vendor/onelogin/php-saml/src/Saml2/Settings.php line 141

Open in your IDE?
  1. <?php
  2. /**
  3.  * This file is part of php-saml.
  4.  *
  5.  * (c) OneLogin Inc
  6.  *
  7.  * For the full copyright and license information, please view the LICENSE
  8.  * file that was distributed with this source code.
  9.  *
  10.  * @package OneLogin
  11.  * @author  OneLogin Inc <saml-info@onelogin.com>
  12.  * @license MIT https://github.com/onelogin/php-saml/blob/master/LICENSE
  13.  * @link    https://github.com/onelogin/php-saml
  14.  */
  16. namespace OneLogin\Saml2;
  18. use RobRichards\XMLSecLibs\XMLSecurityKey;
  19. use RobRichards\XMLSecLibs\XMLSecurityDSig;
  21. use DOMDocument;
  22. use Exception;
  24. /**
  25.  * Configuration of the OneLogin PHP Toolkit
  26.  */
  27. class Settings
  28. {
  29.     /**
  30.      * List of paths.
  31.      *
  32.      * @var array
  33.      */
  34.     private $_paths = array();
  36.     /**
  37.      * @var string
  38.      */
  39.     private $_baseurl;
  41.     /**
  42.      * Strict. If active, PHP Toolkit will reject unsigned or unencrypted messages
  43.      * if it expects them signed or encrypted. If not, the messages will be accepted
  44.      * and some security issues will be also relaxed.
  45.      *
  46.      * @var bool
  47.      */
  48.     private $_strict true;
  50.     /**
  51.      * Activate debug mode
  52.      *
  53.      * @var bool
  54.      */
  55.     private $_debug false;
  57.     /**
  58.      * SP data.
  59.      *
  60.      * @var array
  61.      */
  62.     private $_sp = array();
  64.     /**
  65.      * IdP data.
  66.      *
  67.      * @var array
  68.      */
  69.     private $_idp = array();
  71.     /**
  72.      * Compression settings that determine
  73.      * whether gzip compression should be used.
  74.      *
  75.      * @var array
  76.      */
  77.     private $_compress = array();
  79.     /**
  80.      * Security Info related to the SP.
  81.      *
  82.      * @var array
  83.      */
  84.     private $_security = array();
  86.     /**
  87.      * Setting contacts.
  88.      *
  89.      * @var array
  90.      */
  91.     private $_contacts = array();
  93.     /**
  94.      * Setting organization.
  95.      *
  96.      * @var array
  97.      */
  98.     private $_organization = array();
  100.     /**
  101.      * Setting errors.
  102.      *
  103.      * @var array
  104.      */
  105.     private $_errors = array();
  107.     /**
  108.      * Valitate SP data only flag
  109.      *
  110.      * @var bool
  111.      */
  112.     private $_spValidationOnly false;
  114.     /**
  115.      * Initializes the settings:
  116.      * - Sets the paths of the different folders
  117.      * - Loads settings info from settings file or array/object provided
  118.      *
  119.      * @param array|null $settings         SAML Toolkit Settings
  120.      * @param bool       $spValidationOnly Validate or not the IdP data
  121.      *
  122.      * @throws Error If any settings parameter is invalid
  123.      * @throws Exception If Settings is incorrectly supplied
  124.      */
  125.     public function __construct(array $settings null$spValidationOnly false)
  126.     {
  127.         $this->_spValidationOnly $spValidationOnly;
  128.         $this->_loadPaths();
  130.         if (!isset($settings)) {
  131.             if (!$this->_loadSettingsFromFile()) {
  132.                 throw new Error(
  133.                     'Invalid file settings: %s',
  134.                     Error::SETTINGS_INVALID,
  135.                     array(implode(', '$this->_errors))
  136.                 );
  137.             }
  138.             $this->_addDefaultValues();
  139.         } else {
  140.             if (!$this->_loadSettingsFromArray($settings)) {
  141.                 throw new Error(
  142.                     'Invalid array settings: %s',
  143.                     Error::SETTINGS_INVALID,
  144.                     array(implode(', '$this->_errors))
  145.                 );
  146.             }
  147.         }
  149.         $this->formatIdPCert();
  150.         $this->formatSPCert();
  151.         $this->formatSPKey();
  152.         $this->formatSPCertNew();
  153.         $this->formatIdPCertMulti();
  154.     }
  156.     /**
  157.      * Sets the paths of the different folders
  158.      * @suppress PhanUndeclaredConstant
  159.      */
  160.     private function _loadPaths()
  161.     {
  162.         $basePath dirname(dirname(__DIR__)) . '/';
  163.         $this->_paths = array(
  164.             'base' => $basePath,
  165.             'config' => $basePath,
  166.             'cert' => $basePath.'certs/',
  167.             'lib' => __DIR__ '/',
  168.         );
  170.         if (defined('ONELOGIN_CUSTOMPATH')) {
  171.             $this->_paths['config'] = ONELOGIN_CUSTOMPATH;
  172.             $this->_paths['cert'] = ONELOGIN_CUSTOMPATH 'certs/';
  173.         }
  174.     }
  176.     /**
  177.      * Returns base path.
