line |
stmt |
bran |
cond |
sub |
pod |
time |
code |
1
|
|
|
|
|
|
|
package Net::SAML2::Protocol::Assertion; |
2
|
10
|
|
|
10
|
|
25985
|
use Moose; |
|
10
|
|
|
|
|
34
|
|
|
10
|
|
|
|
|
84
|
|
3
|
|
|
|
|
|
|
|
4
|
|
|
|
|
|
|
our $VERSION = '0.72'; # TRIAL VERSION |
5
|
|
|
|
|
|
|
|
6
|
10
|
|
|
10
|
|
70325
|
use MooseX::Types::DateTime qw/ DateTime /; |
|
10
|
|
|
|
|
565643
|
|
|
10
|
|
|
|
|
65
|
|
7
|
10
|
|
|
10
|
|
19049
|
use MooseX::Types::Common::String qw/ NonEmptySimpleStr /; |
|
10
|
|
|
|
|
29
|
|
|
10
|
|
|
|
|
94
|
|
8
|
10
|
|
|
10
|
|
26456
|
use DateTime; |
|
10
|
|
|
|
|
25
|
|
|
10
|
|
|
|
|
215
|
|
9
|
10
|
|
|
10
|
|
5347
|
use DateTime::HiRes; |
|
10
|
|
|
|
|
4779
|
|
|
10
|
|
|
|
|
342
|
|
10
|
10
|
|
|
10
|
|
3736
|
use DateTime::Format::XSD; |
|
10
|
|
|
|
|
3649120
|
|
|
10
|
|
|
|
|
407
|
|
11
|
10
|
|
|
10
|
|
120
|
use Net::SAML2::XML::Util qw/ no_comments /; |
|
10
|
|
|
|
|
24
|
|
|
10
|
|
|
|
|
655
|
|
12
|
10
|
|
|
10
|
|
69
|
use Net::SAML2::XML::Sig; |
|
10
|
|
|
|
|
24
|
|
|
10
|
|
|
|
|
93
|
|
13
|
10
|
|
|
10
|
|
6584
|
use XML::Enc; |
|
10
|
|
|
|
|
170603
|
|
|
10
|
|
|
|
|
321
|
|
14
|
10
|
|
|
10
|
|
79
|
use XML::LibXML; |
|
10
|
|
|
|
|
24
|
|
|
10
|
|
|
|
|
54
|
|
15
|
10
|
|
|
10
|
|
1868
|
use List::Util qw(first); |
|
10
|
|
|
|
|
28
|
|
|
10
|
|
|
|
|
641
|
|
16
|
10
|
|
|
10
|
|
64
|
use URN::OASIS::SAML2 qw(STATUS_SUCCESS); |
|
10
|
|
|
|
|
25
|
|
|
10
|
|
|
|
|
465
|
|
17
|
10
|
|
|
10
|
|
59
|
use Carp qw(croak); |
|
10
|
|
|
|
|
29
|
|
|
10
|
|
|
|
|
19115
|
|
18
|
|
|
|
|
|
|
|
19
|
|
|
|
|
|
|
with 'Net::SAML2::Role::ProtocolMessage'; |
20
|
|
|
|
|
|
|
|
21
|
|
|
|
|
|
|
# ABSTRACT: SAML2 assertion object |
22
|
|
|
|
|
|
|
|
23
|
|
|
|
|
|
|
|
24
|
|
|
|
|
|
|
has 'attributes' => (isa => 'HashRef[ArrayRef]', is => 'ro', required => 1); |
25
|
|
|
|
|
|
|
has 'audience' => (isa => NonEmptySimpleStr, is => 'ro', required => 1); |
26
|
|
|
|
|
|
|
has 'not_after' => (isa => DateTime, is => 'ro', required => 1); |
27
|
|
|
|
|
|
|
has 'not_before' => (isa => DateTime, is => 'ro', required => 1); |
28
|
|
|
|
|
|
|
has 'session' => (isa => 'Str', is => 'ro', required => 1); |
29
|
|
|
|
|
|
|
has 'in_response_to' => (isa => 'Str', is => 'ro', required => 1); |
30
|
|
|
|
|
|
|
has 'response_status' => (isa => 'Str', is => 'ro', required => 1); |
31
|
|
|
|
|
|
|
has 'response_substatus' => (isa => 'Str', is => 'ro'); |
32
|
|
|
|
|
|
|
has 'xpath' => (isa => 'XML::LibXML::XPathContext', is => 'ro', required => 1); |
33
|
|
|
|
|
|
|
has 'nameid_object' => ( |
34
|
|
|
|
|
|
|
isa => 'XML::LibXML::Element', |
35
|
|
|
|
|
|
|
is => 'ro', |
36
|
|
|
|
|
|
|
required => 0, |
37
|
|
|
|
|
|
|
init_arg => 'nameid', |
38
|
|
|
|
|
|
|
predicate => 'has_nameid', |
39
|
|
|
|
|
|
|
); |
40
|
|
|
|
|
|
|
has 'authnstatement_object' => ( |
41
|
|
|
|
|
|
|
isa => 'XML::LibXML::Element', |
42
|
|
|
|
|
|
|
is => 'ro', |
43
|
|
|
|
|
|
|
required => 0, |
44
|
|
|
|
|
|
|
init_arg => 'authnstatement', |
45
|
|
|
|
|
|
|
predicate => 'has_authnstatement', |
46
|
|
|
|
|
|
|
); |
47
|
|
|
|
|
|
|
|
48
|
|
|
|
|
|
|
|
49
|
|
|
|
|
|
|
|
50
|
|
|
|
|
|
|
sub _verify_encrypted_assertion { |
51
|
13
|
|
|
13
|
|
31
|
my $self = shift; |
