From: Katy Feng Date: Tue, 22 Aug 2023 22:37:45 +0000 (-0700) Subject: Enable hostVerfied SAML token feature in Tools. X-Git-Tag: stable-12.3.0~20 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f584dca10f4cc7e0a0733ac5dc8844aac65af7ae;p=thirdparty%2Fopen-vm-tools.git Enable hostVerfied SAML token feature in Tools. --- diff --git a/open-vm-tools/configure.ac b/open-vm-tools/configure.ac index cd8526d7c..d45fabfa8 100644 --- a/open-vm-tools/configure.ac +++ b/open-vm-tools/configure.ac @@ -1944,6 +1944,11 @@ AC_CONFIG_FILES([ \ +AM_CONDITIONAL([VMTOOLS_FS_VGAUTH_HOST_VERIFICATION],[true]) +if test "$enable_vgauth" = "yes"; then + echo "Enabling vgauth host verification" + CPPFLAGS="$CPPFLAGS -DVMTOOLS_FS_VGAUTH_HOST_VERIFICATION" +fi ### diff --git a/open-vm-tools/services/plugins/vix/vixPlugin.c b/open-vm-tools/services/plugins/vix/vixPlugin.c index 1a28b955a..186a30c2a 100644 --- a/open-vm-tools/services/plugins/vix/vixPlugin.c +++ b/open-vm-tools/services/plugins/vix/vixPlugin.c @@ -75,6 +75,29 @@ VixShutdown(gpointer src, } +/** + * Sends vix capabilites. + * + * @param[in] src The source object. + * @param[in] ctx Unused. + * @param[in] set Whether capabilities are being set. + * @param[in] data Unused. + * + * @return List of capabilities. + */ + +static GArray * +VixCapabilitiesCb(gpointer src, + ToolsAppCtx *ctx, + gboolean set, + gpointer data) +{ + const ToolsAppCapability caps[] = { + { TOOLS_CAP_NEW, NULL, CAP_HOST_VERIFIED_SAML_TOKEN, 1}, + }; + + return VMTools_WrapArray(caps, sizeof *caps, ARRAYSIZE(caps)); +} /** @@ -106,6 +129,7 @@ ToolsOnLoad(ToolsAppCtx *ctx) }; ToolsPluginSignalCb sigs[] = { { TOOLS_CORE_SIG_SHUTDOWN, VixShutdown, ®Data }, + { TOOLS_CORE_SIG_CAPABILITIES, VixCapabilitiesCb, NULL } }; ToolsAppReg regs[] = { { TOOLS_APP_GUESTRPC, VMTools_WrapArray(rpcs, sizeof *rpcs, ARRAYSIZE(rpcs)) }, 
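Review bot: `AM_CONDITIONAL([VMTOOLS_FS_VGAUTH_HOST_VERIFICATION],[true])` is unconditionally true while the matching `-DVMTOOLS_FS_VGAUTH_HOST_VERIFICATION` is only appended when `$enable_vgauth` is yes, so the Automake conditional and the preprocessor define disagree for builds without vgauth. Tying both to the same test keeps them in step: `AM_CONDITIONAL([VMTOOLS_FS_VGAUTH_HOST_VERIFICATION],[test "$enable_vgauth" = "yes"])`. The bare `echo` would conventionally be `AC_MSG_NOTICE([Enabling vgauth host verification])`. None of the C hunks on this page test either symbol, so it is unclear what the define gates; if nothing consumes it, it can be dropped.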
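Review bot: VixCapabilitiesCb advertises `CAP_HOST_VERIFIED_SAML_TOKEN` unconditionally, but the consumer in vixTools.c only honours `VIX_USER_CREDENTIAL_SAML_BEARER_TOKEN_HOST_VERIFIED` under `#if SUPPORT_VGAUTH` and when `GuestAuthEnabled()` is true, so a guest built or configured without VGAuth still announces a capability whose requests end in `VIX_E_NOT_SUPPORTED`. Consider compiling the `caps` entry out under the same `SUPPORT_VGAUTH` guard, assuming that macro is visible to vixPlugin.c, or returning an empty array when guest authentication is disabled. Minor: the header comment misspells "capabilities" (`capabilites`), and `set` is unused as well as `ctx` and `data`, so the `@param` list should say so.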
diff --git a/open-vm-tools/services/plugins/vix/vixTools.c b/open-vm-tools/services/plugins/vix/vixTools.c index cddca4aee..8f231acc6 100644 --- a/open-vm-tools/services/plugins/vix/vixTools.c +++ b/open-vm-tools/services/plugins/vix/vixTools.c @@ -724,6 +724,7 @@ VixError GuestAuthPasswordAuthenticateImpersonate( VixError GuestAuthSAMLAuthenticateAndImpersonate( char const *obfuscatedNamePassword, Bool loadUserProfile, + Bool hostVerified, void **userToken); void GuestAuthUnimpersonate(); @@ -8043,6 +8044,7 @@ VixToolsImpersonateUser(VixCommandRequestHeader *requestMsg, // IN } #if SUPPORT_VGAUTH case VIX_USER_CREDENTIAL_SAML_BEARER_TOKEN: + case VIX_USER_CREDENTIAL_SAML_BEARER_TOKEN_HOST_VERIFIED: { VixCommandSAMLToken *samlStruct = (VixCommandSAMLToken *) credentialField; @@ -8238,10 +8240,15 @@ VixToolsImpersonateUserImplEx(char const *credentialTypeStr, // IN #if SUPPORT_VGAUTH else if ((VIX_USER_CREDENTIAL_SAML_BEARER_TOKEN == credentialType) + || (VIX_USER_CREDENTIAL_SAML_BEARER_TOKEN_HOST_VERIFIED == credentialType) ) { if (GuestAuthEnabled()) { + Bool hostVerified = + (credentialType == VIX_USER_CREDENTIAL_SAML_BEARER_TOKEN_HOST_VERIFIED) + ? TRUE : FALSE; err = GuestAuthSAMLAuthenticateAndImpersonate(obfuscatedNamePassword, loadUserProfile, + hostVerified, userToken); } else { err = VIX_E_NOT_SUPPORTED; @@ -11861,6 +11868,7 @@ VixError GuestAuthSAMLAuthenticateAndImpersonate( char const *obfuscatedNamePassword, // IN Bool loadUserProfile, // IN + Bool hostVerified, // IN void **userToken) // OUT { #if SUPPORT_VGAUTH @@ -11871,6 +11879,7 @@ GuestAuthSAMLAuthenticateAndImpersonate( VGAuthError vgErr; VGAuthUserHandle *newHandle = NULL; VGAuthExtraParams extraParams[1]; + VGAuthExtraParams hostVerfiedParams[1]; Bool impersonated = FALSE; extraParams[0].name = VGAUTH_PARAM_LOAD_USER_PROFILE; 
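Review bot: The new local in the `@@ -11871` hunk is misspelled `hostVerfiedParams` (and at each of its uses in the following hunk), which copy-paste will propagate if left; `VGAuthExtraParams hostVerifiedParams[1];` reads consistently with the `hostVerified` parameter declared beside it. In the `@@ -8238` hunk the ternary is redundant for a `Bool`: `Bool hostVerified = (credentialType == VIX_USER_CREDENTIAL_SAML_BEARER_TOKEN_HOST_VERIFIED);`. GuestAuthSAMLAuthenticateAndImpersonate's body continues past the end of the hunk.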
@@ -11892,10 +11901,14 @@ GuestAuthSAMLAuthenticateAndImpersonate( goto done; } + hostVerfiedParams[0].name = VGAUTH_PARAM_SAML_HOST_VERIFIED; + hostVerfiedParams[0].value = hostVerified ? VGAUTH_PARAM_VALUE_TRUE : + VGAUTH_PARAM_VALUE_FALSE; vgErr = VGAuth_ValidateSamlBearerToken(ctx, token, username, - 0, NULL, + (int)ARRAYSIZE(hostVerfiedParams), + hostVerfiedParams, &newHandle); #if ALLOW_LOCAL_SYSTEM_IMPERSONATION_BYPASS /* diff --git a/open-vm-tools/vgauth/common/VGAuthProto.h b/open-vm-tools/vgauth/common/VGAuthProto.h index 913116e08..f7bcae12f 100644 --- a/open-vm-tools/vgauth/common/VGAuthProto.h +++ b/open-vm-tools/vgauth/common/VGAuthProto.h @@ -109,6 +109,7 @@ #define VGAUTH_COMMENT_ELEMENT_NAME "comment" #define VGAUTH_ALIAS_ELEMENT_NAME "alias" #define VGAUTH_VALIDATE_ONLY_ELEMENT_NAME "validateOnly" +#define VGAUTH_HOST_VERIFIED_ELEMENT_NAME "hostVerified" /* * Complex types @@ -605,10 +606,14 @@ * SAML token, and does not create an access token on Windows. This * flag is ignored on *ix. * + * If hostVerified is set, then the service will skip the signature + * check in the SAML token. + * * Request: * SAML token * user * validateOnly (bool) + * hostVerified (bool) * => * user * token (empty for non-Windows) @@ -624,6 +629,7 @@ "<"VGAUTH_SAMLTOKEN_ELEMENT_NAME">%s" \ "<"VGAUTH_USERNAME_ELEMENT_NAME">%s" \ "<"VGAUTH_VALIDATE_ONLY_ELEMENT_NAME">%s" \ + "<"VGAUTH_HOST_VERIFIED_ELEMENT_NAME">%s" \ VGAUTH_REQUEST_FORMAT_END diff --git a/open-vm-tools/vgauth/lib/VGAuthInt.h b/open-vm-tools/vgauth/lib/VGAuthInt.h index e41707bd2..49efa85f0 100644 --- a/open-vm-tools/vgauth/lib/VGAuthInt.h +++ b/open-vm-tools/vgauth/lib/VGAuthInt.h @@ -246,6 +246,7 @@ VGAuthError VGAuth_SendQueryMappedAliasesRequest(VGAuthContext *ctx, /* clang-format off */ VGAuthError VGAuth_SendValidateSamlBearerTokenRequest(VGAuthContext *ctx, gboolean validateOnly, + gboolean hostVerified, const char *samlToken, const char *userName, VGAuthUserHandle **userHandle); 
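Review bot: The request-format hunk in VGAuthProto.h (`@@ -624`) adds `<hostVerified>` to every request the library builds, so a library carrying this change always sends the element even when its value is 0; whether a service without this change tolerates an unknown element is not visible here, but if it does not, mixed-version guests lose SAML authentication entirely rather than just the new mode. Worth confirming against the service parser, or emitting the element only when the flag is set. The comment above it would also be clearer if it stated the trust assumption behind the skip, e.g. `* hostVerified (bool) -- set only for tokens the host already verified; service policy decides whether to honour it`.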
diff --git a/open-vm-tools/vgauth/lib/auth.c b/open-vm-tools/vgauth/lib/auth.c index 9db6c8e20..fd4a78539 100644 --- a/open-vm-tools/vgauth/lib/auth.c +++ b/open-vm-tools/vgauth/lib/auth.c @@ -416,6 +416,11 @@ VGAuth_ValidateSSPIResponse(VGAuthContext *ctx, * @a handle cannot be used for impersonation or ticket * creation. * + * VGAUTH_PARAM_SAML_HOST_VERIFIED, which must have the value + * VGAUTH_PARAM_VALUE_TRUE or VGAUTH_PARAM_VALUE_FALSE. + * If set, the SAML token has been verified by the host + * and this service will skip that step when validating. + * * @param[in] ctx The VGAuthContext. * @param[in] samlToken The SAML token to be validated. * @param[in] userName The user to authenticate as. Optional. @@ -453,6 +458,7 @@ VGAuth_ValidateSamlBearerToken(VGAuthContext *ctx, VGAuthError err; VGAuthUserHandle *newHandle = NULL; gboolean validateOnly; + gboolean hostVerified; /* * arg check @@ -491,9 +497,17 @@ VGAuth_ValidateSamlBearerToken(VGAuthContext *ctx, if (VGAUTH_E_OK != err) { return err; } + err = VGAuthGetBoolExtraParam(numExtraParams, extraParams, + VGAUTH_PARAM_SAML_HOST_VERIFIED, + FALSE, + &hostVerified); + if (VGAUTH_E_OK != err) { + return err; + } err = VGAuth_SendValidateSamlBearerTokenRequest(ctx, validateOnly, + hostVerified, samlToken, userName, &newHandle); diff --git a/open-vm-tools/vgauth/lib/proto.c b/open-vm-tools/vgauth/lib/proto.c index f7fe05fcf..fe60f959a 100644 --- a/open-vm-tools/vgauth/lib/proto.c +++ b/open-vm-tools/vgauth/lib/proto.c @@ -2066,6 +2066,7 @@ done: VGAuthError VGAuth_SendValidateSamlBearerTokenRequest(VGAuthContext *ctx, gboolean validateOnly, + gboolean hostVerified, const char *samlToken, const char *userName, VGAuthUserHandle **userHandle) 
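Review bot: The new paragraph in the `VGAuth_ValidateSamlBearerToken` header comment (`@@ -416` hunk in auth.c) presents `VGAUTH_PARAM_SAML_HOST_VERIFIED` as a caller-controlled switch ("this service will skip that step") without stating the precondition that the token was verified by the hypervisor and delivered over a trusted path; since this is the public library API, the comment should say the flag is only meaningful for that path and that honouring it is service policy. A sentence such as `* Only set this for tokens the host has already verified; whether the service honours it is service policy.` makes the contract explicit. The parsing itself mirrors `validateOnly` and looks fine.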
@@ -2097,7 +2098,8 @@ VGAuth_SendValidateSamlBearerTokenRequest(VGAuthContext *ctx, ctx->comm.sequenceNumber, samlToken, userName ? userName : "", - validateOnly ? "1" : "0"); + validateOnly ? "1" : "0", + hostVerified ? "1" : "0"); err = VGAuth_CommSendData(ctx, packet); if (VGAUTH_E_OK != err) { diff --git a/open-vm-tools/vgauth/public/VGAuthAuthentication.h b/open-vm-tools/vgauth/public/VGAuthAuthentication.h index df6daf71f..0d6565af1 100644 --- a/open-vm-tools/vgauth/public/VGAuthAuthentication.h +++ b/open-vm-tools/vgauth/public/VGAuthAuthentication.h @@ -198,6 +198,7 @@ VGAuthError VGAuth_ValidateSSPIResponse(VGAuthContext *ctx, #define VGAUTH_PARAM_VALIDATE_INFO_ONLY "validateInfoOnly" +# define VGAUTH_PARAM_SAML_HOST_VERIFIED "hostVerified" VGAuthError VGAuth_ValidateSamlBearerToken(VGAuthContext *ctx, const char *samlToken, diff --git a/open-vm-tools/vgauth/serviceImpl/proto.c b/open-vm-tools/vgauth/serviceImpl/proto.c index 503c15dfa..1608c6ab6 100644 --- a/open-vm-tools/vgauth/serviceImpl/proto.c +++ b/open-vm-tools/vgauth/serviceImpl/proto.c @@ -80,6 +80,7 @@ typedef enum { PARSE_STATE_USERHANDLESAMLINFO, PARSE_STATE_USERHANDLESAMLSUBJECT, PARSE_STATE_SAML_VALIDATE_ONLY, + PARSE_STATE_SAML_HOST_VERIFIED, } ProtoParseState; /* @@ -146,6 +147,7 @@ struct ProtoRequest { gchar *samlToken; gchar *userName; gboolean validateOnly; + gboolean hostVerified; } validateSamlBToken; } reqData; @@ -310,6 +312,8 @@ Proto_DumpRequest(ProtoRequest *req) Log("username '%s'\n", req->reqData.validateSamlBToken.userName); Log("validate Only '%s'\n", req->reqData.validateSamlBToken.validateOnly ? "TRUE" : "FALSE"); + Log("hostVerified '%s'\n", + req->reqData.validateSamlBToken.hostVerified ? "TRUE" : "FALSE"); break; default: Warning("Unknown request type -- no request specific data\n"); 
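Review bot: The new public macro in VGAuthAuthentication.h is written `# define VGAUTH_PARAM_SAML_HOST_VERIFIED "hostVerified"` with a space after `#`, unlike the `#define VGAUTH_PARAM_VALIDATE_INFO_ONLY` line directly above it; `#define VGAUTH_PARAM_SAML_HOST_VERIFIED "hostVerified"` matches the file. Since this is the public header, a one-line comment above it saying that it asks the service to skip SAML signature verification and is subject to the service's own policy would save callers a trip to auth.c.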
@@ -436,6 +440,8 @@ Proto_StartElement(GMarkupParseContext *parseContext, req->parseState = PARSE_STATE_SAMLTOKEN; } else if (g_strcmp0(elementName, VGAUTH_VALIDATE_ONLY_ELEMENT_NAME) == 0) { req->parseState = PARSE_STATE_SAML_VALIDATE_ONLY; + } else if (g_strcmp0(elementName, VGAUTH_HOST_VERIFIED_ELEMENT_NAME) == 0) { + req->parseState = PARSE_STATE_SAML_HOST_VERIFIED; } else if (g_strcmp0(elementName, VGAUTH_ALIASINFO_ELEMENT_NAME) == 0) { req->parseState = PARSE_STATE_ALIASINFO; } else if (g_strcmp0(elementName, VGAUTH_SUBJECT_ELEMENT_NAME) == 0) { @@ -566,6 +572,7 @@ Proto_EndElement(GMarkupParseContext *parseContext, case PARSE_STATE_TOKEN: case PARSE_STATE_SAMLTOKEN: case PARSE_STATE_SAML_VALIDATE_ONLY: + case PARSE_STATE_SAML_HOST_VERIFIED: case PARSE_STATE_USERHANDLEINFO: req->parseState = PARSE_STATE_REQUEST; break; @@ -875,6 +882,17 @@ Proto_TextContents(GMarkupParseContext *parseContext, iVal = atoi(val); req->reqData.validateSamlBToken.validateOnly = (iVal) ? TRUE : FALSE; break; + case PARSE_STATE_SAML_HOST_VERIFIED: + + if (req->reqType != PROTO_REQUEST_VALIDATE_SAML_BEARER_TOKEN) { + g_set_error(error, G_MARKUP_ERROR_PARSE, VGAUTH_E_INVALID_ARGUMENT, + "Found hostVerified option in req type %d", + req->reqType); + goto done; + } + iVal = atoi(val); + req->reqData.validateSamlBToken.hostVerified = (iVal) ? TRUE : FALSE; + break; case PARSE_STATE_USERHANDLETYPE: { ServiceValidationResultsType t = VALIDATION_RESULTS_TYPE_UNKNOWN; @@ -2123,6 +2141,7 @@ ServiceProtoValidateSamlBearerToken(ServiceConnection *conn, */ err = SAML_VerifyBearerTokenAndChain(req->reqData.validateSamlBToken.samlToken, req->reqData.validateSamlBToken.userName, + req->reqData.validateSamlBToken.hostVerified, &userName, &subjectName, &ai); diff --git a/open-vm-tools/vgauth/serviceImpl/saml-xml-security-c.cpp b/open-vm-tools/vgauth/serviceImpl/saml-xml-security-c.cpp index 027e0238a..7fca8ba63 100644 --- a/open-vm-tools/vgauth/serviceImpl/saml-xml-security-c.cpp 
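Review bot: `hostVerified` is taken straight from the request body in Proto_TextContents (`atoi(val)` in the `@@ -875` hunk) and handed to `SAML_VerifyBearerTokenAndChain` in `ServiceProtoValidateSamlBearerToken`, and nothing in these hunks ties it to who sent the request, so any client that can reach the service and send this request gets the signature check skipped. The flag should only be honoured when the service can establish that the request comes from the trusted component that received the token from the host; `ServiceProtoValidateSamlBearerToken` already has the `ServiceConnection *conn`, so the peer's identity (or a service-side configuration switch defaulting to off) is the natural place to gate it, and a request that sets the flag without that entitlement should be rejected and logged rather than honoured. The same unconditional skip is what `SAMLCheckSignature` in saml-xml-security-c.cpp and `VerifySignature` in saml-xmlsec1.c implement further down, so the gate belongs here, before either backend is reached.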
+++ b/open-vm-tools/vgauth/serviceImpl/saml-xml-security-c.cpp @@ -209,6 +209,7 @@ static bool SAMLCheckTimeAttr(const DOMElement *elem, const char *attrName, static bool SAMLCheckAudience(const XMLCh *audience); static bool SAMLCheckSignature(DOMDocument *doc, + gboolean hostVerified, vector &certs); static bool SAMLCheckReference(const DOMDocument *doc, DSIGSignature *sig); @@ -464,6 +465,7 @@ SAML_VerifyBearerToken(const char *xmlText, SAMLTokenData token; err = SAMLVerifyAssertion(xmlText, + FALSE, // use original mode token, certs); if (VGAUTH_E_OK != err) { return err; @@ -500,6 +502,7 @@ SAML_VerifyBearerToken(const char *xmlText, * * @param[in] xmlText The text of the SAML assertion. * @param[in] userName Optional username to authenticate as. + * @param[in] hostVerified If true, skip signature verification. * @param[out] userNameOut The user that the token has authenticated as. * @param[out] subjNameOut The subject in the token. * @param[out] verifySi The subjectInfo associated with the entry @@ -514,6 +517,7 @@ SAML_VerifyBearerToken(const char *xmlText, VGAuthError SAML_VerifyBearerTokenAndChain(const char *xmlText, const char *userName, + gboolean hostVerified, char **userNameOut, char **subjNameOut, ServiceAliasInfo **verifyAi) @@ -531,6 +535,7 @@ SAML_VerifyBearerTokenAndChain(const char *xmlText, int i; err = SAMLVerifyAssertion(xmlText, + hostVerified, token, certs); if (VGAUTH_E_OK != err) { return err; @@ -597,6 +602,7 @@ SAML_VerifyBearerTokenAndChain(const char *xmlText, * certs. * * @param[in] xmlText + * @param[in] hostVerified If true, skip signature verification. * @param[out] token The interesting bits extracted from the xmlText. * @param[out] certs If the SAML assertion is verified, then this will * contain the certificate chain for the issuer. @@ -611,6 +617,7 @@ SAML_VerifyBearerTokenAndChain(const char *xmlText, VGAuthError SAMLVerifyAssertion(const char *xmlText, + gboolean hostVerified, SAMLTokenData &token, vector &certs) { 
@@ -659,6 +666,7 @@ SAMLVerifyAssertion(const char *xmlText, } if (!SAMLCheckSignature(doc, + hostVerified, certs)) { return VGAUTH_E_AUTHENTICATION_DENIED; } @@ -1058,6 +1066,7 @@ SAMLCheckAudience(const XMLCh *audience) * from that, then checks that the signature is valid. * * @param[in] doc The document of which to check the signature. + * @param[in] hostVerified If true, skip signature verification. * @param[out] certs The base64 encoded certificates present in the * signature. * @@ -1068,6 +1077,7 @@ SAMLCheckAudience(const XMLCh *audience) static bool SAMLCheckSignature(DOMDocument *doc, + gboolean hostVerified, vector &certs) { DOMElement *sigElem = SAMLFindChildByName(doc->getDocumentElement(), @@ -1091,6 +1101,9 @@ SAMLCheckSignature(DOMDocument *doc, __FUNCTION__); return false; } + if (hostVerified) { + Debug("hostVerified is set, skipping signtaure check"); + } else { const XSECCryptoX509 *x509 = keyInfo->getCertificateCryptoItem(0); ASSERT(NULL != x509); @@ -1111,6 +1124,7 @@ SAMLCheckSignature(DOMDocument *doc, return false; } + } for (int i = 0; i < keyInfo->getCertificateListSize(); i++) { const XSECCryptoX509 *cert = keyInfo->getCertificateCryptoItem(i); certs.push_back(string(cert->getDEREncodingSB().rawCharBuffer())); diff --git a/open-vm-tools/vgauth/serviceImpl/saml-xmlsec1.c b/open-vm-tools/vgauth/serviceImpl/saml-xmlsec1.c index d156de211..72f1a495e 100644 --- a/open-vm-tools/vgauth/serviceImpl/saml-xmlsec1.c +++ b/open-vm-tools/vgauth/serviceImpl/saml-xmlsec1.c @@ -1243,6 +1243,7 @@ done: * Verifies the signature on an XML document. * * @param[in] doc Parsed XML document. + * @param[in] hostVerified If set, signature verifcation can be skipped. * @param[out] numCerts Number of certs in the token. * @param[out] certChain Certs in the token. Caller should g_free() array and * contents. @@ -1254,6 +1255,7 @@ done: static gboolean VerifySignature(xmlDocPtr doc, + gboolean hostVerified, int *numCerts, gchar ***certChain) { 
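Review bot: The skip branch added to `SAMLCheckSignature` logs only at `Debug` level and with a typo (`signtaure`), so a production service keeps no record that a token was accepted without a signature check; an audit-worthy event like this belongs at a level that is on by default, e.g. `Log("%s: hostVerified set, skipping SAML signature check\n", __FUNCTION__);`, assuming that helper is available in this file. The `} else {` / `}` pair is wrapped around the existing block without re-indenting it, which clang-format will fight; re-indent, or invert the condition (`if (!hostVerified) { ... }`) so the diff stays readable. Note also that with the check skipped, `certs` is still filled from the unverified KeyInfo and returned for chain checking, which is only sound if the caller's alias-store check remains mandatory in that mode.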
@@ -1326,6 +1328,12 @@ VerifySignature(xmlDocPtr doc, goto done; } + if (hostVerified) { + // XXX add a check that the sig is replaced with the expected value + g_debug("%s: token is hostVerified, skipping signature check", + __FUNCTION__); + goto verified; + } /* * Create a signature context with the key manager @@ -1389,6 +1397,7 @@ VerifySignature(xmlDocPtr doc, goto done; } +verified: retCode = TRUE; *numCerts = num; *certChain = certList; @@ -1413,10 +1422,12 @@ done: gboolean SAML_VerifySignature(xmlDocPtr doc, + gboolean hostVerified, int *numCerts, gchar ***certChain) { return VerifySignature(doc, + hostVerified, numCerts, certChain); } @@ -1430,6 +1441,7 @@ SAML_VerifySignature(xmlDocPtr doc, * Parses the XML, then verifies Subject, Conditions and Signature. * * @param[in] token Text of SAML token. + * @param[in] hostVerfied If true, the signature check can be skipped. * @param[out] subject Subject of SAML token, Caller must g_free(). * @param[out] numCerts Number of certs in the token. * @param[out] certChain Certs in the token. Caller should g_free() @@ -1442,6 +1454,7 @@ SAML_VerifySignature(xmlDocPtr doc, static gboolean VerifySAMLToken(const gchar *token, + gboolean hostVerified, gchar **subject, int *numCerts, gchar ***certChain) @@ -1499,6 +1512,7 @@ VerifySAMLToken(const gchar *token, #endif bRet = VerifySignature(doc, + hostVerified, numCerts, certChain); if (FALSE == bRet) { g_warning("Failed to verify Signature\n"); 
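Review bot: The `if (hostVerified)` block in `VerifySignature` jumps to `verified:` with `// XXX add a check that the sig is replaced with the expected value` still open, so as committed the flag is an unconditional bypass of the signature check rather than the placeholder check the comment describes; implementing that check before this lands (or refusing `hostVerified` until it exists) removes the window in which a mis-sent flag alone is enough. The skip is reported with `g_debug`, which default logging usually filters; `g_message("%s: token is hostVerified, skipping signature check", __FUNCTION__);` keeps an audit trail. The `verified:` label then stores `*numCerts = num` and `*certChain = certList`, which presumably were populated from the KeyInfo before the new early jump — worth confirming, since `VerifySAMLToken` passes the chain on for the alias-store check.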
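Review bot: The new `@param[in]` line on `VerifySAMLToken` in the `@@ -1430` hunk misspells the parameter as `hostVerfied`, so it no longer matches the `gboolean hostVerified` added to the signature in the next hunk; `* @param[in] hostVerified If true, the signature check can be skipped.` keeps doc tooling and grep in sync.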
@@ -1525,6 +1539,58 @@ done: } +// XXX remove this? hostVerified can be tested just fine with the 'real' +// API, the test-only shortcut may be overkill. Though once this is +// out of dev, we could add the extra param to SAML_VerifyBearerToken() +// and fix all the test calls. + +/* + ****************************************************************************** + * SAML_VerifyBearerTokenEx -- */ /** + * + * Determines whether the SAML bearer token can be used to authenticate. + * A token consists of a single SAML assertion. + * + * This is currently only used from the test code. + * + * @param[in] xmlText The text of the SAML assertion. + * @param[in] userName Optional username to authenticate as. + * @param[in] hostVerified If set, then the signature verification will + * be skipped. + * @param[out] userNameOut The user that the token has authenticated as. + * @param[out] subjNameOut The subject in the token. Caller must g_free(). + * @param[out] verifyAi The alias info associated with the entry + * in the alias store used to verify the + * SAML cert. + * + * @return VGAUTH_E_OK on success, VGAuthError on failure + * + ****************************************************************************** + */ + +VGAuthError +SAML_VerifyBearerTokenEx(const char *xmlText, + const char *userName, // UNUSED + gboolean hostVerified, + char **userNameOut, // UNUSED + char **subjNameOut, + ServiceAliasInfo **verifyAi) // UNUSED +{ + gboolean ret; + gchar **certChain = NULL; + int num = 0; + + ret = VerifySAMLToken(xmlText, + hostVerified, + subjNameOut, + &num, + &certChain); + + // clean up -- this code doesn't look at the chain + FreeCertArray(num, certChain); + + return (ret == TRUE) ? VGAUTH_E_OK : VGAUTH_E_AUTHENTICATION_DENIED; +} /* @@ -1561,6 +1627,7 @@ SAML_VerifyBearerToken(const char *xmlText, int num = 0; ret = VerifySAMLToken(xmlText, + FALSE, // XXX keep original to minimze test changes subjNameOut, &num, &certChain); 
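Review bot: `SAML_VerifyBearerTokenEx` marks `userNameOut` and `verifyAi` as `// UNUSED` but never writes them, while its sibling `SAML_VerifyBearerTokenAndChain` (visible in the next hunk) does `*verifyAi = NULL;` before use; a caller that follows the documented `@param[out]` contract and frees or reads `*verifyAi` will operate on an uninitialized pointer. Either initialise them up front — `if (userNameOut) { *userNameOut = NULL; }` and `if (verifyAi) { *verifyAi = NULL; }` — or change the `@param[out]` lines to say the values are not produced. The `// XXX remove this?` preamble should be resolved before this reaches a tagged release, since serviceInt.h now exports the function as if it were permanent. `ret == TRUE` on a `gboolean` is fragile for non-1 truthy values; `return ret ? VGAUTH_E_OK : VGAUTH_E_AUTHENTICATION_DENIED;` is the safer form.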
@@ -1583,6 +1650,7 @@ SAML_VerifyBearerToken(const char *xmlText, * * @param[in] xmlText The text of the SAML assertion. * @param[in] userName Optional username to authenticate as. + * @param[in] hostVerified If true, skip signature verification. * @param[out] userNameOut The user that the token has authenticated as. * @param[out] subjNameOut The subject in the token. Caller must g_free(). * @param[out] verifyAi The alias info associated with the entry @@ -1597,6 +1665,7 @@ SAML_VerifyBearerToken(const char *xmlText, VGAuthError SAML_VerifyBearerTokenAndChain(const char *xmlText, const char *userName, + gboolean hostVerified, char **userNameOut, char **subjNameOut, ServiceAliasInfo **verifyAi) @@ -1612,6 +1681,7 @@ SAML_VerifyBearerTokenAndChain(const char *xmlText, *verifyAi = NULL; bRet = VerifySAMLToken(xmlText, + hostVerified, subjNameOut, &num, &certChain); diff --git a/open-vm-tools/vgauth/serviceImpl/samlInt.hpp b/open-vm-tools/vgauth/serviceImpl/samlInt.hpp index 846d23309..19f26f374 100644 --- a/open-vm-tools/vgauth/serviceImpl/samlInt.hpp +++ b/open-vm-tools/vgauth/serviceImpl/samlInt.hpp @@ -136,6 +136,7 @@ struct SAMLTokenData { auto_ptr SAMLCreateAndPopulateGrammarPool(); VGAuthError SAMLVerifyAssertion(const char *xmlText, + gboolean hostVerified, SAMLTokenData &token, vector &certs); #endif // ifndef _SAMLINT_H_ diff --git a/open-vm-tools/vgauth/serviceImpl/serviceInt.h b/open-vm-tools/vgauth/serviceImpl/serviceInt.h index 48773ea44..5f420192b 100644 --- a/open-vm-tools/vgauth/serviceImpl/serviceInt.h +++ b/open-vm-tools/vgauth/serviceImpl/serviceInt.h 
@@ -481,6 +481,12 @@ gchar *ServiceDecodeUserName(const char *userName); VGAuthError SAML_Init(void); /* clang-format off */ +VGAuthError SAML_VerifyBearerTokenEx(const char *xmlText, + const char *userName, + gboolean hostVerified, + char **userNameOut, + char **subjectNameOut, + ServiceAliasInfo **verifyAi); VGAuthError SAML_VerifyBearerToken(const char *xmlText, const char *userName, char **userNameOut, @@ -488,6 +494,7 @@ VGAuthError SAML_VerifyBearerToken(const char *xmlText, ServiceAliasInfo **verifyAi); VGAuthError SAML_VerifyBearerTokenAndChain(const char *xmlText, const char *userName, + gboolean hostVerified, char **userNameOut, char **subjectNameOut, ServiceAliasInfo **verifyAi);
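Review bot: serviceInt.h now declares `SAML_VerifyBearerTokenEx` for both SAML backends, but on this page only saml-xmlsec1.c defines it and the saml-xml-security-c.cpp hunks add no such function, so a build using that backend that links anything calling it (the commit says test code) would fail at link time; either add the definition to saml-xml-security-c.cpp as well or guard the declaration the same way the backends are selected. If the function really is test-only, a one-line comment on the declaration saying so would stop it being picked up as a general API.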