diff options
author | Valery Febvre <vfebvre at easter-eggs.com> | 2004-06-29 17:02:30 +0000 |
---|---|---|
committer | Valery Febvre <vfebvre at easter-eggs.com> | 2004-06-29 17:02:30 +0000 |
commit | 9532d9d383ff889e780f77545875085c7a482d1b (patch) | |
tree | 048d7cabb489715169168a0f08cb0361dce74d98 | |
parent | 5202492aebef2b51cc6c33d7f49d57d0875e1444 (diff) | |
download | lasso-9532d9d383ff889e780f77545875085c7a482d1b.tar.gz lasso-9532d9d383ff889e780f77545875085c7a482d1b.tar.xz lasso-9532d9d383ff889e780f77545875085c7a482d1b.zip |
*** empty log message ***
-rw-r--r-- | lasso/Attic/protocols/authn_response.c | 21 | ||||
-rw-r--r-- | lasso/id-ff/authentication.c | 387 | ||||
-rw-r--r-- | lasso/id-ff/authentication.h | 7 | ||||
-rw-r--r-- | lasso/id-ff/profile_context.h | 1 |
4 files changed, 225 insertions, 191 deletions
diff --git a/lasso/Attic/protocols/authn_response.c b/lasso/Attic/protocols/authn_response.c index d938df6a..20a31404 100644 --- a/lasso/Attic/protocols/authn_response.c +++ b/lasso/Attic/protocols/authn_response.c @@ -28,6 +28,27 @@ //static GObjectClass *parent_class = NULL; +xmlChar * +lasso_authn_response_get_status(LassoAuthnResponse *response) { + LassoNode *status_code; + xmlChar *res; + + status_code = lasso_node_get_child(response, "StatusCode", NULL); + if (status_code != NULL) + return lasso_node_get_attr_value(statusCode, "Value"); + else + return(NULL); +} + +/* + lasso_authn_response_get_nameIdentifier + lasso_authn_response_get_idpProvidedNameIdentifier + + assertion = lasso_node_get_child(response, "Assertion", NULL); + nameIdentifier = lasso_node_get_child(assertion, "NameIdentifier", NULL); + idpProvidedNameIdentifier = lasso_node_get_child(assertion, "IDPProvidedNameIdentifier", NULL); +*/ + static void lasso_authn_response_set_status(LassoAuthnResponse *response, const xmlChar *statusCodeValue) { diff --git a/lasso/id-ff/authentication.c b/lasso/id-ff/authentication.c index bc4aa46e..4d26df6d 100644 --- a/lasso/id-ff/authentication.c +++ b/lasso/id-ff/authentication.c @@ -37,145 +37,120 @@ /*****************************************************************************/ gchar * -lasso_authentication_build_request(LassoAuthentication *authn) +lasso_authentication_build_request_msg(LassoAuthentication *authn) { LassoProvider *provider; xmlChar *request_protocolProfile, *url, *query; - gchar *str; + gchar *request_msg; provider = lasso_server_get_provider(LASSO_PROFILE_CONTEXT(authn)->server, LASSO_PROFILE_CONTEXT(authn)->local_providerID); if (provider == NULL) { return (NULL); } - - /* build the request object */ - LASSO_PROFILE_CONTEXT(authn)->request = lasso_authn_request_new(LASSO_PROFILE_CONTEXT(authn)->local_providerID); - - /* optional values */ -/* if (protocolProfile != NULL) { */ -/* lasso_lib_authn_request_set_protocolProfile(LASSO_LIB_AUTHN_REQUEST(LASSO_PROFILE_CONTEXT(authn)->request), */ -/* protocolProfile); */ -/* } */ -/* if (nameIDPolicy != NULL) { */ -/* lasso_lib_authn_request_set_nameIDPolicy(LASSO_LIB_AUTHN_REQUEST(LASSO_PROFILE_CONTEXT(authn)->request), */ -/* nameIDPolicy); */ -/* } */ -/* lasso_lib_authn_request_set_isPassive(LASSO_LIB_AUTHN_REQUEST(LASSO_PROFILE_CONTEXT(authn)->request), isPassive); */ -/* lasso_lib_authn_request_set_forceAuthn(LASSO_LIB_AUTHN_REQUEST(LASSO_PROFILE_CONTEXT(authn)->request), forceAuthn); */ - /* export request depending on the request protocol profile */ + /* export request depending on the request ProtocolProfile */ request_protocolProfile = lasso_provider_get_singleSignOnProtocolProfile(provider); if (xmlStrEqual(request_protocolProfile, lassoLibProtocolProfileSSOGet)) { + /* GET -> query */ url = lasso_provider_get_singleSignOnServiceUrl(provider); query = lasso_node_export_to_query(LASSO_PROFILE_CONTEXT(authn)->request, 1, NULL); - str = (gchar *) g_new(gchar, strlen(url) + strlen(query) + 2); // +2 for the ? character and the end line character - g_sprintf(str, "%s?