RequestedAuthnContext source selector (#1749)

tvdijen · web-flow · commit 23bdd57e8ae7 · 2023-01-28T20:21:20.000+01:00
* Fix missing state parameter

* Slightly rationalize naming convention for selectors

* Add RequestedAuthnContextSelector

* Allow source-selector to return multiple sources

* Fix docs

* Revert return-type change

* Throw exception for incomplete config

* Remove test-data for non-implemented cases

* Codesniffer fix
diff --git a/modules/core/docs/authsource_selector.md b/modules/core/docs/authsource_selector.md
@@ -11,9 +11,9 @@ act as an Authentication Source. Any derivative classes must implement the
 abstract `selectAuthSource` method. This method must return the name of the
 Authentication Source to use, based on whatever logic is necessary.
 
-## IPSourceSelector
+## SourceIPSelector
 
-The IPSourceSelector is an implementation of the `AbstractSourceSelector` and
+The SourceIPSelector is an implementation of the `AbstractSourceSelector` that
 uses the client IP to decide what Authentication Source is called.
 It works by defining zones with corresponding IP-ranges and Authentication
 Sources. The 'default' zone is required and acts as a fallback when none
@@ -23,7 +23,7 @@ An example configuration would look like this:
 
 ```php
     'selector' => [
-        'core:IPSourceSelector',
+        'core:SourceIPSelector',
 
         'zones' => [
             'internal' => [
@@ -47,6 +47,36 @@ An example configuration would look like this:
     ],
 ```
 
+## RequestedAuthnContextSelector
+
+The RequestedAuthnContextSelector is an implementation of the `AbstractSourceSelector` that
+uses the RequestedAuthnContext to decide what Authentication Source is called.
+It works by defining AuthnContexts with their corresponding Authentication
+Sources. The 'default' will be used as a fallback when no RequestedAuthnContext
+is passed in the request.
+
+An example configuration would look like this:
+
+```php
+    'selector' => [
+        'core:RequestedAuthnContextSelector',
+
+        'contexts' => [
+            'userpass' => [
+                'identifier' => 'urn:x-simplesamlphp:loa1',
+                'source' => 'ldap',
+            ],
+
+            'mfa' => [
+                'identifier' => 'urn:x-simplesamlphp:loa2',
+                'source' => 'radius',
+            ],
+
+            'default' => 'ldap',
+        ],
+    ],
+```
+
 ## YourCustomSourceSelector
 
