/**
* lasso_login_assertion_add_discovery:
* @login: a #LassoLogin object
* @assertion: a #LassoSamlAssertion object
*
* Adds AttributeStatement and ResourceOffering attributes to @assertion of a @login object if there
* is a discovery service registerered in the @LassoLogin.server field.
* .
**/
void
lasso_login_assertion_add_discovery(LassoLogin *login, LassoSamlAssertion *assertion)
{
LassoProfile *profile = LASSO_PROFILE(login);
LassoDiscoResourceOffering *resourceOffering;
LassoDiscoServiceInstance *serviceInstance, *newServiceInstance;
LassoSamlAttributeStatement *attributeStatement;
LassoSamlAttribute *attribute;
LassoSamlAttributeValue *attributeValue;
serviceInstance = lasso_server_get_service(profile->server, LASSO_DISCO_HREF);
if (LASSO_IS_DISCO_SERVICE_INSTANCE(serviceInstance) &&
login->private_data->resourceId) {
newServiceInstance = lasso_disco_service_instance_copy(serviceInstance);
resourceOffering = lasso_disco_resource_offering_new(newServiceInstance);
lasso_release_gobject(newServiceInstance);
lasso_assign_gobject(resourceOffering->ResourceID, login->private_data->resourceId);
attributeValue = lasso_saml_attribute_value_new();
lasso_list_add_new_gobject(attributeValue->any, resourceOffering);
attribute = lasso_saml_attribute_new();
lasso_assign_string(attribute->attributeName, "DiscoveryResourceOffering");
lasso_assign_string(attribute->attributeNameSpace, LASSO_DISCO_HREF);
lasso_list_add_new_gobject(attribute->AttributeValue, attributeValue);
attributeStatement = lasso_saml_attribute_statement_new();
lasso_list_add_new_gobject(attributeStatement->Attribute, attribute);
lasso_assign_new_gobject(assertion->AttributeStatement, attributeStatement);
/* FIXME: Add CredentialsRef and saml:Advice Assertions */
}
}
/**
* lasso_assertion_query_build_response_msg:
* @assertion_query: a #LassoAssertionQuery
*
* Builds the Response message.
*
* Return value: 0 on success; or a negative value otherwise.
**/
int
lasso_assertion_query_build_response_msg(LassoAssertionQuery *assertion_query)
{
LassoProfile *profile;
LassoSamlp2StatusResponse *response;
int rc = 0;
g_return_val_if_fail(LASSO_IS_ASSERTION_QUERY(assertion_query),
LASSO_PARAM_ERROR_INVALID_VALUE);
profile = LASSO_PROFILE(assertion_query);
lasso_profile_clean_msg_info(profile);
if (profile->response == NULL) {
/* no response set here means request denied */
response = (LassoSamlp2StatusResponse*) lasso_samlp2_response_new();
lasso_check_good_rc(lasso_saml20_profile_init_response(
profile,
response,
LASSO_SAML2_STATUS_CODE_RESPONDER,
LASSO_SAML2_STATUS_CODE_REQUEST_DENIED));
return 0;
}
/* build logout response message */
rc = lasso_saml20_profile_build_response_msg(profile,
NULL,
profile->http_request_method,
NULL);
cleanup:
return rc;
}
/**
* lasso_ecp_new
*
* Creates a new #LassoEcp.
*
* Return value: a newly created #LassoEcp object; or NULL if an error
* occured
**/
LassoEcp*
lasso_ecp_new(LassoServer *server)
{
LassoEcp *ecp;
ecp = g_object_new(LASSO_TYPE_ECP, NULL);
LASSO_PROFILE(ecp)->server = g_object_ref(server);
return ecp;
}
/**
* lasso_assertion_query_new:
* @server: the #LassoServer
*
* Creates a new #LassoAssertionQuery.
