static LassoSaml2Attribute*
lasso_assertion_query_lookup_attribute(LassoAssertionQuery *assertion_query, char *format, char *name)
{
LassoSaml2Attribute *result = NULL;
LassoSamlp2AttributeQuery *query = NULL;
g_return_val_if_fail(LASSO_IS_ASSERTION_QUERY(assertion_query) || ! format || ! name,
NULL);
query = (LassoSamlp2AttributeQuery*) assertion_query->parent.request;
g_return_val_if_fail(LASSO_IS_SAMLP2_ATTRIBUTE_QUERY(query), NULL);
lasso_foreach_full_begin(LassoSaml2Attribute*, attribute, it, query->Attribute)
{
if (LASSO_IS_SAML2_ATTRIBUTE(attribute) &&
lasso_strisequal(attribute->NameFormat,format) &&
lasso_strisequal(attribute->Name,name))
{
result = attribute;
break;
}
}
lasso_foreach_full_end()
return result;
}
/**
* lasso_wsa_endpoint_reference_get_token_by_usage:
* @epr: a #LassoWsAddrEndpointReference object
* @security_mech_predicate: (allow-none): a predicate to test for security mechanism
* @security_mech_id: (allow-none): a security mechanism identifier
* @usage: the usage to make of the token
*
* Try to find a token for the given usage and security mechanism, the security can be chosen by
* name or by a predicate.
*
* Return value: a #LassoNode object or a subclass, representing the token.
*/
static LassoNode*
lasso_wsa_endpoint_reference_get_token_by_usage(
const LassoWsAddrEndpointReference *epr,
gboolean (*sec_mech_predicate)(const char *),
const char *security_mech_id, const char* usage)
{
LassoIdWsf2DiscoSecurityContext *security_context;
security_context =
lasso_wsa_endpoint_reference_get_idwsf2_security_context_for_security_mechanism(
epr, sec_mech_predicate, security_mech_id, TRUE);
lasso_foreach_full_begin (LassoIdWsf2SecToken*, token, iter, security_context->Token);
if (LASSO_IS_IDWSF2_SEC_TOKEN (token)) {
if (usage && lasso_strisequal(token->usage,usage)) {
if (LASSO_IS_NODE(token->any)) {
return (LassoNode*)token->any;
} else if (token->ref) {
message(G_LOG_LEVEL_WARNING, "sec:Token ref attribute is not supported");
return NULL;
}
}
}
lasso_foreach_full_end();
return NULL;
}
/**
* lasso_wsa_endpoint_reference_get_idwsf2_security_context_for_security_mechanism:
* @epr: a #LassoWsAddrEndpointReference object
* @security_mech_predicate: (allow-none): a predicate to test for security mechanism
* @security_mech_id: (allow-none): a security mechanism identifier
* @create: allow to create the element if none if found, @security_mech_id is mandatory when create
* is TRUE.
*
* Return value: (transfer none): a #LassoIdWsf2DiscoSecurityContext, or NULL if none was found and
* created is FALSE.
*/
LassoIdWsf2DiscoSecurityContext*
lasso_wsa_endpoint_reference_get_idwsf2_security_context_for_security_mechanism(
const LassoWsAddrEndpointReference *epr,
gboolean (*sech_mech_predicate)(const char *),
const char *security_mech_id,
gboolean create)
{
LassoIdWsf2DiscoSecurityContext *created = NULL;
LassoMiscTextNode *new_security_mech_id_declaration;
if (! LASSO_IS_WSA_ENDPOINT_REFERENCE (epr) || epr->Metadata == NULL)
return NULL;
lasso_foreach_full_begin(LassoIdWsf2DiscoSecurityContext*, context, it1, epr->Metadata->any);
if (LASSO_IS_IDWSF2_DISCO_SECURITY_CONTEXT (context)) {
lasso_foreach_full_begin(char*, textnode, it2, context->SecurityMechID);
if (lasso_strisequal(textnode,security_mech_id) || sech_mech_predicate(textnode)) {
return context;
}
lasso_foreach_full_end()
}
lasso_foreach_full_end();
if (create && security_mech_id) {
created = lasso_idwsf2_disco_security_context_new();
new_security_mech_id_declaration =
lasso_misc_text_node_new_with_string(security_mech_id);
new_security_mech_id_declaration->name = "SecurityMechID";
new_security_mech_id_declaration->ns_href = LASSO_IDWSF2_DISCOVERY_HREF;
new_security_mech_id_declaration->ns_prefix = LASSO_IDWSF2_DISCOVERY_PREFIX;
lasso_list_add_new_gobject (created->SecurityMechID,
new_security_mech_id_declaration);
lasso_list_add_new_gobject (epr->Metadata->any, created);
}
if (create && ! security_mech_id) {
message(G_LOG_LEVEL_WARNING, "cannot create a LassoIdWsf2DiscoSecurityContext withou a security_mech_id");
}
return created;
}
END_TEST
START_TEST(test02_serviceProviderLogin)