52
|
13
|
|
|
|
|
29
|
my $xml = shift; |
53
|
13
|
|
|
|
|
25
|
my $cacert = shift; |
54
|
13
|
|
|
|
|
26
|
my $key_file = shift; |
55
|
13
|
|
|
|
|
35
|
my $key_name = shift; |
56
|
|
|
|
|
|
|
|
57
|
13
|
|
|
|
|
146
|
my $xpath = XML::LibXML::XPathContext->new($xml); |
58
|
13
|
|
|
|
|
83
|
$xpath->registerNs('saml', 'urn:oasis:names:tc:SAML:2.0:assertion'); |
59
|
13
|
|
|
|
|
58
|
$xpath->registerNs('samlp', 'urn:oasis:names:tc:SAML:2.0:protocol'); |
60
|
13
|
|
|
|
|
63
|
$xpath->registerNs('dsig', 'http://www.w3.org/2000/09/xmldsig#'); |
61
|
13
|
|
|
|
|
51
|
$xpath->registerNs('xenc', 'http://www.w3.org/2001/04/xmlenc#'); |
62
|
|
|
|
|
|
|
|
63
|
13
|
100
|
|
|
|
59
|
return $xml unless $xpath->exists('//saml:EncryptedAssertion'); |
64
|
|
|
|
|
|
|
|
65
|
1
|
50
|
|
|
|
34
|
croak "Encrypted Assertions require key_file" if !defined $key_file; |
66
|
|
|
|
|
|
|
|
67
|
1
|
|
|
|
|
5
|
$xml = $self->_decrypt( |
68
|
|
|
|
|
|
|
$xml, |
69
|
|
|
|
|
|
|
key_file => $key_file, |
70
|
|
|
|
|
|
|
key_name => $key_name, |
71
|
|
|
|
|
|
|
); |
72
|
1
|
|
|
|
|
25862
|
$xpath->setContextNode($xml); |
73
|
|
|
|
|
|
|
|
74
|
1
|
|
|
|
|
4
|
my $assert_nodes = $xpath->findnodes('//saml:Assertion'); |
75
|
1
|
50
|
|
|
|
41
|
return $xml unless $assert_nodes->size; |
76
|
1
|
|
|
|
|
10
|
my $assert = $assert_nodes->get_node(1); |
77
|
|
|
|
|
|
|
|
78
|
1
|
50
|
|
|
|
9
|
return $xml unless $xpath->exists('dsig:Signature', $assert); |
79
|
1
|
|
|
|
|
35
|
my $xml_opts->{ no_xml_declaration } = 1; |
80
|
1
|
|
|
|
|
7
|
my $x = Net::SAML2::XML::Sig->new($xml_opts); |
81
|
1
|
|
|
|
|
135
|
my $ret = $x->verify($assert->toString()); |
82
|
1
|
50
|
|
|
|
2241
|
die "Decrypted Assertion signature check failed" unless $ret; |
83
|
|
|
|
|
|
|
|
84
|
1
|
50
|
|
|
|
4
|
return $xml unless $cacert; |
85
|
1
|
|
|
|
|
5
|
my $cert = $x->signer_cert; |
86
|
1
|
50
|
|
|
|
6
|
die "Certificate not provided in SAML Response, cannot validate" unless $cert; |
87
|
|
|
|
|
|
|
|
88
|
1
|
|
|
|
|
104
|
my $ca = Crypt::OpenSSL::Verify->new($cacert, { strict_certs => 0 }); |
89
|
1
|
50
|
|
|
|
32
|
die "Unable to verify signer cert with cacert: " . $cert->subject |
90
|
|
|
|
|
|
|
unless $ca->verify($cert); |
91
|
1
|
|
|
|
|
43
|
return $xml; |
92
|
|
|
|
|
|
|
} |
93
|
|
|
|
|
|
|
|
94
|
|
|
|
|
|
|
sub new_from_xml { |
95
|
13
|
|
|
13
|
1
|
9000
|
my($class, %args) = @_; |
96
|
|
|
|
|
|
|
|
97
|
13
|
|
|
|
|
38
|
my $key_file = $args{key_file}; |
98
|
13
|
|
|
|
|
38
|
my $cacert = delete $args{cacert}; |
99
|
|
|
|
|
|
|
|
100
|
13
|
|
|
|
|
358
|
my $xpath = XML::LibXML::XPathContext->new(); |
101
|
13
|
|
|
|
|
262
|
$xpath->registerNs('saml', 'urn:oasis:names:tc:SAML:2.0:assertion'); |
102
|
13
|
|
|
|
|
56
|
$xpath->registerNs('samlp', 'urn:oasis:names:tc:SAML:2.0:protocol'); |
103
|
13
|
|
|
|
|
47
|
$xpath->registerNs('dsig', 'http://www.w3.org/2000/09/xmldsig#'); |
104
|
13
|
|
|
|
|
41
|
$xpath->registerNs('xenc', 'http://www.w3.org/2001/04/xmlenc#'); |
105
|
|
|
|
|
|
|
|
106
|
13
|
|
|
|
|
68
|
my $xml = no_comments($args{xml}); |
107
|
13
|
|
|
|
|
85
|
$xpath->setContextNode($xml); |
108
|
|
|
|
|
|
|
|
109
|
|
|
|
|
|
|
$xml = $class->_verify_encrypted_assertion( |
110
