Inheritance diagram for sspmod_consent_Auth_Process_Consent:

Collaboration diagram for sspmod_consent_Auth_Process_Consent:

Public Member Functions
	__construct ($config, $reserved)
	Initialize consent filter. More...

	process (&$state)
	Process a authentication response. More...

Public Member Functions inherited from SimpleSAML_Auth_ProcessingFilter
	__construct (&$config, $reserved)
	Constructor for a processing filter. More...

	process (&$request)
	Process a request. More...

Static Public Member Functions
static	getHashedUserID ($userid, $source)
	Generate a unique identifier of the user. More...

static	getTargetedID ($userid, $source, $destination)
	Generate a unique targeted identifier. More...

static	getAttributeHash ($attributes, $includeValues=false)
	Generate unique identifier for attributes. More...

Static Private Member Functions
static	checkDisable ($option, $entityId)
	Helper function to check whether consent is disabled. More...

Private Attributes
	$_focus = null

	$_includeValues = false

	$_checked = false

	$_store = null

	$_hiddenAttributes = array()

	$_noconsentattributes = array()

	$_showNoConsentAboutService = true

Additional Inherited Members
Data Fields inherited from SimpleSAML_Auth_ProcessingFilter
	$priority = 50
	Priority of this filter. More...

Detailed Description

Definition at line 12 of file Consent.php.

Constructor & Destructor Documentation

◆ __construct()

sspmod_consent_Auth_Process_Consent::__construct	(	$config,
		$reserved
	)

Initialize consent filter.

Validates and parses the configuration.

Parameters

array	$config	Configuration information.
mixed	$reserved	For future use.

Exceptions

SimpleSAML_Error_Exception if the configuration is not valid.

Definition at line 75 of file Consent.php.

    {
        assert('is_array($config)');
        parent::__construct($config, $reserved);
 
        if (array_key_exists('includeValues', $config)) {
            if (!is_bool($config['includeValues'])) {
                throw new SimpleSAML_Error_Exception(
                    'Consent: includeValues must be boolean. '.
                    var_export($config['includeValues'], true).' given.'
                );
            }
            $this->_includeValues = $config['includeValues'];
        }
 
        if (array_key_exists('checked', $config)) {
            if (!is_bool($config['checked'])) {
                throw new SimpleSAML_Error_Exception(
                    'Consent: checked must be boolean. '.
                    var_export($config['checked'], true).' given.'
                );
            }
            $this->_checked = $config['checked'];
        }
 
        if (array_key_exists('focus', $config)) {
            if (!in_array($config['focus'], array('yes', 'no'), true)) {
                throw new SimpleSAML_Error_Exception(
                    'Consent: focus must be a string with values `yes` or `no`. '.
                    var_export($config['focus'], true).' given.'
                );
            }
            $this->_focus = $config['focus'];
        }
 
        if (array_key_exists('hiddenAttributes', $config)) {
            if (!is_array($config['hiddenAttributes'])) {
                throw new SimpleSAML_Error_Exception(
                    'Consent: hiddenAttributes must be an array. '.
                    var_export($config['hiddenAttributes'], true).' given.'
                );
            }
            $this->_hiddenAttributes = $config['hiddenAttributes'];
        }
 
        if (array_key_exists('noconsentattributes', $config)) {
            if (!is_array($config['noconsentattributes'])) {
                throw new SimpleSAML_Error_Exception(
                    'Consent: noconsentattributes must be an array. '.
                    var_export($config['noconsentattributes'], true).' given.'
                );
            }
            $this->_noconsentattributes = $config['noconsentattributes'];
        }
 
        if (array_key_exists('store', $config)) {
            try {
                $this->_store = sspmod_consent_Store::parseStoreConfig($config['store']);
            } catch (Exception $e) {
                SimpleSAML\Logger::error(
                    'Consent: Could not create consent storage: '.
                    $e->getMessage()
                );
            }
        }
 
        if (array_key_exists('showNoConsentAboutService', $config)) {
            if (!is_bool($config['showNoConsentAboutService'])) {
                throw new SimpleSAML_Error_Exception('Consent: showNoConsentAboutService must be a boolean.');
            }
            $this->_showNoConsentAboutService = $config['showNoConsentAboutService'];
        }
    }

References $config, SimpleSAML\Logger\error(), and sspmod_consent_Store\parseStoreConfig().

Here is the call graph for this function:

Member Function Documentation

◆ checkDisable()

static sspmod_consent_Auth_Process_Consent::checkDisable	(	$option,
		$entityId
	)

staticprivate

Helper function to check whether consent is disabled.

Parameters

mixed	$option	The consent.disable option. Either an array of array, an array or a boolean.
string	$entityId	The entityID of the SP/IdP.

Returns: boolean True if disabled, false if not.

Definition at line 158 of file Consent.php.