%s", url, query); - + /* alloc returned string +2 for the ? and \0 */ + request_msg = (gchar *) g_new(gchar, strlen(url) + strlen(query) + 2); + g_sprintf(request_msg, "%s?%s", url, query); + gfree(url); + gfree(query); LASSO_PROFILE_CONTEXT(authn)->request_protocol_method = lassoProfileContextMethodGet; } else if (xmlStrEqual(request_protocolProfile, lassoLibProtocolProfileSSOPost)) { + /* POST -> formular */ printf("TODO - export the AuthnRequest in a formular\n"); - } - - return (str); -} -xmlChar* -lasso_authentication_process_artifact(LassoAuthentication *authn, - gchar *artifact) -{ - LASSO_PROFILE_CONTEXT(authn)->request = lasso_request_new(artifact); - return (lasso_node_export_to_soap(LASSO_PROFILE_CONTEXT(authn)->request)); -} - -gboolean -lasso_authentication_process_response(LassoAuthentication *authn, - xmlChar *response) -{ - LassoNode *statusCode, *assertion; - LassoNode *nameIdentifier, *idpProvidedNameIdentifier; - char *artifact, *statusCodeValue; - - printf("DEBUG - POST response, process the authnResponse\n"); - LASSO_PROFILE_CONTEXT(authn)->response = LASSO_NODE(lasso_authn_response_new_from_export(response, 0)); - - /* process the status code value */ - statusCode = lasso_node_get_child(LASSO_PROFILE_CONTEXT(authn)->response, "StatusCode", NULL); - statusCodeValue = lasso_node_get_attr_value(statusCode, "Value"); - if(strcmp(statusCodeValue, lassoSamlStatusCodeSuccess)) - return(FALSE); - - /* process the assertion */ - assertion = lasso_node_get_child(LASSO_PROFILE_CONTEXT(authn)->response, "Assertion", NULL); - if(!assertion) - return(FALSE); - - /* set the name identifiers */ - nameIdentifier = lasso_node_get_child(assertion, "NameIdentifier", NULL); - printf("name identifier %s(%s)\n", lasso_node_get_content(nameIdentifier), lasso_node_export(nameIdentifier)); - - idpProvidedNameIdentifier = lasso_node_get_child(assertion, "IDPProvidedNameIdentifier", NULL); + LASSO_PROFILE_CONTEXT(authn)->request_protocol_method = lassoProfileContextMethodPost; + } - return(TRUE); + return (request_msg); } -gboolean +static void lasso_authentication_process_request(LassoAuthentication *authn, - gchar *request, - gint request_method, - gboolean is_authenticated) + gchar *request_msg) { - LassoProvider *provider; - xmlChar *protocolProfile; - gboolean must_authenticate = TRUE; - gboolean isPassive = TRUE; - gboolean forceAuthn = FALSE; - gboolean signature_status; + LassoProvider *sp; + gboolean must_verify_signature, signature_status; - switch (request_method) { + /* rebuild request */ + switch (authn->request_method) { case lassoProfileContextMethodGet: - LASSO_PROFILE_CONTEXT(authn)->request = LASSO_NODE(lasso_authn_request_new_from_query(request)); - LASSO_PROFILE_CONTEXT(authn)->remote_providerID = lasso_node_get_child_content(LASSO_PROFILE_CONTEXT(authn)->request, + LASSO_PROFILE_CONTEXT(authn)->request = LASSO_NODE(lasso_authn_request_new_from_query(request_msg)); + break; + case lassoProfileContextMethodPost: + /* request_msg is a LibAuthnRequest send by method POST */ + printf("TODO - lasso_authentication_process_authnRequest() - implement the parsing of the post