authorNicolas Clapies <nclapies@entrouvert.com>2004-08-18 14:05:37 +0000
committerNicolas Clapies <nclapies@entrouvert.com>2004-08-18 14:05:37 +0000
commit214f02b82cdb71969a25b89dc61db7fa435664b1 (patch)
treeabbe199d0b742b99de54b5e6060085717a038e51 /lasso/id-ff
parentd9978fdc4cbdb7f88b48ba5c8e949bd2822e133f (diff)
update of logout and federation profiles
Diffstat (limited to 'lasso/id-ff')
-rw-r--r--lasso/id-ff/federation_termination.c129
-rw-r--r--lasso/id-ff/logout.c29
-rw-r--r--lasso/id-ff/logout.h2
3 files changed, 117 insertions, 43 deletions
diff --git a/lasso/id-ff/federation_termination.c b/lasso/id-ff/federation_termination.c
index 82f425ee..0a5767a0 100644
--- a/lasso/id-ff/federation_termination.c
+++ b/lasso/id-ff/federation_termination.c
@@ -37,12 +37,12 @@
*
* It gets the federation termination notification protocol profile and :
* if it is a SOAP method, then it builds the federation termination notification SOAP message,
- * set the msg_body attribute, get the federation termination service url
- * and set the msg_url attribute of the federation termination object.
+ * optionaly signs the notification node, set the msg_body attribute, get the federation termination
+ * service url and set the msg_url attribute of the federation termination object.
*
- * if it is a HTTP-Redirect method, then it builds the federation termination notification QUERY message,
- * builds the federation termination notification url with federation termination service url,
- * set the msg_url attribute of the federation termination object,
+ * if it is a HTTP-Redirect method, then it builds the federation termination notification QUERY message
+ * ( optionaly signs the notification message ), builds the federation termination notification url
+ * with federation termination service url, set the msg_url attribute of the federation termination object,
* set the msg_body to NULL
*
* Return value: O of OK else < 0
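Review bot: The rewritten doc comment spells "optionally" as "optionaly" on both new lines (the same misspelling recurs in the inline comments added further down in this function at "optionaly sign the notification node" and "build and optionaly sign the query message"). The surrounding "Return value: O of OK else < 0" line is unchanged context but also reads as a typo: a letter O for the digit 0 and "of" for "if"; I would write it as `* Return value: 0 if OK else < 0`.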
@@ -53,7 +53,6 @@ lasso_federation_termination_build_notification_msg(LassoFederationTermination *
LassoProfile *profile;
LassoProvider *provider;
xmlChar *protocolProfile;
- lassoProviderType provider_type; /* use to get metadata */
gint ret = 0;
g_return_val_if_fail(LASSO_IS_FEDERATION_TERMINATION(defederation), -1);
@@ -63,23 +62,24 @@ lasso_federation_termination_build_notification_msg(LassoFederationTermination *
provider = lasso_server_get_provider_ref(profile->server,
profile->remote_providerID,
NULL);
- if (provider == NULL) {
- debug("Provider %s not found\n", profile->remote_providerID);
- ret = -1;
- goto done;
- }
+ /* get the protocol profile of the remote provider ( if the notifier is a IDP, then get with IDP type else if IDP, SP ) */
if (profile->provider_type == lassoProviderTypeSp) {
- provider_type = lassoProviderTypeIdp;
+ protocolProfile = lasso_provider_get_federationTerminationNotificationProtocolProfile(provider,
+ lassoProviderTypeIdp,
+ NULL);
+ }
+ else if (profile->provider_type == lassoProviderTypeIdp) {
+ protocolProfile = lasso_provider_get_federationTerminationNotificationProtocolProfile(provider,
+ lassoProviderTypeSp,
+ NULL);
}
else {
- provider_type = lassoProviderTypeSp;
+ message(G_LOG_LEVEL_CRITICAL, "Invalid provider type\n");
+ ret = -1;
+ goto done;
}
- /* get the prototocol profile of the federation termination notification */
- protocolProfile = lasso_provider_get_federationTerminationNotificationProtocolProfile(provider,
- provider_type,
- NULL);
if (protocolProfile == NULL) {
message(G_LOG_LEVEL_CRITICAL, "Federation termination notification protocol profile not found\n");
ret = -1;
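Review bot: The NULL check on `provider` after lasso_server_get_provider_ref() is dropped, yet both new branches pass `provider` straight into lasso_provider_get_federationTerminationNotificationProtocolProfile(). The lookup is keyed by profile->remote_providerID, a value that originates from the peer, so an unknown or mistyped provider id presumably turns into a NULL dereference inside that call instead of a clean error; the page does not show that getter, so confirm it tolerates NULL, otherwise restore the guard before the provider_type dispatch: `if (provider == NULL) { message(G_LOG_LEVEL_CRITICAL, "Provider not found\n"); ret = -1; goto done; }`. The enclosing function continues past the end of this hunk.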
@@ -88,6 +88,16 @@ lasso_federation_termination_build_notification_msg(LassoFederationTermination *
if (xmlStrEqual(protocolProfile, lassoLibProtocolProfileSloSpSoap) || \
xmlStrEqual(protocolProfile, lassoLibProtocolProfileSloIdpSoap)) {
+ /* optionaly sign the notification node */
+ if (profile->server->private_key != NULL) {
+ lasso_samlp_request_abstract_set_signature(LASSO_SAMLP_REQUEST_ABSTRACT(profile->request),
+ profile->server->signature_method,
+ profile->server->private_key,
+ profile->server->certificate,
+ NULL);
+ }
+
+ /* build the message */
profile->msg_url = lasso_provider_get_federationTerminationServiceURL(provider,
lassoProviderTypeIdp,
NULL);
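Review bot: When profile->server->private_key is NULL the SOAP notification is now built unsigned without any trace in the log, so a deployment that forgot to configure a key will quietly emit unsigned federation terminations and only discover it when the peer rejects them. An `else` branch logging at warning level, e.g. `message(G_LOG_LEVEL_WARNING, "No private key, notification not signed\n");`, keeps the optional signing observable. The same silent skip is introduced in logout.c in lasso_logout_build_request_msg (the `if (profile->server->private_key)` block). The service URL lookup just below hard-codes lassoProviderTypeIdp while the protocol-profile lookup earlier in this function is selected from profile->provider_type; that asymmetry is pre-existing context here but is repeated in new code in the HTTP-Redirect branch.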
@@ -100,10 +110,21 @@ lasso_federation_termination_build_notification_msg(LassoFederationTermination *
}
else if (xmlStrEqual(protocolProfile,lassoLibProtocolProfileSloSpHttp) || \
xmlStrEqual(protocolProfile,lassoLibProtocolProfileSloIdpHttp)) {
- profile->msg_url = lasso_node_export_to_query(profile->request,
- profile->server->signature_method,
- profile->server->private_key);
+ /* temporary vars to store url, query and separator */
+ gchar *url, *query;
+ const gchar *separator = "?";
+
+ /* build and optionaly sign the query message and build the federation termination notification url */
+ url = lasso_provider_get_federationTerminationServiceURL(provider,
+ lassoProviderTypeIdp,
+ NULL);
+ query = lasso_node_export_to_query(profile->request,
+ profile->server->signature_method,
+ profile->server->private_key);
+ profile->msg_url = g_strjoin(separator, url, query);
profile->msg_body = NULL;
+ xmlFree(url);
+ xmlFree(query);
}
else {
message(G_LOG_LEVEL_CRITICAL, "Invalid protocol profile\n");
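Review bot: `g_strjoin(separator, url, query)` is missing the terminating NULL that g_strjoin requires to know where the variadic list ends, so it reads past `query` into whatever is on the stack; the line should be `profile->msg_url = g_strjoin(separator, url, query, NULL);`. The identical call is added in logout.c in the HTTP-Redirect branch of lasso_logout_build_request_msg. Neither `url` nor `query` is checked before the join: a provider without a federation termination service URL in its metadata yields a NULL `url`, which g_strjoin treats as the end of the list, producing an empty msg_url and a successful return code, so add `if (url == NULL || query == NULL) { ret = -1; }` before the join (and still free what was returned). The `url` lookup also hard-codes lassoProviderTypeIdp whereas the protocol profile at the top of the function is chosen from profile->provider_type, and the logout.c counterpart uses profile->provider_type, so an IDP-initiated notification looks up the wrong role; finally, the page does not show which allocator the two getters use, so confirm xmlFree() is the matching release for both.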
@@ -263,6 +284,7 @@ lasso_federation_termination_process_notification_msg(LassoFederationTermination
lassoHttpMethod notification_method)
{
LassoProfile *profile;
+ gint ret = 0;
g_return_val_if_fail(LASSO_IS_FEDERATION_TERMINATION(defederation), -1);
g_return_val_if_fail(notification_msg!=NULL, -1);
@@ -280,11 +302,13 @@ lasso_federation_termination_process_notification_msg(LassoFederationTermination
break;
default:
message(G_LOG_LEVEL_CRITICAL, "Invalid notification method\n");
- return(-3);
+ ret = -1;
+ goto done;
}
if (profile->request==NULL) {
message(G_LOG_LEVEL_CRITICAL, "Error while building the notification from msg\n");
- return(-4);
+ ret = -1;
+ goto done;
}
/* get the NameIdentifier */
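Review bot: The distinct return codes -3 (invalid method) and -4 (request could not be parsed) are collapsed to -1 here and in the NameIdentifier check of the next hunk, so a caller can no longer tell a malformed notification from a configuration error without parsing the log. If that distinction is meant to be dropped, the doc comment of lasso_federation_termination_process_notification_msg should say the function returns only 0 or -1; otherwise keep the specific codes as the value assigned to `ret`. The start of this function lies in the previous hunk.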
@@ -292,14 +316,17 @@ lasso_federation_termination_process_notification_msg(LassoFederationTermination
"NameIdentifier", NULL, NULL);
if (profile->nameIdentifier==NULL) {
message(G_LOG_LEVEL_CRITICAL, "NameIdentifier not found\n");
- return(-1);
+ ret = -1;
+ goto done;
}
-
+
/* get the RelayState */
profile->msg_relayState = lasso_node_get_child_content(profile->request,
"RelayState", NULL, NULL);
- return(0);
+ done:
+
+ return(ret);
}
/**
@@ -307,8 +334,8 @@ lasso_federation_termination_process_notification_msg(LassoFederationTermination
* @defederation: the federation termination object
*
* Validate the federation termination notification :
- * initialises the federation termination notification
* verifies the ProviderID
+ * if HTTP-Redirect method, set msg_url with the federation termination service return url
* verifies the federation
* verifies the authentication
*
@@ -318,9 +345,12 @@ gint
lasso_federation_termination_validate_notification(LassoFederationTermination *defederation)
{
LassoProfile *profile;
+ LassoProvider *provider;
LassoFederation *federation;
LassoNode *nameIdentifier;
gint ret = 0;
+ gint signature_check;
+ GError *err = NULL;
profile = LASSO_PROFILE(defederation);
@@ -331,16 +361,38 @@ lasso_federation_termination_validate_notification(LassoFederationTermination *d
}
/* set the remote provider id from the request */
- profile->remote_providerID = lasso_node_get_child_content(profile->request, "ProviderID",
- NULL, NULL);
+ profile->remote_providerID = lasso_node_get_child_content(profile->request,
+ "ProviderID",
+ NULL,
+ NULL);
if (profile->remote_providerID == NULL) {
message(G_LOG_LEVEL_CRITICAL, "Remote provider id not found\n");
ret = -1;
goto done;
}
- nameIdentifier = lasso_node_get_child(profile->request, "NameIdentifier",
- NULL, NULL);
+ /* if HTTP-Redirect protocol profile, set the federation termination service return url */
+ provider = lasso_server_get_provider(profile->server, profile->remote_providerID, NULL);
+ if (provider == NULL) {
+ message(G_LOG_LEVEL_CRITICAL, "Provider not found\n");
+ ret = -1;
+ goto done;
+ }
+ if (profile->http_request_method==lassoHttpMethodRedirect) {
+ profile->msg_url = lasso_provider_get_federationTerminationServiceReturnURL(provider,
+ profile->provider_type,
+ NULL);
+ if (profile->msg_url) {
+ message(G_LOG_LEVEL_CRITICAL, "Federation termination service return url not found\n");
+ ret = -1;
+ goto done;
+ }
+ }
+
+ nameIdentifier = lasso_node_get_child(profile->request,
+ "NameIdentifier",
+ NULL,
+ NULL);
if (nameIdentifier == NULL) {
message(G_LOG_LEVEL_CRITICAL, "Name identifier not found in request\n");
ret = -1;
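Review bot: The check after lasso_provider_get_federationTerminationServiceReturnURL() is inverted: `if (profile->msg_url)` fails the validation exactly when a return URL was found and lets a NULL msg_url through when it was not, which is the opposite of the "not found" message it logs. It should read `if (profile->msg_url == NULL) {`. Note also that `signature_check` and `err`, declared in the previous hunk, are not used in any visible part of lasso_federation_termination_validate_notification; the function continues outside this hunk, so they may be used later, otherwise they are dead declarations.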
@@ -356,13 +408,13 @@ lasso_federation_termination_validate_notification(LassoFederationTermination *d
federation = lasso_identity_get_federation(profile->identity, profile->remote_providerID);
if (federation == NULL) {
- message(G_LOG_LEVEL_WARNING, "No federation for %s\n", profile->remote_providerID);
+ message(G_LOG_LEVEL_CRITICAL, "No federation for %s\n", profile->remote_providerID);
ret = -1;
goto done;
}
if (lasso_federation_verify_nameIdentifier(federation, nameIdentifier) == FALSE) {
- message(G_LOG_LEVEL_WARNING, "No name identifier for %s\n", profile->remote_providerID);
+ message(G_LOG_LEVEL_CRITICAL, "No name identifier for %s\n", profile->remote_providerID);
ret = -1;
goto done;
}
@@ -423,6 +475,19 @@ GType lasso_federation_termination_get_type() {
* @server: the server object of the provider
* @provider_type: the provider type (service provider or identity provider)
*
+ * This function build a new federation termination object to build
+ * a notification message or to process a notification.
+ *
+ * If building a federation termination notification message then call :
+ * lasso_federation_termination_init_notification()
+ * lasso_federation_termination_build_notification_msg()
+ * and get msg_url or msg_body.
+ *
+ * If processing a federation termination notification message then call :
+ * lasso_federation_termination_process_notification_msg()
+ * lasso_federation_termination_validate_notification()
+ * and process the returned code.
+ *
* Return value: a new instance of federation termination object or NULL
**/
LassoFederationTermination*
diff --git a/lasso/id-ff/logout.c b/lasso/id-ff/logout.c
index f9c0972e..bea2a08f 100644
--- a/lasso/id-ff/logout.c
+++ b/lasso/id-ff/logout.c
@@ -117,11 +117,15 @@ lasso_logout_build_request_msg(LassoLogout *logout)
if (xmlStrEqual(protocolProfile, lassoLibProtocolProfileSloSpSoap) || \
xmlStrEqual(protocolProfile, lassoLibProtocolProfileSloIdpSoap)) {
/* sign the request message */
- lasso_samlp_request_abstract_set_signature(LASSO_SAMLP_REQUEST_ABSTRACT(profile->request),
- profile->server->signature_method,
- profile->server->private_key,
- profile->server->certificate,
- NULL);
+ if (profile->server->private_key) {
+ lasso_samlp_request_abstract_set_signature(LASSO_SAMLP_REQUEST_ABSTRACT(profile->request),
+ profile->server->signature_method,
+ profile->server->private_key,
+ profile->server->certificate,
+ NULL);
+ }
+
+ /* build the logout request message */
profile->msg_url = lasso_provider_get_soapEndpoint(provider,
lassoProviderTypeIdp,
NULL);
@@ -130,10 +134,17 @@ lasso_logout_build_request_msg(LassoLogout *logout)
else if (xmlStrEqual(protocolProfile,lassoLibProtocolProfileSloSpHttp) || \
xmlStrEqual(protocolProfile,lassoLibProtocolProfileSloIdpHttp)) {
/* TODO - implement HTTP-Redirect */
- gchar *query;
+ gchar *url, *query;
+ const gchar *separator = "?";
+
+ url = lasso_provider_get_singleLogoutServiceURL(provider, profile->provider_type, NULL);
query = lasso_node_export_to_query(profile->request,
profile->server->signature_method,
profile->server->private_key);
+ profile->msg_url = g_strjoin(separator, url, query);
+ profile->msg_body = NULL;
+ xmlFree(url);
+ xmlFree(query);
}
done:
@@ -419,7 +430,7 @@ gint lasso_logout_process_request_msg(LassoLogout *logout,
profile->request = lasso_logout_request_new_from_export(request_msg,
lassoNodeExportTypeSoap);
- /* verify the signature */
+ /* signature verification */
remote_providerID = lasso_node_get_child_content(profile->request, "ProviderID", NULL, NULL);
if (remote_providerID == NULL) {
message(G_LOG_LEVEL_CRITICAL, "ProviderID not found\n");
@@ -463,7 +474,7 @@ gint lasso_logout_process_request_msg(LassoLogout *logout,
}
/* set the http request method */
- logout->http_request_method = request_method;
+ profile->http_request_method = request_method;
/* Set the NameIdentifier */
profile->nameIdentifier = lasso_node_get_child_content(profile->request,
@@ -593,7 +604,7 @@ lasso_logout_validate_request(LassoLogout *logout)
/* if SOAP request method at IDP then verify all the remote service providers support SOAP protocol profile.
If one remote authenticated principal service provider doesn't support SOAP
then return UnsupportedProfile to original service provider */
- if (profile->provider_type==lassoProviderTypeIdp && logout->http_request_method==lassoHttpMethodSoap) {
+ if (profile->provider_type==lassoProviderTypeIdp && profile->http_request_method==lassoHttpMethodSoap) {
gboolean all_http_soap;
LassoProvider *provider;
gchar *providerID, *protocolProfile;
diff --git a/lasso/id-ff/logout.h b/lasso/id-ff/logout.h
index f1c59cd6..824d5dda 100644
--- a/lasso/id-ff/logout.h
+++ b/lasso/id-ff/logout.h
@@ -55,8 +55,6 @@ struct _LassoLogout {
LassoNode *initial_response;
gchar *initial_remote_providerID;
- lassoHttpMethod http_request_method;
-
LassoLogoutPrivate *private;
};