Added error checks and error messages

Added signature element in lib:AuthnRequest (POST method) and in samlp:Request
author: Valery Febvre <vfebvre at easter-eggs.com> 2004-08-13 00:33:51 +0000
committer: Valery Febvre <vfebvre at easter-eggs.com> 2004-08-13 00:33:51 +0000
commit: a8125cf026c17969b3cb67cdec3cea1494ea3e89 (patch)
tree: 14b1480e30df7ad6281df05fedeec2f5b5848f0b /lasso/id-ff
parent: b91e6fb81f4e08ceefd3d4222851027aeb20d614 (diff)
download: lasso-a8125cf026c17969b3cb67cdec3cea1494ea3e89.tar.gz
lasso-a8125cf026c17969b3cb67cdec3cea1494ea3e89.tar.xz
lasso-a8125cf026c17969b3cb67cdec3cea1494ea3e89.zip
1 files changed, 130 insertions, 28 deletions
diff --git a/lasso/id-ff/login.c b/lasso/id-ff/login.c
index 3464057d..5c2cc633 100644
--- a/lasso/id-ff/login.c
+++ b/lasso/id-ff/login.c
@@ -58,7 +58,7 @@ struct _LassoLoginPrivate
  * If both contents are NULL or NameIdentifier elements are missing then
  * returns NULL.
  * 
- * Return value: a string or NULL
+ * Return value: a newly allocated string or NULL
  **/
 static gchar*
 lasso_login_get_assertion_nameIdentifier(LassoNode  *assertion,
@@ -66,7 +66,18 @@ lasso_login_get_assertion_nameIdentifier(LassoNode  *assertion,
 {
   xmlChar *ni, *idp_ni;
 
-  g_return_val_if_fail (err == NULL || *err == NULL, NULL);
+  if (err != NULL && *err != NULL) {
+    g_set_error(err, g_quark_from_string("Lasso"),
+		LASSO_PARAM_ERROR_ERR_CHECK_FAILED,
+		lasso_strerror(LASSO_PARAM_ERROR_ERR_CHECK_FAILED));
+    g_return_val_if_fail (err == NULL || *err == NULL, NULL);
+  }
+  if (LASSO_IS_NODE(assertion) == FALSE) {
+    g_set_error(err, g_quark_from_string("Lasso"),
+		LASSO_PARAM_ERROR_BADTYPE_OR_NULL_OBJ,
+		lasso_strerror(LASSO_PARAM_ERROR_BADTYPE_OR_NULL_OBJ));
+    g_return_val_if_fail(LASSO_IS_NODE(assertion), NULL);
+  }
 
   ni = lasso_node_get_child_content(assertion, "NameIdentifier", NULL, NULL);
   idp_ni = lasso_node_get_child_content(assertion, "IDPProvidedNameIdentifier",
@@ -98,11 +109,12 @@ lasso_login_get_assertion_nameIdentifier(LassoNode  *assertion,
  * @reauthenticateOnOrAfter: the reauthenticate on or after time
  * 
  * Adds an assertion into the samlp:Response.
- * Assertion is also stored in login->session. If login->session
+ * Assertion is also stored in session property. If session property
  * is NULL, a new session is build before.
- * The NameIdentifier of the assertion is stored into login->nameIdentifier.
+ * The NameIdentifier of the assertion is stored into nameIdentifier
+ * proprerty.
  * 
- * Return value: 0 on success and a negative value otherwise.
+ * Return value: 0 on success or a negative value otherwise.
  **/
 static gint
 lasso_login_add_response_assertion(LassoLogin      *login,
@@ -115,6 +127,10 @@ lasso_login_add_response_assertion(LassoLogin      *login,
   GError *err = NULL;
   gint ret = 0;
 
+  g_return_val_if_fail(LASSO_IS_LOGIN(login), LASSO_PARAM_ERROR_BADTYPE_OR_NULL_OBJ);
+  g_return_val_if_fail (LASSO_IS_FEDERATION(federation),
+			LASSO_PARAM_ERROR_BADTYPE_OR_NULL_OBJ);
+
   /* get RequestID to build Assertion */
   requestID = lasso_node_get_attr_value(LASSO_NODE(LASSO_PROFILE(login)->request),
 					"RequestID", &err);
@@ -191,6 +207,8 @@ lasso_login_process_federation(LassoLogin *login)
   gint ret = 0;
   GError *err = NULL;
 
