1
  
2
  
3
  
4
  
5
  
6
  
7
  
8
  
9
  
10
  
11
  
12
  
13
  
14
  
15
  
16
  
17
  
18
  
19
  
20
  
21
  
22
  
23
  
24
  
25
  
26
  
27
  
28
  
29
  
30
  
31
  
32
  
33
  
34
  
35
  
36
  
37
  
38
  
39
  
40
  
41
  
42
  
43
  
44
  
45
  
46
  
47
  
48
  
49
  
50
  
51
  
52
  
53
  
54
  
55
  
56
  
57
  
58
  
59
  
60
  
61
  
62
  
63
  
64
  
65
  
66
  
67
  
68
  
69
  
70
  
71
  
72
  
73
  
74
  
75
  
76
  
77
  
78
  
79
  
80
  
81
  
82
  
83
  
84
  
85
  
86
  
87
  
88
  
89
  
90
  
91
  
92
  
93
  
94
  
95
  
96
  
97
  
98
  
99
  
100
  
101
  
102
  
103
  
104
  
105
  
106
  
107
  
108
  
109
  
110
  
111
  
112
  
113
  
114
  
115
  
116
  
117
  
118
  
119
  
120
  
121
  
122
  
123
  
124
  
125
  
126
  
127
  
128
  
129
  
130
  
131
  
132
  
133
  
134
  
135
  
136
  
137
  
138
  
139
  
140
  
141
  
142
  
143
  
144
  
145
  
146
  
147
  
148
  
149
  
150
  
151
  
152
  
153
  
#pike __REAL_VERSION__ 
 
inherit @module@ : ZXID; 
 
final constant dont_dump_module = 1; 
 
#if constant(@module@.Configuration) 
//! Convert a mapping of query variables to a query string. 
string(0..255) mapping_to_query(mapping(string(0..255):string(0..255)) map) 
{ 
  return predef::map((array(array(string)))map, 
                     lambda(array(string) pair) { 
                       return predef::map(pair, 
                                          Protocols.HTTP.percent_encode) * "="; 
                     }) * "&"; 
} 
 
//! 
class Configuration 
{ 
  inherit ZXID::Configuration : Configuration; 
 
  mapping(string(0..255):string(0..255)|array(string(0..255))) 
  parse_conf_file(string file) 
  { 
    mapping(string(0..255):string(0..255)) conf = ([]); 
 
    if (!Stdio.exist(file)) return conf; 
 
    Stdio.File f = Stdio.File(file, "r"); 
    foreach(f->line_iterator(1);; string line) { 
      foreach(line/"&", string frag) { 
        sscanf(frag, "%*[ \t]%s=%s", string name, string val); 
        if (!sizeof(name) || (name[0] == '#') || !val) continue; 
        conf[Protocols.HTTP.uri_decode(name)] = Protocols.HTTP.uri_decode(val); 
      } 
    } 
    return conf; 
  } 
 
  protected string url = "/"; 
 
  // Perform some parsing here. 
  protected void create(mapping(string(0..255):string(0..255)|array(string(0..255))) conf) 
  { 
    conf += ([]); 
    while(1) { 
      url = conf->URL || url; 
      if (stringp(conf->REDIRECT_HACK_ZXID_URL)) { 
        array(string(0..255)) a = conf->REDIRECT_HACK_ZXID_URL/"?"; 
        if (sizeof(a) > 1) { 
          conf->REDIRECT_HACK_ZXID_QS = a[1..]*"?"; 
        } 
        conf->REDIRECT_HACK_ZXID_URL = a[0]; 
      } 
      if (stringp(conf->REQUIRED_AUTHNCTX)) { 
        conf->REQUIRED_AUTHNCTX /= "$"; 
      } 
      ::create(conf); 
      if (conf->PATH) { 
        // Recurse. 
        conf = parse_conf_file(combine_path(conf->PATH, "zxid.conf")); 
 
        // FIXME: Loop detection. 
        continue; 
      } 
      break; 
    } 
  } 
 
  //! 
  class Session 
  { 
    inherit Configuration::Session; 
 
    //! 
    mapping(string:mixed) auth_info; 
 
    //! 
    mapping(string:mixed) get_auth_info() 
    { 
      return auth_info; 
    } 
 
    //! Authenticate via SAML given the query-string @[query]. 
    //! 
    //! @returns 
    //!   @mixed 
    //!     @type mapping(string(0..255):string(0..255)) 
    //!       Returns a mapping when interaction with the browser 
    //!       is needed. 
    //!     @type string 
    //!       Returns a string to ask for some specific actions. 
    //!     @type zero 
    //!       Returns @expr{0@} (zero) on successfull authentication. 
    //!       @[auth_info] will be set with the corresponding user information. 
    //!   @endmixed 
    //! 
    //! @throws 
    //!   Throws errors on most error conditions. 
    mixed authenticate(string(0..255) uri_path, 
                       string(0..255)|mapping(string(0..255):string(0..255)) query) 
    { 
      if (mappingp(query)) query = mapping_to_query(query); 
      string raw_res = ::authenticate(uri_path, query); 
 
      switch(sizeof(raw_res) && raw_res[0]) { 
      case '*': // Error. 
        error("SAML authentication failure: %s\n", raw_res[1..]); 
      case '<': // HTML-content. 
        return ([ "data":raw_res, "type":"text/html" ]); 
      case 'L': // Location header. 
        if (!has_prefix(raw_res, "Location:")) break; 
        raw_res = 
          String.trim((raw_res/"\r\n")[0][sizeof("Location:")..]); 
 
        if (has_prefix(raw_res, "?")) { 
          // Prefix with the URL. 
          raw_res = url + raw_res; 
        } 
        return ([ "error":Protocols.HTTP.HTTP_FOUND, 
                  "rettext":"Redirect to " + raw_res, 
                  "extra_heads":([ "Location":raw_res ]) ]); 
      case 'n': // NOOP. 
        break; 
      case 'b': // Send SP metadata. 
        // Should be handled by the C-layer already. 
        break; 
      case 'c': // Send SP CARML declaration. 
        // Should be handled by the C-layer already. 
        break; 
      case 'e': // Send IdP selection page. 
        break; 
      case 'a': // Send authentication page (usually on the IdP). 
        break; 
      case 'd': // Authentication completed. LDIF-entry. 
        break; 
      case 'z': // Authentication failure. 
        auth_info = UNDEFINED; 
        return 0; 
      case '{': // Success, JSON result. 
        auth_info = Standards.JSON.decode(raw_res); 
        return 0; 
      default: 
        error("Unknown SAML response: %O\n", raw_res[..30]); 
      } 
      return raw_res; 
    } 
  } 
 
} 
#endif