Provide for an expiry date on assertions

Author: ghalse

.travis.yml

@@ -17,11 +17,14 @@ services:
 # Set up a test database we can use for the the unit tests
 before_install:
   - mysql -e 'CREATE DATABASE IF NOT EXISTS simplesamlphp;'
-  - mysql -e 'CREATE TABLE `AttributeFromSQL` (
+  - mysql -e 'CREATE TABLE IF NOT EXISTS `AttributeFromSQL` (
+        `id` INT UNSIGNED NOT NULL AUTO_INCREMENT,
         `uid` VARCHAR(100) NOT NULL,
         `sp` VARCHAR(250) DEFAULT "%",
         `attribute` VARCHAR(30) NOT NULL,
-        `value` TEXT
+        `value` TEXT,
+        `expires` DATE DEFAULT "9999-12-31",
+        PRIMARY KEY (`id`)
     ) DEFAULT CHARSET=utf8;
     GRANT ALL ON `simplesamlphp`.* TO `phpunit`@`localhost` IDENTIFIED BY "phpunit";
     ' simplesamlphp
@@ -30,6 +33,7 @@ before_install:
     INSERT INTO AttributeFromSQL (uid, sp, attribute, value) VALUES ('user@example.org', 'https://idp.example.org/idp/shibboleth', 'eduPersonEntitlement', 'urn:mace:grnet.gr:eduroam:admin');
     INSERT INTO AttributeFromSQL (uid, sp, attribute, value) VALUES ('user@example.org', '%', 'eduPersonAffiliation', 'faculty');
     INSERT INTO AttributeFromSQL (uid, attribute, value) VALUES ('user@example.org', 'mail', 'user@example.org');
+    INSERT INTO AttributeFromSQL (uid, attribute, value, expires) VALUES ('user@example.org', 'mail', 'marty@example.org', '2015-10-21');
     " simplesamlphp
 
 before_script:

README.md

@@ -26,14 +26,24 @@ available if you want to use a stable version of the module.
 You then need to create the following table in your SQL database:
 
 ```sql
-CREATE TABLE `AttributeFromSQL` (
+CREATE TABLE IF NOT EXISTS `AttributeFromSQL` (
+    `id` INT UNSIGNED NOT NULL AUTO_INCREMENT,
     `uid` VARCHAR(100) NOT NULL,
-	`sp` VARCHAR(250) DEFAULT '%',
+    `sp` VARCHAR(250) DEFAULT '%',
     `attribute` VARCHAR(30) NOT NULL,
-    `value` TEXT
+    `value` TEXT,
+    `expires` DATE DEFAULT '9999-12-31',
+     PRIMARY KEY (`id`)
 ) DEFAULT CHARSET=utf8;
 ```
 
+Note that if you are upgrading from v1.2 or earlier you need to make the following change to your existing database:
+
+```sql
+ALTER TABLE `AttributeFromSQL` ADD `id` INT UNSIGNED NOT NULL AUTO_INCREMENT FIRST, ADD PRIMARY KEY (id);
+ALTER TABLE `AttributeFromSQL` ADD `expires` DATE DEFAULT '9999-12-31';
+```
+
 Usage
 -----
 
@@ -65,6 +75,8 @@ Where the parameters are as follows:
 
 * `replace` - behaviour when an existing attribute of the same name is encountered. If `false` (the default) then new values are pushed into an array, creating a multi-valued attribute. If `true`, then existing attributes of the same name are replaced (deleted).
 
