SAML: attribute request in UserDBSAML

modules/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/AuthSAML.pm

@@ -913,18 +913,7 @@ sub setAuthSessionInfo {
 
     # TODO adapt _utime with SessionNotOnOrAfter
 
-    PE_OK;
-}
-
-## @apmethod int authenticate()
-# Accept SSO from IDP
-# @return PE_OK
-sub authenticate {
-    my $self   = shift;
-    my $server = $self->{_lassoServer};
-    my $login  = $self->{_lassoLogin};
-
-    # Accept SSO
+    # Establish federation (required for attribute request in UserDBSAML)
     unless ( $self->acceptSSO($login) ) {
         $self->lmLog( "Error while accepting SSO from IDP", 'error' );
         return PE_ERROR;
@@ -938,6 +927,17 @@ sub authenticate {
     $self->{sessionInfo}->{_lassoSessionDump}  = $session->dump()  if $session;
     $self->{sessionInfo}->{_lassoIdentityDump} = $identity->dump() if $identity;
 
+    $self->{_lassoLogin} = $login;
+
+    PE_OK;
+}
+
+## @apmethod int authenticate()
+# Set authenticationLevel
+# @return PE_OK
+sub authenticate {
+    my $self = shift;
+
     # Set authenticationLevel
     $self->{sessionInfo}->{authenticationLevel} = 5;
 
@@ -1022,6 +1022,11 @@ sub authLogout {
         # Send SOAP request and manage response
         my $response = $self->sendSOAPMessage( $slo_url, $slo_body );
 
+        unless ($response) {
+            $self->lmLog( "No logout response to SOAP request", 'error' );
+            return PE_ERROR;
+        }
+
         # Create Logout object
         $logout = $self->createLogout($server);
 

modules/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/UserDBSAML.pm

@@ -40,6 +40,7 @@ sub getUser {
 sub setSessionInfo {
     my $self   = shift;
     my $server = $self->{_lassoServer};
+    my $login  = $self->{_lassoLogin};
     my $idp    = $self->{_idp};
 
     my $exportedAttr;
@@ -70,7 +71,68 @@ sub setSessionInfo {
     }
 
     # Build Attribute Request
-    #
+    my $IDPentityID = $self->{_idpList}->{$idp}->{entityID};
+    my $query =
+      $self->createAttributeRequest( $server, $login, $IDPentityID,
+        $exportedAttr );
+
+    unless ($query) {
+        $self->lmLog( "Unable to build attribute request for $idp", 'error' );
+        return PE_ERROR;
+    }
+
+    # Use SOAP to send request and get response
+    my $query_url  = $query->msg_url;
+    my $query_body = $query->msg_body;
+
+    # Send SOAP request and manage response
+    my $response = $self->sendSOAPMessage( $query_url, $query_body );
+
+    unless ($response) {
+        $self->lmLog( "No attribute response to SOAP request", 'error' );
+        return PE_ERROR;
+    }
+
+    # Manage Attribute Response
+    my $result = $self->processAttributeResponse( $server, $response );
+
+    unless ($result) {
+        $self->lmLog( "Fail to process attribute response", 'error' );
+        return PE_ERROR;
+    }
+
+    # Attributes in response
+    my @response_attributes;
+    eval {
+        @response_attributes =
+          $result->getAssertion()->AttributeStatement()->Attribute();
+    };
+    if ($@) {
+        $self->lmLog( "No attributes defined in attribute response", 'error' );
+        return PE_ERROR;
+    }
+
+    # Check we have all required attributes
+    foreach ( keys %$exportedAttr ) {
+
+        # Extract fields from exportedAttr value
+        my ( $mandatory, $name, $format, $friendly_name ) =
+          split( /;/, $exportedAttr->{$_} );
+
+        # Try to get value
+        my $value = $self->getAttributeValue( $name, $format, $friendly_name,
+            \@response_attributes );
+
+        unless ($value) {
+            $self->lmLog(
+                "Attribute $_ is mandatory, but was not delivered by $idp",
+                'error' );
+            return PE_ERROR;
+        }
+
+        # Store value in sessionInfo
+        $self->{sessionInfo}->{$_} = $value;
+    }
 
     return PE_OK;
 

