Inheritance diagram for sspmod_core_Auth_Process_AttributeLimit:

Collaboration diagram for sspmod_core_Auth_Process_AttributeLimit:

Public Member Functions
	__construct ($config, $reserved)
	Initialize this filter. More...

	process (&$request)
	Apply filter to remove attributes. More...

Public Member Functions inherited from SimpleSAML_Auth_ProcessingFilter
	__construct (&$config, $reserved)
	Constructor for a processing filter. More...

	process (&$request)
	Process a request. More...

Private Member Functions
	filterAttributeValues (array $values, array $allowedConfigValues)
	Perform the filtering of attributes. More...

Static Private Member Functions
static	getSPIdPAllowed (array &$request)
	Get list of allowed from the SP/IdP config. More...

Private Attributes
	$allowedAttributes = array()
	List of attributes which this filter will allow through. More...

	$isDefault = false

Additional Inherited Members
Data Fields inherited from SimpleSAML_Auth_ProcessingFilter
	$priority = 50
	Priority of this filter. More...

Detailed Description

Definition at line 9 of file AttributeLimit.php.

Constructor & Destructor Documentation

◆ __construct()

sspmod_core_Auth_Process_AttributeLimit::__construct	(	$config,
		$reserved
	)

Initialize this filter.

Parameters

array	$config	Configuration information about this filter.
mixed	$reserved	For future use

Exceptions

SimpleSAML_Error_Exception If invalid configuration is found.

Definition at line 32 of file AttributeLimit.php.

References $config, and $index.

                                                         {
                 parent::__construct($config, $reserved);
 
                 assert(is_array($config));
 
                 foreach ($config as $index => $value) {
                         if ($index === 'default') {
                                 $this->isDefault = (bool)$value;
                         } elseif (is_int($index)) {
                                 if (!is_string($value)) {
                                         throw new SimpleSAML_Error_Exception('AttributeLimit: Invalid attribute name: ' .
                         var_export($value, TRUE));
                                 }
                                 $this->allowedAttributes[] = $value;
             } elseif (is_string($index)) {
                 if (!is_array($value)) {
                     throw new SimpleSAML_Error_Exception('AttributeLimit: Values for ' . var_export($index, TRUE) .
                         ' must be specified in an array.');
                 }
                 $this->allowedAttributes[$index] = $value;
                         } else {
                                 throw new SimpleSAML_Error_Exception('AttributeLimit: Invalid option: ' . var_export($index, TRUE));
                         }
                 }
         }

Member Function Documentation

◆ filterAttributeValues()

sspmod_core_Auth_Process_AttributeLimit::filterAttributeValues	(	array	$values,
		array	$allowedConfigValues
	)

private

Perform the filtering of attributes.

Parameters

array	$values	The current values for a given attribute
array	$allowedConfigValues	The allowed values, and possibly configuration options.

Returns: array The filtered values

Definition at line 133 of file AttributeLimit.php.

References $index, and SimpleSAML\Logger\warning().

Referenced by process().

     {
         if (array_key_exists('regex', $allowedConfigValues) && $allowedConfigValues['regex'] === true) {
             $matchedValues = array();
             foreach ($allowedConfigValues as $option => $pattern) {
                 if (!is_int($option)) {
                     // Ignore any configuration options in $allowedConfig. e.g. regex=>true
                     continue;
                 }
                 foreach ($values as $index => $attributeValue) {
                     /* Suppress errors in preg_match since phpunit is set to fail on warnings, which
                        prevents us from testing with invalid regex.
                     */
                     $regexResult = @preg_match($pattern, $attributeValue);
                     if ($regexResult === false) {
                         \SimpleSAML\Logger::warning("Error processing regex '$pattern' on value '$attributeValue'");
                         break;
                     } elseif ($regexResult === 1) {
                         $matchedValues[] = $attributeValue;
                         // Remove matched value incase a subsequent regex also matches it.
                         unset($values[$index]);
                     }
                 }
             }
             return $matchedValues;
         } elseif (array_key_exists('ignoreCase', $allowedConfigValues) && $allowedConfigValues['ignoreCase'] === true) {
             unset($allowedConfigValues['ignoreCase']);
             return array_uintersect($values, $allowedConfigValues, "strcasecmp");
         }
         // The not true values for these options shouldn't leak through to array_intersect
         unset($allowedConfigValues['ignoreCase']);
         unset($allowedConfigValues['regex']);
 
         return array_intersect($values, $allowedConfigValues);
     }

Here is the call graph for this function:

