Refactor. Fix PHPDoc

pitbulk · pitbulk · commit 2bf09d719bd0 · 2018-09-13T00:26:03.000+02:00
diff --git a/certs/README b/certs/README
@@ -10,3 +10,5 @@ Also you can use other cert to sign the metadata of the SP using the:
 
  * metadata.key
  * metadata.crt
+
+If you are using composer to install the php-saml toolkit, You should move the certs folder to  vendor/onelogin/php-saml/certs
diff --git a/src/Saml2/Auth.php b/src/Saml2/Auth.php
@@ -161,6 +161,9 @@ class Auth
      * Initializes the SP SAML instance.
      *
      * @param array|null $settings Setting data
+     *
+     * @throws Exception
+     * @throws Error
      */
     public function __construct(array $settings = null)
     {
@@ -186,7 +189,7 @@ public function getSettings()
      */
     public function setStrict($value)
     {
-        if (! (is_bool($value))) {
+        if (!is_bool($value)) {
             throw new Error(
                 'Invalid value passed to setStrict()',
                 Error::SETTINGS_INVALID_SYNTAX
@@ -202,12 +205,13 @@ public function setStrict($value)
      * @param string|null $requestId The ID of the AuthNRequest sent by this SP to the IdP
      *
      * @throws Error
+     * @throws ValidationError
      */
     public function processResponse($requestId = null)
     {
         $this->_errors = array();
         $this->_lastError = $this->_lastErrorException = null;
-        if (isset($_POST) && isset($_POST['SAMLResponse'])) {
+        if (isset($_POST['SAMLResponse'])) {
             // AuthnResponse -- HTTP_POST Binding
             $response = new Response($this->_settings, $_POST['SAMLResponse']);
             $this->_lastResponse = $response->getXMLDocument();
@@ -255,7 +259,7 @@ public function processSLO($keepLocalSession = false, $requestId = null, $retrie
     {
         $this->_errors = array();
         $this->_lastError = $this->_lastErrorException = null;
-        if (isset($_GET) && isset($_GET['SAMLResponse'])) {
+        if (isset($_GET['SAMLResponse'])) {
             $logoutResponse = new LogoutResponse($this->_settings, $_GET['SAMLResponse']);
             $this->_lastResponse = $logoutResponse->getXML();
             if (!$logoutResponse->isValid($requestId, $retrieveParametersFromServer)) {
@@ -275,7 +279,7 @@ public function processSLO($keepLocalSession = false, $requestId = null, $retrie
                     }
                 }
             }
-        } else if (isset($_GET) && isset($_GET['SAMLRequest'])) {
+        } else if (isset($_GET['SAMLRequest'])) {
             $logoutRequest = new LogoutRequest($this->_settings, $_GET['SAMLRequest']);
             $this->_lastRequest = $logoutRequest->getXML();
             if (!$logoutRequest->isValid($retrieveParametersFromServer)) {
@@ -500,6 +504,8 @@ public function getAttributeWithFriendlyName($friendlyName)
      * @param bool        $setNameIdPolicy When true the AuthNRequest will set a nameIdPolicy element
      *
      * @return string|null If $stay is True, it return a string with the SLO URL + LogoutRequest + parameters
+     * 
+     * @throws Error
      */
     public function login($returnTo = null, array $parameters = array(), $forceAuthn = false, $isPassive = false, $stay = false, $setNameIdPolicy = true)
     {
@@ -632,33 +638,7 @@ public function getLastRequestID()
      */
     public function buildRequestSignature($samlRequest, $relayState, $signAlgorithm = XMLSecurityKey::RSA_SHA256)
     {
-        $key = $this->_settings->getSPkey();
-        if (empty($key)) {
-            throw new Error(
-                "Trying to sign the SAML Request but can't load the SP private key",
-                Error::PRIVATE_KEY_NOT_FOUND
-            );
-        }
-
-        $objKey = new XMLSecurityKey($signAlgorithm, array('type' => 'private'));
-        $objKey->loadKey($key, false);
-
-        $security = $this->_settings->getSecurityData();
-        if ($security['lowercaseUrlencoding']) {
-            $msg = 'SAMLRequest='.rawurlencode($samlRequest);
-            if (isset($relayState)) {
-                $msg .= '&RelayState='.rawurlencode($relayState);
-            }
-            $msg .= '&SigAlg=' . rawurlencode($signAlgorithm);
-        } else {
-            $msg = 'SAMLRequest='.urlencode($samlRequest);
-            if (isset($relayState)) {
-                $msg .= '&RelayState='.urlencode($relayState);
-            }
-            $msg .= '&SigAlg=' . urlencode($signAlgorithm);
-        }
-        $signature = $objKey->signData($msg);
-        return base64_encode($signature);
+        return $this->buildMessageSignature($samlRequest, $relayState, $signAlgorithm, "SAMLRequest");
     }
 
