jazzsequence
diff --git a/‎onelogin-saml-sso/php/configuration.php‎
Lines changed: 46 additions & 0 deletions b/‎onelogin-saml-sso/php/configuration.php‎
Lines changed: 46 additions & 0 deletions
diff --git a/‎onelogin-saml-sso/php/lib/Saml2/Auth.php‎
Lines changed: 150 additions & 14 deletions b/‎onelogin-saml-sso/php/lib/Saml2/Auth.php‎
Lines changed: 150 additions & 14 deletions
@@ -8,6 +8,7 @@
 
 require_once "compatibility.php";
 require_once (dirname(__FILE__) . "/lib/Saml2/Constants.php");
+require_once (dirname(__FILE__) . "/extlib/xmlseclibs/xmlseclibs.php");
 
 
 	function onelogin_saml_configuration_render() {
@@ -173,6 +174,12 @@ function onelogin_saml_configuration() {
 
 		register_setting($option_group, 'onelogin_saml_advanced_settings_sp_privatekey');
 		add_settings_field('onelogin_saml_advanced_settings_sp_privatekey', __('Service Provider Private Key', 'onelogin-saml-sso'), "plugin_setting_string_onelogin_saml_advanced_settings_sp_privatekey", $option_group, 'advanced_settings');
+
+		register_setting($option_group, 'onelogin_saml_advanced_signaturealgorithm');
+		add_settings_field('onelogin_saml_advanced_signaturealgorithm', __('Signature Algorithm', 'onelogin-saml-sso'), "plugin_setting_select_onelogin_saml_advanced_signaturealgorithm", $option_group, 'advanced_settings');
+
+		register_setting($option_group, 'onelogin_saml_advanced_digestalgorithm');
+		add_settings_field('onelogin_saml_advanced_digestalgorithm', __('Digest Algorithm', 'onelogin-saml-sso'), "plugin_setting_select_onelogin_saml_advanced_digestalgorithm", $option_group, 'advanced_settings');
 	}
 
 	function plugin_setting_string_onelogin_saml_idp_entityid() {
@@ -504,6 +511,45 @@ function plugin_setting_select_onelogin_saml_advanced_requestedauthncontext() {
 
 	}
 
+	function plugin_setting_select_onelogin_saml_advanced_signaturealgorithm() {
+		$signaturealgorithm_value = get_option('onelogin_saml_advanced_signaturealgorithm');
+		$posible_signaturealgorithm_values = array(
+			'RSA_SHA1' => XMLSecurityKey::RSA_SHA1,
+			'DSA_SHA1' => XMLSecurityKey::DSA_SHA1,
+			'RSA_SHA256' => XMLSecurityKey::RSA_SHA256,
+			'RSA_SHA384' => XMLSecurityKey::RSA_SHA384,
+			'RSA_SHA512' => XMLSecurityKey::RSA_SHA512
+		);
+
+		echo '<select name="onelogin_saml_advanced_signaturealgorithm" id="onelogin_saml_advanced_signaturealgorithm">';
+
+		foreach ($posible_signaturealgorithm_values as $key => $value) {
+			echo '<option value='.$key.' '.($key == $signaturealgorithm_value ? 'selected="selected"': '').' >'.$value.'</option>';
+		}
+
+		echo '</select>'.
+			 '<p class="description">'.__("Algorithm that will be used on signing process").'</p>';
+	}
+
+	function plugin_setting_select_onelogin_saml_advanced_digestalgorithm() {
+		$digestalgorithm_value = get_option('onelogin_saml_advanced_digestalgorithm');
+		$posible_digestalgorithm_values = array(
+			'SHA1' => XMLSecurityDSig::SHA1,
+			'SHA256' => XMLSecurityDSig::SHA256,
+			'SHA384' => XMLSecurityDSig::SHA384,
+			'SHA512' => XMLSecurityDSig::SHA512
+		);
+
+		echo '<select name="onelogin_saml_advanced_digestalgorithm" id="onelogin_saml_advanced_digestalgorithm">';
+
+		foreach ($posible_digestalgorithm_values as $key => $value) {
+			echo '<option value='.$key.' '.($key == $digestalgorithm_value ? 'selected="selected"': '').' >'.$value.'</option>';
+		}
+
+		echo '</select>'.
+			 '<p class="description">'.__("Algorithm that will be used on digest process").'</p>';
+	}
+
 	function plugin_section_idp_text() {
 		echo "<p>".__("Set information relating to the IdP that will be connected with our WordPress. You can find these values at the Onelogin's platform inside WordPress on the Single Sign-On tab.", 'onelogin-saml-sso')."</p>";
 	}
 