*
* Return value: a newly created #LassoAssertionQuery object; or NULL if
* an error occured
**/
LassoAssertionQuery*
lasso_assertion_query_new(LassoServer *server)
{
LassoAssertionQuery *assertion_query;
g_return_val_if_fail(LASSO_IS_SERVER(server), NULL);
assertion_query = g_object_new(LASSO_TYPE_ASSERTION_QUERY, NULL);
LASSO_PROFILE(assertion_query)->server = lasso_ref(server);
return assertion_query;
}
/**
* lasso_assertion_query_validate_request:
* @assertion_query: a #LassoAssertionQuery
*
* Processes a Assertion query or request; caller must add assertions to the
* response afterwards.
*
* Return value: 0 on success; or a negative value otherwise.
**/
int
lasso_assertion_query_validate_request(LassoAssertionQuery *assertion_query)
{
LassoProfile *profile;
LassoProvider *remote_provider;
LassoSamlp2StatusResponse *response;
int rc = 0;
g_return_val_if_fail(LASSO_IS_ASSERTION_QUERY(assertion_query),
LASSO_PARAM_ERROR_INVALID_VALUE);
profile = LASSO_PROFILE(assertion_query);
response = (LassoSamlp2StatusResponse*) lasso_samlp2_response_new();
lasso_check_good_rc(lasso_saml20_profile_validate_request(profile,
FALSE,
response,
&remote_provider));
cleanup:
lasso_release_gobject(response);
return rc;
}
/**
* lasso_assertion_query_process_request_msg:
* @assertion_query: a #LassoAssertionQuery
* @request_msg: the Assertion query or request message
*
* Processes a Assertion query or request message. Rebuilds a request object
* from the message and check its signature.
*
* Return value: 0 on success; or a negative value otherwise.
**/
gint
lasso_assertion_query_process_request_msg(LassoAssertionQuery *assertion_query,
char *request_msg)
{
LassoProfile *profile = NULL;
LassoSamlp2SubjectQueryAbstract *subject_query = NULL;
LassoSaml2Subject *subject = NULL;
int rc = 0;
g_return_val_if_fail(LASSO_IS_ASSERTION_QUERY(assertion_query),
LASSO_PARAM_ERROR_INVALID_VALUE);
profile = LASSO_PROFILE(assertion_query);
lasso_check_good_rc(lasso_saml20_profile_process_soap_request(profile, request_msg));
lasso_extract_node_or_fail(subject_query, profile->request, SAMLP2_SUBJECT_QUERY_ABSTRACT,
LASSO_PROFILE_ERROR_INVALID_MSG);
lasso_extract_node_or_fail(subject, subject_query->Subject, SAML2_SUBJECT,
LASSO_PROFILE_ERROR_MISSING_SUBJECT);
lasso_check_good_rc(lasso_saml20_profile_process_name_identifier_decryption(profile, &subject->NameID, &subject->EncryptedID));
cleanup:
return rc;
}
END_TEST
START_TEST(test03_serviceProviderLogin)
{
char *serviceProviderContextDump, *identityProviderContextDump;
LassoServer *spContext, *idpContext;
LassoLogin *spLoginContext, *idpLoginContext;
LassoLibAuthnRequest *request;
int rc = 0;
char *relayState;
char *authnRequestUrl, *authnRequestQuery;
char *responseUrl, *responseQuery;
char *idpIdentityContextDump, *idpSessionContextDump;
char *serviceProviderId, *soapRequestMsg, *soapResponseMsg;
char *spIdentityContextDump;
char *spSessionDump;
int requestType;
