|
1 <?php |
|
2 /** |
|
3 * Zend Framework |
|
4 * |
|
5 * LICENSE |
|
6 * |
|
7 * This source file is subject to the new BSD license that is bundled |
|
8 * with this package in the file LICENSE.txt. |
|
9 * It is also available through the world-wide-web at this URL: |
|
10 * http://framework.zend.com/license/new-bsd |
|
11 * If you did not receive a copy of the license and are unable to |
|
12 * obtain it through the world-wide-web, please send an email |
|
13 * to license@zend.com so we can send you a copy immediately. |
|
14 * |
|
15 * @category Zend |
|
16 * @package Zend_InfoCard |
|
17 * @subpackage Zend_InfoCard_Xml |
|
18 * @copyright Copyright (c) 2005-2010 Zend Technologies USA Inc. (http://www.zend.com) |
|
19 * @license http://framework.zend.com/license/new-bsd New BSD License |
|
20 * @version $Id: Saml.php 20096 2010-01-06 02:05:09Z bkarwin $ |
|
21 */ |
|
22 |
|
23 /** |
|
24 * Zend_InfoCard_Xml_Element |
|
25 */ |
|
26 require_once 'Zend/InfoCard/Xml/Element.php'; |
|
27 |
|
28 /** |
|
29 * Zend_InfoCard_Xml_Assertion_Interface |
|
30 */ |
|
31 require_once 'Zend/InfoCard/Xml/Assertion/Interface.php'; |
|
32 |
|
33 /** |
|
34 * A Xml Assertion Document in SAML Token format |
|
35 * |
|
36 * @category Zend |
|
37 * @package Zend_InfoCard |
|
38 * @subpackage Zend_InfoCard_Xml |
|
39 * @copyright Copyright (c) 2005-2010 Zend Technologies USA Inc. (http://www.zend.com) |
|
40 * @license http://framework.zend.com/license/new-bsd New BSD License |
|
41 */ |
|
42 class Zend_InfoCard_Xml_Assertion_Saml |
|
43 extends Zend_InfoCard_Xml_Element |
|
44 implements Zend_InfoCard_Xml_Assertion_Interface |
|
45 { |
|
46 |
|
47 /** |
|
48 * Audience Restriction Condition |
|
49 */ |
|
50 const CONDITION_AUDIENCE = 'AudienceRestrictionCondition'; |
|
51 |
|
52 /** |
|
53 * The URI for a 'bearer' confirmation |
|
54 */ |
|
55 const CONFIRMATION_BEARER = 'urn:oasis:names:tc:SAML:1.0:cm:bearer'; |
|
56 |
|
57 /** |
|
58 * The amount of time in seconds to buffer when checking conditions to ensure |
|
59 * that differences between client/server clocks don't interfer too much |
|
60 */ |
|
61 const CONDITION_TIME_ADJ = 3600; // +- 5 minutes |
|
62 |
|
63 protected function _getServerName() { |
|
64 return $_SERVER['SERVER_NAME']; |
|
65 } |
|
66 |
|
67 protected function _getServerPort() { |
|
68 return $_SERVER['SERVER_PORT']; |
|
69 } |
|
70 |
|
71 /** |
|
72 * Validate the conditions array returned from the getConditions() call |
|
73 * |
|
74 * @param array $conditions An array of condtions for the assertion taken from getConditions() |
|
75 * @return mixed Boolean true on success, an array of condition, error message on failure |
|
76 */ |
|
77 public function validateConditions(Array $conditions) |
|
78 { |
|
79 |
|
80 $currentTime = time(); |
|
81 |
|
82 if(!empty($conditions)) { |
|
83 |
|
84 foreach($conditions as $condition => $conditionValue) { |
|
85 switch(strtolower($condition)) { |
|
86 case 'audiencerestrictioncondition': |
|
87 |
|
88 $serverName = $this->_getServerName(); |
|
89 $serverPort = $this->_getServerPort(); |
|
90 |
|
91 $self_aliases[] = $serverName; |
|
92 $self_aliases[] = "{{$serverName}:{$serverPort}"; |
|
93 |
|
94 $found = false; |
|
95 if(is_array($conditionValue)) { |
|
96 foreach($conditionValue as $audience) { |
|
97 |
|
98 list(,,$audience) = explode('/', $audience); |
|
99 if(in_array($audience, $self_aliases)) { |
|
100 $found = true; |
|
101 break; |
|
102 } |
|
103 } |
|
104 } |
|
105 |
|
106 if(!$found) { |
|
107 return array($condition, 'Could not find self in allowed audience list'); |
|
108 } |
|
109 |
|
110 break; |
|
111 case 'notbefore': |
|
112 $notbeforetime = strtotime($conditionValue); |
|
113 |
|
114 if($currentTime < $notbeforetime) { |
|
115 if($currentTime + self::CONDITION_TIME_ADJ < $notbeforetime) { |
|
116 return array($condition, 'Current time is before specified window'); |
|
117 } |
|
118 } |
|
119 |
|
120 break; |
|
121 case 'notonorafter': |
|
122 $notonoraftertime = strtotime($conditionValue); |
|
123 |
|
124 if($currentTime >= $notonoraftertime) { |
|
125 if($currentTime - self::CONDITION_TIME_ADJ >= $notonoraftertime) { |
|
126 return array($condition, 'Current time is after specified window'); |
|
127 } |
|
128 } |
|
129 |
|
130 break; |
|
131 |
|
132 } |
|
133 } |
|
134 } |
|
135 return true; |
|
136 } |
|
137 |
|
138 /** |
|
