From c980d3479ace6ec9dcefeaf3c1a08e259ec03df8 Mon Sep 17 00:00:00 2001 From: damikael Date: Thu, 4 May 2023 09:39:12 +0200 Subject: [PATCH] fix: CIE AuthnContextClassRef (Decreto 8 settembre 2022) --- setup/metadata/saml20-idp-remote-cie.ptpl | 2 -- setup/sdk/proxy.tpl | 11 ++++----- setup/sdk/spid-php.tpl | 27 +++++++++++++++-------- 3 files changed, 24 insertions(+), 16 deletions(-) diff --git a/setup/metadata/saml20-idp-remote-cie.ptpl b/setup/metadata/saml20-idp-remote-cie.ptpl index abfc1a2..aee05a4 100644 --- a/setup/metadata/saml20-idp-remote-cie.ptpl +++ b/setup/metadata/saml20-idp-remote-cie.ptpl @@ -92,7 +92,6 @@ $metadata['https://idserver.servizicie.interno.gov.it/idp/profile/SAML2/POST/SSO 'Format' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient', 'AllowCreate' => true, ), - 'AuthnContextClassRef' => 'https://www.spid.gov.it/SpidL3', 'certData' => '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', ); 
@@ -190,6 +189,5 @@ $metadata['https://preproduzione.idserver.servizicie.interno.gov.it/idp/profile/ 'Format' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient', 'AllowCreate' => true, ), - 'AuthnContextClassRef' => 'https://www.spid.gov.it/SpidL3', 'certData' => 'MIIDdTCCAl2gAwIBAgIUU79XEfveueyClDtLkqUlSPZ2o8owDQYJKoZIhvcNAQELBQAwLTErMCkGA1UEAwwiaWRzZXJ2ZXIuc2Vydml6aWNpZS5pbnRlcm5vLmdvdi5pdDAeFw0xODEwMTkwODM1MDVaFw0zODEwMTkwODM1MDVaMC0xKzApBgNVBAMMImlkc2VydmVyLnNlcnZpemljaWUuaW50ZXJuby5nb3YuaXQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDHraj3iOTCIILTlOzicSEuFt03kKvQDqGWRd5o7s1W7SP2EtcTmg3xron/sbrLEL/eMUQV/Biz6J4pEGoFpMZQHGxOVypmO7Nc8pkFot7yUTApr6Ikuy4cUtbx0g5fkQLNb3upIg0Vg1jSnRXEvUCygr/9EeKCUOi/2ptmOVSLad+dT7TiRsZTwY3FvRWcleDfyYwcIMgz5dLSNLMZqwzQZK1DzvWeD6aGtBKCYPRftacHoESD+6bhukHZ6w95foRMJLOaBpkp+XfugFQioYvrM0AB1YQZ5DCQRhhc8jejwdY+bOB3eZ1lJY7Oannfu6XPW2fcknelyPt7PGf22rNfAgMBAAGjgYwwgYkwHQYDVR0OBBYEFK3Ah+Do3/zB9XjZ66i4biDpUEbAMGgGA1UdEQRhMF+CImlkc2VydmVyLnNlcnZpemljaWUuaW50ZXJuby5nb3YuaXSGOWh0dHBzOi8vaWRzZXJ2ZXIuc2Vydml6aWNpZS5pbnRlcm5vLmdvdi5pdC9pZHAvc2hpYmJvbGV0aDANBgkqhkiG9w0BAQsFAAOCAQEAVtpn/s+lYVf42pAtdgJnGTaSIy8KxHeZobKNYNFEY/XTaZEt9QeV5efUMBVVhxKTTHN0046DR96WFYXs4PJ9Fpyq6Hmy3k/oUdmHJ1c2bwWF/nZ82CwOO081Yg0GBcfPEmKLUGOBK8T55ncW+RSZadvWTyhTtQhLUtLKcWyzKB5aS3kEE5LSzR8sw3owln9P41Mz+QtL3WeNESRHW0qoQkFotYXXW6Rvh69+GyzJLxvq2qd7D1qoJgOMrarshBKKPk+ABaLYoEf/cru4e0RDIp2mD0jkGOGDkn9XUl+3ddALq/osTki6CEawkhiZEo6ABEAjEWNkH9W3/ZzvJnWo6Q==', ); diff --git a/setup/sdk/proxy.tpl b/setup/sdk/proxy.tpl index 6d18229..dd5efcb 100644 --- a/setup/sdk/proxy.tpl +++ b/setup/sdk/proxy.tpl @@ -28,6 +28,7 @@ const TOKEN_PRIVATE_KEY = "{{SDKHOME}}/cert/spid-sp.pem"; const TOKEN_PUBLIC_CERT = "{{SDKHOME}}/cert/spid-sp.crt"; const DEFAULT_SPID_LEVEL = 2; + const DEFAULT_CIE_LEVEL = 3; const DEFAULT_ATCS_INDEX = 0; const DEFAULT_EIDAS_ATCS_INDEX = 100; const DEFAULT_SECRET = ""; 
@@ -48,8 +49,8 @@
 case "login":
- $service = "spid";
- if($idp=="CIE" || $idp=="CIE TEST") $service = "cie";
+ $isCIE = ($idp=="CIE" || $idp=="CIE TEST");
+ $service = $isCIE? "cie" : "spid";
 $spidsdk = new SPID_PHP($production, $service);
@@ -102,16 +103,16 @@
 die();
 } else {
- $spid_level = $clients[$client_id]['level'];
+ $spidcie_level = $clients[$client_id]['level'];
 $atcs_index = $clients[$client_id]['atcs_index'];
- if($spid_level==null || !in_array($spid_level, [1,2,3])) $spid_level = DEFAULT_SPID_LEVEL;
+ if($spidcie_level==null || !in_array($spidcie_level, [1,2,3])) $spidcie_level = $isCIE? DEFAULT_CIE_LEVEL : DEFAULT_SPID_LEVEL;
 if($atcs_index==null || !is_numeric($atcs_index)) $atcs_index = DEFAULT_ATCS_INDEX;
 if($idp=="EIDAS" || $idp=="EIDAS QA") $atcs_index = DEFAULT_EIDAS_ATCS_INDEX;
 $returnTo = $_SERVER['SCRIPT_URI'].'?action=login&idp='.$idp.'&client_id='.$client_id.'&redirect_uri='.$redirect_uri.'&state='.$state;
 setcookie('SPIDPHP_PROXYRETURNTO', $returnTo, time()+60*5, '/');
- $spidsdk->login($idp, $spid_level, $_SERVER['SCRIPT_URI'], $atcs_index);
+ $spidsdk->login($idp, $spidcie_level, $_SERVER['SCRIPT_URI'], $atcs_index);
 die();
 }
diff --git a/setup/sdk/spid-php.tpl b/setup/sdk/spid-php.tpl
index 5117c3d..8811007 100644
--- a/setup/sdk/spid-php.tpl
+++ b/setup/sdk/spid-php.tpl
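Review bot: The new `$isCIE` flag is computed with loose `==` on `$idp`, which presumably arrives from the request (it is echoed back into `$returnTo` later in this file), and it is relied on roughly fifty lines further down in the `@@ -102` hunk to choose between `DEFAULT_CIE_LEVEL` and `DEFAULT_SPID_LEVEL`. Strict comparison is the safer idiom for a value that selects an authentication path: `$isCIE = ($idp === "CIE" || $idp === "CIE TEST");`. The enclosing `switch` and the rest of the `case "login":` branch are outside this hunk; if the later use can be reached on a path that does not pass through this line, `$isCIE` would be undefined and evaluate falsy, silently selecting the SPID default for a CIE login, so initialising the flag before the `switch` would make that impossible.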
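Review bot: The per-client `level` is now forwarded unchanged to CIE logins, whereas before this commit `login()` in spid-php.tpl overrode it to 3 for every CIE IdP, so an existing client configured with `level => 1` or `level => 2` for SPID will, after deployment, have its CIE authentication lowered from SpidL3 to that level without any configuration change; the new `DEFAULT_CIE_LEVEL` only kicks in when `level` is null or outside `[1,2,3]`, which is not the case for such clients. Because this value becomes the `saml:AuthnContextClassRef` of the request (see the spid-php.tpl hunk), this is an authentication-strength regression that should at least be called out in the changelog, and ideally be driven by a CIE-specific per-client setting, e.g. `$spidcie_level = $isCIE ? ($clients[$client_id]['cie_level'] ?? DEFAULT_CIE_LEVEL) : $clients[$client_id]['level'];` (key name constructed here, not present in the project). The `in_array(..., [1,2,3])` guard is also non-strict, so a value of `true` passes as level 1; pass `strict: true`, casting with `(int)` first if the client config stores levels as strings. The enclosing `case "login":` branch and its `switch` start outside this hunk.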
@@ -96,22 +96,31 @@
 }
 public function login($idp, $l, $returnTo="", $attributeIndex=null, $post=false) {
- // default for SPID
- $l = ($l=="2" || $l=="3")? $l : "1";
- $post = $post;
+ // common for SPID & CIE
 $comparison = \SAML2\Constants::COMPARISON_MINIMUM;
 // override for CIE
 $isCIEIdP = $this->isCIEKey($idp);
- $l = $isCIEIdP? "3" : $l;
- $post = $isCIEIdP? true : $post;
- $comparison = $isCIEIdP? \SAML2\Constants::COMPARISON_EXACT : \SAML2\Constants::COMPARISON_MINIMUM;
-
- $spidlevel = "https://www.spid.gov.it/SpidL" . $l;
+ if($isCIEIdP) {
+ $l = ($l=="1" || $l=="2")? $l : "3";
+ $post = true;
+
+ /* * Decreto 8 settembre 2022 “Modalità di impiego della carta di identità elettronica” art. 4 * consente l'utilizzo di CIE a livello 1 e 2 * impostato di default a 3 se non specificato */
+ //$comparison = $isCIEIdP? \SAML2\Constants::COMPARISON_EXACT : \SAML2\Constants::COMPARISON_MINIMUM;
+
+ } else {
+ $l = ($l=="1" || $l=="3")? $l : "2";
+ }
+
+ $spidcie_level = "https://www.spid.gov.it/SpidL" . $l;
 $binding = $post? \SAML2\Constants::BINDING_HTTP_POST : \SAML2\Constants::BINDING_HTTP_REDIRECT;
 $config = array(
- 'saml:AuthnContextClassRef' => $spidlevel,
+ 'saml:AuthnContextClassRef' => $spidcie_level,
 'saml:AuthnContextComparison' => $comparison,
 'saml:idp' => $this->idps[$idp],
 'saml:NameIDPolicy' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient',
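Review bot: The level normalisation in the new `if($isCIEIdP)` / `else` branches keeps `$l` exactly as received whenever the loose `==` test passes, and `$l` is then concatenated verbatim into `$spidcie_level`, so a caller passing `"1.0"`, `" 1"` or `true` (all of which satisfy `== "1"` in PHP) produces `https://www.spid.gov.it/SpidL1.0`, `…/SpidL 1` or `…/SpidL1` instead of being rejected — the first two are malformed `AuthnContextClassRef` values sent to the IdP. Normalising the accepted value rather than passing it through closes this: `$l = in_array((string)$l, ["1", "2"], true) ? (string)$l : "3";` in the CIE branch and `$l = in_array((string)$l, ["1", "3"], true) ? (string)$l : "2";` in the SPID branch. The commented-out `//$comparison = $isCIEIdP? \SAML2\Constants::COMPARISON_EXACT …` line is dead code and should be removed, and the decree comment would read better placed above the `if`, where it explains why levels 1 and 2 are now accepted for CIE. The `login()` method continues past the end of this hunk.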