/* $Id$

 *

 * Lasso - A free implementation of the Liberty Alliance specifications.

 *

 * Copyright (C) 2004-2007 Entr'ouvert

 * http://lasso.entrouvert.org

 *

 * Authors: See AUTHORS file in top-level directory.

 *

 * This program is free software; you can redistribute it and/or modify

 * it under the terms of the GNU General Public License as published by

 * the Free Software Foundation; either version 2 of the License, or

 * (at your option) any later version.

 *

 * This program is distributed in the hope that it will be useful,

 * but WITHOUT ANY WARRANTY; without even the implied warranty of

 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

 * GNU General Public License for more details.

 *

 * You should have received a copy of the GNU General Public License

 * along with this program; if not, see <http://www.gnu.org/licenses/>.

 */

#include "../xml/private.h"

#include <libxml/xpath.h>

#include <libxml/xpathInternals.h>

#include "providerprivate.h"

#include "loginprivate.h"

#include "profileprivate.h"

#include "federationprivate.h"

#include "saml2_helper.h"

#include "../id-ff/providerprivate.h"

#include "../id-ff/serverprivate.h"

#include "../id-ff/login.h"

#include "../id-ff/identityprivate.h"

#include "../id-ff/sessionprivate.h"

#include "../id-ff/loginprivate.h"

#include "../xml/ecp/ecp_relaystate.h"

#include "../xml/paos_response.h"

#include "../xml/xml_enc.h"

#include "../xml/saml-2.0/samlp2_authn_request.h"

#include "../xml/saml-2.0/samlp2_response.h"

#include "../xml/saml-2.0/saml2_assertion.h"

#include "../xml/saml-2.0/saml2_audience_restriction.h"

#include "../xml/saml-2.0/saml2_authn_statement.h"

#include "../xml/saml-2.0/saml2_encrypted_element.h"

#include "../xml/saml-2.0/saml2_attribute.h"

#include "../xml/saml-2.0/saml2_attribute_statement.h"

#include "../xml/saml-2.0/saml2_attribute_value.h"

#include "../xml/saml-2.0/saml2_name_id.h"

#include "../xml/saml-2.0/saml2_xsd.h"

#include "../xml/saml-2.0/samlp2_artifact_response.h"

#include "../utils.h"

static int lasso_saml20_login_process_federation(LassoLogin *login, gboolean is_consent_obtained);

static gboolean lasso_saml20_login_must_ask_for_consent_private(LassoLogin *login);

static gint lasso_saml20_login_process_response_status_and_assertion(LassoLogin *login);

static char* lasso_saml20_login_get_assertion_consumer_service_url(LassoLogin *login,

		LassoProvider *remote_provider);

static gboolean _lasso_login_must_verify_signature(LassoProfile *profile) G_GNUC_UNUSED;

static gboolean _lasso_login_must_verify_authn_request_signature(LassoProfile *profile);

/* No need to check type of arguments, it has been done in lasso_login_* methods */

gint

lasso_saml20_login_init_authn_request(LassoLogin *login, LassoHttpMethod http_method)

{

	LassoProfile *profile = NULL;

	LassoSamlp2RequestAbstract *request = NULL;

	gchar *default_name_id_format = NULL;

	int rc = 0;

	profile = &login->parent;

	/* new */

	request = (LassoSamlp2RequestAbstract*)lasso_samlp2_authn_request_new();

	lasso_check_good_rc(lasso_saml20_profile_init_request(profile, profile->remote_providerID, FALSE,

				request, http_method, LASSO_MD_PROTOCOL_TYPE_SINGLE_SIGN_ON));

	/* FIXME: keep old behaviour */

	login->http_method = login->parent.http_request_method;

	/* save request ID, for later check */

	lasso_assign_string(login->private_data->request_id, request->ID);

	/* set name id policy */

	lasso_assign_new_gobject(LASSO_SAMLP2_AUTHN_REQUEST(request)->NameIDPolicy,

			lasso_samlp2_name_id_policy_new());

	/* set name id policy format */

	/* no need to check server, done in init_request */

	default_name_id_format = lasso_provider_get_metadata_one_for_role(&profile->server->parent,

			LASSO_PROVIDER_ROLE_SP, "NameIDFormat");

	if (default_name_id_format) {

		/* steal the string */

		lasso_assign_new_string(LASSO_SAMLP2_AUTHN_REQUEST(request)->NameIDPolicy->Format,

				default_name_id_format);

	} else {

		lasso_assign_string(LASSO_SAMLP2_AUTHN_REQUEST(request)->NameIDPolicy->Format,

			LASSO_SAML2_NAME_IDENTIFIER_FORMAT_TRANSIENT);

	}

cleanup:

	lasso_release_gobject(request);

	return rc;

