1 /* $Id$ * * Lasso - A free implementation of the Liberty Alliance specifications.
2 *
3 * Copyright (C) 2004-2007 Entr'ouvert
4 * http://lasso.entrouvert.org
5 *
6 * Authors: See AUTHORS file in top-level directory.
7 *
8 * This program is free software; you can redistribute it and/or modify
9 * it under the terms of the GNU General Public License as published by
10 * the Free Software Foundation; either version 2 of the License, or
11 * (at your option) any later version.
12 *
13 * This program is distributed in the hope that it will be useful,
14 * but WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 * GNU General Public License for more details.
17 *
18 * You should have received a copy of the GNU General Public License
19 * along with this program; if not, see <http://www.gnu.org/licenses/>.
20 */
21
22 /**
23 * SECTION:logout
24 * @short_description: Single Logout Profile
25 *
26 * This profile Send logout notifications between providers. Any receiving provider must retransmit
27 * the notification to any other providers with which it shares the current identity by any means
28 * supported by the two, that is any provider federated with the current provider. There can be
29 * partial failures if no binding can be found to notify a federating partner or if a partner fails
30 * to respond.
31 *
32 * <para>It is generally advised to apply the local logout transaction before sending a logout request to
33 * a partner. In short:
34 * <itemizedlist>
35 * <listitem><para>an identity provider receiving a logout request should kill the local
36 * session before sending logout request to other service provider and proxyied identity
37 * providers.</para></listitem>
38 * <listitem><para>a service provider intitiating a logout request must first kill its local session,
39 * then proceeds with the logout exchange with its identity provider</para></listitem>
40 * </itemizedlist></para>
41 *
42 * <para>The following examples must not be used 'as-is' they lack most of the error checking code
43 * that is needed for a secured and robust program, but they give an idea of how to use the
44 * API</para>
45 *
46 * <example>
47 * <title>Service Provider Initiated Logout</title>
48 * <programlisting>
49 * LassoLogout *logout;
50 * char *session_dump; // must contain the session dump
51 * // for the current user
52 * int rc; // hold return codes
53 * char *soap_response;
54 *
55 * LassoHttpMethod method; // method to use, LASSO_HTTP_METHOD_REDIRECT,
56 * // LASSO_HTTP_METHOD_POST or LASSO_HTTP_METHOD_SOAP,
57 * // other methods are rarely supported
58 *
59 * logout = lasso_logout_new(server);
60 * lasso_profile_set_session_from_dump(&logout->parent, session_dump);
61 * // the second argument can be NULL, lasso_logout_init_request() will automatically choose the
62 * // identity provider from the first assertion int the session
63 * rc = lasso_logout_init_request(logout, "http://identity-provider-id/",
64 * method);
65 * if (rc != 0) {
66 * ... // handle errors, most of them are related to bad initialization
67 * // or unsupported binding
68 * }
69 * rc = lasso_logout_build_request_msg(logout);
70 * if (rc != 0) {
71 * ... // handle errors, most of them are related to bad initialization
72 * // or impossibility to build the query string (missing private keys for signing)
73 * }
74 *
75 * // now send the request
76 * switch (method) {
77 * case LASSO_HTTP_METHOD_REDIRECT:
78 * // LASSO_PROFILE(logout)->msg_url contains the URL where the
79 * // User Agent must be redirected
80 * ...
81 * // save the session and logout object, and store them attached to the RequestID of the
82 * // request, you will need them for handling the response
83 * session_dump = lasso_node_dump((LassoNode*)logout->parent.session);
84 * logout_dump = lasso_node_dump((LassoNode*)logout);
85 * break;
86 * case LASSO_HTTP_METHOD_POST:
87 * // you must build a form with a field name SAMLRequest (SAML 2.0) or LAREQ (ID-FF 1.2)
88 * // with the content of LASSO_PROFILE(logout)->msg_body
89 * // posting to the address LASSO_PROFILE(logout)->msg_url
90 * ...
91 * // save the session and logout object, and store them attached to the RequestID of the
92 * // request, you will need them for handling the response
93 * session_dump = lasso_node_dump((LassoNode*)logout->parent.session);
94 * logout_dump = lasso_node_dump((LassoNode*)logout);
95 * break;
96 * case LASSO_HTTP_SOAP:
97 * // makes a SOAP call, soap_call is NOT a Lasso function
98 * soap_response = soap_call(login->parent.msg_url, login->parent.msg_body);
99 * rc = lasso_logout_process_response_msg(logout, soap_response);
100 * if (rc != 0) {
101 * // handle errors, important ones are LASSO_LOGOUT_ERROR_UNSUPPORTED_PROFILE meaning
102 * // that one other service provider of the current session cannot be contacted by the
103 * // identity provider with the current binding, for example it only accept REDIRECT
104 * (asynchronous-binding) or
105 * // POST an we are using SOAP (synchronous-binding).
106 * ...
107 * }
108 * // everything is ok save the session
109 * session_dump = lasso_node_dump(logout->parent.session);
110 * // nothing to save because you killed the local session already
111 * break;
112 * default:
113 * // other binding neither are frequent or largely supported
114 * // so report an error
115 * break;
116 * }
117 * </programlisting>
118 * </example>
119 *
120 * <para>The next example show the endpoint for handling response to request with asynchronous
121 * binding (POST and Redirect).</para>
122 *
123 * <example>
124 * <title>Service Provider Logout Request Endpoint</title>
125 * <programlisting>
126 * LassoLogout *logout;
127 * char *request_method = getenv("REQUEST_METHOD");
128 *
129 * logout = lasso_logout_new(server);
130 *
131 * if (strcmp(request_method, "GET") == 0) {
132 * char query_string = getenv("QUERY_STRING");
133 * rc = lasso_logout_process_response_msg(logout, query_string);
134 * } elif (strcmp(request_method, "POST") == 0) {
135 * char *message;
136 * // message should contain the content of LARES or SAMLResponse fied, depending if this is an
137 * // ID-FF 1.2 or SAML 2.0 service.
138 * rc = lasso_logout_process_response_msg(logout, message);
139 * }
140 * if (rc != 0) {
141 * // handle errors, as we are already unlogged, those must go to a log file or audit trail,
142 * // because at this time the user do not care anymore. A report about a failure to logout to
143 * // the IdP can be eventually shown.
144 * ...
145 * }
146 * </programlisting>
147 * </example>
148 *
149 * <para>The next snippet show how to implement a logout endpoint, to receive a logout request and
150 * respond.</para>
151 *
152 * <example>
153 * <title>Service Provider Logout Request Endpoint</title>
154 * <programlisting>
155 * LassoLogout *logout;
156 * char *session_dump;
157 * char *request_method = getenv("REQUEST_METHOD");
158 * int rc;
159 * int method;
160 *
161 * logout = lasso_logout_new(server);
162 * // server must be previously initialized, it can be kept around
163 * // and used for many transaction, it is never modified by any profile
164 * if (strcmp(request_method. "GET") == 0) {
165 * method = LASSO_HTTP_METHOD_REDIRECT;
166 * char query_string = getenv("QUERY_STRING");
167 * rc = lasso_logout_process_request_msg(logout, query_string);
168 * if (rc != 0) {
169 * // handle errors
170 * ...
171 * }
172 * } else if (strcmp(request_method, "POST") == 0) {
173 * char *message;
174 * // read submitted content if this is a form, put LAREQ or SAMLRequest field into message and
175 * set method to LASSO_HTTP_METHOD_POST
176 * // if content type is application/xml then put the full body of the POST inside message and
177 * // set method to LASSO_HTTP_METHOD_SOAP
178 * rc = lasso_logout_process_request_msg(logout, message);
179 * if (rc != 0) {
180 * // handle errors
181 * ...
