sspmod_consent_Auth_Process_Consent Class Reference

Inheritance diagram for sspmod_consent_Auth_Process_Consent:

Collaboration diagram for sspmod_consent_Auth_Process_Consent:

Public Member Functions
	__construct ($config, $reserved)
	Initialize consent filter. More...
	process (&$state)
	Process a authentication response. More...
Public Member Functions inherited from SimpleSAML_Auth_ProcessingFilter
	__construct (&$config, $reserved)
	Constructor for a processing filter. More...
	process (&$request)
	Process a request. More...

Static Public Member Functions
static	getHashedUserID ($userid, $source)
	Generate a unique identifier of the user. More...
static	getTargetedID ($userid, $source, $destination)
	Generate a unique targeted identifier. More...
static	getAttributeHash ($attributes, $includeValues=false)
	Generate unique identifier for attributes. More...

Static Private Member Functions
static	checkDisable ($option, $entityId)
	Helper function to check whether consent is disabled. More...

Private Attributes
	$_focus = null
	$_includeValues = false
	$_checked = false
	$_store = null
	$_hiddenAttributes = array()
	$_noconsentattributes = array()
	$_showNoConsentAboutService = true

Additional Inherited Members
Data Fields inherited from SimpleSAML_Auth_ProcessingFilter
	$priority = 50
	Priority of this filter. More...

Detailed Description

Definition at line 12 of file Consent.php.

Constructor & Destructor Documentation

__construct()

sspmod_consent_Auth_Process_Consent::__construct	(		$config,
			$reserved
	)

Initialize consent filter.

Validates and parses the configuration.

Parameters

array	$config	Configuration information.
mixed	$reserved	For future use.

Exceptions

SimpleSAML_Error_Exception

if the configuration is not valid.

Definition at line 74 of file Consent.php.

References $config, SimpleSAML\Logger\error(), sspmod_consent_Store\parseStoreConfig(), and SimpleSAML\Logger\warning().

    {
        assert(is_array($config));
        parent::__construct($config, $reserved);

        if (array_key_exists('includeValues', $config)) {
            if (!is_bool($config['includeValues'])) {
                throw new SimpleSAML_Error_Exception(
                    'Consent: includeValues must be boolean. '.
                    var_export($config['includeValues'], true).' given.'
                );
            }
            $this->_includeValues = $config['includeValues'];
        }

        if (array_key_exists('checked', $config)) {
            if (!is_bool($config['checked'])) {
                throw new SimpleSAML_Error_Exception(
                    'Consent: checked must be boolean. '.
                    var_export($config['checked'], true).' given.'
                );
            }
            $this->_checked = $config['checked'];
        }

        if (array_key_exists('focus', $config)) {
            if (!in_array($config['focus'], array('yes', 'no'), true)) {
                throw new SimpleSAML_Error_Exception(
                    'Consent: focus must be a string with values `yes` or `no`. '.
                    var_export($config['focus'], true).' given.'
                );
            }
            $this->_focus = $config['focus'];
        }

        if (array_key_exists('hiddenAttributes', $config)) {
            if (!is_array($config['hiddenAttributes'])) {
                throw new SimpleSAML_Error_Exception(
                    'Consent: hiddenAttributes must be an array. '.
                    var_export($config['hiddenAttributes'], true).' given.'
                );
            }
            $this->_hiddenAttributes = $config['hiddenAttributes'];
        }

        if (array_key_exists('attributes.exclude', $config)) {
            if (!is_array($config['attributes.exclude'])) {
                throw new SimpleSAML_Error_Exception(
                    'Consent: attributes.exclude must be an array. '.
                    var_export($config['attributes.exclude'], true).' given.'
                );
            }
            $this->_noconsentattributes = $config['attributes.exclude'];
        } elseif (array_key_exists('noconsentattributes', $config)) {
            SimpleSAML\Logger::warning("The 'noconsentattributes' option has been deprecated in favour of 'attributes.exclude'.");
            if (!is_array($config['noconsentattributes'])) {
                throw new SimpleSAML_Error_Exception(
                    'Consent: noconsentattributes must be an array. '.
                    var_export($config['noconsentattributes'], true).' given.'
                );
            }
            $this->_noconsentattributes = $config['noconsentattributes'];
        }

