slo idp initiated still not working

<bdauvergne@entrouvert.com> 1206630442 +0100 0001-01-01 00:00:00 +00:00
parent 770ff3e143
commit db0c492287
8 changed files with 92 additions and 67 deletions


@ -62,6 +62,7 @@ function finishResponse($profileSTR, $session, $ret) {
if (! $ret) {
$session->doRedirect(LassoSPKitUtilsSession::getRelayState($profileSTR));
} else {
LassoSPKitUtilsSession::setLastError("Erreur: $ret");
$session->doRedirect(LassoSPKitUtilsSession::getRelayState('error'));
}
}
@ -105,7 +106,7 @@ function ssoAssertionConsumer() {
function slo() {
$session = getSession();
$saml2 = new LassoSPKitSAML2($session);
$method = LASSO_HTTP_METHOD_REDIRECT;
$method = LASSO_HTTP_METHOD_SOAP;
$ret = $saml2->initiateSLO($method);
$headers = headers_list();
finishRequest($method, 'slo', $session, $ret);
@ -113,9 +114,13 @@ function slo() {
function sloSoap() {
$session = getSession();
$saml2 = new LassoSPKitSAML2($session);
try {
if ($saml2->processSOAPRequestSLO() == 0) {
lassospkit_debuglog("SLO SOAP Request handler: fatal error");
}
} catch (Exception $e) {
lassospkit_debuglog("Problem in $e");
}
}
function sloRedirect() {
}
@ -128,7 +133,7 @@ function sloResponse() {
function defederate() {
$session = getSession();
$saml2 = new LassoSPKitSAML2($session);
$method = LASSO_HTTP_METHOD_REDIRECT;
$method = LASSO_HTTP_METHOD_SOAP;
$ret = $saml2->initiateFTNotification($method);
finishRequest($method, 'defederation', $session, $ret);
LassoSPKitUtilsSession::setRelayState('nidmanagement',LassoSPKitUtilsSession::getRelayState('defederation'));
@ -144,9 +149,8 @@ function nidManagementRedirect() {
function nidManagementResponse() {
$session = getSession();
$saml2 = new LassoSPKitSAML2($session);
$method = LASSO_HTTP_METHOD_REDIRECT;
$ret = $saml2->processRedirectResponseNameIdManagement();
finishResponse('defederation', $session, $ret);
finishResponse('nidmanagement', $session, $ret);
}
function metadata() {
$datadir = LassoSPKitHelper::getMetadataDir(LASSO_PROTOCOL_SAML_2_0);
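Review bot: In sloSoap, any exception thrown below processSOAPRequestSLO is logged and swallowed, and since LassoSPKitHelper::findFederation signals an unknown federation by throwing before processRequestSLO reaches finishResponse, the IdP receives an empty 200 body instead of a LogoutResponse or a fault. At minimum mark the failure in the catch, `header('HTTP/1.1 500 Internal Server Error');`, and log `$e->getMessage()` rather than interpolating the whole exception object into the debug log. The `== 0` test is loose: processRequestSLO returns `$ok` or nothing via a bare `return;`, so `if (! $saml2->processSOAPRequestSLO())` states the intent directly. `$headers = headers_list();` in slo() is assigned and never read and can be dropped. Which of the two `$method =` lines in slo() and defederate() is the new one is inferred from print order only, so I am not commenting on the REDIRECT-to-SOAP switch itself.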


@ -1,10 +1,10 @@
<?php
session_start();
echo '<?xml version="1.0" encoding="UTF-8"?>';
require_once('spkitlasso/include/lassospkit_public_api.inc.php');
require_once('spkitlasso/include/lassospkit_debug.inc.php');
require_once('spkitlasso/include/lassospkit_utils.inc.php');
echo '<?xml version="1.0" encoding="UTF-8"?>';
function show($a) {
echo "<li><a href='$a'>";


@ -6,7 +6,7 @@ require_once('lassospkit_file.inc.php');
require_once('lassospkit_config.inc.php');
require_once('lassospkit_generic_session.inc.php');
class LassoSPKitAutoPersistentSession extends LassoSPKitGenericSession {
class LassoSPKitAutoPersistentSession extends LassoSPKitDummySession {
private $storage;
function __construct() {
$storage_class = "LassoSPKit" . LassoSPKitConfig::get('storage') . "Store";
@ -16,25 +16,26 @@ class LassoSPKitAutoPersistentSession extends LassoSPKitGenericSession {
}
}
function findFederation($nameID) {
lassospkit_debuglog("looking for session for $nameID");
if (! $nameID) {
$nameID = array_pop(LassoSPKitUtilsSession::getNameID());
}
$federation = $this->storage->get($nameID);
if ($federation == null) {
return 0;
}
$blob = $this->storage->get($nameID);
if ($blob == null) {
return 0;
}
return $this->explodeFederationBlob($blob);
$this->explodeFederation($federation);
return 1;
}
function saveFederation() {
$nameIDs = $this->getNameIDs();
$firstID = array_pop($nameIDs);
if ($firstID == null) {
throw new Exception("save federation has no nameIDs to create keys");
}
$blob = $this->getFederationBlob();
$this->storage->set($firstID, $blob);
foreach ($nameIDs as $otherID) {
$this->storage->alias($firstID, $otherID);
if ($firstID) {
$federation = $this->getFederationArray();
$this->storage->set($firstID, $federation);
foreach ($nameIDs as $otherID) {
$this->storage->alias($firstID, $otherID);
}
}
parent::saveFederation();
}
@ -44,5 +45,6 @@ class LassoSPKitAutoPersistentSession extends LassoSPKitGenericSession {
} else {
$this->storage->delete($oldID);
}
parent::saveFederation();
}
}
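Review bot: findFederation substitutes the NameID held in the current PHP session whenever the caller passes an empty one, so an inbound request that carries no NameID is matched against whatever session cookie accompanies it, and the `nameid not found` branch in LassoSPKitHelper::findFederation is only reachable when there is no session either; if the IdP-initiated SLO handler goes through this lookup it should fail closed, `if (! $nameID) { return 0; }`, with callers that really want the session hint passing it explicitly. `array_pop(LassoSPKitUtilsSession::getNameID())` also passes a function result by reference, which PHP reports as a strict-standards notice; assign the array to a local first. saveFederation now returns quietly when `$firstID` is empty where the replaced code appears to have thrown, so a federation can end up held only in the PHP session without the persistent store knowing; either keep the exception or at least log the skipped write. changeFederation starts outside the last hunk, so I cannot tell whether the added `parent::saveFederation();` also runs on the delete path.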


@ -7,7 +7,7 @@ class LassoSPKitDummySession extends LassoSPKitGenericSession {
/** Save the federation into the SESSION object */
function saveFederation() {
LassoSPKitUtilsSession::setFederation(
serialize($this->getFederationBlob()));
serialize($this->getFederationArray()));
parent::saveFederation();
}
/** Use the nameID as a hint to validate the stored dumps.


@ -51,7 +51,7 @@ class LassoSPKitGenericSession {
$identity_dump = $this->getIdentityDump();
return LassoSPKitHelper::getNameIDsFromDump($identity_dump);
}
function getFederationBlob() {
function getFederationArray() {
$userid = LassoSPKitUtilsSession::getUserID();
return array(
'identity'=> $this->getIdentityDump(),
@ -61,11 +61,15 @@ class LassoSPKitGenericSession {
function explodeFederationBlob($blob) {
$federation = @unserialize($blob);
if ($federation === FALSE) {
$this->debug(FALSE, "Could not unserialize content of key file for key $nameID");
lassospkit_debuglog("LassoSPKitGenericSession: cannot deserialize the federation blob");
return 0;
}
$this->explodeFederation($federation);
}
function explodeFederation($federation) {
$this->setSessionDump($federation['session']);
$this->setIdentityDump($federation['identity']);
LassoSPKitUtilsSession::setUserID($federation['userid']);
return 1;
}
}
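Review bot: explodeFederationBlob no longer returns anything on its success path: `$this->explodeFederation($federation);` discards the `1` that explodeFederation returns, so any caller that tests the result with `== 0`, as LassoSPKitHelper::findFederation does for the session's findFederation, treats a successfully restored federation as not found. Change that line to `return $this->explodeFederation($federation);`. explodeFederation indexes `session`, `identity` and `userid` without checking they exist, so a blob written by an older version raises notices and installs null dumps; guard each with `isset()` before use. The `@unserialize` operates on the SP's own stored blob rather than on request data, as far as this hunk shows, so I am not flagging it here.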


@ -76,7 +76,7 @@ class LassoSPKitHelper {
LassoSPKitGenericSession $session) {
$nameID = self::profileGetNameID($profile);
if (self::saveDumps($profile,$session)) {
$session->saveFederation($nameID);
$session->saveFederation();
}
}
/** Contract is that if NewID is null, session should forget about
@ -86,6 +86,7 @@ class LassoSPKitHelper {
LassoSPKitGenericSession $session,
$NewID) {
$nameID = self::profileGetNameID($profile);
self::saveDumps($profile,$session);
$session->changeFederation($nameID, $NewID);
}
/** Try to restore the federation informations from the profile.
@ -96,10 +97,13 @@ class LassoSPKitHelper {
static function findFederation(LassoProfile $profile,
LassoSPKitGenericSession $session) {
$nameID = self::profileGetNameID($profile);
lassospkit_debuglog("SLO request IDP initiated9");
if ($session->findFederation($nameID) == 0) {
if ($nameID) {
lassospkit_debuglog("fed not found");
throw new LassoProfileFederationNotFoundError();
} else {
lassospkit_debuglog("nameid not found");
throw new LassoProfileNameIdentifierNotFoundError($profile->dump());
}
}
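Review bot: changeFederation now calls `self::saveDumps($profile,$session);` and ignores its result, while saveFederation directly above only touches the session when saveDumps succeeds; if the dumps cannot be saved, changeFederation still re-keys the stored federation under `$NewID`. Unless best-effort is intended there, gate it the same way, `if (self::saveDumps($profile,$session)) { $session->changeFederation($nameID, $NewID); }`, and say in the docblock whether the null-NewID (forget) case must proceed regardless. The added `lassospkit_debuglog("SLO request IDP initiated9");` in findFederation is a tracing leftover naming a flow this generic helper is not specific to; drop it or make it describe the lookup, `lassospkit_debuglog("looking up federation for nameID $nameID");`. findFederation's body continues past the end of the hunk.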


@ -13,7 +13,7 @@ class LassoSPKitSaml2 extends LassoSPKitSAMLCommon {
}
}
/** Overloaded method to serve as callback to common SSO method. */
protected function ssoNameIdPolicyConfig(LassoLogin $login, $blob) {
public function ssoNameIdPolicyConfig(LassoLogin $login, $blob) {
$request = $login->request;
$nameidpolicy = $request->NameIDPolicy;
$nameidpolicy->format = $blob['nameIDFormat'];
@ -96,7 +96,7 @@ class LassoSPKitSaml2 extends LassoSPKitSAMLCommon {
}
$ok = $ok && ! $ret = $nidmanagement->processResponseMsg($message);
if ($ok || $ret > 0) {
$this->saveFederation($nidmanagement);
$this->changeFederation($nidmanagement);
}
if ($ret != 0) {
$this->setRet($ret);
@ -108,12 +108,7 @@ class LassoSPKitSaml2 extends LassoSPKitSAMLCommon {
return processRequestNameIdManagement(LASSO_HTTP_METHOD_REDIRECT,
$_SERVER['QUERY_STRING']);
}
public function processSOAPRequestSLO() {
$contents = $this->receiveSoapMessage();
return processRequestSLO(LASSO_HTTP_METHOD_SOAP,
$contents);
}
private function processRequestNameIdManagement($method, $message)
public function processRequestNameIdManagement($method, $message)
{
lassospkit_debuglog("NameIdManagement request handling");
$ret = 0;
@ -155,4 +150,7 @@ class LassoSPKitSaml2 extends LassoSPKitSAMLCommon {
LassoSPKitUtilsSession::setFederation(serialize($fed));
return $profile;
}
function changeFederation(LassoNameIdManagement $nidmanagement) {
LassoSPKitHelper::changeFederation($nidmanagement, $this->session, $nidmanagement->request->NewID);
}
}
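Review bot: `return processRequestNameIdManagement(LASSO_HTTP_METHOD_REDIRECT, $_SERVER['QUERY_STRING']);` still calls the method as a bare function, which PHP resolves to an undefined global function and fails at request time; this commit fixes the identical mistake for processRedirectRequestSLO in LassoSPKitSAMLCommon (`return $this->processRequestSLO(...)`) but leaves this one, so it should read `return $this->processRequestNameIdManagement(LASSO_HTTP_METHOD_REDIRECT, $_SERVER['QUERY_STRING']);`. The enclosing method begins above the hunk. Making processRequestNameIdManagement public widens the class API for no caller visible here; if the only motivation was the bare-function call, keeping it private after the `$this->` fix is the narrower change.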


@ -7,30 +7,30 @@ require_once('lassospkit_generic_session.inc.php');
* TODO: initServer();
*/
class LassoSPKitSAMLCommon {
protected $session;
protected $server;
public $session;
public $server;
/** Error handling */
protected $reset_status = 0;
protected $human_status = "";
protected $ret = 0;
public $reset_status = 0;
public $human_status = "";
public $ret = 0;
public $ret_str = "";
protected $exception = null;
public $exception = null;
public function __construct(LassoSPKitGenericSession $session) {
$this->session = $session;
}
/* Accessors */
/* Status is a human readable and translatable string. */
protected function setStatus($str) {
public function setStatus($str) {
$this->human_status = gettext($str);
}
protected function getStatus() {
public function getStatus() {
return $this->human_status;
}
/* Ret is the return code from the last error returning
lasso function. */
protected function setRet($ret, $prefix = "") {
public function setRet($ret, $prefix = "") {
$this->ret = $ret;
if ($ret != 0) {
$this->ret_str = strError($ret);
@ -39,7 +39,7 @@ class LassoSPKitSAMLCommon {
$this->ret_str = "";
}
}
protected function getRet() {
public function getRet() {
return $this->ret . ":" . $this->ret_str;
}
/** Create the server object by retrieving the configuration from
@ -67,7 +67,7 @@ class LassoSPKitSAMLCommon {
return $server;
}
}
protected static function checkFile($file) {
public static function checkFile($file) {
if (! file_exists($file)) {
lassospkit_debuglog("File " . $file . " is absent, can't construct server object");
return 0;
@ -75,20 +75,26 @@ class LassoSPKitSAMLCommon {
return 1;
}
/*** Helper functions ***/
protected function ssoNameIdPolicyConfig($blob) {
public function ssoNameIdPolicyConfig($blob) {
throw new Exception("Must be overloaded!!");
}
/** Helper function to do redirects. */
protected function doRedirect(LassoProfile $profile) {
public function doRedirect(LassoProfile $profile) {
$this->session->doRedirect($profile->msgUrl);
}
/** Return a normal HTTP response, for SOAP Response binding */
protected function doResponse(LassoProfile $profile) {
public function doResponse(LassoProfile $profile) {
$this->session->doResponse('text/xml', $profile->msgBody);
}
/** Read a soap message from stdin */
protected function receiveSOAPMessage() {
$contents = file_get_contents("php://input");
public function receiveSOAPMessage() {
lassospkit_debuglog("Receiving a SOAP message");
$contents = @file_get_contents("php://input");
if ($contents === FALSE) {
lassospkit_debuglog("Problem Receiving a SOAP message2");
} else {
lassospkit_debuglog("Received a SOAP message");
}
return $contents;
}
/** Retrieve the response message associated to an artifact string,
@ -96,7 +102,7 @@ class LassoSPKitSAMLCommon {
This method makes a soap call to resolve the artifact, it is synchronous
so can potentially take times.
*/
protected function artifactResolve(LassoProfile $profile, $query, $method, &$ok, &$ret) {
public function artifactResolve(LassoProfile $profile, $query, $method, &$ok, &$ret) {
$ok = $ok && ! $ret = $profile->initRequest($query, $method);
$ok = $ok && ! $ret = $profile->buildRequestMsg();
$ok = $ok && $content = LassoSPKitHelper::SoapCallWithProfile($profile);
@ -107,19 +113,19 @@ class LassoSPKitSAMLCommon {
return $ok;
}
/** Finish a request with a redirect transport */
protected function finishRedirectRequest(LassoProfile $profile, &$ret, &$ok) {
public function finishRedirectRequest(LassoProfile $profile, &$ret, &$ok) {
if ($ok) {
$this->doRedirect($profile);
}
}
/** Finish a request with a SOAP transport */
protected function finishSOAPRequest(LassoProfile $profile, &$ret, &$ok, &$response) {
public function finishSOAPRequest(LassoProfile $profile, &$ret, &$ok, &$response) {
if ($ok) {
$response = LassoSPKitHelper::SoapCallWithProfile($profile);
}
}
protected function finishResponse(LassoProfile $profile, $method, &$ret, &$ok) {
public function finishResponse(LassoProfile $profile, $method, &$ret, &$ok) {
$ok = $ok && ! $ret = $profile->buildResponse();
switch ($method) {
case LASSO_HTTP_METHOD_REDIRECT:
@ -139,7 +145,7 @@ class LassoSPKitSAMLCommon {
the doRedirect method of the session object.
Calls ssoNameIdPolicyConfig on the session object to initialize.
*/
protected function ssoCommon(&$login,
public function ssoCommon(&$login,
$remoteID,
$method,
$isConsentObtained,
@ -258,7 +264,7 @@ class LassoSPKitSAMLCommon {
}
return $ok;
}
protected function processResponseSLO(&$logout, $message) {
public function processResponseSLO(&$logout, $message) {
$ret = 0;
$ok = 1;
lassospkit_debuglog("SLO SP initiated Response");
@ -309,20 +315,25 @@ class LassoSPKitSAMLCommon {
}
/** IDP initiated SLO **/
public function processRedirectRequestSLO() {
return processRequestSLO(LASSO_HTTP_METHOD_REDIRECT,
return $this->processRequestSLO(LASSO_HTTP_METHOD_REDIRECT,
$_SERVER['QUERY_STRING']);
}
public function processSOAPRequestSLO() {
$contents = $this->receiveSoapMessage();
return processRequestSLO(LASSO_HTTP_METHOD_SOAP,
return $this->processRequestSLO(LASSO_HTTP_METHOD_SOAP,
$contents);
}
protected function processRequestSLO(&$method, $message) {
lassospkit_debuglog("SLO Request handling");
public function processRequestSLO($method, $message) {
lassospkit_debuglog("SLO request IDP initiated");
sleep(120);
$ret = 0;
$ok = $ok && $logout = new LassoLogout($this->server);
$ok = $ok && ! $ret = $logout->processRequestMsg($content);
$this->findFederation($logout);
$ok = 1 && $logout = new LassoLogout($this->server);
if (! $ok) {
lassospkit_debuglog("Cannot build logout profile");
return;
}
$ok = $ok && ! $ret = $logout->processRequestMsg($message);
$ok = $ok && $this->findFederation($logout);
$ok = $ok && ! $ret = $logout->validateRequest();
if ($ok) {
if ($method == LASSO_HTTP_METHOD_ANY) {
@ -330,21 +341,23 @@ class LassoSPKitSAMLCommon {
} else {
$ok = ($method == $logout->http_request_method);
}
}
$this->finishResponse($method, $logout, $ret, $ok);
if (! $ok) {
lassospkit_debuglog("SLO Request handling failed ErrCode: $ret");
$this->setStatus("Le SLO a échoué");
$this->setRet($ret);
} else {
lassospkit_debuglog("SLO Request validate failed ErrCode: $ret " . strError($ret));
}
$this->finishResponse($logout, $method, $ret, $ok);
if (! $ok) {
lassospkit_debuglog($message);
} else {
lassospkit_debuglog("SLO request handling validated for nameid " . LassoSPKitHelper::profileGetNameID($logout));
$this->session->logout();
}
return $ok;
}
protected function saveFederation(LassoProfile $profile) {
public function saveFederation(LassoProfile $profile) {
LassoSPKitHelper::saveFederation($profile, $this->session);
}
protected function findFederation(LassoProfile $profile) {
public function findFederation(LassoProfile $profile) {
lassospkit_debuglog("SLO request IDP initiated4");
LassoSPKitHelper::findFederation($profile, $this->session);
}
/** Federation termination **/
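Review bot: `$ok = $ok && $this->findFederation($logout);` can never leave `$ok` true, because findFederation at the end of this section returns nothing (LassoSPKitHelper::findFederation reports failure by throwing), so `$ok` becomes null, validateRequest and the binding check are skipped, finishResponse runs with `$ok` false and `$this->session->logout()` is never reached; that alone accounts for the "still not working" in the title. Either have findFederation return a value, `LassoSPKitHelper::findFederation($profile, $this->session); return 1;`, or drop the `$ok &&` and let the helper's exception carry the failure as it is designed to. `sleep(120);` at the top of processRequestSLO looks like a tracing leftover, and whether it predates this commit or not it parks a PHP worker for two minutes per request on an unauthenticated logout endpoint, which is a trivial denial of service; remove it before this ships. `lassospkit_debuglog($message);` on the failure path writes the full inbound LogoutRequest or query string to the debug log, which can carry a NameID and session index, so keep that in mind for log retention.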