YA Merge

This allows for using twig templates, but does not include code for
localizing twig templates.

Both have been migrated to use namespaces.

Revert the change of the signature of SimpleSAML_Session::useTransientSession(). Not needed after all.

Update the authwindowslive:LiveID module to use OAuth 2.0 authorization

Improve the comment around error=user_denied

rather than the discontinued OAuth WRAP. Attributes are now retrieved
from the Microsoft Graph API rather than the Messenger API.

PHP 7 changed the way it handles internal errors. Now, Exception objects inherit from the Throwable interface, as well as the new Error objects. Internal functions throw Error objects now instead of raising an error, so the exception handler would need to handle them as well. Therefore, the exception handler is no longer guaranteed to receive an Exception object. We need now to discern whether the parameter is an exception (and continue our business as usual), or an Error (in case such thing exists, only PHP 7), and in this last case parse it and let the error handler do its stuff.

This should resolve #330.

bugfix: Make sure the PDO and Serialize metadata storage handlers return metadata containing the 'entityid' key.

While investigating issue #393, we noticed that these two handlers don't enforce the entity ID of each entity to be set in the 'entityid' key of the metadata array (the Flatfile and XML handlers to enforce this). Since this is the way we propagate the entity ID (code using metadata won't necessarily have access to the key of the metadata array containing the entity ID, or such a thing might not even exist), we need to make sure the entity ID is set inside the array. Otherwise, if the metadata for an entity does not contain it directly, the 'ExpectedIssuer' would be set to null, an error recorded, and authentication would fail as the entity ID of the IdP issuing an assertion would not match.

Due to recent changes to fix the way we were building URLs (mixing what the 'baseurlpath' configuration option and the current URL, see #396), we introduced another bug by assuming file paths will always use slashes ('/'), which obviously is not true in Windows machines. This commit fixes SimpleSAML_Configuration::getBaseDir() and SimpleSAML\Utils\HTTP::getSelfURL() to take that into account.

This closes #414.

Add an onlyIfEmpty option to core:ScopeAttribute.

bugfix: Make sure SimpleSAML_Session::getSessionFromRequest() always raises an exception when a transient session is used due to a misconfiguration or a temporary failure fetching an existing session.

Transient sessions are just an exceptional event, and they shouldn't be treated as regular sessions. Therefore, if we are trying to get the current session and end up with a transient one, that's because an error occurred and we should raise an exception. Since exceptions due to secure cookies trying to be set via an insecure channel are likely to be misconfigurations, we treat them like that, raising a SimpleSAML\Error\CriticalConfigurationError.

Additionally, we capture exceptions in the SimpleSAML\Logger::flush() method, ensuring the error reported in #413 doesn't happen again.

This resolves #356.

If it fails for some reason, we clear all the authentication-related data from the session, log an error, and throw again the exception, so that the user does not continue as if anything happened when the auth token is not set.

Currently, if headers have already been sent, a redirection will fail and generate errors in the error log. The user will be presented with a page containing a link that he or she will need to click on. Checking if headers have already been sent we can avoid errors, and adding a simple javascript to the "onload" event in the body of the page, we can still redirect automatically. That way, only when headers have already been sent and the users have javascript disabled, they will get to see the page.

Make exception message when setting secure PHP session cookies through an insecure channel coincident with the message in SimpleSAML\Utils\HTTP::setCookie().

Both SimpleSAML_SessionHandlerPHP::setCookie() and SimpleSAML\Utils\HTTP::setCookie() throw the SimpleSAML\Error\CannotSetCookie exception. Depending on why the error was generated, set the error code in the exception accordingly.

This way we can discern why we couldn't set a cookie, and act accordingly.

Related to previous commits. The SimpleSAML_Session::updateSessionCookies() updates both the session cookie and the auth token. For the latter, it uses the setCookie() method from the session handler, while it should use the SimpleSAML\Utils\HTTP::setCookie() method instead.

Revert "Set the session name explicitly in SessionHandlerPHP, even when we are using the default value."

This reverts commit cd6278cc.

The hash algorithm to use to calculate signature digests for self metadata was not configurable. Add the 'metadata.sign.algorithm' configuration option to fix that.

This resolves #411.

Historically, SimpleSAML_SessionHandler::newSessionId() has also created the session, sending the cookies to the browser. This is problematic both because given the name of the method one would not assume such behaviour, and also because even for transient sessions the handler would then try to set cookies. When we are using a transient session, it is likely to be because we cannot set cookies or because there was a temporary error when loading the session. If we try to set the cookies even for transient sessions, we could either get an error because cookies cannot be set, or overwrite the previous session cookies with transient ones, trashing a legitimate session in case a temporary error occurs.

As a side effect, this can also cause behaviours like the one described in issue #413. There's no point in trying to set the cookies when it's not possible, so we shouldn't even try, and save us the errors.

To fix this, we made SimpleSAML_SessionHandler::setCookie() abstract, forcing each extending class to implement it. The former implementation is moved to SimpleSAML_SessionHandlerCookie, and the SimpleSAML_SessionHandlerPHP gets a new method that starts the session, effectively sending the cookie. SimpleSAML_Session would then be responsible to call the setCookie() method of the session handler when creating a regular session, and skip it when creating a transient one. This introduces a bug, since SimpleSAML_Session was trying to set the auth token cookie calling the same setCookie() method in the session handler. We fixed that by using SimpleSAML\Utils\HTTP::setCookie() instead, in 8756835b.

This resolves #413.

If we just called isset() on SimpleSAML_Session::$instance, and it returned false as we continued execution, it makes no sense to get the "previous" instance since it will always be null. We can just check that $instance is not null later.

This way we can pass an exception that made us use transient sessions, and get the method to throw that exception after getting the transient session.

SimpleSAML_Session should set the auth token using the SimpleSAML\Utils\HTTP::setCookie(), instead of the setCookie() method provided by session handlers.

The SimpleSAML_SessionHandler::setCookie() method should be used only to set the session cookie, not random cookies. If we want cookies to have the same parameters as session cookies, we can always get the session parameters calling SimpleSAML_SessionHandler::getSessionParams() and pass them to SimpleSAML\Utils\HTTP::setCookie().

Make the SimpleSAML\Utils\HTTP::setCookie() method throw the new SimpleSAML\Error\CannotSetCookie exception.

This makes the filter a little more useful for people who want to generate default values from another attribute only if none alreay exist.

In line with the previous commit, we now allow hooking in the exception handler, so that a module can implement its own logic to deal with certain exceptions.

The module.php file is the way we allow modules to have their own pages. All those are executed and presented to the user via this script. However, if an exception is thrown by a module, that exception will be captured directly by the module.php script. This prevents us from adding more logic to exception handling, adds code duplication, and makes the exception handling non-uniform, since we could end up handling the same exception differently depending on whether it was thrown by a module or by a regular page.

Now we no longer intercept exceptions in module.php, allowing the exception handler to kick in. That way exceptions are always handled uniformly, and we can also implement additional logic that we may want (i.e. adding a hook to the exception handler so that modules could handle exceptions the way they want).

Now that we are using realpath() to try to obtain the URL relative to the base URL path of SSP, we need to use real scripts or realpath() will return an empty string.

Recent commits have introduced a new way to obtain the self URL, honouring whatever is specified in 'baseurlpath'. However, this new code breaks when accessing SimpleSAMLphp through a path containing symbolic links in the file system, since the base directory refers always to the real path while the $_SERVER contents reflect what the web server sees (symlinks included). We use realpath() to convert a path with symlinks to a canonical path that we can compare.