[shibboleth-sp2] 15/29: https://issues.shibboleth.net/jira/browse/SSPCPP-380
Ferenc Wágner
wferi-guest at moszumanska.debian.org
Tue Jan 26 21:30:27 UTC 2016
This is an automated email from the git hooks/post-receive script.
wferi-guest pushed a commit to annotated tag 2.4.3
in repository shibboleth-sp2.
commit a6d73bf47a73972d76b34d915929544b64303466
Author: Scott Cantor <cantor.2 at osu.edu>
Date: Sat Jun 25 05:21:50 2011 +0000
https://issues.shibboleth.net/jira/browse/SSPCPP-380
---
adfs/adfs.cpp | 15 ++++++++++++---
shibsp/handler/impl/SAML1Consumer.cpp | 21 ++++++++++++++++-----
shibsp/handler/impl/SAML2Consumer.cpp | 15 ++++++++++++---
3 files changed, 40 insertions(+), 11 deletions(-)
diff --git a/adfs/adfs.cpp b/adfs/adfs.cpp
index 5d89ecb..c49ec99 100644
--- a/adfs/adfs.cpp
+++ b/adfs/adfs.cpp
@@ -658,9 +658,18 @@ void ADFSConsumer::implementProtocol(
pair<bool,unsigned int> authnskew = sessionProps ? sessionProps->getUnsignedInt("maxTimeSinceAuthn") : pair<bool,unsigned int>(false,0);
const saml1::AuthenticationStatement* ssoStatement=saml1token->getAuthenticationStatements().front();
- if (authnskew.first && authnskew.second &&
- ssoStatement->getAuthenticationInstant() && (now - ssoStatement->getAuthenticationInstantEpoch() > authnskew.second))
- throw FatalProfileException("The gap between now and the time you logged into your identity provider exceeds the limit.");
+ if (ssoStatement->getAuthenticationInstant()) {
+ if (ssoStatement->getAuthenticationInstantEpoch() - XMLToolingConfig::getConfig().clock_skew_secs > now) {
+ throw FatalProfileException("The login time at your identity provider was future-dated.");
+ }
+ else if (authnskew.first && authnskew.second && ssoStatement->getAuthenticationInstantEpoch() <= now &&
+ (now - ssoStatement->getAuthenticationInstantEpoch() > authnskew.second)) {
+ throw FatalProfileException("The gap between now and the time you logged into your identity provider exceeds the allowed limit.");
+ }
+ }
+ else if (authnskew.first && authnskew.second) {
+ throw FatalProfileException("Your identity provider did not supply a time of login, violating local policy.");
+ }
// Address checking.
saml1::SubjectLocality* locality = ssoStatement->getSubjectLocality();
diff --git a/shibsp/handler/impl/SAML1Consumer.cpp b/shibsp/handler/impl/SAML1Consumer.cpp
index 0a82306..46ef55c 100644
--- a/shibsp/handler/impl/SAML1Consumer.cpp
+++ b/shibsp/handler/impl/SAML1Consumer.cpp
@@ -39,6 +39,7 @@
# include <saml/saml1/core/Assertions.h>
# include <saml/saml1/core/Protocols.h>
# include <saml/saml2/metadata/Metadata.h>
+# include <xmltooling/XMLToolingConfig.h>
# include <xmltooling/io/HTTPRequest.h>
# include <xmltooling/util/DateTime.h>
using namespace opensaml::saml1;
@@ -211,7 +212,8 @@ void SAML1Consumer::implementProtocol(
// Extract message bits and re-verify Issuer information.
extractMessageDetails(
- *(*a), (minor.first && minor.second==0) ? samlconstants::SAML10_PROTOCOL_ENUM : samlconstants::SAML11_PROTOCOL_ENUM, policy
+ *(*a),
+ (minor.first && minor.second==0) ? samlconstants::SAML10_PROTOCOL_ENUM : samlconstants::SAML11_PROTOCOL_ENUM, policy
);
// Run the policy over the assertion. Handles replay, freshness, and
@@ -227,11 +229,20 @@ void SAML1Consumer::implementProtocol(
tokens.push_back(*a);
// Save off the first valid SSO statement.
