From ce581e75e9edc0d4321400a43ff97a7992dec92d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Cl=C3=A9ment=20Oudot?=
Date: Thu, 24 Oct 2013 12:35:58 +0000
Subject: [PATCH] Add a specific timeout parameter for SAML RelayState sessions (#524)
---
 lemonldap-ng-manager/lib/Lemonldap/NG/Manager/_Struct.pm | 5 ++++-
 lemonldap-ng-manager/lib/Lemonldap/NG/Manager/_i18n.pm | 2 ++
 lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Simple.pm | 2 ++
 lemonldap-ng-portal/lib/Lemonldap/NG/Portal/_SAML.pm | 9 +++++++--
 4 files changed, 15 insertions(+), 3 deletions(-)
diff --git a/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/_Struct.pm b/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/_Struct.pm
index ccaa0f32b..187b78191 100644
--- a/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/_Struct.pm
+++ b/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/_Struct.pm
@@ -1314,7 +1314,7 @@ sub struct {
 # ADVANCED SAML PARAMETERS
 samlAdvanced => {
 _nodes => [
- qw(samlIdPResolveCookie samlMetadataForceUTF8 samlStorage cn:samlStorageOptions n:samlCommonDomainCookie)
+ qw(samlIdPResolveCookie samlMetadataForceUTF8 samlStorage cn:samlStorageOptions samlRelayStateTimeout n:samlCommonDomainCookie)
 ],
 _help => 'samlServiceAdvanced',
@@ -1327,6 +1327,7 @@ sub struct {
 _js => 'hashRoot',
 _help => 'samlServiceAdvanced',
 },
+ samlRelayStateTimeout => 'int:/samlRelayStateTimeout',
 samlCommonDomainCookie => {
 _nodes => [
 qw(samlCommonDomainCookieActivation samlCommonDomainCookieDomain samlCommonDomainCookieReader samlCommonDomainCookieWriter)
@@ -1823,6 +1824,7 @@ m{^(?:ldapi://[^/]*/?|\w[\w\-\.]*(?::\d{1,5})?|ldap(?:s|\+tls)?://\w[\w\-\.]*(?:
 test => Lemonldap::NG::Common::Regexp::HTTP_URI(),
 msgFail => 'Bad URI',
 },
+ samlRelayStateTimeout => $integer,
 # SSL
 SSLAuthnLevel => $integer,
@@ -2198,6 +2200,7 @@ sub defaultConf {
 samlAuthnContextMapTLSClient => 5,
 samlAuthnContextMapKerberos => 4,
 samlCommonDomainCookieActivation => 0,
+ samlRelayStateTimeout => 600,
 # Authentication levels
 ldapAuthnLevel => 2,
diff --git a/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/_i18n.pm b/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/_i18n.pm
index 0d85f1d0d..ce62f8cd2 100644
--- a/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/_i18n.pm
+++ b/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/_i18n.pm
@@ -515,6 +515,7 @@ sub en {
 samlCommonDomainCookieDomain => 'Common domain',
 samlCommonDomainCookieReader => 'Reader URL',
 samlCommonDomainCookieWriter => 'Writer URL',
+ samlRelayStateTimeout => 'RelayState session timeout',
 };
 }
@@ -1005,6 +1006,7 @@ sub fr {
 samlCommonDomainCookieDomain => 'Domaine commun',
 samlCommonDomainCookieReader => 'URL de lecture',
 samlCommonDomainCookieWriter => 'URL d\'écriture',
+ samlRelayStateTimeout => 'Durée de vie d\'une session RelayState',
 };
 }
diff --git a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Simple.pm b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Simple.pm
index 5b614fbab..783a986c1 100644
--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Simple.pm
+++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Simple.pm
@@ -626,6 +626,8 @@ sub setDefaultValues {
 unless defined $self->{samlAuthnContextMapTLSClient};
 $self->{samlAuthnContextMapKerberos} = 4
 unless defined $self->{samlAuthnContextMapKerberos};
+ $self->{samlRelayStateTimeout} = 600
+ unless defined $self->{samlRelayStateTimeout};
 # CAS
 $self->{casStorage} ||= $self->{globalStorage};
diff --git a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/_SAML.pm b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/_SAML.pm
index ccfceca80..9fdc9537b 100644
--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/_SAML.pm
+++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/_SAML.pm
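Review bot: The fallback literal `600` added to setDefaultValues duplicates the `samlRelayStateTimeout => 600` default in the manager's defaultConf (_Struct.pm in this same patch), so a later change to one copy silently desynchronizes the other; a comment on the new line such as `# keep in sync with Manager::_Struct defaultConf` or a single shared constant would make the coupling visible. Note also that `unless defined` keeps an explicit `0` from the configuration, while the new storeRelayState code uses `$self->{samlRelayStateTimeout} || $timeout`, which turns that `0` into the full session timeout — probably not what an administrator who sets 0 expects, so either document that 0 means "same as session timeout" or reject it here. setDefaultValues begins before and continues after this hunk.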
@@ -1178,8 +1178,13 @@ sub storeRelayState {
 # Session type
 $samlSessionInfo->{_type} = "relaystate";
- # UNIX time
- $samlSessionInfo->{_utime} = time();
+ # Set _utime for session autoremove
+ # Use default session timeout and relayState session timeout to compute it
+ my $time = time();
+ my $timeout = $self->{timeout};
+ my $samlRelayStateTimeout = $self->{samlRelayStateTimeout} || $timeout;
+
+ $samlSessionInfo->{_utime} = $time + ( $samlRelayStateTimeout - $timeout );
 # Store infos in relaystate session
 foreach ( keys %$infos ) {
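Review bot: The skewed `_utime` only changes when the autoremove job will delete the RelayState session; nothing in this hunk checks, at the moment the RelayState is consumed, that it is still younger than `samlRelayStateTimeout`, so as far as is visible a captured RelayState stays replayable until the next purge run rather than for exactly the configured 600 seconds, and the consumer should verify the age itself. Any other code that reads `_utime` as a creation timestamp now gets a value shifted by `samlRelayStateTimeout - timeout` (in the past with the defaults, in the future when the RelayState timeout exceeds the session timeout), which would break an age computation there — worth confirming against the readers of relaystate sessions. The arithmetic deserves an explicit comment above the assignment, e.g. `# Backdate _utime so that _utime + timeout == now + samlRelayStateTimeout; the purge job (presumably) drops sessions whose _utime is older than 'timeout'`. `$self->{timeout}` is used unguarded, so if it is undefined the subtraction silently proceeds with a non-numeric value; `my $timeout = $self->{timeout} || 0;` or an explicit die would be safer. storeRelayState begins before and continues after this hunk.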