Import the conditional authproc-filters (#1836)

tvdijen · web-flow · commit 901f9bd500e7 · 2023-09-24T14:22:18.000+02:00
* Feature: add optional precondition to authproc-filters to be able to run them conditionally

* Import rule-inserter code from cirrusidentity/simplesamlphp-module-general to accomodate for more complex scenarios
diff --git a/docs/simplesamlphp-authproc.md b/docs/simplesamlphp-authproc.md
@@ -111,6 +111,20 @@ $metadata['https://example.org/saml-idp'] = [
 
 The example above is in `saml20-idp-hosted`.
 
+## Preconditional filters
+
+Any filter can be configured with a precondition that will determine whether or not a filter should run.
+The condition is represented as a string that will be evaluated, similar to the `core:PHP` filter. It also has
+the `$attributes` and `$state` variable available for use.
+The code must return either `true` to run the filter, or `false` to skip it.
+
+```php
+'authproc' => [
+    40 => 'core:TargetedID',
+    '%precondition' => 'return $attributes["displayName"] === "John Doe";',
+],
+```
+
 ## Auth Proc Filters included in the SimpleSAMLphp distribution
 
 The following filters are included in the SimpleSAMLphp distribution:
diff --git a/src/SimpleSAML/Auth/ProcessingChain.php b/src/SimpleSAML/Auth/ProcessingChain.php
@@ -17,6 +17,7 @@
 use function count;
 use function is_array;
 use function is_string;
+use function sprintf;
 use function str_replace;
 use function var_export;
 
@@ -204,7 +205,9 @@ public function processState(array &$state): void
         try {
             while (count($state[self::FILTERS_INDEX]) > 0) {
                 $filter = array_shift($state[self::FILTERS_INDEX]);
-                $filter->process($state);
+                if ($filter->checkPrecondition($state) === true) {
+                    $filter->process($state);
+                }
             }
         } catch (Error\Exception $e) {
             // No need to convert the exception
@@ -319,4 +322,40 @@ public static function fetchProcessedState(string $id): ?array
     {
         return State::loadState($id, self::COMPLETED_STAGE);
     }
+
+
+    /**
+     * @param array $state
+     * @psalm-param array{"\\\SimpleSAML\\\Auth\\\ProcessingChain.filters": array} $state
+     * @param ProcessingFilter[] $authProcs
+     */
+    public static function insertFilters(array &$state, array $authProcs): void
+    {
+        if (count($authProcs) === 0) {
+            return;
+        }
+
+        Logger::debug(sprintf(
+            'ProcessingChainRuleInserter: Adding %d additional filters before remaining %d',
+            count($authProcs),
+            count($state[self::FILTERS_INDEX]),
+        ));
+
+        array_splice($state[self::FILTERS_INDEX], 0, 0, $authProcs);
+    }
+
+
+    /**
+     * @param array $state
+     * @psalm-param array{"\\\SimpleSAML\\\Auth\\\ProcessingChain.filters": array} $state
+     * @param array $authProcConfigs
+     * @return \SimpleSAML\Auth\ProcessingFilter[]
+     */
+    public static function createAndInsertFilters(array &$state, array $authProcConfigs): array
+    {
+        $filters = self::parseFilterList($authProcConfigs);
+        self::insertFilters($state, $filters);
+
+        return $filters;
+    }
 }
diff --git a/src/SimpleSAML/Auth/ProcessingFilter.php b/src/SimpleSAML/Auth/ProcessingFilter.php
@@ -38,6 +38,13 @@ abstract class ProcessingFilter
      */
     public int $priority = 50;
 
+    /**
+     * The condition to run this filter.
+     *
+     * Used to control whether or not to run this filter.
+     */
+    public string $precondition = 'return true;';
+
 
     /**
      * Constructor for a processing filter.
@@ -54,6 +61,30 @@ public function __construct(array &$config, /** @scrutinizer ignore-unused */ mi
             $this->priority = $config['%priority'];
             unset($config['%priority']);
         }
+
+        if (array_key_exists('%precondition', $config)) {
+            $this->precondition = $config['%precondition'];
+            unset($config['%precondition']);
+        }
+    }
+
+
+    /**
+     * Test whether or not this filter must run.
+     *
+     * @param array &$state  The request we are currently processing.
+     * @return bool
+     */
+    public function checkPrecondition(array &$state): bool
+    {
+        $function = /** @return bool */ function (
+            array &$attributes,
+            array &$state
+        ) {
+            return eval($this->precondition);
+        };
+
+        return $function($state['Attributes'], $state) === true;
     }
 
