
private function SAML2_Assertion::parseConditions in SAML SP 2.0 Single Sign On (SSO) - SAML Service Provider 7

Parse conditions in assertion.

Parameters

DOMElement $xml: The assertion XML element.

Throws

Exception

1 call to SAML2_Assertion::parseConditions()
SAML2_Assertion::__construct in includes/Assertion.php

File

includes/Assertion.php, line 153

Class

SAML2_Assertion

Code

/**
 * Parse the <saml:Conditions> element of an assertion, if one is present.
 *
 * This method only records what the assertion declares; the stored validity
 * bounds and audiences are not checked against the current time or the SP's
 * own identifier here. When a bound is already set, the more restrictive
 * value is kept: the later NotBefore, the earlier NotOnOrAfter, and the
 * intersection of all AudienceRestriction audience lists. A condition child
 * outside the SAML 2.0 assertion namespace, or with an unrecognised local
 * name, is rejected rather than skipped. OneTimeUse and ProxyRestriction are
 * recognised but nothing is recorded for them, so this method does not
 * enforce either.
 *
 * @param DOMElement $xml
 *   The <saml:Assertion> element.
 *
 * @throws Exception
 *   If more than one <saml:Conditions> element is present, or if a child
 *   condition has an unexpected namespace or local name. Non-text children
 *   such as XML comments carry no namespace and therefore also fail the
 *   namespace check.
 */
private function parseConditions(DOMElement $xml) {
  $matches = Utilities::xpQuery($xml, './saml_assertion:Conditions');
  if (empty($matches)) {
    // Conditions are optional; nothing to record.
    return;
  }
  if (count($matches) > 1) {
    throw new Exception('More than one <saml:Conditions> in <saml:Assertion>.');
  }
  $element = $matches[0];

  // Tighten the validity window: keep the later start ...
  if ($element->hasAttribute('NotBefore')) {
    $start = Utilities::xsDateTimeToTimestamp($element->getAttribute('NotBefore'));
    $this->notBefore = ($this->notBefore === NULL) ? $start : max($this->notBefore, $start);
  }
  // ... and the earlier end.
  if ($element->hasAttribute('NotOnOrAfter')) {
    $end = Utilities::xsDateTimeToTimestamp($element->getAttribute('NotOnOrAfter'));
    $this->notOnOrAfter = ($this->notOnOrAfter === NULL) ? $end : min($this->notOnOrAfter, $end);
  }

  foreach ($element->childNodes as $child) {
    if ($child instanceof DOMText) {
      continue;
    }
    if ($child->namespaceURI !== 'urn:oasis:names:tc:SAML:2.0:assertion') {
      throw new Exception('Unknown namespace of condition: ' . var_export($child->namespaceURI, TRUE));
    }
    $name = $child->localName;
    if ($name === 'AudienceRestriction') {
      $audiences = Utilities::extractStrings($child, 'urn:oasis:names:tc:SAML:2.0:assertion', 'Audience');
      // Several AudienceRestriction elements are ANDed together: only the
      // audiences present in every one of them remain valid.
      $this->validAudiences = ($this->validAudiences === NULL)
        ? $audiences
        : array_intersect($this->validAudiences, $audiences);
    }
    elseif ($name === 'OneTimeUse' || $name === 'ProxyRestriction') {
      // Recognised conditions that this implementation does not act on.
    }
    else {
      throw new Exception('Unknown condition: ' . var_export($name, TRUE));
    }
  }
}