This test works as a demonstration on how to test our web interface endpoints.

With this script, which will be executed for every request performed to the built-in server, we can preload the configuration from a temporary file, making it possible to configure SimpleSAMLphp dynamically when testing.

With this class we can run PHP's built-in server specifying the document root (defaulting to the www directory) and a "router" file, which the server will execute for every request received. This is useful to allow testing of the web interfaces as part of our unit testing setup.

Removed unnecessary exception

The www/_include.php script, included by all scripts in www/, checks unconditionally for the existence of the config.php file. However, this prevents us from testing the scripts automatically. Instead of checking for the file, we just try to load the configuration, and live with it if it works. That way we can pre-load the configuration using SimpleSAML_Configuration::loadFromArray(), as we are doing in some tests.

Recent fixes for URL guessing and building addressed bugs in the code that were preventing the 'baseurlpath' from being used properly. However, they introduced a new issue, as the code was assuming the current URL would always point to a SimpleSAMLphp script. This is not always true, of course, as any script can invoke our API and end up trying to get its own URL (for example, when calling requireAuth()).

In order to fix this, we monitor mismatches between SimpleSAMLphp's installation path and the absolute, real path to the current script. When there's a mismatch, it means we are running a third-party script outside SimpleSAMLphp, and therefore we should NOT enforce 'baseurlpath'. This introduces an additional issue, as applications behind a reverse proxy may cause trouble to guess the right URL (we will use the URL as seen by SimpleSAMLphp in the server, which is not necessarily the same as the user sees with a reverse proxy in between). For the moment, we'll leave the responsibility to sort that issue out to implementors. It might be a good idea to add a page to the wiki explaining how to do this.

This resolves #418.

Add a configuration option named 'admin.checkforupdates' to enable or disable this feature.

We shouldn't wait for long when connecting to github's API to check for the latest release. Set a timeout of a couple of seconds. Also, remove commented debugging code.

Now that we have all our releases in github, we can use its API to see of the latest stable release there is newer than the version we are running. In that case, we show a warning in the configuration tab.

YA Merge

This allows for using twig templates, but does not include code for
localizing twig templates.

Both have been migrated to use namespaces.

Revert the change of the signature of SimpleSAML_Session::useTransientSession(). Not needed after all.

Update the authwindowslive:LiveID module to use OAuth 2.0 authorization

Improve the comment around error=user_denied

rather than the discontinued OAuth WRAP. Attributes are now retrieved
from the Microsoft Graph API rather than the Messenger API.

PHP 7 changed the way it handles internal errors. Now, Exception objects inherit from the Throwable interface, as well as the new Error objects. Internal functions throw Error objects now instead of raising an error, so the exception handler would need to handle them as well. Therefore, the exception handler is no longer guaranteed to receive an Exception object. We need now to discern whether the parameter is an exception (and continue our business as usual), or an Error (in case such thing exists, only PHP 7), and in this last case parse it and let the error handler do its stuff.

This should resolve #330.

bugfix: Make sure the PDO and Serialize metadata storage handlers return metadata containing the 'entityid' key.

While investigating issue #393, we noticed that these two handlers don't enforce the entity ID of each entity to be set in the 'entityid' key of the metadata array (the Flatfile and XML handlers to enforce this). Since this is the way we propagate the entity ID (code using metadata won't necessarily have access to the key of the metadata array containing the entity ID, or such a thing might not even exist), we need to make sure the entity ID is set inside the array. Otherwise, if the metadata for an entity does not contain it directly, the 'ExpectedIssuer' would be set to null, an error recorded, and authentication would fail as the entity ID of the IdP issuing an assertion would not match.

Due to recent changes to fix the way we were building URLs (mixing what the 'baseurlpath' configuration option and the current URL, see #396), we introduced another bug by assuming file paths will always use slashes ('/'), which obviously is not true in Windows machines. This commit fixes SimpleSAML_Configuration::getBaseDir() and SimpleSAML\Utils\HTTP::getSelfURL() to take that into account.

This closes #414.

Add an onlyIfEmpty option to core:ScopeAttribute.

bugfix: Make sure SimpleSAML_Session::getSessionFromRequest() always raises an exception when a transient session is used due to a misconfiguration or a temporary failure fetching an existing session.

Transient sessions are just an exceptional event, and they shouldn't be treated as regular sessions. Therefore, if we are trying to get the current session and end up with a transient one, that's because an error occurred and we should raise an exception. Since exceptions due to secure cookies trying to be set via an insecure channel are likely to be misconfigurations, we treat them like that, raising a SimpleSAML\Error\CriticalConfigurationError.

Additionally, we capture exceptions in the SimpleSAML\Logger::flush() method, ensuring the error reported in #413 doesn't happen again.

This resolves #356.

If it fails for some reason, we clear all the authentication-related data from the session, log an error, and throw again the exception, so that the user does not continue as if anything happened when the auth token is not set.

Currently, if headers have already been sent, a redirection will fail and generate errors in the error log. The user will be presented with a page containing a link that he or she will need to click on. Checking if headers have already been sent we can avoid errors, and adding a simple javascript to the "onload" event in the body of the page, we can still redirect automatically. That way, only when headers have already been sent and the users have javascript disabled, they will get to see the page.

Make exception message when setting secure PHP session cookies through an insecure channel coincident with the message in SimpleSAML\Utils\HTTP::setCookie().

Both SimpleSAML_SessionHandlerPHP::setCookie() and SimpleSAML\Utils\HTTP::setCookie() throw the SimpleSAML\Error\CannotSetCookie exception. Depending on why the error was generated, set the error code in the exception accordingly.

This way we can discern why we couldn't set a cookie, and act accordingly.

Related to previous commits. The SimpleSAML_Session::updateSessionCookies() updates both the session cookie and the auth token. For the latter, it uses the setCookie() method from the session handler, while it should use the SimpleSAML\Utils\HTTP::setCookie() method instead.

Revert "Set the session name explicitly in SessionHandlerPHP, even when we are using the default value."

This reverts commit cd6278cc.

The hash algorithm to use to calculate signature digests for self metadata was not configurable. Add the 'metadata.sign.algorithm' configuration option to fix that.

This resolves #411.

Historically, SimpleSAML_SessionHandler::newSessionId() has also created the session, sending the cookies to the browser. This is problematic both because given the name of the method one would not assume such behaviour, and also because even for transient sessions the handler would then try to set cookies. When we are using a transient session, it is likely to be because we cannot set cookies or because there was a temporary error when loading the session. If we try to set the cookies even for transient sessions, we could either get an error because cookies cannot be set, or overwrite the previous session cookies with transient ones, trashing a legitimate session in case a temporary error occurs.

As a side effect, this can also cause behaviours like the one described in issue #413. There's no point in trying to set the cookies when it's not possible, so we shouldn't even try, and save us the errors.

To fix this, we made SimpleSAML_SessionHandler::setCookie() abstract, forcing each extending class to implement it. The former implementation is moved to SimpleSAML_SessionHandlerCookie, and the SimpleSAML_SessionHandlerPHP gets a new method that starts the session, effectively sending the cookie. SimpleSAML_Session would then be responsible to call the setCookie() method of the session handler when creating a regular session, and skip it when creating a transient one. This introduces a bug, since SimpleSAML_Session was trying to set the auth token cookie calling the same setCookie() method in the session handler. We fixed that by using SimpleSAML\Utils\HTTP::setCookie() instead, in 8756835b.

This resolves #413.

If we just called isset() on SimpleSAML_Session::$instance, and it returned false as we continued execution, it makes no sense to get the "previous" instance since it will always be null. We can just check that $instance is not null later.