Commit b36db970 authored by Christophe Maudoux's avatar Christophe Maudoux

Restore SAML activation global rule (#1625)

parent f3bbc0e4
......@@ -12,6 +12,7 @@ use Lemonldap::NG::Portal::Main::Constants qw(
PE_SAML_SLO_ERROR
PE_SAML_SSO_ERROR
PE_SAML_UNKNOWN_ENTITY
PE_SAML_SERVICE_NOT_ALLOWED
PE_UNAUTHORIZEDPARTNER
);
......@@ -20,11 +21,11 @@ our $VERSION = '2.0.0';
extends 'Lemonldap::NG::Portal::Main::Issuer',
'Lemonldap::NG::Portal::Lib::SAML';
has rule => ( is => 'rw', default => sub { {} } );
has ssoUrlRe => ( is => 'rw' );
has ssoUrlArtifact => ( is => 'rw' );
has ssoGetUrl => ( is => 'rw' );
use constant sessionKind => 'ISAML';
use constant lsDump => '_lassoSessionDumpI';
use constant liDump => '_lassoIdentityDumpI';
......@@ -39,6 +40,17 @@ use constant beforeAuth => 'storeEnv';
sub init {
my ($self) = @_;
# Parse activation rule
my $hd = $self->p->HANDLER;
$self->logger->debug( "SAML rule -> " . $self->conf->{issuerDBSAMLRule} );
my $rule
= $hd->buildSub( $hd->substitute( $self->conf->{issuerDBSAMLRule} ) );
unless ($rule) {
$self->error( "Bad SAML rule -> " . $hd->tsv->{jail}->error );
return 0;
}
$self->{rule} = $rule;
# Prepare SSO URL catching
my $saml_sso_get_url = $self->ssoGetUrl(
$self->getMetaDataURL(
......@@ -181,6 +193,12 @@ sub run {
my $artifact_method;
my $authn_context;
# Check activation rule
unless ( $self->rule->( $req, $req->sessionInfo ) ) {
$self->userLogger->error('SAML service not authorized');
return PE_SAML_SERVICE_NOT_ALLOWED;
}
# Session ID
my $session_id = $req->{sessionInfo}->{_session_id} || $req->{id};
......
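Review bot: The new `init` stores the compiled rule with `$self->{rule} = $rule;`, poking into the object hash instead of going through the Moo accessor that the same change declares (`has rule => ( is => 'rw', default => sub { {} } );`) and that the very next statement uses for `ssoGetUrl`; it only works because Moo keeps attributes under that hash key, so prefer `$self->rule($rule);` for consistency with the rest of the class and with the `$self->rule->( $req, $req->sessionInfo )` read in `run`. One caveat worth confirming: if `issuerDBSAMLRule` is missing from the configuration, the debug concatenation warns on undef and `buildSub` is handed an empty expression, so unless the configuration layer guarantees a default, pick the fail mode deliberately (e.g. `$self->conf->{issuerDBSAMLRule} // 1`, or an explicit deny) rather than leaving it to whatever an empty rule compiles to. Both `init` and `run` continue outside the hunk, so whether other issuer entry points (SLO, artifact resolution) also need the activation check could not be seen here.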