Update php-saml library to 2.8.0

SAML-Toolkits · May 12, 2016 · 0ba6f71 · 0ba6f71
1 parent 139ce7a
commit 0ba6f71
Show file tree

Hide file tree

Showing 12 changed files with 444 additions and 329 deletions.
diff --git a/onelogin-saml-sso/php/extlib/xmlseclibs/xmlseclibs.php b/onelogin-saml-sso/php/extlib/xmlseclibs/xmlseclibs.php
diff --git a/onelogin-saml-sso/php/lib/Saml2/Auth.php b/onelogin-saml-sso/php/lib/Saml2/Auth.php
@@ -1,5 +1,5 @@
 <?php
- 
+
 /**
  * Main class of OneLogin's PHP Toolkit
  *
@@ -31,21 +31,21 @@ class OneLogin_Saml2_Auth
     /**
      * If user is authenticated.
      *
-     * @var boolean
+     * @var bool
      */
     private $_authenticated = false;
 
 
     /**
-     * SessionIndex. When the user is logged, this stored it 
+     * SessionIndex. When the user is logged, this stored it
      * from the AuthnStatement of the SAML Response
-     * 
+     *
      * @var string
      */
     private $_sessionIndex;
 
     /**
-     * SessionNotOnOrAfter. When the user is logged, this stored it 
+     * SessionNotOnOrAfter. When the user is logged, this stored it
      * from the AuthnStatement of the SAML Response
      *
      * @var DateTime
@@ -76,7 +76,7 @@ class OneLogin_Saml2_Auth
     /**
      * Initializes the SP SAML instance.
      *
-     * @param array|OneLogin_Saml_Settings $oldSettings Setting data. (OneLogin_Saml_Settings is the settings object of the old implementation)
+     * @param array|object|null $oldSettings Setting data (You can provide a OneLogin_Saml_Settings, the settings object of the Saml folder implementation)
      */
     public function __construct($oldSettings = null)
     {
@@ -86,7 +86,7 @@ public function __construct($oldSettings = null)
     /**
      * Returns the settings info
      *
-     * @return OneLogin_Saml2_Settings  The settings data.
+     * @return OneLogin_Saml2_Settings The settings data.
      */
     public function getSettings()
     {
@@ -96,7 +96,7 @@ public function getSettings()
     /**
      * Set the strict mode active/disable
      *
-     * @param boolean $value Strict parameter
+     * @param bool $value Strict parameter
      *
      * @return array The settings data.
      */
@@ -109,7 +109,9 @@ public function setStrict($value)
     /**
      * Process the SAML Response sent by the IdP.
      *
-     * @param string $requestId The ID of the AuthNRequest sent by this SP to the IdP
+     * @param string|null $requestId The ID of the AuthNRequest sent by this SP to the IdP
+     *
+     * @throws OneLogin_Saml2_Error
      */
     public function processResponse($requestId = null)
     {
@@ -140,13 +142,15 @@ public function processResponse($requestId = null)
     /**
      * Process the SAML Logout Response / Logout Request sent by the IdP.
      *
-     * @param boolean $keepLocalSession             When false will destroy the local session, otherwise will keep it
-     * @param string $requestId                     The ID of the LogoutRequest sent by this SP to the IdP
-     * @param bool $retrieveParametersFromServer
-     * @param callable $cbDeleteSession
-     * @param boolean $stay                         True if we want to stay (returns the url string) False to redirect
+     * @param bool        $keepLocalSession              When false will destroy the local session, otherwise will keep it
+     * @param string|null $requestId                     The ID of the LogoutRequest sent by this SP to the IdP
+     * @param bool        $retrieveParametersFromServer
+     * @param callable    $cbDeleteSession
+     * @param bool        $stay                          True if we want to stay (returns the url string) False to redirect
+     *
      * @return string|void
-     * @throws \OneLogin_Saml2_Error
+     *
+     * @throws OneLogin_Saml2_Error
      */
     public function processSLO($keepLocalSession = false, $requestId = null, $retrieveParametersFromServer = false, $cbDeleteSession = null, $stay=false)
     {
@@ -214,8 +218,9 @@ public function processSLO($keepLocalSession = false, $requestId = null, $retrie
      *
      * @param string $url        The target URL to redirect the user.
      * @param array  $parameters Extra parameters to be passed as part of the url
+     * @param bool   $stay       True if we want to stay (returns the url string) False to redirect
      */
-    public function redirectTo($url = '', $parameters = array())
+    public function redirectTo($url = '', $parameters = array(), $stay = false)
     {
         assert('is_string($url)');
         assert('is_array($parameters)');
@@ -224,13 +229,13 @@ public function redirectTo($url = '', $parameters = array())
             $url = $_REQUEST['RelayState'];
         }
 
