feat: 🎸 AuthProcFilter QualifyNameID

Dominik Frantisek Bucik · Dominik Frantisek Bucik · commit 1f8bd750bb60 · 2022-04-01T20:04:52.000+02:00
Adds configured qualifiers into NameID attribute
diff --git a/config-templates/processFilterConfigurations-example.md b/config-templates/processFilterConfigurations-example.md
@@ -243,3 +243,25 @@ Configuration options:
     'attribute_names' => ['aup', 'eppn', 'eduPersonTargetedID']
 ],
 ```
+
+## QualifyNameID
+
+Adds qualifiers into NameID based on the configuration
+
+Configuration options:
+* `name_id_attribute`: Attribute (NameID) which should be qualified
+* `name_qualifier_attribute`: User attribute with value, which will be set as the NameQualifier part of the NameID. Leave empty to use static value configured via option `name_qualifier`.
+* `name_qualifier`: Static value which will be set as the NameQualifier part of the NameID.
+* `sp_name_qualifier_attribute`: User attribute with value, which will be set as the SPNameQualifier part of the NameID. Leave empty to use static value configured via option `sp_name_qualifier`.
+* `sp_name_qualifier`: Static value which will be set as the SPNameQualifier part of the NameID.
+
+```php
+11 => [
+    'class' => 'perun:QualifyNameID',
+    'name_id_attribute' => 'eduPersonTargetedID',
+    'name_qualifier_attribute' => 'SourceIdPEntityID',
+    'name_qualifier' => 'https://login.cesnet.cz/idp/',
+    'sp_name_qualifier_attribute' => 'ProxyEntityID',
+    'sp_name_qualifier' => 'https://login.cesnet.cz/proxy/',
+],
+```
diff --git a/lib/Auth/Process/QualifyNameID.php b/lib/Auth/Process/QualifyNameID.php
@@ -0,0 +1,107 @@
+<?php
+
+declare(strict_types=1);
+
+namespace SimpleSAML\Module\perun\Auth\Process;
+
+use SAML2\XML\saml\NameID;
+use SimpleSAML\Auth\ProcessingFilter;
+use SimpleSAML\Configuration;
+use SimpleSAML\Error\Exception;
+use SimpleSAML\Logger;
+use SimpleSAML\Module\perun\PerunConstants;
+
+/**
+ * Adds qualifiers to the NameID object.
+ */
+class QualifyNameID extends ProcessingFilter
+{
+    public const STAGE = 'perun:QualifyNameID';
+    public const DEBUG_PREFIX = self::STAGE . ' - ';
+
+    public const NAME_ID_CLASS = 'SAML2\XML\saml\NameID';
+
+    public const NAME_ID_ATTRIBUTE = 'name_id_attribute';
+    public const NAME_QUALIFIER = 'name_qualifier';
+    public const NAME_QUALIFIER_ATTRIBUTE = 'name_qualifier_attribute';
+    public const SP_NAME_QUALIFIER = 'sp_name_qualifier';
+    public const SP_NAME_QUALIFIER_ATTRIBUTE = 'sp_name_qualifier_attribute';
+
+    private $targetedIdAttribute;
+    private $nameQualifier;
+    private $nameQualifierAttribute;
+    private $spNameQualifier;
+    private $spNameQualifierAttribute;
+    private $filterConfig;
+
+    public function __construct($config, $reserved)
+    {
+        parent::__construct($config, $reserved);
+        $filterConfig = Configuration::loadFromArray($config);
+
+        $this->targetedIdAttribute = $this->filterConfig->getString(self::NAME_ID_ATTRIBUTE, null);
+        if (empty($this->targetedIdAttribute)) {
+            throw new Exception(
+                self::DEBUG_PREFIX . 'missing mandatory configuration for option \'' . self::NAME_ID_ATTRIBUTE . '\''
+            );
+        }
+
+        $this->nameQualifier = $this->filterConfig->getString(self::NAME_QUALIFIER, null);
+        $this->nameQualifierAttribute = $this->filterConfig->getString(self::NAME_QUALIFIER_ATTRIBUTE, null);
+        if (empty ($this->nameQualifier) && empty($this->nameQualifierAttribute)) {
+            throw new Exception(
+                self::DEBUG_PREFIX . 'missing mandatory configuration for option \''
+                . self::NAME_QUALIFIER . '\' or \'' . self::NAME_QUALIFIER_ATTRIBUTE . '\', one must be configured.'
+            );
+        }
+
+        $this->spNameQualifier = $this->filterConfig->getString(self::SP_NAME_QUALIFIER, null);
+        $this->spNameQualifierAttribute = $this->filterConfig->getString(self::SP_NAME_QUALIFIER_ATTRIBUTE, null);
+        if (empty($this->spNameQualifier) && empty($this->spNameQualifierAttribute)) {
+            throw new Exception(
+                self::DEBUG_PREFIX . 'missing mandatory configuration for option \''
+                . self::SP_NAME_QUALIFIER . '\' or \'' . self::SP_NAME_QUALIFIER_ATTRIBUTE . '\', one must be configured.'
+            );
+        }
+    }
+
+    public function process(&$request)
+    {
+        assert(is_array($request));
+        assert(!empty(PerunConstants::ATTRIBUTES));
+
+        if (!empty($request[PerunConstants::ATTRIBUTES][$this->targetedIdAttribute])) {
+            $attributeValue = &$request[PerunConstants::ATTRIBUTES][$this->targetedIdAttribute][0];
+            if (self::NAME_ID_CLASS === get_class($attributeValue)) {
+                $nameQualifier = $request[PerunConstants::ATTRIBUTES][$this->nameQualifierAttribute][0] ?? $this->nameQualifier;
+                if (empty($nameQualifier)) {
+                    throw new Exception(self::DEBUG_PREFIX . 'NameQualifier is not available');
+                }
+                $spNameQualifier = $request[PerunConstants::ATTRIBUTES][$this->spNameQualifierAttribute][0] ?? $this->spNameQualifier;
+                if (empty($spNameQualifier)) {
+                    throw new Exception(self::DEBUG_PREFIX . 'SPNameQualifier is not available');
+                }
+                $this->qualify($attributeValue, $nameQualifier, $spNameQualifier);
+                Logger::debug(
+                    self::DEBUG_PREFIX . 'Qualification done successfully for attribute \'' . $this->targetedIdAttribute
+                    . '\' (SPNameQualifier: ' . $spNameQualifier . ', NameQualifier: ' . $nameQualifier . ').'
+                );
+            } else {
+                Logger::debug(
+                    self::DEBUG_PREFIX . 'Cannot qualify, class of the attribute \'' . $this->targetedIdAttribute
+                    . '\' (' . get_class($attributeValue) . ') is not equal to ' . self::NAME_ID_CLASS . '.'
+                );
+            }
+        } else {
+            Logger::debug(
+                self::DEBUG_PREFIX . 'Attribute \'' . $this->targetedIdAttribute . '\' not available, cannot qualify.'
+            );
+        }
+    }
+
+    private function qualify(NameID $attributeValue, string $nameQualifier, string $spNameQualifier)
+    {
+        $attributeValue->setNameQualifier($nameQualifier);
+        $attributeValue->setSPNameQualifier($spNameQualifier);
+    }
+}
