Update code for SSP 2.0

tvdijen · thijskh · commit 94b4a00f1825 · 2022-08-17T17:00:29.000+02:00
diff --git a/lib/Auth/Process/SFO.php b/lib/Auth/Process/SFO.php
@@ -1,18 +1,44 @@
 <?php
 
-use \SimpleSAML_Configuration as Configuration;
+declare(strict_types=1);
+
+namespace SimpleSAML\Module\stepup-sfo;
+
+use Exception;
+use SAML2\AuthnRequest;
+use SAML2\Binding;
+use SAML2\Constants as C;
+use SAML2\XML\saml\NameID;
+use SimpleSAML\Auth;
+use SimpleSAML\Configuration;
+use SimpleSAML\Error;
+use SimpleSAML\Logger;
+use SimpleSAML\Metadata\MetaDataStorageHandler;
+use SimpleSAML\Module;
+use SimpleSAML\Module\saml\Message;
+
+use function in_array;
+use function sprintf;
+use function substr;
+use function var_export;
 
 /**
  * @package SimpleSAMLphp
  */
-class sspmod_stepupsfo_Auth_Process_SFO extends SimpleSAML_Auth_ProcessingFilter
+class SFO extends Auth\ProcessingFilter
 {
+    /** @var array */
+    private array $metadata;
 
-    private $metadata;
-    private $idpMetadata;
+    /** @var array */
+    private array $idpMetadata;
+
+    /** @var string */
+    private string $subjectidattribute;
+
+    /** @var array */
+    private array $skipentities = [];
 
-    private $subjectidattribute;
-    private $skipentities = [];
 
     /**
      * Initialize this filter.
@@ -25,7 +51,7 @@ public function __construct(array $config, $reserved)
         parent::__construct($config, $reserved);
 
         $this->subjectidattribute = $config['subjectattribute'];
-        if ( isset($config['skipentities']) ) {
+        if (isset($config['skipentities']) ) {
             $this->skipentities = $config['skipentities'];
         }
 
@@ -35,96 +61,100 @@ public function __construct(array $config, $reserved)
         $this->metadata = Configuration::loadFromArray($config);
     }
 
+
     /**
      * Process an authentication response.
      *
      * @param array $state  The state of the response.
      */
-    public function process(&$state)
+    public function process(array &$state): void
     {
         foreach($this->skipentities as $skip) {
             if ($skip === $state['SPMetadata']['entityid'] || in_array($skip, $state['saml:RequesterID'], true)) {
-                SimpleSAML\Logger::info('SFO - skipping SFO for entity ' . var_export($skip, true));
+                Logger::info('SFO - skipping SFO for entity ' . var_export($skip, true));
                 return;
             }
         }
 
         $state['sfo:sp:metadata'] = $this->metadata;
         $state['sfo:idp:entityid'] = $this->idpMetadata->getString('entityid');
-        $samlstateid = SimpleSAML_Auth_State::saveState($state, 'stepupsfo:pre');
+        $samlstateid = Auth\State::saveState($state, 'stepupsfo:pre');
 
-        if ( empty($state['Attributes'][$this->subjectidattribute]) ) {
+        if (empty($state['Attributes'][$this->subjectidattribute]) ) {
             throw new Exception("Subjectid " . $this->subjectidattribute . " not found in attributes.");
         }
 
         $subjectid = $state['Attributes'][$this->subjectidattribute][0];
-        if ( substr($subjectid,0,18) !== 'urn:collab:person:' ) {
+        if (substr($subjectid,0,18) !== 'urn:collab:person:' ) {
             throw new Exception("Subjectid " . var_export($subjectid,true) . " does not start with urn:collab:person:");
         }
 
-        $nameid = new \SAML2\XML\saml\NameID();
+        $nameid = new NameID();
         $nameid->setValue($subjectid);
 
         // Start the authentication request
         $this->startSFO($this->idpMetadata, $nameid, $samlstateid);
     }
 
