update of logout with better support of propagation from idp

9 files changed, 182 insertions, 48 deletions

diff --git a/lasso/Attic/protocols/logout_response.c b/lasso/Attic/protocols/logout_response.c
index 3eaac369..6f2a2fc2 100644
--- a/lasso/Attic/protocols/logout_response.c
+++ b/lasso/Attic/protocols/logout_response.c
@@ -256,8 +256,16 @@ lasso_logout_response_new_from_soap(gchar *buffer)
   response = LASSO_NODE(g_object_new(LASSO_TYPE_LOGOUT_RESPONSE, NULL));
 
   envelope = lasso_node_new_from_dump(buffer);
-  lassoNode_response = lasso_node_get_child(envelope, "LogoutResponse", lassoLibHRef);
-     
+  if(envelope==NULL){
+    debug(ERROR, "Error while parsing the soap msg\n");
+    return(NULL);
+  }
+
+  lassoNode_response = lasso_node_get_child(envelope, "LogoutResponse", NULL);
+  if(lassoNode_response==NULL){
+    debug(ERROR, "LogoutResponse node not found\n");
+    return(NULL);
+  }
   class = LASSO_NODE_GET_CLASS(lassoNode_response);
   xmlNode_response = xmlCopyNode(class->get_xmlNode(LASSO_NODE(lassoNode_response)), 1);
   lasso_node_destroy(lassoNode_response);
diff --git a/lasso/id-ff/logout.c b/lasso/id-ff/logout.c
index 34231913..c187943f 100644
--- a/lasso/id-ff/logout.c
+++ b/lasso/id-ff/logout.c
@@ -34,8 +34,7 @@ static GObjectClass *parent_class = NULL;
 gchar *
 lasso_logout_dump(LassoLogout *logout)
 {
-  LassoProfileContext *profileContext;
-  gchar *dump;
+  gchar *dump = NULL;
 
   g_return_val_if_fail(LASSO_IS_LOGOUT(logout), NULL);
 
@@ -47,7 +46,7 @@ lasso_logout_build_request_msg(LassoLogout *logout)
 {
   LassoProfileContext *profileContext;
   LassoProvider *provider;
-  xmlChar *protocolProfile, *singleLogoutServiceURL;
+  xmlChar *protocolProfile;
 
   g_return_val_if_fail(LASSO_IS_LOGOUT(logout), -1);
   
@@ -99,7 +98,6 @@ lasso_logout_build_response_msg(LassoLogout *logout)
   LassoProfileContext *profileContext;
   LassoProvider *provider;
   xmlChar *protocolProfile;
-  int codeError = 0;
   
   if(!LASSO_IS_LOGOUT(logout)){
     debug(ERROR, "Not a Logout object\n");
@@ -143,6 +141,34 @@ lasso_logout_destroy(LassoLogout *logout)
   g_object_unref(G_OBJECT(logout));
 }
 
+gchar*
+lasso_logout_get_next_providerID(LassoLogout *logout)
+{
+  LassoProfileContext *profileContext;
+  gchar *current_provider_id;
+  int i;
+
+
+  g_return_val_if_fail(LASSO_IS_LOGOUT(logout), NULL);
+
+  profileContext = LASSO_PROFILE_CONTEXT(logout);
+
+  /* if a ProviderID from a SP request, pass it and return the next provider id found */
+  for(i = 0; i<profileContext->user->assertion_providerIDs->len; i++){
+    current_provider_id = g_strdup(g_ptr_array_index(profileContext->user->assertion_providerIDs, i));
+    if(logout->first_remote_providerID!=NULL){
+      if(xmlStrEqual(current_provider_id, logout->first_remote_providerID)){
+	/* debug(INFO, "It's the ProviderID of the SP requester (%s) : %s, pass it\n", logout->first_remote_providerID, current_provider_id); */
+	xmlFree(current_provider_id);
+	continue;
+      }
+    }
+    return(current_provider_id);
+  }
+
+  return(NULL);
+}
+
 gint
 lasso_logout_init_request(LassoLogout *logout,
 			  gchar       *remote_providerID)
@@ -150,7 +176,6 @@ lasso_logout_init_request(LassoLogout *logout,
   LassoProfileContext *profileContext;
   LassoNode           *nameIdentifier;
   LassoIdentity       *identity;
-  LassoLogoutRequest  *request;
 
   xmlChar *content, *nameQualifier, *format;
 
