static LassoSaml2Attribute* lasso_assertion_query_lookup_attribute(LassoAssertionQuery *assertion_query, char *format, char *name) { LassoSaml2Attribute *result = NULL; LassoSamlp2AttributeQuery *query = NULL; g_return_val_if_fail(LASSO_IS_ASSERTION_QUERY(assertion_query) || ! format || ! name, NULL); query = (LassoSamlp2AttributeQuery*) assertion_query->parent.request; g_return_val_if_fail(LASSO_IS_SAMLP2_ATTRIBUTE_QUERY(query), NULL); lasso_foreach_full_begin(LassoSaml2Attribute*, attribute, it, query->Attribute) { if (LASSO_IS_SAML2_ATTRIBUTE(attribute) && lasso_strisequal(attribute->NameFormat,format) && lasso_strisequal(attribute->Name,name)) { result = attribute; break; } } lasso_foreach_full_end() return result; }
/** * lasso_wsa_endpoint_reference_get_token_by_usage: * @epr: a #LassoWsAddrEndpointReference object * @security_mech_predicate: (allow-none): a predicate to test for security mechanism * @security_mech_id: (allow-none): a security mechanism identifier * @usage: the usage to make of the token * * Try to find a token for the given usage and security mechanism, the security can be chosen by * name or by a predicate. * * Return value: a #LassoNode object or a subclass, representing the token. */ static LassoNode* lasso_wsa_endpoint_reference_get_token_by_usage( const LassoWsAddrEndpointReference *epr, gboolean (*sec_mech_predicate)(const char *), const char *security_mech_id, const char* usage) { LassoIdWsf2DiscoSecurityContext *security_context; security_context = lasso_wsa_endpoint_reference_get_idwsf2_security_context_for_security_mechanism( epr, sec_mech_predicate, security_mech_id, TRUE); lasso_foreach_full_begin (LassoIdWsf2SecToken*, token, iter, security_context->Token); if (LASSO_IS_IDWSF2_SEC_TOKEN (token)) { if (usage && lasso_strisequal(token->usage,usage)) { if (LASSO_IS_NODE(token->any)) { return (LassoNode*)token->any; } else if (token->ref) { message(G_LOG_LEVEL_WARNING, "sec:Token ref attribute is not supported"); return NULL; } } } lasso_foreach_full_end(); return NULL; }
/** * lasso_wsa_endpoint_reference_get_idwsf2_security_context_for_security_mechanism: * @epr: a #LassoWsAddrEndpointReference object * @security_mech_predicate: (allow-none): a predicate to test for security mechanism * @security_mech_id: (allow-none): a security mechanism identifier * @create: allow to create the element if none if found, @security_mech_id is mandatory when create * is TRUE. * * Return value: (transfer none): a #LassoIdWsf2DiscoSecurityContext, or NULL if none was found and * created is FALSE. */ LassoIdWsf2DiscoSecurityContext* lasso_wsa_endpoint_reference_get_idwsf2_security_context_for_security_mechanism( const LassoWsAddrEndpointReference *epr, gboolean (*sech_mech_predicate)(const char *), const char *security_mech_id, gboolean create) { LassoIdWsf2DiscoSecurityContext *created = NULL; LassoMiscTextNode *new_security_mech_id_declaration; if (! LASSO_IS_WSA_ENDPOINT_REFERENCE (epr) || epr->Metadata == NULL) return NULL; lasso_foreach_full_begin(LassoIdWsf2DiscoSecurityContext*, context, it1, epr->Metadata->any); if (LASSO_IS_IDWSF2_DISCO_SECURITY_CONTEXT (context)) { lasso_foreach_full_begin(char*, textnode, it2, context->SecurityMechID); if (lasso_strisequal(textnode,security_mech_id) || sech_mech_predicate(textnode)) { return context; } lasso_foreach_full_end() } lasso_foreach_full_end(); if (create && security_mech_id) { created = lasso_idwsf2_disco_security_context_new(); new_security_mech_id_declaration = lasso_misc_text_node_new_with_string(security_mech_id); new_security_mech_id_declaration->name = "SecurityMechID"; new_security_mech_id_declaration->ns_href = LASSO_IDWSF2_DISCOVERY_HREF; new_security_mech_id_declaration->ns_prefix = LASSO_IDWSF2_DISCOVERY_PREFIX; lasso_list_add_new_gobject (created->SecurityMechID, new_security_mech_id_declaration); lasso_list_add_new_gobject (epr->Metadata->any, created); } if (create && ! security_mech_id) { message(G_LOG_LEVEL_WARNING, "cannot create a LassoIdWsf2DiscoSecurityContext withou a security_mech_id"); } return created; }
