Add support for hashing unique part of subject-id (#2006)

tvdijen · web-flow · commit a3275b3eb73e · 2024-04-20T17:00:58.000+02:00
* Add support for hashing unique part of subject-id

* Add unit test

* Update docs
diff --git a/modules/saml/docs/authproc_subjectid.md b/modules/saml/docs/authproc_subjectid.md
@@ -10,8 +10,11 @@ This filter will take an attribute and a scope as input and transforms this
 into a scoped identifier that is globally unique for a given user.
 
 **Note**
-If privacy is of your concern, you may want to use the PairwiseID-filter
-instead.
+If privacy is of your concern, you may want to hash the unique part of the subject-id. Hashing also ensures
+that the output is compliant with the specification. If you do not want to hash the unique part, you _have_
+to ensure that the `identifyingAttribute` always contains a value that is in line with the specification!
+
+If you are also worried about correlation of IDs between diffent SP's, use the PairwiseID-filter instead.
 
 **Note**
 Since the subject-id is specified as single-value attribute, only the first
@@ -26,6 +29,7 @@ Examples
             'class' => 'saml:SubjectID',
             'identifyingAttribute' => 'uid',
             'scopeAttribute' => 'scope',
+            'hashed' => true,
         ],
     ],
 ```
diff --git a/modules/saml/src/Auth/Process/PairwiseID.php b/modules/saml/src/Auth/Process/PairwiseID.php
@@ -4,10 +4,8 @@
 
 namespace SimpleSAML\Module\saml\Auth\Process;
 
-use SimpleSAML\{Auth, Utils};
 use SimpleSAML\SAML2\Constants as C;
 
-use function hash_hmac;
 use function strtolower;
 
 /**
@@ -44,11 +42,6 @@ class PairwiseID extends SubjectID
      */
     public const NAME = 'PairwiseID';
 
-    /**
-     * @var \SimpleSAML\Utils\Config
-     */
-    protected Utils\Config $configUtils;
-
 
     /**
      * Initialize this filter.
@@ -59,8 +52,6 @@ class PairwiseID extends SubjectID
     public function __construct(array &$config, $reserved)
     {
         parent::__construct($config, $reserved);
-
-        $this->configUtils = new Utils\Config();
     }
 
 
@@ -87,23 +78,11 @@ public function process(array &$state): void
         }
 
         // Calculate hash
-        $salt = $this->configUtils->getSecretSalt();
-        $hash = hash_hmac('sha256', $userID . '|' . $sp_entityid, $salt, false);
+        $hash = $this->calculateHash($userID . '|' . $sp_entityid);
 
-        $value = $hash . '@' . strtolower($scope);
+        $value = strtolower($hash . '@' . $scope);
         $this->validateGeneratedIdentifier($value);
 
         $state['Attributes'][C::ATTR_PAIRWISE_ID] = [$value];
     }
-
-
-    /**
-     * Inject the \SimpleSAML\Utils\Config dependency.
-     *
-     * @param \SimpleSAML\Utils\Config $configUtils
-     */
-    public function setConfigUtils(Utils\Config $configUtils): void
-    {
-        $this->configUtils = $configUtils;
-    }
 }
diff --git a/modules/saml/src/Auth/Process/SubjectID.php b/modules/saml/src/Auth/Process/SubjectID.php
@@ -4,13 +4,14 @@
 
 namespace SimpleSAML\Module\saml\Auth\Process;
 
-use SimpleSAML\{Auth, Logger};
+use SimpleSAML\{Auth, Logger, Utils};
 use SimpleSAML\Assert\Assert;
 use SimpleSAML\SAML2\Constants as C;
 use SimpleSAML\SAML2\Exception\ProtocolViolationException;
 
 use function array_key_exists;
 use function explode;
+use function hash_hmac;
 use function preg_match;
 use function strpos;
 use function strtolower;
@@ -85,6 +86,18 @@ class SubjectID extends Auth\ProcessingFilter
      */
     protected string $scopeAttribute;
 
+    /**
+     * Whether the unique part of the subject id must be hashed
+     *
+     * @var bool
+     */
+    private bool $hashed = false;
+
+    /**
+     * @var \SimpleSAML\Utils\Config
+     */
+    protected Utils\Config $configUtils;
+
     /**
      * @var \SimpleSAML\Logger|string
      * @psalm-var \SimpleSAML\Logger|class-string
@@ -109,6 +122,13 @@ public function __construct(array &$config, $reserved)
 