- const vector<AuthenticationStatement*>& statements = const_cast<const saml1::Assertion*>(*a)->getAuthenticationStatements();
+ const vector<AuthenticationStatement*>& statements =
+ const_cast<const saml1::Assertion*>(*a)->getAuthenticationStatements();
for (vector<AuthenticationStatement*>::const_iterator s = statements.begin(); s!=statements.end(); ++s) {
- if (authnskew.first && authnskew.second &&
- (*s)->getAuthenticationInstant() && (now - (*s)->getAuthenticationInstantEpoch() > authnskew.second))
- contextualError = "The gap between now and the time you logged into your identity provider exceeds the limit.";
+ if ((*s)->getAuthenticationInstant() &&
+ (*s)->getAuthenticationInstantEpoch() - XMLToolingConfig::getConfig().clock_skew_secs > now) {
+ contextualError = "The login time at your identity provider was future-dated.";
+ }
+ else if (authnskew.first && authnskew.second && (*s)->getAuthenticationInstant() &&
+ (*s)->getAuthenticationInstantEpoch() <= now && (now - (*s)->getAuthenticationInstantEpoch() > authnskew.second)) {
+ contextualError = "The gap between now and the time you logged into your identity provider exceeds the allowed limit.";
+ }
+ else if (authnskew.first && authnskew.second && (*s)->getAuthenticationInstant() == nullptr) {
+ contextualError = "Your identity provider did not supply a time of login, violating local policy.";
+ }
else if (!ssoStatement) {
ssoStatement = *s;
break;
diff --git a/shibsp/handler/impl/SAML2Consumer.cpp b/shibsp/handler/impl/SAML2Consumer.cpp
index 9e939dc..6af77e7 100644
--- a/shibsp/handler/impl/SAML2Consumer.cpp
+++ b/shibsp/handler/impl/SAML2Consumer.cpp
@@ -238,10 +238,19 @@ void SAML2Consumer::implementProtocol(
// Save off the first valid SSO statement, but favor the "soonest" session expiration.
const vector<AuthnStatement*>& statements = const_cast<const saml2::Assertion*>(*a)->getAuthnStatements();
for (vector<AuthnStatement*>::const_iterator s = statements.begin(); s!=statements.end(); ++s) {
- if (authnskew.first && authnskew.second && (*s)->getAuthnInstant() && (now - (*s)->getAuthnInstantEpoch() > authnskew.second))
- contextualError = "The gap between now and the time you logged into your identity provider exceeds the limit.";
- else if (!ssoStatement || (*s)->getSessionNotOnOrAfterEpoch() < ssoStatement->getSessionNotOnOrAfterEpoch())
+ if ((*s)->getAuthnInstant() && (*s)->getAuthnInstantEpoch() - XMLToolingConfig::getConfig().clock_skew_secs > now) {
+ contextualError = "The login time at your identity provider was future-dated.";
+ }
+ else if (authnskew.first && authnskew.second && (*s)->getAuthnInstant() &&
+ (*s)->getAuthnInstantEpoch() <= now && (now - (*s)->getAuthnInstantEpoch() > authnskew.second)) {
+ contextualError = "The gap between now and the time you logged into your identity provider exceeds the allowed limit.";
+ }
+ else if (authnskew.first && authnskew.second && (*s)->getAuthnInstant() == nullptr) {
+ contextualError = "Your identity provider did not supply a time of login, violating local policy.";
+ }
+ else if (!ssoStatement || (*s)->getSessionNotOnOrAfterEpoch() < ssoStatement->getSessionNotOnOrAfterEpoch()) {
ssoStatement = *s;
+ }
}
// Save off the first valid Subject, but favor an unencrypted NameID over anything else.
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-shibboleth/shibboleth-sp2.git
More information about the Pkg-shibboleth-devel
mailing list