diff options
| -rw-r--r-- | lasso/id-ff/server.c | 6 | ||||
| -rw-r--r-- | lasso/id-ff/server.h | 2 | ||||
| -rw-r--r-- | lasso/saml-2.0/server.c | 10 | ||||
| -rw-r--r-- | lasso/saml-2.0/serverprivate.h | 3 | ||||
| -rw-r--r-- | tests/basic_tests.c | 4 |
5 files changed, 18 insertions, 7 deletions
diff --git a/lasso/id-ff/server.c b/lasso/id-ff/server.c index b3955b2c..55bf772b 100644 --- a/lasso/id-ff/server.c +++ b/lasso/id-ff/server.c @@ -756,6 +756,8 @@ lasso_server_get_encryption_private_key(LassoServer *server) * @federation_file: a C string formatted as SAML 2.0 metadata XML content, * @trusted_roots:(allow-none): a PEM encoded files containing the certificates to check signatures * on the metadata files (optional) + * @blacklisted_entity_ids:(allow-none)(element-type string): a list of EntityID which should not be + * loaded, can be NULL. * * Load all the SAML 2.0 entities from @federation_file which contain a declaration for @role. If * @trusted_roots is non-NULL, use it to check a signature on the metadata file. @@ -773,7 +775,7 @@ lasso_server_get_encryption_private_key(LassoServer *server) */ lasso_error_t lasso_server_load_federation(LassoServer *server, LassoProviderRole role, const gchar *federation_metadata, const gchar - *trusted_roots) + *trusted_roots, GList *blacklisted_entity_ids) { xmlDoc *doc = NULL; xmlNode *root = NULL; @@ -806,7 +808,7 @@ lasso_server_load_federation(LassoServer *server, LassoProviderRole role, const } /* TODO: branch to the SAML2 version of this function */ if (lasso_strisequal((char*)root->ns->href, LASSO_SAML2_METADATA_HREF)) { - lasso_check_good_rc(lasso_saml20_server_load_federation(server, role, root)); + lasso_check_good_rc(lasso_saml20_server_load_federation(server, role, root, blacklisted_entity_ids)); } else { /* TODO: iterate SPDescriptor and IDPDescriptor, choose which one to parse by looking at the role enum. * */ diff --git a/lasso/id-ff/server.h b/lasso/id-ff/server.h index c5d35af2..75abd438 100644 --- a/lasso/id-ff/server.h +++ b/lasso/id-ff/server.h @@ -104,7 +104,7 @@ LASSO_EXPORT lasso_error_t lasso_server_set_encryption_private_key_with_password const gchar *filename_or_buffer, const gchar *password); LASSO_EXPORT lasso_error_t lasso_server_load_federation(LassoServer *server, LassoProviderRole role, - const gchar *federation_file, const gchar *trusted_roots); + const gchar *federation_file, const gchar *trusted_roots, GList *blacklisted_entity_ids); #ifdef __cplusplus } diff --git a/lasso/saml-2.0/server.c b/lasso/saml-2.0/server.c index 84bc7ef4..9b750701 100644 --- a/lasso/saml-2.0/server.c +++ b/lasso/saml-2.0/server.c @@ -103,7 +103,7 @@ _lasso_test_idp_descriptor(xmlNode *node) { } lasso_error_t -lasso_saml20_server_load_federation(LassoServer *server, LassoProviderRole role, xmlNode *root_node) +lasso_saml20_server_load_federation(LassoServer *server, LassoProviderRole role, xmlNode *root_node, GList *blacklisted_entity_ids) { xmlNode *child; lasso_error_t rc = 0; @@ -111,6 +111,8 @@ lasso_saml20_server_load_federation(LassoServer *server, LassoProviderRole role, child = xmlSecGetNextElementNode(root_node->children); /* first parse the providers... */ while (child) { + LassoProvider *provider = NULL; + if (! xmlSecCheckNodeName(child, BAD_CAST LASSO_SAML2_METADATA_ELEMENT_ENTITY_DESCRIPTOR, BAD_CAST LASSO_SAML2_METADATA_HREF)) { @@ -122,12 +124,16 @@ lasso_saml20_server_load_federation(LassoServer *server, LassoProviderRole role, if (role == LASSO_PROVIDER_ROLE_SP && ! _lasso_test_sp_descriptor(child)) { goto next; } - LassoProvider *provider; provider = lasso_provider_new_from_xmlnode(role, child); if (provider) { char *name = g_strdup(provider->ProviderID); + if (g_list_find_custom(blacklisted_entity_ids, name, + (GCompareFunc) g_strcmp0)) { + lasso_release_gobject(provider); + goto next; + } g_hash_table_insert(server->providers, name, provider); } next: diff --git a/lasso/saml-2.0/serverprivate.h b/lasso/saml-2.0/serverprivate.h index 27d25716..bb2838be 100644 --- a/lasso/saml-2.0/serverprivate.h +++ b/lasso/saml-2.0/serverprivate.h @@ -33,7 +33,8 @@ extern "C" { #include "../id-ff/server.h" int lasso_saml20_server_load_affiliation(LassoServer *server, xmlNode *node); -lasso_error_t lasso_saml20_server_load_federation(LassoServer *server, LassoProviderRole role, xmlNode *root_node); +lasso_error_t lasso_saml20_server_load_federation(LassoServer *server, LassoProviderRole role, + xmlNode *root_node, GList *blacklisted_entity_ids); #ifdef __cplusplus } diff --git a/tests/basic_tests.c b/tests/basic_tests.c index c078c273..9eaabf9a 100644 --- a/tests/basic_tests.c +++ b/tests/basic_tests.c @@ -1946,6 +1946,7 @@ START_TEST(test13_test_lasso_server_load_federation) { LassoServer *server = NULL; char *metadata_content; + GList blacklisted_1 = { .data = "https://identities.univ-jfc.fr/idp/prod", .next = NULL }; check_not_null(server = lasso_server_new( TESTSDATADIR "/idp5-saml2/metadata.xml", @@ -1955,7 +1956,8 @@ START_TEST(test13_test_lasso_server_load_federation) check_true(g_file_get_contents(TESTSDATADIR "/renater-metadata.xml", &metadata_content, NULL, NULL)); check_good_rc(lasso_server_load_federation(server, LASSO_PROVIDER_ROLE_IDP, - metadata_content, TESTSDATADIR "/metadata-federation-renater.crt")); + metadata_content, TESTSDATADIR "/metadata-federation-renater.crt", &blacklisted_1)); + check_true(g_hash_table_size(server->providers) == 101); lasso_release_string(metadata_content); lasso_release_gobject(server); } |