  178.      *
  179.      * @return string  The base toolkit folder path
  180.      */
  181.     public function getBasePath()
  182.     {
  183.         return $this->_paths['base'];
  184.     }
  186.     /**
  187.      * Returns cert path.
  188.      *
  189.      * @return string The cert folder path
  190.      */
  191.     public function getCertPath()
  192.     {
  193.         return $this->_paths['cert'];
  194.     }
  196.     /**
  197.      * Returns config path.
  198.      *
  199.      * @return string The config folder path
  200.      */
  201.     public function getConfigPath()
  202.     {
  203.         return $this->_paths['config'];
  204.     }
  206.     /**
  207.      * Returns lib path.
  208.      *
  209.      * @return string The library folder path
  210.      */
  211.     public function getLibPath()
  212.     {
  213.         return $this->_paths['lib'];
  214.     }
  216.     /**
  217.      * Returns schema path.
  218.      *
  219.      * @return string  The external library folder path
  220.      */
  221.     public function getSchemasPath()
  222.     {
  223.         if (isset($this->_paths['schemas'])) {
  224.             return $this->_paths['schemas'];
  225.         }
  226.         return __DIR__ '/schemas/';
  227.     }
  229.     /**
  230.      * Set schemas path
  231.      *
  232.      * @param string $path
  233.      * @return $this
  234.      */
  235.     public function setSchemasPath($path)
  236.     {
  237.         $this->_paths['schemas'] = $path;
  238.     }
  240.     /**
  241.      * Loads settings info from a settings Array
  242.      *
  243.      * @param array $settings SAML Toolkit Settings
  244.      *
  245.      * @return bool True if the settings info is valid
  246.      */
  247.     private function _loadSettingsFromArray(array $settings)
  248.     {
  249.         if (isset($settings['sp'])) {
  250.             $this->_sp $settings['sp'];
  251.         }
  252.         if (isset($settings['idp'])) {
  253.             $this->_idp $settings['idp'];
  254.         }
  256.         $errors $this->checkSettings($settings);
  257.         if (empty($errors)) {
  258.             $this->_errors = array();
  260.             if (isset($settings['strict'])) {
  261.                 $this->_strict $settings['strict'];
  262.             }
  263.             if (isset($settings['debug'])) {
  264.                 $this->_debug $settings['debug'];
  265.             }
  267.             if (isset($settings['baseurl'])) {
  268.                 $this->_baseurl $settings['baseurl'];
  269.             }
  271.             if (isset($settings['compress'])) {
  272.                 $this->_compress $settings['compress'];
  273.             }
  275.             if (isset($settings['security'])) {
  276.                 $this->_security $settings['security'];
  277.             }
  279.             if (isset($settings['contactPerson'])) {
  280.                 $this->_contacts $settings['contactPerson'];
  281.             }
  283.             if (isset($settings['organization'])) {
  284.                 $this->_organization $settings['organization'];
  285.             }
  287.             $this->_addDefaultValues();
  288.             return true;
  289.         } else {
  290.             $this->_errors $errors;
  291.             return false;
  292.         }
  293.     }
  295.     /**
  296.      * Loads settings info from the settings file
  297.      *
  298.      * @return bool True if the settings info is valid
  299.      *
  300.      * @throws Error
  301.      *
  302.      * @suppress PhanUndeclaredVariable
  303.      */
  304.     private function _loadSettingsFromFile()
  305.     {
  306.         $filename $this->getConfigPath().'settings.php';
  308.         if (!file_exists($filename)) {
  309.             throw new Error(
  310.                 'Settings file not found: %s',
  311.                 Error::SETTINGS_FILE_NOT_FOUND,
  312.                 array($filename)
  313.             );
  314.         }
  316.         /** @var array $settings */
  317.         include $filename;
  319.         // Add advance_settings if exists
  320.         $advancedFilename $this->getConfigPath().'advanced_settings.php';
  322.         if (file_exists($advancedFilename)) {
  323.             /** @var array $advancedSettings */
  324.             include $advancedFilename;
  325.             $settings array_merge($settings$advancedSettings);
  326.         }
  329.         return $this->_loadSettingsFromArray($settings);
  330.     }
  332.     /**
  333.      * Add default values if the settings info is not complete
  334.      */
  335.     private function _addDefaultValues()
  336.     {
  337.         if (!isset($this->_sp['assertionConsumerService']['binding'])) {
  338.             $this->_sp['assertionConsumerService']['binding'] = Constants::BINDING_HTTP_POST;
  339.         }
  340.         if (isset($this->_sp['singleLogoutService']) && !isset($this->_sp['singleLogoutService']['binding'])) {
  341.             $this->_sp['singleLogoutService']['binding'] = Constants::BINDING_HTTP_REDIRECT;
  342.         }
  344.         if (!isset($this->_compress['requests'])) {
  345.             $this->_compress['requests'] = true;
  346.         }
  348.         if (!isset($this->_compress['responses'])) {
  349.             $this->_compress['responses'] = true;
  350.         }
  352.         // Related to nameID
  353.         if (!isset($this->_sp['NameIDFormat'])) {
