[core] add a blacklisted_entity_ids parameter to lasso_server_load_federation
The goal is to prevent loading of providers known to have problems.
This commit is contained in:
parent
70562db09a
commit
a0aba29273
@ -756,6 +756,8 @@ lasso_server_get_encryption_private_key(LassoServer *server)
* @federation_file: a C string formatted as SAML 2.0 metadata XML content,
* @trusted_roots:(allow-none): a PEM encoded files containing the certificates to check signatures
* on the metadata files (optional)
* @blacklisted_entity_ids:(allow-none)(element-type string): a list of EntityID which should not be
* loaded, can be NULL.
*
* Load all the SAML 2.0 entities from @federation_file which contain a declaration for @role. If
* @trusted_roots is non-NULL, use it to check a signature on the metadata file.
@ -773,7 +775,7 @@ lasso_server_get_encryption_private_key(LassoServer *server)
*/
lasso_error_t
lasso_server_load_federation(LassoServer *server, LassoProviderRole role, const gchar *federation_metadata, const gchar
*trusted_roots)
*trusted_roots, GList *blacklisted_entity_ids)
{
xmlDoc *doc = NULL;
xmlNode *root = NULL;
@ -806,7 +808,7 @@ lasso_server_load_federation(LassoServer *server, LassoProviderRole role, const
}
/* TODO: branch to the SAML2 version of this function */
if (lasso_strisequal((char*)root->ns->href, LASSO_SAML2_METADATA_HREF)) {
lasso_check_good_rc(lasso_saml20_server_load_federation(server, role, root));
lasso_check_good_rc(lasso_saml20_server_load_federation(server, role, root, blacklisted_entity_ids));
} else {
/* TODO: iterate SPDescriptor and IDPDescriptor, choose which one to parse by looking at the role enum.
* */
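Review bot: The new `@blacklisted_entity_ids` parameter doc should state the ownership and matching contract, since the accompanying test passes a stack-allocated GList and the saml-2.0 implementation compares entries with `g_strcmp0`. Suggest completing the line as `* @blacklisted_entity_ids:(allow-none)(element-type string): EntityID values, matched as exact strings, whose descriptors are skipped; the list is only read and stays owned by the caller. Can be NULL.`. The body of lasso_server_load_federation continues outside the hunks shown here.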
@ -104,7 +104,7 @@ LASSO_EXPORT lasso_error_t lasso_server_set_encryption_private_key_with_password
const gchar *filename_or_buffer, const gchar *password);
LASSO_EXPORT lasso_error_t lasso_server_load_federation(LassoServer *server, LassoProviderRole role,
const gchar *federation_file, const gchar *trusted_roots);
const gchar *federation_file, const gchar *trusted_roots, GList *blacklisted_entity_ids);
#ifdef __cplusplus
}
@ -103,7 +103,7 @@ _lasso_test_idp_descriptor(xmlNode *node) {
}
lasso_error_t
lasso_saml20_server_load_federation(LassoServer *server, LassoProviderRole role, xmlNode *root_node)
lasso_saml20_server_load_federation(LassoServer *server, LassoProviderRole role, xmlNode *root_node, GList *blacklisted_entity_ids)
{
xmlNode *child;
lasso_error_t rc = 0;
@ -111,6 +111,8 @@ lasso_saml20_server_load_federation(LassoServer *server, LassoProviderRole role,
child = xmlSecGetNextElementNode(root_node->children);
/* first parse the providers... */
while (child) {
LassoProvider *provider = NULL;
if (! xmlSecCheckNodeName(child,
BAD_CAST LASSO_SAML2_METADATA_ELEMENT_ENTITY_DESCRIPTOR,
BAD_CAST LASSO_SAML2_METADATA_HREF)) {
@ -122,12 +124,16 @@ lasso_saml20_server_load_federation(LassoServer *server, LassoProviderRole role,
if (role == LASSO_PROVIDER_ROLE_SP && ! _lasso_test_sp_descriptor(child)) {
goto next;
}
LassoProvider *provider;
provider = lasso_provider_new_from_xmlnode(role, child);
if (provider) {
char *name = g_strdup(provider->ProviderID);
if (g_list_find_custom(blacklisted_entity_ids, name,
(GCompareFunc) g_strcmp0)) {
lasso_release_gobject(provider);
goto next;
}
g_hash_table_insert(server->providers, name, provider);
}
next:
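Review bot: `name` leaks on the blacklist path: it is duplicated with `g_strdup(provider->ProviderID)` before the `g_list_find_custom` check, and the blacklisted branch releases the provider and jumps to `next` without freeing it, so every skipped entity leaks one string per load. Either add `lasso_release_string(name);` before that `goto next;`, or run the lookup on `provider->ProviderID` directly and duplicate the string only once the provider is accepted. Note also that `lasso_provider_new_from_xmlnode` has already parsed the entity's metadata by the time the blacklist is consulted; if the intent is to avoid processing problematic metadata at all, the check would need to inspect the EntityDescriptor's entityID attribute before that call. The body of lasso_saml20_server_load_federation continues past the end of the hunk.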
@ -33,7 +33,8 @@ extern "C" {
#include "../id-ff/server.h"
int lasso_saml20_server_load_affiliation(LassoServer *server, xmlNode *node);
lasso_error_t lasso_saml20_server_load_federation(LassoServer *server, LassoProviderRole role, xmlNode *root_node);
lasso_error_t lasso_saml20_server_load_federation(LassoServer *server, LassoProviderRole role,
xmlNode *root_node, GList *blacklisted_entity_ids);
#ifdef __cplusplus
}
@ -1946,6 +1946,7 @@ START_TEST(test13_test_lasso_server_load_federation)
{
LassoServer *server = NULL;
char *metadata_content;
GList blacklisted_1 = { .data = "https://identities.univ-jfc.fr/idp/prod", .next = NULL };
check_not_null(server = lasso_server_new(
TESTSDATADIR "/idp5-saml2/metadata.xml",
@ -1955,7 +1956,8 @@ START_TEST(test13_test_lasso_server_load_federation)
check_true(g_file_get_contents(TESTSDATADIR "/renater-metadata.xml", &metadata_content,
NULL, NULL));
check_good_rc(lasso_server_load_federation(server, LASSO_PROVIDER_ROLE_IDP,
metadata_content, TESTSDATADIR "/metadata-federation-renater.crt"));
metadata_content, TESTSDATADIR "/metadata-federation-renater.crt", &blacklisted_1));
check_true(g_hash_table_size(server->providers) == 101);
lasso_release_string(metadata_content);
lasso_release_gobject(server);
}
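Review bot: The test only checks the resulting provider count (`check_true(g_hash_table_size(server->providers) == 101)`), which shows the blacklist changed the count but not that the intended entity was the one dropped. Add a direct assertion after the load, `check_true(g_hash_table_lookup(server->providers, "https://identities.univ-jfc.fr/idp/prod") == NULL);`, so a regression that skips a different provider (or the count drifting with the fixture) is caught explicitly. The `GList blacklisted_1` built with a designated initializer leaves `prev` zeroed, which is correct for a single-element list passed to a read-only lookup.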