2 * Copyright (c) 2010, JANET(UK)
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
9 * 1. Redistributions of source code must retain the above copyright
10 * notice, this list of conditions and the following disclaimer.
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in the
14 * documentation and/or other materials provided with the distribution.
16 * 3. Neither the name of JANET(UK) nor the names of its contributors
17 * may be used to endorse or promote products derived from this software
18 * without specific prior written permission.
20 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
21 * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
22 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
23 * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
24 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
25 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
26 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
27 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
28 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
29 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
34 * SAML attribute provider implementation.
37 #include "gssapiP_eap.h"
41 #include <xercesc/util/XMLUniDefs.hpp>
42 #include <xmltooling/unicode.h>
43 #include <xmltooling/XMLToolingConfig.h>
44 #include <xmltooling/util/XMLHelper.h>
45 #include <xmltooling/util/ParserPool.h>
46 #include <xmltooling/util/DateTime.h>
48 #include <saml/saml1/core/Assertions.h>
49 #include <saml/saml2/core/Assertions.h>
50 #include <saml/saml2/metadata/Metadata.h>
52 using namespace xmltooling;
53 using namespace opensaml::saml2md;
54 using namespace opensaml;
55 using namespace xercesc;
59 * gss_eap_saml_assertion_provider is for retrieving the underlying
62 gss_eap_saml_assertion_provider::gss_eap_saml_assertion_provider(void)
65 m_authenticated = false;
68 gss_eap_saml_assertion_provider::~gss_eap_saml_assertion_provider(void)
74 gss_eap_saml_assertion_provider::initFromExistingContext(const gss_eap_attr_ctx *manager,
75 const gss_eap_attr_provider *ctx)
77 /* Then we may be creating from an existing attribute context */
78 const gss_eap_saml_assertion_provider *saml;
80 assert(m_assertion == NULL);
82 if (!gss_eap_attr_provider::initFromExistingContext(manager, ctx))
85 saml = static_cast<const gss_eap_saml_assertion_provider *>(ctx);
86 setAssertion(saml->getAssertion(), saml->authenticated());
92 gss_eap_saml_assertion_provider::initFromGssContext(const gss_eap_attr_ctx *manager,
93 const gss_cred_id_t gssCred,
94 const gss_ctx_id_t gssCtx)
96 const gss_eap_radius_attr_provider *radius;
97 gss_buffer_desc value = GSS_C_EMPTY_BUFFER;
98 int authenticated, complete;
101 assert(m_assertion == NULL);
103 if (!gss_eap_attr_provider::initFromGssContext(manager, gssCred, gssCtx))
107 * XXX TODO we need to support draft-howlett-radius-saml-attr-00
109 radius = static_cast<const gss_eap_radius_attr_provider *>
110 (m_manager->getProvider(ATTR_TYPE_RADIUS));
111 if (radius != NULL &&
112 radius->getFragmentedAttribute(PW_SAML_AAA_ASSERTION,
114 &authenticated, &complete, &value)) {
115 setAssertion(&value, authenticated);
116 gss_release_buffer(&minor, &value);
125 gss_eap_saml_assertion_provider::setAssertion(const saml2::Assertion *assertion,
131 if (assertion != NULL) {
133 m_assertion = (saml2::Assertion *)((void *)assertion->clone());
135 m_assertion = dynamic_cast<saml2::Assertion *>(assertion->clone());
137 m_authenticated = authenticated;
140 m_authenticated = false;
145 gss_eap_saml_assertion_provider::setAssertion(const gss_buffer_t buffer,
150 m_assertion = parseAssertion(buffer);
151 m_authenticated = (m_assertion != NULL && authenticated);
155 gss_eap_saml_assertion_provider::parseAssertion(const gss_buffer_t buffer)
157 string str((char *)buffer->value, buffer->length);
158 istringstream istream(str);
160 const XMLObjectBuilder *b;
162 doc = XMLToolingConfig::getConfig().getParser().parse(istream);
166 b = XMLObjectBuilder::getBuilder(doc->getDocumentElement());
169 return (saml2::Assertion *)((void *)b->buildFromDocument(doc));
171 return dynamic_cast<saml2::Assertion *>(b->buildFromDocument(doc));
176 gss_eap_saml_assertion_provider::getAttributeTypes(gss_eap_attr_enumeration_cb addAttribute,