+  g_return_val_if_fail(LASSO_IS_LOGIN(login), LASSO_PARAM_ERROR_BADTYPE_OR_NULL_OBJ);
+
   /* verify if a identity exists else create it */
   if (LASSO_PROFILE(login)->identity == NULL) {
     LASSO_PROFILE(login)->identity = lasso_identity_new();
@@ -271,6 +289,8 @@ lasso_login_process_response_status_and_assertion(LassoLogin *login) {
   gint ret = 0;
   GError *err = NULL;
 
+  g_return_val_if_fail(LASSO_IS_LOGIN(login), LASSO_PARAM_ERROR_BADTYPE_OR_NULL_OBJ);
+
   assertion = lasso_node_get_child(LASSO_PROFILE(login)->response,
 				   "Assertion",
 				   lassoLibHRef,
@@ -368,6 +388,8 @@ lasso_login_accept_sso(LassoLogin *login)
   LassoFederation *federation = NULL;
   gint ret = 0;
 
+  g_return_val_if_fail(LASSO_IS_LOGIN(login), LASSO_PARAM_ERROR_BADTYPE_OR_NULL_OBJ);
+
   if(LASSO_PROFILE(login)->identity == NULL) {
     LASSO_PROFILE(login)->identity = lasso_identity_new();    
   }
@@ -448,7 +470,9 @@ lasso_login_build_artifact_msg(LassoLogin      *login,
   xmlChar *assertionHandle, *identityProviderSuccinctID;
   gint i;
 
-  g_return_val_if_fail(authenticationMethod != NULL && reauthenticateOnOrAfter != NULL, -1);
+  g_return_val_if_fail(LASSO_IS_LOGIN(login), LASSO_PARAM_ERROR_BADTYPE_OR_NULL_OBJ);
+  g_return_val_if_fail(authenticationMethod != NULL && reauthenticateOnOrAfter != NULL,
+		       LASSO_PARAM_ERROR_INVALID_VALUE);
 
   if (method != lassoHttpMethodRedirect && method != lassoHttpMethodPost) {
     message(G_LOG_LEVEL_CRITICAL, "Invalid HTTP method, it could be REDIRECT or POST\n.");
@@ -488,8 +512,6 @@ lasso_login_build_artifact_msg(LassoLogin      *login,
 						  NULL);
   /* liberty-idff-bindings-profiles-v1.2.pdf p.25 */
   url = lasso_provider_get_assertionConsumerServiceURL(remote_provider, lassoProviderTypeSp, NULL);
-  /* identityProviderSuccinctID = lasso_str_hash(LASSO_PROFILE(login)->server->providerID, */
-  /* 	      			      LASSO_PROFILE(login)->server->private_key); */
   identityProviderSuccinctID = lasso_sha1(LASSO_PROFILE(login)->server->providerID);
   assertionHandle = lasso_build_random_sequence(20);
 
@@ -546,7 +568,8 @@ lasso_login_build_authn_request_msg(LassoLogin  *login,
   gint ret = 0;
   GError *err = NULL;
 
-  g_return_val_if_fail(remote_providerID != NULL, -1);
+  g_return_val_if_fail(LASSO_IS_LOGIN(login), LASSO_PARAM_ERROR_BADTYPE_OR_NULL_OBJ);
+  g_return_val_if_fail(remote_providerID != NULL, LASSO_PARAM_ERROR_INVALID_VALUE);
   
   LASSO_PROFILE(login)->remote_providerID = g_strdup(remote_providerID);
   
@@ -576,13 +599,11 @@ lasso_login_build_authn_request_msg(LassoLogin  *login,
 
   /* export request depending on the request ProtocolProfile */
   request_protocolProfile = lasso_provider_get_singleSignOnProtocolProfile(remote_provider, &err);
+  /* SingleSignOnProtocolProfile metadata is required */
   if (request_protocolProfile == NULL) {
-    /* SingleSignOnProtocolProfile metadata is required */
-    if (request_protocolProfile == NULL) {
-      message(G_LOG_LEVEL_CRITICAL, err->message);
-      ret = err->code;
-      g_error_free(err);
-    }
+    message(G_LOG_LEVEL_CRITICAL, err->message);
+    ret = err->code;
+    g_error_free(err);
     goto done;
   }
 