@@ -6,7 +6,6 @@
  */
 class OneLogin_Saml2_Auth
 {
-
     /**
      * Settings data.
      *
@@ -28,6 +27,13 @@ class OneLogin_Saml2_Auth
      */
     private $_nameid;
 
+    /**
+     * NameID Format
+     *
+     * @var string
+     */
+    private $_nameidFormat;
+
     /**
      * If user is authenticated.
      *
@@ -52,6 +58,28 @@ class OneLogin_Saml2_Auth
      */
     private $_sessionExpiration;
 
+    /**
+     * The ID of the last message processed
+     *
+     * @var string
+     */
+    private $_lastMessageId;
+
+    /**
+     * The ID of the last assertion processed
+     *
+     * @var string
+     */
+    private $_lastAssertionId;
+
+    /**
+     * The NotOnOrAfter value of the valid SubjectConfirmationData
+     * node (if any) of the last assertion processed
+     *
+     * @var DateTime
+     */
+    private $_lastAssertionNotOnOrAfter;
+
     /**
      * If any error.
      *
@@ -73,6 +101,23 @@ class OneLogin_Saml2_Auth
      */
     private $_lastRequestID;
 
+    /**
+     * The most recently-constructed/processed XML SAML request
+     * (AuthNRequest, LogoutRequest)
+     *
+     * @var string
+     */
+    private $_lastRequest;
+
+    /**
+     * The most recently-constructed/processed XML SAML response
+     * (SAMLResponse, LogoutResponse). If the SAMLResponse was
+     * encrypted, by default tries to return the decrypted XML
+     *
+     * @var string
+     */
+    private $_lastResponse;
+
     /**
      * Initializes the SP SAML instance.
      *
@@ -103,7 +148,10 @@ public function getSettings()
     public function setStrict($value)
     {
         if (! (is_bool($value))) {
-            throw new Exception('Invalid value passed to setStrict()');
+            throw new OneLogin_Saml2_Error(
+                'Invalid value passed to setStrict()',
+                OneLogin_Saml2_Error::SETTINGS_INVALID_SYNTAX
+            );
         }
 
         $this->_settings->setStrict($value);
@@ -119,16 +167,22 @@ public function setStrict($value)
     public function processResponse($requestId = null)
     {
         $this->_errors = array();
+        $this->_errorReason = null;
         if (isset($_POST) && isset($_POST['SAMLResponse'])) {
             // AuthnResponse -- HTTP_POST Binding
             $response = new OneLogin_Saml2_Response($this->_settings, $_POST['SAMLResponse']);
+            $this->_lastResponse = $response->getXMLDocument();
 
