ILIAS  release_5-4 Revision v5.4.26-12-gabc799a52e6
AttributeLimit.php
Go to the documentation of this file.
1 <?php
2 
9 class sspmod_core_Auth_Process_AttributeLimit extends SimpleSAML_Auth_ProcessingFilter {
10 
14  private $allowedAttributes = array();
15 
16 
22  private $isDefault = false;
23 
24 
32  public function __construct($config, $reserved) {
33  parent::__construct($config, $reserved);
34 
35  assert(is_array($config));
36 
37  foreach ($config as $index => $value) {
38  if ($index === 'default') {
39  $this->isDefault = (bool)$value;
40  } elseif (is_int($index)) {
41  if (!is_string($value)) {
42  throw new SimpleSAML_Error_Exception('AttributeLimit: Invalid attribute name: ' .
43  var_export($value, TRUE));
44  }
45  $this->allowedAttributes[] = $value;
46  } elseif (is_string($index)) {
47  if (!is_array($value)) {
48  throw new SimpleSAML_Error_Exception('AttributeLimit: Values for ' . var_export($index, TRUE) .
49  ' must be specified in an array.');
50  }
51  $this->allowedAttributes[$index] = $value;
52  } else {
53  throw new SimpleSAML_Error_Exception('AttributeLimit: Invalid option: ' . var_export($index, TRUE));
54  }
55  }
56  }
57 
58 
65  private static function getSPIdPAllowed(array &$request) {
66 
67  if (array_key_exists('attributes', $request['Destination'])) {
68  // SP Config
69  return $request['Destination']['attributes'];
70  }
71  if (array_key_exists('attributes', $request['Source'])) {
72  // IdP Config
73  return $request['Source']['attributes'];
74  }
75  return NULL;
76  }
77 
78 
87  public function process(&$request) {
88  assert(is_array($request));
89  assert(array_key_exists('Attributes', $request));
90 
91  if ($this->isDefault) {
92  $allowedAttributes = self::getSPIdPAllowed($request);
93  if ($allowedAttributes === NULL) {
94  $allowedAttributes = $this->allowedAttributes;
95  }
96  } elseif (!empty($this->allowedAttributes)) {
97  $allowedAttributes = $this->allowedAttributes;
98  } else {
99  $allowedAttributes = self::getSPIdPAllowed($request);
100  if ($allowedAttributes === NULL) {
101  return; /* No limit on attributes. */
102  }
103  }
104 
105  $attributes =& $request['Attributes'];
106 
107  foreach ($attributes as $name => $values) {
108  if (!in_array($name, $allowedAttributes, TRUE)) {
109  // the attribute name is not in the array of allowed attributes
110  if (array_key_exists($name, $allowedAttributes)) {
111  // but it is an index of the array
112  if (!is_array($allowedAttributes[$name])) {
113  throw new SimpleSAML_Error_Exception('AttributeLimit: Values for ' . var_export($name, TRUE) .
114  ' must be specified in an array.');
115  }
116  $attributes[$name] = $this->filterAttributeValues($attributes[$name], $allowedAttributes[$name]);
117  if (!empty($attributes[$name])) {
118  continue;
119  }
120  }
121  unset($attributes[$name]);
122  }
123  }
124 
125  }
126 
133  private function filterAttributeValues(array $values, array $allowedConfigValues)
134  {
135  if (array_key_exists('regex', $allowedConfigValues) && $allowedConfigValues['regex'] === true) {
136  $matchedValues = array();
137  foreach ($allowedConfigValues as $option => $pattern) {
138  if (!is_int($option)) {
139  // Ignore any configuration options in $allowedConfig. e.g. regex=>true
140  continue;
141  }
142  foreach ($values as $index => $attributeValue) {
143  /* Suppress errors in preg_match since phpunit is set to fail on warnings, which
144  prevents us from testing with invalid regex.
145  */
146  $regexResult = @preg_match($pattern, $attributeValue);
147  if ($regexResult === false) {
148  \SimpleSAML\Logger::warning("Error processing regex '$pattern' on value '$attributeValue'");
149  break;
150  } elseif ($regexResult === 1) {
151  $matchedValues[] = $attributeValue;
152  // Remove matched value incase a subsequent regex also matches it.
153  unset($values[$index]);
154  }
155  }
156  }
157  return $matchedValues;
158  } elseif (array_key_exists('ignoreCase', $allowedConfigValues) && $allowedConfigValues['ignoreCase'] === true) {
159  unset($allowedConfigValues['ignoreCase']);
160  return array_uintersect($values, $allowedConfigValues, "strcasecmp");
161  }
162  // The not true values for these options shouldn't leak through to array_intersect
163  unset($allowedConfigValues['ignoreCase']);
164  unset($allowedConfigValues['regex']);
165 
166  return array_intersect($values, $allowedConfigValues);
167  }
168 }
$config
$config
Definition: bootstrap.php:15
$request
foreach($paths as $path) $request
Definition: asyncclient.php:32
sspmod_core_Auth_Process_AttributeLimit\getSPIdPAllowed
static getSPIdPAllowed(array &$request)
Get list of allowed from the SP/IdP config.
Definition: AttributeLimit.php:65
sspmod_core_Auth_Process_AttributeLimit\process
process(&$request)
Apply filter to remove attributes.
Definition: AttributeLimit.php:87
SimpleSAML_Error_Exception
Definition: Exception.php:12
$index
$index
Definition: metadata.php:60
sspmod_core_Auth_Process_AttributeLimit\$isDefault
$isDefault
Definition: AttributeLimit.php:22
SimpleSAML\Logger\warning
static warning($string)
Definition: Logger.php:177
$values
$values
Definition: testOperations.php:7
$attributes
if(array_key_exists('yes', $_REQUEST)) $attributes
Definition: getconsent.php:85
sspmod_core_Auth_Process_AttributeLimit\$allowedAttributes
$allowedAttributes
List of attributes which this filter will allow through.
Definition: AttributeLimit.php:14
$name
$name
Definition: client_example.php:35
sspmod_core_Auth_Process_AttributeLimit
Definition: AttributeLimit.php:9
sspmod_core_Auth_Process_AttributeLimit\__construct
__construct($config, $reserved)
Initialize this filter.
Definition: AttributeLimit.php:32
SimpleSAML_Auth_ProcessingFilter
Definition: ProcessingFilter.php:21
sspmod_core_Auth_Process_AttributeLimit\filterAttributeValues
filterAttributeValues(array $values, array $allowedConfigValues)
Perform the filtering of attributes.
Definition: AttributeLimit.php:133