Merge for release 2.3

.travis.yml

@@ -9,6 +9,7 @@ php:
   - hhvm
 
 matrix:
+  fast_finish: true
   allow_failures:
     - php: hhvm
 

src/SAML2/Assertion.php

@@ -4,6 +4,7 @@
 
 use RobRichards\XMLSecLibs\XMLSecEnc;
 use RobRichards\XMLSecLibs\XMLSecurityKey;
+use SAML2\Exception\RuntimeException;
 use SAML2\Utilities\Temporal;
 use SAML2\XML\Chunk;
 use SAML2\XML\saml\SubjectConfirmation;
@@ -152,10 +153,21 @@ class Assertion implements SignedElement
     private $AuthenticatingAuthority;
 
     /**
-     * The attributes, as an associative array.
+     * The attributes, as an associative array, indexed by attribute name
      *
-     * @var array multi-dimensional array, indexed by attribute name with each value representing the attribute value
-     *            of that attribute. This value is an array of \DOMNodeList|string|int
+     * To ease handling, all attribute values are represented as an array of values, also for values with a multiplicity
+     * of single. There are 4 possible variants of datatypes for the values: a string, an integer, an array or
+     * a DOMNodeList
+     *
+     * If the attribute is an eduPersonTargetedID, the values will be arrays that are created by @see Utils::parseNameId
+     *    and compatible with @see Utils::addNameID
+     * If the attribute value has an type-definition (xsi:string or xsi:int), the values will be of that type.
+     * If the attribute value contains a nested XML structure, the values will be a DOMNodeList
+     * In all other cases the values are treated as strings
+     *
+     * **WARNING** a DOMNodeList cannot be serialized without data-loss and should be handled explicitly
+     *
+     * @var array multi-dimensional array of \DOMNodeList|string|int|array
      */
     private $attributes;
 
@@ -287,21 +299,20 @@ private function parseSubject(\DOMElement $xml)
             $subject,
             './saml_assertion:NameID | ./saml_assertion:EncryptedID/xenc:EncryptedData'
         );
-        if (empty($nameId)) {
-            throw new \Exception('Missing <saml:NameID> or <saml:EncryptedID> in <saml:Subject>.');
-        } elseif (count($nameId) > 1) {
-            throw new \Exception('More than one <saml:NameID> or <saml:EncryptedD> in <saml:Subject>.');
-        }
-        $nameId = $nameId[0];
-        if ($nameId->localName === 'EncryptedData') {
-            /* The NameID element is encrypted. */
-            $this->encryptedNameId = $nameId;
-        } else {
-            $this->nameId = Utils::parseNameId($nameId);
+        if (count($nameId) > 1) {
+            throw new \Exception('More than one <saml:NameID> or <saml:EncryptedID> in <saml:Subject>.');
+        } elseif (!empty($nameId)) {
+            $nameId = $nameId[0];
+            if ($nameId->localName === 'EncryptedData') {
+                /* The NameID element is encrypted. */
+                $this->encryptedNameId = $nameId;
+            } else {
+                $this->nameId = Utils::parseNameId($nameId);
+            }
         }
 
         $subjectConfirmation = Utils::xpQuery($subject, './saml_assertion:SubjectConfirmation');
-        if (empty($subjectConfirmation)) {
+        if (empty($subjectConfirmation) && empty($nameId)) {
             throw new \Exception('Missing <saml:SubjectConfirmation> in <saml:Subject>.');
         }
 
@@ -388,7 +399,7 @@ private function parseAuthnStatement(\DOMElement $xml)
 
             return;
         } elseif (count($authnStatements) > 1) {
-            throw new \Exception('More that one <saml:AuthnStatement> in <saml:Assertion> not supported.');
+            throw new \Exception('More than one <saml:AuthnStatement> in <saml:Assertion> not supported.');
         }
         $authnStatement = $authnStatements[0];
 
