Message.php

Go to the documentation of this file.

<?php
 
namespace SAML2;
 
use RobRichards\XMLSecLibs\XMLSecurityKey;
use SAML2\Utilities\Temporal;
use SAML2\XML\samlp\Extensions;
 
abstract class Message implements SignedElement
{
    protected $extensions;
 
    private $tagName;
 
    private $id;
 
    private $issueInstant;
 
    private $destination;
 
    private $consent = Constants::CONSENT_UNSPECIFIED;
 
    private $issuer;
 
    private $relayState;
 
    protected $document;
 
    private $signatureKey;
 
    protected $messageContainedSignatureUponConstruction = false;
 
    private $certificates;
 
    private $validators;
 
    private $signatureMethod;
 
    protected function __construct($tagName, \DOMElement $xml = null)
    {
        assert(is_string($tagName));
        $this->tagName = $tagName;
 
        $this->id = Utils::getContainer()->generateId();
        $this->issueInstant = Temporal::getTime();
        $this->certificates = array();
        $this->validators = array();
 
        if ($xml === null) {
            return;
        }
 
        if (!$xml->hasAttribute('ID')) {
            throw new \Exception('Missing ID attribute on SAML message.');
        }
        $this->id = $xml->getAttribute('ID');
 
        if ($xml->getAttribute('Version') !== '2.0') {
            /* Currently a very strict check. */
            throw new \Exception('Unsupported version: '.$xml->getAttribute('Version'));
        }
 
        $this->issueInstant = Utils::xsDateTimeToTimestamp($xml->getAttribute('IssueInstant'));
 
        if ($xml->hasAttribute('Destination')) {
            $this->destination = $xml->getAttribute('Destination');
        }
 
        if ($xml->hasAttribute('Consent')) {
            $this->consent = $xml->getAttribute('Consent');
        }
 
        $issuer = Utils::xpQuery($xml, './saml_assertion:Issuer');
        if (!empty($issuer)) {
            $this->issuer = new XML\saml\Issuer($issuer[0]);
            if ($this->issuer->Format === Constants::NAMEID_ENTITY) {
                $this->issuer = $this->issuer->value;
            }
        }
 
        $this->validateSignature($xml);
 
        $this->extensions = Extensions::getList($xml);
    }
 
 
    private function validateSignature(\DOMElement $xml)
    {
        try {
            $signatureMethod = Utils::xpQuery($xml, './ds:Signature/ds:SignedInfo/ds:SignatureMethod/@Algorithm');
 
            $sig = Utils::validateElement($xml);
 
            if ($sig !== false) {
                $this->messageContainedSignatureUponConstruction = true;
                $this->certificates = $sig['Certificates'];
                $this->validators[] = array(
                    'Function' => array('\SAML2\Utils', 'validateSignature'),
                    'Data' => $sig,
                );
                $this->signatureMethod = $signatureMethod[0]->value;
            }
        } catch (\Exception $e) {
            // ignore signature validation errors
        }
    }
 
 
    public function addValidator($function, $data)
    {
        assert(is_callable($function));
 
        $this->validators[] = array(
            'Function' => $function,
            'Data' => $data,
        );
    }
 
    public function validate(XMLSecurityKey $key)
    {
        if (count($this->validators) === 0) {
            return false;
        }
 
        $exceptions = array();
 
        foreach ($this->validators as $validator) {
            $function = $validator['Function'];
            $data = $validator['Data'];
 
            try {
                call_user_func($function, $data, $key);
                /* We were able to validate the message with this validator. */
 
                return true;
            } catch (\Exception $e) {
                $exceptions[] = $e;
            }
        }
 
        /* No validators were able to validate the message. */
        throw $exceptions[0];
    }
 
    public function getId()
    {
        return $this->id;
    }
 
    public function setId($id)
    {
        assert(is_string($id));
 
        $this->id = $id;
    }
 
    public function getIssueInstant()
    {
        return $this->issueInstant;
    }
 
    public function setIssueInstant($issueInstant)
    {
        assert(is_int($issueInstant));
 
        $this->issueInstant = $issueInstant;
    }
 
    public function getDestination()
    {
        return $this->destination;
    }
 
    public function setDestination($destination)
    {
        assert(is_string($destination) || is_null($destination));
 
        $this->destination = $destination;
    }
 
    public function setConsent($consent)
    {
        assert(is_string($consent));
 
