The new implementations of lasso_node_impl_init_from_xml now validate
namespace of all child nodes before parsing. It stops on any error. For
nodes which implement their own parsing of an attribute or a node, they
must declare an XmlSnippet with an offset field set to 0. The 0 value is
invalid for public GObject structure (it's the place of the GObject
machinery like the reference count). The 0 offset can be used for
XmlSnippet in a private structure, so never set the offset to 0 with the
flag SNIPPET_PRIVATE, for a field which is parsed by your get_xmlNode
virtual method.
Another amelioration in this commit is the possibility to set attributes
with namespace when using the flags SNIPPET_ATTRIBUTE|SNIPPET_ANY. The
syntax for an attribute is inspired by the element tree API from Python:
{namespace}attribute_name
an example:
{http://www.w3.org/2001/XMLSchema-instance}type
for the classic xsi:type attribute.
- added new macros SNIPPET_STRUCT_MEMBER and SNIPPET_STRUCT_MEMBER_P
replaces use of G_STRUCT_MEMBER/_P macros.
- we use the GType of the class containing a given XmlSnippet to find
the proper private structure.
- added flag SNIPPET_PRIVATE to state XmlSnippet whose value
should be extracted from the private structure and not the public
one.
Those two methods allow associating signature parameters to any node.
They keep it inside the CustomElement quark. Using a private structure
may be more performant.
In order to permit subclass to modify the base xmlNode created by
lasso_node_impl_get_xmlNode we must defer the concrete to the virtual
method wrapper, lasso_node_get_xmlNode.
To do that it was needed to make id_attribute another virtual field of
LassoNode subclasses (it can be accessed through an offset registered in
the class object).
This commit solves signature validation error since the patch for
managing more than one SessionIndex element in samlp2:LogoutRequest.
It also factorizes the creation of signatures in one place.
* We now support the two possible formats for xsdtime XSchema datatype:
- dddd-dd-ddTdd:dd:ddZ
- dddd-dd-ddTdd:dd:dd.d*Z
Where d denotes a digit, and * is the Kleene star.
XSD datetime also supports negative years, but as we cannot represent
them with time_t, we can reject it at the lexical level.
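
Added example, not part of the Lasso sources or of the commit message above: a strict lexical check for the two accepted formats. The function name xsd_time_lexical_ok and the sample strings are constructed for illustration; anything carrying a sign, a timezone offset or trailing data is refused before any conversion to time_t.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical helper (not Lasso's API): returns 1 when s matches
 * dddd-dd-ddTdd:dd:ddZ or dddd-dd-ddTdd:dd:dd.d*Z, 0 otherwise. */
static int xsd_time_lexical_ok(const char *s)
{
    /* 'd' stands for one digit; every other character is literal. */
    static const char pattern[] = "dddd-dd-ddTdd:dd:dd";
    size_t i;

    if (s == NULL)
        return 0;
    for (i = 0; pattern[i] != '\0'; i++) {
        if (pattern[i] == 'd') {
            /* A short input hits its NUL here and is rejected. */
            if (!isdigit((unsigned char)s[i]))
                return 0;
        } else if (s[i] != pattern[i]) {
            return 0;
        }
    }
    s += i;
    if (*s == '.') {            /* optional fraction: '.' then d* */
        s++;
        while (isdigit((unsigned char)*s))
            s++;
    }
    /* Only the UTC designator may follow, and nothing after it. */
    return s[0] == 'Z' && s[1] == '\0';
}

int main(void)
{
    /* Constructed sample values. */
    const char *samples[] = {
        "2009-03-27T12:30:45Z",       /* accepted */
        "2009-03-27T12:30:45.123Z",   /* accepted */
        "-0044-03-15T12:00:00Z",      /* negative year: rejected */
        "2009-03-27T12:30:45+01:00",  /* offset form: rejected */
    };
    size_t n;

    for (n = 0; n < sizeof samples / sizeof samples[0]; n++)
        printf("%-28s %s\n", samples[n],
               xsd_time_lexical_ok(samples[n]) ? "ok" : "rejected");
    return 0;
}
```

Because d* matches zero digits, a bare "." before the Z is accepted, exactly as the second pattern is written.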
* lasso/xml/private.h lasso/xml/xml.c:
add a new primary XmlSnippet type for collecting all namespace
declarations, following parent relation on current node or one of the
child nodes.
* lasso/xml/tools.c lasso/xml/private.h:
lots of functions duplicate this code, so we factorized it there.
It has two parameters, the xmlnode and boolean deciding whether to
format the resulting content (good for reading but bad for
signatures).
* lasso/xml/tools.c:
this new function is a placeholder for the new SAML 2.0 semantic
following query signature validation function. It will start with the
old code of lasso_query_verify_signature.
* tools.c:
add lasso_xml_parse_file, based on g_file_get_contents and
lasso_xml_parse_memory.
add lasso_xml_parse_memory_with_error which instead of logging
errors, can return the xmlError structure.
add lasso_xmlsec_load_key_info, which allows to load keys from
ds:KeyInfo XML nodes. It also supports the "Lasso" bug of using
ds:KeyValue directly to store base64 encoded keys and certificates.
* nearly all C files: change includes for relative paths.
* lasso/id-wsf/id_wsf.h, lasso/id-wsf-2.0/id_wsf_2.h: add top level
public include files for ID-WSF 1.0 and ID-WSF 2.0.
* lasso/id-ff/server.*, lasso/id-ff/session.*, lasso/id-ff/identity.*:
remove most of the code related to ID-WSF and push into
lasso/id-wsf/id_ff_extensions.* and lasso/id-wsf-2.0/identity.c,
lasso/id-wsf-2.0/server.c, lasso/id-wsf-2.0/session.c.
* lasso/id-wsf-2.0/saml2_login.c,
lasso/id-wsf-2.0/saml2_login_private.h: same change but for ID-WSF
2.0 support in SAML2 SSO profile.
* lasso/xml/tools.c,lasso/xml/private.h:
- lasso_eval_xpath_expression(xmlXPathContextPtr xpathCtx,
const char *expression, xmlXPathObjectPtr *xpathObjectPtr,
int *xpathErrorCode) is a boolean returning function handling call
to libxml API to evaluate an XPath expression in the xpathCtx
context. It eventually saves the returned nodeset in the variable
pointed by xpathObjectPtr if it is not-NULL
(and eventually deallocates previous value)
and if an error happened it copies its code into the variable
pointed to by xpathErrorCode if it is not NULL.
* xml/tools.c:
add lasso_url_add_parameter that concatenates the string &key=value to an
existing URL where key and value are url-encoded.
* xml/private.h:
declare lasso_url_add_parameter.
* lasso/xml/private.h:
* lasso/xml/tools.c:
replace implementation of lasso_node_decrypt by a new one called
lasso_node_decrypt_xmlnode, and use it where old one was used.
* lasso/id-ff/provider.c:
try to keep some homogeneity between lasso_verify_signature and
lasso_verify_query_signature functions, by having mirror methods
inside the LassoProvider class. These new methods come with complete
documentation.
* lasso/xml/tools.c:
add a xmlDoc argument to lasso_verify_signature, in order to
reuse an already built message context, and possible problems with
interned string in parsed xml documents.
* lasso/xml/private.h:
* lasso/xml/xml.c:
lasso_node_init_from_message_with_format permits to initialize a node
and to keep the corresponding xml document, in order for example to
validate a signature.
* lasso/xml/tools.c:
lasso_xml_parse_message is able to parse a message of any type, or of
a given type. If a message of another type than the one specified is
found, the call fails, and a LASSO_MESSAGE_FORMAT_ERROR is returned.
* lasso/xml/tools.c:
add lasso_xml_is_soap, to verify that a message is SOAP.
add lasso_xml_get_soap_content, to retrieve the first child of the
SOAP body, whatever the SOAP content version.
* lasso/xml/xml_enc.h:
remove old functions
* lasso/xml/private.h:
remove lasso_node_(de/en)crypt from public headers API, they were not
exported anyway. move them to internal header.
* lasso/xml/saml-2.0/saml2_encrypted_element.{c,h}:
add a new decrypt function to convert an EncryptedElement to the
contained encrypted node objects.
* bindings/overrrides.xml:
do not export the new method, wait for implementation of output
arguments.
* lasso/id-ff/server.c:
remove lasso_decrypt_nameid from lasso/id-ff/server.c
* lasso/xml/private.h:
* lasso/xml/xml.h
* lassoi/xml/xml.c:
add an implementation helper for the AttributeValue objects
implementation of get_xmlNode.
make lasso_node_set_original_xmlnode public API.
* lasso/xml/saml-2.0/samlp2_extensions.c:
* lasso/xml/saml-2.0/saml2_attribute_value.c:
* lasso/xml/saml_attribute_value.c:
implement get_xmlNode for the AttributeValue and Extensions objects.
If the any field is empty, use the original_xmlnode value. In order
to support free-style content, you must use the method
lasso_node_set_original_xmlnode, properties and children are
extracted from the given node and added to the node created by the
generic get_xmlNode virtual method.
* private.h:
add the new constant to the enum type
* xml.c:
fix lasso_node_traversal, add support for the new constant in
lasso_node_imp_init_from_xmlNode.
* lasso/xml/tools.c: in lasso_verify_signature always return success if
lasso_flag_verify_signature is FALSE.
* lasso/xml/private.h: change return type to int.
* lasso/xml/tools.c:
- lasso_saml_constrain_dsigctxt() add constraints following SAML
specifications on XMLDsig signatures to a libxmlsec DSig context.
- lasso_verify_signature() this function given an xmlNode and a key or
a keys manager (for a set of AC or AC chains) validates the
enveloped signature set upon this node. It can be instructed to
follow constraints of the SAML 1.0 specification.
* lots of files: Explicitly set all fields of initialized structures,
in order to remove -Wno-missing-field-initializers from needed
compiler options when using -Wall -Wextra.