@@ -512,7 +523,27 @@ private function parseAttributes(\DOMElement $xml)
      */
     private function parseAttributeValue($attribute, $attributeName)
     {
+        /** @var \DOMElement[] $values */
         $values = Utils::xpQuery($attribute, './saml_assertion:AttributeValue');
+
+        if ($attributeName === Constants::EPTI_URN_MACE || $attributeName === Constants::EPTI_URN_OID) {
+            foreach ($values as $index => $eptiAttributeValue) {
+                $eptiNameId = Utils::xpQuery($eptiAttributeValue, './saml:NameID');
+
+                if (count($eptiNameId) !== 1) {
+                    throw new RuntimeException(sprintf(
+                        'A "%s" (EPTI) attribute value must be a NameID, none found for value no. "%d"',
+                        $attributeName,
+                        $index
+                    ));
+                }
+
+                $this->attributes[$attributeName][] = Utils::parseNameId($eptiNameId[0]);
+            }
+
+            return;
+        }
+
         foreach ($values as $value) {
             $hasNonTextChildElements = false;
             foreach ($value->childNodes as $childNode) {
@@ -582,7 +613,7 @@ private function parseSignature(\DOMElement $xml)
      */
     public function validate(XMLSecurityKey $key)
     {
-        assert('$key->type === XMLSecurityKey::RSA_SHA1');
+        assert('$key->type === \RobRichards\XMLSecLibs\XMLSecurityKey::RSA_SHA1');
 
         if ($this->signatureData === null) {
             return false;
@@ -1469,6 +1500,16 @@ private function addAttributeStatement(\DOMElement $root)
                 $attribute->setAttribute('NameFormat', $this->nameFormat);
             }
 
+            if ($name === Constants::EPTI_URN_MACE || $name === Constants::EPTI_URN_OID) {
+                foreach ($values as $eptiValue) {
+                    $attributeValue = $document->createElementNS(Constants::NS_SAML, 'saml:AttributeValue');
+                    $attribute->appendChild($attributeValue);
+                    Utils::addNameId($attributeValue, $eptiValue);
+                }
+
+                continue;
+            }
+
             foreach ($values as $value) {
                 if (is_string($value)) {
                     $type = 'xs:string';

src/SAML2/Assertion/Transformer/NameIdDecryptionTransformer.php

@@ -40,6 +40,7 @@ public function __construct(
         LoggerInterface $logger,
         PrivateKeyLoader $privateKeyLoader
     ) {
+        $this->logger = $logger;
         $this->privateKeyLoader = $privateKeyLoader;
     }
 

src/SAML2/AuthnRequest.php

@@ -714,8 +714,8 @@ public function toUnsignedXML()
             if (array_key_exists('SPNameQualifier', $this->nameIdPolicy)) {
                 $nameIdPolicy->setAttribute('SPNameQualifier', $this->nameIdPolicy['SPNameQualifier']);
             }
-            if (array_key_exists('AllowCreate', $this->nameIdPolicy) && $this->nameIdPolicy['AllowCreate']) {
-                $nameIdPolicy->setAttribute('AllowCreate', 'true');
+            if (array_key_exists('AllowCreate', $this->nameIdPolicy) && is_bool($this->nameIdPolicy['AllowCreate'])) {
+                $nameIdPolicy->setAttribute('AllowCreate', ($this->nameIdPolicy['AllowCreate']) ? 'true' : 'false');
             }
             $root->appendChild($nameIdPolicy);
         }

src/SAML2/Certificate/Fingerprint.php

@@ -6,6 +6,8 @@
 
 /**
  * Simple representation of the fingerprint of a certificate
+ *
+ * @deprecated Please use full certificates instead.
  */
 class Fingerprint
 {
@@ -16,6 +18,8 @@ class Fingerprint
 
