Added code contributed in #3901 to filter IdPs by entity categories

bb024689 · Lukas Haemmerle · 589c6318 · bb024689 · bb024689 · bb024689
Commit bb024689 authored Sep 27, 2018 by Lukas Haemmerle
Showing with 49 additions and 2 deletions

CHANGES.md CHANGES.md +4 -1

bin/update-metadata.php bin/update-metadata.php +11 -0

etc/config.dist.php etc/config.dist.php +6 -0

lib/readMetadata.php lib/readMetadata.php +28 -1

No files found.
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -6,7 +6,7 @@ See LICENSE file for details.
 SWITCHwayf Changes
 ==================

-SWITCHwayf version: v1.22
+SWITCHwayf version: v1.3
 Bundled with:

 * JQuery v3.2.1
@@ -41,6 +41,8 @@ SWITCHwayf Version History
   - Changed structure of directory and files
     Added update-metadata.php for handling metadata.
     Code provided by Guillaume Rousse.
+   - Added code to filter IdPs by entity categories.
+     Code provided by Michael Simon

 * Version 1.21 - Release date: 19. January 2018
  - Allow loading configuration from a path in a 
@@ -297,6 +299,7 @@ alphabetically.
 - Martins Purins from Latvijas Universitates (LV)
 - Olivier Salaün from RENATER (FR)
 - Tom Scavo from Internet2 (US)
+- Michael Simon from KIT (DE)
 - Andrew Sokolov, Saint Petersburg State University (RU)
 - Mika Suvanto from CSC (FI)
 - Huân Thebault from Centre de Calcul de l'IN2P3 (FR)

--- a/bin/update-metadata.php
+++ b/bin/update-metadata.php
@@ -34,6 +34,10 @@ Argument Description
 --min-idp-count <count>     Minimum expected number of IdPs in metadata
 --min-sp-count <count>      Minimum expected number of SPs in metadata
 --language <locale>         Language locale, e.g. 'en', 'jp', ...
+--filter-idps-by-ec         Only process IdPs that are in given 
+                            entity category. Multiple categories
+                            can be provided space separated. 
+                            If the IdP is in none, the IdP is ignored.
 --syslog                    Use syslog for reporting
 --syslog-id <id>            Process identity for syslog messages
 --verbose | -v              Verbose mode
@@ -55,6 +59,7 @@ $longopts = array(
    "metadata-sp-file:",
    "min-idp-count:",
    "min-sp-count:",
+    "filter-idps-by-ec:",
    "language:",
    "verbose",
    "syslog",
@@ -141,6 +146,12 @@ if (isset($options['min-idp-count'])) {
 	$minIDPCount = 0;
 }

+if(isset($options['filter-idps-by-ec'])){
+	$filterEntityCategory = $options['filter-idps-by-ec'];
+} else {
+	$filterEntityCategory = false;
+}
+
 // Input validation
 if (isset($metadataURL) && $metadataURL) {
 	$metadataFile = tempnam(sys_get_temp_dir(), 'metadata');

--- a/etc/config.dist.php
+++ b/etc/config.dist.php
@@ -161,6 +161,12 @@
 // be manually added using the Embedded WAYF.
 //$supportHideFromDiscoveryEntityCategory = true;

+// Only process IDPs with a particular entity category. All
+// others are ignored and not taken into account.
+// Multiple entity category identifiers can be provided 
+// space separated. If the IdP is in none of them, 
+// the IdP is ignored.
+//$filterEntityCategory = 'http://example.com/category/example-member';

 // Whether or not to add the entityID of the preselected IdP to the
 // exported JSON/Text/PHP Code

--- a/lib/readMetadata.php
+++ b/lib/readMetadata.php
@@ -216,7 +216,7 @@ function parseMetadata($metadataFile, $defaultLanguage){
 // Processes an IDPRoleDescriptor XML node and returns an IDP entry or false if 
 // something went wrong
 function processIDPRoleDescriptor($IDPRoleDescriptorNode){
-	global $defaultLanguage, $supportHideFromDiscoveryEntityCategory;
+	global $defaultLanguage, $supportHideFromDiscoveryEntityCategory, $filterEntityCategory;
 	
 	$IDP = Array();
 	$Profiles = Array();
@@ -229,6 +229,13 @@ function processIDPRoleDescriptor($IDPRoleDescriptorNode){
 		}
 	}
 	
+	// Skip if IdPs should be filtered by entity category
+	if (isset($filterEntityCategory) && $filterEntityCategory){
+		if (!hasSpecificEntityCategory($IDPRoleDescriptorNode, $filterEntityCategory)){
+			return false;
+		}
+	}
+	
 	// Get SSO URL
 	$SSOServices = $IDPRoleDescriptorNode->getElementsByTagNameNS( 'urn:oasis:names:tc:SAML:2.0:metadata', 'SingleSignOnService' );
 	foreach( $SSOServices as $SSOService ){
@@ -621,3 +628,23 @@ function hasHideFromDiscoveryEntityCategory($IDPRoleDescriptorNode){
 	
 	return false;
 }
+
+// Returns true if IdP has specific entity category attribute
+function hasSpecificEntityCategory($IDPRoleDescriptorNode, $filterEntityCategory){
+	// Get SAML Attributes for this entity
+	$AttributeValues = $IDPRoleDescriptorNode->parentNode->getElementsByTagNameNS('urn:oasis:names:tc:SAML:2.0:assertion', 'AttributeValue');
+	
+	if (!$AttributeValues || $AttributeValues->length < 1){
+		return false;
+	}
+	
+	$entityCategories = explode(' ', $filterEntityCategory);
+	foreach( $AttributeValues as $AttributeValue ){
+		$thisCategory = trim($AttributeValue->nodeValue);
+		if (in_array($thisCategory, $entityCategories)){
+			return true;
+		}
+	}
+	
+	return false;
+}
\ No newline at end of file