@@ -159,11 +184,11 @@ lasso_logout_init_request(LassoLogout *logout,
   profileContext = LASSO_PROFILE_CONTEXT(logout);
 
   if(remote_providerID==NULL){
-    debug(INFO, "No remote provider id, get the next assertion peer provider id\n");
+    /* debug(INFO, "No remote provider id, get the next assertion peer provider id\n"); */
     profileContext->remote_providerID = lasso_user_get_next_assertion_remote_providerID(profileContext->user);
   }
   else{
-    debug(INFO, "A remote provider id for logout request : %s\n", remote_providerID);
+    /* debug(INFO, "A remote provider id for logout request : %s\n", remote_providerID); */
     profileContext->remote_providerID = g_strdup(remote_providerID);
   }
 
@@ -286,7 +311,7 @@ lasso_logout_process_request_msg(LassoLogout      *logout,
     return(-7);
   }
 
-  /* verify authentication (if ok, delete assertion) */
+  /* verify authentication */
   if(profileContext->user==NULL){
     debug(WARNING, "User environ not found\n");
     statusCode_class->set_prop(statusCode, "Value", lassoSamlStatusCodeRequestDenied);
@@ -313,6 +338,27 @@ lasso_logout_process_request_msg(LassoLogout      *logout,
     return(-10);
   }
 
+  switch(profileContext->provider_type){
+  case lassoProviderTypeSp:
+    /* at sp, everything is ok, delete the assertion */
+    lasso_user_remove_assertion(profileContext->user, profileContext->remote_providerID);
+    break;
+  case lassoProviderTypeIdp:
+    /* at idp, backup original infos of the sp requester */
+    logout->first_request = profileContext->request;
+    profileContext->request = NULL;
+    
+    logout->first_response = profileContext->response;
+    profileContext->response = NULL;
+
+    logout->first_remote_providerID = profileContext->remote_providerID;
+    profileContext->remote_providerID = NULL;
+
+    break;
+  default:
+    debug(ERROR, "Uknown provider type\n");
+  }
+
   return(0);
 }
 
@@ -342,11 +388,45 @@ lasso_logout_process_response_msg(LassoLogout      *logout,
     debug(ERROR, "Unknown response method\n");
     return(-3);
   }
- 
+
+  if(profileContext->response==NULL){
+    debug(ERROR, "LogoutResponse is NULL\n");
+    return(-1);
+  }
   statusCode = lasso_node_get_child(profileContext->response, "StatusCode", NULL);
+
+  if(statusCode==NULL){
+    debug(ERROR, "StatusCode node not found\n");
+    return(-1);
+  }
+
   statusCodeValue = lasso_node_get_attr_value(statusCode, "Value", NULL);
+
   if(!xmlStrEqual(statusCodeValue, lassoSamlStatusCodeSuccess)){
-    return(-4);
+    return(-1);
+  }
+
+  profileContext->remote_providerID = lasso_node_get_child_content(profileContext->response, "ProviderID", NULL);
+  /* response is ok, so delete the assertion */
+  switch(profileContext->provider_type){
+  case lassoProviderTypeSp:
+    break;
+  case lassoProviderTypeIdp:
+    /* response os ok, delete the assertion */
+    lasso_user_remove_assertion(profileContext->user, profileContext->remote_providerID);
+    debug(INFO, "Remove assertion for %s\n", profileContext->remote_providerID);
+
+    /* if no more assertion for other providers, remove assertion of the original provider */
+    if(profileContext->user->assertion_providerIDs->len == 1){
+      debug(WARNING, "remove assertion of the original provider\n");
+      lasso_user_remove_assertion(profileContext->user, logout->first_remote_providerID);
+
+      printf("%s\n", lasso_user_dump(profileContext->user));
+    }
+
+    break;
+  default:
+    debug(ERROR, "Unkown provider type\n");
   }
 
   return(0);
diff --git a/lasso/id-ff/logout.h b/lasso/id-ff/logout.h
index b3cc028b..bf86fd26 100644
--- a/lasso/id-ff/logout.h
+++ b/lasso/id-ff/logout.h
@@ -47,6 +47,11 @@ typedef struct _LassoLogoutClass LassoLogoutClass;
 
 struct _LassoLogout {
   LassoProfileContext parent;
+  
+  LassoNode *first_request;
+  LassoNode *first_response;
+  gchar     *first_remote_providerID;
+  /*< public >*/
 
