Allow specifying a default AuthnContext for the default source

tvdijen · tvdijen · commit 077d5dc99325 · 2023-05-01T21:06:35.000+02:00
diff --git a/docs/simplesamlphp-changelog.md b/docs/simplesamlphp-changelog.md
@@ -13,6 +13,7 @@ Released TBD
 * The zone that was selected by the SourceIPSelector is now available in the state.
 * The defaultSource for the SourceIPSelector can now be set to `null`. If none of the zones
   are matched, a NotFound exception will be thrown.
+* It is now possible to set a default AuthnContext in the RequestedAuthnContextSelector.
 
 ## Version 2.0.3
 
diff --git a/modules/core/docs/authsource_selector.md b/modules/core/docs/authsource_selector.md
@@ -53,7 +53,7 @@ An example configuration would look like this:
 The RequestedAuthnContextSelector is an implementation of the `AbstractSourceSelector` that
 uses the RequestedAuthnContext to decide what Authentication Source is called.
 It works by defining AuthnContexts with their corresponding Authentication
-Sources. The 'default' will be used as a fallback when no RequestedAuthnContext
+Sources. The 'default' key will be used as a default when no RequestedAuthnContext
 is passed in the request.
 
 An example configuration would look like this:
@@ -63,17 +63,20 @@ An example configuration would look like this:
         'core:RequestedAuthnContextSelector',
 
         'contexts' => [
-            'userpass' => [
+            10 => [
                 'identifier' => 'urn:x-simplesamlphp:loa1',
                 'source' => 'ldap',
             ],
 
-            'mfa' => [
+            20 => [
                 'identifier' => 'urn:x-simplesamlphp:loa2',
                 'source' => 'radius',
             ],
 
-            'default' => 'ldap',
+            'default' => [
+                'identifier' => 'urn:x-simplesamlphp:loa0',
+                'source' => 'sql',
+            ],
         ],
     ],
 ```
diff --git a/modules/core/src/Auth/Source/RequestedAuthnContextSelector.php b/modules/core/src/Auth/Source/RequestedAuthnContextSelector.php
@@ -35,24 +35,26 @@ class RequestedAuthnContextSelector extends AbstractSourceSelector
      */
     public const SOURCESID = '\SimpleSAML\Module\core\Auth\Source\RequestedAuthnContextSelector.SourceId';
 
+
     /**
      * @var string  The default authentication source to use when no RequestedAuthnContext is passed
      * @psalm-suppress PropertyNotSetInConstructor
      */
     protected string $defaultSource;
 
     /**
-     * @var array<int, array>  An array of AuthnContexts, indexed by its weight (higher = better).
+     * @var array<int, array>  An array of AuthnContexts, indexed by a numeric key.
      *   Each entry is in the format of:
-     *   `weight` => [`identifier` => 'identifier', `source` => 'source']
+     *   `loa` => [`identifier` => 'identifier', `source` => 'source']
      *
      *   i.e.:
      *
-     *   '10' => [
+     *   10 => [
      *       'identifier' => 'urn:x-simplesamlphp:loa1',
      *       'source' => 'exampleauth',
      *   ],
-     *   '20' => [
+     *
+     *   20 => [
      *       'identifier' => 'urn:x-simplesamlphp:loa2',
      *       'source' => 'exampleauth-mfa',
      *   ]
@@ -73,19 +75,25 @@ public function __construct(array $info, array $config)
 
         Assert::keyExists($config, 'contexts');
         Assert::keyExists($config['contexts'], 'default');
-        Assert::stringNotEmpty($config['contexts']['default']);
-        $this->defaultSource = $config['contexts']['default'];
-        unset($config['contexts']['default']);
+
+        if (!is_array($config['contexts']['default'])) {
+            Assert::stringNotEmpty($config['contexts']['default']);
+            $this->defaultSource = $config['contexts']['default'];
+            unset($config['contexts']['default']);
+        }
 
         foreach ($config['contexts'] as $key => $context) {
-            Assert::natural($key);
+            ($key !== 'default') && Assert::natural($key);
+
             if (!array_key_exists('identifier', $context)) {
                 throw new Exception(sprintf("Incomplete context '%d' due to missing `identifier` key.", $key));
             } elseif (!array_key_exists('source', $context)) {
                 throw new Exception(sprintf("Incomplete context '%d' due to missing `source` key.", $key));
-            } else {
-                $this->contexts[$key] = $context;
             }
+
+            Assert::stringNotEmpty($context['identifier']);
+            Assert::stringNotEmpty($context['source']);
+            $this->contexts[$key] = $context;
         }
     }
 
@@ -103,6 +111,12 @@ protected function selectAuthSource(array &$state): string
             Logger::info(
                 "core:RequestedAuthnContextSelector:  no RequestedAuthnContext provided; selecting default authsource"
             );
+
+            if (array_key_exists('default', $this->contexts)) {
+                $state['saml:AuthnContextClassRef'] = $this->contexts['default']['identifier'];
+                return $this->contexts['default']['source'];
+            }
+
             return $this->defaultSource;
         }
 
diff --git a/tests/modules/core/src/Auth/Source/RequestedAuthnContextSelectorTest.php b/tests/modules/core/src/Auth/Source/RequestedAuthnContextSelectorTest.php
@@ -162,6 +162,62 @@ public static function doAuthentication(Auth\Source $as, array $state): void
     }
 
 
+    /**
+     * Array-syntax
+     */
+    public function testArraySyntaxWorks(): void
+    {
+        $sourceConfig = Configuration::loadFromArray([
+            'selector' => [
+                'core:RequestedAuthnContextSelector',
+
+                'contexts' => [
+                    20 => [
+                        'identifier' => 'urn:x-simplesamlphp:loa2',
+                        'source' => 'loa2',
+                    ],
+                    'default' => [
+                        'identifier' => 'urn:x-simplesamlphp:loa1',
+                        'source' => 'loa1',
+                    ],
+                ],
+            ],
+
+            'loa1' => [
+                'core:AdminPassword',
+            ],
+        ]);
+
+        Configuration::setPreLoadedConfig($sourceConfig, 'authsources.php');
+
+        $info = ['AuthId' => 'selector'];
+        $config = $sourceConfig->getArray('selector');
+
+        $selector = new class ($info, $config) extends RequestedAuthnContextSelector {
+            /**
+             * @param \SimpleSAML\Auth\Source $as
+             * @param array $state
+             * @return void
+             */
+            public static function doAuthentication(Auth\Source $as, array $state): void
+            {
+                // Dummy
+            }
+        };
+
+        $state = [
+            'saml:RequestedAuthnContext' => [
+                'AuthnContextClassRef' => ['urn:x-simplesamlphp:loa1'],
+                'Comparison' => 'exact',
+            ],
+        ];
+
+        $selector->authenticate($state);
+        $this->assertArrayHasKey('saml:AuthnContextClassRef', $state);
+        $this->assertEquals('urn:x-simplesamlphp:loa1', $state['saml:AuthnContextClassRef']);
+    }
+
+
     /**
      * Missing source
      */