        if (array_key_exists('store', $config)) {
            try {
                $this->_store = sspmod_consent_Store::parseStoreConfig($config['store']);
            } catch (Exception $e) {
                SimpleSAML\Logger::error(
                    'Consent: Could not create consent storage: '.
                    $e->getMessage()
                );
            }
        }

        if (array_key_exists('showNoConsentAboutService', $config)) {
            if (!is_bool($config['showNoConsentAboutService'])) {
                throw new SimpleSAML_Error_Exception('Consent: showNoConsentAboutService must be a boolean.');
            }
            $this->_showNoConsentAboutService = $config['showNoConsentAboutService'];
        }
    }

Here is the call graph for this function:

Member Function Documentation

checkDisable()

static sspmod_consent_Auth_Process_Consent::checkDisable (   $option,   $entityId  )

staticprivate

Helper function to check whether consent is disabled.

Parameters

mixed	$option	The consent.disable option. Either an array of array, an array or a boolean.
string	$entityId	The entityID of the SP/IdP.

Returns

boolean True if disabled, false if not.

Definition at line 166 of file Consent.php.

References $entityId.

    {
        if (is_array($option)) {
            // Check if consent.disable array has one element that is an array
            if (count($option) === count($option, COUNT_RECURSIVE)) {
                // Array is not multidimensional.  Simple in_array search suffices
                return in_array($entityId, $option, true);
            }

            // Array contains at least one element that is an array, verify both possibilities
            if (in_array($entityId, $option, true)) {
                return true;
            }

            // Search in multidimensional arrays
            foreach ($option as $optionToTest) {
                if (!is_array($optionToTest)) {
                    continue; // bad option
                }

                if (!array_key_exists('type', $optionToTest)) {
                    continue; // option has no type
                }

                // Option has a type - switch processing depending on type value :
                if ($optionToTest['type'] === 'regex') {
                    // regex-based consent disabling

                    if (!array_key_exists('pattern', $optionToTest)) {
                        continue; // no pattern defined
                    }

                    if (preg_match($optionToTest['pattern'], $entityId) === 1) {
                        return true;
                    }
                } else {
                    // option type is not supported
                    continue;
                }
            } // end foreach

            // Base case : no match
            return false;
        } else {
            return (boolean) $option;
        }
    }

getAttributeHash()

static sspmod_consent_Auth_Process_Consent::getAttributeHash (   $attributes,   $includeValues = false  )

static

Generate unique identifier for attributes.

Create a hash value for the attributes that changes when attributes are added or removed. If the attribute values are included in the hash, the hash will change if the values change.

Parameters

string	$attributes	The attributes.
bool	$includeValues	Whether or not to include the attribute value in the generation of the hash.

Returns

string SHA1 of the user id, source id, destination id and salt.

Definition at line 384 of file Consent.php.

References $attributes, $values, and GuzzleHttp\Psr7\hash().

Referenced by driveProcessingChain().

    {
        if ($includeValues) {
            foreach ($attributes as &$values) {
                sort($values);
            }
            ksort($attributes);
            $hashBase = serialize($attributes);
        } else {
            $names = array_keys($attributes);
            sort($names);
            $hashBase = implode('|', $names);
        }
        return hash('sha1', $hashBase);
    }

Here is the call graph for this function:

Here is the caller graph for this function:

getHashedUserID()

static sspmod_consent_Auth_Process_Consent::getHashedUserID (   $userid,   $source  )

static

Generate a unique identifier of the user.

Parameters

string	$userid	The user id.
string	$source	The source id.

Returns

string SHA1 of the user id, source id and salt.

Definition at line 352 of file Consent.php.

References $source, $userid, and GuzzleHttp\Psr7\hash().

    {
        return hash('sha1', $userid.'|'.SimpleSAML\Utils\Config::getSecretSalt().'|'.$source);
    }

Here is the call graph for this function:

getTargetedID()

static sspmod_consent_Auth_Process_Consent::getTargetedID (   $userid,   $source,   $destination  )

static

Generate a unique targeted identifier.