|
|
|
|
|
|
|
$xml, |
111
|
|
|
|
|
|
|
$cacert, |
112
|
|
|
|
|
|
|
$key_file, |
113
|
|
|
|
|
|
|
$args{key_name}, |
114
|
13
|
|
|
|
|
78
|
); |
115
|
|
|
|
|
|
|
|
116
|
|
|
|
|
|
|
my $dec = $class->_decrypt( |
117
|
|
|
|
|
|
|
$xml, |
118
|
|
|
|
|
|
|
key_file => $key_file, |
119
|
|
|
|
|
|
|
key_name => $args{key_name} |
120
|
13
|
|
|
|
|
670
|
); |
121
|
13
|
|
|
|
|
1159
|
$xpath->setContextNode($dec); |
122
|
|
|
|
|
|
|
|
123
|
13
|
|
|
|
|
27
|
my $attributes = {}; |
124
|
13
|
|
|
|
|
53
|
for my $node ($xpath->findnodes('//saml:Assertion/saml:AttributeStatement/saml:Attribute/saml:AttributeValue/..')) |
125
|
|
|
|
|
|
|
{ |
126
|
68
|
|
|
|
|
1894
|
my @values = $xpath->findnodes("saml:AttributeValue", $node); |
127
|
68
|
|
|
|
|
2412
|
$attributes->{$node->getAttribute('Name')} = [map $_->string_value, @values]; |
128
|
|
|
|
|
|
|
} |
129
|
|
|
|
|
|
|
|
130
|
13
|
|
|
|
|
298
|
my $xpath_base = '//samlp:Response/saml:Assertion/saml:Conditions/'; |
131
|
|
|
|
|
|
|
|
132
|
13
|
|
|
|
|
451
|
my $not_before; |
133
|
13
|
100
|
|
|
|
62
|
if (my $value = $xpath->findvalue($xpath_base . '@NotBefore')) { |
|
|
50
|
|
|
|
|
|
134
|
12
|
|
|
|
|
1226
|
$not_before = DateTime::Format::XSD->parse_datetime($value); |
135
|
|
|
|
|
|
|
} |
136
|
|
|
|
|
|
|
elsif (my $global = $xpath->findvalue('//saml:Conditions/@NotBefore')) { |
137
|
1
|
|
|
|
|
125
|
$not_before = DateTime::Format::XSD->parse_datetime($global); |
138
|
|
|
|
|
|
|
} |
139
|
|
|
|
|
|
|
else { |
140
|
0
|
|
|
|
|
0
|
$not_before = DateTime::HiRes->now(); |
141
|
|
|
|
|
|
|
} |
142
|
|
|
|
|
|
|
|
143
|
13
|
|
|
|
|
11082
|
my $not_after; |
144
|
13
|
100
|
|
|
|
89
|
if (my $value = $xpath->findvalue($xpath_base . '@NotOnOrAfter')) { |
|
|
50
|
|
|
|
|
|
145
|
12
|
|
|
|
|
953
|
$not_after = DateTime::Format::XSD->parse_datetime($value); |
146
|
|
|
|
|
|
|
} |
147
|
|
|
|
|
|
|
elsif (my $global = $xpath->findvalue('//saml:Conditions/@NotOnOrAfter')) { |
148
|
1
|
|
|
|
|
105
|
$not_after = DateTime::Format::XSD->parse_datetime($global); |
149
|
|
|
|
|
|
|
} |
150
|
|
|
|
|
|
|
else { |
151
|
0
|
|
|
|
|
0
|
$not_after = DateTime->from_epoch(epoch => time() + 1000); |
152
|
|
|
|
|
|
|
} |
153
|
|
|
|
|
|
|
|
154
|
13
|
|
|
|
|
8147
|
my $nameid; |
155
|
13
|
100
|
|
|
|
93
|
if (my $node = $xpath->findnodes('/samlp:Response/saml:Assertion/saml:Subject/saml:NameID')) { |
|
|
100
|
|
|
|
|
|
156
|
8
|
|
|
|
|
665
|
$nameid = $node->get_node(1); |
157
|
|
|
|
|
|
|
} |
158
|
|
|
|
|
|
|
elsif (my $global = $xpath->findnodes('//saml:Subject/saml:NameID')) { |
159
|
3
|
|
|
|
|
426
|
$nameid = $global->get_node(1); |
160
|
|
|
|
|
|
|
} |
161
|
|
|
|
|
|
|
|
162
|
13
|
|
|
|
|
522
|
my $authnstatement; |
163
|
13
|
100
|
|
|
|
45
|
if (my $node = $xpath->findnodes('/samlp:Response/saml:Assertion/saml:AuthnStatement')) { |
164
|
10
|
|
|
|
|
589
|
$authnstatement = $node->get_node(1); |
165
|
|
|
|
|
|
|
} |
166
|
|
|
|
|
|
|
|
167
|
13
|
|
|
|
|
234
|
my $nodeset = $xpath->findnodes('/samlp:Response/samlp:Status/samlp:StatusCode|/samlp:ArtifactResponse/samlp:Status/samlp:StatusCode'); |
168
|
|
|
|
|
|
|
|
169
|
13
|
50
|
|
|
|
519
|
croak("Unable to parse status from assertion") unless $nodeset->size; |