181 /* just add the prefix */
182 if (m_assertion != NULL)
183 ret = addAttribute(this, GSS_C_NO_BUFFER, data);
191 gss_eap_saml_assertion_provider::setAttribute(int complete,
192 const gss_buffer_t attr,
193 const gss_buffer_t value)
195 if (attr == GSS_C_NO_BUFFER || attr->length == 0) {
204 gss_eap_saml_assertion_provider::deleteAttribute(const gss_buffer_t value)
208 m_authenticated = false;
214 gss_eap_saml_assertion_provider::getExpiryTime(void) const
216 saml2::Conditions *conditions;
217 time_t expiryTime = 0;
219 if (m_assertion == NULL)
222 conditions = m_assertion->getConditions();
224 if (conditions != NULL && conditions->getNotOnOrAfter() != NULL)
225 expiryTime = conditions->getNotOnOrAfter()->getEpoch();
231 gss_eap_saml_assertion_provider::getAttribute(const gss_buffer_t attr,
235 gss_buffer_t display_value,
240 if (attr != GSS_C_NO_BUFFER && attr->length != 0)
243 if (m_assertion == NULL)
249 if (authenticated != NULL)
250 *authenticated = m_authenticated;
251 if (complete != NULL)
254 XMLHelper::serialize(m_assertion->marshall((DOMDocument *)NULL), str);
256 duplicateBuffer(str, value);
263 gss_eap_saml_assertion_provider::mapToAny(int authenticated,
264 gss_buffer_t type_id) const
266 if (authenticated && !m_authenticated)
267 return (gss_any_t)NULL;
269 return (gss_any_t)m_assertion;
273 gss_eap_saml_assertion_provider::releaseAnyNameMapping(gss_buffer_t type_id,
274 gss_any_t input) const
276 delete ((saml2::Assertion *)input);
280 gss_eap_saml_assertion_provider::exportToBuffer(gss_buffer_t buffer) const
286 buffer->value = NULL;
288 if (m_assertion == NULL)
291 sink << *m_assertion;
294 duplicateBuffer(str, buffer);
298 gss_eap_saml_assertion_provider::initFromBuffer(const gss_eap_attr_ctx *ctx,
299 const gss_buffer_t buffer)
301 if (!gss_eap_attr_provider::initFromBuffer(ctx, buffer))
304 if (buffer->length == 0)
307 assert(m_assertion == NULL);
309 setAssertion(buffer);
310 /* TODO XXX how to propagate authenticated flag? */
316 gss_eap_saml_assertion_provider::init(void)
318 gss_eap_attr_ctx::registerProvider(ATTR_TYPE_SAML_ASSERTION,
319 "urn:ietf:params:gss-eap:saml-aaa-assertion",
320 gss_eap_saml_assertion_provider::createAttrContext);
325 gss_eap_saml_assertion_provider::finalize(void)
327 gss_eap_attr_ctx::unregisterProvider(ATTR_TYPE_SAML_ASSERTION);
330 gss_eap_attr_provider *
331 gss_eap_saml_assertion_provider::createAttrContext(void)
333 return new gss_eap_saml_assertion_provider;
337 gss_eap_saml_assertion_provider::initAssertion(void)
340 m_assertion = saml2::AssertionBuilder::buildAssertion();
341 m_authenticated = false;
347 * gss_eap_saml_attr_provider is for retrieving the underlying attributes.
350 gss_eap_saml_attr_provider::getAssertion(int *authenticated,
351 saml2::Assertion **pAssertion,
352 bool createIfAbsent) const
354 gss_eap_saml_assertion_provider *saml;
356 if (authenticated != NULL)
357 *authenticated = false;
358 if (pAssertion != NULL)
361 saml = static_cast<const gss_eap_saml_assertion_provider *>
362 (m_manager->getProvider(ATTR_TYPE_SAML_ASSERTION));
366 if (authenticated != NULL)
367 *authenticated = saml->authenticated();
368 if (pAssertion != NULL)
369 *pAssertion = saml->getAssertion();
371 if (saml->getAssertion() == NULL) {
372 if (createIfAbsent) {
373 if (authenticated != NULL)
374 *authenticated = false;
375 if (pAssertion != NULL)
376 *pAssertion = saml->initAssertion();
385 gss_eap_saml_attr_provider::getAttributeTypes(gss_eap_attr_enumeration_cb addAttribute,
388 saml2::Assertion *assertion;
391 if (!getAssertion(&authenticated, &assertion))
395 * Note: the first prefix is added by the attribute provider manager
397 * From draft-hartman-gss-eap-naming-00:
399 * Each attribute carried in the assertion SHOULD also be a GSS name
400 * attribute. The name of this attribute has three parts, all separated
401 * by an ASCII space character. The first part is
402 * urn:ietf:params:gss-eap:saml-attr. The second part is the URI for
403 * the SAML attribute name format. The final part is the name of the
404 * SAML attribute. If the mechanism performs an additional attribute
405 * query, the retrieved attributes SHOULD be GSS-API name attributes
406 * using the same name syntax.
