11<?php
2+
3+
24/**
35 * Consent Authentication Processing filter
46 *
911 */
1012class sspmod_consent_Auth_Process_Consent extends SimpleSAML_Auth_ProcessingFilter
1113{
14+
1215 /**
1316 * Button to receive focus
1417 *
@@ -58,13 +61,16 @@ class sspmod_consent_Auth_Process_Consent extends SimpleSAML_Auth_ProcessingFilt
5861 */
5962 private $ _showNoConsentAboutServicetrue ;
6063
64+
6165 /**
62- * Initialize consent filter
66+ * Initialize consent filter.
67+ *
68+ * Validates and parses the configuration.
6369 *
64- * Validates and parses the configuration
70+ * @param array $config Configuration information.
71+ * @param mixed $reserved For future use.
6572 *
66- * @param array $config Configuration information
67- * @param mixed $reserved For future use
73+ * @throws SimpleSAML_Error_Exception if the configuration is not valid.
6874 */
6975 public function __construct ($ config$ reserved
7076 {
@@ -74,8 +80,8 @@ public function __construct($config, $reserved)
7480 if (array_key_exists ('includeValues ' , $ config
7581 if (!is_bool ($ config'includeValues ' ])) {
7682 throw new SimpleSAML_Error_Exception (
77- 'Consent: includeValues must be boolean. ' .
78- var_export ($ config'includeValues ' ], true ) . ' given. '
83+ 'Consent: includeValues must be boolean. ' .
84+ var_export ($ config'includeValues ' ], true ). ' given. '
7985 );
8086 }
8187 $ this _includeValues = $ config'includeValues ' ];
@@ -84,8 +90,8 @@ public function __construct($config, $reserved)
8490 if (array_key_exists ('checked ' , $ config
8591 if (!is_bool ($ config'checked ' ])) {
8692 throw new SimpleSAML_Error_Exception (
87- 'Consent: checked must be boolean. ' .
88- var_export ($ config'checked ' ], true ) . ' given. '
93+ 'Consent: checked must be boolean. ' .
94+ var_export ($ config'checked ' ], true ). ' given. '
8995 );
9096 }
9197 $ this _checked = $ config'checked ' ];
@@ -94,8 +100,8 @@ public function __construct($config, $reserved)
94100 if (array_key_exists ('focus ' , $ config
95101 if (!in_array ($ config'focus ' ], array ('yes ' , 'no ' ), true )) {
96102 throw new SimpleSAML_Error_Exception (
97- 'Consent: focus must be a string with values `yes` or `no`. ' .
98- var_export ($ config'focus ' ], true ) . ' given. '
103+ 'Consent: focus must be a string with values `yes` or `no`. ' .
104+ var_export ($ config'focus ' ], true ). ' given. '
99105 );
100106 }
101107 $ this _focus = $ config'focus ' ];
@@ -104,8 +110,8 @@ public function __construct($config, $reserved)
104110 if (array_key_exists ('hiddenAttributes ' , $ config
105111 if (!is_array ($ config'hiddenAttributes ' ])) {
106112 throw new SimpleSAML_Error_Exception (
107- 'Consent: hiddenAttributes must be an array. ' .
108- var_export ($ config'hiddenAttributes ' ], true ) . ' given. '
113+ 'Consent: hiddenAttributes must be an array. ' .
114+ var_export ($ config'hiddenAttributes ' ], true ). ' given. '
109115 );
110116 }
111117 $ this _hiddenAttributes = $ config'hiddenAttributes ' ];
@@ -114,41 +120,43 @@ public function __construct($config, $reserved)
114120 if (array_key_exists ('noconsentattributes ' , $ config
115121 if (!is_array ($ config'noconsentattributes ' ])) {
116122 throw new SimpleSAML_Error_Exception (
117- 'Consent: noconsentattributes must be an array. ' .
118- var_export ($ config'noconsentattributes ' ], true ) . ' given. '
123+ 'Consent: noconsentattributes must be an array. ' .
124+ var_export ($ config'noconsentattributes ' ], true ). ' given. '
119125 );
120126 }
121127 $ this _noconsentattributes = $ config'noconsentattributes ' ];
122128 }
123-
129+
124130 if (array_key_exists ('store ' , $ config
125131 try {
126132 $ this _store = sspmod_consent_Store::parseStoreConfig ($ config'store ' ]);
127- } catch (Exception $ e
133+ } catch (Exception $ e
128134 SimpleSAML \Logger::error (
129- 'Consent: Could not create consent storage: ' .
