ILIAS  release_5-3 Revision v5.3.23-19-g915713cf615
Consent.php
Go to the documentation of this file.
1<?php
2
3
12class sspmod_consent_Auth_Process_Consent extends SimpleSAML_Auth_ProcessingFilter
13{
14
20 private $_focus = null;
21
27 private $_includeValues = false;
28
34 private $_checked = false;
35
41 private $_store = null;
42
48 private $_hiddenAttributes = array();
49
55 private $_noconsentattributes = array();
56
62 private $_showNoConsentAboutService = true;
63
64
75 public function __construct($config, $reserved)
76 {
77 assert('is_array($config)');
78 parent::__construct($config, $reserved);
79
80 if (array_key_exists('includeValues', $config)) {
81 if (!is_bool($config['includeValues'])) {
82 throw new SimpleSAML_Error_Exception(
83 'Consent: includeValues must be boolean. '.
84 var_export($config['includeValues'], true).' given.'
85 );
86 }
87 $this->_includeValues = $config['includeValues'];
88 }
89
90 if (array_key_exists('checked', $config)) {
91 if (!is_bool($config['checked'])) {
92 throw new SimpleSAML_Error_Exception(
93 'Consent: checked must be boolean. '.
94 var_export($config['checked'], true).' given.'
95 );
96 }
97 $this->_checked = $config['checked'];
98 }
99
100 if (array_key_exists('focus', $config)) {
101 if (!in_array($config['focus'], array('yes', 'no'), true)) {
102 throw new SimpleSAML_Error_Exception(
103 'Consent: focus must be a string with values `yes` or `no`. '.
104 var_export($config['focus'], true).' given.'
105 );
106 }
107 $this->_focus = $config['focus'];
108 }
109
110 if (array_key_exists('hiddenAttributes', $config)) {
111 if (!is_array($config['hiddenAttributes'])) {
112 throw new SimpleSAML_Error_Exception(
113 'Consent: hiddenAttributes must be an array. '.
114 var_export($config['hiddenAttributes'], true).' given.'
115 );
116 }
117 $this->_hiddenAttributes = $config['hiddenAttributes'];
118 }
119
120 if (array_key_exists('noconsentattributes', $config)) {
121 if (!is_array($config['noconsentattributes'])) {
122 throw new SimpleSAML_Error_Exception(
123 'Consent: noconsentattributes must be an array. '.
124 var_export($config['noconsentattributes'], true).' given.'
125 );
126 }
127 $this->_noconsentattributes = $config['noconsentattributes'];
128 }
129
130 if (array_key_exists('store', $config)) {
131 try {
132 $this->_store = sspmod_consent_Store::parseStoreConfig($config['store']);
133 } catch (Exception $e) {
134 SimpleSAML\Logger::error(
135 'Consent: Could not create consent storage: '.
136 $e->getMessage()
137 );
138 }
139 }
140
141 if (array_key_exists('showNoConsentAboutService', $config)) {
142 if (!is_bool($config['showNoConsentAboutService'])) {
143 throw new SimpleSAML_Error_Exception('Consent: showNoConsentAboutService must be a boolean.');
144 }
145 $this->_showNoConsentAboutService = $config['showNoConsentAboutService'];
146 }
147 }
148
149
158 private static function checkDisable($option, $entityId)
159 {
160 if (is_array($option)) {
161 // Check if consent.disable array has one element that is an array
162 if (count($option) === count($option, COUNT_RECURSIVE)) {
163 // Array is not multidimensional. Simple in_array search suffices
164 return in_array($entityId, $option, true);
165 }
166
167 // Array contains at least one element that is an array, verify both possibilities
168 if (in_array($entityId, $option, true)) {
169 return true;
170 }
171
172 // Search in multidimensional arrays
173 foreach ($option as $optionToTest) {
174 if (!is_array($optionToTest)) {
175 continue; // bad option
176 }
177
178 if (!array_key_exists('type', $optionToTest)) {
179 continue; // option has no type
180 }
181
182 // Option has a type - switch processing depending on type value :
183 if ($optionToTest['type'] === 'regex') {
184 // regex-based consent disabling
185
186 if (!array_key_exists('pattern', $optionToTest)) {
187 continue; // no pattern defined
188 }
189
190 if (preg_match($optionToTest['pattern'], $entityId) === 1) {
191 return true;
192 }
193 } else {
194 // option type is not supported
195 continue;
196 }
197 } // end foreach
198
199 // Base case : no match
200 return false;
201 } else {
202 return (boolean) $option;
203 }
204 }
205
206
219 public function process(&$state)
220 {
221 assert('is_array($state)');
222 assert('array_key_exists("UserID", $state)');
223 assert('array_key_exists("Destination", $state)');
224 assert('array_key_exists("entityid", $state["Destination"])');
225 assert('array_key_exists("metadata-set", $state["Destination"])');
226 assert('array_key_exists("entityid", $state["Source"])');
227 assert('array_key_exists("metadata-set", $state["Source"])');
228
229 $spEntityId = $state['Destination']['entityid'];
230 $idpEntityId = $state['Source']['entityid'];
231
232 $metadata = SimpleSAML_Metadata_MetaDataStorageHandler::getMetadataHandler();
