You are here

class SamlSPController in SAML Service Provider 3.x

Same name and namespace in other branches
  1. 8.3 src/Controller/SamlSPController.php \Drupal\saml_sp\Controller\SamlSPController
  2. 8.2 src/Controller/SamlSPController.php \Drupal\saml_sp\Controller\SamlSPController
  3. 7.8 src/Controller/SamlSPController.php \Drupal\saml_sp\Controller\SamlSPController
  4. 4.x src/Controller/SamlSPController.php \Drupal\saml_sp\Controller\SamlSPController

Provides route responses for the SAML SP module.

Hierarchy

Expanded class hierarchy of SamlSPController

File

src/Controller/SamlSPController.php, line 16

Namespace

Drupal\saml_sp\Controller
View source
class SamlSPController extends ControllerBase {

  /**
   * Generate the XMl metadata for the given IdP.
   */
  public function metadata($return_string = FALSE) {
    list($metadata, $errors) = saml_sp__get_metadata();
    $output = $metadata;
    if ($return_string) {
      return $output;
    }
    $response = new Response();
    $response
      ->setContent($metadata);
    $response->headers
      ->set('Content-Type', 'text/xml');
    return $response;
  }

  /**
   * Receive data back from the IdP.
   */
  public function consume() {
    if (!$this
      ->validAuthenticationResponse()) {
      return new RedirectResponse(Url::fromRoute('<front>')
        ->toString());
    }

    // The \OneLogin\Saml2\Response object uses the settings to verify the
    // validity of a request, in \OneLogin\Saml2\Response::isValid(), via
    // XMLSecurityDSig. Extract the incoming ID (the `inresponseto` parameter
    // of the `<samlp:response` XML node).
    if ($inbound_id = _saml_sp__extract_inbound_id($_POST['SAMLResponse'])) {
      if ($request = saml_sp__get_tracked_request($inbound_id)) {
        $idp = saml_sp_idp_load($request['idp']);

        // Try to check the validity of the samlResponse.
        try {
          $certs = $idp
            ->getX509Cert();
          if (!is_array($certs)) {
            $certs = [
              $certs,
            ];
          }
          $is_valid = FALSE;

          // Go through each cert and see if any provides a valid response.
          foreach ($certs as $cert) {
            if ($is_valid) {
              continue;
            }
            $idp
              ->setX509Cert([
              $cert,
            ]);
            $settings = saml_sp__get_settings($idp);

            // Creating Saml2 Settings object from array:
            $saml_settings = new Settings($settings);
            $saml_response = new Saml2_Response($saml_settings, $_POST['SAMLResponse']);

            // $saml_response->isValid() will throw various exceptions
            // to communicate any errors. Sadly, these are all of type
            // Exception - no subclassing.
            $is_valid = $saml_response
              ->isValid();
          }
        } catch (Exception $e) {

          // @TODO: Inspect the Exceptions, and log a meaningful error condition.
          \Drupal::logger('saml_sp')
            ->error('Invalid response, %exception', [
            '%exception' => $e->message,
          ]);
          $is_valid = FALSE;
        }

        // Remove the now-expired tracked request.
        $store = saml_sp_get_tempstore('track_request');
        $store
          ->delete($inbound_id);
        if (!$is_valid) {
          $error = $saml_response
            ->getError();
          list($problem) = array_reverse(explode(' ', $error));
          switch ($problem) {
            case 'Responder':
              $message = t('There was a problem with the response from @idp_name. Please try again later.', [
                '@idp_name' => $idp
                  ->label(),
              ]);
              break;
            case 'Requester':
              $message = t('There was an issue with the request made to @idp_name. Please try again later.', [
                '@idp_name' => $idp
                  ->label(),
              ]);
              break;
            case 'VersionMismatch':
              $message = t('SAML VersionMismatch between @idp_name and @site_name. Please try again later.', [
                '@idp_name' => $idp
                  ->label(),
                '@site_name' => variable_get('site_name', 'Drupal'),
              ]);
              break;
          }
          if (!empty($message)) {
            \Drupal::messenger()
              ->addMessage($message, MessengerInterface::TYPE_ERROR);
          }
          \Drupal::logger('saml_sp')
            ->error('Invalid response, @error: <pre>@response</pre>', [
            '@error' => $error,
            '@response' => print_r($saml_response->response, TRUE),
          ]);
        }

