SAML: conditions validation
parent
88b81bf2aa
commit
d5d56f7649
|
@ -170,8 +170,15 @@ sub extractFormInfo {
|
||||||
# 1.3 ARTEFACT (SOAP)
|
# 1.3 ARTEFACT (SOAP)
|
||||||
# TODO
|
# TODO
|
||||||
|
|
||||||
# Replay protection if assertion is a response to a created authn request
|
# Get SAML response
|
||||||
my $assertion_responded = $login->response()->InResponseTo;
|
my $saml_response = $login->response();
|
||||||
|
unless ($saml_response) {
|
||||||
|
$self->lmLog( "No SAML response found", 'error' );
|
||||||
|
return PE_ERROR;
|
||||||
|
}
|
||||||
|
|
||||||
|
# Replay protection if this is a response to a created authn request
|
||||||
|
my $assertion_responded = $saml_response->InResponseTo;
|
||||||
if ($assertion_responded) {
|
if ($assertion_responded) {
|
||||||
my $assertion_sessions =
|
my $assertion_sessions =
|
||||||
$self->{globalStorage}->searchOn( $self->{globalStorageOptions},
|
$self->{globalStorage}->searchOn( $self->{globalStorageOptions},
|
||||||
|
@ -229,7 +236,35 @@ sub extractFormInfo {
|
||||||
);
|
);
|
||||||
}
|
}
|
||||||
|
|
||||||
# TODO check conditions
|
# Get SAML assertion
|
||||||
|
my $assertion = $self->getAssertion($login);
|
||||||
|
|
||||||
|
unless ($assertion) {
|
||||||
|
$self->lmLog( "No assertion found", 'error' );
|
||||||
|
return PE_ERROR;
|
||||||
|
}
|
||||||
|
|
||||||
|
# Check conditions - time validity
|
||||||
|
unless ( $self->validateConditions($assertion) ) {
|
||||||
|
$self->lmLog( "Time conditions not validated", 'error' );
|
||||||
|
return PE_ERROR;
|
||||||
|
}
|
||||||
|
|
||||||
|
# Check conditions - audience
|
||||||
|
unless (
|
||||||
|
$self->validateConditions( $assertion, $self->{samlEntityID} ) )
|
||||||
|
{
|
||||||
|
$self->lmLog( "Audience conditions not validated", 'error' );
|
||||||
|
return PE_ERROR;
|
||||||
|
}
|
||||||
|
|
||||||
|
$self->lmLog( "Conditions validated", 'debug' );
|
||||||
|
|
||||||
|
# Check OneTimeUse flag
|
||||||
|
# TODO
|
||||||
|
|
||||||
|
# Check ProxyRestriction flag
|
||||||
|
# TODO
|
||||||
|
|
||||||
# Extract RelayState information
|
# Extract RelayState information
|
||||||
if ( $self->extractRelayState($login) ) {
|
if ( $self->extractRelayState($login) ) {
|
||||||
|
|
|
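Review bot: The first call `$self->validateConditions($assertion)` is not a time-only check: with no entity ID the helper substitutes `'none'`, so if Lasso matches any supplied relaying-party ID against an AudienceRestriction, this call would fail for every assertion that carries one before the real audience check runs, and the "Time conditions not validated" log line would then be misleading. The second call with `$self->{samlEntityID}` already covers NotBefore/NotOnOrAfter and audience in one pass, so I would drop the first call and keep a single `unless ( $self->validateConditions( $assertion, $self->{samlEntityID} ) ) { ... }` with a message such as "Conditions (time/audience) not validated"; the Lasso status the helper logs already says which condition failed. Note also that OneTimeUse and ProxyRestriction remain TODO, so an assertion marked OneTimeUse is still accepted repeatedly as long as InResponseTo replay protection does not apply (unsolicited responses). extractFormInfo starts and ends outside these hunks.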
@ -15,7 +15,7 @@ our @EXPORT = qw(
|
||||||
createAuthnRequest createLogin getHttpMethod initAuthnRequest
|
createAuthnRequest createLogin getHttpMethod initAuthnRequest
|
||||||
buildAuthnRequestMsg processAuthnResponseMsg getNameIdentifier
|
buildAuthnRequestMsg processAuthnResponseMsg getNameIdentifier
|
||||||
createIdentity createSession acceptSSO extractRelayState
|
createIdentity createSession acceptSSO extractRelayState
|
||||||
getAssertion getAttributeValue
|
getAssertion getAttributeValue validateConditions
|
||||||
);
|
);
|
||||||
|
|
||||||
our $VERSION = '0.01';
|
our $VERSION = '0.01';
|
||||||
|
@ -505,6 +505,34 @@ sub getAttributeValue {
|
||||||
return $value;
|
return $value;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
## @method boolean validateConditions(Lasso::Saml2::Assertion assertion, string entityID)
|
||||||
|
# Validate conditions
|
||||||
|
# @param assertion SAML2 assertion
|
||||||
|
# @param entityID relaying party entity ID
|
||||||
|
# @return result
|
||||||
|
sub validateConditions {
|
||||||
|
my ( $self, $assertion, $entityID ) = splice @_;
|
||||||
|
$entityID ||= 'none';
|
||||||
|
my $status;
|
||||||
|
|
||||||
|
eval {
|
||||||
|
$status =
|
||||||
|
Lasso::Saml2Assertion::validate_conditions( $assertion, $entityID );
|
||||||
|
};
|
||||||
|
|
||||||
|
if ($@) {
|
||||||
|
$self->checkLassoError($@);
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
unless ( $status eq Lasso::Constants::SAML2_ASSERTION_VALID ) {
|
||||||
|
$self->lmLog( "Conditions validations result: $status", 'error' );
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
return 1;
|
||||||
|
}
|
||||||
|
|
||||||
1;
|
1;
|
||||||
|
|
||||||
__END__
|
__END__
|
||||||
|
@ -603,6 +631,10 @@ Get assertion in Lasso::Login object
|
||||||
Get SAML attribute value corresponding to name, format and friendly_name
|
Get SAML attribute value corresponding to name, format and friendly_name
|
||||||
Multivaluated values are separated by ';'
|
Multivaluated values are separated by ';'
|
||||||
|
|
||||||
|
=head2 validateConditions
|
||||||
|
|
||||||
|
Validate conditions
|
||||||
|
|
||||||
=head1 SEE ALSO
|
=head1 SEE ALSO
|
||||||
|
|
||||||
L<Lemonldap::NG::Portal::AuthSAML>, L<Lemonldap::NG::Portal::UserDBSAML>
|
L<Lemonldap::NG::Portal::AuthSAML>, L<Lemonldap::NG::Portal::UserDBSAML>
|
||||||
|
|
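Review bot: `$entityID ||= 'none';` in validateConditions changes the meaning of an omitted entity ID: instead of passing an undefined value through to Lasso (which, as far as I can tell from the binding, is how the audience check is skipped), the literal string 'none' becomes the relaying-party ID and any AudienceRestriction would be compared against it. I would pass the argument through unchanged (`my ( $self, $assertion, $entityID ) = @_;` with no default), or if a default is kept, use `//=` so a defined-but-false entity ID is not overwritten. The POD entry reads only "Validate conditions"; it should state that the check delegates to Lasso's validate_conditions for NotBefore/NotOnOrAfter and, when an entity ID is given, AudienceRestriction, and that a Lasso exception is routed through checkLassoError and reported as a failed validation (return 0).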