d2/d8a/SOAPClient_8php_source.html

<?php


namespace SAML2;


use RobRichards\XMLSecLibs\XMLSecurityKey;

use SAML2\Exception\RuntimeException;

use SimpleSAML_Configuration;

use SimpleSAML_Utilities;


class SOAPClient

{

    const START_SOAP_ENVELOPE = '<soap-env:Envelope xmlns:soap-env="http://schemas.xmlsoap.org/soap/envelope/"><soap-env:Header/><soap-env:Body>';

    const END_SOAP_ENVELOPE = '</soap-env:Body></soap-env:Envelope>';


    public function send(Message $msg, SimpleSAML_Configuration $srcMetadata, SimpleSAML_Configuration $dstMetadata = null)

    {

        $issuer = $msg->getIssuer();


        $ctxOpts = array(

            'ssl' => array(

                'capture_peer_cert' => true,

                'allow_self_signed' => true

            ),

        );


        // Determine if we are going to do a MutualSSL connection between the IdP and SP  - Shoaib

        if ($srcMetadata->hasValue('saml.SOAPClient.certificate')) {

            $cert = $srcMetadata->getValue('saml.SOAPClient.certificate');

            if ($cert !== false) {

                $ctxOpts['ssl']['local_cert'] = SimpleSAML_Utilities::resolveCert(

                    $srcMetadata->getString('saml.SOAPClient.certificate')

                );

                if ($srcMetadata->hasValue('saml.SOAPClient.privatekey_pass')) {

                    $ctxOpts['ssl']['passphrase'] = $srcMetadata->getString('saml.SOAPClient.privatekey_pass');

                }

            }

        } else {

            /* Use the SP certificate and privatekey if it is configured. */

            $privateKey = SimpleSAML_Utilities::loadPrivateKey($srcMetadata);

            $publicKey = SimpleSAML_Utilities::loadPublicKey($srcMetadata);

            if ($privateKey !== null && $publicKey !== null && isset($publicKey['PEM'])) {

                $keyCertData = $privateKey['PEM'] . $publicKey['PEM'];

                $file = SimpleSAML_Utilities::getTempDir() . '/' . sha1($keyCertData) . '.pem';

                if (!file_exists($file)) {

                    SimpleSAML_Utilities::writeFile($file, $keyCertData);

                }

                $ctxOpts['ssl']['local_cert'] = $file;

                if (isset($privateKey['password'])) {

                    $ctxOpts['ssl']['passphrase'] = $privateKey['password'];

                }

            }

        }


        // do peer certificate verification

        if ($dstMetadata !== null) {

            $peerPublicKeys = $dstMetadata->getPublicKeys('signing', true);

            $certData = '';

            foreach ($peerPublicKeys as $key) {

                if ($key['type'] !== 'X509Certificate') {

                    continue;

                }

                $certData .= "-----BEGIN CERTIFICATE-----\n" .

                    chunk_split($key['X509Certificate'], 64) .

                    "-----END CERTIFICATE-----\n";

            }

            $peerCertFile = SimpleSAML_Utilities::getTempDir() . '/' . sha1($certData) . '.pem';

            if (!file_exists($peerCertFile)) {

                SimpleSAML_Utilities::writeFile($peerCertFile, $certData);

            }

            // create ssl context

            $ctxOpts['ssl']['verify_peer'] = true;

            $ctxOpts['ssl']['verify_depth'] = 1;

            $ctxOpts['ssl']['cafile'] = $peerCertFile;

        }


        if ($srcMetadata->hasValue('saml.SOAPClient.stream_context.ssl.peer_name')) {

            $ctxOpts['ssl']['peer_name'] = $srcMetadata->getString('saml.SOAPClient.stream_context.ssl.peer_name');

        }


        $context = stream_context_create($ctxOpts);

        if ($context === null) {

            throw new \Exception('Unable to create SSL stream context');

        }


        $options = array(

            'uri' => $issuer,

            'location' => $msg->getDestination(),

            'stream_context' => $context,

        );


        if ($srcMetadata->hasValue('saml.SOAPClient.proxyhost')) {

            $options['proxy_host'] = $srcMetadata->getValue('saml.SOAPClient.proxyhost');

