Commit message
|
This makes instantiating the Translate/Template-class unnecessary.
|
For #455
|
For #455
|
Deprecate the certFingerprint option.
|
Issue a notice when the option is used nonetheless.
Closes: #432
|
SimpleSAML_Error_ProxyCountExceeded exceptions.
|
It is possible that the current script ($_SERVER['SCRIPT_FILENAME']) is inside SimpleSAMLphp's 'www' directory. However, even if that's the case, we should not enforce our base URL (as set in the 'baseurlpath' configuration option) if the request URI ($_SERVER['REQUEST_URI']) does not contain the relative path to the script. This is the case of AuthMemCookie, for example, where accessing a random URL protected by Apache leads to the execution of a SimpleSAMLphp script, where SimpleSAML\Utils\HTTP::getSelfURL() must not try to be smart when guessing the current URL.
|
- Bugfix: the modules/saml/www/proxy/invalid_session.php shouldn't call directly the error handler in sspmod_saml_IdP_SAML2. Instead, it should use the SimpleSAML_Auth_State::throwException() method to let it handle the exception appropriately (in this case, it should always return back to the requester).
- The standard specifies that a "urn:oasis:names:tc:SAML:2.0:status:NoSupportedIDP" or "urn:oasis:names:tc:SAML:2.0:status:NoAvailableIDP" second-level status code should be returned to the requester in case an error occurs. Add a couple of exceptions to represent both statuses, and use them to set the right status code in the response.
- We shouldn't ask the user to logout in case the IDPList does not offer an IdP we recognize, or in case the proxy enforces the use of an IdP ('idp' configuration option in the auth source) and such IdP is in the IDPList.
- Similarly, these two cases should also be handled in case we are authenticating for the first time, not only when reauthenticating.
|
This was due to incorrect use of the SimpleSAML_SessionHandler::setCookie() method to set the cookie, instead of SimpleSAML\Utils\HTTP::setCookie().
|
Some things, like logging of SAML messages or backtraces, are controlled with the 'debug' configuration option. However, it might be possible that we don't want one while we want the other, but that's impossible with just one option.
This commit allows us to configure debugging options independently, but grouping all of them together. This is particularly useful if we want to log backtraces to debug errors, for example, but we don't want to log SAML messages to keep the privacy of the users. This also allows us to get rid of the 'debug.validatexml' configuration option, and group it with other debug options.
These changes are backwards-compatible. Old and new configurations will work at the same time.
|
It's not very useful to log backtraces always as debug, since that implies getting all the log messages, while backtraces would still help debug a particular error.
|
contents.
This way, we avoid completely any possible XXE attack, and simplify the code as we don't need to deal directly with the DOM. The entire AttributeValue will be saved to the backend as XML, and then recovered back when unserializing.
|
A recent change in simplesamlphp/saml2#60 made the library return a DOMNodeList object when the contents of the AttributeValue element are not text. This led to a bug, since the returned value is not serializable, and when storing it in the session it will go away as soon as we serialize the session to store it in the backend (whatever that is). This is always, as the SP will always redirect to the URL originating authentication. The result was an empty DOMNodeList object where there should be some value.
This commit makes SimpleSAML_Session implement the Serializable interface. When obtaining the attributes during login (doLogin() method), the code will now look for DOMNodeList objects, and dump them as a string with the XML representation of their contents in the 'RawAttributes' array inside $this->authData[$authority]. This allows us to parse the XML back when unserializing, and restore the original DOMNodeList object as the value of the attribute.
The issue was reported originally in the mailing list by Enrico Cavalli, affecting eduPersonTargetedID. This resolves #424.
|
Use the recently added SimpleSAML_Configuration::getBasePath() instead. It guarantees the path prepended with a slash, so no need to do that every time when calling the method. As a side effect, we get rid of buggy invocations (calling getBaseUrl() instead of getBaseURL()), and also of old-style convention for the 'baseurlpath' configuration option, allowing a star at the beginning.
|
Now we are finally using the 2.x branch of the SAML2 library, which was also migrated to use namespaces. Even though the library provides an autoloader that allows loading the classes with the old names using class aliasing, we need to do the migration in one commit (at least for most part of it). This is due to the way SimpleSAMLphp checks data types, using inheritance to check objects against abstract or more general classes. Even though class aliasing works, there's no way to replicate those relationships, and type checks that use the old class names will fail because the aliases are virtually new classes that don't inherit from others.
|
The 2.x branch of XMLSecLibs uses namespaces, so we need to make sure we can still load the XMLSec* classes after updating the dependency. We can do that in the autoloader, looking for the classes with namespaces, and creating class aliases.
|
The code was enforcing this option even if a configuration was passed as a parameter to the constructor. If there is something wrong with a configuration and we are passing it to the constructor, we should know if at least the 'baseurlpath' is correct, and if not, fix it somehow.
This bug was producing a default configuration without 'baseurlpath', when no configuration was passed. In that situation, only the default path (/simplesaml) was working correctly.
|
third-party script.
