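, Jacob Christiansen */

/**
 * Runs the authentication processing chain for one SP and returns the
 * identifiers the consent store is keyed on.
 *
 * The chain is run passively: every filter that would need user interaction
 * is skipped, and only the changes the remaining filters make to the
 * attribute set are collected.
 *
 * @param array  $idp_metadata   Metadata of the IdP the user authenticated at.
 * @param string $source         Source identifier ("<metadata-set>|<idp entityid>").
 * @param array  $sp_metadata    Metadata of the SP the consent applies to.
 * @param string $sp_entityid    Entity ID of that SP.
 * @param array  $attributes     Attributes released by the IdP.
 * @param string $userid         Value of the user identifier attribute.
 * @param bool   $hashAttributes Passed through to getAttributeHash() (whether
 *                               attribute values take part in the hash).
 *
 * @return array list($targeted_id, $attribute_hash, $attributes), where
 *               $attributes is the set after the filters have run.
 */
function driveProcessingChain($idp_metadata, $source, $sp_metadata, $sp_entityid, $attributes, $userid, $hashAttributes = FALSE)
{
    $pc = new SimpleSAML_Auth_ProcessingChain($idp_metadata, $sp_metadata, 'idp');

    // REMEMBER: do not set 'ReturnURL' when calling processStatePassive().
    $authProcState = array(
        'Attributes'  => $attributes,
        'Destination' => $sp_metadata,
        'Source'      => $idp_metadata,
        'isPassive'   => TRUE,
    );

    // Only modifications to the attributes are of interest here; filters
    // that require user interaction are not run.
    $pc->processStatePassive($authProcState);
    $attributes = $authProcState['Attributes'];

    // Identifiers are computed with the consent filter's own helpers so the
    // records handled here match the ones written at login time.
    $destination = $sp_metadata['metadata-set'] . '|' . $sp_entityid;
    $targeted_id = sspmod_consent_Auth_Process_Consent::getTargetedID($userid, $source, $destination);
    $attribute_hash = sspmod_consent_Auth_Process_Consent::getAttributeHash($attributes, $hashAttributes);

    SimpleSAML_Logger::info('consentAdmin: user: ' . $userid);
    SimpleSAML_Logger::info('consentAdmin: target: ' . $targeted_id);
    SimpleSAML_Logger::info('consentAdmin: attribute: ' . $attribute_hash);

    return array($targeted_id, $attribute_hash, $attributes);
}

// Configuration: global config plus this module's own config file.
$config = SimpleSAML_Configuration::getInstance();
$cA_config = SimpleSAML_Configuration::getConfig('module_consentAdmin.php');

$authority = $cA_config->getValue('authority');
$as = new SimpleSAML_Auth_Simple($authority);

// A logout request is handled before anything else. logout() is expected to
// redirect and not return; no authentication check is needed for it.
if (array_key_exists('logout', $_REQUEST)) {
    $returnURL = $cA_config->getValue('returnURL');
    $as->logout($returnURL);
}

$hashAttributes = $cA_config->getValue('attributes.hash');

// Everything below needs an authenticated session.
$as->requireAuth();
$attributes = $as->getAttributes();

$metadata = SimpleSAML_Metadata_MetaDataStorageHandler::getMetadataHandler();

// Hosted IdP: always needed, at least for the user id attribute name.
$local_idp_entityid = $metadata->getMetaDataCurrentEntityID('saml20-idp-hosted');
$local_idp_metadata = $metadata->getMetaData($local_idp_entityid, 'saml20-idp-hosted');

// When this IdP acts as a bridge, consent is keyed on the remote IdP instead.
$remote_idp_entityid = $as->getAuthData('saml:sp:IdP');
if ($remote_idp_entityid !== NULL) {
    $idp_entityid = $remote_idp_entityid;
    $idp_metadata = $metadata->getMetaData($idp_entityid, 'saml20-idp-remote');
} else {
    $idp_entityid = $local_idp_entityid;
    $idp_metadata = $local_idp_metadata;
}

// The user identifier attribute is configurable per hosted IdP.
$userid_attributename = 'eduPersonPrincipalName';
if (isset($local_idp_metadata['userid.attribute']) && is_string($local_idp_metadata['userid.attribute'])) {
    $userid_attributename = $local_idp_metadata['userid.attribute'];
}
// isset() guard: a bare index raised an "undefined index" notice before the
// emptiness check below could report the missing attribute properly.
$userids = isset($attributes[$userid_attributename]) ? $attributes[$userid_attributename] : array();
if (empty($userids)) {
    throw new Exception('Could not generate useridentifier for storing consent. Attribute [' . $userid_attributename . '] was not available.');
}
$userid = $userids[0];

$all_sp_metadata = $metadata->getList('saml20-sp-remote');

// Parse the requested action, if any. Both values come straight from the query
// string; only non-empty scalar strings are accepted (an array index such as
// cv[] would otherwise reach getMetaData() and the logger).
$sp_entityid = (!empty($_GET['cv']) && is_string($_GET['cv'])) ? $_GET['cv'] : null;
$action = (!empty($_GET['action']) && is_string($_GET['action'])) ? $_GET['action'] : null;
// Routine trace of every request, so debug level rather than critical.
SimpleSAML_Logger::debug('consentAdmin: sp: ' . $sp_entityid . ' action: ' . $action);

// Remove the SPs for which consent is disabled in the IdP metadata.
// unset() on a missing key is a no-op, so no existence check is needed.
if (isset($idp_metadata['consent.disable']) && is_array($idp_metadata['consent.disable'])) {
    foreach ($idp_metadata['consent.disable'] as $disable) {
        unset($all_sp_metadata[$disable]);
    }
}

SimpleSAML_Logger::info('consentAdmin: ' . $idp_entityid);

$source = $idp_metadata['metadata-set'] . '|' . $idp_entityid;

$consent_storage = sspmod_consent_Store::parseStoreConfig($cA_config->getValue('consentadmin'));

$hashed_user_id = sspmod_consent_Auth_Process_Consent::getHashedUserID($userid, $source);

// A checkbox was toggled: add or remove a single consent and answer the
// AJAX request with a status word.
// NOTE(review): this state change is triggered by a plain GET with no
// anti-CSRF token; a POST carrying a session-bound token would be the
// usual mitigation.
if ($action !== null && $sp_entityid !== null) {
    // Only SPs still in the list may be acted on, so an SP removed above
    // because consent is disabled for it cannot be toggled by a direct request.
    if (!array_key_exists($sp_entityid, $all_sp_metadata)) {
        throw new Exception('consentAdmin: unknown or consent-disabled SP.');
    }

    $sp_metadata = $metadata->getMetaData($sp_entityid, 'saml20-sp-remote');

    list($targeted_id, $attribute_hash, $attributes_new) = driveProcessingChain(
        $idp_metadata,
        $source,
        $sp_metadata,
        $sp_entityid,
        $attributes,
        $userid,
        $hashAttributes
    );

    if ($action === 'true') {
        // Add a consent (or update it when one exists with a different hash).
        // saveConsent() presumably returns TRUE for an insert, FALSE for an update.
        $isStored = $consent_storage->saveConsent($hashed_user_id, $targeted_id, $attribute_hash);
        $res = $isStored ? 'added' : 'updated';
    } elseif ($action === 'false') {
        $rowcount = $consent_storage->deleteConsent($hashed_user_id, $targeted_id, $attribute_hash);
        // When nothing matched, fall back to the generic status the template
        // already handles; $res used to be left undefined in that case.
        $res = ($rowcount > 0) ? 'removed' : 'unknown';
    } else {
        SimpleSAML_Logger::info('consentAdmin: unknown action');
        $res = 'unknown';
    }

    // Template only used to translate the status word.
    $et = new SimpleSAML_XHTML_Template($config, 'consentAdmin:consentadminajax.php', 'consentAdmin:consentadmin');
    $et->data['res'] = $res;
    $et->show();
    exit;
}

// Overview page: list every SP with the user's current consent status.
$user_consent_list = $consent_storage->getConsents($hashed_user_id);

// Index stored consents as targeted id => attribute hash.
$user_consent = array();
foreach ($user_consent_list as $c) {
    $user_consent[$c[0]] = $c[1];
}

$et = new SimpleSAML_XHTML_Template($config, 'consentAdmin:consentadmin.php', 'consentAdmin:consentadmin');
$sp_empty_name = $et->getTag('sp_empty_name');
$sp_empty_description = $et->getTag('sp_empty_description');

// Initialised up front so an empty SP list still hands the template an array
// (previously $sp_list was only ever created inside the loop).
$sp_list = array();
foreach ($all_sp_metadata as $sp_entityid => $sp_values) {
    $sp_metadata = $metadata->getMetaData($sp_entityid, 'saml20-sp-remote');

    list($targeted_id, $attribute_hash, $attributes_new) = driveProcessingChain(
        $idp_metadata,
        $source,
        $sp_metadata,
        $sp_entityid,
        $attributes,
        $userid,
        $hashAttributes
    );

    if (array_key_exists($targeted_id, $user_consent)) {
        // Strict comparison: both sides are hash strings, and == would compare
        // two numeric-looking strings (e.g. "0e..." forms) numerically.
        if ($user_consent[$targeted_id] === $attribute_hash) {
            SimpleSAML_Logger::info('consentAdmin: ok');
            $sp_status = 'ok';
        } else {
            // Consent exists but the released attributes have changed since.
            SimpleSAML_Logger::info('consentAdmin: changed');
            $sp_status = 'changed';
        }
    } else {
        SimpleSAML_Logger::info('consentAdmin: none');
        $sp_status = 'none';
    }

    // Display name: 'name' (localised array or plain string) first, then
    // 'OrganizationDisplayName', else the translated placeholder. The checks
    // use the list entry while the value is read from the fetched metadata,
    // as before; the two are presumably the same record.
    if (isset($sp_values['name']) && (is_array($sp_values['name']) || is_string($sp_values['name']))) {
        $sp_name = $sp_metadata['name'];
    } elseif (isset($sp_values['OrganizationDisplayName']) && is_array($sp_values['OrganizationDisplayName'])) {
        $sp_name = $sp_metadata['OrganizationDisplayName'];
    } else {
        $sp_name = $sp_empty_name;
    }

    // Description must be a non-empty (localised) array to be shown.
    if (empty($sp_metadata['description']) || !is_array($sp_metadata['description'])) {
        $sp_description = $sp_empty_description;
    } else {
        $sp_description = $sp_metadata['description'];
    }

    // Optional link to the service itself.
    $sp_service_url = isset($sp_metadata['ServiceURL']) ? $sp_metadata['ServiceURL'] : null;

    $sp_list[$sp_entityid] = array(
        'spentityid'       => $sp_entityid,
        'name'             => $sp_name,
        'description'      => $sp_description,
        'consentStatus'    => $sp_status,
        'consentValue'     => $sp_entityid,
        'attributes_by_sp' => $attributes_new,
        'serviceurl'       => $sp_service_url,
    );
}

$et->data['header'] = 'Consent Administration';
$et->data['spList'] = $sp_list;
$et->data['showDescription'] = $cA_config->getValue('showDescription');
$et->show();
?>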