     /**
@@ -674,27 +654,48 @@ public function buildRequestSignature($samlRequest, $relayState, $signAlgorithm
      * @throws Error
      */
     public function buildResponseSignature($samlResponse, $relayState, $signAlgorithm = XMLSecurityKey::RSA_SHA256)
+    {
+        return $this->buildMessageSignature($samlResponse, $relayState, $signAlgorithm, "SAMLResponse");
+    }
+
+    /**
+     * Generates the Signature for a SAML Message
+     *
+     * @param string $samlMessage   The SAML Message
+     * @param string $relayState    The RelayState
+     * @param string $signAlgorithm Signature algorithm method
+     * @param string $type          "SAMLRequest" or "SAMLResponse"
+     *
+     * @return string A base64 encoded signature
+     *
+     * @throws Exception
+     * @throws Error
+     */
+    private function buildMessageSignature($samlMessage, $relayState, $signAlgorithm = XMLSecurityKey::RSA_SHA256, $type="SAMLRequest")
     {
         $key = $this->_settings->getSPkey();
         if (empty($key)) {
-            throw new Error(
-                "Trying to sign the SAML Response but can't load the SP private key",
-                Error::PRIVATE_KEY_NOT_FOUND
-            );
+            if ($type == "SAMLRequest") {
+                $errorMsg = "Trying to sign the SAML Request but can't load the SP private key";
+            } else {
+                $errorMsg = "Trying to sign the SAML Response but can't load the SP private key";
+            }
+
+            throw new Error($errorMsg, Error::PRIVATE_KEY_NOT_FOUND);
         }
 
         $objKey = new XMLSecurityKey($signAlgorithm, array('type' => 'private'));
         $objKey->loadKey($key, false);
 
         $security = $this->_settings->getSecurityData();
         if ($security['lowercaseUrlencoding']) {
-            $msg = 'SAMLResponse='.rawurlencode($samlResponse);
+            $msg = $type.'='.rawurlencode($samlMessage);
             if (isset($relayState)) {
                 $msg .= '&RelayState='.rawurlencode($relayState);
             }
             $msg .= '&SigAlg=' . rawurlencode($signAlgorithm);
         } else {
-            $msg = 'SAMLResponse='.urlencode($samlResponse);
+            $msg = $type.'='.urlencode($samlMessage);
             if (isset($relayState)) {
                 $msg .= '&RelayState='.urlencode($relayState);
             }
diff --git a/src/Saml2/IdPMetadataParser.php b/src/Saml2/IdPMetadataParser.php
@@ -101,6 +101,7 @@ public static function parseFileXML($filepath, $entityId = null, $desiredNameIdF
      * @param string $desiredSLOBinding   Parse specific binding SLO endpoint
      *
      * @return array metadata info in php-saml settings format
+     *
      * @throws Exception
      */
     public static function parseXML($xml, $entityId = null, $desiredNameIdFormat = null, $desiredSSOBinding = Constants::BINDING_HTTP_REDIRECT, $desiredSLOBinding = Constants::BINDING_HTTP_REDIRECT)
diff --git a/src/Saml2/LogoutRequest.php b/src/Saml2/LogoutRequest.php
@@ -139,7 +139,7 @@ public function __construct(\OneLogin\Saml2\Settings $settings, $request = null,
             } else {
                 $logoutRequest = $decoded;
             }
-            $this->id = self::getID($logoutRequest);
+            $this->id = static::getID($logoutRequest);
         }
         $this->_logoutRequest = $logoutRequest;
     }
@@ -204,7 +204,9 @@ public static function getID($request)
      *
      * @return array Name ID Data (Value, Format, NameQualifier, SPNameQualifier)
      *
+     * @throws Error
      * @throws Exception
+     * @throws ValidationError
      */
     public static function getNameIdData($request, $key = null)
     {
@@ -265,6 +267,10 @@ public static function getNameIdData($request, $key = null)
      * @param string|null        $key     The SP key
      *
      * @return string Name ID Value
+     * 
+     * @throws Error
+     * @throws Exception
+     * @throws ValidationError
      */
     public static function getNameId($request, $key = null)
     {
@@ -278,6 +284,8 @@ public static function getNameId($request, $key = null)
      * @param string|DOMDocument $request Logout Request Message
      *
      * @return string|null $issuer The Issuer
+     * 
+     * @throws Exception
      */
     public static function getIssuer($request)
     {
@@ -305,6 +313,8 @@ public static function getIssuer($request)
      * @param string|DOMDocument $request Logout Request Message
      *
      * @return array The SessionIndex value
+     * 
+     * @throws Exception
      */
     public static function getSessionIndexes($request)
     {
@@ -329,6 +339,9 @@ public static function getSessionIndexes($request)
      * @param bool $retrieveParametersFromServer True if we want to use parameters from $_SERVER to validate the signature
      *
      * @return bool If the Logout Request is or not valid
+     * 
+     * @throws Exception
+     * @throws ValidationError
      */
     public function isValid($retrieveParametersFromServer = false)
     {
@@ -369,34 +382,30 @@ public function isValid($retrieveParametersFromServer = false)
                 // Check destination
                 if ($dom->documentElement->hasAttribute('Destination')) {
                     $destination = $dom->documentElement->getAttribute('Destination');
-                    if (!empty($destination)) {
-                        if (strpos($destination, $currentURL) === false) {
-                            throw new ValidationError(
-                                "The LogoutRequest was received at $currentURL instead of $destination",
-                                ValidationError::WRONG_DESTINATION
-                            );
-                        }
+                    if (!empty($destination) && strpos($destination, $currentURL) === false) {
+                        throw new ValidationError(
+                            "The LogoutRequest was received at $currentURL instead of $destination",
+                            ValidationError::WRONG_DESTINATION
+                        );
                     }
                 }
 
