author | Vincent Rioux <vrioux@ctech.ca> | 2016-08-18 09:01:54 -0400 |
committer | GitHub <noreply@github.com> | 2016-08-18 09:01:54 -0400 |
commit | 6e46f7cca83063c307c84fcb54cad81cf1da37c8 (patch) | |
tree | ccf88df070e80bf1e5c3ce9e31f786bcd5bdb195 | |
parent | e20a75b3dab280fbfa0403d9c8f0ba3dab03f3d6 (diff) | |
Add support for regex in consent.disable
Add support for regular expressions in consent.disable to make it easy to disable the consent requirement for an entire domain or for trusted domains. We have over 100 SP definitions internally and would like to have consent disabled for all of them easily, without having to update the IdP metadata each time we add a new SP.
Example consent.disable in IDP metadata :
// Disable consent for our SPs
'consent.disable' => array(
'https://mysp.mypartner.com',
array('type'=>'regex', 'pattern'=>'/.*\.mycompany\.com.*/i'),
),
-rw-r--r-- | modules/consent/lib/Auth/Process/Consent.php | 25 |
1 files changed, 23 insertions, 2 deletions
diff --git a/modules/consent/lib/Auth/Process/Consent.php b/modules/consent/lib/Auth/Process/Consent.php
index 572bb35..33cc0e9 100644
--- a/modules/consent/lib/Auth/Process/Consent.php
+++ b/modules/consent/lib/Auth/Process/Consent.php
@@ -144,13 +144,34 @@ class sspmod_consent_Auth_Process_Consent extends SimpleSAML_Auth_ProcessingFilt
     /**
      * Helper function to check whether consent is disabled.
      *
-     * @param mixed $option The consent.disable option. Either an array or a boolean.
+     * @param mixed $option The consent.disable option. Either an array of array, an array or a boolean.
      * @param string $entityIdD The entityID of the SP/IdP.
      * @return boolean TRUE if disabled, FALSE if not.
      */
     private static function checkDisable($option, $entityId) {
         if (is_array($option)) {
-            return in_array($entityId, $option, TRUE);
+            // Check if consent.disable array has one element that is an array
+            if (count($option) == count($option, COUNT_RECURSIVE)) {
+                // Array is not multidimensional. Simple in_array search suffices
+                return in_array($entityId, $option, TRUE);
+            } else {
+                // Array contains at least one element that is an array, verify both possibilities
+                if (in_array($entityId, $option, TRUE)) {
+                    return true;
+                } else {
+                    // Search in multidimensional arrays
+                    foreach($optionToTest in $option) {
+                        if (is_array($optionToTest)) {
+                            if ($optionToTest['type'] == 'regex') {
+                                // Evaluate regular expression and return true if entityId matches
+                                if (preg_match($optionToTest['pattern'], $entityId) === 1) return true;
+                            }
+                        }
+                    }
+                    // Base case : no match
+                    return false;
+                }
+            }
         } else {
             return (boolean)$option;
         }
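Review bot: `foreach($optionToTest in $option)` is not valid PHP — the loop keyword is `as`, so as committed this hunk leaves Consent.php with a parse error and the whole consent filter fails to load; it should read `foreach ($option as $optionToTest) {`. The element access on the following lines assumes every nested array carries both keys, and an entry missing `type` or `pattern` raises an undefined-index notice, so guard it: `if (is_array($optionToTest) && isset($optionToTest['type'], $optionToTest['pattern']) && $optionToTest['type'] === 'regex') {`. `preg_match()` returns false for a malformed pattern and this code treats that like "no match", so a typo in metadata silently turns the entry into a no-op; checking for `=== false` and logging it, and stating in the docblock that patterns should be anchored (the unanchored example `/.*\.mycompany\.com.*/i` matches any entityID that merely contains that substring, and a match waives a privacy control), would make the option safer to operate. The `count($option) == count($option, COUNT_RECURSIVE)` pre-check is redundant, since the else branch already performs the same `in_array` before scanning nested entries; checkDisable's closing brace lies past the end of the hunk.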