Commit message | Author | Age | Files | Lines
* debian: disable php7 (#28608) [HEAD, master] | Benjamin Dauvergne | 2019-09-09 | 2 | -2/+3
* Modify .gitignore for PHP 7 binding (#28608) | Tomohiro "Tomo-p" KATO | 2019-09-09 | 1 | -0/+3
  License: MIT

* Add PHP 7 binding (#28608) | Tomohiro "Tomo-p" KATO | 2019-09-09 | 19 | -5/+2150
  License: MIT

* Fix tests broken by new DEBUG logs (#12829) | Benjamin Dauvergne | 2019-09-09 | 1 | -2/+1
* Improve error logging during node parsing (#12829) | Benjamin Dauvergne | 2019-09-06 | 1 | -19/+47
* Improve configure compatibility (#32425) | Benjamin Dauvergne | 2019-09-06 | 1 | -1/+1
* Improve compatibility with Solaris (#32425) | Benjamin Dauvergne | 2019-09-06 | 1 | -0/+2
* Fix reference count in lasso_server_add_provider2 (fixes #35061) | Benjamin Dauvergne | 2019-09-05 | 1 | -15/+17
  As implemented lasso_server_add_provider2 could not be used as a public API as it did not increase the reference count of the LassoProvider object before adding it to the providers hashtable. lasso_server_add_provider_helper had to be modified to decrement the reference count of the new LassoProvider object after using lasso_server_add_provider2.

* Fix python multi-version builds on jessie and stretch | Benjamin Dauvergne | 2019-09-05 | 3 | -54/+32
  debian/rules assumed that the lasso Makefile would always prefer python2 to python3; it's not the case anymore. Also recent python3 improvements to bindings scripts did not work with python 3.5 on jessie (on jessie/3.5 the default open() encoding is still ASCII, not UTF-8 as in later python3 versions).

* docs/xsltproc: do not use Internet to fetch DTDs, entities or documents (#35590) | Thomas NOEL | 2019-08-27 | 1 | -1/+1
* fix missing include <strings.h> for index() (fixes #33791) | Benjamin Dauvergne | 2019-07-04 | 1 | -0/+1
    tests/basic_tests.c:2141:7: warning: implicit declaration of function 'index' [-Wimplicit-function-declaration]
      qs = index(authnRequestUrl, '?') + 1;
           ^~~~~
    tests/basic_tests.c:2141:7: warning: incompatible implicit declaration of built-in function 'index'

* PAOS: Do not populate "Destination" attribute | Dmitrii Shcherbakov | 2019-07-03 | 2 | -10/+18
  When ECP profile (saml-ecp-v2.0-cs01) is used with PAOS binding Lasso populates an AuthnRequest with the "Destination" attribute set to AssertionConsumerURL of an SP - this leads to IdP-side errors because the destination attribute in the request does not match the IdP URL.

  The "Destination" attribute is mandatory only for HTTP Redirect and HTTP Post bindings when AuthnRequests are signed per saml-bindings-2.0-os (sections 3.4.5.2 and 3.5.5.2).

  Specifically for PAOS it makes sense to avoid setting that optional attribute because an ECP decides which IdP to use, not the SP.

  Fixes Bug: 34409
  License: MIT
  Signed-off-by: Dmitrii Shcherbakov <dmitrii.shcherbakov@canonical.com>

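Editor's added example (not Lasso code, not part of this commit): both sides of the Destination rule the commit message cites. The SP side omits Destination over PAOS because it cannot know which IdP the ECP will pick; the receiver side applies saml-bindings-2.0-os 3.4.5.2/3.5.5.2 (signed HTTP-Redirect/HTTP-POST messages must carry a Destination matching the receiving URL) and saml-core-2.0-os 3.2.1 (a Destination that is present but does not match the receiving location must be discarded, whatever the binding). The function names, the constructed AuthnRequest and the timestamp are assumptions of this example.

```python
"""Receiver-side handling of the SAML 2.0 "Destination" attribute.

Added example, not Lasso code. saml-bindings-2.0-os 3.4.5.2/3.5.5.2
(HTTP-Redirect, HTTP-POST): a signed message MUST carry Destination and
the receiver MUST check it against the URL the message arrived at.
saml-core-2.0-os 3.2.1: Destination is otherwise optional, but if it is
present the recipient MUST still check it and discard a mismatch.
"""
import xml.etree.ElementTree as ET

NS_SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
NS_SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
BINDING_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
BINDING_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
BINDING_PAOS = "urn:oasis:names:tc:SAML:2.0:bindings:PAOS"
ET.register_namespace("samlp", NS_SAMLP)
ET.register_namespace("saml", NS_SAML)


def build_authn_request(req_id, issuer, acs_url, binding, destination=None):
    """SP side: serialise an AuthnRequest, emitting Destination only when
    the request travels over a front-channel binding. Over PAOS the SP
    does not know which IdP the ECP will pick, so the attribute is left
    out even if a caller passes one (the behaviour the commit adopts)."""
    attrs = {
        "ID": req_id,
        "Version": "2.0",
        "IssueInstant": "2019-07-03T00:00:00Z",  # constructed timestamp
        "AssertionConsumerServiceURL": acs_url,
    }
    if binding != BINDING_PAOS and destination is not None:
        attrs["Destination"] = destination
    root = ET.Element("{%s}AuthnRequest" % NS_SAMLP, attrs)
    ET.SubElement(root, "{%s}Issuer" % NS_SAML).text = issuer
    return ET.tostring(root, encoding="unicode")


def check_destination(xml_text, binding, signed, received_at):
    """Receiver side: return (ok, reason).

    `signed` is the outcome of the signature check done elsewhere (for
    HTTP-Redirect the signature is in the query string, not in the XML);
    this function only applies the Destination rule on top of it."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}AuthnRequest" % NS_SAMLP:
        return False, "not a samlp:AuthnRequest"
    dest = root.get("Destination")
    front_channel = binding in (BINDING_REDIRECT, BINDING_POST)
    if front_channel and signed and dest is None:
        return False, "signed front-channel message without Destination"
    if dest is not None and dest != received_at:
        # Core 3.2.1: a present-but-mismatching Destination is a discard
        # whatever the binding. This is exactly the IdP-side error the
        # commit avoids by not sending the SP's own ACS URL over PAOS.
        return False, "Destination %r does not match receiving URL %r" % (dest, received_at)
    return True, "ok"
```

The receiver never treats a missing Destination as "matches anything" for a signed front-channel message, and never skips the comparison when the attribute is present; both shortcuts would let a message signed for one endpoint be replayed to another.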
* export symbol lasso_log (#33784) | Benjamin Dauvergne | 2019-07-02 | 1 | -2/+2
  The symbol lasso_log has to be exported, otherwise Solaris run-time linker fails due to an unresolved symbol dependency.

* tests: use self-generated certificate to sign federation metadata file (#33823) | Benjamin Dauvergne | 2019-06-11 | 10 | -54/+192
  Generation procedure:

    openssl genrsa -out rootCA.key 4096
    openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 99999 -out rootCA.crt
    openssl genrsa -out lasso.key 2048
    openssl req -new -sha256 -key lasso.key -subj "/C=FR/CN=Lasso" -out lasso.csr
    openssl x509 -req -in lasso.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out lasso.crt -days 99999 -sha256
    openssl pkcs12 -export -inkey lasso.key -password pass: -in lasso.crt -name lasso -out lasso.pkcs12
    xmlsec1 --sign --output renater.xml --trusted-pem rootCA.crt --pwd "" --pkcs12 lasso.pkcs12 metadata/renater-metadata.xml
    xmlsec1 --verify --trusted-pem rootCA.crt metadata/renater-metadata.xml

* Do not ignore WantAuthnRequestSigned value with hint MAYBE (fixes #33354) | Benjamin Dauvergne | 2019-05-23 | 1 | -2/+2
  Bug introduced in commit 394680712.

* Use io.open(encoding=utf8) in extract_symbols/sections.py (fixes #33360) | Benjamin Dauvergne | 2019-05-23 | 2 | -4/+5
* xml: adapt schema in saml2:AuthnContext (#29340) | Benjamin Dauvergne | 2019-01-19 | 1 | -0/+4
  The saml2:AuthnContext XML schema indicates that AuthenticatingAuthority is an optional unbounded list of nodes, but the current Lasso schema only handles a unique element. To prevent Lasso from refusing perfectly legal messages, we add a rule to the Lasso schema ignoring other nodes after the first one.

* Fix ECP signature not found error when only assertion is signed (#26828) | John Dennis | 2019-01-11 | 3 | -33/+95
  With a SAML Authn Response either the message or the assertion contained in the response message or both can be signed. Most IdPs sign the message. This fixes a bug when processing an ECP authn response when only the assertion is signed.

  lasso_saml20_profile_process_soap_response_with_headers() performs a signature check on the SAML message. A signature can also appear on the assertion which is checked by lasso_saml20_login_process_response_status_and_assertion().

  The problem occurred when the message was not signed and lasso_saml20_profile_process_soap_response_with_headers() returned LASSO_DS_ERROR_SIGNATURE_NOT_FOUND as an error code which is not actually an error because we haven't checked the signature on the assertion yet. We were returning the first LASSO_DS_ERROR_SIGNATURE_NOT_FOUND error when in fact the subsequent signature check in lasso_saml20_login_process_response_status_and_assertion() succeeded.

  The ECP unit tests were enhanced to cover these cases. The enhanced unit test revealed a problem in two switch statements operating on the return value of lasso_profile_get_signature_verify_hint() which were missing a case statement for LASSO_PROFILE_SIGNATURE_VERIFY_HINT_FORCE which caused an abort due to an unknown enumeration value.

  Fixes Bug: 26828
  License: MIT
  Signed-off-by: John Dennis <jdennis@redhat.com>

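Editor's added example (not Lasso's implementation, not part of this commit): the decision the commit describes, written as one function over the two signature outcomes. The result and hint names echo the identifiers in the commit message, but the semantics assumed here (MAYBE: verify whatever is present; IGNORE: skip verification; FORCE: at least one signature must verify) and the function itself are this example's assumptions. It also shows the point behind the missing switch case: every hint value gets an explicit branch and anything else is an error rather than a fall-through.

```python
"""Combine message-level and assertion-level signature outcomes.

Added example of the decision described in the commit above; it is not
Lasso's code. Identifier names mirror the commit message; the policy is
an assumption of this example.
"""
from enum import Enum


class SigResult(Enum):
    OK = "verified"
    NOT_FOUND = "LASSO_DS_ERROR_SIGNATURE_NOT_FOUND"   # nothing to verify
    INVALID = "invalid"                                # present but failed


class VerifyHint(Enum):
    MAYBE = "LASSO_PROFILE_SIGNATURE_VERIFY_HINT_MAYBE"
    IGNORE = "LASSO_PROFILE_SIGNATURE_VERIFY_HINT_IGNORE"
    FORCE = "LASSO_PROFILE_SIGNATURE_VERIFY_HINT_FORCE"


def accept_response(message_sig, assertion_sig, hint):
    """Return (accepted, reason) for a SAML Response given the outcome of
    the signature check on the whole message and on the assertion.

    Every hint value has an explicit branch; an unknown value raises
    instead of silently falling through (the abort the commit fixed)."""
    if hint is VerifyHint.IGNORE:
        # Nothing was verified; only acceptable in test setups.
        return True, "signature verification skipped by hint"
    if hint not in (VerifyHint.MAYBE, VerifyHint.FORCE):
        raise ValueError("unknown signature verify hint: %r" % (hint,))
    # A broken signature is fatal at either level; it must never be
    # folded into "not found" and then retried at the other level.
    if SigResult.INVALID in (message_sig, assertion_sig):
        return False, "invalid signature"
    verified = SigResult.OK in (message_sig, assertion_sig)
    if verified:
        # Message unsigned but assertion signed is the case the commit
        # fixes: NOT_FOUND on the message is not an error once the
        # assertion has been verified.
        level = "message" if message_sig is SigResult.OK else "assertion"
        return True, "signed at %s level" % level
    if hint is VerifyHint.FORCE:
        return False, "no signature found on message or assertion"
    return True, "unsigned response tolerated by MAYBE hint"
```

Note the ordering: INVALID is tested before NOT_FOUND is tolerated, so a response whose message signature fails cannot be rescued by an unsigned assertion, and under FORCE a wholly unsigned response is rejected even though neither check reported anything worse than "not found".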
* extract_types.py: force io to use UTF-8 encoding (fixes #27332) | Benjamin Dauvergne | 2018-10-15 | 1 | -14/+14
* add Jenkinsfile | Benjamin Dauvergne | 2018-10-14 | 1 | -0/+33
* xml: fix parsing of saml:AuthnContext (fixes #25640) | Benjamin Dauvergne | 2018-10-14 | 1 | -1/+1
  Decl/DeclRef are alternatives; when matching a Decl we should jump over the DeclRef.

* Remove -Werror from --enable-debugging (fixes #24771) | Benjamin Dauvergne | 2018-07-24 | 1 | -1/+1
  GCC 8 has better warnings and it breaks the build on platforms already using it and wanting debugging symbols.

* Move AC_SUBST declaration for AM_CFLAGS with alike (#24771) | Benjamin Dauvergne | 2018-07-24 | 1 | -1/+1
  Just to reorder things properly in configure.ac.

* Clean python cache when building python3 binding | Benjamin Dauvergne | 2018-07-24 | 1 | -0/+3
  Python3 stores the .pyc cache in the hidden directory __pycache__; distcheck complained that the source directory was not completely clean after a distclean.

* Configure should search for versioned Python interpreter. | John Dennis | 2018-07-24 | 1 | -1/+1
  Following the guidelines in Python PEP 394 with regards to the python command on UNIX like systems, preference should be given to an explicitly versioned command interpreter as opposed to an unversioned one, and an unversioned python command should (but might not) refer to Python2. Also in some environments unversioned Python interpreters (e.g. /usr/bin/python) do not even exist, only their explicitly versioned variants are (e.g. /usr/bin/python2 and /usr/bin/python3).

  Therefore the AC_CHECK_PROGS directive in configure.ac should not rely exclusively on an unversioned Python interpreter as it does now, rather it should search in priority order. First for python3, then for an unversioned python because some distributions have already moved the default unversioned python to python3, and then finally search for python2. In the scenario where unversioned python is still pointing to python2 it's equivalent to selecting the last priority option of python2, but if unversioned python is pointing to python3 you get python3 instead. The net result is always preferring python3 but gracefully falling back to python2 no matter how the environment exports its Python.

  If AC_CHECK_PROGS for python does not check for the versioned variants the build fails in environments that only have versioned variants with this error:

    configure: error: Python must be installed to compile lasso

  License: MIT
  Signed-off-by: John Dennis <jdennis@redhat.com>

* Make more Python scripts compatible with both Py2 and Py3 | John Dennis | 2018-07-24 | 13 | -109/+139
  While porting other Python code in the repo to run under Py3 (as well as Py2) it was discovered there were a number of other Python scripts which also needed porting. However these scripts are never invoked during a build so there was no easy way to test the porting work. I assume these scripts are for developers only and/or are historical.

  Because there was no way for me to test the porting changes on these scripts I did not want to include the changes in the patch for the Py3 porting which fixed scripts that are invoked during the build (the former patch is mandatory, this patch is optional at the moment). I did verify the scripts compile cleanly under both Py2 and Py3, however it's possible I missed porting something or the error does not show up until run-time.

  Examples of the required changes are:

  * Replace use of the built-in function file() with open(). file() does not exist in Py3, open works in both Py2 and Py3. The code was also modified to use a file context manager (e.g. with open(xxx) as f:). This assures open files are properly closed when the code block using the file goes out of scope. This is a standard modern Python idiom.
  * Replace all use of the print keyword with the six.print_() function, which itself is an emulation of Py3's print function. Py3 no longer has a print keyword, only a print() function.
  * The dict methods .keys(), .values(), .items() no longer return a list in Py3, instead they return a "view" object which is an iterator whose result is an unordered set. The most notable consequence is you cannot index the result of these functions like you could in Py2 (e.g. dict.keys()[0] will raise a run time exception).
  * Replace use of StringIO.StringIO and cStringIO with six.StringIO. Py3 no longer has cStringIO and the six variant handles the correct import.
  * Py3 no longer allows the "except xxx, variable" syntax, where the variable appearing after the comma is assigned the exception object; you must use the "as" keyword to perform the variable assignment (e.g. except xxx as variable).
  * Python PEP 3113 removed tuple parameter unpacking. Therefore you can no longer define a formal parameter list that contains tuple notation representing a single parameter that is unpacked into multiple arguments.

  License: MIT
  Signed-off-by: John Dennis <jdennis@redhat.com>

* Downcase UTF-8 file encoding name | John Dennis | 2018-07-24 | 6 | -6/+6
  Python and Emacs (and others?) recognize a special directive line in a file that identifies what encoding the file is encoded in. See Python PEP 263. For example:

  The general form of the directive is:

  where xxx is the name of a codec. Python codec names are lower case with underscores used to separate words. In both Python and Emacs one can create aliases for the codecs so you can use an alternate name to refer to the same codec. Python is forgiving with respect to case, underscore and hyphens. Python will automatically create an alias for a codec name by downcasing it and replacing hyphens with underscores, thus "UTF-8" is actually an alias for the "utf_8" codec.

  Unfortunately emacs does not automatically create such aliases, although one can add aliases via a custom initialization file, but doing so requires every user using emacs to edit the files to manually create their own aliases.

  If you try to write a file in emacs with the "UTF-8" codec name it won't recognize it as "utf-8", instead you'll get errors like this:

    Warning (mule): Invalid coding system ‘UTF-8’ is specified for the current buffer/file by the :coding tag. It is highly recommended to fix it before writing to a file.

  and you must force the file to be written by responding to additional prompts.

  This patch simply downcases the "UTF-8" codec name to "utf-8" so that both Python and Emacs will accept the codec name.

  License: MIT
  Signed-off-by: John Dennis <jdennis@redhat.com>

* fix duplicate definition of LogoutTestCase and logoutSuite | John Dennis | 2018-07-24 | 1 | -18/+16
  Commit 6f617027e added a duplicate definition of the LogoutTestCase class containing only 1 test which shadowed the original LogoutTestCase containing 4 tests. The logoutSuite variable was also shadowed and the allTests variable contained a duplicate of logoutSuite causing the 2nd definition of LogoutTestCase to be run twice.

  Not only were the original 4 tests not being run but the entire unit test in profiles_tests.py was failing under Python3. This is because the unittest code in Py3 deletes a test from its list of tests to run once it's been run. The second time the logoutSuite was invoked it no longer contained any tests which caused an exception to be raised because there were no tests to be run.

  License: MIT
  Signed-off-by: John Dennis <jdennis@redhat.com>

* Make Python scripts compatible with both Py2 and Py3 | John Dennis | 2018-07-24 | 4 | -44/+46
  During the build if the Python3 interpreter is used a number of scripts will fail because they were never ported from Py2 to Py3. In general we want Python code to be compatible with both Py2 and Py3. This patch brings the scripts up to date with Py3 but retains backwards compatibility with Py2 (specifically Py 2.7, the last Py2 release).

  Examples of the required changes are:

  * Replace use of the built-in function file() with open(). file() does not exist in Py3, open works in both Py2 and Py3. The code was also modified to use a file context manager (e.g. with open(xxx) as f:). This assures open files are properly closed when the code block using the file goes out of scope. This is a standard modern Python idiom.
  * Replace all use of the print keyword with the six.print_() function, which itself is an emulation of Py3's print function. Py3 no longer has a print keyword, only a print() function.
  * The dict methods .keys(), .values(), .items() no longer return a list in Py3, instead they return a "view" object which is an iterator whose result is an unordered set. The most notable consequence is you cannot index the result of these functions like you could in Py2 (e.g. dict.keys()[0] will raise a run time exception).
  * Replace use of StringIO.StringIO and cStringIO with six.StringIO. Py3 no longer has cStringIO and the six variant handles the correct import.
  * Py3 no longer allows the "except xxx, variable" syntax, where the variable appearing after the comma is assigned the exception object; you must use the "as" keyword to perform the variable assignment (e.g. except xxx as variable).

  Note: the modifications in this patch are the minimum necessary to get the build to run with the Py3 interpreter. There are numerous other Python scripts in the repo which need Py3 porting as well but because they are not invoked during a build they will be updated in a subsequent patch.

  License: MIT
  Signed-off-by: John Dennis <jdennis@redhat.com>

* Use python interpreter specified configure script | John Dennis | 2018-07-24 | 4 | -3/+6
  The configure script allows you to specify the python interpreter to use via the --with-python option. There were several places where the python interpreter was implicitly invoked without using the specified version. This can create a number of problems in an environment with multiple python versions as is the case during the transition from Python 2 to Python 3.

  Python 2 is not compatible with Python 3. Lasso's Python code is supposed to be compatible with both versions. But during the build and when running the unit tests it is essential the same interpreter be used consistently otherwise you can have problems.

  This patch assures whenever python is invoked it does so via the $(PYTHON) configuration variable.

  What about shebang lines (e.g. #!/usr/bin/python) at the top of scripts? Python PEP 394 (https://www.python.org/dev/peps/pep-0394/) covers this. Basically it says if a script is compatible only with Py2 the shebang should be #!/usr/bin/python2, if only compatible with Py3 the shebang should be #!/usr/bin/python3. However, if the script is compatible with both versions it can continue to use the compatible with both Py2 and Py3.

  License: MIT
  Signed-off-by: John Dennis <jdennis@redhat.com>

* tools: set output buffer size in lasso_inflate to 20 times the input size (fixes #24853) | Benjamin Dauvergne | 2018-06-28 | 1 | -2/+2
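Editor's added example (not Lasso's lasso_inflate, not part of this commit): the same output cap, 20 times the input size, applied to the raw DEFLATE payload of the SAML HTTP-Redirect binding using zlib's decompressobj. The point of the cap is that the sender controls the expansion ratio, so an unbounded inflate lets a small SAMLRequest parameter make the receiver allocate arbitrarily; the guard below refuses once the limit is hit instead of growing the buffer. The ratio is taken from the commit title; the function names, the error class and the sample payloads are this example's own.

```python
"""Bounded raw-DEFLATE decoding for SAML HTTP-Redirect payloads.

Added example, not Lasso's lasso_inflate. The 20x ratio is the one the
commit above adopts; the function names and error class are assumptions
of this example.
"""
import base64
import zlib

MAX_RATIO = 20


class InflateLimitExceeded(ValueError):
    """Decompressed size would exceed len(input) * max_ratio."""


def bounded_inflate(data, max_ratio=MAX_RATIO):
    """Inflate a raw DEFLATE stream (wbits=-15, as the Redirect binding
    uses) producing at most len(data) * max_ratio bytes."""
    if not data:
        raise ValueError("empty DEFLATE stream")
    limit = len(data) * max_ratio
    d = zlib.decompressobj(wbits=-15)
    out = d.decompress(data, limit)
    if d.unconsumed_tail:
        # Output limit reached with input left over. If even one more
        # byte comes out, the payload is over the allowed ratio.
        if d.decompress(d.unconsumed_tail, 1):
            raise InflateLimitExceeded(
                "inflated data exceeds %d bytes (%dx input)" % (limit, max_ratio))
    if not d.eof:
        raise ValueError("truncated or corrupt DEFLATE stream")
    return out


def decode_redirect_payload(b64_param, max_ratio=MAX_RATIO):
    """SAMLRequest/SAMLResponse value (already URL-decoded): base64 ->
    raw DEFLATE -> XML bytes, with the size cap applied."""
    return bounded_inflate(base64.b64decode(b64_param, validate=True), max_ratio)


def deflate_raw(xml_bytes):
    """Constructed sender side, used only to build sample inputs."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    return c.compress(xml_bytes) + c.flush()


def encode_redirect_payload(xml_bytes):
    return base64.b64encode(deflate_raw(xml_bytes)).decode("ascii")


# Constructed samples (not taken from any real exchange).
SAMPLE_XML = (b'<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
              b'ID="_abc" Version="2.0" IssueInstant="2018-06-28T00:00:00Z"/>')
BOMB_XML = b"<a>" + b"\x00" * (1 << 20) + b"</a>"   # 1 MiB of zeros deflates to ~1 KiB
```

A real AuthnRequest rarely inflates beyond a few times its deflated size, so 20x leaves headroom for legitimate traffic while keeping the worst case proportional to the request size the web server already bounded.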
* jenkins.sh: add a make clean to prevent previous build to break new ones | Benjamin Dauvergne | 2018-06-28 | 1 | -0/+1
* tools: fix segfault in lasso_get_saml_message (fixes #24830) | Benjamin Dauvergne | 2018-06-28 | 2 | -4/+11
  We reuse the "message" local variable but we should not. Also fix a segfault in lasso_xmltextreader_from_message() when getting the length of "message" before checking if it is NULL or not.

* python: add a classmethod for lasso.profileGetIssuer (#24831) | Frédéric Péters | 2018-06-28 | 2 | -3/+8
* faq: fix references to lasso.profileGetIssuer (#24832) | Frédéric Péters | 2018-06-27 | 1 | -3/+3
* debian: sync with debian package (#24595) | Frédéric Péters | 2018-06-27 | 9 | -21/+625
* website: add news about 2.6.0 release | Benjamin Dauvergne | 2018-06-14 | 1 | -0/+15
* Release 2.6.0 [v2.6.0, v2.5.99] | Benjamin Dauvergne | 2018-05-30 | 4 | -2/+42
* perl/tests: build Makefile.perl before running the tests | Benjamin Dauvergne | 2018-05-30 | 1 | -0/+2
* deprecate loading PEM formatted public keys in lasso_xmlsec_load_key_info | Benjamin Dauvergne | 2018-05-01 | 16 | -490/+116
  Also ensure a work-around for bug [1] in libxmlsec 1.2.24 and 1.2.25.

  [1]: https://github.com/lsh123/xmlsec/issues/164

* add a pem-public-key runtime flag | Benjamin Dauvergne | 2018-05-01 | 2 | -0/+10
  We want to deprecate support for loading PEM formatted keys from ds:KeyValue nodes; before final removal it will have to be activated through a runtime flag (using the LASSO_FLAG environment variable).

* Replace xmlSecSoap functions with lasso implementations | John Dennis | 2018-04-30 | 6 | -128/+153
  xmlsec has removed support for SOAP. The missing xmlSecSoap* functions and their dependent utility functions were added to Lasso following the model of the existing xmlSec implementations.

  Note: Lasso tried to accommodate both SOAP 1.1 and SOAP 1.2 but SAML2 *only* uses SOAP 1.1 thus the SOAP 1.2 support was superfluous and confused matters. Therefore the SOAP 1.2 support was removed.

  The following new functions were added to Lasso to support SOAP:

  * lasso_xml_next_element_node
  * lasso_xml_get_node_ns_href
  * lasso_xml_is_element_node
  * lasso_xml_soap11_get_header
  * lasso_xml_soap11_get_body

  The following is the mapping from the deprecated xmlSecSoap symbols to the new Lasso symbols:

    xmlSecSoap11Ns           -> LASSO_SOAP_ENV_HREF
    xmlSecGetNextElementNode -> lasso_xml_next_element_node
    xmlSecGetNodeNsHref      -> lasso_xml_get_node_ns_href
    xmlSecCheckNodeName      -> lasso_xml_is_element_node
    xmlSecSoap11GetHeader    -> lasso_xml_soap11_get_header
    xmlSecSoap11GetBody      -> lasso_xml_soap11_get_body

  This patch also extends the automake version support in autogen.sh to the current 1.16 version.

  License: MIT
  Signed-off-by: John Dennis <jdennis@redhat.com>

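Editor's added example (standard-library Python, not the C code this commit adds): the checks a SOAP 1.1 header/body lookup of the kind the commit lists (lasso_xml_soap11_get_header, lasso_xml_soap11_get_body) has to make. Element names are compared by full qualified name against the SOAP 1.1 envelope namespace (the value the commit calls LASSO_SOAP_ENV_HREF), so a lookalike <Body> in another namespace is not accepted; the Header, if present, must come first; and a second Body or a Header after the Body is refused rather than one of the two being picked. The function names and the constructed envelopes are this example's own; requiring exactly one payload element in the Body is a policy of this example, not a SOAP rule.

```python
"""Namespace-strict SOAP 1.1 envelope access.

Added example, not Lasso's implementation. SOAP 1.1: the root is
env:Envelope; env:Header, if present, is the first child; env:Body is
required and follows it. The envelope namespace is the SOAP 1.1 one.
"""
import xml.etree.ElementTree as ET

SOAP_ENV_HREF = "http://schemas.xmlsoap.org/soap/envelope/"
NS_SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"


def _qname(local):
    return "{%s}%s" % (SOAP_ENV_HREF, local)


def parse_soap11(xml_text):
    """Return (header_or_None, body) or raise ValueError.

    Comparisons use the full qualified name, so a <Body> in another
    namespace or an unprefixed one is not taken as the SOAP body."""
    root = ET.fromstring(xml_text)
    if root.tag != _qname("Envelope"):
        raise ValueError("root is not a SOAP 1.1 env:Envelope: %s" % root.tag)
    children = list(root)   # ElementTree's default parser keeps element nodes only
    if not children:
        raise ValueError("empty envelope")
    header = None
    idx = 0
    if children[0].tag == _qname("Header"):
        header = children[0]
        idx = 1
    if idx >= len(children) or children[idx].tag != _qname("Body"):
        raise ValueError("env:Body missing or not where SOAP 1.1 puts it")
    body = children[idx]
    for extra in children[idx + 1:]:
        # A second Body, or a Header after the Body, is malformed: refuse
        # rather than silently choose between two candidates.
        if extra.tag in (_qname("Header"), _qname("Body")):
            raise ValueError("duplicate %s element" % extra.tag)
    return header, body


def soap11_payload(body):
    """Return the single protocol message element inside env:Body.

    The SAML SOAP binding carries one message per envelope; anything
    else is rejected here (a policy of this example)."""
    elems = list(body)
    if len(elems) != 1:
        raise ValueError("expected exactly one element in env:Body, got %d" % len(elems))
    return elems[0]


# Constructed envelopes (not captured traffic).
ENVELOPE_WITH_HEADER = (
    '<env:Envelope xmlns:env="%s" xmlns:samlp="%s">'
    '<env:Header><x:Note xmlns:x="urn:example:x"/></env:Header>'
    '<env:Body><samlp:AuthnRequest ID="_1" Version="2.0"/></env:Body>'
    '</env:Envelope>' % (SOAP_ENV_HREF, NS_SAMLP))
ENVELOPE_NO_HEADER = (
    '<env:Envelope xmlns:env="%s"><env:Body>'
    '<samlp:Response xmlns:samlp="%s" ID="_2" Version="2.0"/>'
    '</env:Body></env:Envelope>' % (SOAP_ENV_HREF, NS_SAMLP))
LOOKALIKE_BODY = (
    '<env:Envelope xmlns:env="%s"><Body>'
    '<samlp:Response xmlns:samlp="%s" ID="_3" Version="2.0"/>'
    '</Body></env:Envelope>' % (SOAP_ENV_HREF, NS_SAMLP))
HEADER_AFTER_BODY = (
    '<env:Envelope xmlns:env="%s"><env:Body/><env:Header/></env:Envelope>'
    % SOAP_ENV_HREF)
```

Matching on local name alone is the shortcut to avoid here: an envelope can carry a `Body` element from any namespace, and only the one in the SOAP 1.1 envelope namespace is the place the SAML message is expected.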
* perl: set DESTDIR and PREFIX at Makefile's creation | Benjamin Dauvergne | 2018-04-30 | 1 | -2/+2
* perl: force use of the in-tree lasso when running tests (fixes #23276) | Benjamin Dauvergne | 2018-04-29 | 1 | -1/+1
* python: route logs for libxml2 and libxmlsec2 to their own logger | Benjamin Dauvergne | 2018-04-29 | 1 | -4/+4
* add xmlsec_soap.h to Makefile | Benjamin Dauvergne | 2018-04-06 | 1 | -0/+1
* java: stop setting a bytecode version target | Benjamin Dauvergne | 2018-04-06 | 1 | -1/+0
* tests: prevent crash in glib caused by abort on recursive logging | Benjamin Dauvergne | 2018-04-06 | 2 | -9/+30
  The fail() function from libcheck is doing a longjump() from inside the logging subsystem, preventing the depth counter from being reinitialised to 0. (Seen with g_private_get(&g_log_depth) in a gdb session.)

* route logs from libxml2 and libxmlsec through GLib logging | Benjamin Dauvergne | 2018-04-06 | 4 | -18/+24
* fix get_issuer and get_in_response_to | Benjamin Dauvergne | 2018-04-06 | 8 | -62/+199