  354.             $this->_sp['NameIDFormat'] = Constants::NAMEID_UNSPECIFIED;
  355.         }
  356.         if (!isset($this->_security['nameIdEncrypted'])) {
  357.             $this->_security['nameIdEncrypted'] = false;
  358.         }
  359.         if (!isset($this->_security['requestedAuthnContext'])) {
  360.             $this->_security['requestedAuthnContext'] = true;
  361.         }
  363.         // sign provided
  364.         if (!isset($this->_security['authnRequestsSigned'])) {
  365.             $this->_security['authnRequestsSigned'] = false;
  366.         }
  367.         if (!isset($this->_security['logoutRequestSigned'])) {
  368.             $this->_security['logoutRequestSigned'] = false;
  369.         }
  370.         if (!isset($this->_security['logoutResponseSigned'])) {
  371.             $this->_security['logoutResponseSigned'] = false;
  372.         }
  373.         if (!isset($this->_security['signMetadata'])) {
  374.             $this->_security['signMetadata'] = false;
  375.         }
  377.         // sign expected
  378.         if (!isset($this->_security['wantMessagesSigned'])) {
  379.             $this->_security['wantMessagesSigned'] = false;
  380.         }
  381.         if (!isset($this->_security['wantAssertionsSigned'])) {
  382.             $this->_security['wantAssertionsSigned'] = false;
  383.         }
  385.         // NameID element expected
  386.         if (!isset($this->_security['wantNameId'])) {
  387.             $this->_security['wantNameId'] = true;
  388.         }
  390.         // Relax Destination validation
  391.         if (!isset($this->_security['relaxDestinationValidation'])) {
  392.             $this->_security['relaxDestinationValidation'] = false;
  393.         }
  395.         // Strict Destination match validation
  396.         if (!isset($this->_security['destinationStrictlyMatches'])) {
  397.             $this->_security['destinationStrictlyMatches'] = false;
  398.         }
  400.         // Allow duplicated Attribute Names
  401.         if (!isset($this->_security['allowRepeatAttributeName'])) {
  402.             $this->_security['allowRepeatAttributeName'] = false;
  403.         }
  405.         // InResponseTo
  406.         if (!isset($this->_security['rejectUnsolicitedResponsesWithInResponseTo'])) {
  407.             $this->_security['rejectUnsolicitedResponsesWithInResponseTo'] = false;
  408.         }
  410.         // encrypt expected
  411.         if (!isset($this->_security['wantAssertionsEncrypted'])) {
  412.             $this->_security['wantAssertionsEncrypted'] = false;
  413.         }
  414.         if (!isset($this->_security['wantNameIdEncrypted'])) {
  415.             $this->_security['wantNameIdEncrypted'] = false;
  416.         }
  418.         // XML validation
  419.         if (!isset($this->_security['wantXMLValidation'])) {
  420.             $this->_security['wantXMLValidation'] = true;
  421.         }
  423.         // SignatureAlgorithm
  424.         if (!isset($this->_security['signatureAlgorithm'])) {
  425.             $this->_security['signatureAlgorithm'] = XMLSecurityKey::RSA_SHA256;
  426.         }
  428.         // DigestAlgorithm
  429.         if (!isset($this->_security['digestAlgorithm'])) {
  430.             $this->_security['digestAlgorithm'] = XMLSecurityDSig::SHA256;
  431.         }
  433.         // EncryptionAlgorithm
  434.         if (!isset($this->_security['encryption_algorithm'])) {
  435.             $this->_security['encryption_algorithm'] = XMLSecurityKey::AES128_CBC;
  436.         }
  438.         if (!isset($this->_security['lowercaseUrlencoding'])) {
  439.             $this->_security['lowercaseUrlencoding'] = false;
  440.         }
  442.         // Certificates / Private key /Fingerprint
  443.         if (!isset($this->_idp['x509cert'])) {
  444.             $this->_idp['x509cert'] = '';
  445.         }
  446.         if (!isset($this->_idp['certFingerprint'])) {
  447.             $this->_idp['certFingerprint'] = '';
  448.         }
  449.         if (!isset($this->_idp['certFingerprintAlgorithm'])) {
  450.             $this->_idp['certFingerprintAlgorithm'] = 'sha1';
  451.         }
  453.         if (!isset($this->_sp['x509cert'])) {
  454.             $this->_sp['x509cert'] = '';
  455.         }
  456.         if (!isset($this->_sp['privateKey'])) {
  457.             $this->_sp['privateKey'] = '';
  458.         }
  459.     }
  461.     /**
  462.      * Checks the settings info.
  463.      *
  464.      * @param array $settings Array with settings data
  465.      *
  466.      * @return array $errors  Errors found on the settings data
  467.      */
  468.     public function checkSettings(array $settings)
  469.     {
  470.         if (empty($settings)) {
  471.             $errors = array('invalid_syntax');
  472.         } else {
  473.             $errors = array();
  474.             if (!$this->_spValidationOnly) {
  475.                 $idpErrors $this->checkIdPSettings($settings);
  476.                 $errors array_merge($idpErrors$errors);
  477.             }
  478.             $spErrors $this->checkSPSettings($settings);
  479.             $errors array_merge($spErrors$errors);
  481.             $compressErrors $this->checkCompressionSettings($settings);
  482.             $errors array_merge($compressErrors$errors);
  483.         }
  485.         return $errors;
  486.     }
  488.     /**
  489.      * Checks the compression settings info.