     /**
      * @param string $fingerPrint
+     *
+     * @deprecated Please use full certificates instead.
      */
     public function __construct($fingerPrint)
     {

src/SAML2/Certificate/FingerprintCollection.php

@@ -7,13 +7,16 @@
 
 /**
  * Simple collection object for transporting keys
+ * @deprecated Please load full certificates instead.
  */
 class FingerprintCollection extends ArrayCollection
 {
     /**
      * Add a key to the collection
      *
      * @param \SAML2\Certificate\Fingerprint $fingerprint
+     *
+     * @deprecated
      */
     public function add($fingerprint)
     {
@@ -31,6 +34,8 @@ public function add($fingerprint)
      * @param \SAML2\Certificate\Fingerprint $otherFingerprint
      *
      * @return bool
+     *
+     * @deprecated
      */
     public function contains(Fingerprint $otherFingerprint)
     {

src/SAML2/Certificate/FingerprintLoader.php

@@ -5,6 +5,9 @@
 use SAML2\Configuration\CertificateProvider;
 use SAML2\Exception\InvalidArgumentException;
 
+/**
+ * @deprecated Please load full certificates instead.
+ */
 class FingerprintLoader
 {
     /**
@@ -13,6 +16,8 @@ class FingerprintLoader
      * @param \SAML2\Configuration\CertificateProvider $configuration
      *
      * @return \SAML2\Certificate\FingerprintCollection
+     *
+     * @deprecated
      */
     public static function loadFromConfiguration(CertificateProvider $configuration)
     {
@@ -27,6 +32,8 @@ public static function loadFromConfiguration(CertificateProvider $configuration)
      * @param \SAML2\Configuration\CertificateProvider $configuration
      *
      * @return \SAML2\Certificate\FingerprintCollection
+     *
+     * @deprecated
      */
     public function loadFingerprints(CertificateProvider $configuration)
     {

src/SAML2/Certificate/KeyLoader.php

@@ -90,7 +90,7 @@ public function loadKeysFromConfiguration(
     public function loadKeys(array $configuredKeys, $usage)
     {
         foreach ($configuredKeys as $keyData) {
-            if (isset($key['X509Certificate'])) {
+            if (isset($keyData['X509Certificate'])) {
                 $key = new X509($keyData);
             } else {
                 $key = new Key($keyData);

src/SAML2/Certificate/PrivateKeyLoader.php

@@ -46,13 +46,13 @@ public function loadDecryptionKeys(
             return $decryptionKeys;
         }
 
-        $newPrivateKey = $serviceProvider->getPrivateKey(PrivateKey::NAME_NEW);
+        $newPrivateKey = $serviceProvider->getPrivateKey(PrivateKeyConfiguration::NAME_NEW);
         if ($newPrivateKey instanceof PrivateKey) {
             $loadedKey = $this->loadPrivateKey($newPrivateKey);
             $decryptionKeys->add($this->convertPrivateKeyToRsaKey($loadedKey));
         }
 
-        $privateKey = $serviceProvider->getPrivateKey(PrivateKey::NAME_DEFAULT, true);
+        $privateKey = $serviceProvider->getPrivateKey(PrivateKeyConfiguration::NAME_DEFAULT, true);
         $loadedKey  = $this->loadPrivateKey($privateKey);
         $decryptionKeys->add($this->convertPrivateKeyToRsaKey($loadedKey));
 

src/SAML2/Certificate/X509.php

@@ -50,6 +50,8 @@ public function getCertificate()
 
     /**
      * @return \SAML2\Certificate\Fingerprint
+     *
+     * @deprecated Please use full certificates instead.
      */
     public function getFingerprint()
     {

src/SAML2/Compat/Ssp/Logger.php

@@ -3,7 +3,6 @@
 namespace SAML2\Compat\Ssp;
 
 use Psr\Log\LoggerInterface;
-use SimpleSAML_Logger;
 
 class Logger implements LoggerInterface
 {
@@ -16,7 +15,7 @@ class Logger implements LoggerInterface
      */
     public function emergency($message, array $context = array())
     {
-        SimpleSAML_Logger::emergency($message . var_export($context, true));
+        \SimpleSAML\Logger::emergency($message . var_export($context, true));
     }
 
     /**
@@ -31,7 +30,7 @@ public function emergency($message, array $context = array())
      */
     public function alert($message, array $context = array())
     {
-        SimpleSAML_Logger::alert($message . var_export($context, true));
+        \SimpleSAML\Logger::alert($message . var_export($context, true));
     }
 