{
char *serviceProviderContextDump, *identityProviderContextDump;
LassoServer *spContext, *idpContext;
LassoLogin *spLoginContext, *idpLoginContext;
LassoLibAuthnRequest *request;
int rc = 0;
char *relayState;
char *authnRequestUrl, *authnRequestQuery;
char *responseUrl, *responseQuery;
char *idpIdentityContextDump, *idpSessionContextDump;
char *serviceProviderId, *soapRequestMsg, *soapResponseMsg;
char *spIdentityContextDump;
char *spSessionDump;
char *spLoginDump;
int requestType;
char *found;
serviceProviderContextDump = generateServiceProviderContextDump();
spContext = lasso_server_new_from_dump(serviceProviderContextDump);
spLoginContext = lasso_login_new(spContext);
fail_unless(spLoginContext != NULL,
"lasso_login_new() shouldn't have returned NULL");
rc = lasso_login_init_authn_request(spLoginContext, "https://idp1/metadata",
LASSO_HTTP_METHOD_REDIRECT);
fail_unless(rc == 0, "lasso_login_init_authn_request failed");
request = LASSO_LIB_AUTHN_REQUEST(LASSO_PROFILE(spLoginContext)->request);
fail_unless(LASSO_IS_LIB_AUTHN_REQUEST(request), "request should be authn_request");
request->IsPassive = 0;
request->NameIDPolicy = g_strdup(LASSO_LIB_NAMEID_POLICY_TYPE_FEDERATED);
request->consent = g_strdup(LASSO_LIB_CONSENT_OBTAINED);
relayState = "fake[]";
request->RelayState = g_strdup(relayState);
rc = lasso_login_build_authn_request_msg(spLoginContext);
fail_unless(rc == 0, "lasso_login_build_authn_request_msg failed");
authnRequestUrl = LASSO_PROFILE(spLoginContext)->msg_url;
fail_unless(authnRequestUrl != NULL,
"authnRequestUrl shouldn't be NULL");
authnRequestQuery = strchr(authnRequestUrl, '?')+1;
fail_unless(strlen(authnRequestQuery) > 0,
"authnRequestQuery shouldn't be an empty string");
spLoginDump = lasso_node_dump(LASSO_NODE(spLoginContext));
fail_unless(strstr(authnRequestQuery, "RelayState") != NULL,
"authnRequestQuery should contain a RelayState parameter");
fail_unless(strstr(authnRequestQuery, "fake%5B%5D") != NULL,
"authnRequestQuery RelayState parameter should be encoded");
/* Identity provider singleSignOn, for a user having no federation. */
identityProviderContextDump = generateIdentityProviderContextDump();
idpContext = lasso_server_new_from_dump(identityProviderContextDump);
idpLoginContext = lasso_login_new(idpContext);
fail_unless(idpLoginContext != NULL,
"lasso_login_new() shouldn't have returned NULL");
rc = lasso_login_process_authn_request_msg(idpLoginContext, authnRequestQuery);
fail_unless(rc == 0, "lasso_login_process_authn_request_msg failed");
fail_unless(lasso_login_must_authenticate(idpLoginContext),
"lasso_login_must_authenticate() should be TRUE");
fail_unless(idpLoginContext->protocolProfile == LASSO_LOGIN_PROTOCOL_PROFILE_BRWS_ART,
"protocoleProfile should be ProfileBrwsArt");
fail_unless(! lasso_login_must_ask_for_consent(idpLoginContext),
"lasso_login_must_ask_for_consent() should be FALSE");
fail_unless(idpLoginContext->parent.msg_relayState != NULL,
"lasso_login_process_authn_request_msg should restore the RelayState parameter");
fail_unless(lasso_strisequal(idpLoginContext->parent.msg_relayState,relayState),
"lasso_login_process_authn_request_msg should restore the same RelayState thant sent in the request");
rc = lasso_login_validate_request_msg(idpLoginContext,
1, /* authentication_result */
0 /* is_consent_obtained */
);
rc = lasso_login_build_assertion(idpLoginContext,
LASSO_SAML_AUTHENTICATION_METHOD_PASSWORD,
"FIXME: authenticationInstant",
"FIXME: reauthenticateOnOrAfter",
"FIXME: notBefore",
"FIXME: notOnOrAfter");
rc = lasso_login_build_artifact_msg(idpLoginContext, LASSO_HTTP_METHOD_REDIRECT);
fail_unless(rc == 0, "lasso_login_build_artifact_msg failed");
idpIdentityContextDump = lasso_identity_dump(LASSO_PROFILE(idpLoginContext)->identity);
fail_unless(idpIdentityContextDump != NULL,
"lasso_identity_dump shouldn't return NULL");
idpSessionContextDump = lasso_session_dump(LASSO_PROFILE(idpLoginContext)->session);
fail_unless(idpSessionContextDump != NULL,
"lasso_session_dump shouldn't return NULL");
responseUrl = LASSO_PROFILE(idpLoginContext)->msg_url;