-        return OneLogin_Saml2_Utils::redirect($url, $parameters);
+        return OneLogin_Saml2_Utils::redirect($url, $parameters, $stay);
     }
 
     /**
      * Checks if the user is authenticated or not.
      *
-     * @return boolean  True if the user is authenticated
+     * @return bool  True if the user is authenticated
      */
     public function isAuthenticated()
     {
@@ -260,7 +265,7 @@ public function getNameId()
     /**
      * Returns the SessionIndex
      *
-     * @return string  The SessionIndex of the assertion
+     * @return string|null  The SessionIndex of the assertion
      */
     public function getSessionIndex()
     {
@@ -302,7 +307,7 @@ public function getLastErrorReason()
      *
      * @param string $name The requested attribute of the user.
      *
-     * @return NULL || array Requested SAML attribute ($name).
+     * @return array|null Requested SAML attribute ($name).
      */
     public function getAttribute($name)
     {
@@ -318,19 +323,20 @@ public function getAttribute($name)
     /**
      * Initiates the SSO process.
      *
-     * @param string  $returnTo      The target URL the user should be returned to after login.
-     * @param array   $parameters    Extra parameters to be added to the GET
-     * @param bool    $forceAuthn    When true the AuthNReuqest will set the ForceAuthn='true'
-     * @param bool    $isPassive     When true the AuthNReuqest will set the Ispassive='true'
-     * @param boolean $stay          True if we want to stay (returns the url string) False to redirect
+     * @param string|null $returnTo        The target URL the user should be returned to after login.
+     * @param array       $parameters      Extra parameters to be added to the GET
+     * @param bool        $forceAuthn      When true the AuthNReuqest will set the ForceAuthn='true'
+     * @param bool        $isPassive       When true the AuthNReuqest will set the Ispassive='true'
+     * @param bool        $stay            True if we want to stay (returns the url string) False to redirect
+     * @param bool        $setNameIdPolicy When true the AuthNReuqest will set a nameIdPolicy element
      *
      * @return If $stay is True, it return a string with the SLO URL + LogoutRequest + parameters
      */
-    public function login($returnTo = null, $parameters = array(), $forceAuthn = false, $isPassive = false, $stay=false)
+    public function login($returnTo = null, $parameters = array(), $forceAuthn = false, $isPassive = false, $stay=false, $setNameIdPolicy = true)
     {
         assert('is_array($parameters)');
 
-        $authnRequest = new OneLogin_Saml2_AuthnRequest($this->_settings, $forceAuthn, $isPassive);
+        $authnRequest = new OneLogin_Saml2_AuthnRequest($this->_settings, $forceAuthn, $isPassive, $setNameIdPolicy);
 
         $this->_lastRequestID = $authnRequest->getId();
 
@@ -355,13 +361,15 @@ public function login($returnTo = null, $parameters = array(), $forceAuthn = fal
     /**
      * Initiates the SLO process.
      *
-     * @param string  $returnTo      The target URL the user should be returned to after logout.
-     * @param array   $parameters    Extra parameters to be added to the GET
-     * @param string  $nameId        The NameID that will be set in the LogoutRequest.
-     * @param string  $sessionIndex  The SessionIndex (taken from the SAML Response in the SSO process).
-     * @param boolean $stay          True if we want to stay (returns the url string) False to redirect
+     * @param string|null $returnTo      The target URL the user should be returned to after logout.
+     * @param array       $parameters    Extra parameters to be added to the GET
+     * @param string|null $nameId        The NameID that will be set in the LogoutRequest.
+     * @param string|null $sessionIndex  The SessionIndex (taken from the SAML Response in the SSO process).
+     * @param bool        $stay          True if we want to stay (returns the url string) False to redirect
      *
      * @return If $stay is True, it return a string with the SLO URL + LogoutRequest + parameters
+     *
+     * @throws OneLogin_Saml2_Error
      */
     public function logout($returnTo = null, $parameters = array(), $nameId = null, $sessionIndex = null, $stay=false)
     {
@@ -435,7 +443,7 @@ public function getSLOurl()
      */
     public function getLastRequestID()
     {
-        return $_lastRequestID;
+        return $this->_lastRequestID;
     }
 