}

static gboolean want_authn_request_signed(LassoProvider *provider) {

	char *s;

	gboolean rc = FALSE;

	s = lasso_provider_get_metadata_one_for_role(provider, LASSO_PROVIDER_ROLE_IDP,

			LASSO_SAML2_METADATA_ATTRIBUTE_WANT_AUTHN_REQUEST_SIGNED);

	if (lasso_strisequal(s,"false")) {

		rc = FALSE;

	}

	lasso_release_string(s);

	return rc;

}

static gboolean authn_request_signed(LassoProvider *provider) {

	char *s;

	gboolean rc = FALSE;

	s = lasso_provider_get_metadata_one_for_role(provider, LASSO_PROVIDER_ROLE_SP,

			LASSO_SAML2_METADATA_ATTRIBUTE_AUTHN_REQUEST_SIGNED);

	if (lasso_strisequal(s,"true")) {

		rc = TRUE;

	}

	lasso_release_string(s);

	return rc;

}

static gboolean

_lasso_login_must_sign_non_authn_request(LassoLogin *profile)

{

	switch (lasso_profile_get_signature_hint(&profile->parent)) {

		case LASSO_PROFILE_SIGNATURE_HINT_MAYBE:

			return lasso_flag_add_signature;

		case LASSO_PROFILE_SIGNATURE_HINT_FORCE:

			return TRUE;

		case LASSO_PROFILE_SIGNATURE_HINT_FORBID:

			return FALSE;

		default:

			return TRUE;

	}

}

static gboolean

_lasso_login_must_sign(LassoProfile *profile)

{

	gboolean ret;

	LassoProvider *remote_provider;

	remote_provider = lasso_server_get_provider(profile->server,

			profile->remote_providerID);

	switch (lasso_profile_get_signature_hint(profile)) {

		case LASSO_PROFILE_SIGNATURE_HINT_MAYBE:

			/* If our metadatas say that we sign, then we sign,

			 * If the IdP says that he wants our signature, then we sign

			 * Otherwise we do not.

			 */

			ret = authn_request_signed(&profile->server->parent)

				|| want_authn_request_signed(remote_provider);

			return ret;

		case LASSO_PROFILE_SIGNATURE_HINT_FORCE:

			return TRUE;

		case LASSO_PROFILE_SIGNATURE_HINT_FORBID:

			return FALSE;

	}

	g_assert(0);

	return TRUE;

}

static gboolean

_lasso_login_must_verify_authn_request_signature(LassoProfile *profile) {

	LassoProvider *remote_provider;

	remote_provider = lasso_server_get_provider(profile->server,

			profile->remote_providerID);

	switch (lasso_profile_get_signature_verify_hint(profile)) {

			/* If our metadatas say that we want signature, then we verify,

			 * If the SP says that he signs, then we verify

			 * Otherwise we do not.

			 */

		case LASSO_PROFILE_SIGNATURE_VERIFY_HINT_MAYBE:

			return want_authn_request_signed(&profile->server->parent) ||

				authn_request_signed(remote_provider);

		case LASSO_PROFILE_SIGNATURE_VERIFY_HINT_IGNORE:

			return FALSE;

		case LASSO_PROFILE_SIGNATURE_VERIFY_HINT_FORCE:

			return TRUE;

		case LASSO_PROFILE_SIGNATURE_VERIFY_HINT_LAST:

			break;

	}

	g_assert(0);

	return TRUE;

}

static gboolean

_lasso_login_must_verify_signature(LassoProfile *profile) {

	switch (lasso_profile_get_signature_verify_hint(profile)) {

		case LASSO_PROFILE_SIGNATURE_VERIFY_HINT_MAYBE:

			return lasso_flag_verify_signature;

		case LASSO_PROFILE_SIGNATURE_VERIFY_HINT_IGNORE:

			return FALSE;

		case LASSO_PROFILE_SIGNATURE_VERIFY_HINT_FORCE:

			return TRUE;

		case LASSO_PROFILE_SIGNATURE_VERIFY_HINT_LAST:

			break;

	}

	g_assert(0);

	return TRUE;

}

gint

lasso_saml20_login_build_authn_request_msg(LassoLogin *login)

{

	char *url = NULL;

	gboolean must_sign = TRUE;

	LassoProfile *profile;

	LassoSamlp2AuthnRequest *authn_request;

	int rc = 0;

	profile = &login->parent;

	lasso_extract_node_or_fail(authn_request, profile->request, SAMLP2_AUTHN_REQUEST,

			LASSO_PROFILE_ERROR_INVALID_REQUEST);

	/* default is to sign ! */

	must_sign = _lasso_login_must_sign(profile);

	if (! must_sign) {

		lasso_node_remove_signature(profile->request);

	}

	/* support old way of doing PAOS */

	if (login->http_method == LASSO_HTTP_METHOD_SOAP

			&& lasso_strisequal(authn_request->ProtocolBinding,LASSO_SAML2_METADATA_BINDING_PAOS)) {

		login->http_method = LASSO_HTTP_METHOD_PAOS;

	}

	if (login->http_method == LASSO_HTTP_METHOD_PAOS) {

		/*

		 * PAOS is special, the url passed to build_request is the

		 * AssertionConsumerServiceURL of this SP, not the

		 * destination.

