/** * lasso_login_assertion_add_discovery: * @login: a #LassoLogin object * @assertion: a #LassoSamlAssertion object * * Adds AttributeStatement and ResourceOffering attributes to @assertion of a @login object if there * is a discovery service registerered in the @LassoLogin.server field. * . **/ void lasso_login_assertion_add_discovery(LassoLogin *login, LassoSamlAssertion *assertion) { LassoProfile *profile = LASSO_PROFILE(login); LassoDiscoResourceOffering *resourceOffering; LassoDiscoServiceInstance *serviceInstance, *newServiceInstance; LassoSamlAttributeStatement *attributeStatement; LassoSamlAttribute *attribute; LassoSamlAttributeValue *attributeValue; serviceInstance = lasso_server_get_service(profile->server, LASSO_DISCO_HREF); if (LASSO_IS_DISCO_SERVICE_INSTANCE(serviceInstance) && login->private_data->resourceId) { newServiceInstance = lasso_disco_service_instance_copy(serviceInstance); resourceOffering = lasso_disco_resource_offering_new(newServiceInstance); lasso_release_gobject(newServiceInstance); lasso_assign_gobject(resourceOffering->ResourceID, login->private_data->resourceId); attributeValue = lasso_saml_attribute_value_new(); lasso_list_add_new_gobject(attributeValue->any, resourceOffering); attribute = lasso_saml_attribute_new(); lasso_assign_string(attribute->attributeName, "DiscoveryResourceOffering"); lasso_assign_string(attribute->attributeNameSpace, LASSO_DISCO_HREF); lasso_list_add_new_gobject(attribute->AttributeValue, attributeValue); attributeStatement = lasso_saml_attribute_statement_new(); lasso_list_add_new_gobject(attributeStatement->Attribute, attribute); lasso_assign_new_gobject(assertion->AttributeStatement, attributeStatement); /* FIXME: Add CredentialsRef and saml:Advice Assertions */ } }
/** * lasso_server_new_from_buffers: * @metadata: NULL terminated string containing the content of an ID-FF 1.2 metadata file * @private_key_content:(allow-none): NULL terminated string containing a PEM formatted private key * @private_key_password:(allow-none): a NULL terminated string which is the optional password of * the private key * @certificate_content:(allow-none): NULL terminated string containing a PEM formatted X509 * certificate * * Creates a new #LassoServer. * * Return value: a newly created #LassoServer object; or NULL if an error occured */ LassoServer* lasso_server_new_from_buffers(const char *metadata, const char *private_key_content, const char *private_key_password, const char *certificate_content) { LassoServer *server; server = g_object_new(LASSO_TYPE_SERVER, NULL); /* metadata can be NULL (if server is a LECP) */ if (metadata != NULL) { if (lasso_provider_load_metadata_from_buffer(LASSO_PROVIDER(server), metadata) == FALSE) { message(G_LOG_LEVEL_CRITICAL, "Failed to load metadata from preloaded buffer"); lasso_node_destroy(LASSO_NODE(server)); return NULL; } } lasso_assign_string(server->certificate, certificate_content); if (private_key_content) { lasso_assign_string(server->private_key, private_key_content); lasso_assign_string(server->private_key_password, private_key_password); server->private_data->encryption_private_key = lasso_xmlsec_load_private_key_from_buffer(private_key_content, strlen(private_key_content), private_key_password); if (! server->private_data->encryption_private_key) { message(G_LOG_LEVEL_WARNING, "Cannot load the private key"); lasso_release_gobject(server); } } lasso_provider_load_public_key(&server->parent, LASSO_PUBLIC_KEY_SIGNING); lasso_provider_load_public_key(&server->parent, LASSO_PUBLIC_KEY_ENCRYPTION); return server; }
/** * lasso_server_new_from_dump: * @dump: XML server dump * * Restores the @dump to a new #LassoServer. * * Return value: a newly created #LassoServer; or NULL if an error occured **/ LassoServer* lasso_server_new_from_dump(const gchar *dump) { LassoServer *server; server = (LassoServer*)lasso_node_new_from_dump(dump); if (! LASSO_IS_SERVER(server)) { lasso_release_gobject(server); } return server; }