     /**
@@ -446,6 +454,9 @@ public function getLastRequestID()
      * @param string $signAlgorithm Signature algorithm method
      *
      * @return string A base64 encoded signature
+     *
+     * @throws Exception
+     * @throws OneLogin_Saml2_Error
      */
     public function buildRequestSignature($samlRequest, $relayState, $signAlgorithm = XMLSecurityKey::RSA_SHA1)
     {
@@ -471,11 +482,14 @@ public function buildRequestSignature($samlRequest, $relayState, $signAlgorithm
     /**
      * Generates the Signature for a SAML Response
      *
-     * @param string $samlResponse   The SAML Response
-     * @param string $relayState     The RelayState
+     * @param string $samlResponse  The SAML Response
+     * @param string $relayState    The RelayState
      * @param string $signAlgorithm Signature algorithm method
      *
-     * @return string A base64 encoded signature 
+     * @return string A base64 encoded signature
+     *
+     * @throws Exception
+     * @throws OneLogin_Saml2_Error
      */
     public function buildResponseSignature($samlResponse, $relayState, $signAlgorithm = XMLSecurityKey::RSA_SHA1)
     {

diff --git a/onelogin-saml-sso/php/lib/Saml2/AuthnRequest.php b/onelogin-saml-sso/php/lib/Saml2/AuthnRequest.php
@@ -29,10 +29,11 @@ class OneLogin_Saml2_AuthnRequest
      * Constructs the AuthnRequest object.
      *
      * @param OneLogin_Saml2_Settings $settings Settings
-     * @param bool   $forceAuthn When true the AuthNReuqest will set the ForceAuthn='true'
-     * @param bool   $isPassive  When true the AuthNReuqest will set the Ispassive='true'
+     * @param bool   $forceAuthn      When true the AuthNReuqest will set the ForceAuthn='true'
+     * @param bool   $isPassive       When true the AuthNReuqest will set the Ispassive='true'
+     * @param bool   $setNameIdPolicy When true the AuthNReuqest will set a nameIdPolicy
      */
-    public function __construct(OneLogin_Saml2_Settings $settings, $forceAuthn = false, $isPassive = false)
+    public function __construct(OneLogin_Saml2_Settings $settings, $forceAuthn = false, $isPassive = false, $setNameIdPolicy = true)
     {
         $this->_settings = $settings;
 
@@ -43,11 +44,21 @@ public function __construct(OneLogin_Saml2_Settings $settings, $forceAuthn = fal
         $id = OneLogin_Saml2_Utils::generateUniqueID();
         $issueInstant = OneLogin_Saml2_Utils::parseTime2SAML(time());
 
-        $nameIDPolicyFormat = $spData['NameIDFormat'];
-        if (isset($security['wantNameIdEncrypted']) && $security['wantNameIdEncrypted']) {
-            $nameIDPolicyFormat = OneLogin_Saml2_Constants::NAMEID_ENCRYPTED;
+        $nameIdPolicyStr = '';
+        if ($setNameIdPolicy) {
+            $nameIDPolicyFormat = $spData['NameIDFormat'];
+            if (isset($security['wantNameIdEncrypted']) && $security['wantNameIdEncrypted']) {
+                $nameIDPolicyFormat = OneLogin_Saml2_Constants::NAMEID_ENCRYPTED;
+            }
+
+            $nameIdPolicyStr = <<<NAMEIDPOLICY
+    <samlp:NameIDPolicy
+        Format="{$nameIDPolicyFormat}"
+        AllowCreate="true" />
+NAMEIDPOLICY;
         }
 
+
         $providerNameStr = '';
         $organizationData = $settings->getOrganization();
         if (!empty($organizationData)) {
@@ -115,9 +126,7 @@ public function __construct(OneLogin_Saml2_Settings $settings, $forceAuthn = fal
     ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
     AssertionConsumerServiceURL="{$spData['assertionConsumerService']['url']}">
     <saml:Issuer>{$spData['entityId']}</saml:Issuer>
-    <samlp:NameIDPolicy
-        Format="{$nameIDPolicyFormat}"
-        AllowCreate="true" />
+{$nameIdPolicyStr}
 {$requestedAuthnStr}
 </samlp:AuthnRequest>
 AUTHNREQUEST;

diff --git a/onelogin-saml-sso/php/lib/Saml2/Constants.php b/onelogin-saml-sso/php/lib/Saml2/Constants.php
@@ -46,9 +46,12 @@ class OneLogin_Saml2_Constants
     // Auth Context Class
     const AC_UNSPECIFIED = 'urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified';
     const AC_PASSWORD = 'urn:oasis:names:tc:SAML:2.0:ac:classes:Password';
+    const AC_PASSWORD_PROTECTED = 'urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport';
     const AC_X509 = 'urn:oasis:names:tc:SAML:2.0:ac:classes:X509';
     const AC_SMARTCARD = 'urn:oasis:names:tc:SAML:2.0:ac:classes:Smartcard';
     const AC_KERBEROS = 'urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos';
+    const AC_WINDOWS = 'urn:federation:authentication:windows';
+    const AC_TLS = 'urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient';
 