		 */

		if (authn_request->AssertionConsumerServiceURL) {

			url = authn_request->AssertionConsumerServiceURL;

			if (!lasso_saml20_provider_check_assertion_consumer_service_url(

					LASSO_PROVIDER(profile->server), url, LASSO_SAML2_METADATA_BINDING_PAOS)) {

				rc = LASSO_PROFILE_ERROR_INVALID_REQUEST;

				goto cleanup;

			}

		} else {

			url = lasso_saml20_provider_get_assertion_consumer_service_url_by_binding(

					LASSO_PROVIDER(profile->server), LASSO_SAML2_METADATA_BINDING_PAOS);

			lasso_assign_new_string(authn_request->AssertionConsumerServiceURL, url);

		}

	}

	lasso_check_good_rc(lasso_saml20_profile_build_request_msg(profile, "SingleSignOnService",

				login->http_method, url));

cleanup:

	return rc;

}

int

lasso_saml20_login_process_authn_request_msg(LassoLogin *login, const char *authn_request_msg)

{

	LassoNode *request = NULL;

	LassoProfile *profile = LASSO_PROFILE(login);

	LassoSamlp2StatusResponse *response = NULL;

	LassoSamlp2AuthnRequest *authn_request = NULL;

	LassoProvider *remote_provider = NULL;

	LassoServer *server = NULL;

	const gchar *protocol_binding = NULL;

	const char *status1 = LASSO_SAML2_STATUS_CODE_RESPONDER;

	const char *status2 = NULL;

	int rc = 0;

	if (authn_request_msg == NULL) {

		if (profile->request == NULL) {

			return critical_error(LASSO_PROFILE_ERROR_MISSING_REQUEST);

		}

		/* AuthnRequest already set by .._init_idp_initiated_authn_request, or from a

		 * previously failed call to process_authn_request that we retry. */

		request = lasso_ref(profile->request);

	} else {

		request = lasso_samlp2_authn_request_new();

		lasso_check_good_rc(lasso_saml20_profile_process_any_request(profile, request, authn_request_msg));

	}

	if (! LASSO_IS_SAMLP2_AUTHN_REQUEST(request)) {

		return critical_error(LASSO_PROFILE_ERROR_INVALID_MSG);

	}

	authn_request = LASSO_SAMLP2_AUTHN_REQUEST(request);

	/* intialize the response */

	response = (LassoSamlp2StatusResponse*) lasso_samlp2_response_new();

	lasso_assign_string(response->InResponseTo,

			LASSO_SAMLP2_REQUEST_ABSTRACT(profile->request)->ID);

	/* reset response binding */

	login->protocolProfile = 0;

	/* find the remote provider */

	if (! authn_request->parent.Issuer || ! authn_request->parent.Issuer->content) {

		rc = LASSO_PROFILE_ERROR_INVALID_REQUEST;

		goto cleanup;

	}

	remote_provider = lasso_server_get_provider(profile->server, profile->remote_providerID);

	if (remote_provider == NULL) {

		rc = LASSO_PROFILE_ERROR_UNKNOWN_PROVIDER;

		goto cleanup;

	}

	lasso_extract_node_or_fail(server, lasso_profile_get_server(&login->parent), SERVER,

			LASSO_PROFILE_ERROR_MISSING_SERVER);

	remote_provider->role = LASSO_PROVIDER_ROLE_SP;

	server->parent.role = LASSO_PROVIDER_ROLE_IDP;

	if (((authn_request->ProtocolBinding != NULL) ||

			(authn_request->AssertionConsumerServiceURL != NULL)) &&

			(authn_request->AssertionConsumerServiceIndex != -1))

	{

		rc = LASSO_PROFILE_ERROR_INVALID_REQUEST;

		goto cleanup;

	}

	/* try to find a protocol profile for sending the response */

	protocol_binding = authn_request->ProtocolBinding;

	if (protocol_binding || authn_request->AssertionConsumerServiceURL)

	{

		if (authn_request->AssertionConsumerServiceURL) {

			if (protocol_binding) {

				if (! lasso_saml20_provider_check_assertion_consumer_service_url(

							remote_provider, 

							authn_request->AssertionConsumerServiceURL,

							authn_request->ProtocolBinding)) {

					// Sent ACS URL is unknown

					rc = LASSO_PROFILE_ERROR_INVALID_PROTOCOLPROFILE;

					goto cleanup;