        // Invoke the callback function.
        $callback = $request['callback'];
        $result = $callback($is_valid, $saml_response, $idp);

        // The callback *should* redirect the user to a valid page.
        // Provide a fail-safe just in case it doesn't.
        if (empty($result)) {
          return new RedirectResponse(Url::fromRoute('user.page')
            ->toString());
        }
        else {
          return $result;
        }
      }
      else {
        \Drupal::logger('saml_sp')
          ->error('Request with inbound ID @id not found.', [
          '@id' => $inbound_id,
        ]);
      }
    }

    // Failover: redirect to the homepage.
    \Drupal::logger('saml_sp')
      ->warning('Failover: redirect to the homepage. No inbound ID or something.');
    return new RedirectResponse(Url::fromRoute('<front>')
      ->toString());
  }

  /**
   * Check that a request is a valid SAML authentication response.
   *
   * @return bool
   *   TRUE if the response is valid.
   */
  private function validAuthenticationResponse() {
    return $_SERVER['REQUEST_METHOD'] == 'POST' && !empty($_POST['SAMLResponse']);
  }

  /**
   * Log the user out.
   */
  public function logout() {
  }

}

Members

Namesort descending Modifiers Type Description Overrides
ControllerBase::$configFactory protected property The configuration factory.
ControllerBase::$currentUser protected property The current user service. 1
ControllerBase::$entityFormBuilder protected property The entity form builder.
ControllerBase::$entityTypeManager protected property The entity type manager.
ControllerBase::$formBuilder protected property The form builder. 2
ControllerBase::$keyValue protected property The key-value storage. 1
ControllerBase::$languageManager protected property The language manager. 1
ControllerBase::$moduleHandler protected property The module handler. 2
ControllerBase::$stateService protected property The state service.
ControllerBase::cache protected function Returns the requested cache bin.
ControllerBase::config protected function Retrieves a configuration object.
ControllerBase::container private function Returns the service container.
ControllerBase::create public static function Instantiates a new instance of this class. Overrides ContainerInjectionInterface::create 46
ControllerBase::currentUser protected function Returns the current user. 1
ControllerBase::entityFormBuilder protected function Retrieves the entity form builder.
ControllerBase::entityTypeManager protected function Retrieves the entity type manager.
ControllerBase::formBuilder protected function Returns the form builder service. 2
ControllerBase::keyValue protected function Returns a key/value storage collection. 1
ControllerBase::languageManager protected function Returns the language manager service. 1
ControllerBase::moduleHandler protected function Returns the module handler. 2
ControllerBase::redirect protected function Returns a redirect response object for the specified route.
ControllerBase::state protected function Returns the state storage service.
LoggerChannelTrait::$loggerFactory protected property The logger channel factory service.
LoggerChannelTrait::getLogger protected function Gets the logger for a specific channel.
LoggerChannelTrait::setLoggerFactory public function Injects the logger channel factory.
MessengerTrait::$messenger protected property The messenger. 27
MessengerTrait::messenger public function Gets the messenger. 27
MessengerTrait::setMessenger public function Sets the messenger.
RedirectDestinationTrait::$redirectDestination protected property The redirect destination service. 1
RedirectDestinationTrait::getDestinationArray protected function Prepares a 'destination' URL query parameter for use with \Drupal\Core\Url.
RedirectDestinationTrait::getRedirectDestination protected function Returns the redirect destination service.
RedirectDestinationTrait::setRedirectDestination public function Sets the redirect destination service.
SamlSPController::consume public function Receive data back from the IdP.
SamlSPController::logout public function Log the user out.
SamlSPController::metadata public function Generate the XMl metadata for the given IdP.
SamlSPController::validAuthenticationResponse private function Check that a request is a valid SAML authentication response.
StringTranslationTrait::$stringTranslation protected property The string translation service. 4
StringTranslationTrait::formatPlural protected function Formats a string containing a count of items.
StringTranslationTrait::getNumberOfPlurals protected function Returns the number of plurals supported by a given language.
StringTranslationTrait::getStringTranslation protected function Gets the string translation service.
StringTranslationTrait::setStringTranslation public function Sets the string translation service to use. 2
StringTranslationTrait::t protected function Translates a string to the current language or to a given language.