Merge pull request #129 from timlegge/force_authn

timlegge · web-flow · commit d7abc2c93319 · 2022-11-30T15:39:27.000-05:00
Support ForceAuth and IsPassive for AuthnRequest
diff --git a/Makefile.PL b/Makefile.PL
@@ -76,7 +76,7 @@ my %WriteMakefileArgs = (
     "URI::URL" => 0,
     "XML::LibXML::XPathContext" => 0
   },
-  "VERSION" => "0.61",
+  "VERSION" => "0.62",
   "test" => {
     "TESTS" => "t/*.t t/author/*.t"
   }
diff --git a/README b/README
@@ -2,7 +2,7 @@ NAME
     Net::SAML2 - SAML2 bindings and protocol implementation
 
 VERSION
-    version 0.61
+    version 0.62
 
 SYNOPSIS
       See TUTORIAL.md for implementation documentation and
diff --git a/lib/Net/SAML2.pm b/lib/Net/SAML2.pm
@@ -1,7 +1,7 @@
 use strict;
 use warnings;
 package Net::SAML2;
-our $VERSION = "0.61";
+our $VERSION = "0.62";
 
 require 5.008_001;
 
diff --git a/lib/Net/SAML2/Binding/Redirect.pm b/lib/Net/SAML2/Binding/Redirect.pm
@@ -222,6 +222,8 @@ Accepts an optional RelayState parameter, a string which will be
 returned to the requestor when the user returns from the
 authentication process with the IdP.
 
+Returns the signed (or unsigned) URL for the SAML2 redirect
+
 =cut
 
 sub sign {
@@ -245,6 +247,9 @@ re-encodes URI-escapes in uppercase (C<%3f> becomes C<%3F>, for instance),
 which leads to signature verification failures if the other party uses lower
 case (or mixed case).
 
+Returns an ARRAY of containing the verified request and relaystate (if it exists).
+Croaks on errors.
+
 =cut
 
 sub verify {
diff --git a/lib/Net/SAML2/Protocol/AuthnRequest.pm b/lib/Net/SAML2/Protocol/AuthnRequest.pm
@@ -25,6 +25,8 @@ Net::SAML2::Protocol::AuthnRequest - SAML2 AuthnRequest object
     destination   => $destination,	# Identity Provider (IdP) SSO URL
     provider_name => $provider_name,	# Service Provider (SP) Human Readable Name
     issue_instant => DateTime->now,	# Defaults to Current Time
+    force_authn   => $force_authn,	# Force new authentication (Default: false)
+    is_passive    => $is_passive,	# IdP should not take control of UI (Default: false)
   );
 
   my $request_id = $authnreq->id;	# Store and Compare to InResponseTo
@@ -39,6 +41,8 @@ Net::SAML2::Protocol::AuthnRequest - SAML2 AuthnRequest object
     destination   => $destination,	# Identity Provider (IdP) SSO URL
     provider_name => $provider_name,	# Service Provider (SP) Human Readable Name
     issue_instant => DateTime->now,	# Defaults to Current Time
+    force_authn   => $force_authn,	# Force new authentication (Default: false)
+    is_passive    => $is_passive,	# IdP should not take control of UI (Default: false)
   );
 
 =head1 METHODS
@@ -147,6 +151,20 @@ has 'RequestedAuthnContext_Comparison' => (
     default => 'exact'
 );
 
+has 'force_authn' => (
+    isa     => 'Bool',
+    is      => 'ro',
+    required => 0,
+    predicate => 'has_force_authn',
+);
+
+has 'is_passive' => (
+    isa     => 'Bool',
+    is      => 'ro',
+    required => 0,
+    predicate => 'has_is_passive',
+);
+
 around BUILDARGS => sub {
     my $orig = shift;
     my $self = shift;
@@ -201,12 +219,15 @@ sub as_xml {
         'destination'          => 'Destination',
         'issuer_namequalifier' => 'NameQualifier',
         'issuer_format'        => 'Format',
+        'force_authn'          => 'ForceAuthn',
+        'is_passive'           => 'IsPassive',
     );
 
     my @opts = qw(
         assertion_url assertion_index protocol_binding
         attribute_index provider_name destination
-        issuer_namequalifier issuer_format
+        issuer_namequalifier issuer_format force_authn
+        is_passive
     );
 
     foreach my $opt (@opts) {
@@ -220,6 +241,9 @@ sub as_xml {
         elsif (any { $opt eq $_ } qw(issuer_namequalifier issuer_format)) {
             $issuer_attrs{ $att_map{$opt} } = $val;
         }
+        elsif (any { $opt eq $_ } qw(force_authn is_passive)) {
+            $req_atts{ $att_map{$opt} } = ( $val ? 'true' : 'false' );
+        }
         else {
             $req_atts{ $att_map{$opt} } = $val;
         }
diff --git a/lib/Net/SAML2/SP.pm b/lib/Net/SAML2/SP.pm
@@ -277,20 +277,43 @@ sub _build_cert_text {
     return $text;
 }
 
-=head2 authn_request( $destination, $nameid_format )
+=head2 authn_request( $destination, $nameid_format, %params )
 
 Returns an AuthnRequest object created by this SP, intended for the
 given destination, which should be the identity URI of the IdP.
 