170
|
|
|
|
|
|
|
|
171
|
13
|
|
|
|
|
99
|
my $status_node = $nodeset->get_node(1); |
172
|
13
|
|
|
|
|
97
|
my $status = $status_node->getAttribute('Value'); |
173
|
13
|
|
|
|
|
190
|
my $sub_status; |
174
|
|
|
|
|
|
|
|
175
|
13
|
100
|
|
3
|
|
123
|
if (my $s = first { $_->isa('XML::LibXML::Element') } $status_node->childNodes) { |
|
3
|
|
|
|
|
61
|
|
176
|
1
|
|
|
|
|
9
|
$sub_status = $s->getAttribute('Value'); |
177
|
|
|
|
|
|
|
} |
178
|
|
|
|
|
|
|
|
179
|
13
|
100
|
|
|
|
240
|
my $self = $class->new( |
|
|
100
|
|
|
|
|
|
|
|
100
|
|
|
|
|
|
180
|
|
|
|
|
|
|
id => $xpath->findvalue('//saml:Assertion/@ID'), |
181
|
|
|
|
|
|
|
issuer => $xpath->findvalue('//saml:Assertion/saml:Issuer'), |
182
|
|
|
|
|
|
|
destination => $xpath->findvalue('/samlp:Response/@Destination'), |
183
|
|
|
|
|
|
|
attributes => $attributes, |
184
|
|
|
|
|
|
|
session => $xpath->findvalue('//saml:AuthnStatement/@SessionIndex'), |
185
|
|
|
|
|
|
|
$nameid ? (nameid => $nameid) : (), |
186
|
|
|
|
|
|
|
audience => $xpath->findvalue('//saml:Conditions/saml:AudienceRestriction/saml:Audience'), |
187
|
|
|
|
|
|
|
not_before => $not_before, |
188
|
|
|
|
|
|
|
not_after => $not_after, |
189
|
|
|
|
|
|
|
xpath => $xpath, |
190
|
|
|
|
|
|
|
in_response_to => $xpath->findvalue('//saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData/@InResponseTo'), |
191
|
|
|
|
|
|
|
response_status => $status, |
192
|
|
|
|
|
|
|
$sub_status ? (response_substatus => $sub_status) : (), |
193
|
|
|
|
|
|
|
$authnstatement ? (authnstatement => $authnstatement) : (), |
194
|
|
|
|
|
|
|
); |
195
|
|
|
|
|
|
|
|
196
|
13
|
|
|
|
|
81872
|
return $self; |
197
|
|
|
|
|
|
|
} |
198
|
|
|
|
|
|
|
|
199
|
|
|
|
|
|
|
|
200
|
|
|
|
|
|
|
|
201
|
|
|
|
|
|
|
sub name { |
202
|
0
|
|
|
0
|
1
|
0
|
my $self = shift; |
203
|
0
|
|
|
|
|
0
|
return $self->attributes->{CN}[0]; |
204
|
|
|
|
|
|
|
} |
205
|
|
|
|
|
|
|
|
206
|
|
|
|
|
|
|
|
207
|
|
|
|
|
|
|
sub nameid { |
208
|
6
|
|
|
6
|
1
|
22
|
my $self = shift; |
209
|
6
|
50
|
|
|
|
224
|
return unless $self->has_nameid; |
210
|
6
|
|
|
|
|
167
|
return $self->nameid_object->textContent; |
211
|
|
|
|
|
|
|
} |
212
|
|
|
|
|
|
|
|
213
|
|
|
|
|
|
|
|
214
|
|
|
|
|
|
|
sub nameid_format { |
215
|
1
|
|
|
1
|
1
|
4
|
my $self = shift; |
216
|
1
|
50
|
|
|
|
42
|
return unless $self->has_nameid; |
217
|
1
|
|
|
|
|
32
|
return $self->nameid_object->getAttribute('Format'); |
218
|
|
|
|
|
|
|
} |
219
|
|
|
|
|
|
|
|
220
|
|
|
|
|
|
|
|
221
|
|
|
|
|
|
|
sub nameid_name_qualifier { |
222
|
1
|
|
|
1
|
1
|
681
|
my $self = shift; |
223
|
1
|
50
|
|
|
|
43
|
return unless $self->has_nameid; |
224
|
1
|
|
|
|
|
31
|
return $self->nameid_object->getAttribute('NameQualifier'); |
225
|
|
|
|
|
|
|
} |
226
|
|
|
|
|
|
|
|
227
|
|
|
|
|
|
|
|
228
|
|
|
|
|
|
|
sub nameid_sp_name_qualifier { |
229
|
1
|
|
|
1
|
1
|
673
|
my $self = shift; |
230
|
1
|
50
|
|
|
|
42
|
return unless $self->has_nameid; |
231
|
1
|
|
|
|
|
32
|
return $self->nameid_object->getAttribute('SPNameQualifier'); |
232
|
|
|
|
|
|
|
} |
233
|
|
|
|
|
|
|
|
234
|
|
|
|
|
|
|
|
235
|
|
|
|
|
|
|
sub nameid_sp_provided_id { |
236
|
1
|
|
|
1
|
1
|
647
|
my $self = shift; |
237
|
1
|
50
|
|
|
|
44