135+ 'Consent: Could not create consent storage: ' .
130136 $ egetMessage ()
131137 );
132138 }
133- }
139+ }
134140
135141 if (array_key_exists ('showNoConsentAboutService ' , $ config
136142 if (!is_bool ($ config'showNoConsentAboutService ' ])) {
137143 throw new SimpleSAML_Error_Exception ('Consent: showNoConsentAboutService must be a boolean. ' );
138144 }
139145 $ this _showNoConsentAboutService = $ config'showNoConsentAboutService ' ];
140146 }
141-
142147 }
143148
149+
144150 /**
145151 * Helper function to check whether consent is disabled.
146152 *
147- * @param mixed $option The consent.disable option. Either an array of array, an array or a boolean.
148- * @param string $entityIdD The entityID of the SP/IdP.
149- * @return boolean TRUE if disabled, FALSE if not.
153+ * @param mixed $option The consent.disable option. Either an array of array, an array or a boolean.
154+ * @param string $entityId The entityID of the SP/IdP.
155+ *
156+ * @return boolean True if disabled, false if not.
150157 */
151- private static function checkDisable ($ option$ entityId
158+ private static function checkDisable ($ option$ entityId
159+ {
152160 if (is_array ($ option
153161 // Check if consent.disable array has one element that is an array
154162 if (count ($ optioncount ($ optionCOUNT_RECURSIVE )) {
@@ -160,7 +168,7 @@ private static function checkDisable($option, $entityId) {
160168 if (in_array ($ entityId$ optiontrue )) {
161169 return true ;
162170 }
163-
171+
164172 // Search in multidimensional arrays
165173 foreach ($ optionas $ optionToTest
166174 if (!is_array ($ optionToTest
@@ -182,41 +190,39 @@ private static function checkDisable($option, $entityId) {
182190 if (preg_match ($ optionToTest'pattern ' ], $ entityId1 ) {
183191 return true ;
184192 }
185-
186193 } else {
187194 // option type is not supported
188195 continue ;
189196 }
190-
191197 } // end foreach
192198
193199 // Base case : no match
194200 return false ;
195-
196201 } else {
197- return (boolean )$ option
202+ return (boolean ) $ option
198203 }
199204 }
200205
206+
201207 /**
202208 * Process a authentication response
203209 *
204- * This function saves the state, and redirects the user to the page where
205- * the user can authorize the release of the attributes.
206- * If storage is used and the consent has already been given the user is
207- * passed on.
210+ * This function saves the state, and redirects the user to the page where the user can authorize the release of
211+ * the attributes. If storage is used and the consent has already been given the user is passed on.
208212 *
209213 * @param array &$state The state of the response.
210214 *
211215 * @return void
216+ *
217+ * @throws SimpleSAML_Error_NoPassive if the request was passive and consent is needed.
212218 */
213219 public function process (&$ state
214220 {
215221 assert ('is_array($state) ' );
216222 assert ('array_key_exists("UserID", $state) ' );
217223 assert ('array_key_exists("Destination", $state) ' );
218224 assert ('array_key_exists("entityid", $state["Destination"]) ' );
219- assert ('array_key_exists("metadata-set", $state["Destination"]) ' );
225+ assert ('array_key_exists("metadata-set", $state["Destination"]) ' );
220226 assert ('array_key_exists("entityid", $state["Source"]) ' );
221227 assert ('array_key_exists("metadata-set", $state["Source"]) ' );
222228
@@ -233,48 +239,51 @@ public function process(&$state)