             if ($response->isValid($requestId)) {
                 $this->_attributes = $response->getAttributes();
                 $this->_nameid = $response->getNameId();
+                $this->_nameidFormat = $response->getNameIdFormat();
                 $this->_authenticated = true;
                 $this->_sessionIndex = $response->getSessionIndex();
                 $this->_sessionExpiration = $response->getSessionNotOnOrAfter();
+                $this->_lastMessageId = $response->getId();
+                $this->_lastAssertionId = $response->getAssertionId();
+                $this->_lastAssertionNotOnOrAfter = $response->getAssertionNotOnOrAfter();
             } else {
                 $this->_errors[] = 'invalid_response';
                 $this->_errorReason = $response->getError();
@@ -155,17 +209,20 @@ public function processResponse($requestId = null)
      *
      * @throws OneLogin_Saml2_Error
      */
-    public function processSLO($keepLocalSession = false, $requestId = null, $retrieveParametersFromServer = false, $cbDeleteSession = null, $stay=false)
+    public function processSLO($keepLocalSession = false, $requestId = null, $retrieveParametersFromServer = false, $cbDeleteSession = null, $stay = false)
     {
         $this->_errors = array();
+        $this->_errorReason = null;
         if (isset($_GET) && isset($_GET['SAMLResponse'])) {
             $logoutResponse = new OneLogin_Saml2_LogoutResponse($this->_settings, $_GET['SAMLResponse']);
+            $this->_lastResponse = $logoutResponse->getXML();
             if (!$logoutResponse->isValid($requestId, $retrieveParametersFromServer)) {
                 $this->_errors[] = 'invalid_logout_response';
                 $this->_errorReason = $logoutResponse->getError();
             } else if ($logoutResponse->getStatus() !== OneLogin_Saml2_Constants::STATUS_SUCCESS) {
                 $this->_errors[] = 'logout_not_success';
             } else {
+                $this->_lastMessageId = $logoutResponse->id;
                 if (!$keepLocalSession) {
                     if ($cbDeleteSession === null) {
                         OneLogin_Saml2_Utils::deleteLocalSession();
@@ -176,6 +233,7 @@ public function processSLO($keepLocalSession = false, $requestId = null, $retrie
             }
         } else if (isset($_GET) && isset($_GET['SAMLRequest'])) {
             $logoutRequest = new OneLogin_Saml2_LogoutRequest($this->_settings, $_GET['SAMLRequest']);
+            $this->_lastRequest = $logoutRequest->getXML();
             if (!$logoutRequest->isValid($retrieveParametersFromServer)) {
                 $this->_errors[] = 'invalid_logout_request';
                 $this->_errorReason = $logoutRequest->getError();
@@ -188,8 +246,11 @@ public function processSLO($keepLocalSession = false, $requestId = null, $retrie
                     }
                 }
                 $inResponseTo = $logoutRequest->id;
+                $this->_lastMessageId = $logoutRequest->id;
                 $responseBuilder = new OneLogin_Saml2_LogoutResponse($this->_settings);
                 $responseBuilder->build($inResponseTo);
+                $this->_lastResponse = $responseBuilder->getXML();
+
                 $logoutResponse = $responseBuilder->getResponse();
 
                 $parameters = array('SAMLResponse' => $logoutResponse);
@@ -265,6 +326,16 @@ public function getNameId()
         return $this->_nameid;
     }
 
+    /**
+     * Returns the nameID Format
+     *
+     * @return string  The nameID Format of the assertion
+     */
+    public function getNameIdFormat()
+    {
+        return $this->_nameidFormat;
+    }
+
     /**
      * Returns the SessionIndex
      *
@@ -335,12 +406,13 @@ public function getAttribute($name)
      *
      * @return If $stay is True, it return a string with the SLO URL + LogoutRequest + parameters
      */
-    public function login($returnTo = null, $parameters = array(), $forceAuthn = false, $isPassive = false, $stay=false, $setNameIdPolicy = true)
+    public function login($returnTo = null, $parameters = array(), $forceAuthn = false, $isPassive = false, $stay = false, $setNameIdPolicy = true)
     {
         assert('is_array($parameters)');
 
         $authnRequest = new OneLogin_Saml2_AuthnRequest($this->_settings, $forceAuthn, $isPassive, $setNameIdPolicy);
 
+        $this->_lastRequest = $authnRequest->getXML();
         $this->_lastRequestID = $authnRequest->getId();
 
         $samlRequest = $authnRequest->getRequest();
@@ -369,12 +441,13 @@ public function login($returnTo = null, $parameters = array(), $forceAuthn = fal
      * @param string|null $nameId        The NameID that will be set in the LogoutRequest.
      * @param string|null $sessionIndex  The SessionIndex (taken from the SAML Response in the SSO process).
      * @param bool        $stay          True if we want to stay (returns the url string) False to redirect
+     * @param string|null $nameIdFormat  The NameID Format will be set in the LogoutRequest.
      *
      * @return If $stay is True, it return a string with the SLO URL + LogoutRequest + parameters
      *
      * @throws OneLogin_Saml2_Error
      */
-    public function logout($returnTo = null, $parameters = array(), $nameId = null, $sessionIndex = null, $stay=false)
+    public function logout($returnTo = null, $parameters = array(), $nameId = null, $sessionIndex = null, $stay = false, $nameIdFormat = null)
     {
         assert('is_array($parameters)');
 
