When receiving new entities, EB should check attribute manipulations for parse/syntax errors

[baszoetekouw]

Entities that are pushed to /api/connection may contain an attribute manipulation (AMs). This is configurable PHP code that is eval()ed in the login flow for the specified entity.

This PHP code is typically typed by hand in a plain text web field in Manage, without syntax checking or anything, so AMs regularly contain typos or syntax errors. In the current setup, these are not detected or discovered until someone tries to log in, the code gets eval()ed en an exception is thrown.

To preempt such errors, we would like to introduce a basic syntax check when new entities are received and parsed in /api/connections. There, for all entities that contain an AM, implement a simple check like this:

try {
    @eval($am);
} catch (ParseError $e) {
    echo "Dat ging dus mis. Want: " . $e->getMessage();
    exit(1);
}

(as suggested by @thijskh in OpenConext/OpenConext-manage#136).

If this fails, simply return a 400 with an explanation of which entity failed to validate, and do no import any of the entities.

[baszoetekouw]

Example of an attribute manipulation:

// Provide the next mapping
// Non standard SAML attribute 'cytricSystemValue' with the CustomerID

# attributes to let through (ARP)
$requiredAttributes = array(
  'urn:mace:dir:attribute-def:uid',
  'urn:mace:terena.org:attribute-def:schacHomeOrganization',
  'cytricSystemValue'
) ;

# set nameid based on UID
if (isset($attributes) and ($attributes !== FALSE)) {
  if (!empty($attributes['urn:mace:dir:attribute-def:uid'][0])) {
    $subjectId = $attributes['urn:mace:dir:attribute-def:uid'][0] ;
  }
};

# Set cytricSystemValue to ApplicationID conditional to schacHomeOrganization
if (isset($attributes) and ($attributes !== FALSE))
{
    if (!empty($attributes['urn:mace:terena.org:attribute-def:schacHomeOrganization'][0]))
    {
        switch ($attributes['urn:mace:terena.org:attribute-def:schacHomeOrganization'][0]) {
        // HU
        case 'cataherijecollege.nl':
            $attributes['cytricSystemValue'] = array("ama-vck-Catharijne-Utrecht");
            break;
        // UFraneker
        case 'uni-franeker.nl':
            $attributes['cytricSystemValue'] = array("ama-vck-UNIVERSITEITFRANEKER_hen");
            break;
        // UniHarderwijk
        case 'uni-Harderwijk.nl':
            $attributes['cytricSystemValue'] = array("ama-vck-harderwijk");
            if (!empty($attributes['urn:mace:dir:attribute-def:uid'][0]) and !empty($attributes['urn:mace:terena.org:attribute-def:schacHomeOrganization'][0])) {
                $subjectId = $attributes['urn:mace:dir:attribute-def:uid'][0] . "@" . $attributes['urn:mace:terena.org:attribute-def:schacHomeOrganization'][0] ;
                }
            break;
        }
    }
}

# Remove all unrequied attributes
foreach ($attributes as $k => $v) {
  if (!in_array($k, $requiredAttributes)) {
    unset($attributes[$k]);
  }
}

[johanib]

Discussed: Step 1: Determine how, estimate time.
Can we use eval? If so, it should be straightforward. Otherwise, use phpstan for example?

Does the development manage have php code?