FIX: Fixed filtering of ACRs in Disco.php (#160)

Dominik František Bučík · vyskocilpavel · commit 93dae972cc7e · 2021-06-02T08:41:06.000+02:00
- wrong conditions in loop caused the filtering not to work at all (cherry picked from commit 5fcb7c7)
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,7 +1,9 @@
 # Change Log
 All notable changes to this project will be documented in this file.
- 
+
 ## [Unreleased]
+#### Fixed
+- Fixed removal of filtered authnContextClassRefs in disco
 
 ## [v5.1.0]
 #### Added
@@ -371,6 +373,7 @@ when storing one Perun attribute to more SAML attribute
 ## [v1.0.0]
 
 [Unreleased]: https://github.com/CESNET/perun-simplesamlphp-module/tree/master
+[v5.1.0]: https://github.com/CESNET/perun-simplesamlphp-module/tree/v5.1.0
 [v5.0.0]: https://github.com/CESNET/perun-simplesamlphp-module/tree/v5.0.0
 [v4.1.1]: https://github.com/CESNET/perun-simplesamlphp-module/tree/v4.1.1
 [v4.1.0]: https://github.com/CESNET/perun-simplesamlphp-module/tree/v4.1.0
diff --git a/lib/Disco.php b/lib/Disco.php
@@ -123,6 +123,7 @@ public function __construct(
                     if (isset($state['IdPMetadata']['entityid'])) {
                         $this->proxyIdpEntityId = $state['IdPMetadata']['entityid'];
                     }
+                    State::saveState($state, self::SAML_SP_SSO);
                 }
                 $e = explode("=", $returnURL)[0];
                 $newReturnURL = $e . "=" . urlencode($id);
@@ -457,11 +458,17 @@ public function removeAuthContextClassRefWithPrefixes(&$state)
         unset($state[self::SAML_REQUESTED_AUTHN_CONTEXT][self::STATE_AUTHN_CONTEXT_CLASS_REF]);
         $filteredAcrs = [];
         foreach ($this->originalAuthnContextClassRef as $acr) {
+            $acr = trim($acr);
+            $retain = true;
             foreach ($prefixes as $prefix) {
-                if (!(substr($acr, 0, strlen($prefix)) === $prefix)) {
-                    array_push($filteredAcrs, $acr);
+                if (substr($acr, 0, strlen($prefix)) === $prefix) {
+                    $retain = false;
+                    break;
                 }
             }
+            if ($retain) {
+                array_push($filteredAcrs, $acr);
+            }
         }
         if (!empty($filteredAcrs)) {
             $state[self::SAML_REQUESTED_AUTHN_CONTEXT][self::STATE_AUTHN_CONTEXT_CLASS_REF] = $filteredAcrs;

Original file line number	Diff line number	Diff line change
`@@ -123,6 +123,7 @@ public function __construct(`
`123`	`123`	`if (isset($state['IdPMetadata']['entityid'])) {`
`124`	`124`	`$this->proxyIdpEntityId = $state['IdPMetadata']['entityid'];`
`125`	`125`	`}`
	`126`	`+ State::saveState($state, self::SAML_SP_SSO);`
`126`	`127`	`}`
`127`	`128`	`$e = explode("=", $returnURL)[0];`
`128`	`129`	`$newReturnURL = $e . "=" . urlencode($id);`
`@@ -457,11 +458,17 @@ public function removeAuthContextClassRefWithPrefixes(&$state)`
`457`	`458`	`unset($state[self::SAML_REQUESTED_AUTHN_CONTEXT][self::STATE_AUTHN_CONTEXT_CLASS_REF]);`
`458`	`459`	`$filteredAcrs = [];`
`459`	`460`	`foreach ($this->originalAuthnContextClassRef as $acr) {`
	`461`	`+ $acr = trim($acr);`
	`462`	`+ $retain = true;`
`460`	`463`	`foreach ($prefixes as $prefix) {`
`461`		`- if (!(substr($acr, 0, strlen($prefix)) === $prefix)) {`
`462`		`- array_push($filteredAcrs, $acr);`
	`464`	`+ if (substr($acr, 0, strlen($prefix)) === $prefix) {`
	`465`	`+ $retain = false;`
	`466`	`+ break;`
`463`	`467`	`}`
`464`	`468`	`}`
	`469`	`+ if ($retain) {`
	`470`	`+ array_push($filteredAcrs, $acr);`
	`471`	`+ }`
`465`	`472`	`}`
`466`	`473`	`if (!empty($filteredAcrs)) {`
`467`	`474`	`$state[self::SAML_REQUESTED_AUTHN_CONTEXT][self::STATE_AUTHN_CONTEXT_CLASS_REF] = $filteredAcrs;`