/** * lasso_identity_new_from_dump: * @dump: XML server dump * * Restores the @dump to a new #LassoIdentity. * * Return value: a newly created #LassoIdentity; or NULL if an error occured **/ LassoIdentity* lasso_identity_new_from_dump(const gchar *dump) { LassoIdentity *identity; identity = (LassoIdentity*)lasso_node_new_from_dump(dump); if (! LASSO_IS_IDENTITY(identity)) { lasso_release_gobject(identity); } return identity; }
static lasso_error_t lasso_saml20_server_load_metadata_entity(LassoServer *server, LassoProviderRole role, xmlDoc *doc, xmlNode *entity, GList *blacklisted_entity_ids, GList **loaded_end, xmlSecKeysMngr *keys_mngr, LassoServerLoadMetadataFlag flags) { LassoProvider *provider = NULL; gboolean check_signature = flags & LASSO_SERVER_LOAD_METADATA_FLAG_CHECK_ENTITY_DESCRIPTOR_SIGNATURE; if (role == LASSO_PROVIDER_ROLE_IDP && ! _lasso_test_idp_descriptor(entity)) { return 0; } if (role == LASSO_PROVIDER_ROLE_SP && ! _lasso_test_sp_descriptor(entity)) { return 0; } if (keys_mngr && check_signature) { lasso_error_t result; result = lasso_verify_signature(entity, doc, "ID", keys_mngr, NULL, EMPTY_URI, NULL); if (result != 0) { debug_report_signature_error(entity, result); return result; } } provider = lasso_provider_new_from_xmlnode(role, entity); if (provider) { char *name = provider->ProviderID; if (g_list_find_custom(blacklisted_entity_ids, name, (GCompareFunc) g_strcmp0)) { lasso_release_gobject(provider); return LASSO_SERVER_ERROR_NO_PROVIDER_LOADED; } if (*loaded_end) { GList *l = *loaded_end; l->next = g_new0(GList, 1); l->next->prev = l; l->next->data = g_strdup(name); *loaded_end = l->next; } g_hash_table_insert(server->providers, g_strdup(name), provider); return 0; } else { return LASSO_SERVER_ERROR_NO_PROVIDER_LOADED; } }
/** * lasso_assertion_query_process_response_msg: * @assertion_query: a #LassoAssertionQuery * @response_msg: the response message * * Parses the response message and builds the corresponding response object. * * Return value: 0 on success; or a negative value otherwise. **/ gint lasso_assertion_query_process_response_msg( LassoAssertionQuery *assertion_query, gchar *response_msg) { LassoProfile *profile = NULL; LassoSamlp2StatusResponse *response = NULL; int rc = 0; lasso_bad_param(ASSERTION_QUERY, assertion_query); profile = &assertion_query->parent; lasso_check_good_rc(lasso_saml20_profile_process_soap_response(profile, response_msg)); cleanup: lasso_release_gobject(response); return rc; }
static gboolean init_from_query(LassoNode *node, char **query_fields) { LassoLibAuthnRequest *request = LASSO_LIB_AUTHN_REQUEST(node); gboolean rc; request->RequestAuthnContext = lasso_lib_request_authn_context_new(); /* XXX needs code for Scoping, IDPList, IDPEntries... */ rc = parent_class->init_from_query(node, query_fields); if (request->RequestAuthnContext->AuthnContextClassRef == NULL && request->RequestAuthnContext->AuthnContextStatementRef == NULL && request->RequestAuthnContext->AuthnContextComparison == NULL) { lasso_release_gobject(request->RequestAuthnContext); } if (request->ProviderID == NULL) return FALSE; return rc; }
/** * lasso_assertion_query_validate_request: * @assertion_query: a #LassoAssertionQuery * * Processes a Assertion query or request; caller must add assertions to the * response afterwards. * * Return value: 0 on success; or a negative value otherwise. **/ int lasso_assertion_query_validate_request(LassoAssertionQuery *assertion_query) { LassoProfile *profile; LassoProvider *remote_provider; LassoSamlp2StatusResponse *response; int rc = 0; g_return_val_if_fail(LASSO_IS_ASSERTION_QUERY(assertion_query), LASSO_PARAM_ERROR_INVALID_VALUE); profile = LASSO_PROFILE(assertion_query); response = (LassoSamlp2StatusResponse*) lasso_samlp2_response_new(); lasso_check_good_rc(lasso_saml20_profile_validate_request(profile, FALSE, response, &remote_provider)); cleanup: lasso_release_gobject(response); return rc; }
