LCOV - code coverage report
Current view: top level - zxid - zxidmni.c (source / functions) Hit Total Coverage
Test: ZXID Code Coverage Lines: 21 68 30.9 %
Date: 2010-12-19 Functions: 3 4 75.0 %
Branches: 10 76 13.2 %

           Branch data     Line data    Source code
       1                 :            : /* zxidmni.c  -  Handwritten functions for NameID Management logic for SP
       2                 :            :  * Copyright (c) 2010 Sampo Kellomaki (sampo@iki.fi), All Rights Reserved.
       3                 :            :  * Copyright (c) 2006-2009 Symlabs (symlabs@symlabs.com), All Rights Reserved.
       4                 :            :  * Author: Sampo Kellomaki (sampo@iki.fi)
       5                 :            :  * This is confidential unpublished proprietary source code of the author.
       6                 :            :  * NO WARRANTY, not even implied warranties. Contains trade secrets.
       7                 :            :  * Distribution prohibited unless authorized in writing.
       8                 :            :  * Licensed under Apache License 2.0, see file COPYING.
       9                 :            :  * $Id: zxidmni.c,v 1.10 2010-01-08 02:10:09 sampo Exp $
      10                 :            :  *
      11                 :            :  * 12.10.2007, split from zxidslo.c --Sampo
      12                 :            :  * 7.10.2008,  added documentation --Sampo
      13                 :            :  * 12.2.2010,  added locking to lazy loading --Sampo
      14                 :            :  */
      15                 :            : 
      16                 :            : #include "errmac.h"
      17                 :            : #include "zxid.h"
      18                 :            : #include "zxidpriv.h"
      19                 :            : #include "zxidconf.h"
      20                 :            : #include "saml2.h"
      21                 :            : #include "c/zx-const.h"
      22                 :            : #include "c/zx-ns.h"
      23                 :            : #include "c/zx-data.h"
      24                 :            : 
      25                 :            : /* ============== MNI / NID Mgmt / Defederation ============== */
      26                 :            : 
      27                 :            : /*() Change SPNameID (newnym supplied), or Terminate federation (newnym not supplied),
      28                 :            :  * using SAML2 SOAP binding. This is the (SP) client side that contacts the IdP. */
      29                 :            : 
      30                 :            : /* Called by:  a7n_test, zxid_mgmt, zxid_simple_ses_active_cf */
      31                 :            : int zxid_sp_mni_soap(zxid_conf* cf, zxid_cgi* cgi, zxid_ses* ses, struct zx_str* new_nym)
      32                 :          1 : {
      33                 :            :   X509* sign_cert;
      34                 :            :   EVP_PKEY* sign_pkey;
      35                 :            : 
      36                 :          1 :   zxid_get_ses_sso_a7n(cf, ses);
      37         [ -  + ]:          1 :   if (ses->a7n) {
      38                 :            :     struct zxsig_ref refs;
      39                 :            :     struct zx_root_s* r;
      40                 :            :     struct zx_e_Body_s* body;
      41                 :            :     zxid_entity* idp_meta;
      42                 :            : 
      43         [ #  # ]:          0 :     if (cf->log_level>0)
      44   [ #  #  #  #  :          0 :       zxlog(cf, 0, 0, 0, 0, 0, 0, ZX_GET_CONTENT(ses->nameid), "N", "W", "MNISOAP", ses->sid, "newnym(%.*s) loc", new_nym?new_nym->len:0, new_nym?new_nym->s:"");
          #  #  #  #  #  
                      # ]
      45                 :            :     
      46                 :          0 :     idp_meta = zxid_get_ses_idp(cf, ses);
      47         [ #  # ]:          0 :     if (!idp_meta)
      48                 :          0 :       return 0;
      49                 :            : 
      50                 :          0 :     body = zx_NEW_e_Body(cf->ctx,0);
      51                 :          0 :     body->ManageNameIDRequest = zxid_mk_mni(cf, zxid_get_user_nameid(cf, ses->nameid), new_nym, idp_meta);
      52         [ #  # ]:          0 :     if (cf->sso_soap_sign) {