  490.      *
  491.      * @param array $settings Array with settings data
  492.      *
  493.      * @return array $errors  Errors found on the settings data
  494.      */
  495.     public function checkCompressionSettings($settings)
  496.     {
  497.         $errors = array();
  499.         if (isset($settings['compress'])) {
  500.             if (!is_array($settings['compress'])) {
  501.                 $errors[] = "invalid_syntax";
  502.             } else if (isset($settings['compress']['requests'])
  503.                 && $settings['compress']['requests'] !== true
  504.                 && $settings['compress']['requests'] !== false
  505.             ) {
  506.                 $errors[] = "'compress'=>'requests' values must be true or false.";
  507.             } else if (isset($settings['compress']['responses'])
  508.                 && $settings['compress']['responses'] !== true
  509.                 && $settings['compress']['responses'] !== false
  510.             ) {
  511.                 $errors[] = "'compress'=>'responses' values must be true or false.";
  512.             }
  513.         }
  514.         return $errors;
  515.     }
  517.     /**
  518.      * Checks the IdP settings info.
  519.      *
  520.      * @param array $settings Array with settings data
  521.      *
  522.      * @return array $errors  Errors found on the IdP settings data
  523.      */
  524.     public function checkIdPSettings(array $settings)
  525.     {
  526.         if (empty($settings)) {
  527.             return array('invalid_syntax');
  528.         }
  530.         $errors = array();
  532.         if (!isset($settings['idp']) || empty($settings['idp'])) {
  533.             $errors[] = 'idp_not_found';
  534.         } else {
  535.             $idp $settings['idp'];
  536.             if (!isset($idp['entityId']) || empty($idp['entityId'])) {
  537.                 $errors[] = 'idp_entityId_not_found';
  538.             }
  540.             if (!isset($idp['singleSignOnService'])
  541.                 || !isset($idp['singleSignOnService']['url'])
  542.                 || empty($idp['singleSignOnService']['url'])
  543.             ) {
  544.                 $errors[] = 'idp_sso_not_found';
  545.             } else if (!filter_var($idp['singleSignOnService']['url'], FILTER_VALIDATE_URL)) {
  546.                 $errors[] = 'idp_sso_url_invalid';
  547.             }
  549.             if (isset($idp['singleLogoutService'])
  550.                 && isset($idp['singleLogoutService']['url'])
  551.                 && !empty($idp['singleLogoutService']['url'])
  552.                 && !filter_var($idp['singleLogoutService']['url'], FILTER_VALIDATE_URL)
  553.             ) {
  554.                 $errors[] = 'idp_slo_url_invalid';
  555.             }
  557.             if (isset($idp['singleLogoutService'])
  558.                 && isset($idp['singleLogoutService']['responseUrl'])
  559.                 && !empty($idp['singleLogoutService']['responseUrl'])
  560.                 && !filter_var($idp['singleLogoutService']['responseUrl'], FILTER_VALIDATE_URL)
  561.             ) {
  562.                 $errors[] = 'idp_slo_response_url_invalid';
  563.             }
  565.             $existsX509 = isset($idp['x509cert']) && !empty($idp['x509cert']);
  566.             $existsMultiX509Sign = isset($idp['x509certMulti']) && isset($idp['x509certMulti']['signing']) && !empty($idp['x509certMulti']['signing']);
  567.             $existsFingerprint = isset($idp['certFingerprint']) && !empty($idp['certFingerprint']);
  568.             if (!($existsX509 || $existsFingerprint || $existsMultiX509Sign)
  569.             ) {
  570.                 $errors[] = 'idp_cert_or_fingerprint_not_found_and_required';
  571.             }
  573.             if (isset($settings['security'])) {
  574.                 $existsMultiX509Enc = isset($idp['x509certMulti']) && isset($idp['x509certMulti']['encryption']) && !empty($idp['x509certMulti']['encryption']);
  576.                 if ((isset($settings['security']['nameIdEncrypted']) && $settings['security']['nameIdEncrypted'] == true)
  577.                     && !($existsX509 || $existsMultiX509Enc)
  578.                 ) {
  579.                     $errors[] = 'idp_cert_not_found_and_required';
  580.                 }
  581.             }
  582.         }
  584.         return $errors;
  585.     }
  587.     /**
  588.      * Checks the SP settings info.
