Update php-saml library to 2.10.0

Author: pitbulk

onelogin-saml-sso/php/lib/Saml2/Auth.php

@@ -102,7 +102,10 @@ public function getSettings()
      */
     public function setStrict($value)
     {
-        assert('is_bool($value)');
+        if (! (is_bool($value))) {
+            throw new Exception('Invalid value passed to setStrict()');
+        }
+
         $this->_settings->setStrict($value);
     }
 
@@ -196,7 +199,7 @@ public function processSLO($keepLocalSession = false, $requestId = null, $retrie
 
                 $security = $this->_settings->getSecurityData();
                 if (isset($security['logoutResponseSigned']) && $security['logoutResponseSigned']) {
-                    $signature = $this->buildResponseSignature($logoutResponse, $parameters['RelayState'], $security['signatureAlgorithm']);
+                    $signature = $this->buildResponseSignature($logoutResponse, isset($parameters['RelayState'])? $parameters['RelayState']: null, $security['signatureAlgorithm']);
                     $parameters['SigAlg'] = $security['signatureAlgorithm'];
                     $parameters['Signature'] = $signature;
                 }
@@ -472,9 +475,20 @@ public function buildRequestSignature($samlRequest, $relayState, $signAlgorithm
         $objKey = new XMLSecurityKey($signAlgorithm, array('type' => 'private'));
         $objKey->loadKey($key, false);
 
-        $msg = 'SAMLRequest='.urlencode($samlRequest);
-        $msg .= '&RelayState='.urlencode($relayState);
-        $msg .= '&SigAlg=' . urlencode($signAlgorithm);
+        $security = $this->_settings->getSecurityData();
+        if ($security['lowercaseUrlencoding']) {
+            $msg = 'SAMLRequest='.rawurlencode($samlRequest);
+            if (isset($relayState)) {
+                $msg .= '&RelayState='.rawurlencode($relayState);
+            }
+            $msg .= '&SigAlg=' . rawurlencode($signAlgorithm);
+        } else {
+            $msg = 'SAMLRequest='.urlencode($samlRequest);
+            if (isset($relayState)) {
+                $msg .= '&RelayState='.urlencode($relayState);
+            }
+            $msg .= '&SigAlg=' . urlencode($signAlgorithm);
+        }
         $signature = $objKey->signData($msg);
         return base64_encode($signature);
     }
@@ -505,9 +519,20 @@ public function buildResponseSignature($samlResponse, $relayState, $signAlgorith
         $objKey = new XMLSecurityKey($signAlgorithm, array('type' => 'private'));
         $objKey->loadKey($key, false);
 
-        $msg = 'SAMLResponse='.urlencode($samlResponse);
-        $msg .= '&RelayState='.urlencode($relayState);
-        $msg .= '&SigAlg=' . urlencode($signAlgorithm);
+        $security = $this->_settings->getSecurityData();
+        if ($security['lowercaseUrlencoding']) {
+            $msg = 'SAMLResponse='.rawurlencode($samlResponse);
+            if (isset($relayState)) {
+                $msg .= '&RelayState='.rawurlencode($relayState);
+            }
+            $msg .= '&SigAlg=' . rawurlencode($signAlgorithm);
+        } else {
+            $msg = 'SAMLResponse='.urlencode($samlResponse);
+            if (isset($relayState)) {
+                $msg .= '&RelayState='.urlencode($relayState);
+            }
+            $msg .= '&SigAlg=' . urlencode($signAlgorithm);
+        }
         $signature = $objKey->signData($msg);
         return base64_encode($signature);
     }

onelogin-saml-sso/php/lib/Saml2/AuthnRequest.php

@@ -137,12 +137,22 @@ public function __construct(OneLogin_Saml2_Settings $settings, $forceAuthn = fal
 
     /**
      * Returns deflated, base64 encoded, unsigned AuthnRequest.
-     *
+     * 
+     * @param bool|null $deflate Whether or not we should 'gzdeflate' the request body before we return it.
      */
-    public function getRequest()
+    public function getRequest($deflate = null)
     {
-        $deflatedRequest = gzdeflate($this->_authnRequest);
-        $base64Request = base64_encode($deflatedRequest);
+        $subject = $this->_authnRequest;
+
+        if (is_null($deflate)) {
+            $deflate = $this->_settings->shouldCompressRequests();
+        }
+
+        if ($deflate) {
+            $subject = gzdeflate($this->_authnRequest);
+        }
+
+        $base64Request = base64_encode($subject);
         return $base64Request;
     }
 

onelogin-saml-sso/php/lib/Saml2/LogoutRequest.php

@@ -55,7 +55,7 @@ public function __construct(OneLogin_Saml2_Settings $settings, $request = null,
 