				}

			} else {

				// Only ACS URL sent, choose the first associated binding

				protocol_binding = lasso_saml20_provider_get_assertion_consumer_service_binding_by_url(

						remote_provider, authn_request->AssertionConsumerServiceURL);

				if (! protocol_binding) {

					rc = LASSO_PROFILE_ERROR_INVALID_PROTOCOLPROFILE;

					goto cleanup;

				}

				lasso_assign_string(authn_request->ProtocolBinding,

						protocol_binding);

			}

		}

		if (lasso_strisequal(protocol_binding,LASSO_SAML2_METADATA_BINDING_ARTIFACT)) {

			login->protocolProfile = LASSO_LOGIN_PROTOCOL_PROFILE_BRWS_ART;

		} else if (lasso_strisequal(protocol_binding,LASSO_SAML2_METADATA_BINDING_POST)) {

			login->protocolProfile = LASSO_LOGIN_PROTOCOL_PROFILE_BRWS_POST;

		} else if (lasso_strisequal(protocol_binding,LASSO_SAML2_METADATA_BINDING_SOAP)) {

			login->protocolProfile = LASSO_LOGIN_PROTOCOL_PROFILE_BRWS_LECP;

		} else if (lasso_strisequal(protocol_binding,LASSO_SAML2_METADATA_BINDING_REDIRECT)) {

			login->protocolProfile = LASSO_LOGIN_PROTOCOL_PROFILE_REDIRECT;

			goto_cleanup_with_rc(LASSO_PROFILE_ERROR_INVALID_PROTOCOLPROFILE);

		} else if (lasso_strisequal(protocol_binding,LASSO_SAML2_METADATA_BINDING_PAOS)) {

			login->protocolProfile = LASSO_LOGIN_PROTOCOL_PROFILE_BRWS_LECP;

		} else {

			rc = LASSO_PROFILE_ERROR_INVALID_PROTOCOLPROFILE;

			goto cleanup;

		}

	} else {

		/* protocol binding not set; so it will look into

		 * AssertionConsumerServiceIndex

		 * Also, if AssertionConsumerServiceIndex is not set in request,

		 * its value will be -1, which is just the right value to get

		 * default assertion consumer...  (convenient)

		 */

		gchar *binding;

		int service_index = authn_request->AssertionConsumerServiceIndex;

		binding = lasso_saml20_provider_get_assertion_consumer_service_binding(

				remote_provider, service_index);

		if (binding == NULL) {

			if (service_index == -1) {

				goto_cleanup_with_rc(LASSO_LOGIN_ERROR_NO_DEFAULT_ENDPOINT);

			} else {

				goto_cleanup_with_rc(LASSO_PROFILE_ERROR_INVALID_PROTOCOLPROFILE);

			}

		} else if (lasso_strisequal(binding,"HTTP-Artifact")) {

			login->protocolProfile = LASSO_LOGIN_PROTOCOL_PROFILE_BRWS_ART;

		} else if (lasso_strisequal(binding,"HTTP-POST")) {

			login->protocolProfile = LASSO_LOGIN_PROTOCOL_PROFILE_BRWS_POST;

		} else if (lasso_strisequal(binding,"HTTP-Redirect")) {

			login->protocolProfile = LASSO_LOGIN_PROTOCOL_PROFILE_REDIRECT;

		} else if (lasso_strisequal(binding,"SOAP")) {

			login->protocolProfile = LASSO_LOGIN_PROTOCOL_PROFILE_BRWS_LECP;

		} else if (lasso_strisequal(binding,"PAOS")) {

			login->protocolProfile = LASSO_LOGIN_PROTOCOL_PROFILE_BRWS_LECP;

		}

		lasso_release_string(binding);

	}

	if (_lasso_login_must_verify_authn_request_signature(profile) && profile->signature_status)

	{

		status1 = LASSO_SAML2_STATUS_CODE_REQUESTER;

		status2 = LASSO_LIB_STATUS_CODE_INVALID_SIGNATURE;

		rc = profile->signature_status;

	} else {

		status1 = LASSO_SAML2_STATUS_CODE_SUCCESS;

		status2 = NULL;

	}

	lasso_saml20_profile_init_response(profile, response,

				status1, status2);

cleanup:

	lasso_release_gobject(request);

	lasso_release_gobject(response);

	return rc;

}

gboolean

lasso_saml20_login_must_authenticate(LassoLogin *login)

{

	LassoSamlp2AuthnRequest *request;

	gboolean matched = TRUE;

	GList *assertions = NULL;

	LassoProfile *profile = &login->parent;

	if (! LASSO_IS_SAMLP2_AUTHN_REQUEST(profile->request))

		return FALSE;

	request = LASSO_SAMLP2_AUTHN_REQUEST(profile->request);

	if (request->ForceAuthn == TRUE && request->IsPassive == FALSE)

		return TRUE;

	if (request->RequestedAuthnContext) {

		char *comparison = request->RequestedAuthnContext->Comparison;