182 * }
183 * }
184 * protocolProfile = lasso_provider_get_protocol_conformance(LASSO_PROVIDER(server));
185 * if (protocolProfile == LASSO_LIBERTY_1_2) {
186 * char *session_index;
187 * LassoSamlNameIdentifier *name_id;
188 * LibLogoutRequest *logout_request;
189 *
190 * logout_request = LIB_LOGOUT_REQUEST(LASSO_PROFILE(logout)->request);
191 * session_index = logout_request->SessionIndex;
192 * name_id = logout_request->NameIdentifier;
193 * // lookup the session dump using session_index and name_id
194 * } else if (protocolProfile == LASSO_SAML_2_0) {
195 * char *session_index;
196 * LassoSaml2NameID *name_id;
197 * LassoSamlp2LogoutRequest *logout_request;
198 *
199 * logout_request = LASSO_SAMLP2_LOGOUT_REQUEST(LASSO_PROFILE(logout)->request);
200 * session_index = logout_request->SessionIndex;
201 * name_id = logout_request->NameID;
202 * // lookup the session dump using session_index and name_id
203 * }
204 * lasso_profile_set_session_from_dump(LASSO_PROFILE(logout), session_dump);
205 * // you can check other property of the request here if you want
206 * //
207 * if (request is accepted) {
208 * rc = lasso_logout_validate_request(logout);
209 * if (rc != 0) {
210 * // handle errors..
211 * ...
212 * } else {
213 * .... // kill the local session
214 * // if local server is an identity provider, then traverse the session using
215 * // lasso_logout_get_next_providerID() and send logout request to all logged
216 * // service providers.
217 * }
218 * }
219 * // if lasso_logout_validate_request() was not called this will automatically create a Failure
220 * // response.
221 * rc = lasso_logout_build_response_msg(logout);
222 * if (rc != 0) {
223 * // handle errors..
224 * ...
225 * }
226 * // the response is produced with the same binding as the request
227 * // see the previous request example for how to send the response
228 * // the only change is for SOAP, you just need to print the msg_body as page content with a
229 * // Content-type of application/xml.
230 * </programlisting>
231 * </example>
232 */
233
234 #include "../xml/private.h"
235 #include "../xml/lib_authentication_statement.h"
236
237 #include "logout.h"
238 #include "logoutprivate.h"
239
240 #include "profileprivate.h"
241 #include "providerprivate.h"
242 #include "sessionprivate.h"
243
244 #include "../saml-2.0/logoutprivate.h"
245 #include "../utils.h"
246
247 static void check_soap_support(gchar *key, LassoProvider *provider, LassoProfile *profile);
248
249 /*****************************************************************************/
250 /* public methods */
251 /*****************************************************************************/
252
253 /**
254 * lasso_logout_build_request_msg:
255 * @logout: a #LassoLogout
256 *
257 * Builds the logout request message.
258 *
259 * It gets the HTTP method retrieved to send the request and:
260 * <itemizedlist>
261 * <listitem><para>
262 * if it is a SOAP method, then it builds the logout request SOAP message,
263 * sets the msg_body attribute, gets the single logout service url and sets
264 * @msg_url in the logout object.
265 * </para></listitem>
266 * <listitem><para>
267 * if it is a HTTP-Redirect method, then it builds the logout request QUERY
268 * message, builds the logout request url, sets @msg_url in the logout
269 * request url, sets @msg_body to NULL.
270 * </para></listitem>
271 * </itemizedlist>
272 *
273 * If private key and certificate are set in server object it will also signs
274 * the message (either with X509 if SOAP or with a simple signature for query
275 * strings).
276 *
277 * Return value: 0 on success; or a negative value otherwise.
278 **/
279 lasso_error_t
lasso_logout_build_request_msg(LassoLogout * logout)280 lasso_logout_build_request_msg(LassoLogout *logout)
281 {
282 LassoProfile *profile = NULL;
283 LassoProvider *remote_provider = NULL;
284 char *url = NULL;
285 char *query = NULL;
286 lasso_error_t rc = 0;
287
288 lasso_bad_param(LOGOUT, logout);
289
290 profile = LASSO_PROFILE(logout);
291 lasso_profile_clean_msg_info(profile);
292
293 IF_SAML2(profile) {
294 return lasso_saml20_logout_build_request_msg(logout);
295 }
296
297 if (profile->remote_providerID == NULL) {
298 /* it means lasso_logout_init_request was not called before */
299 goto_cleanup_with_rc(LASSO_PROFILE_ERROR_MISSING_REMOTE_PROVIDERID);
300 }
301
302 /* get remote provider */
303 remote_provider = lasso_server_get_provider(profile->server, profile->remote_providerID);
304 if (LASSO_IS_PROVIDER(remote_provider) == FALSE) {
305 goto_cleanup_with_rc(LASSO_SERVER_ERROR_PROVIDER_NOT_FOUND);
306 }
307
308 /* build the logout request message */
309 if (logout->initial_http_request_method == LASSO_HTTP_METHOD_SOAP) {
310 /* build the logout request message */
311 lasso_assign_new_string(profile->msg_url, lasso_provider_get_metadata_one(
312 remote_provider, "SoapEndpoint"));
313 /* FIXME: private key file is not owned by the request ? That is potentially a
314 * problem if the server life does not exceed the request */
315 lasso_check_good_rc(lasso_server_set_signature_for_provider_by_name(logout->parent.server,
316 profile->remote_providerID, profile->request));
317 lasso_assign_new_string(profile->msg_body,
318 lasso_node_export_to_soap(profile->request));
319 } else if (logout->initial_http_request_method == LASSO_HTTP_METHOD_REDIRECT) {
320 /* build and optionally sign the logout request QUERY message */
321 url = lasso_provider_get_metadata_one(remote_provider,
322 "SingleLogoutServiceURL");
323 if (url == NULL)
324 goto_cleanup_with_rc(LASSO_PROFILE_ERROR_UNKNOWN_PROFILE_URL);
325 lasso_check_good_rc(lasso_server_export_to_query_for_provider_by_name(profile->server,
326 profile->remote_providerID, profile->request, &query));
327 if (query == NULL)
328 goto_cleanup_with_rc(LASSO_PROFILE_ERROR_BUILDING_QUERY_FAILED);
329 /* build the msg_url */
330 lasso_assign_new_string(profile->msg_url, lasso_concat_url_query(url, query));
331 lasso_release_string(profile->msg_body);
332 } else {
333 goto_cleanup_with_rc(LASSO_PROFILE_ERROR_INVALID_HTTP_METHOD);
334 }
335 cleanup:
336 lasso_release(url);
337 lasso_release(query);
338 return rc;
339 }
340
341
342 /**
343 * lasso_logout_build_response_msg:
344 * @logout: a #LassoLogout
345 *
346 * Builds the logout response message.
347 *
348 * It gets the request message method and:
349 * <itemizedlist>
350 * <listitem><para>
351 * if it is a SOAP method, then it builds the logout response SOAP message,
352 * sets the msg_body attribute, gets the single logout service return url
353 * and sets @msg_url in the logout object.
354 * </para></listitem>
355 * <listitem><para>
356 * if it is a HTTP-Redirect method, then it builds the logout response QUERY message,
357 * builds the logout response url, sets @msg_url with the logout response url,
358 * sets @msg_body to NULL
359 * </para></listitem>
360 * </itemizedlist>
361 *
362 * If private key and certificate are set in server object it will also signs
363 * the message (either with X509 if SOAP or with a simple signature for query
364 * strings).
