Skip to content

Commit

Permalink
First work
Browse files Browse the repository at this point in the history
  • Loading branch information
@tvdijen
tvdijen committed Jul 23, 2024
1 parent a6c2dbe commit 650333a
Show file tree
Hide file tree
Showing 23 changed files with 1,702 additions and 66 deletions.
1 change: 1 addition & 0 deletions phpcs.xml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -36,6 +36,7 @@
<exclude-pattern>**/HTTPRedirectTest.php</exclude-pattern>
<exclude-pattern>**/SOAPTest.php</exclude-pattern>
<exclude-pattern>tests/SAML2/Assertion/Validation/AssertionValidatorTest.php</exclude-pattern>
<exclude-pattern>tests/SAML2/Entity/ServiceProviderTest.php</exclude-pattern>
<exclude-pattern>tests/SAML2/XML/saml/AssertionTest.php</exclude-pattern>
<exclude-pattern>tests/SAML2/XML/saml/AttributeValueTest.php</exclude-pattern>
<exclude-pattern>tests/SAML2/XML/saml/AuthnContextTest.php</exclude-pattern>
Expand Down
385 changes: 380 additions & 5 deletions phpstan-baseline-dev.neon
View file

Large diffs are not rendered by default.

333 changes: 309 additions & 24 deletions phpstan-baseline.neon
View file

Large diffs are not rendered by default.

313 changes: 313 additions & 0 deletions src/SAML2/Entity/ServiceProvider.php
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,313 @@
<?php

declare(strict_types=1);

namespace SimpleSAML\SAML2\Entity;

use Exception;
use Psr\Http\Message\ServerRequestInterface;
use SimpleSAML\Assert\Assert;
use SimpleSAML\SAML2\{Binding, HTTPArtifact, Metadata, StateProviderInterface, Utils};
use SimpleSAML\SAML2\Exception\{MetadataNotFoundException, RemoteException, RuntimeException};
use SimpleSAML\SAML2\Exception\Protocol\{RequestDeniedException, ResourceNotRecognizedException};
use SimpleSAML\SAML2\Process\Validation\ResponseValidator;
use SimpleSAML\SAML2\XML\saml\{
Assertion,
AttributeStatement,
EncryptedAssertion,
EncryptedAttribute,
EncryptedID,
Subject,
};
use SimpleSAML\SAML2\XML\samlp\Response;
use SimpleSAML\XMLSecurity\Alg\Encryption\EncryptionAlgorithmFactory;
use SimpleSAML\XMLSecurity\Exception\SignatureVerificationFailedException;
use SimpleSAML\XMLSecurity\XML\{
EncryptableElementInterface,
EncryptedElementInterface,
SignableElementInterface,
SignedElementInterface,
};

use function sprintf;

/**
* Class representing a SAML 2 Service Provider.
*
* @package simplesamlphp/saml2
*/
final class ServiceProvider
{
protected ?Metadata\MetadataProviderInterface $metadataProvider = null;
protected ?StateProviderInterface $stateProvider = null;
protected ?StorageProviderInterface $storageProvider = null;
protected Metadata\IdentityProvider $idpMetadata;


/**
* @param bool $encryptedAssertions Whether assertions must be encrypted
* @param bool $disableScoping Whether to send the samlp:Scoping element in requests
* @param bool $enableUnsolicited Whether to process unsolicited responses
* @param bool $encryptNameId Whether to encrypt the NameID sent
* @param bool $signAuthnRequest Whether to sign the AuthnRequest sent
* @param bool $signLogout Whether to sign the LogoutRequest/LogoutResponse sent
* @param bool $validateLogout Whether to validate the signature of LogoutRequest/LogoutResponse received
*/
public function __construct(
protected Metadata\ServiceProvider $spMetadata,
protected readonly bool $encryptedAssertions = false,
protected readonly bool $disableScoping = false,
protected readonly bool $enableUnsolicited = false,
protected readonly bool $encryptNameId = false,
protected readonly bool $signAuthnRequest = false,
protected readonly bool $signLogout = false,
protected readonly bool $validateLogout = true,
// Use with caution - will leave any form of signature verification or token decryption up to the implementer
protected readonly bool $bypassResponseVerification = false,
// Use with caution - will leave any form of constraint validation up to the implementer
protected readonly bool $bypassConstraintValidation = false,
) {
}


