Accessing a key in an array is not allowed when the array is not a variable but a value returned by a function.

This also required adding an additional argument to
SimpleSAML\Utils\Crypto::loadPrivateKey to ease in testing. Without
this additional argument, SimpleSAML_Configuration::getBaseDir eventually
gets called to determine the private key location.  This doesn't work
well with vfsstream. This argument shouldn't cause too much trouble, and
seems cohesive enough with the function's purpose.

The configuration of the MultiAuth authentication source specifies the auth sources that the user is presented with when asked for authentication. However, there was no proper check for the auth source selected by the user to ensure it is one of those allowed for MultiAuth.

The reason was the lack of conversion to integer for each character of the strings before applying the XOR operator to them. The operator returns always an empty string when applied to two characters, and applying a binary-wise OR between 0 and an empty string, yields 0. Therefore, $diff is always 0, and the function returns true for every two strings with same length, regardless of their contents.

Added tests for SimpleSAMLUtilsSystem

This reverts commit b1b0d0ef.

This reverts commit c441f9c9.

It looks like mb_substr() doesn’t cope well with NULL as the third parameter in PHP 5.3.

First, there’s no reason to obtain the logout URLs only when logout was initiated. If we get them always, we allow templates to do fancy things like using javascript to do everything on the fly, without going through the script, by dynamically loading the iframes.

Second, we should always check the associations against the ones registered in the session. That way, we can log SPs out individually, and if we refresh the page after that, they will still be marked as logged out.

We stopped using the “async” URL mechanism in logout seven years ago.

bugfix: Assigning an array to the data property of a template removes all data added previously during template initialization.

This allows templates to build richer interfaces with more information to display.

Additionally, the “SPs”, “from” and “jquery” data entries have been deprecated and scheduled for removal in 2.0.

This way we we allow those writing themes to use twig extensions, filters, or anything they may need.

The default values are fine if no other applications use PHP sessions. However, when other apps are using PHP sessions, a conflict arises with the defaults, so let's try to make the defaults a bit more resilient.

Added Redis session storage documentation

IVs must be random and one-time (never reused). Additionally, by deriving it from the key, the key length was effectively reduced to 128 bits.

This allows custom themes to inject data for all templates by simply adding a new hook.

Add a check to the constructor of the new redis store to check if predis/predis is available, and throw a critical configuration error if not.

Added Redis as possible session storage mechanism, fixes #574

It actually needs a DOMNode, so it has been renamed to isDOMNodeOfType().

Additionally, some superfluous asserts() have been removed, and SimpleSAML\Utils\XML::getDOMChildren() has also changed its signature, as it should also receive a DOMNode, not a DOMElement.

If something fails, an exception would be thrown, instead of “false” being returned.

Also, at this point we are sure that the return value will be a string, because the call to fetch() does not set the third parameter ($getHeaders) to true.