      53                 :          0 :       ZERO(&refs, sizeof(refs));
      54                 :          0 :       refs.id = &body->ManageNameIDRequest->ID->g;
      55                 :          0 :       refs.canon = zx_easy_enc_elem_sig(cf, &body->ManageNameIDRequest->gg);
      56         [ #  # ]:          0 :       if (zxid_lazy_load_sign_cert_and_pkey(cf, &sign_cert, &sign_pkey, "use sign cert mni")) {
      57                 :          0 :         body->ManageNameIDRequest->Signature
      58                 :            :           = zxsig_sign(cf->ctx, 1, &refs, sign_cert, sign_pkey);
      59                 :          0 :         zx_add_kid_after_sa_Issuer(&body->ManageNameIDRequest->gg, &body->ManageNameIDRequest->Signature->gg);
      60                 :            :       }
      61                 :          0 :       zx_str_free(cf->ctx, refs.canon);
      62                 :            :     }
      63                 :          0 :     r = zxid_idp_soap(cf, cgi, ses, idp_meta, ZXID_MNI_SVC, body);
      64         [ #  # ]:          0 :     if (!zxid_saml_ok(cf, cgi, r->Envelope->Body->ManageNameIDResponse->Status, "MniResp"))
      65                 :          0 :       return 0;
      66                 :            :     /* *** Take actual steps to terminate the federation or change the name IDs */
      67                 :          0 :     return 1;
      68                 :            :   }
      69         [ -  + ]:          1 :   if (ses->a7n11) {
      70                 :          0 :     ERR("Not implemented, SAML 1.1 assetion %d", 0);
      71                 :            :   }
      72         [ -  + ]:          1 :   if (ses->a7n12) {
      73                 :          0 :     ERR("Not implemented, ID-FF 1.2 type SAML 1.1 assetion %d", 0);
      74                 :            :   }
      75                 :          1 :   ERR("Session sid(%s) lacks SSO assertion.", ses->sid);
      76                 :          1 :   return 0;
      77                 :            : }
      78                 :            : 
      79                 :            : /*() Change SPNameID (newnym supplied), or Terminate federation (newnym not supplied),
      80                 :            :  * using SAML2 HTTP redirect binding. This is the (SP) client side that contacts the IdP.
      81                 :            :  * Return the HTTP 302 redirect LOCATION header + CRLF2. Returns the URL as string to which
      82                 :            :  * the environment should cause the user (browser) to be redirected. */
      83                 :            : 
      84                 :            : /* Called by:  zxid_mgmt, zxid_simple_ses_active_cf */
      85                 :            : struct zx_str* zxid_sp_mni_redir(zxid_conf* cf, zxid_cgi* cgi, zxid_ses* ses, struct zx_str* new_nym)
      86                 :          0 : {
      87                 :          0 :   zxid_get_ses_sso_a7n(cf, ses);
      88         [ #  # ]:          0 :   if (ses->a7n) {
      89                 :            :     struct zx_sp_ManageNameIDRequest_s* r;
      90                 :            :     struct zx_str* rs;
      91                 :            :     struct zx_str* loc;
      92                 :            :     zxid_entity* idp_meta;
      93                 :            : 
      94         [ #  # ]:          0 :     if (cf->log_level>0)
      95   [ #  #  #  #  :          0 :       zxlog(cf, 0, 0, 0, 0, 0, 0, ZX_GET_CONTENT(ses->nameid), "N", "W", "MNIREDIR", ses->sid, "newnym(%.*s)", new_nym?new_nym->len:0, new_nym?new_nym->s:"");
          #  #  #  #  #  
                      # ]
      96                 :            :     
      97                 :          0 :     idp_meta = zxid_get_ses_idp(cf, ses);
      98         [ #  # ]:          0 :     if (!idp_meta)
      99                 :          0 :       return zx_dup_str(cf->ctx, "* ERR");
     100                 :            : 
     101                 :          0 :     loc = zxid_idp_loc(cf, cgi, ses, idp_meta, ZXID_MNI_SVC, SAML2_REDIR);
     102         [ #  # ]:          0 :     if (!loc)
     103                 :          0 :       return zx_dup_str(cf->ctx, "* ERR");
     104                 :          0 :     r = zxid_mk_mni(cf, zxid_get_user_nameid(cf, ses->nameid), new_nym, 0);