-                $nameId = $this->getNameId($dom, $this->_settings->getSPkey());
+                $nameId = static::getNameId($dom, $this->_settings->getSPkey());
 
                 // Check issuer
-                $issuer = $this->getIssuer($dom);
+                $issuer = static::getIssuer($dom);
                 if (!empty($issuer) && $issuer != $idPEntityId) {
                     throw new ValidationError(
                         "Invalid issuer in the Logout Request",
                         ValidationError::WRONG_ISSUER
                     );
                 }
 
-                if ($security['wantMessagesSigned']) {
-                    if (!isset($_GET['Signature'])) {
-                        throw new ValidationError(
-                            "The Message of the Logout Request is not signed and the SP require it",
-                            ValidationError::NO_SIGNED_MESSAGE
-                        );
-                    }
+                if ($security['wantMessagesSigned'] && !isset($_GET['Signature'])) {
+                    throw new ValidationError(
+                        "The Message of the Logout Request is not signed and the SP require it",
+                        ValidationError::NO_SIGNED_MESSAGE
+                    );
                 }
             }
 
diff --git a/src/Saml2/LogoutResponse.php b/src/Saml2/LogoutResponse.php
@@ -65,6 +65,10 @@ class LogoutResponse
      *
      * @param Settings $settings Settings.
      * @param string|null             $response An UUEncoded SAML Logout response from the IdP.
+     * 
+     * @throws Error
+     * @throws Exception
+     * 
      */
     public function __construct(\OneLogin\Saml2\Settings $settings, $response = null)
     {
@@ -136,6 +140,8 @@ public function getStatus()
      * @param bool        $retrieveParametersFromServer True if we want to use parameters from $_SERVER to validate the signature
      *
      * @return bool Returns if the SAML LogoutResponse is or not valid
+     * 
+     * @throws ValidationError
      */
     public function isValid($requestId = null, $retrieveParametersFromServer = false)
     {
@@ -182,24 +188,20 @@ public function isValid($requestId = null, $retrieveParametersFromServer = false
                 // Check destination
                 if ($this->document->documentElement->hasAttribute('Destination')) {
                     $destination = $this->document->documentElement->getAttribute('Destination');
-                    if (!empty($destination)) {
-                        if (strpos($destination, $currentURL) === false) {
-                            throw new ValidationError(
-                                "The LogoutResponse was received at $currentURL instead of $destination",
-                                ValidationError::WRONG_DESTINATION
-                            );
-                        }
-                    }
-                }
-
-                if ($security['wantMessagesSigned']) {
-                    if (!isset($_GET['Signature'])) {
+                    if (!empty($destination) && strpos($destination, $currentURL) === false) {
                         throw new ValidationError(
-                            "The Message of the Logout Response is not signed and the SP requires it",
-                            ValidationError::NO_SIGNED_MESSAGE
+                            "The LogoutResponse was received at $currentURL instead of $destination",
+                            ValidationError::WRONG_DESTINATION
                         );
                     }
                 }
+
+                if ($security['wantMessagesSigned'] && !isset($_GET['Signature'])) {
+                    throw new ValidationError(
+                        "The Message of the Logout Response is not signed and the SP requires it",
+                        ValidationError::NO_SIGNED_MESSAGE
+                    );
+                }
             }
 
