The check was missing for processing of logout requests, name id
management request and assertion query responses.
A new internal function lasso_saml20_profile_check_signature_status is
added.
Previously content was stored as the result of lasso_node_dump method
then reloaded, and then serialized again as part of the ArtifactResponse
message. lasso_node_dump was ignoring all hint to sign node, but keeping
the needed parameters around. That's not what must be done, the
signature should happen at the generation of the artifact and the result
must manipulated as is (i.e. XML content) and never moved back to the
land of LassoNode objects.
Now the content is:
- first removed of any signature at the message level, because the
ArtifactResponse will take care of this, (any signature under this
level (like at the assertion) is kept),
- serialized using lasso_node_export_to_xml,
- reloaded using lasso_xml_parse_memory,
- and put into the ArtifactResponse using a
lasso_misc_text_node_new_with_xml_node.
* support private key with new internal API in signature setting
methods
Plug lasso_node_set_signature into
lasso_profile_saml20_setup_message_signature and
lasso_server_saml2_assertion_setup_signature.
* also use lasso_node_get_signature in has_signature
* add forgottent LASSO_PROFILE_SIGNATURE_VERIFY_HINT_FORCE in switch
cases
For AuthnResponse checking the semantic is now that if HINT_FORCE is
used we verify message signature *and* assertion signature. If
HINT_MAYBE is used we check the assertion signature if its issuer
differs from the message issuer.
* lasso/id-ff/profile.h:
- add end symbol for enum LassoProfileSignatureVerifyHint
* lasso/id-ff/profile.c:
- fix documentation of lasso_profile_set_signature_verify_hint
- do not allow to set or return invalid value for the
signature_verify_hint attribute.
* lasso/saml-2.0/login.c:
- handle new enum value
* lasso/saml-2.0/profile.c:
- handle new enum value
- fix missing catch of signature error reporting when
signature_verify_hint is IGNORE.
* docs/reference/lasso/lasso-sections.txt:
- export enums LassoProfileSignatureHint and
LassoProfileSignatureVerifyHint
* tests/metadata_tests.c:
- fix test of all Role enumerations
* lasso/saml-2.0/profile.c:
this change make Lasso respect paragraphs 3.4.5.2 (HTTP-Redirect
binding securit considerations ) and 3.5.5.2 (the same for HTTP-Post)
of the saml-bindings-2.0-os.pdf document, and should allow our Authn
Requests to be accepted by shiboleth IdP.
* lasso/saml-2.0/profile.c:
dump for already signed assertion containing an EncryptedID as
Subject does not work as before, the decrypted NameID is no more
included in it, so instead of trying to plug it in the NameID field
we resort to really deciphering the EncryptedID.
That could be a performance problem if the session object is stuffed
with a lot of assertions.
* lasso/saml-2.0/profile.c:
Issuer is not a mandatory element of SAML 2.0 response,
but if we do not remember which issuer we sent the request (of if
the response is spontaneous) then we will receive a provider not found
error when trying to check the message signature.
* lasso/id-ff/profile.c:
if no LassoIdentity is accessible try to get a name identifier
through the assertion in the LassoSession object. This allows the
logout profile to work without an identity object (which is normal
since logout does not modify the federation status).
* lasso/saml-2.0/profile.c:
* lasso/saml-2.0/profileprivate.h:
make lasso_saml20_profile_set_response_status2 the new implementation
of lasso_saml20_profile_set_response_status.
add helper macros to set success, responder and requester first level
status code.
* saml-2.0/assertion_query.c:
* saml-2.0/login.c:
* saml-2.0/logout.c:
* saml-2.0/name_id_management.c:
adapt consumers to the new signature.
* client of LassoServer should use lasso_server_get_provider.
* LASSO_PROFILE_ERRROR_UNKNOWN_PROVIDER was a mistake, it is
superfluous, use LASSO_SERVER_ERROR_PROVIDER_NOT_FOUND.
* nearly all C files: change includes for relative paths.
* lasso/id-wsf/id_wsf.h, lasso/id-wsf-2.0/id_wsf_2.h: add top level
public include files for ID-WSF 1.0 and ID-WSF 2.0.
* lasso/id-ff/server.*, lasso/id-ff/session.*, lasso/id-ff/identity.*:
remove most of the code related to ID-WSF and push into
lasso/id-wsf/id_ff_extensions.* and lasso/id-wsf-2.0/identity.c,
lasso/id-wsf-2.0/server.c, lasso/id-wsf-2.0/session.c.