233
240 if (isset($state['saml:sp:IdP'])) {
241 $idpEntityId = $state['saml:sp:IdP'];
242 $idpmeta = $metadata->getMetaData($idpEntityId, 'saml20-idp-remote');
243 $state['Source'] = $idpmeta;
244 }
245
246 $statsData = array('spEntityID' => $spEntityId);
247
248 // Do not use consent if disabled
249 if (isset($state['Source']['consent.disable']) &&
250 self::checkDisable($state['Source']['consent.disable'], $spEntityId)
251 ) {
252 SimpleSAML\Logger::debug('Consent: Consent disabled for entity '.$spEntityId.' with IdP '.$idpEntityId);
253 SimpleSAML_Stats::log('consent:disabled', $statsData);
254 return;
255 }
256 if (isset($state['Destination']['consent.disable']) &&
257 self::checkDisable($state['Destination']['consent.disable'], $idpEntityId)
258 ) {
259 SimpleSAML\Logger::debug('Consent: Consent disabled for entity '.$spEntityId.' with IdP '.$idpEntityId);
260 SimpleSAML_Stats::log('consent:disabled', $statsData);
261 return;
262 }
263
264 if ($this->_store !== null) {
265 $source = $state['Source']['metadata-set'].'|'.$idpEntityId;
266 $destination = $state['Destination']['metadata-set'].'|'.$spEntityId;
267 $attributes = $state['Attributes'];
268
269 // Remove attributes that do not require consent
270 foreach ($attributes as $attrkey => $attrval) {
271 if (in_array($attrkey, $this->_noconsentattributes, true)) {
272 unset($attributes[$attrkey]);
273 }
274 }
275
276 SimpleSAML\Logger::debug('Consent: userid: '.$state['UserID']);
277 SimpleSAML\Logger::debug('Consent: source: '.$source);
278 SimpleSAML\Logger::debug('Consent: destination: '.$destination);
279
280 $userId = self::getHashedUserID($state['UserID'], $source);
281 $targetedId = self::getTargetedID($state['UserID'], $source, $destination);
282 $attributeSet = self::getAttributeHash($attributes, $this->_includeValues);
283
284 SimpleSAML\Logger::debug(
285 'Consent: hasConsent() ['.$userId.'|'.$targetedId.'|'.
286 $attributeSet.']'
287 );
288
289 try {
290 if ($this->_store->hasConsent($userId, $targetedId, $attributeSet)) {
291 // Consent already given
292 SimpleSAML\Logger::stats('consent found');
293 SimpleSAML_Stats::log('consent:found', $statsData);
294 return;
295 }
296
297 SimpleSAML\Logger::stats('consent notfound');
298 SimpleSAML_Stats::log('consent:notfound', $statsData);
299
300 $state['consent:store'] = $this->_store;
301 $state['consent:store.userId'] = $userId;
302 $state['consent:store.destination'] = $targetedId;
303 $state['consent:store.attributeSet'] = $attributeSet;
304 } catch (Exception $e) {
305 SimpleSAML\Logger::error('Consent: Error reading from storage: '.$e->getMessage());
306 SimpleSAML\Logger::stats('Ccnsent failed');
307 SimpleSAML_Stats::log('consent:failed', $statsData);
308 }
309 } else {
310 SimpleSAML\Logger::stats('consent nostorage');
311 SimpleSAML_Stats::log('consent:nostorage', $statsData);
312 }
313
314 $state['consent:focus'] = $this->_focus;
315 $state['consent:checked'] = $this->_checked;
316 $state['consent:hiddenAttributes'] = $this->_hiddenAttributes;
317 $state['consent:noconsentattributes'] = $this->_noconsentattributes;
318 $state['consent:showNoConsentAboutService'] = $this->_showNoConsentAboutService;
319
320 // user interaction necessary. Throw exception on isPassive request
321 if (isset($state['isPassive']) && $state['isPassive'] === true) {
322 SimpleSAML_Stats::log('consent:nopassive', $statsData);
323 throw new SimpleSAML_Error_NoPassive('Unable to give consent on passive request.');
324 }
325
326 // Save state and redirect
327 $id = SimpleSAML_Auth_State::saveState($state, 'consent:request');
328 $url = SimpleSAML\Module::getModuleURL('consent/getconsent.php');
329 \SimpleSAML\Utils\HTTP::redirectTrustedURL($url, array('StateId' => $id));
330 }
331
332
341 public static function getHashedUserID($userid, $source)
342 {
343 return hash('sha1', $userid.'|'.SimpleSAML\Utils\Config::getSecretSalt().'|'.$source);
344 }
345
346
356 public static function getTargetedID($userid, $source, $destination)
357 {
358 return hash('sha1', $userid.'|'.SimpleSAML\Utils\Config::getSecretSalt().'|'.$source.'|'.$destination);
359 }
360
361
373 public static function getAttributeHash($attributes, $includeValues = false)
374 {
375 $hashBase = null;
376 if ($includeValues) {
377 ksort($attributes);
378 $hashBase = serialize($attributes);
379 } else {
380 $names = array_keys($attributes);
381 sort($names);
382 $hashBase = implode('|', $names);
383 }
384 return hash('sha1', $hashBase);
385 }
386}
$metadata
$metadata['__DYNAMIC:1__']
Definition: adfs-idp-hosted.php:3
$spEntityId
$spEntityId
Definition: attributeserver.php:14
$source
$source
Definition: linkback.php:22
$state
if(!array_key_exists('stateid', $_REQUEST)) $state
Handle linkback() response from LinkedIn.
