Initial import

Author: tvdijen

.codecov.yml

@@ -0,0 +1,11 @@
+coverage:
+  status:
+    project: yes
+
+comment:
+  layout: "diff"
+  behavior: once
+  require_changes: true
+  require_base: no
+  require_head: yes
+  branches: null

.php_cs.dist

@@ -0,0 +1,15 @@
+<?php
+$finder = PhpCsFixer\Finder::create()
+    ->in([
+        __DIR__ . '/tests',
+        __DIR__ . '/www',
+    ])
+;
+return PhpCsFixer\Config::create()
+    ->setRules([
+        '@PSR2' => true,
+        '@PSR4' => true,
+        '@PSR5' => true,
+    ])
+    ->setFinder($finder)
+;

.travis.yml

@@ -0,0 +1,35 @@
+sudo: required
+
+language: php
+
+php:
+  - 5.6
+  - 7.0
+  - 7.1
+  - 7.2
+  - 7.3
+
+env:
+  - SIMPLESAMLPHP_VERSION=1.17.*
+  
+matrix:
+  allow_failures:
+    - php: 7.3
+
+before_script:
+  - composer require "simplesamlphp/simplesamlphp:${SIMPLESAMLPHP_VERSION}" --no-update
+  - composer update --no-interaction
+  - if [[ "$TRAVIS_PHP_VERSION" == "7.3" ]]; then composer require --dev vimeo/psalm:1.1.9; fi
+
+script:
+  - bin/check-syntax.sh
+  - if [[ "$TRAVIS_PHP_VERSION" == "5.6" ]]; then php vendor/phpunit/phpunit/phpunit; else php vendor/phpunit/phpunit/phpunit --no-coverage; fi
+  - if [[ "$TRAVIS_PHP_VERSION" == "7.3" ]]; then vendor/bin/psalm; fi
+
+after_success:
+  # Codecov, need to edit bash uploader for incorrect TRAVIS_PYTHON_VERSION environment variable matching, at least until codecov/codecov-bash#133 is resolved
+  - curl -s https://codecov.io/bash > .codecov
+  - sed -i -e 's/TRAVIS_.*_VERSION/^TRAVIS_.*_VERSION=/' .codecov
+  - chmod +x .codecov
+  - if [[ $TRAVIS_PHP_VERSION == "5.6" ]]; then ./.codecov -X gcov; fi
+# - if [[ "$TRAVIS_PHP_VERSION" == "5.6" ]]; then bash <(curl -s https://codecov.io/bash); fi

bin/check-syntax.sh

@@ -0,0 +1,15 @@
+#!/usr/bin/env bash
+
+PHP='/usr/bin/env php'
+RETURN=0
+
+# check PHP files
+for FILE in `find tests www -name "*.php"`; do
+    $PHP -l $FILE > /dev/null 2>&1
+    if [ $? -ne 0 ]; then
+        echo "Syntax check failed for ${FILE}"
+        RETURN=`expr ${RETURN} + 1`
+    fi
+done
+
+exit $RETURN

composer.json

@@ -0,0 +1,41 @@
+{
+    "name": "simplesamlphp/simplesamlphp-module-exampleattributeserver",
+    "description": "An example for SAML attributes queries",
+    "type": "simplesamlphp-module",
+    "keywords": ["simplesamlphp", "exampleattributeserver"],
+    "license": "LGPL-3.0-or-later",
+    "authors": [
+        {
+            "name": "Olav Morken",
+            "email": "olavmrk@gmail.com"
+        }
+    ],
+    "config": {
+        "preferred-install": {
+            "simplesamlphp/simplesamlphp": "source",
+            "*": "dist"
+        }
+    },
+    "autoload": {
+        "psr-4": {
+            "SimpleSAML\\Module\\exampleattributeserver\\": "lib/"
+        }
+    },
+    "autoload-dev": {
+        "psr-4": {
+            "SimpleSAML\\Test\\Utils\\": "vendor/simplesamlphp/simplesamlphp/tests/Utils"
+        }
+    },
+    "require": {
+        "php": ">=5.6",
+        "simplesamlphp/composer-module-installer": "~1.1"
+    },
+    "require-dev": {
+        "simplesamlphp/simplesamlphp": "^1.17",
+        "phpunit/phpunit": "~5.7"
+    },
+    "support": {
+        "issues": "https://github.com/tvdijen/simplesamlphp-module-exampleattributeserver/issues",
+        "source": "https://github.com/tvdijen/simplesamlphp-module-exampleattributeserver"
+    }
+}

default-enable

@@ -0,0 +1,3 @@
+This file indicates that the default state of this module
+is enabled. To disable, create a file named disable in the
+same directory as this file.

phpunit.xml

@@ -0,0 +1,19 @@
+<?xml version="1.0" encoding="utf-8" ?>
+<phpunit bootstrap="tests/bootstrap.php">
+    <testsuites>
+        <testsuite name="The project's test suite">
+            <directory>tests/</directory>
+        </testsuite>
+    </testsuites>
+    <filter>
+        <whitelist processUncoveredFilesFromWhitelist="true">
+            <directory suffix=".php">./lib</directory>
+        </whitelist>
+    </filter>
+    <logging>
+        <log type="coverage-text" target="php://stdout" showUncoveredFiles="true" />
+        <log type="coverage-html" target="build/coverage" title="PHP Coveralls" charset="UTF-8" yui="true" highlight="true" lowUpperBound="35" highLowerBound="70" />
+        <log type="coverage-clover" target="build/logs/clover.xml" />
+    </logging>
+</phpunit>
+

