more on single logout

2004-09-08 10:40:32 +00:00 · 2004-09-08 10:40:32 +00:00 · 247d900c46
parent 09ce1abcb5
commit 247d900c46
5 changed files with 190 additions and 16 deletions
--- a/data/idp-metadata.xml
+++ b/data/idp-metadata.xml
@ -1,6 +1,6 @@
 <?xml version="1.0"?>
 <EntityDescriptor
-    ProviderID="https://localhost/cgi-bin/idpc"
+    providerID="https://localhost/cgi-bin/idpc"
    xmlns="urn:liberty:metadata:2003-08">
 <IDPDescriptor>
  <SingleLogoutServiceURL>https://localhost/cgi-bin/idpc/auth/singleLogout</SingleLogoutServiceURL>
@ -8,8 +8,11 @@
  <SoapEndpoint>https://localhost/cgi-bin/idpc/soapEndpoint</SoapEndpoint>
  <SingleSignOnServiceURL>https://localhost/cgi-bin/idpc/auth/singleSignOn</SingleSignOnServiceURL>
  <SingleSignOnProtocolProfile>http://projectliberty.org/profiles/sso-get</SingleSignOnProtocolProfile>
+  <SingleLogoutServiceURL>https://localhost/cgi-bin/idpc/auth/singleLogout</SingleSignOnServiceURL>
  <SingleLogoutProtocolProfile>http://projectliberty.org/profiles/slo-idp-soap</SingleLogoutProtocolProfile>
+  <!--
  <RegisterNameIdentifierServiceURL>https://localhost/cgi-bin/idpc/registerNameIdentifier</RegisterNameIdentifierServiceURL>
+  -->
  <FederationTerminationServiceURL>https://localhost/cgi-bin/idpc/auth/federationTermination</FederationTerminationServiceURL>
  <FederationTerminationNotificationProtocolProfile>http://projectliberty.org/profiles/rni-idp-soap</FederationTerminationNotificationProtocolProfile>
 </IDPDescriptor>
--- a/data/sp-metadata.xml
+++ b/data/sp-metadata.xml
@ -1,6 +1,6 @@
 <?xml version="1.0"?>
 <EntityDescriptor
-    ProviderID="https://service-provider:2003/liberty-alliance/metadata"
+    providerID="https://service-provider:2003/liberty-alliance/metadata"
    xmlns="urn:liberty:metadata:2003-08">
 <SPDescriptor>
  <SingleLogoutServiceURL>https://service-provider:2003/liberty-alliance/liberty-alliance/singleLogout</SingleLogoutServiceURL>
@ -8,8 +8,9 @@
  <SoapEndpoint>https://service-provider:2003/liberty-alliance/liberty-alliance/soapEndpoint</SoapEndpoint>
  <SingleLogoutProtocolProfile>http://projectliberty.org/profiles/slo-idp-soap</SingleLogoutProtocolProfile>
  <RegisterNameIdentifierServiceURL>https://service-provider:2003/liberty-alliance/liberty-alliance/registerNameIdentifier</RegisterNameIdentifierServiceURL>
-  <AssertionConsumerServiceURL id="AssertionConsumerServiceURL1" isDefault="true">https://service-provider:2003/liberty-alliance/liberty-alliance/assertionConsumer</AssertionConsumerServiceURL>
+  <AssertionConsumerServiceURL id="AssertionConsumerServiceURL1" isDefault="true">
+    https://service-provider:2003/liberty-alliance/liberty-alliance/assertionConsumer
+  </AssertionConsumerServiceURL>
  <AuthnRequestsSigned>true</AuthnRequestsSigned>
-  <FederationTerminationNotificationProtocolProfile>http://projectliberty.org/profiles/fedterm-sp-http</FederationTerminationNotificationProtocolProfile>
 </SPDescriptor>
 </EntityDescriptor>
--- a/doc/Makefile.am
+++ b/doc/Makefile.am
@ -7,7 +7,7 @@ doc_DATA = manual.txt
 endif

 idpc-manual.html: manual.txt ../INSTALL
-	rest2html manual.txt > idpc-manual.html
+	$(REST2HTML) manual.txt > idpc-manual.html

