/* Called by: zxid_map_val_ss, zxid_mk_usr_a7n_to_sp, zxid_xacml_az_cd1_do x2, zxid_xacml_az_do x2 */ zxid_a7n* zxid_mk_a7n(zxid_conf* cf, struct zx_str* audience, struct zx_sa_Subject_s* subj, struct zx_sa_AuthnStatement_s* an_stmt, struct zx_sa_AttributeStatement_s* at_stmt) { zxid_a7n* a7n = zx_NEW_sa_Assertion(cf->ctx,0); a7n->Version = zx_dup_attr(cf->ctx, &a7n->gg, zx_Version_ATTR, SAML2_VERSION); a7n->ID = zxid_mk_id_attr(cf, &a7n->gg, zx_ID_ATTR, "A", ZXID_ID_BITS); a7n->IssueInstant = zxid_date_time_attr(cf, &a7n->gg, zx_IssueInstant_ATTR, time(0)); a7n->Issuer = zxid_my_issuer(cf, &a7n->gg); a7n->Subject = subj; if (subj) zx_add_kid(&a7n->gg, &subj->gg); a7n->Conditions = zx_NEW_sa_Conditions(cf->ctx, &a7n->gg); a7n->Conditions->NotOnOrAfter = zxid_date_time_attr(cf, &a7n->Conditions->gg, zx_NotOnOrAfter_ATTR, time(0) + cf->a7nttl); a7n->Conditions->NotBefore = zxid_date_time_attr(cf, &a7n->Conditions->gg, zx_NotBefore_ATTR, time(0)); if (audience) { a7n->Conditions->AudienceRestriction = zx_NEW_sa_AudienceRestriction(cf->ctx, &a7n->Conditions->gg); a7n->Conditions->AudienceRestriction->Audience = zx_new_str_elem(cf->ctx, &a7n->Conditions->AudienceRestriction->gg, zx_sa_Audience_ELEM, audience); } a7n->AuthnStatement = an_stmt; if (an_stmt) zx_add_kid(&a7n->gg, &an_stmt->gg); a7n->AttributeStatement = at_stmt; if (at_stmt) zx_add_kid(&a7n->gg, &at_stmt->gg); zx_reverse_elem_lists(&a7n->gg); return a7n; }
/* Called by: zxid_as_call_ses, zxid_az_soap, zxid_idp_soap, zxid_soap_call_body, zxid_sp_deref_art, zxid_sp_soap */ struct zx_root_s* zxid_soap_call_hdr_body(zxid_conf* cf, struct zx_str* url, struct zx_e_Header_s* hdr, struct zx_e_Body_s* body) { struct zx_root_s* r; struct zx_e_Envelope_s* env = zx_NEW_e_Envelope(cf->ctx,0); env->Header = hdr; env->Body = body; zx_add_kid(&env->gg, &body->gg); if (hdr) zx_add_kid(&env->gg, &hdr->gg); r = zxid_soap_call_raw(cf, url, env, 0); return r; }
/* Called by: zxid_mni_do, zxid_mni_do_ss */ struct zx_sp_ManageNameIDResponse_s* zxid_mk_mni_resp(zxid_conf* cf, struct zx_sp_Status_s* st, struct zx_str* req_id) { struct zx_sp_ManageNameIDResponse_s* r = zx_NEW_sp_ManageNameIDResponse(cf->ctx,0); r->Issuer = zxid_my_issuer(cf, &r->gg); r->ID = zxid_mk_id_attr(cf, &r->gg, zx_ID_ATTR, "r", ZXID_ID_BITS); r->Version = zx_ref_attr(cf->ctx, &r->gg, zx_Version_ATTR, SAML2_VERSION); r->IssueInstant = zxid_date_time_attr(cf, &r->gg, zx_IssueInstant_ATTR, time(0)); if (req_id) r->InResponseTo = zx_ref_len_attr(cf->ctx, &r->gg,zx_InResponseTo_ATTR, req_id->len,req_id->s); zx_add_kid(&r->gg, &st->gg); r->Status = st; return r; }