+
     /**
      * Retrieve the metadata of an IdP.
      *
      * @param string $entityId  The entity id of the IdP.
-     * @return SimpleSAML_Configuration  The metadata of the IdP.
+     * @return \SimpleSAML\Configuration  The metadata of the IdP.
      */
-    public function getIdPMetadata($entityId)
+    public function getIdPMetadata(string $entityId): Configuration
     {
-        assert(is_string($entityId));
-
-        $metadataHandler = SimpleSAML_Metadata_MetaDataStorageHandler::getMetadataHandler();
+        $metadataHandler = MetaDataStorageHandler::getMetadataHandler();
 
         try {
             return $metadataHandler->getMetaDataConfig($entityId, 'saml20-idp-remote');
         } catch (Exception $e) {
             /* Metadata wasn't found. */
-            SimpleSAML\Logger::debug('getIdpMetadata: ' . $e->getMessage());
+            Logger::debug('getIdpMetadata: ' . $e->getMessage());
         }
 
         /* Not found. */
-        throw new SimpleSAML_Error_Exception('Could not find the metadata of an IdP with entity ID ' .
-            var_export($entityId, true));
+        throw new Error\Exception(sprintf(
+            'Could not find the metadata of an IdP with entity ID %s',
+            var_export($entityId, true)
+        );
     }
 
+
     /**
      * Send a SAML2 SSO request to the SFO IdP.
      *
-     * @param SimpleSAML_Configuration $idpMetadata  The metadata of the IdP.
+     * @param \SimpleSAML\Configuration $idpMetadata  The metadata of the IdP.
      * @param \SAML2\XML\saml\NameID $nameid The unspecified NameID of the principal to perform SFO for.
      * @param string $relay  RelayState to pass
      */
-    private function startSFO(SimpleSAML_Configuration $idpMetadata, \SAML2\XML\saml\NameID $nameid, $relay)
+    private function startSFO(Configuration $idpMetadata, NameID $nameid, $relay): void
     {
-        $ar = sspmod_saml_Message::buildAuthnRequest($this->metadata, $idpMetadata);
+        $ar = Message::buildAuthnRequest($this->metadata, $idpMetadata);
 
-        $ar->setAssertionConsumerServiceURL(SimpleSAML\Module::getModuleURL('stepupsfo/acs.php'));
+        $ar->setAssertionConsumerServiceURL(Module::getModuleURL('stepupsfo/acs.php'));
 
         $ar->setNameId($nameid);
         $ar->setRelayState($relay);
 
-        SimpleSAML\Logger::debug('Sending SAML 2 SFO AuthnRequest for ' . $nameid->getValue() .  ' to ' .
+        Logger::debug('Sending SAML 2 SFO AuthnRequest for ' . $nameid->getValue() .  ' to ' .
             var_export($idpMetadata->getString('entityid'), true). ' with id ' . $ar->getId());
 
         $dst = $idpMetadata->getEndpointPrioritizedByBinding('SingleSignOnService',
-                [ \SAML2\Constants::BINDING_HTTP_REDIRECT ]
+                [C::BINDING_HTTP_REDIRECT]
             );
 
         $ar->setDestination($dst['Location']);
 
-        $b = \SAML2\Binding::getBinding($dst['Binding']);
+        $b = Binding::getBinding($dst['Binding']);
 
         $this->sendSAML2AuthnRequest($b, $ar);
 
         assert(false);
     }
 
+
     /**
      * Function to actually send the authentication request.
      *
@@ -133,7 +163,7 @@ private function startSFO(SimpleSAML_Configuration $idpMetadata, \SAML2\XML\saml
      * @param \SAML2\Binding $binding  The binding.
      * @param \SAML2\AuthnRequest  $ar  The authentication request.
      */
-    private function sendSAML2AuthnRequest(\SAML2\Binding $binding, \SAML2\AuthnRequest $ar)
+    private function sendSAML2AuthnRequest(Binding $binding, AuthnRequest $ar): void
     {
         $binding->send($ar);
         assert(false);
diff --git a/templates/handlestatus.php b/templates/handlestatus.php
diff --git a/www/acs.php b/www/acs.php
@@ -1,5 +1,6 @@
 <?php
-use \SimpleSAML_Configuration as Configuration;
+
+use \SimpleSAML\Configuration;
 
