Commit 62528e8b authored by Xavier Guimard's avatar Xavier Guimard

Add SAML-SP rule (#1161)

parent 830f15f7
Bad usage of "safe":
* lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Auth/SAML.pm: must be compiled in
init() and have parameters
* lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Lib/Notifications/XML.pm: must
have parameters
Other:
* secure SOAP session creation with the cipher
* Verify securedCookie=3 (strange)
* Test ForceAuth
......@@ -99,6 +99,7 @@ sub portalTab {
81 => 'PE_NOTOKEN',
82 => 'PE_TOKENEXPIRED',
83 => 'PE_U2FFAILED',
84 => 'PE_UNAUTHORIZEDPARTNER',
};
}
......@@ -296,6 +296,7 @@ t/30-Auth-and-issuer-SAML-POST-IdP-initiated.t
t/30-Auth-and-issuer-SAML-POST.t
t/30-Auth-and-issuer-SAML-Redirect-IdP-initiated.t
t/30-Auth-and-issuer-SAML-Redirect.t
t/30-SAML-SP-rule.t
t/31-Auth-and-issuer-CAS.t
t/32-Auth-and-issuer-OIDC-authorization_code-OP-logout.t
t/32-Auth-and-issuer-OIDC-authorization_code.t
......@@ -1413,7 +1413,6 @@ sub getIDP {
# Case 4: check all IDP resolution rules
# The first match win
# TODO: this is a bad safe usage => change it
else {
foreach ( keys %{ $self->idpList } ) {
my $idpConfKey = $self->idpList->{$_}->{confKey};
......@@ -11,6 +11,7 @@ use Lemonldap::NG::Portal::Main::Constants qw(
PE_SAML_SLO_ERROR
PE_SAML_SSO_ERROR
PE_SAML_UNKNOWN_ENTITY
PE_UNAUTHORIZEDPARTNER
);
our $VERSION = '2.0.0';
......@@ -322,8 +323,13 @@ sub run {
$self->logger->debug("$sp match $spConfKey SP in configuration");
$req->env->{llng_saml_spconfkey} = $spConfKey;
if(defined $self->conf->{samlSPMetaDataOptions}->{$spConfKey}->{samlSPMetaDataOptionsRule}) {
# TODO:
if ( my $rule = $self->spRules->{$sp} ) {
unless ( $rule->( $req->sessionInfo ) ) {
$self->userLogger->warn( 'User '
. $req->sessionInfo->{ $self->conf->{whatToTrace} }
. "was not authorizated to access to $sp" );
return PE_UNAUTHORIZEDPARTNER;
}
}
# Do we check signature?
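Review bot: The warning built at the `$self->userLogger->warn(` call concatenates the traced user id straight onto `"was not authorizated..."`, so the log line comes out as `User dwhowas not authorizated to access to sp`; the literal needs a leading space and the spelling fixed: `. " was not authorized to access $sp" );`. The English `PE84` message added in the same commit carries the same misspelling (`authorizated`) and should read `You are not authorized to access this host`. A comment on the `if ( my $rule = $self->spRules->{$sp} )` line would also help, since the absence of a compiled rule silently grants access: `# No compiled rule for this SP (see loadSPs) means unrestricted access`. run() starts and ends outside the hunk.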
......@@ -27,6 +27,7 @@ has lassoServer => ( is => 'rw' );
has spList => ( is => 'rw', default => sub { {} } );
has idpList => ( is => 'rw', default => sub { {} } );
has idpRules => ( is => 'rw', default => sub { {} } );
has spRules => ( is => 'rw', default => sub { {} } );
# return LWP::UserAgent object
has ua => (
......@@ -262,12 +263,13 @@ sub loadIDPs {
return 0;
}
if(my $cond = $self->conf->{samlIDPMetaDataOptions}->{$_}
->{samlIDPMetaDataOptionsResolutionRule}) {
my $cond = $self->conf->{samlIDPMetaDataOptions}->{$_}
->{samlIDPMetaDataOptionsResolutionRule};
if ( length $cond ) {
$cond = $self->p->HANDLER->substitute($cond);
unless( $cond = $self->p->HANDLER->buildSub($cond) ) {
unless ( $cond = $self->p->HANDLER->buildSub($cond) ) {
$self->error( 'SAML IdP rule error: '
. $self->p->HANDLER->tsv->{jail}->error );
. $self->p->HANDLER->tsv->{jail}->error );
return 0;
}
$self->idpRules->{$entityID} = $cond;
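Review bot: The rule-compilation block from `my $cond = ...` through `$self->idpRules->{$entityID} = $cond;` is repeated almost line for line in the loadSPs hunk of this commit (`my $rule = ...` through `$self->spRules->{$entityID} = $rule;`), differing only in the config key, the error label and the target hash. A private helper taking the raw rule string and a label, returning the compiled code ref and recording the jail error on failure, would keep the IdP and SP rule paths from drifting apart; the next fix to one is otherwise easy to forget in the other. loadIDPs starts and ends outside the hunk.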
......@@ -322,8 +324,7 @@ sub loadSPs {
}
# Store SP entityID and Organization Name
my ( $tmp, $entityID ) =
( $sp_metadata =~ /entityID=(['"])(.+?)\1/si );
my ( $tmp, $entityID ) = ( $sp_metadata =~ /entityID=(['"])(.+?)\1/si );
my $name = $self->getOrganizationName( $self->lassoServer, $entityID )
|| ucfirst($_);
$self->spList->{$entityID}->{confKey} = $_;
......@@ -346,6 +347,18 @@ sub loadSPs {
return 0;
}
my $rule = $self->conf->{samlSPMetaDataOptions}->{$_}
->{samlSPMetaDataOptionsRule};
if ( length $rule ) {
$rule = $self->p->HANDLER->substitute($rule);
unless ( $rule = $self->p->HANDLER->buildSub($rule) ) {
$self->error( 'SAML SP rule error: '
. $self->p->HANDLER->tsv->{jail}->error );
return 0;
}
$self->spRules->{$entityID} = $rule;
}
$self->logger->debug("Set encryption mode $encryption_mode on SP $_");
$self->logger->debug("SP $_ added");
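Review bot: The new rule block stores the compiled sub under `$self->spRules->{$entityID}` with nothing saying what it is later checked against or what happens when no rule is configured; a comment above `my $rule = $self->conf->{samlSPMetaDataOptions}->{$_}` would tell the reader: `# Optional per-SP access rule, evaluated against the session data when the SP request is processed in run(); absent or empty means the SP is unrestricted`. `$entityID` comes from the regex capture earlier in loadSPs, so if that capture failed the rule would be keyed under an empty entity id and never apply; presumably an earlier check already rejects metadata without an entityID, but that is worth confirming. loadSPs starts and ends outside the hunk.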
......@@ -1161,8 +1174,8 @@ sub extractRelayState {
# Push values in $self
foreach ( keys %{ $samlSessionInfo->data } ) {
next if $_ =~ /(type|_session_id|_utime)/;
if($_ eq 'issuerUrldc') {
$req->urldc($samlSessionInfo->data->{$_});
if ( $_ eq 'issuerUrldc' ) {
$req->urldc( $samlSessionInfo->data->{$_} );
}
else {
$req->{$_} = $samlSessionInfo->data->{$_};
......@@ -88,6 +88,7 @@ use constant {
PE_NOTOKEN => 81,
PE_TOKENEXPIRED => 82,
PE_U2FFAILED => 83,
PE_UNAUTHORIZEDPARTNER => 84,
};
# EXPORTER PARAMETERS
......@@ -113,6 +114,7 @@ our @EXPORT_OK = qw( PE_SENDRESPONSE PE_INFO PE_REDIRECT PE_DONE PE_OK
PE_RADIUSCONNECTFAILED PE_MUST_SUPPLY_OLD_PASSWORD PE_FORBIDDENIP
PE_CAPTCHAERROR PE_CAPTCHAEMPTY PE_REGISTERFIRSTACCESS PE_REGISTERFORMEMPTY
PE_REGISTERALREADYEXISTS PE_NOTOKEN PE_TOKENEXPIRED HANDLER PE_U2FFAILED
PE_UNAUTHORIZEDPARTNER
);
our %EXPORT_TAGS = ( 'all' => [ @EXPORT_OK, 'import' ], );
......@@ -83,6 +83,7 @@
"PE81":"Invalid authentication attempt",
"PE82":"Exceeded authentication timeout",
"PE83":"U2F verification failed",
"PE84":"You're not authorizated to access to this host",
"PM8":"Select your Identity Provider",
"PM10":"Remember my choice",
"PM11":"Logout from service providers...",
......@@ -83,6 +83,7 @@
"PE81":"Tentative d'authentification invalide",
"PE82":"Délai d'authentification dépassé",
"PE83":"La vérification U2F a échoué",
"PE84":"Vous n'êtes pas autorisé à accéder à ce site",
"PM8":"Choisissez votre fournisseur d'identité",
"PM10":"Se souvenir de mon choix",
"PM11":"Déconnexion des services...",