365 *
366 * Return value: 0 on success; or a negative value otherwise.
367 **/
368 lasso_error_t
lasso_logout_build_response_msg(LassoLogout * logout)369 lasso_logout_build_response_msg(LassoLogout *logout)
370 {
371 LassoProfile *profile = NULL;
372 LassoProvider *provider = NULL;
373 gchar *url = NULL;
374 gchar *query = NULL;
375 lasso_error_t rc = 0;
376
377 lasso_bad_param(LOGOUT, logout);
378 profile = &logout->parent;
379 lasso_profile_clean_msg_info(profile);
380
381 if (! profile->private_data || ! logout->private_data) {
382 return LASSO_PARAM_ERROR_NON_INITIALIZED_OBJECT;
383 }
384
385 IF_SAML2(profile) {
386 return lasso_saml20_logout_build_response_msg(logout);
387 }
388
389 if (profile->response == NULL) {
390 if (profile->http_request_method == LASSO_HTTP_METHOD_SOAP) {
391 lasso_assign_new_gobject(profile->response,
392 lasso_lib_logout_response_new_full(
393 LASSO_PROVIDER(profile->server)->ProviderID,
394 LASSO_SAML_STATUS_CODE_REQUEST_DENIED,
395 LASSO_LIB_LOGOUT_REQUEST(profile->request),
396 profile->server->certificate ?
397 LASSO_SIGNATURE_TYPE_WITHX509 :
398 LASSO_SIGNATURE_TYPE_SIMPLE,
399 LASSO_SIGNATURE_METHOD_RSA_SHA1));
400 } else if (profile->http_request_method == LASSO_HTTP_METHOD_REDIRECT) {
401 lasso_assign_new_gobject(profile->response,
402 lasso_lib_logout_response_new_full(
403 LASSO_PROVIDER(profile->server)->ProviderID,
404 LASSO_SAML_STATUS_CODE_REQUEST_DENIED,
405 LASSO_LIB_LOGOUT_REQUEST(profile->request),
406 LASSO_SIGNATURE_TYPE_NONE,
407 0));
408 }
409 }
410
411 if (profile->remote_providerID == NULL || profile->response == NULL) {
412 /* no remote provider id set or no response set, this means
413 * this function got called before validate_request, probably
414 * because there were no active session */
415 goto_cleanup_with_rc(LASSO_SERVER_ERROR_PROVIDER_NOT_FOUND);
416 }
417
418 /* Set the RelayState */
419 lasso_assign_string(LASSO_LIB_STATUS_RESPONSE(profile->response)->RelayState,
420 profile->msg_relayState);
421
422 /* build logout response message */
423 if (profile->http_request_method == LASSO_HTTP_METHOD_SOAP) {
424 lasso_release_string(profile->msg_url);
425 lasso_check_good_rc(lasso_server_set_signature_for_provider_by_name(logout->parent.server,
426 profile->remote_providerID, profile->response));
427 lasso_assign_new_string(profile->msg_body,
428 lasso_node_export_to_soap(profile->response));
429 } else if (profile->http_request_method == LASSO_HTTP_METHOD_REDIRECT) {
430 lasso_release_string(profile->msg_body);
431 provider = lasso_server_get_provider(profile->server, profile->remote_providerID);
432 if (provider == NULL)
433 goto_cleanup_with_rc(LASSO_SERVER_ERROR_PROVIDER_NOT_FOUND);
434
435 url = lasso_provider_get_metadata_one(provider, "SingleLogoutServiceReturnURL");
436 if (url == NULL)
437 goto_cleanup_with_rc(LASSO_PROFILE_ERROR_UNKNOWN_PROFILE_URL);
438 lasso_check_good_rc(lasso_server_export_to_query_for_provider_by_name(profile->server,
439 profile->remote_providerID, profile->response, &query));
440 if (query == NULL)
441 goto_cleanup_with_rc(LASSO_PROFILE_ERROR_BUILDING_QUERY_FAILED);
442 lasso_assign_new_string(profile->msg_url, lasso_concat_url_query(url, query));
443 } else {
444 goto_cleanup_with_rc(LASSO_PROFILE_ERROR_INVALID_HTTP_METHOD);
445 }
446
447 cleanup:
448 lasso_release_string(url);
449 lasso_release_string(query);
450 return rc;
451 }
452
453 /**
454 * lasso_logout_destroy:
455 * @logout: a #LassoLogout
456 *
457 * Destroys a logout object.
458 **/
459 void
lasso_logout_destroy(LassoLogout * logout)460 lasso_logout_destroy(LassoLogout *logout)
461 {
462 lasso_node_destroy(LASSO_NODE(logout));
463 }
464
465 /**
466 * lasso_logout_get_next_providerID:
467 * @logout: a #LassoLogout
468 *
469 * Returns the provider id from providerID_index in list of providerIDs in
470 * principal session with the exception of initial service provider ID.
471 *
472 * Return value:(transfer full): a newly allocated string or NULL
473 **/
474 gchar*
lasso_logout_get_next_providerID(LassoLogout * logout)475 lasso_logout_get_next_providerID(LassoLogout *logout)
476 {
477 LassoProfile *profile;
478 gchar *providerID;
479
480 g_return_val_if_fail(LASSO_IS_LOGOUT(logout), NULL);
481 profile = LASSO_PROFILE(logout);
482
483 if (profile->session == NULL) {
484 return NULL;
485 }
486
487 providerID = lasso_session_get_provider_index(
488 profile->session, logout->providerID_index);
489 logout->providerID_index++;
490 /* if it is the provider id of the SP requester, then get the next */
491 if (logout->initial_remote_providerID && providerID &&
492 strcmp(providerID, logout->initial_remote_providerID) == 0) {
493 providerID = lasso_session_get_provider_index(
494 profile->session, logout->providerID_index);
495 logout->providerID_index++;
496 }
497
498 return providerID;
499 }
500
501 /**
502 * lasso_logout_init_request:
503 * @logout: a #LassoLogout
504 * @remote_providerID: the providerID of the identity provider. If NULL the
505 * first identity provider is used.
506 * @request_method: if set, then it get the protocol profile in metadata
507 * corresponding of this HTTP request method.
508 *
509 * Initializes a new SLO request.
510 *
511 * Return value: 0 on success; or a negative value otherwise.