|
return unless $self->has_nameid; |
238
|
1
|
|
|
|
|
32
|
return $self->nameid_object->getAttribute('SPProvidedID'); |
239
|
|
|
|
|
|
|
} |
240
|
|
|
|
|
|
|
|
241
|
|
|
|
|
|
|
|
242
|
|
|
|
|
|
|
sub authnstatement { |
243
|
0
|
|
|
0
|
1
|
0
|
my $self = shift; |
244
|
0
|
0
|
|
|
|
0
|
return unless $self->has_authnstatement; |
245
|
0
|
|
|
|
|
0
|
return $self->authnstatement_object->textContent; |
246
|
|
|
|
|
|
|
} |
247
|
|
|
|
|
|
|
|
248
|
|
|
|
|
|
|
|
249
|
|
|
|
|
|
|
sub authnstatement_authninstant { |
250
|
3
|
|
|
3
|
1
|
1000
|
my $self = shift; |
251
|
3
|
50
|
|
|
|
134
|
return unless $self->has_authnstatement; |
252
|
3
|
|
|
|
|
98
|
return $self->authnstatement_object->getAttribute('AuthnInstant'); |
253
|
|
|
|
|
|
|
} |
254
|
|
|
|
|
|
|
|
255
|
|
|
|
|
|
|
|
256
|
|
|
|
|
|
|
sub authnstatement_sessionindex { |
257
|
3
|
|
|
3
|
1
|
1989
|
my $self = shift; |
258
|
3
|
50
|
|
|
|
132
|
return unless $self->has_authnstatement; |
259
|
3
|
|
|
|
|
97
|
return $self->authnstatement_object->getAttribute('SessionIndex'); |
260
|
|
|
|
|
|
|
} |
261
|
|
|
|
|
|
|
|
262
|
|
|
|
|
|
|
|
263
|
|
|
|
|
|
|
sub authnstatement_subjectlocality { |
264
|
6
|
|
|
6
|
1
|
11
|
my $self = shift; |
265
|
6
|
50
|
|
|
|
211
|
return unless $self->has_authnstatement; |
266
|
|
|
|
|
|
|
|
267
|
6
|
|
|
|
|
141
|
my $xpc = XML::LibXML::XPathContext->new; |
268
|
6
|
|
|
|
|
36
|
$xpc->registerNs('saml', 'urn:oasis:names:tc:SAML:2.0:assertion'); |
269
|
6
|
|
|
|
|
9
|
my $subjectlocality; |
270
|
6
|
|
|
|
|
12
|
my $xpath_base = '//saml:AuthnStatement/saml:SubjectLocality'; |
271
|
6
|
100
|
|
|
|
200
|
if (my $nodes = $xpc->find($xpath_base, $self->authnstatement_object)) { |
272
|
2
|
|
|
|
|
174
|
my $node = $nodes->get_node(1); |
273
|
2
|
|
|
|
|
14
|
$subjectlocality = $node; |
274
|
|
|
|
|
|
|
} |
275
|
6
|
|
|
|
|
407
|
return $subjectlocality; |
276
|
|
|
|
|
|
|
} |
277
|
|
|
|
|
|
|
|
278
|
|
|
|
|
|
|
|
279
|
|
|
|
|
|
|
sub subjectlocality_address { |
280
|
3
|
|
|
3
|
1
|
1738
|
my $self = shift; |
281
|
3
|
50
|
|
|
|
164
|
return unless $self->has_authnstatement; |
282
|
3
|
|
|
|
|
10
|
my $subjectlocality = $self->authnstatement_subjectlocality; |
283
|
3
|
100
|
|
|
|
17
|
return unless $subjectlocality; |
284
|
1
|
|
|
|
|
8
|
return $subjectlocality->getAttribute('Address'); |
285
|
|
|
|
|
|
|
} |
286
|
|
|
|
|
|
|
|
287
|
|
|
|
|
|
|
|
288
|
|
|
|
|
|
|
sub subjectlocality_dnsname { |
289
|
3
|
|
|
3
|
1
|
655
|
my $self = shift; |
290
|
3
|
50
|
|
|
|
131
|
return unless $self->has_authnstatement; |
291
|
3
|
|
|
|
|
10
|
my $subjectlocality = $self->authnstatement_subjectlocality; |
292
|
3
|
100
|
|
|
|
20
|
return unless $subjectlocality; |
293
|
1
|
|
|
|
|
8
|
return $subjectlocality->getAttribute('DNSName'); |
294
|
|
|
|
|
|
|
} |
295
|
|
|
|
|
|
|
|
296
|
|
|
|
|
|
|
|
297
|
|
|
|
|
|
|
sub authnstatement_authncontext { |
298
|
3
|
|
|
3
|
1
|
5
|
my $self = shift; |
299
|
3
|
50
|
|
|
|
120
|
return unless $self->has_authnstatement; |
300
|
|
|
|
|
|
|
|
301
|
3
|
|
|
|
|
77
|
my $xpc = XML::LibXML::XPathContext->new; |
302
|
3
|
|
|
|
|
17
|
$xpc->registerNs('saml', 'urn:oasis:names:tc:SAML:2.0:assertion'); |
303
|
3
|
|
|
|
|
6
|
