SAML: add an IDP option to force attribute value in UTF-8 (#72)

15 years ago · c0edd943db
parent 6964b09eb2
commit c0edd943db
5 changed files with 26 additions and 7 deletions
--- a/modules/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/_Struct.pm
+++ b/modules/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/_Struct.pm
@ -60,7 +60,7 @@ sub cstruct {
                      . ":samlIDPMetaDataXML:filearea",
                    samlIDPMetaDataOptions => {
                        _nodes => [
-                            qw(samlIDPMetaDataOptionsNameIDFormat samlIDPMetaDataOptionsForceAuthn samlIDPMetaDataOptionsIsPassive samlIDPMetaDataOptionsAllowProxiedAuthn samlIDPMetaDataOptionsSSOBinding samlIDPMetaDataOptionsSLOBinding samlIDPMetaDataOptionsResolutionRule samlIDPMetaDataOptionsAllowLoginFromIDP samlIDPMetaDataOptionsAdaptSessionUtime samlIDPMetaDataOptionsSignSSOMessage samlIDPMetaDataOptionsCheckSSOMessageSignature samlIDPMetaDataOptionsSignSLOMessage samlIDPMetaDataOptionsCheckSLOMessageSignature samlIDPMetaDataOptionsRequestedAuthnContext)
+                            qw(samlIDPMetaDataOptionsNameIDFormat samlIDPMetaDataOptionsForceAuthn samlIDPMetaDataOptionsIsPassive samlIDPMetaDataOptionsAllowProxiedAuthn samlIDPMetaDataOptionsSSOBinding samlIDPMetaDataOptionsSLOBinding samlIDPMetaDataOptionsResolutionRule samlIDPMetaDataOptionsAllowLoginFromIDP samlIDPMetaDataOptionsAdaptSessionUtime samlIDPMetaDataOptionsSignSSOMessage samlIDPMetaDataOptionsCheckSSOMessageSignature samlIDPMetaDataOptionsSignSLOMessage samlIDPMetaDataOptionsCheckSLOMessageSignature samlIDPMetaDataOptionsRequestedAuthnContext samlIDPMetaDataOptionsForceUTF8)
                        ],
                        samlIDPMetaDataOptionsNameIDFormat =>
 "text:/samlIDPMetaDataOptions/$k2/samlIDPMetaDataOptionsNameIDFormat"
@ -94,6 +94,8 @@ sub cstruct {
                        samlIDPMetaDataOptionsRequestedAuthnContext =>
 "text:/samlIDPMetaDataOptions/$k2/samlIDPMetaDataOptionsRequestedAuthnContext"
                          . ":default:authnContextParams",
+                        samlIDPMetaDataOptionsForceUTF8 =>
+"bool:/samlIDPMetaDataOptions/$k2/samlIDPMetaDataOptionsForceUTF8",
                    },
                }
            }
@ -1303,6 +1305,7 @@ sub defaultConf {
        samlIDPMetaDataOptionsSignSLOMessage           => '1',
        samlIDPMetaDataOptionsCheckSLOMessageSignature => '1',
        samlIDPMetaDataOptionsRequestedAuthnContext    => '',
+        samlIDPMetaDataOptionsForceUTF8                => '0',
        samlSPMetaDataOptionsNameIDFormat              => '',
        samlSPMetaDataOptionsOneTimeUse                => '0',
        samlSPMetaDataOptionsSignSSOMessage            => '1',
--- a/modules/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/_i18n.pm
+++ b/modules/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/_i18n.pm
@ -246,6 +246,7 @@ sub en {
        samlIDPMetaDataOptionsResolutionRule => 'Resolution rule',
        samlIDPMetaDataOptionsRequestedAuthnContext =>
          'Requested authentication context',
+        samlIDPMetaDataOptionsForceUTF8     => 'Force UTF-8',
        samlSPMetaDataNode               => 'SAML service providers',
        samlSPMetaDataXML                => 'Metadata',
        samlSPMetaDataExportedAttributes => 'Exported attributes',
@ -516,6 +517,7 @@ sub fr {
        samlIDPMetaDataOptionsResolutionRule => 'Règle de résolution',
        samlIDPMetaDataOptionsRequestedAuthnContext =>
          'Contexte d\'authentification demandé',
+        samlIDPMetaDataOptionsForceUTF8     => 'Forcer l\'UTF-8',
        samlSPMetaDataNode               => 'Fournisseurs de service SAML',
        samlSPMetaDataXML                => 'Metadonnées',
        samlSPMetaDataExportedAttributes => 'Attributs exportés',
--- a/modules/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/AuthSAML.pm
+++ b/modules/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/AuthSAML.pm
@ -984,6 +984,11 @@ sub setAuthSessionInfo {
        return PE_ERROR;
    }