* lasso/id-wsf-2.0/saml2_login.c,
lasso/id-wsf-2.0/saml2_login_private.h: same change but for ID-WSF
2.0 support in SAML2 SSO profile.
* id-ff/session.h: seal public fields.
* id-ff/session.c, id-ff/sessionprivate.h: add accessors for reading
the is_dirty flag and counting store assertions.
* id-ff/logout.c, id-ff/login.c, saml-2.0/login.c, saml-2.0/logout.c,
saml-2.0/profile.c: use the new accessors.
* id-ff/profile.c: include the private header file, use the new
accessors, and remove unnecessary setting of is_dirty to FALSE (it
should be false at instanciation).
* utils.h: add a macro to access private content, prepare for using
G_TYPE_INSTANCE_GET_PRIVATE and the GObject infrastructure for
private structures eventually.
* lasso/saml-2.0/profile.c:
HTTP Redirect binding mandate to remove signature at the SAML message
level, but signatures at the assertion, especially if the SP asked for
it, must be preserved.
* lasso/saml-2.0/login.c:
* lasso/saml-2.0/logout.c:
* lasso/saml-2.0/name_id_management.c:
* lasso/saml-2.0/profile.c:
* lasso/saml-2.0/provider.c:
do not mix g_malloc strings with libxml strings, use the
string/gobject handling macros as much as possible, be a good memory
citizen, don't put your elbows on the table.
* lasso/saml-2.0/profile.c:
in lasso_saml20_profile_process_any_request and
lasso_saml20_profile_process_any_response do not make signature
validation failure as call failure, just store the result in
profile->signature_status and let the upper level functions handle
what to do with it. also add documentation about those two functions.
* lasso/saml-2.0/logout.c:
* lasso/saml-2.0/name_id_management.c:
handle new signature_status semantic.
* lasso/saml-2.0/login.c:
add internal documentation for
lasso_saml20_login_process_authn_response_msg.
* lasso/saml-2.0/profile.c:
in lasso_saml20_profile_build_redirect_request_msg and
lasso_saml20_profile_build_redirect_response, use new function
lasso_saml20_profile_build_http_redirect.
* lasso/saml-2.0/login.c: In
lasso_saml20_login_process_authn_request_msg change handling of
relayState do not rely upon parsing by the node object, but extract
directly from the query string. Use new function
lasso_get_relaystate_from_query.
* lasso/saml-2.0/logout.c: In lasso_saml20_logout_process_request_msg
change handling of relayState do not rely upon parsing by the node
object, but extract directly from the query string.
* lasso/saml-2.0/profile.c: In
lasso_saml20_profile_init_artifact_resolve, add handling of the
relayState transmitted to the assertion consumer URL.
* lasso/saml-2.0/name_id_management.c: In
lasso_name_id_management_process_request_msg change handling of
relayState do not rely upon parsing by the node
object, but extract directly from the query string.
* lasso/saml-2.0/profile.c, lasso/saml-2.0/profileprivate.h:
- remove_all_signature traverse a tree of LassoNode objects to unset
all signature_type field in on nodes supporting signature
generation.
- lasso_saml20_profile_export_to_query does the job of generateing
the url containing the message content and the relaystate, then
sign it using lasso_query_sign.
- lasso_saml20_profile_build_http_redirect use those two functions
and the metadatas to build the signed redirect url.
* lasso/saml-2.0/profile.c:
* lasso/saml-2.0/profileprivate.h:
the current effort is to simplify implementation code in saml-2.0 and
much of the other frameworks. Those new methods:
lasso_saml20_init_request
lasso_saml20_profile_process_name_identifier_decryption
lasso_saml20_profile_process_soap_request
lasso_saml20_profile_process_soap_response
lasso_saml20_profile_process_any_request
lasso_saml20_profile_process_any_response
lasso_saml20_profile_setup_request_signing
lasso_saml20_profile_build_request_msg
lasso_saml20_profile_build_response
lasso_saml20_profile_init_response
should help reduce code in login.c, logout.c, name_id_management.c
and assertion_query.c. They should also permit to make all profiles
at the same level of binding support
(GET,REDIRECT,POST,ARTIFACT_GET,ARTIFACT_POST).
Those function centralize error code handling, initialization of
commong class (LassoSamlp2StatusResponse and
LassoSamlp2RequestAbstract) and also the handling of NameID
decryption.
Benjamin Dauvergne