		GList *class_refs = request->RequestedAuthnContext->AuthnContextClassRef;

		char *class_ref;

		GList *t1, *t2;

		int compa = -1;

		if (comparison == NULL || lasso_strisequal(comparison,"exact")) {

			compa = 0;

		} else if (lasso_strisequal(comparison,"minimum")) {

			message(G_LOG_LEVEL_CRITICAL, "'minimum' comparison is not implemented");

			compa = 1;

		} else if (lasso_strisequal(comparison,"better")) {

			message(G_LOG_LEVEL_CRITICAL, "'better' comparison is not implemented");

			compa = 2;

		} else if (lasso_strisequal(comparison,"maximum")) {

			message(G_LOG_LEVEL_CRITICAL, "'maximum' comparison is not implemented");

			compa = 3;

		}

		if (class_refs) {

			matched = FALSE;

		}

		assertions = lasso_session_get_assertions(profile->session, NULL);

		for (t1 = class_refs; t1 && !matched; t1 = g_list_next(t1)) {

			class_ref = t1->data;

			for (t2 = assertions; t2 && !matched; t2 = g_list_next(t2)) {

				LassoSaml2Assertion *assertion;

				LassoSaml2AuthnStatement *as = NULL;

				char *method;

				GList *t3;

				if (LASSO_IS_SAML2_ASSERTION(t2->data) == FALSE) {

					continue;

				}

				assertion = t2->data;

				for (t3 = assertion->AuthnStatement; t3; t3 = g_list_next(t3)) {

					if (LASSO_IS_SAML2_AUTHN_STATEMENT(t3->data)) {

						as = t3->data;

						break;

					}

				}

				if (as == NULL)

					continue;

				if (as->AuthnContext == NULL)

					continue;

				method = as->AuthnContext->AuthnContextClassRef;

				switch (compa) {

				case 1: /* minimum */

					/* XXX: implement 'minimum' comparison */

				case 2: /* better */

					/* XXX: implement 'better' comparison */

				case 3: /* maximum */

					/* XXX: implement 'maximum' comparison */

				case 0: /* exact */

					if (lasso_strisequal(method,class_ref)) {

						matched = TRUE;

					}

					break;

				default: /* never reached */

					break;

				}

				if (matched == TRUE) {

					break;

				}

			}

		}

	} else {

		/* if nothing specific was asked; don't look for any

		 * particular assertions, one is enough

		 */

		matched = (profile->session != NULL && \

				lasso_session_count_assertions(profile->session) > 0);

	}

	if (assertions) {

		lasso_release_list(assertions);

	}

	if (matched == FALSE && request->IsPassive == FALSE)

		return TRUE;

	if (profile->identity == NULL && request->IsPassive) {

		lasso_saml20_profile_set_response_status_responder(LASSO_PROFILE(login),

				LASSO_SAML2_STATUS_CODE_NO_PASSIVE);

		return FALSE;

	}

	return FALSE;

}

static gboolean

lasso_saml20_login_must_ask_for_consent_private(LassoLogin *login)

{

	LassoProfile *profile = LASSO_PROFILE(login);

	LassoSamlp2NameIDPolicy *name_id_policy;

	char *consent;

	LassoFederation *federation;

	const char *name_id_sp_name_qualifier = NULL;

	LassoProvider *remote_provider;

	gboolean rc = TRUE;

	name_id_policy = LASSO_SAMLP2_AUTHN_REQUEST(profile->request)->NameIDPolicy;

	if (name_id_policy) {

		char *format = name_id_policy->Format;

		if (lasso_strisequal(format,LASSO_SAML2_NAME_IDENTIFIER_FORMAT_TRANSIENT)) {

			goto_cleanup_with_rc (FALSE)

		}

		if (name_id_policy->AllowCreate == FALSE) {

			goto_cleanup_with_rc (FALSE)

		}

	}

	remote_provider = lasso_server_get_provider(profile->server, profile->remote_providerID);

	name_id_sp_name_qualifier = lasso_provider_get_sp_name_qualifier(remote_provider);

	/* if something goes wrong better to ask thant to let go */

	if (name_id_sp_name_qualifier == NULL)

		goto_cleanup_with_rc (TRUE)

	if (profile->identity && profile->identity->federations) {

		federation = g_hash_table_lookup(profile->identity->federations,

				name_id_sp_name_qualifier);

		if (federation) {

			goto_cleanup_with_rc (FALSE)

