Processor.php

Go to the documentation of this file.

<?php

namespace SAML2\Response;

use Psr\Log\LoggerInterface;
use SAML2\Assertion\ProcessorBuilder;
use SAML2\Configuration\Destination;
use SAML2\Configuration\IdentityProvider;
use SAML2\Configuration\ServiceProvider;
use SAML2\Response;
use SAML2\Response\Exception\InvalidResponseException;
use SAML2\Response\Exception\NoAssertionsFoundException;
use SAML2\Response\Exception\PreconditionNotMetException;
use SAML2\Response\Exception\UnsignedResponseException;
use SAML2\Response\Validation\PreconditionValidator;
use SAML2\Signature\Validator;

class Processor
{
    private $logger;

    private $preconditionValidator;

    private $signatureValidator;

    private $assertionProcessor;

    private $responseIsSigned = false;

    public function __construct(LoggerInterface $logger)
    {
        $this->logger = $logger;

        $this->signatureValidator = new Validator($logger);
    }

    public function process(
        ServiceProvider $serviceProviderConfiguration,
        IdentityProvider $identityProviderConfiguration,
        Destination $currentDestination,
        Response $response
    ) {
        $this->preconditionValidator = new PreconditionValidator($currentDestination);
        $this->assertionProcessor = ProcessorBuilder::build(
            $this->logger,
            $this->signatureValidator,
            $currentDestination,
            $identityProviderConfiguration,
            $serviceProviderConfiguration,
            $response
        );

        $this->enforcePreconditions($response);
        $this->verifySignature($response, $identityProviderConfiguration);
        return $this->processAssertions($response);
    }

    private function enforcePreconditions(Response $response)
    {
        $result = $this->preconditionValidator->validate($response);

        if (!$result->isValid()) {
            throw PreconditionNotMetException::createFromValidationResult($result);
        }
    }

    private function verifySignature(
        Response $response,
        IdentityProvider $identityProviderConfiguration
    ) {
        if (!$response->isMessageConstructedWithSignature()) {
            $this->logger->info(sprintf(
                'SAMLResponse with id "%s" was not signed at root level, not attempting to verify the signature of the'
                . ' reponse itself',
                $response->getId()
            ));

            return;
        }

        $this->logger->info(sprintf(
            'Attempting to verify the signature of SAMLResponse with id "%s"',
            $response->getId()
        ));

        $this->responseIsSigned = true;

        if (!$this->signatureValidator->hasValidSignature($response, $identityProviderConfiguration)) {
            throw new InvalidResponseException();
        }
    }

    private function processAssertions(Response $response)
    {
        $assertions = $response->getAssertions();
        if (empty($assertions)) {
            throw new NoAssertionsFoundException('No assertions found in response from IdP.');
        }

        if (!$this->responseIsSigned) {
            foreach ($assertions as $assertion) {
                if (!$assertion->getWasSignedAtConstruction()) {
                    throw new UnsignedResponseException(
                        'Both the response and the assertion it contains are not signed.'
                    );
                }
            }
        }

        return $this->assertionProcessor->processAssertions($assertions);
    }
}