SAML:
- Move part of the code into _SAML.pm so that it could be reused; - Create the method checkMessage that check SAML requests and responses.
This commit is contained in:
Thomas CHEMINEAU
parent
408fe2a82d
commit
ba6bb76549
@ -37,21 +37,8 @@ sub issuerDBInit {
|
||||
sub issuerForUnAuthUser {
|
||||
my $self = shift;
|
||||
my $server = $self->{_lassoServer};
|
||||
my $login;
|
||||
my $logout;
|
||||
my $idp;
|
||||
my $method;
|
||||
my $request;
|
||||
my $response;
|
||||
my $artifact;
|
||||
my $relaystate;
|
||||
|
||||
# 1. Get HTTP request informations to know
|
||||
# if we are receving SAML request or response
|
||||
my $url = $self->url();
|
||||
my $request_method = $self->request_method();
|
||||
my $content_type = $self->content_type();
|
||||
|
||||
# Get configuration parameter
|
||||
my $saml_sso_soap_url =
|
||||
$self->getMetaDataURL( "samlIDPSSODescriptorSingleSignOnServiceSOAP", 1 );
|
||||
my $saml_sso_soap_url_ret =
|
||||
@ -61,91 +48,27 @@ sub issuerForUnAuthUser {
|
||||
my $saml_sso_get_url_ret =
|
||||
$self->getMetaDataURL( "samlIDPSSODescriptorSingleSignOnServiceHTTP", 2 );
|
||||
|
||||
# 1.1 SSO request
|
||||
if ( $url =~ /^($saml_sso_soap_url|$saml_sso_get_url)$/i )
|
||||
{
|
||||
|
||||
$self->lmLog( "URL $url detected as an SSO request URL", 'debug' );
|
||||
|
||||
# Create Login object
|
||||
$login = $self->createLogin($server);
|
||||
# Get HTTP request informations to know
|
||||
# if we are receving SAML request or response
|
||||
my $url = $self->url();
|
||||
my $request_method = $self->request_method();
|
||||
my $content_type = $self->content_type();
|
||||
|
||||
# Get relayState
|
||||
$relaystate = $self->param('RelayState');
|
||||
|
||||
# 1.1.1 HTTP REDIRECT
|
||||
if ( $request_method =~ /^GET$/ ) {
|
||||
|
||||
$method = Lasso::Constants::HTTP_METHOD_REDIRECT;
|
||||
$self->lmLog( "SSO method: HTTP-REDIRECT", 'debug' );
|
||||
|
||||
if ( $self->param('SAMLResponse') ) {
|
||||
|
||||
# Response in query string
|
||||
$response = $self->query_string();
|
||||
$self->lmLog( "HTTP-REDIRECT: SAML Response $response",
|
||||
'debug' );
|
||||
|
||||
}
|
||||
|
||||
if ( $self->param('SAMLRequest') ) {
|
||||
|
||||
# Request in query string
|
||||
$request = $self->query_string();
|
||||
$self->lmLog( "HTTP-REDIRECT: SAML Request $request", 'debug' );
|
||||
|
||||
}
|
||||
|
||||
if ( $self->param('SAMLart') ) {
|
||||
|
||||
# Artifcat in query string
|
||||
$artifact = $self->query_string();
|
||||
$self->lmLog( "HTTP-REDIRECT: SAML Artifact $artifact",
|
||||
'debug' );
|
||||
|
||||
# Resolve Artifact
|
||||
$method = Lasso::Constants::HTTP_METHOD_ARTIFACT_GET;
|
||||
my $message =
|
||||
$self->resolveArtifact( $login, $artifact, $method );
|
||||
|
||||
# Request or response ?
|
||||
if ( $message =~ /samlp:response/i ) {
|
||||
$response = $message;
|
||||
}
|
||||
else {
|
||||
$request = $message;
|
||||
}
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
# 1.2.1 HTTP POST AND SOAP
|
||||
elsif ( $request_method =~ /^POST$/ ) {
|
||||
|
||||
# 1.2.2 POST
|
||||
if ( $content_type !~ /xml/ ) {
|
||||
|
||||
$method = Lasso::Constants::HTTP_METHOD_POST;
|
||||
$self->lmLog( "SSO method: HTTP-POST", 'debug' );
|
||||
|
||||
}
|
||||
|
||||
# 1.2.3 SOAP
|
||||
else {
|
||||
|
||||
$method = Lasso::Constants::HTTP_METHOD_SOAP;
|
||||
$self->lmLog( "SSO method: HTTP-SOAP", 'debug' );
|
||||
|
||||
# SOAP is always a request
|
||||
$request = $self->param('POSTDATA');
|
||||
$self->lmLog( "HTTP-SOAP: SAML Request $request", 'debug' );
|
||||
|
||||
}
|
||||
|
||||
}
|
||||
# Check message
|
||||
my ( $request, $response, $method, $relaystate, $artifact ) =
|
||||
$self->checkMessage($url, $request_method, $content_type);
|
||||
|
||||
# Process the request
|
||||
if ( $request ) {
|
||||
|
||||
# Create Login object
|
||||
my $login = $self->createLogin( $server );
|
||||
|
||||
# Process authentication request
|
||||
my $result;
|
||||
if ($artifact) {
|
||||
|
||||
@ -253,6 +253,144 @@ sub loadSPs {
|
||||
return 1;
|
||||
}
|
||||
|
||||