 If you have a use-case for a custom Authentication source selector, all you
diff --git a/modules/core/src/Auth/Source/AbstractSourceSelector.php b/modules/core/src/Auth/Source/AbstractSourceSelector.php
@@ -58,9 +58,8 @@ public function __construct(array $info, array $config)
      */
     public function authenticate(array &$state): void
     {
-        $source = $this->selectAuthSource();
+        $source = $this->selectAuthSource($state);
         $as = Auth\Source::getById($source);
-
         if ($as === null || !in_array($source, $this->validSources, true)) {
             throw new Exception('Invalid authentication source: ' . $source);
         }
@@ -95,5 +94,5 @@ public static function doAuthentication(Auth\Source $as, array $state): void
      * @param array &$state Information about the current authentication.
      * @return string
      */
-    abstract protected function selectAuthSource(): string;
+    abstract protected function selectAuthSource(array &$state): string;
 }
diff --git a/modules/core/src/Auth/Source/Selector/RequestedAuthnContextSelector.php b/modules/core/src/Auth/Source/Selector/RequestedAuthnContextSelector.php
@@ -0,0 +1,140 @@
+<?php
+
+declare(strict_types=1);
+
+namespace SimpleSAML\Module\core\Auth\Source\Selector;
+
+use SAML2\Constants as C;
+use SAML2\Exception\Protocol\NoAuthnContextException;
+use SimpleSAML\Assert\Assert;
+use SimpleSAML\Error;
+use SimpleSAML\Logger;
+use SimpleSAML\Module\core\Auth\Source\AbstractSourceSelector;
+
+use function array_key_exists;
+use function sprintf;
+
+/**
+ * Authentication source which delegates authentication to secondary
+ * authentication sources based on the RequestedAuthnContext
+ *
+ * @package simplesamlphp/simplesamlphp
+ */
+class RequestedAuthnContextSelector extends AbstractSourceSelector
+{
+    /**
+     * The key of the AuthId field in the state.
+     */
+    public const AUTHID = '\SimpleSAML\Module\core\Auth\Source\Selector\RequestedAuthnContextSelector.AuthId';
+
+    /**
+     * The string used to identify our states.
+     */
+    public const STAGEID = '\SimpleSAML\Module\core\Auth\Source\Selector\RequestedAuthnContextSelector.StageId';
+
+    /**
+     * The key where the sources is saved in the state.
+     */
+    public const SOURCESID = '\SimpleSAML\Module\core\Auth\Source\Selector\RequestedAuthnContextSelector.SourceId';
+
+    /**
+     * @var string  The default authentication source to use when no RequestedAuthnContext is passed
+     * @psalm-suppress PropertyNotSetInConstructor
+     */
+    protected string $defaultSource;
+
+    /**
+     * @var array<int, array>  An array of AuthnContexts, indexed by its weight (higher = better).
+     *   Each entry is in the format of:
+     *   `weight` => [`identifier` => 'identifier', `source` => 'source']
+     *
+     *   i.e.:
+     *
+     *   '10' => [
+     *       'identifier' => 'urn:x-simplesamlphp:loa1',
+     *       'source' => 'exampleauth',
+     *   ],
+     *   '20' => [
+     *       'identifier' => 'urn:x-simplesamlphp:loa2',
+     *       'source' => 'exampleauth-mfa',
+     *   ]
+     */
+    protected array $contexts = [];
+
+
+    /**
+     * Constructor for this authentication source.
+     *
+     * @param array $info Information about this authentication source.
+     * @param array $config Configuration.
+     */
+    public function __construct(array $info, array $config)
+    {
+        // Call the parent constructor first, as required by the interface
+        parent::__construct($info, $config);
+
+        Assert::keyExists($config, 'contexts');
+
+        foreach ($config['contexts'] as $key => $context) {
+            if ($key === 'default') {
+                Assert::stringNotEmpty($config['contexts']['default']);
+                $this->defaultSource = $config['contexts']['default'];
+            } else {
+                Assert::natural($key);
+                if (!array_key_exists('identifier', $context)) {
+                    throw new Exception(sprintf("Incomplete context '%d' due to missing `identifier` key.", $key));
+                } elseif (!array_key_exists('source', $context)) {
+                    throw new Exception(sprintf("Incomplete context '%d' due to missing `source` key.", $key));
+                } else {
+                    $this->contexts[$key] = $context;
+                }
+            }
+        }
+    }
+
+
+    /**
+     * Decide what authsource to use.
+     *
+     * @param array &$state Information about the current authentication.
+     * @return string
+     */
+    protected function selectAuthSource(array &$state): string
+    {
+        $requestedContexts = $state['saml:RequestedAuthnContext'];
+        if ($requestedContexts['AuthnContextClassRef'] === null) {
+            Logger::info(
+                "core:RequestedAuthnContextSelector:  no RequestedAuthnContext provided; selecting default authsource"
+            );
+            return $this->defaultSource;
+        }
+
+        Assert::isArray($requestedContexts['AuthnContextClassRef']);
+        $comparison = $requestedContexts['Comparison'] ?? 'exact';
+        Assert::oneOf($comparison, ['exact', 'minimum', 'maximum', 'better']);
+
+        /**
+         * The set of supplied references MUST be evaluated as an ordered set, where the first element
+         * is the most preferred authentication context class or declaration.
+         */
+        $index = false;
+        foreach ($requestedContexts['AuthnContextClassRef'] as $requestedContext) {
+            switch ($comparison) {
+                case 'exact':
+                    foreach ($this->contexts as $index => $context) {
+                        if ($context['identifier'] === $requestedContext) {
+                            return $context['source'];
+                        }
+                    }
+                    break 2;
+                case 'minimum':
+                case 'maximum':
+                case 'better':
+                    // Not implemented
+                    throw new Error\Exception('Not implemented.');
+            }
+        }
+
+        throw new NoAuthnContextException();
+    }
+}
diff --git a/modules/core/src/Auth/Source/Selector/SourceIPSelector.php b/modules/core/src/Auth/Source/Selector/SourceIPSelector.php
@@ -2,40 +2,38 @@
 
 declare(strict_types=1);
 
-namespace SimpleSAML\Module\core\Auth\Source;
+namespace SimpleSAML\Module\core\Auth\Source\Selector;
 
-use Exception;
 use SimpleSAML\Assert\Assert;
-use SimpleSAML\Auth;
-use SimpleSAML\Configuration;
-use SimpleSAML\Error;
-use SimpleSAML\HTTP\RunnableResponse;
 use SimpleSAML\Logger;
-use SimpleSAML\Session;
+use SimpleSAML\Module\core\Auth\Source\AbstractSourceSelector;
 use SimpleSAML\Utils;
 
