Merge branch 'release/4.6'

Boy Baukema · Boy Baukema · commit 46b9967488a0 · 2015-12-17T11:20:14.000+01:00
# Conflicts:
#	composer.json
#	composer.lock
#	vendor/openconext/engineblock-metadata/composer.lock
diff --git a/application/modules/Api/Controller/Connections.php b/application/modules/Api/Controller/Connections.php
@@ -1,47 +1,15 @@
 <?php
 
 use OpenConext\Component\EngineBlockMetadata\Entity\Assembler\JanusPushMetadataAssembler;
-use OpenConext\Component\EngineBlockMetadata\Entity\IdentityProvider;
-use OpenConext\Component\EngineBlockMetadata\Entity\ServiceProvider;
 use OpenConext\Component\EngineBlockMetadata\MetadataRepository\DoctrineMetadataRepository;
-use OpenConext\Component\EngineBlockMetadata\Service\JanusPushMetadataSynchronizer;
 
 class Api_Controller_Connections extends EngineBlock_Controller_Abstract
 {
     public function indexAction()
     {
         $this->setNoRender();
 
-        $configuration = EngineBlock_ApplicationSingleton::getInstance()->getConfigurationValue('engineApi');
-
-        if (!$configuration) {
-            throw new EngineBlock_Exception('API access disabled');
-        }
-
-        if (!isset($_SERVER['PHP_AUTH_USER']) || !isset($_SERVER['PHP_AUTH_PW'])) {
-            header('WWW-Authenticate: Basic realm="EngineBlock API"');
-            header('HTTP/1.1 401 Unauthorized');
-            echo json_encode('Unauthenticated');
-            exit;
-        }
-
-        if ($_SERVER['PHP_AUTH_USER'] !== $configuration->user) {
-            header('WWW-Authenticate: Basic realm="EngineBlock API"');
-            header('HTTP/1.1 401 Unauthorized');
-            echo json_encode('Invalid credentials');
-            exit;
-        }
-
-        if ($_SERVER['PHP_AUTH_PW'] !== $configuration->password) {
-            header('WWW-Authenticate: Basic realm="EngineBlock API"');
-            header('HTTP/1.1 401 Unauthorized');
-            echo json_encode('Invalid credentials');
-            exit;
-        }
-
-        if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
-            header('HTTP/1.1 400 Bad Request');
-            echo json_encode('Not a POST request');
+        if (!$this->requireApiAuth()) {
             return;
         }
 
@@ -58,15 +26,19 @@ public function indexAction()
         $connections = json_decode($body);
 
         if (!$connections) {
-            header('HTTP/1.1 400 Bad Request');
-            echo json_encode('Unable to decode body as JSON');
-            exit;
+            $this->_getResponse()->setStatus(400, 'Bad Request');
+            $this->_getResponse()->setBody(
+              json_encode('Unable to decode body as JSON')
+            );
+            return;
         }
 
         if (!is_object($connections) || !isset($connections->connections) && !is_object($connections->connections)) {
-            header('HTTP/1.1 400 Bad Request');
-            echo json_encode('Unrecognized structure for JSON');
-            exit;
+            $this->_getResponse()->setStatus(400, 'Bad Request');
+            $this->_getResponse()->setBody(
+              json_encode('Unrecognized structure for JSON')
+            );
+            return;
         }
 
         $assembler = new JanusPushMetadataAssembler();
@@ -78,6 +50,57 @@ public function indexAction()
         );
         $result = $doctrineRepository->synchronize($roles);
 
