2 * Copyright 2001-2005 Internet2
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
8 * http://www.apache.org/licenses/LICENSE-2.0
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
17 /* shib.h - Shibboleth header file
28 #include <saml/saml.h>
29 #include <shib/shib-threads.h>
30 #include <xsec/xenc/XENCEncryptionMethod.hpp>
34 # define SHIB_EXPORTS __declspec(dllimport)
// Exception types thrown by the Shibboleth runtime, declared through OpenSAML's
// macro so they export cleanly across the DLL boundary. All derive from
// saml::SAMLException except InvalidSessionException, whose base is
// RetryableProfileException (retry semantics are defined in OpenSAML, not here).
42 DECLARE_SAML_EXCEPTION(SHIB_EXPORTS,ResourceAccessException,SAMLException);
43 DECLARE_SAML_EXCEPTION(SHIB_EXPORTS,MetadataException,SAMLException);
44 DECLARE_SAML_EXCEPTION(SHIB_EXPORTS,CredentialException,SAMLException);
45 DECLARE_SAML_EXCEPTION(SHIB_EXPORTS,InvalidHandleException,SAMLException);
46 DECLARE_SAML_EXCEPTION(SHIB_EXPORTS,InvalidSessionException,RetryableProfileException);
48 // Metadata abstract interfaces, based on SAML 2.0
// Metadata ContactPerson element. Pure abstract: a metadata provider supplies
// the implementation. Returned pointers and iterators refer to provider-owned
// data (lifetime presumably bound to the provider's lock — confirm in IMetadata users).
50 struct SHIB_EXPORTS IContactPerson
// Contact category, mirroring the SAML 2.0 contactType attribute.
52 enum ContactType { technical, support, administrative, billing, other };
53 virtual ContactType getType() const=0;
54 virtual const char* getCompany() const=0;
55 virtual const char* getGivenName() const=0;
56 virtual const char* getSurName() const=0;
57 virtual saml::Iterator<std::string> getEmailAddresses() const=0;
58 virtual saml::Iterator<std::string> getTelephoneNumbers() const=0;
// Underlying DOM node, for callers that need data not surfaced by the accessors.
59 virtual const DOMElement* getElement() const=0;
60 virtual ~IContactPerson() {}
// Metadata Organization element. Each accessor is language-tagged; the
// default selects the English ("en") variant.
63 struct SHIB_EXPORTS IOrganization
65 virtual const char* getName(const char* lang="en") const=0;
66 virtual const char* getDisplayName(const char* lang="en") const=0;
67 virtual const char* getURL(const char* lang="en") const=0;
68 virtual const DOMElement* getElement() const=0;
69 virtual ~IOrganization() {}
// Key material published in metadata for a role (SAML 2.0 KeyDescriptor).
72 struct SHIB_EXPORTS IKeyDescriptor
// `unspecified` corresponds to a KeyDescriptor with no use attribute;
// how consumers treat such a key (signing, encryption, or both) is decided
// by the trust provider, not here — confirm there.
74 enum KeyUse { unspecified, encryption, signing };
75 virtual KeyUse getUse() const=0;
// XML-Security-C KeyInfo list; returned as a non-const pointer from a const
// accessor, so callers must not assume the list is immutable.
76 virtual DSIGKeyInfoList* getKeyInfo() const=0;
// XML Encryption algorithms the key is advertised for.
77 virtual saml::Iterator<const XENCEncryptionMethod*> getEncryptionMethods() const=0;
78 virtual ~IKeyDescriptor() {}
// Protocol endpoint (SAML 2.0 EndpointType): binding URI plus location and
// optional response location, all as UTF-16 XMLCh strings.
81 struct SHIB_EXPORTS IEndpoint
83 virtual const XMLCh* getBinding() const=0;
84 virtual const XMLCh* getLocation() const=0;
85 virtual const XMLCh* getResponseLocation() const=0;
86 virtual const DOMElement* getElement() const=0;
87 virtual ~IEndpoint() {}
// Endpoint that additionally carries an index attribute (IndexedEndpointType).
90 struct SHIB_EXPORTS IIndexedEndpoint : public virtual IEndpoint
92 virtual unsigned short getIndex() const=0;
93 virtual ~IIndexedEndpoint() {}
// Collection of endpoints of one service type, with lookup by index or binding.
