Possibility to configure subjectConfirmation notOnOrAfter (#737)

11 years ago · b4bda626de
parent 757ac6f15d
commit b4bda626de
5 changed files with 43 additions and 20 deletions
--- a/lemonldap-ng-common/lib/Lemonldap/NG/Common/Conf/SubAttributes.pm
+++ b/lemonldap-ng-common/lib/Lemonldap/NG/Common/Conf/SubAttributes.pm
@ -207,6 +207,13 @@ has 'samlSPMetaDataOptionsNameIDFormat' => (
    documentation => 'SAML SP option NameID format',
 );

+has 'samlSPMetaDataOptionsNotOnOrAfterTimeout' => (
+    is            => 'rw',
+    isa           => 'Int',
+    default       => '72000',
+    documentation => 'SAML SP option notOnOrAfter timeout',
+);
+
 has 'samlSPMetaDataOptionsOneTimeUse' => (
    is            => 'rw',
    isa           => 'Bool',
--- a/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/_Struct.pm
+++ b/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/_Struct.pm
@ -203,7 +203,7 @@ sub cstruct {

                        samlSPMetaDataOptionsAuthnResponse => {
                            _nodes => [
-                                qw(samlSPMetaDataOptionsNameIDFormat samlSPMetaDataOptionsNameIDSessionKey samlSPMetaDataOptionsOneTimeUse samlSPMetaDataOptionsSessionNotOnOrAfterTimeout)
+                                qw(samlSPMetaDataOptionsNameIDFormat samlSPMetaDataOptionsNameIDSessionKey samlSPMetaDataOptionsOneTimeUse samlSPMetaDataOptionsSessionNotOnOrAfterTimeout samlSPMetaDataOptionsNotOnOrAfterTimeout)
                            ],

                            samlSPMetaDataOptionsNameIDFormat =>
@ -215,6 +215,8 @@ sub cstruct {
 "bool:/samlSPMetaDataOptions/$k2/samlSPMetaDataOptionsOneTimeUse",
                            samlSPMetaDataOptionsSessionNotOnOrAfterTimeout =>
 "int:/samlSPMetaDataOptions/$k2/samlSPMetaDataOptionsSessionNotOnOrAfterTimeout",
+                            samlSPMetaDataOptionsNotOnOrAfterTimeout =>
+"int:/samlSPMetaDataOptions/$k2/samlSPMetaDataOptionsNotOnOrAfterTimeout",
                        },

                        samlSPMetaDataOptionsSignature => {
--- a/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/_i18n.pm
+++ b/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/_i18n.pm
@ -478,13 +478,14 @@ sub en {
        samlSPMetaDataOptionsNameIDSessionKey => 'Force NameID session key',
        samlSPMetaDataOptionsSessionNotOnOrAfterTimeout =>
          'sessionNotOnOrAfter duration',
-        samlServiceMetaData         => 'SAML 2 Service',
-        samlEntityID                => 'Entity Identifier',
-        samlOrganization            => 'Organization',
-        samlOrganizationDisplayName => 'Display Name',
-        samlOrganizationName        => 'Name',
-        samlOrganizationURL         => 'URL',
-        samlSPSSODescriptor         => 'Service Provider',
+        samlSPMetaDataOptionsNotOnOrAfterTimeout => 'notOnOrAfter duration',
+        samlServiceMetaData                      => 'SAML 2 Service',
+        samlEntityID                             => 'Entity Identifier',
+        samlOrganization                         => 'Organization',
+        samlOrganizationDisplayName              => 'Display Name',
+        samlOrganizationName                     => 'Name',
+        samlOrganizationURL                      => 'URL',
+        samlSPSSODescriptor                      => 'Service Provider',
        samlSPSSODescriptorAuthnRequestsSigned =>
          'Signed Authentication Request',
        samlSPSSODescriptorWantAssertionsSigned => 'Want Assertions Signed',
@ -992,13 +993,14 @@ sub fr {
          "Forcer la clé de session NameID",
        samlSPMetaDataOptionsSessionNotOnOrAfterTimeout =>
          'Durée sessionNotOnOrAfter',
-        samlServiceMetaData         => 'Service SAML 2',
-        samlEntityID                => 'Identifiant d\'entité',
-        samlOrganization            => 'Organisation',
-        samlOrganizationDisplayName => 'Nom affiché',
-        samlOrganizationName        => 'Nom',
-        samlOrganizationURL         => 'URL',
-        samlSPSSODescriptor         => 'Fournisseur de service',
+        samlSPMetaDataOptionsNotOnOrAfterTimeout => 'Durée notOnOrAfter',
+        samlServiceMetaData                      => 'Service SAML 2',
+        samlEntityID                             => 'Identifiant d\'entité',
+        samlOrganization                         => 'Organisation',
+        samlOrganizationDisplayName              => 'Nom affiché',
+        samlOrganizationName                     => 'Nom',
+        samlOrganizationURL                      => 'URL',
+        samlSPSSODescriptor                      => 'Fournisseur de service',
        samlSPSSODescriptorAuthnRequestsSigned =>
          'Requêtes d\'authentification signées',
        samlSPSSODescriptorWantAssertionsSigned =>
--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/IssuerDBSAML.pm
+++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/IssuerDBSAML.pm
@ -1478,8 +1478,18 @@ sub issuerForAuthUser {

            $self->lmLog( "Authentication context is $authn_context", 'debug' );

+            # Get SP options notOnOrAfterTimeout
+            my $notOnOrAfterTimeout =
+              $self->{samlSPMetaDataOptions}->{$spConfKey}
+              ->{samlSPMetaDataOptionsNotOnOrAfterTimeout};
+
            # Build Assertion
-            unless ( $self->buildAssertion( $login, $authn_context ) ) {
+            unless (
+                $self->buildAssertion(
+                    $login, $authn_context, $notOnOrAfterTimeout
+                )
+              )
+            {
                $self->lmLog( "Unable to build assertion", 'error' );
                return PE_SAML_SSO_ERROR;
            }
--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/_SAML.pm
+++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/_SAML.pm
@ -22,7 +22,7 @@ use URI;                   # Get metadata URL path
 #inherits Lemonldap::NG::Common::Conf::SAML::Metadata protected service_metadata

 our @ISA     = (qw(Lemonldap::NG::Portal::_Browser));
-our $VERSION = '1.4.0';
+our $VERSION = '1.4.1';
 our $samlCache;
 our $initGlibDone;

@ -1056,17 +1056,19 @@ sub buildArtifactMsg {
    return $self->checkLassoError($@);
 }

-## @method boolean buildAssertion(Lasso::Login login, string authn_context)
+## @method boolean buildAssertion(Lasso::Login login, string authn_context, int notOnOrAfterTimeout)
 # Build assertion
 # @param login Lasso::Login object
 # @param authn_context SAML2 authentication context
+# @param notOnOrAfterTimeout Timeout to apply to notOnOrAfter
 # @return boolean result
 sub buildAssertion {
-    my ( $self, $login, $authn_context ) = splice @_;
+    my ( $self, $login, $authn_context, $notOnOrAfterTimeout ) = splice @_;
+    $notOnOrAfterTimeout ||= $self->{timeout};

    # Dates
    my $time                    = $self->{sessionInfo}->{_utime} || time();
-    my $timeout                 = $time + $self->{timeout};
+    my $timeout                 = $time + $notOnOrAfterTimeout;
    my $authenticationInstant   = $self->timestamp2samldate($time);
    my $reauthenticateOnOrAfter = $self->timestamp2samldate($timeout);
    my $notBefore               = $authenticationInstant;