my $authncontext; |
304
|
3
|
|
|
|
|
6
|
my $xpath_base = '//saml:AuthnStatement/saml:AuthnContext'; |
305
|
3
|
50
|
|
|
|
102
|
if (my $nodes = $xpc->find($xpath_base, $self->authnstatement_object)) { |
306
|
3
|
|
|
|
|
252
|
my $node = $nodes->get_node(1); |
307
|
3
|
|
|
|
|
24
|
$authncontext = $node; |
308
|
|
|
|
|
|
|
} |
309
|
3
|
|
|
|
|
50
|
return $authncontext; |
310
|
|
|
|
|
|
|
} |
311
|
|
|
|
|
|
|
|
312
|
|
|
|
|
|
|
|
313
|
|
|
|
|
|
|
sub contextclass_authncontextclassref { |
314
|
3
|
|
|
3
|
1
|
418
|
my $self = shift; |
315
|
3
|
50
|
|
|
|
134
|
return unless $self->has_authnstatement; |
316
|
3
|
|
|
|
|
13
|
my $authncontextclassref = $self->authnstatement_authncontext; |
317
|
3
|
50
|
|
|
|
16
|
return unless $authncontextclassref; |
318
|
3
|
|
|
|
|
54
|
my $xpc = XML::LibXML::XPathContext->new; |
319
|
3
|
|
|
|
|
16
|
$xpc->registerNs('saml', 'urn:oasis:names:tc:SAML:2.0:assertion'); |
320
|
3
|
50
|
|
|
|
113
|
if (my $value = $xpc->findvalue('//saml:AuthnContextClassRef', $self->authnstatement_object)) { |
321
|
3
|
|
|
|
|
273
|
$authncontextclassref = $value; |
322
|
|
|
|
|
|
|
} |
323
|
3
|
|
|
|
|
11
|
return $authncontextclassref; |
324
|
|
|
|
|
|
|
} |
325
|
|
|
|
|
|
|
|
326
|
|
|
|
|
|
|
|
327
|
|
|
|
|
|
|
sub valid { |
328
|
22
|
|
|
22
|
1
|
8561
|
my ($self, $audience, $in_response_to) = @_; |
329
|
|
|
|
|
|
|
|
330
|
22
|
50
|
|
|
|
59
|
return 0 unless defined $audience; |
331
|
22
|
100
|
|
|
|
721
|
return 0 unless($audience eq $self->audience); |
332
|
|
|
|
|
|
|
|
333
|
16
|
100
|
100
|
|
|
302
|
return 0 unless !defined $in_response_to |
334
|
|
|
|
|
|
|
or $in_response_to eq $self->in_response_to; |
335
|
|
|
|
|
|
|
|
336
|
13
|
|
|
|
|
70
|
my $now = DateTime::HiRes->now; |
337
|
|
|
|
|
|
|
|
338
|
|
|
|
|
|
|
# not_before is "NotBefore" element - exact match is ok |
339
|
|
|
|
|
|
|
# not_after is "NotOnOrAfter" element - exact match is *not* ok |
340
|
13
|
100
|
|
|
|
4182
|
return 0 unless DateTime::->compare($now, $self->not_before) > -1; |
341
|
9
|
100
|
|
|
|
1006
|
return 0 unless DateTime::->compare($self->not_after, $now) > 0; |
342
|
|
|
|
|
|
|
|
343
|
7
|
|
|
|
|
634
|
return 1; |
344
|
|
|
|
|
|
|
} |
345
|
|
|
|
|
|
|
|
346
|
|
|
|
|
|
|
|
347
|
|
|
|
|
|
|
sub success { |
348
|
1
|
|
|
1
|
1
|
141
|
my $self = shift; |
349
|
1
|
50
|
|
|
|
44
|
return 1 if $self->response_status eq STATUS_SUCCESS; |
350
|
1
|
|
|
|
|
7
|
return 0; |
351
|
|
|
|
|
|
|
} |
352
|
|
|
|
|
|
|
|
353
|
|
|
|
|
|
|
sub _decrypt { |
354
|
14
|
|
|
14
|
|
39
|
my $self = shift; |
355
|
14
|
|
|
|
|
29
|
my $xml = shift; |
356
|
14
|
|
|
|
|
60
|
my %options = @_; |
357
|
|
|
|
|
|
|
|
358
|
14
|
100
|
|
|
|
65
|
return $xml unless $options{key_file}; |
359
|
|
|
|
|
|
|
|
360
|
|
|
|
|
|
|
my $enc = XML::Enc->new( |
361
|
|
|
|
|
|
|
{ |
362
|
|
|
|
|
|
|
no_xml_declaration => 1, |
363
|
|
|
|
|
|
|
key => $options{key_file}, |
364
|
|
|
|
|
|
|
} |
365
|
2
|
|
|
|
|
13
|
); |
366
|
2
|
|
|
|
|
2520
|
return XML::LibXML->load_xml(string => $enc->decrypt($xml, %options)); |
367
|
|
|
|
|
|
|
} |
368
|
|
|
|
|
|
|
|
369
|
|
|
|
|
|
|
1; |
370
|
|
|
|
|
|
|
|
371
|
|
|
|
|
|
|
__END__ |
372
|
|
|
|
|
|
|
|
373
|
|
|
|
|
|
|
=pod |