        }


        if ($srcMetadata->hasValue('saml.SOAPClient.proxyport')) {

            $options['proxy_port'] = $srcMetadata->getValue('saml.SOAPClient.proxyport');

        }


        $x = new \SoapClient(null, $options);


        // Add soap-envelopes

        $request = $msg->toSignedXML();

        $request = self::START_SOAP_ENVELOPE . $request->ownerDocument->saveXML($request) . self::END_SOAP_ENVELOPE;


        Utils::getContainer()->debugMessage($request, 'out');


        $action = 'http://www.oasis-open.org/committees/security';

        $version = '1.1';

        $destination = $msg->getDestination();


        /* Perform SOAP Request over HTTP */

        $soapresponsexml = $x->__doRequest($request, $destination, $action, $version);

        if ($soapresponsexml === null || $soapresponsexml === "") {

            throw new \Exception('Empty SOAP response, check peer certificate.');

        }


        Utils::getContainer()->debugMessage($soapresponsexml, 'in');


        // Convert to SAML2\Message (\DOMElement)

        try {

            $dom = DOMDocumentFactory::fromString($soapresponsexml);

        } catch (RuntimeException $e) {

            throw new \Exception('Not a SOAP response.', 0, $e);

        }


        $soapfault = $this->getSOAPFault($dom);

        if (isset($soapfault)) {

            throw new \Exception($soapfault);

        }

        //Extract the message from the response

        $samlresponse = Utils::xpQuery($dom->firstChild, '/soap-env:Envelope/soap-env:Body/*[1]');

        $samlresponse = Message::fromXML($samlresponse[0]);


        /* Add validator to message which uses the SSL context. */

        self::addSSLValidator($samlresponse, $context);


        Utils::getContainer()->getLogger()->debug("Valid ArtifactResponse received from IdP");


        return $samlresponse;

    }


    private static function addSSLValidator(Message $msg, $context)

    {

        $options = stream_context_get_options($context);

        if (!isset($options['ssl']['peer_certificate'])) {

            return;

        }


        //$out = '';

        //openssl_x509_export($options['ssl']['peer_certificate'], $out);


        $key = openssl_pkey_get_public($options['ssl']['peer_certificate']);

        if ($key === false) {

            Utils::getContainer()->getLogger()->warning('Unable to get public key from peer certificate.');


            return;

        }


        $keyInfo = openssl_pkey_get_details($key);

        if ($keyInfo === false) {

            Utils::getContainer()->getLogger()->warning('Unable to get key details from public key.');


            return;

        }


        if (!isset($keyInfo['key'])) {

            Utils::getContainer()->getLogger()->warning('Missing key in public key details.');


            return;

        }


        $msg->addValidator(array('\SAML2\SOAPClient', 'validateSSL'), $keyInfo['key']);

    }


    public static function validateSSL($data, XMLSecurityKey $key)

    {

        assert(is_string($data));


        $keyInfo = openssl_pkey_get_details($key->key);

        if ($keyInfo === false) {

            throw new \Exception('Unable to get key details from XMLSecurityKey.');

        }


        if (!isset($keyInfo['key'])) {

            throw new \Exception('Missing key in public key details.');

        }


        if ($keyInfo['key'] !== $data) {

            Utils::getContainer()->getLogger()->debug('Key on SSL connection did not match key we validated against.');


            return;

        }


        Utils::getContainer()->getLogger()->debug('Message validated based on SSL certificate.');

    }


    /*

     * Extracts the SOAP Fault from SOAP message

     * @param $soapmessage Soap response needs to be type DOMDocument

     * @return $soapfaultstring string|null

     */

    private function getSOAPFault($soapMessage)

    {

        $soapFault = Utils::xpQuery($soapMessage->firstChild, '/soap-env:Envelope/soap-env:Body/soap-env:Fault');


        if (empty($soapFault)) {

            /* No fault. */


            return null;

        }

        $soapFaultElement = $soapFault[0];