             if (isset($_GET['Signature'])) {
diff --git a/src/Saml2/Metadata.php b/src/Saml2/Metadata.php
@@ -200,6 +200,8 @@ public static function builder($sp, $authnsign = false, $wsign = false, $validUn
      * @param string $digestAlgorithm Digest algorithm method
      *
      * @return string Signed Metadata
+     * 
+     * @throws Exception
      */
     public static function signMetadata($metadata, $key, $cert, $signAlgorithm = XMLSecurityKey::RSA_SHA256, $digestAlgorithm = XMLSecurityDSig::SHA256)
     {
@@ -215,6 +217,8 @@ public static function signMetadata($metadata, $key, $cert, $signAlgorithm = XML
      * @param bool   $wantsEncrypted Whether to include the KeyDescriptor for encryption
      *
      * @return string Metadata with KeyDescriptors
+     * 
+     * @throws Exception
      */
     public static function addX509KeyDescriptors($metadata, $cert, $wantsEncrypted = true)
     {
diff --git a/src/Saml2/Response.php b/src/Saml2/Response.php
diff --git a/src/Saml2/Settings.php b/src/Saml2/Settings.php
diff --git a/src/Saml2/Utils.php b/src/Saml2/Utils.php

Original file line number	Diff line number	Diff line change
`@@ -101,6 +101,7 @@ public static function parseFileXML($filepath, $entityId = null, $desiredNameIdF`
`101`	`101`	`* @param string $desiredSLOBinding Parse specific binding SLO endpoint`
`102`	`102`	`*`
`103`	`103`	`* @return array metadata info in php-saml settings format`
	`104`	`+ *`
`104`	`105`	`* @throws Exception`
`105`	`106`	`*/`
`106`	`107`	`public static function parseXML($xml, $entityId = null, $desiredNameIdFormat = null, $desiredSSOBinding = Constants::BINDING_HTTP_REDIRECT, $desiredSLOBinding = Constants::BINDING_HTTP_REDIRECT)`
Original file line number	Diff line number	Diff line change
`@@ -139,7 +139,7 @@ public function __construct(\OneLogin\Saml2\Settings $settings, $request = null,`
`139`	`139`	`} else {`
`140`	`140`	`$logoutRequest = $decoded;`
`141`	`141`	`}`
`142`		`- $this->id = self::getID($logoutRequest);`
	`142`	`+ $this->id = static::getID($logoutRequest);`
`143`	`143`	`}`
`144`	`144`	`$this->_logoutRequest = $logoutRequest;`
`145`	`145`	`}`
`@@ -204,7 +204,9 @@ public static function getID($request)`
`204`	`204`	`*`
`205`	`205`	`* @return array Name ID Data (Value, Format, NameQualifier, SPNameQualifier)`
`206`	`206`	`*`
	`207`	`+ * @throws Error`
`207`	`208`	`* @throws Exception`
	`209`	`+ * @throws ValidationError`
`208`	`210`	`*/`
`209`	`211`	`public static function getNameIdData($request, $key = null)`
`210`	`212`	`{`
`@@ -265,6 +267,10 @@ public static function getNameIdData($request, $key = null)`
`265`	`267`	`* @param string\|null $key The SP key`
`266`	`268`	`*`
`267`	`269`	`* @return string Name ID Value`
	`270`	`+ *`
	`271`	`+ * @throws Error`
	`272`	`+ * @throws Exception`
	`273`	`+ * @throws ValidationError`
`268`	`274`	`*/`
`269`	`275`	`public static function getNameId($request, $key = null)`
`270`	`276`	`{`
`@@ -278,6 +284,8 @@ public static function getNameId($request, $key = null)`
`278`	`284`	`* @param string\|DOMDocument $request Logout Request Message`
`279`	`285`	`*`
`280`	`286`	`* @return string\|null $issuer The Issuer`
	`287`	`+ *`
	`288`	`+ * @throws Exception`
`281`	`289`	`*/`
`282`	`290`	`public static function getIssuer($request)`
`283`	`291`	`{`
`@@ -305,6 +313,8 @@ public static function getIssuer($request)`
`305`	`313`	`* @param string\|DOMDocument $request Logout Request Message`
`306`	`314`	`*`
`307`	`315`	`* @return array The SessionIndex value`
	`316`	`+ *`
	`317`	`+ * @throws Exception`
`308`	`318`	`*/`