@@ -595,7 +616,7 @@ lasso_login_build_authn_request_msg(LassoLogin  *login,
     g_error_free(err);
     goto done;
   }
-
+  
   if (xmlStrEqual(request_protocolProfile, lassoLibProtocolProfileSSOGet)) {
     /* GET -> query */
     if (must_sign) {
@@ -624,6 +645,20 @@ lasso_login_build_authn_request_msg(LassoLogin  *login,
   }
   else if (xmlStrEqual(request_protocolProfile, lassoLibProtocolProfileSSOPost)) {
     /* POST -> formular */
+    if (must_sign) {
+      lasso_samlp_request_abstract_set_signature(LASSO_SAMLP_REQUEST_ABSTRACT(LASSO_PROFILE(login)->request),
+						 LASSO_PROFILE(login)->server->signature_method,
+						 LASSO_PROFILE(login)->server->private_key,
+						 LASSO_PROFILE(login)->server->certificate,
+						 &err);
+    }
+    if (err != NULL) {
+      message(G_LOG_LEVEL_CRITICAL, err->message);
+      ret = err->code;
+      g_error_free(err);
+      goto done;
+    }
+    printf("%s\n", lasso_node_export(LASSO_PROFILE(login)->request));
     lareq = lasso_node_export_to_base64(LASSO_PROFILE(login)->request);
     if (lareq != NULL) {
       LASSO_PROFILE(login)->msg_url = g_strdup(url);
@@ -634,6 +669,9 @@ lasso_login_build_authn_request_msg(LassoLogin  *login,
       ret = -5;
     }
   }
+  else {
+    message(G_LOG_LEVEL_CRITICAL, "Invalid SingleSignOnProtocolProfile.\n");
+  }
 
  done:
   xmlFree(url);
@@ -651,6 +689,8 @@ lasso_login_build_authn_response_msg(LassoLogin  *login,
   LassoProvider *remote_provider;
   LassoFederation *federation;
 
+  g_return_val_if_fail(LASSO_IS_LOGIN(login), LASSO_PARAM_ERROR_BADTYPE_OR_NULL_OBJ);
+
   /* ProtocolProfile must be BrwsPost */
   if (login->protocolProfile != lassoLoginProtocolProfileBrwsPost) {
     message(G_LOG_LEVEL_CRITICAL, "Failed to build AuthnResponse message, an Artifact is required by ProtocolProfile.\n");
@@ -692,15 +732,41 @@ gint
 lasso_login_build_request_msg(LassoLogin *login)
 {
   LassoProvider *remote_provider;
+  gint ret = 0;
+  GError *err = NULL;
+
+  g_return_val_if_fail(LASSO_IS_LOGIN(login), LASSO_PARAM_ERROR_BADTYPE_OR_NULL_OBJ);
+
+  /* sign request */
+  lasso_samlp_request_abstract_set_signature(LASSO_SAMLP_REQUEST_ABSTRACT(LASSO_PROFILE(login)->request),
+					     LASSO_PROFILE(login)->server->signature_method,
+					     LASSO_PROFILE(login)->server->private_key,
+					     LASSO_PROFILE(login)->server->certificate,
+					     &err);
+  if (err != NULL) {
+    goto done;
+  }
+  LASSO_PROFILE(login)->msg_body = lasso_node_export_to_soap(LASSO_PROFILE(login)->request);
 
+  /* get msg_url (SOAP Endpoint) */
   remote_provider = lasso_server_get_provider_ref(LASSO_PROFILE(login)->server,
 						  LASSO_PROFILE(login)->remote_providerID,
-						  NULL);
-  LASSO_PROFILE(login)->msg_body = lasso_node_export_to_soap(LASSO_PROFILE(login)->request);
+						  &err);
+  if (err != NULL) {
+    goto done;
+  }
   LASSO_PROFILE(login)->msg_url = lasso_provider_get_soapEndpoint(remote_provider,
-								  lassoProviderTypeIdp, NULL);
-
+								  lassoProviderTypeIdp, &err);
+  if (err != NULL) {
+    goto done;
+  }
   return (0);
+
+ done:
+  message(G_LOG_LEVEL_CRITICAL, err->message);
+  ret = err->code;
+  g_error_free(err);
+  return (ret);
 }
 