END_TEST START_TEST(test02_serviceProviderLogin) { char *serviceProviderContextDump, *identityProviderContextDump; LassoServer *spContext, *idpContext; LassoLogin *spLoginContext, *idpLoginContext; LassoLibAuthnRequest *request; int rc = 0; char *relayState; char *authnRequestUrl, *authnRequestQuery; char *responseUrl, *responseQuery; char *idpIdentityContextDump, *idpSessionContextDump; char *serviceProviderId, *soapRequestMsg, *soapResponseMsg; char *spIdentityContextDump; char *spSessionDump; char *spLoginDump; int requestType; char *found; serviceProviderContextDump = generateServiceProviderContextDump(); spContext = lasso_server_new_from_dump(serviceProviderContextDump); spLoginContext = lasso_login_new(spContext); fail_unless(spLoginContext != NULL, "lasso_login_new() shouldn't have returned NULL"); rc = lasso_login_init_authn_request(spLoginContext, "https://idp1/metadata", LASSO_HTTP_METHOD_REDIRECT); fail_unless(rc == 0, "lasso_login_init_authn_request failed"); request = LASSO_LIB_AUTHN_REQUEST(LASSO_PROFILE(spLoginContext)->request); fail_unless(LASSO_IS_LIB_AUTHN_REQUEST(request), "request should be authn_request"); request->IsPassive = 0; request->NameIDPolicy = g_strdup(LASSO_LIB_NAMEID_POLICY_TYPE_FEDERATED); request->consent = g_strdup(LASSO_LIB_CONSENT_OBTAINED); relayState = "fake[]"; request->RelayState = g_strdup(relayState); rc = lasso_login_build_authn_request_msg(spLoginContext); fail_unless(rc == 0, "lasso_login_build_authn_request_msg failed"); authnRequestUrl = LASSO_PROFILE(spLoginContext)->msg_url; fail_unless(authnRequestUrl != NULL, "authnRequestUrl shouldn't be NULL"); authnRequestQuery = strchr(authnRequestUrl, '?')+1; fail_unless(strlen(authnRequestQuery) > 0, "authnRequestQuery shouldn't be an empty string"); spLoginDump = lasso_node_dump(LASSO_NODE(spLoginContext)); fail_unless(strstr(authnRequestQuery, "RelayState") != NULL, "authnRequestQuery should contain a RelayState parameter"); fail_unless(strstr(authnRequestQuery, "fake%5B%5D") != NULL, "authnRequestQuery RelayState parameter should be encoded"); /* Identity provider singleSignOn, for a user having no federation. */ identityProviderContextDump = generateIdentityProviderContextDump(); idpContext = lasso_server_new_from_dump(identityProviderContextDump); idpLoginContext = lasso_login_new(idpContext); fail_unless(idpLoginContext != NULL, "lasso_login_new() shouldn't have returned NULL"); rc = lasso_login_process_authn_request_msg(idpLoginContext, authnRequestQuery); fail_unless(rc == 0, "lasso_login_process_authn_request_msg failed"); fail_unless(lasso_login_must_authenticate(idpLoginContext), "lasso_login_must_authenticate() should be TRUE"); fail_unless(idpLoginContext->protocolProfile == LASSO_LOGIN_PROTOCOL_PROFILE_BRWS_ART, "protocoleProfile should be ProfileBrwsArt"); fail_unless(! lasso_login_must_ask_for_consent(idpLoginContext), "lasso_login_must_ask_for_consent() should be FALSE"); fail_unless(idpLoginContext->parent.msg_relayState != NULL, "lasso_login_process_authn_request_msg should restore the RelayState parameter"); fail_unless(lasso_strisequal(idpLoginContext->parent.msg_relayState,relayState), "lasso_login_process_authn_request_msg should restore the same RelayState thant sent in the request"); rc = lasso_login_validate_request_msg(idpLoginContext, 1, /* authentication_result */ 0 /* is_consent_obtained */ ); rc = lasso_login_build_assertion(idpLoginContext, LASSO_SAML_AUTHENTICATION_METHOD_PASSWORD, "FIXME: authenticationInstant", "FIXME: reauthenticateOnOrAfter", "FIXME: notBefore", "FIXME: notOnOrAfter"); rc = lasso_login_build_artifact_msg(idpLoginContext, LASSO_HTTP_METHOD_REDIRECT); fail_unless(rc == 0, "lasso_login_build_artifact_msg failed"); idpIdentityContextDump = lasso_identity_dump(LASSO_PROFILE(idpLoginContext)->identity); fail_unless(idpIdentityContextDump != NULL, "lasso_identity_dump shouldn't return NULL"); idpSessionContextDump = lasso_session_dump(LASSO_PROFILE(idpLoginContext)->session); fail_unless(idpSessionContextDump != NULL, "lasso_session_dump shouldn't return NULL"); responseUrl = LASSO_PROFILE(idpLoginContext)->msg_url; fail_unless(responseUrl != NULL, "responseUrl shouldn't be NULL"); responseQuery = strchr(responseUrl, '?')