entrouvert
/
lasso
16
0
Fork 0
Code Issues Pull Requests Releases Activity
lasso/lasso/saml-2.0/logout.c

412 lines
14 KiB
C
Raw Blame History

/* $Id$
*
* Lasso - A free implementation of the Liberty Alliance specifications.
*
* Copyright (C) 2004-2007 Entr'ouvert
* http://lasso.entrouvert.org
*
* Authors: See AUTHORS file in top-level directory.
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*/
#include "../xml/private.h"
#include "providerprivate.h"
#include "logoutprivate.h"
#include "profileprivate.h"
#include "federationprivate.h"
#include "../id-ff/providerprivate.h"
#include "../id-ff/logout.h"
#include "../id-ff/logoutprivate.h"
#include "../id-ff/sessionprivate.h"
#include "../id-ff/profileprivate.h"
#include "../id-ff/serverprivate.h"
#include "../xml/xml_enc.h"
#include "../xml/saml-2.0/samlp2_logout_request.h"
#include "../xml/saml-2.0/samlp2_logout_response.h"
#include "../xml/saml-2.0/saml2_assertion.h"
#include "../xml/saml-2.0/saml2_authn_statement.h"
#include "../utils.h"
static void check_soap_support(gchar *key, LassoProvider *provider, LassoProfile *profile);
static char*
_lasso_saml2_assertion_get_session_index(LassoSaml2Assertion *assertion)
{
if (! LASSO_IS_SAML2_AUTHN_STATEMENT(assertion->AuthnStatement->data))
return NULL;
return((LassoSaml2AuthnStatement*)assertion->AuthnStatement->data)->SessionIndex;
}
int
lasso_saml20_logout_init_request(LassoLogout *logout, LassoProvider *remote_provider,
LassoHttpMethod http_method)
{
LassoProfile *profile = &logout->parent;
LassoNode *assertion_n = NULL;
LassoSaml2Assertion *assertion = NULL;
LassoSession *session = NULL;
LassoSamlp2LogoutRequest *logout_request = NULL;
int rc = 0;
logout_request = (LassoSamlp2LogoutRequest*) lasso_samlp2_logout_request_new();
lasso_check_good_rc(lasso_saml20_profile_init_request(profile,
remote_provider->ProviderID,
FALSE,
&logout_request->parent,
http_method,
LASSO_MD_PROTOCOL_TYPE_SINGLE_LOGOUT));
/* session existence has been checked in id-ff/ */
session = lasso_profile_get_session(profile);
assertion_n = lasso_session_get_assertion(session, profile->remote_providerID);
if (LASSO_IS_SAML2_ASSERTION(assertion_n) == FALSE) {
return critical_error(LASSO_PROFILE_ERROR_MISSING_ASSERTION);
}
lasso_ref(assertion_n);
assertion = (LassoSaml2Assertion*)assertion_n;
/* set the nameid */
lasso_assign_gobject(logout_request->NameID, profile->nameIdentifier);
/* Encrypt NameID */
if (lasso_provider_get_encryption_mode(remote_provider) == LASSO_ENCRYPTION_MODE_NAMEID) {
lasso_check_good_rc(lasso_saml20_profile_setup_encrypted_node(remote_provider,
(LassoNode**)&logout_request->NameID,
(LassoNode**)&logout_request->EncryptedID));
}
/* set the session index if one is found */
lasso_assign_string(logout_request->SessionIndex,
_lasso_saml2_assertion_get_session_index(assertion));
cleanup:
/* all is going well, remove the assertion */
if (rc == 0) {
lasso_session_remove_assertion(session,
profile->remote_providerID);
}
lasso_release_gobject(logout_request);
lasso_release_gobject(assertion_n);
return rc;
}
int
lasso_saml20_logout_build_request_msg(LassoLogout *logout)
{
LassoProfile *profile = &logout->parent;
return lasso_saml20_profile_build_request_msg(profile, "SingleLogoutService",
