ILIAS  release_5-4 Revision v5.4.26-12-gabc799a52e6
AttributeLimit.php
1<?php
2
10
/**
 * List of attributes which this filter will allow through.
 *
 * Integer-keyed entries are attribute names that pass unfiltered; string-keyed
 * entries map an attribute name to the array describing which of its values
 * are allowed (see the constructor's validation of the configuration).
 */
private $allowedAttributes = array();

/**
 * Value of the 'default' configuration option, cast to bool.
 *
 * process() consults this flag when deciding between this filter's own list
 * and the 'attributes' entry of the SP/IdP metadata.
 */
private $isDefault = false;
23
24
/**
 * Build the filter from its configuration array.
 *
 * Accepted entries:
 *  - 'default' => value     stored as a bool in $this->isDefault;
 *  - int key   => string    an attribute name allowed with any value;
 *  - string key => array    an attribute name with the array of allowed values/options.
 *
 * @param array $config   Configuration for this filter.
 * @param mixed $reserved Passed through to the parent constructor.
 *
 * @throws SimpleSAML_Error_Exception If an entry does not have one of the shapes above.
 */
public function __construct($config, $reserved)
{
    parent::__construct($config, $reserved);

    assert(is_array($config));

    foreach ($config as $key => $entry) {
        if ($key === 'default') {
            // Plain (bool) cast: any non-empty string other than '0' (including
            // the string 'false') evaluates to true, so configure a real boolean.
            $this->isDefault = (bool)$entry;
            continue;
        }

        if (is_int($key)) {
            // Positional entry: must be the name of an allowed attribute.
            if (!is_string($entry)) {
                throw new SimpleSAML_Error_Exception(
                    'AttributeLimit: Invalid attribute name: ' . var_export($entry, TRUE)
                );
            }
            $this->allowedAttributes[] = $entry;
            continue;
        }

        if (!is_string($key)) {
            throw new SimpleSAML_Error_Exception('AttributeLimit: Invalid option: ' . var_export($key, TRUE));
        }

        // Named entry: attribute name => array of allowed values (and options).
        if (!is_array($entry)) {
            throw new SimpleSAML_Error_Exception(
                'AttributeLimit: Values for ' . var_export($key, TRUE) . ' must be specified in an array.'
            );
        }
        $this->allowedAttributes[$key] = $entry;
    }
}
57
58
/**
 * Get the list of allowed attributes from the SP/IdP config.
 *
 * The 'attributes' entry of $request['Destination'] (SP config) wins over the
 * one in $request['Source'] (IdP config). Both 'Destination' and 'Source' are
 * expected to be present as arrays; this method does not check for them.
 *
 * @param array &$request The current request.
 *
 * @return mixed The configured 'attributes' value, or NULL if neither side defines one.
 */
private static function getSPIdPAllowed(array &$request)
{
    // Order matters: SP config first, then IdP config.
    foreach (array('Destination', 'Source') as $side) {
        if (array_key_exists('attributes', $request[$side])) {
            return $request[$side]['attributes'];
        }
    }

    return NULL;
}
77
78
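/**
 * Remove every attribute, and every attribute value, that is not allowed.
 *
 * $request['Attributes'] is modified in place. An attribute survives if its
 * name is listed as a plain entry of the allowed list, or if it is a key of
 * the allowed list and at least one of its values passes
 * filterAttributeValues().
 *
 * Which allowed list is used:
 *  - 'default' set: the SP/IdP 'attributes' metadata, falling back to this
 *    filter's own list when the metadata defines none;
 *  - otherwise, this filter's own list when it is non-empty;
 *  - otherwise the SP/IdP metadata, and if that defines none either the
 *    request is left untouched.
 *
 * @param array &$request The current request.
 *
 * @throws SimpleSAML_Error_Exception If the allowed values for an attribute are not an array.
 */
public function process(&$request)
{
    assert(is_array($request));
    assert(array_key_exists('Attributes', $request));

    // NOTE(review): the rendered listing this block was taken from had lost
    // source lines 92, 94, 97, 99 and 116, leaving $allowedAttributes
    // unassigned and filterAttributeValues() uncalled. The assignments and
    // the call below are reconstructed from the surrounding logic -- confirm
    // against the upstream file.
    if ($this->isDefault) {
        $allowedAttributes = self::getSPIdPAllowed($request);
        if ($allowedAttributes === NULL) {
            $allowedAttributes = $this->allowedAttributes;
        }
    } elseif (!empty($this->allowedAttributes)) {
        $allowedAttributes = $this->allowedAttributes;
    } else {
        $allowedAttributes = self::getSPIdPAllowed($request);
        if ($allowedAttributes === NULL) {
            // Fail-open: with an empty filter configuration and no
            // 'attributes' entry in the SP/IdP metadata, every attribute is
            // released. Configure an explicit list where release must be
            // restricted.
            return; /* No limit on attributes. */
        }
    }

    $attributes =& $request['Attributes'];

    foreach ($attributes as $name => $values) {
        if (in_array($name, $allowedAttributes, TRUE)) {
            // Listed by name: all values are released.
            continue;
        }

        // the attribute name is not in the array of allowed attributes
        if (array_key_exists($name, $allowedAttributes)) {
            // but it is an index of the array
            if (!is_array($allowedAttributes[$name])) {
                throw new SimpleSAML_Error_Exception(
                    'AttributeLimit: Values for ' . var_export($name, TRUE) . ' must be specified in an array.'
                );
            }
            $attributes[$name] = $this->filterAttributeValues($attributes[$name], $allowedAttributes[$name]);
            if (!empty($attributes[$name])) {
                continue;
            }
        }

        // Not allowed, or no value survived the value filter.
        unset($attributes[$name]);
    }
}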
126
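/**
 * Perform the filtering of attribute values.
 *
 * The matching mode is selected by option keys inside $allowedConfigValues:
 *  - 'regex' => true: every integer-keyed entry is a PCRE pattern and a value
 *    is kept when preg_match() returns 1 for any pattern;
 *  - 'ignoreCase' => true: values are compared with strcasecmp();
 *  - otherwise: values are compared with array_intersect().
 *
 * @param array $values              The current values of the attribute.
 * @param array $allowedConfigValues The allowed values/patterns plus the option keys.
 *
 * @return array The values that are allowed. Regex mode returns a freshly
 *               indexed list; the other modes keep the keys of $values.
 */
private function filterAttributeValues(array $values, array $allowedConfigValues)
{
    if (array_key_exists('regex', $allowedConfigValues) && $allowedConfigValues['regex'] === true) {
        $matchedValues = array();
        foreach ($allowedConfigValues as $option => $pattern) {
            if (!is_int($option)) {
                // Ignore any configuration options in $allowedConfig. e.g. regex=>true
                continue;
            }
            // preg_match() reports a match anywhere in the value, so a pattern
            // meant to constrain the whole value has to be anchored (^...$)
            // in the configuration.
            foreach ($values as $index => $attributeValue) {
                /* Suppress errors in preg_match since phpunit is set to fail on warnings, which
                   prevents us from testing with invalid regex.
                 */
                $regexResult = @preg_match($pattern, $attributeValue);
                if ($regexResult === false) {
                    // NOTE(review): the raw attribute value is written to the
                    // log here; consider whether values may be sensitive.
                    \SimpleSAML\Logger::warning("Error processing regex '$pattern' on value '$attributeValue'");
                    // A failing pattern matches nothing; move on to the next pattern.
                    break;
                } elseif ($regexResult === 1) {
                    $matchedValues[] = $attributeValue;
                    // Remove matched value in case a subsequent regex also matches it.
                    unset($values[$index]);
                }
            }
        }
        return $matchedValues;
    } elseif (array_key_exists('ignoreCase', $allowedConfigValues) && $allowedConfigValues['ignoreCase'] === true) {
        // Drop both option keys before comparing. A leftover 'regex' => false
        // would be compared as an allowed value, and strcasecmp() treats
        // false as '', letting an empty attribute value through.
        unset($allowedConfigValues['ignoreCase'], $allowedConfigValues['regex']);
        return array_uintersect($values, $allowedConfigValues, "strcasecmp");
    }
    // The not true values for these options shouldn't leak through to array_intersect
    unset($allowedConfigValues['ignoreCase'], $allowedConfigValues['regex']);

    return array_intersect($values, $allowedConfigValues);
}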
168}