  589.      *
  590.      * @param array $settings Array with settings data
  591.      *
  592.      * @return array $errors  Errors found on the SP settings data
  593.      */
  594.     public function checkSPSettings(array $settings)
  595.     {
  596.         if (empty($settings)) {
  597.             return array('invalid_syntax');
  598.         }
  600.         $errors = array();
  602.         if (!isset($settings['sp']) || empty($settings['sp'])) {
  603.             $errors[] = 'sp_not_found';
  604.         } else {
  605.             $sp $settings['sp'];
  606.             $security = array();
  607.             if (isset($settings['security'])) {
  608.                 $security $settings['security'];
  609.             }
  611.             if (!isset($sp['entityId']) || empty($sp['entityId'])) {
  612.                 $errors[] = 'sp_entityId_not_found';
  613.             }
  615.             if (!isset($sp['assertionConsumerService'])
  616.                 || !isset($sp['assertionConsumerService']['url'])
  617.                 || empty($sp['assertionConsumerService']['url'])
  618.             ) {
  619.                 $errors[] = 'sp_acs_not_found';
  620.             } else if (!filter_var($sp['assertionConsumerService']['url'], FILTER_VALIDATE_URL)) {
  621.                 $errors[] = 'sp_acs_url_invalid';
  622.             }
  624.             if (isset($sp['singleLogoutService'])
  625.                 && isset($sp['singleLogoutService']['url'])
  626.                 && !filter_var($sp['singleLogoutService']['url'], FILTER_VALIDATE_URL)
  627.             ) {
  628.                 $errors[] = 'sp_sls_url_invalid';
  629.             }
  631.             if (isset($security['signMetadata']) && is_array($security['signMetadata'])) {
  632.                 if ((!isset($security['signMetadata']['keyFileName'])
  633.                     || !isset($security['signMetadata']['certFileName'])) &&
  634.                     (!isset($security['signMetadata']['privateKey'])
  635.                     || !isset($security['signMetadata']['x509cert']))
  636.                 ) {
  637.                     $errors[] = 'sp_signMetadata_invalid';
  638.                 }
  639.             }
  641.             if (((isset($security['authnRequestsSigned']) && $security['authnRequestsSigned'] == true)
  642.                 || (isset($security['logoutRequestSigned']) && $security['logoutRequestSigned'] == true)
  643.                 || (isset($security['logoutResponseSigned']) && $security['logoutResponseSigned'] == true)
  644.                 || (isset($security['wantAssertionsEncrypted']) && $security['wantAssertionsEncrypted'] == true)
  645.                 || (isset($security['wantNameIdEncrypted']) && $security['wantNameIdEncrypted'] == true))
  646.                 && !$this->checkSPCerts()
  647.             ) {
  648.                 $errors[] = 'sp_certs_not_found_and_required';
  649.             }
  650.         }
  652.         if (isset($settings['contactPerson'])) {
  653.             $types array_keys($settings['contactPerson']);
  654.             $validTypes = array('technical''support''administrative''billing''other');
  655.             foreach ($types as $type) {
  656.                 if (!in_array($type$validTypes)) {
  657.                     $errors[] = 'contact_type_invalid';
  658.                     break;
  659.                 }
  660.             }
  662.             foreach ($settings['contactPerson'] as $type => $contact) {
  663.                 if (!isset($contact['givenName']) || empty($contact['givenName'])
  664.                     || !isset($contact['emailAddress']) || empty($contact['emailAddress'])
  665.                 ) {
  666.                     $errors[] = 'contact_not_enought_data';
  667.                     break;
  668.                 }
  669.             }
  670.         }
  672.         if (isset($settings['organization'])) {
  673.             foreach ($settings['organization'] as $organization) {
  674.                 if (!isset($organization['name']) || empty($organization['name'])
  675.                     || !isset($organization['displayname']) || empty($organization['displayname'])
  676.                     || !isset($organization['url']) || empty($organization['url'])
  677.                 ) {
  678.                     $errors[] = 'organization_not_enought_data';
  679.                     break;
  680.                 }
  681.             }
  682.         }
  684.         return $errors;
  685.     }
  687.     /**
  688.      * Checks if the x509 certs of the SP exists and are valid.
  689.      *
  690.      * @return bool
  691.      */
  692.     public function checkSPCerts()
  693.     {
  694.         $key $this->getSPkey();
  695.         $cert $this->getSPcert();
  696.         return (!empty($key) && !empty($cert));
  697.     }
  699.     /**
  700.      * Returns the x509 private key of the SP.
  701.      *
  702.      * @return string SP private key
  703.      */
  704.     public function getSPkey()
  705.     {
  706.         $key null;
  707.         if (isset($this->_sp['privateKey']) && !empty($this->_sp['privateKey'])) {
  708.             $key $this->_sp['privateKey'];
  709.         } else {
  710.             $keyFile $this->_paths['cert'].'sp.key';
  712.             if (file_exists($keyFile)) {
  713.                 $key file_get_contents($keyFile);
  714.             }
  715.         }
  716.         return $key;
  717.     }
  719.     /**
  720.      * Returns the x509 public cert of the SP.