request\n"); + break; + case lassoProfileContextMethodSoap: + /* TODO request_msg is a SamlpRequest -> get SamlpResponse in user part */ + //LASSO_PROFILE_CONTEXT(authn)->response = ; + return; + break; + } + + authn->protocolProfile = lasso_node_get_child_content(LASSO_PROFILE_CONTEXT(authn)->request, + "ProtocolProfile", NULL); + LASSO_PROFILE_CONTEXT(authn)->remote_providerID = lasso_node_get_child_content(LASSO_PROFILE_CONTEXT(authn)->request, "ProviderID", NULL); + sp = lasso_server_get_provider(LASSO_PROFILE_CONTEXT(authn)->server, + LASSO_PROFILE_CONTEXT(authn)->remote_providerID); + must_verify_signature = xmlStrEqual(lasso_node_get_child_content(sp->metadata, "AuthnRequestsSigned", NULL), "true"); - protocolProfile = lasso_node_get_child_content(LASSO_PROFILE_CONTEXT(authn)->request, "ProtocolProfile", NULL); - if (xmlStrEqual(protocolProfile, lassoLibProtocolProfilePost)) { - LASSO_PROFILE_CONTEXT(authn)->response = lasso_authn_response_new(LASSO_PROFILE_CONTEXT(authn)->local_providerID, - LASSO_PROFILE_CONTEXT(authn)->request); - } - else { - LASSO_PROFILE_CONTEXT(authn)->response = lasso_response_new(); - } + /* build response */ + if (xmlStrEqual(authn->protocolProfile, lassoLibProtocolProfilePost)) { + /* create LibAuthnResponse */ + LASSO_PROFILE_CONTEXT(authn)->response = lasso_authn_response_new(LASSO_PROFILE_CONTEXT(authn)->local_providerID, + LASSO_PROFILE_CONTEXT(authn)->request); + } + else if (xmlStrEqual(protocolProfile, lassoLibProtocolProfileArtifact)) { + /* create SamlpResponse */ + LASSO_PROFILE_CONTEXT(authn)->response = lasso_response_new(); + } - provider = lasso_server_get_provider(LASSO_PROFILE_CONTEXT(authn)->server, - LASSO_PROFILE_CONTEXT(authn)->remote_providerID); - if (xmlStrEqual(lasso_node_get_child_content(provider->metadata, "AuthnRequestsSigned", NULL), "true")) { + /* verify signature */ + if (must_verify_signature) { + switch (authn->request_method) { + case lassoProfileContextMethodGet: signature_status = lasso_query_verify_signature(request, provider->public_key, LASSO_PROFILE_CONTEXT(authn)->server->private_key); - /* Status & StatusCode */ - if (signature_status == 0 || signature_status == 2) { - switch (signature_status) { - case 0: // Invalid Signature - lasso_profile_context_set_response_status(LASSO_PROFILE_CONTEXT(authn), - lassoLibStatusCodeInvalidSignature); - break; - case 2: // Unsigned AuthnRequest - lasso_profile_context_set_response_status(LASSO_PROFILE_CONTEXT(authn), - lassoLibStatusCodeUnsignedAuthnRequest); - break; - } + break; + case lassoProfileContextMethodPost: + // TODO use lasso_node_verify_signature + break; + } + + /* Modify StatusCode if signature is not OK */ + if (signature_status == 0 || signature_status == 2) { + switch (signature_status) { + case 0: // Invalid Signature + lasso_profile_context_set_response_status(LASSO_PROFILE_CONTEXT(authn), + lassoLibStatusCodeInvalidSignature); + break; + case 2: // Unsigned AuthnRequest + lasso_profile_context_set_response_status(LASSO_PROFILE_CONTEXT(authn), + lassoLibStatusCodeUnsignedAuthnRequest); + break; } } - break; - case lassoProfileContextMethodPost: - printf("TODO - lasso_authentication_process_authnRequest() - implement the parsing of the post request\n"); - break; - default: - printf("ERROR - lasso_authentication_process_authnRequest() - Unknown protocol method\n"); } - +} + +gboolean +lasso_authentication_must_authenticate(LassoAuthentication *authn, + gboolean is_user_authenticated) +{ + gboolean must_authenticate = TRUE; + gboolean isPassive = TRUE; + gboolean