SAML: conditions validation
This commit is contained in:
Clément Oudot
parent
88b81bf2aa
commit
d5d56f7649
|
|
@ -170,8 +170,15 @@ sub extractFormInfo {
|
|||
# 1.3 ARTEFACT (SOAP)
|
||||
# TODO
|
||||
|
||||
# Replay protection if assertion is a response to a created authn request
|
||||
my $assertion_responded = $login->response()->InResponseTo;
|
||||
# Get SAML response
|
||||
my $saml_response = $login->response();
|
||||
unless ($saml_response) {
|
||||
$self->lmLog( "No SAML response found", 'error' );
|
||||
return PE_ERROR;
|
||||
}
|
||||
|
||||
# Replay protection if this is a response to a created authn request
|
||||
my $assertion_responded = $saml_response->InResponseTo;
|
||||
if ($assertion_responded) {
|
||||
my $assertion_sessions =
|
||||
$self->{globalStorage}->searchOn( $self->{globalStorageOptions},
|
||||
|
|
@ -229,7 +236,35 @@ sub extractFormInfo {
|
|||
);
|
||||
}
|
||||
|
||||
# TODO check conditions
|
||||
# Get SAML assertion
|
||||
my $assertion = $self->getAssertion($login);
|
||||
|
||||
unless ($assertion) {
|
||||
$self->lmLog( "No assertion found", 'error' );
|
||||
return PE_ERROR;
|
||||
}
|
||||
|
||||
# Check conditions - time validity
|
||||
unless ( $self->validateConditions($assertion) ) {
|
||||
$self->lmLog( "Time conditions not validated", 'error' );
|
||||
return PE_ERROR;
|
||||
}
|
||||
|
||||
# Check conditions - audience
|
||||
unless (
|
||||
$self->validateConditions( $assertion, $self->{samlEntityID} ) )
|
||||
{
|
||||
$self->lmLog( "Audience conditions not validated", 'error' );
|
||||
return PE_ERROR;
|
||||
}
|
||||
|
||||
$self->lmLog( "Conditions validated", 'debug' );
|
||||
|
||||
# Check OneTimeUse flag
|
||||
# TODO
|
||||
|
||||
# Check ProxyRestriction flag
|
||||
# TODO
|
||||
|
||||
# Extract RelayState information
|
||||
if ( $self->extractRelayState($login) ) {
|
||||
|
|
|
|||
|
|
@ -15,7 +15,7 @@ our @EXPORT = qw(
|
|||
createAuthnRequest createLogin getHttpMethod initAuthnRequest
|
||||
buildAuthnRequestMsg processAuthnResponseMsg getNameIdentifier
|
||||
createIdentity createSession acceptSSO extractRelayState
|
||||
getAssertion getAttributeValue
|
||||
getAssertion getAttributeValue validateConditions
|
||||
);
|
||||
|
||||
our $VERSION = '0.01';
|
||||
|
|
@ -505,6 +505,34 @@ sub getAttributeValue {
|
|||
return $value;
|
||||
}
|
||||
|
||||
## @method boolean validateConditions(Lasso::Saml2::Assertion assertion, string entityID)
|
||||
# Validate conditions
|
||||
# @param assertion SAML2 assertion
|
||||
# @param entityID relaying party entity ID
|
||||
# @return result
|
||||
sub validateConditions {
|
||||
my ( $self, $assertion, $entityID ) = splice @_;
|
||||
$entityID ||= 'none';
|
||||
my $status;
|
||||
|
||||
eval {
|
||||
$status =
|
||||
Lasso::Saml2Assertion::validate_conditions( $assertion, $entityID );
|
||||
};
|
||||
|
||||
if ($@) {
|
||||
$self->checkLassoError($@);
|
||||
return 0;
|
||||
}
|
||||
|
||||
unless ( $status eq Lasso::Constants::SAML2_ASSERTION_VALID ) {
|
||||
$self->lmLog( "Conditions validations result: $status", 'error' );
|
||||
return 0;
|
||||
}
|
||||
|
||||
return 1;
|
||||
}
|
||||
|
||||
1;
|
||||
|
||||
__END__
|
||||
|
|
@ -603,6 +631,10 @@ Get assertion in Lasso::Login object
|
|||
Get SAML attribute value corresponding to name, format and friendly_name
|
||||
Multivaluated values are separated by ';'
|
||||
|
||||
=head2 validateConditions
|
||||
|
||||
Validate conditions
|
||||
|
||||
=head1 SEE ALSO
|
||||
|
||||
L<Lemonldap::NG::Portal::AuthSAML>, L<Lemonldap::NG::Portal::UserDBSAML>
|
||||
|
|
|
|||
Loading…
Reference in New Issue
Block a user