Recent fixes for URL guessing and building addressed bugs in the code that were preventing the 'baseurlpath' from being used properly. However, they introduced a new issue, as the code was assuming the current URL would always point to a SimpleSAMLphp script. This is not always true, of course, as any script can invoke our API and end up trying to get its own URL (for example, when calling requireAuth()).
In order to fix this, we monitor mismatches between SimpleSAMLphp's installation path and the absolute, real path to the current script. When there's a mismatch, it means we are running a third-party script outside SimpleSAMLphp, and therefore we should NOT enforce 'baseurlpath'. This introduces an additional issue, as applications behind a reverse proxy may cause trouble to guess the right URL (we will use the URL as seen by SimpleSAMLphp in the server, which is not necessarily the same as the user sees with a reverse proxy in between). For the moment, we'll leave the responsibility to sort that issue out to implementors. It might be a good idea to add a page to the wiki explaining how to do this.
This resolves #418.
|
YA Merge
|
Both have been migrated to use namespaces.
|
This allows for using twig templates, but does not include code for
localizing twig templates.
|
class, and make the array of languages generated by SimpleSAML_XHTML_Template::generateLanguageBar() a bit more useful.
|
Now works for:
new SimpleSAML_XHTML_Template($globalConfig, 'saml:sp/wrong_authncontextclassref.tpl.php');
|
That is, the following styles work:
* SimpleSAML_XHTML_Template($config, 'hostnames.php');
* SimpleSAML_XHTML_Template($globalConfig, 'negotiate:disable.php');
These do not:
* SimpleSAML_XHTML_Template($this->config, 'discopower:disco-tpl.php', 'disco');
* SimpleSAML_XHTML_Template($globalConfig, 'saml:sp/wrong_authncontextclassref.tpl.php');
* new SimpleSAML_XHTML_Template($config, 'metadata.php', 'admin');
* SimpleSAML_XHTML_Template($config, 'consentAdmin:consentadmin.php', 'consentAdmin:consentadmin');
Loading from themes also not in place
|
SimpleSAML_Session::useTransientSession(). Not needed after all.
|
metadata containing the 'entityid' key.
While investigating issue #393, we noticed that these two handlers don't enforce the entity ID of each entity to be set in the 'entityid' key of the metadata array (the Flatfile and XML handlers do enforce this). Since this is the way we propagate the entity ID (code using metadata won't necessarily have access to the key of the metadata array containing the entity ID, or such a thing might not even exist), we need to make sure the entity ID is set inside the array. Otherwise, if the metadata for an entity does not contain it directly, the 'ExpectedIssuer' would be set to null, an error recorded, and authentication would fail as the entity ID of the IdP issuing an assertion would not match.
|
Due to recent changes to fix the way we were building URLs (mixing what the 'baseurlpath' configuration option and the current URL, see #396), we introduced another bug by assuming file paths will always use slashes ('/'), which obviously is not true in Windows machines. This commit fixes SimpleSAML_Configuration::getBaseDir() and SimpleSAML\Utils\HTTP::getSelfURL() to take that into account.
This closes #414.
|
an exception when a transient session is used due to a misconfiguration or a temporary failure fetching an existing session.
Transient sessions are just an exceptional event, and they shouldn't be treated as regular sessions. Therefore, if we are trying to get the current session and end up with a transient one, that's because an error occurred and we should raise an exception. Since exceptions due to secure cookies trying to be set via an insecure channel are likely to be misconfigurations, we treat them like that, raising a SimpleSAML\Error\CriticalConfigurationError.
Additionally, we capture exceptions in the SimpleSAML\Logger::flush() method, ensuring the error reported in #413 doesn't happen again.
This resolves #356.
|
If it fails for some reason, we clear all the authentication-related data from the session, log an error, and throw again the exception, so that the user does not continue as if anything happened when the auth token is not set.
|
Currently, if headers have already been sent, a redirection will fail and generate errors in the error log. The user will be presented with a page containing a link that he or she will need to click on. Checking if headers have already been sent we can avoid errors, and adding a simple javascript to the "onload" event in the body of the page, we can still redirect automatically. That way, only when headers have already been sent and the users have javascript disabled, they will get to see the page.
|
insecure channel coincident with the message in SimpleSAML\Utils\HTTP::setCookie().
|
Both SimpleSAML_SessionHandlerPHP::setCookie() and SimpleSAML\Utils\HTTP::setCookie() throw the SimpleSAML\Error\CannotSetCookie exception. Depending on why the error was generated, set the error code in the exception accordingly.
|
This way we can discern why we couldn't set a cookie, and act accordingly.
|
session handler.
Related to previous commits. The SimpleSAML_Session::updateSessionCookies() updates both the session cookie and the auth token. For the latter, it uses the setCookie() method from the session handler, while it should use the SimpleSAML\Utils\HTTP::setCookie() method instead.
|
are using the default value."
This reverts commit cd6278cc2bf0704d130aa2fe66e8b6dc1d007375.
|
The hash algorithm to use to calculate signature digests for self metadata was not configurable. Add the 'metadata.sign.algorithm' configuration option to fix that.
This resolves #411.
|
session.
