Diffstat (limited to 'lasso')
-rw-r--r--lasso/id-ff/defederation.c6
-rw-r--r--lasso/id-ff/login.c1
-rw-r--r--lasso/id-ff/logout.c11
-rw-r--r--lasso/id-ff/name_identifier_mapping.c1
-rw-r--r--lasso/id-ff/name_registration.c1
-rw-r--r--lasso/id-ff/profile.c33
-rw-r--r--lasso/id-ff/profile.h7
-rw-r--r--lasso/xml/errors.h2
8 files changed, 50 insertions, 12 deletions
diff --git a/lasso/id-ff/defederation.c b/lasso/id-ff/defederation.c
index 6d7150ec..4b61771e 100644
--- a/lasso/id-ff/defederation.c
+++ b/lasso/id-ff/defederation.c
@@ -365,13 +365,12 @@ lasso_defederation_init_notification(LassoDefederation *defederation,
* from the SOAP message and optionaly verify the signature.
*
* if it is a HTTP-Redirect notification method then it builds the federation termination notication
- * object from the QUERY message and optionaly verify the signature. If an error occurs,
- * then it returns the code error LASSO_PROFILE_ERROR_INVALID_QUERY.
+ * object from the QUERY message and optionaly verify the signature.
*
* Set the msg_nameIdentifier attribute with the NameIdentifier content of the notification object and
* optionaly set the msg_relayState attribute with the RelayState content of the notifcation object
*
- * Return value: 0 if OK else LASSO_PROFILE_ERROR_INVALID_QUERY or < 0
+ * Return value: 0 on success or a negative value otherwise.
**/
gint
lasso_defederation_process_notification_msg(LassoDefederation *defederation,
@@ -400,6 +399,7 @@ lasso_defederation_process_notification_msg(LassoDefederation *defederation,
debug("Build a federation termination notification from query msg\n");
profile->request = lasso_federation_termination_notification_new_from_export(notification_msg, lassoNodeExportTypeQuery);
if (LASSO_IS_FEDERATION_TERMINATION_NOTIFICATION(profile->request) == FALSE) {
+ message(G_LOG_LEVEL_CRITICAL, lasso_strerror(LASSO_PROFILE_ERROR_INVALID_QUERY));
ret = LASSO_PROFILE_ERROR_INVALID_QUERY;
goto done;
}
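Review bot: The added `message(G_LOG_LEVEL_CRITICAL, ...)` runs when a query string fails to parse, and that input is controlled by the remote peer, so anyone who can reach the endpoint can produce CRITICAL log entries at will. If `message` maps onto GLib logging (its definition is not in this diff), a process configured to treat criticals as fatal would abort on a malformed request, so `G_LOG_LEVEL_WARNING` fits rejected input better. The call also passes the result of `lasso_strerror()` in what appears to be the format position; `message(G_LOG_LEVEL_WARNING, "%s", lasso_strerror(LASSO_PROFILE_ERROR_INVALID_QUERY));` keeps a stray `%` in an error string from being interpreted. The same line is added in login.c, both logout.c hunks, name_identifier_mapping.c and name_registration.c. The enclosing function starts and ends outside this hunk.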
diff --git a/lasso/id-ff/login.c b/lasso/id-ff/login.c
index 891196e5..56b3d6e0 100644
--- a/lasso/id-ff/login.c
+++ b/lasso/id-ff/login.c
@@ -1268,6 +1268,7 @@ lasso_login_process_authn_request_msg(LassoLogin *login,
LASSO_PROFILE(login)->request = lasso_authn_request_new_from_export(authn_request_msg,
lassoNodeExportTypeQuery);
if (LASSO_PROFILE(login)->request == NULL) {
+ message(G_LOG_LEVEL_CRITICAL, lasso_strerror(LASSO_PROFILE_ERROR_INVALID_QUERY));
return LASSO_PROFILE_ERROR_INVALID_QUERY;
}
break;
diff --git a/lasso/id-ff/logout.c b/lasso/id-ff/logout.c
index edeb12ce..3ef23636 100644
--- a/lasso/id-ff/logout.c
+++ b/lasso/id-ff/logout.c
@@ -580,13 +580,12 @@ lasso_logout_init_request(LassoLogout *logout,
* from the SOAP message and optionaly verifies the signature of the logout request.
*
* if it is a HTTP-Redirect request method then it builds the logout request object
- * from the QUERY message and verify the signature. If there is an error while parsing the query,
- * then returns the code error LASSO_PROFILE_ERROR_INVALID_QUERY.
+ * from the QUERY message and verify the signature.
*
* Saves the HTTP request method.
* Saves the name identifier.
*
- * Return value: 0 if OK else LASSO_PROFILE_ERROR_INVALID_QUERY or < 0
+ * Return value: 0 on success or a negative value otherwise.
**/
gint lasso_logout_process_request_msg(LassoLogout *logout,
gchar *request_msg,
@@ -640,6 +639,7 @@ gint lasso_logout_process_request_msg(LassoLogout *logout,
lassoNodeExportTypeQuery);
/* if problem while rebuilding the response, then return invalid query code error */
if (LASSO_IS_LOGOUT_REQUEST(profile->request) == FALSE) {
+ message(G_LOG_LEVEL_CRITICAL, lasso_strerror(LASSO_PROFILE_ERROR_INVALID_QUERY));
ret = LASSO_PROFILE_ERROR_INVALID_QUERY;
goto done;
}
@@ -673,9 +673,7 @@ gint lasso_logout_process_request_msg(LassoLogout *logout,
* @response_msg: the response message
* @response_method: the response method
*
- * Parses the response message and builds the response object :
- * if there is an error while parsing the HTTP Redirect / GET message,
- * then returns a LASSO_PROFILE_ERROR_INVALID_QUERY code error.
+ * Parses the response message and builds the response object.
* Get the status code value :
* if it is not success, then if the local provider is a Service Provider and response method is SOAP,
* then builds a new logout request message for HTTP Redirect / GET method and returns the code error
@@ -722,6 +720,7 @@ lasso_logout_process_response_msg(LassoLogout *logout,
profile->response = lasso_logout_response_new_from_export(response_msg, lassoNodeExportTypeQuery);
/* if problem while rebuilding the response, then return invalid query code error */
if (LASSO_IS_LOGOUT_RESPONSE(profile->response) == FALSE) {
+ message(G_LOG_LEVEL_CRITICAL, lasso_strerror(LASSO_PROFILE_ERROR_INVALID_QUERY));
ret = LASSO_PROFILE_ERROR_INVALID_QUERY;
goto done;
}
diff --git a/lasso/id-ff/name_identifier_mapping.c b/lasso/id-ff/name_identifier_mapping.c
index 28bcc8f5..48baafc9 100644
--- a/lasso/id-ff/name_identifier_mapping.c
+++ b/lasso/id-ff/name_identifier_mapping.c
@@ -290,6 +290,7 @@ lasso_name_identifier_mapping_process_request_msg(LassoNameIdentifierMapping *ma
switch(request_method){
case lassoHttpMethodRedirect:
+ message(G_LOG_LEVEL_CRITICAL, lasso_strerror(LASSO_PROFILE_ERROR_INVALID_QUERY));
ret = LASSO_PROFILE_ERROR_INVALID_QUERY;
goto done;
break;
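Review bot: Under `case lassoHttpMethodRedirect:` the new line logs "invalid query" although no query is parsed in the visible lines; the branch appears to reject the method itself. The log would then point an operator at malformed input when the cause is an unsupported binding. A comment such as `/* HTTP-Redirect is not supported for this profile: reject before parsing */` would make the intent explicit. The `break;` after `goto done;` is unreachable and can be dropped. The switch continues outside the hunk.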
diff --git a/lasso/id-ff/name_registration.c b/lasso/id-ff/name_registration.c
index a7c5557c..d0bc93cd 100644
--- a/lasso/id-ff/name_registration.c
+++ b/lasso/id-ff/name_registration.c
@@ -514,6 +514,7 @@ gint lasso_name_registration_process_request_msg(LassoNameRegistration *name_reg
case lassoHttpMethodRedirect:
profile->request = lasso_register_name_identifier_request_new_from_export(request_msg, lassoNodeExportTypeQuery);
if (LASSO_IS_REGISTER_NAME_IDENTIFIER_REQUEST(profile->request) == FALSE) {
+ message(G_LOG_LEVEL_CRITICAL, lasso_strerror(LASSO_PROFILE_ERROR_INVALID_QUERY));
ret = LASSO_PROFILE_ERROR_INVALID_QUERY;
goto done;
}
diff --git a/lasso/id-ff/profile.c b/lasso/id-ff/profile.c
index d3cd97f6..16b0408b 100644
--- a/lasso/id-ff/profile.c
+++ b/lasso/id-ff/profile.c
@@ -47,7 +47,7 @@ static GObjectClass *parent_class = NULL;
/*****************************************************************************/
lassoRequestType
-lasso_profile_get_request_type_from_soap_msg(gchar *soap)
+lasso_profile_get_request_type_from_soap_msg(const gchar *soap)
{
LassoNode *soap_node, *body_node, *request_node;
GPtrArray *children;
@@ -98,6 +98,37 @@ lasso_profile_get_request_type_from_soap_msg(gchar *soap)
return type;
}
+/**
+ * lasso_profile_is_liberty_query
+ * @query: HTTP query string
+ *
+ * Tests the query string to know if the URL is called as the result of a
+ * Liberty redirect (action initiated elsewhere) or not.
+ *
+ * Returns: TRUE if lasso query, FALSE otherwise
+ **/
+gboolean
+lasso_profile_is_liberty_query(const gchar *query)
+{
+ /* logic is that a lasso query always has some parameters (RequestId,
+ * MajorVersion, MinorVersion, IssueInstant, ProviderID,
+ * NameIdentifier, NameQualifier, Format). If three of them are there;
+ * it's a lasso query, possibly broken, but a lasso query nevertheless.
+ */
+ gchar *parameters[] = {
+ "RequestId=", "MajorVersion=", "MinorVersion=", "IssueInstant=",
+ "ProviderID=", "NameIdentifier=", "NameQualifier=", "Format=",
+ NULL };
+ gint i, n = 0;
+
+ for (i=0; parameters[i] && n < 3; i++) {
+ if (strstr(query, parameters[i]))
+ n++;
+ }
+
+ return (n == 3);
+}
+
/*****************************************************************************/
/* public methods */
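Review bot: `lasso_profile_is_liberty_query()` passes `query` straight to `strstr()`, so a request with no query string (a NULL pointer) crashes in this new public function; a `query == NULL` guard returning FALSE is needed. The matching is also unanchored: `Format=` is found inside a longer name or inside a parameter value, so a URL that merely contains three of these substrings is classified as a Liberty query. Assuming `query` is the bare query string, matching only at its start or after `&` closes that gap. The doc comment should say that TRUE is a routing heuristic and not validation, since the message still has to be parsed and its signature verified. The table can be `static const gchar * const parameters[]`, and the hunk does not show a `<string.h>` include for `strstr`.

```c
gboolean
lasso_profile_is_liberty_query(const gchar *query)
{
	/* … unchanged: rationale comment and parameters[] table … */
	gint i, n = 0;

	if (query == NULL)
		return FALSE;

	for (i = 0; parameters[i] && n < 3; i++) {
		const gchar *hit = strstr(query, parameters[i]);

		/* accept the name only at the start of a parameter */
		while (hit != NULL && hit != query && hit[-1] != '&')
			hit = strstr(hit + 1, parameters[i]);
		if (hit != NULL)
			n++;
	}
	/* … unchanged: return (n == 3) … */
```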
diff --git a/lasso/id-ff/profile.h b/lasso/id-ff/profile.h
index bfb9dd3b..5c46d61f 100644
--- a/lasso/id-ff/profile.h
+++ b/lasso/id-ff/profile.h
@@ -114,8 +114,13 @@ struct _LassoProfileClass {
GObjectClass parent;
};
-LASSO_EXPORT lassoRequestType lasso_profile_get_request_type_from_soap_msg (gchar *soap);
+/* public functions */
+LASSO_EXPORT lassoRequestType lasso_profile_get_request_type_from_soap_msg (const gchar *soap);
+
+LASSO_EXPORT gboolean lasso_profile_is_liberty_query (const gchar *query);
+
+/* public methods */
LASSO_EXPORT GType lasso_profile_get_type (void);
diff --git a/lasso/xml/errors.h b/lasso/xml/errors.h
index 23455575..cab8ea8f 100644
--- a/lasso/xml/errors.h
+++ b/lasso/xml/errors.h
@@ -55,7 +55,7 @@
#define LASSO_LOGOUT_ERROR_UNSUPPORTED_PROFILE -301
/* profile */
-#define LASSO_PROFILE_ERROR_INVALID_QUERY 401
+#define LASSO_PROFILE_ERROR_INVALID_QUERY -401
#define LASSO_PROFILE_ERROR_INVALID_POST_MSG -402
#define LASSO_PROFILE_ERROR_INVALID_SOAP_MSG -403
#define LASSO_PROFILE_ERROR_MISSING_REQUEST -404
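Review bot: The sign convention this hunk depends on is not written down next to the definitions. With `LASSO_PROFILE_ERROR_INVALID_QUERY` now negative like its neighbours, a caller testing `ret < 0` no longer treats a rejected query as success, but nothing in the header warns against adding another positive code. If that is the project convention, a comment above the block such as `/* error codes are negative; callers test ret < 0 */` would record it. Code outside `lasso/` that compared against the literal `401` is not visible here (the diffstat is limited to that directory) and would need the same update.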