  721.      *
  722.      * @return string SP public cert
  723.      */
  724.     public function getSPcert()
  725.     {
  726.         $cert null;
  728.         if (isset($this->_sp['x509cert']) && !empty($this->_sp['x509cert'])) {
  729.             $cert $this->_sp['x509cert'];
  730.         } else {
  731.             $certFile $this->_paths['cert'].'sp.crt';
  733.             if (file_exists($certFile)) {
  734.                 $cert file_get_contents($certFile);
  735.             }
  736.         }
  737.         return $cert;
  738.     }
  740.     /**
  741.      * Returns the x509 public of the SP that is
  742.      * planed to be used soon instead the other
  743.      * public cert
  744.      *
  745.      * @return string SP public cert New
  746.      */
  747.     public function getSPcertNew()
  748.     {
  749.         $cert null;
  751.         if (isset($this->_sp['x509certNew']) && !empty($this->_sp['x509certNew'])) {
  752.             $cert $this->_sp['x509certNew'];
  753.         } else {
  754.             $certFile $this->_paths['cert'].'sp_new.crt';
  756.             if (file_exists($certFile)) {
  757.                 $cert file_get_contents($certFile);
  758.             }
  759.         }
  760.         return $cert;
  761.     }
  763.     /**
  764.      * Gets the IdP data.
  765.      *
  766.      * @return array  IdP info
  767.      */
  768.     public function getIdPData()
  769.     {
  770.         return $this->_idp;
  771.     }
  773.     /**
  774.      * Gets the SP data.
  775.      *
  776.      * @return array  SP info
  777.      */
  778.     public function getSPData()
  779.     {
  780.         return $this->_sp;
  781.     }
  783.     /**
  784.      * Gets security data.
  785.      *
  786.      * @return array  SP info
  787.      */
  788.     public function getSecurityData()
  789.     {
  790.         return $this->_security;
  791.     }
  793.     /**
  794.      * Gets contact data.
  795.      *
  796.      * @return array  SP info
  797.      */
  798.     public function getContacts()
  799.     {
  800.         return $this->_contacts;
  801.     }
  803.     /**
  804.      * Gets organization data.
  805.      *
  806.      * @return array  SP info
  807.      */
  808.     public function getOrganization()
  809.     {
  810.         return $this->_organization;
  811.     }
  813.     /**
  814.      * Should SAML requests be compressed?
  815.      *
  816.      * @return bool Yes/No as True/False
  817.      */
  818.     public function shouldCompressRequests()
  819.     {
  820.         return $this->_compress['requests'];
  821.     }
  823.     /**
  824.      * Should SAML responses be compressed?
  825.      *
  826.      * @return bool Yes/No as True/False
  827.      */
  828.     public function shouldCompressResponses()
  829.     {
  830.         return $this->_compress['responses'];
  831.     }
  833.     /**
  834.      * Gets the IdP SSO url.
  835.      *
  836.      * @return string|null The url of the IdP Single Sign On Service
  837.      */
  838.     public function getIdPSSOUrl()
  839.     {
  840.         $ssoUrl null;
  841.         if (isset($this->_idp['singleSignOnService']) && isset($this->_idp['singleSignOnService']['url'])) {
  842.             $ssoUrl $this->_idp['singleSignOnService']['url'];
  843.         }
  844.         return $ssoUrl;
  845.     }
  847.     /**
  848.      * Gets the IdP SLO url.
  849.      *
  850.      * @return string|null The request url of the IdP Single Logout Service
  851.      */
  852.     public function getIdPSLOUrl()
  853.     {
  854.         $sloUrl null;
  855.         if (isset($this->_idp['singleLogoutService']) && isset($this->_idp['singleLogoutService']['url'])) {
  856.             $sloUrl $this->_idp['singleLogoutService']['url'];
  857.         }
  858.         return $sloUrl;
  859.     }
  861.     /**
  862.      * Gets the IdP SLO response url.
  863.      *
  864.      * @return string|null The response url of the IdP Single Logout Service
  865.      */
  866.     public function getIdPSLOResponseUrl()
  867.     {
  868.         if (isset($this->_idp['singleLogoutService']) && isset($this->_idp['singleLogoutService']['responseUrl'])) {
  869.             return $this->_idp['singleLogoutService']['responseUrl'];
  870.         }
  871.         return $this->getIdPSLOUrl();
  872.     }
  874.     /**
  875.      * Gets the SP metadata. The XML representation.
  876.      *
  877.      * @param bool $alwaysPublishEncryptionCert When 'true', the returned
  878.      * metadata will always include an 'encryption' KeyDescriptor. Otherwise,
  879.      * the 'encryption' KeyDescriptor will only be included if
  880.      * $advancedSettings['security']['wantNameIdEncrypted'] or
  881.      * $advancedSettings['security']['wantAssertionsEncrypted'] are enabled.
