allow attribute filters in ProxyFilter

Author: melanger

lib/Auth/Process/ProxyFilter.php

@@ -8,18 +8,26 @@
 /**
  * Class sspmod_perun_Auth_Process_ProxyFilter
  *
- * This filter allows to disable nested filter for particular SP.
+ * This filter allows to disable nested filter for particular SP
+ * or for users with one of (black)listed attribute values.
+ * When any of the values matches, the nested filter is NOT run.
  * SPs are defined by theirs entityID in property 'filterSPs'.
- * nested filter is defined in property config as regular filter.
+ * User attributes are defined as a map 'attrName'=>['value1','value2']
+ * in property 'filterAttributes'.
+ * Nested filter is defined in property config as regular filter.
  *
  * example usage:
  *
  * 10 => [
  *        'class' => 'perun:ProxyFilter',
  *        'filterSPs' => ['disableSpEntityId01', 'disableSpEntityId02'],
+ *        'filterAttributes' => [
+ *            'eduPersonPrincipalName' => ['[email protected]'],
+ *            'eduPersonAffiliation' => ['affiliate','member'],
+ *        ],
  *        'config' => [
  *            'class' => 'perun:NestedFilter',
- *            ...
+ *            // ...
  *        ],
  * ]
  *
@@ -31,44 +39,56 @@ class ProxyFilter extends \SimpleSAML\Auth\ProcessingFilter
     private $config;
     private $nestedClass;
     private $filterSPs;
+    private $filterAttributes;
     private $reserved;
 
     public function __construct($config, $reserved)
     {
         parent::__construct($config, $reserved);
 
-        if (!isset($config['config'])) {
-            throw new Exception(
-                "perun:ProxyFilter: missing mandatory configuration option 'config'"
-            );
-        }
-        if (!isset($config['config']['class'])) {
-            throw new Exception(
-                "perun:ProxyFilter: missing mandatory configuration option config['class']"
-            );
-        }
-        if (!isset($config['filterSPs'])) {
-            throw new Exception(
-                "perun:ProxyFilter: missing mandatory configuration option 'filterSPs'."
-            );
-        }
+        $conf = SimpleSAML\Configuration::loadFromArray($config);
+        $this->config = $conf->getArray('config');
+        $this->nestedClass = SimpleSAML\Configuration::loadFromArray($this->config)->getString('class');
+        unset($this->config['class']);
+        $this->filterSPs = $conf->getArray('filterSPs', []);
+        $this->filterAttributes = $conf->getArray('filterAttributes', []);
 
-        $this->nestedClass = (string)$config['config']['class'];
-        unset($config['config']['class']);
-        $this->config = (array)$config['config'];
-        $this->filterSPs = (array)$config['filterSPs'];
         $this->reserved = (array)$reserved;
     }
 
     public function process(&$request)
     {
         assert('is_array($request)');
 
+        foreach ($this->filterAttributes as $attr => $values) {
+            if (!isset($request['Attributes'][$attr]) || !is_array($request['Attributes'][$attr])) {
+                continue;
+            }
+            foreach ($values as $value) {
+                if (in_array($value, $request['Attributes'][$attr])) {
+                    Logger::info(
+                        sprintf(
+                            "perun.ProxyFilter: Filtering out filter %s because %s contains %s",
+                            $this->nestedClass,
+                            $attr,
+                            $value
+                        );
+                    );
+
+                    return;
+                }
+            }
+        }
+
         foreach ($this->filterSPs as $sp) {
             $currentSp = $request['Destination']['entityid'];
             if ($sp == $currentSp) {
                 Logger::info(
-                    "perun.ProxyFilter: Filtering out filter $this->nestedClass for SP $currentSp"
+                    sprintf(
+                        "perun.ProxyFilter: Filtering out filter %s for SP %s",
+                        $this->nestedClass,
+                        $currentSp
+                    );
                 );
 
                 return;