@@ -389,9 +462,13 @@ public function logout($returnTo = null, $parameters = array(), $nameId = null,
         if (empty($nameId) && !empty($this->_nameid)) {
             $nameId = $this->_nameid;
         }
+        if (empty($nameIdFormat) && !empty($this->_nameidFormat)) {
+            $nameIdFormat = $this->_nameidFormat;
+        }
 
-        $logoutRequest = new OneLogin_Saml2_LogoutRequest($this->_settings, null, $nameId, $sessionIndex);
+        $logoutRequest = new OneLogin_Saml2_LogoutRequest($this->_settings, null, $nameId, $sessionIndex, $nameIdFormat);
 
+        $this->_lastRequest = $logoutRequest->getXML();
         $this->_lastRequestID = $logoutRequest->id;
 
         $samlRequest = $logoutRequest->getRequest();
@@ -463,10 +540,11 @@ public function getLastRequestID()
      */
     public function buildRequestSignature($samlRequest, $relayState, $signAlgorithm = XMLSecurityKey::RSA_SHA1)
     {
-        if (!$this->_settings->checkSPCerts()) {
+        $key = $this->_settings->getSPkey();
+        if (empty($key)) {
             throw new OneLogin_Saml2_Error(
-                "Trying to sign the SAML Request but can't load the SP certs",
-                OneLogin_Saml2_Error::SP_CERTS_NOT_FOUND
+                "Trying to sign the SAML Request but can't load the SP private key",
+                OneLogin_Saml2_Error::PRIVATE_KEY_NOT_FOUND
             );
         }
 
@@ -507,15 +585,14 @@ public function buildRequestSignature($samlRequest, $relayState, $signAlgorithm
      */
     public function buildResponseSignature($samlResponse, $relayState, $signAlgorithm = XMLSecurityKey::RSA_SHA1)
     {
-        if (!$this->_settings->checkSPCerts()) {
+        $key = $this->_settings->getSPkey();
+        if (empty($key)) {
             throw new OneLogin_Saml2_Error(
-                "Trying to sign the SAML Response but can't load the SP certs",
-                OneLogin_Saml2_Error::SP_CERTS_NOT_FOUND
+                "Trying to sign the SAML Response but can't load the SP private key",
+                OneLogin_Saml2_Error::PRIVATE_KEY_NOT_FOUND
             );
         }
 
-        $key = $this->_settings->getSPkey();
-
         $objKey = new XMLSecurityKey($signAlgorithm, array('type' => 'private'));
         $objKey->loadKey($key, false);
 
@@ -536,4 +613,63 @@ public function buildResponseSignature($samlResponse, $relayState, $signAlgorith
         $signature = $objKey->signData($msg);
         return base64_encode($signature);
     }
+
+    /**
+     * @return string The ID of the last message processed
+     */
+    public function getLastMessageId()
+    {
+        return $this->_lastMessageId;
+    }
+
+    /**
+     * @return string The ID of the last assertion processed
+     */
+    public function getLastAssertionId()
+    {
+        return $this->_lastAssertionId;
+    }
+
+    /**
+     * @return The NotOnOrAfter value of the valid
+     *         SubjectConfirmationData node (if any)
+     *         of the last assertion processed
+     */
+    public function getLastAssertionNotOnOrAfter()
+    {
+        return $this->_lastAssertionNotOnOrAfter;
+    }
+
+    /**
+     * Returns the most recently-constructed/processed
+     * XML SAML request (AuthNRequest, LogoutRequest)
+     *
+     * @return string The Request XML
+     */
+    public function getLastRequestXML()
+    {
+        return $this->_lastRequest;
+    }
+
+    /**
+     * Returns the most recently-constructed/processed
+     * XML SAML response (SAMLResponse, LogoutResponse).
+     * If the SAMLResponse was encrypted, by default tries
+     * to return the decrypted XML.
+     *
+     * @return string The Response XML
+     */
+    public function getLastResponseXML()
+    {
+        $response = null;
+        if (isset($this->_lastResponse)) {
+            if (is_string($this->_lastResponse)) {
+                $response = $this->_lastResponse;
+            } else {
+                $response = $this->_lastResponse->saveXML();
+            }
+        }
+        
+        return $response;
+    }
 }