serviceProviderContextDump = generateServiceProviderContextDump();
spContext = lasso_server_new_from_dump(serviceProviderContextDump);
spLoginContext = lasso_login_new(spContext);
fail_unless(spLoginContext != NULL,
"lasso_login_new() shouldn't have returned NULL");
rc = lasso_login_init_authn_request(spLoginContext, "https://idp1/metadata",
LASSO_HTTP_METHOD_REDIRECT);
fail_unless(rc == 0, "lasso_login_init_authn_request failed");
request = LASSO_LIB_AUTHN_REQUEST(LASSO_PROFILE(spLoginContext)->request);
fail_unless(LASSO_IS_LIB_AUTHN_REQUEST(request), "request should be authn_request");
request->IsPassive = 0;
request->NameIDPolicy = g_strdup(LASSO_LIB_NAMEID_POLICY_TYPE_FEDERATED);
request->consent = g_strdup(LASSO_LIB_CONSENT_OBTAINED);
relayState = "fake";
request->RelayState = g_strdup(relayState);
rc = lasso_login_build_authn_request_msg(spLoginContext);
fail_unless(rc == 0, "lasso_login_build_authn_request_msg failed");
authnRequestUrl = LASSO_PROFILE(spLoginContext)->msg_url;
fail_unless(authnRequestUrl != NULL,
"authnRequestUrl shouldn't be NULL");
authnRequestQuery = strchr(authnRequestUrl, '?')+1;
fail_unless(strlen(authnRequestQuery) > 0,
"authnRequestRequest shouldn't be an empty string");
/* Identity provider singleSignOn, for a user having no federation. */
identityProviderContextDump = generateIdentityProviderContextDumpMemory();
idpContext = lasso_server_new_from_dump(identityProviderContextDump);
idpLoginContext = lasso_login_new(idpContext);
fail_unless(idpLoginContext != NULL,
"lasso_login_new() shouldn't have returned NULL");
rc = lasso_login_process_authn_request_msg(idpLoginContext, authnRequestQuery);
fail_unless(rc == 0, "lasso_login_process_authn_request_msg failed");
fail_unless(lasso_login_must_authenticate(idpLoginContext),
"lasso_login_must_authenticate() should be TRUE");
fail_unless(idpLoginContext->protocolProfile == LASSO_LOGIN_PROTOCOL_PROFILE_BRWS_ART,
"protocoleProfile should be ProfileBrwsArt");
fail_unless(! lasso_login_must_ask_for_consent(idpLoginContext),
"lasso_login_must_ask_for_consent() should be FALSE");
rc = lasso_login_validate_request_msg(idpLoginContext,
1, /* authentication_result */
0 /* is_consent_obtained */
);
rc = lasso_login_build_assertion(idpLoginContext,
LASSO_SAML_AUTHENTICATION_METHOD_PASSWORD,
"FIXME: authenticationInstant",
"FIXME: reauthenticateOnOrAfter",
"FIXME: notBefore",
"FIXME: notOnOrAfter");
rc = lasso_login_build_artifact_msg(idpLoginContext, LASSO_HTTP_METHOD_REDIRECT);
fail_unless(rc == 0, "lasso_login_build_artifact_msg failed");
idpIdentityContextDump = lasso_identity_dump(LASSO_PROFILE(idpLoginContext)->identity);
fail_unless(idpIdentityContextDump != NULL,
"lasso_identity_dump shouldn't return NULL");
idpSessionContextDump = lasso_session_dump(LASSO_PROFILE(idpLoginContext)->session);
fail_unless(idpSessionContextDump != NULL,
"lasso_session_dump shouldn't return NULL");
responseUrl = LASSO_PROFILE(idpLoginContext)->msg_url;
