['NameIDFormat'];
+		}
 		
+		/*
+		 * Process the SAML 2.0 SP hosted metadata parameter: ForceAuthn
+		 */
+		$forceauthn = 'false';
+		if (isset($md['ForceAuthn'])) {
+			if (is_bool($md['ForceAuthn'])) {
+				$forceauthn = ($md['ForceAuthn'] ? 'true' : 'false');
+			} else {
+				throw new Exception('Illegal format of the ForceAuthn parameter in the SAML 2.0 SP hosted metadata for entity [' . $spentityid . ']. This value should be set to a PHP boolean value.');
+			}
+		}
+
+		/*
+		 * Process the SAML 2.0 SP hosted metadata parameter: AuthnContextClassRef
+		 */
+		$requestauthncontext = '';
+		if (!empty($md['AuthnContextClassRef'])) {
+			if (!is_string($md['AuthnContextClassRef'])) {
+				throw new Exception('SAML 2.0 SP hosted metadata parameter [AuthnContextClassRef] must be a string.');
+			}
+			
+			$requestauthncontext = '<samlp:RequestedAuthnContext Comparison="exact">
+		<saml:AuthnContextClassRef>' . $md['AuthnContextClassRef'] . '</saml:AuthnContextClassRef>
+	</samlp:RequestedAuthnContext>';
+		}
+
+		/*
+		 * Create the complete SAML 2.0 Authentication Request
+		 */
 		$authnRequest = '<samlp:AuthnRequest 
-    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
-    ID="' . $id . '" Version="2.0"
-    IssueInstant="' . $issueInstant . '" ForceAuthn="' . $forceauthn . '"
-    Destination="' . htmlspecialchars($destination) . '"
-    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
-    AssertionConsumerServiceURL="' . htmlspecialchars($assertionConsumerServiceURL) . '">
-    <saml:Issuer >' . htmlspecialchars($spentityid) . '</saml:Issuer>
-    <samlp:NameIDPolicy
-        Format="' . htmlspecialchars($nameidformat) . '"
-        AllowCreate="true"/>
-    '  . '
+	xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
+	ID="' . $id . '" Version="2.0"
+	IssueInstant="' . $issueInstant . '" ForceAuthn="' . $forceauthn . '"
+	Destination="' . htmlspecialchars($destination) . '"
+	ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
+	AssertionConsumerServiceURL="' . htmlspecialchars($assertionConsumerServiceURL) . '">
+	<saml:Issuer >' . htmlspecialchars($spentityid) . '</saml:Issuer>
+	<samlp:NameIDPolicy
+		Format="' . htmlspecialchars($nameidformat) . '"
+		AllowCreate="true"/>
+	' . $requestauthncontext . '
 </samlp:AuthnRequest>
 ';
-		
-		
-		
+
 		return $authnRequest;
 	}
 	
-	public static function generateID() {
-	
-		$length = 42;
-		$key = "_";
-		for ( $i=0; $i < $length; $i++ )
-		{
-			 $key .= dechex( rand(0,15) );
-		}
-		return $key;
-	}
-	
-	public static function generateIssueInstant() {
-		return gmdate("Y-m-d\TH:i:s\Z");
-	}
+
 	
 }
 
diff --git a/www/_include.php b/www/_include.php
index 9881d005b..b804e3f26 100644
--- a/www/_include.php
+++ b/www/_include.php
@@ -35,8 +35,6 @@ ini_set('include_path', $path);
  */
 //$SIMPLESAML_INCPREFIX = $path_extra . '/';
 
-
-
 require_once((isset($SIMPLESAML_INCPREFIX)?$SIMPLESAML_INCPREFIX:'') . 'SimpleSAML/Configuration.php');
 
 $configdir = dirname(dirname(__FILE__)) . '/config';
diff --git a/www/saml2/sp/initSSO.php b/www/saml2/sp/initSSO.php
index e4756b421..7219e4e1c 100644
--- a/www/saml2/sp/initSSO.php
+++ b/www/saml2/sp/initSSO.php
@@ -73,7 +73,7 @@ try {
 	
 	$httpredirect->sendMessage($req, $spentityid, $idpentityid, $_GET['RelayState']);
 
-} catch(Exception $exception) {		
+} catch(Exception $exception) {
 	SimpleSAML_Utilities::fatalError($session->getTrackID(), 'CREATEREQUEST', $exception);
 }
 
-- 
GitLab