+%params is a hash containing parameters valid for
+Net::SAML2::Protocol::AuthnRequest.  For example:
+
+=over
+
+my %params = (
+        force_authn => 1,
+        is_passive  => 1,
+    )
+
+my $authnreq = authn_request(
+                'https://keycloak.local:8443/realms/Foswiki/protocol/saml',
+                'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent',
+                %params
+            );
+
+=back
+
 =cut
 
 sub authn_request {
     my $self = shift;
+    my $destination     = shift;
+    my $nameid_format   = shift;
+    my (%params)        = @_;
+
     return Net::SAML2::Protocol::AuthnRequest->new(
         issueinstant  => DateTime->now,
         issuer        => $self->id,
-        destination   => $_[0],
-        nameid_format => $_[1],
+        destination   => $destination,
+        nameid_format => $nameid_format || '',
+        %params,
     );
 
 }
diff --git a/t/09-authn-request.t b/t/09-authn-request.t
@@ -44,6 +44,10 @@ test_xml_attribute_ok(
 test_xml_attribute_ok($xp,
     '/samlp:AuthnRequest/samlp:NameIDPolicy/@AllowCreate', '1');
 
+test_xml_attribute_exists($xp, '/samlp:AuthnRequest/@ForceAuthn', 0);
+
+test_xml_attribute_exists($xp, '/samlp:AuthnRequest/@IsPassive', 0);
+
 my $signer = Net::SAML2::XML::Sig->new({
     key => 't/sign-nopw-cert.pem',
     cert => 't/sign-nopw-cert.pem',
@@ -56,4 +60,91 @@ ok($signed);
 
 my $verify = $signer->verify($signed);
 ok($verify);
+
+$ar = Net::SAML2::Protocol::AuthnRequest->new(
+    issuer        => 'http://some/sp',
+    destination   => 'http://some/idp',
+    nameid_format => 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent',
+    nameid_allow_create => 1,
+    force_authn   => '1',
+    is_passive    => '1'
+
+);
+
+isa_ok($ar, "Net::SAML2::Protocol::AuthnRequest");
+
+$xml = $ar->as_xml;
+
+$xp = get_xpath(
+    $xml,
+    samlp => 'urn:oasis:names:tc:SAML:2.0:protocol',
+    saml  => 'urn:oasis:names:tc:SAML:2.0:assertion',
+);
+
+test_xml_attribute_exists($xp, '/samlp:AuthnRequest/@ForceAuthn', 1);
+test_xml_attribute_ok($xp, '/samlp:AuthnRequest/@ForceAuthn', 'true');
+
+test_xml_attribute_exists($xp, '/samlp:AuthnRequest/@IsPassive', 1);
+test_xml_attribute_ok($xp, '/samlp:AuthnRequest/@IsPassive', 'true');
+
+$ar = Net::SAML2::Protocol::AuthnRequest->new(
+    issuer        => 'http://some/sp',
+    destination   => 'http://some/idp',
+    nameid_format => 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent',
+    nameid_allow_create => 1,
+    force_authn   => '0',
+    is_passive    => '0'
+
+);
+
+isa_ok($ar, "Net::SAML2::Protocol::AuthnRequest");
+
+$xml = $ar->as_xml;
+
+$xp = get_xpath(
+    $xml,
+    samlp => 'urn:oasis:names:tc:SAML:2.0:protocol',
+    saml  => 'urn:oasis:names:tc:SAML:2.0:assertion',
+);
+
+test_xml_attribute_exists($xp, '/samlp:AuthnRequest/@ForceAuthn', 1);
+test_xml_attribute_ok($xp, '/samlp:AuthnRequest/@ForceAuthn', 'false');
+
+test_xml_attribute_exists($xp, '/samlp:AuthnRequest/@IsPassive', 1);
+test_xml_attribute_ok($xp, '/samlp:AuthnRequest/@IsPassive', 'false');
+
+my $sp = net_saml2_sp(
+    authnreq_signed        => 0,
+    want_assertions_signed => 0,
+    slo_url_post           => '/sls-post-response',
+    slo_url_soap           => '/slo-soap',
+);
+
+my %params = (
+    force_authn => 1,
+    is_passive => 0,
+);
+
+my $req = $sp->authn_request(
+    $sp->id,
+    '',
+    %params,
+);
+
+$xml = $req->as_xml;
+
+$xp = get_xpath(
+    $xml,
+    samlp => 'urn:oasis:names:tc:SAML:2.0:protocol',
+    saml  => 'urn:oasis:names:tc:SAML:2.0:assertion',
+);
+
+test_xml_attribute_exists($xp, '/samlp:AuthnRequest/@ForceAuthn', 1);
+test_xml_attribute_ok($xp, '/samlp:AuthnRequest/@ForceAuthn', 'true');
+
+test_xml_attribute_exists($xp, '/samlp:AuthnRequest/@IsPassive', 1);
+test_xml_attribute_ok($xp, '/samlp:AuthnRequest/@IsPassive', 'false');
+
+$xml = $ar->as_xml;
+
 done_testing;
diff --git a/t/lib/Test/Net/SAML2/Util.pm b/t/lib/Test/Net/SAML2/Util.pm
@@ -8,6 +8,7 @@ require Exporter;
 our @ISA    = qw(Exporter);
 our @EXPORT = qw(
     get_xpath
+    test_xml_attribute_exists
     test_xml_attribute_ok
     test_xml_value_ok
     get_single_node_ok
@@ -220,6 +221,14 @@ sub get_single_node_ok {
     return $nodes->get_node(1);
 }
 
