SAML: use get_signature_status from Lasso::Profile

2010-05-03 21:12:14 +00:00 · 2010-05-03 21:12:14 +00:00 · 1b81ccd96f
commit 1b81ccd96f
parent c4ea39fae4
2 changed files with 40 additions and 12 deletions
--- a/modules/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/AuthSAML.pm
+++ b/modules/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/AuthSAML.pm
@ -37,10 +37,9 @@ sub extractFormInfo {

    # TODO: seems to be unused (redefined later)
    my (
-        $login,      $logout,     $idp,
-        $idpConfKey, $request,    $response,
-        $artifact,   $relaystate, $signature_status,
-	$method
+        $login,            $logout,   $idp,      $idpConfKey,
+        $request,          $response, $artifact, $relaystate,
+        $signature_status, $method
    );

    # 1. Get HTTP request informations to know
@ -127,10 +126,13 @@ sub extractFormInfo {
              ->{samlIDPMetaDataOptionsCheckSSOMessageSignature};

            if ($checkSSOMessageSignature) {
-
-              # TODO
-              #$signature_status = $login->signature_status;
-              #$self->lmLog( "Signature status is $signature_status", 'debug' );
+                unless ( $self->checkSignatureStatus($login) ) {
+                    $self->lmLog( "Signature is not valid", 'error' );
+                    return PE_ERROR;
+                }
+                else {
+                    $self->lmLog( "Signature is valid", 'debug' );
+                }
            }
            else {
                $self->lmLog( "Message signature will not be checked",
@ -348,8 +350,13 @@ sub extractFormInfo {
              ->{samlIDPMetaDataOptionsCheckSLOMessageSignature};

            if ($checkSLOMessageSignature) {
-
-                # TODO
+                unless ( $self->checkSignatureStatus($logout) ) {
+                    $self->lmLog( "Signature is not valid", 'error' );
+                    return PE_ERROR;
+                }
+                else {
+                    $self->lmLog( "Signature is valid", 'debug' );
+                }
            }
            else {
                $self->lmLog( "Message signature will not be checked",
@ -421,8 +428,13 @@ sub extractFormInfo {
              ->{samlIDPMetaDataOptionsCheckSLOMessageSignature};

            if ($checkSLOMessageSignature) {
-
-                # TODO
+                unless ( $self->checkSignatureStatus($logout) ) {
+                    $self->lmLog( "Signature is not valid", 'error' );
+                    return PE_ERROR;
+                }
+                else {
+                    $self->lmLog( "Signature is valid", 'debug' );
+                }
            }
            else {
                $self->lmLog( "Message signature will not be checked",
--- a/modules/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/_SAML.pm
+++ b/modules/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/_SAML.pm
@ -2218,6 +2218,18 @@ sub sendLogoutRequestToServiceProvider {

 }

+## @method boolean checkSignatureStatus(Lasso::Profile profile)
+# Check signature status
+# @param profile Lasso::Profile object
+# @return result
+sub checkSignatureStatus {
+    my ( $self, $profile ) = splice @_;
+
+    eval { Lasso::Profile::get_signature_status($profile); };
+
+    return $self->checkLassoError($@);
+}
+
 1;

 __END__
@ -2492,6 +2504,10 @@ Send logout response issue from a logout request

 Send logout request to a service provider

+=head2 checkSignatureStatus
+
+Check signature status
+
 =head1 SEE ALSO

 L<Lemonldap::NG::Portal::AuthSAML>, L<Lemonldap::NG::Portal::UserDBSAML>