modules/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/_SAML.pm

@@ -913,10 +913,132 @@ sub sendSOAPMessage {
         $response = $soap_answer->content();
         $self->lmLog( "Get response $response", 'debug' );
     }
+    else {
+        $self->lmLog( "No response to SOAP request", 'debug' );
+        return;
+    }
 
     return $response;
 }
 
+## @method Lasso::AssertionQuery createAttributeRequest(Lasso::Server server, Lasso::Login login, string idp, hashref attributes)
+# Create an attribute request
+# @param server Lasso::Server object
+# @param login Lasso::Login object
+# @param idp IDP entityID
+# @param attributes List of requested attributes
+# @return assertion request
+sub createAttributeRequest {
+    my ( $self, $server, $login, $idp, $attributes ) = splice @_;
+    my $query;
+
+    # Create assertion query
+    eval { $query = Lasso::AssertionQuery->new($server); };
+    if ($@) {
+        $self->checkLassoError($@);
+        return;
+    }
+
+    $self->lmLog( "Assertion query created", 'debug' );
+
+    # Set identity
+    eval {
+        Lasso::Profile::set_identity_from_dump( $query,
+            $login->get_identity()->dump );
+    };
+    if ($@) {
+        $self->checkLassoError($@);
+        return;
+    }
+
+    $self->lmLog( "Identity set in query", 'debug' );
+
+    # Init request
+    my $method = Lasso::Constants::HTTP_METHOD_SOAP;
+    my $type   = Lasso::Constants::ASSERTION_QUERY_REQUEST_TYPE_ATTRIBUTE;
+    eval {
+        Lasso::AssertionQuery::init_request( $query, $idp, $method, $type );
+    };
+    if ($@) {
+        $self->checkLassoError($@);
+        return;
+    }
+
+    $self->lmLog( "Assertion query request initiated", 'debug' );
+
+    # Store attributes in request
+    my @requested_attributes;
+    foreach ( keys %$attributes ) {
+
+        # Create SAML2 Attribute
+        my $attribute;
+
+        eval { $attribute = Lasso::Saml2Attribute->new(); };
+        if ($@) {
+            $self->checkLassoError($@);
+            return;
+        }
+
+        # Set attribute properties
+        my ( $mandatory, $name, $format, $friendly_name ) =
+          split( /;/, $attributes->{$_} );
+
+        $attribute->Name($name)                  if defined $name;
+        $attribute->NameFormat($format)          if defined $format;
+        $attribute->FriendlyName($friendly_name) if defined $friendly_name;
+
+        # Store attribute
+        push @requested_attributes, $attribute;
+    }
+
+    # Set attributes in request
+    eval { $query->request()->Attribute(@requested_attributes); };
+    if ($@) {
+        $self->checkLassoError($@);
+        return;
+    }
+
+    # Build message
+    eval { Lasso::AssertionQuery::build_request_msg($query); };
+    if ($@) {
+        $self->checkLassoError($@);
+        return;
+    }
+
+    # Return query
+    return $query;
+}
+
+## @method Lasso::AssertionQuery processAttributeResponse(Lasso::Server server, string response)
+# Process an attribute response
+# @param server Lasso::Server object
+# @param response Response content
+# @return assertion query
+sub processAttributeResponse {
+    my ( $self, $server, $response ) = splice @_;
+    my $query;
+
+    # Create assertion query
+    eval { $query = Lasso::AssertionQuery->new($server); };
+    if ($@) {
+        $self->checkLassoError($@);
+        return;
+    }
+
+    $self->lmLog( "Assertion query created", 'debug' );
+
+    # Process response
+    eval { Lasso::AssertionQuery::process_response_msg( $query, $response ); };
+    if ($@) {
+        $self->checkLassoError($@);
+        return;
+    }
+
+    $self->lmLog( "Attribute response is valid", 'debug' );
+
+    return $query;
+}
+
 1;
 
 __END__
@@ -1079,6 +1201,14 @@ Process artifact response message
 
 Send SOAP message and get response
 
+=head2 createAttributeRequest
+
+Create an attribute request
+
+=head2 processAttributeResponse
+
+Process an attribute response
+
 =head1 SEE ALSO
 
 L<Lemonldap::NG::Portal::AuthSAML>, L<Lemonldap::NG::Portal::UserDBSAML>