-        echo json_encode($result);
+        $this->_getResponse()->setBody(json_encode($result));
+    }
+
+    public function testAction()
+    {
+        if (!$this->requireApiAuth()) {
+            return;
+        }
+    }
+
+    private function requireApiAuth()
+    {
+        $configuration = EngineBlock_ApplicationSingleton::getInstance()->getConfigurationValue('engineApi');
+
+        if (!$configuration) {
+            throw new EngineBlock_Exception('API access disabled');
+        }
+
+        if (!isset($_SERVER['PHP_AUTH_USER']) || !isset($_SERVER['PHP_AUTH_PW'])) {
+            $this->setNoRender();
+            $this->_getResponse()->setHeader(
+              'WWW-Authenticate',
+              'Basic realm="EngineBlock API'
+            );
+            $this->_getResponse()->setStatus(401, 'Unauthorized');
+            $this->_getResponse()->setBody(json_encode('Unauthenticated'));
+            return false;
+        }
+
+        if ($_SERVER['PHP_AUTH_USER'] !== $configuration->user) {
+            $this->setNoRender();
+            $this->_getResponse()->setHeader(
+              'WWW-Authenticate',
+              'Basic realm="EngineBlock API'
+            );
+            $this->_getResponse()->setStatus(401, 'Unauthorized');
+            $this->_getResponse()->setBody(json_encode('Invalid credentials'));
+            return false;
+        }
+
+        if ($_SERVER['PHP_AUTH_PW'] !== $configuration->password) {
+            $this->setNoRender();
+            $this->_getResponse()->setHeader(
+              'WWW-Authenticate',
+              'Basic realm="EngineBlock API'
+            );
+            $this->_getResponse()->setStatus(401, 'Unauthorized');
+            $this->_getResponse()->setBody(json_encode('Invalid credentials'));
+            return false;
+        }
+
+        return true;
     }
 }
diff --git a/application/modules/Api/View/Connections/Test.phtml b/application/modules/Api/View/Connections/Test.phtml
@@ -0,0 +1,21 @@
+<div style="text-align: center; margin-bottom: 1rem">
+  <button class="submit c-button" style="padding: 1em">PUSH</button>
+</div>
+
+<label for="connections-json" style="font-size: large; font-weight: bolder; display: block">JSON:</label>
+<textarea id="connections-json" rows="50" cols="120"></textarea>
+
+<div style="text-align: center; margin-top: 1rem">
+  <button class="submit c-button" style="padding: 1em">PUSH</button>
+</div>
+
+<script>
+  window.setTimeout(
+    function() {
+      $('button').on('click', function() {
+        $.post('index', $('textarea').val());
+      });
+    },
+    3000
+  );
+</script>
diff --git a/application/modules/Api/View/Index/Index.phtml b/application/modules/Api/View/Index/Index.phtml
@@ -15,9 +15,11 @@ $layout->footerText = $this->t('footer');
         <div class="main">
             <h1>Welcome to the EngineBlock API index page!</h1>
             <p>
-                We currently only support 1 action, pushing metadata configuration.
-                To do this POST a valid JSON document with 'connections' to /connections,
-                using the engineApi.user and engineApi.password in HTTP Basic authentication.
+                We currently only support 1 action, pushing metadata configuration. <br>
+                To do this POST a valid JSON document with 'connections' to /connections, <br>
+                using the engineApi.user and engineApi.password in HTTP Basic authentication. <br><br>
+
+                To test this go here: <a href="/api/connections/test">/api/connections/test</a>
             </p>
         </div>
     </div>
diff --git a/docs/release_notes/4.6.4.md b/docs/release_notes/4.6.4.md
@@ -0,0 +1,9 @@
+# OpenConext EngineBlock v4.6.4 Release Notes #
+
+Push Metadata improvements.
+
+* Downgrade notice about multivalued attributes to info
+* [Remove `libxml_disable_entity_loader()` call #180](https://github.com/OpenConext/OpenConext-engineblock/issues/180)
+* [error while pushing metadata #212](https://github.com/OpenConext/OpenConext-engineblock/issues/212)
+* [Metadata Push: DisplayName missing #223](https://github.com/OpenConext/OpenConext-engineblock/issues/223)
+* Added metadata push test client on `/api/connections/test`.
diff --git a/library/EngineBlock/Application/Bootstrapper.php b/library/EngineBlock/Application/Bootstrapper.php
@@ -186,8 +186,6 @@ protected function _bootstrapPhpSettings()
     {
         $settings = $this->_application->getConfiguration()->phpSettings->toArray();
         $this->_setIniSettings($settings);
-        // prevent any XXE attacks when processing XML
-        libxml_disable_entity_loader();
     }
 
     protected function _setIniSettings($settings, $prefix = '')
diff --git a/library/EngineBlock/Corto/Filter/Command/AddEduPersonTargettedId.php b/library/EngineBlock/Corto/Filter/Command/AddEduPersonTargettedId.php
@@ -34,8 +34,7 @@ public function execute()
         );
 
         // EPTID requires us to embed the <saml:NameID> element instead of just the value, so we generate that here.
-        $document = new DOMDocument();
-        $document->loadXML('<base />');
+        $document = SAML2_DOMDocumentFactory::fromString('<base />');
         SAML2_Utils::addNameId($document->documentElement, $nameId);
 
         // Add the eduPersonTargetedId attribute.
diff --git a/library/EngineBlock/Corto/Mapper/Legacy/ResponseTranslator.php b/library/EngineBlock/Corto/Mapper/Legacy/ResponseTranslator.php
@@ -43,8 +43,7 @@ public function fromOldFormat(array $legacyResponse)
         $legacyResponse = EngineBlock_Corto_XmlToArray::registerNamespaces($legacyResponse);
         $xml = EngineBlock_Corto_XmlToArray::array2xml($legacyResponse);
 
-        $document = new DOMDocument();
-        $document->loadXML($xml);
+        $document = SAML2_DOMDocumentFactory::fromString($xml);
 
