ILIAS  release_5-3 Revision v5.3.23-19-g915713cf615
ProcessingChain.php
Go to the documentation of this file.
1<?php
2
13class SimpleSAML_Auth_ProcessingChain {
14
15
19 const FILTERS_INDEX = 'SimpleSAML_Auth_ProcessingChain.filters';
20
21
25 const COMPLETED_STAGE = 'SimpleSAML_Auth_ProcessingChain.completed';
26
27
32 const AUTHPARAM = 'AuthProcId';
33
34
38 private $filters;
39
40
48 public function __construct($idpMetadata, $spMetadata, $mode = 'idp') {
49 assert('is_array($idpMetadata)');
50 assert('is_array($spMetadata)');
51
52 $this->filters = array();
53
54 $config = SimpleSAML_Configuration::getInstance();
55 $configauthproc = $config->getArray('authproc.' . $mode, NULL);
56
57 if (!empty($configauthproc)) {
58 $configfilters = self::parseFilterList($configauthproc);
59 self::addFilters($this->filters, $configfilters);
60 }
61
62 if (array_key_exists('authproc', $idpMetadata)) {
63 $idpFilters = self::parseFilterList($idpMetadata['authproc']);
64 self::addFilters($this->filters, $idpFilters);
65 }
66
67 if (array_key_exists('authproc', $spMetadata)) {
68 $spFilters = self::parseFilterList($spMetadata['authproc']);
69 self::addFilters($this->filters, $spFilters);
70 }
71
72
73 SimpleSAML\Logger::debug('Filter config for ' . $idpMetadata['entityid'] . '->' .
74 $spMetadata['entityid'] . ': ' . str_replace("\n", '', var_export($this->filters, TRUE)));
75
76 }
77
78
87 private static function addFilters(&$target, $src) {
88 assert('is_array($target)');
89 assert('is_array($src)');
90
91 foreach ($src as $filter) {
92 $fp = $filter->priority;
93
94 // Find insertion position for filter
95 for($i = count($target)-1; $i >= 0; $i--) {
96 if ($target[$i]->priority <= $fp) {
97 // The new filter should be inserted after this one
98 break;
99 }
100 }
101 /* $i now points to the filter which should preceede the current filter. */
102 array_splice($target, $i+1, 0, array($filter));
103 }
104
105 }
106
107
114 private static function parseFilterList($filterSrc) {
115 assert('is_array($filterSrc)');
116
117 $parsedFilters = array();
118
119 foreach ($filterSrc as $priority => $filter) {
120
121 if (is_string($filter)) {
122 $filter = array('class' => $filter);
123 }
124
125 if (!is_array($filter)) {
126 throw new Exception('Invalid authentication processing filter configuration: ' .
127 'One of the filters wasn\'t a string or an array.');
128 }
129
130 $parsedFilters[] = self::parseFilter($filter, $priority);
131 }
132
133 return $parsedFilters;
134 }
135
136
145 private static function parseFilter($config, $priority) {
146 assert('is_array($config)');
147
148 if (!array_key_exists('class', $config))
149 throw new Exception('Authentication processing filter without name given.');
150
151 $className = SimpleSAML\Module::resolveClass($config['class'], 'Auth_Process', 'SimpleSAML_Auth_ProcessingFilter');
152 $config['%priority'] = $priority;
153 unset($config['class']);
154 return new $className($config, NULL);
155 }
156
157
178 public function processState(&$state) {
179 assert('is_array($state)');
180 assert('array_key_exists("ReturnURL", $state) || array_key_exists("ReturnCall", $state)');
181 assert('!array_key_exists("ReturnURL", $state) || !array_key_exists("ReturnCall", $state)');
182
183 $state[self::FILTERS_INDEX] = $this->filters;
184
185 try {
186
187 // TODO: remove this in SSP 2.0
188 if (!array_key_exists('UserID', $state)) {
189 // No unique user ID present. Attempt to add one.
190 self::addUserID($state);
191 }
192
193 while (count($state[self::FILTERS_INDEX]) > 0) {
194 $filter = array_shift($state[self::FILTERS_INDEX]);
195 $filter->process($state);
196 }
197
198 } catch (SimpleSAML_Error_Exception $e) {
199 // No need to convert the exception
200 throw $e;
201 } catch (Exception $e) {
202 /*
203 * To be consistent with the exception we return after an redirect,
204 * we convert this exception before returning it.