fail_unless(responseUrl != NULL, "responseUrl shouldn't be NULL");
responseQuery = strchr(responseUrl, '?')+1;
fail_unless(strlen(responseQuery) > 0,
"responseQuery shouldn't be an empty string");
serviceProviderId = g_strdup(LASSO_PROFILE(idpLoginContext)->remote_providerID);
fail_unless(serviceProviderId != NULL,
"lasso_profile_get_remote_providerID shouldn't return NULL");
/* Service provider assertion consumer */
lasso_server_destroy(spContext);
lasso_login_destroy(spLoginContext);
spContext = lasso_server_new_from_dump(serviceProviderContextDump);
spLoginContext = lasso_login_new(spContext);
rc = lasso_login_init_request(spLoginContext,
responseQuery,
LASSO_HTTP_METHOD_REDIRECT);
fail_unless(rc == 0, "lasso_login_init_request failed");
rc = lasso_login_build_request_msg(spLoginContext);
fail_unless(rc == 0, "lasso_login_build_request_msg failed");
soapRequestMsg = LASSO_PROFILE(spLoginContext)->msg_body;
fail_unless(soapRequestMsg != NULL, "soapRequestMsg must not be NULL");
/* Identity provider SOAP endpoint */
lasso_server_destroy(idpContext);
lasso_login_destroy(idpLoginContext);
requestType = lasso_profile_get_request_type_from_soap_msg(soapRequestMsg);
fail_unless(requestType == LASSO_REQUEST_TYPE_LOGIN,
"requestType should be LASSO_REQUEST_TYPE_LOGIN");
idpContext = lasso_server_new_from_dump(identityProviderContextDump);
idpLoginContext = lasso_login_new(idpContext);
rc = lasso_login_process_request_msg(idpLoginContext, soapRequestMsg);
fail_unless(rc == 0, "lasso_login_process_request_msg failed");
rc = lasso_profile_set_session_from_dump(LASSO_PROFILE(idpLoginContext),
idpSessionContextDump);
fail_unless(rc == 0, "lasso_login_set_assertion_from_dump failed");
rc = lasso_login_build_response_msg(idpLoginContext, serviceProviderId);
fail_unless(rc == 0, "lasso_login_build_response_msg failed");
soapResponseMsg = LASSO_PROFILE(idpLoginContext)->msg_body;
fail_unless(soapResponseMsg != NULL, "soapResponseMsg must not be NULL");
/* Service provider assertion consumer (step 2: process SOAP response) */
rc = lasso_login_process_response_msg(spLoginContext, soapResponseMsg);
fail_unless(rc == 0, "lasso_login_process_response_msg failed");
rc = lasso_login_accept_sso(spLoginContext);
fail_unless(rc == 0, "lasso_login_accept_sso failed");
fail_unless(LASSO_PROFILE(spLoginContext)->identity != NULL,
"spLoginContext has no identity");
spIdentityContextDump = lasso_identity_dump(LASSO_PROFILE(spLoginContext)->identity);
fail_unless(spIdentityContextDump != NULL, "lasso_identity_dump failed");
spSessionDump = lasso_session_dump(LASSO_PROFILE(spLoginContext)->session);
g_free(serviceProviderId);
g_free(serviceProviderContextDump);
g_free(identityProviderContextDump);
g_free(idpSessionContextDump);
g_free(idpIdentityContextDump);
g_free(spIdentityContextDump);
g_free(spSessionDump);
g_object_unref(spContext);
g_object_unref(idpContext);
g_object_unref(spLoginContext);
g_object_unref(idpLoginContext);
}
int