+* `ignoreExpiry` - ignore any expiry date (default is to ignore attributes that are beyond the date in the `expires` column).
+
 * `database` - an array containing information about the data store, with the following parameters:
 
   * `dsn` - the data source name, defaults to _mysql:host=localhost;dbname=simplesamlphp_
@@ -84,7 +96,7 @@ database. This can be done manually with SQL similar to the following:
 ```sql
 INSERT INTO AttributeFromSQL (uid, sp, attribute, value) VALUES ('user@example.org', '%', 'eduPersonEntitlement', 'urn:mace:exampleIdP.org:demoservice:demo-admin');
 INSERT INTO AttributeFromSQL (uid, sp, attribute, value) VALUES ('user@example.org', 'https://idp.example.org/idp/shibboleth', 'eduPersonEntitlement', 'urn:mace:grnet.gr:eduroam:admin');
-INSERT INTO AttributeFromSQL (uid, sp, attribute, value) VALUES ('user@example.org', '%', 'eduPersonAffiliation', 'faculty');
+INSERT INTO AttributeFromSQL (uid, sp, attribute, value, expires) VALUES ('user@example.org', '%', 'eduPersonAffiliation', 'faculty', '2020-12-31');
 INSERT INTO AttributeFromSQL (uid, attribute, value) VALUES ('user@example.org', 'mail', 'user@example.org');
 ```
 

lib/Auth/Process/AttributeFromSQL.php

@@ -33,6 +33,9 @@ class sspmod_sqlattribs_Auth_Process_AttributeFromSQL extends SimpleSAML_Auth_Pr
     /** @var array|null Limit returned attribute set */
     private $limit = null;
 
+    /** @var bool|false Should we ignore expiry */
+    private $ignoreExpiry = false;
+
     /**
      * Initialize this filter, parse configuration.
      *
@@ -83,6 +86,10 @@ public function __construct($config, $reserved)
             }
             $this->limit = $config['limit'];
         }
+
+        if (array_key_exists('ignoreExpiry', $config)) {
+            $this->ignoreExpiry = (bool)$config['ignoreExpiry'];
+        }
     }
 
     /**
@@ -140,7 +147,7 @@ public function process(&$request)
         $db = $this->connect();
 
         try {
-            $sth = $db->prepare('SELECT attribute,value FROM ' . $this->table . ' WHERE uid=? AND (sp=\'%\' OR sp=?);');
+            $sth = $db->prepare('SELECT `attribute`,`value` FROM ' . $this->table . ' WHERE `uid`=? AND (`sp`=\'%\' OR `sp`=?)' . ($this->ignoreExpiry ? '' : ' AND `expires`>CURRENT_DATE') . ';');
         } catch (PDOException $e) {
             throw new SimpleSAML_Error_Exception('AttributeFromSQL: prepare() failed: ' . $e->getMessage());
         }

tests/lib/Auth/Process/AttributeFromSQLTest.php

@@ -19,7 +19,7 @@ private static function processFilter(array $config, array $request)
         $filter->process($request);
         return $request;
     }
-    
+
     protected function setUp()
     {
         \SimpleSAML_Configuration::loadFromArray(array(), '[ARRAY]', 'simplesaml');
@@ -102,4 +102,37 @@ public function testReplace()
         );
         $this->assertEquals($expectedData, $attributes, "Expected data was not correct");
     }
+    /**
+     * Test attribute replacement
+     */
+
+    public function testIgnoreExpires()
+    {
+        $config = array(
+            'attribute' => 'eduPersonPrincipalName',
+            'limit' => array('mail',),
+            'ignoreExpiry' => true,
+            'database' => array(
+                'username' => 'phpunit',
+                'password' => 'phpunit',
+            ),
+        );
+        $request = array(
+            'Attributes' => array(
+                'eduPersonPrincipalName' => array('user@example.org'),
+                'displayName' => array('Example User'),
+            ),
+            'Destination' => array(
+                'entityid' => 'https://idp.example.org/idp/shibboleth',
+            ),
+        );
+        $result = self::processFilter($config, $request);
+        $attributes = $result['Attributes'];
+        $expectedData = array(
+            'eduPersonPrincipalName' => array('user@example.org'),
+            'displayName' => array('Example User'),
+            'mail' => array('user@example.org', 'marty@example.org'),
+        );
+        $this->assertEquals($expectedData, $attributes, "Expected data was not correct");
+    }
 }