1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
|
<?php
/**
* A filter for limiting which attributes are passed on.
*
* @author Olav Morken, UNINETT AS.
* @package simpleSAMLphp
*/
class sspmod_core_Auth_Process_AttributeLimit extends SimpleSAML_Auth_ProcessingFilter {
/**
* List of attributes which this filter will allow through.
*/
private $allowedAttributes = array();
/**
* Whether the 'attributes' option in the metadata takes precedence.
*
* @var bool
*/
private $isDefault = FALSE;
/**
* Initialize this filter.
*
* @param array $config Configuration information about this filter.
* @param mixed $reserved For future use
* @throws SimpleSAML_Error_Exception If invalid configuration is found.
*/
public function __construct($config, $reserved) {
parent::__construct($config, $reserved);
assert('is_array($config)');
foreach ($config as $index => $value) {
if ($index === 'default') {
$this->isDefault = (bool)$value;
} elseif (is_int($index)) {
if (!is_string($value)) {
throw new SimpleSAML_Error_Exception('AttributeLimit: Invalid attribute name: ' .
var_export($value, TRUE));
}
$this->allowedAttributes[] = $value;
} elseif (is_string($index)) {
if (!is_array($value)) {
throw new SimpleSAML_Error_Exception('AttributeLimit: Values for ' . var_export($index, TRUE) .
' must be specified in an array.');
}
$this->allowedAttributes[$index] = $value;
} else {
throw new SimpleSAML_Error_Exception('AttributeLimit: Invalid option: ' . var_export($index, TRUE));
}
}
}
/**
* Get list of allowed from the SP/IdP config.
*
* @param array &$request The current request.
* @return array|NULL Array with attribute names, or NULL if no limit is placed.
*/
private static function getSPIdPAllowed(array &$request) {
if (array_key_exists('attributes', $request['Destination'])) {
/* SP Config. */
return $request['Destination']['attributes'];
}
if (array_key_exists('attributes', $request['Source'])) {
/* IdP Config. */
return $request['Source']['attributes'];
}
return NULL;
}
/**
* Apply filter to remove attributes.
*
* Removes all attributes which aren't one of the allowed attributes.
*
* @param array &$request The current request
* @throws SimpleSAML_Error_Exception If invalid configuration is found.
*/
public function process(&$request) {
assert('is_array($request)');
assert('array_key_exists("Attributes", $request)');
if ($this->isDefault) {
$allowedAttributes = self::getSPIdPAllowed($request);
if ($allowedAttributes === NULL) {
$allowedAttributes = $this->allowedAttributes;
}
} elseif (!empty($this->allowedAttributes)) {
$allowedAttributes = $this->allowedAttributes;
} else {
$allowedAttributes = self::getSPIdPAllowed($request);
if ($allowedAttributes === NULL) {
return; /* No limit on attributes. */
}
}
$attributes =& $request['Attributes'];
foreach ($attributes as $name => $values) {
if (!in_array($name, $allowedAttributes, TRUE)) {
// the attribute name is not in the array of allowed attributes
if (array_key_exists($name, $allowedAttributes)) {
// but it is an index of the array
if (!is_array($allowedAttributes[$name])) {
throw new SimpleSAML_Error_Exception('AttributeLimit: Values for ' . var_export($name, TRUE) .
' must be specified in an array.');
}
$attributes[$name] = array_intersect($attributes[$name], $allowedAttributes[$name]);
if (!empty($attributes[$name])) {
continue;
}
}
unset($attributes[$name]);
}
}
}
}
|