lasso_ecp_process_response_msg(LassoEcp *ecp, const char *response_msg)
{
xmlDoc *doc;
xmlXPathContext *xpathCtx;
xmlXPathObject *xpathObj;
xmlNode *new_envelope, *header, *paos_response, *ecp_relay_state;
xmlNode *body = NULL;
xmlNs *soap_env_ns, *ecp_ns;
g_return_val_if_fail(LASSO_IS_ECP(ecp), LASSO_PARAM_ERROR_BAD_TYPE_OR_NULL_OBJ);
g_return_val_if_fail(response_msg != NULL, LASSO_PARAM_ERROR_INVALID_VALUE);
doc = lasso_xml_parse_memory(response_msg, strlen(response_msg));
xpathCtx = xmlXPathNewContext(doc);
xmlXPathRegisterNs(xpathCtx, (xmlChar*)"s", (xmlChar*)LASSO_SOAP_ENV_HREF);
xpathObj = xmlXPathEvalExpression((xmlChar*)"//s:Body", xpathCtx);
if (xpathObj && xpathObj->nodesetval && xpathObj->nodesetval->nodeNr) {
body = xmlCopyNode(xpathObj->nodesetval->nodeTab[0], 1);
}
xmlXPathFreeObject(xpathObj);
xmlXPathRegisterNs(xpathCtx, (xmlChar*)"ecp", (xmlChar*)LASSO_ECP_HREF);
xpathObj = xmlXPathEvalExpression((xmlChar*)"//ecp:Response", xpathCtx);
if (xpathObj && xpathObj->nodesetval && xpathObj->nodesetval->nodeNr) {
ecp->assertionConsumerURL = (char*)xmlGetProp(
xpathObj->nodesetval->nodeTab[0], (xmlChar*)"AssertionConsumerURL");
}
xmlXPathFreeObject(xpathObj);
xmlXPathFreeContext(xpathCtx);
xpathCtx = NULL;
xpathObj = NULL;
new_envelope = xmlNewNode(NULL, (xmlChar*)"Envelope");
xmlSetNs(new_envelope, xmlNewNs(new_envelope,
(xmlChar*)LASSO_SOAP_ENV_HREF, (xmlChar*)LASSO_SOAP_ENV_PREFIX));
xmlNewNs(new_envelope,
(xmlChar*)LASSO_SAML_ASSERTION_HREF, (xmlChar*)LASSO_SAML_ASSERTION_PREFIX);
header = xmlNewTextChild(new_envelope, NULL, (xmlChar*)"Header", NULL);
/* PAOS request header block */
soap_env_ns = xmlNewNs(new_envelope,
(xmlChar*)LASSO_SOAP_ENV_HREF, (xmlChar*)LASSO_SOAP_ENV_PREFIX);
paos_response = xmlNewNode(NULL, (xmlChar*)"Response");
xmlSetNs(paos_response, xmlNewNs(paos_response,
(xmlChar*)LASSO_PAOS_HREF, (xmlChar*)LASSO_PAOS_PREFIX));
xmlSetNsProp(paos_response, soap_env_ns, (xmlChar*)"mustUnderstand", (xmlChar*)"1");
xmlSetNsProp(paos_response, soap_env_ns, (xmlChar*)"actor",
(xmlChar*)LASSO_SOAP_ENV_ACTOR);
if (ecp->private_data->messageID) {
xmlSetNsProp(paos_response, soap_env_ns, (xmlChar*)"refToMessageID",
(xmlChar*)ecp->private_data->messageID);
}
xmlAddChild(header, paos_response);
/* ECP relay state block */
if (ecp->private_data->relay_state) {
ecp_relay_state = xmlNewNode(NULL, (xmlChar*)"RelayState");
xmlNodeSetContent(ecp_relay_state, (xmlChar*)ecp->private_data->relay_state);
ecp_ns = xmlNewNs(ecp_relay_state, (xmlChar*)LASSO_ECP_HREF,
(xmlChar*)LASSO_ECP_PREFIX);
xmlSetNs(ecp_relay_state, ecp_ns);
xmlSetNsProp(ecp_relay_state, soap_env_ns, (xmlChar*)"mustUnderstand",
(xmlChar*)"1");
xmlSetNsProp(ecp_relay_state, soap_env_ns, (xmlChar*)"actor",
(xmlChar*)LASSO_SOAP_ENV_ACTOR);
xmlAddChild(header, ecp_relay_state);
}
xmlAddChild(new_envelope, body);
lasso_assign_new_string(LASSO_PROFILE(ecp)->msg_body,
lasso_xmlnode_to_string(new_envelope, 0, 0))
lasso_release_doc(doc);
return 0;
}
int