`309`	`319`	`public static function getSessionIndexes($request)`
`310`	`320`	`{`
`@@ -329,6 +339,9 @@ public static function getSessionIndexes($request)`
`329`	`339`	`* @param bool $retrieveParametersFromServer True if we want to use parameters from $_SERVER to validate the signature`
`330`	`340`	`*`
`331`	`341`	`* @return bool If the Logout Request is or not valid`
	`342`	`+ *`
	`343`	`+ * @throws Exception`
	`344`	`+ * @throws ValidationError`
`332`	`345`	`*/`
`333`	`346`	`public function isValid($retrieveParametersFromServer = false)`
`334`	`347`	`{`
`@@ -369,34 +382,30 @@ public function isValid($retrieveParametersFromServer = false)`
`369`	`382`	`// Check destination`
`370`	`383`	`if ($dom->documentElement->hasAttribute('Destination')) {`
`371`	`384`	`$destination = $dom->documentElement->getAttribute('Destination');`
`372`		`- if (!empty($destination)) {`
`373`		`- if (strpos($destination, $currentURL) === false) {`
`374`		`- throw new ValidationError(`
`375`		`- "The LogoutRequest was received at $currentURL instead of $destination",`
`376`		`- ValidationError::WRONG_DESTINATION`
`377`		`- );`
`378`		`- }`
	`385`	`+ if (!empty($destination) && strpos($destination, $currentURL) === false) {`
	`386`	`+ throw new ValidationError(`
	`387`	`+ "The LogoutRequest was received at $currentURL instead of $destination",`
	`388`	`+ ValidationError::WRONG_DESTINATION`
	`389`	`+ );`
`379`	`390`	`}`
`380`	`391`	`}`
`381`	`392`
`382`		`- $nameId = $this->getNameId($dom, $this->_settings->getSPkey());`
	`393`	`+ $nameId = static::getNameId($dom, $this->_settings->getSPkey());`
`383`	`394`
`384`	`395`	`// Check issuer`
`385`		`- $issuer = $this->getIssuer($dom);`
	`396`	`+ $issuer = static::getIssuer($dom);`
`386`	`397`	`if (!empty($issuer) && $issuer != $idPEntityId) {`
`387`	`398`	`throw new ValidationError(`
`388`	`399`	`"Invalid issuer in the Logout Request",`
`389`	`400`	`ValidationError::WRONG_ISSUER`
`390`	`401`	`);`
`391`	`402`	`}`
`392`	`403`
`393`		`- if ($security['wantMessagesSigned']) {`
`394`		`- if (!isset($_GET['Signature'])) {`
`395`		`- throw new ValidationError(`
`396`		`- "The Message of the Logout Request is not signed and the SP require it",`
`397`		`- ValidationError::NO_SIGNED_MESSAGE`
`398`		`- );`
`399`		`- }`
	`404`	`+ if ($security['wantMessagesSigned'] && !isset($_GET['Signature'])) {`
	`405`	`+ throw new ValidationError(`
	`406`	`+ "The Message of the Logout Request is not signed and the SP require it",`
	`407`	`+ ValidationError::NO_SIGNED_MESSAGE`
	`408`	`+ );`
`400`	`409`	`}`
`401`	`410`	`}`
`402`	`411`
Original file line number	Diff line number	Diff line change
`@@ -200,6 +200,8 @@ public static function builder($sp, $authnsign = false, $wsign = false, $validUn`
`200`	`200`	`* @param string $digestAlgorithm Digest algorithm method`
`201`	`201`	`*`
`202`	`202`	`* @return string Signed Metadata`
	`203`	`+ *`
	`204`	`+ * @throws Exception`
`203`	`205`	`*/`
`204`	`206`	`public static function signMetadata($metadata, $key, $cert, $signAlgorithm = XMLSecurityKey::RSA_SHA256, $digestAlgorithm = XMLSecurityDSig::SHA256)`
`205`	`207`	`{`
`@@ -215,6 +217,8 @@ public static function signMetadata($metadata, $key, $cert, $signAlgorithm = XML`
`215`	`217`	`* @param bool $wantsEncrypted Whether to include the KeyDescriptor for encryption`
`216`	`218`	`*`
`217`	`219`	`* @return string Metadata with KeyDescriptors`
	`220`	`+ *`
	`221`	`+ * @throws Exception`
`218`	`222`	`*/`
`219`	`223`	`public static function addX509KeyDescriptors($metadata, $cert, $wantsEncrypted = true)`
`220`	`224`	`{`