lemonldap-ng/modules/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/IssuerDBSAML.pm

## @file
# SAML Issuer file

## @class
# SAML Issuer class
package Lemonldap::NG::Portal::IssuerDBSAML;

use strict;
use Lemonldap::NG::Portal::Simple;
use Lemonldap::NG::Portal::_SAML;
our @ISA = qw(Lemonldap::NG::Portal::_SAML);

our $VERSION = '0.01';

## @method void issuerDBInit()
# Load and check SAML configuration
# @return Lemonldap::NG::Portal error code
sub issuerDBInit {
    my $self = shift;

    # Load SAML service
    return PE_ERROR unless $self->loadService();

    # Load SAML identity providers
    return PE_ERROR unless $self->loadSPs();

    PE_OK;
}

## @apmethod int issuerForUnAuthUser()
# TODO
# Check if there is an SAML authentication request.
# Called only for unauthenticated users, it store SAML request in
# $self->{url}
# @return Lemonldap::NG::Portal error code
sub issuerForUnAuthUser {
    my $self   = shift;
    my $server = $self->{_lassoServer};

    # Get configuration parameter
    my $saml_sso_soap_url =
      $self->getMetaDataURL( "samlIDPSSODescriptorSingleSignOnServiceSOAP", 1 );
    my $saml_sso_soap_url_ret =
      $self->getMetaDataURL( "samlIDPSSODescriptorSingleSignOnServiceSOAP", 2 );
    my $saml_sso_get_url =
      $self->getMetaDataURL( "samlIDPSSODescriptorSingleSignOnServiceHTTP", 1 );
    my $saml_sso_get_url_ret =
      $self->getMetaDataURL( "samlIDPSSODescriptorSingleSignOnServiceHTTP", 2 );

    # Get HTTP request informations to know
    # if we are receving SAML request or response
    my $url            = $self->url();
    my $request_method = $self->request_method();
    my $content_type   = $self->content_type();

    if ( $url =~ /^($saml_sso_soap_url|$saml_sso_get_url)$/i ) {

        $self->lmLog( "URL $url detected as an SSO request URL", 'debug' );

        # Check message
        my ( $request, $response, $method, $relaystate, $artifact ) =
          $self->checkMessage( $url, $request_method, $content_type );

        # Process the request
        if ($request) {

            # Create Login object
            my $login = $self->createLogin($server);

            # Process authentication request
            my $result;
            if ($artifact) {
                $result = $self->processArtRequestMsg( $login, $request );
            }
            else {
                $result = $self->processAuthnRequestMsg( $login, $request );
            }

            unless ($result) {
                $self->lmLog( "SSO: Fail to process authentication request",
                    'error' );
                return PE_ERROR;
            }

            $self->lmLog( "SSO: authentication request is valid", 'debug' );

            # Get SAML request
            my $saml_request = $login->request();
            unless ($saml_request) {
                $self->lmLog( "No SAML request found", 'error' );
                return PE_ERROR;
            }

            # Check isPassive flag
            my $isPassive = $saml_request->IsPassive();

            if ($isPassive) {
                $self->lmLog(
"Found isPassive flag in SAML request, not compatible with unauthenticated user",
                    'error'
                );
                return PE_ERROR;
            }

        }

    }

    PE_OK;
}

## @apmethod int issuerForAuthUser()
# TODO
# Check if there is an SAML authentication request for an authenticated user
# and build assertions
# @return Lemonldap::NG::Portal error code
sub issuerForAuthUser {
    my $self = shift;
    my $server = $self->{_lassoServer};

    # Get configuration parameter
    my $saml_sso_soap_url =
      $self->getMetaDataURL( "samlIDPSSODescriptorSingleSignOnServiceSOAP", 1 );
    my $saml_sso_soap_url_ret =
      $self->getMetaDataURL( "samlIDPSSODescriptorSingleSignOnServiceSOAP", 2 );
    my $saml_sso_get_url =
      $self->getMetaDataURL( "samlIDPSSODescriptorSingleSignOnServiceHTTP", 1 );
    my $saml_sso_get_url_ret =
      $self->getMetaDataURL( "samlIDPSSODescriptorSingleSignOnServiceHTTP", 2 );