             $nameIdValue = OneLogin_Saml2_Utils::generateUniqueID();
             $issueInstant = OneLogin_Saml2_Utils::parseTime2SAML(time());
-            
+
             $cert = null;
             if (isset($security['nameIdEncrypted']) && $security['nameIdEncrypted']) {
                 $cert = $idpData['x509cert'];
@@ -110,12 +110,23 @@ public function __construct(OneLogin_Saml2_Settings $settings, $request = null,
     /**
      * Returns the Logout Request defated, base64encoded, unsigned
      *
+     * @param bool|null $deflate Whether or not we should 'gzdeflate' the request body before we return it.
+     *
      * @return string Deflated base64 encoded Logout Request
      */
-    public function getRequest()
+    public function getRequest($deflate = null)
     {
-        $deflatedRequest = gzdeflate($this->_logoutRequest);
-        return base64_encode($deflatedRequest);
+        $subject = $this->_logoutRequest;
+
+        if (is_null($deflate)) {
+            $deflate = $this->_settings->shouldCompressRequests();
+        }
+
+        if ($deflate) {
+            $subject = gzdeflate($this->_logoutRequest);
+        }
+
+        return base64_encode($subject);
     }
 
     /**
@@ -143,7 +154,7 @@ public static function getID($request)
      *
      * @param string|DOMDocument $request Logout Request Message
      * @param string|null        $key     The SP key
-     *     
+     *
      * @return array Name ID Data (Value, Format, NameQualifier, SPNameQualifier)
      *
      * @throws Exception
@@ -235,11 +246,11 @@ public static function getIssuer($request)
     /**
      * Gets the SessionIndexes from the Logout Request.
      * Notice: Our Constructor only support 1 SessionIndex but this parser
-     *         extracts an array of all the  SessionIndex found on a  
+     *         extracts an array of all the  SessionIndex found on a
      *         Logout Request, that could be many.
      *
      * @param string|DOMDocument $request Logout Request Message
-     * 
+     *
      * @return array The SessionIndex value
      */
     public static function getSessionIndexes($request)
@@ -283,7 +294,7 @@ public function isValid($retrieveParametersFromServer=false)
                         throw new Exception("Invalid SAML Logout Request. Not match the saml-schema-protocol-2.0.xsd");
                     }
                 }
-                
+
                 $currentURL = OneLogin_Saml2_Utils::getSelfRoutedURLNoQuery();
 
                 // Check NotOnOrAfter
@@ -375,7 +386,7 @@ public function isValid($retrieveParametersFromServer=false)
 
     /* After execute a validation process, if fails this method returns the cause
      *
-     * @return string Cause 
+     * @return string Cause
      */
     public function getError()
     {

onelogin-saml-sso/php/lib/Saml2/LogoutResponse.php

@@ -71,13 +71,13 @@ public function getIssuer()
 
     /**
      * Gets the Status of the Logout Response.
-     * 
+     *
      * @return string The Status
      */
     public function getStatus()
     {
         $entries = $this->_query('/samlp:LogoutResponse/samlp:Status/samlp:StatusCode');
-        if ($entries->length == 0) {
+        if ($entries->length != 1) {
             return null;
         }
         $status = $entries->item(0)->getAttribute('Value');
@@ -213,7 +213,7 @@ private function _query($query)
     /**
      * Generates a Logout Response object.
      *
-     * @param string $inResponseTo InResponseTo value for the Logout Response. 
+     * @param string $inResponseTo InResponseTo value for the Logout Response.
      */
     public function build($inResponseTo)
     {
@@ -244,18 +244,28 @@ public function build($inResponseTo)
 
     /**
      * Returns a Logout Response object.
-     *
+     * 
+     * @param bool|null $deflate Whether or not we should 'gzdeflate' the response body before we return it.
+     *                           
      * @return string Logout Response deflated and base64 encoded
      */
-    public function getResponse()
+    public function getResponse($deflate = null)
     {
-        $deflatedResponse = gzdeflate($this->_logoutResponse);
-        return base64_encode($deflatedResponse);
+        $subject = $this->_logoutResponse;
+
+        if (is_null($deflate)) {
+            $deflate = $this->_settings->shouldCompressResponses();
+        }
+
+        if ($deflate) {
+            $subject = gzdeflate($this->_logoutResponse);
+        }
+        return base64_encode($subject);
     }
 
