Add on error pipeline

Author: john-sonz

lib/samly/idp_data.ex

@@ -16,6 +16,7 @@ defmodule Samly.IdpData do
             custom_recipient_url: nil,
             metadata_file: nil,
             metadata: nil,
+            on_error_pipeline: nil,
             pre_session_create_pipeline: nil,
             use_redirect_for_req: false,
             sign_requests: true,
@@ -45,6 +46,7 @@ defmodule Samly.IdpData do
           custom_recipient_url: nil | binary(),
           metadata_file: nil | binary(),
           metadata: nil | binary(),
+          on_error_pipeline: nil | module(),
           pre_session_create_pipeline: nil | module(),
           use_redirect_for_req: boolean(),
           sign_requests: boolean(),
@@ -117,6 +119,7 @@ defmodule Samly.IdpData do
     %IdpData{idp_data | id: id, sp_id: sp_id, base_url: Map.get(opts_map, :base_url)}
     |> set_metadata(opts_map)
     |> set_pipeline(opts_map)
+    |> set_error_pipeline(opts_map)
     |> set_custom_recipient_url(opts_map)
     |> set_allowed_target_urls(opts_map)
     |> set_boolean_attr(opts_map, :use_redirect_for_req)
@@ -206,6 +209,12 @@ defmodule Samly.IdpData do
     %IdpData{idp_data | pre_session_create_pipeline: pipeline}
   end
 
+  @spec set_error_pipeline(%IdpData{}, map()) :: %IdpData{}
+  defp set_error_pipeline(%IdpData{} = idp_data, %{} = opts_map) do
+    pipeline = Map.get(opts_map, :on_error_pipeline)
+    %IdpData{idp_data | on_error_pipeline: pipeline}
+  end
+
   @spec set_custom_recipient_url(%IdpData{}, map()) :: %IdpData{}
   defp set_custom_recipient_url(%IdpData{} = idp_data, %{} = opts_map) do
     consume_url =
@@ -372,7 +381,9 @@ defmodule Samly.IdpData do
       idp_signs_assertions: idp_data.signed_assertion_in_resp,
       trusted_fingerprints: idp_data.fingerprints,
       metadata_uri: Helper.get_metadata_uri(idp_data.base_url, path_segment_idp_id),
-      consume_uri: idp_data.custom_recipient_url || Helper.get_consume_uri(idp_data.base_url, path_segment_idp_id),
+      consume_uri:
+        idp_data.custom_recipient_url ||
+          Helper.get_consume_uri(idp_data.base_url, path_segment_idp_id),
       logout_uri: Helper.get_logout_uri(idp_data.base_url, path_segment_idp_id),
       entity_id: sp_entity_id
     )

lib/samly/sp_handler.ex

@@ -27,7 +27,13 @@ defmodule Samly.SPHandler do
 
   def consume_signin_response(conn) do
     %IdpData{id: idp_id} = idp = conn.private[:samly_idp]
-    %IdpData{pre_session_create_pipeline: pipeline, esaml_sp_rec: sp_rec} = idp
+
+    %IdpData{
+      pre_session_create_pipeline: pipeline,
+      on_error_pipeline: error_pipeline,
+      esaml_sp_rec: sp_rec
+    } = idp
+
     sp = ensure_sp_uris_set(sp_rec, conn)
 
     saml_encoding = conn.body_params["SAMLEncoding"]
@@ -53,17 +59,42 @@ defmodule Samly.SPHandler do
       |> put_session_new("samly_assertion_key", assertion_key)
       |> redirect(302, target_url)
     else
-      {:halted, conn} -> conn
+      {:halted, conn} ->
+        conn
+
       {:error, reason} ->
-        case idp do
-          %IdpData{debug_mode: true} ->
+        {_, assertion_or_error} = Helper.decode_idp_auth_resp(sp, saml_encoding, saml_response)
+
+        conn
+        |> put_private(:samly_error, reason)
+        |> put_private(:samly_assertion, assertion_or_error)
+        |> then(fn conn ->
+          if idp.debug_mode do
+            put_private(conn, :samly_saml_response, saml_response)
+          else
             conn
-            |> put_resp_header("content-type", "text/html")
-            |> send_resp(403, "<html><body><div><h1>access_denied</h1><p><b>Error:</b><br /><pre><code>#{inspect(reason)}</code></pre></p><p><b>Raw Response:</b><br /><pre><code>#{saml_response}</code></pre></p></div></body></html")
-          _ ->
-            conn |> send_resp(403, "access_denied #{inspect(reason)}")
+          end
+        end)
+        |> pipethrough(error_pipeline)
+        |> case do
+          %Conn{halted: true} = conn ->
+            {:halted, conn}
+
+          conn ->
+            if idp.debug_mode do
+              conn
+              |> put_resp_header("content-type", "text/html")
+              |> send_resp(
+                403,
+                "<html><body><div><h1>access_denied</h1><p><b>Error:</b><br /><pre><code>#{inspect(reason)}</code></pre></p><p><b>Raw Response:</b><br /><pre><code>#{saml_response}</code></pre></p></div></body></html"
+              )
+            else
+              conn |> send_resp(403, "access_denied #{inspect(reason)}")
+            end
         end
-      _ -> conn |> send_resp(403, "access_denied")
+
+      _ ->
+        conn |> send_resp(403, "access_denied")
     end
 
     # rescue

test/samly_idp_data_test.exs

@@ -177,6 +177,13 @@ defmodule SamlyIdpDataTest do
     assert idp_data.custom_recipient_url == ~c"custom-recipient-url"
   end
 
+  test "valid-idp-config-13", %{sps: sps} do
+    idp_config = Map.put(@idp_config1, :on_error_pipeline, MyErrorPipeline)
+    %IdpData{} = idp_data = IdpData.load_provider(idp_config, sps)
+    assert idp_data.valid?
+    assert idp_data.on_error_pipeline == MyErrorPipeline
+  end
+
   test "url-test-1", %{sps: sps} do
     idp_config = %{@idp_config1 | metadata_file: "test/data/shibboleth_idp_metadata.xml"}
     %IdpData{} = idp_data = IdpData.load_provider(idp_config, sps)