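/* Called by:  zxid_map_val_ss, zxid_mk_usr_a7n_to_sp, zxid_xacml_az_cd1_do x2, zxid_xacml_az_do x2 */
/* Build a SAML2 <sa:Assertion> with Version, ID, IssueInstant, Issuer and a
 * validity window (Conditions/NotBefore .. NotOnOrAfter), optionally
 * restricted to a single audience.
 *
 * cf       - config; cf->ctx is the allocation context, cf->a7nttl the
 *            assertion lifetime added to the current time for NotOnOrAfter
 * audience - optional; when given becomes Conditions/AudienceRestriction/Audience
 * subj     - optional Subject element, linked as a child of the assertion
 * an_stmt  - optional AuthnStatement, linked as a child
 * at_stmt  - optional AttributeStatement, linked as a child
 *
 * Returns the new assertion (allocated from cf->ctx).
 *
 * All three timestamps are taken from one clock read. The original called
 * time(0) separately for IssueInstant, NotOnOrAfter and NotBefore, so a call
 * straddling a second boundary could emit NotBefore one second later than
 * IssueInstant and a validity window not anchored at the issue instant. */
zxid_a7n* zxid_mk_a7n(zxid_conf* cf, struct zx_str* audience, struct zx_sa_Subject_s* subj, struct zx_sa_AuthnStatement_s* an_stmt, struct zx_sa_AttributeStatement_s* at_stmt)
{
    time_t now = time(0);  /* single clock read: keeps IssueInstant, NotBefore, NotOnOrAfter consistent */
    zxid_a7n* a7n = zx_NEW_sa_Assertion(cf->ctx, 0);

    a7n->Version = zx_dup_attr(cf->ctx, &a7n->gg, zx_Version_ATTR, SAML2_VERSION);
    a7n->ID = zxid_mk_id_attr(cf, &a7n->gg, zx_ID_ATTR, "A", ZXID_ID_BITS);
    a7n->IssueInstant = zxid_date_time_attr(cf, &a7n->gg, zx_IssueInstant_ATTR, now);
    a7n->Issuer = zxid_my_issuer(cf, &a7n->gg);

    a7n->Subject = subj;
    if (subj)
        zx_add_kid(&a7n->gg, &subj->gg);

    /* Validity window: [now, now + a7nttl). NotOnOrAfter is created before
     * NotBefore, as in the original, in case attribute order is observable. */
    a7n->Conditions = zx_NEW_sa_Conditions(cf->ctx, &a7n->gg);
    a7n->Conditions->NotOnOrAfter = zxid_date_time_attr(cf, &a7n->Conditions->gg, zx_NotOnOrAfter_ATTR, now + cf->a7nttl);
    a7n->Conditions->NotBefore = zxid_date_time_attr(cf, &a7n->Conditions->gg, zx_NotBefore_ATTR, now);
    if (audience) {
        a7n->Conditions->AudienceRestriction = zx_NEW_sa_AudienceRestriction(cf->ctx, &a7n->Conditions->gg);
        a7n->Conditions->AudienceRestriction->Audience = zx_new_str_elem(cf->ctx, &a7n->Conditions->AudienceRestriction->gg, zx_sa_Audience_ELEM, audience);
    }

    a7n->AuthnStatement = an_stmt;
    if (an_stmt)
        zx_add_kid(&a7n->gg, &an_stmt->gg);
    a7n->AttributeStatement = at_stmt;
    if (at_stmt)
        zx_add_kid(&a7n->gg, &at_stmt->gg);

    /* Children were linked in reverse; restore document order before return. */
    zx_reverse_elem_lists(&a7n->gg);
    return a7n;
}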
/* Called by:  zxid_as_call_ses, zxid_az_soap, zxid_idp_soap, zxid_soap_call_body, zxid_sp_deref_art, zxid_sp_soap */
/* Wrap hdr and body in a fresh <e:Envelope> and issue the SOAP call to url.
 *
 * body must be non-NULL: it is linked into the envelope unconditionally.
 * hdr may be NULL, in which case the envelope carries no Header.
 * Returns the result of zxid_soap_call_raw() unchanged; no error handling
 * is done at this level. */
struct zx_root_s* zxid_soap_call_hdr_body(zxid_conf* cf, struct zx_str* url, struct zx_e_Header_s* hdr, struct zx_e_Body_s* body)
{
  struct zx_e_Envelope_s* env = zx_NEW_e_Envelope(cf->ctx, 0);

  env->Header = hdr;
  env->Body = body;
  /* Body is always linked first, the optional Header after it; keep this
   * order, the linked child list is built in call order. */
  zx_add_kid(&env->gg, &body->gg);
  if (hdr)
    zx_add_kid(&env->gg, &hdr->gg);

  return zxid_soap_call_raw(cf, url, env, 0);
}
/* Called by:  zxid_mni_do, zxid_mni_do_ss */
/* Build a <sp:ManageNameIDResponse> that reports status st.
 *
 * st     - Status element; must be non-NULL, it is linked unconditionally
 * req_id - optional ID of the request being answered; when given it is
 *          copied into the InResponseTo attribute
 * Returns the new response (allocated from cf->ctx). */
struct zx_sp_ManageNameIDResponse_s* zxid_mk_mni_resp(zxid_conf* cf, struct zx_sp_Status_s* st, struct zx_str* req_id)
{
    struct zx_sp_ManageNameIDResponse_s* resp = zx_NEW_sp_ManageNameIDResponse(cf->ctx, 0);

    /* Attributes are created in the original order in case the serialized
     * attribute order follows creation order. */
    resp->Issuer = zxid_my_issuer(cf, &resp->gg);
    resp->ID = zxid_mk_id_attr(cf, &resp->gg, zx_ID_ATTR, "r", ZXID_ID_BITS);
    resp->Version = zx_ref_attr(cf->ctx, &resp->gg, zx_Version_ATTR, SAML2_VERSION);
    resp->IssueInstant = zxid_date_time_attr(cf, &resp->gg, zx_IssueInstant_ATTR, time(0));
    if (req_id) {
        resp->InResponseTo = zx_ref_len_attr(cf->ctx, &resp->gg, zx_InResponseTo_ATTR, req_id->len, req_id->s);
    }

    resp->Status = st;
    zx_add_kid(&resp->gg, &st->gg);
    return resp;
}
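/* Called by:  zxid_idp_soap_dispatch x2, zxid_sp_soap_dispatch x8 */
/* Send a SOAP response to stdout as a CGI reply: wraps body in an Envelope,
 * decorates it via zxid_wsf_decor(), optionally logs the wire message, then
 * prints CONTENT-TYPE / CONTENT-LENGTH headers followed by the XML.
 *
 * cf   - config; cf->log_issue_msg enables the wire-message log
 * ses  - session, may be NULL; when it carries a fault (ses->curflt) the
 *        supplied body is dropped and a Body holding that Fault is sent
 * body - Body element to send; must be non-NULL
 * Returns ZXID_REDIR_OK.
 *
 * Fix: the logging branch dereferenced ses->issuer although ses is NULL-checked
 * earlier in this same function, so a NULL session with log_issue_msg set
 * crashed before the response was written. */
int zxid_soap_cgi_resp_body(zxid_conf* cf, zxid_ses* ses, struct zx_e_Body_s* body)
{
  struct zx_e_Envelope_s* env = zx_NEW_e_Envelope(cf->ctx, 0);
  struct zx_str* ss;
  struct zx_str* logpath;

  env->Body = body;
  zx_add_kid(&env->gg, &body->gg);
  env->Header = zx_NEW_e_Header(cf->ctx, &env->gg);

  if (ses && ses->curflt) {
    D("Detected curflt, abandoning previous Body content. %d", 0);
    /* *** LEAK: Should free previous body content */
    env->Body = (struct zx_e_Body_s*)zx_replace_kid(&env->gg, (struct zx_elem_s*)zx_NEW_e_Body(cf->ctx, 0));
    ZX_ADD_KID(env->Body, Fault, ses->curflt);
  }

  zxid_wsf_decor(cf, ses, env, 1, 0);
  ss = zx_easy_enc_elem_opt(cf, &env->gg);

  if (cf->log_issue_msg) {
    /* ses may be NULL (guarded above), so do not dereference it here.
     * NOTE(review): assumes zxlog_path() tolerates a null issuer - confirm. */
    logpath = zxlog_path(cf, ses ? ses->issuer : 0, ss, ZXLOG_ISSUE_DIR, ZXLOG_WIR_KIND, 1);
    if (logpath) {
      /* Duplicate detection is report-only here: a repeated wire message is
       * logged as an error but still answered. The fatal variant stays disabled. */
      if (zxlog_dup_check(cf, logpath, "cgi_resp")) {
        ERR("Duplicate wire msg(%.*s) (Simple Sign)", ss->len, ss->s);
#if 0
        if (cf->dup_msg_fatal) {
          ERR("FATAL (by configuration): Duplicate wire msg(%.*s) (cgi_resp)", ss->len, ss->s);
          zxlog_blob(cf, 1, logpath, ss, "cgi_resp dup");
          zx_str_free(cf->ctx, logpath);
          return 0;
        }
#endif
      }
      zxlog_blob(cf, 1, logpath, ss, "cgi_resp");
      zxlogwsp(cf, ses, "K", "CGIRESP", 0, "logpath(%.*s)", logpath->len, logpath->s);
      zx_str_free(cf->ctx, logpath);
    }
  }

  if (errmac_debug & ERRMAC_INOUT) INFO("SOAP_RESP(%.*s)", ss->len, ss->s);
  /* ss->len is used both as the CONTENT-LENGTH value and as the %.*s
   * precision so the header always matches the bytes actually written. */
  fprintf(stdout, "CONTENT-TYPE: text/xml" CRLF "CONTENT-LENGTH: %d" CRLF2 "%.*s", ss->len, ss->len, ss->s);
  fflush(stdout);
  D("^^^^^^^^^^^^^^ Done (%d chars returned) ^^^^^^^^^^^^^", ss->len);
  return ZXID_REDIR_OK;
}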
/* Called by:  zxid_idp_sso x4, zxid_ssos_anreq, zxid_xacml_az_cd1_do x2, zxid_xacml_az_do x2 */
/* Build a <sp:Response> whose Status comes from zxid_OK(), optionally
 * carrying one assertion.
 *
 * a7n      - assertion to include; may be NULL for a status-only response
 * enc_meta - when non-NULL, a7n is emitted as EncryptedAssertion for that
 *            entity instead of being embedded in the clear
 * Returns the new response (allocated from cf->ctx). */
struct zx_sp_Response_s* zxid_mk_saml_resp(zxid_conf* cf, zxid_a7n* a7n, zxid_entity* enc_meta)
{
    struct zx_sp_Response_s* resp = zx_NEW_sp_Response(cf->ctx, 0);

    resp->Version = zx_dup_attr(cf->ctx, &resp->gg, zx_Version_ATTR, SAML2_VERSION);
    resp->ID = zxid_mk_id_attr(cf, &resp->gg, zx_ID_ATTR, "R", ZXID_ID_BITS);
    resp->Issuer = zxid_my_issuer(cf, &resp->gg);
    resp->IssueInstant = zxid_date_time_attr(cf, &resp->gg, zx_IssueInstant_ATTR, time(0));
    resp->Status = zxid_OK(cf, &resp->gg);

    if (a7n && enc_meta) {
        /* See saml-bindings-2.0-os.pdf, sec 3.5.5.2 Security Considerations, p.24, ll.847-851
         * After publication it was understood that the SHOULD NOT could be eliminated
         * if EncryptedAssertion is used. */
        resp->EncryptedAssertion = zxid_mk_enc_a7n(cf, &resp->gg, a7n, enc_meta);
    } else if (a7n) {
        /* No encryption metadata: the assertion becomes a direct child. */
        resp->Assertion = a7n;
        zx_add_kid(&resp->gg, &a7n->gg);
    }

    /* Children were linked in reverse; restore document order before return. */
    zx_reverse_elem_lists(&resp->gg);
    return resp;
}