sspmod_core_Auth_Process_AttributeLimit Class Reference

Inheritance diagram for sspmod_core_Auth_Process_AttributeLimit:

Collaboration diagram for sspmod_core_Auth_Process_AttributeLimit:

Public Member Functions
	__construct ($config, $reserved)
	process (&$request)
Public Member Functions inherited from SimpleSAML_Auth_ProcessingFilter
	__construct (&$config, $reserved)
	Constructor for a processing filter. More...
	process (&$request)
	Process a request. More...

Private Member Functions
	filterAttributeValues (array $values, array $allowedConfigValues)
	Perform the filtering of attributes. More...

Static Private Member Functions
static	getSPIdPAllowed (array &$request)
	Get list of allowed from the SP/IdP config. More...

Private Attributes
	$allowedAttributes = array()
	List of attributes which this filter will allow through. More...
	$isDefault = false

Additional Inherited Members
Data Fields inherited from SimpleSAML_Auth_ProcessingFilter
	$priority = 50
	Priority of this filter. More...

Detailed Description

Definition at line 9 of file AttributeLimit.php.

Constructor & Destructor Documentation

__construct()

sspmod_core_Auth_Process_AttributeLimit::__construct	(		$config,
			$reserved
	)

Initialize this filter.

@param array $config  Configuration information about this filter.
@param mixed $reserved  For future use

Exceptions

SimpleSAML_Error_Exception

If invalid configuration is found.

Definition at line 32 of file AttributeLimit.php.

                                                        {
                parent::__construct($config, $reserved);
 
                assert(is_array($config));
 
                foreach ($config as $index => $value) {
                        if ($index === 'default') {
                                $this->isDefault = (bool)$value;
                        } elseif (is_int($index)) {
                                if (!is_string($value)) {
                                        throw new SimpleSAML_Error_Exception('AttributeLimit: Invalid attribute name: ' .
                        var_export($value, TRUE));
                                }
                                $this->allowedAttributes[] = $value;
            } elseif (is_string($index)) {
                if (!is_array($value)) {
                    throw new SimpleSAML_Error_Exception('AttributeLimit: Values for ' . var_export($index, TRUE) .
                        ' must be specified in an array.');
                }
                $this->allowedAttributes[$index] = $value;
                        } else {
                                throw new SimpleSAML_Error_Exception('AttributeLimit: Invalid option: ' . var_export($index, TRUE));
                        }
                }
        }

References $config, and $index.

Member Function Documentation

filterAttributeValues()

sspmod_core_Auth_Process_AttributeLimit::filterAttributeValues ( array  $values, array  $allowedConfigValues  )

private

Perform the filtering of attributes.

Parameters

array	$values	The current values for a given attribute
array	$allowedConfigValues	The allowed values, and possibly configuration options.

Returns

array The filtered values

Definition at line 133 of file AttributeLimit.php.

    {
        if (array_key_exists('regex', $allowedConfigValues) && $allowedConfigValues['regex'] === true) {
            $matchedValues = array();
            foreach ($allowedConfigValues as $option => $pattern) {
                if (!is_int($option)) {
                    // Ignore any configuration options in $allowedConfig. e.g. regex=>true
                    continue;
                }
                foreach ($values as $index => $attributeValue) {
                    /* Suppress errors in preg_match since phpunit is set to fail on warnings, which
                       prevents us from testing with invalid regex.
                    */
                    $regexResult = @preg_match($pattern, $attributeValue);
                    if ($regexResult === false) {
                        \SimpleSAML\Logger::warning("Error processing regex '$pattern' on value '$attributeValue'");
                        break;
                    } elseif ($regexResult === 1) {
                        $matchedValues[] = $attributeValue;
                        // Remove matched value incase a subsequent regex also matches it.
                        unset($values[$index]);
                    }
                }
            }
            return $matchedValues;
        } elseif (array_key_exists('ignoreCase', $allowedConfigValues) && $allowedConfigValues['ignoreCase'] === true) {
            unset($allowedConfigValues['ignoreCase']);
            return array_uintersect($values, $allowedConfigValues, "strcasecmp");
        }
        // The not true values for these options shouldn't leak through to array_intersect
        unset($allowedConfigValues['ignoreCase']);
        unset($allowedConfigValues['regex']);
 
        return array_intersect($values, $allowedConfigValues);
    }

References $index, $values, and SimpleSAML\Logger\warning().