+    # Force UTF-8
+    my $force_utf8 =
+      $self->{samlIDPMetaDataOptions}->{$idpConfKey}
+      ->{samlIDPMetaDataOptionsForceUTF8};
+
    # Try to get attributes if attribute statement is present in assertion
    my $attr_statement = $assertion->AttributeStatement();
    if ($attr_statement) {
@ -1006,7 +1011,7 @@ sub setAuthSessionInfo {
            # Try to get value
            my $value =
              $self->getAttributeValue( $name, $format, $friendly_name,
-                \@attributes );
+                \@attributes, $force_utf8 );

            # Store value in sessionInfo
            $self->{sessionInfo}->{$_} = $value if defined $value;
--- a/modules/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/UserDBSAML.pm
+++ b/modules/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/UserDBSAML.pm
@ -42,9 +42,15 @@ sub setSessionInfo {
    my $server = $self->{_lassoServer};
    my $login  = $self->{_lassoLogin};
    my $idp    = $self->{_idp};
+    my $idpConfKey = $self->{_idpConfKey};

    my $exportedAttr;

+    # Force UTF-8
+    my $force_utf8 =
+      $self->{samlIDPMetaDataOptions}->{$idpConfKey}
+      ->{samlIDPMetaDataOptionsForceUTF8};
+
    # Get all required attributes, not already set
    # in setAuthSessionInfo()
    foreach ( keys %{ $self->{samlIDPMetaDataExportedAttributes}->{$idp} } ) {
@ -121,7 +127,7 @@ sub setSessionInfo {

        # Try to get value
        my $value = $self->getAttributeValue( $name, $format, $friendly_name,
-            \@response_attributes );
+            \@response_attributes, $force_utf8 );

        unless ($value) {
            $self->lmLog(
--- a/modules/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/_SAML.pm
+++ b/modules/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/_SAML.pm
@ -1010,15 +1010,18 @@ sub getAssertion {
    return $assertion;
 }

-## @method string getAttributeValue(string name, string format, string friendly_name, array_ref attributes)
+## @method string getAttributeValue(string name, string format, string friendly_name, array_ref attributes, boolean force_utf8)
 # Get SAML attribute value corresponding to name, format and friendly_name
 # Multivaluated values are separated by multiValuesSeparator
+# If force_utf8 flag is set, value is encoded in UTF-8
 # @param name SAML attribute name
 # @param format optional SAML attribute format
 # @param friendly_name optional SAML attribute friendly name
+# @param force_utf8 optional flag to force value in UTF-8
 # @return attribute value
 sub getAttributeValue {
-    my ( $self, $name, $format, $friendly_name, $attributes ) = splice @_;
+    my ( $self, $name, $format, $friendly_name, $attributes, $force_utf8 ) =
+      splice @_;
    my $value;

    # Loop on attributes
@ -1045,8 +1048,8 @@ sub getAttributeValue {
        }
        $value =~ s/\Q$self->{multiValuesSeparator}\E$//;

-        # Force UTF-8
-        $value = encode( "utf-8", $value );
+        # Encode UTF-8 if force_utf8 flag
+        $value = encode( "utf8", $value ) if $force_utf8;

    }