 void
@@ -714,7 +780,9 @@ lasso_login_dump(LassoLogin *login)
 {
   LassoNode *node;
   gchar *parent_dump, *dump;
-  gchar *protocolProfile = g_new0(gchar, 6);
+  gchar protocolProfile[6];
+
+  g_return_val_if_fail(LASSO_IS_LOGIN(login), NULL);
 
   parent_dump = lasso_profile_dump(LASSO_PROFILE(login), "Login");
   node = lasso_node_new_from_dump(parent_dump);
@@ -722,7 +790,6 @@ lasso_login_dump(LassoLogin *login)
 
   g_sprintf(protocolProfile, "%d", login->protocolProfile);
   LASSO_NODE_GET_CLASS(node)->new_child(node, "ProtocolProfile", protocolProfile, FALSE);
-  g_free(protocolProfile);
 
   if (login->assertionArtifact != NULL) {
     LASSO_NODE_GET_CLASS(node)->new_child(node, "AssertionArtifact", login->assertionArtifact, FALSE);
@@ -740,6 +807,8 @@ lasso_login_dump(LassoLogin *login)
 gint
 lasso_login_init_authn_request(LassoLogin  *login)
 {
+  g_return_val_if_fail(LASSO_IS_LOGIN(login), LASSO_PARAM_ERROR_BADTYPE_OR_NULL_OBJ);
+
   LASSO_PROFILE(login)->request = lasso_authn_request_new(LASSO_PROFILE(login)->server->providerID);
   LASSO_PROFILE(login)->request_type = lassoMessageTypeAuthnRequest;
 
@@ -763,7 +832,8 @@ lasso_login_init_from_authn_request_msg(LassoLogin      *login,
   gint ret = 0;
   GError *err = NULL;
 
-  g_return_val_if_fail(authn_request_msg != NULL, -1);
+  g_return_val_if_fail(LASSO_IS_LOGIN(login), LASSO_PARAM_ERROR_BADTYPE_OR_NULL_OBJ);
+  g_return_val_if_fail(authn_request_msg != NULL, LASSO_PARAM_ERROR_INVALID_VALUE);
 
   if (authn_request_method != lassoHttpMethodRedirect && \
       authn_request_method != lassoHttpMethodPost && \
@@ -856,7 +926,6 @@ lasso_login_init_from_authn_request_msg(LassoLogin      *login,
     switch (authn_request_method) {
     case lassoHttpMethodGet:
     case lassoHttpMethodRedirect:
-      debug("Query signature has been verified\n");
       ret = lasso_query_verify_signature(authn_request_msg,
 					 remote_provider->public_key,
 					 LASSO_PROFILE(login)->server->private_key);
@@ -896,8 +965,8 @@ lasso_login_init_request(LassoLogin      *login,
   gint ret = 0;
   GError *err = NULL;
 
-  g_return_val_if_fail(LASSO_IS_LOGIN(login), -1);
-  g_return_val_if_fail(response_msg != NULL, -1);
+  g_return_val_if_fail(LASSO_IS_LOGIN(login), LASSO_PARAM_ERROR_BADTYPE_OR_NULL_OBJ);
+  g_return_val_if_fail(response_msg != NULL, LASSO_PARAM_ERROR_INVALID_VALUE);
 
   if (response_method != lassoHttpMethodRedirect && \
       response_method != lassoHttpMethodPost) {
@@ -956,6 +1025,8 @@ lasso_login_must_authenticate(LassoLogin *login)
   gboolean  forceAuthn = FALSE;
   gchar    *str;
 
+  g_return_val_if_fail(LASSO_IS_LOGIN(login), LASSO_PARAM_ERROR_BADTYPE_OR_NULL_OBJ);
+
   /* verify if the user must be authenticated or not */
   str = lasso_node_get_child_content(LASSO_PROFILE(login)->request, "IsPassive",
 				     NULL, NULL);
@@ -993,6 +1064,9 @@ lasso_login_process_authn_response_msg(LassoLogin *login,
   gint ret1 = 0, ret2 = 0;
   GError *err = NULL;
 