408 /* For each attribute statement, look for an attribute match */
409 const vector <saml2::AttributeStatement *> &statements =
410 const_cast<const saml2::Assertion *>(assertion)->getAttributeStatements();
412 for (vector<saml2::AttributeStatement *>::const_iterator s = statements.begin();
413 s != statements.end();
415 const vector<saml2::Attribute*> &attrs =
416 const_cast<const saml2::AttributeStatement*>(*s)->getAttributes();
418 for (vector<saml2::Attribute*>::const_iterator a = attrs.begin(); a != attrs.end(); ++a) {
419 const XMLCh *attributeName = (*a)->getName();
420 const XMLCh *attributeNameFormat = (*a)->getNameFormat();
421 XMLCh *qualifiedName;
422 XMLCh space[2] = { ' ', 0 };
423 gss_buffer_desc utf8;
426 qualifiedName = new XMLCh[XMLString::stringLen(attributeNameFormat) + 1 +
427 XMLString::stringLen(attributeName) + 1];
428 XMLString::copyString(qualifiedName, attributeNameFormat);
429 XMLString::catString(qualifiedName, space);
430 XMLString::catString(qualifiedName, attributeName);
432 utf8.value = (void *)toUTF8(qualifiedName);
433 utf8.length = strlen((char *)utf8.value);
435 ret = addAttribute(this, &utf8, data);
437 delete qualifiedName;
447 static BaseRefVectorOf<XMLCh> *
448 decomposeAttributeName(const gss_buffer_t attr)
450 XMLCh *qualifiedAttr = new XMLCh[attr->length + 1];
451 XMLString::transcode((const char *)attr->value, qualifiedAttr, attr->length);
453 BaseRefVectorOf<XMLCh> *components = XMLString::tokenizeString(qualifiedAttr);
455 delete qualifiedAttr;
457 if (components->size() != 2) {
466 gss_eap_saml_attr_provider::setAttribute(int complete,
467 const gss_buffer_t attr,
468 const gss_buffer_t value)
470 saml2::Assertion *assertion;
471 saml2::Attribute *attribute;
472 saml2::AttributeValue *attributeValue;
473 saml2::AttributeStatement *attributeStatement;
475 if (!getAssertion(NULL, &assertion, true))
478 if (assertion->getAttributeStatements().size() != 0) {
479 attributeStatement = assertion->getAttributeStatements().front();
481 attributeStatement = saml2::AttributeStatementBuilder::buildAttributeStatement();
482 assertion->getAttributeStatements().push_back(attributeStatement);
485 /* Check the attribute name consists of name format | whsp | name */
486 BaseRefVectorOf<XMLCh> *components = decomposeAttributeName(attr);
487 if (components == NULL)
490 attribute = saml2::AttributeBuilder::buildAttribute();
491 attribute->setNameFormat(components->elementAt(0));
492 attribute->setName(components->elementAt(1));
494 XMLCh *xmlValue = new XMLCh[value->length + 1];
495 XMLString::transcode((const char *)value->value, xmlValue, attr->length);
497 attributeValue = saml2::AttributeValueBuilder::buildAttributeValue();
498 attributeValue->setTextContent(xmlValue);
500 attribute->getAttributeValues().push_back(attributeValue);
502 assert(attributeStatement != NULL);
503 attributeStatement->getAttributes().push_back(attribute);
512 gss_eap_saml_attr_provider::deleteAttribute(const gss_buffer_t attr)
514 saml2::Assertion *assertion;
517 if (!getAssertion(NULL, &assertion) ||
518 assertion->getAttributeStatements().size() == 0)
521 /* Check the attribute name consists of name format | whsp | name */
522 BaseRefVectorOf<XMLCh> *components = decomposeAttributeName(attr);
523 if (components == NULL)
526 /* For each attribute statement, look for an attribute match */
527 const vector<saml2::AttributeStatement *> &statements =
528 const_cast<const saml2::Assertion *>(assertion)->getAttributeStatements();
530 for (vector<saml2::AttributeStatement *>::const_iterator s = statements.begin();
531 s != statements.end();
533 const vector<saml2::Attribute *> &attrs =
534 const_cast<const saml2::AttributeStatement *>(*s)->getAttributes();