Definition: linkback.php:10
php
An exception for terminatinating execution or to throw for unit testing.
SimpleSAML\Logger\stats
static stats($string)
Definition: Logger.php:224
SimpleSAML\Logger\error
static error($string)
Definition: Logger.php:168
SimpleSAML\Logger\debug
static debug($string)
Definition: Logger.php:213
SimpleSAML\Module\getModuleURL
static getModuleURL($resource, array $parameters=array())
Get absolute URL to a specified module resource.
Definition: Module.php:303
SimpleSAML\Utils\HTTP\redirectTrustedURL
static redirectTrustedURL($url, $parameters=array())
This function redirects to the specified URL without performing any security checks.
Definition: HTTP.php:962
SimpleSAML_Auth_ProcessingFilter
Definition: ProcessingFilter.php:21
SimpleSAML_Auth_State\saveState
static saveState(&$state, $stage, $rawId=false)
Save the state.
Definition: State.php:194
SimpleSAML_Error_Exception
Definition: Exception.php:13
SimpleSAML_Error_NoPassive
Class SimpleSAML_Error_NoPassive.
Definition: NoPassive.php:12
SimpleSAML_Metadata_MetaDataStorageHandler\getMetadataHandler
static getMetadataHandler()
This function retrieves the current instance of the metadata handler.
Definition: MetaDataStorageHandler.php:40
SimpleSAML_Stats\log
static log($event, array $data=array())
Notify about an event.
Definition: Stats.php:71
sspmod_consent_Auth_Process_Consent
Definition: Consent.php:13
sspmod_consent_Auth_Process_Consent\__construct
__construct($config, $reserved)
Initialize consent filter.
Definition: Consent.php:75
sspmod_consent_Auth_Process_Consent\$_checked
$_checked
Definition: Consent.php:34
sspmod_consent_Auth_Process_Consent\$_focus
$_focus
Definition: Consent.php:20
sspmod_consent_Auth_Process_Consent\checkDisable
static checkDisable($option, $entityId)
Helper function to check whether consent is disabled.
Definition: Consent.php:158
sspmod_consent_Auth_Process_Consent\$_includeValues
$_includeValues
Definition: Consent.php:27
sspmod_consent_Auth_Process_Consent\getHashedUserID
static getHashedUserID($userid, $source)
Generate a unique identifier of the user.
Definition: Consent.php:341
sspmod_consent_Auth_Process_Consent\process
process(&$state)
Process a authentication response.
Definition: Consent.php:219
sspmod_consent_Auth_Process_Consent\getTargetedID
static getTargetedID($userid, $source, $destination)
Generate a unique targeted identifier.
Definition: Consent.php:356
sspmod_consent_Auth_Process_Consent\$_store
$_store
Definition: Consent.php:41
sspmod_consent_Auth_Process_Consent\$_hiddenAttributes
$_hiddenAttributes
Definition: Consent.php:48
sspmod_consent_Auth_Process_Consent\$_noconsentattributes
$_noconsentattributes
Definition: Consent.php:55
sspmod_consent_Auth_Process_Consent\$_showNoConsentAboutService
$_showNoConsentAboutService
Definition: Consent.php:62
sspmod_consent_Auth_Process_Consent\getAttributeHash
static getAttributeHash($attributes, $includeValues=false)
Generate unique identifier for attributes.
Definition: Consent.php:373
sspmod_consent_Store\parseStoreConfig
static parseStoreConfig($config)
Parse consent storage configuration.
Definition: Store.php:122
$userid
if(empty($userids)) $userid
Definition: consentAdmin.php:120
$id
if(!array_key_exists('StateId', $_REQUEST)) $id
Definition: expirywarning.php:14
$idpmeta
$idpmeta
Definition: metadata.php:20
$entityId
if( $source===null) if(!($source instanceof sspmod_saml_Auth_Source_SP)) $entityId
Definition: metadata.php:22
$destination
$destination
Definition: saml2-logout.php:50
GuzzleHttp\Psr7\hash
hash(StreamInterface $stream, $algo, $rawOutput=false)
Calculate a hash of a Stream.
Definition: functions.php:406
SimpleSAML
Attribute-related utility methods.
$url
$url
Definition: proxy_ylocal.php:28
$idpEntityId
$idpEntityId
Definition: prp.php:12
$attributes
$attributes
Definition: serviceValidate.php:33