Re-implement lasso_profile_saml20_build_paos_request_msg() and
lasso_saml20_login_process_paos_response_msg() to use the
functionality introduced by earlier patches and to ensure they are
functionally complete.
Signed-off-by: John Dennis <jdennis@redhat.com>
License: MIT
ECP does not require an SP to know the remote IdP provider. Existing
code made the assumption that the remote provider was always
necessary. Determination and setting of the remote consumer URL is
different in the presence of ECP. Rework the logic to reflect the
differing requirements.
Signed-off-by: John Dennis <jdennis@redhat.com>
License: MIT
The existing lasso_saml20_profile_process_soap_response() assumed
there were no SOAP headers (prior to ECP none of the SOAP messages
contained headers). A new function
lasso_saml20_profile_process_soap_response_with_headers() was
implemented that serializes from the XML SOAP headers into a
LassoSoapHeader node and optionally will return the LassoSoapHeader
node.
The functionality in lasso_saml20_profile_process_soap_response() was
moved into the new
lasso_saml20_profile_process_soap_response_with_headers() and now
lasso_saml20_profile_process_soap_response() simply calls
lasso_saml20_profile_process_soap_response_with_headers() passing NULL
for the header return.
Signed-off-by: John Dennis <jdennis@redhat.com>
License: MIT
Clang was wrong in one instance: a value must be initialized to its NULL
state before using any lasso_assign_ macro with it.
Bug introduced in 4789e8d4d6.
In a number of cases function inputs are not checked for NULL, although
values may end up NULL and are then dereferenced directly.
Check values in the function (or the caller) as appropriate.
License: MIT
Signed-off-by: Simo Sorce <simo@redhat.com>
Instead of referring to an old FSF address, point the reader to the FSF
website where the latest licenses and addresses are published.
Signed-off-by: Simo Sorce <simo@redhat.com>
* lasso/saml-2.0/profile.c: add new argument role to lasso_saml20_profile_init_artifact_resolve()
for looking up the ArtifactResolutionService location; extract the endpoint index
from the artifact and use it to resolve the endpoint location.
* login.c: pass the new argument; force msg_url as it is preinitialized by
lasso_saml20_profile_init_artifact_resolve()
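As an added worked example (Python, not Lasso's own code) of the endpoint-index lookup this commit describes: a SAML 2.0 type 0x0004 artifact is TypeCode (2 bytes) | EndpointIndex (2 bytes) | SourceID (20 bytes, the SHA-1 of the issuer's entity ID) | MessageHandle (20 bytes), base64-encoded. The index selects which ArtifactResolutionService of the issuer to call. The provider table, entity IDs and URLs below are constructed for the example.

```python
import base64
import hashlib
import hmac
import struct

ARTIFACT_TYPE_CODE = 0x0004  # the only artifact type defined by SAML 2.0 bindings

# Constructed sample metadata: entity ID -> {endpoint index: ArtifactResolutionService Location}
KNOWN_PROVIDERS = {
    "https://idp.example.org/saml2/metadata": {
        0: "https://idp.example.org/saml2/soap/artifact",
        1: "https://idp-standby.example.org/saml2/soap/artifact",
    },
}


def source_id(entity_id):
    """SourceID is the SHA-1 of the issuer's entity ID (SAML 2.0 bindings, section 3.6.4)."""
    return hashlib.sha1(entity_id.encode("utf-8")).digest()


def build_artifact(entity_id, endpoint_index, message_handle):
    """TypeCode(2) | EndpointIndex(2) | SourceID(20) | MessageHandle(20), base64-encoded."""
    if len(message_handle) != 20:
        raise ValueError("MessageHandle must be 20 bytes")
    raw = (struct.pack(">HH", ARTIFACT_TYPE_CODE, endpoint_index)
           + source_id(entity_id) + message_handle)
    return base64.b64encode(raw).decode("ascii")


def parse_artifact(artifact):
    """Return (endpoint_index, source_id, message_handle); reject anything malformed."""
    raw = base64.b64decode(artifact, validate=True)
    if len(raw) != 44:
        raise ValueError("type 4 artifact must decode to 44 bytes, got %d" % len(raw))
    type_code, endpoint_index = struct.unpack(">HH", raw[:4])
    if type_code != ARTIFACT_TYPE_CODE:
        raise ValueError("unsupported artifact type 0x%04x" % type_code)
    return endpoint_index, raw[4:24], raw[24:44]


def resolve_artifact_endpoint(artifact, providers=KNOWN_PROVIDERS):
    """Find the issuer by SourceID, then pick the ArtifactResolutionService whose index matches.

    An unknown SourceID or an index the issuer does not publish is an error, not a
    fallback to index 0: the artifact must be resolved where the issuer said it would be.
    """
    endpoint_index, sid, _handle = parse_artifact(artifact)
    for entity_id, services in providers.items():
        if hmac.compare_digest(source_id(entity_id), sid):
            location = services.get(endpoint_index)
            if location is None:
                raise LookupError("provider %s has no ArtifactResolutionService with index %d"
                                  % (entity_id, endpoint_index))
            return entity_id, location
    raise LookupError("artifact SourceID does not match any known provider")
```

The example only selects the endpoint; the actual ArtifactResolve exchange over SOAP, and the signature on it, are separate steps.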
This commit complements the support for multiple signing certificates
in the metadata files. The use-case is still key roll-over.
The structure LassoServerPrivateData was changed to accommodate multiple
decryption keys, and so:
xmlSecKey *encryption_private_key
became:
GList *encryption_private_keys
All uses of this key were replaced by a loop over this list, terminating
with the first key able to decrypt the content.
The private key passed to lasso_server_new() or
lasso_server_new_from_buffers() is first added to the list of decryption
keys. Any other call to
lasso_server_set_encryption_private_key_with_password() or
lasso_server_set_encryption_private_key() will add a new key to the
list.
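An added example (Python, not Lasso's own code) of the key roll-over loop this commit describes: a list of decryption keys, the constructor's key first and later keys appended, tried in order until one decrypts. Lasso does this with RSA keys and XML Encryption; the example stands in a small stdlib-only authenticated cipher (HMAC-SHA256 keystream, encrypt-then-MAC) so that a wrong key is detected by a tag mismatch. Key bytes and messages are constructed for the example.

```python
import hashlib
import hmac
import os


class DecryptionError(Exception):
    pass


def _keystream(key, nonce, length):
    """HMAC-SHA256 in counter mode; a stdlib stand-in for a real cipher, not a recommendation."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _subkeys(key):
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def encrypt(key, plaintext, nonce=None):
    """Encrypt-then-MAC: nonce(16) | ciphertext | tag(32)."""
    nonce = nonce if nonce is not None else os.urandom(16)
    enc_key, mac_key = _subkeys(key)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt(key, blob):
    """Raise DecryptionError when the tag does not verify under this key (wrong key or tampering)."""
    if len(blob) < 48:
        raise DecryptionError("blob too short")
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    enc_key, mac_key = _subkeys(key)
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise DecryptionError("authentication tag mismatch")
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))


class Server:
    """Mirrors the described list: the constructor's key first, later keys appended."""

    def __init__(self, encryption_private_key):
        self.encryption_private_keys = [encryption_private_key]

    def set_encryption_private_key(self, key):
        self.encryption_private_keys.append(key)

    def decrypt(self, blob):
        """Try each configured key in order; return (index, plaintext) for the first that works."""
        for index, key in enumerate(self.encryption_private_keys):
            try:
                return index, decrypt(key, blob)
            except DecryptionError:
                continue
        raise DecryptionError("none of the %d configured keys could decrypt the content"
                              % len(self.encryption_private_keys))
```

Two practical points: put the current key first so the loop normally succeeds on the first try, and report the same error to the remote party whether every key failed because of a wrong key or because the content was tampered with, so the loop does not become an oracle for which key is in use.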
In lasso_saml20_profile_process_artifact_resolve, we now take a short
path with an error when the remote provider is unknown and we also
respect the lasso_profile_get_signature_verify_hint() when checking the
signature on the artifact resolve message.
The check was missing for the processing of logout requests, name ID
management requests and assertion query responses.
A new internal function lasso_saml20_profile_check_signature_status is
added.
Previously content was stored as the result of the lasso_node_dump method,
then reloaded, and then serialized again as part of the ArtifactResponse
message. lasso_node_dump was ignoring all hints to sign the node, but keeping
the needed parameters around. That's not what must be done: the
signature should happen at the generation of the artifact and the result
must be manipulated as is (i.e. as XML content) and never moved back to the
land of LassoNode objects.
Now the content is:
- first stripped of any signature at the message level, because the
ArtifactResponse will take care of this (any signature under this
level, like at the assertion, is kept),
- serialized using lasso_node_export_to_xml,
- reloaded using lasso_xml_parse_memory,
- and put into the ArtifactResponse using a
lasso_misc_text_node_new_with_xml_node.
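An added example (Python with the standard-library ElementTree, not Lasso's own code) of the four steps above: drop only the message-level ds:Signature of the stored Response, keep the assertion's signature, serialize, reload the serialized bytes, and append the result to a new ArtifactResponse. The Response document, IDs and issuer are constructed for the example; the signature values are placeholders, not real XML-DSig output.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)

DS_SIGNATURE = "{%s}Signature" % NS["ds"]

# Constructed sample: a Response signed at the message level and at the assertion level.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_resp1" Version="2.0">
  <saml:Issuer>https://idp.example.org</saml:Issuer>
  <ds:Signature><ds:SignatureValue>MESSAGE-LEVEL</ds:SignatureValue></ds:Signature>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>https://idp.example.org</saml:Issuer>
    <ds:Signature><ds:SignatureValue>ASSERTION-LEVEL</ds:SignatureValue></ds:Signature>
    <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""


def strip_message_level_signature(root):
    """Remove only ds:Signature children of the root; nested (assertion) signatures are kept."""
    for child in list(root):
        if child.tag == DS_SIGNATURE:
            root.remove(child)
    return root


def build_artifact_response(response_xml, issuer, in_response_to):
    """Steps 1-4 from the commit message, on XML content only."""
    root = strip_message_level_signature(ET.fromstring(response_xml))
    # Serialize, then reload from the serialized bytes: from here on the content is
    # carried as XML and never rebuilt from objects.
    serialized = ET.tostring(root, encoding="utf-8")
    content = ET.fromstring(serialized)
    artifact_response = ET.Element("{%s}ArtifactResponse" % NS["samlp"],
                                   {"ID": "_ar1", "Version": "2.0", "InResponseTo": in_response_to})
    ET.SubElement(artifact_response, "{%s}Issuer" % NS["saml"]).text = issuer
    status = ET.SubElement(artifact_response, "{%s}Status" % NS["samlp"])
    ET.SubElement(status, "{%s}StatusCode" % NS["samlp"],
                  {"Value": "urn:oasis:names:tc:SAML:2.0:status:Success"})
    artifact_response.append(content)
    # The ArtifactResponse itself would be signed at this point; omitted here.
    return ET.tostring(artifact_response, encoding="unicode")


def signature_parents(xml_text):
    """Local names of the elements that directly contain a ds:Signature, in document order."""
    root = ET.fromstring(xml_text)
    return [elem.tag.split("}")[1] for elem in root.iter()
            for child in elem if child.tag == DS_SIGNATURE]
```

ElementTree is used here to keep the example self-contained; it does not preserve whitespace or namespace prefixes exactly, and a kept assertion signature survives only if the bytes it covers survive, which is exactly why the commit insists on handling the content as XML rather than re-dumping objects.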
* support private key with new internal API in signature setting
methods
Plug lasso_node_set_signature into
lasso_profile_saml20_setup_message_signature and
lasso_server_saml2_assertion_setup_signature.
* also use lasso_node_get_signature in has_signature
* add forgotten LASSO_PROFILE_SIGNATURE_VERIFY_HINT_FORCE in switch
cases
For AuthnResponse checking the semantic is now that if HINT_FORCE is
used we verify message signature *and* assertion signature. If
HINT_MAYBE is used we check the assertion signature if its issuer
differs from the message issuer.
* lasso/id-ff/profile.h:
- add end symbol for enum LassoProfileSignatureVerifyHint
* lasso/id-ff/profile.c:
- fix documentation of lasso_profile_set_signature_verify_hint
- do not allow setting or returning an invalid value for the
signature_verify_hint attribute.
* lasso/saml-2.0/login.c:
- handle new enum value
* lasso/saml-2.0/profile.c:
- handle new enum value
- fix missing catch of signature error reporting when
signature_verify_hint is IGNORE.
* docs/reference/lasso/lasso-sections.txt:
- export enums LassoProfileSignatureHint and
LassoProfileSignatureVerifyHint
* tests/metadata_tests.c:
- fix test of all Role enumerations
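An added example (Python, not Lasso's own code) pulling together the signature-hint behaviour described across the commits above: the internal check_signature_status that applies the verify hint, the AuthnResponse rule that HINT_FORCE verifies both message and assertion signatures while HINT_MAYBE verifies the assertion only when its issuer differs from the message issuer, the rejection of out-of-range hint values, and the IGNORE case in which a signature error is caught rather than reported. The exact semantics of MAYBE (verify if present, fail only if invalid) and FORCE (fail if missing or invalid), the status codes and the class layout are assumptions of this example.

```python
# Hint values as an enum with a trailing LAST symbol marking the end of the range.
HINT_MAYBE, HINT_IGNORE, HINT_FORCE, HINT_LAST = range(4)
HINT_NAMES = {HINT_MAYBE: "MAYBE", HINT_IGNORE: "IGNORE", HINT_FORCE: "FORCE"}

# Outcomes of the low-level signature check (assumed codes).
SIG_OK, SIG_NOT_FOUND, SIG_INVALID = "ok", "not-found", "invalid"


class SignatureError(Exception):
    pass


class Profile:
    def __init__(self):
        self.signature_verify_hint = HINT_MAYBE

    def set_signature_verify_hint(self, hint):
        """Reject anything outside the enum range instead of storing it."""
        if not isinstance(hint, int) or not 0 <= hint < HINT_LAST:
            raise ValueError("invalid signature verify hint: %r" % (hint,))
        self.signature_verify_hint = hint

    def get_signature_verify_hint(self):
        return self.signature_verify_hint

    def check_signature_status(self, status):
        """IGNORE never fails (the error is caught here); MAYBE fails only on an invalid
        signature; FORCE fails on a missing or invalid signature. Returns True on acceptance."""
        hint = self.signature_verify_hint
        if hint == HINT_IGNORE or status == SIG_OK:
            return True
        if status == SIG_NOT_FOUND and hint == HINT_MAYBE:
            return True
        raise SignatureError("signature %s (hint %s)" % (status, HINT_NAMES[hint]))

    def authn_response_signatures_to_verify(self, message_issuer, assertion_issuer):
        """Which signatures of an AuthnResponse the current hint requires us to look at."""
        hint = self.signature_verify_hint
        if hint == HINT_IGNORE:
            return set()
        if hint == HINT_FORCE:
            return {"message", "assertion"}
        # MAYBE: the assertion signature matters when the message signature does not
        # vouch for it, i.e. when the assertion issuer differs from the message issuer.
        required = {"message"}
        if assertion_issuer != message_issuer:
            required.add("assertion")
        return required

    def process_authn_response(self, message_issuer, assertion_issuer, statuses):
        """statuses: {"message": ..., "assertion": ...} from the low-level verifier.
        A signature the policy requires but the verifier did not see counts as not found."""
        for which in sorted(self.authn_response_signatures_to_verify(message_issuer,
                                                                     assertion_issuer)):
            self.check_signature_status(statuses.get(which, SIG_NOT_FOUND))
        return True
```

Note that under MAYBE an assertion from a third issuer carried inside a message signed by the IdP still gets its own signature checked; only an assertion from the same issuer as the signed message rides on the message signature.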
* lasso/saml-2.0/profile.c:
this change makes Lasso respect paragraphs 3.4.5.2 (HTTP-Redirect
binding security considerations) and 3.5.5.2 (the same for HTTP-POST)
of the saml-bindings-2.0-os.pdf document, and should allow our
AuthnRequests to be accepted by the Shibboleth IdP.
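The two paragraphs cited above require that a signed message carry a Destination attribute holding the URL the message was sent to, and that the receiver check it against the URL it actually received the message at. As an added example (Python, stdlib only, not Lasso's own code), the block below encodes an AuthnRequest for the HTTP-Redirect binding (raw DEFLATE, base64, URL-encoded into the query string), decodes it on the receiving side and applies the Destination check. The request, URLs and RelayState are constructed for the example; the comparison rule (scheme, host and path, query string ignored) is this example's choice.

```python
import base64
import urllib.parse
import xml.etree.ElementTree as ET
import zlib

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"

# Constructed sample AuthnRequest; treated as signed by the receiver below.
SAMPLE_AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="%s" ID="_req1" Version="2.0" '
    'IssueInstant="2013-01-01T00:00:00Z" '
    'Destination="https://idp.example.org/saml2/redirect/sso" '
    'AssertionConsumerServiceURL="https://sp.example.org/saml2/post/acs"/>' % SAMLP
)


def encode_redirect_payload(xml_text):
    """HTTP-Redirect binding: raw DEFLATE (no zlib header), then base64."""
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = compressor.compress(xml_text.encode("utf-8")) + compressor.flush()
    return base64.b64encode(deflated).decode("ascii")


def decode_redirect_payload(param):
    return zlib.decompress(base64.b64decode(param), -15).decode("utf-8")


def build_redirect_url(destination, xml_text, relay_state=None):
    """Sender side: the URL the user agent is told to fetch."""
    query = {"SAMLRequest": encode_redirect_payload(xml_text)}
    if relay_state is not None:
        query["RelayState"] = relay_state
    return destination + "?" + urllib.parse.urlencode(query)


def _endpoint_of(url):
    parts = urllib.parse.urlsplit(url)
    return (parts.scheme.lower(), parts.netloc.lower(), parts.path or "/")


def check_destination(xml_text, received_url, signed):
    """Bindings 3.4.5.2 / 3.5.5.2: a signed message MUST carry Destination, and it MUST
    match the URL the message was delivered to. Returns True when the message may be
    accepted at received_url."""
    root = ET.fromstring(xml_text)
    destination = root.get("Destination")
    if destination is None:
        return not signed
    return _endpoint_of(destination) == _endpoint_of(received_url)


def receive_redirect(received_url, signed=True):
    """Receiver side: pull SAMLRequest out of the query, inflate it, apply the check."""
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(received_url).query)
    xml_text = decode_redirect_payload(query["SAMLRequest"][0])
    return xml_text, check_destination(xml_text, received_url, signed)
```

The check is what stops a message signed for one endpoint from being replayed to another; it only has teeth when the signature covers the Destination attribute, which for the Redirect binding means the signature computed over the SAMLRequest, RelayState and SigAlg parameters.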
* lasso/saml-2.0/profile.c:
dump for an already signed assertion containing an EncryptedID as
Subject does not work as before: the decrypted NameID is no longer
included in it, so instead of trying to plug it into the NameID field
we resort to really deciphering the EncryptedID.
That could be a performance problem if the session object is stuffed
with a lot of assertions.
* lasso/saml-2.0/profile.c:
Issuer is not a mandatory element of a SAML 2.0 response,
but if we do not remember to which issuer we sent the request (or if
the response is spontaneous) then we will receive a provider-not-found
error when trying to check the message signature.