Referenced by process().

Here is the call graph for this function:

Here is the caller graph for this function:

getSPIdPAllowed()

static sspmod_core_Auth_Process_AttributeLimit::getSPIdPAllowed ( array &  $request )

staticprivate

Get list of allowed from the SP/IdP config.

Parameters

array

&$request

The current request.

Returns

array|NULL Array with attribute names, or NULL if no limit is placed.

Definition at line 65 of file AttributeLimit.php.

                                                                 {
 
                if (array_key_exists('attributes', $request['Destination'])) {
                        // SP Config
                        return $request['Destination']['attributes'];
                }
                if (array_key_exists('attributes', $request['Source'])) {
                        // IdP Config
                        return $request['Source']['attributes'];
                }
                return NULL;
        }

References $request.

Referenced by process().

Here is the caller graph for this function:

process()

sspmod_core_Auth_Process_AttributeLimit::process

(

&

$request

)

Apply filter to remove attributes.

Removes all attributes which aren't one of the allowed attributes.

@param array &$request  The current request

Exceptions

SimpleSAML_Error_Exception

If invalid configuration is found.

Reimplemented from SimpleSAML_Auth_ProcessingFilter.

Definition at line 87 of file AttributeLimit.php.

                                           {
                assert(is_array($request));
                assert(array_key_exists('Attributes', $request));
 
                if ($this->isDefault) {
                        $allowedAttributes = self::getSPIdPAllowed($request);
                        if ($allowedAttributes === NULL) {
                                $allowedAttributes = $this->allowedAttributes;
                        }
                } elseif (!empty($this->allowedAttributes)) {
                        $allowedAttributes = $this->allowedAttributes;
                } else {
                        $allowedAttributes = self::getSPIdPAllowed($request);
                        if ($allowedAttributes === NULL) {
                                return; /* No limit on attributes. */
                        }
                }
 
                $attributes =& $request['Attributes'];
 
                foreach ($attributes as $name => $values) {
                        if (!in_array($name, $allowedAttributes, TRUE)) {
                // the attribute name is not in the array of allowed attributes
                if (array_key_exists($name, $allowedAttributes)) {
                    // but it is an index of the array
                    if (!is_array($allowedAttributes[$name])) {
                        throw new SimpleSAML_Error_Exception('AttributeLimit: Values for ' . var_export($name, TRUE) .
                            ' must be specified in an array.');
                    }
                    $attributes[$name] = $this->filterAttributeValues($attributes[$name], $allowedAttributes[$name]);
                    if (!empty($attributes[$name])) {
                        continue;
                    }
                }
                unset($attributes[$name]);
                        }
                }
 
        }

References $allowedAttributes, $attributes, $name, $request, $values, filterAttributeValues(), and getSPIdPAllowed().

Here is the call graph for this function:

Field Documentation

$allowedAttributes

sspmod_core_Auth_Process_AttributeLimit::$allowedAttributes = array()

private

List of attributes which this filter will allow through.

Definition at line 14 of file AttributeLimit.php.

Referenced by process().

$isDefault

sspmod_core_Auth_Process_AttributeLimit::$isDefault = false

private

Definition at line 22 of file AttributeLimit.php.

---

The documentation for this class was generated from the following file:

• libs/composer/vendor/simplesamlphp/simplesamlphp/modules/core/lib/Auth/Process/AttributeLimit.php