    # Get HTTP request informations to know
    # if we are receving SAML request or response
    my $url            = $self->url();
    my $request_method = $self->request_method();
    my $content_type   = $self->content_type();

    if ( $url =~ /^($saml_sso_soap_url|$saml_sso_get_url)$/i ) {

        $self->lmLog( "URL $url detected as an SSO request URL", 'debug' );

        # Check message
        my ( $request, $response, $method, $relaystate, $artifact ) =
          $self->checkMessage( $url, $request_method, $content_type );

        # Process the request
        if ($request) {

            # Create Login object
            my $login = $self->createLogin($server);

            # Process authentication request
            my $result;
            if ($artifact) {
                $result = $self->processArtRequestMsg( $login, $request );
            }
            else {
                $result = $self->processAuthnRequestMsg( $login, $request );
            }

            unless ($result) {
                $self->lmLog( "SSO: Fail to process authentication request",
                    'error' );
                return PE_ERROR;
            }

            $self->lmLog( "SSO: authentication request is valid", 'debug' );

        }

    }

    PE_OK;
}

## @apmethod int issuerLogout()
# TODO
# @return Lemonldap::NG::Portal error code
sub issuerLogout {
    my $self = shift;

    print STDERR "IssuerDBSAML: issuerLogout\n";

    PE_OK;
}

1;

__END__

=head1 NAME

=encoding utf8

Lemonldap::NG::Portal::IssuerDBSAML - SAML IssuerDB for Lemonldap::NG

=head1 SYNOPSIS

  use Lemonldap::NG::Portal::IssuerDBSAML;
  #TODO

=head1 DESCRIPTION

SAML IssuerDB for Lemonldap::NG

=head1 SEE ALSO

L<Lemonldap::NG::Portal>

=head1 AUTHOR

Clément Oudot, E<lt>coudot@linagora.comE<gt>

=head1 COPYRIGHT AND LICENSE

Copyright (C) 2009 by Clément Oudot

This library is free software; you can redistribute it and/or modify
it under the same terms as Perl itself, either Perl version 5.10.0 or,
at your option, any later version of Perl 5 you may have available.

=cut
SAML skeleton 2009-04-07 22:38:24 +02:00			`## @file`
Replace SAML* methods by IssuerDB* methods, allowing use of other IssuerDB modules 2009-12-10 18:03:57 +01:00			`# SAML Issuer file`
SAML skeleton 2009-04-07 22:38:24 +02:00
			`## @class`
Replace SAML* methods by IssuerDB* methods, allowing use of other IssuerDB modules 2009-12-10 18:03:57 +01:00			`# SAML Issuer class`
			`package Lemonldap::NG::Portal::IssuerDBSAML;`
SAML skeleton 2009-04-07 22:38:24 +02:00
			`use strict;`
			`use Lemonldap::NG::Portal::Simple;`
* Inheritance instead of @EXPORT * Purge CGI::Session dependency (LA) 2010-02-26 11:53:43 +01:00			`use Lemonldap::NG::Portal::_SAML;`
			`our @ISA = qw(Lemonldap::NG::Portal::_SAML);`
SAML skeleton 2009-04-07 22:38:24 +02:00
			`our $VERSION = '0.01';`

Replace SAML* methods by IssuerDB* methods, allowing use of other IssuerDB modules 2009-12-10 18:03:57 +01:00			`## @method void issuerDBInit()`
			`# Load and check SAML configuration`
			`# @return Lemonldap::NG::Portal error code`
			`sub issuerDBInit {`
SAML skeleton 2009-04-07 22:38:24 +02:00			`my $self = shift;`
SAML: work in progress in IssuerDBSAML 2010-03-25 12:24:52 +01:00
			`# Load SAML service`
			`return PE_ERROR unless $self->loadService();`