psalm.xml

@@ -0,0 +1,30 @@
+<?xml version="1.0"?>
+<psalm
+    name="SimpleSAMLphp exampleattributeserver module"
+    useDocblockTypes="true"
+    totallyTyped="false"
+>
+    <projectFiles>
+        <directory name="www" />
+    </projectFiles>
+
+    <issueHandlers>
+        <LessSpecificReturnType errorLevel="info" />
+
+        <!-- level 3 issues - slightly lazy code writing, but probably low false-negatives -->
+        <DeprecatedMethod errorLevel="info" />
+
+        <MissingClosureReturnType errorLevel="info" />
+        <MissingReturnType errorLevel="info" />
+        <MissingPropertyType errorLevel="info" />
+        <InvalidDocblock errorLevel="info" />
+        <MisplacedRequiredParam errorLevel="info" />
+
+        <PropertyNotSetInConstructor errorLevel="info" />
+        <MissingConstructor errorLevel="info" />
+        <MissingClosureParamType errorLevel="info" />
+        <MissingParamType errorLevel="info" />
+        <UnusedClass errorLevel="info" />
+        <PossiblyUnusedMethod errorLevel="info" />
+    </issueHandlers>
+</psalm>

tests/bootstrap.php

@@ -0,0 +1,11 @@
+<?php
+
+$projectRoot = dirname(__DIR__);
+require_once($projectRoot.'/vendor/autoload.php');
+
+// Symlink module into ssp vendor lib so that templates and urls can resolve correctly
+$linkPath = $projectRoot.'/vendor/simplesamlphp/simplesamlphp/modules/exampleattributeserver';
+if (file_exists($linkPath) === false) {
+    echo "Linking '$linkPath' to '$projectRoot'\n";
+    symlink($projectRoot, $linkPath);
+}

www/attributeserver.php

@@ -0,0 +1,93 @@
+<?php
+
+$metadata = \SimpleSAML\Metadata\MetaDataStorageHandler::getMetadataHandler();
+
+$binding = \SAML2\Binding::getCurrentBinding();
+$query = $binding->receive();
+if (!($query instanceof \SAML2\AttributeQuery)) {
+    throw new \SimpleSAML\Error\BadRequest('Invalid message received to AttributeQuery endpoint.');
+}
+
+$idpEntityId = $metadata->getMetaDataCurrentEntityID('saml20-idp-hosted');
+
+$issuer = $query->getIssuer();
+if ($issuer === null) {
+    throw new \SimpleSAML\Error\BadRequest('Missing <saml:Issuer> in <samlp:AttributeQuery>.');
+} elseif (is_string($issuer)) {
+    $spEntityId = $issuer;
+} else {
+    $spEntityId = $issuer->getValue();
+}
+
+$idpMetadata = $metadata->getMetaDataConfig($idpEntityId, 'saml20-idp-hosted');
+$spMetadata = $metadata->getMetaDataConfig($spEntityId, 'saml20-sp-remote');
+
+// The endpoint we should deliver the message to
+$endpoint = $spMetadata->getString('testAttributeEndpoint');
+
+// The attributes we will return
+$attributes = [
+    'name' => ['value1', 'value2', 'value3'],
+    'test' => ['test'],
+];
+
+// The name format of the attributes
+$attributeNameFormat = \SAML2\Constants::NAMEFORMAT_UNSPECIFIED;
+
+// Determine which attributes we will return
+$returnAttributes = array_keys($query->getAttributes());
+if (count($returnAttributes) === 0) {
+    SimpleSAML\Logger::debug('No attributes requested - return all attributes.');
+    $returnAttributes = $attributes;
+} elseif ($query->getAttributeNameFormat() !== $attributeNameFormat) {
+    SimpleSAML\Logger::debug('Requested attributes with wrong NameFormat - no attributes returned.');
+    $returnAttributes = [];
+} else {
+    foreach ($returnAttributes as $name => $values) {
+        /** @var array $values */
+        if (!array_key_exists($name, $attributes)) {
+            // We don't have this attribute
+            unset($returnAttributes[$name]);
+            continue;
+        }
+        if (count($values) === 0) {
+            // Return all attributes
+            $returnAttributes[$name] = $attributes[$name];
+            continue;
+        }
+
+        // Filter which attribute values we should return
+        $returnAttributes[$name] = array_intersect($values, $attributes[$name]);
+    }
+}
+
+// $returnAttributes contains the attributes we should return. Send them
+$assertion = new \SAML2\Assertion();
+$assertion->setIssuer($idpEntityId);
+$assertion->setNameId($query->getNameId());
+$assertion->setNotBefore(time());
+$assertion->setNotOnOrAfter(time() + 300); // 60*5 = 5min
+$assertion->setValidAudiences([$spEntityId]);
+$assertion->setAttributes($returnAttributes);
+$assertion->setAttributeNameFormat($attributeNameFormat);
+
+$sc = new \SAML2\XML\saml\SubjectConfirmation();
+$sc->Method = \SAML2\Constants::CM_BEARER;
+$sc->SubjectConfirmationData = new \SAML2\XML\saml\SubjectConfirmationData();
+$sc->SubjectConfirmationData->setNotOnOrAfter(time() + 300); // 60*5 = 5min
+$sc->SubjectConfirmationData->setRecipient($endpoint);
+$sc->SubjectConfirmationData->setInResponseTo($query->getId());
+$assertion->setSubjectConfirmation([$sc]);
+
+\SimpleSAML\Module\saml\Message::addSign($idpMetadata, $spMetadata, $assertion);
+
+$response = new \SAML2\Response();
+$response->setRelayState($query->getRelayState());
+$response->setDestination($endpoint);
+$response->setIssuer($idpEntityId);
+$response->setInResponseTo($query->getId());
+$response->setAssertions([$assertion]);
+\SimpleSAML\Module\saml\Message::addSign($idpMetadata, $spMetadata, $response);
+
+$binding = new \SAML2\HTTPPost();
+$binding->send($response);