forked from russellhaering/gosaml2
-
Notifications
You must be signed in to change notification settings - Fork 5
/
build_logout_response.go
158 lines (133 loc) · 5.21 KB
/
build_logout_response.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
// Copyright 2016 Russell Haering et al.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// https://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package saml2
import (
"bytes"
"encoding/base64"
"html/template"
"github.com/beevik/etree"
"github.com/mattermost/gosaml2/uuid"
)
func (sp *SAMLServiceProvider) buildLogoutResponse(statusCodeValue string, reqID string, includeSig bool) (*etree.Document, error) {
logoutResponse := &etree.Element{
Space: "samlp",
Tag: "LogoutResponse",
}
logoutResponse.CreateAttr("xmlns:samlp", "urn:oasis:names:tc:SAML:2.0:protocol")
logoutResponse.CreateAttr("xmlns:saml", "urn:oasis:names:tc:SAML:2.0:assertion")
arId := uuid.NewV4()
logoutResponse.CreateAttr("ID", "_"+arId.String())
logoutResponse.CreateAttr("Version", "2.0")
logoutResponse.CreateAttr("IssueInstant", sp.Clock.Now().UTC().Format(issueInstantFormat))
logoutResponse.CreateAttr("Destination", sp.IdentityProviderSLOURL)
logoutResponse.CreateAttr("InResponseTo", reqID)
// NOTE(russell_h): In earlier versions we mistakenly sent the IdentityProviderIssuer
// in the AuthnRequest. For backwards compatibility we will fall back to that
// behavior when ServiceProviderIssuer isn't set.
if sp.ServiceProviderIssuer != "" {
logoutResponse.CreateElement("saml:Issuer").SetText(sp.ServiceProviderIssuer)
} else {
logoutResponse.CreateElement("saml:Issuer").SetText(sp.IdentityProviderIssuer)
}
status := logoutResponse.CreateElement("samlp:Status")
statusCode := status.CreateElement("samlp:StatusCode")
statusCode.CreateAttr("Value", statusCodeValue)
doc := etree.NewDocument()
// Only POST binding includes <Signature> in <AuthnRequest> (includeSig)
if includeSig {
signed, err := sp.SignLogoutResponse(logoutResponse)
if err != nil {
return nil, err
}
doc.SetRoot(signed)
} else {
doc.SetRoot(logoutResponse)
}
return doc, nil
}
func (sp *SAMLServiceProvider) BuildLogoutResponseDocument(status string, reqID string) (*etree.Document, error) {
return sp.buildLogoutResponse(status, reqID, true)
}
func (sp *SAMLServiceProvider) BuildLogoutResponseDocumentNoSig(status string, reqID string) (*etree.Document, error) {
return sp.buildLogoutResponse(status, reqID, false)
}
func (sp *SAMLServiceProvider) SignLogoutResponse(el *etree.Element) (*etree.Element, error) {
ctx := sp.SigningContext()
sig, err := ctx.ConstructSignature(el, true)
if err != nil {
return nil, err
}
ret := el.Copy()
var children []etree.Token
children = append(children, ret.Child[0]) // issuer is always first
children = append(children, sig) // next is the signature
children = append(children, ret.Child[1:]...) // then all other children
ret.Child = children
return ret, nil
}
func (sp *SAMLServiceProvider) buildLogoutResponseBodyPostFromDocument(relayState string, doc *etree.Document) ([]byte, error) {
respBuf, err := doc.WriteToBytes()
if err != nil {
return nil, err
}
encodedRespBuf := base64.StdEncoding.EncodeToString(respBuf)
var tmpl *template.Template
var rv bytes.Buffer
if relayState != "" {
tmpl = template.Must(template.New("saml-post-form").Parse(`<html>` +
`<form method="post" action="{{.URL}}" id="SAMLResponseForm">` +
`<input type="hidden" name="SAMLResponse" value="{{.SAMLResponse}}" />` +
`<input type="hidden" name="RelayState" value="{{.RelayState}}" />` +
`<input id="SAMLSubmitButton" type="submit" value="Continue" />` +
`</form>` +
`<script>document.getElementById('SAMLSubmitButton').style.visibility='hidden';</script>` +
`<script>document.getElementById('SAMLResponseForm').submit();</script>` +
`</html>`))
data := struct {
URL string
SAMLResponse string
RelayState string
}{
URL: sp.IdentityProviderSLOURL,
SAMLResponse: encodedRespBuf,
RelayState: relayState,
}
if err = tmpl.Execute(&rv, data); err != nil {
return nil, err
}
} else {
tmpl = template.Must(template.New("saml-post-form").Parse(`<html>` +
`<form method="post" action="{{.URL}}" id="SAMLResponseForm">` +
`<input type="hidden" name="SAMLResponse" value="{{.SAMLResponse}}" />` +
`<input id="SAMLSubmitButton" type="submit" value="Continue" />` +
`</form>` +
`<script>document.getElementById('SAMLSubmitButton').style.visibility='hidden';</script>` +
`<script>document.getElementById('SAMLResponseForm').submit();</script>` +
`</html>`))
data := struct {
URL string
SAMLResponse string
}{
URL: sp.IdentityProviderSLOURL,
SAMLResponse: encodedRespBuf,
}
if err = tmpl.Execute(&rv, data); err != nil {
return nil, err
}
}
return rv.Bytes(), nil
}
func (sp *SAMLServiceProvider) BuildLogoutResponseBodyPostFromDocument(relayState string, doc *etree.Document) ([]byte, error) {
return sp.buildLogoutResponseBodyPostFromDocument(relayState, doc)
}