			`# Load SAML identity providers`
			`return PE_ERROR unless $self->loadSPs();`

			`PE_OK;`
SAML skeleton 2009-04-07 22:38:24 +02:00			`}`

Replace SAML* methods by IssuerDB* methods, allowing use of other IssuerDB modules 2009-12-10 18:03:57 +01:00			`## @apmethod int issuerForUnAuthUser()`
SAML skeleton 2009-04-07 22:38:24 +02:00			`# TODO`
			`# Check if there is an SAML authentication request.`
			`# Called only for unauthenticated users, it store SAML request in`
			`# $self->{url}`
			`# @return Lemonldap::NG::Portal error code`
Replace SAML* methods by IssuerDB* methods, allowing use of other IssuerDB modules 2009-12-10 18:03:57 +01:00			`sub issuerForUnAuthUser {`
SAML: was set too late 2010-03-26 17:47:17 +01:00			`my $self = shift;`
SAML: implementing issuerForUnAuthUser 2010-03-26 14:56:37 +01:00			`my $server = $self->{_lassoServer};`

SAML: - Move part of the code into _SAML.pm so that it could be reused; - Create the method checkMessage that check SAML requests and responses. 2010-03-26 17:02:27 +01:00			`# Get configuration parameter`
SAML: implementing issuerForUnAuthUser 2010-03-26 14:56:37 +01:00			`my $saml_sso_soap_url =`
			`$self->getMetaDataURL( "samlIDPSSODescriptorSingleSignOnServiceSOAP", 1 );`
			`my $saml_sso_soap_url_ret =`
			`$self->getMetaDataURL( "samlIDPSSODescriptorSingleSignOnServiceSOAP", 2 );`
			`my $saml_sso_get_url =`
			`$self->getMetaDataURL( "samlIDPSSODescriptorSingleSignOnServiceHTTP", 1 );`
			`my $saml_sso_get_url_ret =`
			`$self->getMetaDataURL( "samlIDPSSODescriptorSingleSignOnServiceHTTP", 2 );`

SAML: was set too late 2010-03-26 17:47:17 +01:00			`# Get HTTP request informations to know`
			`# if we are receving SAML request or response`
			`my $url = $self->url();`
			`my $request_method = $self->request_method();`
			`my $content_type = $self->content_type();`
SAML: implementing issuerForUnAuthUser 2010-03-26 14:56:37 +01:00
SAML: was set too late 2010-03-26 17:47:17 +01:00			`if ( $url =~ /^($saml_sso_soap_url\|$saml_sso_get_url)$/i ) {`
SAML: implementing issuerForUnAuthUser 2010-03-26 14:56:37 +01:00
SAML: was set too late 2010-03-26 17:47:17 +01:00			`$self->lmLog( "URL $url detected as an SSO request URL", 'debug' );`
SAML: implementing issuerForUnAuthUser 2010-03-26 14:56:37 +01:00
SAML: - Move part of the code into _SAML.pm so that it could be reused; - Create the method checkMessage that check SAML requests and responses. 2010-03-26 17:02:27 +01:00			`# Check message`
			`my ( $request, $response, $method, $relaystate, $artifact ) =`
SAML: was set too late 2010-03-26 17:47:17 +01:00			`$self->checkMessage( $url, $request_method, $content_type );`
SAML: implementing issuerForUnAuthUser 2010-03-26 14:56:37 +01:00
SAML: - Move part of the code into _SAML.pm so that it could be reused; - Create the method checkMessage that check SAML requests and responses. 2010-03-26 17:02:27 +01:00			`# Process the request`
SAML: was set too late 2010-03-26 17:47:17 +01:00			`if ($request) {`
SAML: implementing issuerForUnAuthUser 2010-03-26 14:56:37 +01:00
SAML: - Move part of the code into _SAML.pm so that it could be reused; - Create the method checkMessage that check SAML requests and responses. 2010-03-26 17:02:27 +01:00			`# Create Login object`
SAML: was set too late 2010-03-26 17:47:17 +01:00			`my $login = $self->createLogin($server);`
SAML: - Move part of the code into _SAML.pm so that it could be reused; - Create the method checkMessage that check SAML requests and responses. 2010-03-26 17:02:27 +01:00
SAML: implementing issuerForUnAuthUser 2010-03-26 14:56:37 +01:00			`# Process authentication request`
			`my $result;`
			`if ($artifact) {`
			`$result = $self->processArtRequestMsg( $login, $request );`
			`}`
			`else {`
			`$result = $self->processAuthnRequestMsg( $login, $request );`
			`}`