+sub test_xml_attribute_exists {
+    my ($xpath, $search, $value) = @_;
+    my $exists = $xpath->exists($search);
+    my $msg = "$search node exists? " . ( $exists ? "true" : "false");
+    is($exists, $value, $msg);
+    return $exists;
+}
+
 sub test_xml_attribute_ok {
     my ($xpath, $search, $value) = @_;
 
diff --git a/xt/testapp/config.yml b/xt/testapp/config.yml
@@ -16,3 +16,7 @@ org_name: "Net::SAML2 Saml2Test"
 org_display_name: "Saml2Test app for Net::SAML2"
 org_contact: "saml2test@example.com"
 error_url: "/error"
+force_authn: 1
+is_passive: 1
+sign_metadata: 1
+authnreq_signed: 1
diff --git a/xt/testapp/lib/Saml2Test.pm b/xt/testapp/lib/Saml2Test.pm
@@ -17,6 +17,7 @@ use Dancer ':syntax';
 use Net::SAML2;
 use MIME::Base64 qw/ decode_base64 /;
 use File::Slurper qw/ read_dir /;
+use URN::OASIS::SAML2 qw(:bindings :urn);
 
 our $VERSION = '0.2';
 
@@ -64,9 +65,16 @@ get '/login' => sub {
     }
     my $idp = _idp();
     my $sp = _sp();
+
+    my %params = (
+        defined (config->{force_authn}) ? (force_authn => config->{force_authn}) : (),
+        defined (config->{is_passive}) ? (is_passive  => config->{is_passive}) : (),
+    );
+
     my $authnreq = $sp->authn_request(
         $idp->sso_url('urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect'),
-        $idp->format, # default format.
+        $idp->format || '', # default format.
+        %params,
     )->as_xml;
 
     my $redirect = $sp->sso_redirect_binding($idp, 'SAMLRequest');
@@ -238,6 +246,7 @@ post '/sls-post-response' => sub {
 
 get '/metadata.xml' => sub {
     content_type 'application/octet-stream';
+
     my $sp = _sp();
     return $sp->metadata;
 };
@@ -248,17 +257,31 @@ sub _sp {
         url    => config->{url},
         cert   => config->{cert},
         key    => config->{key},
-        cacert => config->{cacert},
+        cacert => config->{cacert} || '',
         slo_url_soap => config->{slo_url_soap},
         slo_url_redirect => config->{slo_url_redirect},
         slo_url_post => config->{slo_url_post},
-        acs_url_post => config->{acs_url_post},
-        acs_url_artifact => config->{acs_url_artifact},
+        assertion_consumer_service => [
+        {
+            Binding => BINDING_HTTP_POST,
+            Location => config->{slo_url_post},
+            isDefault => 'false',
+            # optionally
+            index => 1,
+        },
+        {
+            Binding => BINDING_HTTP_ARTIFACT,
+            Location => config->{acs_url_artifact},
+            isDefault => 'true',
+            index => 2,
+        }],
         error_url => config->{error_url},
 		
         org_name	 => config->{org_name},
         org_display_name => config->{org_display_name},
         org_contact	 => config->{org_contact},
+        authnreq_signed => config->{authnreq_signed},
+        sign_metadata => config->{sign_metadata},
     );
     return $sp;
 }

Original file line number	Diff line number	Diff line change
`@@ -76,7 +76,7 @@ my %WriteMakefileArgs = (`
`76`	`76`	`"URI::URL" => 0,`
`77`	`77`	`"XML::LibXML::XPathContext" => 0`
`78`	`78`	`},`
`79`		`- "VERSION" => "0.61",`
	`79`	`+ "VERSION" => "0.62",`
`80`	`80`	`"test" => {`
`81`	`81`	`"TESTS" => "t/.t t/author/.t"`
`82`	`82`	`}`