SAML:

* IDP Option to check conditions (#98) * Extend SAML date format (add milliseconds)
2010-06-10 15:01:05 +00:00 · 2010-06-10 15:01:05 +00:00 · 2b7cbd4d83
commit 2b7cbd4d83
parent a2921f9d10
4 changed files with 17 additions and 5 deletions
--- a/modules/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/_Struct.pm
+++ b/modules/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/_Struct.pm
@ -60,7 +60,7 @@ sub cstruct {
                      . ":samlIDPMetaDataXML:filearea",
                    samlIDPMetaDataOptions => {
                        _nodes => [
-                            qw(samlIDPMetaDataOptionsNameIDFormat samlIDPMetaDataOptionsForceAuthn samlIDPMetaDataOptionsIsPassive samlIDPMetaDataOptionsAllowProxiedAuthn samlIDPMetaDataOptionsSSOBinding samlIDPMetaDataOptionsSLOBinding samlIDPMetaDataOptionsResolutionRule samlIDPMetaDataOptionsAllowLoginFromIDP samlIDPMetaDataOptionsAdaptSessionUtime samlIDPMetaDataOptionsSignSSOMessage samlIDPMetaDataOptionsCheckSSOMessageSignature samlIDPMetaDataOptionsSignSLOMessage samlIDPMetaDataOptionsCheckSLOMessageSignature samlIDPMetaDataOptionsRequestedAuthnContext samlIDPMetaDataOptionsForceUTF8 samlIDPMetaDataOptionsEncryptionMode)
+                            qw(samlIDPMetaDataOptionsNameIDFormat samlIDPMetaDataOptionsForceAuthn samlIDPMetaDataOptionsIsPassive samlIDPMetaDataOptionsAllowProxiedAuthn samlIDPMetaDataOptionsSSOBinding samlIDPMetaDataOptionsSLOBinding samlIDPMetaDataOptionsResolutionRule samlIDPMetaDataOptionsAllowLoginFromIDP samlIDPMetaDataOptionsAdaptSessionUtime samlIDPMetaDataOptionsSignSSOMessage samlIDPMetaDataOptionsCheckSSOMessageSignature samlIDPMetaDataOptionsSignSLOMessage samlIDPMetaDataOptionsCheckSLOMessageSignature samlIDPMetaDataOptionsRequestedAuthnContext samlIDPMetaDataOptionsForceUTF8 samlIDPMetaDataOptionsEncryptionMode samlIDPMetaDataOptionsCheckConditions)
                        ],
                        samlIDPMetaDataOptionsNameIDFormat =>
 "text:/samlIDPMetaDataOptions/$k2/samlIDPMetaDataOptionsNameIDFormat"
@ -98,6 +98,8 @@ sub cstruct {
 "bool:/samlIDPMetaDataOptions/$k2/samlIDPMetaDataOptionsForceUTF8",
                        samlIDPMetaDataOptionsEncryptionMode =>
 "text:/samlIDPMetaDataOptions/$k2/samlIDPMetaDataOptionsEncryptionMode:default:encryptionModeParams",
+                        samlIDPMetaDataOptionsCheckConditions =>
+"bool:/samlIDPMetaDataOptions/$k2/samlIDPMetaDataOptionsCheckConditions",
                    },
                }
            }
@ -1295,6 +1297,7 @@ sub defaultConf {
        samlIDPMetaDataOptionsRequestedAuthnContext    => '',
        samlIDPMetaDataOptionsForceUTF8                => '0',
        samlIDPMetaDataOptionsEncryptionMode           => 'none',
+        samlIDPMetaDataOptionsCheckConditions          => '1',
        samlSPMetaDataOptionsNameIDFormat              => '',
        samlSPMetaDataOptionsOneTimeUse                => '0',
        samlSPMetaDataOptionsSignSSOMessage            => '1',
--- a/modules/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/_i18n.pm
+++ b/modules/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/_i18n.pm
@ -247,6 +247,7 @@ sub en {
          'Requested authentication context',
        samlIDPMetaDataOptionsForceUTF8     => 'Force UTF-8',
        samlIDPMetaDataOptionsEncryptionMode => 'Encryption mode',
+        samlIDPMetaDataOptionsCheckConditions => 'Check conditions',
        samlSPMetaDataNode               => 'SAML service providers',
        samlSPMetaDataXML                => 'Metadata',
        samlSPMetaDataExportedAttributes => 'Exported attributes',
@ -515,6 +516,7 @@ sub fr {
          'Contexte d\'authentification demandé',
        samlIDPMetaDataOptionsForceUTF8     => 'Forcer l\'UTF-8',
        samlIDPMetaDataOptionsEncryptionMode => 'Mode de chiffrement',
+        samlIDPMetaDataOptionsCheckConditions => 'Vérifier les conditions',
        samlSPMetaDataNode               => 'Fournisseurs de service SAML',
        samlSPMetaDataXML                => 'Metadonnées',
        samlSPMetaDataExportedAttributes => 'Attributs exportés',
--- a/modules/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/AuthSAML.pm
+++ b/modules/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/AuthSAML.pm
@ -180,9 +180,16 @@ sub extractFormInfo {
                return PE_ERROR;
            }

+            # Do we check conditions?
+            my $checkConditions =
+              $self->{samlIDPMetaDataOptions}->{$idpConfKey}
+              ->{samlIDPMetaDataOptionsCheckConditions};
+
            # Check conditions - time and audience
-            unless (
-                $self->validateConditions( $assertion, $self->{samlEntityID} ) )
+            if ( $checkConditions
+                and
+                !$self->validateConditions( $assertion, $self->{samlEntityID} )
+              )
            {
                $self->lmLog( "Conditions not validated", 'error' );
                return PE_ERROR;
--- a/modules/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/_SAML.pm
+++ b/modules/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/_SAML.pm
@ -2106,8 +2106,8 @@ sub timestamp2samldate {
 sub samldate2timestamp {
    my ( $self, $samldate ) = splice @_;

-    my ( $year, $mon, $mday, $hour, $min, $sec, $ztime ) =
-      ( $samldate =~ /(\d{4})-(\d{2})-(\d{2})T(\d{2}):(\d{2}):(\d{2})(Z)?/ );
+    my ( $year, $mon, $mday, $hour, $min, $sec, $msec, $ztime ) =
+      ( $samldate =~ /(\d{4})-(\d{2})-(\d{2})T(\d{2}):(\d{2}):(\d{2})(\.\d+)?(Z)?/ );

    my $timestamp =
      timegm( $sec, $min, $hour, $mday, $mon - 1, $year - 1900, 0 );