			`unless ($result) {`
			`$self->lmLog( "SSO: Fail to process authentication request",`
			`'error' );`
			`return PE_ERROR;`
			`}`

			`$self->lmLog( "SSO: authentication request is valid", 'debug' );`

			`# Get SAML request`
			`my $saml_request = $login->request();`
			`unless ($saml_request) {`
			`$self->lmLog( "No SAML request found", 'error' );`
			`return PE_ERROR;`
			`}`

			`# Check isPassive flag`
			`my $isPassive = $saml_request->IsPassive();`

			`if ($isPassive) {`
SAML: trust hidden fields when they are present 2010-04-07 12:11:21 +02:00			`$self->lmLog(`
			`"Found isPassive flag in SAML request, not compatible with unauthenticated user",`
			`'error'`
			`);`
SAML: implementing issuerForUnAuthUser 2010-03-26 14:56:37 +01:00			`return PE_ERROR;`
			`}`

			`}`

			`}`

SAML skeleton 2009-04-07 22:38:24 +02:00			`PE_OK;`
			`}`

Replace SAML* methods by IssuerDB* methods, allowing use of other IssuerDB modules 2009-12-10 18:03:57 +01:00			`## @apmethod int issuerForAuthUser()`
SAML skeleton 2009-04-07 22:38:24 +02:00			`# TODO`
			`# Check if there is an SAML authentication request for an authenticated user`
			`# and build assertions`
			`# @return Lemonldap::NG::Portal error code`
Replace SAML* methods by IssuerDB* methods, allowing use of other IssuerDB modules 2009-12-10 18:03:57 +01:00			`sub issuerForAuthUser {`
SAML skeleton in progress... 2009-04-08 18:31:13 +02:00			`my $self = shift;`
SAML: first work on issuerForAuthUser into IssuerDBSAML.pm 2010-04-02 18:19:10 +02:00			`my $server = $self->{_lassoServer};`

			`# Get configuration parameter`
			`my $saml_sso_soap_url =`
			`$self->getMetaDataURL( "samlIDPSSODescriptorSingleSignOnServiceSOAP", 1 );`
			`my $saml_sso_soap_url_ret =`
			`$self->getMetaDataURL( "samlIDPSSODescriptorSingleSignOnServiceSOAP", 2 );`
			`my $saml_sso_get_url =`
			`$self->getMetaDataURL( "samlIDPSSODescriptorSingleSignOnServiceHTTP", 1 );`
			`my $saml_sso_get_url_ret =`
			`$self->getMetaDataURL( "samlIDPSSODescriptorSingleSignOnServiceHTTP", 2 );`

			`# Get HTTP request informations to know`
			`# if we are receving SAML request or response`
			`my $url = $self->url();`
			`my $request_method = $self->request_method();`
			`my $content_type = $self->content_type();`

			`if ( $url =~ /^($saml_sso_soap_url\|$saml_sso_get_url)$/i ) {`

			`$self->lmLog( "URL $url detected as an SSO request URL", 'debug' );`

			`# Check message`
			`my ( $request, $response, $method, $relaystate, $artifact ) =`
			`$self->checkMessage( $url, $request_method, $content_type );`
SAML: implementing issuerForUnAuthUser 2010-03-26 14:56:37 +01:00
SAML: first work on issuerForAuthUser into IssuerDBSAML.pm 2010-04-02 18:19:10 +02:00			`# Process the request`
SAML: trust hidden fields when they are present 2010-04-07 12:11:21 +02:00			`if ($request) {`
SAML: first work on issuerForAuthUser into IssuerDBSAML.pm 2010-04-02 18:19:10 +02:00
			`# Create Login object`
			`my $login = $self->createLogin($server);`

			`# Process authentication request`
			`my $result;`
			`if ($artifact) {`
			`$result = $self->processArtRequestMsg( $login, $request );`
			`}`
			`else {`
			`$result = $self->processAuthnRequestMsg( $login, $request );`
			`}`