logout->parent.http_request_method, NULL);
}
int
lasso_saml20_logout_process_request_msg(LassoLogout *logout, char *request_msg)
{
LassoProfile *profile = NULL;
LassoSamlp2LogoutRequest *logout_request = NULL;
int rc1 = 0, rc2 = 0, rc = 0;
lasso_bad_param(LOGOUT, logout);
lasso_null_param(request_msg);
profile = LASSO_PROFILE(logout);
logout_request = (LassoSamlp2LogoutRequest*) lasso_samlp2_logout_request_new();
rc1 = lasso_saml20_profile_process_any_request(profile, (LassoNode*)logout_request,
request_msg);
goto_cleanup_if_fail_with_rc(rc1 == 0, rc1);
/* remember initial request method, for setting it for generating response */
logout->initial_http_request_method = profile->http_request_method;
rc2 = lasso_saml20_profile_process_name_identifier_decryption(profile,
&logout_request->NameID,
&logout_request->EncryptedID);
goto_cleanup_if_fail_with_rc(rc2 == 0, rc2);
lasso_check_good_rc(lasso_saml20_profile_check_signature_status(profile));
cleanup:
lasso_release_gobject(logout_request);
return rc;
}
int
lasso_saml20_logout_validate_request(LassoLogout *logout)
{
LassoProfile *profile = LASSO_PROFILE(logout);
LassoProvider *remote_provider;
LassoSamlp2StatusResponse *response;
LassoSaml2NameID *name_id;
LassoNode *assertion_n;
LassoSaml2Assertion *assertion;
LassoSamlp2LogoutRequest *logout_request;
char *assertion_SessionIndex = NULL;
int rc = 0;
if (LASSO_IS_SAMLP2_LOGOUT_REQUEST(profile->request) == FALSE)
return LASSO_PROFILE_ERROR_MISSING_REQUEST;
logout_request = (LassoSamlp2LogoutRequest*)profile->request;
/* check the issuer */
lasso_assign_string(profile->remote_providerID,
logout_request->parent.Issuer->content);
remote_provider = lasso_server_get_provider(profile->server, profile->remote_providerID);
if (LASSO_IS_PROVIDER(remote_provider) == FALSE) {
return critical_error(LASSO_SERVER_ERROR_PROVIDER_NOT_FOUND);
}
/* create the response */
response = (LassoSamlp2StatusResponse*)lasso_samlp2_logout_response_new();
lasso_check_good_rc(lasso_saml20_profile_init_response(profile, response,
LASSO_SAML2_STATUS_CODE_SUCCESS, NULL));
/* Get the name identifier */
name_id = LASSO_SAMLP2_LOGOUT_REQUEST(profile->request)->NameID;
if (name_id == NULL) {
lasso_saml20_profile_set_response_status_responder(
profile, LASSO_LIB_STATUS_CODE_FEDERATION_DOES_NOT_EXIST);
return LASSO_PROFILE_ERROR_NAME_IDENTIFIER_NOT_FOUND;
}
if (profile->session == NULL) {
lasso_saml20_profile_set_response_status_responder(profile,
LASSO_SAML2_STATUS_CODE_REQUEST_DENIED);
return critical_error(LASSO_PROFILE_ERROR_SESSION_NOT_FOUND);
}
/* verify authentication */
assertion_n = lasso_session_get_assertion(profile->session, profile->remote_providerID);
if (LASSO_IS_SAML2_ASSERTION(assertion_n) == FALSE) {
lasso_saml20_profile_set_response_status_responder(profile,
LASSO_SAML2_STATUS_CODE_REQUEST_DENIED);
return LASSO_PROFILE_ERROR_MISSING_ASSERTION;
}
assertion = LASSO_SAML2_ASSERTION(assertion_n);
/* Verify name identifier and session matching */
if (assertion->Subject == NULL) {
lasso_saml20_profile_set_response_status(profile,
LASSO_SAML2_STATUS_CODE_RESPONDER,
"http://lasso.entrouvert.org/error/MalformedAssertion");
return LASSO_PROFILE_ERROR_MISSING_SUBJECT;
}
if (lasso_saml2_name_id_equals(name_id, assertion->Subject->NameID) != TRUE) {