## @method checkMessage
|
||||
# Check SAML requests and responses
|
||||
# @param string url
|
||||
# @param string request method
|
||||
# @param string content type
|
||||
# @return ( $request, $response, $method, $relaystate )
|
||||
sub checkMessage {
|
||||
my $self = shift;
|
||||
my $url = shift;
|
||||
my $request_method = shift;
|
||||
my $content_type = shift;
|
||||
my $request;
|
||||
my $response;
|
||||
my $method;
|
||||
my $relaystate;
|
||||
my $artifact;
|
||||
|
||||
# Check if SAML service is loaded
|
||||
return ($request, $response, $method, $relaystate)
|
||||
unless $self->{_lassoServer};
|
||||
|
||||
# Create Login object
|
||||
my $login = $self->createLogin( $self->{_lassoServer} );
|
||||
|
||||
# Get relayState
|
||||
$relaystate = $self->param('RelayState');
|
||||
|
||||
# 1. HTTP REDIRECT
|
||||
if ( $request_method =~ /^GET$/ ) {
|
||||
|
||||
$method = Lasso::Constants::HTTP_METHOD_REDIRECT;
|
||||
$self->lmLog( "SSO method: HTTP-REDIRECT", 'debug' );
|
||||
|
||||
if ( $self->param('SAMLResponse') ) {
|
||||
|
||||
# Response in query string
|
||||
$response = $self->query_string();
|
||||
$self->lmLog( "HTTP-REDIRECT: SAML Response $response",
|
||||
'debug' );
|
||||
|
||||
}
|
||||
|
||||
if ( $self->param('SAMLRequest') ) {
|
||||
|
||||
# Request in query string
|
||||
$request = $self->query_string();
|
||||
$self->lmLog( "HTTP-REDIRECT: SAML Request $request", 'debug' );
|
||||
|
||||
}
|
||||
|
||||
if ( $self->param('SAMLart') ) {
|
||||
|
||||
# Artifact in query string
|
||||
$artifact = $self->query_string();
|
||||
$self->lmLog( "HTTP-REDIRECT: SAML Artifact $artifact",
|
||||
'debug' );
|
||||
|
||||
# Resolve Artifact
|
||||
$method = Lasso::Constants::HTTP_METHOD_ARTIFACT_GET;
|
||||
my $message =
|
||||
$self->resolveArtifact( $login, $artifact, $method );
|
||||
|
||||
# Request or response ?
|
||||
if ( $message =~ /samlp:response/i ) {
|
||||
$response = $message;
|
||||
}
|
||||
else {
|
||||
$request = $message;
|
||||
}
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
# 2 HTTP POST AND SOAP
|
||||
elsif ( $request_method =~ /^POST$/ ) {
|
||||
|
||||
# 2.1 POST
|
||||
if ( $content_type !~ /xml/ ) {
|
||||
|
||||
$method = Lasso::Constants::HTTP_METHOD_POST;
|
||||
$self->lmLog( "SSO method: HTTP-POST", 'debug' );
|
||||
|
||||
if ( $self->param('SAMLResponse') ) {
|
||||
|
||||
# Response in body part
|
||||
$response = $self->param('SAMLResponse');
|
||||
$self->lmLog( "HTTP-POST: SAML Response $response", 'debug' );
|
||||
|
||||
}
|
||||
|
||||
if ( $self->param('SAMLRequest') ) {
|
||||
|
||||
# Request in body part
|
||||
$request = $self->param('SAMLRequest');
|
||||
$self->lmLog( "HTTP-POST: SAML Request $request", 'debug' );
|
||||
|
||||
}
|
||||
|
||||
if ( $self->param('SAMLart') ) {
|
||||
|
||||
# Artifcat in SAMLart param
|
||||
$artifact = $self->param('SAMLart');
|
||||
$self->lmLog( "HTTP-REDIRECT: SAML Artifact $artifact", 'debug' );
|
||||
|
||||
# Resolve Artifact
|
||||
$method = Lasso::Constants::HTTP_METHOD_ARTIFACT_POST;
|
||||
my $message =
|
||||
$self->resolveArtifact( $login, $artifact, $method );
|
||||
|
||||
# Request or response ?
|
||||
if ( $message =~ /samlp:response/i ) {
|
||||
$response = $message;
|
||||
}
|
||||
else {
|
||||
$request = $message;
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
# 2.2 SOAP
|
||||
else {
|
||||
|
||||
$method = Lasso::Constants::HTTP_METHOD_SOAP;
|
||||
$self->lmLog( "SSO method: HTTP-SOAP", 'debug' );
|
||||
|
||||
# SOAP is always a request
|
||||
$request = $self->param('POSTDATA');
|
||||
$self->lmLog( "HTTP-SOAP: SAML Request $request", 'debug' );
|
||||
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
return ( $request, $response, $method, $relaystate, $artifact ? 1 : 0 );
|
||||
}
|
||||
|
||||
## @method boolean checkLassoError(Lasso::Error error, string level)
|
||||
# Log Lasso error code and message if this is actually a Lasso::Error with code > 0
|
||||
# @param Lasso::Error Lasso error object
|
||||
|
||||
Loading…
Reference in New Issue
Block a user