SAML: attribute request in UserDBSAML
This commit is contained in:
parent
8a27aa0ec4
commit
71283e3596
|
@ -913,18 +913,7 @@ sub setAuthSessionInfo {
|
|||
|
||||
# TODO adapt _utime with SessionNotOnOrAfter
|
||||
|
||||
PE_OK;
|
||||
}
|
||||
|
||||
## @apmethod int authenticate()
|
||||
# Accept SSO from IDP
|
||||
# @return PE_OK
|
||||
sub authenticate {
|
||||
my $self = shift;
|
||||
my $server = $self->{_lassoServer};
|
||||
my $login = $self->{_lassoLogin};
|
||||
|
||||
# Accept SSO
|
||||
# Establish federation (required for attribute request in UserDBSAML)
|
||||
unless ( $self->acceptSSO($login) ) {
|
||||
$self->lmLog( "Error while accepting SSO from IDP", 'error' );
|
||||
return PE_ERROR;
|
||||
|
@ -938,6 +927,17 @@ sub authenticate {
|
|||
$self->{sessionInfo}->{_lassoSessionDump} = $session->dump() if $session;
|
||||
$self->{sessionInfo}->{_lassoIdentityDump} = $identity->dump() if $identity;
|
||||
|
||||
$self->{_lassoLogin} = $login;
|
||||
|
||||
PE_OK;
|
||||
}
|
||||
|
||||
## @apmethod int authenticate()
|
||||
# Set authenticationLevel
|
||||
# @return PE_OK
|
||||
sub authenticate {
|
||||
my $self = shift;
|
||||
|
||||
# Set authenticationLevel
|
||||
$self->{sessionInfo}->{authenticationLevel} = 5;
|
||||
|
||||
|
@ -1022,6 +1022,11 @@ sub authLogout {
|
|||
# Send SOAP request and manage response
|
||||
my $response = $self->sendSOAPMessage( $slo_url, $slo_body );
|
||||
|
||||
unless ($response) {
|
||||
$self->lmLog( "No logout response to SOAP request", 'error' );
|
||||
return PE_ERROR;
|
||||
}
|
||||
|
||||
# Create Logout object
|
||||
$logout = $self->createLogout($server);
|
||||
|
||||
|
|
|
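Review bot: The new `authenticate` in the second hunk pins `authenticationLevel` to the literal `5` with no comment and no configuration hook, so every SAML login receives the same level whatever the IDP asserted; nothing in the visible code consults the assertion's authentication context. At minimum document the choice next to the assignment: `# Fixed level for every SAML login; not derived from the IDP's AuthnContext -- TODO make configurable`. The bare `PE_OK;` fall-through at the end of both `setAuthSessionInfo` and `authenticate` is inconsistent with the explicit `return PE_OK;` the UserDBSAML hunk uses; prefer `return PE_OK;` in both. `setAuthSessionInfo` begins above the first hunk, so only its tail is visible here.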
@ -40,6 +40,7 @@ sub getUser {
|
|||
sub setSessionInfo {
|
||||
my $self = shift;
|
||||
my $server = $self->{_lassoServer};
|
||||
my $login = $self->{_lassoLogin};
|
||||
my $idp = $self->{_idp};
|
||||
|
||||
my $exportedAttr;
|
||||
|
@ -70,7 +71,68 @@ sub setSessionInfo {
|
|||
}
|
||||
|
||||
# Build Attribute Request
|
||||
#
|
||||
my $IDPentityID = $self->{_idpList}->{$idp}->{entityID};
|
||||
my $query =
|
||||
$self->createAttributeRequest( $server, $login, $IDPentityID,
|
||||
$exportedAttr );
|
||||
|
||||
unless ($query) {
|
||||
$self->lmLog( "Unable to build attribute request for $idp", 'error' );
|
||||
return PE_ERROR;
|
||||
}
|
||||
|
||||
# Use SOAP to send request and get response
|
||||
my $query_url = $query->msg_url;
|
||||
my $query_body = $query->msg_body;
|
||||
|
||||
# Send SOAP request and manage response
|
||||
my $response = $self->sendSOAPMessage( $query_url, $query_body );
|
||||
|
||||
unless ($response) {
|
||||
$self->lmLog( "No attribute response to SOAP request", 'error' );
|
||||
return PE_ERROR;
|
||||
}
|
||||
|
||||
# Manage Attribute Response
|
||||
my $result = $self->processAttributeResponse( $server, $response );
|
||||
|
||||
unless ($result) {
|
||||
$self->lmLog( "Fail to process attribute response", 'error' );
|
||||
return PE_ERROR;
|
||||
}
|
||||
|
||||
# Attributes in response
|
||||
my @response_attributes;
|
||||
eval {
|
||||
@response_attributes =
|
||||
$result->getAssertion()->AttributeStatement()->Attribute();
|
||||
};
|
||||
if ($@) {
|
||||
$self->lmLog( "No attributes defined in attribute response", 'error' );
|
||||
return PE_ERROR;
|
||||
}
|
||||
|
||||
# Check we have all required attributes
|
||||
foreach ( keys %$exportedAttr ) {
|
||||
|
||||
# Extract fields from exportedAttr value
|
||||
my ( $mandatory, $name, $format, $friendly_name ) =
|
||||
split( /;/, $exportedAttr->{$_} );
|
||||
|
||||
# Try to get value
|
||||
my $value = $self->getAttributeValue( $name, $format, $friendly_name,
|
||||
\@response_attributes );
|
||||
|
||||
unless ($value) {
|
||||
$self->lmLog(
|
||||
"Attribute $_ is mandatory, but was not delivered by $idp",
|
||||
'error' );
|
||||
return PE_ERROR;
|
||||
}
|
||||
|
||||
# Store value in sessionInfo
|
||||
$self->{sessionInfo}->{$_} = $value;
|
||||
}
|
||||
|
||||
return PE_OK;
|
||||
|
||||
|
|
|
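Review bot: In the mandatory-attribute loop of `setSessionInfo`, `$mandatory` is split out of `$exportedAttr->{$_}` but never tested, so every configured attribute is treated as mandatory and a missing optional one aborts the login with PE_ERROR while the log line claims it was mandatory. The test is also on truthiness, so an attribute legitimately delivered as `0` or an empty string is reported as missing. Change `unless ($value) {` to `unless ( defined $value ) {` and add `next unless $mandatory;` as its first statement, assuming the first field is a true/false flag as its name suggests (confirm against the configuration format). The loop also carries `$_` across the `getAttributeValue` call; a named loop variable (`foreach my $key ( keys %$exportedAttr )`) would keep it safe from being clobbered by the callee. `setSessionInfo` opens in the previous hunk and its closing brace lies below this one.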
@ -913,10 +913,132 @@ sub sendSOAPMessage {
|
|||
$response = $soap_answer->content();
|
||||
$self->lmLog( "Get response $response", 'debug' );
|
||||
}
|
||||
else {
|
||||
$self->lmLog( "No response to SOAP request", 'debug' );
|
||||
return;
|
||||
}
|
||||
|
||||
return $response;
|
||||
}
|
||||
|
||||
## @method Lasso::AssertionQuery createAttributeRequest(Lasso::Server server, Lasso::Login login, string idp, hashref attributes)
|
||||
# Create an attribute request
|
||||
# @param server Lasso::Server object
|
||||
# @param login Lasso::Login object
|
||||
# @param idp IDP entityID
|
||||
# @param attributes List of requested attributes
|
||||
# @return assertion request
|
||||
sub createAttributeRequest {
|
||||
my ( $self, $server, $login, $idp, $attributes ) = splice @_;
|
||||
my $query;
|
||||
|
||||
# Create assertion query
|
||||
eval { $query = Lasso::AssertionQuery->new($server); };
|
||||
if ($@) {
|
||||
$self->checkLassoError($@);
|
||||
return;
|
||||
}
|
||||
|
||||
$self->lmLog( "Assertion query created", 'debug' );
|
||||
|
||||
# Set identity
|
||||
eval {
|
||||
Lasso::Profile::set_identity_from_dump( $query,
|
||||
$login->get_identity()->dump );
|
||||
};
|
||||
if ($@) {
|
||||
$self->checkLassoError($@);
|
||||
return;
|
||||
}
|
||||
|
||||
$self->lmLog( "Identity set in query", 'debug' );
|
||||
|
||||
# Init request
|
||||
my $method = Lasso::Constants::HTTP_METHOD_SOAP;
|
||||
my $type = Lasso::Constants::ASSERTION_QUERY_REQUEST_TYPE_ATTRIBUTE;
|
||||
eval {
|
||||
Lasso::AssertionQuery::init_request( $query, $idp, $method, $type );
|
||||
};
|
||||
if ($@) {
|
||||
$self->checkLassoError($@);
|
||||
return;
|
||||
}
|
||||
|
||||
$self->lmLog( "Assertion query request initiated", 'debug' );
|
||||
|
||||
# Store attributes in request
|
||||
my @requested_attributes;
|
||||
foreach ( keys %$attributes ) {
|
||||
|
||||
# Create SAML2 Attribute
|
||||
my $attribute;
|
||||
|
||||
eval { $attribute = Lasso::Saml2Attribute->new(); };
|
||||
if ($@) {
|
||||
$self->checkLassoError($@);
|
||||
return;
|
||||
}
|
||||
|
||||
# Set attribute properties
|
||||
my ( $mandatory, $name, $format, $friendly_name ) =
|
||||
split( /;/, $attributes->{$_} );
|
||||
|
||||
$attribute->Name($name) if defined $name;
|
||||
$attribute->NameFormat($format) if defined $format;
|
||||
$attribute->FriendlyName($friendly_name) if defined $friendly_name;
|
||||
|
||||
# Store attribute
|
||||
push @requested_attributes, $attribute;
|
||||
}
|
||||
|
||||
# Set attributes in request
|
||||
eval { $query->request()->Attribute(@requested_attributes); };
|
||||
if ($@) {
|
||||
$self->checkLassoError($@);
|
||||
return;
|
||||
}
|
||||
|
||||
# Build message
|
||||
eval { Lasso::AssertionQuery::build_request_msg($query); };
|
||||
if ($@) {
|
||||
$self->checkLassoError($@);
|
||||
return;
|
||||
}
|
||||
|
||||
# Return query
|
||||
return $query;
|
||||
}
|
||||
|
||||
## @method Lasso::AssertionQuery processAttributeResponse(Lasso::Server server, string response)
|
||||
# Process an attribute response
|
||||
# @param server Lasso::Server object
|
||||
# @param response Response content
|
||||
# @return assertion query
|
||||
sub processAttributeResponse {
|
||||
my ( $self, $server, $response ) = splice @_;
|
||||
my $query;
|
||||
|
||||
# Create assertion query
|
||||
eval { $query = Lasso::AssertionQuery->new($server); };
|
||||
if ($@) {
|
||||
$self->checkLassoError($@);
|
||||
return;
|
||||
}
|
||||
|
||||
$self->lmLog( "Assertion query created", 'debug' );
|
||||
|
||||
# Process response
|
||||
eval { Lasso::AssertionQuery::process_response_msg( $query, $response ); };
|
||||
if ($@) {
|
||||
$self->checkLassoError($@);
|
||||
return;
|
||||
}
|
||||
|
||||
$self->lmLog( "Attribute response is valid", 'debug' );
|
||||
|
||||
return $query;
|
||||
}
|
||||
|
||||
1;
|
||||
|
||||
__END__
|
||||
|
@ -1079,6 +1201,14 @@ Process artifact response message
|
|||
|
||||
Send SOAP message and get response
|
||||
|
||||
=head2 createAttributeRequest
|
||||
|
||||
Create an attribute request
|
||||
|
||||
=head2 processAttributeResponse
|
||||
|
||||
Process an attribute response
|
||||
|
||||
=head1 SEE ALSO
|
||||
|
||||
L<Lemonldap::NG::Portal::AuthSAML>, L<Lemonldap::NG::Portal::UserDBSAML>
|
||||
|
|
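Review bot: Nothing in `processAttributeResponse` ties the response back to the request that was sent: it builds a fresh `Lasso::AssertionQuery` from `$server`, and the caller in UserDBSAML hands it only `$server` and the raw response, not the `$query` it obtained from `createAttributeRequest`. Unless `Lasso::AssertionQuery::process_response_msg` correlates InResponseTo internally (not visible here), a response to some other or earlier request would be accepted as long as it validates; worth confirming against the Lasso API and, if needed, keeping the request object or its ID for comparison. The header comment of `createAttributeRequest` describes `attributes` as a list, but the code iterates a hashref whose values are `mandatory;name;format;friendly_name` strings, with `$mandatory` unpacked and unused; suggest `# @param attributes Hashref of requested attributes, values "mandatory;name;format;friendlyname"`. The `splice @_` unpacking in both new subs works but reads oddly next to the conventional `my ( ... ) = @_;` — a point of style only.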