MojoX-Authentication

 view release on metacpan or  search on metacpan

lib/MojoX/Authentication/Model/SAML2.pm  view on Meta::CPAN

      key   => $sp_conf->{key},    # to sign the redirect
      param => 'SAMLRequest',      # what's this about
      url   => $sso_url,           # where it's heading to
      (defined($sig_hash) ? (sig_hash => $sig_hash) : ()),
   );
   my $url = $redirect->sign($authnreq->as_xml);

   return ($id, $url);
}

sub load_user ($s, $A, $key) { return $s->cache->get(__key(user => $key)) }

# TODO FIXME this is an occasion to implement some clever redirection in
# the Controller to implement the logout properly (i.e. forwarding to the
# server, not just "consider this user gone here"). But we're not there
# yet, sorry!
sub logout ($self, $controller, $user) {
   $self->wipe_user($user);
   $controller->logout;
   return;
}

sub _normalize_user ($s, $user) { return $s->remap($user, $s->remaps) }

sub parse_assertion ($self, $id, $response) {
   defined($response) or ouch 400, 'No SAMLResponse';
   defined($id)
      or ouch 400, 'Not expecting anything SAML-related', 'undefined id';
   my $reqts = $self->cache->get(__key(authnreq_id => $id))
      or ouch 400, 'Not expecting anything SAML-related', 'unknown id';
   time() <= $reqts->{ts} + 30
      or ouch 400, 'Not expecting anything SAML-related', 'expired id';

   my $xml_response =
      Net::SAML2::Binding::POST->new->handle_response($response);

   # the module insists on a file-based CA certificate...
   my ($fh, $cacert_path) = tempfile();
   print {$fh} join "\n\n", $self->idp->cert('signing')->@*;
   close $fh;

   my $sp_conf = $self->sp_configuration;
   my $assertion = Net::SAML2::Protocol::Assertion->new_from_xml(
      xml => $xml_response,
      key_file => $sp_conf->{key},
      cacert => $cacert_path,
   );
   unlink $cacert_path;

   $assertion->valid($sp_conf->{identifier}, $id)
     or ouch 400, 'Invalid SAMLResponse';

   my $uid = $assertion->nameid;
   my $user = $self->_normalize_user(
      { $assertion->attributes->%*, $self->user_key => $uid, });
   $self->_cache_user($user);

   return $user;
}

# this should never (arguably) be called if "auto_validate" in
# Mojolicious::Plugin::Authentication is used. Anyway...
sub validate_user ($self, $controller, $name, $secret, $extra) {
   ...;
   return defined($self->load_user($name)) ? $name : undef;
}

sub wipe_user ($self, $user) { $self->cache->wipe(__key(user => $user)) }

1;



( run in 0.455 second using v1.01-cache-2.11-cpan-0b5f733616e )