    {
        if (is_array($option)) {
            // Check if consent.disable array has one element that is an array
            if (count($option) === count($option, COUNT_RECURSIVE)) {
                // Array is not multidimensional.  Simple in_array search suffices
                return in_array($entityId, $option, true);
            }
 
            // Array contains at least one element that is an array, verify both possibilities
            if (in_array($entityId, $option, true)) {
                return true;
            }
 
            // Search in multidimensional arrays
            foreach ($option as $optionToTest) {
                if (!is_array($optionToTest)) {
                    continue; // bad option
                }
 
                if (!array_key_exists('type', $optionToTest)) {
                    continue; // option has no type
                }
 
                // Option has a type - switch processing depending on type value :
                if ($optionToTest['type'] === 'regex') {
                    // regex-based consent disabling
 
                    if (!array_key_exists('pattern', $optionToTest)) {
                        continue; // no pattern defined
                    }
 
                    if (preg_match($optionToTest['pattern'], $entityId) === 1) {
                        return true;
                    }
                } else {
                    // option type is not supported
                    continue;
                }
            } // end foreach
 
            // Base case : no match
            return false;
        } else {
            return (boolean) $option;
        }
    }

References $entityId.

◆ getAttributeHash()

static sspmod_consent_Auth_Process_Consent::getAttributeHash	(	$attributes,
		$includeValues = `false`
	)

static

Generate unique identifier for attributes.

Create a hash value for the attributes that changes when attributes are added or removed. If the attribute values are included in the hash, the hash will change if the values change.

Parameters

string	$attributes	The attributes.
bool	$includeValues	Whether or not to include the attribute value in the generation of the hash.

Returns: string SHA1 of the user id, source id, destination id and salt.

Definition at line 373 of file Consent.php.

    {
        $hashBase = null;
        if ($includeValues) {
            ksort($attributes);
            $hashBase = serialize($attributes);
        } else {
            $names = array_keys($attributes);
            sort($names);
            $hashBase = implode('|', $names);
        }
        return hash('sha1', $hashBase);
    }

References $attributes, $names, and GuzzleHttp\Psr7\hash().

Referenced by driveProcessingChain(), and process().

Here is the call graph for this function:

Here is the caller graph for this function:

◆ getHashedUserID()

static sspmod_consent_Auth_Process_Consent::getHashedUserID	(	$userid,
		$source
	)

static

Generate a unique identifier of the user.

Parameters

string	$userid	The user id.
string	$source	The source id.

Returns: string SHA1 of the user id, source id and salt.

Definition at line 341 of file Consent.php.

    {
        return hash('sha1', $userid.'|'.SimpleSAML\Utils\Config::getSecretSalt().'|'.$source);
    }

References $source, $userid, and GuzzleHttp\Psr7\hash().

Referenced by process().

Here is the call graph for this function:

Here is the caller graph for this function:

◆ getTargetedID()

static sspmod_consent_Auth_Process_Consent::getTargetedID	(	$userid,
		$source,
		$destination
	)

static

Generate a unique targeted identifier.

Parameters

string	$userid	The user id.
string	$source	The source id.
string	$destination	The destination id.

Returns: string SHA1 of the user id, source id, destination id and salt.

Definition at line 356 of file Consent.php.

    {
        return hash('sha1', $userid.'|'.SimpleSAML\Utils\Config::getSecretSalt().'|'.$source.'|'.$destination);
    }

References $destination, $source, $userid, and GuzzleHttp\Psr7\hash().

Referenced by driveProcessingChain(), and process().

Here is the call graph for this function:

Here is the caller graph for this function:

◆ process()

sspmod_consent_Auth_Process_Consent::process ( & $state )

Process a authentication response.

This function saves the state, and redirects the user to the page where the user can authorize the release of the attributes. If storage is used and the consent has already been given the user is passed on.

Parameters

array &$state The state of the response.

Returns: void

Exceptions

SimpleSAML_Error_NoPassive if the request was passive and consent is needed.

If the consent module is active on a bridge $state['saml:sp:IdP'] will contain an entry id for the remote IdP. If not, then the consent module is active on a local IdP and nothing needs to be done.

Reimplemented from SimpleSAML_Auth_ProcessingFilter.

Definition at line 219 of file Consent.php.

    {
        assert('is_array($state)');
        assert('array_key_exists("UserID", $state)');
        assert('array_key_exists("Destination", $state)');
        assert('array_key_exists("entityid", $state["Destination"])');
        assert('array_key_exists("metadata-set", $state["Destination"])');
        assert('array_key_exists("entityid", $state["Source"])');
        assert('array_key_exists("metadata-set", $state["Source"])');
 
        $spEntityId = $state['Destination']['entityid'];
        $idpEntityId = $state['Source']['entityid'];
 
        $metadata = SimpleSAML_Metadata_MetaDataStorageHandler::getMetadataHandler();
 
        if (isset($state['saml:sp:IdP'])) {
            $idpEntityId = $state['saml:sp:IdP'];
            $idpmeta = $metadata->getMetaData($idpEntityId, 'saml20-idp-remote');
            $state['Source'] = $idpmeta;
        }
 
        $statsData = array('spEntityID' => $spEntityId);
 