Historically, SimpleSAML_SessionHandler::newSessionId() has also created the session, sending the cookies to the browser. This is problematic both because given the name of the method one would not assume such behaviour, and also because even for transient sessions the handler would then try to set cookies. When we are using a transient session, it is likely to be because we cannot set cookies or because there was a temporary error when loading the session. If we try to set the cookies even for transient sessions, we could either get an error because cookies cannot be set, or overwrite the previous session cookies with transient ones, trashing a legitimate session in case a temporary error occurs.
As a side effect, this can also cause behaviours like the one described in issue #413. There's no point in trying to set the cookies when it's not possible, so we shouldn't even try, and save us the errors.
To fix this, we made SimpleSAML_SessionHandler::setCookie() abstract, forcing each extending class to implement it. The former implementation is moved to SimpleSAML_SessionHandlerCookie, and the SimpleSAML_SessionHandlerPHP gets a new method that starts the session, effectively sending the cookie. SimpleSAML_Session would then be responsible to call the setCookie() method of the session handler when creating a regular session, and skip it when creating a transient one. This introduces a bug, since SimpleSAML_Session was trying to set the auth token cookie calling the same setCookie() method in the session handler. We fixed that by using SimpleSAML\Utils\HTTP::setCookie() instead, in 8756835bacc7057734aba7fe349b534e63261253.
This resolves #413.
|
If we just called isset() on SimpleSAML_Session::$instance, and it returned false as we continued execution, it makes no sense to get the "previous" instance since it will always be null. We can just check that $instance is not null later.
|
the default value.
|
This way we can pass an exception that made us use transient sessions, and get the method to throw that exception after getting the transient session.
|
SimpleSAML\Utils\HTTP::setCookie(), instead of the setCookie() method provided by session handlers.
The SimpleSAML_SessionHandler::setCookie() method should be used only to set the session cookie, not random cookies. If we want cookies to have the same parameters as session cookies, we can always get the session parameters calling SimpleSAML_SessionHandler::getSessionParams() and pass them to SimpleSAML\Utils\HTTP::setCookie().
|
SimpleSAML\Error\CannotSetCookie exception.
|
Recent commits have introduced a new way to obtain the self URL, honouring whatever is specified in 'baseurlpath'. However, this new code breaks when accessing SimpleSAMLphp through a path containing symbolic links in the file system, since the base directory refers always to the real path while the $_SERVER contents reflect what the web server sees (symlinks included). We use realpath() to convert a path with symlinks to a canonical path that we can compare.
|
phpdoc, returning always at least a slash. Fix also the regex that's supposed to catch paths, as it still wants them to end with a slash.
|
#364, deprecate getBaseURL() and make sure it generates a warning (and only one) when used.
|
was producing an empty parameter with an empty value when the query string was empty.
|
getSelfURLNoQuery() to honor the 'baseurlpath' configuration option instead of simply using the environment. They were actually broken since they were using it to build the scheme, host and port, but completely ignoring the path, rendering wrong URLs in between what was configured in 'baseurlpath' and the real information in the environment. This resolves #396, but also affects #5. The changes to getSelfURLNoQuery() in #391 are unnecessary now, since we are now basically getting the full URL and removing the query afterwards.
|
when the trailing slash is missing, just add it.
|
php-fpm, common with nginx) where $_SERVER['SCRIPT_NAME'] is already populated with $_SERVER['PATH_INFO'] appended to it. In those cases, we should not blindly append PATH_INFO to SCRIPT_NAME, but check the latter first. This hopefully resolves #5 and closes #391.
|
constraints in the latter. This resolves #399.
|
Fixes #379
|
the track ID from the session when running from the command line, where there's obviously no session at all.
|
that we don't try to bind with an empty password if none was provided. This fixes #366 and closes #370.
|
class matching the 'store.type' configuration option we don't handle the exception, causing a fatal error. Use the new CriticalConfigurationError to fix that. This fixes #369.
|
it in the logs.
|
before led to blank pages or even worse.
|
used to signal an error in a certain configuration, leaving to the user deciding whether it was critical or not, and what to do to deal with it. The other one indicates a configuration exception that we cannot recover from (i.e. missing files), and bootstraps a minimal configuration skeleton that we can use to go on momentarily.
|
it makes no sense at all to try to guess the root URI, since there's no such thing, probably.
|
SimpleSAML_Configuration raising creating a new SimpleSAML_Error_Exception that tries to load the configuration.
|
SimpleSAML_Error_AuthSource exception.
|
help much.
|
- Exception messages and backtraces are now decoupled, so that they can be logged independently.
- Backtraces are now logged with "debug" log level, and only in case the "debug" configuration option is set.
- A new log() method allows the exception itself to decide which log level to use. This can be used by exceptions overriding this method to change the log level accordingly.
- Add a new parameter to the format() method so that the formatted message is anonymized, safe for display in the browser.
Additionally, this resolves #281.
|
printing its parameters.
|
suppress warnings.
|
existing previously to our own session. This can be used in SimpleSAML_Session to restore the PHP session status previous to calling our API, while also guaranteeing that our session is correctly saved. The documentation has been updated to reflect this and recommend how to deal with conflicting PHP sessions. This closes #244 and resolves #349.
|