-
Notifications
You must be signed in to change notification settings - Fork 121
/
retrieve_assertion.go
111 lines (91 loc) · 3.22 KB
/
retrieve_assertion.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
// Copyright 2016 Russell Haering et al.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// https://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package saml2
import "fmt"
//ErrMissingElement is the error type that indicates an element and/or attribute is
//missing. It provides a structured error that can be more appropriately acted
//upon.
type ErrMissingElement struct {
Tag, Attribute string
}
type ErrVerification struct {
Cause error
}
func (e ErrVerification) Error() string {
return fmt.Sprintf("error validating response: %s", e.Cause.Error())
}
//ErrMissingAssertion indicates that an appropriate assertion element could not
//be found in the SAML Response
var (
ErrMissingAssertion = ErrMissingElement{Tag: AssertionTag}
)
func (e ErrMissingElement) Error() string {
if e.Attribute != "" {
return fmt.Sprintf("missing %s attribute on %s element", e.Attribute, e.Tag)
}
return fmt.Sprintf("missing %s element", e.Tag)
}
//RetrieveAssertionInfo takes an encoded response and returns the AssertionInfo
//contained, or an error message if an error has been encountered.
func (sp *SAMLServiceProvider) RetrieveAssertionInfo(encodedResponse string) (*AssertionInfo, error) {
assertionInfo := &AssertionInfo{
Values: make(Values),
}
response, err := sp.ValidateEncodedResponse(encodedResponse)
if err != nil {
return nil, ErrVerification{Cause: err}
}
// TODO: Support multiple assertions
if len(response.Assertions) == 0 {
return nil, ErrMissingAssertion
}
assertion := response.Assertions[0]
assertionInfo.Assertions = response.Assertions
assertionInfo.ResponseSignatureValidated = response.SignatureValidated
warningInfo, err := sp.VerifyAssertionConditions(&assertion)
if err != nil {
return nil, err
}
//Get the NameID
subject := assertion.Subject
if subject == nil {
return nil, ErrMissingElement{Tag: SubjectTag}
}
nameID := subject.NameID
if nameID == nil {
return nil, ErrMissingElement{Tag: NameIdTag}
}
assertionInfo.NameID = nameID.Value
//Get the actual assertion attributes
attributeStatement := assertion.AttributeStatement
if attributeStatement == nil && !sp.AllowMissingAttributes {
return nil, ErrMissingElement{Tag: AttributeStatementTag}
}
if attributeStatement != nil {
for _, attribute := range attributeStatement.Attributes {
assertionInfo.Values[attribute.Name] = attribute
}
}
if assertion.AuthnStatement != nil {
if assertion.AuthnStatement.AuthnInstant != nil {
assertionInfo.AuthnInstant = assertion.AuthnStatement.AuthnInstant
}
if assertion.AuthnStatement.SessionNotOnOrAfter != nil {
assertionInfo.SessionNotOnOrAfter = assertion.AuthnStatement.SessionNotOnOrAfter
}
assertionInfo.SessionIndex = assertion.AuthnStatement.SessionIndex
}
assertionInfo.WarningInfo = warningInfo
return assertionInfo, nil
}