MojoX-Authentication
view release on metacpan or search on metacpan
lib/MojoX/Authentication/Model/SAML2.pm view on Meta::CPAN
key => $sp_conf->{key}, # to sign the redirect
param => 'SAMLRequest', # what's this about
url => $sso_url, # where it's heading to
(defined($sig_hash) ? (sig_hash => $sig_hash) : ()),
);
my $url = $redirect->sign($authnreq->as_xml);
return ($id, $url);
}
sub load_user ($s, $A, $key) { return $s->cache->get(__key(user => $key)) }
# TODO FIXME this is an occasion to implement some clever redirection in
# the Controller to implement the logout properly (i.e. forwarding to the
# server, not just "consider this user gone here"). But we're not there
# yet, sorry!
sub logout ($self, $controller, $user) {
$self->wipe_user($user);
$controller->logout;
return;
}
sub _normalize_user ($s, $user) { return $s->remap($user, $s->remaps) }
sub parse_assertion ($self, $id, $response) {
defined($response) or ouch 400, 'No SAMLResponse';
defined($id)
or ouch 400, 'Not expecting anything SAML-related', 'undefined id';
my $reqts = $self->cache->get(__key(authnreq_id => $id))
or ouch 400, 'Not expecting anything SAML-related', 'unknown id';
time() <= $reqts->{ts} + 30
or ouch 400, 'Not expecting anything SAML-related', 'expired id';
my $xml_response =
Net::SAML2::Binding::POST->new->handle_response($response);
# the module insists on a file-based CA certificate...
my ($fh, $cacert_path) = tempfile();
print {$fh} join "\n\n", $self->idp->cert('signing')->@*;
close $fh;
my $sp_conf = $self->sp_configuration;
my $assertion = Net::SAML2::Protocol::Assertion->new_from_xml(
xml => $xml_response,
key_file => $sp_conf->{key},
cacert => $cacert_path,
);
unlink $cacert_path;
$assertion->valid($sp_conf->{identifier}, $id)
or ouch 400, 'Invalid SAMLResponse';
my $uid = $assertion->nameid;
my $user = $self->_normalize_user(
{ $assertion->attributes->%*, $self->user_key => $uid, });
$self->_cache_user($user);
return $user;
}
# this should never (arguably) be called if "auto_validate" in
# Mojolicious::Plugin::Authentication is used. Anyway...
sub validate_user ($self, $controller, $name, $secret, $extra) {
...;
return defined($self->load_user($name)) ? $name : undef;
}
sub wipe_user ($self, $user) { $self->cache->wipe(__key(user => $user)) }
1;
( run in 0.455 second using v1.01-cache-2.11-cpan-0b5f733616e )