		}

	}

	consent = LASSO_SAMLP2_REQUEST_ABSTRACT(profile->request)->Consent;

	if (consent == NULL)

		goto_cleanup_with_rc (FALSE)

	if (lasso_strisequal(consent,LASSO_SAML2_CONSENT_OBTAINED))

		goto_cleanup_with_rc (FALSE)

	if (lasso_strisequal(consent,LASSO_SAML2_CONSENT_PRIOR))

		goto_cleanup_with_rc (FALSE)

	if (lasso_strisequal(consent,LASSO_SAML2_CONSENT_IMPLICIT))

		goto_cleanup_with_rc (FALSE)

	if (lasso_strisequal(consent,LASSO_SAML2_CONSENT_EXPLICIT))

		goto_cleanup_with_rc (FALSE)

	if (lasso_strisequal(consent,LASSO_SAML2_CONSENT_UNAVAILABLE))

		goto_cleanup_with_rc (TRUE)

	if (lasso_strisequal(consent,LASSO_SAML2_CONSENT_INAPPLICABLE))

		goto_cleanup_with_rc (TRUE)

cleanup:

	return rc;

}

gboolean

lasso_saml20_login_must_ask_for_consent(LassoLogin *login)

{

	LassoProfile *profile = LASSO_PROFILE(login);

	if (LASSO_SAMLP2_AUTHN_REQUEST(profile->request)->IsPassive)

		return FALSE;

	return lasso_saml20_login_must_ask_for_consent_private(login);

}

int

lasso_saml20_login_validate_request_msg(LassoLogin *login, gboolean authentication_result,

		gboolean is_consent_obtained)

{

	LassoProfile *profile;

	int rc = 0;

	profile = LASSO_PROFILE(login);

	if (authentication_result == FALSE) {

		lasso_saml20_profile_set_response_status_responder(profile,

				LASSO_SAML2_STATUS_CODE_REQUEST_DENIED);

		goto_cleanup_with_rc(LASSO_LOGIN_ERROR_REQUEST_DENIED);

	}

	if (_lasso_login_must_verify_authn_request_signature(profile) && profile->signature_status)

	{

		lasso_saml20_profile_set_response_status_requester(profile,

					LASSO_LIB_STATUS_CODE_INVALID_SIGNATURE);

		if (profile->signature_status == LASSO_DS_ERROR_SIGNATURE_NOT_FOUND) {

			goto_cleanup_with_rc(LASSO_LOGIN_ERROR_UNSIGNED_AUTHN_REQUEST);

		}

		goto_cleanup_with_rc(LASSO_LOGIN_ERROR_INVALID_SIGNATURE);

	}

	rc = lasso_saml20_login_process_federation(login, is_consent_obtained);

	if (rc == LASSO_LOGIN_ERROR_FEDERATION_NOT_FOUND) {

		lasso_saml20_profile_set_response_status_requester(profile,

			LASSO_LIB_STATUS_CODE_FEDERATION_DOES_NOT_EXIST);

		goto cleanup;

	}

	/* UNKNOWN_PROVIDER, CONSENT_NOT_OBTAINED */

	if (rc) {

		lasso_saml20_profile_set_response_status_responder(profile,

			LASSO_SAML2_STATUS_CODE_REQUEST_DENIED);

		goto cleanup;

	}

	lasso_saml20_profile_set_response_status_success(profile, NULL);

cleanup:

	return rc;

}

static int

lasso_saml20_login_process_federation(LassoLogin *login, gboolean is_consent_obtained)

{

	LassoProfile *profile = LASSO_PROFILE(login);

	LassoSamlp2NameIDPolicy *name_id_policy;

	char *name_id_policy_format = NULL;

	LassoFederation *federation;

	const char *name_id_sp_name_qualifier = NULL;

	LassoProvider *remote_provider;

	int rc = 0;

	/* verify if identity already exists else create it */

	if (profile->identity == NULL) {

		profile->identity = lasso_identity_new();

	}

	remote_provider = lasso_server_get_provider(profile->server, profile->remote_providerID);

	if (! LASSO_IS_PROVIDER(remote_provider)) {

		goto_cleanup_with_rc (LASSO_PROFILE_ERROR_UNKNOWN_PROVIDER);

	}

	if (! LASSO_IS_SAMLP2_AUTHN_REQUEST(profile->request)) {

		goto_cleanup_with_rc(critical_error(LASSO_PROFILE_ERROR_INVALID_REQUEST));

	}

	name_id_policy = ((LassoSamlp2AuthnRequest*)profile->request)->NameIDPolicy;

	if (name_id_policy) {

		name_id_policy_format = name_id_policy->Format;

	}

	if (! name_id_policy_format) {

		name_id_policy_format = lasso_provider_get_default_name_id_format(remote_provider);

	}

	lasso_assign_string(login->nameIDPolicy, name_id_policy_format);

	if (lasso_saml20_login_must_ask_for_consent_private(login) && !is_consent_obtained) {

		goto_cleanup_with_rc (LASSO_LOGIN_ERROR_CONSENT_NOT_OBTAINED)

	}

	if (lasso_strisnotequal(name_id_policy_format,LASSO_SAML2_NAME_IDENTIFIER_FORMAT_PERSISTENT)) {

		/* non persistent case, TRANSIENT is handled by lasso_login_build_assertion() and