512 **/
513 gint
lasso_logout_init_request(LassoLogout * logout,char * remote_providerID,LassoHttpMethod http_method)514 lasso_logout_init_request(LassoLogout *logout, char *remote_providerID,
515 LassoHttpMethod http_method)
516 {
517 LassoProfile *profile;
518 LassoProvider *remote_provider;
519 LassoSamlNameIdentifier *nameIdentifier = NULL;
520 gboolean is_http_redirect_get_method = FALSE;
521 LassoSession *session;
522 GList *name_ids = NULL;
523 GList *session_indexes = NULL;
524 LassoLibLogoutRequest *lib_logout_request = NULL;
525 LassoSamlpRequestAbstract *request_abstract = NULL;
526 int rc = 0;
527
528 g_return_val_if_fail(LASSO_IS_LOGOUT(logout), LASSO_PARAM_ERROR_BAD_TYPE_OR_NULL_OBJ);
529
530 profile = LASSO_PROFILE(logout);
531
532 /* verify if session exists */
533 session = lasso_profile_get_session(profile);
534 if (session == NULL) {
535 return critical_error(LASSO_PROFILE_ERROR_SESSION_NOT_FOUND);
536 }
537
538 /* get the remote provider id
539 If remote_providerID is NULL, then get the first remote provider id in session */
540 lasso_release(profile->remote_providerID);
541 if (remote_providerID == NULL) {
542 lasso_assign_new_string(profile->remote_providerID, lasso_session_get_provider_index(session, 0));
543 } else {
544 lasso_assign_string(profile->remote_providerID, remote_providerID);
545 }
546 if (profile->remote_providerID == NULL) {
547 goto_cleanup_with_rc(LASSO_PROFILE_ERROR_MISSING_REMOTE_PROVIDERID);
548 }
549
550 /* get the provider */
551 remote_provider = lasso_server_get_provider(profile->server, profile->remote_providerID);
552 if (LASSO_IS_PROVIDER(remote_provider) == FALSE) {
553 goto_cleanup_with_rc(LASSO_SERVER_ERROR_PROVIDER_NOT_FOUND);
554 }
555
556 IF_SAML2(profile) {
557 return lasso_saml20_logout_init_request(logout, remote_provider, http_method);
558 }
559
560 name_ids = lasso_session_get_name_ids(session, profile->remote_providerID);
561 if (! name_ids) {
562 goto_cleanup_with_rc(LASSO_PROFILE_ERROR_MISSING_NAME_IDENTIFIER);
563 }
564 nameIdentifier = name_ids->data;
565 lasso_assign_gobject(profile->nameIdentifier, nameIdentifier);
566 session_indexes = lasso_session_get_session_indexes(session,
567 profile->remote_providerID, profile->nameIdentifier);
568
569 /* get / verify http method */
570 if (http_method == LASSO_HTTP_METHOD_ANY) {
571 http_method = lasso_provider_get_first_http_method(
572 LASSO_PROVIDER(profile->server),
573 remote_provider,
574 LASSO_MD_PROTOCOL_TYPE_SINGLE_LOGOUT);
575 /* XXX: check it found a valid http method */
576 } else {
577 if (lasso_provider_accept_http_method(LASSO_PROVIDER(profile->server),
578 remote_provider,
579 LASSO_MD_PROTOCOL_TYPE_SINGLE_LOGOUT,
580 http_method,
581 TRUE) == FALSE) {
582 if (http_method == LASSO_HTTP_METHOD_REDIRECT) {
583 /* it was probably used as last resort, and
584 * failed, since the remote provider doesn't
585 * support any logout. remove assertion
586 * unconditionnaly. */
587 lasso_session_remove_assertion(session,
588 profile->remote_providerID);
589 if (logout->initial_remote_providerID && logout->initial_request) {
590 lasso_assign_string(profile->remote_providerID,
591 logout->initial_remote_providerID);
592 lasso_assign_new_gobject(profile->response, lasso_lib_logout_response_new_full(
593 LASSO_PROVIDER(profile->server)->ProviderID,
594 LASSO_SAML_STATUS_CODE_SUCCESS,
595 LASSO_LIB_LOGOUT_REQUEST(logout->initial_request),
596 LASSO_SIGNATURE_TYPE_NONE,
597 0));
598 }
599 }
600 goto_cleanup_with_rc(LASSO_PROFILE_ERROR_UNSUPPORTED_PROFILE);
601 }
602 }
603
604 /* build a new request object from http method */
605 if (http_method == LASSO_HTTP_METHOD_SOAP) {
606 lib_logout_request = (LassoLibLogoutRequest*)lasso_lib_logout_request_new_full(
607 LASSO_PROVIDER(profile->server)->ProviderID,
608 nameIdentifier,
609 profile->server->certificate ?
610 LASSO_SIGNATURE_TYPE_WITHX509 : LASSO_SIGNATURE_TYPE_SIMPLE,
611 LASSO_SIGNATURE_METHOD_RSA_SHA1);
612 } else { /* http_method == LASSO_HTTP_METHOD_REDIRECT */
613 is_http_redirect_get_method = TRUE;
614 lib_logout_request = (LassoLibLogoutRequest*)lasso_lib_logout_request_new_full(
615 LASSO_PROVIDER(profile->server)->ProviderID,
616 nameIdentifier,
617 LASSO_SIGNATURE_TYPE_NONE,
618 0);
619 }
620 request_abstract = &lib_logout_request->parent;
621
622 if (lasso_provider_get_protocol_conformance(remote_provider) < LASSO_PROTOCOL_LIBERTY_1_2) {
623 request_abstract->MajorVersion = 1;
624 request_abstract->MinorVersion = 1;
625 }
626
627 lasso_lib_logout_request_set_session_indexes(lib_logout_request, session_indexes);
628 lasso_assign_string(lib_logout_request->RelayState, profile->msg_relayState);
629
630 /* if logout request from a SP and if an HTTP Redirect/GET method, then remove assertion */
631 if (remote_provider->role == LASSO_PROVIDER_ROLE_IDP && is_http_redirect_get_method) {
632 lasso_session_remove_assertion(session, profile->remote_providerID);
633 }
634
635 /* Save the http method */
636 logout->initial_http_request_method = http_method;
637 lasso_assign_gobject(profile->request, lib_logout_request);
638 cleanup:
639 lasso_release_gobject(lib_logout_request);
640 lasso_release_list_of_strings(session_indexes);
641 lasso_release_list_of_gobjects(name_ids);
642 return rc;
643 }
644
645 /**
646 * lasso_logout_process_request_msg:
647 * @logout: a #LassoLogout
648 * @request_msg: the logout request message
649 *
650 * Processes a SLO LogoutRequest message. Rebuilds a request object from the
651 * message and optionally verifies its signature.
652 *
653 * Return value: 0 on success; or a negative value otherwise.
654 **/
655 gint
lasso_logout_process_request_msg(LassoLogout * logout,char * request_msg)656 lasso_logout_process_request_msg(LassoLogout *logout, char *request_msg)
657 {
658 LassoProfile *profile;
659 LassoProvider *remote_provider;
660 LassoMessageFormat format;
661 LassoLibLogoutRequest *logout_request;
662
663 g_return_val_if_fail(LASSO_IS_LOGOUT(logout), LASSO_PARAM_ERROR_BAD_TYPE_OR_NULL_OBJ);
664 g_return_val_if_fail(request_msg != NULL, LASSO_PARAM_ERROR_INVALID_VALUE);
665
666 profile = LASSO_PROFILE(logout);
667
668 IF_SAML2(profile) {
669 return lasso_saml20_logout_process_request_msg(logout, request_msg);
670 }
671
672 lasso_assign_new_gobject(profile->request, lasso_lib_logout_request_new());
673 format = lasso_node_init_from_message(LASSO_NODE(profile->request), request_msg);
674 if (format == LASSO_MESSAGE_FORMAT_UNKNOWN || format == LASSO_MESSAGE_FORMAT_ERROR || ! LASSO_IS_LIB_LOGOUT_REQUEST(profile->request)) {
675 return critical_error(LASSO_PROFILE_ERROR_INVALID_MSG);
676 }
677
678 logout_request = LASSO_LIB_LOGOUT_REQUEST(profile->request);
679
680 /* Validate some schema constraints */
681 if (logout_request->ProviderID == NULL
682 || LASSO_IS_SAML_NAME_IDENTIFIER(logout_request->NameIdentifier) == FALSE) {
683 return critical_error(LASSO_PROFILE_ERROR_INVALID_MSG);
684 }
685 lasso_assign_string(profile->msg_relayState,
686 logout_request->RelayState);
687 lasso_assign_string(profile->remote_providerID,
688 logout_request->ProviderID);
689
690 remote_provider = lasso_server_get_provider(profile->server, profile->remote_providerID);
691 if (LASSO_IS_PROVIDER(remote_provider) == FALSE) {
692 return critical_error(LASSO_SERVER_ERROR_PROVIDER_NOT_FOUND);
693 }
694
695 /* verify signatures */
696 profile->signature_status = lasso_provider_verify_signature(
697 remote_provider, request_msg, "RequestID", format);
698
699 switch (format) {
700 case LASSO_MESSAGE_FORMAT_SOAP:
701 profile->http_request_method = LASSO_HTTP_METHOD_SOAP;
702 break;
703 case LASSO_MESSAGE_FORMAT_QUERY:
704 profile->http_request_method = LASSO_HTTP_METHOD_REDIRECT;
705 break;
706 default:
707 return critical_error(LASSO_PROFILE_ERROR_INVALID_MSG);
708 }
709
710 lasso_assign_gobject(profile->nameIdentifier,
711 LASSO_NODE(logout_request->NameIdentifier));
712
713 return profile->signature_status;
714 }
715
716
717 /**
718 * lasso_logout_process_response_msg:
719 * @logout: a #LassoLogout
720 * @response_msg: the response message
721 *
722 * Parses the response message and builds the response object.