Parameters

string	$userid	The user id.
string	$source	The source id.
string	$destination	The destination id.

Returns

string SHA1 of the user id, source id, destination id and salt.

Definition at line 367 of file Consent.php.

References $destination, $source, $userid, and GuzzleHttp\Psr7\hash().

Referenced by driveProcessingChain().

    {
        return hash('sha1', $userid.'|'.SimpleSAML\Utils\Config::getSecretSalt().'|'.$source.'|'.$destination);
    }

Here is the call graph for this function:

Here is the caller graph for this function:

process()

sspmod_consent_Auth_Process_Consent::process

(

&

$state

)

Process a authentication response.

This function saves the state, and redirects the user to the page where the user can authorize the release of the attributes. If storage is used and the consent has already been given the user is passed on.

Parameters

array

&$state

The state of the response.

Returns

void

Exceptions

SimpleSAML_Error_NoPassive

if the request was passive and consent is needed.

If the consent module is active on a bridge $state['saml:sp:IdP'] will contain an entry id for the remote IdP. If not, then the consent module is active on a local IdP and nothing needs to be done.

Definition at line 227 of file Consent.php.

References $_checked, $_focus, $_hiddenAttributes, $_noconsentattributes, $_showNoConsentAboutService, $_store, $attributes, $destination, $id, $idpEntityId, $idpmeta, $metadata, $source, $spEntityId, $state, $url, SimpleSAML\Logger\debug(), SimpleSAML\Logger\error(), SimpleSAML_Metadata_MetaDataStorageHandler\getMetadataHandler(), SimpleSAML\Module\getModuleURL(), SimpleSAML_Stats\log(), SimpleSAML\Utils\HTTP\redirectTrustedURL(), SimpleSAML_Auth_State\saveState(), and SimpleSAML\Logger\stats().

    {
        assert(is_array($state));
        assert(array_key_exists('UserID', $state));
        assert(array_key_exists('Destination', $state));
        assert(array_key_exists('entityid', $state['Destination']));
        assert(array_key_exists('metadata-set', $state['Destination']));
        assert(array_key_exists('entityid', $state['Source']));
        assert(array_key_exists('metadata-set', $state['Source']));

        $spEntityId = $state['Destination']['entityid'];
        $idpEntityId = $state['Source']['entityid'];

        $metadata = SimpleSAML_Metadata_MetaDataStorageHandler::getMetadataHandler();

        if (isset($state['saml:sp:IdP'])) {
            $idpEntityId = $state['saml:sp:IdP'];
            $idpmeta = $metadata->getMetaData($idpEntityId, 'saml20-idp-remote');
            $state['Source'] = $idpmeta;
        }

        $statsData = array('spEntityID' => $spEntityId);

        // Do not use consent if disabled
        if (isset($state['Source']['consent.disable']) &&
            self::checkDisable($state['Source']['consent.disable'], $spEntityId)
        ) {
            SimpleSAML\Logger::debug('Consent: Consent disabled for entity '.$spEntityId.' with IdP '.$idpEntityId);
            SimpleSAML_Stats::log('consent:disabled', $statsData);
            return;
        }
        if (isset($state['Destination']['consent.disable']) &&
            self::checkDisable($state['Destination']['consent.disable'], $idpEntityId)
        ) {
            SimpleSAML\Logger::debug('Consent: Consent disabled for entity '.$spEntityId.' with IdP '.$idpEntityId);
            SimpleSAML_Stats::log('consent:disabled', $statsData);
            return;
        }

        if ($this->_store !== null) {
            $source = $state['Source']['metadata-set'].'|'.$idpEntityId;
            $destination = $state['Destination']['metadata-set'].'|'.$spEntityId;
            $attributes = $state['Attributes'];

            // Remove attributes that do not require consent
            foreach ($attributes as $attrkey => $attrval) {
                if (in_array($attrkey, $this->_noconsentattributes, true)) {
                    unset($attributes[$attrkey]);
                }
            }