lasso_ecp_process_authn_request_msg(LassoEcp *ecp, const char *authn_request_msg)
{
xmlDoc *doc;
xmlXPathContext *xpathCtx;
xmlXPathObject *xpathObj;
xmlNode *xmlnode;
LassoProfile *profile;
LassoProvider *remote_provider;
g_return_val_if_fail(LASSO_IS_ECP(ecp), LASSO_PARAM_ERROR_BAD_TYPE_OR_NULL_OBJ);
g_return_val_if_fail(authn_request_msg != NULL, LASSO_PARAM_ERROR_INVALID_VALUE);
profile = LASSO_PROFILE(ecp);
doc = lasso_xml_parse_memory(authn_request_msg, strlen(authn_request_msg));
xpathCtx = xmlXPathNewContext(doc);
xmlXPathRegisterNs(xpathCtx, (xmlChar*)"ecp", (xmlChar*)LASSO_ECP_HREF);
xpathObj = xmlXPathEvalExpression((xmlChar*)"//ecp:RelayState", xpathCtx);
if (xpathObj && xpathObj->nodesetval && xpathObj->nodesetval->nodeNr) {
xmlnode = xpathObj->nodesetval->nodeTab[0];
ecp->private_data->relay_state = xmlNodeGetContent(xmlnode);
}
xmlXPathFreeObject(xpathObj);
xmlXPathRegisterNs(xpathCtx, (xmlChar*)"paos", (xmlChar*)LASSO_PAOS_HREF);
xpathObj = xmlXPathEvalExpression((xmlChar*)"//paos:Request", xpathCtx);
if (xpathObj && xpathObj->nodesetval && xpathObj->nodesetval->nodeNr) {
ecp->private_data->messageID = xmlGetProp(
xpathObj->nodesetval->nodeTab[0], (xmlChar*)"messageID");
}
xmlXPathFreeObject(xpathObj);
xmlXPathRegisterNs(xpathCtx, (xmlChar*)"s", (xmlChar*)LASSO_SOAP_ENV_HREF);
xpathObj = xmlXPathEvalExpression((xmlChar*)"//s:Header", xpathCtx);
if (xpathObj && xpathObj->nodesetval && xpathObj->nodesetval->nodeNr) {
xmlnode = xpathObj->nodesetval->nodeTab[0];
xmlUnlinkNode(xmlnode);
xmlFreeNode(xmlnode);
}
xmlXPathFreeObject(xpathObj);
xmlXPathFreeContext(xpathCtx);
xpathCtx = NULL;
xpathObj = NULL;
xmlnode = xmlDocGetRootElement(doc);
lasso_assign_new_string(LASSO_PROFILE(ecp)->msg_body,
lasso_xmlnode_to_string(xmlnode, 0, 0))
lasso_release_doc(doc);
profile->remote_providerID = lasso_server_get_first_providerID_by_role(profile->server, LASSO_PROVIDER_ROLE_IDP);
if (profile->remote_providerID == NULL) {
return critical_error(LASSO_SERVER_ERROR_PROVIDER_NOT_FOUND);
}
remote_provider = lasso_server_get_provider(profile->server, profile->remote_providerID);
if (LASSO_IS_PROVIDER(remote_provider) == FALSE) {
return critical_error(LASSO_SERVER_ERROR_PROVIDER_NOT_FOUND);
}
profile->msg_url = lasso_provider_get_metadata_one(remote_provider,
"SingleSignOnService SOAP");
if (profile->msg_url == NULL) {
return critical_error(LASSO_PROFILE_ERROR_UNKNOWN_PROFILE_URL);
}
return 0;
}
/**
* lasso_assertion_query_init_request:
* @assertion_query: a #LassoAssertionQuery
* @remote_provider_id: (allow-none): the providerID of the remote provider.
* @http_method: if set, then it get the protocol profile in metadata
* corresponding of this HTTP request method.
* @query_request_type: the type of request.
*
* Initializes a new Assertion Query Request.
* For the AssertionID request type, the remote_provider_id is mandatory, for all other kind of
* request it is optional if we can find a provider supporting the associated role, i.e.