+1; fail_unless(strlen(responseQuery) > 0, "responseQuery shouldn't be an empty string"); fail_unless(strstr(responseQuery, "RelayState") != NULL, "responseQuery should contain a RelayState parameter"); fail_unless(strstr(responseQuery, "fake%5B%5D") != NULL, "responseQuery RelayState parameter should be encoded"); serviceProviderId = g_strdup(LASSO_PROFILE(idpLoginContext)->remote_providerID); fail_unless(serviceProviderId != NULL, "lasso_profile_get_remote_providerID shouldn't return NULL"); /* Service provider assertion consumer */ lasso_server_destroy(spContext); lasso_login_destroy(spLoginContext); spContext = lasso_server_new_from_dump(serviceProviderContextDump); spLoginContext = lasso_login_new_from_dump(spContext, spLoginDump); rc = lasso_login_init_request(spLoginContext, responseQuery, LASSO_HTTP_METHOD_REDIRECT); fail_unless(spLoginContext->parent.msg_relayState != NULL, "lasso_login_init_request should restore the RelayState parameter"); fail_unless(lasso_strisequal(spLoginContext->parent.msg_relayState,relayState), "lasso_login_init_request should restore the same RelayState thant sent in the request"); fail_unless(rc == 0, "lasso_login_init_request failed"); rc = lasso_login_build_request_msg(spLoginContext); fail_unless(rc == 0, "lasso_login_build_request_msg failed"); soapRequestMsg = LASSO_PROFILE(spLoginContext)->msg_body; fail_unless(soapRequestMsg != NULL, "soapRequestMsg must not be NULL"); /* Identity provider SOAP endpoint */ lasso_server_destroy(idpContext); lasso_login_destroy(idpLoginContext); requestType = lasso_profile_get_request_type_from_soap_msg(soapRequestMsg); fail_unless(requestType == LASSO_REQUEST_TYPE_LOGIN, "requestType should be LASSO_REQUEST_TYPE_LOGIN"); idpContext = lasso_server_new_from_dump(identityProviderContextDump); idpLoginContext = lasso_login_new(idpContext); rc = lasso_login_process_request_msg(idpLoginContext, soapRequestMsg); fail_unless(rc == 0, "lasso_login_process_request_msg failed"); rc = lasso_profile_set_session_from_dump(LASSO_PROFILE(idpLoginContext), idpSessionContextDump); fail_unless(rc == 0, "lasso_login_set_assertion_from_dump failed"); rc = lasso_login_build_response_msg(idpLoginContext, serviceProviderId); fail_unless(rc == 0, "lasso_login_build_response_msg failed"); soapResponseMsg = LASSO_PROFILE(idpLoginContext)->msg_body; fail_unless(soapResponseMsg != NULL, "soapResponseMsg must not be NULL"); /* Service provider assertion consumer (step 2: process SOAP response) */ rc = lasso_login_process_response_msg(spLoginContext, soapResponseMsg); fail_unless(rc == 0, "lasso_login_process_response_msg failed"); rc = lasso_login_accept_sso(spLoginContext); fail_unless(rc == 0, "lasso_login_accept_sso failed"); fail_unless(LASSO_PROFILE(spLoginContext)->identity != NULL, "spLoginContext has no identity"); spIdentityContextDump = lasso_identity_dump(LASSO_PROFILE(spLoginContext)->identity); fail_unless(spIdentityContextDump != NULL, "lasso_identity_dump failed"); spSessionDump = lasso_session_dump(LASSO_PROFILE(spLoginContext)->session); /* Test InResponseTo checking */ found = strstr(soapResponseMsg, "Assertion"); fail_unless(found != NULL, "We must find an Assertion"); found = strstr(found, "InResponseTo=\""); fail_unless(found != NULL, "We must find an InResponseTo attribute"); found[sizeof("InResponseTo=\"")] = '?'; lasso_set_flag("no-verify-signature"); rc = lasso_login_process_response_msg(spLoginContext, soapResponseMsg); lasso_set_flag("verify-signature"); fail_unless(rc != 0, "lasso_login_process_response_msg must fail"); rc = lasso_login_accept_sso(spLoginContext); fail_unless(rc == 0, "lasso_login_accept_sso must fail"); g_free(spLoginDump); g_free(serviceProviderId); g_free(serviceProviderContextDump); g_free(identityProviderContextDump); g_free(idpSessionContextDump); g_free(idpIdentityContextDump); g_free(spIdentityContextDump); g_free(spSessionDump); g_object_unref(spContext); g_object_unref(idpContext); g_object_unref(spLoginContext); g_object_unref(idpLoginContext); }