fail_unless(responseUrl != NULL, "responseUrl shouldn't be NULL");
responseQuery = strchr(responseUrl, '?')+1;
fail_unless(strlen(responseQuery) > 0,
"responseQuery shouldn't be an empty string");
fail_unless(strstr(responseQuery, "RelayState") != NULL,
"responseQuery should contain a RelayState parameter");
fail_unless(strstr(responseQuery, "fake%5B%5D") != NULL,
"responseQuery RelayState parameter should be encoded");
serviceProviderId = g_strdup(LASSO_PROFILE(idpLoginContext)->remote_providerID);
fail_unless(serviceProviderId != NULL,
"lasso_profile_get_remote_providerID shouldn't return NULL");
/* Service provider assertion consumer */
lasso_server_destroy(spContext);
lasso_login_destroy(spLoginContext);
spContext = lasso_server_new_from_dump(serviceProviderContextDump);
spLoginContext = lasso_login_new_from_dump(spContext, spLoginDump);
rc = lasso_login_init_request(spLoginContext,
responseQuery,
LASSO_HTTP_METHOD_REDIRECT);
fail_unless(spLoginContext->parent.msg_relayState != NULL,
"lasso_login_init_request should restore the RelayState parameter");
fail_unless(lasso_strisequal(spLoginContext->parent.msg_relayState,relayState),
"lasso_login_init_request should restore the same RelayState thant sent in the request");
fail_unless(rc == 0, "lasso_login_init_request failed");
rc = lasso_login_build_request_msg(spLoginContext);
fail_unless(rc == 0, "lasso_login_build_request_msg failed");
soapRequestMsg = LASSO_PROFILE(spLoginContext)->msg_body;
fail_unless(soapRequestMsg != NULL, "soapRequestMsg must not be NULL");
/* Identity provider SOAP endpoint */
lasso_server_destroy(idpContext);
lasso_login_destroy(idpLoginContext);
requestType = lasso_profile_get_request_type_from_soap_msg(soapRequestMsg);
fail_unless(requestType == LASSO_REQUEST_TYPE_LOGIN,
"requestType should be LASSO_REQUEST_TYPE_LOGIN");
idpContext = lasso_server_new_from_dump(identityProviderContextDump);
idpLoginContext = lasso_login_new(idpContext);
rc = lasso_login_process_request_msg(idpLoginContext, soapRequestMsg);
fail_unless(rc == 0, "lasso_login_process_request_msg failed");
rc = lasso_profile_set_session_from_dump(LASSO_PROFILE(idpLoginContext),
idpSessionContextDump);
fail_unless(rc == 0, "lasso_login_set_assertion_from_dump failed");
rc = lasso_login_build_response_msg(idpLoginContext, serviceProviderId);
fail_unless(rc == 0, "lasso_login_build_response_msg failed");
soapResponseMsg = LASSO_PROFILE(idpLoginContext)->msg_body;
fail_unless(soapResponseMsg != NULL, "soapResponseMsg must not be NULL");
/* Service provider assertion consumer (step 2: process SOAP response) */
rc = lasso_login_process_response_msg(spLoginContext, soapResponseMsg);
fail_unless(rc == 0, "lasso_login_process_response_msg failed");
rc = lasso_login_accept_sso(spLoginContext);
fail_unless(rc == 0, "lasso_login_accept_sso failed");
fail_unless(LASSO_PROFILE(spLoginContext)->identity != NULL,
"spLoginContext has no identity");
spIdentityContextDump = lasso_identity_dump(LASSO_PROFILE(spLoginContext)->identity);
fail_unless(spIdentityContextDump != NULL, "lasso_identity_dump failed");
spSessionDump = lasso_session_dump(LASSO_PROFILE(spLoginContext)->session);
/* Test InResponseTo checking */
found = strstr(soapResponseMsg, "Assertion");
fail_unless(found != NULL, "We must find an Assertion");
found = strstr(found, "InResponseTo=\"");
fail_unless(found != NULL, "We must find an InResponseTo attribute");
found[sizeof("InResponseTo=\"")] = '?';
lasso_set_flag("no-verify-signature");
rc = lasso_login_process_response_msg(spLoginContext, soapResponseMsg);
lasso_set_flag("verify-signature");
fail_unless(rc != 0, "lasso_login_process_response_msg must fail");
rc = lasso_login_accept_sso(spLoginContext);
fail_unless(rc == 0, "lasso_login_accept_sso must fail");
g_free(spLoginDump);
g_free(serviceProviderId);
g_free(serviceProviderContextDump);
g_free(identityProviderContextDump);
g_free(idpSessionContextDump);
g_free(idpIdentityContextDump);
g_free(spIdentityContextDump);
g_free(spSessionDump);
g_object_unref(spContext);
g_object_unref(idpContext);
g_object_unref(spLoginContext);
g_object_unref(idpLoginContext);
}