            SimpleSAML\Logger::debug('Consent: userid: '.$state['UserID']);
            SimpleSAML\Logger::debug('Consent: source: '.$source);
            SimpleSAML\Logger::debug('Consent: destination: '.$destination);

            $userId = self::getHashedUserID($state['UserID'], $source);
            $targetedId = self::getTargetedID($state['UserID'], $source, $destination);
            $attributeSet = self::getAttributeHash($attributes, $this->_includeValues);

            SimpleSAML\Logger::debug(
                'Consent: hasConsent() ['.$userId.'|'.$targetedId.'|'.
                $attributeSet.']'
            );

            try {
                if ($this->_store->hasConsent($userId, $targetedId, $attributeSet)) {
                    // Consent already given
                    SimpleSAML\Logger::stats('consent found');
                    SimpleSAML_Stats::log('consent:found', $statsData);
                    return;
                }

                SimpleSAML\Logger::stats('consent notfound');
                SimpleSAML_Stats::log('consent:notfound', $statsData);

                $state['consent:store'] = $this->_store;
                $state['consent:store.userId'] = $userId;
                $state['consent:store.destination'] = $targetedId;
                $state['consent:store.attributeSet'] = $attributeSet;
            } catch (Exception $e) {
                SimpleSAML\Logger::error('Consent: Error reading from storage: '.$e->getMessage());
                SimpleSAML\Logger::stats('Ccnsent failed');
                SimpleSAML_Stats::log('consent:failed', $statsData);
            }
        } else {
            SimpleSAML\Logger::stats('consent nostorage');
            SimpleSAML_Stats::log('consent:nostorage', $statsData);
        }

        $state['consent:focus'] = $this->_focus;
        $state['consent:checked'] = $this->_checked;
        $state['consent:hiddenAttributes'] = $this->_hiddenAttributes;
        $state['consent:noconsentattributes'] = $this->_noconsentattributes;
        $state['consent:showNoConsentAboutService'] = $this->_showNoConsentAboutService;

        // user interaction necessary. Throw exception on isPassive request
        if (isset($state['isPassive']) && $state['isPassive'] === true) {
            SimpleSAML_Stats::log('consent:nopassive', $statsData);
            throw new SimpleSAML\Module\saml\Error\NoPassive(
                    \SAML2\Constants::STATUS_REQUESTER,
                    'Unable to give consent on passive request.'
            );
        }

        // Save state and redirect
        $id = SimpleSAML_Auth_State::saveState($state, 'consent:request');
        $url = SimpleSAML\Module::getModuleURL('consent/getconsent.php');
        \SimpleSAML\Utils\HTTP::redirectTrustedURL($url, array('StateId' => $id));
    }

Here is the call graph for this function:

Field Documentation

$_checked

sspmod_consent_Auth_Process_Consent::$_checked = false

private

Definition at line 33 of file Consent.php.

Referenced by process().

$_focus

sspmod_consent_Auth_Process_Consent::$_focus = null

private

Definition at line 19 of file Consent.php.

Referenced by process().

$_hiddenAttributes

sspmod_consent_Auth_Process_Consent::$_hiddenAttributes = array()

private

Definition at line 47 of file Consent.php.

Referenced by process().

$_includeValues

sspmod_consent_Auth_Process_Consent::$_includeValues = false

private

Definition at line 26 of file Consent.php.

$_noconsentattributes

sspmod_consent_Auth_Process_Consent::$_noconsentattributes = array()

private

Definition at line 54 of file Consent.php.

Referenced by process().

$_showNoConsentAboutService

sspmod_consent_Auth_Process_Consent::$_showNoConsentAboutService = true

private

Definition at line 61 of file Consent.php.

Referenced by process().

$_store

sspmod_consent_Auth_Process_Consent::$_store = null

private

Definition at line 40 of file Consent.php.

Referenced by process().

---

The documentation for this class was generated from the following file:

• libs/composer/vendor/simplesamlphp/simplesamlphp/modules/consent/lib/Auth/Process/Consent.php