374
|
|
|
|
|
|
|
|
375
|
|
|
|
|
|
|
=encoding UTF-8 |
376
|
|
|
|
|
|
|
|
377
|
|
|
|
|
|
|
=head1 NAME |
378
|
|
|
|
|
|
|
|
379
|
|
|
|
|
|
|
Net::SAML2::Protocol::Assertion - SAML2 assertion object |
380
|
|
|
|
|
|
|
|
381
|
|
|
|
|
|
|
=head1 VERSION |
382
|
|
|
|
|
|
|
|
383
|
|
|
|
|
|
|
version 0.72 |
384
|
|
|
|
|
|
|
|
385
|
|
|
|
|
|
|
=head1 SYNOPSIS |
386
|
|
|
|
|
|
|
|
387
|
|
|
|
|
|
|
my $assertion = Net::SAML2::Protocol::Assertion->new_from_xml( |
388
|
|
|
|
|
|
|
xml => decode_base64($SAMLResponse) |
389
|
|
|
|
|
|
|
); |
390
|
|
|
|
|
|
|
|
391
|
|
|
|
|
|
|
=head1 NAME |
392
|
|
|
|
|
|
|
|
393
|
|
|
|
|
|
|
Net::SAML2::Protocol::Assertion - SAML2 assertion object |
394
|
|
|
|
|
|
|
|
395
|
|
|
|
|
|
|
=head1 METHODS |
396
|
|
|
|
|
|
|
|
397
|
|
|
|
|
|
|
=head2 new_from_xml( ... ) |
398
|
|
|
|
|
|
|
|
399
|
|
|
|
|
|
|
Constructor. Creates an instance of the Assertion object, parsing the |
400
|
|
|
|
|
|
|
given XML to find the attributes, session and nameid. |
401
|
|
|
|
|
|
|
|
402
|
|
|
|
|
|
|
Arguments: |
403
|
|
|
|
|
|
|
|
404
|
|
|
|
|
|
|
=over |
405
|
|
|
|
|
|
|
|
406
|
|
|
|
|
|
|
=item B<xml> |
407
|
|
|
|
|
|
|
|
408
|
|
|
|
|
|
|
XML data |
409
|
|
|
|
|
|
|
|
410
|
|
|
|
|
|
|
=item B<key_file> |
411
|
|
|
|
|
|
|
|
412
|
|
|
|
|
|
|
Optional but Required handling Encrypted Assertions. |
413
|
|
|
|
|
|
|
|
414
|
|
|
|
|
|
|
path to the SP's private key file that matches the SP's public certificate |
415
|
|
|
|
|
|
|
used by the IdP to Encrypt the response (or parts of the response) |
416
|
|
|
|
|
|
|
|
417
|
|
|
|
|
|
|
=item B<cacert> |
418
|
|
|
|
|
|
|
|
419
|
|
|
|
|
|
|
path to the CA certificate for verification. Optional: This is only used for |
420
|
|
|
|
|
|
|
validating the certificate provided for a signed Assertion that was found |
421
|
|
|
|
|
|
|
when the EncryptedAssertion is decrypted. |
422
|
|
|
|
|
|
|
|
423
|
|
|
|
|
|
|
While optional it is recommended for ensuring that the Assertion in an |
424
|
|
|
|
|
|
|
EncryptedAssertion is properly validated. |
425
|
|
|
|
|
|
|
|
426
|
|
|
|
|
|
|
=back |
427
|
|
|
|
|
|
|
|
428
|
|
|
|
|
|
|
=head2 response_status |
429
|
|
|
|
|
|
|
|
430
|
|
|
|
|
|
|
Returns the response status |
431
|
|
|
|
|
|
|
|
432
|
|
|
|
|
|
|
=head2 response_substatus |
433
|
|
|
|
|
|
|
|
434
|
|
|
|
|
|
|
SAML errors are usually "nested" ("Responder -> RequestDenied" for instance, |
435
|
|
|
|
|
|
|
means that the responder in this transaction (the IdP) denied the login |
436
|
|
|
|
|
|
|
request). For proper error message generation, both levels are needed. |
437
|
|
|
|
|
|
|
|
438
|
|
|
|
|
|
|
=head2 name |
439
|
|
|
|
|
|
|
|
440
|
|
|
|
|
|
|
Returns the CN attribute, if provided. |
441
|
|
|
|
|
|
|
|
442
|
|
|
|
|
|
|
=head2 nameid |
443
|
|
|
|
|
|
|
|
444
|
|
|
|
|
|
|
Returns the NameID |
445
|
|
|
|
|
|
|
|
446
|
|
|
|
|
|
|
=head2 nameid_format |
447
|
|
|
|
|
|
|
|
448
|
|
|
|
|
|
|
Returns the NameID Format |
449
|
|
|
|
|
|
|
|
450
|
|
|
|
|
|
|
=head2 nameid_name_qualifier |
451
|
|
|
|
|
|
|
|
452
|
|
|
|
|
|
|
Returns the NameID NameQualifier |
453
|
|
|
|
|
|
|
|
454
|
|
|
|
|
|
|
=head2 nameid_sp_name_qualifier |
455
|
|
|
|
|
|
|
|
456
|
|
|
|
|
|
|