         $response = new SAML2_Response($document->firstChild);
         $annotatedResponse = new EngineBlock_Saml2_ResponseAnnotationDecorator($response);
diff --git a/library/EngineBlock/Corto/Module/Bindings.php b/library/EngineBlock/Corto/Module/Bindings.php
@@ -460,8 +460,7 @@ protected function validateXml($xml)
     {
         $schemaUrl = 'http://docs.oasis-open.org/security/saml/v2.0/saml-schema-protocol-2.0.xsd';
         if ($this->_server->getConfig('debug') && ini_get('allow_url_fopen') && file_exists($schemaUrl)) {
-            $dom = new DOMDocument();
-            $dom->loadXML($xml);
+            $dom = SAML2_DOMDocumentFactory::fromString($xml);
             if (!$dom->schemaValidate($schemaUrl)) {
                 throw new Exception('Message XML doesnt validate against XSD at Oasis-open.org?!');
             }
diff --git a/library/EngineBlock/Corto/ProxyServer.php b/library/EngineBlock/Corto/ProxyServer.php
@@ -925,7 +925,7 @@ public function sign(array $element)
         );
 
         // Convert the XMl object to actual XML and get a reference to what we're about to sign
-        $canonicalXmlDom = new DOMDocument();
+        $canonicalXmlDom = SAML2_DOMDocumentFactory::create();
         $canonicalXmlDom->loadXML(EngineBlock_Corto_XmlToArray::array2xml($element));
 
         // Note that the current element may not be the first or last, because we might include comments, so look for
@@ -948,8 +948,9 @@ public function sign(array $element)
 
         // Now we start the actual signing, instead of signing the entire (possibly large) document,
         // we only sign the 'SignedInfo' which includes the 'Reference' hash
-        $canonicalXml2Dom = new DOMDocument();
-        $canonicalXml2Dom->loadXML(EngineBlock_Corto_XmlToArray::array2xml($signature['ds:SignedInfo']));
+        $canonicalXml2Dom = SAML2_DOMDocumentFactory::fromString(
+          EngineBlock_Corto_XmlToArray::array2xml($signature['ds:SignedInfo'])
+        );
         $canonicalXml2 = $canonicalXml2Dom->firstChild->C14N(true, false);
 
         $signatureValue = null;
diff --git a/library/EngineBlock/Saml2/MessageSerializer.php b/library/EngineBlock/Saml2/MessageSerializer.php
@@ -28,8 +28,7 @@ public function serialize(SAML2_Message $samlMessage)
     public function deserialize($samlMessageXml, $class)
     {
         $elementName = $this->getElementForClass($class);
-        $document = new DOMDocument();
-        $document->loadXML($samlMessageXml);
+        $document = SAML2_DOMDocumentFactory::fromString($samlMessageXml);
         $messageDomElement = $document->getElementsByTagNameNs('urn:oasis:names:tc:SAML:2.0:protocol', $elementName)->item(0);
         if ($class === 'SAML2_AuthnRequest') {
             return SAML2_AuthnRequest::fromXML($messageDomElement);
diff --git a/library/EngineBlock/Xml/Validator.php b/library/EngineBlock/Xml/Validator.php
@@ -34,8 +34,7 @@ public function validate($xml)
 
         $schemaXml = $this->_absolutizeSchemaLocations($schemaXml, $this->_schemaLocation);
 
-        $dom = new DOMDocument();
-        $dom->loadXML($xml);
+        $dom = SAML2_DOMDocumentFactory::fromString($xml);
         if (!@$dom->schemaValidateSource($schemaXml)) {
             $errorInfo = error_get_last();
             $errorMessage = $errorInfo['message'];

Original file line number	Diff line number	Diff line change
`@@ -186,8 +186,6 @@ protected function _bootstrapPhpSettings()`
`186`	`186`	`{`
`187`	`187`	`$settings = $this->_application->getConfiguration()->phpSettings->toArray();`
`188`	`188`	`$this->_setIniSettings($settings);`
`189`		`- // prevent any XXE attacks when processing XML`
`190`		`- libxml_disable_entity_loader();`
`191`	`189`	`}`
`192`	`190`
`193`	`191`	`protected function _setIniSettings($settings, $prefix = '')`
Original file line number	Diff line number	Diff line change
`@@ -460,8 +460,7 @@ protected function validateXml($xml)`
`460`	`460`	`{`
`461`	`461`	`$schemaUrl = 'http://docs.oasis-open.org/security/saml/v2.0/saml-schema-protocol-2.0.xsd';`
`462`	`462`	`if ($this->_server->getConfig('debug') && ini_get('allow_url_fopen') && file_exists($schemaUrl)) {`
`463`		`- $dom = new DOMDocument();`
`464`		`- $dom->loadXML($xml);`
	`463`	`+ $dom = SAML2_DOMDocumentFactory::fromString($xml);`
`465`	`464`	`if (!$dom->schemaValidate($schemaUrl)) {`
`466`	`465`	`throw new Exception('Message XML doesnt validate against XSD at Oasis-open.org?!');`
`467`	`466`	`}`