		 * other format are the sole responsibility of the caller */

		goto_cleanup_with_rc (0)

	}

	/* PERSISTENT case, try to federation or find an existing federation */

	name_id_sp_name_qualifier = lasso_provider_get_sp_name_qualifier(remote_provider);

	if (name_id_sp_name_qualifier == NULL) {

		goto_cleanup_with_rc (LASSO_PROFILE_ERROR_UNKNOWN_PROVIDER);

	}

	/* search a federation in the identity */

	federation = lasso_identity_get_federation(profile->identity, name_id_sp_name_qualifier);

	if (! federation && ( ! name_id_policy || name_id_policy->AllowCreate == FALSE)) {

		goto_cleanup_with_rc (LASSO_LOGIN_ERROR_FEDERATION_NOT_FOUND)

	}

	if (! federation && name_id_policy && name_id_policy->AllowCreate) {

		federation = lasso_federation_new(name_id_sp_name_qualifier);

		lasso_saml20_federation_build_local_name_identifier(federation,

				LASSO_PROVIDER(profile->server)->ProviderID,

				LASSO_SAML2_NAME_IDENTIFIER_FORMAT_PERSISTENT,

				NULL);

		lasso_assign_string(LASSO_SAML2_NAME_ID(federation->local_nameIdentifier)->SPNameQualifier,

				name_id_sp_name_qualifier);

		lasso_identity_add_federation(profile->identity, federation);

	}

	lasso_assign_gobject(profile->nameIdentifier, federation->local_nameIdentifier);

cleanup:

	return rc;

}

static LassoFederation*

_lasso_login_saml20_get_federation(LassoLogin *login) {

	LassoFederation *federation = NULL;

	const char *name_id_sp_name_qualifier = NULL;

	name_id_sp_name_qualifier = lasso_provider_get_sp_name_qualifier(

			lasso_server_get_provider(login->parent.server, login->parent.remote_providerID));

	federation = lasso_identity_get_federation(login->parent.identity, name_id_sp_name_qualifier);

	return federation;

}

int

lasso_saml20_login_build_assertion(LassoLogin *login,

		const char *authenticationMethod,

		const char *authenticationInstant,

		const char *notBefore,

		const char *notOnOrAfter)

{

	LassoProfile *profile = &login->parent;

	LassoSaml2Assertion *assertion = NULL;

	LassoSaml2AudienceRestriction *audience_restriction = NULL;

	LassoSamlp2NameIDPolicy *name_id_policy = NULL;

	LassoSaml2NameID *name_id = NULL;

	LassoSaml2AuthnStatement *authentication_statement;

	LassoProvider *provider = NULL;

	LassoSamlp2Response *response = NULL;

	LassoSamlp2RequestAbstract *request_abstract = NULL;

	LassoSamlp2AuthnRequest *authn_request = NULL;

	gboolean do_encrypt_nameid = FALSE;

	gboolean do_encrypt_assertion = FALSE;

	int rc = 0;

	provider = lasso_server_get_provider(profile->server, profile->remote_providerID);

	if (provider) {

		do_encrypt_nameid = lasso_provider_get_encryption_mode(provider) &

			LASSO_ENCRYPTION_MODE_NAMEID;

		do_encrypt_assertion = lasso_provider_get_encryption_mode(provider) &

			LASSO_ENCRYPTION_MODE_ASSERTION;

	}

	if (LASSO_IS_SAMLP2_AUTHN_REQUEST(profile->request)) {

		authn_request = (LassoSamlp2AuthnRequest*)profile->request;

		request_abstract = &authn_request->parent;

	}

	goto_cleanup_if_fail_with_rc(LASSO_IS_SAMLP2_RESPONSE(profile->response),

			LASSO_PROFILE_ERROR_MISSING_RESPONSE);

	assertion = LASSO_SAML2_ASSERTION(lasso_saml2_assertion_new());

	assertion->ID = lasso_build_unique_id(32);

	lasso_assign_string(assertion->Version, "2.0");

	assertion->IssueInstant = lasso_get_current_time();

	assertion->Issuer = LASSO_SAML2_NAME_ID(lasso_saml2_name_id_new_with_string(

			LASSO_PROVIDER(profile->server)->ProviderID));

	assertion->Conditions = LASSO_SAML2_CONDITIONS(lasso_saml2_conditions_new());

	lasso_assign_string(assertion->Conditions->NotBefore, notBefore);

	lasso_assign_string(assertion->Conditions->NotOnOrAfter, notOnOrAfter);

	audience_restriction = LASSO_SAML2_AUDIENCE_RESTRICTION(

			lasso_saml2_audience_restriction_new());

	lasso_assign_string(audience_restriction->Audience, profile->remote_providerID);

	lasso_list_add_new_gobject(assertion->Conditions->AudienceRestriction, audience_restriction);

