44
55use SimpleSAML \Error \Exception ;
66use SimpleSAML \Logger ;
7+ use SimpleSAML \Configuration ;
78
89/**
910 * Class sspmod_perun_Auth_Process_ProxyFilter
1011 *
11- * This filter allows to disable nested filter for particular SP.
12+ * This filter allows to disable nested filter for particular SP
13+ * or for users with one of (black)listed attribute values.
14+ * When any of the values matches, the nested filter is NOT run.
1215 * SPs are defined by theirs entityID in property 'filterSPs'.
13- * nested filter is defined in property config as regular filter.
16+ * User attributes are defined as a map 'attrName'=>['value1','value2']
17+ * in property 'filterAttributes'.
18+ * Nested filter is defined in property config as regular filter.
1419 *
1520 * example usage:
1621 *
1722 * 10 => [
1823 * 'class' => 'perun:ProxyFilter',
1924 * 'filterSPs' => ['disableSpEntityId01', 'disableSpEntityId02'],
25+ * 'filterAttributes' => [
26+ * 'eduPersonPrincipalName' => ['[email protected] '], 27+ * 'eduPersonAffiliation' => ['affiliate','member'],
28+ * ],
2029 * 'config' => [
2130 * 'class' => 'perun:NestedFilter',
22- * ...
31+ * // ...
2332 * ],
2433 * ]
2534 *
@@ -31,44 +40,56 @@ class ProxyFilter extends \SimpleSAML\Auth\ProcessingFilter
3140 private $ config
3241 private $ nestedClass
3342 private $ filterSPs
43+ private $ filterAttributes
3444 private $ reserved
3545
3646 public function __construct ($ config$ reserved
3747 {
3848 parent ::__construct ($ config$ reserved
3949
40- if (!isset ($ config'config ' ])) {
41- throw new Exception (
42- "perun:ProxyFilter: missing mandatory configuration option 'config' "
43- );
44- }
45- if (!isset ($ config'config ' ]['class ' ])) {
46- throw new Exception (
47- "perun:ProxyFilter: missing mandatory configuration option config['class'] "
48- );
49- }
50- if (!isset ($ config'filterSPs ' ])) {
51- throw new Exception (
52- "perun:ProxyFilter: missing mandatory configuration option 'filterSPs'. "
53- );
54- }
50+ $ confloadFromArray ($ config
51+ $ this config = $ confgetArray ('config ' );
52+ $ this nestedClass = Configuration::loadFromArray ($ this config )->getString ('class ' );
53+ unset($ this config ['class ' ]);
54+ $ this filterSPs = $ confgetArray ('filterSPs ' , []);
55+ $ this filterAttributes = $ confgetArray ('filterAttributes ' , []);
5556
56- $ this nestedClass = (string )$ config'config ' ]['class ' ];
57- unset($ config'config ' ]['class ' ]);
58- $ this config = (array )$ config'config ' ];
59- $ this filterSPs = (array )$ config'filterSPs ' ];
6057 $ this reserved = (array )$ reserved
6158 }
6259
6360 public function process (&$ request
6461 {
6562 assert ('is_array($request) ' );
6663
64+ foreach ($ this filterAttributes as $ attr$ values
65+ if (!isset ($ request'Attributes ' ][$ attris_array ($ request'Attributes ' ][$ attr
66+ continue ;
67+ }
68+ foreach ($ valuesas $ value
69+ if (in_array ($ value$ request'Attributes ' ][$ attr
70+ Logger::info (
71+ sprintf (
72+ "perun.ProxyFilter: Filtering out filter %s because %s contains %s " ,
73+ $ this nestedClass ,
74+ $ attr
75+ $ value
76+ )
77+ );
78+
79+ return ;
80+ }
81+ }
82+ }
83+
6784 foreach ($ this filterSPs as $ sp
6885 $ currentSp$ request'Destination ' ]['entityid ' ];
6986 if ($ sp$ currentSp
7087 Logger::info (
71- "perun.ProxyFilter: Filtering out filter $ this nestedClass for SP $ currentSp
88+ sprintf (
89+ "perun.ProxyFilter: Filtering out filter %s for SP %s " ,
90+ $ this nestedClass ,
91+ $ currentSp
92+ )
7293 );
7394
7495 return ;
0 commit comments