/**
* Receive a verified, and optionally validated Response.
*
* Upon receiving the response from the binding, the signature will be validated first.
* Once the signature checks out, the assertions are decrypted, their signatures verified
* and then any encrypted NameID's and/or attributes are decrypted.
*
* @param \Psr\Http\Message\ServerRequestInterface $request
* @return \SimpleSAML\SAML2\XML\samlp\Response The validated response.
*
* @throws \SimpleSAML\SAML2\Exception\Protocol\UnsupportedBindingException
*/
public function receiveResponse(ServerRequestInterface $request): Response
{
$binding = Binding::getCurrentBinding($request);

if ($binding instanceof HTTPArtifact) {
if ($this->metadataProvider === null) {
throw new RuntimeException(
"A MetadataProvider is required to use the HTTP-Artifact binding.",
);
} elseif ($this->storageProvider === null) {
throw new RuntimeException(
"A StorageProvider is required to use the HTTP-Artifact binding.",
);
}

$artifact = $binding->receiveArtifact($request);
$this->idpMetadata = $this->metadataProvider->getIdPMetadataForSha1($artifact->getSourceId());

if ($this->idpMetadata === null) {
throw new MetadataNotFoundException(sprintf(
'No metadata found for remote provider with SHA1 ID: %s',
$artifact->getSourceId(),
));
}

$binding->setIdpMetadata($this->idpMetadata);
$binding->setSPMetadata($this->spMetadata);
}

$rawResponse = $binding->receive($request);
Assert::isInstanceOf($rawResponse, Response::class, ResourceNotRecognizedException::class); // Wrong type if msg

// Will return a raw Response prior to any form of verification
if ($this->bypassResponseVerification === true) {
return $rawResponse;
}

// Verify the signature (if any)
$verifiedResponse = $rawResponse->isSigned() ? $this->verifyElementSignature($rawResponse) : $rawResponse;

$state = null;
$stateId = $verifiedResponse->getInResponseTo();

if (!empty($stateId)) {
if ($this->stateProvider === null) {
throw new RuntimeException(
"A StateProvider is required to correlate responses to their initial request.",
);
}

// this should be a response to a request we sent earlier
try {
$state = $this->stateProvider::loadState($stateId, 'saml:sp:sso');
} catch (RuntimeException $e) {
// something went wrong,
Utils::getContainer()->getLogger()->warning(sprintf(
'Could not load state specified by InResponseTo: %s Processing response as unsolicited.',
$e->getMessage(),
));
}
}

if ($state === null && $this->enableUnsolicited === false) {
throw new RequestDeniedException('Unsolicited responses are denied by configuration.');
}

// check that the issuer is the one we are expecting
Assert::keyExists($state, 'ExpectedIssuer');
$issuer = $verifiedResponse->getIssuer()->getValue();

if ($state['ExpectedIssuer'] !== $issuer) {
throw new ResourceNotRecognizedException("Issuer doesn't match the one the AuthnRequest was sent to.");
}

if ($this->metadataProvider === null) {
throw new RuntimeException(
"A MetadataProvider is required to be able to perform token decryption.",
);
}

$this->idpMetadata = $this->metadataProvider->getIdPMetadata($issuer);
if ($this->idpMetadata === null) {
throw new MetadataNotFoundException(sprintf(
'No metadata found for remote identity provider with entityID: %s',
$issuer,
));
}

$responseValidator = ResponseValidator::createResponseValidator(
$this->idpMetadata,
$this->spMetadata,
$binding,
);
$responseValidator->validate($verifiedResponse);

/**
* See paragraph 6.2 of the SAML 2.0 core specifications for the applicable processing rules
*
* Long story short - Decrypt the assertion first, then validate it's signature
* Once the signature is verified, decrypt any BaseID, NameID or Attribute that's encrypted
*/
$unverifiedAssertions = $verifiedResponse->getAssertions();
$verifiedAssertions = [];
foreach ($verifiedResponse->getAssertions() as $i => $assertion) {
// Decrypt the assertions
$decryptedAssertion = ($assertion instanceof EncryptedAssertion)
? $this->decryptElement($assertion)
: $assertion;

// Verify the signature on the assertions (if any)
$verifiedAssertion = $this->verifyElementSignature($decryptedAssertion);

// Decrypt the NameID and replace it inside the assertion's Subject
$nameID = $verifiedAssertion->getSubject()?->getIdentifier();

if ($nameID instanceof EncryptedID) {
$decryptedNameID = $this->decryptElement($nameID);
$subject = new Subject($decryptedNameID, $verifiedAssertion->getSubjectConfirmation());
} else {
$subject = $verifiedAssertion->getSubject();
}

// Decrypt any occurrences of EncryptedAttribute and replace them inside the assertion's AttributeStatement
$statements = $verifiedAssertion->getStatements();
foreach ($verifiedAssertion->getStatements() as $j => $statement) {
if ($statement instanceof AttributeStatement) {
$attributes = $statement->getAttributes();
if ($statement->hasEncryptedAttributes()) {
foreach ($statement->getEncryptedAttributes() as $encryptedAttribute) {
$attributes[] = $this->decryptElement($encryptedAttribute);
}
}