	assertion->Subject = LASSO_SAML2_SUBJECT(lasso_saml2_subject_new());

	assertion->Subject->SubjectConfirmation = LASSO_SAML2_SUBJECT_CONFIRMATION(

			lasso_saml2_subject_confirmation_new());

	assertion->Subject->SubjectConfirmation->Method = g_strdup(

			LASSO_SAML2_CONFIRMATION_METHOD_BEARER);

	assertion->Subject->SubjectConfirmation->SubjectConfirmationData =

		LASSO_SAML2_SUBJECT_CONFIRMATION_DATA(

			lasso_saml2_subject_confirmation_data_new());

	lasso_assign_string(

		assertion->Subject->SubjectConfirmation->SubjectConfirmationData->NotOnOrAfter,

		notOnOrAfter);

	/* If request is present, refer to it in the response */

	if (authn_request) {

		if (request_abstract->ID) {

			lasso_assign_string(assertion->Subject->SubjectConfirmation->SubjectConfirmationData->InResponseTo,

					request_abstract->ID);

			/*

			 * It MUST NOT contain a NotBefore attribute. If

			 * the containing message is in response to an <AuthnRequest>,

			 * then the InResponseTo attribute MUST match the request's ID.

			 */

			lasso_release_string(assertion->Subject->SubjectConfirmation->SubjectConfirmationData->NotBefore);

		}

		name_id_policy = authn_request->NameIDPolicy;

	}

	/* TRANSIENT */

	if (!name_id_policy || name_id_policy->Format == NULL ||

			lasso_strisequal(name_id_policy->Format,LASSO_SAML2_NAME_IDENTIFIER_FORMAT_UNSPECIFIED) ||

			lasso_strisequal(name_id_policy->Format,LASSO_SAML2_NAME_IDENTIFIER_FORMAT_TRANSIENT)) {

		char *id = lasso_build_unique_id(32);

		name_id = (LassoSaml2NameID*)lasso_saml2_name_id_new_with_string(id);

		lasso_release_string(id);

		lasso_assign_string(name_id->NameQualifier,

				lasso_provider_get_sp_name_qualifier(&profile->server->parent));

		lasso_assign_string(name_id->Format, LASSO_SAML2_NAME_IDENTIFIER_FORMAT_TRANSIENT);

		assertion->Subject->NameID = name_id;

	/* FEDERATED */

	} else if (lasso_strisequal(name_id_policy->Format,

				LASSO_SAML2_NAME_IDENTIFIER_FORMAT_PERSISTENT) ||

			lasso_strisequal(name_id_policy->Format,

				LASSO_SAML2_NAME_IDENTIFIER_FORMAT_ENCRYPTED))

		{

		LassoFederation *federation;

		federation = _lasso_login_saml20_get_federation(login);

		goto_cleanup_if_fail_with_rc(federation != NULL,

				LASSO_PROFILE_ERROR_FEDERATION_NOT_FOUND);

		if (lasso_strisequal(name_id_policy->Format,LASSO_SAML2_NAME_IDENTIFIER_FORMAT_ENCRYPTED)) {

			do_encrypt_nameid = TRUE;

		}

		lasso_assign_gobject(assertion->Subject->NameID,

				federation->local_nameIdentifier);

	/* ALL OTHER KIND OF NAME ID FORMATS */

	} else {

		/* caller must set the name identifier content afterwards */

		name_id = LASSO_SAML2_NAME_ID(lasso_saml2_name_id_new());

		lasso_assign_string(name_id->NameQualifier,

				LASSO_PROVIDER(profile->server)->ProviderID);

		lasso_assign_string(name_id->Format, name_id_policy->Format);

		assertion->Subject->NameID = name_id;

		if (do_encrypt_nameid) {

			message(G_LOG_LEVEL_WARNING, "NameID encryption is currently not "

					"supported with non transient or persisent NameID format");

			do_encrypt_nameid = FALSE;

		}

	}

	authentication_statement = LASSO_SAML2_AUTHN_STATEMENT(lasso_saml2_authn_statement_new());

	authentication_statement->AuthnInstant = g_strdup(authenticationInstant);

	authentication_statement->AuthnContext = LASSO_SAML2_AUTHN_CONTEXT(

			lasso_saml2_authn_context_new());

	authentication_statement->AuthnContext->AuthnContextClassRef = g_strdup(

			authenticationMethod);

	/* if remote provider supports logout profile, add a session index == ID of the assertion */

	if (lasso_provider_get_first_http_method(&login->parent.server->parent,

				provider, LASSO_MD_PROTOCOL_TYPE_SINGLE_LOGOUT) != LASSO_HTTP_METHOD_NONE) {

		lasso_assign_string(authentication_statement->SessionIndex, assertion->ID);

	}

	lasso_list_add_new_gobject(assertion->AuthnStatement, authentication_statement);