* IDP; authentication, attribute and authorization authority.
*
* Return value: 0 on success; or a negative value otherwise.
**/
gint
lasso_assertion_query_init_request(LassoAssertionQuery *assertion_query,
char *remote_provider_id,
LassoHttpMethod http_method,
LassoAssertionQueryRequestType query_request_type)
{
LassoProfile *profile;
LassoNode *request;
gint rc = 0;
g_return_val_if_fail(http_method == LASSO_HTTP_METHOD_ANY ||
http_method == LASSO_HTTP_METHOD_SOAP,
LASSO_PARAM_ERROR_INVALID_VALUE);
g_return_val_if_fail(LASSO_IS_ASSERTION_QUERY(assertion_query),
LASSO_PARAM_ERROR_INVALID_VALUE);
profile = LASSO_PROFILE(assertion_query);
/* set the remote provider id */
profile->remote_providerID = NULL;
if (remote_provider_id) {
profile->remote_providerID = g_strdup(remote_provider_id);
} else {
LassoProviderRole role = LASSO_PROVIDER_ROLE_NONE;
switch (query_request_type) {
case LASSO_ASSERTION_QUERY_REQUEST_TYPE_AUTHN:
role = LASSO_PROVIDER_ROLE_AUTHN_AUTHORITY;
break;
case LASSO_ASSERTION_QUERY_REQUEST_TYPE_ATTRIBUTE:
role = LASSO_PROVIDER_ROLE_ATTRIBUTE_AUTHORITY;
break;
case LASSO_ASSERTION_QUERY_REQUEST_TYPE_AUTHZ_DECISION:
role = LASSO_PROVIDER_ROLE_AUTHZ_AUTHORITY;
break;
/* other request types should not happen or should not go there */
default:
return critical_error(LASSO_PARAM_ERROR_INVALID_VALUE);
}
profile->remote_providerID =
lasso_server_get_first_providerID_by_role(profile->server,
role);
}
g_return_val_if_fail(profile->remote_providerID != NULL,
LASSO_PARAM_ERROR_INVALID_VALUE);
assertion_query->private_data->query_request_type = query_request_type;
switch (query_request_type) {
case LASSO_ASSERTION_QUERY_REQUEST_TYPE_ASSERTION_ID:
request = lasso_samlp2_assertion_id_request_new();
break;
case LASSO_ASSERTION_QUERY_REQUEST_TYPE_AUTHN:
request = lasso_samlp2_authn_query_new();
break;
case LASSO_ASSERTION_QUERY_REQUEST_TYPE_ATTRIBUTE:
request = lasso_samlp2_attribute_query_new();
break;
case LASSO_ASSERTION_QUERY_REQUEST_TYPE_AUTHZ_DECISION:
request = lasso_samlp2_authz_decision_query_new();
break;
default:
return critical_error(LASSO_PARAM_ERROR_INVALID_VALUE);
}
/* Setup usual request attributes */
if (LASSO_IS_SAMLP2_SUBJECT_QUERY_ABSTRACT(request)) {
LassoSamlp2SubjectQueryAbstract *sqa;
sqa = (LassoSamlp2SubjectQueryAbstract*)request;
sqa->Subject = (LassoSaml2Subject*)lasso_saml2_subject_new();
}
lasso_check_good_rc(lasso_saml20_profile_init_request(profile,
profile->remote_providerID,
TRUE,
(LassoSamlp2RequestAbstract*)request,
http_method,
_lasso_assertion_query_type_to_protocol_type(query_request_type)));
cleanup:
lasso_release_gobject(request);
return rc;
}
/**
* lasso_assertion_query_build_request_msg:
* @assertion_query: a #LassoAssertionQuery
*
* Build an Assertion Query profile request message.
*
* Return value: 0 on success; or a negative value otherwise.