   /*< private >*/
 };
@@ -68,6 +73,8 @@ LASSO_EXPORT gint         lasso_logout_build_response_msg      (LassoLogout *log
 
 LASSO_EXPORT void         lasso_logout_destroy                 (LassoLogout *logout);
 
+LASSO_EXPORT gchar*       lasso_logout_get_next_providerID     (LassoLogout *logout);
+
 LASSO_EXPORT gint         lasso_logout_init_request            (LassoLogout *logout,
 								gchar       *remote_providerID);
 
diff --git a/python/environs/py_logout.c b/python/environs/py_logout.c
index 7e444a07..35fa483e 100644
--- a/python/environs/py_logout.c
+++ b/python/environs/py_logout.c
@@ -138,6 +138,25 @@ PyObject *logout_destroy(PyObject *self, PyObject *args){
   return(Py_None);
 }
 
+PyObject *logout_get_next_providerID(PyObject *self, PyObject *args) {
+  PyObject  *logout_obj;
+  gchar     *remote_providerID;
+
+  if (CheckArgs(args, "O:logout_get_next_providerID")) {
+    if(!PyArg_ParseTuple(args, (char *) "O:logout_get_next_providerID", &logout_obj))
+      return NULL;
+  }
+  else return NULL;
+
+  remote_providerID = lasso_logout_get_next_providerID(LassoLogout_get(logout_obj));
+  if(remote_providerID==NULL){
+    Py_INCREF(Py_None);
+    return (Py_None);
+  }
+
+  return (charPtr_wrap(remote_providerID));
+}
+
 PyObject *logout_init_request(PyObject *self, PyObject *args) {
   PyObject *logout_obj;
   gchar    *remote_providerID;
diff --git a/python/environs/py_logout.h b/python/environs/py_logout.h
index 479f0764..773ec548 100644
--- a/python/environs/py_logout.h
+++ b/python/environs/py_logout.h
@@ -44,6 +44,7 @@ PyObject *logout_getattr(PyObject *self, PyObject *args);
 PyObject *logout_build_request_msg(PyObject *self, PyObject *args);
 PyObject *logout_build_response_msg(PyObject *self, PyObject *args);
 PyObject *logout_destroy(PyObject *self, PyObject *args);
+PyObject *logout_get_next_providerID(PyObject *self, PyObject *args);
 PyObject *logout_init_request(PyObject *self, PyObject *args);
 PyObject *logout_new(PyObject *self, PyObject *args);
 PyObject *logout_process_request_msg(PyObject *self, PyObject *args);
diff --git a/python/examples/logout-from-idp.py b/python/examples/logout-from-idp.py
index 398b9695..f1e21b05 100644
--- a/python/examples/logout-from-idp.py
+++ b/python/examples/logout-from-idp.py
@@ -43,7 +43,9 @@ while(next_provider_id):
     print 'url : ', logout.msg_url
     print 'body : ', logout.msg_body
 
-    user.remove_assertion(next_provider_id)
+    # use the fake response :
+    lasso_logout_process_response_msg()
+
     next_provider_id = user.get_next_assertion_remote_providerID()
 
 print "End of logout ..."
diff --git a/python/examples/logout.py b/python/examples/logout.py
index efdbcb96..c4f13254 100644
--- a/python/examples/logout.py
+++ b/python/examples/logout.py
@@ -6,55 +6,68 @@ import lasso
 
 lasso.init()
 
-spserver = lasso.Server.new("../../examples/sp.xml",
+# SP1 server and user :
+sp1server = lasso.Server.new("../../examples/sp1.xml",
 			    "../../examples/rsapub.pem", "../../examples/rsakey.pem", "../../examples/rsacert.pem",
 			    lasso.signatureMethodRsaSha1)
+sp1server.add_provider("../../examples/idp.xml", None, None)
 
-spserver.add_provider("../../examples/idp.xml", None, None)
-spserver.add_provider("../../examples/idp2.xml", None, None)
+sp1user_dump = "<LassoUser><LassoAssertions><LassoAssertion RemoteProviderID=\"https://identity-provider:2003/liberty-alliance/metadata\"><Assertion AssertionID=\"C9DS8CD7CSD6CDSCKDKCS\"></Assertion></LassoAssertion></LassoAssertions><LassoIdentities><LassoIdentity RemoteProviderID=\"https://identity-provider:2003/liberty-alliance/metadata\"><LassoRemoteNameIdentifier><NameIdentifier NameQualifier=\"qualifier.com\" Format=\"federated\">11111111111111111111111111</NameIdentifier></LassoRemoteNameIdentifier></LassoIdentity></LassoIdentities></LassoUser>"
 
