From c3b26d40347b285477beac2389ce0d78281a6489 Mon Sep 17 00:00:00 2001 From: Markus Staab Date: Tue, 23 Apr 2024 09:26:12 +0200 Subject: [PATCH 01/54] Declare conditional return type --- lib/Saml2/Utils.php | 1 + 1 file changed, 1 insertion(+) diff --git a/lib/Saml2/Utils.php b/lib/Saml2/Utils.php index 24ecbd58..1a7f85f3 100644 --- a/lib/Saml2/Utils.php +++ b/lib/Saml2/Utils.php @@ -300,6 +300,7 @@ public static function getStringBetween($str, $start, $end) * @param bool $stay True if we want to stay (returns the url string) False to redirect * * @return string|null $url + * @phpstan-return ($stay is true ? string : never) * * @throws OneLogin_Saml2_Error */ From 1d2d16e1bc76f05bdeae47664a84b7f5b9a0e6ce Mon Sep 17 00:00:00 2001 From: Markus Staab Date: Tue, 23 Apr 2024 09:28:34 +0200 Subject: [PATCH 02/54] Declare conditional return types in Auth --- lib/Saml2/Auth.php | 3 +++ 1 file changed, 3 insertions(+) diff --git a/lib/Saml2/Auth.php b/lib/Saml2/Auth.php index c8a1c6f0..bb882cd0 100644 --- a/lib/Saml2/Auth.php +++ b/lib/Saml2/Auth.php @@ -246,6 +246,7 @@ public function processResponse($requestId = null) * @param bool $stay True if we want to stay (returns the url string) False to redirect * * @return string|null + * @phpstan-return ($stay is true ? string : never) * * @throws OneLogin_Saml2_Error */ @@ -498,6 +499,7 @@ public function getAttributeWithFriendlyName($friendlyName) * @param string $nameIdValueReq Indicates to the IdP the subject that should be authenticated * * @return string|null If $stay is True, it return a string with the SLO URL + LogoutRequest + parameters + * @phpstan-return ($stay is true ? string : never) * * @throws OneLogin_Saml2_Error */ 
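Review bot: The added `@phpstan-return ($stay is true ? string : never)` sits directly under a `@return string|null $url` that it contradicts — if the `$stay === false` path never returns, the method never yields `null`, so the older line should become `@return string`; the same applies to the three Auth hunks in this series (`@@ -246`, `@@ -498`, `@@ -540`). `never` is only accurate if the redirect path always terminates (an exit after the header is sent), which cannot be confirmed here because the method bodies are outside these hunks. If any path can fall through after redirecting, `string|null` is the honest annotation and the conditional one should not claim `never`.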
@@ -540,6 +542,7 @@ public function login($returnTo = null, $parameters = array(), $forceAuthn = fal * @param string|null $nameIdNameQualifier The NameID NameQualifier will be set in the LogoutRequest. * * @return string|null If $stay is True, it return a string with the SLO URL + LogoutRequest + parameters + * @phpstan-return ($stay is true ? string : never) * * @throws OneLogin_Saml2_Error */ From 9156d1d298240a2812f7eadf20a7daa56a2b1821 Mon Sep 17 00:00:00 2001 From: "Duffey, Cliff" Date: Wed, 24 Apr 2024 15:19:55 -0400 Subject: [PATCH 03/54] Add argument for setting whether to validate peer SSL certificate --- lib/Saml2/IdPMetadataParser.php | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/lib/Saml2/IdPMetadataParser.php b/lib/Saml2/IdPMetadataParser.php index 195b5691..c2121ac1 100644 --- a/lib/Saml2/IdPMetadataParser.php +++ b/lib/Saml2/IdPMetadataParser.php @@ -25,7 +25,7 @@ class OneLogin_Saml2_IdPMetadataParser * * @return array metadata info in php-saml settings format */ - public static function parseRemoteXML($url, $entityId = null, $desiredNameIdFormat = null, $desiredSSOBinding = OneLogin_Saml2_Constants::BINDING_HTTP_REDIRECT, $desiredSLOBinding = OneLogin_Saml2_Constants::BINDING_HTTP_REDIRECT) + public static function parseRemoteXML($url, $entityId = null, $desiredNameIdFormat = null, $desiredSSOBinding = OneLogin_Saml2_Constants::BINDING_HTTP_REDIRECT, $desiredSLOBinding = OneLogin_Saml2_Constants::BINDING_HTTP_REDIRECT, $validatePeer = false) { $metadataInfo = array(); @@ -37,7 +37,7 @@ public static function parseRemoteXML($url, $entityId = null, $desiredNameIdForm curl_setopt($ch, CURLOPT_CUSTOMREQUEST, "GET"); curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1); - curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0); + curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, $validatePeer); curl_setopt($ch, CURLOPT_FAILONERROR, 1); $xml = curl_exec($ch); 
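Review bot: The new `$validatePeer = false` default keeps `CURLOPT_SSL_VERIFYPEER` disabled for every existing caller of `parseRemoteXML`, so remote IdP metadata — which carries the IdP signing certificate the SP will go on to trust — is still fetched over TLS without authenticating the server, and with `CURLOPT_FOLLOWLOCATION` enabled the same applies to whatever the redirect lands on. The safe default is `$validatePeer = true`, with callers that genuinely need an unverified endpoint passing `false` explicitly; that is a behaviour change for anyone relying on self-signed metadata hosts, so it should be called out in the CHANGELOG entry this series already adds. The docblock hunk just above (`@@ -25,7`) adds no entry for the new parameter; suggest ` * @param bool $validatePeer Whether to verify the remote TLS certificate (CURLOPT_SSL_VERIFYPEER); leave enabled outside of test setups`. The rest of parseRemoteXML's body is outside the hunk.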
From 3553bc4d18b3f187ee1e5cb67369776fc39ac25f Mon Sep 17 00:00:00 2001 From: Sixto Martin Date: Sat, 27 Apr 2024 00:48:37 +0200 Subject: [PATCH 04/54] Fix not_before_failed payload --- tests/data/responses/invalids/not_before_failed.xml.base64 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/data/responses/invalids/not_before_failed.xml.base64 b/tests/data/responses/invalids/not_before_failed.xml.base64 index de62f5e4..fc102046 100644 --- a/tests/data/responses/invalids/not_before_failed.xml.base64 +++ b/tests/data/responses/invalids/not_before_failed.xml.base64 @@ -1 +1 @@ -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 From 2cc05760ca04bab315da773be2113ca2e9fa44e3 Mon Sep 17 00:00:00 2001 From: Sixto Martin Date: Mon, 13 May 2024 13:12:47 +0200 Subject: [PATCH 05/54] #577 Allow empty NameID value when no strict or wantNameId is false --- lib/Saml2/Response.php | 10 +-- .../invalids/no_value_nameid.xml.base64 | 1 + tests/src/OneLogin/Saml2/ResponseTest.php | 65 +++++++++++++++++++ 3 files changed, 71 insertions(+), 5 deletions(-) create mode 100644 tests/data/responses/invalids/no_value_nameid.xml.base64 diff --git a/lib/Saml2/Response.php b/lib/Saml2/Response.php index 1b57400e..3fb1dc52 100644 --- a/lib/Saml2/Response.php +++ b/lib/Saml2/Response.php @@ -165,7 +165,7 @@ public function isValid($requestId = null) } $currentURL = OneLogin_Saml2_Utils::getSelfRoutedURLNoQuery(); - + $responseInResponseTo = null; if ($this->document->documentElement->hasAttribute('InResponseTo')) { $responseInResponseTo = $this->document->documentElement->getAttribute('InResponseTo'); @@ -357,7 +357,7 @@ public function isValid($requestId = null) OneLogin_Saml2_ValidationError::NO_SIGNED_ASSERTION ); } - + if ($security['wantMessagesSigned'] && !$hasSignedResponse) { throw new OneLogin_Saml2_ValidationError( "The Message of the Response is not signed and the SP requires it", 
@@ -600,8 +600,8 @@ public function getNameIdData() $nameIdData = array(); + $security = $this->_settings->getSecurityData(); if (!isset($nameId)) { - $security = $this->_settings->getSecurityData(); if ($security['wantNameId']) { throw new OneLogin_Saml2_ValidationError( "NameID not found in the assertion of the Response", @@ -609,7 +609,7 @@ public function getNameIdData() ); } } else { - if ($this->_settings->isStrict() && empty($nameId->nodeValue)) { + if ($this->_settings->isStrict() && $security['wantNameId'] && empty($nameId->nodeValue)) { throw new OneLogin_Saml2_ValidationError( "An empty NameID value found", OneLogin_Saml2_ValidationError::EMPTY_NAMEID @@ -1129,7 +1129,7 @@ protected function _decryptAssertion($dom) $objKeyInfo->loadKey($pem, false, false); } } - + if (empty($objKey->key)) { $objKey->loadKey($key); } diff --git a/tests/data/responses/invalids/no_value_nameid.xml.base64 b/tests/data/responses/invalids/no_value_nameid.xml.base64 new file mode 100644 index 00000000..6213ba73 --- /dev/null +++ b/tests/data/responses/invalids/no_value_nameid.xml.base64 @@ -0,0 +1 @@ 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 diff --git a/tests/src/OneLogin/Saml2/ResponseTest.php b/tests/src/OneLogin/Saml2/ResponseTest.php index 8c63e055..806d8802 100644 --- a/tests/src/OneLogin/Saml2/ResponseTest.php +++ b/tests/src/OneLogin/Saml2/ResponseTest.php 
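Review bot: The relaxed condition at `@@ -609` means that in strict mode with `security.wantNameId` false, `getNameIdData()` now returns an array whose `'Value'` is `''` instead of throwing, and nothing in the hunk records that contract for callers that key a session or account lookup on the NameID value. Suggest a docblock line on `getNameIdData` (its signature is above the hunk): ` * When security.wantNameId is false an empty NameID is accepted and returned with Value '' — callers must treat an empty Value as "no subject identifier", never as a valid user key.` The check still uses `empty($nameId->nodeValue)`, so a NameID whose literal value is `"0"` is rejected as empty; that pre-dates this change, but `$nameId->nodeValue === ''` would be the precise test. Hoisting `$security = $this->_settings->getSecurityData();` at `@@ -600` makes it run on every call rather than only when no NameID is present, which looks intentional since the else-branch now needs it. getNameIdData's body starts and ends outside these hunks.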
@@ -405,6 +405,71 @@ public function testGetNameIdData() } catch (OneLogin_Saml2_ValidationError $e) { $this->assertContains('An empty NameID value found', $e->getMessage()); } + + $xml7 = file_get_contents(TEST_ROOT . '/data/responses/invalids/no_value_nameid.xml.base64'); + $response11 = new OneLogin_Saml2_Response($this->_settings, $xml7); + $nameIdData12 = $response11->getNameIdData(); + $expectedNameIdData10 = array( + 'Value' => "", + 'Format' => "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" + ); + $this->assertEquals($expectedNameIdData10, $nameIdData12); + + $settingsDir = TEST_ROOT .'/settings/'; + include $settingsDir.'settings1.php'; + + $settingsInfo['strict'] = true; + $settingsInfo['security']['wantNameId'] = true; + + $settings = new OneLogin_Saml2_Settings($settingsInfo); + $response12 = new OneLogin_Saml2_Response($settings, $xml7); + + try { + $nameIdData13 = $response12->getNameIdData(); + $this->fail('OneLogin_Saml2_ValidationError was not raised'); + } catch (OneLogin_Saml2_ValidationError $e) { + $this->assertContains('An empty NameID value found', $e->getMessage()); + } + + $settingsInfo['security']['wantNameId'] = false; + + $settings = new OneLogin_Saml2_Settings($settingsInfo); + $response13 = new OneLogin_Saml2_Response($settings, $xml7); + + $nameIdData14 = $response13->getNameIdData(); + + $expectedNameIdData11 = array( + 'Value' => "", + 'Format' => "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" + ); + $this->assertEquals($expectedNameIdData11, $nameIdData14); + + $settingsInfo['strict'] = false; + $settingsInfo['security']['wantNameId'] = true; + + $settings = new OneLogin_Saml2_Settings($settingsInfo); + $response14 = new OneLogin_Saml2_Response($settings, $xml7); + + $nameIdData15 = $response14->getNameIdData(); + + $expectedNameIdData12 = array( + 'Value' => "", + 'Format' => "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" + ); + $this->assertEquals($expectedNameIdData12, $nameIdData15); + + 
$settingsInfo['security']['wantNameId'] = false; + + $settings = new OneLogin_Saml2_Settings($settingsInfo); + $response15 = new OneLogin_Saml2_Response($settings, $xml7); + + $nameIdData16 = $response15->getNameIdData(); + + $expectedNameIdData13 = array( + 'Value' => "", + 'Format' => "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" + ); + $this->assertEquals($expectedNameIdData13, $nameIdData16); } /** From a08c1686a5aa95d11e666887808185afc03862e4 Mon Sep 17 00:00:00 2001 From: Sixto Martin Date: Mon, 20 May 2024 01:01:37 +0200 Subject: [PATCH 06/54] Support X509 cert comments --- lib/Saml2/Utils.php | 34 ++++++++-------- tests/certs/with.comment.crt | 17 ++++++++ tests/src/OneLogin/Saml2/AuthTest.php | 56 ++++++++++---------------- tests/src/OneLogin/Saml2/UtilsTest.php | 7 +++- 4 files changed, 63 insertions(+), 51 deletions(-) create mode 100644 tests/certs/with.comment.crt diff --git a/lib/Saml2/Utils.php b/lib/Saml2/Utils.php index 1a7f85f3..c0e35346 100644 --- a/lib/Saml2/Utils.php +++ b/lib/Saml2/Utils.php 
@@ -208,27 +208,29 @@ public static function treeCopyReplace(DomNode $targetNode, DomNode $sourceNode, /** * Returns a x509 cert (adding header & footer if required). * - * @param string $cert A x509 unformated cert - * @param bool $heads True if we want to include head and footer + * @param string $x509cert A x509 unformated cert + * @param bool $heads True if we want to include head and footer * * @return string $x509 Formatted cert */ + public static function formatCert($x509cert, $heads = true) + { + if (is_null($x509cert)) { + return; + } - public static function formatCert($cert, $heads = true) - { - $x509cert = str_replace(array("\x0D", "\r", "\n"), "", $cert); - if (!empty($x509cert)) { - $x509cert = str_replace('-----BEGIN CERTIFICATE-----', "", $x509cert); - $x509cert = str_replace('-----END CERTIFICATE-----', "", $x509cert); - $x509cert = str_replace(' ', '', $x509cert); - - if ($heads) { - $x509cert = "-----BEGIN CERTIFICATE-----\n".chunk_split($x509cert, 64, "\n")."-----END CERTIFICATE-----\n"; - } + if (strpos($x509cert, '-----BEGIN CERTIFICATE-----') !== false) { + $x509cert = static::getStringBetween($x509cert, '-----BEGIN CERTIFICATE-----', '-----END CERTIFICATE-----'); + } - } - return $x509cert; - } + $x509cert = str_replace(array("\x0d", "\r", "\n", " "), '', $x509cert); + + if ($heads && $x509cert !== '') { + $x509cert = "-----BEGIN CERTIFICATE-----\n".chunk_split($x509cert, 64, "\n")."-----END CERTIFICATE-----\n"; + } + + return $x509cert; + } /** * Returns a private key (adding header & footer if required). diff --git a/tests/certs/with.comment.crt b/tests/certs/with.comment.crt new file mode 100644 index 00000000..ed0e9729 --- /dev/null +++ b/tests/certs/with.comment.crt 
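Review bot: The rewritten `formatCert` keeps only the first `-----BEGIN CERTIFICATE-----`…`-----END CERTIFICATE-----` block via `getStringBetween`, so a PEM input holding several certificates (a chain, or an old and a new signing cert during rollover) is silently reduced to one; the previous code did not handle that case well either, but the new behaviour should be stated, e.g. ` * Only the first PEM block is used; text before the BEGIN marker (comments) and any further certificates are dropped.` The early `return;` for a null input contradicts the `@return string` docblock — either `return null;` and document `string|null`, or return `''` so callers can rely on a string. `"\x0d"` and `"\r"` in the `str_replace` list are the same byte, so one of them is redundant. What `getStringBetween` returns when the END marker is missing is outside this hunk; if it yields `''` (as the `$x509cert !== ''` guard suggests), a truncated certificate becomes an empty string rather than an error, which is worth confirming and documenting.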
@@ -0,0 +1,17 @@ +# certificate comments should be ignored +-----BEGIN CERTIFICATE----- +MIICgTCCAeoCCQCbOlrWDdX7FTANBgkqhkiG9w0BAQUFADCBhDELMAkGA1UEBhMC +Tk8xGDAWBgNVBAgTD0FuZHJlYXMgU29sYmVyZzEMMAoGA1UEBxMDRm9vMRAwDgYD +VQQKEwdVTklORVRUMRgwFgYDVQQDEw9mZWlkZS5lcmxhbmcubm8xITAfBgkqhkiG +9w0BCQEWEmFuZHJlYXNAdW5pbmV0dC5ubzAeFw0wNzA2MTUxMjAxMzVaFw0wNzA4 +MTQxMjAxMzVaMIGEMQswCQYDVQQGEwJOTzEYMBYGA1UECBMPQW5kcmVhcyBTb2xi +ZXJnMQwwCgYDVQQHEwNGb28xEDAOBgNVBAoTB1VOSU5FVFQxGDAWBgNVBAMTD2Zl +aWRlLmVybGFuZy5ubzEhMB8GCSqGSIb3DQEJARYSYW5kcmVhc0B1bmluZXR0Lm5v +MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDivbhR7P516x/S3BqKxupQe0LO +NoliupiBOesCO3SHbDrl3+q9IbfnfmE04rNuMcPsIxB161TdDpIesLCn7c8aPHIS +KOtPlAeTZSnb8QAu7aRjZq3+PbrP5uW3TcfCGPtKTytHOge/OlJbo078dVhXQ14d +1EDwXJW1rRXuUt4C8QIDAQABMA0GCSqGSIb3DQEBBQUAA4GBACDVfp86HObqY+e8 +BUoWQ9+VMQx1ASDohBjwOsg2WykUqRXF+dLfcUH9dWR63CtZIKFDbStNomPnQz7n +bK+onygwBspVEbnHuUihZq3ZUdmumQqCw4Uvs/1Uvq3orOo/WJVhTyvLgFVK2Qar +Q4/67OZfHd7R+POBXhophSMv1ZOo +-----END CERTIFICATE----- diff --git a/tests/src/OneLogin/Saml2/AuthTest.php b/tests/src/OneLogin/Saml2/AuthTest.php index 908a7994..86d4e30b 100644 --- a/tests/src/OneLogin/Saml2/AuthTest.php +++ b/tests/src/OneLogin/Saml2/AuthTest.php 
@@ -817,22 +817,16 @@ public function testProcessSLORequestRelayState() $_GET['SAMLRequest'] = $message; $_GET['RelayState'] = 'http://relaystate.com/'; - try { - $this->_auth->setStrict(true); - $this->_auth->processSLO(false); - $this->assertFalse(true); - } catch (Exception $e) { - $this->assertContains('Cannot modify header information', $e->getMessage()); - $trace = $e->getTrace(); - $targetUrl = getUrlFromRedirect($trace); - $parsedQuery = getParamsFromUrl($targetUrl); + $this->_auth->setStrict(true); + $targetUrl = $this->_auth->processSLO(false, null, false, null, true); - $sloUrl = $this->_settingsInfo['idp']['singleLogoutService']['url']; - $this->assertContains($sloUrl, $targetUrl); - $this->assertArrayHasKey('SAMLResponse', $parsedQuery); - $this->assertArrayHasKey('RelayState', $parsedQuery); - $this->assertEquals('http://relaystate.com/', $parsedQuery['RelayState']); - } + $parsedQuery = getParamsFromUrl($targetUrl); + + $sloResponseUrl = $this->_settingsInfo['idp']['singleLogoutService']['responseUrl']; + $this->assertContains($sloResponseUrl, $targetUrl); + $this->assertArrayHasKey('SAMLResponse', $parsedQuery); + $this->assertArrayHasKey('RelayState', $parsedQuery); + $this->assertEquals('http://relaystate.com/', $parsedQuery['RelayState']); } /** 
@@ -860,28 +854,22 @@ public function testProcessSLORequestSignedResponse() $plainMessage = str_replace('http://stuff.com/endpoints/endpoints/sls.php', $currentURL, $plainMessage); $message = base64_encode(gzdeflate($plainMessage)); + unset($_GET['SAMLResponse']); $_GET['SAMLRequest'] = $message; $_GET['RelayState'] = 'http://relaystate.com/'; - try { - $auth->setStrict(true); - $auth->processSLO(false); - $this->assertFalse(true); - } catch (Exception $e) { - $this->assertContains('Cannot modify header information', $e->getMessage()); - $trace = $e->getTrace(); - $targetUrl = getUrlFromRedirect($trace); - $parsedQuery = getParamsFromUrl($targetUrl); - - $sloUrl = $settingsInfo['idp']['singleLogoutService']['url']; - $this->assertContains($sloUrl, $targetUrl); - $this->assertArrayHasKey('SAMLResponse', $parsedQuery); - $this->assertArrayHasKey('RelayState', $parsedQuery); - $this->assertArrayHasKey('SigAlg', $parsedQuery); - $this->assertArrayHasKey('Signature', $parsedQuery); - $this->assertEquals('http://relaystate.com/', $parsedQuery['RelayState']); - $this->assertEquals(XMLSecurityKey::RSA_SHA1, $parsedQuery['SigAlg']); - } + $auth->setStrict(true); + $targetUrl = $auth->processSLO(false, null, false, null, true); + $parsedQuery = getParamsFromUrl($targetUrl); + + $sloUrl = $settingsInfo['idp']['singleLogoutService']['responseUrl']; + $this->assertContains($sloUrl, $targetUrl); + $this->assertArrayHasKey('SAMLResponse', $parsedQuery); + $this->assertArrayHasKey('RelayState', $parsedQuery); + $this->assertArrayHasKey('SigAlg', $parsedQuery); + $this->assertArrayHasKey('Signature', $parsedQuery); + $this->assertEquals('http://relaystate.com/', $parsedQuery['RelayState']); + $this->assertEquals(XMLSecurityKey::RSA_SHA1, $parsedQuery['SigAlg']); } /** diff --git a/tests/src/OneLogin/Saml2/UtilsTest.php b/tests/src/OneLogin/Saml2/UtilsTest.php index c3226c36..b2fcbb8b 100644 --- a/tests/src/OneLogin/Saml2/UtilsTest.php 
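Review bot: The `unset($_GET['SAMLResponse']);` added at the top of this hunk is a symptom of superglobal state leaking between tests; rather than patching individual cases, reset `$_GET = array();` in `setUp()` or `tearDown()` so every test starts clean — the need for the unset implies a stale `SAMLResponse` from an earlier test changes how `processSLO` interprets the request. The rest of the rewrite (calling `processSLO(false, null, false, null, true)` and asserting on the returned URL instead of catching the header exception) is a clear improvement, and the same cleanup would apply to the previous hunk (`@@ -817`) if it shares that state. testProcessSLORequestSignedResponse starts outside the hunk.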
+++ b/tests/src/OneLogin/Saml2/UtilsTest.php @@ -46,7 +46,7 @@ public function testLoadXML() try { $res1 = OneLogin_Saml2_Utils::loadXML($dom, $metadataUnloaded); $this->assertFalse($res1); - } catch (Exception $e) { + } catch (\Exception $e) { $this->assertEquals('DOMDocument::loadXML(): Premature end of data in tag EntityDescriptor line 1 in Entity, line: 1', $e->getMessage()); } @@ -206,6 +206,11 @@ public function testFormatCert() $this->assertNotContains('-----END CERTIFICATE-----', $formatedCert6); $this->assertEquals(strlen($cert2), 860); + $cert = file_get_contents(TEST_ROOT.'/certs/with.comment.crt'); + $formatedCert7 = OneLogin_Saml2_Utils::formatCert($cert, true); + $this->assertContains('-----BEGIN CERTIFICATE-----', $formatedCert7); + $this->assertContains('-----END CERTIFICATE-----', $formatedCert7); + $this->assertNotContains('comments', $formatedCert7); } /** From f43b38875b09371c34c8a21bf358335aa97e83dc Mon Sep 17 00:00:00 2001 From: Sixto Martin Date: Mon, 27 May 2024 01:42:33 +0200 Subject: [PATCH 07/54] Add parameter to exclude validUntil on SP Metadata XML --- lib/Saml2/Metadata.php | 23 +++++++++++++++++------ tests/src/OneLogin/Saml2/MetadataTest.php | 4 ++++ 2 files changed, 21 insertions(+), 6 deletions(-) diff --git a/lib/Saml2/Metadata.php b/lib/Saml2/Metadata.php index 9343ac44..303184b3 100644 --- a/lib/Saml2/Metadata.php +++ b/lib/Saml2/Metadata.php 
@@ -21,10 +21,11 @@ class OneLogin_Saml2_Metadata * @param array $contacts Contacts info * @param array $organization Organization ingo * @param array $attributes + * @param bool $ignoreValidUntil exclude the validUntil tag from metadata * * @return string SAML Metadata XML */ - public static function builder($sp, $authnsign = false, $wsign = false, $validUntil = null, $cacheDuration = null, $contacts = array(), $organization = array(), $attributes = array()) + public static function builder($sp, $authnsign = false, $wsign = false, $validUntil = null, $cacheDuration = null, $contacts = array(), $organization = array(), $attributes = array(), $ignoreValidUntil = false) { if (!isset($validUntil)) { @@ -144,27 +145,37 @@ public static function builder($sp, $authnsign = false, $wsign = false, $validUn $requestedAttributeStr = implode(PHP_EOL, $requestedAttributeData); $strAttributeConsumingService = << + + {$sp['attributeConsumingService']['serviceName']} {$attrCsDesc}{$requestedAttributeStr} METADATA_TEMPLATE; } + if ($ignoreValidUntil) { + $timeStr = << {$sls} {$sp['NameIDFormat']} - {$strAttributeConsumingService} + index="1" />{$strAttributeConsumingService} {$strOrganization}{$strContacts} METADATA_TEMPLATE; diff --git a/tests/src/OneLogin/Saml2/MetadataTest.php b/tests/src/OneLogin/Saml2/MetadataTest.php index c6a8e6d1..5ce3e471 100644 --- a/tests/src/OneLogin/Saml2/MetadataTest.php +++ b/tests/src/OneLogin/Saml2/MetadataTest.php @@ -41,6 +41,7 @@ public function testBuilder() $this->assertContains('sp_test', $metadata); $this->assertContains('', $metadata); $this->assertContains('technical_name', $metadata); + $this->assertContains('validUntil', $metadata); $security['authnRequestsSigned'] = true; $security['wantAssertionsSigned'] = true; 
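Review bot: The new `$ignoreValidUntil` flag produces SP metadata without a `validUntil` attribute, but the added `@param` line does not say what that means for the consumer: nothing in such metadata tells an importing IdP when to stop trusting the SP's signing certificate unless `$cacheDuration` is set. Suggest ` * @param bool $ignoreValidUntil If true, omit the validUntil attribute; the metadata then carries no expiry unless $cacheDuration is provided`. The `if (!isset($validUntil))` default computation still runs when the value is about to be ignored — harmless, but it could be skipped. The heredoc template lines in this hunk appear garbled in this view (the `<<<` markers and tag brackets are missing), so whether the `$ignoreValidUntil` branch also drops `cacheDuration` could not be checked; builder's body continues outside the hunk.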
@@ -55,6 +56,9 @@ public function testBuilder() $this->assertNotContains('assertNotContains(' Location="http://stuff.com/endpoints/endpoints/sls.php"/>', $metadata2); + + $metadata3 = OneLogin_Saml2_Metadata::builder($spData, $security['authnRequestsSigned'], $security['wantAssertionsSigned'], null, null, $contacts, $organization, array(), true); + $this->assertNotContains('validUntil=', $metadata3); } /** From d86ee7d2a1fab1d631c0a264da16e929252a6931 Mon Sep 17 00:00:00 2001 From: Sixto Martin Date: Thu, 30 May 2024 12:42:26 +0200 Subject: [PATCH 08/54] Add more tests to cover spValidationOnly param --- lib/Saml2/Auth.php | 4 ++-- tests/src/OneLogin/Saml2/AuthTest.php | 29 +++++++++++++++++++++++ tests/src/OneLogin/Saml2/SettingsTest.php | 29 +++++++++++++++++++++++ 3 files changed, 60 insertions(+), 2 deletions(-) diff --git a/lib/Saml2/Auth.php b/lib/Saml2/Auth.php index bb882cd0..956c5052 100644 --- a/lib/Saml2/Auth.php +++ b/lib/Saml2/Auth.php @@ -143,8 +143,8 @@ class OneLogin_Saml2_Auth /** * Initializes the SP SAML instance. * - * @param array|object|null $oldSettings Setting data (You can provide a OneLogin_Saml_Settings, the settings object of the Saml folder implementation) - * @param bool $spValidationOnly if you only as an SP , you should set it to false if not you should set it to true + * @param array|object|null $oldSettings Setting data (You can provide a OneLogin_Saml_Settings, the settings object of the Saml folder implementation) + * @param bool $spValidationOnly If true, The library will only validate the SAML SP settings * * @throws OneLogin_Saml2_Error */ diff --git a/tests/src/OneLogin/Saml2/AuthTest.php b/tests/src/OneLogin/Saml2/AuthTest.php index 86d4e30b..172509eb 100644 --- a/tests/src/OneLogin/Saml2/AuthTest.php +++ b/tests/src/OneLogin/Saml2/AuthTest.php 
@@ -39,6 +39,35 @@ public function testGetSettings() $this->assertEquals($authSettings, $settings); } + /** + * Tests the use of the spValidationOnly at OneLogin_Saml2_Auth + * + * @covers OneLogin_Saml2_Auth + */ + public function testSpValidateOnly() + { + $settingsDir = TEST_ROOT .'/settings/'; + include $settingsDir.'settings2.php'; + unset($settingsInfo['idp']); + + $auth = new OneLogin_Saml2_Auth($settingsInfo, true); + $this->assertEmpty($auth->getErrors()); + + try { + $auth2 = new OneLogin_Saml2_Auth($settingsInfo, false); + $this->fail('Error was not raised'); + } catch (OneLogin_Saml2_Error $e) { + $this->assertContains('idp_not_found', $e->getMessage()); + } + + try { + $auth3 = new OneLogin_Saml2_Auth($settingsInfo); + $this->fail('Error was not raised'); + } catch (OneLogin_Saml2_Error $e) { + $this->assertContains('idp_not_found', $e->getMessage()); + } + } + /** * Tests the getLastRequestID method of the OneLogin_Saml2_Auth class * diff --git a/tests/src/OneLogin/Saml2/SettingsTest.php b/tests/src/OneLogin/Saml2/SettingsTest.php index be03fe76..c32b079c 100644 --- a/tests/src/OneLogin/Saml2/SettingsTest.php +++ b/tests/src/OneLogin/Saml2/SettingsTest.php 
@@ -74,6 +74,35 @@ public function testLoadSettingsFromFile() $this->assertEmpty($settings->getErrors()); } + /** + * Tests the use of the spValidationOnly at OneLogin_Saml2_Settings + * + * @covers OneLogin_Saml2_Settings + */ + public function testSpValidateOnly() + { + $settingsDir = TEST_ROOT .'/settings/'; + include $settingsDir.'settings2.php'; + unset($settingsInfo['idp']); + + $settings = new OneLogin_Saml2_Settings($settingsInfo, true); + $this->assertEmpty($settings->getErrors()); + + try { + $settings2 = new OneLogin_Saml2_Settings($settingsInfo, false); + $this->fail('Error was not raised'); + } catch (OneLogin_Saml2_Error $e) { + $this->assertContains('idp_not_found', $e->getMessage()); + } + + try { + $settings3 = new OneLogin_Saml2_Settings($settingsInfo); + $this->fail('Error was not raised'); + } catch (OneLogin_Saml2_Error $e) { + $this->assertContains('idp_not_found', $e->getMessage()); + } + } + /** * Tests getCertPath method of the OneLogin_Saml2_Settings * From 03d14fba914eb1a1bb13bfbc3d6ab305905e961b Mon Sep 17 00:00:00 2001 From: Sixto Martin Date: Thu, 30 May 2024 13:45:40 +0200 Subject: [PATCH 09/54] Update xmlseclibs --- extlib/xmlseclibs/xmlseclibs.php | 76 +++++++++++++++++++------------- 1 file changed, 46 insertions(+), 30 deletions(-) diff --git a/extlib/xmlseclibs/xmlseclibs.php b/extlib/xmlseclibs/xmlseclibs.php index d1095c8a..5139d62d 100644 --- a/extlib/xmlseclibs/xmlseclibs.php +++ b/extlib/xmlseclibs/xmlseclibs.php @@ -37,7 +37,7 @@ * @author Robert Richards * @copyright 2007-2019 Robert Richards * @license http://www.opensource.org/licenses/bsd-license.php BSD License - * @version 3.0.4 modified + * @version 3.1.2 modified */ class XMLSecurityKey { 
@@ -198,13 +198,13 @@ public function getSymmetricKeySize() { } return $this->cryptParams['keysize']; } - + public function generateSessionKey() { if (!isset($this->cryptParams['keysize'])) { throw new Exception('Unknown key size for type "' . $this->type . '".'); } $keysize = $this->cryptParams['keysize']; - + if (function_exists('openssl_random_pseudo_bytes')) { /* We have PHP >= 5.3 - use openssl to generate session key. */ $key = openssl_random_pseudo_bytes($keysize); @@ -212,7 +212,7 @@ public function generateSessionKey() { /* Generating random key using iv generation routines */ $key = mcrypt_create_iv($keysize, MCRYPT_RAND); } - + if ($this->type === XMLSecurityKey::TRIPLEDES_CBC) { /* Make sure that the generated key has the proper parity bits set. * Mcrypt doesn't care about the parity bits, but others may care. @@ -227,7 +227,7 @@ public function generateSessionKey() { $key[$i] = chr($byte); } } - + $this->key = $key; return $key; } @@ -281,6 +281,10 @@ public function loadKey($key, $isFile=false, $isCert = false) { $this->key = openssl_get_publickey($this->key); } else { $this->key = openssl_get_privatekey($this->key, $this->passphrase); + + if ($this->key === false) { + throw new Exception('Unable to extract private key (invalid key or passphrase): ' . openssl_error_string()); + } } } else if (isset($this->cryptParams['cipher']) && $this->cryptParams['cipher'] == MCRYPT_RIJNDAEL_128) { /* Check key length */ @@ -469,7 +473,7 @@ static function convertRSA($modulus, $exponent) { public function serializeKey($parent) { } - + /** @@ -557,7 +561,7 @@ public function __construct() { private function resetXPathObj() { $this->xPathCtx = null; } - + private function getXPathObj() { if (empty($this->xPathCtx) && ! empty($this->sigNode)) { $xpath = new DOMXPath($this->sigNode->ownerDocument); 
@@ -654,7 +658,7 @@ private function canonicalizeData($node, $canonicalmethod, $arXPath=null, $prefi $withComments = true; break; } - + if (is_null($arXPath) && ($node instanceof DOMNode) && ($node->ownerDocument !== null) && $node->isSameNode($node->ownerDocument->documentElement)) { /* Check for any PI or comments as they would have been excluded */ $element = $node; @@ -668,7 +672,7 @@ private function canonicalizeData($node, $canonicalmethod, $arXPath=null, $prefi $node = $node->ownerDocument; } } - + return $node->C14N($exclusive, $withComments, $arXPath, $prefixList); } @@ -686,10 +690,22 @@ public function canonicalizeSignedInfo() { if ($signInfoNode = $nodeset->item(0)) { $query = "./secdsig:CanonicalizationMethod"; $nodeset = $xpath->query($query, $signInfoNode); + $prefixList = null; if ($canonNode = $nodeset->item(0)) { $canonicalmethod = $canonNode->getAttribute('Algorithm'); + foreach ($canonNode->childNodes as $node) + { + if ($node->localName == 'InclusiveNamespaces') { + if ($pfx = $node->getAttribute('PrefixList')) { + $arpfx = array_filter(explode(' ', $pfx)); + if (count($arpfx) > 0) { + $prefixList = array_merge($prefixList ? $prefixList : array(), $arpfx); + } + } + } + } } - $this->signedInfo = $this->canonicalizeData($signInfoNode, $canonicalmethod); + $this->signedInfo = $this->canonicalizeData($signInfoNode, $canonicalmethod, null, $prefixList); return $this->signedInfo; } } @@ -918,10 +934,10 @@ public function validateReference() { if ($nodeset->length == 0) { throw new Exception("Reference nodes not found"); } - + /* Initialize/reset the list of validated nodes. */ $this->validatedNodes = array(); - + foreach ($nodeset AS $refNode) { if (! $this->processRefNode($refNode)) { /* Clear the list of validated nodes. */ 
@@ -976,8 +992,8 @@ private function addRefInternal($sinfoNode, $node, $algorithm, $arTransforms=nul foreach ($arTransforms AS $transform) { $transNode = $this->createNewSignNode('Transform'); $transNodes->appendChild($transNode); - if (is_array($transform) && - (! empty($transform['http://www.w3.org/TR/1999/REC-xpath-19991116'])) && + if (is_array($transform) && + (! empty($transform['http://www.w3.org/TR/1999/REC-xpath-19991116'])) && (! empty($transform['http://www.w3.org/TR/1999/REC-xpath-19991116']['query']))) { $transNode->setAttribute('Algorithm', 'http://www.w3.org/TR/1999/REC-xpath-19991116'); $XPathNode = $this->createNewSignNode('XPath', $transform['http://www.w3.org/TR/1999/REC-xpath-19991116']['query']); @@ -1134,7 +1150,7 @@ public function appendKey($objKey, $parent=null) { * * @param $node The node the signature element should be inserted into. * @param $beforeNode The node the signature element should be located before. - * + * * @return DOMNode The signature element node */ public function insertSignature($node, $beforeNode = null) { @@ -1196,9 +1212,9 @@ static function staticAdd509Cert($parentRef, $cert, $isPEMFormat=true, $isURL=fa if (! $parentRef instanceof DOMElement) { throw new Exception('Invalid parent Node parameter'); } - + list($parentRef, $keyInfo) = self::auxKeyInfo($parentRef, $xpath); - + // Add all certs if there are more than one $certs = XMLSecurityDSig::staticGet509XCerts($cert, $isPEMFormat); @@ -1217,7 +1233,7 @@ static function staticAdd509Cert($parentRef, $cert, $isPEMFormat=true, $isURL=fa $subjectName = true; } } - + // Attach all certificate nodes and any additional data foreach ($certs as $X509Cert){ if ($issuerSerial || $subjectName) { 
@@ -1236,7 +1252,7 @@ static function staticAdd509Cert($parentRef, $cert, $isPEMFormat=true, $isURL=fa } $subjectNameValue = implode(',', $parts); } else { - $subjectNameValue = $certData['issuer']; + $subjectNameValue = $certData['subject']; } $x509SubjectNode = $baseDoc->createElementNS(XMLSecurityDSig::XMLDSIGNS, 'ds:X509SubjectName', $subjectNameValue); $x509DataNode->appendChild($x509SubjectNode); @@ -1251,17 +1267,17 @@ static function staticAdd509Cert($parentRef, $cert, $isPEMFormat=true, $isURL=fa } else { $issuerName = $certData['issuer']; } - + $x509IssuerNode = $baseDoc->createElementNS(XMLSecurityDSig::XMLDSIGNS, 'ds:X509IssuerSerial'); $x509DataNode->appendChild($x509IssuerNode); - + $x509Node = $baseDoc->createElementNS(XMLSecurityDSig::XMLDSIGNS, 'ds:X509IssuerName', $issuerName); $x509IssuerNode->appendChild($x509Node); $x509Node = $baseDoc->createElementNS(XMLSecurityDSig::XMLDSIGNS, 'ds:X509SerialNumber', $certData['serialNumber']); $x509IssuerNode->appendChild($x509Node); } } - + } $x509CertNode = $baseDoc->createElementNS(XMLSecurityDSig::XMLDSIGNS, 'ds:X509Certificate', $X509Cert); $x509DataNode->appendChild($x509CertNode); @@ -1273,14 +1289,14 @@ public function add509Cert($cert, $isPEMFormat=true, $isURL=false, $options=null self::staticAdd509Cert($this->sigNode, $cert, $isPEMFormat, $isURL, $xpath, $options); } } - + /** * This function appends a node to the KeyInfo. * * The KeyInfo element will be created if one does not exist in the document. * * @param DOMNode $node The node to append to the KeyInfo. - * + * * @return DOMNode The KeyInfo element node */ public function appendToKeyInfo($node) { @@ -1289,12 +1305,12 @@ public function appendToKeyInfo($node) { $xpath = $this->getXPathObj(); list($parentRef, $keyInfo) = self::auxKeyInfo($parentRef, $xpath); - + $keyInfo->appendChild($node); - + return $keyInfo; } - + static function auxKeyInfo($parentRef, $xpath=null) { $baseDoc = $parentRef->ownerDocument; 
@@ -1302,7 +1318,7 @@ static function auxKeyInfo($parentRef, $xpath=null) $xpath = new DOMXPath($parentRef->ownerDocument); $xpath->registerNamespace('secdsig', XMLSecurityDSig::XMLDSIGNS); } - + $query = "./secdsig:KeyInfo"; $nodeset = $xpath->query($query, $parentRef); $keyInfo = $nodeset->item(0); @@ -1507,7 +1523,7 @@ public function getCipherValue() { * @params XMLSecurityKey $objKey The decryption key that should be used when decrypting the node. * @params boolean $replace Whether we should replace the encrypted node in the XML document with the decrypted data. The default is true. * @return string|DOMElement The decrypted data. - */ + */ public function decryptNode($objKey, $replace=true) { if (! $objKey instanceof XMLSecurityKey) { throw new Exception('Invalid Key'); @@ -1707,7 +1723,7 @@ static function staticLocateKeyInfo($objBaseKey=null, $node=null) { if ($x509certNodes = $child->getElementsByTagName('X509Certificate')) { if ($x509certNodes->length > 0) { $x509cert = $x509certNodes->item(0)->textContent; - $x509cert = str_replace(array("\r", "\n", " "), "", $x509cert); + $x509cert = str_replace(array("\r", "\n", " ", "\t"), "", $x509cert); $x509cert = "-----BEGIN CERTIFICATE-----\n".chunk_split($x509cert, 64, "\n")."-----END CERTIFICATE-----\n"; $objBaseKey->loadKey($x509cert, false, true); } From 17d9a81791243bc80658983bd5dc6c90e106b3f5 Mon Sep 17 00:00:00 2001 From: Sixto Martin Date: Thu, 30 May 2024 17:11:58 +0200 Subject: [PATCH 10/54] Prepare release 2.20.0 --- CHANGELOG | 24 +++++++++++++++++++++++- lib/Saml2/version.json | 4 ++-- 2 files changed, 25 insertions(+), 3 deletions(-) diff --git a/CHANGELOG b/CHANGELOG index 08a1a53a..dc1389b3 100644 --- a/CHANGELOG +++ b/CHANGELOG 
@@ -1,5 +1,27 @@ CHANGELOG ========= + + +v.2.20.0 +* [#586](https://github.com/SAML-Toolkits/php-saml/pull/586) IdPMetadataParser::parseRemoteXML - Add argument for setting whether to validate peer SSL certificate +* [#585](https://github.com/SAML-Toolkits/php-saml/pull/585) Declare conditional return types +* Make Saml2\Auth can accept a param $spValidationOnly +* [#577](https://github.com/SAML-Toolkits/php-saml/pull/577) Allow empty NameID value when no strict or wantNameId is false +* [#570](https://github.com/SAML-Toolkits/php-saml/pull/570) Support X509 cert comments +* [#569](https://github.com/SAML-Toolkits/php-saml/pull/569) Add parameter to exclude validUntil on SP Metadata XML +* [#551](https://github.com/SAML-Toolkits/php-saml/pull/551) Fix compatibility with proxies that extends HTTP_X_FORWARDED_HOST +* [#487](https://github.com/SAML-Toolkits/php-saml/issues/487) Enable strict check on in_array method +* Fix typos on readme. +* [#480](https://github.com/SAML-Toolkits/php-saml/pull/480) Fix typo on SPNameQualifier mismatch error message +* Add $spValidationOnly param to Auth +* Update xmlseclibs (3.1.2 without AES-GCM and OAEP support) +* Add warning about Open Redirect and Reply attacks +* Add warning about the use of IdpMetadataParser class. If Metadata URLs + are provided by 3rd parties, the URL inputs MUST be validated to avoid issues like SSRF +* Update dependencies +* Fix test payloads +* Remove references to OneLogin. + v.2.19.1 * [#467](https://github.com/onelogin/php-saml/issues/467) Fix bug on getSelfRoutedURLNoQuery method @@ -176,7 +198,7 @@ v.2.7.0 * Fix PHP 7 error (used continue outside a loop/switch). * Fix bug on organization element of the SP metadata builder. * Fix typos on documentation. Fix ALOWED Misspell. -* Be able to extract RequestID. Add RequestID validation on demo1. +* Be able to extract RequestID. Add RequestID validation on demo1. * Add $stay parameter to login, logout and processSLO method. v.2.6.1 
diff --git a/lib/Saml2/version.json b/lib/Saml2/version.json index ac6f7011..1beb2b6e 100644 --- a/lib/Saml2/version.json +++ b/lib/Saml2/version.json @@ -1,6 +1,6 @@ { "php-saml": { - "version": "2.19.1", - "released": "02/03/2021" + "version": "2.20.0", + "released": "30/05/2024" } } From 0de0875b14e463db7f97c459a1d7a6899403b026 Mon Sep 17 00:00:00 2001 From: Sixto Martin Date: Thu, 30 May 2024 17:33:19 +0200 Subject: [PATCH 11/54] Add reference to 4.X branch on Readme --- README.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index d7b6cf12..020da37c 100644 --- a/README.md +++ b/README.md @@ -5,7 +5,9 @@ Add SAML support to your PHP software using this library. -**The 3.X branch is compatible with PHP > 7.1, so if you are using that PHP version, use it and not the 2.X or the master branch** +**The 3.X branch is compatible with PHP 7.0, PHP 7.1, PHP 7.2 , so if you are using that PHP version, use it and not the 2.X or the master branch** + +**The 4.X branch is compatible with PHP >= 7.3 and PHP 8.X** Warning ------- From cadabb78de2590e82fbacbb01351acf60ab26042 Mon Sep 17 00:00:00 2001 From: Sixto Martin Date: Thu, 20 Jun 2024 17:03:24 +0200 Subject: [PATCH 12/54] Run CI on 3.X and 4.X branch --- .github/workflows/php-package.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/php-package.yml b/.github/workflows/php-package.yml index ea1b48bb..4f12009f 100644 --- a/.github/workflows/php-package.yml +++ b/.github/workflows/php-package.yml @@ -5,9 +5,9 @@ name: php-saml package on: push: - branches: [ master, 2.* ] + branches: [ master, 3.*, 4.* ] pull_request: - branches: [ master, 2.* ] + branches: [ master, 3.*, 4.* ] jobs: test: From 3305ba9724be81a6adc45f1edab618d0e96a07b2 Mon Sep 17 00:00:00 2001 
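Review bot: Both `branches:` lists drop the `2.*` pattern while adding `3.*` and `4.*`, so pushes and pull requests on 2.x maintenance branches stop running the test job unless they land on master. The version.json hunk in this same series bumps the library to 2.20.0, which suggests a 2.x line is still being released; if so, `branches: [ master, 2.*, 3.*, 4.* ]` on both the push and pull_request lines keeps it covered. If dropping CI for 2.x is intentional, the commit message should say so, since the subject only mentions adding 3.X and 4.X.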
From: Jeff Puckett <84726901+jpuckett-di@users.noreply.github.com> Date: Wed, 17 Jul 2024 14:38:54 -0400 Subject: [PATCH 13/54] doc fix typos --- README.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 020da37c..027d9330 100644 --- a/README.md +++ b/README.md @@ -191,14 +191,14 @@ a trusted and expected URL. Read more about Open Redirect [CWE-601](https://cwe.mitre.org/data/definitions/601.html). -### Avoiding Reply attacks ### +### Avoiding Replay attacks ### -A reply attack is basically try to reuse an intercepted valid SAML Message in order to impersonate a SAML action (SSO or SLO). +A replay attack is basically try to reuse an intercepted valid SAML Message in order to impersonate a SAML action (SSO or SLO). SAML Messages have a limited timelife (NotBefore, NotOnOrAfter) that make harder this kind of attacks, but they are still possible. -In order to avoid them, the SP can keep a list of SAML Messages or Assertion IDs alredy valdidated and processed. Those values only need +In order to avoid them, the SP can keep a list of SAML Messages or Assertion IDs alredy validated and processed. Those values only need to be stored the amount of time of the SAML Message life time, so we don't need to store all processed message/assertion Ids, but the most recent ones. From aab9c54b84f5dfab2c4ed6897502691e8065c615 Mon Sep 17 00:00:00 2001 From: mrbrown8 Date: Tue, 20 Aug 2024 09:21:03 -0600 Subject: [PATCH 14/54] mispelings --- demo1/index.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/demo1/index.php b/demo1/index.php index 8e1babd9..d1d8bbcb 100644 --- a/demo1/index.php +++ b/demo1/index.php @@ -105,7 +105,7 @@ $auth->processSLO(false, $requestID); $errors = $auth->getErrors(); if (empty($errors)) { - echo '

Sucessfully logged out

'; + echo '

Successfully logged out

'; } else { echo '

', htmlentities(implode(', ', $errors)), '

'; if ($auth->getSettings()->isDebugActive()) { From 2f5d8642bb0a95c27d3b09a9e5e7be4bc8167e74 Mon Sep 17 00:00:00 2001 From: mrbrown8 Date: Tue, 20 Aug 2024 09:23:03 -0600 Subject: [PATCH 15/54] mispelings --- demo1/Readme.txt | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/demo1/Readme.txt b/demo1/Readme.txt index d8810676..392ae176 100644 --- a/demo1/Readme.txt +++ b/demo1/Readme.txt @@ -43,7 +43,7 @@ How it works notice that a RelayState parameter is set to the url that initiated the process, the index.php view. - 2.2 in the second link we access to (attrs.php) have the same process described at 2.1 with the diference that as RelayState is set the attrs.php + 2.2 in the second link we access to (attrs.php) have the same process described at 2.1 with the difference that as RelayState is set the attrs.php 3. The SAML Response is processed in the ACS (index.php?acs), if the Response is not valid, the process stop here and a message is showed. Otherwise we @@ -64,7 +64,7 @@ How it works side, the logout process is initiated at the idP, sends a Logout Request to the SP (SLS endpoint, index.php?sls). The SLS endpoint of the SP process the Logout Request and if is valid, close the session of the user at the local app and send a Logout Response to the IdP (to the SLS endpoint - of the IdP). The IdP recieve the Logout Response, process it and close the + of the IdP). The IdP receive the Logout Response, process it and close the session at of the IdP. Notice that the SLO Workflow starts and ends at the IdP. Notice that all the SAML Requests and Responses are handler at a unique file, From cd75650d4b253ec91c66c9c32ceb7fc4fca7b1a9 Mon Sep 17 00:00:00 2001 From: mrbrown8 Date: Tue, 20 Aug 2024 10:03:44 -0600 Subject: [PATCH 16/54] mispelings --- demo2/Readme.txt | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/demo2/Readme.txt b/demo2/Readme.txt index 7a34800f..1be1ab01 100644 --- a/demo2/Readme.txt +++ b/demo2/Readme.txt 
@@ -54,7 +54,7 @@ demo1, only changes the targets. 3. We are logged in the app and the user attributes are showed. At this point, we can test the single log out functionality. - 4. The single log out funcionality could be tested by 2 ways. + 4. The single log out functionality could be tested by 2 ways. 4.1 SLO Initiated by SP. Click on the "logout" link at the SP, after that we are redirected to the slo.php view and there a Logout Request is sent @@ -69,7 +69,7 @@ demo1, only changes the targets. Request to the SP (SLS endpoint sls.php of the endpoint folder). The SLS endpoint of the SP process the Logout Request and if is valid, close the session of the user at the local app and sends a Logout Response - to the IdP (to the SLS endpoint of the IdP).The IdP recieves the Logout + to the IdP (to the SLS endpoint of the IdP).The IdP receives the Logout Response, process it and close the session at of the IdP. Notice that the SLO Workflow starts and ends at the IdP. From 249746cf0c1543c471843d93093ffe5c9820d4af Mon Sep 17 00:00:00 2001 From: mrbrown8 Date: Tue, 20 Aug 2024 10:06:02 -0600 Subject: [PATCH 17/54] mispelings --- endpoints/sls.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/endpoints/sls.php b/endpoints/sls.php index 7dd508ba..909376e3 100644 --- a/endpoints/sls.php +++ b/endpoints/sls.php @@ -14,7 +14,7 @@ $errors = $auth->getErrors(); if (empty($errors)) { - echo 'Sucessfully logged out'; + echo 'Successfully logged out'; } else { echo htmlentities(implode(', ', $errors)); } From c1d65128eb90b8d6972c9c0e374284bf5d663f43 Mon Sep 17 00:00:00 2001 From: mrbrown8 Date: Tue, 20 Aug 2024 10:25:11 -0600 Subject: [PATCH 18/54] mispelings --- lib/Saml2/schemas/saml-schema-authn-context-types-2.0.xsd | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/lib/Saml2/schemas/saml-schema-authn-context-types-2.0.xsd b/lib/Saml2/schemas/saml-schema-authn-context-types-2.0.xsd index 8513959a..12ef3d42 100644 
--- a/lib/Saml2/schemas/saml-schema-authn-context-types-2.0.xsd +++ b/lib/Saml2/schemas/saml-schema-authn-context-types-2.0.xsd @@ -63,7 +63,7 @@ - Refers to those characterstics that describe how the + Refers to those characteristics that describe how the 'secret' (the knowledge or possession of which allows the Principal to authenticate to the Authentication Authority) is kept secure @@ -429,7 +429,7 @@ This element indicates that the Authenticator has been - transmitted using a transport mechnanism protected by an SSL or TLS + transmitted using a transport mechanism protected by an SSL or TLS session. From ea9837f91bc1069a30b3929b92a4e0f7fa95c4fe Mon Sep 17 00:00:00 2001 From: mrbrown8 Date: Tue, 20 Aug 2024 11:09:24 -0600 Subject: [PATCH 19/54] mispelings --- lib/Saml2/Response.php | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/lib/Saml2/Response.php b/lib/Saml2/Response.php index 3fb1dc52..229bb3a7 100644 --- a/lib/Saml2/Response.php +++ b/lib/Saml2/Response.php @@ -218,7 +218,7 @@ public function isValid($requestId = null) ); } - // Validate Asserion timestamps + // Validate Assertion timestamps $this->validateTimestamps(); // Validate AuthnStatement element exists and is unique @@ -1068,7 +1068,7 @@ protected function _queryAssertion($assertionXpath) } /** - * Extracts nodes that match the query from the DOMDocument (Response Menssage) + * Extracts nodes that match the query from the DOMDocument (Response Message) * * @param string $query Xpath Expresion * From dc1bcf9075ba2242bdd1bcfa3903a076918f70d7 Mon Sep 17 00:00:00 2001 From: mrbrown8 Date: Tue, 20 Aug 2024 11:11:40 -0600 Subject: [PATCH 20/54] mispelings --- lib/Saml2/LogoutResponse.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/Saml2/LogoutResponse.php b/lib/Saml2/LogoutResponse.php index 21c1adad..763ee0ca 100644 --- a/lib/Saml2/LogoutResponse.php +++ b/lib/Saml2/LogoutResponse.php 
@@ -213,7 +213,7 @@ public function isValid($requestId = null, $retrieveParametersFromServer = false } /** - * Extracts a node from the DOMDocument (Logout Response Menssage) + * Extracts a node from the DOMDocument (Logout Response Message) * * @param string $query Xpath Expresion * From e4ca41610c79b7028b5f56698a1fbd4496d2b2d5 Mon Sep 17 00:00:00 2001 From: mrbrown8 Date: Tue, 20 Aug 2024 11:12:50 -0600 Subject: [PATCH 21/54] mispelings --- lib/Saml2/LogoutRequest.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/Saml2/LogoutRequest.php b/lib/Saml2/LogoutRequest.php index 882a8daf..2a4a6a1e 100644 --- a/lib/Saml2/LogoutRequest.php +++ b/lib/Saml2/LogoutRequest.php @@ -136,7 +136,7 @@ public function __construct(OneLogin_Saml2_Settings $settings, $request = null, /** - * Returns the Logout Request defated, base64encoded, unsigned + * Returns the Logout Request deflated, base64encoded, unsigned * * @param bool|null $deflate Whether or not we should 'gzdeflate' the request body before we return it. * From ee5666df32b43fe66895dd851ee43c668bfdad60 Mon Sep 17 00:00:00 2001 From: mrbrown8 Date: Tue, 20 Aug 2024 11:23:00 -0600 Subject: [PATCH 22/54] mispelings --- lib/Saml2/Settings.php | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/lib/Saml2/Settings.php b/lib/Saml2/Settings.php index 358bf5ea..660f56cc 100644 --- a/lib/Saml2/Settings.php +++ b/lib/Saml2/Settings.php @@ -672,7 +672,7 @@ public function checkSPSettings($settings) if (!isset($contact['givenName']) || empty($contact['givenName']) || !isset($contact['emailAddress']) || empty($contact['emailAddress']) ) { - $errors[] = 'contact_not_enought_data'; + $errors[] = 'contact_not_enough_data'; break; } } 
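Review bot: `'contact_not_enought_data'` is not a comment but a value appended to `$errors` inside checkSPSettings and presumably returned to callers, so any caller or test that compares against the old identifier stops matching once it becomes `'contact_not_enough_data'`; the same applies to `'organization_not_enought_data'` in the following hunk. The spelling fix is right, but it changes returned error identifiers rather than documentation and deserves a CHANGELOG entry and a search of the tests and demo code for the old strings. If downstream compatibility matters, the rename could be called out as a breaking change or the old identifier emitted alongside the new one for a release. The body of checkSPSettings starts and continues outside both hunks.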
@@ -684,7 +684,7 @@ public function checkSPSettings($settings) || !isset($organization['displayname']) || empty($organization['displayname']) || !isset($organization['url']) || empty($organization['url']) ) { - $errors[] = 'organization_not_enought_data'; + $errors[] = 'organization_not_enough_data'; break; } } @@ -1040,7 +1040,7 @@ public function formatIdPCert() } /** - * Formats the Multple IdP certs. + * Formats the Multiple IdP certs. */ public function formatIdPCertMulti() { From 44c8a56c744c7cfc1c63cff9f05401abfc9c0509 Mon Sep 17 00:00:00 2001 From: mrbrown8 Date: Tue, 20 Aug 2024 11:24:53 -0600 Subject: [PATCH 23/54] mispelings --- lib/Saml2/Response.php | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/lib/Saml2/Response.php b/lib/Saml2/Response.php index 229bb3a7..a74a0e22 100644 --- a/lib/Saml2/Response.php +++ b/lib/Saml2/Response.php @@ -983,9 +983,9 @@ public function validateSignedElements($signedElements) $responseTag = '{'.OneLogin_Saml2_Constants::NS_SAMLP.'}Response'; $assertionTag = '{'.OneLogin_Saml2_Constants::NS_SAML.'}Assertion'; - $ocurrence = array_count_values($signedElements); - if ((in_array($responseTag, $signedElements) && $ocurrence[$responseTag] > 1) || - (in_array($assertionTag, $signedElements) && $ocurrence[$assertionTag] > 1) || + $occurrence = array_count_values($signedElements); + if ((in_array($responseTag, $signedElements) && $occurrence[$responseTag] > 1) || + (in_array($assertionTag, $signedElements) && $occurrence[$assertionTag] > 1) || !in_array($responseTag, $signedElements) && !in_array($assertionTag, $signedElements) ) { return false; From ecaad90b37c6d5681aa7cc5475dd34a1a86e844d Mon Sep 17 00:00:00 2001 From: mrbrown8 Date: Tue, 20 Aug 2024 11:35:44 -0600 Subject: [PATCH 24/54] mispelings --- tests/ZendModStandard/Sniffs/Debug/CodeAnalyzerSniff.php | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/tests/ZendModStandard/Sniffs/Debug/CodeAnalyzerSniff.php b/tests/ZendModStandard/Sniffs/Debug/CodeAnalyzerSniff.php index d926ee38..675d86f3 100644 --- a/tests/ZendModStandard/Sniffs/Debug/CodeAnalyzerSniff.php +++ b/tests/ZendModStandard/Sniffs/Debug/CodeAnalyzerSniff.php @@ -75,11 +75,11 @@ public function process(PHP_CodeSniffer_File $phpcsFile, $stackPtr) // There is the possibility to pass "--ide" as an option to the analyzer. // This would result in an output format which would be easier to parse. - // The problem here is that no cleartext error messages are returnwd; only + // The problem here is that no cleartext error messages are returned; only // error-code-labels. So for a start we go for cleartext output. $exitCode = exec($cmd, $output, $retval); - // $exitCode is the last line of $output if no error occures, on error it + // $exitCode is the last line of $output if no error occurs, on error it // is numeric. Try to handle various error conditions and provide useful // error reporting. if (is_numeric($exitCode) === true && $exitCode > 0) { From d356ee12874300d89ca7937bcdab82d4e0a7fb8c Mon Sep 17 00:00:00 2001 From: mrbrown8 Date: Tue, 20 Aug 2024 13:25:39 -0600 Subject: [PATCH 25/54] mispelings --- tests/ZendModStandard/ruleset.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/ZendModStandard/ruleset.xml b/tests/ZendModStandard/ruleset.xml index 80c14224..2a3eddc4 100644 --- a/tests/ZendModStandard/ruleset.xml +++ b/tests/ZendModStandard/ruleset.xml @@ -1,6 +1,6 @@ - A coding standard based on an early Zend Framework coding standard. Note that this standard is out of date. And removed the line lenght limitation + A coding standard based on an early Zend Framework coding standard. Note that this standard is out of date. And removed the line length limitation From 21b336f91a4fbd423713169cfe91f8e7a9e180fd Mon Sep 17 00:00:00 2001 
From: mrbrown8 Date: Tue, 20 Aug 2024 14:23:20 -0600 Subject: [PATCH 26/54] mispelings --- tests/data/metadata/idp/idp_metadata_multi_certs.xml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/tests/data/metadata/idp/idp_metadata_multi_certs.xml b/tests/data/metadata/idp/idp_metadata_multi_certs.xml index f993f64a..90d36ff0 100644 --- a/tests/data/metadata/idp/idp_metadata_multi_certs.xml +++ b/tests/data/metadata/idp/idp_metadata_multi_certs.xml @@ -1,5 +1,5 @@ - + @@ -68,8 +68,8 @@ WQO0LPxPqRiUqUzyhDhLo/xXNrHCu4VbMw== - + urn:oasis:names:tc:SAML:2.0:nameid-format:transient - + - \ No newline at end of file + From 19e06db757a8f1f544449b51b50c7d1c6daef367 Mon Sep 17 00:00:00 2001 From: mrbrown8 Date: Tue, 20 Aug 2024 14:24:51 -0600 Subject: [PATCH 27/54] mispelings --- .../data/metadata/idp/idp_metadata_multi_signing_certs.xml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/tests/data/metadata/idp/idp_metadata_multi_signing_certs.xml b/tests/data/metadata/idp/idp_metadata_multi_signing_certs.xml index 0cba257a..ef436f68 100644 --- a/tests/data/metadata/idp/idp_metadata_multi_signing_certs.xml +++ b/tests/data/metadata/idp/idp_metadata_multi_signing_certs.xml @@ -1,5 +1,5 @@ - + @@ -68,8 +68,8 @@ WQO0LPxPqRiUqUzyhDhLo/xXNrHCu4VbMw== - + urn:oasis:names:tc:SAML:2.0:nameid-format:transient - + From 04c7ddb897507d5aefc42a18bf0862edb71b6f82 Mon Sep 17 00:00:00 2001 From: mrbrown8 Date: Tue, 20 Aug 2024 14:25:36 -0600 Subject: [PATCH 28/54] mispelings --- tests/data/metadata/idp/metadata.xml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/tests/data/metadata/idp/metadata.xml b/tests/data/metadata/idp/metadata.xml index c2ca6739..0e24b2cc 100644 --- a/tests/data/metadata/idp/metadata.xml +++ b/tests/data/metadata/idp/metadata.xml @@ -1,5 +1,5 @@ - + @@ -68,8 +68,8 @@ WQO0LPxPqRiUqUzyhDhLo/xXNrHCu4VbMw== - + urn:oasis:names:tc:SAML:2.0:nameid-format:transient - + - \ No newline at end of file + 
From 55adac86f8b9e06e23ad86e5870217794d76ec2e Mon Sep 17 00:00:00 2001 From: mrbrown8 Date: Tue, 20 Aug 2024 14:28:34 -0600 Subject: [PATCH 29/54] mispelings and decorative repair --- tests/data/metadata/idp/shib_metadata.xml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/tests/data/metadata/idp/shib_metadata.xml b/tests/data/metadata/idp/shib_metadata.xml index 5196db56..c28814c3 100644 --- a/tests/data/metadata/idp/shib_metadata.xml +++ b/tests/data/metadata/idp/shib_metadata.xml @@ -1,7 +1,7 @@