lasso_saml20_profile_set_response_status_responder(profile,
LASSO_SAML2_STATUS_CODE_UNKNOWN_PRINCIPAL);
return LASSO_LOGOUT_ERROR_UNKNOWN_PRINCIPAL;
}
/* verify session index */
if (assertion->AuthnStatement) {
if (! LASSO_IS_SAML2_AUTHN_STATEMENT(assertion->AuthnStatement->data)) {
lasso_saml20_profile_set_response_status(profile,
LASSO_SAML2_STATUS_CODE_RESPONDER, "http://lasso.entrouvert.org/error/MalformedAssertion");
return LASSO_PROFILE_ERROR_BAD_SESSION_DUMP;
}
assertion_SessionIndex =
((LassoSaml2AuthnStatement*)assertion->AuthnStatement->data)->SessionIndex;
if (lasso_strisnotequal(logout_request->SessionIndex,assertion_SessionIndex)) {
lasso_saml20_profile_set_response_status_responder(profile,
LASSO_SAML2_STATUS_CODE_REQUEST_DENIED);
return LASSO_LOGOUT_ERROR_UNKNOWN_PRINCIPAL;
}
}
/* if SOAP request method at IDP then verify all the remote service providers support
SOAP protocol profile. If one remote authenticated principal service provider doesn't
support SOAP then return UnsupportedProfile to original service provider */
if (remote_provider->role == LASSO_PROVIDER_ROLE_SP &&
profile->http_request_method == LASSO_HTTP_METHOD_SOAP) {
logout->private_data->all_soap = TRUE;
g_hash_table_foreach(profile->server->providers,
(GHFunc)check_soap_support, profile);
if (logout->private_data->all_soap == FALSE) {
lasso_saml20_profile_set_response_status_responder(profile,
LASSO_LIB_STATUS_CODE_UNSUPPORTED_PROFILE);
return LASSO_LOGOUT_ERROR_UNSUPPORTED_PROFILE;
}
}
/* everything is ok, remove assertion */
lasso_session_remove_assertion(profile->session, profile->remote_providerID);
/* if at IDP and nb sp logged > 1, then backup remote provider id,
* request and response
*/
if (remote_provider->role == LASSO_PROVIDER_ROLE_SP &&
lasso_session_count_assertions(profile->session) >= 1) {
lasso_transfer_string(logout->initial_remote_providerID,
profile->remote_providerID);
lasso_transfer_gobject(logout->initial_request, profile->request);
lasso_transfer_gobject(logout->initial_response, profile->response);
}
cleanup:
lasso_release_gobject(response);
return rc;
}
static void
check_soap_support(G_GNUC_UNUSED gchar *key, LassoProvider *provider, LassoProfile *profile)
{
const GList *supported_profiles;
LassoSaml2Assertion *assertion;
LassoNode *assertion_n;
if (strcmp(provider->ProviderID, profile->remote_providerID) == 0)
return; /* original service provider (initiated logout) */
assertion_n = lasso_session_get_assertion(profile->session, provider->ProviderID);
if (LASSO_IS_SAML2_ASSERTION(assertion_n) == FALSE) {
return; /* not authenticated with this provider */
}
assertion = LASSO_SAML2_ASSERTION(assertion_n);
supported_profiles = lasso_provider_get_metadata_list(provider,
"SingleLogoutService SOAP");
if (supported_profiles)
return; /* provider support profile */
LASSO_LOGOUT(profile)->private_data->all_soap = FALSE;
}
/* If at IDP and if there is no more assertion, IDP has logged out every SPs, return the initial
* response to initial SP. Caution: We can't use the test (remote_provider->role ==
* LASSO_PROVIDER_ROLE_SP) to know whether the server is acting as an IDP or a SP, because it can be
* a proxy. So we have to use the role of the initial remote provider instead.