-spuser_dump = "<LassoUser><LassoAssertions><LassoAssertion RemoteProviderID=\"https://identity-provider:2003/liberty-alliance/metadata\"><Assertion AssertionID=\"CD8SCD7SC6SDCD5CDSDCD88SDCDSD\"></Assertion></LassoAssertion></LassoAssertions><LassoIdentities><LassoIdentity RemoteProviderID=\"https://identity-provider:2003/liberty-alliance/metadata\"><LassoLocalNameIdentifier><NameIdentifier NameQualifier=\"qualifier.com\" Format=\"federated\">11111111111111111111111111</NameIdentifier></LassoLocalNameIdentifier></LassoIdentity><LassoIdentity RemoteProviderID=\"https://identity-provider2:2003/liberty-alliance/metadata\"><LassoLocalNameIdentifier><NameIdentifier NameQualifier=\"qualifier.com\" Format=\"federated\">22222222222222222222222222</NameIdentifier></LassoLocalNameIdentifier></LassoIdentity></LassoIdentities></LassoUser>"
+# SP2 server and user :
+sp2server = lasso.Server.new("../../examples/sp2.xml",
+			    "../../examples/rsapub.pem", "../../examples/rsakey.pem", "../../examples/rsacert.pem",
+			    lasso.signatureMethodRsaSha1)
+sp2server.add_provider("../../examples/idp.xml", None, None)
 
-spuser = lasso.User.new_from_dump(spuser_dump)
+sp2user_dump = "<LassoUser><LassoAssertions><LassoAssertion RemoteProviderID=\"https://identity-provider:2003/liberty-alliance/metadata\"><Assertion AssertionID=\"4IK43JCJSDCSDKCSCSDL\"></Assertion></LassoAssertion></LassoAssertions><LassoIdentities><LassoIdentity RemoteProviderID=\"https://identity-provider:2003/liberty-alliance/metadata\"><LassoRemoteNameIdentifier><NameIdentifier NameQualifier=\"qualifier.com\" Format=\"federated\">222222222222222222222222</NameIdentifier></LassoRemoteNameIdentifier></LassoIdentity></LassoIdentities></LassoUser>"
 
-# LogoutRequest :
-splogout = lasso.Logout.new(spserver, spuser, lasso.providerTypeSp)
-splogout.init_request()
-splogout.build_request_msg()
+# IDP server and user :
+idpserver = lasso.Server.new("../../examples/idp.xml",
+			    "../../examples/rsapub.pem", "../../examples/rsakey.pem", "../../examples/rsacert.pem",
+			    lasso.signatureMethodRsaSha1)
+idpserver.add_provider("../../examples/sp1.xml", None, None)
+idpserver.add_provider("../../examples/sp2.xml", None, None)
+idpserver.add_provider("../../examples/sp3.xml", None, None)
 
-request_msg = splogout.msg_body
-msg_url  = splogout.msg_url
-msg_body = splogout.msg_body
+idpuser_dump = "<LassoUser><LassoAssertions><LassoAssertion RemoteProviderID=\"https://service-provider1:2003/liberty-alliance/metadata\"><Assertion AssertionID=\"C9DS8CD7CSD6CDSCKDKCS\"></Assertion></LassoAssertion><LassoAssertion RemoteProviderID=\"https://service-provider2:2003/liberty-alliance/metadata\"><Assertion AssertionID=\"4IK43JCJSDCSDKCSCSDL\"></Assertion></LassoAssertion></LassoAssertions><LassoIdentities><LassoIdentity RemoteProviderID=\"https://service-provider1:2003/liberty-alliance/metadata\"><LassoLocalNameIdentifier><NameIdentifier NameQualifier=\"qualifier.com\" Format=\"federated\">11111111111111111111111111</NameIdentifier></LassoLocalNameIdentifier></LassoIdentity><LassoIdentity RemoteProviderID=\"https://service-provider2:2003/liberty-alliance/metadata\"><LassoLocalNameIdentifier><NameIdentifier NameQualifier=\"qualifier.com\" Format=\"federated\">222222222222222222222222</NameIdentifier></LassoLocalNameIdentifier></LassoIdentity></LassoIdentities></LassoUser>"
 
