- Apr 18, 2018
Thijs Kinkhorst authored
-
- Feb 21, 2018
Jaime Pérez Crespo authored
-
- Dec 29, 2017
Tim van Dijen authored
-
- Nov 29, 2017
Tim van Dijen authored
-
- Oct 19, 2017
fentie authored
-
- Oct 10, 2017
John Maguire authored
-
- Sep 07, 2017
Jaime Pérez Crespo authored
Fix build as a side effect. When vimeo/psalm tries to resolve dependencies, it now fails with this.
-
- Aug 31, 2017
Tim van Dijen authored
-
- Aug 14, 2017
Jan de Mooij authored
See issue #593 for a problem description. SimpleSamlPHP makes use of unsafe inline Javascript and CSS elements. Although most generated HTML uses SimpleSamlPHP's own headers, the keepPost option in an authentication request uses the headers of the PHP application it is sent from. This forces web applications using SimpleSamlPHP to allow 'unsafe-inline' in their Content Security Policy. This commit fixes this issue for the keepPost page ''only'', to allow PHP applications using SimpleSamlPHP to use a more strict Content Security Policy. This does not take away from possible XSS vulnerabilities in other parts of SimpleSamlPHP.
-
- Aug 09, 2017
Dick Visser authored
-
- May 24, 2017
Oliver Bertuch authored
Fix #618. Remove hack introduced in #359 and don't mess up XHTML validity introduced in #479 by using a CSS class on the cells for the loginicon.
-
- Dec 05, 2016
Sergio Gomez authored
-
- Oct 03, 2016
Jaime Pérez authored
bugfix: Allow exception messages different than "You have not yet created the SimpleSAMLphp configuration files.". Right now, that's the only error message that you will ever get if something goes wrong with the configuration, no matter what. The message should not be hardcoded, but use the one from the captured exception instead.
-
Jaime Pérez authored
ParseError errors in PHP 7 have a code of 0, which will always be masked. Avoid that by forcing error codes of 0 to be E_ERROR instead.
-
- Sep 15, 2016
Hanne Moa authored
For #455
-
- Aug 23, 2016
Jaime Pérez authored
This is due to the update of the SAML2 library, that caused several other bugs, mainly with attributes like eduPersonTargetedID, which should always be an SAML NameID.
-
- Aug 22, 2016
Jaime Pérez authored
-
Jaime Pérez authored
This reverts commit ce040885.
-
- Aug 16, 2016
Dick Visser authored
-
- Aug 15, 2016
Jaime Pérez authored
This was due to incorrect use of the SimpleSAML_SessionHandler::setCookie() method to set the cookie, instead of SimpleSAML\Utils\HTTP::setCookie().
-
- Jul 26, 2016
Jaime Pérez authored
Now we are finally using the 2.x branch of the SAML2 library, which was also migrated to use namespaces. Even though the library provides an autoloader that allows loading the classes with the old names using class aliasing, we need to do the migration in one commit (at least for most part of it). This is due to the way SimpleSAMLphp checks data types, using inheritance to check objects against abstract or more general classes. Even though class aliasing works, there's no way to replicate those relationships, and type checks that use the old class names will fail because the aliases are virtually new classes that don't inherit from others.
-
- Jul 19, 2016
Jaime Pérez authored
The www/_include.php script, included by all scripts in www/, checks unconditionally for the existence of the config.php file. However, this prevents us from testing the scripts automatically. Instead of checking for the file, we just try to load the configuration, and live with it if it works. That way we can pre-load the configuration using SimpleSAML_Configuration::loadFromArray(), as we are doing in some tests.
-
- Jul 06, 2016
Jaime Pérez authored
PHP 7 changed the way it handles internal errors. Now, Exception objects inherit from the Throwable interface, as well as the new Error objects. Internal functions throw Error objects now instead of raising an error, so the exception handler would need to handle them as well. Therefore, the exception handler is no longer guaranteed to receive an Exception object. We need now to discern whether the parameter is an exception (and continue our business as usual), or an Error (in case such thing exists, only PHP 7), and in this last case parse it and let the error handler do its stuff. This should resolve #330.
-
- Jun 29, 2016
Jaime Pérez authored
In line with the previous commit, we now allow hooking in the exception handler, so that a module can implement its own logic to deal with certain exceptions.
-
Jaime Pérez authored
The module.php file is the way we allow modules to have their own pages. All those are executed and presented to the user via this script. However, if an exception is thrown by a module, that exception will be captured directly by the module.php script. This prevents us from adding more logic to exception handling, adds code duplication, and makes the exception handling non-uniform, since we could end up handling the same exception differently depending on whether it was thrown by a module or by a regular page. Now we no longer intercept exceptions in module.php, allowing the exception handler to kick in. That way exceptions are always handled uniformly, and we can also implement additional logic that we may want (i.e. adding a hook to the exception handler so that modules could handle exceptions the way they want).
-
- Jun 06, 2016
Jaime Perez Crespo authored
Fix another issue with URLs not being validated before displaying them into a page. Reported by John Page (hyp3rlinx).
-
- Jun 03, 2016
Jaime Perez Crespo authored
Fix an issue with some PHP environments (mostly related to FastCGI or php-fpm, common with nginx) where $_SERVER['SCRIPT_NAME'] is already populated with $_SERVER['PATH_INFO'] appended to it. In those cases, we should not blindly append PATH_INFO to SCRIPT_NAME, but check the latter first. This hopefully resolves #5 and closes #391.
-
- Apr 20, 2016
Jaime Perez Crespo authored
Start using the new configuration exceptions, handling error situations that before led to blank pages or even worse.
-
- Apr 11, 2016
Jaime Perez Crespo authored
Resolve #359. The login button was disappearing in mobile devices. Reordered the form a bit too for those devices, so that the view is better.
-
- Mar 09, 2016
Jaime Perez Crespo authored
-
- Mar 03, 2016
Thijs Kinkhorst authored
-
Jaime Perez Crespo authored
Rename Utils\HTTP::getSelfHostWithoutPort() to Utils\HTTP::getSelfHostWithNonStandardPort(), change the logic, and reimplement Utils\HTTP::getSelfHost() to depend on the former. Complete the tests to include the case of port 443 while using HTTPS.
-
- Mar 02, 2016
Andrés Blanco authored
-
- Feb 26, 2016
Hanne Moa authored
-
Jaime Perez Crespo authored
-
Jaime Perez Crespo authored
Move the error-reporting logic in SimpleSAML_Utilities to the SimpleSAML_Logger class, and add a new method there to evaluate whether an error would be masked or not according to its level.
-
- Feb 18, 2016
Jaime Perez Crespo authored
-
- Feb 17, 2016
Jaime Perez Crespo authored
-
- Jan 25, 2016
Jaime Perez Crespo authored
-
- Nov 06, 2015
Jaime Perez Crespo authored
-