723 *
724 * Checks the status code value and if it is not success, then if the local
725 * provider is a Service Provider and response method is SOAP, then builds a
726 * new logout request message for HTTP Redirect / GET method and returns the
727 * error code LASSO_LOGOUT_ERROR_UNSUPPORTED_PROFILE.
728 *
729 * If it is a SOAP method or, IDP type and http method is Redirect/GET,
730 * then removes assertion.
731 *
732 * If local server is an Identity Provider and if there is no more assertion
733 * (Identity Provider has logged out every Service Providers), then restores
734 * the initial response.
735 *
736 * Return value: 0 on success; or a negative value otherwise.
737 **/
738 lasso_error_t
lasso_logout_process_response_msg(LassoLogout * logout,gchar * response_msg)739 lasso_logout_process_response_msg(LassoLogout *logout, gchar *response_msg)
740 {
741 LassoProfile *profile = NULL;
742 LassoProvider *remote_provider = NULL;
743 char *statusCodeValue = NULL;
744 LassoHttpMethod response_method;
745 LassoMessageFormat format;
746 LassoLibStatusResponse *response = NULL;
747 lasso_error_t rc = 0;
748 gchar *url = NULL;
749 gchar *query = NULL;
750
751
752 lasso_bad_param(LOGOUT, logout);
753 lasso_null_param(response_msg);
754 profile = &logout->parent;
755
756 IF_SAML2(profile) {
757 return lasso_saml20_logout_process_response_msg(logout, response_msg);
758 }
759
760 lasso_assign_new_gobject(profile->response, lasso_lib_logout_response_new());
761 format = lasso_node_init_from_message(LASSO_NODE(profile->response), response_msg);
762
763 switch (format) {
764 case LASSO_MESSAGE_FORMAT_SOAP:
765 response_method = LASSO_HTTP_METHOD_SOAP;
766 break;
767 case LASSO_MESSAGE_FORMAT_QUERY:
768 response_method = LASSO_HTTP_METHOD_REDIRECT;
769 break;
770 default:
771 goto_cleanup_with_rc(LASSO_PROFILE_ERROR_INVALID_MSG);
772 }
773
774 /* get the RelayState */
775 lasso_assign_string(profile->msg_relayState,
776 LASSO_LIB_STATUS_RESPONSE(profile->response)->RelayState);
777 /* get provider */
778 lasso_assign_string(profile->remote_providerID,
779 LASSO_LIB_STATUS_RESPONSE(profile->response)->ProviderID);
780 if (profile->remote_providerID == NULL)
781 goto_cleanup_with_rc(LASSO_PROFILE_ERROR_MISSING_REMOTE_PROVIDERID);
782 remote_provider = lasso_server_get_provider(profile->server, profile->remote_providerID);
783 if (LASSO_IS_PROVIDER(remote_provider) == FALSE)
784 goto_cleanup_with_rc(LASSO_SERVER_ERROR_PROVIDER_NOT_FOUND);
785
786 /* verify signature */
787 rc = lasso_provider_verify_signature(remote_provider, response_msg, "ResponseID", format);
788 if (rc == LASSO_DS_ERROR_SIGNATURE_NOT_FOUND) {
789 /* This message SHOULD be signed.
790 * -- draft-liberty-idff-protocols-schema-1.2-errata-v2.0.pdf - p38
791 */
792 debug("No signature on logout response");
793 rc = 0;
794 } else {
795 goto cleanup;
796 }
797
798 response = LASSO_LIB_STATUS_RESPONSE(profile->response);
799
800 if (response->Status == NULL || response->Status->StatusCode == NULL
801 || response->Status->StatusCode->Value == NULL) {
802 goto_cleanup_with_rc(LASSO_PROFILE_ERROR_MISSING_STATUS_CODE);
803 }
804 statusCodeValue = response->Status->StatusCode->Value;
805
806 if (strcmp(statusCodeValue, LASSO_SAML_STATUS_CODE_SUCCESS) != 0) {
807 /* At SP, if the request method was a SOAP type, then rebuild the request
808 * message with HTTP method */
809
810 /* takes lower-level StatusCode if available */
811 if (response->Status->StatusCode && response->Status->StatusCode->StatusCode)
812 statusCodeValue = response->Status->StatusCode->StatusCode->Value;
813
814 if (lasso_strisequal(statusCodeValue, LASSO_LIB_STATUS_CODE_UNSUPPORTED_PROFILE) &&
815 remote_provider->role == LASSO_PROVIDER_ROLE_IDP &&
816 logout->initial_http_request_method == LASSO_HTTP_METHOD_SOAP) {
817 /* Build and optionally sign the logout request QUERY message */
818 lasso_release(profile->msg_body);
819 url = lasso_provider_get_metadata_one(remote_provider,
820 "SingleLogoutServiceURL");
821 if (url == NULL)
822 goto_cleanup_with_rc(LASSO_PROFILE_ERROR_UNKNOWN_PROFILE_URL);
823
824 lasso_check_good_rc(lasso_server_export_to_query_for_provider_by_name(profile->server,
825 profile->remote_providerID, profile->request,
826 &query));
827 if (query == NULL)
828 goto_cleanup_with_rc(LASSO_PROFILE_ERROR_BUILDING_QUERY_FAILED);
829 lasso_assign_new_string(profile->msg_url, lasso_concat_url_query(url, query));
830
831 /* send a HTTP Redirect / GET method, so first remove session */
832 lasso_session_remove_assertion(
833 profile->session, profile->remote_providerID);
834
835 goto_cleanup_with_rc(LASSO_LOGOUT_ERROR_UNSUPPORTED_PROFILE);
836 } else if (lasso_strisequal(statusCodeValue, LASSO_SAML_STATUS_CODE_REQUEST_DENIED)) {
837 /* assertion no longer on idp so removing it locally too */
838 lasso_session_remove_assertion(
839 profile->session, profile->remote_providerID);
840 goto_cleanup_with_rc(LASSO_LOGOUT_ERROR_REQUEST_DENIED);
841 } else if (lasso_strisequal(statusCodeValue,
842 LASSO_LIB_STATUS_CODE_FEDERATION_DOES_NOT_EXIST)) {
843 /* how could this happen ? probably error in SP */
844 /* let's remove the assertion nevertheless */
845 lasso_session_remove_assertion(
846 profile->session, profile->remote_providerID);
847 goto_cleanup_with_rc(LASSO_LOGOUT_ERROR_FEDERATION_NOT_FOUND);
848 }
849 error("Status code is not success : %s", statusCodeValue);
850 goto_cleanup_with_rc(LASSO_PROFILE_ERROR_STATUS_NOT_SUCCESS);
851 }
852
853
854 /* if SOAP method or, if IDP provider type and HTTP Redirect, then remove assertion */
855 if ( response_method == LASSO_HTTP_METHOD_SOAP ||
856 (remote_provider->role == LASSO_PROVIDER_ROLE_SP &&
857 response_method == LASSO_HTTP_METHOD_REDIRECT) ) {
858 lasso_session_remove_assertion(profile->session, profile->remote_providerID);
859 }
860
861 /* If at IDP and if there is no more assertion, IDP has logged out
862 * every SPs, return the initial response to initial SP. Caution: We
863 * can't use the test (remote_provider->role == LASSO_PROVIDER_ROLE_SP)
864 * to know whether the server is acting as an IDP or a SP, because it
865 * can be a proxy. So we have to use the role of the initial remote
866 * provider instead.
