authorBenjamin Dauvergne <bdauvergne@entrouvert.com>2010-09-09 16:20:17 +0200
committerBenjamin Dauvergne <bdauvergne@entrouvert.com>2010-09-09 16:20:17 +0200
commit51d5d4d3e37fb7c8ec3aa3d5f9d336fd10a5bff4 (patch)
tree8c52577a52f8eecead08ecbd897e6757fa3e4120
parentb9d53562593cbf2ba47c8869f8c3b9dc37a4ae1f (diff)
[SAMLv2] apply the LassoProfileVerifySignatureHint when processing requests
The check was missing when processing logout requests, name ID management requests and assertion query responses. A new internal function, lasso_saml20_profile_check_signature_status, is added.
-rw-r--r--lasso/saml-2.0/assertion_query.c17
-rw-r--r--lasso/saml-2.0/logout.c19
-rw-r--r--lasso/saml-2.0/name_id_management.c30
-rw-r--r--lasso/saml-2.0/profile.c30
-rw-r--r--lasso/saml-2.0/profileprivate.h1
5 files changed, 45 insertions, 52 deletions
diff --git a/lasso/saml-2.0/assertion_query.c b/lasso/saml-2.0/assertion_query.c
index 3b15d484..2cc6456d 100644
--- a/lasso/saml-2.0/assertion_query.c
+++ b/lasso/saml-2.0/assertion_query.c
@@ -276,22 +276,14 @@ lasso_assertion_query_process_request_msg(LassoAssertionQuery *assertion_query,
LASSO_PARAM_ERROR_INVALID_VALUE);
profile = LASSO_PROFILE(assertion_query);
- rc1 = lasso_saml20_profile_process_soap_request(profile, request_msg);
-
+ lasso_check_good_rc(lasso_saml20_profile_process_soap_request(profile, request_msg));
lasso_extract_node_or_fail(subject_query, profile->request, SAMLP2_SUBJECT_QUERY_ABSTRACT,
LASSO_PROFILE_ERROR_INVALID_MSG);
lasso_extract_node_or_fail(subject, subject_query->Subject, SAML2_SUBJECT,
LASSO_PROFILE_ERROR_MISSING_SUBJECT);
+ lasso_check_good_rc(lasso_saml20_profile_process_name_identifier_decryption(profile, &subject->NameID, &subject->EncryptedID));
- rc2 = lasso_saml20_profile_process_name_identifier_decryption(profile, &subject->NameID, &subject->EncryptedID);
-
- rc = rc1;
- if (rc == 0)
- rc = rc2;
- if (rc == 0)
- rc = profile->signature_status;
cleanup:
-
return rc;
}
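Review bot: With the explicit `rc = profile->signature_status` removed, nothing in this function shows that the signature result is still enforced. It now reaches the caller only through the return value of lasso_saml20_profile_process_soap_request, which applies the verify hint in profile.c. A comment above that call would keep a later reader from assuming the check was dropped, for example `/* signature_status is reported by process_soap_request according to the signature verify hint */`. The rc1 and rc2 locals are declared outside the hunk and look unused after this change, so they can probably be removed.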
@@ -390,10 +382,9 @@ lasso_assertion_query_process_response_msg(
lasso_bad_param(ASSERTION_QUERY, assertion_query);
profile = &assertion_query->parent;
- response = (LassoSamlp2StatusResponse*)lasso_samlp2_response_new();
- lasso_check_good_rc(lasso_saml20_profile_process_any_response(profile,
- response, NULL, response_msg));
+ lasso_check_good_rc(lasso_saml20_profile_process_soap_response(profile,
+ response_msg));
cleanup:
lasso_release_gobject(response);
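Review bot: `response` is no longer assigned anywhere in the visible lines, yet `lasso_release_gobject(response);` still runs under `cleanup:`. Its declaration is outside the hunk: if it is not initialised to NULL the release acts on an indeterminate pointer, and if it is, both the local and the release are dead code and can be removed. It is also not visible here whether lasso_saml20_profile_process_soap_response consults the signature verify hint, which is what the commit message promises for assertion query responses, so that is worth confirming.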
diff --git a/lasso/saml-2.0/logout.c b/lasso/saml-2.0/logout.c
index fd7f5335..a4b37f2d 100644
--- a/lasso/saml-2.0/logout.c
+++ b/lasso/saml-2.0/logout.c
@@ -121,7 +121,7 @@ lasso_saml20_logout_process_request_msg(LassoLogout *logout, char *request_msg)
{
LassoProfile *profile = NULL;
LassoSamlp2LogoutRequest *logout_request = NULL;
- int rc1 = 0, rc2 = 0;
+ int rc1 = 0, rc2 = 0, rc = 0;
lasso_bad_param(LOGOUT, logout);
lasso_null_param(request_msg);
@@ -130,26 +130,19 @@ lasso_saml20_logout_process_request_msg(LassoLogout *logout, char *request_msg)
logout_request = (LassoSamlp2LogoutRequest*) lasso_samlp2_logout_request_new();
rc1 = lasso_saml20_profile_process_any_request(profile, (LassoNode*)logout_request,
request_msg);
+ goto_cleanup_if_fail_with_rc(rc1 == 0, rc1);
- logout_request = (LassoSamlp2LogoutRequest*)profile->request;
- if (rc1 && ! logout_request) {
- return rc1;
- }
/* remember initial request method, for setting it for generating response */
logout->initial_http_request_method = profile->http_request_method;
-
rc2 = lasso_saml20_profile_process_name_identifier_decryption(profile,
&logout_request->NameID,
&logout_request->EncryptedID);
+ goto_cleanup_if_fail_with_rc(rc2 == 0, rc2);
+ lasso_check_good_rc(lasso_saml20_profile_check_signature_status(profile));
+cleanup:
lasso_release_gobject(logout_request);
- if (profile->signature_status) {
- return profile->signature_status;
- }
- if (rc1) {
- return rc1;
- }
- return rc2;
+ return rc;
}
int
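Review bot: The signature result is checked only after lasso_saml20_profile_process_name_identifier_decryption has run, so under the MAYBE and FORCE hints a request whose signature failed still has its EncryptedID handed to the decryption code before it is rejected. Calling `lasso_check_good_rc(lasso_saml20_profile_check_signature_status(profile));` directly after the rc1 check would reject such a request first. If the decrypted NameID is needed to build the error response, a comment saying so would explain the current order. rc1 and rc2 are now redundant and could be replaced by lasso_check_good_rc, as done in name_id_management.c; the function's declarations are in the preceding hunk.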
diff --git a/lasso/saml-2.0/name_id_management.c b/lasso/saml-2.0/name_id_management.c
index 2fdb6754..b10b914d 100644
--- a/lasso/saml-2.0/name_id_management.c
+++ b/lasso/saml-2.0/name_id_management.c
@@ -159,38 +159,24 @@ gint
lasso_name_id_management_process_request_msg(LassoNameIdManagement *name_id_management,
char *request_msg)
{
- int rc1 = 0, rc2 = 0;
LassoProfile *profile = NULL;
LassoSamlp2ManageNameIDRequest *request = NULL;
+ int rc = 0;
lasso_bad_param(NAME_ID_MANAGEMENT, name_id_management);
lasso_null_param(request_msg);
- /* Parsing */
profile = LASSO_PROFILE(name_id_management);
request = (LassoSamlp2ManageNameIDRequest*)lasso_samlp2_manage_name_id_request_new();
- rc1 = lasso_saml20_profile_process_any_request(profile,
+ lasso_check_good_rc(lasso_saml20_profile_process_any_request(profile,
(LassoNode*)request,
- request_msg);
-
- if (! LASSO_IS_SAMLP2_MANAGE_NAME_ID_REQUEST(profile->request)) {
- return LASSO_PROFILE_ERROR_MISSING_REQUEST;
- }
-
- /* NameID treatment */
- rc2 = lasso_saml20_profile_process_name_identifier_decryption(profile,
- &request->NameID, &request->EncryptedID);
-
- lasso_release_gobject(request);
- if (profile->signature_status) {
- return profile->signature_status;
- }
- if (rc1)
- return rc1;
- if (rc2)
- return rc2;
+ request_msg));
+ lasso_check_good_rc(lasso_saml20_profile_process_name_identifier_decryption(profile,
+ &request->NameID, &request->EncryptedID));
+ lasso_check_good_rc(lasso_saml20_profile_check_signature_status(profile));
- return 0;
+cleanup:
+ return rc;
}
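Review bot: The object created by lasso_samlp2_manage_name_id_request_new() is never released in the new body: the old `lasso_release_gobject(request);` was removed and `cleanup:` only returns rc. Each processed message, including one rejected for a bad signature, would then leak a reference, and a remote peer can trigger that repeatedly. logout.c in this same commit keeps the release under its cleanup label, and the same is needed here: `lasso_release_gobject(request);` between `cleanup:` and `return rc;`. The LASSO_IS_SAMLP2_MANAGE_NAME_ID_REQUEST(profile->request) check was also dropped without a replacement, so it is worth confirming that lasso_saml20_profile_process_any_request rejects a message of another type.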
diff --git a/lasso/saml-2.0/profile.c b/lasso/saml-2.0/profile.c
index 083d05ac..1140e63c 100644
--- a/lasso/saml-2.0/profile.c
+++ b/lasso/saml-2.0/profile.c
@@ -605,8 +605,9 @@ cleanup:
* validation fails no error code will be returned, you must explicitely verify the
* profile->signature_status code.
*
- * Return value: 0 if parsing is successful (even if signature validation fails), and error code
- * otherwise.
+ * Return value: 0 if parsing is successful (even if signature validation fails), and otherwise,
+ * LASSO_PROFILE_ERROR_INVALID_MSG, LASSO_PROFILE_ERROR_UNSUPPORTED_PROFILE, *
+ * LASSO_SERVER_ERROR_PROVIDER_NOT_FOUND.
*/
int
lasso_saml20_profile_process_any_request(LassoProfile *profile,
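Review bot: The rewritten return-value text has a stray `*` at the end of the line listing LASSO_PROFILE_ERROR_UNSUPPORTED_PROFILE, and the list lacks an "or" before the last code. The comment also still tells callers to inspect profile->signature_status themselves, although this commit adds a helper that applies the verify hint. I would change that sentence to `you must call lasso_saml20_profile_check_signature_status() to apply the signature verify hint` and fix the list to `LASSO_PROFILE_ERROR_INVALID_MSG, LASSO_PROFILE_ERROR_UNSUPPORTED_PROFILE or`. The function body is outside the hunk.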
@@ -704,13 +705,12 @@ lasso_saml20_profile_process_soap_request(LassoProfile *profile,
remote_provider, request_msg, "ID", LASSO_MESSAGE_FORMAT_SOAP);
switch (lasso_profile_get_signature_verify_hint(profile)) {
+ case LASSO_PROFILE_SIGNATURE_VERIFY_HINT_FORCE:
case LASSO_PROFILE_SIGNATURE_VERIFY_HINT_MAYBE:
rc = profile->signature_status;
break;
case LASSO_PROFILE_SIGNATURE_VERIFY_HINT_IGNORE:
break;
- default:
- g_assert(0);
}
cleanup:
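Review bot: Removing `default: g_assert(0);` means a hint value outside the three listed cases now falls through the switch and the signature status is silently not applied, so the check fails open. For a security decision the unknown case should fail closed, for example `default: rc = profile->signature_status; break;`. The same switch without a default appears in the new lasso_saml20_profile_check_signature_status in the next hunk. Whether lasso_profile_get_signature_verify_hint can return another value is not visible here, and this function starts outside the hunk.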
@@ -1604,3 +1604,25 @@ lasso_saml20_profile_setup_encrypted_node(LassoProvider *provider,
lasso_release_gobject(*node_to_encrypt);
return 0;
}
+
+/**
+ * Check the profile->signature_status flag, if signature validation is activated, report it as an
+ * error, if not not return 0.
+ */
+int
+lasso_saml20_profile_check_signature_status(LassoProfile *profile) {
+ int rc = 0;
+
+ if (profile->signature_status) {
+ switch (lasso_profile_get_signature_verify_hint(profile)) {
+ case LASSO_PROFILE_SIGNATURE_VERIFY_HINT_MAYBE:
+ case LASSO_PROFILE_SIGNATURE_VERIFY_HINT_FORCE:
+ rc = profile->signature_status;
+ break;
+ case LASSO_PROFILE_SIGNATURE_VERIFY_HINT_IGNORE:
+ break;
+ }
+ }
+
+ return rc;
+}
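Review bot: The header comment of the new function is hard to read ("if not not return 0") and does not follow the gtk-doc layout used elsewhere in this file. It should name the function, document `@profile`, and give a "Return value:" line stating that the stored signature_status is returned under the MAYBE and FORCE hints and 0 under IGNORE or when the status is 0. The function also dereferences `profile` without any guard, while the public entry points in this commit use lasso_bad_param, so a NULL check or a stated precondition would be worth adding. It is not visible here whether a message with no signature at all leaves signature_status non-zero, which the FORCE hint depends on.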
diff --git a/lasso/saml-2.0/profileprivate.h b/lasso/saml-2.0/profileprivate.h
index 54e3a336..c5b9047c 100644
--- a/lasso/saml-2.0/profileprivate.h
+++ b/lasso/saml-2.0/profileprivate.h
@@ -78,6 +78,7 @@ gint lasso_profile_saml20_setup_message_signature(LassoProfile *profile,
gint lasso_saml20_profile_setup_encrypted_node(LassoProvider *provider,
LassoNode **node_to_encrypt, LassoNode **node_destination);
int lasso_saml20_profile_setup_subject(LassoProfile *profile, LassoSaml2Subject *subject);
+int lasso_saml20_profile_check_signature_status(LassoProfile *profile);
#ifdef __cplusplus
}