Merge pull request #160 from timlegge/post-support-2023-02-06

Initial support for sending requests via HTTP-POST

Author: timlegge

lib/Net/SAML2/Binding/POST.pm

@@ -4,6 +4,7 @@ package Net::SAML2::Binding::POST;
 # VERSION
 
 use Moose;
+use Carp qw(croak);
 
 # ABSTRACT: Net::SAML2::Binding::POST - HTTP POST binding for SAML
 
@@ -27,6 +28,8 @@ Net::SAML2::Binding::POST - HTTP POST binding for SAML2
 use Net::SAML2::XML::Sig;
 use MIME::Base64 qw/ decode_base64 /;
 use Crypt::OpenSSL::Verify;
+use MIME::Base64;
+use URI::Escape;
 
 with 'Net::SAML2::Role::VerifyXML';
 
@@ -49,6 +52,9 @@ path to the CA certificate for verification
 has 'cert_text' => (isa => 'Str', is => 'ro');
 has 'cacert' => (isa => 'Maybe[Str]', is => 'ro');
 
+has 'cert' => (isa => 'Str', is => 'ro', required => 0, predicate => 'has_cert');
+has 'key'  => (isa => 'Str', is => 'ro', required => 0, predicate => 'has_key');
+
 =head2 handle_response( $response )
 
 Decodes and verifies the response provided, which should be the raw
@@ -76,4 +82,50 @@ sub handle_response {
     return $xml;
 }
 
+=head2 sign_xml( $request )
+
+Sign and encode the SAMLRequest.
+
+=cut
+
+sub sign_xml {
+    my ($self, $request) = @_;
+
+    croak("Need to have a cert specified") unless $self->has_cert;
+    croak("Need to have a key specified") unless $self->has_key;
+
+    my $signer = XML::Sig->new({
+                        key => $self->key,
+                        cert => $self->cert,
+                        no_xml_declaration => 1,
+                    }
+                );
+
+    my $signed_message = $signer->sign($request);
+
+    # saml-schema-protocol-2.0.xsd Schema hack
+    #
+    # The real fix here is to fix XML::Sig to accept a XPATH to
+    # place the signature in the correct location.  Or use XML::LibXML
+    # here to do so
+    #
+    # The protocol schema defines a sequence which requires the order
+    # of the child elements in a Protocol based message:
+    #
+    # The dsig:Signature (should it exist) MUST follow the saml:Issuer
+    #
+    # 1: saml:Issuer
+    # 2: dsig:Signature
+    #
+    # Seems like an oversight in the SAML schema specifiation but...
+
+    $signed_message =~ s!(<dsig:Signature.*?</dsig:Signature>)!!s;
+    my $signature = $1;
+    $signed_message =~ s/(<\/saml\d*:Issuer>)/$1$signature/;
+
+    my $encoded_request = encode_base64($signed_message, "\n");
+
+    return $encoded_request;
+
+}
 __PACKAGE__->meta->make_immutable;

lib/Net/SAML2/SP.pm

@@ -424,6 +424,37 @@ sub artifact_request {
     return $artifact_request;
 }
 
+=head2 sp_post_binding ( $idp, $param )
+
+Returns a POST binding object for this SP, configured against the
+given IDP for Single Sign On. $param specifies the name of the query
+parameter involved - typically C<SAMLRequest>.
+
+=cut
+
+sub sp_post_binding {
+    my ($self, $idp, $param) = @_;
+
+    unless ($idp) {
+        croak("Unable to create a post binding without an IDP");
+    }
+
+    $param //= 'SAMLRequest';
+
+    my $post = Net::SAML2::Binding::POST->new(
+        url   => $idp->sso_url('urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST'),
+        cert  => ($self->cert,),
+        $self->authnreq_signed ? (
+            key   => $self->key,
+        ) : (
+            insecure => 1,
+        ),
+        param => $param,
+    );
+
+    return $post;
+}
+
 =head2 sso_redirect_binding( $idp, $param )
 
 Returns a Redirect binding object for this SP, configured against the

t/23-post-binding.t

@@ -0,0 +1,76 @@
+use strict;
+use warnings;
+use Test::Lib;
+use Test::Net::SAML2;
+use URI;
+use MIME::Base64 qw/decode_base64/;
+
+use Net::SAML2::IdP;
+use Net::SAML2::Binding::Redirect;
+use XML::Sig;
+
+my $sp = net_saml2_sp();
+
+my $metadata = path('t/idp-metadata.xml')->slurp;
+
+my $idp = Net::SAML2::IdP->new_from_xml(
+    xml    => $metadata,
+    cacert => 't/cacert.pem'
+);
+isa_ok($idp, "Net::SAML2::IdP");
+
+my $sso_url = $idp->sso_url($idp->binding('post'));
+is(
+    $sso_url,
+    'http://sso.dev.venda.com/opensso/SSOPOST/metaAlias/idp',
+    'POST URI is correct'
+);
+
+my $authnreq = $sp->authn_request(
+    $idp->entityid,
+    $idp->format('persistent')
+)->as_xml;
+
+my $xp = get_xpath($authnreq);
+
+my $post = $sp->sp_post_binding($idp, 'SAMLRequest');
+isa_ok($post, 'Net::SAML2::Binding::POST');
+
+my $post_request = $post->sign_xml($authnreq);
+
+my $request = decode_base64($post_request);
+
+like(
+    $request,
+    qr#\Q<saml2:Issuer>Some%20entity%20ID</saml2:Issuer>\E#,
+    "Authn request checks out"
+);
+
+my $signer = XML::Sig->new();
+ok($signer->verify($request), "Valid Signature");
+
+my %logout_params;
+
+my $logoutreq = $sp->logout_request(
+    $idp->slo_url('urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST'),
+    'timlegge@cpan.org',
+    $idp->format || undef,
+    '94750270472009384017107023022',
+    \%logout_params,
+)->as_xml;
+
+$post = $sp->sp_post_binding($idp, 'SAMLRequest');
+
+$post_request = $post->sign_xml($logoutreq);
+$request = decode_base64($post_request);
+
+like(
+    $request,
+    qr#\Q<samlp:SessionIndex>94750270472009384017107023022</samlp:SessionIndex>\E#,
+    "LogoutRequest checks out"
+);
+
+$signer = XML::Sig->new();
+ok($signer->verify($request), "Valid Signature");
+
+done_testing;