     /* After execute a validation process, if fails this method returns the cause.
      *
-     * @return string Cause 
+     * @return string Cause
      */
     public function getError()
     {

onelogin-saml-sso/php/lib/Saml2/Metadata.php

@@ -1,5 +1,5 @@
 <?php
- 
+
 /**
  * Metadata lib of OneLogin PHP Toolkit
  *
@@ -58,6 +58,7 @@ public static function builder($sp, $authnsign = false, $wsign = false, $validUn
         }
 
         $strOrganization = '';
+
         if (!empty($organization)) {
             $organizationInfoNames = array();
             $organizationInfoDisplaynames = array();
@@ -96,6 +97,58 @@ public static function builder($sp, $authnsign = false, $wsign = false, $validUn
             $strContacts = "\n".implode("\n", $contactsInfo);
         }
 
+        $strAttributeConsumingService = '';
+        if (isset($sp['attributeConsumingService'])) {
+            $attrCsDesc = '';
+            if (isset($sp['attributeConsumingService']['serviceDescription'])) {
+                $attrCsDesc = sprintf(
+                    '            <md:ServiceDescription xml:lang="en">%s</md:ServiceDescription>' . PHP_EOL,
+                    $sp['attributeConsumingService']['serviceDescription']
+                );
+            }
+            if (!isset($sp['attributeConsumingService']['serviceName'])) {
+                $sp['attributeConsumingService']['serviceName'] = 'Service';
+            }
+            $requestedAttributeData = array();
+            foreach ($sp['attributeConsumingService']['requestedAttributes'] as $attribute) {
+                $requestedAttributeStr = sprintf('            <md:RequestedAttribute Name="%s"', $attribute['name']);
+                if (isset($attribute['nameFormat'])) {
+                    $requestedAttributeStr .= sprintf(' NameFormat="%s"', $attribute['nameFormat']);
+                }
+                if (isset($attribute['friendlyName'])) {
+                    $requestedAttributeStr .= sprintf(' FriendlyName="%s"', $attribute['friendlyName']);
+                }
+                if (isset($attribute['isRequired'])) {
+                    $requestedAttributeStr .= sprintf(' isRequired="%s"', $attribute['isRequired'] === true ? 'true' : 'false');
+                }
+                $reqAttrAuxStr = " />";
+
+                if (isset($attribute['attributeValue']) && !empty($attribute['attributeValue'])) {
+                    $reqAttrAuxStr = '>';
+                    if (is_string($attribute['attributeValue'])) {
+                        $attribute['attributeValue'] = array($attribute['attributeValue']);
+                    }                    
+                    foreach ($attribute['attributeValue'] as $attrValue) {
+                        $reqAttrAuxStr .=<<<ATTRIBUTEVALUE
+
+                <saml:AttributeValue xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">{$attrValue}</saml:AttributeValue>
+ATTRIBUTEVALUE;
+                    }
+                    $reqAttrAuxStr .= "\n            </md:RequestedAttribute>";
+                }
+
+                $requestedAttributeData[] = $requestedAttributeStr . $reqAttrAuxStr;
+            }
+
+            $requestedAttributeStr = implode(PHP_EOL, $requestedAttributeData);
+            $strAttributeConsumingService = <<<METADATA_TEMPLATE
+<md:AttributeConsumingService index="1">
+            <md:ServiceName xml:lang="en">{$sp['attributeConsumingService']['serviceName']}</md:ServiceName>
+{$attrCsDesc}{$requestedAttributeStr}
+        </md:AttributeConsumingService>
+METADATA_TEMPLATE;
+        }
+
         $metadata = <<<METADATA_TEMPLATE
 <?xml version="1.0"?>
 <md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
@@ -107,6 +160,7 @@ public static function builder($sp, $authnsign = false, $wsign = false, $validUn
         <md:AssertionConsumerService Binding="{$sp['assertionConsumerService']['binding']}"
                                      Location="{$sp['assertionConsumerService']['url']}"
                                      index="1" />
+        {$strAttributeConsumingService}
     </md:SPSSODescriptor>{$strOrganization}{$strContacts}
 </md:EntityDescriptor>
 METADATA_TEMPLATE;
@@ -159,7 +213,7 @@ public static function addX509KeyDescriptors($metadata, $cert, $wantsEncrypted =
 
         $keyInfo = $xml->createElementNS(OneLogin_Saml2_Constants::NS_DS, 'ds:KeyInfo');
         $keyInfo->appendChild($keyData);
-        
+
         $keyDescriptor = $xml->createElementNS(OneLogin_Saml2_Constants::NS_MD, "md:KeyDescriptor");
 
         $SPSSODescriptor = $xml->getElementsByTagName('SPSSODescriptor')->item(0);