$statements[$j] = new AttributeStatement($attributes);
}
}

$verifiedAssertions[] = new Assertion(
$verifiedAssertion->getIssuer(),
$verifiedAssertion->getIssueInstant(),
$verifiedAssertion->getID(),
$subject,
$verifiedAssertion->getConditions(),
$statements,
);
}

$decryptedResponse = new Response(
$verifiedResponse->getStatus(),
$verifiedResponse->getIssueInstant(),
$verifiedResponse->getIssuer(),
$verifiedResponse->getID(),
$verifiedResponse->getVersion(),
$verifiedResponse->getInResponseTo(),
$verifiedResponse->getDestination(),
$verifiedResponse->getConsent(),
$verifiedResponse->getExtensions(),
$verifiedAssertions,
);

// Will return a verified and fully decrypted Response prior to any form of validation
if ($this->bypassConstraintValidation === true) {
return $decryptedResponse;
}

// TODO: Validate assertions

return $decryptedResponse;
}


/**
* Decrypt the given element using the decryption keys provided to us.
*
* @param \SimpleSAML\XMLSecurity\XML\EncryptedElementInterface $element
* @return \SimpleSAML\XMLSecurity\EncryptableElementInterface
*
* @throws \SimpleSAML\SAML2\Exception\RuntimeException if none of the keys could be used to decrypt the element
*/
protected function decryptElement(EncryptedElementInterface $element): EncryptableElementInterface
{
$factory = $this->spMetadata->getEncryptionAlgorithmFactory();

$encryptionAlgorithm = ($factory instanceof EncryptionAlgorithmFactory)
? $element->getEncryptedData()->getEncryptionMethod()
: $element->getEncryptedKey()->getEncryptionMethod();

foreach ($this->spMetadata->getDecriptionKeys() as $decryptionKey) {
$decryptor = $factory->getAlgorithm($encryptionAlgorithm, $decryptionKey);
try {
return $element->decrypt($decryptor);
} catch (Exception $e) {
continue;
}
}

throw new RuntimeException(sprintf(
'Unable to decrypt %s with any of the available keys.',
$element::class,
));
}


/**
* Verify the signature of an element using the available validation keys.
*
* @param \SimpleSAML\XMLSecurity\XML\SignedElementInterface $element
* @return \SimpleSAML\XMLSecurity\XML\SignableElementInterface The validated element.
*
* @throws \SimpleSAML\XMLSecurity\Exception\SignatureVerificationFailedException
*/
protected function verifyElementSignature(SignedElementInterface $element): SignableElementInterface
{
$factory = $this->spMetadata->getSignatureAlgorithmFactory();
$signatureAlgorithm = $element->getSignature()->getSignedInfo()->getSignatureMethod()->getAlgorithm();

foreach ($this->spMetadata->getValidatingKeys() as $validatingKey) {
$verifier = $factory->getAlgorithm($signatureAlgorithm, $validatingKey);

try {
return $element->verify($verifier);
} catch (SignatureVerificationFailedException $e) {
continue;
}
}

throw new SignatureVerificationFailedException();
}
}
12 changes: 12 additions & 0 deletions src/SAML2/Exception/ConstraintViolationException.php
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,12 @@
<?php

declare(strict_types=1);

namespace SimpleSAML\SAML2\Exception;

/**
* Exception to be raised when validation of a constraint fails.
*/
class ConstraintViolationException extends RuntimeException
{
}
12 changes: 12 additions & 0 deletions src/SAML2/Exception/MetadataNotFoundException.php
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,12 @@
<?php

declare(strict_types=1);

namespace SimpleSAML\SAML2\Exception;

/**
* Exception to be raised when no metadata was found for a specific entityID
*/
class MetadataNotFoundException extends RuntimeException
{
}
30 changes: 30 additions & 0 deletions src/SAML2/Exception/RemoteException.php
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,30 @@
<?php

declare(strict_types=1);

namespace SimpleSAML\SAML2\Exception;

use SimpleSAML\SAML2\XML\samlp\Status;

use function sprintf;

/**
* Exception to be raised when a status other than 'success' was received.
*/
class RemoteException extends RuntimeException
{
public function __construct(Status $status)
{
$statusCode = $status->getStatusCode();
$message = $statusCode->getValue();

// Until proven necessary, we go just one level deep
foreach ($statusCode->getSubCode() as $subCode) {
$message = sprintf("%s / %s", $message, $subCode->getValue());
}

$message = sprintf("%s (%s)", $message, $status->getStatusMessage()->getValue());

parent::__construct($message);
}
}
Loading

0 comments on commit 650333a

Please sign in to comment.