 EXTRA_DIST = manual.txt default.css

--- a/doc/default.css
+++ b/doc/default.css
@ -13,6 +13,7 @@ pre.literal-block {
 	border: 1px inset black;
 	padding: 2px;
 	margin: auto 10px;
+	overflow: auto;
 }

 h1.title {
@ -35,6 +36,12 @@ div#table-of-contents {
 	max-width: 33%;
 }

+div#building-liberty-services-with-lasso div#table-of-contents {
+	max-width: inherit;
+	float: none;
+	background: white url(lasso.png) bottom right no-repeat;
+}
+
 div#table-of-contents ul {
 	padding-left: 1em;
 	list-style: none;
@ -100,3 +107,13 @@ div.document {
 	background: white url(lasso.png) bottom right no-repeat;
 }

+div.figure {
+	margin: 0 auto;
+	width: 70%;
+	text-align: center;
+}
+
+p.caption {
+	border: 1px solid black;
+	border-top: 0px;
+}
--- a/src/single_logout.c
+++ b/src/single_logout.c
@ -22,18 +22,156 @@
 #include "idpc.h"

 /* the Single Log-Out service URL handles several cases:
- *  1a. initiated by IdP, HTTP-Redirect (fig12, page46)
- *  1b. initiated by IdP, HTTP-GET (fig13, page48)
- *  1c. initiated by IdP, SOAP (fig14, page50)
- *  2a. initiated by SP, HTTP-Redirect (fig15, page52)
+ *  1a. initiated by IdP, HTTP-Redirect (fig12, page47)
+ *  1b. initiated by IdP, HTTP-GET (fig13, page50)
+ *  1c. initiated by IdP, SOAP (fig14, page52)
+ *  2a. initiated by SP, HTTP-Redirect (fig15, page53)
 *  [!2b. initiated by SP, SOAP is handled in soapEndpoint!]
 */

