Commit 4d0e9f69 authored by Piers Harding's avatar Piers Harding Committed by Robert Lyon

Bug 1707535: Auth/SAML - fix ACS endpoints

behatnotneeded

Change-Id: I09c20bd1b030b7976f2128f4476b2a9f4b7c623b
parent c01b02cb
...@@ -66,7 +66,7 @@ $config = array ( ...@@ -66,7 +66,7 @@ $config = array (
* Setup the following parameters to match the directory of your installation. * Setup the following parameters to match the directory of your installation.
* See the user manual for more details. * See the user manual for more details.
*/ */
'baseurlpath' => 'simplesaml/', 'baseurlpath' => get_config('wwwroot') . 'auth/saml/sp/',
'certdir' => 'cert/', 'certdir' => 'cert/',
'loggingdir' => '/tmp/', 'loggingdir' => '/tmp/',
'datadir' => 'data/', 'datadir' => 'data/',
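Review bot: `get_config()` is a Mahara function, but this is SimpleSAMLphp's own config.php and is read by the SimpleSAMLphp bootstrap, so if any code path loads this config before Mahara's init has defined `get_config` the request dies with an undefined-function fatal; the load order should be confirmed (I cannot see it from this hunk) or the line guarded with `function_exists('get_config')`. Pinning `baseurlpath` to the configured wwwroot instead of the old relative `simplesaml/` is a welcome hardening, since generated SP URLs presumably no longer depend on the request's Host header. The concatenation assumes wwwroot carries a trailing slash; a one-line comment such as `// Mahara's wwwroot always ends in '/', so no separator is needed here` would make that explicit. Unchanged context, but worth a follow-up: `'loggingdir' => '/tmp/'` writes SAML logs into a world-shared directory rather than somewhere under dataroot.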
...@@ -73,7 +73,7 @@ $slosvcdefault = array( ...@@ -73,7 +73,7 @@ $slosvcdefault = array(
); );
$slob = $spconfig->getArray('SingleLogoutServiceBinding', $slosvcdefault); $slob = $spconfig->getArray('SingleLogoutServiceBinding', $slosvcdefault);
$slol = get_config('wwwroot') . "auth/saml/sp/saml2-logout.php/{$sourceId}"; $slol = get_config('wwwroot') . "auth/saml/sp/module.php/saml/sp/saml2-logout.php/{$sourceId}";
foreach ($slob as $binding) { foreach ($slob as $binding) {
if ($binding == SAML2_Const::BINDING_SOAP && !($store instanceof SimpleSAML_Store_SQL)) { if ($binding == SAML2_Const::BINDING_SOAP && !($store instanceof SimpleSAML_Store_SQL)) {
...@@ -107,23 +107,23 @@ foreach ($assertionsconsumerservices as $services) { ...@@ -107,23 +107,23 @@ foreach ($assertionsconsumerservices as $services) {
switch ($services) { switch ($services) {
case 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST': case 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST':
$acsArray['Binding'] = SAML2_Const::BINDING_HTTP_POST; $acsArray['Binding'] = SAML2_Const::BINDING_HTTP_POST;
$acsArray['Location'] = get_config('wwwroot') . "auth/saml/sp/saml2-acs.php/{$sourceId}"; $acsArray['Location'] = get_config('wwwroot') . "auth/saml/sp/module.php/saml/sp/saml2-acs.php/{$sourceId}";
break; break;
case 'urn:oasis:names:tc:SAML:1.0:profiles:browser-post': case 'urn:oasis:names:tc:SAML:1.0:profiles:browser-post':
$acsArray['Binding'] = 'urn:oasis:names:tc:SAML:1.0:profiles:browser-post'; $acsArray['Binding'] = 'urn:oasis:names:tc:SAML:1.0:profiles:browser-post';
$acsArray['Location'] = get_config('wwwroot') . "auth/saml/sp/saml1-acs.php/{$sourceId}"; $acsArray['Location'] = get_config('wwwroot') . "auth/saml/sp/module.php/saml/sp/saml1-acs.php/{$sourceId}";
break; break;
case 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact': case 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact':
$acsArray['Binding'] = 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact'; $acsArray['Binding'] = 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact';
$acsArray['Location'] = get_config('wwwroot') . "auth/saml/sp/saml2-acs.php/{$sourceId}"; $acsArray['Location'] = get_config('wwwroot') . "auth/saml/sp/module.php/saml/sp/saml2-acs.php/{$sourceId}";
break; break;
case 'urn:oasis:names:tc:SAML:1.0:profiles:artifact-01': case 'urn:oasis:names:tc:SAML:1.0:profiles:artifact-01':
$acsArray['Binding'] = 'urn:oasis:names:tc:SAML:1.0:profiles:artifact-01'; $acsArray['Binding'] = 'urn:oasis:names:tc:SAML:1.0:profiles:artifact-01';
$acsArray['Location'] = get_config('wwwroot') . "auth/saml/sp/saml1-acs.php/{$sourceId}".'/artifact'; $acsArray['Location'] = get_config('wwwroot') . "auth/saml/sp/module.php/saml/sp/saml1-acs.php/{$sourceId}".'/artifact';
break; break;
case 'urn:oasis:names:tc:SAML:2.0:profiles:holder-of-key:SSO:browser': case 'urn:oasis:names:tc:SAML:2.0:profiles:holder-of-key:SSO:browser':
$acsArray['Binding'] = 'urn:oasis:names:tc:SAML:2.0:profiles:holder-of-key:SSO:browser'; $acsArray['Binding'] = 'urn:oasis:names:tc:SAML:2.0:profiles:holder-of-key:SSO:browser';
$acsArray['Location'] = get_config('wwwroot') . "auth/saml/sp/saml2-acs.php/{$sourceId}"; $acsArray['Location'] = get_config('wwwroot') . "auth/saml/sp/module.php/saml/sp/saml2-acs.php/{$sourceId}";
$acsArray['hoksso:ProtocolBinding'] = SAML2_Const::BINDING_HTTP_REDIRECT; $acsArray['hoksso:ProtocolBinding'] = SAML2_Const::BINDING_HTTP_REDIRECT;
break; break;
} }
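Review bot: The five `Location` values in the switch each rebuild the same `get_config('wwwroot') . "auth/saml/sp/module.php/saml/sp/"` prefix inline (and `$slol` in the earlier hunk repeats it a sixth time), so a typo in any one case publishes an ACS URL the SP never answers on. Hoist it once before the switch, `$spbase = get_config('wwwroot') . 'auth/saml/sp/module.php/saml/sp/';`, and write each case as `$acsArray['Location'] = $spbase . "saml2-acs.php/{$sourceId}";` (the artifact-01 case then becomes `$spbase . "saml1-acs.php/{$sourceId}/artifact"`). If the SP validates a Response's Destination against the URL it computes for itself at runtime, as SimpleSAMLphp does to my knowledge, the published Location must be byte-identical to what the new module.php dispatcher yields after it rewrites SCRIPT_NAME and PATH_INFO, which is best confirmed with a round-trip login against a real IdP rather than by inspecting the metadata alone. The enclosing `foreach ($assertionsconsumerservices as $services)` begins outside this hunk.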
<?php
/**
* Handler for module requests.
*
* This web page receives requests for web-pages hosted by modules, and directs them to
* the RequestHandler in the module.
*
* @author Olav Morken, UNINETT AS.
* @package SimpleSAMLphp
*/
require_once('../extlib/simplesamlphp/www/_include.php');
$moduleDir = '../';
try {
if (empty($_SERVER['PATH_INFO'])) {
throw new SimpleSAML_Error_NotFound('No PATH_INFO to module.php');
}
$url = $_SERVER['PATH_INFO'];
assert('substr($url, 0, 1) === "/"');
/* clear the PATH_INFO option, so that a script can detect whether it is called with anything following the
*'.php'-ending.
*/
unset($_SERVER['PATH_INFO']);
$modEnd = strpos($url, '/', 1);
if ($modEnd === false) {
// the path must always be on the form /module/
throw new SimpleSAML_Error_NotFound('The URL must at least contain a module name followed by a slash.');
}
$module = substr($url, 1, $modEnd - 1);
$url = substr($url, $modEnd + 1);
if ($url === false) {
$url = '';
}
if (!SimpleSAML_Module::isModuleEnabled($module)) {
throw new SimpleSAML_Error_NotFound('The module \''.$module.'\' was either not found, or wasn\'t enabled.');
}
/* Make sure that the request isn't suspicious (contains references to current directory or parent directory or
* anything like that. Searching for './' in the URL will detect both '../' and './'. Searching for '\' will detect
* attempts to use Windows-style paths.
*/
if (strpos($url, '\\') !== false) {
throw new SimpleSAML_Error_BadRequest('Requested URL contained a backslash.');
}
else if (strpos($url, './') !== false) {
throw new SimpleSAML_Error_BadRequest('Requested URL contained \'./\'.');
}
// check for '.php/' in the path, the presence of which indicates that another php-script should handle the request
for ($phpPos = strpos($url, '.php/'); $phpPos !== false; $phpPos = strpos($url, '.php/', $phpPos + 1)) {
$newURL = substr($url, 0, $phpPos + 4);
$param = substr($url, $phpPos + 4);
if (is_file($moduleDir.$newURL)) {
/* $newPath points to a normal file. Point execution to that file, and
* save the remainder of the path in PATH_INFO.
*/
$url = $newURL;
$_SERVER['PATH_INFO'] = $param;
break;
}
}
$path = $moduleDir.$url;
if (is_dir($path)) {
/* Path is a directory - maybe no index file was found in the previous step, or maybe the path didn't end with
* a slash. Either way, we don't do directory listings.
*/
throw new SimpleSAML_Error_NotFound('Directory listing not available.');
}
if (!file_exists($path)) {
// file not found
SimpleSAML_Logger::info('Could not find file \''.$path.'\'.');
throw new SimpleSAML_Error_NotFound('The URL wasn\'t found in the module.');
}
if (preg_match('#\.php$#D', $path)) {
// PHP file - attempt to run it
$_SERVER['SCRIPT_NAME'] .= '/'.$module.'/'.$url;
require($path);
exit();
}
throw new SimpleSAML_Error_NotFound('The URL wasn\'t found in the module.');
}
catch (SimpleSAML_Error_Error $e) {
$e->show();
}
catch (Exception $e) {
$e = new SimpleSAML_Error_Error('UNHANDLEDEXCEPTION', $e);
$e->show();
}