/** * lasso_assertion_query_init_request: * @assertion_query: a #LassoAssertionQuery * @remote_provider_id: (allow-none): the providerID of the remote provider. * @http_method: if set, then it get the protocol profile in metadata * corresponding of this HTTP request method. * @query_request_type: the type of request. * * Initializes a new Assertion Query Request. * For the AssertionID request type, the remote_provider_id is mandatory, for all other kind of * request it is optional if we can find a provider supporting the associated role, i.e. * IDP; authentication, attribute and authorization authority. * * Return value: 0 on success; or a negative value otherwise. **/ gint lasso_assertion_query_init_request(LassoAssertionQuery *assertion_query, char *remote_provider_id, LassoHttpMethod http_method, LassoAssertionQueryRequestType query_request_type) { LassoProfile *profile; LassoNode *request; gint rc = 0; g_return_val_if_fail(http_method == LASSO_HTTP_METHOD_ANY || http_method == LASSO_HTTP_METHOD_SOAP, LASSO_PARAM_ERROR_INVALID_VALUE); g_return_val_if_fail(LASSO_IS_ASSERTION_QUERY(assertion_query), LASSO_PARAM_ERROR_INVALID_VALUE); profile = LASSO_PROFILE(assertion_query); /* set the remote provider id */ profile->remote_providerID = NULL; if (remote_provider_id) { profile->remote_providerID = g_strdup(remote_provider_id); } else { LassoProviderRole role = LASSO_PROVIDER_ROLE_NONE; switch (query_request_type) { case LASSO_ASSERTION_QUERY_REQUEST_TYPE_AUTHN: role = LASSO_PROVIDER_ROLE_AUTHN_AUTHORITY; break; case LASSO_ASSERTION_QUERY_REQUEST_TYPE_ATTRIBUTE: role = LASSO_PROVIDER_ROLE_ATTRIBUTE_AUTHORITY; break; case LASSO_ASSERTION_QUERY_REQUEST_TYPE_AUTHZ_DECISION: role = LASSO_PROVIDER_ROLE_AUTHZ_AUTHORITY; break; /* other request types should not happen or should not go there */ default: return critical_error(LASSO_PARAM_ERROR_INVALID_VALUE); } profile->remote_providerID = lasso_server_get_first_providerID_by_role(profile->server, role); } g_return_val_if_fail(profile->remote_providerID != NULL, LASSO_PARAM_ERROR_INVALID_VALUE); assertion_query->private_data->query_request_type = query_request_type; switch (query_request_type) { case LASSO_ASSERTION_QUERY_REQUEST_TYPE_ASSERTION_ID: request = lasso_samlp2_assertion_id_request_new(); break; case LASSO_ASSERTION_QUERY_REQUEST_TYPE_AUTHN: request = lasso_samlp2_authn_query_new(); break; case LASSO_ASSERTION_QUERY_REQUEST_TYPE_ATTRIBUTE: request = lasso_samlp2_attribute_query_new(); break; case LASSO_ASSERTION_QUERY_REQUEST_TYPE_AUTHZ_DECISION: request = lasso_samlp2_authz_decision_query_new(); break; default: return critical_error(LASSO_PARAM_ERROR_INVALID_VALUE); } /* Setup usual request attributes */ if (LASSO_IS_SAMLP2_SUBJECT_QUERY_ABSTRACT(request)) { LassoSamlp2SubjectQueryAbstract *sqa; sqa = (LassoSamlp2SubjectQueryAbstract*)request; sqa->Subject = (LassoSaml2Subject*)lasso_saml2_subject_new(); } lasso_check_good_rc(lasso_saml20_profile_init_request(profile, profile->remote_providerID, TRUE, (LassoSamlp2RequestAbstract*)request, http_method, _lasso_assertion_query_type_to_protocol_type(query_request_type))); cleanup: lasso_release_gobject(request); return rc; }
/** * lasso_assertion_query_destroy: * @assertion_query: a #LassoAssertionQuery * * Destroys a #LassoAssertionQuery object. **/ void lasso_assertion_query_destroy(LassoAssertionQuery *assertion_query) { lasso_release_gobject(assertion_query); }