+use function array_key_exists;
+use function sprintf;
+
 /**
  * Authentication source which delegates authentication to secondary
  * authentication sources based on the client's source IP
  *
  * @package simplesamlphp/simplesamlphp
  */
-class IPSourceSelector extends AbstractSourceSelector
+class SourceIPSelector extends AbstractSourceSelector
 {
     /**
      * The key of the AuthId field in the state.
      */
-    public const AUTHID = '\SimpleSAML\Module\core\Auth\Source\IPSourceSelector.AuthId';
+    public const AUTHID = '\SimpleSAML\Module\core\Auth\Source\Selector\SourceIPSelector.AuthId';
 
     /**
      * The string used to identify our states.
      */
-    public const STAGEID = '\SimpleSAML\Module\core\Auth\Source\IPSourceSelector.StageId';
+    public const STAGEID = '\SimpleSAML\Module\core\Auth\Source\Selector\SourceIPSelector.StageId';
 
     /**
      * The key where the sources is saved in the state.
      */
-    public const SOURCESID = '\SimpleSAML\Module\core\Auth\Source\IPSourceSelector.SourceId';
+    public const SOURCESID = '\SimpleSAML\Module\core\Auth\Source\Selector\SourceIPSelector.SourceId';
 
     /**
      * @param string  The default authentication source to use when none of the zones match
@@ -71,9 +69,9 @@ public function __construct(array $info, array $config)
 
         foreach ($zones as $key => $zone) {
             if (!array_key_exists('source', $zone)) {
-                Logger::warning(sprintf('Discarding zone %s due to missing `source` key.', $key));
+                throw new Exception(sprintf("Incomplete zone-configuration '%s' due to missing `source` key.", $key));
             } elseif (!array_key_exists('subnet', $zone)) {
-                Logger::warning(sprintf('Discarding zone %s due to missing `subnet` key.', $key));
+                throw new Exception(sprintf("Incomplete zone-configuration '%s' due to missing `subnet` key.", $key));
             } else {
                 $this->zones[$key] = $zone;
             }
@@ -87,7 +85,7 @@ public function __construct(array $info, array $config)
      * @param array &$state Information about the current authentication.
      * @return string
      */
-    protected function selectAuthSource(): string
+    protected function selectAuthSource(/** @scrutinizer ignore-unused */ array &$state): string
     {
         $netUtils = new Utils\Net();
         $ip = $_SERVER['REMOTE_ADDR'];
@@ -98,7 +96,7 @@ protected function selectAuthSource(): string
                 if ($netUtils->ipCIDRcheck($subnet, $ip)) {
                     // Client's IP is in one of the ranges for the secondary auth source
                     Logger::info(sprintf(
-                        "core:IPSourceSelector:  Selecting zone `%s` based on client IP %s",
+                        "core:SourceIPSelector:  Selecting zone `%s` based on client IP %s",
                         $name,
                         $ip
                     ));
@@ -109,7 +107,7 @@ protected function selectAuthSource(): string
         }
 
         if ($source === $this->defaultSource) {
-            Logger::info("core:IPSourceSelector:  no match on client IP; selecting default zone");
+            Logger::info("core:SourceIPSelector:  no match on client IP; selecting default zone");
         }
 
         return $source;
diff --git a/tests/modules/core/src/Auth/Source/Selector/RequestedAuthnContextSelectorTest.php b/tests/modules/core/src/Auth/Source/Selector/RequestedAuthnContextSelectorTest.php
diff --git a/tests/modules/core/src/Auth/Source/Selector/SourceIPSelectorTest.php b/tests/modules/core/src/Auth/Source/Selector/SourceIPSelectorTest.php

Original file line number	Diff line number	Diff line change
`@@ -58,9 +58,8 @@ public function __construct(array $info, array $config)`
`58`	`58`	`*/`
`59`	`59`	`public function authenticate(array &$state): void`
`60`	`60`	`{`
`61`		`- $source = $this->selectAuthSource();`
	`61`	`+ $source = $this->selectAuthSource($state);`
`62`	`62`	`$as = Auth\Source::getById($source);`
`63`		`-`
`64`	`63`	`if ($as === null \|\| !in_array($source, $this->validSources, true)) {`
`65`	`64`	`throw new Exception('Invalid authentication source: ' . $source);`
`66`	`65`	`}`
`@@ -95,5 +94,5 @@ public static function doAuthentication(Auth\Source $as, array $state): void`
`95`	`94`	`* @param array &$state Information about the current authentication.`
`96`	`95`	`* @return string`
`97`	`96`	`*/`
`98`		`- abstract protected function selectAuthSource(): string;`
	`97`	`+ abstract protected function selectAuthSource(array &$state): string;`
`99`	`98`	`}`