SAML 2.0: Fix many leaks
* lasso/saml-2.0/login.c: * lasso/saml-2.0/logout.c: * lasso/saml-2.0/name_id_management.c: * lasso/saml-2.0/profile.c: * lasso/saml-2.0/provider.c: do not mix g_malloc strings with libxml strings, use the string/gobject handling macros as much as possible, be a good memory citizen, don't put your elbows on the table.
This commit is contained in:
parent
e57e1efc21
commit
c5f5f84329
@ -89,7 +89,7 @@ lasso_saml20_login_init_authn_request(LassoLogin *login, LassoHttpMethod http_me
|
|||
|
||||
login->http_method = http_method;
|
||||
|
||||
profile->request = lasso_samlp2_authn_request_new();
|
||||
lasso_assign_new_gobject(profile->request, lasso_samlp2_authn_request_new());
|
||||
if (profile->request == NULL) {
|
||||
return critical_error(LASSO_PROFILE_ERROR_BUILDING_REQUEST_FAILED);
|
||||
}
|
||||
|
@ -97,17 +97,17 @@ lasso_saml20_login_init_authn_request(LassoLogin *login, LassoHttpMethod http_me
|
|||
request = LASSO_SAMLP2_REQUEST_ABSTRACT(profile->request);
|
||||
request->ID = lasso_build_unique_id(32);
|
||||
lasso_assign_string(login->private_data->request_id, request->ID);
|
||||
request->Version = g_strdup("2.0");
|
||||
lasso_assign_string(request->Version, "2.0");
|
||||
request->Issuer = LASSO_SAML2_NAME_ID(lasso_saml2_name_id_new_with_string(
|
||||
LASSO_PROVIDER(profile->server)->ProviderID));
|
||||
request->IssueInstant = lasso_get_current_time();
|
||||
|
||||
LASSO_SAMLP2_AUTHN_REQUEST(request)->NameIDPolicy = LASSO_SAMLP2_NAME_ID_POLICY(
|
||||
lasso_samlp2_name_id_policy_new());
|
||||
LASSO_SAMLP2_AUTHN_REQUEST(request)->NameIDPolicy->Format =
|
||||
g_strdup(LASSO_SAML2_NAME_IDENTIFIER_FORMAT_TRANSIENT);
|
||||
LASSO_SAMLP2_AUTHN_REQUEST(request)->NameIDPolicy->SPNameQualifier =
|
||||
g_strdup(request->Issuer->content);
|
||||
lasso_assign_new_gobject(LASSO_SAMLP2_AUTHN_REQUEST(request)->NameIDPolicy,
|
||||
LASSO_SAMLP2_NAME_ID_POLICY( lasso_samlp2_name_id_policy_new()));
|
||||
lasso_assign_string(LASSO_SAMLP2_AUTHN_REQUEST(request)->NameIDPolicy->Format,
|
||||
LASSO_SAML2_NAME_IDENTIFIER_FORMAT_TRANSIENT);
|
||||
lasso_assign_string(LASSO_SAMLP2_AUTHN_REQUEST(request)->NameIDPolicy->SPNameQualifier,
|
||||
request->Issuer->content);
|
||||
|
||||
|
||||
if (http_method != LASSO_HTTP_METHOD_REDIRECT) {
|
||||
|
@ -136,23 +136,28 @@ lasso_saml20_login_build_authn_request_msg(LassoLogin *login, LassoProvider *rem
|
|||
must_sign = (md_authnRequestsSigned && strcmp(md_authnRequestsSigned, "true") == 0);
|
||||
g_free(md_authnRequestsSigned);
|
||||
|
||||
if (! lasso_flag_sign_messages && must_sign) {
|
||||
message(G_LOG_LEVEL_WARNING, "AuthnRequest message should normally be signed but \"no-sign-messages\" option is activated");
|
||||
}
|
||||
|
||||
if (login->http_method == LASSO_HTTP_METHOD_REDIRECT) {
|
||||
return lasso_saml20_build_http_redirect_query_simple(profile, profile->request,
|
||||
must_sign, "SingleSignOnService", FALSE);
|
||||
} else {
|
||||
/* POST, SOAP and Artifact-GET|POST */
|
||||
if (must_sign) {
|
||||
LASSO_SAMLP2_REQUEST_ABSTRACT(profile->request)->private_key_file =
|
||||
g_strdup(profile->server->private_key);
|
||||
LASSO_SAMLP2_REQUEST_ABSTRACT(profile->request)->certificate_file =
|
||||
g_strdup(profile->server->certificate);
|
||||
if (must_sign && lasso_flag_sign_messages) {
|
||||
lasso_assign_string(LASSO_SAMLP2_REQUEST_ABSTRACT(profile->request)->private_key_file,
|
||||
profile->server->private_key);
|
||||
lasso_assign_string(LASSO_SAMLP2_REQUEST_ABSTRACT(profile->request)->certificate_file,
|
||||
profile->server->certificate);
|
||||
}
|
||||
|
||||
if (login->http_method == LASSO_HTTP_METHOD_POST) {
|
||||
char *lareq = lasso_node_export_to_base64(profile->request);
|
||||
profile->msg_url = lasso_provider_get_metadata_one(
|
||||
remote_provider, "SingleSignOnService HTTP-POST");
|
||||
profile->msg_body = lareq;
|
||||
lasso_assign_new_string(profile->msg_url,
|
||||
lasso_provider_get_metadata_one(remote_provider,
|
||||
"SingleSignOnService HTTP-POST"));
|
||||
lasso_assign_new_string(profile->msg_body,
|
||||
lasso_node_export_to_base64(profile->request));
|
||||
} else if (login->http_method == LASSO_HTTP_METHOD_SOAP) {
|
||||
const char *issuer;
|
||||
const char *responseConsumerURL;
|
||||
|
@ -161,10 +166,11 @@ lasso_saml20_login_build_authn_request_msg(LassoLogin *login, LassoProvider *rem
|
|||
responseConsumerURL = \
|
||||
lasso_saml20_login_get_assertion_consumer_service_url(
|
||||
login, LASSO_PROVIDER(profile->server));
|
||||
profile->msg_url = NULL;
|
||||
profile->msg_body = lasso_node_export_to_paos_request(profile->request,
|
||||
lasso_release_string(profile->msg_url);
|
||||
lasso_assign_new_string(profile->msg_body,
|
||||
lasso_node_export_to_paos_request(profile->request,
|
||||
issuer, responseConsumerURL,
|
||||
profile->msg_relayState);
|
||||
profile->msg_relayState));
|
||||
} else {
|
||||
/* artifact method */
|
||||
char *artifact = lasso_saml20_profile_generate_artifact(profile, 0);
|
||||
|
@ -179,7 +185,8 @@ lasso_saml20_login_build_authn_request_msg(LassoLogin *login, LassoProvider *rem
|
|||
} else {
|
||||
query = lasso_url_add_parameters(NULL, 0, "SAMLart", artifact, NULL);
|
||||
}
|
||||
profile->msg_url = lasso_concat_url_query(url, query);
|
||||
lasso_assign_new_string(profile->msg_url,
|
||||
lasso_concat_url_query(url, query));
|
||||
lasso_release_string(query);
|
||||
lasso_release_string(url);
|
||||
} else {
|
||||
|
@ -223,8 +230,8 @@ lasso_saml20_login_process_authn_request_msg(LassoLogin *login, const char *auth
|
|||
|
||||
authn_request = LASSO_SAMLP2_AUTHN_REQUEST(request);
|
||||
|
||||
profile->request = request;
|
||||
profile->remote_providerID = g_strdup(
|
||||
lasso_assign_new_gobject(profile->request, request);
|
||||
lasso_assign_string(profile->remote_providerID,
|
||||
LASSO_SAMLP2_REQUEST_ABSTRACT(request)->Issuer->content);
|
||||
|
||||
protocol_binding = authn_request->ProtocolBinding;
|
||||
|
@ -261,6 +268,7 @@ lasso_saml20_login_process_authn_request_msg(LassoLogin *login, const char *auth
|
|||
} else if (strcmp(binding, "PAOS") == 0) {
|
||||
login->protocolProfile = LASSO_LOGIN_PROTOCOL_PROFILE_BRWS_LECP;
|
||||
}
|
||||
lasso_release_string(binding);
|
||||
} else if (strcmp(protocol_binding, LASSO_SAML2_METADATA_BINDING_ARTIFACT) == 0) {
|
||||
login->protocolProfile = LASSO_LOGIN_PROTOCOL_PROFILE_BRWS_ART;
|
||||
} else if (strcmp(protocol_binding, LASSO_SAML2_METADATA_BINDING_POST) == 0) {
|
||||
|
@ -278,14 +286,14 @@ lasso_saml20_login_process_authn_request_msg(LassoLogin *login, const char *auth
|
|||
|
||||
/* XXX: checks authn request signature */
|
||||
|
||||
profile->response = lasso_samlp2_response_new();
|
||||
lasso_assign_new_gobject(profile->response, lasso_samlp2_response_new());
|
||||
response = LASSO_SAMLP2_STATUS_RESPONSE(profile->response);
|
||||
response->ID = lasso_build_unique_id(32);
|
||||
response->Version = g_strdup("2.0");
|
||||
lasso_assign_string(response->Version, "2.0");
|
||||
response->Issuer = LASSO_SAML2_NAME_ID(lasso_saml2_name_id_new_with_string(
|
||||
LASSO_PROVIDER(profile->server)->ProviderID));
|
||||
response->IssueInstant = lasso_get_current_time();
|
||||
response->InResponseTo = g_strdup(LASSO_SAMLP2_REQUEST_ABSTRACT(profile->request)->ID);
|
||||
lasso_assign_string(response->InResponseTo, LASSO_SAMLP2_REQUEST_ABSTRACT(profile->request)->ID);
|
||||
/* XXX: adds signature */
|
||||
|
||||
return 0;
|
||||
|
@ -540,10 +548,7 @@ lasso_saml20_login_process_federation(LassoLogin *login, gboolean is_consent_obt
|
|||
name_id_policy_format = LASSO_SAML2_NAME_IDENTIFIER_FORMAT_PERSISTENT;
|
||||
}
|
||||
|
||||
if (login->nameIDPolicy) {
|
||||
g_free(login->nameIDPolicy);
|
||||
}
|
||||
login->nameIDPolicy = g_strdup(name_id_policy_format);
|
||||
lasso_assign_string(login->nameIDPolicy, name_id_policy_format);
|
||||
|
||||
if (name_id_policy_format && strcmp(name_id_policy_format,
|
||||
LASSO_SAML2_NAME_IDENTIFIER_FORMAT_TRANSIENT) == 0) {
|
||||
|
@ -580,10 +585,10 @@ lasso_saml20_login_process_federation(LassoLogin *login, gboolean is_consent_obt
|
|||
}
|
||||
|
||||
if (federation && LASSO_SAMLP2_AUTHN_REQUEST(profile->request)->NameIDPolicy == NULL) {
|
||||
LASSO_SAMLP2_AUTHN_REQUEST(profile->request)->NameIDPolicy = \
|
||||
LASSO_SAMLP2_NAME_ID_POLICY(lasso_samlp2_name_id_policy_new());
|
||||
LASSO_SAMLP2_AUTHN_REQUEST(profile->request)->NameIDPolicy->Format =
|
||||
g_strdup(LASSO_SAML2_NAME_IDENTIFIER_FORMAT_PERSISTENT);
|
||||
lasso_assign_new_gobject(LASSO_SAMLP2_AUTHN_REQUEST(profile->request)->NameIDPolicy,
|
||||
LASSO_SAMLP2_NAME_ID_POLICY(lasso_samlp2_name_id_policy_new()));
|
||||
lasso_assign_string(LASSO_SAMLP2_AUTHN_REQUEST(profile->request)->NameIDPolicy->Format,
|
||||
LASSO_SAML2_NAME_IDENTIFIER_FORMAT_PERSISTENT);
|
||||
}
|
||||
|
||||
if (lasso_saml20_login_must_ask_for_consent_private(login) && !is_consent_obtained) {
|
||||
|
@ -596,12 +601,12 @@ lasso_saml20_login_process_federation(LassoLogin *login, gboolean is_consent_obt
|
|||
LASSO_PROVIDER(profile->server)->ProviderID,
|
||||
LASSO_SAML2_NAME_IDENTIFIER_FORMAT_PERSISTENT,
|
||||
NULL);
|
||||
LASSO_SAML2_NAME_ID(federation->local_nameIdentifier)->SPNameQualifier = g_strdup(
|
||||
lasso_assign_string(LASSO_SAML2_NAME_ID(federation->local_nameIdentifier)->SPNameQualifier,
|
||||
name_id_sp_name_qualifier);
|
||||
lasso_identity_add_federation(profile->identity, federation);
|
||||
}
|
||||
|
||||
profile->nameIdentifier = g_object_ref(federation->local_nameIdentifier);
|
||||
lasso_assign_gobject(profile->nameIdentifier, federation->local_nameIdentifier);
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
@ -768,7 +773,7 @@ lasso_saml20_login_build_assertion(LassoLogin *login,
|
|||
|
||||
assertion = LASSO_SAML2_ASSERTION(lasso_saml2_assertion_new());
|
||||
assertion->ID = lasso_build_unique_id(32);
|
||||
assertion->Version = g_strdup("2.0");
|
||||
lasso_assign_string(assertion->Version, "2.0");
|
||||
assertion->IssueInstant = lasso_get_current_time();
|
||||
assertion->Issuer = LASSO_SAML2_NAME_ID(lasso_saml2_name_id_new_with_string(
|
||||
LASSO_PROVIDER(profile->server)->ProviderID));
|
||||
|
@ -776,8 +781,8 @@ lasso_saml20_login_build_assertion(LassoLogin *login,
|
|||
|
||||
audience_restriction = LASSO_SAML2_AUDIENCE_RESTRICTION(
|
||||
lasso_saml2_audience_restriction_new());
|
||||
audience_restriction->Audience = g_strdup(profile->remote_providerID);
|
||||
assertion->Conditions->AudienceRestriction = g_list_append(NULL, audience_restriction);
|
||||
lasso_assign_string(audience_restriction->Audience, profile->remote_providerID);
|
||||
lasso_list_add_new_gobject(assertion->Conditions->AudienceRestriction, audience_restriction);
|
||||
|
||||
name_id_policy = LASSO_SAMLP2_AUTHN_REQUEST(profile->request)->NameIDPolicy;
|
||||
assertion->Subject = LASSO_SAML2_SUBJECT(lasso_saml2_subject_new());
|
||||
|
@ -811,9 +816,9 @@ lasso_saml20_login_build_assertion(LassoLogin *login,
|
|||
LASSO_SAML2_NAME_IDENTIFIER_FORMAT_UNSPECIFIED) == 0)) {
|
||||
/* caller must set the name identifier content afterwards */
|
||||
name_id = LASSO_SAML2_NAME_ID(lasso_saml2_name_id_new());
|
||||
name_id->NameQualifier = g_strdup(
|
||||
lasso_assign_string(name_id->NameQualifier,
|
||||
LASSO_PROVIDER(profile->server)->ProviderID);
|
||||
name_id->Format = g_strdup(name_id_policy->Format);
|
||||
lasso_assign_string(name_id->Format, name_id_policy->Format);
|
||||
assertion->Subject->NameID = name_id;
|
||||
} else if (federation == NULL ||
|
||||
(name_id_policy && strcmp(name_id_policy->Format,
|
||||
|
@ -821,9 +826,9 @@ lasso_saml20_login_build_assertion(LassoLogin *login,
|
|||
/* transient -> don't use a federation */
|
||||
name_id = LASSO_SAML2_NAME_ID(lasso_saml2_name_id_new_with_string(
|
||||
lasso_build_unique_id(32)));
|
||||
name_id->NameQualifier = g_strdup(
|
||||
lasso_assign_string(name_id->NameQualifier,
|
||||
LASSO_PROVIDER(profile->server)->ProviderID);
|
||||
name_id->Format = g_strdup(LASSO_SAML2_NAME_IDENTIFIER_FORMAT_TRANSIENT);
|
||||
lasso_assign_string(name_id->Format, LASSO_SAML2_NAME_IDENTIFIER_FORMAT_TRANSIENT);
|
||||
assertion->Subject->NameID = name_id;
|
||||
} else {
|
||||
if (provider && name_id_policy && strcmp(name_id_policy->Format,
|
||||
|
@ -895,9 +900,9 @@ lasso_saml20_login_build_assertion(LassoLogin *login,
|
|||
LASSO_NODE(assertion));
|
||||
|
||||
response = LASSO_SAMLP2_RESPONSE(profile->response);
|
||||
response->Assertion = g_list_append(NULL, assertion);
|
||||
lasso_list_add_new_gobject(response->Assertion, assertion);
|
||||
|
||||
login->private_data->saml2_assertion = g_object_ref(assertion);
|
||||
lasso_assign_gobject(login->private_data->saml2_assertion, assertion);
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
@ -934,7 +939,7 @@ lasso_saml20_login_build_artifact_msg(LassoLogin *login, LassoHttpMethod http_me
|
|||
}
|
||||
|
||||
artifact = lasso_saml20_profile_generate_artifact(profile, 1);
|
||||
login->assertionArtifact = g_strdup(artifact);
|
||||
lasso_assign_string(login->assertionArtifact, artifact);
|
||||
if (http_method == LASSO_HTTP_METHOD_ARTIFACT_GET) {
|
||||
gchar *query;
|
||||
|
||||
|
@ -944,7 +949,7 @@ lasso_saml20_login_build_artifact_msg(LassoLogin *login, LassoHttpMethod http_me
|
|||
} else {
|
||||
query = lasso_url_add_parameters(NULL, 0, "SAMLart", artifact, NULL);
|
||||
}
|
||||
profile->msg_url = lasso_concat_url_query(url, query);
|
||||
lasso_assign_new_string(profile->msg_url, lasso_concat_url_query(url, query));
|
||||
lasso_release_string(query);
|
||||
} else {
|
||||
/* XXX: ARTIFACT POST */
|
||||
|
@ -990,19 +995,19 @@ lasso_saml20_login_build_request_msg(LassoLogin *login)
|
|||
|
||||
profile = LASSO_PROFILE(login);
|
||||
|
||||
LASSO_SAMLP2_REQUEST_ABSTRACT(profile->request)->private_key_file =
|
||||
g_strdup(profile->server->private_key);
|
||||
LASSO_SAMLP2_REQUEST_ABSTRACT(profile->request)->certificate_file =
|
||||
g_strdup(profile->server->certificate);
|
||||
profile->msg_body = lasso_node_export_to_soap(profile->request);
|
||||
lasso_assign_string(LASSO_SAMLP2_REQUEST_ABSTRACT(profile->request)->private_key_file,
|
||||
profile->server->private_key);
|
||||
lasso_assign_string(LASSO_SAMLP2_REQUEST_ABSTRACT(profile->request)->certificate_file,
|
||||
profile->server->certificate);
|
||||
lasso_assign_new_string(profile->msg_body, lasso_node_export_to_soap(profile->request));
|
||||
|
||||
remote_provider = g_hash_table_lookup(profile->server->providers,
|
||||
profile->remote_providerID);
|
||||
if (LASSO_IS_PROVIDER(remote_provider) == FALSE) {
|
||||
return critical_error(LASSO_SERVER_ERROR_PROVIDER_NOT_FOUND);
|
||||
}
|
||||
profile->msg_url = lasso_provider_get_metadata_one(remote_provider,
|
||||
"ArtifactResolutionService SOAP");
|
||||
lasso_assign_new_string(profile->msg_url, lasso_provider_get_metadata_one(remote_provider,
|
||||
"ArtifactResolutionService SOAP"));
|
||||
return 0;
|
||||
}
|
||||
|
||||
|
@ -1017,7 +1022,7 @@ lasso_saml20_login_process_request_msg(LassoLogin *login, gchar *request_msg)
|
|||
return rc;
|
||||
}
|
||||
/* compat with liberty id-ff code */
|
||||
login->assertionArtifact = lasso_profile_get_artifact(profile);
|
||||
lasso_assign_new_string(login->assertionArtifact, lasso_profile_get_artifact(profile));
|
||||
return 0;
|
||||
}
|
||||
|
||||
|
@ -1041,10 +1046,10 @@ lasso_saml20_login_build_response_msg(LassoLogin *login)
|
|||
LASSO_SAMLP2_STATUS_RESPONSE(profile->response)->sign_method =
|
||||
LASSO_SIGNATURE_METHOD_RSA_SHA1;
|
||||
|
||||
LASSO_SAMLP2_STATUS_RESPONSE(profile->response)->private_key_file =
|
||||
g_strdup(profile->server->private_key);
|
||||
LASSO_SAMLP2_STATUS_RESPONSE(profile->response)->certificate_file =
|
||||
g_strdup(profile->server->certificate);
|
||||
lasso_assign_string(LASSO_SAMLP2_STATUS_RESPONSE(profile->response)->private_key_file,
|
||||
profile->server->private_key);
|
||||
lasso_assign_string(LASSO_SAMLP2_STATUS_RESPONSE(profile->response)->certificate_file,
|
||||
profile->server->certificate);
|
||||
|
||||
remote_provider = g_hash_table_lookup(LASSO_PROFILE(login)->server->providers,
|
||||
LASSO_PROFILE(login)->remote_providerID);
|
||||
|
@ -1061,8 +1066,8 @@ lasso_saml20_login_build_response_msg(LassoLogin *login)
|
|||
}
|
||||
|
||||
/* build an ECP SOAP Response */
|
||||
profile->msg_body = lasso_node_export_to_ecp_soap_response(
|
||||
LASSO_NODE(profile->response), assertionConsumerURL);
|
||||
lasso_assign_new_string(profile->msg_body, lasso_node_export_to_ecp_soap_response(
|
||||
LASSO_NODE(profile->response), assertionConsumerURL));
|
||||
return 0;
|
||||
}
|
||||
|
||||
|
@ -1105,14 +1110,16 @@ lasso_saml20_login_process_authn_response_msg(LassoLogin *login, gchar *authn_re
|
|||
{
|
||||
LassoProfile *profile = NULL;
|
||||
int rc1, rc2, message_signature_status;
|
||||
LassoSamlp2Response *samlp2_response = NULL;
|
||||
|
||||
lasso_bad_param(LOGIN, login);
|
||||
lasso_null_param(authn_response_msg);
|
||||
|
||||
/* parse the message */
|
||||
profile = LASSO_PROFILE(login);
|
||||
samlp2_response = (LassoSamlp2Response*)lasso_samlp2_response_new();
|
||||
rc1 = lasso_saml20_profile_process_any_response(profile,
|
||||
(LassoSamlp2StatusResponse*)lasso_samlp2_response_new(),
|
||||
(LassoSamlp2StatusResponse*)samlp2_response,
|
||||
authn_response_msg);
|
||||
|
||||
message_signature_status = profile->signature_status;
|
||||
|
@ -1120,6 +1127,7 @@ lasso_saml20_login_process_authn_response_msg(LassoLogin *login, gchar *authn_re
|
|||
rc2 = lasso_saml20_login_process_response_status_and_assertion(login);
|
||||
|
||||
/** The more important signature errors */
|
||||
lasso_release_gobject(samlp2_response);
|
||||
if (message_signature_status) {
|
||||
message(G_LOG_LEVEL_WARNING, "Validation of the AuthnResponse message signature failed: %s", lasso_strerror(message_signature_status));
|
||||
}
|
||||
|
@ -1486,18 +1494,18 @@ lasso_saml20_login_build_authn_response_msg(LassoLogin *login)
|
|||
LASSO_SAMLP2_STATUS_RESPONSE(profile->response)->sign_method =
|
||||
LASSO_SIGNATURE_METHOD_RSA_SHA1;
|
||||
|
||||
LASSO_SAMLP2_STATUS_RESPONSE(profile->response)->private_key_file =
|
||||
g_strdup(profile->server->private_key);
|
||||
LASSO_SAMLP2_STATUS_RESPONSE(profile->response)->certificate_file =
|
||||
g_strdup(profile->server->certificate);
|
||||
lasso_assign_string(LASSO_SAMLP2_STATUS_RESPONSE(profile->response)->private_key_file,
|
||||
profile->server->private_key);
|
||||
lasso_assign_string(LASSO_SAMLP2_STATUS_RESPONSE(profile->response)->certificate_file,
|
||||
profile->server->certificate);
|
||||
|
||||
remote_provider = g_hash_table_lookup(profile->server->providers,
|
||||
profile->remote_providerID);
|
||||
if (LASSO_IS_PROVIDER(remote_provider) == FALSE)
|
||||
return critical_error(LASSO_SERVER_ERROR_PROVIDER_NOT_FOUND);
|
||||
|
||||
profile->msg_url = lasso_saml20_login_get_assertion_consumer_service_url(
|
||||
login, remote_provider);
|
||||
lasso_assign_new_string(profile->msg_url, lasso_saml20_login_get_assertion_consumer_service_url(
|
||||
login, remote_provider));
|
||||
if (profile->msg_url == NULL) {
|
||||
return LASSO_PROFILE_ERROR_UNKNOWN_PROFILE_URL;
|
||||
}
|
||||
|
@ -1511,16 +1519,12 @@ lasso_saml20_login_build_authn_response_msg(LassoLogin *login)
|
|||
|
||||
if (login->protocolProfile == LASSO_LOGIN_PROTOCOL_PROFILE_BRWS_POST) {
|
||||
/* build an lib:AuthnResponse base64 encoded */
|
||||
profile->msg_body = lasso_node_export_to_base64(LASSO_NODE(profile->response));
|
||||
lasso_assign_new_string(profile->msg_body, lasso_node_export_to_base64(LASSO_NODE(profile->response)));
|
||||
} else {
|
||||
int rc;
|
||||
char *url;
|
||||
|
||||
url = profile->msg_url;
|
||||
lasso_release_string(profile->msg_url);
|
||||
rc = lasso_saml20_profile_build_http_redirect(profile, profile->response, 1, profile->msg_url);
|
||||
if (profile->msg_url != url) {
|
||||
lasso_release(url);
|
||||
}
|
||||
if (rc != 0) {
|
||||
return rc;
|
||||
}
|
||||
|
@ -1574,12 +1578,9 @@ lasso_saml20_login_init_idp_initiated_authn_request(LassoLogin *login,
|
|||
if (rc)
|
||||
return rc;
|
||||
|
||||
g_free(LASSO_SAMLP2_REQUEST_ABSTRACT(profile->request)->ID);
|
||||
LASSO_SAMLP2_REQUEST_ABSTRACT(profile->request)->ID = NULL;
|
||||
|
||||
g_free(LASSO_SAMLP2_REQUEST_ABSTRACT(profile->request)->Issuer->content);
|
||||
LASSO_SAMLP2_REQUEST_ABSTRACT(profile->request)->Issuer->content =
|
||||
g_strdup(remote_providerID);
|
||||
lasso_release_string(LASSO_SAMLP2_REQUEST_ABSTRACT(profile->request)->ID);
|
||||
lasso_assign_string(LASSO_SAMLP2_REQUEST_ABSTRACT(profile->request)->Issuer->content,
|
||||
remote_providerID);
|
||||
|
||||
return 0;
|
||||
}
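Review bot: In the redirect branch of lasso_saml20_login_build_authn_response_msg the new code calls `lasso_release_string(profile->msg_url);` and on the very next line passes `profile->msg_url` as the URL argument of lasso_saml20_profile_build_http_redirect; since lasso_release_string frees and NULLs its argument (it stands in for `g_free()` plus `= NULL` in the init_idp_initiated_authn_request hunk), the assertion-consumer URL fetched and NULL-checked a few lines earlier is discarded and the redirect is built from a NULL URL, unless the profile.c half of this commit, not visible here, made build_http_redirect recompute the URL on its own. Taking the string out of the profile before the call and releasing it afterwards keeps the ownership fix without losing the value; the rest of that function lies outside the hunk. Separately, the new `lasso_assign_string(profile->remote_providerID, LASSO_SAMLP2_REQUEST_ABSTRACT(request)->Issuer->content);` in process_authn_request_msg still dereferences the Issuer of a freshly parsed, peer-supplied message without a NULL check, and the same pattern is carried over in logout.c's validate_request and process_response_msg; the SAML 2.0 schema does not require an Issuer on requests, so a message without one crashes the endpoint rather than being rejected. A guard such as `if (LASSO_SAMLP2_REQUEST_ABSTRACT(request)->Issuer == NULL) return critical_error(LASSO_PROFILE_ERROR_INVALID_MSG);` before the assignment, in each of the three places, turns that into an ordinary error return.
```c
} else {
	int rc;
	char *url = NULL;

	/* detach the base URL so the redirect builder can install the final one in profile->msg_url */
	lasso_transfer_string(url, profile->msg_url);
	rc = lasso_saml20_profile_build_http_redirect(profile, profile->response, 1, url);
	lasso_release_string(url);
	/* … unchanged: rc check and remainder of the branch … */
```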
|
||||
|
|
|
@ -102,13 +102,13 @@ lasso_saml20_logout_init_request(LassoLogout *logout, LassoProvider *remote_prov
|
|||
return critical_error(LASSO_PROFILE_ERROR_NAME_IDENTIFIER_NOT_FOUND);
|
||||
}
|
||||
if (federation->local_nameIdentifier) {
|
||||
profile->nameIdentifier = g_object_ref(federation->local_nameIdentifier);
|
||||
lasso_assign_gobject(profile->nameIdentifier, federation->local_nameIdentifier);
|
||||
} else {
|
||||
profile->nameIdentifier = g_object_ref(name_id_n);
|
||||
lasso_assign_gobject(profile->nameIdentifier, name_id_n);
|
||||
}
|
||||
|
||||
} else {
|
||||
profile->nameIdentifier = g_object_ref(name_id);
|
||||
lasso_assign_gobject(profile->nameIdentifier, name_id);
|
||||
}
|
||||
|
||||
if (http_method == LASSO_HTTP_METHOD_ANY) {
|
||||
|
@ -130,8 +130,7 @@ lasso_saml20_logout_init_request(LassoLogout *logout, LassoProvider *remote_prov
|
|||
lasso_session_remove_assertion(profile->session,
|
||||
profile->remote_providerID);
|
||||
if (logout->initial_remote_providerID && logout->initial_request) {
|
||||
g_free(profile->remote_providerID);
|
||||
profile->remote_providerID = g_strdup(
|
||||
lasso_assign_string(profile->remote_providerID,
|
||||
logout->initial_remote_providerID);
|
||||
/* XXX: create response
|
||||
profile->response = lasso_lib_logout_response_new_full(
|
||||
|
@ -147,21 +146,16 @@ lasso_saml20_logout_init_request(LassoLogout *logout, LassoProvider *remote_prov
|
|||
}
|
||||
}
|
||||
|
||||
/* free profile->request if it was already set */
|
||||
if (LASSO_IS_NODE(profile->request)) {
|
||||
lasso_node_destroy(profile->request);
|
||||
profile->request = NULL;
|
||||
}
|
||||
|
||||
profile->request = lasso_samlp2_logout_request_new();
|
||||
lasso_assign_new_gobject(profile->request, lasso_samlp2_logout_request_new());
|
||||
request = LASSO_SAMLP2_REQUEST_ABSTRACT(profile->request);
|
||||
request->ID = lasso_build_unique_id(32);
|
||||
request->Version = g_strdup("2.0");
|
||||
request->Issuer = LASSO_SAML2_NAME_ID(lasso_saml2_name_id_new_with_string(
|
||||
LASSO_PROVIDER(profile->server)->ProviderID));
|
||||
request->IssueInstant = lasso_get_current_time();
|
||||
lasso_assign_new_string(request->ID, lasso_build_unique_id(32));
|
||||
lasso_assign_string(request->Version, "2.0");
|
||||
lasso_assign_new_gobject(request->Issuer,
|
||||
LASSO_SAML2_NAME_ID(lasso_saml2_name_id_new_with_string(
|
||||
LASSO_PROVIDER(profile->server)->ProviderID)));
|
||||
lasso_assign_new_string(request->IssueInstant, lasso_get_current_time());
|
||||
|
||||
LASSO_SAMLP2_LOGOUT_REQUEST(request)->NameID = g_object_ref(profile->nameIdentifier);
|
||||
lasso_assign_gobject(LASSO_SAMLP2_LOGOUT_REQUEST(request)->NameID, profile->nameIdentifier);
|
||||
|
||||
/* Encrypt NameID */
|
||||
if (remote_provider &&
|
||||
|
@ -172,8 +166,8 @@ lasso_saml20_logout_init_request(LassoLogout *logout, LassoProvider *remote_prov
|
|||
remote_provider->private_data->encryption_public_key,
|
||||
remote_provider->private_data->encryption_sym_key_type));
|
||||
if (encrypted_element != NULL) {
|
||||
LASSO_SAMLP2_LOGOUT_REQUEST(request)->EncryptedID = encrypted_element;
|
||||
LASSO_SAMLP2_LOGOUT_REQUEST(request)->NameID = NULL;
|
||||
lasso_assign_new_gobject(LASSO_SAMLP2_LOGOUT_REQUEST(request)->EncryptedID, encrypted_element);
|
||||
lasso_release_gobject(LASSO_SAMLP2_LOGOUT_REQUEST(request)->NameID)
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -197,17 +191,17 @@ lasso_saml20_logout_build_request_msg(LassoLogout *logout, LassoProvider *remote
|
|||
LASSO_SAMLP2_REQUEST_ABSTRACT(profile->request)->sign_type =
|
||||
LASSO_SIGNATURE_TYPE_SIMPLE;
|
||||
}
|
||||
LASSO_SAMLP2_REQUEST_ABSTRACT(profile->request)->private_key_file =
|
||||
g_strdup(profile->server->private_key);
|
||||
LASSO_SAMLP2_REQUEST_ABSTRACT(profile->request)->certificate_file =
|
||||
g_strdup(profile->server->certificate);
|
||||
lasso_assign_string(LASSO_SAMLP2_REQUEST_ABSTRACT(profile->request)->private_key_file,
|
||||
profile->server->private_key);
|
||||
lasso_assign_string(LASSO_SAMLP2_REQUEST_ABSTRACT(profile->request)->certificate_file,
|
||||
profile->server->certificate);
|
||||
|
||||
if (logout->initial_http_request_method == LASSO_HTTP_METHOD_SOAP) {
|
||||
profile->msg_url = lasso_provider_get_metadata_one(remote_provider,
|
||||
"SingleLogoutService SOAP");
|
||||
LASSO_SAMLP2_REQUEST_ABSTRACT(profile->request)->Destination = g_strdup(
|
||||
lasso_assign_new_string(profile->msg_url,
|
||||
lasso_provider_get_metadata_one(remote_provider, "SingleLogoutService SOAP"));
|
||||
lasso_assign_string(LASSO_SAMLP2_REQUEST_ABSTRACT(profile->request)->Destination,
|
||||
profile->msg_url);
|
||||
profile->msg_body = lasso_node_export_to_soap(profile->request);
|
||||
lasso_assign_new_string(profile->msg_body, lasso_node_export_to_soap(profile->request));
|
||||
return 0;
|
||||
}
|
||||
if (logout->initial_http_request_method == LASSO_HTTP_METHOD_REDIRECT) {
|
||||
|
@ -231,7 +225,8 @@ lasso_saml20_logout_process_request_msg(LassoLogout *logout, char *request_msg)
|
|||
lasso_null_param(request_msg);
|
||||
|
||||
profile = LASSO_PROFILE(logout);
|
||||
rc1 = lasso_saml20_profile_process_any_request(profile, lasso_samlp2_logout_request_new(),
|
||||
logout_request = (LassoSamlp2LogoutRequest*) lasso_samlp2_logout_request_new();
|
||||
rc1 = lasso_saml20_profile_process_any_request(profile, (LassoNode*)logout_request,
|
||||
request_msg);
|
||||
|
||||
logout_request = (LassoSamlp2LogoutRequest*)profile->request;
|
||||
|
@ -244,6 +239,7 @@ lasso_saml20_logout_process_request_msg(LassoLogout *logout, char *request_msg)
|
|||
&logout_request->EncryptedID);
|
||||
|
||||
|
||||
lasso_release_gobject(logout_request);
|
||||
if (profile->signature_status) {
|
||||
return profile->signature_status;
|
||||
}
|
||||
|
@ -268,11 +264,7 @@ lasso_saml20_logout_validate_request(LassoLogout *logout)
|
|||
if (LASSO_IS_SAMLP2_LOGOUT_REQUEST(profile->request) == FALSE)
|
||||
return LASSO_PROFILE_ERROR_MISSING_REQUEST;
|
||||
|
||||
if (profile->remote_providerID) {
|
||||
g_free(profile->remote_providerID);
|
||||
}
|
||||
|
||||
profile->remote_providerID = g_strdup(
|
||||
lasso_assign_string(profile->remote_providerID,
|
||||
LASSO_SAMLP2_REQUEST_ABSTRACT(profile->request)->Issuer->content);
|
||||
|
||||
/* get the provider */
|
||||
|
@ -282,18 +274,16 @@ lasso_saml20_logout_validate_request(LassoLogout *logout)
|
|||
return critical_error(LASSO_SERVER_ERROR_PROVIDER_NOT_FOUND);
|
||||
}
|
||||
|
||||
if (profile->response) {
|
||||
lasso_node_destroy(profile->response);
|
||||
}
|
||||
|
||||
profile->response = lasso_samlp2_logout_response_new();
|
||||
lasso_assign_new_gobject(profile->response, lasso_samlp2_logout_response_new());
|
||||
response = LASSO_SAMLP2_STATUS_RESPONSE(profile->response);
|
||||
response->ID = lasso_build_unique_id(32);
|
||||
response->Version = g_strdup("2.0");
|
||||
response->Issuer = LASSO_SAML2_NAME_ID(lasso_saml2_name_id_new_with_string(
|
||||
LASSO_PROVIDER(profile->server)->ProviderID));
|
||||
response->IssueInstant = lasso_get_current_time();
|
||||
response->InResponseTo = g_strdup(LASSO_SAMLP2_REQUEST_ABSTRACT(profile->request)->ID);
|
||||
lasso_assign_new_string(response->ID, lasso_build_unique_id(32));
|
||||
lasso_assign_string(response->Version, "2.0");
|
||||
lasso_assign_new_gobject(response->Issuer,
|
||||
LASSO_SAML2_NAME_ID(lasso_saml2_name_id_new_with_string(
|
||||
LASSO_PROVIDER(profile->server)->ProviderID)));
|
||||
lasso_assign_new_string(response->IssueInstant, lasso_get_current_time());
|
||||
lasso_assign_string(response->InResponseTo,
|
||||
LASSO_SAMLP2_REQUEST_ABSTRACT(profile->request)->ID);
|
||||
lasso_saml20_profile_set_response_status(profile, LASSO_SAML2_STATUS_CODE_SUCCESS);
|
||||
|
||||
response->sign_method = LASSO_SIGNATURE_METHOD_RSA_SHA1;
|
||||
|
@ -401,13 +391,10 @@ lasso_saml20_logout_validate_request(LassoLogout *logout)
|
|||
*/
|
||||
if (remote_provider->role == LASSO_PROVIDER_ROLE_SP &&
|
||||
g_hash_table_size(profile->session->assertions) >= 1) {
|
||||
logout->initial_remote_providerID = profile->remote_providerID;
|
||||
logout->initial_request = LASSO_NODE(profile->request);
|
||||
logout->initial_response = LASSO_NODE(profile->response);
|
||||
|
||||
profile->remote_providerID = NULL;
|
||||
profile->request = NULL;
|
||||
profile->response = NULL;
|
||||
lasso_transfer_string(logout->initial_remote_providerID,
|
||||
profile->remote_providerID);
|
||||
lasso_transfer_gobject(logout->initial_request, profile->request);
|
||||
lasso_transfer_gobject(logout->initial_response, profile->response);
|
||||
}
|
||||
|
||||
return 0;
|
||||
|
@ -449,15 +436,15 @@ lasso_saml20_logout_build_response_msg(LassoLogout *logout)
|
|||
|
||||
if (profile->response == NULL) {
|
||||
/* no response set here means request denied */
|
||||
profile->response = lasso_samlp2_logout_response_new();
|
||||
lasso_assign_new_gobject(profile->response, lasso_samlp2_logout_response_new());
|
||||
response = LASSO_SAMLP2_STATUS_RESPONSE(profile->response);
|
||||
response->ID = lasso_build_unique_id(32);
|
||||
response->Version = g_strdup("2.0");
|
||||
response->Issuer = LASSO_SAML2_NAME_ID(lasso_saml2_name_id_new_with_string(
|
||||
LASSO_PROVIDER(profile->server)->ProviderID));
|
||||
response->IssueInstant = lasso_get_current_time();
|
||||
lasso_assign_new_string(response->ID, lasso_build_unique_id(32));
|
||||
lasso_assign_string(response->Version, "2.0");
|
||||
lasso_assign_new_gobject(response->Issuer, LASSO_SAML2_NAME_ID(lasso_saml2_name_id_new_with_string(
|
||||
LASSO_PROVIDER(profile->server)->ProviderID)));
|
||||
lasso_assign_new_string(response->IssueInstant, lasso_get_current_time());
|
||||
if (profile->request) {
|
||||
response->InResponseTo = g_strdup(
|
||||
lasso_assign_string(response->InResponseTo,
|
||||
LASSO_SAMLP2_REQUEST_ABSTRACT(profile->request)->ID);
|
||||
}
|
||||
lasso_saml20_profile_set_response_status(profile,
|
||||
|
@ -469,8 +456,8 @@ lasso_saml20_logout_build_response_msg(LassoLogout *logout)
|
|||
} else {
|
||||
response->sign_type = LASSO_SIGNATURE_TYPE_SIMPLE;
|
||||
}
|
||||
response->private_key_file = g_strdup(profile->server->private_key);
|
||||
response->certificate_file = g_strdup(profile->server->certificate);
|
||||
lasso_assign_string(response->private_key_file, profile->server->private_key);
|
||||
lasso_assign_string(response->certificate_file, profile->server->certificate);
|
||||
}
|
||||
|
||||
if (profile->remote_providerID == NULL || profile->response == NULL) {
|
||||
|
@ -482,8 +469,8 @@ lasso_saml20_logout_build_response_msg(LassoLogout *logout)
|
|||
|
||||
/* build logout response message */
|
||||
if (profile->http_request_method == LASSO_HTTP_METHOD_SOAP) {
|
||||
profile->msg_url = NULL;
|
||||
profile->msg_body = lasso_node_export_to_soap(profile->response);
|
||||
lasso_release_string(profile->msg_url);
|
||||
lasso_assign_new_string(profile->msg_body, lasso_node_export_to_soap(profile->response));
|
||||
return 0;
|
||||
}
|
||||
|
||||
|
@ -505,12 +492,7 @@ lasso_saml20_logout_process_response_msg(LassoLogout *logout, const char *respon
|
|||
char *status_code_value = NULL;
|
||||
int rc;
|
||||
|
||||
if (LASSO_IS_SAMLP2_LOGOUT_RESPONSE(profile->response) == TRUE) {
|
||||
lasso_node_destroy(profile->response);
|
||||
profile->response = NULL;
|
||||
}
|
||||
|
||||
profile->response = lasso_samlp2_logout_response_new();
|
||||
lasso_assign_new_gobject(profile->response, lasso_samlp2_logout_response_new());
|
||||
format = lasso_node_init_from_message(LASSO_NODE(profile->response), response_msg);
|
||||
|
||||
switch (format) {
|
||||
|
@ -524,7 +506,7 @@ lasso_saml20_logout_process_response_msg(LassoLogout *logout, const char *respon
|
|||
return critical_error(LASSO_PROFILE_ERROR_INVALID_MSG);
|
||||
}
|
||||
|
||||
profile->remote_providerID = g_strdup(
|
||||
lasso_assign_string(profile->remote_providerID,
|
||||
LASSO_SAMLP2_STATUS_RESPONSE(profile->response)->Issuer->content);
|
||||
|
||||
/* get the provider */
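Review bot: `LASSO_SAMLP2_STATUS_RESPONSE(profile->response)->Issuer->content` still dereferences `Issuer` with no NULL check, and `profile->response` was just filled from the untrusted `response_msg` by lasso_node_init_from_message, so a LogoutResponse that simply omits the `<Issuer>` element crashes here before any provider lookup or signature verification. Switching to lasso_assign_string changes only how the string is copied, not whether the pointer is valid. A guard in the style of the error return a few lines above, `if (LASSO_SAMLP2_STATUS_RESPONSE(profile->response)->Issuer == NULL) return critical_error(LASSO_PROFILE_ERROR_INVALID_MSG);`, would reject it cleanly. lasso_saml20_logout_process_response_msg continues beyond this hunk.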
|
||||
|
@ -597,20 +579,10 @@ lasso_saml20_logout_process_response_msg(LassoLogout *logout, const char *respon
|
|||
remote_provider = g_hash_table_lookup(profile->server->providers,
|
||||
logout->initial_remote_providerID);
|
||||
if (remote_provider->role == LASSO_PROVIDER_ROLE_SP) {
|
||||
if (profile->remote_providerID != NULL)
|
||||
g_free(profile->remote_providerID);
|
||||
if (profile->request != NULL)
|
||||
lasso_node_destroy(LASSO_NODE(profile->request));
|
||||
if (profile->response != NULL)
|
||||
lasso_node_destroy(LASSO_NODE(profile->response));
|
||||
|
||||
profile->remote_providerID = logout->initial_remote_providerID;
|
||||
profile->request = logout->initial_request;
|
||||
profile->response = logout->initial_response;
|
||||
|
||||
logout->initial_remote_providerID = NULL;
|
||||
logout->initial_request = NULL;
|
||||
logout->initial_response = NULL;
|
||||
lasso_transfer_string(profile->remote_providerID,
|
||||
logout->initial_remote_providerID);
|
||||
lasso_transfer_gobject(profile->request, logout->initial_request);
|
||||
lasso_transfer_gobject(profile->response, logout->initial_response);
|
||||
}
|
||||
}
|
||||
|
||||
|
|
|
@ -133,19 +133,20 @@ lasso_name_id_management_process_request_msg(LassoNameIdManagement *name_id_mana
|
|||
|
||||
/* Parsing */
|
||||
profile = LASSO_PROFILE(name_id_management);
|
||||
request = (LassoSamlp2ManageNameIDRequest*)lasso_samlp2_manage_name_id_request_new();
|
||||
rc1 = lasso_saml20_profile_process_any_request(profile,
|
||||
lasso_samlp2_manage_name_id_request_new(),
|
||||
(LassoNode*)request,
|
||||
request_msg);
|
||||
|
||||
if (! LASSO_IS_SAMLP2_MANAGE_NAME_ID_REQUEST(profile->request)) {
|
||||
return LASSO_PROFILE_ERROR_MISSING_REQUEST;
|
||||
}
|
||||
request = LASSO_SAMLP2_MANAGE_NAME_ID_REQUEST(profile->request);
|
||||
|
||||
/* NameID treatment */
|
||||
rc2 = lasso_saml20_profile_process_name_identifier_decryption(profile,
|
||||
&request->NameID, &request->EncryptedID);
|
||||
|
||||
lasso_release_gobject(request);
|
||||
if (profile->signature_status) {
|
||||
return profile->signature_status;
|
||||
}
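Review bot: The new `LASSO_IS_SAMLP2_MANAGE_NAME_ID_REQUEST(profile->request)` check returns LASSO_PROFILE_ERROR_MISSING_REQUEST without looking at `rc1`, so when lasso_saml20_profile_process_any_request rejects the message (malformed XML, bad signature) and leaves `profile->request` unset, the caller gets a generic missing-request error instead of the real failure code. Testing the return first, `if (rc1) return rc1;`, before the type check keeps the diagnostic (the later use of `rc1`, if any, is outside this hunk). The removed `lasso_release_gobject(request)` is correct only if process_any_request takes ownership of the node created inline on every path, including the rejection path; that is not visible here and is worth confirming, since the old code explicitly released it. The function body continues past the hunk.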
|
||||
|
@ -429,6 +430,7 @@ lasso_name_id_management_new(LassoServer *server)
|
|||
g_return_val_if_fail(LASSO_IS_SERVER(server), NULL);
|
||||
|
||||
name_id_management = g_object_new(LASSO_TYPE_NAME_ID_MANAGEMENT, NULL);
|
||||
/* fresh object dont need to check previous value */
|
||||
LASSO_PROFILE(name_id_management)->server = g_object_ref(server);
|
||||
|
||||
return name_id_management;
|
||||
|
@ -464,7 +466,7 @@ lasso_name_id_management_new_from_dump(LassoServer *server, const char *dump)
|
|||
if (dump == NULL)
|
||||
return NULL;
|
||||
|
||||
name_id_management = lasso_name_id_management_new(g_object_ref(server));
|
||||
name_id_management = lasso_name_id_management_new(server);
|
||||
doc = lasso_xml_parse_memory(dump, strlen(dump));
|
||||
lasso_node_init_from_xml(LASSO_NODE(name_id_management), xmlDocGetRootElement(doc));
|
||||
lasso_release_doc(doc);
|
||||
|
|
|
@ -116,12 +116,12 @@ get_response_url(LassoProvider *provider, char *service, char *binding)
|
|||
char*
|
||||
lasso_saml20_profile_generate_artifact(LassoProfile *profile, int part)
|
||||
{
|
||||
profile->private_data->artifact = lasso_saml20_profile_build_artifact(
|
||||
LASSO_PROVIDER(profile->server));
|
||||
lasso_assign_new_string(profile->private_data->artifact,
|
||||
lasso_saml20_profile_build_artifact(LASSO_PROVIDER(profile->server)));
|
||||
if (part == 0) {
|
||||
profile->private_data->artifact_message = lasso_node_dump(profile->request);
|
||||
lasso_assign_new_string(profile->private_data->artifact_message, lasso_node_dump(profile->request));
|
||||
} else if (part == 1) {
|
||||
profile->private_data->artifact_message = lasso_node_dump(profile->response);
|
||||
lasso_assign_new_string(profile->private_data->artifact_message, lasso_node_dump(profile->response));
|
||||
} else {
|
||||
/* XXX: RequestDenied here? */
|
||||
}
|
||||
|
@ -212,23 +212,22 @@ lasso_saml20_profile_init_artifact_resolve(LassoProfile *profile,
|
|||
const char *msg, LassoHttpMethod method)
|
||||
{
|
||||
char **query_fields;
|
||||
char *artifact_b64 = NULL, *provider_succinct_id_b64;
|
||||
char provider_succinct_id[21];
|
||||
char *artifact_b64 = NULL;
|
||||
xmlChar *provider_succinct_id_b64 = NULL;
|
||||
char *provider_succinct_id[21];
|
||||
char artifact[45];
|
||||
LassoSamlp2RequestAbstract *request;
|
||||
int i;
|
||||
LassoSamlp2RequestAbstract *request = NULL;
|
||||
int i = 0;
|
||||
|
||||
if (method == LASSO_HTTP_METHOD_ARTIFACT_GET) {
|
||||
query_fields = urlencoded_to_strings(msg);
|
||||
for (i=0; query_fields[i]; i++) {
|
||||
if (strncmp(query_fields[i], "SAMLart=", 8) != 0) {
|
||||
xmlFree(query_fields[i]);
|
||||
continue;
|
||||
if (strncmp((char*)query_fields[i], "SAMLart=", 8) == 0) {
|
||||
lasso_assign_string(artifact_b64, query_fields[i]+8);
|
||||
}
|
||||
artifact_b64 = g_strdup(query_fields[i]+8);
|
||||
xmlFree(query_fields[i]);
|
||||
}
|
||||
g_free(query_fields);
|
||||
lasso_release(query_fields);
|
||||
if (artifact_b64 == NULL) {
|
||||
return LASSO_PROFILE_ERROR_MISSING_ARTIFACT;
|
||||
}
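Review bot: `char *provider_succinct_id[21];` declares an array of 21 pointers, not a 21-byte buffer; the old declaration was `char provider_succinct_id[21];` and the stray `*` looks accidental. The `memcpy(provider_succinct_id, artifact+4, 20)` and `provider_succinct_id[20] = 0` in the following hunk still compile (the 0 becomes a null pointer store) and xmlSecBase64Encode reads its 20 bytes from the start of the object, so it works by accident, but the buffer is now 21*sizeof(char*) bytes and any `-Wall` build will warn about it. Restore `char provider_succinct_id[21];`. lasso_saml20_profile_init_artifact_resolve continues in the next hunks.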
|
||||
|
@ -240,12 +239,12 @@ lasso_saml20_profile_init_artifact_resolve(LassoProfile *profile,
|
|||
|
||||
i = xmlSecBase64Decode((xmlChar*)artifact_b64, (xmlChar*)artifact, 45);
|
||||
if (i < 0 || i > 44) {
|
||||
g_free(artifact_b64);
|
||||
lasso_release_string(artifact_b64);
|
||||
return LASSO_PROFILE_ERROR_INVALID_ARTIFACT;
|
||||
}
|
||||
|
||||
if (artifact[0] != 0 || artifact[1] != 4) { /* wrong type code */
|
||||
g_free(artifact_b64);
|
||||
lasso_release_string(artifact_b64);
|
||||
return LASSO_PROFILE_ERROR_INVALID_ARTIFACT;
|
||||
}
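Review bot: `if (i < 0 || i > 44)` accepts a decoded artifact of any length up to 44 bytes, yet the code that follows reads `artifact[0]`, `artifact[1]` and 20 bytes from `artifact+4`, so a short base64 value from the query string makes it read uninitialised stack from the 45-byte `artifact` buffer and look up a provider by garbage. The type-code test a few lines down assumes the fixed-size 0x0004 layout, so the length test should be exact: `if (i != 44) { lasso_release_string(artifact_b64); return LASSO_PROFILE_ERROR_INVALID_ARTIFACT; }`. These lines are context in this commit, but they sit between the two release calls the commit rewrites and gate the same untrusted input.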
|
||||
|
||||
|
@ -254,23 +253,20 @@ lasso_saml20_profile_init_artifact_resolve(LassoProfile *profile,
|
|||
memcpy(provider_succinct_id, artifact+4, 20);
|
||||
provider_succinct_id[20] = 0;
|
||||
|
||||
provider_succinct_id_b64 = (char*)xmlSecBase64Encode((xmlChar*)provider_succinct_id, 20, 0);
|
||||
provider_succinct_id_b64 = xmlSecBase64Encode((xmlChar*)provider_succinct_id, 20, 0);
|
||||
|
||||
profile->remote_providerID = lasso_server_get_providerID_from_hash(
|
||||
profile->server, provider_succinct_id_b64);
|
||||
xmlFree(provider_succinct_id_b64);
|
||||
lasso_assign_new_string(profile->remote_providerID, lasso_server_get_providerID_from_hash(
|
||||
profile->server, (char*)provider_succinct_id_b64));
|
||||
lasso_release_xml_string(provider_succinct_id_b64);
|
||||
if (profile->remote_providerID == NULL) {
|
||||
return critical_error(LASSO_PROFILE_ERROR_MISSING_REMOTE_PROVIDERID);
|
||||
}
|
||||
|
||||
if (profile->request) {
|
||||
lasso_node_destroy(profile->request);
|
||||
}
|
||||
profile->request = lasso_samlp2_artifact_resolve_new();
|
||||
lasso_assign_new_gobject(profile->request, lasso_samlp2_artifact_resolve_new());
|
||||
request = LASSO_SAMLP2_REQUEST_ABSTRACT(profile->request);
|
||||
LASSO_SAMLP2_ARTIFACT_RESOLVE(request)->Artifact = artifact_b64;
|
||||
lasso_assign_new_string(LASSO_SAMLP2_ARTIFACT_RESOLVE(request)->Artifact, artifact_b64);
|
||||
request->ID = lasso_build_unique_id(32);
|
||||
request->Version = g_strdup("2.0");
|
||||
lasso_assign_string(request->Version, "2.0");
|
||||
request->Issuer = LASSO_SAML2_NAME_ID(lasso_saml2_name_id_new_with_string(
|
||||
LASSO_PROVIDER(profile->server)->ProviderID));
|
||||
request->IssueInstant = lasso_get_current_time();
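Review bot: `artifact_b64` is leaked on the `profile->remote_providerID == NULL` path: the two earlier error returns now release it, but this one returns before `lasso_assign_new_string(..., artifact_b64)` hands the string to the request, so the leak-fixing commit leaves one leak in place. Add the release before the return, `lasso_release_string(artifact_b64); return critical_error(LASSO_PROFILE_ERROR_MISSING_REMOTE_PROVIDERID);`. Separately, `request->ID`, `request->Issuer` and `request->IssueInstant` are still raw assignments while `Version` and `Artifact` were converted; that is safe because the request was just created by lasso_assign_new_gobject, but lasso_saml20_init_request later in this file uses the assign macros for the same fields, so converting these too would keep the two initialisers consistent.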
|
||||
|
@ -292,11 +288,7 @@ lasso_saml20_profile_process_artifact_resolve(LassoProfile *profile, const char
|
|||
LassoProvider *remote_provider;
|
||||
int rc;
|
||||
|
||||
if (profile->request) {
|
||||
lasso_node_destroy(profile->request);
|
||||
}
|
||||
|
||||
profile->request = lasso_node_new_from_soap(msg);
|
||||
lasso_assign_new_gobject(profile->request, lasso_node_new_from_soap(msg));
|
||||
if (profile->request == NULL) {
|
||||
return critical_error(LASSO_PROFILE_ERROR_INVALID_MSG);
|
||||
}
|
||||
|
@ -304,14 +296,14 @@ lasso_saml20_profile_process_artifact_resolve(LassoProfile *profile, const char
|
|||
return critical_error(LASSO_PROFILE_ERROR_INVALID_MSG);
|
||||
}
|
||||
|
||||
profile->remote_providerID = g_strdup(LASSO_SAMLP2_REQUEST_ABSTRACT(
|
||||
lasso_assign_string(profile->remote_providerID, LASSO_SAMLP2_REQUEST_ABSTRACT(
|
||||
profile->request)->Issuer->content);
|
||||
remote_provider = g_hash_table_lookup(profile->server->providers,
|
||||
profile->remote_providerID);
|
||||
|
||||
rc = lasso_provider_verify_signature(remote_provider, msg, "ID", LASSO_MESSAGE_FORMAT_SOAP);
|
||||
|
||||
profile->private_data->artifact = g_strdup(
|
||||
lasso_assign_string(profile->private_data->artifact,
|
||||
LASSO_SAMLP2_ARTIFACT_RESOLVE(profile->request)->Artifact);
|
||||
|
||||
return rc;
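Review bot: `LASSO_SAMLP2_REQUEST_ABSTRACT(profile->request)->Issuer->content` is dereferenced without a NULL check on a node that was just parsed from the incoming SOAP `msg`, so an ArtifactResolve with no `<Issuer>` crashes before the signature is ever verified; the g_hash_table_lookup result `remote_provider` is likewise passed to lasso_provider_verify_signature unchecked, which is only safe if that function tolerates NULL (not visible here). Guard both: `if (... ->Issuer == NULL) return critical_error(LASSO_PROFILE_ERROR_INVALID_MSG);` after the type check, and `if (remote_provider == NULL) return critical_error(LASSO_PROFILE_ERROR_MISSING_REMOTE_PROVIDERID);` after the lookup, both codes already used in this file. Note also that `profile->private_data->artifact` is stored even when `rc` reports a signature failure; whether callers rely on that is outside the hunk.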
|
||||
|
@ -327,32 +319,32 @@ lasso_saml20_profile_build_artifact_response(LassoProfile *profile)
|
|||
response = LASSO_SAMLP2_STATUS_RESPONSE(lasso_samlp2_artifact_response_new());
|
||||
if (profile->private_data->artifact_message) {
|
||||
resp = lasso_node_new_from_dump(profile->private_data->artifact_message);
|
||||
LASSO_SAMLP2_ARTIFACT_RESPONSE(response)->any = resp;
|
||||
lasso_assign_new_gobject(LASSO_SAMLP2_ARTIFACT_RESPONSE(response)->any, resp);
|
||||
}
|
||||
response->ID = lasso_build_unique_id(32);
|
||||
response->Version = g_strdup("2.0");
|
||||
lasso_assign_string(response->Version, "2.0");
|
||||
response->Issuer = LASSO_SAML2_NAME_ID(lasso_saml2_name_id_new_with_string(
|
||||
LASSO_PROVIDER(profile->server)->ProviderID));
|
||||
response->IssueInstant = lasso_get_current_time();
|
||||
response->InResponseTo = g_strdup(LASSO_SAMLP2_REQUEST_ABSTRACT(profile->request)->ID);
|
||||
lasso_assign_string(response->InResponseTo, LASSO_SAMLP2_REQUEST_ABSTRACT(profile->request)->ID);
|
||||
response->sign_method = LASSO_SIGNATURE_METHOD_RSA_SHA1;
|
||||
if (profile->server->certificate) {
|
||||
response->sign_type = LASSO_SIGNATURE_TYPE_WITHX509;
|
||||
} else {
|
||||
response->sign_type = LASSO_SIGNATURE_TYPE_SIMPLE;
|
||||
}
|
||||
response->private_key_file = g_strdup(profile->server->private_key);
|
||||
response->certificate_file = g_strdup(profile->server->certificate);
|
||||
|
||||
profile->response = LASSO_NODE(response);
|
||||
lasso_assign_string(response->private_key_file, profile->server->private_key);
|
||||
lasso_assign_string(response->certificate_file, profile->server->certificate);
|
||||
lasso_assign_new_gobject(profile->response, LASSO_NODE(response));
|
||||
|
||||
if (resp == NULL) {
|
||||
lasso_saml20_profile_set_response_status(profile,
|
||||
LASSO_SAML2_STATUS_CODE_REQUESTER);
|
||||
} else {
|
||||
lasso_saml20_profile_set_response_status(profile, LASSO_SAML2_STATUS_CODE_SUCCESS);
|
||||
lasso_saml20_profile_set_response_status(profile,
|
||||
LASSO_SAML2_STATUS_CODE_SUCCESS);
|
||||
}
|
||||
profile->msg_body = lasso_node_export_to_soap(profile->response);
|
||||
lasso_assign_new_string(profile->msg_body, lasso_node_export_to_soap(profile->response));
|
||||
return 0;
|
||||
}
|
||||
|
||||
|
@ -366,17 +358,17 @@ lasso_saml20_profile_process_artifact_response(LassoProfile *profile, const char
|
|||
|
||||
response = lasso_node_new_from_soap(msg);
|
||||
if (!LASSO_IS_SAMLP2_ARTIFACT_RESPONSE(response)) {
|
||||
profile->response = lasso_samlp2_response_new();
|
||||
lasso_assign_new_gobject(profile->response, lasso_samlp2_response_new());
|
||||
return LASSO_PROFILE_ERROR_INVALID_ARTIFACT;
|
||||
}
|
||||
artifact_response = LASSO_SAMLP2_ARTIFACT_RESPONSE(response);
|
||||
|
||||
if (artifact_response->any == NULL) {
|
||||
profile->response = lasso_samlp2_response_new();
|
||||
lasso_assign_new_gobject(profile->response, lasso_samlp2_response_new());
|
||||
return LASSO_PROFILE_ERROR_MISSING_RESPONSE;
|
||||
}
|
||||
profile->response = g_object_ref(artifact_response->any);
|
||||
lasso_node_destroy(response);
|
||||
lasso_assign_gobject(profile->response, artifact_response->any);
|
||||
lasso_release_gobject(response);
|
||||
|
||||
return 0;
|
||||
}
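Review bot: `response` is leaked on both error paths of lasso_saml20_profile_process_artifact_response: lasso_node_new_from_soap allocates it, but the `!LASSO_IS_SAMLP2_ARTIFACT_RESPONSE(response)` branch and the `artifact_response->any == NULL` branch return without the `lasso_release_gobject(response)` that the success path now performs, so a well-formed ArtifactResponse with no payload still drops a full object. Release it before each return, `lasso_release_gobject(response);`, on the assumption the macro tolerates a NULL argument for the case where parsing itself failed (its definition is not visible here). The function's opening lines are outside the hunk.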
|
||||
|
@ -416,10 +408,9 @@ lasso_saml20_profile_set_session_from_dump_decrypt(G_GNUC_UNUSED gpointer key,
|
|||
}
|
||||
|
||||
if (assertion->Subject != NULL && assertion->Subject->EncryptedID != NULL) {
|
||||
assertion->Subject->NameID = g_object_ref(
|
||||
lasso_assign_gobject(assertion->Subject->NameID,
|
||||
assertion->Subject->EncryptedID->original_data);
|
||||
g_object_unref(assertion->Subject->EncryptedID);
|
||||
assertion->Subject->EncryptedID = NULL;
|
||||
lasso_release_gobject(assertion->Subject->EncryptedID);
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -595,7 +586,7 @@ lasso_saml20_profile_process_soap_request(LassoProfile *profile,
|
|||
lasso_bad_param(PROFILE, profile);
|
||||
|
||||
profile->signature_status = 0;
|
||||
profile->request = lasso_node_new_from_soap(request_msg);
|
||||
lasso_assign_new_gobject(profile->request, lasso_node_new_from_soap(request_msg));
|
||||
profile->http_request_method = LASSO_HTTP_METHOD_SOAP;
|
||||
lasso_extract_node_or_fail(request_abstract, profile->request, SAMLP2_REQUEST_ABSTRACT,
|
||||
LASSO_PROFILE_ERROR_INVALID_MSG);
|
||||
|
@ -700,7 +691,7 @@ lasso_saml20_init_request(LassoProfile *profile,
|
|||
/* initialize request fields */
|
||||
lasso_assign_new_string(request_abstract->ID, lasso_build_unique_id(32));
|
||||
lasso_assign_string(request_abstract->Version, "2.0");
|
||||
lasso_assign_gobject(request_abstract->Issuer,
|
||||
lasso_assign_new_gobject(request_abstract->Issuer,
|
||||
LASSO_SAML2_NAME_ID(lasso_saml2_name_id_new_with_string(
|
||||
LASSO_PROVIDER(profile->server)->ProviderID)));
|
||||
lasso_assign_new_string(request_abstract->IssueInstant, lasso_get_current_time());
|
||||
|
@ -1260,6 +1251,7 @@ lasso_saml20_profile_process_any_response(LassoProfile *profile,
|
|||
}
|
||||
|
||||
cleanup:
|
||||
lasso_release_doc(doc);
|
||||
if (rc == LASSO_PROFILE_ERROR_MISSING_STATUS_CODE) {
|
||||
message(G_LOG_LEVEL_CRITICAL,
|
||||
"Status Code is missing in a SAML 2.0 protocol response");
|
||||
|
@ -1288,7 +1280,7 @@ lasso_saml20_profile_process_soap_response(LassoProfile *profile,
|
|||
lasso_null_param(response_msg);
|
||||
|
||||
profile->signature_status = 0;
|
||||
profile->response = lasso_node_new_from_soap(response_msg);
|
||||
lasso_assign_new_gobject(profile->response, lasso_node_new_from_soap(response_msg));
|
||||
lasso_extract_node_or_fail(response_abstract, profile->response, SAMLP2_STATUS_RESPONSE,
|
||||
LASSO_PROFILE_ERROR_INVALID_MSG);
|
||||
lasso_extract_node_or_fail(server, profile->server, SERVER,
|
||||
|
|
|
@ -27,6 +27,7 @@
|
|||
|
||||
#include <lasso/saml-2.0/providerprivate.h>
|
||||
#include <lasso/id-ff/providerprivate.h>
|
||||
#include "../utils.h"
|
||||
|
||||
const char *profile_names[] = {
|
||||
"", /* No fedterm in SAML 2.0 */
|
||||
|
@ -152,6 +153,7 @@ gboolean
|
|||
lasso_saml20_provider_load_metadata(LassoProvider *provider, xmlNode *root_node)
|
||||
{
|
||||
xmlNode *node, *descriptor_node;
|
||||
xmlChar *providerID;
|
||||
|
||||
if (strcmp((char*)root_node->name, "EntityDescriptor") == 0) {
|
||||
node = root_node;
|
||||
|
@ -172,7 +174,9 @@ lasso_saml20_provider_load_metadata(LassoProvider *provider, xmlNode *root_node)
|
|||
return FALSE;
|
||||
}
|
||||
|
||||
provider->ProviderID = (char*)xmlGetProp(node, (xmlChar*)"entityID");
|
||||
providerID = xmlGetProp(node, (xmlChar*)"entityID");
|
||||
lasso_assign_string(provider->ProviderID, (char*)providerID);
|
||||
lasso_release_xml_string(providerID);
|
||||
if (provider->ProviderID == NULL) {
|
||||
message (G_LOG_LEVEL_CRITICAL, "lasso_saml20_provider_load_metadata_from_doc: no entityID attribute");
|
||||
return FALSE;
|
||||
|
@ -379,8 +383,6 @@ lasso_saml20_provider_get_assertion_consumer_service_binding(LassoProvider *prov
|
|||
return binding;
|
||||
}
|
||||
|
||||
|
||||
|
||||
gboolean
|
||||
lasso_saml20_provider_accept_http_method(LassoProvider *provider, LassoProvider *remote_provider,
|
||||
LassoMdProtocolType protocol_type, LassoHttpMethod http_method,
|
||||
|
@ -399,6 +401,7 @@ lasso_saml20_provider_accept_http_method(LassoProvider *provider, LassoProvider
|
|||
"HTTP-Artifact",
|
||||
NULL
|
||||
};
|
||||
gboolean rc = FALSE;
|
||||
|
||||
|
||||
initiating_role = remote_provider->role;
|
||||
|
@ -416,8 +419,8 @@ lasso_saml20_provider_accept_http_method(LassoProvider *provider, LassoProvider
|
|||
|
||||
if (lasso_provider_get_metadata_list(provider, protocol_profile) &&
|
||||
lasso_provider_get_metadata_list(remote_provider, protocol_profile)) {
|
||||
return TRUE;
|
||||
rc = TRUE;
|
||||
}
|
||||
|
||||
return FALSE;
|
||||
lasso_release_string(protocol_profile);
|
||||
return rc;
|
||||
}
|
||||
|
|