        // There is a fault element but we haven't found out what the fault string is

        $soapFaultString = "Unknown fault string found";

        // find out the fault string

        $faultStringElement =   Utils::xpQuery($soapFaultElement, './soap-env:faultstring') ;

        if (!empty($faultStringElement)) {

            return $faultStringElement[0]->textContent;

        }


        return $soapFaultString;

    }

}

$issuer
catch(Exception $e) if(!($request instanceof \SAML2\ArtifactResolve)) $issuer
Definition: ArtifactResolutionService.php:48

$request
foreach($paths as $path) $request
Definition: asyncclient.php:32

$version
$version
Definition: build.php:27

php
An exception for terminatinating execution or to throw for unit testing.

RobRichards\XMLSecLibs\XMLSecurityKey
xmlseclibs.php
Definition: XMLSecurityKey.php:48

SAML2\Exception\RuntimeException
Named exception.
Definition: RuntimeException.php:9

SAML2\Message
Base class for all SAML 2 messages.
Definition: Message.php:19

SAML2\Message\toSignedXML
toSignedXML()
Convert this message to a signed XML document.
Definition: Message.php:481

SAML2\Message\getDestination
getDestination()
Retrieve the destination of this message.
Definition: Message.php:323

SAML2\Message\addValidator
addValidator($function, $data)
Add a method for validating this message.
Definition: Message.php:225

SAML2\Message\getIssuer
getIssuer()
Retrieve the issuer if this message.
Definition: Message.php:375

SAML2\SOAPClient
Definition: SOAPClient.php:17

SAML2\SOAPClient\validateSSL
static validateSSL($data, XMLSecurityKey $key)
Validate a SOAP message against the certificate on the SSL connection.
Definition: SOAPClient.php:203

SAML2\SOAPClient\send
send(Message $msg, SimpleSAML_Configuration $srcMetadata, SimpleSAML_Configuration $dstMetadata=null)
This function sends the SOAP message to the service location and returns SOAP response.
Definition: SOAPClient.php:30

SAML2\SOAPClient\getSOAPFault
getSOAPFault($soapMessage)
Definition: SOAPClient.php:230

SAML2\SOAPClient\addSSLValidator
static addSSLValidator(Message $msg, $context)
Add a signature validator based on a SSL context.
Definition: SOAPClient.php:163

SimpleSAML_Configuration
Definition: Configuration.php:12

SimpleSAML_Configuration\getString
getString($name, $default=self::REQUIRED_OPTION)
This function retrieves a string configuration option.
Definition: Configuration.php:702

SimpleSAML_Configuration\getValue
getValue($name, $default=null)
Retrieve a configuration option set in config.php.
Definition: Configuration.php:433

SimpleSAML_Configuration\hasValue
hasValue($name)
Check whether a key in the configuration exists or not.
Definition: Configuration.php:457

SimpleSAML_Utilities
Definition: Utilities.php:13

SimpleSAML_Utilities\loadPrivateKey
static loadPrivateKey(SimpleSAML_Configuration $metadata, $required=false, $prefix='')
Definition: Utilities.php:475

SimpleSAML_Utilities\loadPublicKey
static loadPublicKey(SimpleSAML_Configuration $metadata, $required=false, $prefix='')
Definition: Utilities.php:466

SimpleSAML_Utilities\resolveCert
static resolveCert($path)
Definition: Utilities.php:457

SimpleSAML_Utilities\writeFile
static writeFile($filename, $data, $mode=0600)
Definition: Utilities.php:602

SimpleSAML_Utilities\getTempDir
static getTempDir()
Definition: Utilities.php:611

$x
$x
Definition: complexTest.php:9

$action
$action
Definition: consentAdmin.php:140

$key
$key
Definition: croninfo.php:18

$destination
$destination
Definition: saml2-logout.php:50

PHPMailer\PHPMailer\$options
$options
Definition: get_oauth_token.php:91

SAML2
Definition: ArtifactResolve.php:3

$data
$data
Definition: bench.php:6

$context
$context
Definition: webdav.php:25