  882.      * @param int|null      $validUntil    Metadata's valid time
  883.      * @param int|null      $cacheDuration Duration of the cache in seconds
  884.      *
  885.      * @return string  SP metadata (xml)
  886.      * @throws Exception
  887.      * @throws Error
  888.      */
  889.     public function getSPMetadata($alwaysPublishEncryptionCert false$validUntil null$cacheDuration null)
  890.     {
  891.         $metadata Metadata::builder($this->_sp$this->_security['authnRequestsSigned'], $this->_security['wantAssertionsSigned'], $validUntil$cacheDuration$this->getContacts(), $this->getOrganization());
  893.         $certNew $this->getSPcertNew();
  894.         if (!empty($certNew)) {
  895.             $metadata Metadata::addX509KeyDescriptors(
  896.                 $metadata,
  897.                 $certNew,
  898.                 $alwaysPublishEncryptionCert || $this->_security['wantNameIdEncrypted'] || $this->_security['wantAssertionsEncrypted']
  899.             );
  900.         }
  902.         $cert $this->getSPcert();
  903.         if (!empty($cert)) {
  904.             $metadata Metadata::addX509KeyDescriptors(
  905.                 $metadata,
  906.                 $cert,
  907.                 $alwaysPublishEncryptionCert || $this->_security['wantNameIdEncrypted'] || $this->_security['wantAssertionsEncrypted']
  908.             );
  909.         }
  911.         //Sign Metadata
  912.         if (isset($this->_security['signMetadata']) && $this->_security['signMetadata'] != false) {
  913.             if ($this->_security['signMetadata'] === true) {
  914.                 $keyMetadata $this->getSPkey();
  915.                 $certMetadata $cert;
  917.                 if (!$keyMetadata) {
  918.                     throw new Error(
  919.                         'SP Private key not found.',
  920.                         Error::PRIVATE_KEY_FILE_NOT_FOUND
  921.                     );
  922.                 }
  924.                 if (!$certMetadata) {
  925.                     throw new Error(
  926.                         'SP Public cert not found.',
  927.                         Error::PUBLIC_CERT_FILE_NOT_FOUND
  928.                     );
  929.                 }
  930.             } else if (isset($this->_security['signMetadata']['keyFileName']) &&
  931.                 isset($this->_security['signMetadata']['certFileName'])) {
  932.                 $keyFileName $this->_security['signMetadata']['keyFileName'];
  933.                 $certFileName $this->_security['signMetadata']['certFileName'];
  935.                 $keyMetadataFile $this->_paths['cert'].$keyFileName;
  936.                 $certMetadataFile $this->_paths['cert'].$certFileName;
  938.                 if (!file_exists($keyMetadataFile)) {
  939.                     throw new Error(
  940.                         'SP Private key file not found: %s',
  941.                         Error::PRIVATE_KEY_FILE_NOT_FOUND,
  942.                         array($keyMetadataFile)
  943.                     );
  944.                 }
  946.                 if (!file_exists($certMetadataFile)) {
  947.                     throw new Error(
  948.                         'SP Public cert file not found: %s',
  949.                         Error::PUBLIC_CERT_FILE_NOT_FOUND,
  950.                         array($certMetadataFile)
  951.                     );
  952.                 }
  953.                 $keyMetadata file_get_contents($keyMetadataFile);
  954.                 $certMetadata file_get_contents($certMetadataFile);
  955.             } else if (isset($this->_security['signMetadata']['privateKey']) &&
  956.                 isset($this->_security['signMetadata']['x509cert'])) {
  957.                 $keyMetadata Utils::formatPrivateKey($this->_security['signMetadata']['privateKey']);
  958.                 $certMetadata Utils::formatCert($this->_security['signMetadata']['x509cert']);
  959.                 if (!$keyMetadata) {
  960.                     throw new Error(
  961.                         'Private key not found.',
  962.                         Error::PRIVATE_KEY_FILE_NOT_FOUND
  963.                     );
  964.                 }
  966.                 if (!$certMetadata) {
  967.                     throw new Error(
  968.                         'Public cert not found.',
  969.                         Error::PUBLIC_CERT_FILE_NOT_FOUND
  970.                     );
  971.                 }
  972.             } else {
  973.                 throw new Error(
  974.                     'Invalid Setting: signMetadata value of the sp is not valid',
  975.                     Error::SETTINGS_INVALID_SYNTAX
  976.                 );
  978.             }
  980.             $signatureAlgorithm $this->_security['signatureAlgorithm'];
  981.             $digestAlgorithm $this->_security['digestAlgorithm'];
  982.             $metadata Metadata::signMetadata($metadata$keyMetadata$certMetadata$signatureAlgorithm$digestAlgorithm);
  983.         }
  984.         return $metadata;
  985.     }
  987.     /**
  988.      * Validates an XML SP Metadata.
  989.      *
  990.      * @param string $xml Metadata's XML that will be validate
  991.      *
  992.      * @return array The list of found errors
  993.      *
  994.      * @throws Exception
  995.      */
  996.     public function validateMetadata($xml)
  997.     {
  998.         assert(is_string($xml));
  1000.         $errors = array();
  1001.         $res Utils::validateXML($xml'saml-schema-metadata-2.0.xsd'$this->_debug$this->getSchemasPath());
  1002.         if (!$res instanceof DOMDocument) {
  1003.             $errors[] = $res;
  1004.         } else {
  1005.             $dom $res;
  1006.             $element $dom->documentElement;
  1007.             if ($element->tagName !== 'md:EntityDescriptor') {
  1008.                 $errors[] = 'noEntityDescriptor_xml';
  1009.             } else {
  1010.                 $validUntil $cacheDuration $expireTime null;
  1012.                 if ($element->hasAttribute('validUntil')) {
  1013.                     $validUntil Utils::parseSAML2Time($element->getAttribute('validUntil'));
  1014.                 }
  1015.                 if ($element->hasAttribute('cacheDuration')) {
  1016.                     $cacheDuration $element->getAttribute('cacheDuration');
  1017.                 }
  1019.                 $expireTime Utils::getExpireTime($cacheDuration$validUntil);
  1020.                 if (isset($expireTime) && time() > $expireTime) {
  1021.                     $errors[] = 'expired_xml';
  1022.                 }
  1023.             }
  1024.         }
  1026.         // TODO: Support Metadata Sign Validation
  1028.         return $errors;
  1029.     }
  1031.     /**
  1032.      * Formats the IdP cert.