205 */
206 throw new SimpleSAML_Error_UnserializableException($e);
207 }
208
209 // Completed
210 }
211
212
224 public static function resumeProcessing($state) {
225 assert('is_array($state)');
226
227 while (count($state[self::FILTERS_INDEX]) > 0) {
228 $filter = array_shift($state[self::FILTERS_INDEX]);
229 try {
230 $filter->process($state);
231 } catch (SimpleSAML_Error_Exception $e) {
232 SimpleSAML_Auth_State::throwException($state, $e);
233 } catch (Exception $e) {
234 $e = new SimpleSAML_Error_UnserializableException($e);
235 SimpleSAML_Auth_State::throwException($state, $e);
236 }
237 }
238
239 // Completed
240
241 assert('array_key_exists("ReturnURL", $state) || array_key_exists("ReturnCall", $state)');
242 assert('!array_key_exists("ReturnURL", $state) || !array_key_exists("ReturnCall", $state)');
243
244
245 if (array_key_exists('ReturnURL', $state)) {
246 /*
247 * Save state information, and redirect to the URL specified
248 * in $state['ReturnURL'].
249 */
250 $id = SimpleSAML_Auth_State::saveState($state, self::COMPLETED_STAGE);
251 \SimpleSAML\Utils\HTTP::redirectTrustedURL($state['ReturnURL'], array(self::AUTHPARAM => $id));
252 } else {
253 /* Pass the state to the function defined in $state['ReturnCall']. */
254
255 // We are done with the state array in the session. Delete it.
256 SimpleSAML_Auth_State::deleteState($state);
257
258 $func = $state['ReturnCall'];
259 assert('is_callable($func)');
260
261 call_user_func($func, $state);
262 assert(FALSE);
263 }
264 }
265
266
277 public function processStatePassive(&$state) {
278 assert('is_array($state)');
279 // Should not be set when calling this method
280 assert('!array_key_exists("ReturnURL", $state)');
281
282 // Notify filters about passive request
283 $state['isPassive'] = TRUE;
284
285 $state[self::FILTERS_INDEX] = $this->filters;
286
287 // TODO: remove this in SSP 2.0
288 if (!array_key_exists('UserID', $state)) {
289 // No unique user ID present. Attempt to add one.
290 self::addUserID($state);
291 }
292
293 while (count($state[self::FILTERS_INDEX]) > 0) {
294 $filter = array_shift($state[self::FILTERS_INDEX]);
295 try {
296 $filter->process($state);
297
298 // Ignore SimpleSAML_Error_NoPassive exceptions
299 } catch (SimpleSAML_Error_NoPassive $e) { }
300 }
301 }
302
310 public static function fetchProcessedState($id) {
311 assert('is_string($id)');
312
313 return SimpleSAML_Auth_State::loadState($id, self::COMPLETED_STAGE);
314 }
315
316
320 private static function addUserID(&$state) {
321 assert('is_array($state)');
322 assert('array_key_exists("Attributes", $state)');
323
324 if (isset($state['Destination']['userid.attribute'])) {
325 $attributeName = $state['Destination']['userid.attribute'];
326 SimpleSAML\Logger::warning("The 'userid.attribute' option has been deprecated.");
327 } elseif (isset($state['Source']['userid.attribute'])) {
328 $attributeName = $state['Source']['userid.attribute'];
329 SimpleSAML\Logger::warning("The 'userid.attribute' option has been deprecated.");
330 } else {
331 // Default attribute
332 $attributeName = 'eduPersonPrincipalName';
333 }
334
335 if (!array_key_exists($attributeName, $state['Attributes'])) {
336 return;
337 }
338
339 $uid = $state['Attributes'][$attributeName];
340 if (count($uid) === 0) {
341 SimpleSAML\Logger::warning('Empty user id attribute [' . $attributeName . '].');
342 return;
343 }
344
345 if (count($uid) > 1) {
346 SimpleSAML\Logger::warning('Multiple attribute values for user id attribute [' . $attributeName . '].');
347 return;
348 }
349
350 // TODO: the attribute value should be trimmed
351 $uid = $uid[0];
352
353 if (empty($uid)) {
354 SimpleSAML\Logger::warning('Empty value in attribute '.$attributeName.". on user. Cannot set UserID.");
355 return;
356 }
357 $state['UserID'] = $uid;
358 }
359
360}
$state
if(!array_key_exists('stateid', $_REQUEST)) $state
Handle linkback() response from LinkedIn.
