From f16cd25ecc3d612e2c587526c4f113ed4f9e4303 Mon Sep 17 00:00:00 2001 From: fpeters <> Date: Thu, 27 Jan 2005 23:52:57 +0000 Subject: [PATCH] updated to lasso 0.6.0; thanks to work on idptech --- configure.ac | 2 +- create-db.sql | 9 ++--- src/auth.c | 5 +-- src/config.c | 6 ++-- src/db_postgresql.c | 27 +++++++-------- src/federation_termination.c | 8 ++--- src/idpc.h | 8 ++--- src/single_logout.c | 13 +++---- src/single_sign_on.c | 67 ++++++++++++++++++------------------ src/soap_end_point.c | 61 +++++++++++++++++--------------- src/utils.c | 18 +++++----- 11 files changed, 113 insertions(+), 111 deletions(-) diff --git a/configure.ac b/configure.ac index d5ccebc..4ed5440 100644 --- a/configure.ac +++ b/configure.ac @@ -18,7 +18,7 @@ dnl Checks for header files. AC_HEADER_STDC dnl Checks for libraries. -PKG_CHECK_MODULES(IDPC, libxml-2.0 neon lasso = 0.4.1 openssl) +PKG_CHECK_MODULES(IDPC, libxml-2.0 neon lasso >= 0.6.0 openssl) AC_SUBST(IDPC_CFLAGS) AC_SUBST(IDPC_LIBS) diff --git a/create-db.sql b/create-db.sql index f186dba..ef3eab6 100644 --- a/create-db.sql +++ b/create-db.sql @@ -13,11 +13,12 @@ session_dump text ); - CREATE TABLE assertions ( - artifact varchar(100), - assertion text + CREATE TABLE artifacts ( + artifact varchar(100) primary key, + user_id varchar(100), + provider_id text ); GRANT DELETE, INSERT, SELECT, UPDATE ON nameidentifiers TO idpc; GRANT DELETE, INSERT, SELECT, UPDATE ON users TO idpc; - GRANT DELETE, INSERT, SELECT, UPDATE ON assertions TO idpc; + GRANT DELETE, INSERT, SELECT, UPDATE ON artifacts TO idpc; diff --git a/src/auth.c b/src/auth.c index 31167aa..9f616ba 100644 --- a/src/auth.c +++ b/src/auth.c 
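Review bot: The new `artifacts` table has no issuance timestamp, so an artifact the service provider never resolves stays resolvable until something deletes its row, and nothing on this page expires such rows. Adding a column such as `created timestamp not null default now()` would let a periodic cleanup retire stale artifacts and let the resolution endpoint refuse ones older than a short window. This script also only creates tables, so an upgraded database keeps the old `assertions` table that no code reads any more.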
@@ -261,8 +261,9 @@ char* http_auth() struct authentication authentications[] = { {"certificate", certificate_auth, - lassoSamlAuthenticationMethodSoftwarePki}, - {"http", http_auth, lassoSamlAuthenticationMethodPassword}, + LASSO_SAML_AUTHENTICATION_METHOD_SOFTWARE_PKI}, + {"http", http_auth, + LASSO_SAML_AUTHENTICATION_METHOD_PASSWORD}, { NULL, NULL, NULL} }; diff --git a/src/config.c b/src/config.c index ba042d6..4861e7a 100644 --- a/src/config.c +++ b/src/config.c @@ -84,10 +84,9 @@ LassoServer* get_config_server() server = lasso_server_new( get_config_string("//idpc:metadataFilePath"), - get_config_string("//idpc:idpPublicKey"), get_config_string("//idpc:idpPrivateKey"), - get_config_string("//idpc:idpCertificate"), - lassoSignatureMethodRsaSha1); + NULL, + get_config_string("//idpc:idpCertificate")); if (server == NULL) { fprintf(stderr, "failure in server_new\n"); return NULL; @@ -105,6 +104,7 @@ LassoServer* get_config_server() break; } rc = lasso_server_add_provider(server, + LASSO_PROVIDER_ROLE_SP, get_config_string(cfg_metadata), get_config_string(cfg_publickey), get_config_string(cfg_cacertificate)); diff --git a/src/db_postgresql.c b/src/db_postgresql.c index 8cec1f5..bb359b1 100644 --- a/src/db_postgresql.c +++ b/src/db_postgresql.c 
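Review bot: The bare `NULL` passed as the third argument of `lasso_server_new` is unexplained; it presumably stands for the private-key password, and a reader cannot tell whether an unencrypted key file is a requirement or an oversight. A short comment would settle it, e.g. `NULL, /* private key password; key file assumed unencrypted -- TODO confirm against lasso 0.6 */`. The `//idpc:idpPublicKey` setting is no longer read, so any sample configuration that still lists it should drop it rather than suggest it has an effect. `get_config_server` starts and ends outside the hunk.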
@@ -189,20 +189,18 @@ int db_save_name_identifier(char *name_identifier, char *user_id) return 0; } -int db_save_assertion(char *assertion_artifact, LassoAssertion *assertion) +int db_save_artifact(char *artifact, char *user_id, char *provider_id) { PGresult *res; - const char *params[2]; - char *assertion_dump; + const char *params[3]; - assertion_dump = lasso_node_export(LASSO_NODE(assertion)); - - params[0] = assertion_artifact; - params[1] = assertion_dump; + params[0] = artifact; + params[1] = user_id; + params[2] = provider_id; res = PQexecParams(sqlconn, - "INSERT INTO assertions VALUES ($1, $2)", - 2, NULL, params, NULL, NULL, 1); + "INSERT INTO artifacts VALUES ($1, $2, $3)", + 3, NULL, params, NULL, NULL, 1); if (PQresultStatus(res) != PGRES_COMMAND_OK) { PQclear(res); return 1; @@ -212,7 +210,7 @@ int db_save_assertion(char *assertion_artifact, LassoAssertion *assertion) return 0; } -int db_get_assertion(char *artifact, char **assertion) +int db_get_artifact(char *artifact, char **user_id, char **provider_id) { PGresult *res; const char *params[1]; @@ -220,7 +218,7 @@ int db_get_assertion(char *artifact, char **assertion) params[0] = artifact; res = PQexecParams(sqlconn, - "SELECT assertion from assertions where artifact = $1", + "SELECT user_id, provider_id from artifacts where artifact = $1", 1, NULL, params, NULL, NULL, 1); if (PQresultStatus(res) != PGRES_TUPLES_OK) { PQclear(res); @@ -233,12 +231,13 @@ int db_get_assertion(char *artifact, char **assertion) return 1; } - *assertion = strdup(PQgetvalue(res, 0, 0)); + *user_id = strdup(PQgetvalue(res, 0, 0)); + *provider_id = strdup(PQgetvalue(res, 0, 1)); PQclear(res); return 0; } -int db_remove_assertion(char *artifact) +int db_remove_artifact(char *artifact) { PGresult *res; const char *params[1]; 
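Review bot: `db_get_artifact` hands back two heap strings, but neither it nor its prototype in `src/idpc.h` says who frees them or that they are only written on success, which is exactly what `req_login` needs to know to avoid leaking or freeing garbage. A header comment along the lines of `/* On success *user_id and *provider_id are strdup'd copies the caller must free; on failure they are left untouched. */` would capture the contract this hunk establishes. The two `strdup` results are also unchecked, so a failed copy returns 0 with a NULL output; testing `if (!*user_id || !*provider_id)` after the copies, freeing whichever one succeeded and returning 1, keeps the return code honest. `db_get_artifact` spans several hunks and its start is in an earlier one.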
@@ -246,7 +245,7 @@ int db_remove_assertion(char *artifact) params[0] = artifact; res = PQexecParams(sqlconn, - "DELETE from assertions where artifact = $1", + "DELETE from artifacts where artifact = $1", 1, NULL, params, NULL, NULL, 1); if (PQresultStatus(res) != PGRES_COMMAND_OK) { PQclear(res); diff --git a/src/federation_termination.c b/src/federation_termination.c index 12d3142..046e3e2 100644 --- a/src/federation_termination.c +++ b/src/federation_termination.c @@ -35,8 +35,7 @@ int defederation_http(LassoDefederation *termination) LassoIdentity *identity; rc = lasso_defederation_process_notification_msg( - termination, getenv("QUERY_STRING"), - lassoHttpMethodRedirect); + termination, getenv("QUERY_STRING")); if (rc) { return error_page("process_notification_msg failed"); } @@ -113,7 +112,7 @@ int defederation_init(LassoDefederation *termination, } rc = lasso_defederation_init_notification(termination, - serviceProviderId, lassoHttpMethodSoap); + serviceProviderId, LASSO_HTTP_METHOD_SOAP); if (rc) { return error_page("init_notification failed"); } @@ -168,8 +167,7 @@ int defederation() return error_page("Failed to get server configuration"); } - termination = lasso_defederation_new(server, - lassoProviderTypeIdp); + termination = lasso_defederation_new(server); if (termination == NULL) { lasso_server_destroy(server); return error_page("lasso_defederation_new failed"); diff --git a/src/idpc.h b/src/idpc.h index a77910e..c18866b 100644 --- a/src/idpc.h +++ b/src/idpc.h @@ -35,7 +35,7 @@ #include #include #include -#include /* lasso bug; shouldn't have to include this */ +#include /* lasso bug; shouldn't have to include this */ int error_page(char *msg); int handle_args(int argc, char *argv[]); 
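Review bot: `getenv("QUERY_STRING")` can return NULL and is now passed straight into `lasso_defederation_process_notification_msg`, whereas the same commit teaches `single_sign_on` to reject a missing query string before calling the library; `logout_req` in `src/single_logout.c` has the same gap with `lasso_logout_process_request_msg`. Reading the variable into a local first and failing early, `if (!qs) return error_page("No query string");`, keeps the NULL out of the library on both paths. `defederation_http` starts outside the hunk.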
@@ -55,9 +55,9 @@ int db_get_dumps(char *user_id, char **user_dump, char **session_dump); int db_save_identity(char *user_id, char *identity_dump); int db_save_session(char *user_id, char *session_dump); int db_save_name_identifier(char *name_identifier, char *user_id); -int db_save_assertion(char *assertion_artifact, LassoAssertion *assertion); -int db_get_assertion(char *artifact, char **assertion); -int db_remove_assertion(char *artifact); +int db_save_artifact(char *artifact, char *user_id, char *provider_id); +int db_get_artifact(char *artifact, char **user_id, char **provider_id); +int db_remove_artifact(char *artifact); int db_get_user_id(char *name_identifier, char **user_id); void db_finish(); diff --git a/src/single_logout.c b/src/single_logout.c index a87f365..f667fc7 100644 --- a/src/single_logout.c +++ b/src/single_logout.c @@ -39,8 +39,7 @@ int soap_loop(LassoLogout *logout) other_sp = lasso_logout_get_next_providerID(logout); while (other_sp) { fprintf(stderr, "Other SP: %s\n", other_sp); - rc = lasso_logout_init_request(logout, other_sp, - lassoHttpMethodAny); + rc = lasso_logout_init_request(logout, other_sp, LASSO_HTTP_METHOD_ANY); if (rc) { fprintf(stderr, "init_request failed\n"); return 1; @@ -59,8 +58,7 @@ int soap_loop(LassoLogout *logout) return 1; } - rc = lasso_logout_process_response_msg(logout, - soap_answer, lassoHttpMethodSoap); + rc = lasso_logout_process_response_msg(logout, soap_answer); if (rc) { free(soap_answer); fprintf(stderr, "logout_process_response_msg failed\n"); @@ -82,7 +80,7 @@ int soap_loop(LassoLogout *logout) if (other_sp) { /* remaining service provider; redirect */ rc = lasso_logout_init_request(logout, other_sp, - lassoHttpMethodRedirect); + LASSO_HTTP_METHOD_REDIRECT); if (rc) { fprintf(stderr, "lasso_logout_init_request failed\n"); return 0; 
@@ -184,14 +182,13 @@ int logout_req() return error_page("Failed to get server configuration"); } - logout = lasso_logout_new(server, lassoProviderTypeIdp); + logout = lasso_logout_new(server); if (logout == NULL) { lasso_server_destroy(server); return error_page("lasso_logout_new failed"); } - rc = lasso_logout_process_request_msg(logout, - getenv("QUERY_STRING"), lassoHttpMethodRedirect); + rc = lasso_logout_process_request_msg(logout, getenv("QUERY_STRING")); if (rc == LASSO_PROFILE_ERROR_INVALID_QUERY) { /* unknown query string; initiate logout now */ rc = logout_init(logout); diff --git a/src/single_sign_on.c b/src/single_sign_on.c index c53587c..dd020ff 100644 --- a/src/single_sign_on.c +++ b/src/single_sign_on.c @@ -44,7 +44,7 @@ int lecp_profile(LassoServer *server) soap_msg[clen] = 0; fgets(soap_msg, clen+1, stdin); req_type = lasso_profile_get_request_type_from_soap_msg(soap_msg); - if (req_type != lassoRequestTypeLecp) { + if (req_type != LASSO_REQUEST_TYPE_LECP) { return error_page("soap but req type not LECP"); } @@ -78,10 +78,7 @@ int lecp_profile(LassoServer *server) return error_page("Failed to set profile from dumps"); } - - - rc = lasso_lecp_init_from_authn_request_msg(lecp, soap_msg, - lassoHttpMethodSoap); + rc = lasso_lecp_process_authn_request_msg(lecp, soap_msg); if (!rc) { lasso_lecp_destroy(lecp); return error_page("lecp init failed"); @@ -90,9 +87,7 @@ int lecp_profile(LassoServer *server) reauth_time = strtime(time(NULL) + (get_config_string("//idpc:reauthenticationDelay") ? atoi(get_config_string("//idpc:reauthenticationDelay")) : 7200)); - rc = lasso_lecp_build_authn_response_envelope_msg( - lecp, 1, auth->lasso_name, - reauth_time); + rc = lasso_lecp_build_authn_response_envelope_msg(lecp); free(reauth_time); if (!rc) { lasso_lecp_destroy(lecp); @@ -115,7 +110,6 @@ int single_sign_on() { LassoServer *server; LassoLogin *login; - lassoHttpMethod response_method; char *http_verb, *ct; char *authn_request_msg = NULL; int rc; 
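Review bot: The `if (!rc)` that follows the new `lasso_lecp_process_authn_request_msg` call reports success as "lecp init failed" and lets a failed parse continue, unless that function deliberately returns non-zero on success; the sibling `single_sign_on()` in this same file treats a non-zero return from `lasso_login_process_authn_request_msg` as the failure. The same inverted test guards `lasso_lecp_build_authn_response_envelope_msg` in the next hunk. If lasso 0.6 keeps its 0-on-success convention for these calls, both tests should read `if (rc) {`. `lecp_profile` starts and ends outside the hunk.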
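Review bot: `reauth_time` is still computed and freed but no longer reaches the library, since `lasso_lecp_build_authn_response_envelope_msg` now takes only `lecp`, and `auth->lasso_name` is no longer passed either; the non-LECP path in `single_sign_on()` now feeds both into `lasso_login_build_assertion` before building its response, and no equivalent call is visible on the LECP path. Unless the LECP builder creates the assertion itself, the envelope will carry no assertion for the authenticated user. Either add a `lasso_login_build_assertion(LASSO_LOGIN(lecp), auth->lasso_name, "", reauth_time, "", "")` call mirroring the SSO path (the cast assumes LassoLecp derives from LassoLogin — confirm), or drop the now-dead `reauth_time` computation. `lecp_profile` starts and ends outside the hunk.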
@@ -137,12 +131,13 @@ int single_sign_on() char *t; t = getenv("QUERY_STRING"); - if (t) { - authn_request_msg = strdup(t); - } else { - authn_request_msg = strdup(""); - } - response_method = lassoHttpMethodRedirect; + if (!t) + return error_page("No authnRequest as query string"); + + if (! lasso_profile_is_liberty_query(t)) + return error_page("Improper query string; not a AuthnRequest"); + + authn_request_msg = strdup(t); } if (strcmp(http_verb, "POST") == 0) { @@ -161,7 +156,6 @@ int single_sign_on() msg = malloc(clen+1); msg[clen] = 0; fgets(msg, clen+1, stdin); - response_method = lassoHttpMethodPost; res = urlencoded_to_strings(msg); for (i=0; res[i]; i++) { @@ -228,8 +222,7 @@ int single_sign_on() return error_page("Failed to set profile from dumps"); } - rc = lasso_login_init_from_authn_request_msg(login, - authn_request_msg, response_method); + rc = lasso_login_process_authn_request_msg(login, authn_request_msg); if (rc) { char msg[100]; sprintf(msg, "Lasso login error, %d", rc); @@ -251,12 +244,22 @@ int single_sign_on() (get_config_string("//idpc:reauthenticationDelay") ? atoi(get_config_string("//idpc:reauthenticationDelay")) : 7200)); - if (login->protocolProfile == lassoLoginProtocolProfileBrwsArt) { + rc = lasso_login_build_assertion(login, + auth->lasso_name, + "", /* authenticationInstant */ + reauth_time, /* reauthenticateOnOrAfter */ + "", /* notBefore */ + ""); /* notOnOrAfter */ + if (rc) { + free(reauth_time); + lasso_login_destroy(login); + lasso_server_destroy(server); + return error_page("build_assertion failed"); + } + + if (login->protocolProfile == LASSO_LOGIN_PROTOCOL_PROFILE_BRWS_ART) { rc = lasso_login_build_artifact_msg(login, - 1, /* user authenticated */ - auth->lasso_name, - reauth_time, - lassoHttpMethodRedirect); + LASSO_HTTP_METHOD_REDIRECT); if (rc) { free(reauth_time); lasso_login_destroy(login); 
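Review bot: `lasso_login_build_assertion` is called with empty strings for `authenticationInstant`, `notBefore` and `notOnOrAfter`, so if the library emits those values verbatim the assertion carries an empty AuthenticationInstant and no validity window for the service provider to enforce; only `reauthenticateOnOrAfter` is set. This file already formats times with `strtime(time(NULL) + …)` for `reauth_time`, so passing `strtime(time(NULL))` for the instant and `notBefore`, plus a short `notOnOrAfter`, and freeing each afterwards, would bound the assertion's lifetime. Whether lasso 0.6 substitutes defaults for `""` should be checked before relying on it. `single_sign_on` starts and ends outside the hunk.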
@@ -265,10 +268,7 @@ int single_sign_on() } } else { /* POST profile (lassoLoginProtocolProfileBrwsPost) */ - rc = lasso_login_build_authn_response_msg(login, - 1, /* user authenticated */ - auth->lasso_name, - reauth_time); + rc = lasso_login_build_authn_response_msg(login); if (rc) { free(reauth_time); lasso_login_destroy(login); @@ -279,7 +279,7 @@ int single_sign_on() free(reauth_time); rc = db_save_name_identifier( - LASSO_PROFILE(login)->nameIdentifier, user_id); + LASSO_PROFILE(login)->nameIdentifier->content, user_id); if (rc) { lasso_login_destroy(login); lasso_server_destroy(server); @@ -294,11 +294,10 @@ int single_sign_on() } - if (login->protocolProfile == lassoLoginProtocolProfileBrwsArt) { - LassoAssertion *my_ass; - /* won't be freed; missing lasso_assertion_destroy */ - my_ass = lasso_login_get_assertion(login); - rc = db_save_assertion(login->assertionArtifact, my_ass); + if (login->protocolProfile == LASSO_LOGIN_PROTOCOL_PROFILE_BRWS_ART) { + rc = db_save_artifact(login->assertionArtifact, + user_id, + LASSO_PROFILE(login)->remote_providerID); if (rc) { lasso_login_destroy(login); lasso_server_destroy(server); @@ -333,7 +332,7 @@ int main(int argc, char *argv[]) { int rc; - if (argc > 1 && handle_args(argc, argv) ) { + if (argc > 1 && handle_args(argc, argv)) { return 0; } diff --git a/src/soap_end_point.c b/src/soap_end_point.c index eab71bd..94b9e4f 100644 --- a/src/soap_end_point.c +++ b/src/soap_end_point.c @@ -23,7 +23,7 @@ struct req { - lassoRequestType type; + LassoRequestType type; char* (*request_function) (LassoServer*, char*); }; 
@@ -34,11 +34,11 @@ char* req_register_name_identifier(LassoServer *server, char *soap_msg); char* req_name_identifier_mapping(LassoServer *server, char *soap_msg); struct req requests[] = { - {lassoRequestTypeLogin, req_login}, - {lassoRequestTypeLogout, req_logout}, - {lassoRequestTypeDefederation, req_defederation}, - {lassoRequestTypeRegisterNameIdentifier, req_register_name_identifier}, - {lassoRequestTypeNameIdentifierMapping, req_name_identifier_mapping}, + {LASSO_REQUEST_TYPE_LOGIN, req_login}, + {LASSO_REQUEST_TYPE_LOGOUT, req_logout}, + {LASSO_REQUEST_TYPE_DEFEDERATION, req_defederation}, + {LASSO_REQUEST_TYPE_NAME_REGISTRATION, req_register_name_identifier}, + {LASSO_REQUEST_TYPE_NAME_IDENTIFIER_MAPPING, req_name_identifier_mapping}, /* {lassoRequestTypeLecp, req_lecp}, */ /* LECP requests go to single sign on service URL */ {0, NULL} @@ -50,8 +50,9 @@ struct req requests[] = { char* req_login(LassoServer *server, char *soap_msg) { LassoLogin *login; - char *assertion_dump = NULL; int rc; + char *user_id = NULL, *provider_id = NULL; + char *identity_dump, *session_dump, *answer; login = lasso_login_new(server); rc = lasso_login_process_request_msg(login, soap_msg); 
@@ -60,26 +61,33 @@ char* req_login(LassoServer *server, char *soap_msg) return NULL; } - rc = db_get_assertion(login->assertionArtifact, &assertion_dump); + rc = db_get_artifact(login->assertionArtifact, &user_id, &provider_id); if (rc) { - fprintf(stderr, "db_get_assertion failed\n"); + fprintf(stderr, "db_get_artifact failed\n"); } else { - rc = lasso_login_set_assertion_from_dump(login, assertion_dump); + rc = db_remove_artifact(login->assertionArtifact); if (rc) { - fprintf(stderr, "set_assertion_from_dump failed\n"); - } - rc = db_remove_assertion(login->assertionArtifact); - if (rc) { - fprintf(stderr, "db_remove_assertion failed\n"); + fprintf(stderr, "db_remove_artifact failed\n"); } + + rc = db_get_dumps(user_id, &identity_dump, &session_dump); + rc = set_profile_from_dumps(LASSO_PROFILE(login), + identity_dump, session_dump); + free(identity_dump); + free(session_dump); } - rc = lasso_login_build_response_msg(login); - assertion_dump = strdup(LASSO_PROFILE(login)->msg_body); + rc = lasso_login_build_response_msg(login, provider_id); + if (user_id) + free(user_id); + if (provider_id) + free(provider_id); + + answer = strdup(LASSO_PROFILE(login)->msg_body); lasso_login_destroy(login); - return assertion_dump; + return answer; } char* req_logout(LassoServer *server, char *soap_msg) @@ -90,10 +98,9 @@ char* req_logout(LassoServer *server, char *soap_msg) char *answer = NULL; char *soap_answer = NULL; - logout = lasso_logout_new(server, lassoProviderTypeIdp); + logout = lasso_logout_new(server); - rc = lasso_logout_process_request_msg(logout, - soap_msg, lassoHttpMethodSoap); + rc = lasso_logout_process_request_msg(logout, soap_msg); if (rc) { fprintf(stderr, "process_request_msg failed\n"); goto cleanup; 
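Review bot: `db_get_dumps`'s return code is ignored, so when it fails `identity_dump` and `session_dump` (declared without initialisers in the previous hunk) are passed to `set_profile_from_dumps` and then freed while uninitialised; `set_profile_auto` in `src/utils.c` checks the same call. Two further gaps on this path: a failed `db_remove_artifact` is only logged and the assertion is still issued, so the artifact stays resolvable and a second resolution would succeed, and `lasso_login_build_response_msg`'s return is never checked before `strdup(LASSO_PROFILE(login)->msg_body)`, which is undefined if `msg_body` is NULL. The rewrite below makes both database failures fall through to the no-`provider_id` response the hunk already uses for an unknown artifact and rejects a failed build. The SELECT and DELETE remain two separate statements, so concurrent resolutions of the same artifact can both succeed until the lookup and removal run in one transaction (for instance `SELECT … FOR UPDATE` followed by the DELETE). `req_login` starts outside the hunk.
```c
	/* … unchanged: lasso_login_new, lasso_login_process_request_msg and its NULL return … */
	rc = db_get_artifact(login->assertionArtifact, &user_id, &provider_id);
	if (rc) {
		fprintf(stderr, "db_get_artifact failed\n");
	} else if (db_remove_artifact(login->assertionArtifact)) {
		/* artifact must be single-use: issue nothing if it can't be retired */
		fprintf(stderr, "db_remove_artifact failed\n");
		free(provider_id);
		provider_id = NULL;
	} else if (db_get_dumps(user_id, &identity_dump, &session_dump)) {
		fprintf(stderr, "db_get_dumps failed\n");
		free(provider_id);
		provider_id = NULL;
	} else {
		rc = set_profile_from_dumps(LASSO_PROFILE(login),
				identity_dump, session_dump);
		free(identity_dump);
		free(session_dump);
	}
	free(user_id); /* free(NULL) is a no-op */

	rc = lasso_login_build_response_msg(login, provider_id);
	free(provider_id);
	if (rc || LASSO_PROFILE(login)->msg_body == NULL) {
		fprintf(stderr, "build_response_msg failed\n");
		lasso_login_destroy(login);
		return NULL;
	}

	answer = strdup(LASSO_PROFILE(login)->msg_body);
	lasso_login_destroy(login);
	return answer;
}
```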
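Review bot: `lasso_logout_new(server)` is assigned to `logout` and used in the very next call without a NULL check, while `logout_req` in `src/single_logout.c` checks the same constructor and bails out; `req_defederation` in the `@@ -183` hunk has the same omission for `lasso_defederation_new`. Mirroring the check, `if (logout == NULL) { fprintf(stderr, "lasso_logout_new failed\n"); goto cleanup; }`, keeps a failed construction from reaching `lasso_logout_process_request_msg`, provided the `cleanup` label copes with a NULL `logout`, which the hunk does not show. `req_logout` starts and ends outside the hunk.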
@@ -131,7 +138,7 @@ char* req_logout(LassoServer *server, char *soap_msg) while (other_sp) { fprintf(stderr, "Other SP: %s\n", other_sp); rc = lasso_logout_init_request(logout, other_sp, - lassoHttpMethodAny); + LASSO_HTTP_METHOD_ANY); if (rc) { fprintf(stderr, "init_request failed\n"); goto cleanup; @@ -149,8 +156,7 @@ char* req_logout(LassoServer *server, char *soap_msg) goto cleanup; } - rc = lasso_logout_process_response_msg(logout, - soap_answer, lassoHttpMethodSoap); + rc = lasso_logout_process_response_msg(logout, soap_answer); if (rc) { free(soap_answer); fprintf(stderr, "logout_process_response_msg failed\n"); @@ -183,10 +189,9 @@ char* req_defederation(LassoServer *server, char *soap_msg) LassoIdentity *identity; int rc; - termination = lasso_defederation_new(server, lassoProviderTypeIdp); + termination = lasso_defederation_new(server); - rc = lasso_defederation_process_notification_msg( - termination, soap_msg, lassoHttpMethodSoap); + rc = lasso_defederation_process_notification_msg(termination, soap_msg); if (rc) { fprintf(stderr, "process_notifification_msg failed\n"); return NULL; @@ -233,7 +238,7 @@ int soap_end_point() int clen = 0; char *soap_msg, *soap_answer = NULL; char *http_verb; - lassoRequestType req_type; + LassoRequestType req_type; int i; http_verb = getenv("REQUEST_METHOD"); diff --git a/src/utils.c b/src/utils.c index 8431fac..a1209e2 100644 --- a/src/utils.c +++ b/src/utils.c 
@@ -125,23 +125,23 @@ int set_profile_auto(LassoProfile *profile) { int rc; char *user_id; - char *user_dump, *session_dump; + char *identity_dump, *session_dump; - rc = db_get_user_id(profile->nameIdentifier, &user_id); + rc = db_get_user_id(profile->nameIdentifier->content, &user_id); if (rc) { fprintf(stderr, "db_get_user_id failed\n"); return 1; } - rc = db_get_dumps(user_id, &user_dump, &session_dump); + rc = db_get_dumps(user_id, &identity_dump, &session_dump); free(user_id); if (rc) { fprintf(stderr, "Error getting dumps from db\n"); return 1; } - rc = set_profile_from_dumps(profile, user_dump, session_dump); - free(user_dump); + rc = set_profile_from_dumps(profile, identity_dump, session_dump); + free(identity_dump); free(session_dump); return rc; } @@ -163,7 +163,7 @@ int save_profile_dumps(LassoProfile *profile) char *user_id; - rc = db_get_user_id(profile->nameIdentifier, &user_id); + rc = db_get_user_id(profile->nameIdentifier->content, &user_id); if (rc) { fprintf(stderr, "db_get_user_id failed\n"); return 1; @@ -172,8 +172,9 @@ int save_profile_dumps(LassoProfile *profile) if (lasso_profile_is_identity_dirty(profile)) { LassoIdentity *identity; identity = lasso_profile_get_identity(profile); - dump = identity ? lasso_identity_dump(identity) : ""; + dump = identity ? lasso_identity_dump(identity) : strdup(""); rc = db_save_identity(user_id, dump); + free(dump); lasso_identity_destroy(identity); if (rc) { free(user_id); @@ -184,8 +185,9 @@ int save_profile_dumps(LassoProfile *profile) if (lasso_profile_is_session_dirty(profile)) { LassoSession *session; session = lasso_profile_get_session(profile); - dump = session ? lasso_session_dump(session) : ""; + dump = session ? lasso_session_dump(session) : strdup(""); rc = db_save_session(user_id, dump); + free(dump); lasso_session_destroy(session); if (rc) { free(user_id);
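Review bot: `profile->nameIdentifier->content` dereferences `nameIdentifier` unconditionally in both `set_profile_auto` and `save_profile_dumps`; the profile here was populated from an inbound message, so if the library leaves that field NULL for a request carrying no NameIdentifier, the CGI crashes on remote input instead of returning an error. A guard before each lookup, `if (profile->nameIdentifier == NULL) { fprintf(stderr, "no name identifier\n"); return 1; }`, keeps the functions' existing error-return convention. The same dereference is added in `src/single_sign_on.c` right after `lasso_login_build_assertion`, where the IdP itself has just populated the profile, so it is less exposed there. `set_profile_auto`'s signature line and most of `save_profile_dumps` lie outside these hunks.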