Returns the NameID SPNameQualifier |
457
|
|
|
|
|
|
|
|
458
|
|
|
|
|
|
|
=head2 nameid_sp_provided_id |
459
|
|
|
|
|
|
|
|
460
|
|
|
|
|
|
|
Returns the NameID SPProvidedID |
461
|
|
|
|
|
|
|
|
462
|
|
|
|
|
|
|
=head2 authnstatement |
463
|
|
|
|
|
|
|
|
464
|
|
|
|
|
|
|
Returns the AuthnStatement |
465
|
|
|
|
|
|
|
|
466
|
|
|
|
|
|
|
=head2 authnstatement_authninstant |
467
|
|
|
|
|
|
|
|
468
|
|
|
|
|
|
|
Returns the AuthnStatement AuthnInstant |
469
|
|
|
|
|
|
|
|
470
|
|
|
|
|
|
|
=head2 authnstatement_sessionindex |
471
|
|
|
|
|
|
|
|
472
|
|
|
|
|
|
|
Returns the AuthnStatement SessionIndex |
473
|
|
|
|
|
|
|
|
474
|
|
|
|
|
|
|
=head2 authnstatement_subjectlocality |
475
|
|
|
|
|
|
|
|
476
|
|
|
|
|
|
|
Returns the AuthnStatement SubjectLocality |
477
|
|
|
|
|
|
|
|
478
|
|
|
|
|
|
|
=head2 subjectlocality_address |
479
|
|
|
|
|
|
|
|
480
|
|
|
|
|
|
|
Returns the SubjectLocality Address |
481
|
|
|
|
|
|
|
|
482
|
|
|
|
|
|
|
=head2 subjectlocality_dnsname |
483
|
|
|
|
|
|
|
|
484
|
|
|
|
|
|
|
Returns the SubjectLocality DNSName |
485
|
|
|
|
|
|
|
|
486
|
|
|
|
|
|
|
=head2 authnstatement_authncontext |
487
|
|
|
|
|
|
|
|
488
|
|
|
|
|
|
|
Returns the AuthnContext for the AuthnStatement |
489
|
|
|
|
|
|
|
|
490
|
|
|
|
|
|
|
=head2 contextclass_authncontextclassref |
491
|
|
|
|
|
|
|
|
492
|
|
|
|
|
|
|
Returns the ContextClass AuthnContextClassRef |
493
|
|
|
|
|
|
|
|
494
|
|
|
|
|
|
|
=head2 valid( $audience, $in_response_to ) |
495
|
|
|
|
|
|
|
|
496
|
|
|
|
|
|
|
Returns true if this Assertion is currently valid for the given audience. |
497
|
|
|
|
|
|
|
|
498
|
|
|
|
|
|
|
Also accepts $in_response_to which it checks against the returned |
499
|
|
|
|
|
|
|
Assertion. This is very important for security as it helps ensure |
500
|
|
|
|
|
|
|
that the assertion that was received was for the request that was made. |
501
|
|
|
|
|
|
|
|
502
|
|
|
|
|
|
|
Checks the audience matches, and that the current time is within the |
503
|
|
|
|
|
|
|
Assertions validity period as specified in its Conditions element. |
504
|
|
|
|
|
|
|
|
505
|
|
|
|
|
|
|
=head2 success |
506
|
|
|
|
|
|
|
|
507
|
|
|
|
|
|
|
Returns true if the response status is a success, returns false otherwise. |
508
|
|
|
|
|
|
|
In case the assertion isn't successfull, the L</response_status> and L</response_substatus> calls can be use to see why the assertion wasn't successful. |
509
|
|
|
|
|
|
|
|
510
|
|
|
|
|
|
|
=head1 AUTHORS |
511
|
|
|
|
|
|
|
|
512
|
|
|
|
|
|
|
=over 4 |
513
|
|
|
|
|
|
|
|
514
|
|
|
|
|
|
|
=item * |
515
|
|
|
|
|
|
|
|
516
|
|
|
|
|
|
|
Chris Andrews <chrisa@cpan.org> |
517
|
|
|
|
|
|
|
|
518
|
|
|
|
|
|
|
=item * |
519
|
|
|
|
|
|
|
|
520
|
|
|
|
|
|
|
Timothy Legge <timlegge@gmail.com> |
521
|
|
|
|
|
|
|
|
522
|
|
|
|
|
|
|
=back |
523
|
|
|
|
|
|
|
|
524
|
|
|
|
|
|
|
=head1 COPYRIGHT AND LICENSE |
525
|
|
|
|
|
|
|
|
526
|
|
|
|
|
|
|
This software is copyright (c) 2023 by Venda Ltd, see the CONTRIBUTORS file for others. |
527
|
|
|
|
|
|
|
|
528
|
|
|
|
|
|
|
This is free software; you can redistribute it and/or modify it under |
529
|
|
|
|
|
|
|
the same terms as the Perl 5 programming language system itself. |
530
|
|
|
|
|
|
|
|
531
|
|
|
|
|
|
|
=cut |