added support for IsPassive flag in Consent module and in

SSOService. If IsPassive is set and Consent requires user interaction an SimpleSAML_Error_NoPassive exception is thrown. SSOService now catches the exception and returns an AuthResponse with NoPassive (which SSP currently can't handle in an orderly way). We expect all processing modules to throw SimpleSAML_Error_NoPassive exceptions if isPassive is true in the state and they require user interaction. ProcessingChain is updated with a new method - processStatePassive which drives the processing filters with isPassive set to true and ignores all SimpleSAML_Error_NoPassive exceptions. This will be used in a forthcoming release of a consent administration module. Written by Jacob Christiansen and Mads Freek from wayf.dk. git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@1237 44740490-163a-0410-bde0-09ae8108e29a

added support for IsPassive flag in Consent module and in
SSOService. If IsPassive is set and Consent requires user interaction an SimpleSAML_Error_NoPassive exception is thrown. SSOService now catches the exception and returns an AuthResponse with NoPassive (which SSP currently can't handle in an orderly way). We expect all processing modules to throw SimpleSAML_Error_NoPassive exceptions if isPassive is true in the state and they require user interaction. ProcessingChain is updated with a new method - processStatePassive which drives the processing filters with isPassive set to true and ignores all SimpleSAML_Error_NoPassive exceptions. This will be used in a forthcoming release of a consent administration module. Written by Jacob Christiansen and Mads Freek from wayf.dk. git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@1237 44740490-163a-0410-bde0-09ae8108e29a
f9e8fe2d · Mads Freek Petersen · 7d499ed6 · f9e8fe2d · f9e8fe2d · f9e8fe2d
Commit f9e8fe2d authored 16 years ago by Mads Freek Petersen
--- a/lib/SimpleSAML/Auth/ProcessingChain.php
+++ b/lib/SimpleSAML/Auth/ProcessingChain.php
@@ -213,6 +213,40 @@ class SimpleSAML_Auth_ProcessingChain {
 		SimpleSAML_Utilities::redirect($state['ReturnURL'], array(self::AUTHPARAM => $id));
 	}
+	/**
+	 * Process the given state passivly.
+	 *
+	 * Modules with user interaction are expected to throw an SimpleSAML_Error_NoPassive exception
+	 * which are silently ignored. Exceptions of other types are passed further up the call stack.
+	 *
+	 * This function will only return if processing completes.
+	 *
+	 * @param array &$state  The state we are processing.
+	 */
+	public function processStatePassive(&$state) {
+		assert('is_array($state)');
+		// Should not be set when calling this method
+		assert('!array_key_exists("ReturnURL", $state)');
+		// Notify filters about passive request
+		$state['isPassive'] = TRUE;
+		$state[self::FILTERS_INDEX] = $this->filters;
+		if (!array_key_exists('UserID', $state)) {
+			/* No unique user ID present. Attempt to add one. */
+			self::addUserID($state);
+		}
+		while (count($state[self::FILTERS_INDEX]) > 0) {
+			$filter = array_shift($state[self::FILTERS_INDEX]);
+			try {
+				$filter->process($state);
+			// Ignore SimpleSAML_Error_NoPassive exceptions
+			} catch (SimpleSAML_Error_NoPassive $e) { }
+		}
+	}
 	/**
 	 * Retrieve a state which has finished processing.

--- a/modules/consent/lib/Auth/Process/Consent.php
+++ b/modules/consent/lib/Auth/Process/Consent.php
@@ -163,6 +163,11 @@ class sspmod_consent_Auth_Process_Consent extends SimpleSAML_Auth_ProcessingFilt
 		$state['consent:focus'] = $this->focus;
 		$state['consent:checked'] = $this->checked;
+		/* User interaction nessesary. Throw exception on isPassive request */	
+		if (isset($state['isPassive']) && $state['isPassive'] == TRUE) {
+			throw new SimpleSAML_Error_NoPassive('noPassive');
+		}
 		/* Save state and redirect. */
 		$id = SimpleSAML_Auth_State::saveState($state, 'consent:request');
 		$url = SimpleSAML_Module::getModuleURL('consent/getconsent.php');

--- a/www/saml2/idp/SSOService.php
+++ b/www/saml2/idp/SSOService.php
@@ -284,9 +284,32 @@ if($needAuth && !$isPassive) {
 				'Attributes' => $attributes,
 				'Destination' => $spmetadata,
 				'Source' => $idpmetadata,
+				'isPassive' => $isPassive,
 			);
-			$pc->processState($authProcState);
+			try {
+				$pc->processState($authProcState);
+			} catch (SimpleSAML_Error_NoPassive $e) {
+				/* Any user interaction is considered harmfull if isPassive is set to TRUE - even
+				 * giving consent.
+				 * If the user is authenticated but a processing filter needs user interaction 
+				 * we expect a SimpleSAML_Error_NoPassive exception to be thrown. We then send 
+				 * back the proper respons.
+				 */
+				try {
+					/* Generate an SAML 2.0 AuthNResponse message
+					 * With statusCode: urn:oasis:names:tc:SAML:2.0:status:NoPassive
+					 */
+					$ar = new SimpleSAML_XML_SAML20_AuthnResponse($config, $metadata);
+					$authnResponseXML = $ar->generate($idpentityid, $requestcache['Issuer'], $requestcache['RequestID'], NULL, NULL, 'NoPassive');
+					/* Sending the AuthNResponse using HTTP-Post SAML 2.0 binding. */
+					$httppost = new SimpleSAML_Bindings_SAML20_HTTPPost($config, $metadata);
+					$httppost->sendResponse($authnResponseXML, $idpentityid, $requestcache['Issuer'], $requestcache['RelayState']);
+				} catch(Exception $exception) {
+					SimpleSAML_Utilities::fatalError($session->getTrackID(), 'GENERATEAUTHNRESPONSE', $exception);
+				}
+			}
 			$requestcache['AuthProcState'] = $authProcState;
 		}