From ad056adf3699d7162858ccae0faaacfc5ac24882 Mon Sep 17 00:00:00 2001 From: Frederic Peters Date: Tue, 14 Dec 2004 19:20:20 +0000 Subject: [PATCH] API change in Single Sign On profile (IdP side) to allow the developer to mess with Outlined in http://lists.labs.libre-entreprise.org/pipermail/lasso-devel/2004-December/001119.html --- docs/lasso-book/single-sign-on.process | 38 ++--- lasso/id-ff/lecp.c | 14 +- lasso/id-ff/lecp.h | 9 +- lasso/id-ff/login.c | 199 +++++++++---------------- lasso/id-ff/login.h | 28 ++-- lasso/xml/errors.h | 9 +- swig/Lasso.i | 43 ++++-- tests/login_tests.c | 11 +- 8 files changed, 138 insertions(+), 213 deletions(-) diff --git a/docs/lasso-book/single-sign-on.process b/docs/lasso-book/single-sign-on.process index d04ff539..1678c0f6 100644 --- a/docs/lasso-book/single-sign-on.process +++ b/docs/lasso-book/single-sign-on.process 
@@ -89,37 +89,17 @@ Single Sign-On and Federation # unserialize with lasso_login_new_from_dump(dump) consentObtained = TRUE # or FALSE if user didn't give its consent - authenticationMethod = LASSO_SAML_AUTHENTICATION_METHOD_PASSWORD - # or LASSO_SAML_AUTHENTICATION_METHOD_SOFTWARE_PKI or others - # (see ...) - # this is how the user has been authenticated + IF lasso_login_validate_request_msg(login, userAuthenticated, consentObtained) == 0: + # build and fill assertion + lasso_login_build_assertion(login, authenticationMethod, + authenticationInstant, reauthenticationTime + assertionIsNotBefore, assertionIsNotOnOrAfter) + # any other change to the assertion can take place here - authenticationInstant = "2004-03-01T00:00:00Z" - # this is when the authentication occured; when NULL Lasso will put current time - - assertionIsNotBefore = "2004-03-01T00:00:00Z" - # this is when assertion starts to be valid; NULL when not used - - assertionIsNotOnOrAfter = "2004-04-01T00:00:00Z" - # this is when assertion stops to be valid; NULL when not used - - reauthenticationTime = "2004-04-01T00:00:00Z" - # this is when the user will have to be reauthenticated; NULL when not used - - IF login->protocolProfile IS lassoLoginProtocolProfileBrwsArt - lasso_login_build_artifact_msg(login, userAuthenticated, - consentObtained, - authenticationMethod, - authenticationInstant, reauthenticationTime, - assertionIsNotBefore, assertionIsNotOnOrAfter, - lassoHttpMethodRedirect) + IF login->protocolProfile IS LASSO_LOGIN_PROTOCOL_PROFILE_BRWS_ART + lasso_login_build_artifact_msg(login, LASSO_HTTP_METHOD_REDIRECT) ELSE # IF login->protocolProfile IS lassoLoginProtocolProfileBrwsPost - lasso_login_build_authn_response_msg(login, userAuthenticated, - consentObtained, - authenticationMethod, - authenticationInstant, reauthenticationTime, - assertionIsNotBefore, assertionIsNotOnOrAfter, - reauthenticationTime) + lasso_login_build_authn_response_msg(login) # map LASSO_PROFILE(login)->nameIdentifier to 
user and session # (write this down in a database) diff --git a/lasso/id-ff/lecp.c b/lasso/id-ff/lecp.c index 3879a59b..714e19bb 100644 --- a/lasso/id-ff/lecp.c +++ b/lasso/id-ff/lecp.c @@ -127,14 +127,7 @@ lasso_lecp_build_authn_response_msg(LassoLecp *lecp) } gint -lasso_lecp_build_authn_response_envelope_msg(LassoLecp *lecp, - gint authentication_result, - gboolean is_consent_obtained, - const char *authenticationMethod, - const char *authenticationInstant, - const char *reauthenticateOnOrAfter, - const char *notBefore, - const char *notOnOrAfter) +lasso_lecp_build_authn_response_envelope_msg(LassoLecp *lecp) { LassoProfile *profile; LassoProvider *provider; @@ -156,10 +149,7 @@ lasso_lecp_build_authn_response_envelope_msg(LassoLecp *lecp, } /* build lib:AuthnResponse */ - lasso_login_build_authn_response_msg(LASSO_LOGIN(lecp), - authentication_result, is_consent_obtained, - authenticationMethod, authenticationInstant, reauthenticateOnOrAfter, - notBefore, notOnOrAfter); + lasso_login_build_authn_response_msg(LASSO_LOGIN(lecp)); assertionConsumerServiceURL = lasso_provider_get_metadata_one( provider, "AssertionConsumerServiceURL"); diff --git a/lasso/id-ff/lecp.h b/lasso/id-ff/lecp.h index 3aa78b13..9cb480d1 100644 --- a/lasso/id-ff/lecp.h +++ b/lasso/id-ff/lecp.h @@ -70,14 +70,7 @@ LASSO_EXPORT int lasso_lecp_build_authn_request_msg(LassoLecp *lecp); LASSO_EXPORT int lasso_lecp_build_authn_response_msg(LassoLecp *lecp); -LASSO_EXPORT int lasso_lecp_build_authn_response_envelope_msg(LassoLecp *lecp, - int authentication_result, - gboolean is_consent_obtained, - const char *authenticationMethod, - const char *authenticationInstant, - const char *reauthenticateOnOrAfter, - const char *notBefore, - const char *notOnOrAfter); +LASSO_EXPORT int lasso_lecp_build_authn_response_envelope_msg(LassoLecp *lecp); LASSO_EXPORT void lasso_lecp_destroy(LassoLecp *lecp); diff --git a/lasso/id-ff/login.c b/lasso/id-ff/login.c index c55a62fc..82b3ebd1 100644 
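Review bot: The return value of the new `lasso_login_build_authn_response_msg(LASSO_LOGIN(lecp));` call is still discarded, so a failure inside it (its own doc header says it returns a negative value on error) may let the envelope be built around an incomplete response. Capture and propagate it, `rc = lasso_login_build_authn_response_msg(LASSO_LOGIN(lecp)); if (rc != 0) return rc;`, using whatever status variable the function already has — its declarations are outside the hunk. The unchecked-return pattern pre-dates this commit, but narrowing the signature is the natural moment to fix it. lasso_lecp_build_authn_response_envelope_msg starts and ends outside the hunk.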
--- a/lasso/id-ff/login.c +++ b/lasso/id-ff/login.c @@ -44,7 +44,6 @@ struct _LassoLoginPrivate /** * lasso_login_build_assertion: * @login: a Login - * @federation: a federation or NULL * @authenticationMethod: the authentication method. * @authenticationInstant: the time at which the authentication took place or NULL. * @reauthenticateOnOrAfter: the time at, or after which the service provider @@ -61,9 +60,8 @@ struct _LassoLoginPrivate * * Return value: 0 on success or a negative value otherwise. **/ -static gint +int lasso_login_build_assertion(LassoLogin *login, - LassoFederation *federation, const char *authenticationMethod, const char *authenticationInstant, const char *reauthenticateOnOrAfter, @@ -74,12 +72,15 @@ lasso_login_build_assertion(LassoLogin *login, LassoLibAuthenticationStatement *as; LassoSamlNameIdentifier *nameIdentifier; LassoProfile *profile; - gint ret = 0; + LassoFederation *federation; g_return_val_if_fail(LASSO_IS_LOGIN(login), LASSO_PARAM_ERROR_BAD_TYPE_OR_NULL_OBJ); /* federation MAY be NULL */ profile = LASSO_PROFILE(login); + + federation = g_hash_table_lookup(profile->identity->federations, + profile->remote_providerID); /* get RequestID to build Assertion 
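Review bot: lasso_login_build_assertion is now exported and looks up the federation through `profile->identity->federations` at the top of its body, but nothing in the function checks `profile->identity` or `profile->signature_status` first; previously that lookup only ran inside a `signature_status == 0 && authentication_result == TRUE` branch of the callers (see the blocks removed from the build_artifact_msg and build_authn_response_msg hunks). A caller that skips, or ignores the result of, lasso_login_validate_request_msg can therefore dereference a NULL identity or mint an assertion for a request whose signature did not verify. Suggest guarding before the lookup: `if (profile->signature_status != 0) return LASSO_LOGIN_ERROR_INVALID_SIGNATURE;` and `if (profile->identity == NULL) return /* appropriate LASSO_*_ERROR placeholder */;`. The doc header in the hunk above should also state that this function must be called after lasso_login_validate_request_msg returned 0 and before lasso_login_build_artifact_msg / lasso_login_build_authn_response_msg, and the stale `/* federation MAY be NULL */` comment now sits above a lookup whose result is dereferenced further down (`federation->local_nameIdentifier` in the next hunk), so it should say under which condition NULL is actually tolerated. The function body continues past the hunk.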
@@ -111,21 +112,18 @@ lasso_login_build_assertion(LassoLogin *login, federation->local_nameIdentifier); } - if (as == NULL) { - return -1; - } - LASSO_SAML_ASSERTION(assertion)->AuthenticationStatement = LASSO_SAML_AUTHENTICATION_STATEMENT(as); /* FIXME : How to know if the assertion must be signed or unsigned ? */ - /* signature should be added at end */ +#if 0 + /* signature should be added at end (i.e. move this to + * build_response_msg and build_authn_response_msg) */ ret = lasso_saml_assertion_set_signature(LASSO_SAML_ASSERTION(assertion), profile->server->signature_method, profile->server->private_key, profile->server->certificate); - if (ret) - return ret; +#endif if (login->protocolProfile == LASSO_LOGIN_PROTOCOL_PROFILE_BRWS_POST) { /* only add assertion if response is an AuthnResponse */ @@ -136,6 +134,7 @@ lasso_login_build_assertion(LassoLogin *login, if (profile->session == NULL) { profile->session = lasso_session_new(); } + login->assertion = LASSO_SAML_ASSERTION(assertion); lasso_session_add_assertion(profile->session, profile->remote_providerID, LASSO_SAML_ASSERTION(assertion)); return 0; 
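Review bot: Dropping `if (as == NULL) return -1;` means a NULL authentication statement is now cast and assigned to `AuthenticationStatement` without any error, and the `#if 0` block disables assertion signing with no replacement in this commit — the comment says the signature should move to build_response_msg / build_authn_response_msg, but neither of those hunks adds it (the response-level `sign_type` seen as context in a later hunk is not a signature over the assertion), so assertions go out unsigned until that follow-up lands. Keep the NULL check (`if (as == NULL) return -1;`) and replace the `#if 0` with a visible `/* TODO: sign the assertion in build_*_msg; it is emitted unsigned until then */` so the gap is obvious to readers rather than hidden in dead code. Note also that `ret` was removed from the declarations in the previous hunk while the disabled block still assigns it, so re-enabling the block as-is will not compile.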
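Review bot: `login->assertion = LASSO_SAML_ASSERTION(assertion);` stores the same object that the next line hands to `lasso_session_add_assertion`, and the new `Assertion` snippet in the schema table serializes it in the login dump as well. If the session takes ownership (or the dump machinery frees it) without a reference being taken here, `login->assertion` is left dangling once the session goes away; I cannot tell from the hunk whether lasso_session_add_assertion refs the node. Either `g_object_ref` it before storing, or document next to the new `LassoSamlAssertion *assertion;` field in login.h that it is a borrowed pointer valid only while the session holds the assertion.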
@@ -436,41 +435,17 @@ lasso_login_accept_sso(LassoLogin *login) /** * lasso_login_build_artifact_msg: * @login: a LassoLogin - * @authentication_result: whether the principal is authenticated. - * @is_consent_obtained: whether the principal consents to be federated. - * @authenticationMethod: the authentication method - * @authenticationInstant: the time at which the authentication took place - * @reauthenticateOnOrAfter: the time at, or after which the service provider - * reauthenticates the Principal with the identity provider or NULL - * @notBefore: the earliest time instant at which the assertion is valid - * @notOnOrAfter: the time instant at which the assertion has expired - * * @http_method: the HTTP method to send the artifact (REDIRECT or POST) * * Builds an artifact. Depending of the HTTP method, the data for the sending of * the artifact are stored in msg_url (REDIRECT) or msg_url, msg_body and * msg_relayState (POST). * - * @authenticationMethod, @authenticationInstant, @reauthenticateOnOrAfter, - * @notBefore, @notOnOrAfter should be NULL if @authentication_result is FALSE. - * If @authenticationInstant is NULL, the current time will be set. - * - * Time values must be encoded in UTC. - * * Return value: 0 on success and a negative value otherwise. **/ gint -lasso_login_build_artifact_msg(LassoLogin *login, - gboolean authentication_result, - gboolean is_consent_obtained, - const char *authenticationMethod, - const char *authenticationInstant, - const char *reauthenticateOnOrAfter, - const char *notBefore, - const char *notOnOrAfter, - lassoHttpMethod http_method) +lasso_login_build_artifact_msg(LassoLogin *login, lassoHttpMethod http_method) { - LassoFederation *federation = NULL; LassoProvider *remote_provider; gchar *url; xmlSecByte samlArt[42], *b64_samlArt, *relayState; 
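Review bot: The rewritten doc header no longer tells the caller that request validation and assertion building now happen elsewhere: lasso_login_build_artifact_msg only works as intended if lasso_login_validate_request_msg and lasso_login_build_assertion have been called first, which the old parameter list enforced by construction. Add after the "Builds an artifact" paragraph something like ` * lasso_login_validate_request_msg() must have been called before; when it returned 0, lasso_login_build_assertion() must have been called as well so the assertion is available.` The same sentence is missing from the lasso_login_build_authn_response_msg header in a later hunk, and the deleted "Time values must be encoded in UTC" note should move to the lasso_login_build_assertion header, which now owns those parameters.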
@@ -488,23 +463,6 @@ lasso_login_build_artifact_msg(LassoLogin *login, return critical_error(LASSO_PROFILE_ERROR_INVALID_PROTOCOLPROFILE); } - /* process federation and build assertion only if signature is OK */ - if (LASSO_PROFILE(login)->signature_status == 0 && authentication_result == TRUE) { - ret = lasso_login_process_federation(login, is_consent_obtained); - if (ret < 0) - return ret; - - /* fill the response with the assertion */ - if (ret == 0) { - federation = g_hash_table_lookup( - LASSO_PROFILE(login)->identity->federations, - LASSO_PROFILE(login)->remote_providerID); - lasso_login_build_assertion(login, federation, authenticationMethod, - authenticationInstant, reauthenticateOnOrAfter, - notBefore, notOnOrAfter); - } - } - if (LASSO_PROFILE(login)->remote_providerID == NULL) return -1; 
@@ -655,40 +613,17 @@ lasso_login_build_authn_request_msg(LassoLogin *login) /** * lasso_login_build_authn_response_msg: * @login: a LassoLogin - * @authentication_result: whether the principal is authenticated - * @is_consent_obtained: whether the principal consents to be federated - * @authenticationMethod: the method used to authenticate the principal - * @authenticationInstant: the time at which the authentication took place - * @reauthenticateOnOrAfter: the time at, or after which the service provider - * reauthenticates the Principal with the identity provider - * @notBefore: the earliest time instant at which the assertion is valid - * @notOnOrAfter: the time instant at which the assertion has expired * * Builds an authentication response. The data for the sending of the response * are stored in msg_url and msg_body. * - * @authenticationMethod, @authenticationInstant, @reauthenticateOnOrAfter, - * @notBefore, @notOnOrAfter should be NULL if @authentication_result is FALSE. - * If @authenticationInstant is NULL, the current time will be set. - * - * Time values must be encoded in UTC. - * * Return value: 0 on success and a negative value otherwise. **/ gint -lasso_login_build_authn_response_msg(LassoLogin *login, - gboolean authentication_result, - gboolean is_consent_obtained, - const char *authenticationMethod, - const char *authenticationInstant, - const char *reauthenticateOnOrAfter, - const char *notBefore, - const char *notOnOrAfter) +lasso_login_build_authn_response_msg(LassoLogin *login) { - LassoProfile *profile; LassoProvider *remote_provider; - LassoFederation *federation; - gint ret = 0; + LassoProfile *profile; g_return_val_if_fail(LASSO_IS_LOGIN(login), LASSO_PARAM_ERROR_BAD_TYPE_OR_NULL_OBJ); 
@@ -699,55 +634,6 @@ lasso_login_build_authn_response_msg(LassoLogin *login, return critical_error(LASSO_PROFILE_ERROR_INVALID_PROTOCOLPROFILE); } - /* create LibAuthnResponse */ - profile->response = lasso_lib_authn_response_new( - LASSO_PROVIDER(profile->server)->ProviderID, - LASSO_LIB_AUTHN_REQUEST(profile->request)); - - /* modify AuthnResponse StatusCode if user authentication is not OK */ - if (authentication_result == FALSE) { - lasso_profile_set_response_status(profile, - LASSO_SAML_STATUS_CODE_REQUEST_DENIED); - } - - /* if signature is not OK => modify AuthnResponse StatusCode */ - if (profile->signature_status == LASSO_DS_ERROR_INVALID_SIGNATURE) { - lasso_profile_set_response_status(profile, - LASSO_LIB_STATUS_CODE_INVALID_SIGNATURE); - } - - if (profile->signature_status == LASSO_DS_ERROR_SIGNATURE_NOT_FOUND) { - /* Unsigned AuthnRequest */ - lasso_profile_set_response_status(profile, - LASSO_LIB_STATUS_CODE_UNSIGNED_AUTHN_REQUEST); - } - - if (profile->signature_status == 0 && authentication_result == TRUE) { - /* process federation */ - ret = lasso_login_process_federation(login, is_consent_obtained); - if (ret < 0) - return ret; - - /* fill the response with the assertion */ - if (ret == 0) { - federation = g_hash_table_lookup( - profile->identity->federations, - profile->remote_providerID); - lasso_login_build_assertion(login, federation, - authenticationMethod, authenticationInstant, - reauthenticateOnOrAfter, - notBefore, notOnOrAfter); - } - } - - if (LASSO_SAMLP_RESPONSE(profile->response)->Status == NULL) { - lasso_profile_set_response_status(profile, - LASSO_SAML_STATUS_CODE_SUCCESS); - } - - remote_provider = g_hash_table_lookup(profile->server->providers, - profile->remote_providerID); - /* XXX: not sure this was signed in Lasso 0.5.0 */ LASSO_SAMLP_RESPONSE_ABSTRACT(profile->response)->sign_type = LASSO_SIGNATURE_TYPE_WITHX509; LASSO_SAMLP_RESPONSE_ABSTRACT(profile->response)->sign_method = 
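Review bot: With the creation of `profile->response` moved into lasso_login_validate_request_msg, the code right after this hunk (`LASSO_SAMLP_RESPONSE_ABSTRACT(profile->response)->sign_type = ...`) dereferences a response that this function no longer guarantees exists; a caller that skips validate_request_msg hits a NULL dereference where the old code would have built the response itself. Add a guard before the remaining body, e.g. `if (profile->response == NULL) return critical_error(/* LASSO_*_ERROR placeholder */);`. The same applies to lasso_login_build_artifact_msg if it reads `profile->response` outside the hunks shown. lasso_login_build_authn_response_msg starts before and ends after the hunk.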
@@ -756,10 +642,13 @@ lasso_login_build_authn_response_msg(LassoLogin *login, /* build an lib:AuthnResponse base64 encoded */ profile->msg_body = lasso_node_export_to_base64(profile->response, profile->server->private_key, profile->server->certificate); + + remote_provider = g_hash_table_lookup(LASSO_PROFILE(login)->server->providers, + LASSO_PROFILE(login)->remote_providerID); profile->msg_url = lasso_provider_get_metadata_one( remote_provider, "AssertionConsumerServiceURL"); - return ret; + return 0; } /** @@ -1272,6 +1161,7 @@ lasso_login_process_response_msg(LassoLogin *login, gchar *response_msg) static struct XmlSnippet schema_snippets[] = { { "AssertionArtifact", SNIPPET_CONTENT, G_STRUCT_OFFSET(LassoLogin, assertionArtifact) }, { "NameIDPolicy", SNIPPET_CONTENT, G_STRUCT_OFFSET(LassoLogin, nameIDPolicy) }, + { "Assertion", SNIPPET_NODE_IN_CHILD, G_STRUCT_OFFSET(LassoLogin, assertion) }, { NULL, 0, 0} }; 
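Review bot: The re-added lookup spells `LASSO_PROFILE(login)->server->providers` and `LASSO_PROFILE(login)->remote_providerID` although the function already has `profile` in scope and uses it on the surrounding lines; write it as `remote_provider = g_hash_table_lookup(profile->server->providers, profile->remote_providerID);`. Its result is also passed straight to `lasso_provider_get_metadata_one` without a NULL check, which pre-dates this commit but is now trivial to fix since the lookup sits right next to its use here: `if (remote_provider == NULL) return /* LASSO_*_ERROR placeholder */;`.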
@@ -1434,3 +1324,56 @@ lasso_login_dump(LassoLogin *login)
 return lasso_node_dump(LASSO_NODE(login), NULL, 1);
 }
+
+int
+lasso_login_validate_request_msg(LassoLogin *login, gboolean authentication_result,
+ gboolean is_consent_obtained)
+{
+ LassoProfile *profile;
+ gint ret = 0;
+
+ g_return_val_if_fail(LASSO_IS_LOGIN(login), LASSO_PARAM_ERROR_BAD_TYPE_OR_NULL_OBJ);
+
+ profile = LASSO_PROFILE(login);
+
+ /* create LibAuthnResponse */
+ profile->response = lasso_lib_authn_response_new(
+ LASSO_PROVIDER(profile->server)->ProviderID,
+ LASSO_LIB_AUTHN_REQUEST(profile->request));
+
+ /* modify AuthnResponse StatusCode if user authentication is not OK */
+ if (authentication_result == FALSE) {
+ lasso_profile_set_response_status(profile,
+ LASSO_SAML_STATUS_CODE_REQUEST_DENIED);
+ return LASSO_LOGIN_ERROR_REQUEST_DENIED;
+ }
+
+ /* if signature is not OK => modify AuthnResponse StatusCode */
+ if (profile->signature_status == LASSO_DS_ERROR_INVALID_SIGNATURE) {
+ lasso_profile_set_response_status(profile,
+ LASSO_LIB_STATUS_CODE_INVALID_SIGNATURE);
+ return LASSO_LOGIN_ERROR_INVALID_SIGNATURE;
+ }
+
+ if (profile->signature_status == LASSO_DS_ERROR_SIGNATURE_NOT_FOUND) {
+ /* Unsigned AuthnRequest */
+ lasso_profile_set_response_status(profile,
+ LASSO_LIB_STATUS_CODE_UNSIGNED_AUTHN_REQUEST);
+ return LASSO_LOGIN_ERROR_UNSIGNED_AUTHN_REQUEST;
+ }
+
+ if (profile->signature_status == 0 && authentication_result == TRUE) {
+ /* process federation */
+ ret = lasso_login_process_federation(login, is_consent_obtained);
+ if (ret < 0)
+ return ret;
+
+ /* XXX: what should be done if ret was > 0 ? I would return
+ * that code */
+ }
+
+ lasso_profile_set_response_status(profile, LASSO_SAML_STATUS_CODE_SUCCESS);
+
+ return ret;
+}
+
diff --git a/lasso/id-ff/login.h b/lasso/id-ff/login.h
index 3cab7cee..da2f988a 100644
--- a/lasso/id-ff/login.h
+++ b/lasso/id-ff/login.h
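Review bot: The Success status is now set unconditionally, whereas the code removed from lasso_login_build_authn_response_msg only did so `if (LASSO_SAMLP_RESPONSE(profile->response)->Status == NULL)`; if lasso_login_process_federation sets its own status and returns a positive value (the `XXX` comment admits that case is unhandled), this function now overwrites it with Success while still returning a non-zero code. Restore the guard, `if (LASSO_SAMLP_RESPONSE(profile->response)->Status == NULL) lasso_profile_set_response_status(profile, LASSO_SAML_STATUS_CODE_SUCCESS);`, and settle the `ret > 0` question — either return it as an error without marking Success, or map it to a status code. The `authentication_result == FALSE` check also precedes the signature checks, so an unsigned or badly signed request from an unauthenticated user is reported as RequestDenied rather than as the signature problem; if that ordering is intended it deserves a comment. Finally the function lacks the gtk-doc header the other exported functions in these hunks carry; it should describe the three failure codes it returns (positive, unlike most LASSO_*_ERROR values), that it creates `profile->response` as a side effect, and that callers proceed to lasso_login_build_assertion only when it returned 0.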
@@ -61,6 +61,7 @@ struct _LassoLogin { lassoLoginProtocolProfile protocolProfile; gchar *assertionArtifact; + LassoSamlAssertion *assertion; /*< private >*/ gchar *nameIDPolicy; @@ -78,26 +79,11 @@ LASSO_EXPORT LassoLogin* lasso_login_new(LassoServer *server); LASSO_EXPORT LassoLogin* lasso_login_new_from_dump(LassoServer *server, const gchar *dump); LASSO_EXPORT gint lasso_login_accept_sso(LassoLogin *login); -LASSO_EXPORT gint lasso_login_build_artifact_msg(LassoLogin *login, - gboolean authentication_result, - gboolean is_consent_obtained, - const char *authenticationMethod, - const char *authenticationInstant, - const char *reauthenticateOnOrAfter, - const char *notBefore, - const char *notOnOrAfter, - lassoHttpMethod http_method); +LASSO_EXPORT gint lasso_login_build_artifact_msg(LassoLogin *login, lassoHttpMethod http_method); LASSO_EXPORT gint lasso_login_build_authn_request_msg(LassoLogin *login); -LASSO_EXPORT gint lasso_login_build_authn_response_msg(LassoLogin *login, - gboolean authentication_result, - gboolean is_consent_obtained, - const char *authenticationMethod, - const char *authenticationInstant, - const char *reauthenticateOnOrAfter, - const char *notBefore, - const char *notOnOrAfter); +LASSO_EXPORT gint lasso_login_build_authn_response_msg(LassoLogin *login); LASSO_EXPORT gint lasso_login_build_request_msg(LassoLogin *login); LASSO_EXPORT gint lasso_login_build_response_msg(LassoLogin *login, gchar *remote_providerID); 
@@ -124,6 +110,14 @@ LASSO_EXPORT gint lasso_login_process_authn_response_msg(LassoLogin *login, LASSO_EXPORT gint lasso_login_process_request_msg(LassoLogin *login, gchar *request_msg); LASSO_EXPORT gint lasso_login_process_response_msg(LassoLogin *login, gchar *response_msg); +LASSO_EXPORT int lasso_login_validate_request_msg(LassoLogin *login, + gboolean authentication_result, gboolean is_consent_obtained); + +LASSO_EXPORT int lasso_login_build_assertion(LassoLogin *login, + const char *authenticationMethod, const char *authenticationInstant, + const char *reauthenticateOnOrAfter, + const char *notBefore, const char *notOnOrAfter); + #ifdef __cplusplus } #endif /* __cplusplus */ diff --git a/lasso/xml/errors.h b/lasso/xml/errors.h index 022a35a2..821c5d79 100644 --- a/lasso/xml/errors.h +++ b/lasso/xml/errors.h @@ -72,9 +72,12 @@ #define LASSO_PARAM_ERROR_CHECK_FAILED -503 /* login */ -#define LASSO_LOGIN_ERROR_FEDERATION_NOT_FOUND 601 -#define LASSO_LOGIN_ERROR_CONSENT_NOT_OBTAINED 602 -#define LASSO_LOGIN_ERROR_INVALID_NAMEIDPOLICY -603 +#define LASSO_LOGIN_ERROR_FEDERATION_NOT_FOUND 601 +#define LASSO_LOGIN_ERROR_CONSENT_NOT_OBTAINED 602 +#define LASSO_LOGIN_ERROR_INVALID_NAMEIDPOLICY -603 +#define LASSO_LOGIN_ERROR_REQUEST_DENIED 604 +#define LASSO_LOGIN_ERROR_INVALID_SIGNATURE 605 +#define LASSO_LOGIN_ERROR_UNSIGNED_AUTHN_REQUEST 606 /* others */ #define LASSO_ERROR_UNDEFINED -999 diff --git a/swig/Lasso.i b/swig/Lasso.i index 2fef36f1..f346bbbe 100644 --- a/swig/Lasso.i +++ b/swig/Lasso.i 
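Review bot: The two new prototypes are declared `int` while every neighbouring lasso_login_* prototype in the hunk uses `gint`; use `LASSO_EXPORT gint lasso_login_validate_request_msg(...)` and `LASSO_EXPORT gint lasso_login_build_assertion(...)` (and the same in login.c) so the header reads uniformly. The `LassoSamlAssertion *assertion;` member added to the public part of the struct in the earlier login.h hunk also carries no comment on who owns it, which matters because the same pointer is handed to the session.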
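Review bot: LASSO_LOGIN_ERROR_REQUEST_DENIED, _INVALID_SIGNATURE and _UNSIGNED_AUTHN_REQUEST are defined as positive 604–606 while the adjacent LASSO_LOGIN_ERROR_INVALID_NAMEIDPOLICY is -603 and the login.c doc headers promise "a negative value" on failure; a caller that tests `rc < 0`, as that documentation invites, will treat a denied, unsigned or badly signed request as success and go on to build an assertion for it. Either make the three new codes negative (`#define LASSO_LOGIN_ERROR_REQUEST_DENIED -604` and so on) or add a comment in errors.h stating that positive login codes are non-fatal outcomes callers must test with `!= 0`, and say the same in the lasso_login_validate_request_msg documentation. The test in tests/login_tests.c does not check the validate result at all, so it would not catch either reading.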
@@ -1620,10 +1620,13 @@ typedef struct { END_THROW_ERROR THROW_ERROR - void buildArtifactMsg(gboolean authenticationResult, gboolean isConsentObtained, - char *authenticationMethod, char *authenticationInstant, - char *reauthenticateOnOrAfter, char *notBefore, - char *notOnOrAfter, lassoHttpMethod httpMethod); + void buildArtifactMsg(lassoHttpMethod httpMethod); + END_THROW_ERROR + + THROW_ERROR + int buildAssertion(char *authenticationMethod, char *authenticationInstant, + char *reauthenticateOnOrAfter, + char *notBefore, char *notOnOrAfter); END_THROW_ERROR THROW_ERROR @@ -1631,10 +1634,7 @@ typedef struct { END_THROW_ERROR THROW_ERROR - void buildAuthnResponseMsg(gint authenticationResult, gboolean isConsentObtained, - char *authenticationMethod, char *authenticationInstant, - char *reauthenticateOnOrAfter, char *notBefore, - char *notOnOrAfter); + void buildAuthnResponseMsg(); END_THROW_ERROR THROW_ERROR @@ -1681,6 +1681,11 @@ typedef struct { THROW_ERROR void processResponseMsg(gchar *responseMsg); END_THROW_ERROR + + THROW_ERROR + int validateRequestMsg(gboolean authenticationResult, gboolean isConsentObtained); + END_THROW_ERROR + } } LassoLogin; @@ -1825,6 +1830,7 @@ gint LassoLogin_setSessionFromDump(LassoLogin *self, gchar *dump) { /* Methods implementations */ #define LassoLogin_acceptSso lasso_login_accept_sso +#define LassoLogin_buildAssertion lasso_login_build_assertion #define LassoLogin_buildArtifactMsg lasso_login_build_artifact_msg #define LassoLogin_buildAuthnRequestMsg lasso_login_build_authn_request_msg #define LassoLogin_buildAuthnResponseMsg lasso_login_build_authn_response_msg 
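Review bot: `buildAssertion` and `validateRequestMsg` are declared `int` inside THROW_ERROR blocks whereas the other wrapped methods in this typedef (`buildArtifactMsg`, `buildAuthnResponseMsg`) are `void`; if the THROW_ERROR wrapper already turns a non-zero C return into a language exception (inferred from the sibling declarations, not visible here), positive codes such as LASSO_LOGIN_ERROR_REQUEST_DENIED would be raised as errors even though the process document treats them as an ordinary outcome to branch on. Decide which behaviour is wanted and make the declarations consistent; if the raw code is meant to be returned, add a comment above `int validateRequestMsg(...)` saying so, and keep the LassoLecp copy in the later hunk in step. `void buildAuthnResponseMsg();` should probably be `(void)` if the file's other zero-argument methods use that form.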
@@ -1840,6 +1846,7 @@ gint LassoLogin_setSessionFromDump(LassoLogin *self, gchar *dump) { #define LassoLogin_processAuthnResponseMsg lasso_login_process_authn_response_msg #define LassoLogin_processRequestMsg lasso_login_process_request_msg #define LassoLogin_processResponseMsg lasso_login_process_response_msg +#define LassoLogin_validateRequestMsg lasso_login_validate_request_msg %} @@ -2147,6 +2154,18 @@ typedef struct { void setSessionFromDump(gchar *dump); END_THROW_ERROR + /* Methods inherited from LassoLogin */ + + THROW_ERROR + int buildAssertion(char *authenticationMethod, char *authenticationInstant, + char *reauthenticateOnOrAfter, + char *notBefore, char *notOnOrAfter); + END_THROW_ERROR + + THROW_ERROR + int validateRequestMsg(gboolean authenticationResult, gboolean isConsentObtained); + END_THROW_ERROR + /* Methods */ THROW_ERROR @@ -2158,10 +2177,7 @@ typedef struct { END_THROW_ERROR THROW_ERROR - void buildAuthnResponseEnvelopeMsg(gboolean authenticationResult, - gboolean isConsentObtained, char *authenticationMethod, - char *authenticationInstant, char *reauthenticateOnOrAfter, - char *notBefore, char *notOnOrAfter); + void buildAuthnResponseEnvelopeMsg(); END_THROW_ERROR THROW_ERROR @@ -2183,6 +2199,7 @@ typedef struct { THROW_ERROR void processAuthnResponseEnvelopeMsg(gchar *responseMsg); END_THROW_ERROR + } } LassoLecp; @@ -2321,6 +2338,7 @@ gint LassoLecp_setSessionFromDump(LassoLecp *self, gchar *dump) { /* Methods implementations */ +#define LassoLecp_buildAssertion lasso_login_build_assertion #define LassoLecp_buildAuthnRequestEnvelopeMsg lasso_lecp_build_authn_request_envelope_msg #define LassoLecp_buildAuthnRequestMsg lasso_lecp_build_authn_request_msg #define LassoLecp_buildAuthnResponseEnvelopeMsg lasso_lecp_build_authn_response_envelope_msg 
@@ -2329,6 +2347,7 @@ gint LassoLecp_setSessionFromDump(LassoLecp *self, gchar *dump) { #define LassoLecp_processAuthnRequestEnvelopeMsg lasso_lecp_process_authn_request_envelope_msg #define LassoLecp_processAuthnRequestMsg lasso_lecp_process_authn_request_msg #define LassoLecp_processAuthnResponseEnvelopeMsg lasso_lecp_process_authn_response_envelope_msg +#define LassoLecp_validateRequestMsg lasso_login_validate_request_msg %} diff --git a/tests/login_tests.c b/tests/login_tests.c index 476da514..d1058d86 100644 --- a/tests/login_tests.c +++ b/tests/login_tests.c @@ -136,15 +136,18 @@ START_TEST(test02_serviceProviderLogin) "protocoleProfile should be ProfileBrwsArt"); fail_unless(! lasso_login_must_ask_for_consent(idpLoginContext), "lasso_login_must_ask_for_consent() should be FALSE"); - rc = lasso_login_build_artifact_msg(idpLoginContext, + rc = lasso_login_validate_request_msg(idpLoginContext, 1, /* authentication_result */ - 0, /* is_consent_obtained */ + 0 /* is_consent_obtained */ + ); + + rc = lasso_login_build_assertion(idpLoginContext, LASSO_SAML_AUTHENTICATION_METHOD_PASSWORD, "FIXME: authenticationInstant", "FIXME: reauthenticateOnOrAfter", "FIXME: notBefore", - "FIXME: notOnOrAfter", - LASSO_HTTP_METHOD_REDIRECT); + "FIXME: notOnOrAfter"); + rc = lasso_login_build_artifact_msg(idpLoginContext, LASSO_HTTP_METHOD_REDIRECT); fail_unless(rc == 0, "lasso_login_build_artifact_msg failed"); idpIdentityContextDump = lasso_identity_dump(LASSO_PROFILE(idpLoginContext)->identity);
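Review bot: The results of `lasso_login_validate_request_msg` and `lasso_login_build_assertion` are assigned to `rc` and then overwritten by the `lasso_login_build_artifact_msg` call, so the test passes even if validation denies the request or the assertion build fails; only the artifact step is checked, under a message naming it alone. Add a check after each step: `fail_unless(rc == 0, "lasso_login_validate_request_msg failed");` after the validate call and `fail_unless(rc == 0, "lasso_login_build_assertion failed");` after the build_assertion call. START_TEST(test02_serviceProviderLogin) starts before and continues after the hunk.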