        // Do not use consent if disabled
        if (isset($state['Source']['consent.disable']) &&
            self::checkDisable($state['Source']['consent.disable'], $spEntityId)
        ) {
            SimpleSAML\Logger::debug('Consent: Consent disabled for entity '.$spEntityId.' with IdP '.$idpEntityId);
            SimpleSAML_Stats::log('consent:disabled', $statsData);
            return;
        }
        if (isset($state['Destination']['consent.disable']) &&
            self::checkDisable($state['Destination']['consent.disable'], $idpEntityId)
        ) {
            SimpleSAML\Logger::debug('Consent: Consent disabled for entity '.$spEntityId.' with IdP '.$idpEntityId);
            SimpleSAML_Stats::log('consent:disabled', $statsData);
            return;
        }
 
        if ($this->_store !== null) {
            $source = $state['Source']['metadata-set'].'|'.$idpEntityId;
            $destination = $state['Destination']['metadata-set'].'|'.$spEntityId;
            $attributes = $state['Attributes'];
 
            // Remove attributes that do not require consent
            foreach ($attributes as $attrkey => $attrval) {
                if (in_array($attrkey, $this->_noconsentattributes, true)) {
                    unset($attributes[$attrkey]);
                }
            }
 
            SimpleSAML\Logger::debug('Consent: userid: '.$state['UserID']);
            SimpleSAML\Logger::debug('Consent: source: '.$source);
            SimpleSAML\Logger::debug('Consent: destination: '.$destination);
 
            $userId = self::getHashedUserID($state['UserID'], $source);
            $targetedId = self::getTargetedID($state['UserID'], $source, $destination);
            $attributeSet = self::getAttributeHash($attributes, $this->_includeValues);
 
            SimpleSAML\Logger::debug(
                'Consent: hasConsent() ['.$userId.'|'.$targetedId.'|'.
                $attributeSet.']'
            );
 
            try {
                if ($this->_store->hasConsent($userId, $targetedId, $attributeSet)) {
                    // Consent already given
                    SimpleSAML\Logger::stats('consent found');
                    SimpleSAML_Stats::log('consent:found', $statsData);
                    return;
                }
 
                SimpleSAML\Logger::stats('consent notfound');
                SimpleSAML_Stats::log('consent:notfound', $statsData);
 
                $state['consent:store'] = $this->_store;
                $state['consent:store.userId'] = $userId;
                $state['consent:store.destination'] = $targetedId;
                $state['consent:store.attributeSet'] = $attributeSet;
            } catch (Exception $e) {
                SimpleSAML\Logger::error('Consent: Error reading from storage: '.$e->getMessage());
                SimpleSAML\Logger::stats('Ccnsent failed');
                SimpleSAML_Stats::log('consent:failed', $statsData);
            }
        } else {
            SimpleSAML\Logger::stats('consent nostorage');
            SimpleSAML_Stats::log('consent:nostorage', $statsData);
        }
 
        $state['consent:focus'] = $this->_focus;
        $state['consent:checked'] = $this->_checked;
        $state['consent:hiddenAttributes'] = $this->_hiddenAttributes;
        $state['consent:noconsentattributes'] = $this->_noconsentattributes;
        $state['consent:showNoConsentAboutService'] = $this->_showNoConsentAboutService;
 
        // user interaction necessary. Throw exception on isPassive request
        if (isset($state['isPassive']) && $state['isPassive'] === true) {
            SimpleSAML_Stats::log('consent:nopassive', $statsData);
            throw new SimpleSAML_Error_NoPassive('Unable to give consent on passive request.');
        }
 
        // Save state and redirect
        $id = SimpleSAML_Auth_State::saveState($state, 'consent:request');
        $url = SimpleSAML\Module::getModuleURL('consent/getconsent.php');
        \SimpleSAML\Utils\HTTP::redirectTrustedURL($url, array('StateId' => $id));
    }

References $_checked, $_focus, $_hiddenAttributes, $_noconsentattributes, $_showNoConsentAboutService, $_store, $attributes, $destination, $id, $idpEntityId, $idpmeta, $metadata, $source, $spEntityId, $state, $url, SimpleSAML\Logger\debug(), SimpleSAML\Logger\error(), getAttributeHash(), getHashedUserID(), SimpleSAML_Metadata_MetaDataStorageHandler\getMetadataHandler(), SimpleSAML\Module\getModuleURL(), getTargetedID(), SimpleSAML_Stats\log(), SimpleSAML\Utils\HTTP\redirectTrustedURL(), SimpleSAML_Auth_State\saveState(), and SimpleSAML\Logger\stats().

Here is the call graph for this function:

The documentation for this class was generated from the following file:

libs/composer/vendor/simplesamlphp/simplesamlphp/modules/consent/lib/Auth/Process/Consent.php

Public Member Functions

Static Public Member Functions

Static Private Member Functions

Private Attributes

Additional Inherited Members

Detailed Description

Constructor & Destructor Documentation

◆ __construct()

Member Function Documentation

◆ checkDisable()

◆ getAttributeHash()

◆ getHashedUserID()

◆ getTargetedID()

◆ process()

Field Documentation

◆ $_checked

◆ $_focus

◆ $_hiddenAttributes

◆ $_includeValues

◆ $_noconsentattributes

◆ $_showNoConsentAboutService

◆ $_store