867 */
868 if (logout->initial_remote_providerID &&
869 lasso_session_count_assertions(profile->session) <= 0) {
870 remote_provider = lasso_server_get_provider(profile->server, profile->remote_providerID);
871 if (remote_provider->role == LASSO_PROVIDER_ROLE_SP) {
872 lasso_transfer_string(profile->remote_providerID,
873 logout->initial_remote_providerID);
874 lasso_transfer_gobject(profile->request, logout->initial_request);
875 lasso_transfer_gobject(profile->response, logout->initial_response);
876 }
877 }
878 cleanup:
879 lasso_release_string(url);
880 lasso_release_string(query);
881 return rc;
882 }
883
884
885 /**
886 * lasso_logout_reset_providerID_index:
887 * @logout: a #LassoLogout
888 *
889 * Reset the providerID_index attribute (set to 0).
890 *
891 * Return value: 0 on success; or a negative value otherwise.
892 **/
lasso_logout_reset_providerID_index(LassoLogout * logout)893 gint lasso_logout_reset_providerID_index(LassoLogout *logout)
894 {
895 g_return_val_if_fail(LASSO_IS_LOGOUT(logout), LASSO_PARAM_ERROR_BAD_TYPE_OR_NULL_OBJ);
896 lasso_session_init_provider_ids(LASSO_PROFILE(logout)->session);
897 logout->providerID_index = 0;
898 return 0;
899 }
900
901 /**
902 * lasso_logout_validate_request:
903 * @logout: a #LassoLogout
904 *
905 * <itemizedlist>
906 * <listitem><para>
907 * Sets the remote provider id
908 * </para></listitem>
909 * <listitem><para>
910 * Sets a logout response with status code value to success.
911 * </para></listitem>
912 * <listitem><para>
913 * Checks current signature status, if verification failed, stop processing
914 * and set the status code value to failure.
915 * </para></listitem>
916 * <listitem><para>
917 * Verifies federation and authentication.
918 * </para></listitem>
919 * <listitem><para>
920 * If the request http method is a SOAP method, then verifies every other
921 * Service Providers supports SOAP method : if not, then sets status code
922 * value to UnsupportedProfile and returns a code error with
923 * LASSO_LOGOUT_ERROR_UNSUPPORTED_PROFILE.
924 * </para></listitem>
925 * <listitem><para>
926 * Every tests are ok, then removes assertion.
927 * </para></listitem>
928 * <listitem><para>
929 * If local server is an Identity Provider and if there is more than one
930 * Service Provider (except the initial Service Provider), then saves the
931 * initial request, response and remote provider id.
932 * </para></listitem>
933 * </itemizedlist>
934 *
935 * Return value: 0 on success; or
936 * LASSO_PROFILE_ERROR_MISSING_REQUEST if no request has been found -- usually means that
937 * lasso_logout_process_request_msg was not called,
938 * LASSO_SERVER_ERROR_PROVIDER_NOT_FOUND if the requesting provider is not known to the server object,
939 * LASSO_PROFILE_ERROR_BUILDING_RESPONSE_FAILED if creation of the response object failed,
940 * LASSO_PROFILE_ERROR_NAME_IDENTIFIER_NOT_FOUND if the request do not contain a NameID element,
941 * LASSO_PROFILE_ERROR_SESSION_NOT_FOUND if the logout profile object do not contain a session
942 * object,
943 * LASSO_PROFILE_ERROR_MISSING_ASSERTION if no assertion from the requesting provider was found,
944 * LASSO_PROFILE_ERROR_IDENTITY_NOT_FOUND if the logout profile object do not contain an identity
945 * object,
946 * LASSO_PROFILE_ERROR_FEDERATION_NOT_FOUND if no federation for the requesting provider was found,
947 * LASSO_LOGOUT_ERROR_UNSUPPORTED_PROFILE if the requested HTTP method is not supported by all the
948 * remote provider of the current session.
949 *
950 **/
951 gint
lasso_logout_validate_request(LassoLogout * logout)952 lasso_logout_validate_request(LassoLogout *logout)
953 {
954 LassoProfile *profile;
955 LassoFederation *federation = NULL;
956 LassoProvider *remote_provider;
957 LassoSamlNameIdentifier *nameIdentifier;
958 LassoNode *assertion_n;
959 LassoLibLogoutRequest *logout_request = NULL;
960
961 g_return_val_if_fail(LASSO_IS_LOGOUT(logout), LASSO_PARAM_ERROR_BAD_TYPE_OR_NULL_OBJ);
962
963 profile = LASSO_PROFILE(logout);
964
965 IF_SAML2(profile) {
966 return lasso_saml20_logout_validate_request(logout);
967 }
968
969 /* verify logout request */
970 if (LASSO_IS_LIB_LOGOUT_REQUEST(profile->request) == FALSE) {
971 return LASSO_PROFILE_ERROR_MISSING_REQUEST;
972 }
973 logout_request = LASSO_LIB_LOGOUT_REQUEST(profile->request);
974
975 lasso_assign_string(profile->remote_providerID,
976 logout_request->ProviderID);
977
978 /* get the provider */
979 remote_provider = lasso_server_get_provider(profile->server, profile->remote_providerID);
980 if (LASSO_IS_PROVIDER(remote_provider) == FALSE) {
981 return critical_error(LASSO_SERVER_ERROR_PROVIDER_NOT_FOUND);
982 }
983
984 /* Set LogoutResponse */
985 lasso_release_gobject(profile->response);
986 if (profile->http_request_method == LASSO_HTTP_METHOD_SOAP) {
987 lasso_assign_new_gobject(profile->response, lasso_lib_logout_response_new_full(
988 LASSO_PROVIDER(profile->server)->ProviderID,
989 LASSO_SAML_STATUS_CODE_SUCCESS,
990 logout_request,
991 profile->server->certificate ?
