/* $Id$
 *
 * Lasso - A free implementation of the Liberty Alliance specifications.
 *
 * Copyright (C) 2004-2007 Entr'ouvert
 * http://lasso.entrouvert.org
 *
 * Authors: See AUTHORS file in top-level directory.
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 2 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
 */

/**
 * SECTION:defederation
 * @short_description: Federation Termination Notification Profile (ID-FF)
 *
 * Builds outgoing lib:FederationTerminationNotification messages (SOAP or
 * HTTP-Redirect) and parses, signature-checks and validates incoming ones,
 * removing the corresponding federation from the identity and the
 * corresponding assertion from the session.
 *
 **/

#include "../xml/private.h"
#include "defederation.h"
#include "providerprivate.h"
#include "sessionprivate.h"
#include "identityprivate.h"
#include "profileprivate.h"
#include "serverprivate.h"
#include "../xml/private.h"
#include "../utils.h"
/*****************************************************************************/
/* public methods */
/*****************************************************************************/

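/**
 * lasso_defederation_build_notification_msg:
 * @defederation: a #LassoDefederation
 *
 * Builds the federation termination notification message.
 *
 * It gets the federation termination notification protocol profile and:
 * <itemizedlist>
 * <listitem><para>
 * if it is a SOAP method, then it builds the federation termination
 * notification SOAP message, optionally signs the notification node, sets
 * @msg_body, gets the SoapEndpoint url and sets @msg_url of the federation
 * termination object.
 * </para></listitem>
 * <listitem><para>
 * if it is a HTTP-Redirect method, then it builds the federation termination
 * notification QUERY message (optionally signs the notification message),
 * builds the federation termination notification url with federation
 * termination service url, sets @msg_url in the federation termination
 * object, sets @msg_body to NULL.
 * </para></listitem>
 * </itemizedlist>
 *
 * lasso_defederation_init_notification() must have been called first: it is
 * what sets the remote provider id, the request object and the HTTP method
 * this function relies on.
 *
 * Return value: 0 on success; or a negative value otherwise.
 **/
gint
lasso_defederation_build_notification_msg(LassoDefederation *defederation)
{
	LassoProfile *profile;
	LassoProvider *remote_provider;
	gchar *url, *query;

	g_return_val_if_fail(LASSO_IS_DEFEDERATION(defederation),
			LASSO_PARAM_ERROR_BAD_TYPE_OR_NULL_OBJ);

	profile = LASSO_PROFILE(defederation);
	lasso_profile_clean_msg_info(profile);

	if (profile->remote_providerID == NULL) {
		/* this means lasso_defederation_init_notification was not called before */
		return critical_error(LASSO_PROFILE_ERROR_MISSING_REMOTE_PROVIDERID);
	}

	/* The request is created by lasso_defederation_init_notification too; it
	 * is cast to LassoSamlpRequestAbstract / LassoNode below, so refuse to go
	 * on when it is absent instead of dereferencing a NULL pointer. */
	if (LASSO_IS_LIB_FEDERATION_TERMINATION_NOTIFICATION(profile->request) == FALSE) {
		return critical_error(LASSO_PROFILE_ERROR_MISSING_REQUEST);
	}

	/* get the remote provider object */
	remote_provider = g_hash_table_lookup(profile->server->providers,
			profile->remote_providerID);
	if (LASSO_IS_PROVIDER(remote_provider) == FALSE) {
		return critical_error(LASSO_SERVER_ERROR_PROVIDER_NOT_FOUND);
	}

	/* build the federation termination notification message (SOAP or HTTP-Redirect) */
	if (profile->http_request_method == LASSO_HTTP_METHOD_SOAP) {
		/* The SOAP endpoint comes from the remote provider metadata. Its
		 * absence is an error, exactly as the HTTP-Redirect branch treats a
		 * missing FederationTerminationServiceURL; previously msg_url was
		 * silently left NULL and success reported. */
		url = lasso_provider_get_metadata_one(remote_provider, "SoapEndpoint");
		if (url == NULL) {
			return critical_error(LASSO_PROFILE_ERROR_UNKNOWN_PROFILE_URL);
		}
		lasso_assign_new_string(profile->msg_url, url);

		/* the request node signs itself on export, with the server key and
		 * certificate set here */
		lasso_assign_string(LASSO_SAMLP_REQUEST_ABSTRACT(profile->request)->private_key_file,
				profile->server->private_key);
		lasso_assign_string(LASSO_SAMLP_REQUEST_ABSTRACT(profile->request)->certificate_file,
				profile->server->certificate);
		lasso_assign_new_string(profile->msg_body,
				lasso_node_export_to_soap(LASSO_NODE(profile->request)));
		return 0;
	}

	if (profile->http_request_method == LASSO_HTTP_METHOD_REDIRECT) {
		/* build and optionally sign the query message and build the
		 * federation termination notification url */
		url = lasso_provider_get_metadata_one(remote_provider,
				"FederationTerminationServiceURL");
		if (url == NULL) {
			return critical_error(LASSO_PROFILE_ERROR_UNKNOWN_PROFILE_URL);
		}
		/* the whole query string is signed with the server private key */
		query = lasso_node_export_to_query(LASSO_NODE(profile->request),
				profile->server->signature_method,
				profile->server->private_key);
		if (query == NULL) {
			lasso_release(url);
			return critical_error(LASSO_PROFILE_ERROR_BUILDING_QUERY_FAILED);
		}

		lasso_assign_new_string(profile->msg_url, lasso_concat_url_query(url, query));
		lasso_release(profile->msg_body);
		lasso_release(url);
		lasso_release(query);

		return 0;
	}

	return critical_error(LASSO_PROFILE_ERROR_INVALID_HTTP_METHOD);
}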
/**
 * lasso_defederation_destroy:
 * @defederation: a #LassoDefederation
 *
 * Destroys a #LassoDefederation object. Thin wrapper that hands the object,
 * viewed as a #LassoNode, to lasso_node_destroy().
 **/
void
lasso_defederation_destroy(LassoDefederation *defederation)
{
	LassoNode *node = LASSO_NODE(defederation);

	lasso_node_destroy(node);
}
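/**
 * lasso_defederation_init_notification:
 * @defederation: a #LassoDefederation
 * @remote_providerID: the provider id of the federation termination notified
 *     provider; when NULL the first provider id known to the server is used.
 * @http_method: the HTTP method to send the message, or %LASSO_HTTP_METHOD_ANY
 *     to take the first method the remote provider accepts for this profile.
 *
 * Sets a new federation termination notification to the remote provider id
 * with the provider id of the requester (from the server object) and the name
 * identifier of the federated principal.
 *
 * Note that the federation with the remote provider is removed from the
 * identity, and the matching assertion from the session, here at
 * initialisation time, before the notification is actually sent; callers
 * must persist the identity and session afterwards.
 *
 * Return value: 0 on success; or a negative value otherwise.
 **/
gint
lasso_defederation_init_notification(LassoDefederation *defederation, gchar *remote_providerID,
		LassoHttpMethod http_method)
{
	LassoProfile *profile;
	LassoProvider *remote_provider;
	LassoFederation *federation;
	LassoSamlNameIdentifier *nameIdentifier;
	LassoNode *nameIdentifier_n;

	g_return_val_if_fail(LASSO_IS_DEFEDERATION(defederation),
			LASSO_PARAM_ERROR_BAD_TYPE_OR_NULL_OBJ);

	profile = LASSO_PROFILE(defederation);

	/* drop whatever a previous initialisation left on the profile */
	lasso_release(profile->remote_providerID);
	lasso_release_gobject(profile->request);

	if (remote_providerID != NULL) {
		lasso_assign_string(profile->remote_providerID, remote_providerID);
	} else {
		lasso_assign_new_string(profile->remote_providerID,
				lasso_server_get_first_providerID(profile->server));
		if (profile->remote_providerID == NULL) {
			return critical_error(LASSO_SERVER_ERROR_PROVIDER_NOT_FOUND);
		}
	}

	remote_provider = g_hash_table_lookup(
			profile->server->providers, profile->remote_providerID);
	if (LASSO_IS_PROVIDER(remote_provider) == FALSE) {
		return critical_error(LASSO_SERVER_ERROR_PROVIDER_NOT_FOUND);
	}

	/* get federation */
	if (profile->identity == NULL) {
		return critical_error(LASSO_PROFILE_ERROR_IDENTITY_NOT_FOUND);
	}

	federation = g_hash_table_lookup(profile->identity->federations,
			profile->remote_providerID);
	if (federation == NULL) {
		return critical_error(LASSO_PROFILE_ERROR_FEDERATION_NOT_FOUND);
	}

	/* get the nameIdentifier to send the federation termination notification */
	nameIdentifier_n = lasso_profile_get_nameIdentifier(profile);
	if (nameIdentifier_n == NULL) {
		return critical_error(LASSO_PROFILE_ERROR_NAME_IDENTIFIER_NOT_FOUND);
	}
	nameIdentifier = LASSO_SAML_NAME_IDENTIFIER(nameIdentifier_n);

	/* record on the profile which name identifier this notification is
	 * about: the federation's local one when it has one, otherwise the one
	 * lasso_profile_get_nameIdentifier() returned */
	if (federation->local_nameIdentifier) {
		lasso_assign_gobject(profile->nameIdentifier, federation->local_nameIdentifier);
	} else {
		lasso_assign_gobject(profile->nameIdentifier, LASSO_NODE(nameIdentifier));
	}

	/* get / verify http method */
	if (http_method == LASSO_HTTP_METHOD_ANY) {
		http_method = lasso_provider_get_first_http_method(
				LASSO_PROVIDER(profile->server),
				remote_provider,
				LASSO_MD_PROTOCOL_TYPE_FEDERATION_TERMINATION);
	} else {
		if (lasso_provider_accept_http_method(LASSO_PROVIDER(profile->server),
					remote_provider,
					LASSO_MD_PROTOCOL_TYPE_FEDERATION_TERMINATION,
					http_method,
					TRUE) == FALSE) {
			return critical_error(LASSO_PROFILE_ERROR_UNSUPPORTED_PROFILE);
		}
	}

	/* Only SOAP and HTTP-Redirect are implemented below. Any other value
	 * (notably whatever lasso_provider_get_first_http_method() returns when
	 * the two providers share no binding for this profile) used to fall into
	 * the HTTP-Redirect branch and build an unsigned request; reject it. */
	if (http_method != LASSO_HTTP_METHOD_SOAP && http_method != LASSO_HTTP_METHOD_REDIRECT) {
		return critical_error(LASSO_PROFILE_ERROR_UNSUPPORTED_PROFILE);
	}

	/* build the request */
	if (http_method == LASSO_HTTP_METHOD_SOAP) {
		/* the SOAP body carries an XML signature, including the X.509
		 * certificate when the server has one */
		profile->request = lasso_lib_federation_termination_notification_new_full(
				LASSO_PROVIDER(profile->server)->ProviderID,
				nameIdentifier,
				profile->server->certificate ?
					LASSO_SIGNATURE_TYPE_WITHX509 : LASSO_SIGNATURE_TYPE_SIMPLE,
				LASSO_SIGNATURE_METHOD_RSA_SHA1);
		if (profile->request == NULL) {
			/* the request could not be built; nothing usable to send */
			return critical_error(LASSO_PROFILE_ERROR_MISSING_REQUEST);
		}
		if (profile->msg_relayState) {
			message(G_LOG_LEVEL_WARNING,
					"RelayState was defined but can't be used "
					"in SOAP Federation Termination Notification", NULL);
		}
	} else { /* LASSO_HTTP_METHOD_REDIRECT */
		/* no XML signature here: the query string as a whole is signed
		 * later by lasso_defederation_build_notification_msg() */
		profile->request = lasso_lib_federation_termination_notification_new_full(
				LASSO_PROVIDER(profile->server)->ProviderID,
				nameIdentifier,
				LASSO_SIGNATURE_TYPE_NONE,
				0);
		if (profile->request == NULL) {
			return critical_error(LASSO_PROFILE_ERROR_MISSING_REQUEST);
		}
		lasso_assign_string(LASSO_LIB_FEDERATION_TERMINATION_NOTIFICATION(profile->request)->RelayState,
				profile->msg_relayState);
	}

	/* providers below Liberty 1.2 conformance get protocol version 1.1 */
	if (lasso_provider_get_protocol_conformance(remote_provider) < LASSO_PROTOCOL_LIBERTY_1_2) {
		LASSO_SAMLP_REQUEST_ABSTRACT(profile->request)->MajorVersion = 1;
		LASSO_SAMLP_REQUEST_ABSTRACT(profile->request)->MinorVersion = 1;
	}

	/* remove federation with remote provider id (the identity was already
	 * checked for NULL above) */
	lasso_identity_remove_federation(profile->identity, profile->remote_providerID);

	/* remove assertion from session */
	if (profile->session) {
		lasso_session_remove_assertion(profile->session, profile->remote_providerID);
	}

	/* Save notification method */
	profile->http_request_method = http_method;

	return 0;
}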
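/**
 * lasso_defederation_process_notification_msg:
 * @defederation: the federation termination object
 * @request_msg: the federation termination notification message (SOAP body
 *     or HTTP-Redirect query string)
 *
 * Processes a lib:FederationTerminationNotification message. Rebuilds a
 * request object from the message and optionally verifies its signature.
 *
 * Set the msg_nameIdentifier attribute with the NameIdentifier content of the
 * notification object and optionally set the msg_relayState attribute with the
 * RelayState content of the notification object.
 *
 * The request, remote provider id, name identifier and relay state are
 * stored on the profile whether or not the signature verifies; only the
 * return value reports the verification result. A caller must therefore
 * treat a non-zero return as a rejected notification and not go on to
 * lasso_defederation_validate_notification() with that state.
 *
 * Return value: 0 on success; or a negative value otherwise.
 **/
gint
lasso_defederation_process_notification_msg(LassoDefederation *defederation, char *request_msg)
{
	LassoProfile *profile;
	LassoProvider *remote_provider;
	LassoMessageFormat format;
	const char *providerID;

	g_return_val_if_fail(LASSO_IS_DEFEDERATION(defederation),
			LASSO_PARAM_ERROR_BAD_TYPE_OR_NULL_OBJ);
	g_return_val_if_fail(request_msg != NULL, LASSO_PARAM_ERROR_INVALID_VALUE);

	profile = LASSO_PROFILE(defederation);

	lasso_assign_new_gobject(profile->request, lasso_lib_federation_termination_notification_new());
	format = lasso_node_init_from_message(LASSO_NODE(profile->request), request_msg);
	if (format == LASSO_MESSAGE_FORMAT_UNKNOWN || format == LASSO_MESSAGE_FORMAT_ERROR) {
		return critical_error(LASSO_PROFILE_ERROR_INVALID_MSG);
	}

	if (format == LASSO_MESSAGE_FORMAT_QUERY) {
		lasso_assign_new_string(profile->msg_relayState,
				lasso_get_relaystate_from_query(request_msg));
	}

	/* The issuer is taken from the (not yet verified) message and used as
	 * the lookup key into the providers table. A message without ProviderID
	 * is rejected here rather than passed to g_hash_table_lookup() as a NULL
	 * key, which a string-hashed table would dereference. */
	providerID = LASSO_LIB_FEDERATION_TERMINATION_NOTIFICATION(profile->request)->ProviderID;
	if (providerID == NULL) {
		return critical_error(LASSO_PROFILE_ERROR_MISSING_REMOTE_PROVIDERID);
	}
	lasso_assign_string(profile->remote_providerID, providerID);
	remote_provider = g_hash_table_lookup(profile->server->providers,
			profile->remote_providerID);
	if (LASSO_IS_PROVIDER(remote_provider) == FALSE) {
		return critical_error(LASSO_SERVER_ERROR_PROVIDER_NOT_FOUND);
	}

	/* the verification result is kept on the profile and returned below;
	 * processing deliberately continues so the caller can still build a
	 * response for a badly signed message */
	profile->signature_status = lasso_provider_verify_signature(
			remote_provider, request_msg, "RequestID", format);

	/* set the http request method */
	if (format == LASSO_MESSAGE_FORMAT_SOAP)
		profile->http_request_method = LASSO_HTTP_METHOD_SOAP;
	if (format == LASSO_MESSAGE_FORMAT_QUERY)
		profile->http_request_method = LASSO_HTTP_METHOD_REDIRECT;

	lasso_assign_gobject(profile->nameIdentifier, LASSO_NODE(LASSO_LIB_FEDERATION_TERMINATION_NOTIFICATION(
				profile->request)->NameIdentifier));

	/* get the RelayState (only available in redirect mode) */
	if (LASSO_LIB_FEDERATION_TERMINATION_NOTIFICATION(profile->request)->RelayState)
		lasso_assign_string(profile->msg_relayState,
				LASSO_LIB_FEDERATION_TERMINATION_NOTIFICATION(
					profile->request)->RelayState);

	return profile->signature_status;
}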
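/**
 * lasso_defederation_validate_notification:
 * @defederation: a #LassoDefederation
 *
 * Checks notification with regards to message status and principal
 * federations; update them accordingly.
 *
 * The name identifier carried by the notification is checked against the
 * federation stored for the remote provider before anything is removed, so
 * a notification naming an unknown identifier changes neither the identity
 * nor the session. The signature status recorded by
 * lasso_defederation_process_notification_msg() is not consulted here; the
 * caller is expected to have stopped on a non-zero return from that call.
 *
 * Return value: 0 on success; or a negative value otherwise.
 **/
gint
lasso_defederation_validate_notification(LassoDefederation *defederation)
{
	LassoProfile *profile;
	LassoProvider *remote_provider;
	LassoFederation *federation = NULL;
	LassoSamlNameIdentifier *nameIdentifier;

	g_return_val_if_fail(LASSO_IS_DEFEDERATION(defederation),
			LASSO_PARAM_ERROR_BAD_TYPE_OR_NULL_OBJ);

	profile = LASSO_PROFILE(defederation);

	/* verify the federation termination notification */
	if (LASSO_IS_LIB_FEDERATION_TERMINATION_NOTIFICATION(profile->request) == FALSE)
		return LASSO_PROFILE_ERROR_MISSING_REQUEST;

	/* If SOAP notification, then msg_url and msg_body are NULL */
	/* if HTTP-Redirect notification, set msg_url with the federation
	 * termination service return url, and set msg_body to NULL */
	lasso_release(profile->msg_url);
	lasso_release(profile->msg_body);

	if (profile->http_request_method == LASSO_HTTP_METHOD_REDIRECT) {
		remote_provider = g_hash_table_lookup(profile->server->providers,
				profile->remote_providerID);
		if (LASSO_IS_PROVIDER(remote_provider) == FALSE) {
			return critical_error(LASSO_SERVER_ERROR_PROVIDER_NOT_FOUND);
		}

		/* build the QUERY and the url. Dont need to sign the query,
		 * only the relay state is optionally added and it is crypted
		 * by the notifier */
		profile->msg_url = lasso_provider_get_metadata_one(remote_provider,
				"FederationTerminationServiceReturnURL");
		if (profile->msg_url == NULL) {
			return critical_error(LASSO_PROFILE_ERROR_UNKNOWN_PROFILE_URL);
		}

		/* if a relay state, then build the query part */
		if (profile->msg_relayState) {
			gchar *url;
			gchar *escaped;
			gchar *query;

			/* msg_relayState was taken verbatim from the incoming query
			 * string by lasso_defederation_process_notification_msg() and
			 * is re-emitted into a URL handed to the user agent. It is
			 * percent-encoded here (GLib >= 2.16) so that a value holding
			 * '&', '#' or '%' cannot add or alter parameters of the return
			 * URL. This assumes lasso_get_relaystate_from_query() returns
			 * the decoded value - TODO confirm; if it returned the raw
			 * encoded form this would double-encode. */
			escaped = g_uri_escape_string(profile->msg_relayState, NULL, FALSE);
			query = g_strdup_printf("RelayState=%s", escaped);
			g_free(escaped);
			url = lasso_concat_url_query(profile->msg_url, query);
			g_free(query);
			lasso_assign_new_string(profile->msg_url, url);
		}
	}

	/* get the name identifier */
	nameIdentifier = LASSO_LIB_FEDERATION_TERMINATION_NOTIFICATION(
			profile->request)->NameIdentifier;
	if (nameIdentifier == NULL) {
		return critical_error(LASSO_DEFEDERATION_ERROR_MISSING_NAME_IDENTIFIER);
	}

	/* Verify federation */
	if (profile->identity == NULL) {
		return critical_error(LASSO_PROFILE_ERROR_IDENTITY_NOT_FOUND);
	}

	federation = g_hash_table_lookup(profile->identity->federations,
			profile->remote_providerID);
	if (federation == NULL) {
		return critical_error(LASSO_PROFILE_ERROR_FEDERATION_NOT_FOUND);
	}

	/* the notification must name the identifier of the stored federation;
	 * otherwise nothing is removed */
	if (lasso_federation_verify_name_identifier(federation,
				LASSO_NODE(nameIdentifier)) == FALSE) {
		return critical_error(LASSO_PROFILE_ERROR_NAME_IDENTIFIER_NOT_FOUND);
	}

	/* remove federation of the remote provider */
	lasso_identity_remove_federation(profile->identity, profile->remote_providerID);

	/* if defederation has a session and if there is an assertion for remote provider id,
	   then remove assertion too */
	if (profile->session != NULL) {
		lasso_session_remove_assertion(profile->session, profile->remote_providerID);
	}

	return 0;
}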
/*****************************************************************************/
/* instance and class init functions */
/*****************************************************************************/

/*
 * Registers (once) and returns the GType for LassoDefederation, a subclass
 * of LassoProfile that adds no class or instance initialisers of its own.
 */
GType
lasso_defederation_get_type()
{
	static GType defederation_type = 0;

	if (defederation_type == 0) {
		static const GTypeInfo type_info = {
			sizeof(LassoDefederationClass),
			NULL, /* base_init */
			NULL, /* base_finalize */
			NULL, /* class_init */
			NULL, /* class_finalize */
			NULL, /* class_data */
			sizeof(LassoDefederation),
			0,    /* n_preallocs */
			NULL, /* instance_init */
			NULL  /* value_table */
		};

		defederation_type = g_type_register_static(LASSO_TYPE_PROFILE,
				"LassoDefederation", &type_info, 0);
	}

	return defederation_type;
}
/**
 * lasso_defederation_new:
 * @server: the #LassoServer
 *
 * Creates a new #LassoDefederation bound to @server; the underlying profile
 * takes its own reference on the server.
 *
 * Return value: a newly created #LassoDefederation object; or NULL if an error
 *      occured
 **/
LassoDefederation*
lasso_defederation_new(LassoServer *server)
{
	LassoDefederation *self;
	LassoProfile *profile;

	g_return_val_if_fail(LASSO_IS_SERVER(server), NULL);

	self = g_object_new(LASSO_TYPE_DEFEDERATION, NULL);
	profile = LASSO_PROFILE(self);
	profile->server = g_object_ref(server);

	return self;
}