535 ssize_t index = -1, i = 0;
537 /* There's got to be an easier way to do this */
538 for (vector<saml2::Attribute *>::const_iterator a = attrs.begin();
541 if (XMLString::equals((*a)->getNameFormat(), components->elementAt(0)) &&
542 XMLString::equals((*a)->getName(), components->elementAt(1))) {
549 (*s)->getAttributes().erase((*s)->getAttributes().begin() + index);
560 gss_eap_saml_attr_provider::getAttribute(const gss_buffer_t attr,
563 const saml2::Attribute **pAttribute) const
565 saml2::Assertion *assertion;
567 if (authenticated != NULL)
568 *authenticated = false;
569 if (complete != NULL)
573 if (!getAssertion(authenticated, &assertion) ||
574 assertion->getAttributeStatements().size() == 0)
577 /* Check the attribute name consists of name format | whsp | name */
578 BaseRefVectorOf<XMLCh> *components = decomposeAttributeName(attr);
579 if (components == NULL)
582 /* For each attribute statement, look for an attribute match */
583 const vector <saml2::AttributeStatement *> &statements =
584 const_cast<const saml2::Assertion *>(assertion)->getAttributeStatements();
585 const saml2::Attribute *ret = NULL;
587 for (vector<saml2::AttributeStatement *>::const_iterator s = statements.begin();
588 s != statements.end();
590 const vector<saml2::Attribute *> &attrs =
591 const_cast<const saml2::AttributeStatement*>(*s)->getAttributes();
593 for (vector<saml2::Attribute *>::const_iterator a = attrs.begin(); a != attrs.end(); ++a) {
594 if (XMLString::equals((*a)->getNameFormat(), components->elementAt(0)) &&
595 XMLString::equals((*a)->getName(), components->elementAt(1))) {
609 return (ret != NULL);
613 gss_eap_saml_attr_provider::getAttribute(const gss_buffer_t attr,
617 gss_buffer_t display_value,
620 const saml2::Attribute *a;
621 const saml2::AttributeValue *av;
622 int nvalues, i = *more;
626 if (!getAttribute(attr, authenticated, complete, &a))
629 nvalues = a->getAttributeValues().size();
633 else if (i >= nvalues)
636 av = (const saml2::AttributeValue *)((void *)(a->getAttributeValues().at(i)));
638 av = dynamic_cast<const saml2::AttributeValue *>(a->getAttributeValues().at(i));
642 value->value = toUTF8(av->getTextContent(), true);
643 value->length = strlen((char *)value->value);
645 if (display_value != NULL) {
646 display_value->value = toUTF8(av->getTextContent(), true);
647 display_value->length = strlen((char *)value->value);
658 gss_eap_saml_attr_provider::mapToAny(int authenticated,
659 gss_buffer_t type_id) const
661 return (gss_any_t)NULL;
665 gss_eap_saml_attr_provider::releaseAnyNameMapping(gss_buffer_t type_id,
666 gss_any_t input) const
671 gss_eap_saml_attr_provider::exportToBuffer(gss_buffer_t buffer) const
674 buffer->value = NULL;
678 gss_eap_saml_attr_provider::initFromBuffer(const gss_eap_attr_ctx *ctx,
679 const gss_buffer_t buffer)
681 return gss_eap_attr_provider::initFromBuffer(ctx, buffer);
685 gss_eap_saml_attr_provider::init(void)
687 gss_eap_attr_ctx::registerProvider(ATTR_TYPE_SAML,
688 "urn:ietf:params:gss-eap:saml-attr",
689 gss_eap_saml_attr_provider::createAttrContext);
694 gss_eap_saml_attr_provider::finalize(void)
696 gss_eap_attr_ctx::unregisterProvider(ATTR_TYPE_SAML);
699 gss_eap_attr_provider *
700 gss_eap_saml_attr_provider::createAttrContext(void)
702 return new gss_eap_saml_attr_provider;
706 gssEapSamlAttrProvidersInit(OM_uint32 *minor)
708 if (!gss_eap_saml_assertion_provider::init() ||
709 !gss_eap_saml_attr_provider::init()) {
710 *minor = GSSEAP_SAML_INIT_FAILURE;
711 return GSS_S_FAILURE;
714 return GSS_S_COMPLETE;
718 gssEapSamlAttrProvidersFinalize(OM_uint32 *minor)
720 gss_eap_saml_attr_provider::finalize();
721 gss_eap_saml_assertion_provider::finalize();
722 return GSS_S_COMPLETE;