Remove all superfluous error-handling code; handle error codes only where necessary.

This commit is contained in:
<bdauvergne@entrouvert.com> 1207326377 +0200 0001-01-01 00:00:00 +00:00
parent 2091b68c0b
commit 2f84b62f55
2 changed files with 134 additions and 215 deletions


@ -19,6 +19,14 @@ class LassoSPKitSaml2 extends LassoSPKitSAMLCommon {
$nameidpolicy->format = $blob['nameIDFormat'];
$nameidpolicy->allowCreate = $blob['allowCreate'];
}
/** Initiate a SSO exchange with a redirect.
The federate parameter defines if we wish to get a
persistent (federate = TRUE) or a transient federation
(federate = FALSE).
The create parameter specify if the IdP is allower
to create a new federation if a persistent
one is asked for federate = TRUE.
*/
public function sso($create = TRUE, $federate = TRUE) {
if ($federate) {
$format = LASSO_SAML2_NAME_IDENTIFIER_FORMAT_PERSISTENT;
@ -49,20 +57,21 @@ class LassoSPKitSaml2 extends LassoSPKitSAMLCommon {
/** Name Id Management, SP inititated */
/* Request */
public function initiateNameIdManagement($newNameID, $method = LASSO_HTTP_METHOD_SOAP, $remoteID = null) {
$ret = 0;
lassospkit_debuglog("initiateNIDManagement NNID: $newNameID Meth: $method RID: $remoteID ");
$ok = 1 && $nidmanagement = new LassoNameIdManagement($this->server);
$nidmanagement = new LassoNameIdManagement($this->server);
$this->findFederation($nidmanagement);
$ok = $ok && ! $ret = $nidmanagement->initRequest($remoteID, $newNameID, $method);
$ok = $ok && ! $ret = $nidmanagement->buildRequestMsg();
$retIR = $nidmanagement->initRequest($remoteID, $newNameID, $method);
$retBRM = $nidmanagement->buildRequestMsg();
if ($retIR || $retBRM) {
lassospkit_errlog("initiateNIDManagement: retIR: $retIR retBRM: $retBRM");
}
switch ($method) {
case LASSO_HTTP_METHOD_REDIRECT:
$this->keepProfile($nidmanagement);
$this->finishRedirectRequest($nidmanagement, $ret, $ok);
$this->finishRedirectRequest($nidmanagement);
break;
case LASSO_HTTP_METHOD_SOAP:
$this->finishSOAPRequest($nidmanagement, $ret, $ok, $response);
$ok = $ok && $this->processResponseNameIdManagement($response, $nidmanagement);
$this->finishSOAPRequest($nidmanagement, $response);
$this->processResponseNameIdManagement($response, $nidmanagement);
break;
case LASSO_HTTP_METHOD_ARTIFACT_GET:
case LASSO_HTTP_METHOD_ARTIFACT_POST:
@ -70,38 +79,20 @@ class LassoSPKitSaml2 extends LassoSPKitSAMLCommon {
default:
LassoSPKitHelper::notImplemented();
}
if (! $ok) {
lassospkit_debuglog("NID failed Ret: $ret Exp: " . $this->exception);
$this->status = gettext('La défédération a échoué');
}
return $ok;
}
function processRedirectResponseNameIdManagement() {
$ret = 0;
$nidmanagement = null;
$ok = $this->processResponseNameIdManagement($_SERVER['QUERY_STRING'], $nidmanagement);
return $ok;
$this->processResponseNameIdManagement($_SERVER['QUERY_STRING'], $nidmanagement);
}
/** Response **/
public function processResponseNameIdManagement($message, &$nidmanagement)
{
$ret = 0;
$ok = 1;
lassospkit_debuglog("NameIdManagement SP initiated Response");
if ($nidmanagement == null) {
$ok = $ok && $nidmanagement = LassoNameIdManagement::newFromDump($this->server, $this->restoreProfile());
if ($ok) {
$this->findFederation($nidmanagement);
}
$nidmanagement = LassoNameIdManagement::newFromDump($this->server, $this->restoreProfile());
$this->findFederation($nidmanagement);
}
$ok = $ok && ! $ret = $nidmanagement->processResponseMsg($message);
if ($ok || $ret > 0) {
$this->changeFederation($nidmanagement);
}
if ($ret != 0) {
$this->setRet($ret);
}
return $ok;
$retPRM = $nidmanagement->processResponseMsg($message);
$this->changeFederation($nidmanagement);
}
/** Name Id Management request IdP iniated */
public function processRedirectRequestNameIdManagement() {
@ -115,38 +106,22 @@ class LassoSPKitSaml2 extends LassoSPKitSAMLCommon {
}
public function processRequestNameIdManagement($method, $message)
{
lassospkit_debuglog("NameIdManagement request handling");
$ret = 0;
$ok = 1;
$ok = $ok && $nidmanagement = new LassoNameIdManagement($this->server);
if (! $ok) {
lassospkit_debuglog("Cannot build nameidManagement profile");
return;
$nidmanagement = new LassoNameIdManagement($this->server);
$retPRM = $nidmanagement->processRequestMsg($message);
$this->findFederation($nidmanagement);
$retVR = $nidmanagement->validateRequest();
if ($retPRM || $retVR) {
lassospkit_errlog("initiateNIDManagement: retPRM: $retPRM retVR: $retVR");
}
lassospkit_debuglog("NID Request init ok: $ok ret: $ret " . strError($ret));
$ok = $ok && ! $ret = $nidmanagement->processRequestMsg($message);
lassospkit_debuglog("NID Request processRequestMsg ok: $ok ret: $ret " . strError($ret));
if ($ok) {
$this->findFederation($nidmanagement);
}
$ok = $ok && ! $ret = $nidmanagement->validateRequest();
lassospkit_debuglog("NID Request validateRequest ok: $ok ret: $ret " . strError($ret));
lassospkit_debuglog("NID request type: " . var_export($nidmanagement, 1));
// if ($ok) {
// $newid = null;
// if (isset($nidmanagement->request) && isset($nidmanagement->request->NewID)) {
// $newid = $nidmanagement->request->NewID;
// }
//// LassoSPKitHelper::changeFederation($nidmanagement, $this->session, $newid);
// }
lassospkit_debuglog("NID request just before finishResponse");
$this->finishResponse($nidmanagement, $method, $ret, $ok);
if (! $ok) {
$this->status = gettext('La requête de défédération a échoué');
}
return $ok;
$this->changeFederation($nidmanagement);
$this->finishResponse($nidmanagement, $method);
}
/** Change federation with respect to nidmanagement request content.
If a response is present
*/
function changeFederation(LassoNameIdManagement $nidmanagement) {
LassoSPKitHelper::changeFederation($nidmanagement, $this->session, $nidmanagement->request->NewID);
LassoSPKitHelper::changeFederation($nidmanagement,
$this->session,
$nidmanagement->request->NewID);
}
}
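Review bot: In the processRequestNameIdManagement hunk, `$this->changeFederation($nidmanagement)` is now called unconditionally, so an IdP-initiated NameID management request whose `processRequestMsg` or `validateRequest` returned a non-zero code is still applied to the session; the old `$ok` gate that prevented this is gone and the codes are only logged. Lasso surfaces signature failures as return codes (the sibling file's SLO handler switches on `LASSO_DS_ERROR_INVALID_SIGNATURE`), so this presumably lets a request that did not verify rename or terminate a federation. Only the federation update needs gating — the response should still be built so the IdP receives whatever failure status Lasso set on the profile: `if ($retPRM || $retVR) { lassospkit_errlog("processRequestNameIdManagement: retPRM: $retPRM retVR: $retVR"); } else { $this->changeFederation($nidmanagement); }` followed by the unchanged `finishResponse` call. The log prefix `initiateNIDManagement:` in that branch is a copy-paste of the SP-initiated method's name and makes the two paths indistinguishable in the error log. The same unconditional `changeFederation` after `processResponseMsg` appears in processResponseNameIdManagement and deserves the same guard.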


@ -84,18 +84,13 @@ class LassoSPKitSAMLCommon {
}
/** Return a normal HTTP response, for SOAP Response binding */
public function doResponse(LassoProfile $profile) {
lassospkit_debuglog("doResponse for profile");
lassospkit_debuglog("with content " . $profile->msgBody);
$this->session->doResponse('text/xml', $profile->msgBody);
}
/** Read a soap message from stdin */
public function receiveSOAPMessage() {
lassospkit_debuglog("Receiving a SOAP message");
$contents = @file_get_contents("php://input");
if ($contents === FALSE) {
lassospkit_debuglog("Problem Receiving a SOAP message2");
} else {
lassospkit_debuglog("Received a SOAP message");
lassospkit_errlog("Problem Receiving a SOAP message2");
}
return $contents;
}
@ -104,37 +99,45 @@ class LassoSPKitSAMLCommon {
This method makes a soap call to resolve the artifact, it is synchronous
so can potentially take times.
*/
public function artifactResolve(LassoProfile $profile, $query, $method, &$ok, &$ret) {
$ok = $ok && ! $ret = $profile->initRequest($query, $method);
$ok = $ok && ! $ret = $profile->buildRequestMsg();
$ok = $ok && $content = LassoSPKitHelper::SoapCallWithProfile($profile);
$ok = $ok && ! $ret = $profile->processResponseMsg($content);
if (! $ok) {
$this->setRet($ret);
public function artifactResolve(LassoProfile $profile, $query, $method) {
$retIR = $profile->initRequest($query, $method);
$retBRM = $profile->buildRequestMsg();
$content = @LassoSPKitHelper::SoapCallWithProfile($profile);
if ($content === FALSE) {
lassospkit_errlog("artifactResolve: soapCall result empty");
$content = "";
}
return $ok;
$retPRM = $profile->processResponseMsg($content);
if ($retIR || $retBRM || $retPRM) {
lassospkit_errlog("artifactResolve: retIR: $retIR retBRM: $retBRM retPRM: $retPRM");
if ($retIR) {
return $retIR;
}
if ($retBRM) {
return $retBRM;
}
if ($retPRM) {
return $retPRM;
}
}
return 0;
}
/** Finish a request with a redirect transport */
public function finishRedirectRequest(LassoProfile $profile, &$ret, &$ok) {
if ($ok) {
$this->doRedirect($profile);
}
public function finishRedirectRequest(LassoProfile $profile) {
$this->doRedirect($profile);
}
/** Finish a request with a SOAP transport */
public function finishSOAPRequest(LassoProfile $profile, &$ret, &$ok, &$response) {
if ($ok) {
public function finishSOAPRequest(LassoProfile $profile, &$response) {
$response = LassoSPKitHelper::SoapCallWithProfile($profile);
}
}
public function finishResponse(LassoProfile $profile, $method, &$ret, &$ok) {
public function finishResponse(LassoProfile $profile, $method) {
$ret = $profile->buildResponseMsg();
switch ($method) {
case LASSO_HTTP_METHOD_REDIRECT:
$this->doRedirect($profile);
break;
case LASSO_HTTP_METHOD_SOAP:
lassospkit_debuglog("Finishing response with method SOAP");
$this->doResponse($profile);
break;
default:
@ -150,173 +153,120 @@ class LassoSPKitSAMLCommon {
Calls ssoNameIdPolicyConfig on the session object to initialize.
*/
public function ssoCommon(&$login,
$remoteID,
$method,
$isConsentObtained,
$forceAuthn,
$isPassive,
$blob) {
lassospkit_debuglog("SSO request initiated RID: $remoteID Meth: $method Consent: $isConsentObtained ForceAuthn: $forceAuthn Passive: $isPassive " . var_export($blob,1) );
$ok = 1 && $login = new LassoLogin($this->server);
$this->findFederation($login);
$ok = $ok && ! $ret = $login->initAuthnRequest($remoteID,$method);
$ok = $ok && $request = $login->request;
$ok = $ok && $nameidpolicy = $request->NameIDPolicy;
if ($ok) {
$remoteID,
$method,
$isConsentObtained,
$forceAuthn,
$isPassive,
$blob) {
$login = new LassoLogin($this->server);
$retFF = $this->findFederation($login);
$retIAR = $login->initAuthnRequest($remoteID,$method);
$request = @$login->request;
$nameidpolicy = @$request->NameIDPolicy;
if ($nameidpolicy) {
$this->ssoNameIdPolicyConfig($login, $blob);
$request->consent = $isConsentObtained;
$request->ForceAuthn = $forceAuthn;
$request->IsPassive = $isPassive;
}
$ok = $ok && ! $ret = $login->buildAuthnRequestMsg();
if (! $ok) {
lassospkit_debuglog("SSO request failed ErrCode: $ret");
$this->setStatus("Erreur durant l'authentification");
$this->setRet($ret);
} else {
switch($method) {
case LASSO_HTTP_METHOD_REDIRECT:
$this->doRedirect($login);
break;
default:
LassoSPKitHelper::notImplemented();
}
throw new Exception("SSO: Pas d'object NameIDPolicy");
}
$retBAR = $login->buildAuthnRequestMsg();
switch($method) {
case LASSO_HTTP_METHOD_REDIRECT:
$this->doRedirect($login);
break;
default:
LassoSPKitHelper::notImplemented();
}
return $ok;
}
/** Method to consume response to auth requests. */
function ssoConsumer($method, $message) {
$ret = 0;
lassospkit_debuglog("Consuming SSO assertion");
$ok = 1 && $login = new LassoLogin($this->server);
$login = new LassoLogin($this->server);
$retPRM = 0;
$retAR = 0;
switch ($method) {
case LASSO_HTTP_METHOD_ARTIFACT_GET:
case LASSO_HTTP_METHOD_ARTIFACT_POST:
$ok = $ok && $this->artifactResolve($login,
$retAR = $this->artifactResolve($login,
$message,
$method, $ok, $ret);
$method);
break;
case LASSO_HTTP_METHOD_POST:
$ok = $ok && ! $ret = $this->processResponseMsg($message);
$retPRM = $this->processResponseMsg($message);
break;
}
if ($ok) {
try {
$this->findFederation($login);
} catch (LassoProfileFederationNotFoundError $error) {
} catch (LassoProfileNameIdentifierNotFoundError $error) {
$ok = 0;
$ret = LASSO_PROFILE_ERROR_NAME_IDENTIFIER_NOT_FOUND;
if ($retAR == LASSO_LOGIN_ERROR_FEDERATION_NOT_FOUND
|| $retPRM == LASSO_LOGIN_ERROR_FEDERATION_NOT_FOUND) {
$this->setMessage("Federation not found");
}
if ($retAR || $retPRM) {
lassospkit_errlog("ssoConsumer, retAR: $retAR retPRM: $retPRM");
} else {
$retFF = $this->findFederation($login);
$retASSO = $login->acceptSso();
if ($retASSO) {
lassospkit_errlog("ssoConsumer, retASSO: $retASSO retFF: $retFF");
}
}
$ok = $ok && ! $ret = $login->acceptSso();
$this->saveFederation($login);
if ($login->assertion) {
LassoSPKitHelper::assertionExtractAttributes($login->assertion, $attributes);
$this->session->processAttributes($attributes);
}
if ($ok) {
$this->saveFederation($login);
}
if (! $ok) {
$this->setStatus("Le SSO a échoué");
$this->setRet($ret);
}
return $ok;
}
/** Web SLO methods */
/* SP initiated */
public function initiateSLO($method = LASSO_HTTP_METHOD_SOAP, $remoteID = null)
{
$ret = 0;
lassospkit_debuglog("SLO SP initiated request");
$ok = 1 && $logout = new LassoLogout($this->server);
$logout = new LassoLogout($this->server);
$this->findFederation($logout);
$ok = $ok && ! $ret = $logout->initRequest($remoteID, $method);
$ok = $ok && ! $ret = $logout->buildRequestMsg();
if ($ok) {
switch ($method) {
case LASSO_HTTP_METHOD_REDIRECT:
$this->finishRedirectRequest($logout, $ret, $ok);
break;
case LASSO_HTTP_METHOD_SOAP:
$this->finishSOAPRequest($logout, $ret, $ok, $response);
$ok = $ok && $this->processResponseSLO($logout, $response);
break;
case LASSO_HTTP_METHOD_ARTIFACT_GET:
case LASSO_HTTP_METHOD_ARTIFACT_POST:
case LASSO_HTTP_METHOD_POST:
default:
LassoSPKitHelper::notImplemented();
}
$retIR = $logout->initRequest($remoteID, $method);
$retBRM = $logout->buildRequestMsg();
switch ($method) {
case LASSO_HTTP_METHOD_REDIRECT:
$this->finishRedirectRequest($logout);
break;
case LASSO_HTTP_METHOD_SOAP:
$this->finishSOAPRequest($logout, $response);
$this->processResponseSLO($logout, $response);
break;
case LASSO_HTTP_METHOD_ARTIFACT_GET:
case LASSO_HTTP_METHOD_ARTIFACT_POST:
case LASSO_HTTP_METHOD_POST:
default:
LassoSPKitHelper::notImplemented();
}
if (! $ok) {
lassospkit_debuglog("SLO SP initiated request failed ErrCode: $ret");
$this->setStatus("Le SSO a échoué");
$this->setRet($ret);
}
return $ok;
}
public function processRedirectResponseSLO() {
$ret = 0;
$logout = null;
$ok = $this->processResponseSLO($logout, $_SERVER['QUERY_STRING']);
if (! $ok) {
lassospkit_debuglog("SLO SP initiated response failed ErrCode: $ret");
$this->setStatus("Le SLO a échoué");
$this->setRet($ret);
}
return $ok;
$this->processResponseSLO($logout, $_SERVER['QUERY_STRING']);
}
public function processResponseSLO(&$logout, $message) {
$ret = 0;
$ok = 1;
lassospkit_debuglog("SLO SP initiated Response");
if (! $logout) {
$ok = $ok && $logout = new LassoLogout($this->server);
$logout = new LassoLogout($this->server);
$this->findFederation($logout);
}
$ok = $ok && ! $ret = $logout->processResponseMsg($message);
$prefix = "";
switch ($ret) {
$retPRM = $logout->processResponseMsg($message);
switch ($retPRM) {
case 0:
break;
default:
case LASSO_DS_ERROR_INVALID_SIGNATURE:
lassospkit_debuglog("Logout warn: invalid signature");
$prefix = "Warning: ";
$ok = 1;
break;
case LASSO_LOGOUT_ERROR_REQUEST_DENIED:
lassospkit_debuglog("Logout warn: request denied");
$prefix = "Warning: ";
$ok = 1;
$this->setMessage("Logout request denied by IdP");
break;
case LASSO_LOGOUT_ERROR_UNKNOWN_PRINCIPAL:
lassospkit_debuglog("Unknown principal on logout, probably session stopped already on IdP");
$prefix = "Warning: ";
$ok = 1;
$this->setMessage("IdP said 'unknown principal'");
break;
case LASSO_PROFILE_ERROR_INVALID_QUERY:
lassospkit_debuglog("Invalid response");
$prefix = "Error: ";
$ok = 0;
break;
default:
lassospkit_debuglog("SLO Response ErrCode: $ret");
$prefix = "Error: ";
$ok = 0;
$this->setMessage("IdP said 'logout request is invalid'");
break;
}
if ($ok == 1) {
$this->saveFederation($logout);
$this->session->logout();
}
if ($ret != 0) {
$this->setRet($ret, $prefix);
lassospkit_debuglog("SLO Res Code: $ret");
}
return $ok;
$this->saveFederation($logout);
$this->session->logout();
}
/** IDP initiated SLO **/
public function processRedirectRequestSLO() {
@ -329,29 +279,20 @@ class LassoSPKitSAMLCommon {
$contents);
}
public function processRequestSLO($method, $message) {
$ret = 0;
$ok = 1 && $logout = new LassoLogout($this->server);
if (! $ok) {
lassospkit_errlog("processRequestSLO: Cannot build logout profile");
return;
}
$logout = new LassoLogout($this->server);
$retPRM = $logout->processRequestMsg($message);
if ($ret != 0) {
lassospkit_warnlog("processResquestSLO: processRequestMsg returned non-0: " . strError($ret) . "($ret)");
}
$this->findFederation($logout);
$retVR = $logout->validateRequest();
$retBR = $this->finishResponse($logout, $logout->http_request_method, $ret, $ok);
// if ($retBR != 0) {
$retBR = $this->finishResponse($logout, $logout->http_request_method);
$this->session->logout();
// }
lassospkit_infolog("Logout request handled for nameId: " . $logout->nameID . " retPRM: $retPRM retVR: $retVR retBR: $retBR");
return $ok;
}
public function saveFederation(LassoProfile $profile) {
LassoSPKitHelper::saveFederation($profile, $this->session);
}
public function findFederation(LassoProfile $profile) {
LassoSPKitHelper::findFederation($profile, $this->session);
return LassoSPKitHelper::findFederation($profile, $this->session);
}
/** Federation termination **/
public function initiateFTNotification($method = LASSO_HTTP_METHOD_SOAP, $remoteID = null) {
@ -384,4 +325,7 @@ class LassoSPKitSAMLCommon {
LassoSPKitUtilsSession::setFederation(serialize($fed));
return $profile;
}
function setMessage($message) {
LassoSPKitUtilsSession::setLastError($message);
}
}
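Review bot: In ssoConsumer, `$this->saveFederation($login)` and the attribute extraction into the session now run unconditionally, so a response whose artifact resolution, `processResponseMsg` or `acceptSso` returned a non-zero code (a signature failure or whatever else Lasso reports that way) still persists the federation and feeds the assertion's attributes to `processAttributes`; the old `if ($ok)` gate around saveFederation was dropped with the rest of the error plumbing. The SSO consumer is the SP's trust boundary, so this is the one place where the error code must short-circuit the remainder of the method rather than just be logged. The rewrite below returns as soon as either stage fails and leaves the success path as it is; the `$retFF` value is only logged, as before, since findFederation returning non-zero is expected for a first login. Separately, the POST branch still calls `$this->processResponseMsg($message)` on the kit object rather than `$login->processResponseMsg($message)`; unless LassoSPKitSAMLCommon defines that method outside this view, the POST binding cannot work (pre-existing, not introduced here).
```php
if ($retAR || $retPRM) {
    lassospkit_errlog("ssoConsumer, retAR: $retAR retPRM: $retPRM");
    return;
}
$retFF = $this->findFederation($login);
$retASSO = $login->acceptSso();
if ($retASSO) {
    lassospkit_errlog("ssoConsumer, retASSO: $retASSO retFF: $retFF");
    return;
}
$this->saveFederation($login);
// … unchanged: assertion attribute extraction and processAttributes …
```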