Fixed casing

Boy Baukema · Boy Baukema · commit d6921bdf2643 · 2012-04-06T10:21:54.000+02:00
diff --git a/src/OneLogin/Saml/AuthRequest.php b/src/OneLogin/Saml/AuthRequest.php
@@ -0,0 +1,76 @@
+<?php
+
+/**
+ * Create a SAML authorization request.
+ */
+class OneLogin_Saml_AuthRequest
+{
+    const ID_PREFIX = 'ONELOGIN';
+
+    /**
+     * A SamlResponse class provided to the constructor.
+     * @var OneLogin_Saml_Settings
+     */
+    private $_settings;
+
+    /**
+     * Construct the response object.
+     *
+     * @param OneLogin_Saml_Settings $settings
+     *   A SamlResponse settings object containing the necessary
+     *   x509 certicate to decode the XML.
+     */
+    public function __construct(OneLogin_Saml_Settings $settings)
+    {
+        $this->_settings = $settings;
+    }
+
+    /**
+     * Generate the request.
+     *
+     * @return string A fully qualified URL that can be redirected to in order to process the authorization request.
+     */
+    public function getRedirectUrl()
+    {
+        $id = $this->_generateUniqueID();
+        $issueInstant = $this->_getTimestamp();
+
+        $request = <<<AUTHNREQUEST
+<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" 
+       ID="$id" 
+       Version="2.0" 
+       IssueInstant="$issueInstant"
+       ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" 
+       AssertionConsumerServiceURL="{$this->_settings->spReturnUrl}">
+    <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">{$this->_settings->spIssuer}</saml:Issuer>
+    <samlp:NameIDPolicy xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
+                        Format="{$this->_settings->requestedNameIdFormat}"
+                        AllowCreate="true"></samlp:NameIDPolicy>
+    <samlp:RequestedAuthnContext xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Comparison="exact">
+        <saml:AuthnContextClassRef xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
+            >urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
+    </samlp:RequestedAuthnContext>
+</samlp:AuthnRequest>";
+AUTHNREQUEST;
+
+        $deflatedRequest = gzdeflate($request);
+        $base64Request = base64_encode($deflatedRequest);
+        $encodedRequest = urlencode($base64Request);
+
+        return $this->_settings->idpSingleSignOnUrl . "?SAMLRequest=" . $encodedRequest;
+    }
+
+    private function _generateUniqueID()
+    {
+        return self::ID_PREFIX . sha1(uniqid(mt_rand(), TRUE));
+    }
+
+    private function _getTimestamp()
+    {
+        $defaultTimezone = date_default_timezone_get();
+        date_default_timezone_set('UTC');
+        $timestamp = strftime("%Y-%m-%dT%H:%M:%SZ");
+        date_default_timezone_set($defaultTimezone);
+        return $timestamp;
+    }
+}
diff --git a/src/OneLogin/Saml/Response.php b/src/OneLogin/Saml/Response.php
@@ -0,0 +1,98 @@
+<?php
+
+/**
+ * Parse the SAML response and maintain the XML for it.
+ */
+class OneLogin_Saml_Response
+{
+    /**
+     * @var OneLogin_Saml_Settings
+     */
+    private $_settings;
+
+    /**
+     * The decoded, unprocessed XML assertion provided to the constructor.
+     * @var string
+     */
+    public $assertion;
+
+    /**
+     * A DOMDocument class loaded from the $assertion.
+     * @var DomDocument
+     */
+    public $document;
+
+    /**
+     * Construct the response object.
+     *
+     * @param OneLogin_Saml_Settings $settings Settings containing the necessary X.509 certificate to decode the XML.
+     * @param string $assertion A UUEncoded SAML assertion from the IdP.
+     */
+    public function __construct(OneLogin_Saml_Settings $settings, $assertion)
+    {
+        $this->_settings = $settings;
+        $this->assertion = base64_decode($assertion);
+        $this->document = new DOMDocument();
+        $this->document->loadXML($this->assertion);
+    }
+
+    /**
+     * Determine if the SAML Response is valid using the certificate.
+     *
+     * @throws Exception
+     * @return bool Validate the document
+     */
+    public function isValid()
+    {
+        $xmlSec = new OneLogin_Saml_XmlSec($this->_settings, $this);
+        return $xmlSec->isValid();
+    }
+
+    /**
+     * Get the NameID provided by the SAML response from the IdP.
+     */
+    public function getNameId()
+    {
+        $entries = $this->_queryAssertion('/saml:Subject/saml:NameID');
+        return $entries->item(0)->nodeValue;
+    }
+
+    public function getAttributes()
+    {
+        $entries = $this->_queryAssertion('/saml:AttributeStatement/saml:Attribute');
+
+        $attributes = array();
+        /** @var $entry DOMNode */
+        foreach ($entries as $entry) {
+            $attributeName = $entry->attributes->getNamedItem('Name')->nodeValue;
+
+            $attributeValues = array();
+            foreach ($entry->childNodes as $childNode) {
+                if ($childNode->tagName === 'saml:AttributeValue'){
+                    $attributeValues[] = $childNode->nodeValue;
+                }
+            }
+
+            $attributes[$attributeName] = $attributeValues;
+        }
+        return $attributes;
+    }
+
+    /**
+     * @param string $assertionXpath
+     * @return DOMNodeList
+     */
+    private function _queryAssertion($assertionXpath)
+    {
+        $xpath = new DOMXPath($this->document);
+        $xpath->registerNamespace('samlp'   , 'urn:oasis:names:tc:SAML:2.0:protocol');
+        $xpath->registerNamespace('saml'    , 'urn:oasis:names:tc:SAML:2.0:assertion');
+        $xpath->registerNamespace('ds'      , 'http://www.w3.org/2000/09/xmldsig#');
+
+        $signatureQuery = '//ds:Reference[@URI]';
+        $id = substr($xpath->query($signatureQuery)->item(0)->getAttribute('URI'), 1);
+
+        $nameQuery = "/samlp:Response/saml:Assertion[@ID='$id']" . $assertionXpath;
+        return $xpath->query($nameQuery);
+    }
+}
diff --git a/src/OneLogin/Saml/Settings.php b/src/OneLogin/Saml/Settings.php
@@ -0,0 +1,47 @@
+<?php
+
+/**
+ * Holds SAML settings for the SamlResponse and SamlAuthRequest classes.
