
private function CasValidator::verifyProxyChain in CAS 2.x

Same name and namespace in other branches
  Branch 8: src/Service/CasValidator.php \Drupal\cas\Service\CasValidator::verifyProxyChain()

Verify a proxy chain from the CAS Server.

Proxy chains from CAS Server responses are compared against the module's configured list of allowed proxy chains, so that a ticket is only validated when its proxy chain matches one of the allowed chains.

Parameters

\DOMNodeList $proxy_chain: The XML elements holding the proxy URLs from the server response, ordered from the most recent proxy to the first.

Throws

\Drupal\cas\Exception\CasValidateException Thrown if the proxy chain did not match the allowed list from settings.

1 call to CasValidator::verifyProxyChain()
CasValidator::validateVersion2 in src/Service/CasValidator.php
Validation of a service ticket for Version 2 of the CAS protocol.

File

src/Service/CasValidator.php, line 311

Class

CasValidator
The CAS ticket validator service.

Namespace

Drupal\cas\Service

Code

// Method of \Drupal\cas\Service\CasValidator. It relies on these imports at the
// top of src/Service/CasValidator.php:
//   use Drupal\cas\Exception\CasValidateException;
//   use Psr\Log\LogLevel;
private function verifyProxyChain(\DOMNodeList $proxy_chain) {
  $allowed_proxy_chains_raw = $this->settings->get('proxy.proxy_chains');
  $allowed_proxy_chains = $this->parseAllowedProxyChains($allowed_proxy_chains_raw);
  $server_chain = $this->parseServerProxyChain($proxy_chain);
  $this->casHelper->log(LogLevel::DEBUG, "Attempting to verify supplied proxy chain: %chain", [
    '%chain' => print_r($server_chain, TRUE),
  ]);

  // Loop through the allowed chains, checking the supplied chain for a match.
  foreach ($allowed_proxy_chains as $chain) {

    // If the lengths mismatch, this chain cannot be a match.
    if (count($chain) != count($server_chain)) {
      continue;
    }

    // Compare each entry of the allowed chain with the proxy URL at the same
    // position in the supplied chain.
    $flag = TRUE;
    foreach ($chain as $index => $regex) {
      // An entry written as /.../ (with optional PCRE flags) is a regex.
      if (preg_match('/^\\/.*\\/[ixASUXu]*$/s', $regex)) {
        if (!preg_match($regex, $server_chain[$index])) {
          $flag = FALSE;
          $this->casHelper->log(LogLevel::DEBUG, "Failed to match %regex with supplied %chain", [
            '%regex' => $regex,
            '%chain' => $server_chain[$index],
          ]);
          break;
        }
      }
      else {
        // Any other entry is a case-insensitive prefix comparison: the first
        // strlen($regex) characters of the supplied URL must equal the entry.
        if (!(strncasecmp($regex, $server_chain[$index], strlen($regex)) == 0)) {
          $flag = FALSE;
          $this->casHelper->log(LogLevel::DEBUG, "Failed to match %regex with supplied %chain", [
            '%regex' => $regex,
            '%chain' => $server_chain[$index],
          ]);
          break;
        }
      }
    }

    // If every entry matched, the chain is allowed; return.
    if ($flag == TRUE) {
      $this->casHelper->log(LogLevel::DEBUG, "Matched allowed chain: %chain", [
        '%chain' => print_r($chain, TRUE),
      ]);
      return;
    }
  }

  // If we've reached this point, no chain was validated, so throw an exception.
  throw new CasValidateException("Proxy chain did not match allowed list.");
}
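The matching rules above (length check, regex entries detected by their /.../ delimiters, everything else compared as a case-insensitive prefix) can be exercised outside Drupal. The following is an added example, not code from the Drupal CAS module: it re-implements the comparison loop as standalone functions and runs it over constructed configuration and server chains. The config parser is an assumption (one chain per line, entries separated by whitespace); the page does not show parseAllowedProxyChains() or parseServerProxyChain(), and the server chain is taken as an already flattened array of URLs.

```php
<?php
// Added example, not code from the Drupal CAS module. Re-implements the
// matching loop of CasValidator::verifyProxyChain() so it can be run
// stand-alone with constructed input.
declare(strict_types=1);

/**
 * Parse the allowed-chain configuration.
 * Assumption (not from the page): one chain per line, entries separated by
 * whitespace, blank lines ignored.
 */
function parseAllowedChains(string $raw): array {
  $chains = [];
  foreach (preg_split('/\R/', trim($raw)) as $line) {
    $line = trim($line);
    if ($line === '') {
      continue;
    }
    $chains[] = preg_split('/\s+/', $line);
  }
  return $chains;
}

/** Does one configured entry match one proxy URL from the server's chain? */
function proxyEntryMatches(string $entry, string $proxy): bool {
  // Entries written as /.../ (optionally followed by PCRE flags) are regexes,
  // detected exactly as the validator does it.
  if (preg_match('/^\/.*\/[ixASUXu]*$/s', $entry)) {
    return preg_match($entry, $proxy) === 1;
  }
  // Any other entry is a case-insensitive prefix comparison, not an equality
  // check: only the first strlen($entry) characters of the URL are compared.
  // A plain entry should therefore end at a path boundary (trailing slash) so
  // that it only matches the host it names.
  return strncasecmp($entry, $proxy, strlen($entry)) === 0;
}

/** TRUE when the server chain matches at least one allowed chain. */
function verifyProxyChain(array $allowedChains, array $serverChain): bool {
  foreach ($allowedChains as $chain) {
    // Chains of different length can never match.
    if (count($chain) !== count($serverChain)) {
      continue;
    }
    $matched = TRUE;
    foreach ($chain as $index => $entry) {
      if (!proxyEntryMatches($entry, $serverChain[$index])) {
        $matched = FALSE;
        break;
      }
    }
    if ($matched) {
      return TRUE;
    }
  }
  return FALSE;
}

// Constructed configuration: two allowed two-hop chains. The first names the
// proxy with a regex, the second with a plain, prefix-matched URL.
$config = <<<'CFG'
/^https:\/\/proxy\.example\.com\/.*$/ https://portal.example.com/
https://app.example.com/ https://portal.example.com/
CFG;
$allowed = parseAllowedChains($config);

// Constructed server chains, most recent proxy first.
$cases = [
  'regex chain, two hops'        => ['https://proxy.example.com/casProxy', 'https://portal.example.com/cas'],
  'plain prefix chain, two hops' => ['https://app.example.com/login', 'https://portal.example.com/cas'],
  'length mismatch, one hop'     => ['https://proxy.example.com/casProxy'],
  'unknown proxy host'           => ['https://other.example.net/', 'https://portal.example.com/cas'],
];
foreach ($cases as $label => $serverChain) {
  printf("%-30s => %s\n", $label, verifyProxyChain($allowed, $serverChain) ? 'allowed' : 'rejected');
}
```

Running this with `php verify_chain.php` reports the first two chains as allowed and the last two as rejected. The design choice worth noticing when writing the real configuration is the prefix comparison in the non-regex branch: because the validator compares only `strlen($entry)` characters, a plain entry should include the trailing slash (or be written as an anchored regex) so that it is not satisfied by a longer host name that merely begins with the same characters.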