        $this->consent = $consent;
    }
 
    public function getConsent()
    {
        return $this->consent;
    }
 
    public function getIssuer()
    {
        if (is_string($this->issuer) || $this->issuer instanceof XML\saml\Issuer) {
            return $this->issuer;
        }
 
        return null;
    }
 
    public function setIssuer($issuer)
    {
        assert(is_string($issuer) || $issuer instanceof XML\saml\Issuer || is_null($issuer));
 
        $this->issuer = $issuer;
    }
 
    public function isMessageConstructedWithSignature()
    {
        return $this->messageContainedSignatureUponConstruction;
    }
 
    public function getRelayState()
    {
        return $this->relayState;
    }
 
    public function setRelayState($relayState)
    {
        assert(is_string($relayState) || is_null($relayState));
 
        $this->relayState = $relayState;
    }
 
    public function toUnsignedXML()
    {
        $this->document = DOMDocumentFactory::create();
 
        $root = $this->document->createElementNS(Constants::NS_SAMLP, 'samlp:'.$this->tagName);
        $this->document->appendChild($root);
 
        /* Ugly hack to add another namespace declaration to the root element. */
        $root->setAttributeNS(Constants::NS_SAML, 'saml:tmp', 'tmp');
        $root->removeAttributeNS(Constants::NS_SAML, 'tmp');
 
        $root->setAttribute('ID', $this->id);
        $root->setAttribute('Version', '2.0');
        $root->setAttribute('IssueInstant', gmdate('Y-m-d\TH:i:s\Z', $this->issueInstant));
 
        if ($this->destination !== null) {
            $root->setAttribute('Destination', $this->destination);
        }
        if ($this->consent !== null && $this->consent !== Constants::CONSENT_UNSPECIFIED) {
            $root->setAttribute('Consent', $this->consent);
        }
 
        if ($this->issuer !== null) {
            if (is_string($this->issuer)) {
                Utils::addString($root, Constants::NS_SAML, 'saml:Issuer', $this->issuer);
            } elseif ($this->issuer instanceof XML\saml\Issuer) {
                $this->issuer->toXML($root);
            }
        }
 
        if (!empty($this->extensions)) {
            Extensions::addList($root, $this->extensions);
        }
 
        return $root;
    }
 
 
    public function toSignedXML()
    {
        $root = $this->toUnsignedXML();
 
        if ($this->signatureKey === null) {
            /* We don't have a key to sign it with. */
 
            return $root;
        }
 
        /* Find the position we should insert the signature node at. */
        if ($this->issuer !== null) {
            /*
             * We have an issuer node. The signature node should come
             * after the issuer node.
             */
            $issuerNode = $root->firstChild;
            $insertBefore = $issuerNode->nextSibling;
        } else {
            /* No issuer node - the signature element should be the first element. */
            $insertBefore = $root->firstChild;
        }
 
        Utils::insertSignature($this->signatureKey, $this->certificates, $root, $insertBefore);
 
        return $root;
    }
 
    public function getSignatureKey()
    {
        return $this->signatureKey;
    }
 
    public function setSignatureKey(XMLSecurityKey $signatureKey = null)
    {
        $this->signatureKey = $signatureKey;
    }
 
    public function setCertificates(array $certificates)
    {
        $this->certificates = $certificates;
    }
 
    public function getCertificates()
    {
        return $this->certificates;
    }
 
    public static function fromXML(\DOMElement $xml)
    {
        if ($xml->namespaceURI !== Constants::NS_SAMLP) {
            throw new \Exception('Unknown namespace of SAML message: '.var_export($xml->namespaceURI, true));
        }
 
        switch ($xml->localName) {
            case 'AttributeQuery':
                return new AttributeQuery($xml);
            case 'AuthnRequest':
                return new AuthnRequest($xml);
            case 'LogoutResponse':
                return new LogoutResponse($xml);
            case 'LogoutRequest':
                return new LogoutRequest($xml);
            case 'Response':
                return new Response($xml);
            case 'ArtifactResponse':
                return new ArtifactResponse($xml);
            case 'ArtifactResolve':
                return new ArtifactResolve($xml);
            default:
                throw new \Exception('Unknown SAML message: '.var_export($xml->localName, true));
        }
    }
 
    public function getExtensions()
    {
        return $this->extensions;
    }
 
    public function setExtensions($extensions)
    {
        assert(is_array($extensions) || is_null($extensions));
 
        $this->extensions = $extensions;
    }
 
    public function getSignatureMethod()
    {
        return $this->signatureMethod;
    }
}