 /**
  * Receive an assertion from SFO
@@ -11,9 +12,9 @@ function handleStatusResponse($exception, $selfserviceurl)
 {
     // the status of the response wasn't "success"
     SimpleSAML\Logger::debug('SFO - status response received, showing error page.');
-    $config = SimpleSAML_Configuration::getInstance();
+    $config = SimpleSAML\Configuration::getInstance();
 
-    $t = new SimpleSAML_XHTML_Template($config, 'stepupsfo:handlestatus.php');
+    $t = new SimpleSAML\XHTML\Template($config, 'stepupsfo:handlestatus.php');
     $t->data['status'] = $exception->getStatus();
     $t->data['subStatus'] = $exception->getSubStatus();
     $t->data['statusMessage'] = $exception->getStatusMessage();
@@ -27,12 +28,12 @@ function handleStatusResponse($exception, $selfserviceurl)
 $b = \SAML2\Binding::getCurrentBinding();
 
 if (! $b instanceof \SAML2\HTTPPost) {
-    throw new SimpleSAML_Error_BadRequest('Only HTTP-POST binding supported for SFO.');
+    throw new SimpleSAML\Error\BadRequest('Only HTTP-POST binding supported for SFO.');
 }
 
 $response = $b->receive();
 if (!($response instanceof \SAML2\Response)) {
-    throw new SimpleSAML_Error_BadRequest('Invalid message received to SFO AssertionConsumerService endpoint.');
+    throw new SimpleSAML\Error\BadRequest('Invalid message received to SFO AssertionConsumerService endpoint.');
 }
 
 $issuer = $response->getIssuer();
@@ -43,38 +44,34 @@ function handleStatusResponse($exception, $selfserviceurl)
     ', InResponseTo = ' . var_export($inResponseTo,true));
 SimpleSAML\Logger::debug('SFO - received response; RelayState = ' . $relaystate);
 
-$prestate = SimpleSAML_Auth_State::loadState($relaystate, 'stepupsfo:pre');
+$prestate = SimpleSAML\Auth\State::loadState($relaystate, 'stepupsfo:pre');
 $spMetadata = $prestate['sfo:sp:metadata'];
 $idpEntityId = $prestate['sfo:idp:entityid'];
 
 // check that the issuer is the one we are expecting
 if ($idpEntityId !== $issuer) {
-    throw new SimpleSAML_Error_Exception(
+    throw new SimpleSAML\Error\Exception(
         'The issuer of the response does not match to the SFO identity provider ' .
         'we sent the request to.'
     );
 }
 
 // Look up metadata for the IdP
-$metadataHandler = SimpleSAML_Metadata_MetaDataStorageHandler::getMetadataHandler();
+$metadataHandler = SimpleSAML\Metadata\MetaDataStorageHandler::getMetadataHandler();
 try {
     $idpMetadata = $metadataHandler->getMetaDataConfig($idpEntityId, 'saml20-idp-remote');
 } catch (Exception $e) {
     /* Not found. */
-    throw new SimpleSAML_Error_Exception('Could not find the metadata of SFO IdP with entity ID ' .
+    throw new SimpleSAML\Error\Exception('Could not find the metadata of SFO IdP with entity ID ' .
         var_export($entityId, true));
 }
 
 // Validate the received response
 try {
-    $assertions = sspmod_saml_Message::processResponse($spMetadata, $idpMetadata, $response);
-} catch (sspmod_saml_Error $e) {
-    // the status of the response wasn't "success" (SSP < 1.17)
-    handleStatusResponse($e, $idpMetadata->getString('sfo:selfserviceUrl', ''));
+    $assertions = \SimpleSAML\Module\sam\Message::processResponse($spMetadata, $idpMetadata, $response);
 } catch (SimpleSAML\Module\saml\Error $e) {
-    // the status of the response wasn't "success" (SSP >= 1.17)
     handleStatusResponse($e, $idpMetadata->getString('sfo:selfserviceUrl', ''));
 }
 
 SimpleSAML\Logger::debug('SFO - successful response received, resume processing');
-SimpleSAML_Auth_ProcessingChain::resumeProcessing($prestate);
+SimpleSAML\Auth\ProcessingChain::resumeProcessing($prestate);
