* Check values of requested attributes (#85)
* Refactor some code in _SAML (createAttribute and createAttributeValue)
Clément Oudot 2010-06-04 14:23:41 +00:00
parent 346d901a15
commit dd615d0678
2 changed files with 137 additions and 60 deletions


@ -541,6 +541,15 @@ sub issuerForUnAuthUser {
"Attribute $rname is linked to $sp_attr session key", "Attribute $rname is linked to $sp_attr session key",
'debug' ); 'debug' );
# Check if values are given
my $rvalue =
$self->getAttributeValue( $rname, $rformat, $rfriendly_name,
[$req_attr] );
$self->lmLog( "Some values are explicitely requested: $rvalue",
'debug' )
if defined $rvalue;
# Get session value # Get session value
if ( $sessionInfo->{$sp_attr} ) { if ( $sessionInfo->{$sp_attr} ) {
@ -548,49 +557,60 @@ sub issuerForUnAuthUser {
$sessionInfo->{$sp_attr}; $sessionInfo->{$sp_attr};
my @saml2values; my @saml2values;
# SAML2 attribute
my $ret_attr =
$self->createAttribute( $rname, $rformat,
$rfriendly_name );
unless ($ret_attr) {
$self->lmLog( "Unable to create a new SAML attribute",
'error' );
$self->returnSOAPMessage();
}
foreach (@values) { foreach (@values) {
# TODO check if values were set in requested attribute my $local_value = $_;
# Check if values were set in requested attribute
# In this case, only requested values can be returned # In this case, only requested values can be returned
if (
$rvalue
and !map( /^$local_value$/,
split( $self->{multiValuesSeparator}, $rvalue )
)
)
{
$self->lmLog(
"$local_value value is not in requested values, it will not be sent",
'warn'
);
next;
}
# SAML2 attribute value # SAML2 attribute value
my $saml2value; my $saml2value =
$self->createAttributeValue($local_value);
eval { unless ($saml2value) {
$saml2value = Lasso::Saml2AttributeValue->new(); $self->lmLog(
}; "Unable to create a new SAML attribute value",
if ($@) { 'error' );
$self->checkLassoError($@);
$self->returnSOAPMessage(); $self->returnSOAPMessage();
} }
my @any;
my $textNode;
eval { $textNode = Lasso::MiscTextNode->new(); };
if ($@) {
$self->checkLassoError($@);
$self->returnSOAPMessage();
}
$textNode->text_child(1);
$textNode->content($_);
push @any, $textNode;
$saml2value->any(@any);
push @saml2values, $saml2value; push @saml2values, $saml2value;
$self->lmLog( "Push $_ in SAML attribute $name", $self->lmLog(
"Push $local_value in SAML attribute $name",
'debug' ); 'debug' );
} }
$req_attr->AttributeValue(@saml2values); $ret_attr->AttributeValue(@saml2values);
# Push attribute in attribute list # Push attribute in attribute list
push @returned_attributes, $req_attr; push @returned_attributes, $ret_attr;
} }
else { else {
@ -611,7 +631,7 @@ sub issuerForUnAuthUser {
} }
# Register attributes in attribute statement # Register attributes in attribute statement
$attribute_statement->Attribute(@requested_attributes); $attribute_statement->Attribute(@returned_attributes);
# Create assetion # Create assetion
my $assertion; my $assertion;
@ -922,23 +942,15 @@ sub issuerForAuthUser {
'debug' ); 'debug' );
# SAML2 attribute # SAML2 attribute
my $attribute; my $attribute =
$self->createAttribute( $name, $format, $friendly_name );
eval { $attribute = Lasso::Saml2Attribute->new(); }; unless ($attribute) {
if ($@) { $self->lmLog( "Unable to create a new SAML attribute",
$self->checkLassoError($@); 'error' );
return PE_ERROR; return PE_ERROR;
} }
# Default values
$friendly_name ||= $name;
$format ||= Lasso::Constants::SAML2_ATTRIBUTE_NAME_FORMAT_BASIC;
# Set attribute properties
$attribute->Name($name);
$attribute->NameFormat($format);
$attribute->FriendlyName($friendly_name);
# Set attribute value(s) # Set attribute value(s)
my @values = split $self->{multiValuesSeparator}, $value; my @values = split $self->{multiValuesSeparator}, $value;
my @saml2values; my @saml2values;
@ -946,30 +958,16 @@ sub issuerForAuthUser {
foreach (@values) { foreach (@values) {
# SAML2 attribute value # SAML2 attribute value
my $saml2value; my $saml2value = $self->createAttributeValue($_);
eval { $saml2value = Lasso::Saml2AttributeValue->new(); }; unless ($saml2value) {
if ($@) { $self->lmLog(
"Unable to create a new SAML attribute value",
'error' );
$self->checkLassoError($@); $self->checkLassoError($@);
return PE_ERROR; return PE_ERROR;
} }
my @any;
my $textNode;
eval { $textNode = Lasso::MiscTextNode->new(); };
if ($@) {
$self->checkLassoError($@);
return PE_ERROR;
}
$textNode->text_child(1);
$textNode->content($_);
push @any, $textNode;
$saml2value->any(@any);
push @saml2values, $saml2value; push @saml2values, $saml2value;
$self->lmLog( "Push $_ in SAML attribute $name", 'debug' ); $self->lmLog( "Push $_ in SAML attribute $name", 'debug' );
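Review bot: The new requested-value filter in issuerForUnAuthUser (`if ( $rvalue and !map( /^$local_value$/, ...`) interpolates `$local_value`, which comes from the session, into the pattern unescaped, so a value containing regex metacharacters (a dot, a plus, parentheses) is matched as a pattern instead of compared literally, and `^`/`$` also let a value with a trailing newline match; a literal string comparison avoids both: `if ( $rvalue and !grep { $_ eq $local_value } split( $self->{multiValuesSeparator}, $rvalue ) )`. Separately, the failure branch after createAttributeValue in issuerForAuthUser still calls `$self->checkLassoError($@)` although createAttributeValue already reports the Lasso error itself, while the other two failure branches added by this commit do not, so one convention should be chosen. issuerForUnAuthUser and issuerForAuthUser both start and end outside the hunks shown.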


@ -1727,7 +1727,8 @@ sub createAttributeRequest {
return; return;
} }
$self->lmLog("Set NameID ".$nameid->dump." in assertion query", 'debug'); $self->lmLog( "Set NameID " . $nameid->dump . " in assertion query",
'debug' );
# Store attributes in request # Store attributes in request
my @requested_attributes; my @requested_attributes;
@ -2504,6 +2505,76 @@ sub getSamlSession {
return \%h; return \%h;
} }
## @method Lasso::Saml2Attribute createAttribute(string name, string format, string friendly_name)
# Create a new SAML attribute
# @param name Attribute name
# @param format optional Attribute format
# @param friendly_name optional Attribute friendly name
# @return SAML attribute
sub createAttribute {
my ( $self, $name, $format, $friendly_name ) = splice @_;
my $attribute;
# Name is required
return unless defined $name;
# SAML2 attribute
eval { $attribute = Lasso::Saml2Attribute->new(); };
if ($@) {
$self->checkLassoError($@);
return;
}
# Default values
$friendly_name ||= $name;
$format ||= Lasso::Constants::SAML2_ATTRIBUTE_NAME_FORMAT_BASIC;
# Set attribute properties
$attribute->Name($name);
$attribute->NameFormat($format);
$attribute->FriendlyName($friendly_name);
return $attribute;
}
## @method Lasso::Saml2AttributeValue createAttributeValue(string value)
# Create a new SAML attribute value
# @param value Value to store
# @return SAML attribute value
sub createAttributeValue {
my ( $self, $value ) = splice @_;
my $saml2value;
# Value is required
return unless defined $value;
# SAML2 attribute value
eval { $saml2value = Lasso::Saml2AttributeValue->new(); };
if ($@) {
$self->checkLassoError($@);
return;
}
my @any;
# Text node
my $textNode;
eval { $textNode = Lasso::MiscTextNode->new(); };
if ($@) {
$self->checkLassoError($@);
return;
}
$textNode->text_child(1);
$textNode->content($value);
push @any, $textNode;
$saml2value->any(@any);
return $saml2value;
}
1; 1;
__END__ __END__
@ -2829,6 +2900,14 @@ If SAML Destination attribute is present, check it
Try to recover the SAML session corresponding to id and return session datas Try to recover the SAML session corresponding to id and return session datas
=head2 createAttribute
Create a new SAML attribute
=head2 createAttributeValue
Create a new SAML attribute value
=head1 SEE ALSO =head1 SEE ALSO
L<Lemonldap::NG::Portal::AuthSAML>, L<Lemonldap::NG::Portal::UserDBSAML> L<Lemonldap::NG::Portal::AuthSAML>, L<Lemonldap::NG::Portal::UserDBSAML>
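Review bot: createAttribute and createAttributeValue return an empty list on an undefined name or value without logging anything, so the callers' generic "Unable to create a new SAML attribute" message gives no way to tell a missing name apart from a Lasso failure (which checkLassoError does report); logging before the early return keeps the diagnosis in the helper, e.g. `unless ( defined $name ) { $self->lmLog( 'Attribute name is required', 'error' ); return; }`, and likewise for `return unless defined $value;` in createAttributeValue. Unpacking arguments with `splice @_` works but reads as if the elements had to be removed from `@_`; `my ( $self, $name, $format, $friendly_name ) = @_;` is the conventional form unless the project deliberately standardises on splice. The POD added for the two methods could also state that they return an empty list on failure, since that is what the callers' `unless (...)` checks rely on.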