/**
* lasso_login_assertion_add_discovery:
* @login: a #LassoLogin object
* @assertion: a #LassoSamlAssertion object
*
* Adds AttributeStatement and ResourceOffering attributes to @assertion of a @login object if there
* is a discovery service registerered in the @LassoLogin.server field.
* .
**/
void
lasso_login_assertion_add_discovery(LassoLogin *login, LassoSamlAssertion *assertion)
{
LassoProfile *profile = LASSO_PROFILE(login);
LassoDiscoResourceOffering *resourceOffering;
LassoDiscoServiceInstance *serviceInstance, *newServiceInstance;
LassoSamlAttributeStatement *attributeStatement;
LassoSamlAttribute *attribute;
LassoSamlAttributeValue *attributeValue;
serviceInstance = lasso_server_get_service(profile->server, LASSO_DISCO_HREF);
if (LASSO_IS_DISCO_SERVICE_INSTANCE(serviceInstance) &&
login->private_data->resourceId) {
newServiceInstance = lasso_disco_service_instance_copy(serviceInstance);
resourceOffering = lasso_disco_resource_offering_new(newServiceInstance);
lasso_release_gobject(newServiceInstance);
lasso_assign_gobject(resourceOffering->ResourceID, login->private_data->resourceId);
attributeValue = lasso_saml_attribute_value_new();
lasso_list_add_new_gobject(attributeValue->any, resourceOffering);
attribute = lasso_saml_attribute_new();
lasso_assign_string(attribute->attributeName, "DiscoveryResourceOffering");
lasso_assign_string(attribute->attributeNameSpace, LASSO_DISCO_HREF);
lasso_list_add_new_gobject(attribute->AttributeValue, attributeValue);
attributeStatement = lasso_saml_attribute_statement_new();
lasso_list_add_new_gobject(attributeStatement->Attribute, attribute);
lasso_assign_new_gobject(assertion->AttributeStatement, attributeStatement);
/* FIXME: Add CredentialsRef and saml:Advice Assertions */
}
}
/**
* lasso_server_new_from_buffers:
* @metadata: NULL terminated string containing the content of an ID-FF 1.2 metadata file
* @private_key_content:(allow-none): NULL terminated string containing a PEM formatted private key
* @private_key_password:(allow-none): a NULL terminated string which is the optional password of
* the private key
* @certificate_content:(allow-none): NULL terminated string containing a PEM formatted X509
* certificate
*
* Creates a new #LassoServer.
*
* Return value: a newly created #LassoServer object; or NULL if an error occured
*/
LassoServer*
lasso_server_new_from_buffers(const char *metadata, const char *private_key_content, const char
*private_key_password, const char *certificate_content)
{
LassoServer *server;
server = g_object_new(LASSO_TYPE_SERVER, NULL);
/* metadata can be NULL (if server is a LECP) */
if (metadata != NULL) {
if (lasso_provider_load_metadata_from_buffer(LASSO_PROVIDER(server), metadata) == FALSE) {
message(G_LOG_LEVEL_CRITICAL,
"Failed to load metadata from preloaded buffer");
lasso_node_destroy(LASSO_NODE(server));
return NULL;
}
}
lasso_assign_string(server->certificate, certificate_content);
if (private_key_content) {
lasso_assign_string(server->private_key, private_key_content);
lasso_assign_string(server->private_key_password, private_key_password);
server->private_data->encryption_private_key =
lasso_xmlsec_load_private_key_from_buffer(private_key_content,
strlen(private_key_content), private_key_password);
if (! server->private_data->encryption_private_key) {
message(G_LOG_LEVEL_WARNING, "Cannot load the private key");
lasso_release_gobject(server);
}
}
lasso_provider_load_public_key(&server->parent, LASSO_PUBLIC_KEY_SIGNING);
lasso_provider_load_public_key(&server->parent, LASSO_PUBLIC_KEY_ENCRYPTION);
return server;
}
/**
* lasso_server_new_from_dump:
* @dump: XML server dump
*
* Restores the @dump to a new #LassoServer.
*
* Return value: a newly created #LassoServer; or NULL if an error occured
**/
LassoServer*
lasso_server_new_from_dump(const gchar *dump)
{
LassoServer *server;
server = (LassoServer*)lasso_node_new_from_dump(dump);
if (! LASSO_IS_SERVER(server)) {
lasso_release_gobject(server);
}
return server;
}
/**
* lasso_identity_new_from_dump:
* @dump: XML server dump
*
* Restores the @dump to a new #LassoIdentity.