992 LASSO_SIGNATURE_TYPE_WITHX509 : LASSO_SIGNATURE_TYPE_SIMPLE,
993 LASSO_SIGNATURE_METHOD_RSA_SHA1));
994 }
995 if (profile->http_request_method == LASSO_HTTP_METHOD_REDIRECT) {
996 lasso_assign_new_gobject(profile->response, lasso_lib_logout_response_new_full(
997 LASSO_PROVIDER(profile->server)->ProviderID,
998 LASSO_SAML_STATUS_CODE_SUCCESS,
999 logout_request,
1000 LASSO_SIGNATURE_TYPE_NONE,
1001 0));
1002 }
1003 if (LASSO_IS_LIB_LOGOUT_RESPONSE(profile->response) == FALSE) {
1004 return critical_error(LASSO_PROFILE_ERROR_BUILDING_RESPONSE_FAILED);
1005 }
1006
1007 /* copy the RelayState */
1008 lasso_assign_string(LASSO_LIB_STATUS_RESPONSE(profile->response)->RelayState,
1009 profile->msg_relayState);
1010
1011 /* Verify signature status, if signature is invalid, stop validation here */
1012 if (profile->signature_status != 0) {
1013 lasso_profile_set_response_status(profile,
1014 LASSO_LIB_STATUS_CODE_INVALID_SIGNATURE);
1015 return profile->signature_status;
1016 }
1017
1018 /* Get the name identifier */
1019 nameIdentifier = logout_request->NameIdentifier;
1020 if (nameIdentifier == NULL) {
1021 message(G_LOG_LEVEL_CRITICAL, "Name identifier not found in logout request");
1022 lasso_profile_set_response_status(
1023 profile, LASSO_LIB_STATUS_CODE_FEDERATION_DOES_NOT_EXIST);
1024 return LASSO_PROFILE_ERROR_NAME_IDENTIFIER_NOT_FOUND;
1025 }
1026
1027 if (profile->session == NULL) {
1028 lasso_profile_set_response_status(profile, LASSO_SAML_STATUS_CODE_REQUEST_DENIED);
1029 return critical_error(LASSO_PROFILE_ERROR_SESSION_NOT_FOUND);
1030 }
1031
1032 /* verify authentication */
1033 assertion_n = lasso_session_get_assertion(profile->session, profile->remote_providerID);
1034 if (LASSO_IS_SAML_ASSERTION(assertion_n) == FALSE) {
1035 message(G_LOG_LEVEL_WARNING, "%s has no assertion", profile->remote_providerID);
1036 lasso_profile_set_response_status(profile, LASSO_SAML_STATUS_CODE_REQUEST_DENIED);
1037 return LASSO_PROFILE_ERROR_MISSING_ASSERTION;
1038 }
1039
1040 /* If name identifier is federated, then verify federation */
1041 if (strcmp(nameIdentifier->Format, LASSO_LIB_NAME_IDENTIFIER_FORMAT_FEDERATED) == 0) {
1042 if (LASSO_IS_IDENTITY(profile->identity) == FALSE) {
1043 lasso_profile_set_response_status(profile,
1044 LASSO_LIB_STATUS_CODE_FEDERATION_DOES_NOT_EXIST);
1045 return critical_error(LASSO_PROFILE_ERROR_IDENTITY_NOT_FOUND);
1046 }
1047 federation = g_hash_table_lookup(profile->identity->federations,
1048 profile->remote_providerID);
1049 if (LASSO_IS_FEDERATION(federation) == FALSE) {
1050 lasso_profile_set_response_status(profile,
1051 LASSO_LIB_STATUS_CODE_FEDERATION_DOES_NOT_EXIST);
1052 return critical_error(LASSO_PROFILE_ERROR_FEDERATION_NOT_FOUND);
1053 }
1054
1055 if (lasso_federation_verify_name_identifier(federation,
1056 LASSO_NODE(nameIdentifier)) == FALSE) {
1057 message(G_LOG_LEVEL_WARNING, "No name identifier for %s",
1058 profile->remote_providerID);
1059 lasso_profile_set_response_status(profile,
1060 LASSO_LIB_STATUS_CODE_FEDERATION_DOES_NOT_EXIST);
1061 return LASSO_LOGOUT_ERROR_FEDERATION_NOT_FOUND;
1062 }
1063 }
1064
1065 /* if SOAP request method at IDP then verify all the remote service providers support
1066 SOAP protocol profile.
1067 If one remote authenticated principal service provider doesn't support SOAP
1068 then return UnsupportedProfile to original service provider */
1069 if (remote_provider->role == LASSO_PROVIDER_ROLE_SP &&
1070 profile->http_request_method == LASSO_HTTP_METHOD_SOAP) {
1071
1072 logout->private_data->all_soap = TRUE;
1073 g_hash_table_foreach(profile->server->providers,
1074 (GHFunc)check_soap_support, profile);
1075
1076 if (logout->private_data->all_soap == FALSE) {
1077 lasso_profile_set_response_status(profile,
1078 LASSO_LIB_STATUS_CODE_UNSUPPORTED_PROFILE);
1079 return LASSO_LOGOUT_ERROR_UNSUPPORTED_PROFILE;
1080 }
1081 }
1082
1083 /* authentication is ok, federation is ok, propagation support is ok, remove assertion */
1084 lasso_session_remove_assertion(profile->session, profile->remote_providerID);
1085
1086 /* if at IDP and nb sp logged >= 1, then backup remote provider id,
1087 * request and response
1088 */
1089 if (remote_provider->role == LASSO_PROVIDER_ROLE_SP &&
1090 lasso_session_count_assertions(profile->session) >= 1) {
1091 lasso_transfer_string(logout->initial_remote_providerID, profile->remote_providerID);
1092 lasso_transfer_gobject(logout->initial_request, profile->request);
1093 lasso_transfer_gobject(logout->initial_response, profile->response);
1094 }
1095
1096 return 0;
1097 }
1098
1099
1100
1101 /*****************************************************************************/
1102 /* private methods */
1103 /*****************************************************************************/
1104
1105 static struct XmlSnippet schema_snippets[] = {
1106 { "InitialRequest", SNIPPET_NODE_IN_CHILD, G_STRUCT_OFFSET(LassoLogout, initial_request), NULL, NULL, NULL},
1107 { "InitialResponse", SNIPPET_NODE_IN_CHILD,
1108 G_STRUCT_OFFSET(LassoLogout, initial_response), NULL, NULL, NULL},
1109 { "InitialRemoteProviderID", SNIPPET_CONTENT,
1110 G_STRUCT_OFFSET(LassoLogout, initial_remote_providerID), NULL, NULL, NULL},
1111 { "InitialHttpRequestMethod", SNIPPET_CONTENT | SNIPPET_INTEGER,
1112 G_STRUCT_OFFSET(LassoLogout, initial_http_request_method), NULL, NULL, NULL},
1113 { "LogoutDumpVersion", SNIPPET_ATTRIBUTE, 0, NULL, NULL, NULL },
1114 /* "ProviderIdIndex" must not be dumped (since apps assume to get
1115 * it back to 0 after a restore from dump) (maybe this behaviour should
1116 * be fixed)
1117 */
1118 {NULL, 0, 0, NULL, NULL, NULL}
1119 };
1120
1121 static LassoNodeClass *parent_class = NULL;
1122
1123 static void
check_soap_support(G_GNUC_UNUSED gchar * key,LassoProvider * provider,LassoProfile * profile)1124 check_soap_support(G_GNUC_UNUSED gchar *key, LassoProvider *provider, LassoProfile *profile)
1125 {
1126 const GList *supported_profiles;
1127 LassoNode *assertion_n;
1128
1129 if (strcmp(provider->ProviderID, profile->remote_providerID) == 0)