 
diff --git a/tests/src/SimpleSAML/Auth/ProcessingChainTest.php b/tests/src/SimpleSAML/Auth/ProcessingChainTest.php
@@ -0,0 +1,70 @@
+<?php
+
+declare(strict_types=1);
+
+namespace Test\SimpleSAML\Auth;
+
+use PHPUnit\Framework\TestCase;
+use SimpleSAML\Auth\ProcessingChain;
+use SimpleSAML\Configuration;
+use SimpleSAML\Module\core\Auth\Process\AttributeAdd;
+use SimpleSAML\Module\core\Auth\Process\AttributeLimit;
+use SimpleSAML\Module\core\Auth\Process\AttributeMap;
+
+class ProcessingChainTest extends TestCase
+{
+    /**
+     */
+    protected function setUp(): void
+    {
+        Configuration::loadFromArray([], '[ARRAY]', 'simplesaml');
+    }
+
+
+    public function testInsertAuthProcs(): void
+    {
+        $config = [];
+        $authProcs = [
+            new AttributeAdd($config, []),
+            new AttributeMap($config, []),
+        ];
+        $state = [
+            ProcessingChain::FILTERS_INDEX => [
+                new AttributeLimit($config, [])
+            ]
+        ];
+        $this->assertCount(1, $state[ProcessingChain::FILTERS_INDEX], 'Unexpected number of filters preinsert');
+
+        ProcessingChain::insertFilters($state, $authProcs);
+
+        $filterInChain = $state[ProcessingChain::FILTERS_INDEX];
+        $this->assertCount(3, $filterInChain);
+        $this->assertInstanceOf(AttributeAdd::class, $filterInChain[0]);
+        $this->assertInstanceOf(AttributeMap::class, $filterInChain[1]);
+        $this->assertInstanceOf(AttributeLimit::class, $filterInChain[2]);
+    }
+
+    public function testInsertAuthFromConfigs(): void
+    {
+        $config = [];
+        $authProcsConfigs = [
+            [
+                'class' => 'core:AttributeAdd',
+                'source' => ['myidp'],
+            ],
+        ];
+        $state = [
+            ProcessingChain::FILTERS_INDEX => [
+                new AttributeLimit($config, [])
+            ]
+        ];
+        $this->assertCount(1, $state[ProcessingChain::FILTERS_INDEX], 'Unexpected number of filters preinsert');
+
+        ProcessingChain::createAndInsertFilters($state, $authProcsConfigs);
+
+        $filterInChain = $state[ProcessingChain::FILTERS_INDEX];
+        $this->assertCount(2, $filterInChain);
+        $this->assertInstanceOf(AttributeAdd::class, $filterInChain[0]);
+        $this->assertInstanceOf(AttributeLimit::class, $filterInChain[1]);
+    }
+}
diff --git a/tests/src/SimpleSAML/Auth/ProcessingFilterTest.php b/tests/src/SimpleSAML/Auth/ProcessingFilterTest.php
@@ -0,0 +1,98 @@
+<?php
+
+declare(strict_types=1);
+
+namespace SimpleSAML\Test\Auth\ProcessingFilter;
+
+use Exception;
+use PHPUnit\Framework\TestCase;
+use SimpleSAML\Auth\ProcessingFilter as AuthProcFilter;
+use SimpleSAML\Module\core\Auth\Process\AttributeAlter;
+
+/**
+ * Test for the ProccessingFilter.
+ *
+ * @covers \SimpleSAML\Auth\ProcessingFilter
+ */
+class AttributeAlterTest extends TestCase
+{
+    /**
+     * Helper function to run the filter with a given configuration.
+     *
+     * @param array $config  The filter configuration.
+     * @param array $request  The request state.
+     * @return \SimpleSAML\Auth\ProcessFilter.
+     */
+    private static function processFilter(array $config, array $request): AuthProcFilter
+    {
+        return new AttributeAlter($config, null);
+    }
+
+
+    /**
+     * Test that a filter without precondition will run.
+     */
+    public function testWithoutPrecondition(): void
+    {
+        $config = [
+            'subject' => 'test',
+            'pattern' => '/wrong/',
+            'replacement' => 'right',
+        ];
+
+        $request = [
+            'Attributes' => [
+                 'test' => ['somethingiswrong'],
+             ],
+        ];
+
+        $filter = self::processFilter($config, $request);
+        $this->assertTrue($filter->checkPrecondition($request));
+    }
+
+
+    /**
+     * Test that a filter with a precondition evaluating to true will run.
+     */
+    public function testWithPreconditionTrue(): void
+    {
+        $config = [
+            '%precondition' => 'return true;',
+            'subject' => 'test',
+            'pattern' => '/wrong/',
+            'replacement' => 'right',
+        ];
+
+        $request = [
+            'Attributes' => [
+                 'test' => ['somethingiswrong'],
+             ],
+        ];
+
+        $filter = self::processFilter($config, $request);
+        $this->assertTrue($filter->checkPrecondition($request));
+    }
+
+
+    /**
+     * Test that a filter with a precondition evaluating to false will not run.
+     */
+    public function testWithPreconditionFalse(): void
+    {
+        $config = [
+            '%precondition' => 'return false;',
+            'subject' => 'test',
+            'pattern' => '/wrong/',
+            'replacement' => 'right',
+        ];
+
+        $request = [
+            'Attributes' => [
+                 'test' => ['somethingiswrong'],
+             ],
+        ];
+
+        $filter = self::processFilter($config, $request);
+        $this->assertFalse($filter->checkPrecondition($request));
+    }
+}