// Lookups return NULL when nothing matches (pointer return, no exception
// declared) — confirm in the provider.
96 struct SHIB_EXPORTS IEndpointManager
98 virtual saml::Iterator<const IEndpoint*> getEndpoints() const=0;
99 virtual const IEndpoint* getDefaultEndpoint() const=0;
100 virtual const IEndpoint* getEndpointByIndex(unsigned short index) const=0;
101 virtual const IEndpoint* getEndpointByBinding(const XMLCh* binding) const=0;
102 virtual ~IEndpointManager() {}
105 struct SHIB_EXPORTS IEntityDescriptor;
// Base of every metadata role (SAML 2.0 RoleDescriptor). Trust decisions
// (see ITrust below) are made against a role, so this is the object that
// carries the keys a peer is allowed to use.
106 struct SHIB_EXPORTS IRoleDescriptor
// Back-pointer to the owning entity.
108 virtual const IEntityDescriptor* getEntityDescriptor() const=0;
109 virtual saml::Iterator<const XMLCh*> getProtocolSupportEnumeration() const=0;
110 virtual bool hasSupport(const XMLCh* protocol) const=0;
// Whether the role is currently usable (presumably validity-window based —
// confirm in the provider).
111 virtual bool isValid() const=0;
112 virtual const char* getErrorURL() const=0;
113 virtual saml::Iterator<const IKeyDescriptor*> getKeyDescriptors() const=0;
114 virtual const IOrganization* getOrganization() const=0;
115 virtual saml::Iterator<const IContactPerson*> getContactPersons() const=0;
116 virtual const DOMElement* getElement() const=0;
117 virtual ~IRoleDescriptor() {}
// Services common to both IdP and SP SSO roles (SAML 2.0 SSODescriptorType).
120 struct SHIB_EXPORTS ISSODescriptor : public virtual IRoleDescriptor
122 virtual const IEndpointManager* getArtifactResolutionServiceManager() const=0;
123 virtual const IEndpointManager* getSingleLogoutServiceManager() const=0;
124 virtual const IEndpointManager* getManageNameIDServiceManager() const=0;
125 virtual saml::Iterator<const XMLCh*> getNameIDFormats() const=0;
126 virtual ~ISSODescriptor() {}
// Identity provider SSO role.
129 struct SHIB_EXPORTS IIDPSSODescriptor : public virtual ISSODescriptor
// Metadata flag (WantAuthnRequestsSigned); callers sending requests are
// expected to honour it.
131 virtual bool getWantAuthnRequestsSigned() const=0;
132 virtual const IEndpointManager* getSingleSignOnServiceManager() const=0;
133 virtual const IEndpointManager* getNameIDMappingServiceManager() const=0;
134 virtual const IEndpointManager* getAssertionIDRequestServiceManager() const=0;
135 virtual saml::Iterator<const XMLCh*> getAttributeProfiles() const=0;
// Attributes the IdP advertises it can supply.
136 virtual saml::Iterator<const saml::SAMLAttribute*> getAttributes() const=0;
137 virtual ~IIDPSSODescriptor() {}
// SP-side AttributeConsumingService: a named set of requested attributes.
140 struct SHIB_EXPORTS IAttributeConsumingService
142 virtual const XMLCh* getName(const char* lang="en") const=0;
143 virtual const XMLCh* getDescription(const char* lang="en") const=0;
// Each pair is (attribute, flag); the flag presumably maps to isRequired —
// confirm in the provider.
144 virtual saml::Iterator<std::pair<const saml::SAMLAttribute*,bool> > getRequestedAttributes() const=0;
145 virtual ~IAttributeConsumingService() {}
// Service provider SSO role.
148 struct SHIB_EXPORTS ISPSSODescriptor : public virtual ISSODescriptor
// Metadata flags: whether this SP signs its requests, and whether it
// requires assertions to be signed.