*
* Return value: a newly created #LassoIdentity; or NULL if an error occured
**/
LassoIdentity*
lasso_identity_new_from_dump(const gchar *dump)
{
LassoIdentity *identity;
identity = (LassoIdentity*)lasso_node_new_from_dump(dump);
if (! LASSO_IS_IDENTITY(identity)) {
lasso_release_gobject(identity);
}
return identity;
}
static lasso_error_t
lasso_saml20_server_load_metadata_entity(LassoServer *server, LassoProviderRole role,
xmlDoc *doc, xmlNode *entity, GList *blacklisted_entity_ids, GList **loaded_end,
xmlSecKeysMngr *keys_mngr, LassoServerLoadMetadataFlag flags)
{
LassoProvider *provider = NULL;
gboolean check_signature = flags & LASSO_SERVER_LOAD_METADATA_FLAG_CHECK_ENTITY_DESCRIPTOR_SIGNATURE;
if (role == LASSO_PROVIDER_ROLE_IDP && ! _lasso_test_idp_descriptor(entity)) {
return 0;
}
if (role == LASSO_PROVIDER_ROLE_SP && ! _lasso_test_sp_descriptor(entity)) {
return 0;
}
if (keys_mngr && check_signature) {
lasso_error_t result;
result = lasso_verify_signature(entity, doc, "ID", keys_mngr, NULL, EMPTY_URI,
NULL);
if (result != 0) {
debug_report_signature_error(entity, result);
return result;
}
}
provider = lasso_provider_new_from_xmlnode(role, entity);
if (provider) {
char *name = provider->ProviderID;
if (g_list_find_custom(blacklisted_entity_ids, name,
(GCompareFunc) g_strcmp0)) {
lasso_release_gobject(provider);
return LASSO_SERVER_ERROR_NO_PROVIDER_LOADED;
}
if (*loaded_end) {
GList *l = *loaded_end;
l->next = g_new0(GList, 1);
l->next->prev = l;
l->next->data = g_strdup(name);
*loaded_end = l->next;
}
g_hash_table_insert(server->providers, g_strdup(name), provider);
return 0;
} else {
return LASSO_SERVER_ERROR_NO_PROVIDER_LOADED;
}
}
/**
* lasso_assertion_query_process_response_msg:
* @assertion_query: a #LassoAssertionQuery
* @response_msg: the response message
*
* Parses the response message and builds the corresponding response object.
*
* Return value: 0 on success; or a negative value otherwise.
**/
gint
lasso_assertion_query_process_response_msg(
LassoAssertionQuery *assertion_query,
gchar *response_msg)
{
LassoProfile *profile = NULL;
LassoSamlp2StatusResponse *response = NULL;
int rc = 0;
lasso_bad_param(ASSERTION_QUERY, assertion_query);
profile = &assertion_query->parent;
lasso_check_good_rc(lasso_saml20_profile_process_soap_response(profile,
response_msg));
cleanup:
lasso_release_gobject(response);
return rc;
}
static gboolean
init_from_query(LassoNode *node, char **query_fields)
{
LassoLibAuthnRequest *request = LASSO_LIB_AUTHN_REQUEST(node);
gboolean rc;
request->RequestAuthnContext = lasso_lib_request_authn_context_new();
/* XXX needs code for Scoping, IDPList, IDPEntries... */
rc = parent_class->init_from_query(node, query_fields);
if (request->RequestAuthnContext->AuthnContextClassRef == NULL &&
request->RequestAuthnContext->AuthnContextStatementRef == NULL &&
request->RequestAuthnContext->AuthnContextComparison == NULL) {
lasso_release_gobject(request->RequestAuthnContext);
}
if (request->ProviderID == NULL)
return FALSE;
return rc;
}
/**
* lasso_assertion_query_validate_request:
* @assertion_query: a #LassoAssertionQuery
*
* Processes a Assertion query or request; caller must add assertions to the
* response afterwards.
*
* Return value: 0 on success; or a negative value otherwise.
**/
int
lasso_assertion_query_validate_request(LassoAssertionQuery *assertion_query)
{
LassoProfile *profile;
LassoProvider *remote_provider;
LassoSamlp2StatusResponse *response;
int rc = 0;
g_return_val_if_fail(LASSO_IS_ASSERTION_QUERY(assertion_query),
LASSO_PARAM_ERROR_INVALID_VALUE);
profile = LASSO_PROFILE(assertion_query);
response = (LassoSamlp2StatusResponse*) lasso_samlp2_response_new();
lasso_check_good_rc(lasso_saml20_profile_validate_request(profile,
FALSE,
response,
&remote_provider));
cleanup:
lasso_release_gobject(response);
return rc;
}
/**
* lasso_assertion_query_init_request:
* @assertion_query: a #LassoAssertionQuery
* @remote_provider_id: (allow-none): the providerID of the remote provider.