+ *
+ * These settings need to be filled in by the user prior to being used.
+ */
+class OneLogin_Saml_Settings
+{
+    const NAMEID_EMAIL_ADDRESS                 = 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress';
+    const NAMEID_X509_SUBJECT_NAME             = 'urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName';
+    const NAMEID_WINDOWS_DOMAIN_QUALIFIED_NAME = 'urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName';
+    const NAMEID_KERBEROS   = 'urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos';
+    const NAMEID_ENTITY     = 'urn:oasis:names:tc:SAML:2.0:nameid-format:entity';
+    const NAMEID_TRANSIENT  = 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient';
+    const NAMEID_PERSISTENT = 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent';
+
+    /**
+     * The URL to submit SAML authentication requests to.
+     * @var string
+     */
+    public $idpSingleSignOnUrl = '';
+
+    /**
+     * The x509 certificate used to authenticate the request.
+     * @var string
+     */
+    public $idpPublicCertificate = '';
+
+    /**
+     * The URL where to the SAML Response/SAML Assertion will be posted.
+     * @var string
+     */
+    public $spReturnUrl = '';
+
+    /**
+     * The name of the application.
+     * @var string
+     */
+    public $spIssuer = 'php-saml';
+
+    /**
+     * Specifies what format to return the authentication token, i.e, the email address.
+     * @var string
+     */
+    public $requestedNameIdFormat = self::NAMEID_EMAIL_ADDRESS;
+}
diff --git a/src/OneLogin/Saml/XmlSec.php b/src/OneLogin/Saml/XmlSec.php
@@ -0,0 +1,108 @@
+<?php
+
+/**
+ * Determine if the SAML response is valid using a provided x509 certificate.
+ */
+class OneLogin_Saml_XmlSec
+{
+    /**
+     * A SamlResponse class provided to the constructor.
+     * @var OneLogin_Saml_Settings
+     */
+    private $_settings;
+
+    /**
+     * The document to be tested.
+     * @var DomDocument
+     */
+    private $_document;
+
+    /**
+     * Construct the SamlXmlSec object.
+     *
+     * @param OneLogin_Saml_Settings $settings A SamlResponse settings object containing the necessary
+     *                                          x509 certicate to test the document.
+     * @param OneLogin_Saml_Response $response The document to test.
+     */
+    public function __construct(OneLogin_Saml_Settings $settings, OneLogin_Saml_Response $response)
+    {
+        $this->_settings = $settings;
+        $this->_document = $response->document;
+    }
+
+    /**
+     * Verify that the document only contains a single Assertion
+     *
+     * @return bool TRUE if the document passes.
+     */
+    public function validateNumAssertions()
+    {
+        $rootNode = $this->_document;
+        $assertionNodes = $rootNode->getElementsByTagName('Assertion');
+        return ($assertionNodes->length == 1);
+    }
+
+    /**
+     * Verify that the document is still valid according
+     *
+     * @return bool
+     */
+    public function validateTimestamps()
+    {
+        $rootNode = $this->_document;
+        $timestampNodes = $rootNode->getElementsByTagName('Conditions');
+        for ($i = 0; $i < $timestampNodes->length; $i++) {
+            $nbAttribute = $timestampNodes->item($i)->attributes->getNamedItem("NotBefore");
+            $naAttribute = $timestampNodes->item($i)->attributes->getNamedItem("NotOnOrAfter");
+            if ($nbAttribute && strtotime($nbAttribute->textContent) > time()) {
+                return false;
+            }
+            if ($naAttribute && strtotime($naAttribute->textContent) <= time()) {
+                return false;
+            }
+        }
+        return true;
+    }
+
+    /**
+     * @return bool
+     * @throws Exception
+     */
+    public function isValid()
+    {
+        $objXMLSecDSig = new XMLSecurityDSig();
+
+        $objDSig = $objXMLSecDSig->locateSignature($this->_document);
+        if (!$objDSig) {
+            throw new Exception("Cannot locate Signature Node");
+        }
+        $objXMLSecDSig->canonicalizeSignedInfo();
+        $objXMLSecDSig->idKeys = array('ID');
+
+        $retVal = $objXMLSecDSig->validateReference();
+        if (!$retVal) {
+            throw new Exception("Reference Validation Failed");
+        }
+
+        $singleAssertion = $this->validateNumAssertions();
+        if (!$singleAssertion) {
+            throw new Exception("Only one SAMLAssertion allowed");
+        }
+
+        $validTimestamps = $this->validateTimestamps();
+        if (!$validTimestamps) {
+            throw new Exception("SAMLAssertion conditions not met");
+        }
+
+        $objKey = $objXMLSecDSig->locateKey();
+        if (!$objKey) {
+            throw new Exception("We have no idea about the key");
+        }
+
+        XMLSecEnc::staticLocateKeyInfo($objKey, $objDSig);
+
+        $objKey->loadKey($this->_settings->idpPublicCertificate, FALSE, TRUE);
+
+        return ($objXMLSecDSig->verify($objKey) === 1);
+    }
+}