Definition: linkback.php:10
php
An exception for terminatinating execution or to throw for unit testing.
SimpleSAML\Logger\warning
static warning($string)
Definition: Logger.php:179
SimpleSAML\Logger\debug
static debug($string)
Definition: Logger.php:213
SimpleSAML\Module\resolveClass
static resolveClass($id, $type, $subclass=null)
Resolve module class.
Definition: Module.php:252
SimpleSAML\Utils\HTTP\redirectTrustedURL
static redirectTrustedURL($url, $parameters=array())
This function redirects to the specified URL without performing any security checks.
Definition: HTTP.php:962
SimpleSAML_Auth_ProcessingChain
Definition: ProcessingChain.php:13
SimpleSAML_Auth_ProcessingChain\addUserID
static addUserID(&$state)
Definition: ProcessingChain.php:320
SimpleSAML_Auth_ProcessingChain\AUTHPARAM
const AUTHPARAM
The request parameter we will use to pass the state identifier when we redirect after having complete...
Definition: ProcessingChain.php:32
SimpleSAML_Auth_ProcessingChain\processState
processState(&$state)
Process the given state.
Definition: ProcessingChain.php:178
SimpleSAML_Auth_ProcessingChain\addFilters
static addFilters(&$target, $src)
Sort & merge filter configuration.
Definition: ProcessingChain.php:87
SimpleSAML_Auth_ProcessingChain\processStatePassive
processStatePassive(&$state)
Process the given state passivly.
Definition: ProcessingChain.php:277
SimpleSAML_Auth_ProcessingChain\parseFilterList
static parseFilterList($filterSrc)
Parse an array of authentication processing filters.
Definition: ProcessingChain.php:114
SimpleSAML_Auth_ProcessingChain\__construct
__construct($idpMetadata, $spMetadata, $mode='idp')
Initialize an authentication processing chain for the given service provider and identity provider.
Definition: ProcessingChain.php:48
SimpleSAML_Auth_ProcessingChain\FILTERS_INDEX
const FILTERS_INDEX
The list of remaining filters which should be applied to the state.
Definition: ProcessingChain.php:19
SimpleSAML_Auth_ProcessingChain\parseFilter
static parseFilter($config, $priority)
Parse an authentication processing filter.
Definition: ProcessingChain.php:145
SimpleSAML_Auth_ProcessingChain\fetchProcessedState
static fetchProcessedState($id)
Definition: ProcessingChain.php:310
SimpleSAML_Auth_ProcessingChain\$filters
$filters
All authentication processing filters, in the order they should be applied.
Definition: ProcessingChain.php:38
SimpleSAML_Auth_ProcessingChain\COMPLETED_STAGE
const COMPLETED_STAGE
The stage we use for completed requests.
Definition: ProcessingChain.php:25
SimpleSAML_Auth_ProcessingChain\resumeProcessing
static resumeProcessing($state)
Continues processing of the state.
Definition: ProcessingChain.php:224
SimpleSAML_Auth_State\deleteState
static deleteState(&$state)
Delete state.
Definition: State.php:319
SimpleSAML_Auth_State\throwException
static throwException($state, SimpleSAML_Error_Exception $exception)
Throw exception to the state exception handler.
Definition: State.php:343
SimpleSAML_Auth_State\saveState
static saveState(&$state, $stage, $rawId=false)
Save the state.
Definition: State.php:194
SimpleSAML_Auth_State\loadState
static loadState($id, $stage, $allowMissing=false)
Retrieve saved state.
Definition: State.php:259
SimpleSAML_Configuration\getInstance
static getInstance($instancename='simplesaml')
Get a configuration file by its instance name.
Definition: Configuration.php:297
SimpleSAML_Error_Exception
Definition: Exception.php:13
SimpleSAML_Error_NoPassive
Class SimpleSAML_Error_NoPassive.
Definition: NoPassive.php:12
SimpleSAML_Error_UnserializableException
Definition: UnserializableException.php:15
$i
$i
Definition: disco.tpl.php:19
$id
if(!array_key_exists('StateId', $_REQUEST)) $id
Definition: expirywarning.php:14
$idpMetadata
$idpMetadata
Definition: logout-iframe-post.php:26
$spMetadata
$spMetadata
Definition: logout-iframe-post.php:27