			`unless ($result) {`
			`$self->lmLog( "SSO: Fail to process authentication request",`
			`'error' );`
			`return PE_ERROR;`
			`}`

			`$self->lmLog( "SSO: authentication request is valid", 'debug' );`

			`}`

			`}`
SAML: implementing issuerForUnAuthUser 2010-03-26 14:56:37 +01:00
SAML skeleton 2009-04-07 22:38:24 +02:00			`PE_OK;`
			`}`

Replace SAML* methods by IssuerDB* methods, allowing use of other IssuerDB modules 2009-12-10 18:03:57 +01:00			`## @apmethod int issuerLogout()`
SAML skeleton in progress... 2009-04-08 18:31:13 +02:00			`# TODO`
Replace SAML* methods by IssuerDB* methods, allowing use of other IssuerDB modules 2009-12-10 18:03:57 +01:00			`# @return Lemonldap::NG::Portal error code`
			`sub issuerLogout {`
SAML skeleton in progress... 2009-04-08 18:31:13 +02:00			`my $self = shift;`
SAML: implementing issuerForUnAuthUser 2010-03-26 14:56:37 +01:00
			`print STDERR "IssuerDBSAML: issuerLogout\n";`

Replace SAML* methods by IssuerDB* methods, allowing use of other IssuerDB modules 2009-12-10 18:03:57 +01:00			`PE_OK;`
SAML skeleton in progress... 2009-04-08 18:31:13 +02:00			`}`

SAML skeleton 2009-04-07 22:38:24 +02:00			`1;`
Replace SAML* methods by IssuerDB* methods, allowing use of other IssuerDB modules 2009-12-10 18:03:57 +01:00
SAML skeleton 2009-04-07 22:38:24 +02:00			`__END__`

			`=head1 NAME`

POD updates : * spelling errors found by Lintian * encoding utf8 2010-01-03 09:09:59 +01:00			`=encoding utf8`

* Update Perl and Debian dependencies, and debian/rules for the new manager * Add pod skeleton for Manager.pm * correct pod for IssuerDB* 2009-12-13 16:40:33 +01:00			`Lemonldap::NG::Portal::IssuerDBSAML - SAML IssuerDB for Lemonldap::NG`
SAML skeleton 2009-04-07 22:38:24 +02:00
			`=head1 SYNOPSIS`

Replace SAML* methods by IssuerDB* methods, allowing use of other IssuerDB modules 2009-12-10 18:03:57 +01:00			`use Lemonldap::NG::Portal::IssuerDBSAML;`
SAML skeleton 2009-04-07 22:38:24 +02:00			`#TODO`

			`=head1 DESCRIPTION`

* Update Perl and Debian dependencies, and debian/rules for the new manager * Add pod skeleton for Manager.pm * correct pod for IssuerDB* 2009-12-13 16:40:33 +01:00			`SAML IssuerDB for Lemonldap::NG`
SAML skeleton 2009-04-07 22:38:24 +02:00
			`=head1 SEE ALSO`

			`L<Lemonldap::NG::Portal>`

			`=head1 AUTHOR`

* Update Perl and Debian dependencies, and debian/rules for the new manager * Add pod skeleton for Manager.pm * correct pod for IssuerDB* 2009-12-13 16:40:33 +01:00			`Clément Oudot, E<lt>coudot@linagora.comE<gt>`
SAML skeleton 2009-04-07 22:38:24 +02:00
			`=head1 COPYRIGHT AND LICENSE`

* Update Perl and Debian dependencies, and debian/rules for the new manager * Add pod skeleton for Manager.pm * correct pod for IssuerDB* 2009-12-13 16:40:33 +01:00			`Copyright (C) 2009 by Clément Oudot`
SAML skeleton 2009-04-07 22:38:24 +02:00
			`This library is free software; you can redistribute it and/or modify`
			`it under the same terms as Perl itself, either Perl version 5.10.0 or,`
			`at your option, any later version of Perl 5 you may have available.`

			`=cut`