+  g_return_val_if_fail(LASSO_IS_LOGIN(login), LASSO_PARAM_ERROR_BADTYPE_OR_NULL_OBJ);
+  g_return_val_if_fail(authn_response_msg != NULL, LASSO_PARAM_ERROR_INVALID_VALUE);
+
   LASSO_PROFILE(login)->response = lasso_authn_response_new_from_export(authn_response_msg,
 									lassoNodeExportTypeBase64);
   LASSO_PROFILE(login)->response_type = lassoMessageTypeAuthnResponse;
@@ -1016,23 +1090,48 @@ gint
 lasso_login_process_request_msg(LassoLogin *login,
 				gchar      *request_msg)
 {
+  gint ret = 0;
+  GError *err = NULL;
+
+  g_return_val_if_fail(LASSO_IS_LOGIN(login), LASSO_PARAM_ERROR_BADTYPE_OR_NULL_OBJ);
+  g_return_val_if_fail(request_msg != NULL, LASSO_PARAM_ERROR_INVALID_VALUE);
+
+  /* rebuild samlp:Request with request_msg */
   LASSO_PROFILE(login)->request = lasso_request_new_from_export(request_msg,
 								lassoNodeExportTypeSoap);
+  if (LASSO_PROFILE(login)->request == NULL) {
+    message(G_LOG_LEVEL_CRITICAL, "Failed to rebuild samlp:Request with request message.\n");
+    return (LASSO_ERROR_UNDEFINED);
+  }
   LASSO_PROFILE(login)->request_type = lassoMessageTypeRequest;
 
+  /* get AssertionArtifact */
   login->assertionArtifact = lasso_node_get_child_content(LASSO_PROFILE(login)->request,
 							  "AssertionArtifact",
-							  lassoSamlProtocolHRef, NULL);
+							  lassoSamlProtocolHRef, &err);
+  if (err != NULL) {
+    message(G_LOG_LEVEL_CRITICAL, err->message);
+    ret = err->code;
+    g_error_free(err);
+  }
 
-  return (0);
+  return (ret);
 }
 
 gint
 lasso_login_process_response_msg(LassoLogin  *login,
 				 gchar       *response_msg)
 {
+  g_return_val_if_fail(LASSO_IS_LOGIN(login), LASSO_PARAM_ERROR_BADTYPE_OR_NULL_OBJ);
+  g_return_val_if_fail(response_msg != NULL, LASSO_PARAM_ERROR_INVALID_VALUE);
+
+  /* rebuild samlp:Response with response_msg */
   LASSO_PROFILE(login)->response = lasso_response_new_from_export(response_msg,
 								  lassoNodeExportTypeSoap);
+  if (LASSO_PROFILE(login)->response == NULL) {
+    message(G_LOG_LEVEL_CRITICAL, "Failed to rebuild samlp:Response with response message.\n");
+    return (LASSO_ERROR_UNDEFINED);
+  }
   LASSO_PROFILE(login)->response_type = lassoMessageTypeResponse;
 
   return (lasso_login_process_response_status_and_assertion(login));
@@ -1144,6 +1243,9 @@ lasso_login_new_from_dump(LassoServer *server,
   LassoNode *node_dump, *request_node, *response_node;
   gchar *protocolProfile, *export, *type;
 
+  g_return_val_if_fail(LASSO_IS_SERVER(server), NULL);
+  g_return_val_if_fail(dump != NULL, NULL);
+
   login = LASSO_LOGIN(g_object_new(LASSO_TYPE_LOGIN,
 				   "server", lasso_server_copy(server),
 				   NULL));
author	Valery Febvre <vfebvre at easter-eggs.com>	2004-08-13 00:33:51 +0000
committer	Valery Febvre <vfebvre at easter-eggs.com>	2004-08-13 00:33:51 +0000
commit	a8125cf026c17969b3cb67cdec3cea1494ea3e89 (patch)
tree	14b1480e30df7ad6281df05fedeec2f5b5848f0b /lasso/id-ff
parent	b91e6fb81f4e08ceefd3d4222851027aeb20d614 (diff)
download	lasso-a8125cf026c17969b3cb67cdec3cea1494ea3e89.tar.gz lasso-a8125cf026c17969b3cb67cdec3cea1494ea3e89.tar.xz lasso-a8125cf026c17969b3cb67cdec3cea1494ea3e89.zip