
Commit 60a3592

committed
testapp: only enable supported IdP logout bindings
1 parent cfc5351 commit 60a3592


5 files changed

+146
-14
lines changed


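--- a/xt/testapp/lib/Saml2Test.pm
+++ b/xt/testapp/lib/Saml2Test.pm
@@ -21,7 +21,7 @@ use URN::OASIS::SAML2 qw(:bindings :urn);
 
 our $VERSION = '0.2';
 
-get '/' => sub {
+sub load_idps {
 if ( ! -x './IdPs' ) {
 return "<html><pre>You must have a xt/testapp/IdPs directory</pre></html>";
 }
@@ -44,7 +44,17 @@ get '/' => sub {
 push @idps, \%tempidp;
 }
 
-template 'index', { 'idps' => \@idps, 'sign_metadata' => config->{sign_metadata} };
+return @idps;
+}
+
+get '/' => sub {
+my @idps = load_idps();
+
+template 'index', {
+'idps' => \@idps,
+'sign_metadata' => config->{sign_metadata},
+(defined params->{logout}) ? ('logout' => params->{logout}) : (),
+};
 };
 
 get '/login' => sub {
@@ -71,6 +81,8 @@ get '/login' => sub {
 defined (config->{is_passive}) ? (is_passive => config->{is_passive}) : (),
 );
 
+config->{slo_urls} = $idp->slo_urls();
+
 my $authnreq = $sp->authn_request(
 $idp->sso_url('urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect'),
 $idp->format || '', # default format.
@@ -85,7 +97,7 @@ get '/login' => sub {
 };
 
 get '/logout-local' => sub {
-redirect '/', 302;
+redirect '/?logout=local', 302;
 };
 
 get '/logout-redirect' => sub {
@@ -144,7 +156,7 @@ get '/logout-soap' => sub {
 );
 
 my $logoutreq = $sp->logout_request(
-$idp->entityid, params->{nameid}, $idp->format, params->{session},
+$slo_url, params->{nameid}, $idp->format || undef, params->{session},
 \%logout_params
 )->as_xml;
 
@@ -164,7 +176,19 @@ get '/logout-soap' => sub {
 
 my $res = $soap->request($logoutreq);
 
-redirect '/', 302;
+if ($res) {
+my $logout = Net::SAML2::Protocol::LogoutResponse->new_from_xml(
+xml => $res
+);
+if ($logout->success) {
+print STDERR "\nLogout Success Status - $logout->{issuer}\n";
+}
+}
+else {
+return "<html><pre>Bad Logout Response</pre></html>";
+}
+
+redirect '/?logout=SOAP', 302;
 return "Redirected\n";
 };
 
@@ -186,10 +210,14 @@ post '/consumer-post' => sub {
 my $name_qualifier = $assertion->nameid_name_qualifier();
 my $sp_name_qualifier = $assertion->nameid_sp_name_qualifier();
 
+my $slo_urls = config->{slo_urls};
+
 template 'user', {
 assertion => $assertion,
 (defined $name_qualifier ? (name_qualifier => $name_qualifier) : ()),
 (defined $sp_name_qualifier ? (sp_name_qualifier => $sp_name_qualifier) : ()),
+slo_urls => ($slo_urls ? $slo_urls : ()),
+message => 'Successful Login via POST',
 };
 }
 else {
@@ -228,13 +256,21 @@ get '/consumer-artifact' => sub {
 xml => $response
 );
 
+if ( ! $assertion->valid(config->{issuer})) {
+return '<html><pre>Bad Assertion</pre></html>';
+}
+
 my $name_qualifier = $assertion->nameid_name_qualifier();
 my $sp_name_qualifier = $assertion->nameid_sp_name_qualifier();
 
+my $slo_urls = config->{slo_urls};
+
 template 'user', {
 assertion => $assertion,
 ($name_qualifier ? (name_qualifier => $name_qualifier) : ()),
 ($sp_name_qualifier ? (sp_name_qualifier => $sp_name_qualifier) : ()),
+slo_urls => ($slo_urls ? $slo_urls : ()),
+message => 'Successful Login via SOAP',
 };
 }
 else {
@@ -255,14 +291,14 @@ get '/sls-redirect-response' => sub {
 my $logout = Net::SAML2::Protocol::LogoutResponse->new_from_xml(
 xml => $response
 );
-if ($logout->status eq 'urn:oasis:names:tc:SAML:2.0:status:Success') {
+if ($logout->success) {
 print STDERR "\nLogout Success Status - $logout->{issuer}\n";
 }
 }
 else {
 return "<html><pre>Bad Logout Response</pre></html>";
 }
-redirect $relaystate || '/', 302;
+redirect $relaystate || '/?logout=redirect', 302;
 return "Redirected\n";
 };
 
@@ -281,15 +317,57 @@ post '/sls-post-response' => sub {
 my $logout = Net::SAML2::Protocol::LogoutResponse->new_from_xml(
 xml => decode_base64(params->{SAMLResponse})
 );
-if ($logout->status eq 'urn:oasis:names:tc:SAML:2.0:status:Success') {
+if ($logout->success) {
+print STDERR "\nLogout Success Status - $logout->{issuer}\n";
+}
+}
+else {
+return "<html><pre>Bad Logout Response</pre></html>";
+}
+
+redirect "/?logout=POST", 302;
+return "Redirected\n";
+};
+
+get '/sls-consumer-artifact' => sub {
+my $idp = _idp();
+my $idp_cert = $idp->cert('signing');
+my $art_url = $idp->art_url('urn:oasis:names:tc:SAML:2.0:bindings:SOAP');
+
+my $artifact = params->{SAMLart};
+
+my $sp = _sp();
+my $request = $sp->artifact_request($art_url, $artifact)->as_xml;
+
+my $ua = LWP::UserAgent->new;
+
+require LWP::Protocol::https;
+$ua->ssl_opts( (verify_hostname => config->{ssl_verify_hostname}));
+
+my $soap = Net::SAML2::Binding::SOAP->new(
+ua => $ua,
+url => $art_url,
+key => config->{key},
+cert => config->{cert},
+idp_cert => $idp_cert,
+);
+
+my $response = $soap->request($request);
+
+if ($response) {
+my $logout = Net::SAML2::Protocol::LogoutResponse->new_from_xml(
+xml => $response,
+);
+
+if ($logout->success) {
 print STDERR "\nLogout Success Status - $logout->{issuer}\n";
 }
 }
 else {
 return "<html><pre>Bad Logout Response</pre></html>";
 }
 
-redirect '/', 302;
+redirect "/?logout=SOAP-ARTIFACT", 302;
 return "Redirected\n";
 };
 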
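Review bot: In the `template 'user'` calls of both /consumer-post and /consumer-artifact, `slo_urls => ($slo_urls ? $slo_urls : ()),` leaves a bare `slo_urls` key whenever `$slo_urls` is false, so the following `message` literal becomes its value and the hash ends with an odd number of elements; write it like the adjacent qualifier entries, `($slo_urls ? (slo_urls => $slo_urls) : ()),`. Separately, now that the IdP loop lives in `load_idps`, the `return "<html><pre>You must have a xt/testapp/IdPs directory</pre></html>";` no longer reaches the browser: the `/` route receives that string as the only element of `@idps` and hands it to the template as an IdP, so `load_idps` should `die` or return an empty list and let the route report the error. `config->{slo_urls} = $idp->slo_urls();` in /login also parks per-request IdP state in the application-wide config, which, if Dancer's `config` is the shared app hash as it appears to be, lets concurrent logins against different IdPs see each other's SLO endpoints; a session value or a lookup keyed on the chosen IdP avoids that. `load_idps` and the /login, /consumer-post and /consumer-artifact routes all extend beyond their hunks.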

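--- a/xt/testapp/public/css/style.css
+++ b/xt/testapp/public/css/style.css
@@ -1,7 +1,36 @@
-body {
+html, body {
 font-family: Lucida,sans-serif;
 color: #eee;
 background-color: #1f1b1a;
+height:100%;
+width:100%;
+margin:0;
+padding:0;
+}
+#hideMe {
+-moz-animation: cssAnimation 0s ease-in 5s forwards;
+/* Firefox */
+-webkit-animation: cssAnimation 0s ease-in 5s forwards;
+/* Safari and Chrome */
+-o-animation: cssAnimation 0s ease-in 5s forwards;
+/* Opera */
+animation: cssAnimation 0s ease-in 5s forwards;
+-webkit-animation-fill-mode: forwards;
+animation-fill-mode: forwards;
+}
+@keyframes cssAnimation {
+to {
+width:0;
+height:0;
+overflow:hidden;
+}
+}
+@-webkit-keyframes cssAnimation {
+to {
+width:0;
+height:0;
+visibility:hidden;
+}
 }
 
 #content {
@@ -13,13 +42,17 @@ body {
 }
 
 a {
-color: #a5ec02;
+color: #0066ff;
 }
 
 h1 {
 color: #a5ec02;
 }
 
+h2 {
+color: #000000;
+}
+
 footer {
 border-top: 1px solid #aba29c;
 margin-top: 2em;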

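--- a/xt/testapp/views/index.tt
+++ b/xt/testapp/views/index.tt
@@ -18,6 +18,9 @@
 </ol>
 <% end %>
 
+<% if logout %>
+<div id="hideMe"><p>Successful logout via: <% logout %></p></div>
+<% end %>
 <h2>Download SP Metadata</h2>
 
 <form action="/metadata.xml">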
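Review bot: `<% logout %>` in the new `hideMe` block is emitted unescaped although its value is whatever the `logout` query parameter carried into the `/` route, so a crafted link can place markup in the page; render it as `<% logout | html %>`, the filter user.tt already applies to `assertion.nameid`, or have the route pass through only the binding names it knows.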

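--- a/xt/testapp/views/layouts/main.tt
+++ b/xt/testapp/views/layouts/main.tt
@@ -14,4 +14,4 @@
 Powered by <a href="http://perldancer.org/">Dancer</a> 1.1811
 </footer>
 </body>
-</html>
+</html>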

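--- a/xt/testapp/views/user.tt
+++ b/xt/testapp/views/user.tt
@@ -1,11 +1,29 @@
-<h1>NameID: <% assertion.nameid %></h1>
+<h2>NameID: <% assertion.nameid %></h2>
 
+<% FOREACH type IN slo_urls.keys.sort %>
+<% slo_url = slo_urls.$type %>
+<% if type == 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect' %>
 <p><a href="/logout-redirect?nameid=<% assertion.nameid | html %>&name_qualifier=<% name_qualifier | html %>&sp_name_qualifier=<% sp_name_qualifier | html %>&session=<% assertion.session | html %>">Logout (redirect binding)</a></p>
-
+<% end %>
+<% if type == 'urn:oasis:names:tc:SAML:2.0:bindings:SOAP' %>
 <p><a href="/logout-soap?nameid=<% assertion.nameid | html %>&name_qualifier=<% name_qualifier | html %>&sp_name_qualifier=<% sp_name_qualifier | html %>&session=<% assertion.session | html %>">Logout (soap binding)</a></p>
+<% end %>
+<% if type == 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST' %>
+<p>Logout (post binding) - Unsupported</p>
+<% end %>
+<% if type == 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact' %>
+<!-- <p><a href="/logout-soap?nameid=<% assertion.nameid | html %>&name_qualifier=<% name_qualifier | html %>&sp_name_qualifier=<% sp_name_qualifier | html %>&session=<% assertion.session | html %>">Logout (soap artifact)</a></p> -->
+<p>Logout (Artifact binding) - Unsupported</p>
+<% end %>
+
+<% END %>
 
 <p><a href="/logout-local?nameid=<% assertion.nameid | html %>&name_qualifier=<% name_qualifier | html %>&sp_name_qualifier=<% sp_name_qualifier | html %>&session=<% assertion.session | html %>">Logout (local)</a></p>
 
+<% if message %>
+<div id="hideMe"><p><% message %></p></div>
+<% end %>
+
 <h2>Attributes</h2>
 
 <table>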
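Review bot: The commented-out artifact link inside the `HTTP-Artifact` branch still contains `<% … | html %>` directives, which the template engine expands before the HTML comment is sent to the browser, so the disabled markup, nameid and session values included, is rendered into the page source; drop the line or turn it into a template comment so it is not processed. The same block mixes `<% if … %>`/`<% end %>` with `<% FOREACH … %>`/`<% END %>`; one casing for directives would keep the file consistent.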
