[id-ff] move LassoLogin to use LassoSignatureContext

Benjamin Dauvergne 2011-12-02 19:30:31 +01:00
parent 5e5c38b451
commit 641702b346
1 changed files with 49 additions and 92 deletions


@ -338,6 +338,7 @@ lasso_login_build_assertion(LassoLogin *login,
LassoProvider *provider = NULL;
LassoSaml2EncryptedElement *encrypted_element = NULL;
LassoSamlSubjectStatementAbstract *ss;
lasso_error_t rc = 0;
g_return_val_if_fail(LASSO_IS_LOGIN(login), LASSO_PARAM_ERROR_BAD_TYPE_OR_NULL_OBJ);
@ -400,14 +401,9 @@ lasso_login_build_assertion(LassoLogin *login,
assertion->AuthenticationStatement = LASSO_SAML_AUTHENTICATION_STATEMENT(as);
/* Save signing material in assertion private datas to be able to sign later */
if (profile->server->certificate) {
assertion->sign_type = LASSO_SIGNATURE_TYPE_WITHX509;
} else {
assertion->sign_type = LASSO_SIGNATURE_TYPE_SIMPLE;
}
assertion->sign_method = profile->server->signature_method;
lasso_assign_string(assertion->private_key_file, profile->server->private_key);
lasso_assign_string(assertion->certificate_file, profile->server->certificate);
lasso_check_good_rc(lasso_server_set_signature_for_provider_by_name(login->parent.server,
profile->remote_providerID, (LassoNode*)assertion));
if (login->protocolProfile == LASSO_LOGIN_PROTOCOL_PROFILE_BRWS_POST || \
login->protocolProfile == LASSO_LOGIN_PROTOCOL_PROFILE_BRWS_LECP) {
@ -424,7 +420,7 @@ lasso_login_build_assertion(LassoLogin *login,
if (profile->session == NULL) {
profile->session = lasso_session_new();
}
lasso_assign_new_gobject(login->assertion, LASSO_SAML_ASSERTION(assertion));
lasso_assign_gobject(login->assertion, LASSO_SAML_ASSERTION(assertion));
lasso_session_add_assertion(profile->session, profile->remote_providerID,
LASSO_NODE(assertion));
@ -454,7 +450,9 @@ lasso_login_build_assertion(LassoLogin *login,
}
}
return 0;
cleanup:
lasso_release_gobject(assertion);
return rc;
}
/**
@ -1078,15 +1076,15 @@ lasso_login_build_artifact_msg(LassoLogin *login, LassoHttpMethod http_method)
* </para></listitem>
* </itemizedlist>
**/
gint
lasso_error_t
lasso_login_build_authn_request_msg(LassoLogin *login)
{
LassoProvider *provider, *remote_provider;
LassoProfile *profile;
char *md_authnRequestsSigned, *url, *query, *lareq, *protocolProfile;
char *md_authnRequestsSigned, *url, *query = NULL, *lareq, *protocolProfile;
LassoProviderRole role, remote_role;
gboolean must_sign;
gint ret = 0;
gint rc = 0;
g_return_val_if_fail(LASSO_IS_LOGIN(login), LASSO_PARAM_ERROR_BAD_TYPE_OR_NULL_OBJ);
profile = LASSO_PROFILE(login);
@ -1132,20 +1130,14 @@ lasso_login_build_authn_request_msg(LassoLogin *login)
provider->role = role;
remote_provider->role = remote_role;
if (!must_sign)
LASSO_SAMLP_REQUEST_ABSTRACT(
profile->request)->sign_type = LASSO_SIGNATURE_TYPE_NONE;
if (login->http_method == LASSO_HTTP_METHOD_REDIRECT) {
/* REDIRECT -> query */
if (must_sign) {
query = lasso_node_export_to_query_with_password(LASSO_NODE(profile->request),
profile->server->signature_method,
profile->server->private_key,
profile->server->private_key_password);
lasso_check_good_rc(lasso_server_export_to_query_for_provider_by_name(profile->server,
profile->remote_providerID,
profile->request, &query));
} else {
query = lasso_node_export_to_query_with_password(
LASSO_NODE(profile->request), 0, NULL, NULL);
query = lasso_node_build_query(LASSO_NODE(profile->request));
}
if (query == NULL) {
return critical_error(LASSO_PROFILE_ERROR_BUILDING_QUERY_FAILED);
@ -1164,14 +1156,9 @@ lasso_login_build_authn_request_msg(LassoLogin *login)
}
if (login->http_method == LASSO_HTTP_METHOD_POST) {
if (must_sign) {
/* XXX: private_key_file is not declared within request
* snippets so it is not freed on destroy, so it is
* normal to not strdup() it; nevertheless it would
* probably be more clean not to to it this way */
LASSO_SAMLP_REQUEST_ABSTRACT(profile->request)->private_key_file =
profile->server->private_key;
LASSO_SAMLP_REQUEST_ABSTRACT(profile->request)->certificate_file =
profile->server->certificate;
lasso_server_set_signature_for_provider_by_name(profile->server,
profile->remote_providerID,
profile->request);
}
lareq = lasso_node_export_to_base64(profile->request);
@ -1184,7 +1171,8 @@ lasso_login_build_authn_request_msg(LassoLogin *login)
lasso_assign_new_string(profile->msg_body, lareq);
}
return ret;
cleanup:
return rc;
}
/**
@ -1244,8 +1232,9 @@ lasso_login_build_authn_request_msg(LassoLogin *login)
gint
lasso_login_build_authn_response_msg(LassoLogin *login)
{
LassoProvider *remote_provider;
LassoProfile *profile;
LassoProvider *remote_provider = NULL;
LassoProfile *profile = NULL;
lasso_error_t rc = 0;
g_return_val_if_fail(LASSO_IS_LOGIN(login), LASSO_PARAM_ERROR_BAD_TYPE_OR_NULL_OBJ);
@ -1274,22 +1263,14 @@ lasso_login_build_authn_response_msg(LassoLogin *login)
/* Countermeasure: The issuer should sign <lib:AuthnResponse> messages.
* (binding and profiles (1.2errata2, page 65) */
if (profile->server->certificate) {
LASSO_SAMLP_RESPONSE_ABSTRACT(profile->response)->sign_type =
LASSO_SIGNATURE_TYPE_WITHX509;
} else {
LASSO_SAMLP_RESPONSE_ABSTRACT(profile->response)->sign_type =
LASSO_SIGNATURE_TYPE_SIMPLE;
}
LASSO_SAMLP_RESPONSE_ABSTRACT(profile->response)->sign_method =
LASSO_SIGNATURE_METHOD_RSA_SHA1;
LASSO_SAMLP_RESPONSE_ABSTRACT(profile->response)->private_key_file =
profile->server->private_key;
LASSO_SAMLP_RESPONSE_ABSTRACT(profile->response)->certificate_file =
profile->server->certificate;
lasso_check_good_rc(lasso_server_set_signature_for_provider_by_name(
profile->server,
profile->remote_providerID,
profile->response));
/* build an lib:AuthnResponse base64 encoded */
lasso_assign_new_string(profile->msg_body, lasso_node_export_to_base64(LASSO_NODE(profile->response)));
lasso_assign_new_string(profile->msg_body,
lasso_node_export_to_base64(LASSO_NODE(profile->response)));
remote_provider = lasso_server_get_provider(profile->server, profile->remote_providerID);
if (LASSO_IS_PROVIDER(remote_provider) == FALSE)
@ -1299,8 +1280,8 @@ lasso_login_build_authn_response_msg(LassoLogin *login)
if (profile->msg_url == NULL) {
return LASSO_PROFILE_ERROR_UNKNOWN_PROFILE_URL;
}
return 0;
cleanup:
return rc;
}
/**
@ -1327,6 +1308,7 @@ lasso_login_build_request_msg(LassoLogin *login)
{
LassoProvider *remote_provider;
LassoProfile *profile;
lasso_error_t rc = 0;
g_return_val_if_fail(LASSO_IS_LOGIN(login), LASSO_PARAM_ERROR_BAD_TYPE_OR_NULL_OBJ);
@ -1342,10 +1324,10 @@ lasso_login_build_request_msg(LassoLogin *login)
return critical_error(LASSO_PROFILE_ERROR_MISSING_REMOTE_PROVIDERID);
}
LASSO_SAMLP_REQUEST_ABSTRACT(profile->request)->private_key_file =
profile->server->private_key;
LASSO_SAMLP_REQUEST_ABSTRACT(profile->request)->certificate_file =
profile->server->certificate;
lasso_check_good_rc(lasso_server_set_signature_for_provider_by_name(
profile->server,
profile->remote_providerID,
profile->request));
lasso_assign_new_string(profile->msg_body, lasso_node_export_to_soap(profile->request));
remote_provider = lasso_server_get_provider(profile->server, profile->remote_providerID);
@ -1353,7 +1335,8 @@ lasso_login_build_request_msg(LassoLogin *login)
return critical_error(LASSO_SERVER_ERROR_PROVIDER_NOT_FOUND);
}
lasso_assign_new_string(profile->msg_url, lasso_provider_get_metadata_one(remote_provider, "SoapEndpoint"));
return 0;
cleanup:
return rc;
}
/**
@ -1379,7 +1362,7 @@ lasso_login_build_response_msg(LassoLogin *login, gchar *remote_providerID)
{
LassoProvider *remote_provider;
LassoProfile *profile;
gint ret = 0;
lasso_error_t rc = 0;
g_return_val_if_fail(LASSO_IS_LOGIN(login), LASSO_PARAM_ERROR_BAD_TYPE_OR_NULL_OBJ);
profile = LASSO_PROFILE(login);
@ -1398,38 +1381,28 @@ lasso_login_build_response_msg(LassoLogin *login, gchar *remote_providerID)
LASSO_SAMLP_RESPONSE_ABSTRACT(profile->response)->MinorVersion = 0;
}
if (profile->server->certificate) {
LASSO_SAMLP_RESPONSE_ABSTRACT(profile->response)->sign_type =
LASSO_SIGNATURE_TYPE_WITHX509;
} else {
LASSO_SAMLP_RESPONSE_ABSTRACT(profile->response)->sign_type =
LASSO_SIGNATURE_TYPE_SIMPLE;
}
LASSO_SAMLP_RESPONSE_ABSTRACT(profile->response)->sign_method =
LASSO_SIGNATURE_METHOD_RSA_SHA1;
if (remote_providerID != NULL) {
lasso_assign_string(profile->remote_providerID, remote_providerID);
remote_provider = lasso_server_get_provider(profile->server, profile->remote_providerID);
ret = lasso_provider_verify_signature(remote_provider,
rc = lasso_provider_verify_signature(remote_provider,
login->private_data->soap_request_msg,
"RequestID", LASSO_MESSAGE_FORMAT_SOAP);
lasso_release_string(login->private_data->soap_request_msg);
/* lasso_profile_set_session_from_dump has not been called */
if (profile->session == NULL) {
ret = LASSO_PROFILE_ERROR_SESSION_NOT_FOUND;
rc = LASSO_PROFILE_ERROR_SESSION_NOT_FOUND;
}
/* change status code into RequestDenied if signature is
* invalid or not found or if an error occurs during
* verification */
if (ret != 0) {
if (rc != 0) {
lasso_profile_set_response_status(profile,
LASSO_SAML_STATUS_CODE_REQUEST_DENIED);
}
if (ret == 0) {
if (rc == 0) {
/* get assertion in session and add it in response */
LassoSamlAssertion *assertion;
LassoSamlpStatus *status;
@ -1456,13 +1429,14 @@ lasso_login_build_response_msg(LassoLogin *login, gchar *remote_providerID)
lasso_profile_set_response_status(profile, LASSO_SAML_STATUS_CODE_REQUEST_DENIED);
}
LASSO_SAMLP_RESPONSE_ABSTRACT(profile->response)->private_key_file =
profile->server->private_key;
LASSO_SAMLP_RESPONSE_ABSTRACT(profile->response)->certificate_file =
profile->server->certificate;
lasso_check_good_rc(lasso_server_set_signature_for_provider_by_name(
profile->server,
profile->remote_providerID,
profile->response));
lasso_assign_new_string(profile->msg_body, lasso_node_export_to_soap(profile->response));
return ret;
cleanup:
return rc;
}
/**
@ -1567,15 +1541,6 @@ lasso_login_init_authn_request(LassoLogin *login, const gchar *remote_providerID
lasso_assign_string(LASSO_LIB_AUTHN_REQUEST(profile->request)->RelayState,
profile->msg_relayState);
if (http_method == LASSO_HTTP_METHOD_POST) {
request->sign_method = LASSO_SIGNATURE_METHOD_RSA_SHA1;
if (profile->server->certificate) {
request->sign_type = LASSO_SIGNATURE_TYPE_WITHX509;
} else {
request->sign_type = LASSO_SIGNATURE_TYPE_SIMPLE;
}
}
return 0;
}
@ -1709,15 +1674,7 @@ lasso_login_init_request(LassoLogin *login, gchar *response_msg,
request->MajorVersion = LASSO_SAML_MAJOR_VERSION_N;
request->MinorVersion = LASSO_SAML_MINOR_VERSION_N;
lasso_assign_new_string(request->IssueInstant, lasso_get_current_time());
LASSO_SAMLP_REQUEST(request)->AssertionArtifact = artifact_b64;
if (profile->server->certificate) {
request->sign_type = LASSO_SIGNATURE_TYPE_WITHX509;
} else {
request->sign_type = LASSO_SIGNATURE_TYPE_SIMPLE;
}
request->sign_method = LASSO_SIGNATURE_METHOD_RSA_SHA1;
lasso_assign_new_gobject(profile->request, LASSO_NODE(request));
return ret;
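Review bot: In the POST branch of lasso_login_build_authn_request_msg the return value of `lasso_server_set_signature_for_provider_by_name(profile->server, profile->remote_providerID, profile->request);` is discarded, while every other call site this commit introduces (lasso_login_build_assertion, lasso_login_build_authn_response_msg, lasso_login_build_request_msg, lasso_login_build_response_msg) wraps the same call in `lasso_check_good_rc(...)`. If attaching the signature context fails while `must_sign` is set, the request is presumably still exported by the `lasso_node_export_to_base64` call on the next line and, as far as the hunk shows, the function returns 0, so the caller cannot tell that a message the metadata requires to be signed went out without a valid signing setup. The function already has `rc` and a `cleanup:` label, so the fix is `lasso_check_good_rc(lasso_server_set_signature_for_provider_by_name(profile->server, profile->remote_providerID, profile->request));`. Separately, `gint rc = 0;` in that function would read better as `lasso_error_t rc = 0;`, matching its new return type and the sibling functions.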