  1033.      */
  1034.     public function formatIdPCert()
  1035.     {
  1036.         if (isset($this->_idp['x509cert'])) {
  1037.             $this->_idp['x509cert'] = Utils::formatCert($this->_idp['x509cert']);
  1038.         }
  1039.     }
  1041.     /**
  1042.      * Formats the Multple IdP certs.
  1043.      */
  1044.     public function formatIdPCertMulti()
  1045.     {
  1046.         if (isset($this->_idp['x509certMulti'])) {
  1047.             if (isset($this->_idp['x509certMulti']['signing'])) {
  1048.                 foreach ($this->_idp['x509certMulti']['signing'] as $i => $cert) {
  1049.                     $this->_idp['x509certMulti']['signing'][$i] = Utils::formatCert($cert);
  1050.                 }
  1051.             }
  1052.             if (isset($this->_idp['x509certMulti']['encryption'])) {
  1053.                 foreach ($this->_idp['x509certMulti']['encryption'] as $i => $cert) {
  1054.                     $this->_idp['x509certMulti']['encryption'][$i] = Utils::formatCert($cert);
  1055.                 }
  1056.             }
  1057.         }
  1058.     }
  1060.     /**
  1061.      * Formats the SP cert.
  1062.      */
  1063.     public function formatSPCert()
  1064.     {
  1065.         if (isset($this->_sp['x509cert'])) {
  1066.             $this->_sp['x509cert'] = Utils::formatCert($this->_sp['x509cert']);
  1067.         }
  1068.     }
  1070.     /**
  1071.      * Formats the SP cert.
  1072.      */
  1073.     public function formatSPCertNew()
  1074.     {
  1075.         if (isset($this->_sp['x509certNew'])) {
  1076.             $this->_sp['x509certNew'] = Utils::formatCert($this->_sp['x509certNew']);
  1077.         }
  1078.     }
  1080.     /**
  1081.      * Formats the SP private key.
  1082.      */
  1083.     public function formatSPKey()
  1084.     {
  1085.         if (isset($this->_sp['privateKey'])) {
  1086.             $this->_sp['privateKey'] = Utils::formatPrivateKey($this->_sp['privateKey']);
  1087.         }
  1088.     }
  1090.     /**
  1091.      * Returns an array with the errors, the array is empty when the settings is ok.
  1092.      *
  1093.      * @return array Errors
  1094.      */
  1095.     public function getErrors()
  1096.     {
  1097.         return $this->_errors;
  1098.     }
  1100.     /**
  1101.      * Activates or deactivates the strict mode.
  1102.      *
  1103.      * @param bool $value Strict parameter
  1104.      *
  1105.      * @throws Exception
  1106.      */
  1107.     public function setStrict($value)
  1108.     {
  1109.         if (!is_bool($value)) {
  1110.             throw new Exception('Invalid value passed to setStrict()');
  1111.         }
  1113.         $this->_strict $value;
  1114.     }
  1116.     /**
  1117.      * Returns if the 'strict' mode is active.
  1118.      *
  1119.      * @return bool Strict parameter
  1120.      */
  1121.     public function isStrict()
  1122.     {
  1123.         return $this->_strict;
  1124.     }
  1126.     /**
  1127.      * Returns if the debug is active.
  1128.      *
  1129.      * @return bool Debug parameter
  1130.      */
  1131.     public function isDebugActive()
  1132.     {
  1133.         return $this->_debug;
  1134.     }
  1136.     /**
  1137.      * Set a baseurl value.
  1138.      *
  1139.      * @param string $baseurl Base URL.
  1140.      */
  1141.     public function setBaseURL($baseurl)
  1142.     {
  1143.         $this->_baseurl $baseurl;
  1144.     }
  1146.     /**
  1147.      * Returns the baseurl set on the settings if any.
  1148.      *
  1149.      * @return null|string The baseurl
  1150.      */
  1151.     public function getBaseURL()
  1152.     {
  1153.         return $this->_baseurl;
  1154.     }
  1156.     /**
  1157.      * Sets the IdP certificate.
  1158.      *
  1159.      * @param string $cert IdP certificate
  1160.      */
  1161.     public function setIdPCert($cert)
  1162.     {
  1163.         $this->_idp['x509cert'] = $cert;
  1164.         $this->formatIdPCert();
  1165.     }
  1166. }