File: ExpiryWarning.php

package info (click to toggle)
simplesamlphp 1.14.11-1%2Bdeb9u2
  • links: PTS, VCS
  • area: main
  • in suites: stretch
  • size: 15,024 kB
  • sloc: php: 72,337; xml: 1,078; python: 376; sh: 220; perl: 185; makefile: 57
file content (93 lines) | stat: -rw-r--r-- 3,170 bytes parent folder | download 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
 
<?php

/**
 * Filter which shows a warning if the user's client certificate is about to expire.
 *
 ** <code>
 * // show about2xpire warning if client certificate is about to expire
 * 10 => array(
 *     'class' => 'authX509:ExpiryWarning',
 *     'warndaysbefore' => '30',
 * ),
 * </code>
 *
 * @author Joost van Dijk, SURFnet. <Joost.vanDijk@surfnet.nl>
 * @package SimpleSAMLphp
 */
class sspmod_authX509_Auth_Process_ExpiryWarning extends SimpleSAML_Auth_ProcessingFilter {

    private $warndaysbefore = 30;
    private $renewurl = null;

    /**
     * Initialize this filter.
     *
     * @param array $config  Configuration information about this filter.
     * @param mixed $reserved  For future use.
     */
    public function __construct($config, $reserved) {
        parent::__construct($config, $reserved);

        assert('is_array($config)');

        if (array_key_exists('warndaysbefore', $config)) {
            $this->warndaysbefore = $config['warndaysbefore'];
            if (!is_string($this->warndaysbefore)) {
                throw new Exception('Invalid value for \'warndaysbefore\'-option to authX509::ExpiryWarning filter.');
            }
        }

        if (array_key_exists('renewurl', $config)) {
            $this->renewurl = $config['renewurl'];
            if (!is_string($this->renewurl)) {
                throw new Exception('Invalid value for \'renewurl\'-option to authX509::ExpiryWarning filter.');
            }
        }
    }

    /**
     * Process an authentication response.
     *
     * This function saves the state, and if necessary redirects the user to the page where the user
     * is informed about the expiry date of his/her certificate.
     *
     * @param array $state  The state of the response.
     */
    public function process(&$state) {
        assert('is_array($state)');

        if (isset($state['isPassive']) && $state['isPassive'] === TRUE) {
            // We have a passive request. Skip the warning
            return;
        }

        if (!isset($_SERVER['SSL_CLIENT_CERT']) ||
            ($_SERVER['SSL_CLIENT_CERT'] == '')) {
            return;
        }

        $client_cert = $_SERVER['SSL_CLIENT_CERT'];
        $client_cert_data = openssl_x509_parse($client_cert);
        if ($client_cert_data == FALSE) {
            SimpleSAML_Logger::error('authX509: invalid cert');
            return;
        }
        $validTo = $client_cert_data['validTo_time_t'];
        $now = time();
        $daysleft = (int)(($validTo - $now) / (24*60*60));
        if ($daysleft > $this->warndaysbefore) {
            // We have a certificate that will be valid for some time. Skip the warning
            return;
        }

        SimpleSAML_Logger::warning('authX509: user certificate expires in ' . $daysleft . ' days');
        $state['daysleft'] = $daysleft;
        $state['renewurl'] = $this->renewurl;

        /* Save state and redirect. */
        $id = SimpleSAML_Auth_State::saveState($state, 'warning:expire');
        $url = SimpleSAML_Module::getModuleURL('authX509/expirywarning.php');
        \SimpleSAML\Utils\HTTP::redirectTrustedURL($url, array('StateId' => $id));
    }

}