1130 return; /* original service provider (initiated logout) */
1131
1132 assertion_n = lasso_session_get_assertion(profile->session, provider->ProviderID);
1133 if (LASSO_IS_SAML_ASSERTION(assertion_n) == FALSE) {
1134 return; /* not authenticated with this provider */
1135 }
1136
1137 supported_profiles = lasso_provider_get_metadata_list(provider,
1138 "SingleLogoutProtocolProfile");
1139 while (supported_profiles && strcmp(supported_profiles->data,
1140 LASSO_LIB_PROTOCOL_PROFILE_SLO_SP_SOAP) != 0)
1141 supported_profiles = g_list_next(supported_profiles);
1142
1143 if (supported_profiles)
1144 return; /* provider support profile */
1145
1146
1147 LASSO_LOGOUT(profile)->private_data->all_soap = FALSE;
1148 LASSO_LOGOUT(profile)->private_data->partial_logout = FALSE;
1149 }
1150
1151
1152 static xmlNode*
get_xmlNode(LassoNode * node,gboolean lasso_dump)1153 get_xmlNode(LassoNode *node, gboolean lasso_dump)
1154 {
1155 xmlNode *xmlnode;
1156 LassoLogout *logout;
1157
1158 if (! LASSO_IS_LOGOUT(node)) {
1159 return NULL;
1160 }
1161 logout = (LassoLogout*)node;
1162
1163 xmlnode = parent_class->get_xmlNode(node, lasso_dump);
1164 xmlNodeSetName(xmlnode, (xmlChar*)"Logout");
1165 xmlSetProp(xmlnode, (xmlChar*)"LogoutDumpVersion", (xmlChar*)"2");
1166 if (logout->private_data->partial_logout) {
1167 xmlSetProp(xmlnode, (xmlChar*)"PartialLogout", (xmlChar*)"true");
1168 }
1169
1170 return xmlnode;
1171 }
1172
1173 static int
init_from_xml(LassoNode * node,xmlNode * xmlnode)1174 init_from_xml(LassoNode *node, xmlNode *xmlnode)
1175 {
1176 int rc = 0;
1177
1178 rc = parent_class->init_from_xml(node, xmlnode);
1179 if (rc == 0) {
1180 xmlChar *tmp;
1181 tmp = xmlGetProp(xmlnode, (xmlChar*)"PartiaLogout");
1182 if (tmp && strcmp((char*)tmp, "true") == 0) {
1183 ((LassoLogout*)node)->private_data->partial_logout = TRUE;
1184 }
1185 lasso_release_xml_string(tmp);
1186 }
1187 return rc;
1188 }
1189
1190 /*****************************************************************************/
1191 /* overridden parent class methods */
1192 /*****************************************************************************/
1193
1194 static void
dispose(GObject * object)1195 dispose(GObject *object)
1196 {
1197 LassoLogout *logout = LASSO_LOGOUT(object);
1198 if (logout->private_data->dispose_has_run) {
1199 return;
1200 }
1201 logout->private_data->dispose_has_run = TRUE;
1202
1203 G_OBJECT_CLASS(parent_class)->dispose(object);
1204 }
1205
1206 static void
finalize(GObject * object)1207 finalize(GObject *object)
1208 {
1209 LassoLogout *logout = LASSO_LOGOUT(object);
1210 lasso_release(logout->private_data);
1211 G_OBJECT_CLASS(parent_class)->finalize(object);
1212 }
1213
1214 /*****************************************************************************/
1215 /* instance and class init functions */
1216 /*****************************************************************************/
1217
1218 static void
instance_init(LassoLogout * logout)1219 instance_init(LassoLogout *logout)
1220 {
1221 logout->initial_http_request_method = LASSO_HTTP_METHOD_NONE;
1222 logout->private_data = g_new0(LassoLogoutPrivate, 1);
1223 logout->private_data->dispose_has_run = FALSE;
1224 }
1225
1226 static void
class_init(LassoLogoutClass * klass,void * unused G_GNUC_UNUSED)1227 class_init(LassoLogoutClass *klass, void *unused G_GNUC_UNUSED)
1228 {
1229 LassoNodeClass *nclass = LASSO_NODE_CLASS(klass);
1230
1231 parent_class = g_type_class_peek_parent(klass);
1232 nclass->get_xmlNode = get_xmlNode;
1233 nclass->init_from_xml = init_from_xml;
1234 nclass->node_data = g_new0(LassoNodeClassData, 1);
1235 lasso_node_class_set_nodename(nclass, "Logout");
1236 lasso_node_class_set_ns(nclass, LASSO_LASSO_HREF, LASSO_LASSO_PREFIX);
1237 lasso_node_class_add_snippets(nclass, schema_snippets);
1238
1239 G_OBJECT_CLASS(klass)->dispose = dispose;
1240 G_OBJECT_CLASS(klass)->finalize = finalize;
1241 }
1242
1243 GType
lasso_logout_get_type()1244 lasso_logout_get_type()
1245 {
1246 static GType this_type = 0;
1247
1248 if (!this_type) {
1249 static const GTypeInfo this_info = {
1250 sizeof (LassoLogoutClass),
1251 NULL,
1252 NULL,
1253 (GClassInitFunc) class_init,
1254 NULL,
1255 NULL,
1256 sizeof(LassoLogout),
1257 0,
1258 (GInstanceInitFunc) instance_init,
1259 NULL
1260 };
1261
1262 this_type = g_type_register_static(LASSO_TYPE_PROFILE,
1263 "LassoLogout", &this_info, 0);
1264 }
1265 return this_type;
1266 }
1267
1268 /**
1269 * lasso_logout_new:
1270 * @server: the #LassoServer
1271 *
1272 * Creates a new #LassoLogout.
1273 *
1274 * Return value: a newly created #LassoLogout object; or NULL if an error
1275 * occured
1276 **/
1277 LassoLogout*
lasso_logout_new(LassoServer * server)1278 lasso_logout_new(LassoServer *server)
1279 {
1280 LassoLogout *logout;
1281
1282 g_return_val_if_fail(LASSO_IS_SERVER(server), NULL);
1283
1284 logout = g_object_new(LASSO_TYPE_LOGOUT, NULL);
1285 lasso_assign_gobject(LASSO_PROFILE(logout)->server, server);
1286
1287 return logout;
1288 }
1289
1290 /**
1291 * lasso_logout_new_from_dump:
1292 * @server: the #LassoServer
1293 * @dump: XML logout dump
1294 *
1295 * Restores the @dump to a new #LassoLogout.
1296 *
1297 * Return value: a newly created #LassoLogout; or NULL if an error occured
1298 **/
1299 LassoLogout*
lasso_logout_new_from_dump(LassoServer * server,const char * dump)1300 lasso_logout_new_from_dump(LassoServer *server, const char *dump)
1301 {
1302 LassoLogout *logout;
1303
1304 logout = (LassoLogout*)lasso_node_new_from_dump(dump);
1305 if (! LASSO_IS_LOGOUT(logout)) {
1306 lasso_release_gobject(logout);
1307 } else {
1308 lasso_assign_gobject(logout->parent.server, server);
1309 }
1310 return logout;
1311 }
1312
1313 /**
1314 * lasso_logout_dump:
1315 * @logout: a #LassoLogout
1316 *
1317 * Dumps @logout content to an XML string.
1318 *
1319 * Return value:(transfer full): the dump string. It must be freed by the caller.
1320 **/
1321 gchar*
lasso_logout_dump(LassoLogout * logout)1322 lasso_logout_dump(LassoLogout *logout)
1323 {
1324 return lasso_node_dump(LASSO_NODE(logout));
1325 }
1326