233239 */
234240 if (isset ($ state'saml:sp:IdP ' ])) {
235241 $ idpEntityId$ state'saml:sp:IdP ' ];
236- $ idpmeta = $ metadatagetMetaData ($ idpEntityId'saml20-idp-remote ' );
242+ $ idpmeta$ metadatagetMetaData ($ idpEntityId'saml20-idp-remote ' );
237243 $ state'Source ' ] = $ idpmeta
238244 }
239245
240246 $ statsDataarray ('spEntityID ' => $ spEntityId
241247
242248 // Do not use consent if disabled
243- if (isset ($ state'Source ' ]['consent.disable ' ]) && self ::checkDisable ($ state'Source ' ]['consent.disable ' ], $ spEntityId
244- SimpleSAML \Logger::debug ('Consent: Consent disabled for entity ' . $ spEntityId' with IdP ' . $ idpEntityId
249+ if (isset ($ state'Source ' ]['consent.disable ' ]) &&
250+ self ::checkDisable ($ state'Source ' ]['consent.disable ' ], $ spEntityId
251+ ) {
252+ SimpleSAML \Logger::debug ('Consent: Consent disabled for entity ' .$ spEntityId' with IdP ' .$ idpEntityId
245253 SimpleSAML_Stats::log ('consent:disabled ' , $ statsData
246254 return ;
247255 }
248- if (isset ($ state'Destination ' ]['consent.disable ' ]) && self ::checkDisable ($ state'Destination ' ]['consent.disable ' ], $ idpEntityId
249- SimpleSAML \Logger::debug ('Consent: Consent disabled for entity ' . $ spEntityId' with IdP ' . $ idpEntityId
256+ if (isset ($ state'Destination ' ]['consent.disable ' ]) &&
257+ self ::checkDisable ($ state'Destination ' ]['consent.disable ' ], $ idpEntityId
258+ ) {
259+ SimpleSAML \Logger::debug ('Consent: Consent disabled for entity ' .$ spEntityId' with IdP ' .$ idpEntityId
250260 SimpleSAML_Stats::log ('consent:disabled ' , $ statsData
251261 return ;
252262 }
253263
254264 if ($ this _store !== null ) {
255-
256- $ source$ state'Source ' ]['metadata-set ' ] . '| ' . $ idpEntityId
257- $ destination$ state'Destination ' ]['metadata-set ' ] . '| ' . $ spEntityId
258- $ attributes$ state'Attributes ' ];
265+ $ source$ state'Source ' ]['metadata-set ' ].'| ' .$ idpEntityId
266+ $ destination$ state'Destination ' ]['metadata-set ' ].'| ' .$ spEntityId
267+ $ attributes$ state'Attributes ' ];
259268
260269 // Remove attributes that do not require consent
261- foreach ($ attributesAS $ attrkey$ attrval
270+ foreach ($ attributesas $ attrkey$ attrval
262271 if (in_array ($ attrkey$ this _noconsentattributes )) {
263272 unset($ attributes$ attrkey
264273 }
265274 }
266275
267- SimpleSAML \Logger::debug ('Consent: userid: ' . $ state'UserID ' ]);
268- SimpleSAML \Logger::debug ('Consent: source: ' . $ source
269- SimpleSAML \Logger::debug ('Consent: destination: ' . $ destination
276+ SimpleSAML \Logger::debug ('Consent: userid: ' . $ state'UserID ' ]);
277+ SimpleSAML \Logger::debug ('Consent: source: ' . $ source
278+ SimpleSAML \Logger::debug ('Consent: destination: ' . $ destination
270279
271- $ userId = self ::getHashedUserID ($ state'UserID ' ], $ source
272- $ targetedId = self ::getTargetedID ($ state'UserID ' ], $ source$ destination
280+ $ userIdself ::getHashedUserID ($ state'UserID ' ], $ source
281+ $ targetedIdself ::getTargetedID ($ state'UserID ' ], $ source$ destination
273282 $ attributeSetself ::getAttributeHash ($ attributes$ this _includeValues );
274283
275284 SimpleSAML \Logger::debug (
276- 'Consent: hasConsent() [ ' . $ userId . '| ' . $ targetedId . '| ' .
277- $ attributeSet . '] '
285+ 'Consent: hasConsent() [ ' . $ userId. '| ' . $ targetedId. '| ' .