     105                 :          0 :     r->Destination = zx_ref_len_attr(cf->ctx, &r->gg, zx_Destination_ATTR, loc->len, loc->s);
     106                 :          0 :     rs = zx_easy_enc_elem_opt(cf, &r->gg);
     107   [ #  #  #  # ]:          0 :     D("NIReq(%.*s)", rs->len, rs->s);
     108                 :          0 :     return zxid_saml2_redir(cf, loc, rs, 0);
     109                 :            :   }
     110         [ #  # ]:          0 :   if (ses->a7n11) {
     111                 :          0 :     ERR("Not implemented, SAML 1.1 assetion %d", 0);
     112                 :            :   }
     113         [ #  # ]:          0 :   if (ses->a7n12) {
     114                 :          0 :     ERR("Not implemented, ID-FF 1.2 type SAML 1.1 assetion %d", 0);
     115                 :            :   }
     116                 :          0 :   ERR("Session sid(%s) lacks SSO assertion.", ses->sid);
     117                 :          0 :   return zx_dup_str(cf->ctx, "* ERR");
     118                 :            : }
     119                 :            : 
     120                 :            : /*() Process <ManageNameIDRequest>, presumably received from IdP. This is very rarely
     121                 :            :  * used. */
     122                 :            : 
     123                 :            : /* Called by:  zxid_idp_soap_dispatch, zxid_mni_do_ss, zxid_sp_soap_dispatch */
     124                 :            : struct zx_sp_ManageNameIDResponse_s* zxid_mni_do(zxid_conf* cf, zxid_cgi* cgi, zxid_ses* ses, struct zx_sp_ManageNameIDRequest_s* mni)
     125                 :          1 : {
     126                 :            :   zxid_nid* nid;
     127                 :            :   struct zx_str* newnym;
     128                 :            :   
     129         [ -  + ]:          1 :   if (!zxid_chk_sig(cf, cgi, ses, &mni->gg, mni->Signature, mni->Issuer, 0, "ManageNameIDRequest"))
     130                 :          0 :     return 0;
     131                 :            :   
     132                 :          1 :   nid = zxid_decrypt_nameid(cf, mni->NameID, mni->EncryptedID);
     133   [ +  -  +  -  :          1 :   if (!ZX_GET_CONTENT(nid)) {
                   -  + ]
     134                 :          0 :     ERR("MNI failed: request does not have NameID. %p", nid);
     135                 :          0 :     return 0;
     136                 :            :   }
     137                 :            :   
     138   [ -  +  #  #  :          1 :   newnym = zxid_decrypt_newnym(cf, ZX_GET_CONTENT(mni->NewID), mni->NewEncryptedID);
                   #  # ]
     139         [ -  + ]:          1 :   if (!newnym) {
     140   [ #  #  #  # ]:          0 :     D("MNI Terminate %d",0);
     141                 :            :   } else {
     142   [ -  +  #  # ]:          1 :     D("MNI Change newnym(%.*s)", newnym->len, newnym->s);
     143                 :          1 :     zxid_user_change_nameid(cf, nid, newnym);
     144                 :            :   }
     145                 :          1 :   return zxid_mk_mni_resp(cf, zxid_OK(cf,0), &mni->ID->g);
     146                 :            : }
     147                 :            : 
     148                 :            : /*() Wrapper for zxid_mni_do(), which see. */
     149                 :            : 
     150                 :            : /* Called by:  a7n_test, zxid_idp_dispatch, zxid_sp_dispatch */
     151                 :            : struct zx_str* zxid_mni_do_ss(zxid_conf* cf, zxid_cgi* cgi, zxid_ses* ses, struct zx_sp_ManageNameIDRequest_s* mni, struct zx_str* loc)
     152                 :          1 : {
     153                 :            :   struct zx_sp_ManageNameIDResponse_s* res;
     154                 :          1 :   res = zxid_mk_mni_resp(cf, zxid_OK(cf,0), &mni->ID->g);
     155                 :          1 :   res = zxid_mni_do(cf, cgi, ses, mni);
     156                 :          1 :   res->Destination = zx_ref_len_attr(cf->ctx, &res->gg, zx_Destination_ATTR, loc->len, loc->s);
     157                 :          1 :   return zx_easy_enc_elem_opt(cf, &res->gg);
     158                 :            : }
     159                 :            : 
     160                 :            : /* EOF  --  zxidmni.c */

Generated by: LCOV version 1.9