         $this->identifyingAttribute = $config['identifyingAttribute'];
         $this->scopeAttribute = $config['scopeAttribute'];
+
+        if (array_key_exists('hashed', $config)) {
+            Assert::boolean($config['hashed']);
+            $this->hashed = $config['hashed'];
+        }
+
+        $this->configUtils = new Utils\Config();
     }
 
 
@@ -127,7 +147,12 @@ public function process(array &$state): void
             return;
         }
 
-        $value = strtolower($userID . '@' . $scope);
+        if ($this->hashed === true) {
+            $value = strtolower($this->calculateHash($userID) . '@' . $scope);
+        } else {
+            $value = strtolower($userID . '@' . $scope);
+        }
+
         $this->validateGeneratedIdentifier($value);
 
         $state['Attributes'][C::ATTR_SUBJECT_ID] = [$value];
@@ -232,6 +257,16 @@ protected function validateGeneratedIdentifier(string $value): void
     }
 
 
+    /**
+     * Calculate the hash for the unique part of the identifier.
+     */
+    protected function calculateHash(string $input): string
+    {
+        $salt = $this->configUtils->getSecretSalt();
+        return hash_hmac('sha256', $input, $salt, false);
+    }
+
+
     /**
      * Inject the \SimpleSAML\Logger dependency.
      *
@@ -241,4 +276,15 @@ public function setLogger(Logger $logger): void
     {
         $this->logger = $logger;
     }
+
+
+    /**
+     * Inject the \SimpleSAML\Utils\Config dependency.
+     *
+     * @param \SimpleSAML\Utils\Config $configUtils
+     */
+    public function setConfigUtils(Utils\Config $configUtils): void
+    {
+        $this->configUtils = $configUtils;
+    }
 }
diff --git a/tests/modules/saml/src/Auth/Process/SubjectIDTest.php b/tests/modules/saml/src/Auth/Process/SubjectIDTest.php
@@ -21,6 +21,9 @@ class SubjectIDTest extends TestCase
     /** @var \SimpleSAML\Configuration */
     protected Configuration $config;
 
+    /** @var \SimpleSAML\Utils\Config */
+    protected static Utils\Config $configUtils;
+
     /** @var \SimpleSAML\Logger */
     protected static Logger $logger;
 
@@ -32,6 +35,14 @@ protected function setUp(): void
     {
         parent::setUp();
 
+        self::$configUtils = new class () extends Utils\Config {
+            public function getSecretSalt(): string
+            {
+                // stub
+                return 'secretsalt';
+            }
+        };
+
         self::$logger = new class () extends Logger {
             public static function warning(string $string): void
             {
@@ -52,8 +63,10 @@ public static function warning(string $string): void
     private static function processFilter(array $config, array $request): array
     {
         $filter = new SubjectID($config, null);
+        $filter->setConfigUtils(self::$configUtils);
         $filter->setLogger(self::$logger);
         $filter->process($request);
+
         return $request;
     }
 
@@ -78,6 +91,29 @@ public function testBasic(): void
     }
 
 
+    /**
+     * Test the most basic functionality with hash
+     */
+    public function testBasicWithHash(): void
+    {
+        $config = ['identifyingAttribute' => 'uid', 'scopeAttribute' => 'scope', 'hashed' => true];
+        $request = [
+            'Attributes' => ['uid' => ['u=se-r2'], 'scope' => ['ex-ample.org']],
+        ];
+        $result = self::processFilter($config, $request);
+        $attributes = $result['Attributes'];
+        $this->assertArrayHasKey(C::ATTR_SUBJECT_ID, $attributes);
+        $this->assertMatchesRegularExpression(
+            SubjectID::SPEC_PATTERN,
+            $attributes[C::ATTR_SUBJECT_ID][0]
+        );
+        $this->assertEquals(
+            '42738d01c2a66c449d010962e79da27c608c5244fd9ec311ed7c013517abf7ee@ex-ample.org',
+            $attributes[C::ATTR_SUBJECT_ID][0],
+        );
+    }
+
+
     /**
      * Test the most basic functionality, but with a scoped scope-attribute
      */