     // Subject Confirmation
     const CM_BEARER = 'urn:oasis:names:tc:SAML:2.0:cm:bearer';

diff --git a/onelogin-saml-sso/php/lib/Saml2/Error.php b/onelogin-saml-sso/php/lib/Saml2/Error.php
@@ -25,9 +25,9 @@ class OneLogin_Saml2_Error extends Exception
     /**
      * Constructor
      *
-        * @param string  $msg  Describes the error.
-        * @param integer $code The code error (defined in the error class).
-        * @param array   $args Arguments used in the message that describes the error.
+     * @param string     $msg  Describes the error.
+     * @param int        $code The code error (defined in the error class).
+     * @param array|null $args Arguments used in the message that describes the error.
      */
     public function __construct($msg, $code = 0, $args = null)
     {

diff --git a/onelogin-saml-sso/php/lib/Saml2/LogoutRequest.php b/onelogin-saml-sso/php/lib/Saml2/LogoutRequest.php
@@ -35,12 +35,11 @@ class OneLogin_Saml2_LogoutRequest
      * Constructs the Logout Request object.
      *
      * @param OneLogin_Saml2_Settings $settings Settings
-     * @param string                  $response A UUEncoded Logout Request.
-     * @param string                  $nameId   The NameID that will be set in the LogoutRequest.
-     * @param string                  $session  The SessionIndex (taken from the SAML Response in the SSO process).
-     *
+     * @param string|null             $request A UUEncoded Logout Request.
+     * @param string|null             $nameId   The NameID that will be set in the LogoutRequest.
+     * @param string|null             $sessionIndex  The SessionIndex (taken from the SAML Response in the SSO process).
      */
-    public function __construct(OneLogin_Saml2_Settings $settings, $request = null, $nameId = null,$sessionIndex = null)
+    public function __construct(OneLogin_Saml2_Settings $settings, $request = null, $nameId = null, $sessionIndex = null)
     {
 
         $this->_settings = $settings;
@@ -143,9 +142,11 @@ public static function getID($request)
      * Gets the NameID Data of the the Logout Request.
      *
      * @param string|DOMDocument $request Logout Request Message
-     * @param string             $key     The SP key
+     * @param string|null        $key     The SP key
      *     
      * @return array Name ID Data (Value, Format, NameQualifier, SPNameQualifier)
+     *
+     * @throws Exception
      */
     public static function getNameIdData($request, $key = null)
     {
@@ -197,7 +198,7 @@ public static function getNameIdData($request, $key = null)
      * Gets the NameID of the Logout Request.
      *
      * @param string|DOMDocument $request Logout Request Message
-     * @param string             $key     The SP key     
+     * @param string|null        $key     The SP key
      *
      * @return string Name ID Value
      */
@@ -261,7 +262,7 @@ public static function getSessionIndexes($request)
     /**
      * Checks if the Logout Request recieved is valid.
      *
-     * @return boolean If the Logout Request is or not valid
+     * @return bool If the Logout Request is or not valid
      */
     public function isValid($retrieveParametersFromServer=false)
     {

diff --git a/onelogin-saml-sso/php/lib/Saml2/LogoutResponse.php b/onelogin-saml-sso/php/lib/Saml2/LogoutResponse.php
@@ -87,10 +87,12 @@ public function getStatus()
     /**
      * Determines if the SAML LogoutResponse is valid
      *
-     * @param string $requestId The ID of the LogoutRequest sent by this SP to the IdP
+     * @param string|null $requestId The ID of the LogoutRequest sent by this SP to the IdP
+     * @param bool $retrieveParametersFromServer
      *
-     * @throws Exception
      * @return bool Returns if the SAML LogoutResponse is or not valid
+     *
+     * @throws Exception
      */
     public function isValid($requestId = null, $retrieveParametersFromServer=false)
     {