286+ $ attributeSet. '] '
278287 );
279288
280289 try {
@@ -288,12 +297,12 @@ public function process(&$state)
288297 SimpleSAML \Logger::stats ('Consent: Consent notfound ' );
289298 SimpleSAML_Stats::log ('consent:notfound ' , $ statsData
290299
291- $ state'consent:store ' ] = $ this _store ;
292- $ state'consent:store.userId ' ] = $ userId
293- $ state'consent:store.destination ' ] = $ targetedId
300+ $ state'consent:store ' ] = $ this _store ;
301+ $ state'consent:store.userId ' ] = $ userId
302+ $ state'consent:store.destination ' ] = $ targetedId
294303 $ state'consent:store.attributeSet ' ] = $ attributeSet
295304 } catch (Exception $ e
296- SimpleSAML \Logger::error ('Consent: Error reading from storage: ' . $ egetMessage ());
305+ SimpleSAML \Logger::error ('Consent: Error reading from storage: ' . $ egetMessage ());
297306 SimpleSAML \Logger::stats ('Consent: Failed ' );
298307 SimpleSAML_Stats::log ('consent:failed ' , $ statsData
299308 }
@@ -302,69 +311,68 @@ public function process(&$state)
302311 SimpleSAML_Stats::log ('consent:nostorage ' , $ statsData
303312 }
304313
305- $ state'consent:focus ' ] = $ this _focus ;
306- $ state'consent:checked ' ] = $ this _checked ;
307- $ state'consent:hiddenAttributes ' ] = $ this _hiddenAttributes ;
314+ $ state'consent:focus ' ] = $ this _focus ;
315+ $ state'consent:checked ' ] = $ this _checked ;
316+ $ state'consent:hiddenAttributes ' ] = $ this _hiddenAttributes ;
308317 $ state'consent:noconsentattributes ' ] = $ this _noconsentattributes ;
309318 $ state'consent:showNoConsentAboutService ' ] = $ this _showNoConsentAboutService ;
310319
311- // User interaction nessesary . Throw exception on isPassive request
320+ // user interaction necessary . Throw exception on isPassive request
312321 if (isset ($ state'isPassive ' ]) && $ state'isPassive ' ] === true ) {
313322 SimpleSAML_Stats::log ('consent:nopassive ' , $ statsData
314- throw new SimpleSAML_Error_NoPassive (
315- 'Unable to give consent on passive request. '
316- );
323+ throw new SimpleSAML_Error_NoPassive ('Unable to give consent on passive request. ' );
317324 }
318325
319326 // Save state and redirect
320- $ id = SimpleSAML_Auth_State::saveState ($ state'consent:request ' );
327+ $ idsaveState ($ state'consent:request ' );
321328 $ urlSimpleSAML \Module::getModuleURL ('consent/getconsent.php ' );
322329 \SimpleSAML \Utils \HTTP ::redirectTrustedURL ($ urlarray ('StateId ' => $ id
323330 }
324331
332+
325333 /**
326- * Generate a unique identifier of the user
327- *
328- * @param string $userid The user id
329- * @param string $source The source id
334+ * Generate a unique identifier of the user.
335+ *
336+ * @param string $userid The user id.
337+ * @param string $source The source id.
330338 *
331- * @return string SHA1 of the user id, source id and salt
339+ * @return string SHA1 of the user id, source id and salt.
332340 */
333341 public static function getHashedUserID ($ userid$ source
334342 {
335- return hash ('sha1 ' , $ userid . '| ' . SimpleSAML \Utils \Config::getSecretSalt () . '| ' . $ source
343+ return hash ('sha1 ' , $ userid. '| ' . SimpleSAML \Utils \Config::getSecretSalt (). '| ' . $ source
336344 }
337345
346+
338347 /**
339- * Generate a unique targeted identifier
348+ * Generate a unique targeted identifier.
340349 *
341- * @param string $userid The user id
342- * @param string $source The source id
343- * @param string $destination The destination id
350+ * @param string $userid The user id.
351+ * @param string $source The source id.
352+ * @param string $destination The destination id.
344353 *
345- * @return string SHA1 of the user id, source id, destination id and salt
354+ * @return string SHA1 of the user id, source id, destination id and salt.
346355 */
347356 public static function getTargetedID ($ userid$ source$ destination
348357 {
349- return hash ('sha1 ' , $ userid . '| ' . SimpleSAML \Utils \Config::getSecretSalt () . '| ' . $ source . '| ' . $ destination
358+ return hash ('sha1 ' , $ userid. '| ' . SimpleSAML \Utils \Config::getSecretSalt (). '| ' . $ source. '| ' . $ destination
350359 }
351360
361+
352362 /**
353- * Generate unique identitier for attributes
363+ * Generate unique identifier for attributes.
354364 *
355- * Create a hash value for the attributes that changes when attributes are
356- * added or removed. If the attribute values are included in the hash, the
357- * hash will change if the values change.
365+ * Create a hash value for the attributes that changes when attributes are added or removed. If the attribute
366+ * values are included in the hash, the hash will change if the values change.
358367 *
359- * @param string $attributes The attributes
360- * @param bool $includeValues Whether or not to include the attribute
361- * value in the generation of the hash.
368+ * @param string $attributes The attributes.
369+ * @param bool $includeValues Whether or not to include the attribute value in the generation of the hash.
362370 *
363- * @return string SHA1 of the user id, source id, destination id and salt
371+ * @return string SHA1 of the user id, source id, destination id and salt.
364372 */
365373 public static function getAttributeHash ($ attributes$ includeValuesfalse )
366374 {
367- $ hashBasenull ;
375+ $ hashBasenull ;
368376 if ($ includeValues
369377 ksort ($ attributes
370378 $ hashBaseserialize ($ attributes
0 commit comments