**/
gint
lasso_assertion_query_build_request_msg(LassoAssertionQuery *assertion_query)
{
LassoProfile *profile;
LassoProvider *remote_provider;
gint rc = 0;
g_return_val_if_fail(LASSO_IS_ASSERTION_QUERY(assertion_query),
LASSO_PARAM_ERROR_INVALID_VALUE);
profile = LASSO_PROFILE(assertion_query);
lasso_profile_clean_msg_info(profile);
remote_provider = lasso_server_get_provider(profile->server, profile->remote_providerID);
if (LASSO_IS_PROVIDER(remote_provider) == FALSE) {
return critical_error(LASSO_SERVER_ERROR_PROVIDER_NOT_FOUND);
}
/* fill and encrypt <Subject> if necessary */
if (LASSO_IS_SAMLP2_SUBJECT_QUERY_ABSTRACT(profile->request)) do {
LassoSaml2NameID *nameID = NULL;
LassoSamlp2SubjectQueryAbstract *subject_query;
subject_query = (LassoSamlp2SubjectQueryAbstract*)profile->request;
if (! LASSO_IS_SAML2_SUBJECT(subject_query->Subject)) {
lasso_assign_new_gobject(subject_query->Subject,
lasso_saml2_subject_new());
}
/* verify that there is a NameID */
if ( (! LASSO_IS_SAML2_NAME_ID(subject_query->Subject->NameID) &&
! LASSO_IS_SAML2_ENCRYPTED_ELEMENT(subject_query->Subject->EncryptedID)))
{
/* if not try to get the local profile one */
nameID = (LassoSaml2NameID*)profile->nameIdentifier;
if (! LASSO_IS_SAML2_NAME_ID(nameID))
nameID = (LassoSaml2NameID*)lasso_profile_get_nameIdentifier(profile);
/* if none found, try to get the identity object or session object one */
if (! LASSO_IS_SAML2_NAME_ID(nameID))
return LASSO_PROFILE_ERROR_MISSING_NAME_IDENTIFIER;
lasso_assign_gobject(subject_query->Subject->NameID, nameID);
}
lasso_check_good_rc(lasso_saml20_profile_setup_subject(profile,
subject_query->Subject));
} while(FALSE);
if (profile->http_request_method == LASSO_HTTP_METHOD_SOAP) {
LassoAssertionQueryRequestType type;
const char *url;
/* XXX: support only SOAP */
static const gchar *servicepoints[LASSO_ASSERTION_QUERY_REQUEST_TYPE_LAST] = {
NULL,
NULL,
"AuthnQueryService SOAP",
"AttributeService SOAP",
"AuthzService SOAP",
};
static const LassoProviderRole roles[LASSO_ASSERTION_QUERY_REQUEST_TYPE_LAST] = {
LASSO_PROVIDER_ROLE_NONE,
LASSO_PROVIDER_ROLE_NONE,
LASSO_PROVIDER_ROLE_AUTHN_AUTHORITY,
LASSO_PROVIDER_ROLE_ATTRIBUTE_AUTHORITY,
LASSO_PROVIDER_ROLE_AUTHZ_AUTHORITY,
};
type = assertion_query->private_data->query_request_type;
if (type == LASSO_ASSERTION_QUERY_REQUEST_TYPE_ASSERTION_ID) {
return LASSO_ERROR_UNDEFINED;
}
if (type < LASSO_ASSERTION_QUERY_REQUEST_TYPE_ASSERTION_ID ||
type > LASSO_ASSERTION_QUERY_REQUEST_TYPE_AUTHZ_DECISION) {
return LASSO_PARAM_ERROR_INVALID_VALUE;
}
url = lasso_provider_get_metadata_one_for_role(remote_provider, roles[type], servicepoints[type]);
return lasso_saml20_profile_build_request_msg(&assertion_query->parent,
NULL,
LASSO_HTTP_METHOD_SOAP, url);
}
cleanup:
return rc;
}
