diff --git a/.github/workflows/phpunit-mysql.yml b/.github/workflows/phpunit-mysql.yml
index 7ffce83c0..bd26d2be5 100644
--- a/.github/workflows/phpunit-mysql.yml
+++ b/.github/workflows/phpunit-mysql.yml
@@ -9,6 +9,7 @@ on:
 pull_request:
 paths:
 - '.github/workflows/**'
+ - '3rdparty/**'
 - 'appinfo/**'
 - 'lib/**'
 - 'templates/**'
diff --git a/.github/workflows/phpunit-oci.yml b/.github/workflows/phpunit-oci.yml
index 91e1672a2..8ab60b1e3 100644
--- a/.github/workflows/phpunit-oci.yml
+++ b/.github/workflows/phpunit-oci.yml
@@ -9,6 +9,7 @@ on:
 pull_request:
 paths:
 - '.github/workflows/**'
+ - '3rdparty/**'
 - 'appinfo/**'
 - 'lib/**'
 - 'templates/**'
@@ -39,7 +40,7 @@ env:
 jobs:
 phpunit-oci:
- runs-on: ubuntu-latest
+ runs-on: ubuntu-22.04
 strategy:
 matrix:
@@ -48,10 +49,24 @@ jobs:
 services:
 oracle:
- image: deepdiver/docker-oracle-xe-11g # 'wnameless/oracle-xe-11g-r2'
+ image: ghcr.io/gvenzl/oracle-xe:11
+
+ # Provide passwords and other environment variables to container
+ env:
+ ORACLE_RANDOM_PASSWORD: true
+ APP_USER: autotest
+ APP_USER_PASSWORD: owncloud
+
 ports:
 - 1521:1521/tcp
+ # Provide healthcheck script options for startup
+ options: >-
+ --health-cmd healthcheck.sh
+ --health-interval 10s
+ --health-timeout 5s
+ --health-retries 10
+
 steps:
 - name: Set app env
 run: |
diff --git a/.github/workflows/phpunit-pgsql.yml b/.github/workflows/phpunit-pgsql.yml
index a69432919..645aa22c5 100644
--- a/.github/workflows/phpunit-pgsql.yml
+++ b/.github/workflows/phpunit-pgsql.yml
@@ -9,6 +9,7 @@ on:
 pull_request:
 paths:
 - '.github/workflows/**'
+ - '3rdparty/**'
 - 'appinfo/**'
 - 'lib/**'
 - 'templates/**'
diff --git a/.github/workflows/phpunit-sqlite.yml b/.github/workflows/phpunit-sqlite.yml
index ad3d02931..5dcf35364 100644
--- a/.github/workflows/phpunit-sqlite.yml
+++ b/.github/workflows/phpunit-sqlite.yml
@@ -9,6 +9,7 @@ on:
 pull_request:
 paths:
 - '.github/workflows/**'
+ - '3rdparty/**'
 - 'appinfo/**'
 - 'lib/**'
 - 'templates/**'
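Review bot: The new oracle service in the phpunit-oci.yml hunk pulls `ghcr.io/gvenzl/oracle-xe:11` by a floating tag, so the database the matrix runs against can change underneath CI with no record in the repository, unlike the `3rdparty/composer.lock` the same commit updates; pin it by digest, `image: ghcr.io/gvenzl/oracle-xe:11@sha256:<digest-placeholder>`, so runs are reproducible and a re-pointed tag cannot alter what the tests execute. The `runs-on: ubuntu-22.04` pin in the preceding hunk already follows that approach for the runner. The hard-coded `APP_USER_PASSWORD: owncloud` is only reachable on the job's service network and is reasonable for a throwaway test database, but a comment above it such as `# throwaway credential for the ephemeral CI database only` would keep it from being mistaken for a real secret by scanners or future readers. The `--health-cmd healthcheck.sh` option presumably relies on a script shipped inside that image; noting that in the adjacent comment would help whoever next swaps the image.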
diff --git a/3rdparty/composer.lock b/3rdparty/composer.lock index 5cae56feb..876ada205 100644 --- a/3rdparty/composer.lock +++ b/3rdparty/composer.lock @@ -55,21 +55,21 @@ }, { "name": "onelogin/php-saml", - "version": "4.1.0", + "version": "4.3.1", "source": { "type": "git", - "url": "https://github.com/onelogin/php-saml.git", - "reference": "b22a57ebd13e838b90df5d3346090bc37056409d" + "url": "https://github.com/SAML-Toolkits/php-saml.git", + "reference": "b009f160e4ac11f49366a45e0d45706b48429353" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/onelogin/php-saml/zipball/b22a57ebd13e838b90df5d3346090bc37056409d", - "reference": "b22a57ebd13e838b90df5d3346090bc37056409d", + "url": "https://api.github.com/repos/SAML-Toolkits/php-saml/zipball/b009f160e4ac11f49366a45e0d45706b48429353", + "reference": "b009f160e4ac11f49366a45e0d45706b48429353", "shasum": "" }, "require": { "php": ">=7.3", - "robrichards/xmlseclibs": ">=3.1.1" + "robrichards/xmlseclibs": ">=3.1.4" }, "require-dev": { "pdepend/pdepend": "^2.8.0", 
@@ -95,32 +95,40 @@ "license": [ "MIT" ], - "description": "OneLogin PHP SAML Toolkit", - "homepage": "https://developers.onelogin.com/saml/php", + "description": "PHP SAML Toolkit", + "homepage": "https://github.com/SAML-Toolkits/php-saml", "keywords": [ + "Federation", "SAML2", - "onelogin", + "SSO", + "identity", "saml" ], "support": { - "email": "sixto.garcia@onelogin.com", - "issues": "https://github.com/onelogin/php-saml/issues", - "source": "https://github.com/onelogin/php-saml/" + "email": "sixto.martin.garcia@gmail.com", + "issues": "https://github.com/onelogin/SAML-Toolkits/issues", + "source": "https://github.com/onelogin/SAML-Toolkits/" }, - "time": "2022-07-15T20:44:36+00:00" + "funding": [ + { + "url": "https://github.com/SAML-Toolkits", + "type": "github" + } + ], + "time": "2025-12-09T10:50:49+00:00" }, { "name": "robrichards/xmlseclibs", - "version": "3.1.1", + "version": "3.1.4", "source": { "type": "git", "url": "https://github.com/robrichards/xmlseclibs.git", - "reference": "f8f19e58f26cdb42c54b214ff8a820760292f8df" + "reference": "bc87389224c6de95802b505e5265b0ec2c5bcdbd" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/robrichards/xmlseclibs/zipball/f8f19e58f26cdb42c54b214ff8a820760292f8df", - "reference": "f8f19e58f26cdb42c54b214ff8a820760292f8df", + "url": "https://api.github.com/repos/robrichards/xmlseclibs/zipball/bc87389224c6de95802b505e5265b0ec2c5bcdbd", + "reference": "bc87389224c6de95802b505e5265b0ec2c5bcdbd", "shasum": "" }, "require": { 
@@ -147,21 +155,21 @@ ], "support": { "issues": "https://github.com/robrichards/xmlseclibs/issues", - "source": "https://github.com/robrichards/xmlseclibs/tree/3.1.1" + "source": "https://github.com/robrichards/xmlseclibs/tree/3.1.4" }, - "time": "2020-09-05T13:00:25+00:00" + "time": "2025-12-08T11:57:53+00:00" } ], "packages-dev": [], "aliases": [], "minimum-stability": "stable", - "stability-flags": [], + "stability-flags": {}, "prefer-stable": false, "prefer-lowest": false, - "platform": [], - "platform-dev": [], + "platform": {}, + "platform-dev": {}, "platform-overrides": { "php": "7.3" }, - "plugin-api-version": "2.3.0" + "plugin-api-version": "2.9.0" } diff --git a/3rdparty/vendor/autoload.php b/3rdparty/vendor/autoload.php index 9b2099d25..4c74c7bcf 100644 --- a/3rdparty/vendor/autoload.php +++ b/3rdparty/vendor/autoload.php @@ -14,10 +14,7 @@ echo $err; } } - trigger_error( - $err, - E_USER_ERROR - ); + throw new RuntimeException($err); } require_once __DIR__ . '/composer/autoload_real.php'; diff --git a/3rdparty/vendor/composer/ClassLoader.php b/3rdparty/vendor/composer/ClassLoader.php index a72151c77..7824d8f7e 100644 --- a/3rdparty/vendor/composer/ClassLoader.php +++ b/3rdparty/vendor/composer/ClassLoader.php 
@@ -45,35 +45,34 @@ class ClassLoader /** @var \Closure(string):void */ private static $includeFile; - /** @var ?string */ + /** @var string|null */ private $vendorDir; // PSR-4 /** - * @var array[] - * @psalm-var array> + * @var array> */ private $prefixLengthsPsr4 = array(); /** - * @var array[] - * @psalm-var array> + * @var array> */ private $prefixDirsPsr4 = array(); /** - * @var array[] - * @psalm-var array + * @var list */ private $fallbackDirsPsr4 = array(); // PSR-0 /** - * @var array[] - * @psalm-var array> + * List of PSR-0 prefixes + * + * Structured as array('F (first letter)' => array('Foo\Bar (full prefix)' => array('path', 'path2'))) + * + * @var array>> */ private $prefixesPsr0 = array(); /** - * @var array[] - * @psalm-var array + * @var list */ private $fallbackDirsPsr0 = array(); @@ -81,8 +80,7 @@ class ClassLoader private $useIncludePath = false; /** - * @var string[] - * @psalm-var array + * @var array */ private $classMap = array(); @@ -90,21 +88,20 @@ class ClassLoader private $classMapAuthoritative = false; /** - * @var bool[] - * @psalm-var array + * @var array */ private $missingClasses = array(); - /** @var ?string */ + /** @var string|null */ private $apcuPrefix; /** - * @var self[] + * @var array */ private static $registeredLoaders = array(); /** - * @param ?string $vendorDir + * @param string|null $vendorDir */ public function __construct($vendorDir = null) { @@ -113,7 +110,7 @@ public function __construct($vendorDir = null) } /** - * @return string[] + * @return array> */ public function getPrefixes() { @@ -125,8 +122,7 @@ public function getPrefixes() } /** - * @return array[] - * @psalm-return array> + * @return array> */ public function getPrefixesPsr4() { @@ -134,8 +130,7 @@ public function getPrefixesPsr4() } /** - * @return array[] - * @psalm-return array + * @return list */ public function getFallbackDirs() { 
@@ -143,8 +138,7 @@ public function getFallbackDirs() } /** - * @return array[] - * @psalm-return array + * @return list */ public function getFallbackDirsPsr4() { @@ -152,8 +146,7 @@ public function getFallbackDirsPsr4() } /** - * @return string[] Array of classname => path - * @psalm-return array + * @return array Array of classname => path */ public function getClassMap() { @@ -161,8 +154,7 @@ public function getClassMap() } /** - * @param string[] $classMap Class to filename map - * @psalm-param array $classMap + * @param array $classMap Class to filename map * * @return void */ @@ -179,24 +171,25 @@ public function addClassMap(array $classMap) * Registers a set of PSR-0 directories for a given prefix, either * appending or prepending to the ones previously set for this prefix. * - * @param string $prefix The prefix - * @param string[]|string $paths The PSR-0 root directories - * @param bool $prepend Whether to prepend the directories + * @param string $prefix The prefix + * @param list|string $paths The PSR-0 root directories + * @param bool $prepend Whether to prepend the directories * * @return void */ public function add($prefix, $paths, $prepend = false) { + $paths = (array) $paths; if (!$prefix) { if ($prepend) { $this->fallbackDirsPsr0 = array_merge( - (array) $paths, + $paths, $this->fallbackDirsPsr0 ); } else { $this->fallbackDirsPsr0 = array_merge( $this->fallbackDirsPsr0, - (array) $paths + $paths ); } @@ -205,19 +198,19 @@ public function add($prefix, $paths, $prepend = false) $first = $prefix[0]; if (!isset($this->prefixesPsr0[$first][$prefix])) { - $this->prefixesPsr0[$first][$prefix] = (array) $paths; + $this->prefixesPsr0[$first][$prefix] = $paths; return; } if ($prepend) { $this->prefixesPsr0[$first][$prefix] = array_merge( - (array) $paths, + $paths, $this->prefixesPsr0[$first][$prefix] ); } else { $this->prefixesPsr0[$first][$prefix] = array_merge( $this->prefixesPsr0[$first][$prefix], - (array) $paths + $paths ); } } 
@@ -226,9 +219,9 @@ public function add($prefix, $paths, $prepend = false) * Registers a set of PSR-4 directories for a given namespace, either * appending or prepending to the ones previously set for this namespace. * - * @param string $prefix The prefix/namespace, with trailing '\\' - * @param string[]|string $paths The PSR-4 base directories - * @param bool $prepend Whether to prepend the directories + * @param string $prefix The prefix/namespace, with trailing '\\' + * @param list|string $paths The PSR-4 base directories + * @param bool $prepend Whether to prepend the directories * * @throws \InvalidArgumentException * @@ -236,17 +229,18 @@ public function add($prefix, $paths, $prepend = false) */ public function addPsr4($prefix, $paths, $prepend = false) { + $paths = (array) $paths; if (!$prefix) { // Register directories for the root namespace. if ($prepend) { $this->fallbackDirsPsr4 = array_merge( - (array) $paths, + $paths, $this->fallbackDirsPsr4 ); } else { $this->fallbackDirsPsr4 = array_merge( $this->fallbackDirsPsr4, - (array) $paths + $paths ); } } elseif (!isset($this->prefixDirsPsr4[$prefix])) { @@ -256,18 +250,18 @@ public function addPsr4($prefix, $paths, $prepend = false) throw new \InvalidArgumentException("A non-empty PSR-4 prefix must end with a namespace separator."); } $this->prefixLengthsPsr4[$prefix[0]][$prefix] = $length; - $this->prefixDirsPsr4[$prefix] = (array) $paths; + $this->prefixDirsPsr4[$prefix] = $paths; } elseif ($prepend) { // Prepend directories for an already registered namespace. $this->prefixDirsPsr4[$prefix] = array_merge( - (array) $paths, + $paths, $this->prefixDirsPsr4[$prefix] ); } else { // Append directories for an already registered namespace. $this->prefixDirsPsr4[$prefix] = array_merge( $this->prefixDirsPsr4[$prefix], - (array) $paths + $paths ); } } 
@@ -276,8 +270,8 @@ public function addPsr4($prefix, $paths, $prepend = false) * Registers a set of PSR-0 directories for a given prefix, * replacing any others previously set for this prefix. * - * @param string $prefix The prefix - * @param string[]|string $paths The PSR-0 base directories + * @param string $prefix The prefix + * @param list|string $paths The PSR-0 base directories * * @return void */ @@ -294,8 +288,8 @@ public function set($prefix, $paths) * Registers a set of PSR-4 directories for a given namespace, * replacing any others previously set for this namespace. * - * @param string $prefix The prefix/namespace, with trailing '\\' - * @param string[]|string $paths The PSR-4 base directories + * @param string $prefix The prefix/namespace, with trailing '\\' + * @param list|string $paths The PSR-4 base directories * * @throws \InvalidArgumentException * @@ -481,9 +475,9 @@ public function findFile($class) } /** - * Returns the currently registered loaders indexed by their corresponding vendor directories. + * Returns the currently registered loaders keyed by their corresponding vendor directories. * - * @return self[] + * @return array */ public static function getRegisteredLoaders() { diff --git a/3rdparty/vendor/composer/InstalledVersions.php b/3rdparty/vendor/composer/InstalledVersions.php index c6b54af7b..2052022fd 100644 --- a/3rdparty/vendor/composer/InstalledVersions.php +++ b/3rdparty/vendor/composer/InstalledVersions.php 
@@ -26,12 +26,23 @@ */ class InstalledVersions { + /** + * @var string|null if set (by reflection by Composer), this should be set to the path where this class is being copied to + * @internal + */ + private static $selfDir = null; + /** * @var mixed[]|null * @psalm-var array{root: array{name: string, pretty_version: string, version: string, reference: string|null, type: string, install_path: string, aliases: string[], dev: bool}, versions: array}|array{}|null */ private static $installed; + /** + * @var bool + */ + private static $installedIsLocalDir; + /** * @var bool|null */ @@ -98,7 +109,7 @@ public static function isInstalled($packageName, $includeDevRequirements = true) { foreach (self::getInstalled() as $installed) { if (isset($installed['versions'][$packageName])) { - return $includeDevRequirements || empty($installed['versions'][$packageName]['dev_requirement']); + return $includeDevRequirements || !isset($installed['versions'][$packageName]['dev_requirement']) || $installed['versions'][$packageName]['dev_requirement'] === false; } } @@ -119,7 +130,7 @@ public static function isInstalled($packageName, $includeDevRequirements = true) */ public static function satisfies(VersionParser $parser, $packageName, $constraint) { - $constraint = $parser->parseConstraints($constraint); + $constraint = $parser->parseConstraints((string) $constraint); $provided = $parser->parseConstraints(self::getVersionRanges($packageName)); return $provided->matches($constraint); 
@@ -309,6 +320,24 @@ public static function reload($data) { self::$installed = $data; self::$installedByVendor = array(); + + // when using reload, we disable the duplicate protection to ensure that self::$installed data is + // always returned, but we cannot know whether it comes from the installed.php in __DIR__ or not, + // so we have to assume it does not, and that may result in duplicate data being returned when listing + // all installed packages for example + self::$installedIsLocalDir = false; + } + + /** + * @return string + */ + private static function getSelfDir() + { + if (self::$selfDir === null) { + self::$selfDir = strtr(__DIR__, '\\', '/'); + } + + return self::$selfDir; } /** 
@@ -322,17 +351,27 @@ private static function getInstalled() } $installed = array(); + $copiedLocalDir = false; if (self::$canGetVendors) { + $selfDir = self::getSelfDir(); foreach (ClassLoader::getRegisteredLoaders() as $vendorDir => $loader) { + $vendorDir = strtr($vendorDir, '\\', '/'); if (isset(self::$installedByVendor[$vendorDir])) { $installed[] = self::$installedByVendor[$vendorDir]; } elseif (is_file($vendorDir.'/composer/installed.php')) { - $installed[] = self::$installedByVendor[$vendorDir] = require $vendorDir.'/composer/installed.php'; - if (null === self::$installed && strtr($vendorDir.'/composer', '\\', '/') === strtr(__DIR__, '\\', '/')) { - self::$installed = $installed[count($installed) - 1]; + /** @var array{root: array{name: string, pretty_version: string, version: string, reference: string|null, type: string, install_path: string, aliases: string[], dev: bool}, versions: array} $required */ + $required = require $vendorDir.'/composer/installed.php'; + self::$installedByVendor[$vendorDir] = $required; + $installed[] = $required; + if (self::$installed === null && $vendorDir.'/composer' === $selfDir) { + self::$installed = $required; + self::$installedIsLocalDir = true; } } + if (self::$installedIsLocalDir && $vendorDir.'/composer' === $selfDir) { + $copiedLocalDir = true; + } } } 
@@ -340,12 +379,17 @@ private static function getInstalled() // only require the installed.php file if this file is loaded from its dumped location, // and not from its source location in the composer/composer package, see https://github.com/composer/composer/issues/9937 if (substr(__DIR__, -8, 1) !== 'C') { - self::$installed = require __DIR__ . '/installed.php'; + /** @var array{root: array{name: string, pretty_version: string, version: string, reference: string|null, type: string, install_path: string, aliases: string[], dev: bool}, versions: array} $required */ + $required = require __DIR__ . '/installed.php'; + self::$installed = $required; } else { self::$installed = array(); } } - $installed[] = self::$installed; + + if (self::$installed !== array() && !$copiedLocalDir) { + $installed[] = self::$installed; + } return $installed; } diff --git a/3rdparty/vendor/composer/autoload_static.php b/3rdparty/vendor/composer/autoload_static.php index 052f28c5d..d8fcb1b53 100644 --- a/3rdparty/vendor/composer/autoload_static.php +++ b/3rdparty/vendor/composer/autoload_static.php @@ -7,30 +7,30 @@ class ComposerStaticInitcc75f134f7630c1ee3a8e4d7c86f3bcc { public static $prefixLengthsPsr4 = array ( - 'R' => + 'R' => array ( 'RobRichards\\XMLSecLibs\\' => 23, ), - 'O' => + 'O' => array ( 'OneLogin\\' => 9, ), - 'F' => + 'F' => array ( 'Firebase\\JWT\\' => 13, ), ); public static $prefixDirsPsr4 = array ( - 'RobRichards\\XMLSecLibs\\' => + 'RobRichards\\XMLSecLibs\\' => array ( 0 => __DIR__ . '/..' . '/robrichards/xmlseclibs/src', ), - 'OneLogin\\' => + 'OneLogin\\' => array ( 0 => __DIR__ . '/..' . '/onelogin/php-saml/src', ), - 'Firebase\\JWT\\' => + 'Firebase\\JWT\\' => array ( 0 => __DIR__ . '/..' . '/firebase/php-jwt/src', ), diff --git a/3rdparty/vendor/composer/installed.json b/3rdparty/vendor/composer/installed.json index 68b2aa700..2b8687d5a 100644 --- a/3rdparty/vendor/composer/installed.json +++ b/3rdparty/vendor/composer/installed.json 
@@ -48,22 +48,22 @@ }, { "name": "onelogin/php-saml", - "version": "4.1.0", - "version_normalized": "4.1.0.0", + "version": "4.3.1", + "version_normalized": "4.3.1.0", "source": { "type": "git", - "url": "https://github.com/onelogin/php-saml.git", - "reference": "b22a57ebd13e838b90df5d3346090bc37056409d" + "url": "https://github.com/SAML-Toolkits/php-saml.git", + "reference": "b009f160e4ac11f49366a45e0d45706b48429353" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/onelogin/php-saml/zipball/b22a57ebd13e838b90df5d3346090bc37056409d", - "reference": "b22a57ebd13e838b90df5d3346090bc37056409d", + "url": "https://api.github.com/repos/SAML-Toolkits/php-saml/zipball/b009f160e4ac11f49366a45e0d45706b48429353", + "reference": "b009f160e4ac11f49366a45e0d45706b48429353", "shasum": "" }, "require": { "php": ">=7.3", - "robrichards/xmlseclibs": ">=3.1.1" + "robrichards/xmlseclibs": ">=3.1.4" }, "require-dev": { "pdepend/pdepend": "^2.8.0", @@ -79,7 +79,7 @@ "ext-openssl": "Install openssl lib in order to handle with x509 certs (require to support sign and encryption)", "ext-zlib": "Install zlib" }, - "time": "2022-07-15T20:44:36+00:00", + "time": "2025-12-09T10:50:49+00:00", "type": "library", "installation-source": "dist", "autoload": { 
@@ -91,40 +91,48 @@ "license": [ "MIT" ], - "description": "OneLogin PHP SAML Toolkit", - "homepage": "https://developers.onelogin.com/saml/php", + "description": "PHP SAML Toolkit", + "homepage": "https://github.com/SAML-Toolkits/php-saml", "keywords": [ + "Federation", "SAML2", - "onelogin", + "SSO", + "identity", "saml" ], "support": { - "email": "sixto.garcia@onelogin.com", - "issues": "https://github.com/onelogin/php-saml/issues", - "source": "https://github.com/onelogin/php-saml/" + "email": "sixto.martin.garcia@gmail.com", + "issues": "https://github.com/onelogin/SAML-Toolkits/issues", + "source": "https://github.com/onelogin/SAML-Toolkits/" }, + "funding": [ + { + "url": "https://github.com/SAML-Toolkits", + "type": "github" + } + ], "install-path": "../onelogin/php-saml" }, { "name": "robrichards/xmlseclibs", - "version": "3.1.1", - "version_normalized": "3.1.1.0", + "version": "3.1.4", + "version_normalized": "3.1.4.0", "source": { "type": "git", "url": "https://github.com/robrichards/xmlseclibs.git", - "reference": "f8f19e58f26cdb42c54b214ff8a820760292f8df" + "reference": "bc87389224c6de95802b505e5265b0ec2c5bcdbd" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/robrichards/xmlseclibs/zipball/f8f19e58f26cdb42c54b214ff8a820760292f8df", - "reference": "f8f19e58f26cdb42c54b214ff8a820760292f8df", + "url": "https://api.github.com/repos/robrichards/xmlseclibs/zipball/bc87389224c6de95802b505e5265b0ec2c5bcdbd", + "reference": "bc87389224c6de95802b505e5265b0ec2c5bcdbd", "shasum": "" }, "require": { "ext-openssl": "*", "php": ">= 5.4" }, - "time": "2020-09-05T13:00:25+00:00", + "time": "2025-12-08T11:57:53+00:00", "type": "library", "installation-source": "dist", "autoload": { 
@@ -144,9 +152,13 @@ "xml", "xmldsig" ], + "support": { + "issues": "https://github.com/robrichards/xmlseclibs/issues", + "source": "https://github.com/robrichards/xmlseclibs/tree/3.1.4" + }, "install-path": "../robrichards/xmlseclibs" } ], - "dev": false, + "dev": true, "dev-package-names": [] } diff --git a/3rdparty/vendor/composer/installed.php b/3rdparty/vendor/composer/installed.php index cf7230058..0a18df327 100644 --- a/3rdparty/vendor/composer/installed.php +++ b/3rdparty/vendor/composer/installed.php @@ -3,17 +3,17 @@ 'name' => '__root__', 'pretty_version' => 'dev-master', 'version' => 'dev-master', - 'reference' => '8da41face0959b56353ab6852eb6be224feff3f6', + 'reference' => '50396c39aba1c34373512f0e2fa66e0e55e15e8d', 'type' => 'library', 'install_path' => __DIR__ . '/../../', 'aliases' => array(), - 'dev' => false, + 'dev' => true, ), 'versions' => array( '__root__' => array( 'pretty_version' => 'dev-master', 'version' => 'dev-master', - 'reference' => '8da41face0959b56353ab6852eb6be224feff3f6', + 'reference' => '50396c39aba1c34373512f0e2fa66e0e55e15e8d', 'type' => 'library', 'install_path' => __DIR__ . '/../../', 'aliases' => array(), @@ -29,18 +29,18 @@ 'dev_requirement' => false, ), 'onelogin/php-saml' => array( - 'pretty_version' => '4.1.0', - 'version' => '4.1.0.0', - 'reference' => 'b22a57ebd13e838b90df5d3346090bc37056409d', + 'pretty_version' => '4.3.1', + 'version' => '4.3.1.0', + 'reference' => 'b009f160e4ac11f49366a45e0d45706b48429353', 'type' => 'library', 'install_path' => __DIR__ . '/../onelogin/php-saml', 'aliases' => array(), 'dev_requirement' => false, ), 'robrichards/xmlseclibs' => array( - 'pretty_version' => '3.1.1', - 'version' => '3.1.1.0', - 'reference' => 'f8f19e58f26cdb42c54b214ff8a820760292f8df', + 'pretty_version' => '3.1.4', + 'version' => '3.1.4.0', + 'reference' => 'bc87389224c6de95802b505e5265b0ec2c5bcdbd', 'type' => 'library', 'install_path' => __DIR__ . '/../robrichards/xmlseclibs', 'aliases' => array(), 
diff --git a/3rdparty/vendor/composer/platform_check.php b/3rdparty/vendor/composer/platform_check.php index 92370c5a0..d826bd13a 100644 --- a/3rdparty/vendor/composer/platform_check.php +++ b/3rdparty/vendor/composer/platform_check.php @@ -19,8 +19,7 @@ echo 'Composer detected issues in your platform:' . PHP_EOL.PHP_EOL . str_replace('You are running '.PHP_VERSION.'.', '', implode(PHP_EOL, $issues)) . PHP_EOL.PHP_EOL; } } - trigger_error( - 'Composer detected issues in your platform: ' . implode(' ', $issues), - E_USER_ERROR + throw new \RuntimeException( + 'Composer detected issues in your platform: ' . implode(' ', $issues) ); } diff --git a/3rdparty/vendor/onelogin/php-saml/.github/workflows/php-package.yml b/3rdparty/vendor/onelogin/php-saml/.github/workflows/php-package.yml new file mode 100644 index 000000000..6321b7ef4 --- /dev/null +++ b/3rdparty/vendor/onelogin/php-saml/.github/workflows/php-package.yml 
@@ -0,0 +1,54 @@ +# This workflow will install PHP dependencies, run tests and lint with a variety of PHP versions +# For more information see: https://github.com/marketplace/actions/setup-php-action + +name: php-saml 4.x package + +on: + push: + branches: [ 4.* ] + pull_request: + branches: [ 4.* ] + +jobs: + test: + runs-on: ${{ matrix.operating-system }} + strategy: + fail-fast: false + matrix: + operating-system: ['ubuntu-latest'] + php-versions: [7.3, 7.4, 8.0, 8.1, 8.2, 8.3, 8.4] + steps: + - name: Setup PHP, with composer and extensions + uses: shivammathur/setup-php@v2 #https://github.com/shivammathur/setup-php + with: + php-version: ${{ matrix.php-versions }} + extensions: mbstring, intl, mcrypt, xml + tools: composer:v2 + ini-values: post_max_size=256M, max_execution_time=180 + coverage: xdebug + + - name: Set git to use LF + run: | + git config --global core.autocrlf false + git config --global core.eol lf + - uses: actions/checkout@v2 + + - name: Validate composer.json and composer.lock + run: composer validate + + - name: Install Composer dependencies + run: | + composer self-update + composer install --prefer-source --no-interaction + - name: Syntax check PHP + run: | + php vendor/bin/phpcpd --exclude tests --exclude vendor . + php vendor/bin/phploc src/. + mkdir -p tests/build/dependences + php vendor/bin/pdepend --summary-xml=tests/build/logs/dependence-summary.xml --jdepend-chart=tests/build/dependences/jdepend.svg --overview-pyramid=tests/build/dependences/pyramid.svg src/. + + - name: PHP Code Sniffer + run: php vendor/bin/phpcs --standard=tests/ZendModStandard src/Saml2 demo1 demo2 endpoints tests/src + + - name: Run unit tests + run: vendor/bin/phpunit --verbose --debug diff --git a/3rdparty/vendor/onelogin/php-saml/CHANGELOG b/3rdparty/vendor/onelogin/php-saml/CHANGELOG index 27a4b2bd9..572db68bf 100644 --- a/3rdparty/vendor/onelogin/php-saml/CHANGELOG +++ b/3rdparty/vendor/onelogin/php-saml/CHANGELOG 
@@ -1,8 +1,65 @@ CHANGELOG ========= + +v4.3.1 +* Update xmlseclibs version requirement to 3.1.4 due [CVE-2025-66475](https://github.com/advisories/GHSA-c4cc-x928-vjw9) + +v4.3.0 +* PHP 8.4 Compatibility via #600 and #607. +* [#619](https://github.com/SAML-Toolkits/php-saml/pull/619) Add Parameter checking on validateBinarySign, inspired on CVE-2025-27773 +* [#603](https://github.com/SAML-Toolkits/php-saml/issues/603) Fix typo in ignoreValidUntil that breaks metadata. Add a new parameter to exclude validUntil on Settings getSPMetadata +* [#594](https://github.com/SAML-Toolkits/php-saml/pull/594) Add support for encrypted name id in encrypted assertion +* Fix buildWithBaseURLPath. See #581 +* Doc fix typo +* Remove Travis CI references + +v4.2.0 +* [#586](https://github.com/SAML-Toolkits/php-saml/pull/586) IdPMetadataParser::parseRemoteXML - Add argument for setting whether to validate peer SSL certificate +* [#585](https://github.com/SAML-Toolkits/php-saml/pull/585) Declare conditional return types +* [#577](https://github.com/SAML-Toolkits/php-saml/pull/577) Allow empty NameID value when no strict or wantNameId is false +* [#570](https://github.com/SAML-Toolkits/php-saml/pull/570) Support X509 cert comments +* [#569](https://github.com/SAML-Toolkits/php-saml/pull/569) Add parameter to exclude validUntil on SP Metadata XML +* [#551](https://github.com/SAML-Toolkits/php-saml/pull/551) Fix compatibility with proxies that extends HTTP_X_FORWARDED_HOST +* LogoutRequest and the LogoutResponse object to separate functions +* Make Saml2\Auth can accept a param $spValidationOnly +* Fix typos on readme. +* [#480](https://github.com/SAML-Toolkits/php-saml/pull/480) Fix typo on SPNameQualifier mismatch error message +* Remove unbound version constraints on xmlseclibs +* Update dependencies +* Fix test payloads +* Remove references to OneLogin. + +v4.1.0 +* Add pipe through for the $spValidationOnly setting in the Auth class. 
+ +v4.0.1 +* Add compatibility with PHP 8.1 +* [#487](https://github.com/SAML-Toolkits/php-saml/issues/487) Enable strict check on in_array method +* Add warning about Open Redirect and Reply attacks +* Add warning about the use of IdpMetadataParser class. If Metadata URLs + are provided by 3rd parties, the URL inputs MUST be validated to avoid issues like SSRF + v4.0.0 +* [#467](https://github.com/onelogin/php-saml/issues/467) Fix bug on getSelfRoutedURLNoQuery method * Supports PHP 8.X +v3.7.0 +* [#586](https://github.com/SAML-Toolkits/php-saml/pull/586) IdPMetadataParser::parseRemoteXML - Add argument for setting whether to validate peer SSL certificate +* [#585](https://github.com/SAML-Toolkits/php-saml/pull/585) Declare conditional return types +* Make Saml2\Auth can accept a param $spValidationOnly +* [#577](https://github.com/SAML-Toolkits/php-saml/pull/577) Allow empty NameID value when no strict or wantNameId is false +* [#570](https://github.com/SAML-Toolkits/php-saml/pull/570) Support X509 cert comments +* [#569](https://github.com/SAML-Toolkits/php-saml/pull/569) Add parameter to exclude validUntil on SP Metadata XML +* [#551](https://github.com/SAML-Toolkits/php-saml/pull/551) Fix compatibility with proxies that extends HTTP_X_FORWARDED_HOST +* [#487](https://github.com/SAML-Toolkits/php-saml/issues/487) Enable strict check on in_array method +* Make Saml2\Auth can accept a param $spValidationOnly +* Fix typos on readme. +* Add warning about Open Redirect and Reply attacks +* Add warning about the use of IdpMetadataParser class. If Metadata URLs + are provided by 3rd parties, the URL inputs MUST be validated to avoid issues like SSRF +* Fix test payloads +* Remove references to OneLogin. + v3.6.1 * [#467](https://github.com/onelogin/php-saml/issues/467) Fix bug on getSelfRoutedURLNoQuery method 
@@ -18,7 +75,7 @@ v3.5.0 * [#433](https://github.com/onelogin/php-saml/issues/443) Fix Incorrect Destination in LogoutResponse when using responseUrl #443 * Update xmlseclibs to 3.1.1 * Add support for SMARTCARD_PKI and RSA_TOKEN Auth Contexts -* Get lib path dinamically +* Get lib path dynamically * Check for x509Cert of the IdP when loading settings, even if the security index was not provided * Support Statements with Attribute elements with the same name enabling the allowRepeatAttributeName setting @@ -41,7 +98,7 @@ v.3.3.1 v.3.3.0 * Set true as the default value for strict setting -* Relax comparision of false on SignMetadata +* Relax comparison of false on SignMetadata * Fix CI v.3.2.1 
@@ -61,12 +118,46 @@ v.3.1.1 v.3.1.0 * Security improvement suggested by Nils Engelbertz to prevent DDOS by expansion of internally defined entities (XEE) -* Fix setting_example.php servicename parameter +* Fix setting_example.php servicename parameter v.3.0.0 * Remove mcrypt dependency. Compatible with PHP 7.2 * xmlseclibs now is not part of the toolkit and need to be installed from original source +v.2.20.0 +* [#586](https://github.com/SAML-Toolkits/php-saml/pull/586) IdPMetadataParser::parseRemoteXML - Add argument for setting whether to validate peer SSL certificate +* [#585](https://github.com/SAML-Toolkits/php-saml/pull/585) Declare conditional return types +* Make Saml2\Auth can accept a param $spValidationOnly +* [#577](https://github.com/SAML-Toolkits/php-saml/pull/577) Allow empty NameID value when no strict or wantNameId is false +* [#570](https://github.com/SAML-Toolkits/php-saml/pull/570) Support X509 cert comments +* [#569](https://github.com/SAML-Toolkits/php-saml/pull/569) Add parameter to exclude validUntil on SP Metadata XML +* [#551](https://github.com/SAML-Toolkits/php-saml/pull/551) Fix compatibility with proxies that extends HTTP_X_FORWARDED_HOST +* [#487](https://github.com/SAML-Toolkits/php-saml/issues/487) Enable strict check on in_array method +* Fix typos on readme. +* [#480](https://github.com/SAML-Toolkits/php-saml/pull/480) Fix typo on SPNameQualifier mismatch +* Add $spValidationOnly param to Auth +* Update xmlseclibs (3.1.2 without AES-GCM and OAEP support) +* Add warning about Open Redirect and Reply attacks +* Add warning about the use of IdpMetadataParser class. If Metadata URLs + are provided by 3rd parties, the URL inputs MUST be validated to avoid issues like SSRF +* Update dependencies +* Fix test payloads +* Remove references to OneLogin. 
+ +v.2.19.1 +* [#467](https://github.com/onelogin/php-saml/issues/467) Fix bug on getSelfRoutedURLNoQuery method + +v.2.19.0 +* [#412](https://github.com/onelogin/php-saml/pull/412) Empty instead of unset the $_SESSION variable +* [#433](https://github.com/onelogin/php-saml/issues/443) Fix Incorrect Destination in LogoutResponse when using responseUrl #443 +* Add support for SMARTCARD_PKI and RSA_TOKEN Auth Contexts +* Support Statements with Attribute elements with the same name enabling the allowRepeatAttributeName setting +* Get lib path dinamically +* Check for x509Cert of the IdP when loading settings, even if the security index was not provided + +v.2.18.1 +* Add setSchemasPath to Auth class and fix backward compatibility + v.2.18.0 * Support rejecting unsolicited SAMLResponses. * Support stric destination matching. @@ -123,7 +214,7 @@ v.2.12.0 * [#263](https://github.com/onelogin/php-saml/issues/263) Fix incompatibility with ADFS on SLO. When on php saml settings NameID Format is set as unspecified but the SAMLResponse has no NameID Format, no NameID Format should be specified on LogoutRequest. v.2.11.0 -* [#236](https://github.com/onelogin/php-saml/pull/236) Exclude unnecesary files from Composer production downloads +* [#236](https://github.com/onelogin/php-saml/pull/236) Exclude unnecessary files from Composer production downloads * [#226](https://github.com/onelogin/php-saml/pull/226) Add possibility to handle nameId NameQualifier attribute in SLO Request * Improve logout documentation on Readme. * Improve multi-certificate support 
@@ -229,14 +320,14 @@ v.2.7.0 * Fix PHP 7 error (used continue outside a loop/switch). * Fix bug on organization element of the SP metadata builder. * Fix typos on documentation. Fix ALOWED Misspell. -* Be able to extract RequestID. Add RequestID validation on demo1. +* Be able to extract RequestID. Add RequestID validation on demo1. * Add $stay parameter to login, logout and processSLO method. v.2.6.1 ------- * Fix bug on cacheDuration of the Metadata XML generated. * Make SPNameQualifier optional on the generateNameId method. Avoid the use of SPNameQualifier when generating the NameID on the LogoutRequest builder. -* Allows the authn comparsion attribute to be set via config. +* Allows the authn comparison attribute to be set via config. * Retrieve Session Timeout after processResponse with getSessionExpiration(). * Improve readme readability. * Allow single log out to work for applications not leveraging php session_start. Added a callback parameter in order to close the session at processSLO. @@ -254,8 +345,8 @@ v.2.6.0 v.2.5.0 ------- -* Do accesible the ID of the object Logout Request (id attribute). -* Add note about the fact that PHP 5.3 is unssuported. +* Do accessible the ID of the object Logout Request (id attribute). +* Add note about the fact that PHP 5.3 is unsupported. * Add fingerprint algorithm support. * Add dependences to composer. @@ -283,7 +374,7 @@ v.2.2.0 ------- * Fix bug with Encrypted nameID on LogoutRequest. * Fixed usability bug. SP will inform about AuthFail status after process a Response. -* Added SessionIndex support on LogoutRequest, and know is accesible from the Auth class. +* Added SessionIndex support on LogoutRequest, and know is accessible from the Auth class. * LogoutRequest and LogoutResponse classes now accept non deflated xml. * Improved the XML metadata/ Decrypted Assertion output. (prettyprint). * Fix bug in formatPrivateKey method, the key could be not RSA. 
diff --git a/3rdparty/vendor/onelogin/php-saml/LICENSE b/3rdparty/vendor/onelogin/php-saml/LICENSE index dbbca9c6c..c141165ed 100644 --- a/3rdparty/vendor/onelogin/php-saml/LICENSE +++ b/3rdparty/vendor/onelogin/php-saml/LICENSE @@ -1,4 +1,5 @@ -Copyright (c) 2010-2016 OneLogin, Inc. +Copyright (c) 2010-2022 OneLogin, Inc. +Copyright (c) 2023 IAM Digital Services, SL. Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation diff --git a/3rdparty/vendor/onelogin/php-saml/README.md b/3rdparty/vendor/onelogin/php-saml/README.md index 99c24c423..91cb2ddcc 100644 --- a/3rdparty/vendor/onelogin/php-saml/README.md +++ b/3rdparty/vendor/onelogin/php-saml/README.md 
@@ -1,10 +1,8 @@ -# OneLogin's SAML PHP Toolkit Compatible with PHP 7.X & 8.X +# SAML PHP Toolkit Compatible with PHP 7.3,7.4 & 8.X -[![Build Status](https://api.travis-ci.org/onelogin/php-saml.png?branch=master)](http://travis-ci.org/onelogin/php-saml) [![Coverage Status](https://coveralls.io/repos/onelogin/php-saml/badge.png)](https://coveralls.io/r/onelogin/php-saml) [![License](https://poser.pugx.org/onelogin/php-saml/license.png)](https://packagist.org/packages/onelogin/php-saml) +[![php-saml 4.x-dev package](https://github.com/SAML-Toolkits/php-saml/actions/workflows/php-package.yml/badge.svg?branch=4.x-dev)](https://github.com/SAML-Toolkits/php-saml/actions/workflows/php-package.yml) [![Coverage Status](https://coveralls.io/repos/github/SAML-Toolkits/php-saml/badge.svg?branch=4.x-dev)](https://coveralls.io/github/SAML-Toolkits/php-saml?branch=4.x-dev) ![Packagist Dependency Version (specify version)](https://img.shields.io/packagist/dependency-v/onelogin/php-saml/php?version=4.0.0) [![License](https://poser.pugx.org/onelogin/php-saml/license.png)](https://packagist.org/packages/onelogin/php-saml) ![Packagist Downloads](https://img.shields.io/packagist/dm/onelogin/php-saml) ![Packagist Downloads](https://img.shields.io/packagist/dt/onelogin/php-saml?label=Total%20downloads) Add SAML support to your PHP software using this library. -Forget those complicated libraries and use this open source library provided -and supported by OneLogin Inc. Warning 
@@ -15,7 +13,7 @@ This version is compatible with PHP >=7.3 and 8.X and does not include xmlseclib Security Guidelines ------------------- -If you believe you have discovered a security vulnerability in this toolkit, please report it at https://www.onelogin.com/security with a description. We follow responsible disclosure guidelines, and will work with you to quickly find a resolution. +If you believe you have discovered a security vulnerability in this toolkit, please report it by mail to the maintainer: sixto.martin.garcia+security@gmail.com Why add SAML support to my software? @@ -45,7 +43,7 @@ since 2002, but lately it is becoming popular due its advantages: General description ------------------- -OneLogin's SAML PHP toolkit let you build a SP (Service Provider) over +SAML PHP toolkit let you build a SP (Service Provider) over your PHP application and connect it to any IdP (Identity Provider). Supports: @@ -66,7 +64,7 @@ Key features: * **Easy to use** - Programmer will be allowed to code high-level and low-level programming, 2 easy to use APIs are available. * **Tested** - Thoroughly tested. - * **Popular** - OneLogin's customers use it. Many PHP SAML plugins uses it. + * **Popular** - Developers use it. Many PHP SAML plugins uses it. Integrate your PHP toolkit at OneLogin using this guide: [https://developers.onelogin.com/page/saml-toolkit-for-php](https://developers.onelogin.com/page/saml-toolkit-for-php) 
@@ -84,17 +82,17 @@ Installation #### Option 1. clone the repository from github #### -git clone git@github.com:onelogin/php-saml.git +git clone git@github.com:SAML-Toolkits/php-saml.git -Then pull the 3.X.X branch/tag +Then pull the 4.X.X branch/tag #### Option 2. Download from github #### The toolkit is hosted on github. You can download it from: - * https://github.com/onelogin/php-saml/releases + * https://github.com/SAML-Toolkits/php-saml/releases -Search for 3.X.X releases +Search for 4.X.X releases Copy the core of the library inside the php application. (each application has its structure so take your time to locate the PHP SAML toolkit in the best place). @@ -126,7 +124,7 @@ Compatibility This 4.X.X supports PHP >=7.3 . -It is not compatible with PHP5.6 or PHP7.0. +It is not compatible with PHP5.6 or PHP7.0, PHP7.1 or PHP7.2 Namespaces ---------- 
@@ -162,18 +160,18 @@ a trusted and expected URL. Read more about Open Redirect [CWE-601](https://cwe.mitre.org/data/definitions/601.html). -### Avoiding Reply attacks ### +### Avoiding Replay attacks ### -A reply attack is basically try to reuse an intercepted valid SAML Message in order to impersonate a SAML action (SSO or SLO). +A replay attack is basically try to reuse an intercepted valid SAML Message in order to impersonate a SAML action (SSO or SLO). SAML Messages have a limited timelife (NotBefore, NotOnOrAfter) that make harder this kind of attacks, but they are still possible. -In order to avoid them, the SP can keep a list of SAML Messages or Assertion IDs alredy valdidated and processed. Those values only need +In order to avoid them, the SP can keep a list of SAML Messages or Assertion IDs already validated and processed. Those values only need to be stored the amount of time of the SAML Message life time, so we don't need to store all processed message/assertion Ids, but the most recent ones. 
-The OneLogin_Saml2_Auth class contains the [getLastRequestID](https://github.com/onelogin/php-saml/blob/b8214b74dd72960fa6aa88ab454667c64cea935c/src/Saml2/Auth.php#L657), [getLastMessageId](https://github.com/onelogin/php-saml/blob/b8214b74dd72960fa6aa88ab454667c64cea935c/src/Saml2/Auth.php#L762) and [getLastAssertionId](https://github.com/onelogin/php-saml/blob/b8214b74dd72960fa6aa88ab454667c64cea935c/src/Saml2/Auth.php#L770) methods to retrieve the IDs +The OneLogin\Saml2\Auth class contains the [getLastRequestID](https://github.com/SAML-Toolkits/php-saml/blob/b8214b74dd72960fa6aa88ab454667c64cea935c/src/Saml2/Auth.php#L657), [getLastMessageId](https://github.com/SAML-Toolkits/php-saml/blob/b8214b74dd72960fa6aa88ab454667c64cea935c/src/Saml2/Auth.php#L762) and [getLastAssertionId](https://github.com/SAML-Toolkits/php-saml/blob/b8214b74dd72960fa6aa88ab454667c64cea935c/src/Saml2/Auth.php#L770) methods to retrieve the IDs Checking that the ID of the current Message/Assertion does not exists in the list of the ones already processed will prevent reply attacks. @@ -184,7 +182,7 @@ Getting started ### Knowing the toolkit ### -The new OneLogin SAML Toolkit contains different folders (`certs`, `endpoints`, +The new SAML Toolkit contains different folders (`certs`, `endpoints`, `lib`, `demo`, etc.) and some files. Let's start describing the folders: @@ -310,7 +308,7 @@ $settings = array( // URL Location where the from the IdP will be returned 'url' => '', // SAML protocol binding to be used when returning the - // message. OneLogin Toolkit supports this endpoint for the + // message. SAML Toolkit supports this endpoint for the // HTTP-POST binding only. 'binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST', ), 
@@ -336,7 +334,7 @@ $settings = array( // URL Location where the from the IdP will be returned 'url' => '', // SAML protocol binding to be used when returning the - // message. OneLogin Toolkit supports the HTTP-Redirect binding + // message. SAML Toolkit supports the HTTP-Redirect binding // only for this endpoint. 'binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect', ), @@ -509,7 +507,7 @@ $advancedSettings = array( // If true, Destination URL should strictly match to the address to // which the response has been sent. - // Notice that if 'relaxDestinationValidation' is true an empty Destintation + // Notice that if 'relaxDestinationValidation' is true an empty Destination // will be accepted. 'destinationStrictlyMatches' => false, @@ -517,7 +515,7 @@ $advancedSettings = array( // contain atribute elements with name duplicated 'allowRepeatAttributeName' => false, - // If true, SAMLResponses with an InResponseTo value will be rejectd if not + // If true, SAMLResponses with an InResponseTo value will be rejected if not // AuthNRequest ID provided to the validation method. 'rejectUnsolicitedResponsesWithInResponseTo' => false, @@ -568,7 +566,7 @@ $advancedSettings = array( ), // Organization information template, the info in en_US lang is - // recomended, add more if required. + // recommended, add more if required. 'organization' => array( 'en-US' => array( 'name' => '', @@ -641,7 +639,7 @@ After that line we will be able to use the classes (and their methods) of the toolkit (because the external and the Saml2 libraries files are loaded). That toolkit depends on [xmlseclibs](https://github.com/robrichards/xmlseclibs) 3.X.X branch, -you will need to get its code and place on your project and reuse the _toolkit_loader.php +you will need to get its code and place on your project and reuse the _toolkit_loader.php file to include xmlseclibs as well. 
@@ -679,7 +677,7 @@ The login method can receive other six optional parameters: * `$parameters` - An array of parameters that will be added to the `GET` in the HTTP-Redirect. * `$forceAuthn` - When true the `AuthNRequest` will set the `ForceAuthn='true'` * `$isPassive` - When true the `AuthNRequest` will set the `Ispassive='true'` -* `$strict` - True if we want to stay (returns the url string) False to redirect +* `$stay` - True if we want to stay (returns the url string) False to redirect * `$setNameIdPolicy` - When true the AuthNRequest will set a nameIdPolicy element. * `$nameIdValueReq` - Indicates to the IdP the subject that should be authenticated. @@ -911,7 +909,7 @@ $auth->processSLO(false, $requestID); $errors = $auth->getErrors(); if (empty($errors)) { - echo 'Sucessfully logged out'; + echo 'Successfully logged out'; } else { echo implode(', ', $errors); } @@ -1118,7 +1116,7 @@ if (isset($_GET['sso'])) { // SSO action. Will send an AuthNRequest to the I echo '

' . implode(', ', $errors) . '

'; } // This check if the response was - if (!$auth->isAuthenticated()) { // sucessfully validated and the user + if (!$auth->isAuthenticated()) { // successfully validated and the user echo '

Not authenticated

'; // data retrieved or not exit(); } @@ -1133,7 +1131,7 @@ if (isset($_GET['sso'])) { // SSO action. Will send an AuthNRequest to the I $auth->processSLO(); // Process the Logout Request & Logout Response $errors = $auth->getErrors(); // Retrieves possible validation errors if (empty($errors)) { - echo '

Sucessfully logged out

'; + echo '

Successfully logged out

'; } else { echo '

' . htmlentities(implode(', ', $errors)) . '

'; } @@ -1230,7 +1228,7 @@ Lets describe now the classes and methods of the SAML2 library. ##### OneLogin\Saml2\Auth - Auth.php ##### -Main class of OneLogin PHP Toolkit +Main class of SAML PHP Toolkit * `Auth` - Initializes the SP SAML instance * `login` - Initiates the SSO process. @@ -1259,6 +1257,9 @@ Main class of OneLogin PHP Toolkit * `getLastRequestID` - Gets the ID of the last AuthNRequest or LogoutRequest generated by the Service Provider. * `getLastRequestXML` - Returns the most recently-constructed/processed XML SAML request (AuthNRequest, LogoutRequest) * `getLastResponseXML` - Returns the most recently-constructed/processed XML SAML response (SAMLResponse, LogoutResponse). If the SAMLResponse had an encrypted assertion, decrypts it. +* `buildAuthnRequest` - Creates an AuthnRequest +* `buildLogoutRequest` - Creates an LogoutRequest +* `buildLogoutResponse` - Constructs a Logout Response object (Initialize params from settings and if provided load the Logout Response). ##### OneLogin\Saml2\AuthnRequest - `AuthnRequest.php` ##### @@ -1301,7 +1302,7 @@ SAML 2 Authentication Response class SAML 2 Logout Request class * `LogoutRequest` - Constructs the Logout Request object. - * `getRequest` - Returns the Logout Request defated, base64encoded, unsigned + * `getRequest` - Returns the Logout Request deflated, base64encoded, unsigned * `getID` - Returns the ID of the Logout Request. (If you have the object you can access to the id attribute) * `getNameIdData` - Gets the NameID Data of the the Logout Request. * `getNameId` - Gets the NameID of the Logout Request. @@ -1327,7 +1328,7 @@ SAML 2 Logout Response class ##### OneLogin\Saml2\Settings - `Settings.php` ##### -Configuration of the OneLogin PHP Toolkit +Configuration of the SAML PHP Toolkit * `Settings` - Initializes the settings: Sets the paths of the different folders and Loads settings info from settings file or 
@@ -1368,7 +1369,7 @@ A class that contains functionality related to the metadata of the SP * `builder` - Generates the metadata of the SP based on the settings. * `signmetadata` - Signs the metadata with the key/cert provided -* `addX509KeyDescriptors` - Adds the x509 descriptors (sign/encriptation) to +* `addX509KeyDescriptors` - Adds the x509 descriptors (sign/encryption) to the metadata ##### OneLogin\Saml2\Utils - `Utils.php` ##### @@ -1439,7 +1440,7 @@ Demos require that SP and IdP are well configured before test it. ### SP setup ### -The Onelogin's PHP Toolkit allows you to provide the settings info in two ways: +The SAML PHP Toolkit allows you to provide the settings info in two ways: * Use a `settings.php` file that we should locate at the base folder of the toolkit. @@ -1514,7 +1515,7 @@ must be done. ### SP setup ### -The Onelogin's PHP Toolkit allows you to provide the settings info in two ways: +The SAML PHP Toolkit allows you to provide the settings info in two ways: * Use a `settings.php` file that we should locate at the base folder of the toolkit. @@ -1582,4 +1583,3 @@ demo1, only changes the targets. to the IdP (to the SLS endpoint of the IdP).The IdP receives the Logout Response, process it and close the session at of the IdP. Notice that the SLO Workflow starts and ends at the IdP. - diff --git a/3rdparty/vendor/onelogin/php-saml/advanced_settings_example.php b/3rdparty/vendor/onelogin/php-saml/advanced_settings_example.php index d9c16e289..6336d9654 100644 --- a/3rdparty/vendor/onelogin/php-saml/advanced_settings_example.php +++ b/3rdparty/vendor/onelogin/php-saml/advanced_settings_example.php @@ -87,7 +87,7 @@ // If true, Destination URL should strictly match to the address to // which the response has been sent. - // Notice that if 'relaxDestinationValidation' is true an empty Destintation + // Notice that if 'relaxDestinationValidation' is true an empty Destination // will be accepted. 'destinationStrictlyMatches' => false, 
@@ -95,7 +95,7 @@ // contain atribute elements with name duplicated 'allowRepeatAttributeName' => false, - // If true, SAMLResponses with an InResponseTo value will be rejectd if not + // If true, SAMLResponses with an InResponseTo value will be rejected if not // AuthNRequest ID provided to the validation method. 'rejectUnsolicitedResponsesWithInResponseTo' => false, @@ -132,7 +132,7 @@ 'lowercaseUrlencoding' => false, ), - // Contact information template, it is recommended to suply a technical and support contacts + // Contact information template, it is recommended to supply a technical and support contacts 'contactPerson' => array( 'technical' => array( 'givenName' => '', @@ -144,7 +144,7 @@ ), ), - // Organization information template, the info in en_US lang is recomended, add more if required + // Organization information template, the info in en_US lang is recommended, add more if required 'organization' => array( 'en-US' => array( 'name' => '', diff --git a/3rdparty/vendor/onelogin/php-saml/composer.json b/3rdparty/vendor/onelogin/php-saml/composer.json index 42290e8e8..9e0efa42d 100644 --- a/3rdparty/vendor/onelogin/php-saml/composer.json +++ b/3rdparty/vendor/onelogin/php-saml/composer.json 
@@ -1,22 +1,22 @@ { "name": "onelogin/php-saml", - "description": "OneLogin PHP SAML Toolkit", + "description": "PHP SAML Toolkit", "license": "MIT", - "homepage": "https://developers.onelogin.com/saml/php", - "keywords": ["saml", "saml2", "onelogin"], + "homepage": "https://github.com/SAML-Toolkits/php-saml", + "keywords": ["saml", "saml2", "sso", "federation", "identity"], "autoload": { "psr-4": { "OneLogin\\": "src/" } }, "support": { - "email": "sixto.garcia@onelogin.com", - "issues": "https://github.com/onelogin/php-saml/issues", - "source": "https://github.com/onelogin/php-saml/" + "email": "sixto.martin.garcia@gmail.com", + "issues": "https://github.com/onelogin/SAML-Toolkits/issues", + "source": "https://github.com/onelogin/SAML-Toolkits/" }, "require": { "php": ">=7.3", - "robrichards/xmlseclibs": ">=3.1.1" + "robrichards/xmlseclibs": ">=3.1.4" }, "require-dev": { "phpunit/phpunit": "^9.5", diff --git a/3rdparty/vendor/onelogin/php-saml/phpunit.xml b/3rdparty/vendor/onelogin/php-saml/phpunit.xml index 600c3babc..02d64b3af 100644 --- a/3rdparty/vendor/onelogin/php-saml/phpunit.xml +++ b/3rdparty/vendor/onelogin/php-saml/phpunit.xml @@ -12,7 +12,7 @@ - + ./tests/src diff --git a/3rdparty/vendor/onelogin/php-saml/src/Saml2/Auth.php b/3rdparty/vendor/onelogin/php-saml/src/Saml2/Auth.php index e5c4d54cd..a860b3588 100644 --- a/3rdparty/vendor/onelogin/php-saml/src/Saml2/Auth.php +++ b/3rdparty/vendor/onelogin/php-saml/src/Saml2/Auth.php 
@@ -2,15 +2,13 @@ /** * This file is part of php-saml. * - * (c) OneLogin Inc - * * For the full copyright and license information, please view the LICENSE * file that was distributed with this source code. * * @package OneLogin - * @author OneLogin Inc - * @license MIT https://github.com/onelogin/php-saml/blob/master/LICENSE - * @link https://github.com/onelogin/php-saml + * @author Sixto Martin + * @license MIT https://github.com/SAML-Toolkits/php-saml/blob/master/LICENSE + * @link https://github.com/SAML-Toolkits/php-saml */ namespace OneLogin\Saml2; @@ -20,7 +18,7 @@ use Exception; /** - * Main class of OneLogin's PHP Toolkit + * Main class of SAML PHP Toolkit */ class Auth { @@ -173,7 +171,7 @@ class Auth * @throws Exception * @throws Error */ - public function __construct(array $settings = null, bool $spValidationOnly = false) + public function __construct(?array $settings = null, bool $spValidationOnly = false) { $this->_settings = new Settings($settings, $spValidationOnly); } @@ -272,6 +270,7 @@ public function processResponse($requestId = null) * @param bool $stay True if we want to stay (returns the url string) False to redirect * * @return string|null + * @phpstan-return ($stay is true ? string : never) * * @throws Error */ @@ -280,7 +279,7 @@ public function processSLO($keepLocalSession = false, $requestId = null, $retrie $this->_errors = array(); $this->_lastError = $this->_lastErrorException = null; if (isset($_GET['SAMLResponse'])) { - $logoutResponse = new LogoutResponse($this->_settings, $_GET['SAMLResponse']); + $logoutResponse = $this->buildLogoutResponse($this->_settings, $_GET['SAMLResponse']); $this->_lastResponse = $logoutResponse->getXML(); if (!$logoutResponse->isValid($requestId, $retrieveParametersFromServer)) { $this->_errors[] = 'invalid_logout_response'; 
@@ -300,7 +299,7 @@ public function processSLO($keepLocalSession = false, $requestId = null, $retrie } } } else if (isset($_GET['SAMLRequest'])) { - $logoutRequest = new LogoutRequest($this->_settings, $_GET['SAMLRequest']); + $logoutRequest = $this->buildLogoutRequest($this->_settings, $_GET['SAMLRequest']); $this->_lastRequest = $logoutRequest->getXML(); if (!$logoutRequest->isValid($retrieveParametersFromServer)) { $this->_errors[] = 'invalid_logout_request'; @@ -316,7 +315,7 @@ public function processSLO($keepLocalSession = false, $requestId = null, $retrie } $inResponseTo = $logoutRequest->id; $this->_lastMessageId = $logoutRequest->id; - $responseBuilder = new LogoutResponse($this->_settings); + $responseBuilder = $this->buildLogoutResponse($this->_settings); $responseBuilder->build($inResponseTo); $this->_lastResponse = $responseBuilder->getXML(); @@ -354,6 +353,7 @@ public function processSLO($keepLocalSession = false, $requestId = null, $retrie * @param bool $stay True if we want to stay (returns the url string) False to redirect * * @return string|null + * @phpstan-return ($stay is true ? string : never) */ public function redirectTo($url = '', array $parameters = array(), $stay = false) { @@ -535,6 +535,7 @@ public function getAttributeWithFriendlyName($friendlyName) * @param string $nameIdValueReq Indicates to the IdP the subject that should be authenticated * * @return string|null If $stay is True, it return a string with the SLO URL + LogoutRequest + parameters + * @phpstan-return ($stay is true ? string : never) * * @throws Error */ @@ -575,6 +576,7 @@ public function login($returnTo = null, array $parameters = array(), $forceAuthn * @param string|null $nameIdNameQualifier The NameID NameQualifier will be set in the LogoutRequest. * * @return string|null If $stay is True, it return a string with the SLO URL + LogoutRequest + parameters + * @phpstan-return ($stay is true ? string : never) * * @throws Error */ 
@@ -595,7 +597,7 @@ public function logout($returnTo = null, array $parameters = array(), $nameId = $nameIdFormat = $this->_nameidFormat; } - $logoutRequest = new LogoutRequest($this->_settings, null, $nameId, $sessionIndex, $nameIdFormat, $nameIdNameQualifier, $nameIdSPNameQualifier); + $logoutRequest = $this->buildLogoutRequest($this->_settings, null, $nameId, $sessionIndex, $nameIdFormat, $nameIdNameQualifier, $nameIdSPNameQualifier); $this->_lastRequest = $logoutRequest->getXML(); $this->_lastRequestID = $logoutRequest->id; 
@@ -671,11 +673,42 @@ public function getLastRequestID() * * @return AuthnRequest The AuthnRequest object */ - public function buildAuthnRequest($settings, $forceAuthn, $isPassive, $setNameIdPolicy, $nameIdValueReq = null) + public function buildAuthnRequest(Settings $settings, $forceAuthn, $isPassive, $setNameIdPolicy, $nameIdValueReq = null) { return new AuthnRequest($settings, $forceAuthn, $isPassive, $setNameIdPolicy, $nameIdValueReq); } + /** + * Creates an LogoutRequest + * + * @param Settings $settings Settings + * @param string|null $request A UUEncoded Logout Request. + * @param string|null $nameId The NameID that will be set in the LogoutRequest. + * @param string|null $sessionIndex The SessionIndex (taken from the SAML Response in the SSO process). + * @param string|null $nameIdFormat The NameID Format will be set in the LogoutRequest. + * @param string|null $nameIdNameQualifier The NameID NameQualifier will be set in the LogoutRequest. + * @param string|null $nameIdSPNameQualifier The NameID SP NameQualifier will be set in the LogoutRequest. + */ + public function buildLogoutRequest(Settings $settings, $request = null, $nameId = null, $sessionIndex = null, $nameIdFormat = null, $nameIdNameQualifier = null, $nameIdSPNameQualifier = null) + { + return new LogoutRequest($settings, $request, $nameId, $sessionIndex, $nameIdFormat, $nameIdNameQualifier, $nameIdSPNameQualifier); + } + + /** + * Constructs a Logout Response object (Initialize params from settings and if provided + * load the Logout Response. + * + * @param Settings $settings Settings. + * @param string|null $response An UUEncoded SAML Logout response from the IdP. + * + * @throws Error + * @throws Exception + */ + public function buildLogoutResponse(Settings $settings, $response = null) + { + return new LogoutResponse($settings, $response); + } + /** * Generates the Signature for a SAML Request * 
diff --git a/3rdparty/vendor/onelogin/php-saml/src/Saml2/AuthnRequest.php b/3rdparty/vendor/onelogin/php-saml/src/Saml2/AuthnRequest.php index fd9afb538..cea20fc74 100644 --- a/3rdparty/vendor/onelogin/php-saml/src/Saml2/AuthnRequest.php +++ b/3rdparty/vendor/onelogin/php-saml/src/Saml2/AuthnRequest.php @@ -2,15 +2,13 @@ /** * This file is part of php-saml. * - * (c) OneLogin Inc - * * For the full copyright and license information, please view the LICENSE * file that was distributed with this source code. * * @package OneLogin - * @author OneLogin Inc - * @license MIT https://github.com/onelogin/php-saml/blob/master/LICENSE - * @link https://github.com/onelogin/php-saml + * @author Sixto Martin + * @license MIT https://github.com/SAML-Toolkits/php-saml/blob/master/LICENSE + * @link https://github.com/SAML-Toolkits/php-saml */ namespace OneLogin\Saml2; diff --git a/3rdparty/vendor/onelogin/php-saml/src/Saml2/Constants.php b/3rdparty/vendor/onelogin/php-saml/src/Saml2/Constants.php index 1b467dd6c..d9ee73aed 100644 --- a/3rdparty/vendor/onelogin/php-saml/src/Saml2/Constants.php +++ b/3rdparty/vendor/onelogin/php-saml/src/Saml2/Constants.php @@ -2,21 +2,19 @@ /** * This file is part of php-saml. * - * (c) OneLogin Inc - * * For the full copyright and license information, please view the LICENSE * file that was distributed with this source code. * * @package OneLogin - * @author OneLogin Inc - * @license MIT https://github.com/onelogin/php-saml/blob/master/LICENSE - * @link https://github.com/onelogin/php-saml + * @author Sixto Martin + * @license MIT https://github.com/SAML-Toolkits/php-saml/blob/master/LICENSE + * @link https://github.com/SAML-Toolkits/php-saml */ namespace OneLogin\Saml2; /** - * Constants of OneLogin PHP Toolkit + * Constants of SAML PHP Toolkit * * Defines all required constants */ diff --git a/3rdparty/vendor/onelogin/php-saml/src/Saml2/Error.php b/3rdparty/vendor/onelogin/php-saml/src/Saml2/Error.php index 211acf486..b6debbb12 100644 
--- a/3rdparty/vendor/onelogin/php-saml/src/Saml2/Error.php +++ b/3rdparty/vendor/onelogin/php-saml/src/Saml2/Error.php @@ -2,15 +2,13 @@ /** * This file is part of php-saml. * - * (c) OneLogin Inc - * * For the full copyright and license information, please view the LICENSE * file that was distributed with this source code. * * @package OneLogin - * @author OneLogin Inc - * @license MIT https://github.com/onelogin/php-saml/blob/master/LICENSE - * @link https://github.com/onelogin/php-saml + * @author Sixto Martin + * @license MIT https://github.com/SAML-Toolkits/php-saml/blob/master/LICENSE + * @link https://github.com/SAML-Toolkits/php-saml */ namespace OneLogin\Saml2; @@ -18,7 +16,7 @@ use Exception; /** - * Error class of OneLogin PHP Toolkit + * Error class of SAML PHP Toolkit * * Defines the Error class */ @@ -42,6 +40,7 @@ class Error extends Exception const SAML_SINGLE_LOGOUT_NOT_SUPPORTED = 12; const PRIVATE_KEY_NOT_FOUND = 13; const UNSUPPORTED_SETTINGS_OBJECT = 14; + const INVALID_PARAMETER = 15; /** * Constructor diff --git a/3rdparty/vendor/onelogin/php-saml/src/Saml2/IdPMetadataParser.php b/3rdparty/vendor/onelogin/php-saml/src/Saml2/IdPMetadataParser.php index a4fcc30e1..58c7a4105 100644 --- a/3rdparty/vendor/onelogin/php-saml/src/Saml2/IdPMetadataParser.php +++ b/3rdparty/vendor/onelogin/php-saml/src/Saml2/IdPMetadataParser.php @@ -2,15 +2,13 @@ /** * This file is part of php-saml. * - * (c) OneLogin Inc - * * For the full copyright and license information, please view the LICENSE * file that was distributed with this source code. * * @package OneLogin - * @author OneLogin Inc - * @license MIT https://github.com/onelogin/php-saml/blob/master/LICENSE - * @link https://github.com/onelogin/php-saml + * @author Sixto Martin + * @license MIT https://github.com/SAML-Toolkits/php-saml/blob/master/LICENSE + * @link https://github.com/SAML-Toolkits/php-saml */ namespace OneLogin\Saml2; 
@@ -19,7 +17,7 @@ use Exception; /** - * IdP Metadata Parser of OneLogin PHP Toolkit + * IdP Metadata Parser of SAML PHP Toolkit */ class IdPMetadataParser { @@ -38,10 +36,11 @@ class IdPMetadataParser * @param string $desiredNameIdFormat If available on IdP metadata, use that nameIdFormat * @param string $desiredSSOBinding Parse specific binding SSO endpoint * @param string $desiredSLOBinding Parse specific binding SLO endpoint + * @param bool $validatePeer Enable or disable validate peer SSL certificate * * @return array metadata info in php-saml settings format */ - public static function parseRemoteXML($url, $entityId = null, $desiredNameIdFormat = null, $desiredSSOBinding = Constants::BINDING_HTTP_REDIRECT, $desiredSLOBinding = Constants::BINDING_HTTP_REDIRECT) + public static function parseRemoteXML($url, $entityId = null, $desiredNameIdFormat = null, $desiredSSOBinding = Constants::BINDING_HTTP_REDIRECT, $desiredSLOBinding = Constants::BINDING_HTTP_REDIRECT, $validatePeer = false) { $metadataInfo = array(); @@ -53,7 +52,7 @@ public static function parseRemoteXML($url, $entityId = null, $desiredNameIdForm curl_setopt($ch, CURLOPT_CUSTOMREQUEST, "GET"); curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1); - curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0); + curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, $validatePeer); curl_setopt($ch, CURLOPT_FAILONERROR, 1); $xml = curl_exec($ch); diff --git a/3rdparty/vendor/onelogin/php-saml/src/Saml2/LogoutRequest.php b/3rdparty/vendor/onelogin/php-saml/src/Saml2/LogoutRequest.php index 108c49bee..1e5391051 100644 --- a/3rdparty/vendor/onelogin/php-saml/src/Saml2/LogoutRequest.php +++ b/3rdparty/vendor/onelogin/php-saml/src/Saml2/LogoutRequest.php 
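Review bot: The new `$validatePeer` parameter of `parseRemoteXML` defaults to `false`, so every existing caller keeps fetching IdP metadata over TLS with `CURLOPT_SSL_VERIFYPEER` disabled; the default is upstream's choice, but the call sites in this repository should be checked and pass `true` explicitly (e.g. `IdPMetadataParser::parseRemoteXML($url, null, null, Constants::BINDING_HTTP_REDIRECT, Constants::BINDING_HTTP_REDIRECT, true)`) unless an operator-controlled opt-out is intended. `CURLOPT_SSL_VERIFYHOST` is not visible in the hunk, so whether hostname verification is enforced even when peer verification is on cannot be confirmed from here and is worth checking in the full function. The body of `parseRemoteXML` continues outside the hunk.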
@@ -2,17 +2,14 @@ /** * This file is part of php-saml. * - * (c) OneLogin Inc - * * For the full copyright and license information, please view the LICENSE * file that was distributed with this source code. * * @package OneLogin - * @author OneLogin Inc - * @license MIT https://github.com/onelogin/php-saml/blob/master/LICENSE - * @link https://github.com/onelogin/php-saml + * @author Sixto Martin + * @license MIT https://github.com/SAML-Toolkits/php-saml/blob/master/LICENSE + * @link https://github.com/SAML-Toolkits/php-saml */ - namespace OneLogin\Saml2; use RobRichards\XMLSecLibs\XMLSecurityKey; @@ -158,7 +155,7 @@ public function __construct(\OneLogin\Saml2\Settings $settings, $request = null, } /** - * Returns the Logout Request defated, base64encoded, unsigned + * Returns the Logout Request deflated, base64encoded, unsigned * * @param bool|null $deflate Whether or not we should 'gzdeflate' the request body before we return it. * @@ -347,7 +344,7 @@ public static function getSessionIndexes($request) } /** - * Checks if the Logout Request recieved is valid. + * Checks if the Logout Request received is valid. * * @param bool $retrieveParametersFromServer True if we want to use parameters from $_SERVER to validate the signature * diff --git a/3rdparty/vendor/onelogin/php-saml/src/Saml2/LogoutResponse.php b/3rdparty/vendor/onelogin/php-saml/src/Saml2/LogoutResponse.php index 9c3f020ee..64e373c19 100644 --- a/3rdparty/vendor/onelogin/php-saml/src/Saml2/LogoutResponse.php +++ b/3rdparty/vendor/onelogin/php-saml/src/Saml2/LogoutResponse.php 
@@ -2,15 +2,13 @@ /** * This file is part of php-saml. * - * (c) OneLogin Inc - * * For the full copyright and license information, please view the LICENSE * file that was distributed with this source code. * * @package OneLogin - * @author OneLogin Inc - * @license MIT https://github.com/onelogin/php-saml/blob/master/LICENSE - * @link https://github.com/onelogin/php-saml + * @author Sixto Martin + * @license MIT https://github.com/SAML-Toolkits/php-saml/blob/master/LICENSE + * @link https://github.com/SAML-Toolkits/php-saml */ namespace OneLogin\Saml2; @@ -237,7 +235,7 @@ public function isValid($requestId = null, $retrieveParametersFromServer = false } /** - * Extracts a node from the DOMDocument (Logout Response Menssage) + * Extracts a node from the DOMDocument (Logout Response Message) * * @param string $query Xpath Expression * diff --git a/3rdparty/vendor/onelogin/php-saml/src/Saml2/Metadata.php b/3rdparty/vendor/onelogin/php-saml/src/Saml2/Metadata.php index 922ad60ba..0057c1759 100644 --- a/3rdparty/vendor/onelogin/php-saml/src/Saml2/Metadata.php +++ b/3rdparty/vendor/onelogin/php-saml/src/Saml2/Metadata.php @@ -2,15 +2,13 @@ /** * This file is part of php-saml. * - * (c) OneLogin Inc - * * For the full copyright and license information, please view the LICENSE * file that was distributed with this source code. * * @package OneLogin - * @author OneLogin Inc - * @license MIT https://github.com/onelogin/php-saml/blob/master/LICENSE - * @link https://github.com/onelogin/php-saml + * @author Sixto Martin + * @license MIT https://github.com/SAML-Toolkits/php-saml/blob/master/LICENSE + * @link https://github.com/SAML-Toolkits/php-saml */ namespace OneLogin\Saml2; @@ -22,7 +20,7 @@ use Exception; /** - * Metadata lib of OneLogin PHP Toolkit + * Metadata lib of SAML PHP Toolkit */ class Metadata { 
@@ -40,10 +38,11 @@ class Metadata * @param array $contacts Contacts info * @param array $organization Organization ingo * @param array $attributes + * @param bool $ignoreValidUntil exclude the validUntil tag from metadata * * @return string SAML Metadata XML */ - public static function builder($sp, $authnsign = false, $wsign = false, $validUntil = null, $cacheDuration = null, $contacts = array(), $organization = array(), $attributes = array()) + public static function builder($sp, $authnsign = false, $wsign = false, $validUntil = null, $cacheDuration = null, $contacts = array(), $organization = array(), $attributes = array(), $ignoreValidUntil = false) { if (!isset($validUntil)) { @@ -163,27 +162,37 @@ public static function builder($sp, $authnsign = false, $wsign = false, $validUn $requestedAttributeStr = implode(PHP_EOL, $requestedAttributeData); $strAttributeConsumingService = << + + {$sp['attributeConsumingService']['serviceName']} {$attrCsDesc}{$requestedAttributeStr} METADATA_TEMPLATE; } + if ($ignoreValidUntil) { + $timeStr = << {$sls} {$sp['NameIDFormat']} - {$strAttributeConsumingService} + index="1" />{$strAttributeConsumingService} {$strOrganization}{$strContacts} METADATA_TEMPLATE; diff --git a/3rdparty/vendor/onelogin/php-saml/src/Saml2/Response.php b/3rdparty/vendor/onelogin/php-saml/src/Saml2/Response.php index 813aa66a1..a3c1859a6 100644 --- a/3rdparty/vendor/onelogin/php-saml/src/Saml2/Response.php +++ b/3rdparty/vendor/onelogin/php-saml/src/Saml2/Response.php 
@@ -2,15 +2,13 @@ /** * This file is part of php-saml. * - * (c) OneLogin Inc - * * For the full copyright and license information, please view the LICENSE * file that was distributed with this source code. * * @package OneLogin - * @author OneLogin Inc - * @license MIT https://github.com/onelogin/php-saml/blob/master/LICENSE - * @link https://github.com/onelogin/php-saml + * @author Sixto Martin + * @license MIT https://github.com/SAML-Toolkits/php-saml/blob/master/LICENSE + * @link https://github.com/SAML-Toolkits/php-saml */ namespace OneLogin\Saml2; @@ -63,6 +61,13 @@ class Response */ public $encrypted = false; + /** + * The response contains an encrypted nameId in the assertion. + * + * @var bool + */ + public $encryptedNameId = false; + /** * After validation, if it fail this var has the cause of the problem * @@ -229,14 +234,12 @@ public function isValid($requestId = null) ); } - if ($security['wantNameIdEncrypted']) { - $encryptedIdNodes = $this->_queryAssertion('/saml:Subject/saml:EncryptedID/xenc:EncryptedData'); - if ($encryptedIdNodes->length != 1) { - throw new ValidationError( - "The NameID of the Response is not encrypted and the SP requires it", - ValidationError::NO_ENCRYPTED_NAMEID - ); - } + $this->encryptedNameId = $this->encryptedNameId || $this->_queryAssertion('/saml:Subject/saml:EncryptedID/xenc:EncryptedData')->length > 0; + if (!$this->encryptedNameId && $security['wantNameIdEncrypted']) { + throw new ValidationError( + "The NameID of the Response is not encrypted and the SP requires it", + ValidationError::NO_ENCRYPTED_NAMEID + ); } // Validate Conditions element exists @@ -247,7 +250,7 @@ public function isValid($requestId = null) ); } - // Validate Asserion timestamps + // Validate Assertion timestamps $this->validateTimestamps(); // Validate AuthnStatement element exists and is unique 
@@ -298,12 +301,9 @@ public function isValid($requestId = null) // Check audience $validAudiences = $this->getAudiences(); if (!empty($validAudiences) && !in_array($spEntityId, $validAudiences, true)) { + $validAudiencesStr = implode(',', $validAudiences); throw new ValidationError( - sprintf( - "Invalid audience for this Response (expected '%s', got '%s')", - $spEntityId, - implode(',', $validAudiences) - ), + "Invalid audience for this Response (expected '".$spEntityId."', got '".$validAudiencesStr."')", ValidationError::WRONG_AUDIENCE ); } @@ -315,7 +315,7 @@ public function isValid($requestId = null) $trimmedIssuer = trim($issuer); if (empty($trimmedIssuer) || $trimmedIssuer !== $idPEntityId) { throw new ValidationError( - "Invalid issuer in the Assertion/Response (expected '$idPEntityId', got '$trimmedIssuer')", + "Invalid issuer in the Assertion/Response (expected '".$idPEntityId."', got '".$trimmedIssuer."')", ValidationError::WRONG_ISSUER ); } @@ -399,17 +399,6 @@ public function isValid($requestId = null) } } - // Detect case not supported - if ($this->encrypted) { - $encryptedIDNodes = Utils::query($this->decryptedDocument, '/samlp:Response/saml:Assertion/saml:Subject/saml:EncryptedID'); - if ($encryptedIDNodes->length > 0) { - throw new ValidationError( - 'SAML Response that contains an encrypted Assertion with encrypted nameId is not supported.', - ValidationError::NOT_SUPPORTED - ); - } - } - if (empty($signedElements) || (!$hasSignedResponse && !$hasSignedAssertion)) { throw new ValidationError( 'No Signature found. SAML Response rejected', 
@@ -621,9 +610,16 @@ public function getNameIdData() if ($encryptedIdDataEntries->length == 1) { $encryptedData = $encryptedIdDataEntries->item(0); - $key = $this->_settings->getSPkey(); + $pem = $this->_settings->getSPkey(); + + if (empty($pem)) { + throw new Error( + "No private key available, check settings", + Error::PRIVATE_KEY_NOT_FOUND + ); + } $seckey = new XMLSecurityKey(XMLSecurityKey::RSA_1_5, array('type'=>'private')); - $seckey->loadKey($key); + $seckey->loadKey($pem); $nameId = Utils::decryptElement($encryptedData, $seckey); @@ -636,8 +632,8 @@ public function getNameIdData() $nameIdData = array(); + $security = $this->_settings->getSecurityData(); if (!isset($nameId)) { - $security = $this->_settings->getSecurityData(); if ($security['wantNameId']) { throw new ValidationError( "NameID not found in the assertion of the Response", @@ -645,7 +641,7 @@ public function getNameIdData() ); } } else { - if ($this->_settings->isStrict() && empty($nameId->nodeValue)) { + if ($this->_settings->isStrict() && $security['wantNameId'] && empty($nameId->nodeValue)) { throw new ValidationError( "An empty NameID value found", ValidationError::EMPTY_NAMEID @@ -660,7 +656,7 @@ public function getNameIdData() $spEntityId = $spData['entityId']; if ($spEntityId != $nameId->getAttribute($attr)) { throw new ValidationError( - "The SPNameQualifier value mistmatch the SP entityID value.", + "The SPNameQualifier value mismatch the SP entityID value.", ValidationError::SP_NAME_QUALIFIER_NAME_MISMATCH ); } 
@@ -1012,9 +1008,9 @@ public function validateSignedElements($signedElements) $responseTag = '{'.Constants::NS_SAMLP.'}Response'; $assertionTag = '{'.Constants::NS_SAML.'}Assertion'; - $ocurrence = array_count_values($signedElements); - if ((in_array($responseTag, $signedElements) && $ocurrence[$responseTag] > 1) - || (in_array($assertionTag, $signedElements) && $ocurrence[$assertionTag] > 1) + $occurrence = array_count_values($signedElements); + if ((in_array($responseTag, $signedElements) && $occurrence[$responseTag] > 1) + || (in_array($assertionTag, $signedElements) && $occurrence[$assertionTag] > 1) || !in_array($responseTag, $signedElements) && !in_array($assertionTag, $signedElements) ) { return false; @@ -1097,7 +1093,7 @@ protected function _queryAssertion($assertionXpath) } /** - * Extracts nodes that match the query from the DOMDocument (Response Menssage) + * Extracts nodes that match the query from the DOMDocument (Response Message) * * @param string $query Xpath Expression * @@ -1173,6 +1169,18 @@ protected function decryptAssertion(\DomNode $dom) if ($check === false) { throw new Exception('Error: string from decrypted assertion could not be loaded into a XML document'); } + + // check if the decrypted assertion contains an encryptedID + $encryptedID = $decrypted->getElementsByTagName('EncryptedID')->item(0); + + if ($encryptedID) { + // decrypt the encryptedID + $this->encryptedNameId = true; + $encryptedData = $encryptedID->getElementsByTagName('EncryptedData')->item(0); + $nameId = $this->decryptNameId($encryptedData, $pem); + Utils::treeCopyReplace($encryptedID, $nameId); + } + if ($encData->parentNode instanceof DOMDocument) { return $decrypted; } else { 
@@ -1205,6 +1213,46 @@ protected function decryptAssertion(\DomNode $dom) } } + /** + * Decrypt EncryptedID element + * + * @param \DOMElement $encryptedData The encrypted data. + * @param string $key The private key + * + * @return \DOMElement The decrypted element. + */ + private function decryptNameId(\DOMElement $encryptedData, string $pem) + { + $objenc = new XMLSecEnc(); + $encData = $objenc->locateEncryptedData($encryptedData); + $objenc->setNode($encData); + $objenc->type = $encData->getAttribute("Type"); + if (!$objKey = $objenc->locateKey()) { + throw new ValidationError( + "Unknown algorithm", + ValidationError::KEY_ALGORITHM_ERROR + ); + } + + $key = null; + if ($objKeyInfo = $objenc->locateKeyInfo($objKey)) { + if ($objKeyInfo->isEncrypted) { + $objencKey = $objKeyInfo->encryptedCtx; + $objKeyInfo->loadKey($pem, false, false); + $key = $objencKey->decryptKey($objKeyInfo); + } else { + // symmetric encryption key support + $objKeyInfo->loadKey($pem, false, false); + } + } + + if (empty($objKey->key)) { + $objKey->loadKey($key); + } + + return Utils::decryptElement($encryptedData, $objKey); + } + /** * After execute a validation process, if fails this method returns the cause * @@ -1218,13 +1266,19 @@ public function getErrorException() /** * After execute a validation process, if fails this method returns the cause * + * @param bool $escape Apply or not htmlentities to the message. + * * @return null|string Error reason */ - public function getError() + public function getError($escape = true) { $errorMsg = null; if (isset($this->_error)) { - $errorMsg = htmlentities($this->_error->getMessage()); + if ($escape) { + $errorMsg = htmlentities($this->_error->getMessage()); + } else { + $errorMsg = $this->_error->getMessage(); + } } return $errorMsg; } diff --git a/3rdparty/vendor/onelogin/php-saml/src/Saml2/Settings.php b/3rdparty/vendor/onelogin/php-saml/src/Saml2/Settings.php index 4d9b3339f..53261ffbd 100644 
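Review bot: The docblock of the new `decryptNameId` documents `@param string $key The private key`, but the parameter is named `$pem`, so the doc should read `@param string $pem The SP private key in PEM format`. The `$key = null` path (KeyInfo present but not encrypted) ends in `$objKey->loadKey($key)` whenever `$objKey->key` is still empty, which appears to rely on `locateKeyInfo` having populated the key; a one-line comment stating that assumption, e.g. `// non-encrypted KeyInfo: locateKeyInfo is expected to have loaded the key into $objKey`, would make the fallback easier to audit. Since this is vendored code, the doc fix belongs upstream; here it is mainly a reading aid for anyone tracing the NameID decryption path.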
--- a/3rdparty/vendor/onelogin/php-saml/src/Saml2/Settings.php +++ b/3rdparty/vendor/onelogin/php-saml/src/Saml2/Settings.php @@ -2,15 +2,13 @@ /** * This file is part of php-saml. * - * (c) OneLogin Inc - * * For the full copyright and license information, please view the LICENSE * file that was distributed with this source code. * * @package OneLogin - * @author OneLogin Inc - * @license MIT https://github.com/onelogin/php-saml/blob/master/LICENSE - * @link https://github.com/onelogin/php-saml + * @author Sixto Martin + * @license MIT https://github.com/SAML-Toolkits/php-saml/blob/master/LICENSE + * @link https://github.com/SAML-Toolkits/php-saml */ namespace OneLogin\Saml2; @@ -22,7 +20,7 @@ use Exception; /** - * Configuration of the OneLogin PHP Toolkit + * Configuration of the SAML PHP Toolkit */ class Settings { @@ -122,7 +120,7 @@ class Settings * @throws Error If any settings parameter is invalid * @throws Exception If Settings is incorrectly supplied */ - public function __construct(array $settings = null,bool $spValidationOnly = false) + public function __construct(?array $settings = null,bool $spValidationOnly = false) { $this->_spValidationOnly = $spValidationOnly; $this->_loadPaths(); @@ -663,7 +661,7 @@ public function checkSPSettings(array $settings) if (!isset($contact['givenName']) || empty($contact['givenName']) || !isset($contact['emailAddress']) || empty($contact['emailAddress']) ) { - $errors[] = 'contact_not_enought_data'; + $errors[] = 'contact_not_enough_data'; break; } } @@ -675,7 +673,7 @@ public function checkSPSettings(array $settings) || !isset($organization['displayname']) || empty($organization['displayname']) || !isset($organization['url']) || empty($organization['url']) ) { - $errors[] = 'organization_not_enought_data'; + $errors[] = 'organization_not_enough_data'; break; } } 
@@ -881,14 +879,15 @@ public function getIdPSLOResponseUrl() * $advancedSettings['security']['wantAssertionsEncrypted'] are enabled. * @param int|null $validUntil Metadata's valid time * @param int|null $cacheDuration Duration of the cache in seconds + * @param bool $ignoreValidUntil exclude the validUntil tag from metadata * * @return string SP metadata (xml) * @throws Exception * @throws Error */ - public function getSPMetadata($alwaysPublishEncryptionCert = false, $validUntil = null, $cacheDuration = null) + public function getSPMetadata($alwaysPublishEncryptionCert = false, $validUntil = null, $cacheDuration = null, $ignoreValidUntil = false) { - $metadata = Metadata::builder($this->_sp, $this->_security['authnRequestsSigned'], $this->_security['wantAssertionsSigned'], $validUntil, $cacheDuration, $this->getContacts(), $this->getOrganization()); + $metadata = Metadata::builder($this->_sp, $this->_security['authnRequestsSigned'], $this->_security['wantAssertionsSigned'], $validUntil, $cacheDuration, $this->getContacts(), $this->getOrganization(), [], $ignoreValidUntil); $certNew = $this->getSPcertNew(); if (!empty($certNew)) { @@ -1039,7 +1038,7 @@ public function formatIdPCert() } /** - * Formats the Multple IdP certs. + * Formats the Multiple IdP certs. */ public function formatIdPCertMulti() { diff --git a/3rdparty/vendor/onelogin/php-saml/src/Saml2/Utils.php b/3rdparty/vendor/onelogin/php-saml/src/Saml2/Utils.php index c6e912c49..9dfa526a2 100644 --- a/3rdparty/vendor/onelogin/php-saml/src/Saml2/Utils.php +++ b/3rdparty/vendor/onelogin/php-saml/src/Saml2/Utils.php 
@@ -2,15 +2,13 @@ /** * This file is part of php-saml. * - * (c) OneLogin Inc - * * For the full copyright and license information, please view the LICENSE * file that was distributed with this source code. * * @package OneLogin - * @author OneLogin Inc - * @license MIT https://github.com/onelogin/php-saml/blob/master/LICENSE - * @link https://github.com/onelogin/php-saml + * @author Sixto Martin + * @license MIT https://github.com/SAML-Toolkits/php-saml/blob/master/LICENSE + * @link https://github.com/SAML-Toolkits/php-saml */ namespace OneLogin\Saml2; @@ -27,7 +25,7 @@ use Exception; /** - * Utils of OneLogin PHP Toolkit + * Utils of SAML PHP Toolkit * * Defines several often used methods */ 
@@ -214,28 +212,27 @@ public static function treeCopyReplace(DomNode $targetNode, DomNode $sourceNode, /** * Returns a x509 cert (adding header & footer if required). * - * @param string $cert A x509 unformated cert - * @param bool $heads True if we want to include head and footer + * @param string $x509cert A x509 unformated cert + * @param bool $heads True if we want to include head and footer * * @return string $x509 Formatted cert */ - public static function formatCert($cert, $heads = true) + public static function formatCert($x509cert, $heads = true) { - if (is_null($cert)) { + if (is_null($x509cert)) { return; } - $x509cert = str_replace(array("\x0D", "\r", "\n"), "", $cert); - if (!empty($x509cert)) { - $x509cert = str_replace('-----BEGIN CERTIFICATE-----', "", $x509cert); - $x509cert = str_replace('-----END CERTIFICATE-----', "", $x509cert); - $x509cert = str_replace(' ', '', $x509cert); + if (strpos($x509cert, '-----BEGIN CERTIFICATE-----') !== false) { + $x509cert = static::getStringBetween($x509cert, '-----BEGIN CERTIFICATE-----', '-----END CERTIFICATE-----'); + } - if ($heads) { - $x509cert = "-----BEGIN CERTIFICATE-----\n".chunk_split($x509cert, 64, "\n")."-----END CERTIFICATE-----\n"; - } + $x509cert = str_replace(["\x0d", "\r", "\n", " "], '', $x509cert); + if ($heads && $x509cert !== '') { + $x509cert = "-----BEGIN CERTIFICATE-----\n".chunk_split($x509cert, 64, "\n")."-----END CERTIFICATE-----\n"; } + return $x509cert; } @@ -312,6 +309,7 @@ public static function getStringBetween($str, $start, $end) * @param bool $stay True if we want to stay (returns the url string) False to redirect * * @return string|null $url + * @phpstan-return ($stay is true ? string : never) * * @throws Error */ 
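Review bot: In the rewritten `formatCert`, `"\x0d"` and `"\r"` are the same byte, so the strip list has a redundant entry, while tab is not stripped — yet the xmlseclibs hunk in `XMLSecEnc::staticLocateKeyInfo` in this same commit adds `"\t"` to its strip list, so a certificate containing tabs would now be normalised differently by the two libraries. Suggest `$x509cert = str_replace(["\r", "\n", "\t", " "], '', $x509cert);` so both sides agree. How the new `getStringBetween` branch behaves when the BEGIN marker is present but the END marker is missing is not visible here and would be worth a test.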
@@ -513,7 +511,7 @@ protected static function getRawHost() if (self::$_host) { $currentHost = self::$_host; } elseif (self::getProxyVars() && array_key_exists('HTTP_X_FORWARDED_HOST', $_SERVER)) { - $currentHost = $_SERVER['HTTP_X_FORWARDED_HOST']; + $currentHost = explode(',', $_SERVER['HTTP_X_FORWARDED_HOST'])[0]; } elseif (array_key_exists('HTTP_HOST', $_SERVER)) { $currentHost = $_SERVER['HTTP_HOST']; } elseif (array_key_exists('SERVER_NAME', $_SERVER)) { @@ -724,8 +722,13 @@ protected static function buildWithBaseURLPath($info) if (!empty($baseURLPath)) { $result = $baseURLPath; if (!empty($info)) { - $path = explode('/', $info); - $extractedInfo = array_pop($path); + $extractedInfo = $info; + if ($baseURLPath != '/') { + // Remove base path from the path info. + $extractedInfo = str_replace($baseURLPath, '', $info); + } + // Remove starting and ending slash. + $extractedInfo = trim($extractedInfo, '/'); if (!empty($extractedInfo)) { $result .= $extractedInfo; } @@ -743,6 +746,10 @@ protected static function buildWithBaseURLPath($info) */ public static function extractOriginalQueryParam($name) { + if (!isset($_SERVER['QUERY_STRING']) || empty($_SERVER['QUERY_STRING'])) { + return ''; + } + $index = strpos($_SERVER['QUERY_STRING'], $name.'='); $substring = substr($_SERVER['QUERY_STRING'], $index + strlen($name) + 1); $end = strpos($substring, '&'); @@ -918,6 +925,7 @@ public static function parseDuration($duration, $timestamp = null) * @param string|int|null $validUntil The valid until date, as a string or as a timestamp * * @return int|null $expireTime The expiration time. + * @phpstan-return ($cacheDuration is true ? string : never) * * @throws Exception */ 
@@ -953,7 +961,7 @@ public static function getExpireTime($cacheDuration = null, $validUntil = null) * * @return DOMNodeList The queried nodes */ - public static function query(DOMDocument $dom, $query, DOMElement $context = null) + public static function query(DOMDocument $dom, $query, ?DOMElement $context = null) { $xpath = new DOMXPath($dom); $xpath->registerNamespace('samlp', Constants::NS_SAMLP); @@ -1540,13 +1548,43 @@ public static function validateBinarySign($messageType, $getData, $idpData, $ret $signAlg = $getData['SigAlg']; } + if ($retrieveParametersFromServer) { + if (!isset($_SERVER['QUERY_STRING']) || empty($_SERVER['QUERY_STRING'])) { + throw new Error( + "No query string provided", + Error::INVALID_PARAMETER + ); + } + $keys = ["SAMLRequest", "SAMLResponse", "RelayState", "SigAlg", "Signature"]; + foreach ($keys as $key) { + if (substr_count($_SERVER['QUERY_STRING'], $key) > 1) { + throw new Error( + "Duplicate parameter in query string", + Error::INVALID_PARAMETER + ); + } + } + if (substr_count($_SERVER['QUERY_STRING'], "SAMLRequest") > 0 && substr_count($_SERVER['QUERY_STRING'], "SAMLResponse") > 0) { + throw new Error( + "Both SAMLRequest and SAMLResponse provided", + Error::INVALID_PARAMETER + ); + } + $signedQuery = $messageType.'='.Utils::extractOriginalQueryParam($messageType); if (isset($getData['RelayState'])) { $signedQuery .= '&RelayState='.Utils::extractOriginalQueryParam('RelayState'); } $signedQuery .= '&SigAlg='.Utils::extractOriginalQueryParam('SigAlg'); } else { + if (isset($getData['SAMLRequest']) && isset($getData['SAMLResponse'])) { + throw new Error( + "Both SAMLRequest and SAMLResponse provided", + Error::INVALID_PARAMETER + ); + } + $signedQuery = $messageType.'='.urlencode($getData[$messageType]); if (isset($getData['RelayState'])) { $signedQuery .= '&RelayState='.urlencode($getData['RelayState']); 
@@ -1583,7 +1621,7 @@ public static function validateBinarySign($messageType, $getData, $idpData, $ret $objKey = Utils::castKey($objKey, $signAlg, 'public'); } catch (Exception $e) { $ex = new ValidationError( - "Invalid signAlg in the recieved ".$strMessageType, + "Invalid signAlg in the received ".$strMessageType, ValidationError::INVALID_SIGNATURE ); if (count($multiCerts) == 1) { diff --git a/3rdparty/vendor/onelogin/php-saml/src/Saml2/ValidationError.php b/3rdparty/vendor/onelogin/php-saml/src/Saml2/ValidationError.php index 889f531ca..c731745dc 100644 --- a/3rdparty/vendor/onelogin/php-saml/src/Saml2/ValidationError.php +++ b/3rdparty/vendor/onelogin/php-saml/src/Saml2/ValidationError.php @@ -2,15 +2,13 @@ /** * This file is part of php-saml. * - * (c) OneLogin Inc - * * For the full copyright and license information, please view the LICENSE * file that was distributed with this source code. * * @package OneLogin - * @author OneLogin Inc - * @license MIT https://github.com/onelogin/php-saml/blob/master/LICENSE - * @link https://github.com/onelogin/php-saml + * @author Sixto Martin + * @license MIT https://github.com/SAML-Toolkits/php-saml/blob/master/LICENSE + * @link https://github.com/SAML-Toolkits/php-saml */ namespace OneLogin\Saml2; @@ -18,7 +16,7 @@ use Exception; /** - * ValidationError class of OneLogin PHP Toolkit + * ValidationError class of SAML PHP Toolkit * * This class implements another custom Exception handler, * related to exceptions that happens during validation process. @@ -92,8 +90,12 @@ public function __construct($msg, $code = 0, $args = array()) if (!isset($args)) { $args = array(); } - $params = array_merge(array($msg), $args); - $message = call_user_func_array('sprintf', $params); + if (!empty($args)) { + $params = array_merge(array($msg), $args); + $message = call_user_func_array('sprintf', $params); + } else { + $message = $msg; + } parent::__construct($message, $code); } 
diff --git a/3rdparty/vendor/onelogin/php-saml/src/Saml2/schemas/saml-schema-authn-context-types-2.0.xsd b/3rdparty/vendor/onelogin/php-saml/src/Saml2/schemas/saml-schema-authn-context-types-2.0.xsd index 8513959a5..d669d91b8 100644 --- a/3rdparty/vendor/onelogin/php-saml/src/Saml2/schemas/saml-schema-authn-context-types-2.0.xsd +++ b/3rdparty/vendor/onelogin/php-saml/src/Saml2/schemas/saml-schema-authn-context-types-2.0.xsd @@ -1,5 +1,5 @@ - @@ -10,7 +10,7 @@ Location: http://docs.oasis-open.org/security/saml/v2.0/ Revision history: V2.0 (March, 2005): - New core authentication context schema types for SAML V2.0. + New core authentication context schema types for SAML V2.0. @@ -63,7 +63,7 @@ - Refers to those characterstics that describe how the + Refers to those characteristics that describe how the 'secret' (the knowledge or possession of which allows the Principal to authenticate to the Authentication Authority) is kept secure @@ -402,7 +402,7 @@ - + @@ -429,12 +429,12 @@ This element indicates that the Authenticator has been - transmitted using a transport mechnanism protected by an SSL or TLS + transmitted using a transport mechanism protected by an SSL or TLS session. - + @@ -483,7 +483,7 @@ - + @@ -550,7 +550,7 @@ - + @@ -569,7 +569,7 @@ - + @@ -595,14 +595,14 @@ - + - + @@ -665,7 +665,7 @@ - + @@ -690,41 +690,41 @@ - + - + - + - + - + - + @@ -732,7 +732,7 @@ - + @@ -741,7 +741,7 @@ - + @@ -750,7 +750,7 @@ - + @@ -759,17 +759,17 @@ - + - + - + - + @@ -809,7 +809,7 @@ - + diff --git a/3rdparty/vendor/onelogin/php-saml/src/Saml2/version.json b/3rdparty/vendor/onelogin/php-saml/src/Saml2/version.json index 2c41bd609..ee7679b32 100644 --- a/3rdparty/vendor/onelogin/php-saml/src/Saml2/version.json +++ b/3rdparty/vendor/onelogin/php-saml/src/Saml2/version.json @@ -1,7 +1,6 @@ { "php-saml": { - "version": "4.1.0", - "released": "07/15/2022" + "version": "4.3.1", + "released": "09/12/2025" } } - 
diff --git a/3rdparty/vendor/robrichards/xmlseclibs/.github/workflows/ci.yml b/3rdparty/vendor/robrichards/xmlseclibs/.github/workflows/ci.yml new file mode 100644 index 000000000..d4d395acf --- /dev/null +++ b/3rdparty/vendor/robrichards/xmlseclibs/.github/workflows/ci.yml 
@@ -0,0 +1,112 @@ +name: Tests + +on: [push, pull_request] + +jobs: + tests-legacy: + name: PHP ${{ matrix.php-versions }} Tests + runs-on: ${{ matrix.operating-system }} + strategy: + matrix: + operating-system: ['ubuntu-latest'] + php-versions: ['5.4', '5.5', '5.6'] + + steps: + - uses: shivammathur/setup-php@v2 + with: + php-version: ${{ matrix.php-versions }} + extensions: openssl + tools: phpunit:4.8 + + - uses: actions/checkout@v3 + with: + fetch-depth: 0 + + - name: Run tests + run: phpunit --coverage-clover clover.xml tests + + - uses: codecov/codecov-action@v2 + with: + token: ${{ secrets.CODECOV_TOKEN }} + files: ./clover.xml + + tests-older: + name: PHP ${{ matrix.php-versions }} Tests + runs-on: ${{ matrix.operating-system }} + strategy: + matrix: + operating-system: ['ubuntu-latest'] + php-versions: ['7.0', '7.1'] + + steps: + - uses: shivammathur/setup-php@v2 + with: + php-version: ${{ matrix.php-versions }} + extensions: openssl + tools: phpunit:6.5 + + - uses: actions/checkout@v3 + with: + fetch-depth: 0 + + - name: Run tests + run: phpunit --coverage-clover clover.xml tests + + - uses: codecov/codecov-action@v2 + with: + token: ${{ secrets.CODECOV_TOKEN }} + files: ./clover.xml + + tests-old: + name: PHP ${{ matrix.php-versions }} Tests + runs-on: ${{ matrix.operating-system }} + strategy: + matrix: + operating-system: ['ubuntu-latest'] + php-versions: ['7.2', '7.3', '7.4'] + + steps: + - uses: shivammathur/setup-php@v2 + with: + php-version: ${{ matrix.php-versions }} + extensions: openssl + tools: phpunit:8.5 + + - uses: actions/checkout@v3 + with: + fetch-depth: 0 + + - name: Run tests + run: phpunit --coverage-clover clover.xml tests + + - uses: codecov/codecov-action@v2 + with: + token: ${{ secrets.CODECOV_TOKEN }} + files: ./clover.xml + + tests: + name: PHP ${{ matrix.php-versions }} Tests + runs-on: ${{ matrix.operating-system }} + strategy: + matrix: + operating-system: ['ubuntu-latest'] + php-versions: ['8.0', '8.1'] + + steps: + - uses: 
shivammathur/setup-php@v2 + with: + php-version: ${{ matrix.php-versions }} + extensions: openssl + tools: phpunit/phpunit:9.5 + + - uses: actions/checkout@v3 + with: + fetch-depth: 0 + + - name: Run tests + run: phpunit --coverage-clover clover.xml tests + + - uses: codecov/codecov-action@v2 + with: + token: ${{ secrets.CODECOV_TOKEN }} + files: ./clover.xml diff --git a/3rdparty/vendor/robrichards/xmlseclibs/CHANGELOG.txt b/3rdparty/vendor/robrichards/xmlseclibs/CHANGELOG.txt index 351b10421..3e86f234b 100644 --- a/3rdparty/vendor/robrichards/xmlseclibs/CHANGELOG.txt +++ b/3rdparty/vendor/robrichards/xmlseclibs/CHANGELOG.txt @@ -1,5 +1,19 @@ xmlseclibs.php ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||| +08, Dec 2025, 3.1.4 +Security: +- fix canonicalization bypass error (d0ge) + +20, Nov 2024, 3.1.3 +Bug Fixes: +- remove loadKey check due to BC issues + +20, Nov 2024, 3.1.2 +Improvements: +- Add tab to list of whitespace values to remove from cert. refs #252 +- loadKey should check return value for openssl_get_privatekey (sammarshallou) +- Switch to GitHub actions (SharkMachine) + 05, Sep 2020, 3.1.1 Features: - Support OAEP (iggyvolz) diff --git a/3rdparty/vendor/robrichards/xmlseclibs/LICENSE b/3rdparty/vendor/robrichards/xmlseclibs/LICENSE index 4fe5e5ffb..b516c0093 100644 --- a/3rdparty/vendor/robrichards/xmlseclibs/LICENSE +++ b/3rdparty/vendor/robrichards/xmlseclibs/LICENSE @@ -1,4 +1,4 @@ -Copyright (c) 2007-2019, Robert Richards . +Copyright (c) 2007-2024, Robert Richards . All rights reserved. Redistribution and use in source and binary forms, with or without diff --git a/3rdparty/vendor/robrichards/xmlseclibs/phpunit.xml b/3rdparty/vendor/robrichards/xmlseclibs/phpunit.xml new file mode 100644 index 000000000..4f326275f --- /dev/null +++ b/3rdparty/vendor/robrichards/xmlseclibs/phpunit.xml @@ -0,0 +1,7 @@ + + + + src + + + 
diff --git a/3rdparty/vendor/robrichards/xmlseclibs/src/XMLSecEnc.php b/3rdparty/vendor/robrichards/xmlseclibs/src/XMLSecEnc.php index b9df7611f..807f279dc 100644 --- a/3rdparty/vendor/robrichards/xmlseclibs/src/XMLSecEnc.php +++ b/3rdparty/vendor/robrichards/xmlseclibs/src/XMLSecEnc.php @@ -11,7 +11,7 @@ /** * xmlseclibs.php * - * Copyright (c) 2007-2020, Robert Richards . + * Copyright (c) 2007-2024, Robert Richards . * All rights reserved. * * Redistribution and use in source and binary forms, with or without @@ -44,7 +44,7 @@ * POSSIBILITY OF SUCH DAMAGE. * * @author Robert Richards - * @copyright 2007-2020 Robert Richards + * @copyright 2007-2024 Robert Richards * @license http://www.opensource.org/licenses/bsd-license.php BSD License */ @@ -485,7 +485,7 @@ public static function staticLocateKeyInfo($objBaseKey=null, $node=null) if ($x509certNodes = $child->getElementsByTagName('X509Certificate')) { if ($x509certNodes->length > 0) { $x509cert = $x509certNodes->item(0)->textContent; - $x509cert = str_replace(array("\r", "\n", " "), "", $x509cert); + $x509cert = str_replace(array("\r", "\n", " ", "\t"), "", $x509cert); $x509cert = "-----BEGIN CERTIFICATE-----\n".chunk_split($x509cert, 64, "\n")."-----END CERTIFICATE-----\n"; $objBaseKey->loadKey($x509cert, false, true); } diff --git a/3rdparty/vendor/robrichards/xmlseclibs/src/XMLSecurityDSig.php b/3rdparty/vendor/robrichards/xmlseclibs/src/XMLSecurityDSig.php index 9986123e3..5536943f0 100644 --- a/3rdparty/vendor/robrichards/xmlseclibs/src/XMLSecurityDSig.php +++ b/3rdparty/vendor/robrichards/xmlseclibs/src/XMLSecurityDSig.php @@ -11,7 +11,7 @@ /** * xmlseclibs.php * - * Copyright (c) 2007-2020, Robert Richards . + * Copyright (c) 2007-2024, Robert Richards . * All rights reserved. * * Redistribution and use in source and binary forms, with or without 
@@ -44,7 +44,7 @@
 * POSSIBILITY OF SUCH DAMAGE.
 *
 * @author Robert Richards
- * @copyright 2007-2020 Robert Richards
+ * @copyright 2007-2024 Robert Richards
 * @license http://www.opensource.org/licenses/bsd-license.php BSD License
 */
@@ -293,7 +293,11 @@ private function canonicalizeData($node, $canonicalmethod, $arXPath=null, $prefi
 }
 }
- return $node->C14N($exclusive, $withComments, $arXPath, $prefixList);
+ $ret = $node->C14N($exclusive, $withComments, $arXPath, $prefixList);
+ if ($ret === false) {
+ throw new Exception("Canonicalization failed");
+ }
+ return $ret;
 }
 /**
@@ -1050,7 +1054,7 @@ public static function staticAdd509Cert($parentRef, $cert, $isPEMFormat=true, $i
 }
 $subjectNameValue = implode(',', $parts);
 } else {
- $subjectNameValue = $certData['issuer'];
+ $subjectNameValue = $certData['subject'];
 }
 $x509SubjectNode = $baseDoc->createElementNS(self::XMLDSIGNS, $dsig_pfx.'X509SubjectName', $subjectNameValue);
 $x509DataNode->appendChild($x509SubjectNode);
diff --git a/3rdparty/vendor/robrichards/xmlseclibs/src/XMLSecurityKey.php b/3rdparty/vendor/robrichards/xmlseclibs/src/XMLSecurityKey.php
index 7eed04d22..2fd2a3862 100644
--- a/3rdparty/vendor/robrichards/xmlseclibs/src/XMLSecurityKey.php
+++ b/3rdparty/vendor/robrichards/xmlseclibs/src/XMLSecurityKey.php
@@ -7,7 +7,7 @@
 /**
 * xmlseclibs.php
 *
- * Copyright (c) 2007-2020, Robert Richards .
+ * Copyright (c) 2007-2024, Robert Richards .
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
@@ -40,7 +40,7 @@
 * POSSIBILITY OF SUCH DAMAGE.
 *
 * @author Robert Richards
- * @copyright 2007-2020 Robert Richards
+ * @copyright 2007-2024 Robert Richards
 * @license http://www.opensource.org/licenses/bsd-license.php BSD License
 */
diff --git a/3rdparty/vendor/robrichards/xmlseclibs/xmlseclibs.php b/3rdparty/vendor/robrichards/xmlseclibs/xmlseclibs.php
index 1c10acc73..05b7a1fe5 100644
--- a/3rdparty/vendor/robrichards/xmlseclibs/xmlseclibs.php
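Review bot: The new `throw new Exception("Canonicalization failed")` in canonicalizeData turns what was a silent `false` return from `C14N()` into a hard failure, so every caller of canonicalizeData must now be prepared for that exception; those callers (the reference-digest and signature-validation paths in this file, and the php-saml code that drives them) sit outside this hunk and should be checked so the exception is reported as a failed signature validation rather than surfacing as an unhandled error. The fix itself is the right shape: a `false` canonicalization result would presumably have been carried into the digest or signature computation as an empty string, which matches the "canonicalization bypass" entry the CHANGELOG hunk on this page records for 3.1.4. Note that if this file is namespaced (as the `src/` layout suggests), `Exception` resolves to the global class only with a `use Exception;` import, which appears to exist but is outside the hunk. canonicalizeData's body starts outside the hunk.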
+++ b/3rdparty/vendor/robrichards/xmlseclibs/xmlseclibs.php
@@ -2,7 +2,7 @@
 /**
 * xmlseclibs.php
 *
- * Copyright (c) 2007-2020, Robert Richards .
+ * Copyright (c) 2007-2024, Robert Richards .
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
@@ -35,9 +35,9 @@
 * POSSIBILITY OF SUCH DAMAGE.
 *
 * @author Robert Richards
- * @copyright 2007-2020 Robert Richards
+ * @copyright 2007-2024 Robert Richards
 * @license http://www.opensource.org/licenses/bsd-license.php BSD License
- * @version 3.1.1
+ * @version 3.1.3
 */
 $xmlseclibs_srcdir = dirname(__FILE__) . '/src/';
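Review bot: The `@version` tag in xmlseclibs.php moves only to `3.1.3`, while the CHANGELOG hunk on this page adds a `08, Dec 2025, 3.1.4` entry for the canonicalization fix and the matching C14N change is present in XMLSecurityDSig.php, so the vendored copy's self-declared version and its contents disagree. Confirm that this is upstream's own tag text for the 3.1.4 release rather than a partially applied update, since the version string is what an operator or a dependency scanner will read to decide whether the fix is installed. If the vendored tree really is 3.1.4, the expected line is `+ * @version 3.1.4`.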