*/
static void
lasso_saml20_logout_restore_initial_state(LassoLogout *logout) {
LassoProfile *profile = &logout->parent;
if (logout->initial_remote_providerID) {
lasso_transfer_string(profile->remote_providerID,
logout->initial_remote_providerID);
lasso_transfer_gobject(profile->request, logout->initial_request);
lasso_transfer_gobject(profile->response, logout->initial_response);
/* if some of the logout failed, set a partial logout status code */
if (logout->private_data->partial_logout ||
lasso_session_count_assertions(profile->session) > 0) {
/* reset the partial logout status */
logout->private_data->partial_logout = FALSE;
lasso_saml20_profile_set_response_status(profile,
LASSO_SAML2_STATUS_CODE_SUCCESS,
LASSO_SAML2_STATUS_CODE_PARTIAL_LOGOUT);
}
}
}
int
lasso_saml20_logout_build_response_msg(LassoLogout *logout)
{
LassoProfile *profile = LASSO_PROFILE(logout);
LassoSamlp2StatusResponse *response = NULL;
int rc = 0;
/* SP initiated logout */
lasso_saml20_logout_restore_initial_state(logout);
if (! LASSO_IS_SAMLP2_STATUS_RESPONSE(profile->response)) {
/* no response set here means request denied */
response = (LassoSamlp2StatusResponse*) lasso_samlp2_logout_response_new();
/* verify signature status */
if (lasso_saml20_profile_check_signature_status(profile) != 0) {
lasso_check_good_rc(lasso_saml20_profile_init_response(profile, response,
LASSO_SAML2_STATUS_CODE_REQUESTER,
LASSO_LIB_STATUS_CODE_INVALID_SIGNATURE));
} else {
lasso_check_good_rc(lasso_saml20_profile_init_response(profile, response,
LASSO_SAML2_STATUS_CODE_RESPONDER,
LASSO_SAML2_STATUS_CODE_REQUEST_DENIED));
}
}
/* build logout response message */
/* FIXME: should allow to override default response method, should just match that
* request/response are of the same type synchronous or asynchronous */
rc = lasso_saml20_profile_build_response_msg(profile, "SingleLogoutService",
logout->initial_http_request_method, NULL);
cleanup:
lasso_release_gobject(response);
return rc;
}
int
lasso_saml20_logout_process_response_msg(LassoLogout *logout, const char *response_msg)
{
LassoProfile *profile = &logout->parent;
LassoHttpMethod response_method;
LassoProvider *remote_provider = NULL;
LassoSamlp2StatusResponse *response = NULL;
int rc = 0;
response = (LassoSamlp2StatusResponse*) lasso_samlp2_logout_response_new();
lasso_check_good_rc(lasso_saml20_profile_process_any_response(profile, response,
&response_method, response_msg));
/* only if asked we report, otherwise we do not care */
if (profile->signature_status && lasso_profile_get_signature_verify_hint(profile) ==
LASSO_PROFILE_SIGNATURE_HINT_FORCE)
{
goto_cleanup_with_rc(profile->signature_status);
}
remote_provider = lasso_server_get_provider(logout->parent.server,
logout->parent.remote_providerID);
goto_cleanup_if_fail_with_rc(LASSO_IS_PROVIDER(remote_provider),
LASSO_SERVER_ERROR_PROVIDER_NOT_FOUND);
cleanup:
/* Not Success find finer error */
while (rc == LASSO_PROFILE_ERROR_STATUS_NOT_SUCCESS) {
LassoSamlp2StatusCode *sub_status_code;
char *value;
logout->private_data->partial_logout = TRUE;
sub_status_code = response->Status->StatusCode->StatusCode;
if (! sub_status_code)
break;
value = sub_status_code->Value;
if (lasso_strisequal(value,LASSO_SAML2_STATUS_CODE_REQUEST_DENIED)) {
rc = LASSO_LOGOUT_ERROR_REQUEST_DENIED;
break;
}
if (lasso_strisequal(value,LASSO_SAML2_STATUS_CODE_UNKNOWN_PRINCIPAL)) {
rc = LASSO_LOGOUT_ERROR_UNKNOWN_PRINCIPAL;
break;
}
break;
}
if (lasso_session_count_assertions(profile->session) == 0) {
lasso_saml20_logout_restore_initial_state(logout);
}
lasso_release_gobject(response);
return rc;
}
View Git Blame Copy Permalink