* saml2.inc.php:

- add a relaystate parameter to sso functions * saml_common.inc.php: - add a relaystate parameter to sso functions - complete error handling * endpoints.inc.php: - extract query string - detect HTTP_METHOD - block endpoints from bad methods
0001-01-01 00:00:00 +00:00 · 0001-01-01 00:00:00 +00:00 · 2183d6b9af
parent c0aba95c76
commit 2183d6b9af
2 changed files with 42 additions and 17 deletions
--- a/include/lassospkit_saml2.inc.php
+++ b/include/lassospkit_saml2.inc.php
@ -27,13 +27,13 @@ class LassoSPKitSaml2 extends LassoSPKitSAMLCommon {
        to create a new federation if a persistent
        one is asked for federate = TRUE.
      */
-    function sso($create = TRUE, $federate = TRUE, $passive = FALSE) {
+    function sso($create = TRUE, $federate = TRUE, $passive = FALSE, $relayState = null) {
        if ($federate) {
            $format = LASSO_SAML2_NAME_IDENTIFIER_FORMAT_PERSISTENT;
        } else {
            $format = LASSO_SAML2_NAME_IDENTIFIER_FORMAT_TRANSIENT;
        }
-        return $this->ssoInit(array('allowCreate' => $create,  'nameIDFormat' => $format, 'isPassive' => $passive));
+        return $this->ssoInit(array('allowCreate' => $create,  'nameIDFormat' => $format, 'isPassive' => $passive, 'relayState' => $relayState));
    }
    function ssoInit($params = array())
    {
@ -44,12 +44,13 @@ class LassoSPKitSaml2 extends LassoSPKitSAMLCommon {
            'method' => LASSO_HTTP_METHOD_REDIRECT,
            'isConsentObtained' => FALSE,
            'forceAuthn' => FALSE,
+            'relayState' => null,
            'isPassive' => FALSE);
        $params = array_merge($default_params, $params);
        extract($params);
        #lassospkit_debuglog("Params isPassive: $isPassive allowCreate: $allowCreate format: $nameIDFormat");
        $login = null;
-        return parent::ssoCommon($login, $remoteID, $method, $isConsentObtained, $forceAuthn, $isPassive, array('nameIDFormat'=>$nameIDFormat, 'allowCreate' => $allowCreate));
+        return parent::ssoCommon($login, $remoteID, $method, $isConsentObtained, $forceAuthn, $isPassive, $relayState, array('nameIDFormat'=>$nameIDFormat, 'allowCreate' => $allowCreate));
    }
    /** Defederation, convert to NameIdManagement protocol **/
    public function initiateFTNotification($method = LASSO_HTTP_METHOD_SOAP,$remoteID = null)
--- a/include/lassospkit_saml_common.inc.php
+++ b/include/lassospkit_saml_common.inc.php
@ -7,15 +7,16 @@ require_once('lassospkit_generic_session.inc.php');
 * TODO: initServer();
 */
 class LassoSPKitSAMLCommon {
-    public $session;
-    public $server;
+    var $session;
+    var $server;

    /** Error handling */
-    public $reset_status = 0;
-    public $human_status = "";
-    public $ret = 0;
-    public $ret_str = "";
-    public $exception = null;
+    var $reset_status = 0;
+    var $human_status = "";
+    var $ret = 0;
+    var $ret_str = "";
+    var $exception = null;
+    var $relay_state;

    public function __construct(LassoSPKitGenericSession $session) {
        $this->session = $session;
@ -107,7 +108,13 @@ class LassoSPKitSAMLCommon {
            lassospkit_errlog("artifactResolve: soapCall result empty");
            $content = "";
        }
-        $retPRM = $profile->processResponseMsg($content);
+        try {
+            $retPRM = $profile->processResponseMsg($content);
+        } catch (Exception $e) {
+            lassospkit_showCode($content);
+            var_dump($e);
+            throw $e;
+        }
        if ($retIR || $retBRM || $retPRM) {
            lassospkit_errlog("artifactResolve: retIR: $retIR retBRM: $retBRM retPRM: $retPRM");
            if ($retIR) {
@ -158,7 +165,9 @@ class LassoSPKitSAMLCommon {
                              $isConsentObtained,
                              $forceAuthn,
                              $isPassive,
+                              $relayState,
                              $blob) {
+        lassospkit_debuglog("isPassive: $isPassive");
        $login = new LassoLogin($this->server);
        $retFF = $this->findFederation($login);
        $retIAR = $login->initAuthnRequest($remoteID,$method);
@ -172,6 +181,9 @@ class LassoSPKitSAMLCommon {
        } else {
            throw new Exception("SSO: Pas d'object NameIDPolicy");
        }
+        if ($relayState && is_string($relayState)) {
+            $request->msgRelayState = $relayState;
+        }
        $retBAR = $login->buildAuthnRequestMsg();
        switch($method) {
            case LASSO_HTTP_METHOD_REDIRECT:
@ -194,6 +206,7 @@ class LassoSPKitSAMLCommon {
                        $method);
                break;
            case LASSO_HTTP_METHOD_POST:
+            case LASSO_HTTP_METHOD_REDIRECT:
                $retPRM = $this->processResponseMsg($message);
                break;
        }
@ -205,6 +218,9 @@ class LassoSPKitSAMLCommon {
            $retPRM == LASSO_LOGIN_ERROR_STATUS_NOT_SUCCESS) {
            $this->setMessage("Request denied");
        }
+        if ($login->msgRelayState) {
+            $this->relay_state = $login->msgRelayState;
+        }
        if ($retAR || $retPRM) {
            lassospkit_errlog("ssoConsumer, retAR: $retAR retPRM: $retPRM");
        } else {
@ -235,7 +251,7 @@ class LassoSPKitSAMLCommon {
                break;
            case LASSO_HTTP_METHOD_SOAP:
                $this->finishSOAPRequest($logout, $response);
-                $this->processResponseSLO($logout, $response);
+                $this->processResponseSLO($method, $response, $logout);
                break;
            case LASSO_HTTP_METHOD_ARTIFACT_GET:
            case LASSO_HTTP_METHOD_ARTIFACT_POST:
@ -245,11 +261,10 @@ class LassoSPKitSAMLCommon {
        }
    }
    public function processRedirectResponseSLO() {
-        $logout = null;
-        $this->processResponseSLO($logout, $_SERVER['QUERY_STRING']);
+        $this->processResponseSLO(LASSO_HTTP_METHOD_REDIRECT, $_SERVER['QUERY_STRING']);
    }
-    public function processResponseSLO(&$logout, $message) {
-        if (! $logout) {
+    public function processResponseSLO($http_method, $message, &$logout = null) {
+        if ($logout == null) {
            $logout = new LassoLogout($this->server);
            $this->findFederation($logout);
        } 
@ -290,7 +305,16 @@ class LassoSPKitSAMLCommon {
        $retBR = $this->finishResponse($logout, $logout->http_request_method);
        $this->session->logout();
        lassospkit_infolog("Logout request handled for nameId: " . $logout->nameID . " retPRM:  $retPRM retVR: $retVR retBR: $retBR");
-        return $ok;
+        if ($retPRM) {
+            return $retPRM;
+        }
+        if ($retVR) {
+            return $retVR;
+        }
+        if ($retBR) {
+            return $retBR;
+        }
+        return 0;
    }
    public function saveFederation(LassoProfile $profile) {
 	LassoSPKitHelper::saveFederation($profile, $this->session);