-splogout.destroy()
 
-print 'request url : ', msg_url
-print 'request body : ', msg_body
 
-request_type = lasso.get_request_type_from_soap_msg(msg_body)
-if request_type == lasso.requestTypeLogout:
-    print "it's a LogoutRequest !"
+# SP1 build a request :
+sp1user = lasso.User.new_from_dump(sp1user_dump)
 
+sp1logout = lasso.Logout.new(sp1server, sp1user, lasso.providerTypeSp)
+sp1logout.init_request()
+sp1logout.build_request_msg()
 
-# LogoutResponse :
-idpserver = lasso.Server.new("../../examples/idp.xml",
-			    "../../examples/rsapub.pem", "../../examples/rsakey.pem", "../../examples/rsacert.pem",
-			    lasso.signatureMethodRsaSha1)
-idpserver.add_provider("../../examples/sp.xml", None, None)
+msg_url  = sp1logout.msg_url
+msg_body = sp1logout.msg_body
 
-idpuser_dump = "<LassoUser><LassoAssertions></LassoAssertions><LassoIdentities></LassoIdentities></LassoUser>"
-idpuser = lasso.User.new_from_dump(idpuser_dump)
+sp1logout.destroy()
 
+# IDP process request and return a response :
+idpuser = lasso.User.new_from_dump(idpuser_dump)
 idplogout = lasso.Logout.new(idpserver, idpuser, lasso.providerTypeIdp)
-idplogout.process_request_msg(request_msg, lasso.httpMethodSoap)
-idplogout.build_response_msg()
 
-msg_url  = idplogout.msg_url
-msg_body = idplogout.msg_body
-print 'body : ', idplogout.msg_body
 
-# process the response :
-splogout = lasso.Logout.new(spserver, spuser, lasso.providerTypeSp)
-splogout.process_response_msg(msg_body, lasso.httpMethodSoap)
+if lasso.get_request_type_from_soap_msg(msg_body)==lasso.requestTypeLogout:
+    print "it's a logout request !"
+
+#fake response, only for test !
+response_msg_body = "<Envelope><LogoutResponse><ProviderID>https://service-provider2:2003/liberty-alliance/metadata</ProviderID><Status><StatusCode Value=\"Samlp:Success\"></StatusCode></Status></LogoutResponse></Envelope>"
+
+idplogout.process_request_msg(msg_body, lasso.httpMethodSoap)
+next_provider_id = idplogout.get_next_providerID()
+while next_provider_id:
+    idplogout.init_request(next_provider_id)
+    idplogout.build_request_msg()
+
+    print "send soap msg to url", idplogout.msg_url
+    # remote SP send back a LogoutResponse, process it.
+    idplogout.process_response_msg(response_msg_body, lasso.httpMethodSoap)
+
+    next_provider_id = idplogout.get_next_providerID()
+
 
-lasso.shutdown()
+print "End of logout"
diff --git a/python/lasso.py b/python/lasso.py
index 000709c3..855ba163 100644
--- a/python/lasso.py
+++ b/python/lasso.py
@@ -1017,7 +1017,10 @@ class Logout:
 	return lassomod.logout_build_response_msg(self)
 
     def destroy(self):
-	pass
+	lassomod.logout_destroy(self);
+
+    def get_next_providerID(self):
+	return lassomod.logout_get_next_providerID(self);
 
     def init_request(self, remote_providerID = None):
 	return lassomod.logout_init_request(self, remote_providerID);
diff --git a/python/lassomod.c b/python/lassomod.c
index 47e66c69..171abf92 100644
--- a/python/lassomod.c
+++ b/python/lassomod.c
@@ -237,6 +237,7 @@ static PyMethodDef lasso_methods[] = {
   {"logout_build_request_msg",    logout_build_request_msg,    METH_VARARGS},
   {"logout_build_response_msg",   logout_build_response_msg,   METH_VARARGS},
   {"logout_destroy",              logout_destroy,              METH_VARARGS},
+  {"logout_get_next_providerID",  logout_get_next_providerID,  METH_VARARGS},
   {"logout_init_request",         logout_init_request,         METH_VARARGS},
   {"logout_process_request_msg",  logout_process_request_msg,  METH_VARARGS},
   {"logout_process_response_msg", logout_process_response_msg, METH_VARARGS},