-int single_logout()
+
+int soap_loop(LassoLogout *logout)
 {
+	other_sp = lasso_logout_get_next_providerID(logout);
+	while (other_sp) {
+		fprintf(stderr, "Other SP: %s\n", other_sp);
+		rc = lasso_logout_init_request(logout, other_sp,
+				lassoHttpMethodAny);
+		if (rc) {
+			fprintf(stderr, "init_request failed\n");
+			goto cleanup;
+		}
+		rc = lasso_logout_build_request_msg(logout);
+		if (rc) {
+			fprintf(stderr, "build_request failed\n");
+			goto cleanup;
+		}
+		if (LASSO_PROFILE(logout)->msg_body) {
+			soap_answer = soap_request(
+					LASSO_PROFILE(logout)->msg_url,
+					LASSO_PROFILE(logout)->msg_body, NULL);
+			if (soap_answer == NULL) {
+				fprintf(stderr, "soap_request failed\n");
+				goto cleanup;
+			}
+
+			rc = lasso_logout_process_response_msg(logout,
+					soap_answer, lassoHttpMethodSoap);
+			if (rc) {
+				free(soap_answer);
+				fprintf(stderr, "logout_process_response_msg failed\n");
+				goto cleanup;
+			}
+			free(soap_answer);
+		} else {
+			/* LASSO_PROFILE(logout)->msg_body == NULL
+			 * that means it didn't support SOAP; ignore it for
+			 * now.
+			 */
+		}
+			
+		other_sp = lasso_logout_get_next_providerID(logout);
+	}
+
+	lasso_logout_reset_providerID_index(logout);
+	other_sp = lasso_logout_get_next_providerID(logout);
+	if (other_sp) {
+		/* remaining service provider; redirect */
+		rc = lasso_logout_init_request(logout, other_sp,
+				lassoHttpMethodRedirect);
+		rc = lasso_logout_build_request_msg(logout);
+
+		printf("Location: %s\n\nRedirected",
+				LASSO_PROFILE(logout)->msg_url);
+	} else {
+		/* we're done */
+		rc = lasso_logout_build_request_msg(logout);
+		if (rc == LASSO_PROFILE_ERROR_MISSING_REQUEST) {
+			/* initiated from IdP */
+			printf("Content-type: text/plain\n\nLogged out");
+			return 0;
+		}
+		if (rc) {
+			printf("Location: %s\n\nRedirected",
+					LASSO_PROFILE(logout)->msg_url);
+			return 0;
+		}
+	}
+
+	return 0;
+}
+
+
+int logout_http(LassoLogout *logout)
+{
+	/* SP-initiated; HTTP-Redirect-Based Profile */
 	int rc;
+	LassoIdentity *identity;
+
+	rc = lasso_logout_process_notification_msg(
+			logout, getenv("QUERY_STRING"),
+			lassoHttpMethodRedirect);
+	if (rc) {
+		return error_page("process_notification_msg failed");
+	}
+
+	rc = set_profile_auto(LASSO_PROFILE(logout));
+	if (rc) {
+		return error_page("set_profile_auto failed");
+	}
+
+	/* alternate soap/redirect profile; could use HTTP-GET here */
+	return soap_loop(logout);
+}
+
+
+int logout_init(LassoLogout *logout)
+{
+	/* IdP-initiated */
+	int rc;
+	LassoIdentity *identity;
+	struct authentication *auth;
+	char *user_id;
+	char *user_dump, *session_dump;
+
+	auth = get_authentication(
+			get_config_string("//idpc:authenticationMethod"));
+	if (auth == NULL) {
+		return error_page("Wrong authentication");
+	}
+
+	user_id = auth->auth_function();
+
+	if (user_id == NULL) {
+		/* anyway */
+		return error_page("Error authenticating");
+	}
+
+	/* retrieve user_dump and session_dump */
+	rc = db_get_dumps(user_id, &user_dump, &session_dump);
+	if (rc) {
+		return error_page("Error getting dumps from db");
+	}
+	rc = set_profile_from_dumps(LASSO_PROFILE(logout),
+			user_dump, session_dump);
+	free(user_dump);
+	free(session_dump);
+	if (rc) {
+		return error_page("Error setting dumps");
+	}
+
+	return soap_loop(logout);
+}
+
+
+int logout_req()
+{
+	int i;
+	char **params;
+	char *spId = NULL;
 	LassoLogout *logout;
 	LassoServer *server;
+	int rc;

 	server = get_config_server();
 	if (server == NULL) {
@ -42,18 +180,33 @@ int single_logout()
 	}

 	logout = lasso_logout_new(server, lassoProviderTypeIdp);
+	if (logout == NULL) {
+		lasso_server_destroy(server);
+		return error_page("lasso_logout_new failed");
+	}

 	rc = lasso_logout_process_request_msg(logout,
 			getenv("QUERY_STRING"), lassoHttpMethodRedirect);
-	if (rc) {
-		lasso_logout_destroy(logout);
+	if (rc == LASSO_PROFILE_ERROR_INVALID_QUERY) {
+		/* unknown query string; initiate logout now */
+		rc = logout_init(logout);
+	} else {
+		if (rc) {
+			fprintf(stderr,
+				"lasso_logout_process_request_msg failed\n");
+		} else {
+			/* this is http-redirect profile; coming from SP */
+			rc = logout_http(logout);
+		}
 	}

-	/* XXX to be continued */
+	lasso_logout_destroy(logout);
+	lasso_server_destroy(server);

-	return 1;
+	return rc;
 }

+
 int main(int argc, char *argv[])
 {
 	int rc;
@ -61,7 +214,7 @@ int main(int argc, char *argv[])
 	if (argc > 1 && handle_args(argc, argv) ) {
 		return 0;
 	}
-		
+
 	rc = init_config();
 	if (rc != 0) {
 		return error_page("Failed to init configuration");
@ -72,7 +225,7 @@ int main(int argc, char *argv[])
 		error_page("Failed to init database access");
 		goto shutdown;
 	}
-	rc = single_logout();
+	rc = logout_req();
 shutdown:
 	db_finish();
 	lasso_shutdown();