Commit 2a3001a9 authored by Yadd's avatar Yadd

SAML Artifact in progress (#595)

parent 3cd46fee
......@@ -354,6 +354,7 @@ t/26-AuthRemote.t
t/27-AuthProxy.t
t/28-AuthChoice.t
t/29-AuthSSL.t
t/30-Auth-and-issuer-SAML-Artifact.t
t/30-Auth-and-issuer-SAML-POST.t
t/30-Auth-and-issuer-SAML-Redirect.t
t/40-Notifications-DBI.t
......
......@@ -41,7 +41,8 @@ sub init {
my $saml_acs_get_url = $self->getMetaDataURL(
"samlSPSSODescriptorAssertionConsumerServiceHTTPRedirect");
$self->sloAssConsumerRe(
qr/^($saml_acs_art_url|$saml_acs_post_url|$saml_acs_get_url)$/i);
qr/^($saml_acs_art_url|$saml_acs_post_url|$saml_acs_get_url)(?:\?.*)?$/i
);
my $saml_slo_soap_url =
$self->getMetaDataURL( "samlSPSSODescriptorSingleLogoutServiceSOAP", 1 );
my $saml_slo_soap_url_ret =
......@@ -57,12 +58,12 @@ sub init {
$self->getMetaDataURL( "samlSPSSODescriptorSingleLogoutServiceHTTPPost",
2 );
$self->sloRe(
qr/^($saml_slo_soap_url|$saml_slo_soap_url_ret|$saml_slo_get_url|$saml_slo_get_url_ret|$saml_slo_post_url|$saml_slo_post_url_ret)$/i
qr/^($saml_slo_soap_url|$saml_slo_soap_url_ret|$saml_slo_get_url|$saml_slo_get_url_ret|$saml_slo_post_url|$saml_slo_post_url_ret)(?:\?.*)?$/i
);
my $saml_ars_url = $self->getMetaDataURL(
"samlSPSSODescriptorArtifactResolutionServiceArtifact");
$self->artRe(qr/^($saml_ars_url)$/i);
$self->artRe(qr/^($saml_ars_url)(?:\?.*)?$/i);
# Load SAML service and SAML IdP list
return ( $self->SUPER::init and $self->loadIDPs );
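Review bot: The URLs returned by getMetaDataURL are interpolated into the qr// on the rewritten sloAssConsumerRe line (and on the sloRe and artRe lines further down) without escaping, so any regex metacharacter in such a URL — the `.` in a host name, or a `?` or `+` in a path — is read as pattern syntax rather than matched literally. Wrapping each interpolated variable in `\Q…\E`, e.g. `qr/^(\Q$saml_acs_art_url\E|\Q$saml_acs_post_url\E|\Q$saml_acs_get_url\E)(?:\?.*)?$/i`, keeps the new optional query-string suffix while matching the URL itself byte for byte. The same applies to the ssoUrlRe, artRe and sloRe lines in the issuer's init in the next file section. Note also that `$` still matches before a trailing newline in the compared URI; `\z` is the strict end-of-string anchor. init continues past the end of this hunk.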
......
......@@ -21,6 +21,7 @@ extends 'Lemonldap::NG::Portal::Main::Issuer',
has ssoUrlRe => ( is => 'rw' );
has sloRe => ( is => 'rw' );
has artRe => ( is => 'rw' );
# INITIALIZATION
......@@ -47,8 +48,11 @@ sub init {
my $saml_sso_art_url_ret = $self->getMetaDataURL(
"samlIDPSSODescriptorSingleSignOnServiceHTTPArtifact", 2 );
$self->ssoUrlRe(
qr/^($saml_sso_soap_url|$saml_sso_soap_url_ret|$saml_sso_get_url|$saml_sso_get_url_ret|$saml_sso_post_url|$saml_sso_post_url_ret|$saml_sso_art_url|$saml_sso_art_url_ret)$/i
qr/^($saml_sso_soap_url|$saml_sso_soap_url_ret|$saml_sso_get_url|$saml_sso_get_url_ret|$saml_sso_post_url|$saml_sso_post_url_ret|$saml_sso_art_url|$saml_sso_art_url_ret)(?:\?.*)?$/i
);
my $saml_art_url = $self->getMetaDataURL(
'samlIDPSSODescriptorArtifactResolutionServiceArtifact');
$self->artRe(qr/^$saml_art_url(?:\?.*)?$/i);
my $saml_slo_soap_url =
$self->getMetaDataURL( "samlIDPSSODescriptorSingleLogoutServiceSOAP", 1 );
......@@ -65,7 +69,7 @@ qr/^($saml_sso_soap_url|$saml_sso_soap_url_ret|$saml_sso_get_url|$saml_sso_get_u
$self->getMetaDataURL( "samlIDPSSODescriptorSingleLogoutServiceHTTPPost",
2 );
$self->sloRe(
qr/^($saml_slo_soap_url|$saml_slo_soap_url_ret|$saml_slo_get_url|$saml_slo_get_url_ret|$saml_slo_post_url|$saml_slo_post_url_ret)$/i
qr/^($saml_slo_soap_url|$saml_slo_soap_url_ret|$saml_slo_get_url|$saml_slo_get_url_ret|$saml_slo_post_url|$saml_slo_post_url_ret)(?:\?.*)?$/i
);
return (
......@@ -85,6 +89,18 @@ qr/^($saml_slo_soap_url|$saml_slo_soap_url_ret|$saml_slo_get_url|$saml_slo_get_u
# RUNNING METHODS
# Override _predirect to catch artifact requests
sub _pRedirect {
my ( $self, $req ) = @_;
if ( $req->uri =~ $self->artRe ) {
return $self->artifactServer($req);
}
else {
return $self->SUPER::_pRedirect($req);
}
}
sub run {
my ( $self, $req ) = @_;
my $server = $self->lassoServer;
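Review bot: The comment above the new `_pRedirect` override names the method as `_predirect` and only says it catches artifact requests; a reader has to work out from the body that URIs matching artRe are handed to artifactServer and everything else still goes through `SUPER::_pRedirect`. I would replace it with `# Override _pRedirect: URIs matching artRe are served by artifactServer; all other requests fall through to the parent's _pRedirect`. The dispatch is on the URI alone, so a GET to the artifact resolution URL also reaches artifactServer, which reads the SOAP request from `$req->body`; if only POST is meant to be accepted, a request-method check in this override is the place to add it. The `run` sub that follows extends past the hunk.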
......@@ -880,7 +896,7 @@ sub run {
$req->{urldc} = $sso_url;
$req->mustRedirect(1);
$req->steps([]);
$req->steps( [] );
return PE_OK;
}
......@@ -1146,6 +1162,50 @@ sub run {
return PE_OK;
}
sub artifactServer {
my ( $self, $req ) = @_;
$self->lmLog(
"URL $req->uri detected as an artifact resolution service URL",
'debug' );
# Artifact request are sent with SOAP trough POST
my $art_request = $req->body;
my $art_response;
# Create Login object
my $login = $self->createLogin( $self->lassoServer );
# Process request message
unless ( $self->processArtRequestMsg( $login, $art_request ) ) {
return $self->p->sendError( $req,
'Unable to process artifact request message', 400 );
}
# Check Destination
unless ( $self->checkDestination( $login->request, $req->uri ) ) {
return $self->p->sendError( $req, 'Bad request', 400 );
}
# Create artifact response
unless ( $art_response = $self->createArtifactResponse($login) ) {
return $self->p->sendError( $req,
"Unable to create artifact response message", 400 );
}
$self->{SOAPMessage} = $art_response;
# Return SOAP message
$self->lmLog( "Send SOAP Message: $art_response", 'debug' );
return [
200,
[
'Content-Type' => 'application/xml',
'Content-Length' => length($art_response)
],
[$art_response]
];
}
sub logout {
}
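Review bot: The debug message on the first lmLog line of artifactServer, `"URL $req->uri detected ..."`, does not call the method: Perl interpolates only `$req`, so the log shows the stringified request object followed by the literal text `->uri`. Concatenate instead: `"URL " . $req->uri . " detected as an artifact resolution service URL"`. Further down, `$self->{SOAPMessage} = $art_response;` is written but never read in this sub, and if `$self` is a long-lived plugin object rather than a per-request one, it keeps the last artifact response (which carries the assertion) alive between requests — I would drop the assignment unless a caller needs it. `Content-Length` is computed with `length`, which counts characters; if `$art_response` can contain wide characters, the PSGI body needs the byte length after encoding.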
......
......@@ -1635,7 +1635,7 @@ sub resolveArtifact {
}
my $request = HTTP::Request->new( 'POST' => $profile->msg_url );
$request->content_type('text/xml');
$request->content_type('application/xml');
$request->content( $profile->msg_body );
$self->lmLog(
......@@ -1768,7 +1768,7 @@ sub createArtifactResponse {
$self->lmLog( "Find session_id $session_id in artifact session",
'debug' );
my $session = $self->getApacheSession( $session_id, 1 );
my $session = $self->p->getApacheSession( $session_id, 1 );
unless ($session) {
$self->lmLog( "Unable to open session $session_id", 'error' );
return;
......@@ -2335,7 +2335,7 @@ sub sendLogoutResponseToServiceProvider {
$self->lmLog( "SOAP response $slo_body", 'debug' );
$self->_subProcess(qw(returnSOAPMessage));
$self->returnSOAPMessage;
# If we are here, there was a problem with SOAP response
$self->lmLog( "Logout response was not sent trough SOAP", 'error' );
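Review bot: The return value of `$self->returnSOAPMessage;` is discarded, so unless returnSOAPMessage itself terminates the request (as the old `_subProcess` path presumably did), execution continues to the error log on the next line and reports a failure even when the response was sent. If it returns the PSGI response or a status, pass it back, `return $self->returnSOAPMessage;`, and keep the error path for the case where it returns false. sendLogoutResponseToServiceProvider starts and ends outside this hunk.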
......
......@@ -648,11 +648,11 @@ entityID="http://auth.idp.com/saml/metadata">
<NameIDFormat>
urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
<AssertionConsumerService isDefault="true" index="0"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
Location="http://auth.idp.com/saml/proxySingleSignOnArtifact" />
<AssertionConsumerService isDefault="false" index="1"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
Location="http://auth.idp.com/saml/proxySingleSignOnPost" />
<AssertionConsumerService isDefault="false" index="1"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
Location="http://auth.idp.com/saml/proxySingleSignOnArtifact" />
</SPSSODescriptor>
<AttributeAuthorityDescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
......
......@@ -10,16 +10,6 @@ BEGIN {
use_ok('Lemonldap::NG::Portal::Main');
}
no warnings 'redefine';
# Redefine LWP methods for tests
sub LWP::UserAgent::request {
my ( $self, $req ) = @_;
return HTTP::Response->new(500);
}
package main;
our $count = 1;
$Data::Dumper::Deparse = 1;
my $ini;
......@@ -133,30 +123,27 @@ sub getCookies {
return $res;
}
sub getRedirection {
my ( $self, $resp ) = @_;
sub getHeader {
my ( $self, $resp, $hname ) = @_;
my @hdrs = @{ $resp->[1] };
my $res = {};
while ( my $name = shift @hdrs ) {
my $v = shift @hdrs;
if ( $name eq 'Location' ) {
if ( $name eq $hname ) {
return $v;
}
}
return undef
return undef;
}
sub getRedirection {
my ( $self, $resp ) = @_;
return $self->getHeader( $resp, 'Location' );
}
sub getUser {
my ( $self, $resp ) = @_;
my @hdrs = @{ $resp->[1] };
my $res = {};
while ( my $name = shift @hdrs ) {
my $v = shift @hdrs;
if ( $name eq 'Lm-Remote-User' ) {
return $v;
}
}
return undef
return $self->getHeader( $resp, 'Lm-Remote-User' );
}
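Review bot: `$name eq $hname` in the new getHeader is a case-sensitive comparison, while HTTP header names are case-insensitive and a PSGI response is free to emit them in any casing, so getRedirection would miss a `location:` header; `lc $name eq lc $hname` makes the helper robust. `my $res = {};` on the line after the `@hdrs` declaration is never used and can be removed, and the trailing `return undef;` should be a bare `return;` so a list-context caller gets an empty list rather than a one-element list holding undef. The `_get` sub that follows runs past the hunk.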
sub _get {
......@@ -184,7 +171,7 @@ sub _get {
( $args{query} ? ( QUERY_STRING => $args{query} ) : () ),
'SCRIPT_NAME' => '',
'SERVER_NAME' => 'auth.example.com',
'SERVER_PORT' => '8002',
'SERVER_PORT' => '80',
'SERVER_PROTOCOL' => 'HTTP/1.1',
( $args{custom} ? %{ $args{custom} } : () ),
}
......@@ -218,7 +205,7 @@ sub _post {
'REQUEST_URI' => $path . ( $args{query} ? "?$args{query}" : '' ),
'SCRIPT_NAME' => '',
'SERVER_NAME' => 'auth.example.com',
'SERVER_PORT' => '8002',
'SERVER_PORT' => '80',
'SERVER_PROTOCOL' => 'HTTP/1.1',
( $args{custom} ? %{ $args{custom} } : () ),
'psgix.input.buffered' => 1,
......