* @http_method: if set, then it get the protocol profile in metadata
* corresponding of this HTTP request method.
* @query_request_type: the type of request.
*
* Initializes a new Assertion Query Request.
* For the AssertionID request type, the remote_provider_id is mandatory, for all other kind of
* request it is optional if we can find a provider supporting the associated role, i.e.
* IDP; authentication, attribute and authorization authority.
*
* Return value: 0 on success; or a negative value otherwise.
**/
gint
lasso_assertion_query_init_request(LassoAssertionQuery *assertion_query,
char *remote_provider_id,
LassoHttpMethod http_method,
LassoAssertionQueryRequestType query_request_type)
{
LassoProfile *profile;
LassoNode *request;
gint rc = 0;
g_return_val_if_fail(http_method == LASSO_HTTP_METHOD_ANY ||
http_method == LASSO_HTTP_METHOD_SOAP,
LASSO_PARAM_ERROR_INVALID_VALUE);
g_return_val_if_fail(LASSO_IS_ASSERTION_QUERY(assertion_query),
LASSO_PARAM_ERROR_INVALID_VALUE);
profile = LASSO_PROFILE(assertion_query);
/* set the remote provider id */
profile->remote_providerID = NULL;
if (remote_provider_id) {
profile->remote_providerID = g_strdup(remote_provider_id);
} else {
LassoProviderRole role = LASSO_PROVIDER_ROLE_NONE;
switch (query_request_type) {
case LASSO_ASSERTION_QUERY_REQUEST_TYPE_AUTHN:
role = LASSO_PROVIDER_ROLE_AUTHN_AUTHORITY;
break;
case LASSO_ASSERTION_QUERY_REQUEST_TYPE_ATTRIBUTE:
role = LASSO_PROVIDER_ROLE_ATTRIBUTE_AUTHORITY;
break;
case LASSO_ASSERTION_QUERY_REQUEST_TYPE_AUTHZ_DECISION:
role = LASSO_PROVIDER_ROLE_AUTHZ_AUTHORITY;
break;
/* other request types should not happen or should not go there */
default:
return critical_error(LASSO_PARAM_ERROR_INVALID_VALUE);
}
profile->remote_providerID =
lasso_server_get_first_providerID_by_role(profile->server,
role);
}
g_return_val_if_fail(profile->remote_providerID != NULL,
LASSO_PARAM_ERROR_INVALID_VALUE);
assertion_query->private_data->query_request_type = query_request_type;
switch (query_request_type) {
case LASSO_ASSERTION_QUERY_REQUEST_TYPE_ASSERTION_ID:
request = lasso_samlp2_assertion_id_request_new();
break;
case LASSO_ASSERTION_QUERY_REQUEST_TYPE_AUTHN:
request = lasso_samlp2_authn_query_new();
break;
case LASSO_ASSERTION_QUERY_REQUEST_TYPE_ATTRIBUTE:
request = lasso_samlp2_attribute_query_new();
break;
case LASSO_ASSERTION_QUERY_REQUEST_TYPE_AUTHZ_DECISION:
request = lasso_samlp2_authz_decision_query_new();
break;
default:
return critical_error(LASSO_PARAM_ERROR_INVALID_VALUE);
}
/* Setup usual request attributes */
if (LASSO_IS_SAMLP2_SUBJECT_QUERY_ABSTRACT(request)) {
LassoSamlp2SubjectQueryAbstract *sqa;
sqa = (LassoSamlp2SubjectQueryAbstract*)request;
sqa->Subject = (LassoSaml2Subject*)lasso_saml2_subject_new();
}
lasso_check_good_rc(lasso_saml20_profile_init_request(profile,
profile->remote_providerID,
TRUE,
(LassoSamlp2RequestAbstract*)request,
http_method,
_lasso_assertion_query_type_to_protocol_type(query_request_type)));
cleanup:
lasso_release_gobject(request);
return rc;
}
/**
* lasso_assertion_query_destroy:
* @assertion_query: a #LassoAssertionQuery
*
* Destroys a #LassoAssertionQuery object.
**/
void
lasso_assertion_query_destroy(LassoAssertionQuery *assertion_query)
{
lasso_release_gobject(assertion_query);
}