     /**
@@ -45,7 +44,7 @@ public function alert($message, array $context = array())
      */
     public function critical($message, array $context = array())
     {
-        SimpleSAML_Logger::critical($message . var_export($context, true));
+        \SimpleSAML\Logger::critical($message . var_export($context, true));
     }
 
     /**
@@ -58,7 +57,7 @@ public function critical($message, array $context = array())
      */
     public function error($message, array $context = array())
     {
-        SimpleSAML_Logger::error($message . var_export($context, true));
+        \SimpleSAML\Logger::error($message . var_export($context, true));
     }
 
     /**
@@ -73,7 +72,7 @@ public function error($message, array $context = array())
      */
     public function warning($message, array $context = array())
     {
-        SimpleSAML_Logger::warning($message . var_export($context, true));
+        \SimpleSAML\Logger::warning($message . var_export($context, true));
     }
 
     /**
@@ -85,7 +84,7 @@ public function warning($message, array $context = array())
      */
     public function notice($message, array $context = array())
     {
-        SimpleSAML_Logger::notice($message . var_export($context, true));
+        \SimpleSAML\Logger::notice($message . var_export($context, true));
     }
 
     /**
@@ -99,7 +98,7 @@ public function notice($message, array $context = array())
      */
     public function info($message, array $context = array())
     {
-        SimpleSAML_Logger::info($message . var_export($context, true));
+        \SimpleSAML\Logger::info($message . var_export($context, true));
     }
 
     /**
@@ -111,7 +110,7 @@ public function info($message, array $context = array())
      */
     public function debug($message, array $context = array())
     {
-        SimpleSAML_Logger::debug($message . var_export($context, true));
+        \SimpleSAML\Logger::debug($message . var_export($context, true));
     }
 
     /**
@@ -125,29 +124,29 @@ public function debug($message, array $context = array())
     public function log($level, $message, array $context = array())
     {
         switch ($level) {
-            case SimpleSAML_Logger::ALERT:
-                SimpleSAML_Logger::alert($message);
+            case \SimpleSAML\Logger::ALERT:
+                \SimpleSAML\Logger::alert($message);
                 break;
-            case SimpleSAML_Logger::CRIT:
-                SimpleSAML_Logger::critical($message);
+            case \SimpleSAML\Logger::CRIT:
+                \SimpleSAML\Logger::critical($message);
                 break;
-            case SimpleSAML_Logger::DEBUG:
-                SimpleSAML_Logger::debug($message);
+            case \SimpleSAML\Logger::DEBUG:
+                \SimpleSAML\Logger::debug($message);
                 break;
-            case SimpleSAML_Logger::EMERG:
-                SimpleSAML_Logger::emergency($message);
+            case \SimpleSAML\Logger::EMERG:
+                \SimpleSAML\Logger::emergency($message);
                 break;
-            case SimpleSAML_Logger::ERR:
-                SimpleSAML_Logger::error($message);
+            case \SimpleSAML\Logger::ERR:
+                \SimpleSAML\Logger::error($message);
                 break;
-            case SimpleSAML_Logger::INFO:
-                SimpleSAML_Logger::info($message);
+            case \SimpleSAML\Logger::INFO:
+                \SimpleSAML\Logger::info($message);
                 break;
-            case SimpleSAML_Logger::NOTICE:
-                SimpleSAML_Logger::notice($message);
+            case \SimpleSAML\Logger::NOTICE:
+                \SimpleSAML\Logger::notice($message);
                 break;
-            case SimpleSAML_Logger::WARNING:
-                SimpleSAML_Logger::warning($message);
+            case \SimpleSAML\Logger::WARNING:
+                \SimpleSAML\Logger::warning($message);
         }
     }
 }

src/SAML2/Configuration/CertificateProvider.php

@@ -36,6 +36,8 @@ public function getCertificateFile();
      * fingerprint is a string containing the certificate fingerprint.
      *
      * @return null|array|\Traversable
+     *
+     * @deprecated Please use getCertifiateFile() or getCertificateData()
      */
     public function getCertificateFingerprints();
 }