Here is the caller graph for this function:

◆ getSPIdPAllowed()

static sspmod_core_Auth_Process_AttributeLimit::getSPIdPAllowed ( array & $request )

staticprivate

Get list of allowed from the SP/IdP config.

Parameters

array &$request The current request.

Returns: array|NULL Array with attribute names, or NULL if no limit is placed.

Definition at line 65 of file AttributeLimit.php.

                                                                  {
 
                 if (array_key_exists('attributes', $request['Destination'])) {
                         // SP Config
                         return $request['Destination']['attributes'];
                 }
                 if (array_key_exists('attributes', $request['Source'])) {
                         // IdP Config
                         return $request['Source']['attributes'];
                 }
                 return NULL;
         }

◆ process()

sspmod_core_Auth_Process_AttributeLimit::process ( & $request )

Apply filter to remove attributes.

Removes all attributes which aren't one of the allowed attributes.

Parameters

array &$request The current request

Exceptions

SimpleSAML_Error_Exception If invalid configuration is found.

Definition at line 87 of file AttributeLimit.php.

References $allowedAttributes, $attributes, $name, $request, $values, and filterAttributeValues().

                                            {
                 assert(is_array($request));
                 assert(array_key_exists('Attributes', $request));
 
                 if ($this->isDefault) {
                         $allowedAttributes = self::getSPIdPAllowed($request);
                         if ($allowedAttributes === NULL) {
                                 $allowedAttributes = $this->allowedAttributes;
                         }
                 } elseif (!empty($this->allowedAttributes)) {
                         $allowedAttributes = $this->allowedAttributes;
                 } else {
                         $allowedAttributes = self::getSPIdPAllowed($request);
                         if ($allowedAttributes === NULL) {
                                 return; /* No limit on attributes. */
                         }
                 }
 
                 $attributes =& $request['Attributes'];
 
                 foreach ($attributes as $name => $values) {
                         if (!in_array($name, $allowedAttributes, TRUE)) {
                 // the attribute name is not in the array of allowed attributes
                 if (array_key_exists($name, $allowedAttributes)) {
                     // but it is an index of the array
                     if (!is_array($allowedAttributes[$name])) {
                         throw new SimpleSAML_Error_Exception('AttributeLimit: Values for ' . var_export($name, TRUE) .
                             ' must be specified in an array.');
                     }
                     $attributes[$name] = $this->filterAttributeValues($attributes[$name], $allowedAttributes[$name]);
                     if (!empty($attributes[$name])) {
                         continue;
                     }
                 }
                 unset($attributes[$name]);
                         }
                 }
 
         }

Here is the call graph for this function:

Field Documentation

◆ $allowedAttributes

sspmod_core_Auth_Process_AttributeLimit::$allowedAttributes = array()

private

List of attributes which this filter will allow through.

Definition at line 14 of file AttributeLimit.php.

Referenced by process().

◆ $isDefault

sspmod_core_Auth_Process_AttributeLimit::$isDefault = false

private

Definition at line 22 of file AttributeLimit.php.

The documentation for this class was generated from the following file:

libs/composer/vendor/simplesamlphp/simplesamlphp/modules/core/lib/Auth/Process/AttributeLimit.php

Public Member Functions

Private Member Functions

Static Private Member Functions

Private Attributes

Additional Inherited Members

Detailed Description

Constructor & Destructor Documentation

◆ __construct()

Member Function Documentation

◆ filterAttributeValues()

◆ getSPIdPAllowed()

◆ process()

Field Documentation

◆ $allowedAttributes

◆ $isDefault