/* Called by: zxid_idp_soap_dispatch x2, zxid_sp_soap_dispatch x8 */ int zxid_soap_cgi_resp_body(zxid_conf* cf, zxid_ses* ses, struct zx_e_Body_s* body) { struct zx_e_Envelope_s* env = zx_NEW_e_Envelope(cf->ctx,0); struct zx_str* ss; struct zx_str* logpath; env->Body = body; zx_add_kid(&env->gg, &body->gg); env->Header = zx_NEW_e_Header(cf->ctx, &env->gg); if (ses && ses->curflt) { D("Detected curflt, abandoning previous Body content. %d", 0); /* *** LEAK: Should free previous body content */ env->Body = (struct zx_e_Body_s*)zx_replace_kid(&env->gg, (struct zx_elem_s*)zx_NEW_e_Body(cf->ctx, 0)); ZX_ADD_KID(env->Body, Fault, ses->curflt); } zxid_wsf_decor(cf, ses, env, 1, 0); ss = zx_easy_enc_elem_opt(cf, &env->gg); if (cf->log_issue_msg) { logpath = zxlog_path(cf, ses->issuer, ss, ZXLOG_ISSUE_DIR, ZXLOG_WIR_KIND, 1); if (logpath) { if (zxlog_dup_check(cf, logpath, "cgi_resp")) { ERR("Duplicate wire msg(%.*s) (Simple Sign)", ss->len, ss->s); #if 0 if (cf->dup_msg_fatal) { ERR("FATAL (by configuration): Duplicate wire msg(%.*s) (cgi_resp)", ss->len, ss->s); zxlog_blob(cf, 1, logpath, ss, "cgi_resp dup"); zx_str_free(cf->ctx, logpath); return 0; } #endif } zxlog_blob(cf, 1, logpath, ss, "cgi_resp"); zxlogwsp(cf, ses, "K", "CGIRESP", 0, "logpath(%.*s)", logpath->len, logpath->s); zx_str_free(cf->ctx, logpath); } } if (errmac_debug & ERRMAC_INOUT) INFO("SOAP_RESP(%.*s)", ss->len, ss->s); fprintf(stdout, "CONTENT-TYPE: text/xml" CRLF "CONTENT-LENGTH: %d" CRLF2 "%.*s", ss->len, ss->len, ss->s); fflush(stdout); D("^^^^^^^^^^^^^^ Done (%d chars returned) ^^^^^^^^^^^^^", ss->len); return ZXID_REDIR_OK; }
/* Called by: zxid_idp_sso x4, zxid_ssos_anreq, zxid_xacml_az_cd1_do x2, zxid_xacml_az_do x2 */ struct zx_sp_Response_s* zxid_mk_saml_resp(zxid_conf* cf, zxid_a7n* a7n, zxid_entity* enc_meta) { struct zx_sp_Response_s* r = zx_NEW_sp_Response(cf->ctx,0); r->Version = zx_dup_attr(cf->ctx, &r->gg, zx_Version_ATTR, SAML2_VERSION); r->ID = zxid_mk_id_attr(cf, &r->gg, zx_ID_ATTR, "R", ZXID_ID_BITS); r->Issuer = zxid_my_issuer(cf, &r->gg); r->IssueInstant = zxid_date_time_attr(cf, &r->gg, zx_IssueInstant_ATTR, time(0)); r->Status = zxid_OK(cf, &r->gg); if (a7n) { if (enc_meta) { /* See saml-bindings-2.0-os.pdf, sec 3.5.5.2 Security Considerations, p.24, ll.847-851 * After publication it was understood that the SHOULD NOT could be eliminated * if EncryptedAssertion is used. */ r->EncryptedAssertion = zxid_mk_enc_a7n(cf, &r->gg, a7n, enc_meta); } else { r->Assertion = a7n; zx_add_kid(&r->gg, &a7n->gg); } } zx_reverse_elem_lists(&r->gg); return r; }