Add a specific timeout parameter for SAML RelayState sessions (#524)

2013-10-24 12:35:58 +00:00 · 2013-10-24 12:35:58 +00:00 · ce581e75e9
commit ce581e75e9
parent 4e9a4e9789
4 changed files with 15 additions and 3 deletions
--- a/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/_Struct.pm
+++ b/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/_Struct.pm
@ -1314,7 +1314,7 @@ sub struct {
            # ADVANCED SAML PARAMETERS
            samlAdvanced => {
                _nodes => [
-                    qw(samlIdPResolveCookie samlMetadataForceUTF8 samlStorage cn:samlStorageOptions n:samlCommonDomainCookie)
+                    qw(samlIdPResolveCookie samlMetadataForceUTF8 samlStorage cn:samlStorageOptions samlRelayStateTimeout n:samlCommonDomainCookie)
                ],
                _help => 'samlServiceAdvanced',

@ -1327,6 +1327,7 @@ sub struct {
                    _js   => 'hashRoot',
                    _help => 'samlServiceAdvanced',
                },
+                samlRelayStateTimeout  => 'int:/samlRelayStateTimeout',
                samlCommonDomainCookie => {
                    _nodes => [
                        qw(samlCommonDomainCookieActivation samlCommonDomainCookieDomain samlCommonDomainCookieReader samlCommonDomainCookieWriter)
@ -1823,6 +1824,7 @@ m{^(?:ldapi://[^/]*/?|\w[\w\-\.]*(?::\d{1,5})?|ldap(?:s|\+tls)?://\w[\w\-\.]*(?:
            test    => Lemonldap::NG::Common::Regexp::HTTP_URI(),
            msgFail => 'Bad URI',
        },
+        samlRelayStateTimeout => $integer,

        # SSL
        SSLAuthnLevel => $integer,
@ -2198,6 +2200,7 @@ sub defaultConf {
        samlAuthnContextMapTLSClient                  => 5,
        samlAuthnContextMapKerberos                   => 4,
        samlCommonDomainCookieActivation              => 0,
+        samlRelayStateTimeout                         => 600,

        # Authentication levels
        ldapAuthnLevel      => 2,
--- a/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/_i18n.pm
+++ b/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/_i18n.pm
@ -515,6 +515,7 @@ sub en {
        samlCommonDomainCookieDomain     => 'Common domain',
        samlCommonDomainCookieReader     => 'Reader URL',
        samlCommonDomainCookieWriter     => 'Writer URL',
+        samlRelayStateTimeout            => 'RelayState session timeout',
    };
 }

@ -1005,6 +1006,7 @@ sub fr {
        samlCommonDomainCookieDomain     => 'Domaine commun',
        samlCommonDomainCookieReader     => 'URL de lecture',
        samlCommonDomainCookieWriter     => 'URL d\'écriture',
+        samlRelayStateTimeout => 'Durée de vie d\'une session RelayState',
    };
 }

--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Simple.pm
+++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Simple.pm
@ -626,6 +626,8 @@ sub setDefaultValues {
      unless defined $self->{samlAuthnContextMapTLSClient};
    $self->{samlAuthnContextMapKerberos} = 4
      unless defined $self->{samlAuthnContextMapKerberos};
+    $self->{samlRelayStateTimeout} = 600
+      unless defined $self->{samlRelayStateTimeout};

    # CAS
    $self->{casStorage} ||= $self->{globalStorage};
--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/_SAML.pm
+++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/_SAML.pm
@ -1178,8 +1178,13 @@ sub storeRelayState {
    # Session type
    $samlSessionInfo->{_type} = "relaystate";

-    # UNIX time
-    $samlSessionInfo->{_utime} = time();
+    # Set _utime for session autoremove
+    # Use default session timeout and relayState session timeout to compute it
+    my $time                  = time();
+    my $timeout               = $self->{timeout};
+    my $samlRelayStateTimeout = $self->{samlRelayStateTimeout} || $timeout;
+
+    $samlSessionInfo->{_utime} = $time + ( $samlRelayStateTimeout - $timeout );

    # Store infos in relaystate session
    foreach ( keys %$infos ) {