forceAuthn = FALSE; + /* verify if the user must be authenticated or not */ if (xmlStrEqual(lasso_node_get_child_content(LASSO_PROFILE_CONTEXT(authn)->request, "IsPassive", NULL), "false")) { isPassive = FALSE; @@ -186,10 +161,10 @@ lasso_authentication_process_request(LassoAuthentication *authn, } /* complex test to authentication process */ - if ((forceAuthn == TRUE || is_authenticated == FALSE) && isPassive == FALSE) { + if ((forceAuthn == TRUE || is_user_authenticated == FALSE) && isPassive == FALSE) { must_authenticate = TRUE; } - else if (is_authenticated == FALSE && isPassive == TRUE) { + else if (is_user_authenticated == FALSE && isPassive == TRUE) { lasso_profile_context_set_response_status(LASSO_PROFILE_CONTEXT(authn), lassoLibStatusCodeNoPassive); must_authenticate = FALSE; @@ -199,9 +174,9 @@ lasso_authentication_process_request(LassoAuthentication *authn, } gchar * -lasso_authentication_process_authentication_result(LassoAuthentication *authn, - gint authentication_result, - const gchar *authentication_method) +lasso_authentication_build_response_msg(LassoAuthentication *authn, + gint authentication_result, + const gchar *authentication_method) { LassoUser *user; xmlChar *str, *nameIDPolicy, *protocolProfile; @@ -209,99 +184,111 @@ lasso_authentication_process_authentication_result(LassoAuthentication *authn, LassoIdentity *identity; - /* process the federation policy */ - /* TODO : implement a get identity */ - - printf("process authentication\n"); - /* verify if a user context exists */ - if (LASSO_PROFILE_CONTEXT(authn)->user == NULL) { - LASSO_PROFILE_CONTEXT(authn)->user = lasso_user_new(); - } - - identity = lasso_user_find_identity(LASSO_PROFILE_CONTEXT(authn)->user, - LASSO_PROFILE_CONTEXT(authn)->remote_providerID); - nameIDPolicy = lasso_node_get_child_content(LASSO_PROFILE_CONTEXT(authn)->request, - "NameIDPolicy", NULL); - printf("NameIDPolicy %s\n", nameIDPolicy); - if (xmlStrEqual(nameIDPolicy, lassoLibNameIDPolicyTypeNone)) { - if (identity == NULL) { + switch (authn->request_method) { + case lassoProfileContextMethodGet: + case lassoProfileContextMethodPost: + /* federation */ + /* verify if a user context exists else create it */ + if (LASSO_PROFILE_CONTEXT(authn)->user == NULL) { + LASSO_PROFILE_CONTEXT(authn)->user = lasso_user_new(); + } + identity = lasso_user_find_identity(LASSO_PROFILE_CONTEXT(authn)->user, + LASSO_PROFILE_CONTEXT(authn)->remote_providerID); + nameIDPolicy = lasso_node_get_child_content(LASSO_PROFILE_CONTEXT(authn)->request, + "NameIDPolicy", NULL); + printf("NameIDPolicy %s\n", nameIDPolicy); + if (xmlStrEqual(nameIDPolicy, lassoLibNameIDPolicyTypeNone)) { + if (identity == NULL) { lasso_profile_context_set_response_status(LASSO_PROFILE_CONTEXT(authn), lassoLibStatusCodeFederationDoesNotExist); + } } - } - else if (xmlStrEqual(nameIDPolicy, lassoLibNameIDPolicyTypeFederated)) { - printf("DEBUG - NameIDPolicy is federated\n"); - if (identity == NULL) { - identity = lasso_identity_new(LASSO_PROFILE_CONTEXT(authn)->remote_providerID); - idpProvidedNameIdentifier = LASSO_NODE(lasso_lib_idp_provided_name_identifier_new(lasso_build_unique_id(32))); - lasso_identity_set_local_name_identifier(identity, idpProvidedNameIdentifier); + else if (xmlStrEqual(nameIDPolicy, lassoLibNameIDPolicyTypeFederated)) { + printf("DEBUG - NameIDPolicy is federated\n"); + if (identity == NULL) { + identity = lasso_identity_new(LASSO_PROFILE_CONTEXT(authn)->remote_providerID); + idpProvidedNameIdentifier = LASSO_NODE(lasso_lib_idp_provided_name_identifier_new(lasso_build_unique_id(32))); + lasso_identity_set_local_name_identifier(identity, idpProvidedNameIdentifier); + } } - } - else if (xmlStrEqual(nameIDPolicy, lassoLibNameIDPolicyTypeOneTime)) { - - } - - /* fill the response with the assertion */ - if (identity) { - printf("DEBUG - an identity found, so build an assertion\n"); - //assertion = lasso_assertion_new(authn->local_providerID, lasso_node_get_attr_value(LASSO_NODE(authn->request), - // "RequestID")); - //authentication_statement = lasso_authentication_statement_new(authentication_method, - // "TODO", - // nameIdentifier, - // "TODO", - // "TODO", - // idpProvidedNameIdentifier, - // "TODO", - // "TODO"); - //lasso_saml_assertion_add_authenticationStatement(assertion, - // authentication_statement); - //lasso_samlp_response_add_assertion(authn->response, assertion); - } - - /* return a response message */ - protocolProfile = lasso_node_get_child_content(LASSO_PROFILE_CONTEXT(authn)->request, - "ProtocolProfile", NULL); - if (xmlStrEqual(protocolProfile, lassoLibProtocolProfilePost)) { - str = lasso_node_export_to_base64(LASSO_PROFILE_CONTEXT(authn)->response); - } - else { - printf("DEBUG - return a artifact message\n"); + else if (xmlStrEqual(nameIDPolicy, lassoLibNameIDPolicyTypeOneTime)) { + + } + + /* fill the response with the assertion */ + if (identity != NULL && authentication_result == 1) { + printf("DEBUG - an identity found, so build an assertion\n"); + assertion = lasso_assertion_new(LASSO_PROFILE_CONTEXT(authn)->local_providerID, + lasso_node_get_attr_value(LASSO_NODE(LASSO_PROFILE_CONTEXT(authn)->request), "RequestID")); + //authentication_statement = lasso_authentication_statement_new(authentication_method, + // "TODO", + // nameIdentifier, + // "TODO", + // "TODO", + // idpProvidedNameIdentifier, + // "TODO", + // "TODO"); + //lasso_saml_assertion_add_authenticationStatement(assertion, + // authentication_statement); + lasso_samlp_response_add_assertion(LASSO_NODE(LASSO_PROFILE_CONTEXT(authn)->response), + assertion); + } + + if (xmlStrEqual(authn->protocolProfile, lassoLibProtocolProfilePost)) { + /* return an authnResponse (base64 encoded) */ + //str = lasso_node_export_to_base64(LASSO_PROFILE_CONTEXT(authn)->response); + } + else if (xmlStrEqual(protocolProfile, lassoLibProtocolProfileArtifact)) { + /* return an artifact */ + switch (authn->response_method) { + case lassoProfileContextMethodRedirect: + /* return query */ + break; + case lassoProfileContextMethodPost: + /* return a formular */ + break; + } + } + break; + case lassoProfileContextMethodSoap: + /* return an SamlpResponse (in a dict indexed with artifact in user)*/ + break; } return(str); } -void -lasso_authentication_set_forceAuthn(LassoAuthentication *authn, - const xmlChar *forceAuthn) +xmlChar* +lasso_authentication_process_artifact(LassoAuthentication *authn, + gchar *artifact) { - lasso_lib_authn_request_set_forceAuthn(LASSO_LIB_AUTHN_REQUEST(LASSO_PROFILE_CONTEXT(authn)->request), - forceAuthn); + LASSO_PROFILE_CONTEXT(authn)->request = lasso_request_new(artifact); + return (lasso_node_export_to_soap(LASSO_PROFILE_CONTEXT(authn)->request)); } -void -lasso_authentication_set_isPassive(LassoAuthentication *authn, - gboolean *isPassive) +gboolean +lasso_authentication_process_response(LassoAuthentication *authn, + xmlChar *response_msg) { - lasso_lib_authn_request_set_isPassive(LASSO_LIB_AUTHN_REQUEST(LASSO_PROFILE_CONTEXT(authn)->request), - isPassive); -} + LassoNode *statusCode, *assertion; + LassoNode *nameIdentifier, *idpProvidedNameIdentifier; + char *artifact, *statusCodeValue; -void -lasso_authentication_set_nameIDPolicy(LassoAuthentication *authn, - const xmlChar *nameIDPolicy) -{ - lasso_lib_authn_request_set_nameIDPolicy(LASSO_LIB_AUTHN_REQUEST(LASSO_PROFILE_CONTEXT(authn)->request), - nameIDPolicy); -} + printf("DEBUG - POST response, process the authnResponse\n"); + LASSO_PROFILE_CONTEXT(authn)->response = LASSO_NODE(lasso_authn_response_new_from_export(response_msg, 0)); + + /* process the assertion */ + assertion = lasso_node_get_child(LASSO_PROFILE_CONTEXT(authn)->response, "Assertion", NULL); + if (!assertion) { + /* TODO ??? */ + return (FALSE); + } + else { + /* TODO verify signature , res in authn->signature_status ? */ -void -lasso_authentication_set_protocolProfile(LassoAuthentication *authn, - const xmlChar *protocolProfile) -{ - lasso_lib_authn_request_set_protocolProfile(LASSO_LIB_AUTHN_REQUEST(LASSO_PROFILE_CONTEXT(authn)->request), - protocolProfile); + } + + return(TRUE); } /*****************************************************************************/ @@ -347,9 +334,12 @@ LassoProfileContext* lasso_authentication_new(LassoServer *server, LassoUser *user, gchar *local_providerID, - gchar *remote_providerID) + gchar *remote_providerID, + gchar *request_msg, + gint request_method, + gchar *response_msg, + gint response_method) { - /* load the ProviderID name or a reference to the provider ? */ g_return_val_if_fail(local_providerID != NULL, NULL); g_return_val_if_fail(remote_providerID != NULL, NULL); @@ -362,5 +352,24 @@ lasso_authentication_new(LassoServer *server, "remote_providerID", remote_providerID, NULL)); + LASSO_AUTHENTICATION(authn)->request_method = request_method; + LASSO_AUTHENTICATION(authn)->response_method = response_method; + + if (request_msg == NULL && response_msg == NULL) { + /* build the request object */ + authn->request = lasso_authn_request_new(authn->local_providerID); + } + else if (request_msg != NULL) { + /* + rebuild request + create response (LibAuthnResponse or SamlpResponse) + verify request signature -> modify response status if need + */ + lasso_authentication_process_request(LASSO_AUTHENTICATION(authn), request_msg); + } + else if (response_msg != NULL) { + lasso_authentication_process_response(authn, response_msg); + } + return (authn); } diff --git a/lasso/id-ff/authentication.h b/lasso/id-ff/authentication.h index c7275b04..b8fbbd95 100644 --- a/lasso/id-ff/authentication.h +++ b/lasso/id-ff/authentication.h @@ -51,6 +51,9 @@ struct _LassoAuthentication { LassoProfileContext parent; /*< public >*/ /*< private >*/ + gchar *protocolProfile; + gint request_method; + gint response_method; }; struct _LassoAuthenticationClass { @@ -82,10 +85,10 @@ LASSO_EXPORT gchar* lasso_authentication_process_authentication_re const char *authentication_method); LASSO_EXPORT void lasso_authentication_set_forceAuthn (LassoAuthentication *authn, - const xmlChar *forceAuthn); + gboolean forceAuthn); LASSO_EXPORT void lasso_authentication_set_isPassive (LassoAuthentication *authn, - gboolean *isPassive); + gboolean isPassive); LASSO_EXPORT void lasso_authentication_set_nameIDPolicy (LassoAuthentication *authn, const xmlChar *nameIDPolicy); diff --git a/lasso/id-ff/profile_context.h b/lasso/id-ff/profile_context.h index 10acfb59..7d014c01 100644 --- a/lasso/id-ff/profile_context.h +++ b/lasso/id-ff/profile_context.h @@ -67,6 +67,7 @@ struct _LassoProfileContext { gchar *remote_providerID; gint request_protocol_method; + gint status; /*< private >*/ }; |