168 lines
5.6 KiB
Groovy
168 lines
5.6 KiB
Groovy
import groovy.xml.XmlSlurper
|
|
import groovy.xml.slurpersupport.GPathResult
|
|
import groovy.xml.slurpersupport.NodeChild
|
|
|
|
import java.util.zip.Inflater
|
|
import java.util.zip.InflaterInputStream
|
|
|
|
/**
|
|
* Gets the value of the Referer header.
|
|
* If the header is missing the fallback is returned
|
|
*
|
|
* This method is used when SAML IDP / Dispatch Error Redirect is not set
|
|
*
|
|
* @param fallback - value to return if the Referer header is missing
|
|
* @return value of header or fallback
|
|
*/
|
|
def getReferer(String fallback) {
|
|
return request.getHttpHeader('Referer') ?: fallback
|
|
}
|
|
|
|
def redirect(String url) {
|
|
outargs.put('nevis.transfer.type', 'redirect')
|
|
outargs.put('nevis.transfer.destination', url)
|
|
}
|
|
|
|
/**
|
|
* Extracts the content of the Issuer element from a parsed SAML message.
|
|
* The Issuer is optional according to SAML specification but we need it for dispatching.
|
|
*
|
|
* @param xml - as parsed by Groovy XmlSlurper
|
|
* @return text content of Issuer element converted or null
|
|
*/
|
|
String getIssuer(GPathResult xml) {
|
|
return xml.depthFirst().find { GPathResult node -> {
|
|
node.name().endsWith(":Issuer") || node.name().equalsIgnoreCase("Issuer")
|
|
}
|
|
}?.text()
|
|
}
|
|
|
|
String getIssuer(String value) {
|
|
if (value == null) {
|
|
return
|
|
}
|
|
String text
|
|
byte[] decoded
|
|
def parser = new XmlSlurper()
|
|
// if value is raw xml then continue otherwise try to parse the base64 encoding
|
|
if (value.startsWith("<")) {
|
|
text = new String(value)
|
|
}
|
|
else {
|
|
decoded = value.decodeBase64()
|
|
text = new String(decoded)
|
|
LOG.info("received SAML request $value")
|
|
}
|
|
|
|
// after decoded, if redirect binding, we need to parse string to xml
|
|
if (text.startsWith("<")) {
|
|
LOG.debug("assuming POST/SOAP binding")
|
|
// plain String (POST/SOAP parameter)
|
|
def xml = parser.parseText(text)
|
|
return getIssuer(xml)
|
|
}
|
|
else {
|
|
LOG.debug("assuming redirect binding")
|
|
// should be deflate encoded (query parameter)
|
|
def is = new InflaterInputStream(new ByteArrayInputStream(decoded), new Inflater(true))
|
|
def xml = parser.parse(is)
|
|
return getIssuer(xml)
|
|
}
|
|
}
|
|
|
|
def dispatchIssuer(i2s, String issuer) {
|
|
def result = i2s.get(issuer)
|
|
if (result == null) {
|
|
LOG.info("No SP found for issuer '$issuer'. Hint: check SAML SP Connector patterns.")
|
|
}
|
|
|
|
// dispatch different idp if artifact binding is enabled
|
|
if(parameters.get('epdMode') == 'artifact' && result == 'epd'){
|
|
LOG.debug("EPD: Artifact mode")
|
|
result = result + "_artifact"
|
|
}else{
|
|
LOG.debug("EPD: POST mode")
|
|
}
|
|
response.setResult(result)
|
|
session.put("saml.inbound.issuer", issuer)
|
|
session.put('saml.idp.result', result) // remember decision for sub-sequent requests without a SAML message
|
|
|
|
}
|
|
|
|
def dispatchMessage(i2s, String message) {
|
|
def issuer = getIssuer(message)
|
|
if (issuer == null) {
|
|
LOG.info("No issuer found in incoming SAML message. Giving up.")
|
|
}
|
|
session.put("saml.inbound.issuer", issuer)
|
|
dispatchIssuer(i2s, issuer)
|
|
}
|
|
|
|
if (parameters.get('logoutConfirmation') == 'true' && "stepup" == request.getMethod()) {
|
|
String url = request.currentResource
|
|
def path = new URL(url).getPath()
|
|
if (path.endsWith("/logout")) {
|
|
// next AuthState will show a logout confirmation GUI
|
|
response.setResult('confirm')
|
|
return
|
|
}
|
|
}
|
|
|
|
// ensure session exists
|
|
if (request.getSession(false) == null) {
|
|
session = request.getSession(true).getData()
|
|
}
|
|
|
|
// issuer (any case) -> ResultCond name
|
|
def i2s = new TreeMap<String, String>(String.CASE_INSENSITIVE_ORDER)
|
|
|
|
|
|
i2s.put(parameters.get('atb'), 'main')
|
|
i2s.put(parameters.get('epd_atb'), 'epd')
|
|
|
|
if (parameters.get('spInitiated') == 'true' && inargs.containsKey('SAMLRequest')) { // SP-initiated authentication
|
|
LOG.debug("found SAMLRequest parameter for SP-initiated authentication")
|
|
String message = inargs.get('SAMLRequest')
|
|
dispatchMessage(i2s, message)
|
|
return
|
|
}
|
|
|
|
if (inargs.containsKey('SAMLResponse')) { // response to IDP-initiated SAML Logout
|
|
LOG.debug("found SAMLResponse parameter")
|
|
String message = inargs.get('SAMLResponse')
|
|
dispatchMessage(i2s, message)
|
|
return
|
|
}
|
|
|
|
if (parameters.get('spInitiated') == 'true' && inargs.containsKey('soapheader')) { // SP-initiated SOAP with soapheader
|
|
LOG.debug("found soapheader parameter for SP-initiated")
|
|
String message = inargs.get('soapheader')
|
|
dispatchMessage(i2s, message)
|
|
return
|
|
}
|
|
|
|
if (parameters.get('spInitiated') == 'true' && inargs.containsKey('')) { // SP-initiated SOAP with empty
|
|
LOG.debug("found empty parameter for SP-initiated SOAP message")
|
|
String message = inargs.get('')
|
|
dispatchMessage(i2s, message)
|
|
return
|
|
}
|
|
|
|
String issuer = inargs['Issuer'] ?: inargs['issuer']
|
|
if (parameters.get('idpInitiated') == 'true' && issuer != null) { // IDP-initiated authentication
|
|
LOG.debug("found Issuer parameter for IDP-initiated authentication")
|
|
dispatchIssuer(i2s, issuer)
|
|
return
|
|
}
|
|
|
|
// used as fallback in case of ?logout (we need an IdentityProviderState)
|
|
if (inargs.containsKey("logout") && session.containsKey('saml.idp.result')) {
|
|
def result = session.get('saml.idp.result')
|
|
LOG.debug("dispatching to last used ResultCond: $result")
|
|
response.setResult(result)
|
|
return
|
|
}
|
|
|
|
def location = getReferer('/')
|
|
LOG.info("Unable to dispatch request. Giving up and redirecting (back) to $location")
|
|
redirect(location) |