

Release 1.5.0
pitbulk committed May 3, 2017
1 parent 9407577 commit 7afd674
Showing 14 changed files with 966 additions and 173 deletions.
Binary file modified onelogin.zip
Binary file not shown.
164 changes: 150 additions & 14 deletions onelogin/lib/Saml2/Auth.php
Expand Up @@ -6,7 +6,6 @@
*/
class OneLogin_Saml2_Auth
{

/**
* Settings data.
*
Expand All @@ -28,6 +27,13 @@ class OneLogin_Saml2_Auth
*/
private $_nameid;

/**
* NameID Format
*
* @var string
*/
private $_nameidFormat;

/**
* If user is authenticated.
*
Expand All @@ -52,6 +58,28 @@ class OneLogin_Saml2_Auth
*/
private $_sessionExpiration;

/**
* The ID of the last message processed
*
* @var string
*/
private $_lastMessageId;

/**
* The ID of the last assertion processed
*
* @var string
*/
private $_lastAssertionId;

/**
* The NotOnOrAfter value of the valid SubjectConfirmationData
* node (if any) of the last assertion processed
*
* @var DateTime
*/
private $_lastAssertionNotOnOrAfter;

/**
* If any error.
*
Expand All @@ -73,6 +101,23 @@ class OneLogin_Saml2_Auth
*/
private $_lastRequestID;

/**
* The most recently-constructed/processed XML SAML request
* (AuthNRequest, LogoutRequest)
*
* @var string
*/
private $_lastRequest;

/**
* The most recently-constructed/processed XML SAML response
* (SAMLResponse, LogoutResponse). If the SAMLResponse was
* encrypted, by default tries to return the decrypted XML
*
* @var string
*/
private $_lastResponse;

/**
* Initializes the SP SAML instance.
*
Expand Down Expand Up @@ -103,7 +148,10 @@ public function getSettings()
public function setStrict($value)
{
if (! (is_bool($value))) {
throw new Exception('Invalid value passed to setStrict()');
throw new OneLogin_Saml2_Error(
'Invalid value passed to setStrict()',
OneLogin_Saml2_Error::SETTINGS_INVALID_SYNTAX
);
}

$this->_settings->setStrict($value);
Expand All @@ -119,16 +167,22 @@ public function setStrict($value)
public function processResponse($requestId = null)
{
$this->_errors = array();
$this->_errorReason = null;
if (isset($_POST) && isset($_POST['SAMLResponse'])) {
// AuthnResponse -- HTTP_POST Binding
$response = new OneLogin_Saml2_Response($this->_settings, $_POST['SAMLResponse']);
$this->_lastResponse = $response->getXMLDocument();

if ($response->isValid($requestId)) {
$this->_attributes = $response->getAttributes();
$this->_nameid = $response->getNameId();
$this->_nameidFormat = $response->getNameIdFormat();
$this->_authenticated = true;
$this->_sessionIndex = $response->getSessionIndex();
$this->_sessionExpiration = $response->getSessionNotOnOrAfter();
$this->_lastMessageId = $response->getId();
$this->_lastAssertionId = $response->getAssertionId();
$this->_lastAssertionNotOnOrAfter = $response->getAssertionNotOnOrAfter();
} else {
$this->_errors[] = 'invalid_response';
$this->_errorReason = $response->getError();
Expand All @@ -155,17 +209,20 @@ public function processResponse($requestId = null)
*
* @throws OneLogin_Saml2_Error
*/
public function processSLO($keepLocalSession = false, $requestId = null, $retrieveParametersFromServer = false, $cbDeleteSession = null, $stay=false)
public function processSLO($keepLocalSession = false, $requestId = null, $retrieveParametersFromServer = false, $cbDeleteSession = null, $stay = false)
{
$this->_errors = array();
$this->_errorReason = null;
if (isset($_GET) && isset($_GET['SAMLResponse'])) {
$logoutResponse = new OneLogin_Saml2_LogoutResponse($this->_settings, $_GET['SAMLResponse']);
$this->_lastResponse = $logoutResponse->getXML();
if (!$logoutResponse->isValid($requestId, $retrieveParametersFromServer)) {
$this->_errors[] = 'invalid_logout_response';
$this->_errorReason = $logoutResponse->getError();
} else if ($logoutResponse->getStatus() !== OneLogin_Saml2_Constants::STATUS_SUCCESS) {
$this->_errors[] = 'logout_not_success';
} else {
$this->_lastMessageId = $logoutResponse->id;
if (!$keepLocalSession) {
if ($cbDeleteSession === null) {
OneLogin_Saml2_Utils::deleteLocalSession();
Expand All @@ -176,6 +233,7 @@ public function processSLO($keepLocalSession = false, $requestId = null, $retrie
}
} else if (isset($_GET) && isset($_GET['SAMLRequest'])) {
$logoutRequest = new OneLogin_Saml2_LogoutRequest($this->_settings, $_GET['SAMLRequest']);
$this->_lastRequest = $logoutRequest->getXML();
if (!$logoutRequest->isValid($retrieveParametersFromServer)) {
$this->_errors[] = 'invalid_logout_request';
$this->_errorReason = $logoutRequest->getError();
Expand All @@ -188,8 +246,11 @@ public function processSLO($keepLocalSession = false, $requestId = null, $retrie
}
}
$inResponseTo = $logoutRequest->id;
$this->_lastMessageId = $logoutRequest->id;
$responseBuilder = new OneLogin_Saml2_LogoutResponse($this->_settings);
$responseBuilder->build($inResponseTo);
$this->_lastResponse = $responseBuilder->getXML();

$logoutResponse = $responseBuilder->getResponse();

$parameters = array('SAMLResponse' => $logoutResponse);
Expand Down Expand Up @@ -265,6 +326,16 @@ public function getNameId()
return $this->_nameid;
}

/**
* Returns the nameID Format
*
* @return string The nameID Format of the assertion
*/
public function getNameIdFormat()
{
return $this->_nameidFormat;
}

/**
* Returns the SessionIndex
*
Expand Down Expand Up @@ -335,12 +406,13 @@ public function getAttribute($name)
*
* @return If $stay is True, it return a string with the SLO URL + LogoutRequest + parameters
*/
public function login($returnTo = null, $parameters = array(), $forceAuthn = false, $isPassive = false, $stay=false, $setNameIdPolicy = true)
public function login($returnTo = null, $parameters = array(), $forceAuthn = false, $isPassive = false, $stay = false, $setNameIdPolicy = true)
{
assert('is_array($parameters)');

$authnRequest = new OneLogin_Saml2_AuthnRequest($this->_settings, $forceAuthn, $isPassive, $setNameIdPolicy);

$this->_lastRequest = $authnRequest->getXML();
$this->_lastRequestID = $authnRequest->getId();

$samlRequest = $authnRequest->getRequest();
Expand Down Expand Up @@ -369,12 +441,13 @@ public function login($returnTo = null, $parameters = array(), $forceAuthn = fal
* @param string|null $nameId The NameID that will be set in the LogoutRequest.
* @param string|null $sessionIndex The SessionIndex (taken from the SAML Response in the SSO process).
* @param bool $stay True if we want to stay (returns the url string) False to redirect
* @param string|null $nameIdFormat The NameID Format will be set in the LogoutRequest.
*
* @return If $stay is True, it return a string with the SLO URL + LogoutRequest + parameters
*
* @throws OneLogin_Saml2_Error
*/
public function logout($returnTo = null, $parameters = array(), $nameId = null, $sessionIndex = null, $stay=false)
public function logout($returnTo = null, $parameters = array(), $nameId = null, $sessionIndex = null, $stay = false, $nameIdFormat = null)
{
assert('is_array($parameters)');

Expand All @@ -389,9 +462,13 @@ public function logout($returnTo = null, $parameters = array(), $nameId = null,
if (empty($nameId) && !empty($this->_nameid)) {
$nameId = $this->_nameid;
}
if (empty($nameIdFormat) && !empty($this->_nameidFormat)) {
$nameIdFormat = $this->_nameidFormat;
}

$logoutRequest = new OneLogin_Saml2_LogoutRequest($this->_settings, null, $nameId, $sessionIndex);
$logoutRequest = new OneLogin_Saml2_LogoutRequest($this->_settings, null, $nameId, $sessionIndex, $nameIdFormat);

$this->_lastRequest = $logoutRequest->getXML();
$this->_lastRequestID = $logoutRequest->id;

$samlRequest = $logoutRequest->getRequest();
Expand Down Expand Up @@ -463,10 +540,11 @@ public function getLastRequestID()
*/
public function buildRequestSignature($samlRequest, $relayState, $signAlgorithm = XMLSecurityKey::RSA_SHA1)
{
if (!$this->_settings->checkSPCerts()) {
$key = $this->_settings->getSPkey();
if (empty($key)) {
throw new OneLogin_Saml2_Error(
"Trying to sign the SAML Request but can't load the SP certs",
OneLogin_Saml2_Error::SP_CERTS_NOT_FOUND
"Trying to sign the SAML Request but can't load the SP private key",
OneLogin_Saml2_Error::PRIVATE_KEY_NOT_FOUND
);
}

Expand Down Expand Up @@ -507,15 +585,14 @@ public function buildRequestSignature($samlRequest, $relayState, $signAlgorithm
*/
public function buildResponseSignature($samlResponse, $relayState, $signAlgorithm = XMLSecurityKey::RSA_SHA1)
{
if (!$this->_settings->checkSPCerts()) {
$key = $this->_settings->getSPkey();
if (empty($key)) {
throw new OneLogin_Saml2_Error(
"Trying to sign the SAML Response but can't load the SP certs",
OneLogin_Saml2_Error::SP_CERTS_NOT_FOUND
"Trying to sign the SAML Response but can't load the SP private key",
OneLogin_Saml2_Error::PRIVATE_KEY_NOT_FOUND
);
}

$key = $this->_settings->getSPkey();

$objKey = new XMLSecurityKey($signAlgorithm, array('type' => 'private'));
$objKey->loadKey($key, false);

Expand All @@ -536,4 +613,63 @@ public function buildResponseSignature($samlResponse, $relayState, $signAlgorith
$signature = $objKey->signData($msg);
return base64_encode($signature);
}

/**
* @return string The ID of the last message processed
*/
public function getLastMessageId()
{
return $this->_lastMessageId;
}

/**
* @return string The ID of the last assertion processed
*/
public function getLastAssertionId()
{
return $this->_lastAssertionId;
}

/**
* @return The NotOnOrAfter value of the valid
* SubjectConfirmationData node (if any)
* of the last assertion processed
*/
public function getLastAssertionNotOnOrAfter()
{
return $this->_lastAssertionNotOnOrAfter;
}

/**
* Returns the most recently-constructed/processed
* XML SAML request (AuthNRequest, LogoutRequest)
*
* @return string The Request XML
*/
public function getLastRequestXML()
{
return $this->_lastRequest;
}

/**
* Returns the most recently-constructed/processed
* XML SAML response (SAMLResponse, LogoutResponse).
* If the SAMLResponse was encrypted, by default tries
* to return the decrypted XML.
*
* @return string The Response XML
*/
public function getLastResponseXML()
{
$response = null;
if (isset($this->_lastResponse)) {
if (is_string($this->_lastResponse)) {
$response = $this->_lastResponse;
} else {
$response = $this->_lastResponse->saveXML();
}
}

return $response;
}
}
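Review bot: `getLastResponseXML()` can hand back the XML of a response that failed validation, because `processResponse()` assigns `$response->getXMLDocument()` to `$_lastResponse` on the line before `isValid()` is evaluated and `processSLO()` does the same with `$logoutResponse->getXML()`, yet nothing in the new getter's docblock says so. Since that docblock also states the decrypted XML is returned for an encrypted SAMLResponse, I would add to it `Note: the XML may belong to a response that failed validation and may contain decrypted assertion data (NameID, attributes); do not treat it as authenticated content or log it routinely.` The `@return string` on both `getLastResponseXML()` and `getLastRequestXML()` is inaccurate as well: each returns `null` until a message has been built or processed, so `@return string|null` matches the code. `getLastAssertionNotOnOrAfter()` has a `@return` tag with no type; `@return DateTime|null` would agree with the property's `@var DateTime`, but that type should be confirmed against `OneLogin_Saml2_Response::getAssertionNotOnOrAfter()`, which is not part of this diff.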
14 changes: 12 additions & 2 deletions onelogin/lib/Saml2/AuthnRequest.php
Expand Up @@ -123,7 +123,7 @@ public function __construct(OneLogin_Saml2_Settings $settings, $forceAuthn = fal
{$providerNameStr}{$forceAuthnStr}{$isPassiveStr}
IssueInstant="$issueInstant"
Destination="{$idpData['singleSignOnService']['url']}"
ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
ProtocolBinding="{$spData['assertionConsumerService']['binding']}"
AssertionConsumerServiceURL="{$spData['assertionConsumerService']['url']}">
<saml:Issuer>{$spData['entityId']}</saml:Issuer>
{$nameIdPolicyStr}
Expand All @@ -137,7 +137,7 @@ public function __construct(OneLogin_Saml2_Settings $settings, $forceAuthn = fal

/**
* Returns deflated, base64 encoded, unsigned AuthnRequest.
*
*
* @param bool|null $deflate Whether or not we should 'gzdeflate' the request body before we return it.
*/
public function getRequest($deflate = null)
Expand Down Expand Up @@ -165,4 +165,14 @@ public function getId()
{
return $this->_id;
}

/**
* Returns the XML that will be sent as part of the request
*
* @return string
*/
public function getXML()
{
return $this->_authnRequest;
}
}
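Review bot: In the `__construct` hunk the `ProtocolBinding` attribute is now interpolated from `$spData['assertionConsumerService']['binding']` with no fallback, so an SP settings array that lacks that key yields an undefined-index notice and an empty `ProtocolBinding=""` in the AuthnRequest, where the old code always emitted HTTP-POST; the constructor starts and ends outside the hunk, and whether `OneLogin_Saml2_Settings` fills in a default binding is not visible here. If it does not, computing `$acsBinding = isset($spData['assertionConsumerService']['binding']) ? $spData['assertionConsumerService']['binding'] : 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST';` before the heredoc and interpolating `{$acsBinding}` keeps existing configurations working. Like the ACS URL and entityId on the neighbouring lines, the binding string goes into the XML unescaped, which is only acceptable while it comes from the SP's own configuration rather than request input; a comment at the heredoc such as `// Values below come from trusted SP/IdP settings, not from the HTTP request, and are not XML-escaped` would make that assumption explicit for future maintainers.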