139 * Get the Assertion URI for this type of Assertion |
|
140 * |
|
141 * @return string the Assertion URI |
|
142 */ |
|
143 public function getAssertionURI() |
|
144 { |
|
145 return Zend_InfoCard_Xml_Assertion::TYPE_SAML; |
|
146 } |
|
147 |
|
148 /** |
|
149 * Get the Major Version of the SAML Assertion |
|
150 * |
|
151 * @return integer The major version number |
|
152 */ |
|
153 public function getMajorVersion() |
|
154 { |
|
155 return (int)(string)$this['MajorVersion']; |
|
156 } |
|
157 |
|
158 /** |
|
159 * The Minor Version of the SAML Assertion |
|
160 * |
|
161 * @return integer The minor version number |
|
162 */ |
|
163 public function getMinorVersion() |
|
164 { |
|
165 return (int)(string)$this['MinorVersion']; |
|
166 } |
|
167 |
|
168 /** |
|
169 * Get the Assertion ID of the assertion |
|
170 * |
|
171 * @return string The Assertion ID |
|
172 */ |
|
173 public function getAssertionID() |
|
174 { |
|
175 return (string)$this['AssertionID']; |
|
176 } |
|
177 |
|
178 /** |
|
179 * Get the Issuer URI of the assertion |
|
180 * |
|
181 * @return string the URI of the assertion Issuer |
|
182 */ |
|
183 public function getIssuer() |
|
184 { |
|
185 return (string)$this['Issuer']; |
|
186 } |
|
187 |
|
188 /** |
|
189 * Get the Timestamp of when the assertion was issued |
|
190 * |
|
191 * @return integer a UNIX timestamp representing when the assertion was issued |
|
192 */ |
|
193 public function getIssuedTimestamp() |
|
194 { |
|
195 return strtotime((string)$this['IssueInstant']); |
|
196 } |
|
197 |
|
198 /** |
|
199 * Return an array of conditions which the assertions are predicated on |
|
200 * |
|
201 * @throws Zend_InfoCard_Xml_Exception |
|
202 * @return array an array of conditions |
|
203 */ |
|
204 public function getConditions() |
|
205 { |
|
206 |
|
207 list($conditions) = $this->xpath("//saml:Conditions"); |
|
208 |
|
209 if(!($conditions instanceof Zend_InfoCard_Xml_Element)) { |
|
210 throw new Zend_InfoCard_Xml_Exception("Unable to find the saml:Conditions block"); |
|
211 } |
|
212 |
|
213 $retval = array(); |
|
214 |
|
215 foreach($conditions->children('urn:oasis:names:tc:SAML:1.0:assertion') as $key => $value) { |
|
216 switch($key) { |
|
217 case self::CONDITION_AUDIENCE: |
|
218 foreach($value->children('urn:oasis:names:tc:SAML:1.0:assertion') as $audience_key => $audience_value) { |
|
219 if($audience_key == 'Audience') { |
|
220 $retval[$key][] = (string)$audience_value; |
|
221 } |
|
222 } |
|
223 break; |
|
224 } |
|
225 } |
|
226 |
|
227 $retval['NotBefore'] = (string)$conditions['NotBefore']; |
|
228 $retval['NotOnOrAfter'] = (string)$conditions['NotOnOrAfter']; |
|
229 |
|
230 return $retval; |
|
231 } |
|
232 |
|
233 /** |
|
234 * Get they KeyInfo element for the Subject KeyInfo block |
|
235 * |
|
236 * @todo Not Yet Implemented |
|
237 * @ignore |
|
238 */ |
|
239 public function getSubjectKeyInfo() |
|
240 { |
|
241 /** |
|
242 * @todo Not sure if this is part of the scope for now.. |
|
243 */ |
|
244 |
|
245 if($this->getConfirmationMethod() == self::CONFIRMATION_BEARER) { |
|
246 throw new Zend_InfoCard_Xml_Exception("Cannot get Subject Key Info when Confirmation Method was Bearer"); |
|
247 } |
|
248 } |
|
249 |
|
250 /** |
|
251 * Return the Confirmation Method URI used in the Assertion |
|
252 * |
|
253 * @return string The confirmation method URI |
|
254 */ |
|
255 public function getConfirmationMethod() |
|
256 { |
|
257 list($confirmation) = $this->xPath("//saml:ConfirmationMethod"); |
|
258 return (string)$confirmation; |
|
259 } |
|
260 |
|
261 /** |
|
262 * Return an array of attributes (claims) contained within the assertion |
|
263 * |
|
264 * @return array An array of attributes / claims within the assertion |
|
265 */ |
|
266 public function getAttributes() |
|
267 { |
|
268 $attributes = $this->xPath('//saml:Attribute'); |
|
269 |
|
270 $retval = array(); |
|
271 foreach($attributes as $key => $value) { |
|
272 |
|
273 $retkey = (string)$value['AttributeNamespace'].'/'.(string)$value['AttributeName']; |
|
274 |
|
275 $retval[$retkey]['name'] = (string)$value['AttributeName']; |
|
276 $retval[$retkey]['namespace'] = (string)$value['AttributeNamespace']; |
|
277 |
|
278 list($aValue) = $value->children('urn:oasis:names:tc:SAML:1.0:assertion'); |
|
279 $retval[$retkey]['value'] = (string)$aValue; |
|
280 } |
|
281 |
|
282 return $retval; |
|
283 } |
|
284 } |