150 virtual bool getAuthnRequestsSigned() const=0;
151 virtual bool getWantAssertionsSigned() const=0;
152 virtual const IEndpointManager* getAssertionConsumerServiceManager() const=0;
153 virtual saml::Iterator<const IAttributeConsumingService*> getAttributeConsumingServices() const=0;
154 virtual const IAttributeConsumingService* getDefaultAttributeConsumingService() const=0;
155 virtual const IAttributeConsumingService* getAttributeConsumingServiceByID(const XMLCh* id) const=0;
156 virtual ~ISPSSODescriptor() {}
// Authentication authority role (answers AuthnQuery).
159 struct SHIB_EXPORTS IAuthnAuthorityDescriptor : public virtual IRoleDescriptor
161 virtual const IEndpointManager* getAuthnQueryServiceManager() const=0;
162 virtual const IEndpointManager* getAssertionIDRequestServiceManager() const=0;
163 virtual saml::Iterator<const XMLCh*> getNameIDFormats() const=0;
164 virtual ~IAuthnAuthorityDescriptor() {}
// Policy decision point role (answers authorization queries).
167 struct SHIB_EXPORTS IPDPDescriptor : public virtual IRoleDescriptor
169 virtual const IEndpointManager* getAuthzServiceManager() const=0;
170 virtual const IEndpointManager* getAssertionIDRequestServiceManager() const=0;
171 virtual saml::Iterator<const XMLCh*> getNameIDFormats() const=0;
172 virtual ~IPDPDescriptor() {}
// Attribute authority role (answers attribute queries).
175 struct SHIB_EXPORTS IAttributeAuthorityDescriptor : public virtual IRoleDescriptor
177 virtual const IEndpointManager* getAttributeServiceManager() const=0;
178 virtual const IEndpointManager* getAssertionIDRequestServiceManager() const=0;
179 virtual saml::Iterator<const XMLCh*> getNameIDFormats() const=0;
180 virtual saml::Iterator<const XMLCh*> getAttributeProfiles() const=0;
// Attributes the authority advertises it can supply.
181 virtual saml::Iterator<const saml::SAMLAttribute*> getAttributes() const=0;
182 virtual ~IAttributeAuthorityDescriptor() {}
// Affiliation of entities sharing keys (SAML 2.0 AffiliationDescriptor).
185 struct SHIB_EXPORTS IAffiliationDescriptor
187 virtual const IEntityDescriptor* getEntityDescriptor() const=0;
// Entity ID of the affiliation owner.
188 virtual const XMLCh* getOwnerID() const=0;
189 virtual bool isValid() const=0;
190 virtual saml::Iterator<const XMLCh*> getMembers() const=0;
191 virtual bool isMember(const XMLCh* id) const=0;
// Keys usable by any member of the affiliation.
192 virtual saml::Iterator<const IKeyDescriptor*> getKeyDescriptors() const=0;
193 virtual const DOMElement* getElement() const=0;
194 virtual ~IAffiliationDescriptor() {}
197 struct SHIB_EXPORTS IEntitiesDescriptor;
// Single SAML entity and all of its roles (SAML 2.0 EntityDescriptor).
198 struct SHIB_EXPORTS IEntityDescriptor
// The entityID.
200 virtual const XMLCh* getId() const=0;
201 virtual bool isValid() const=0;
202 virtual saml::Iterator<const IRoleDescriptor*> getRoleDescriptors() const=0;
// Typed role lookups, filtered by supported protocol; pointer return, so
// absence is presumably signalled by NULL — confirm in the provider.
203 virtual const IIDPSSODescriptor* getIDPSSODescriptor(const XMLCh* protocol) const=0;
204 virtual const ISPSSODescriptor* getSPSSODescriptor(const XMLCh* protocol) const=0;
205 virtual const IAuthnAuthorityDescriptor* getAuthnAuthorityDescriptor(const XMLCh* protocol) const=0;
206 virtual const IAttributeAuthorityDescriptor* getAttributeAuthorityDescriptor(const XMLCh* protocol) const=0;
207 virtual const IPDPDescriptor* getPDPDescriptor(const XMLCh* protocol) const=0;
208 virtual const IAffiliationDescriptor* getAffiliationDescriptor() const=0;
209 virtual const IOrganization* getOrganization() const=0;
210 virtual saml::Iterator<const IContactPerson*> getContactPersons() const=0;
// Pairs of (namespace, location) per AdditionalMetadataLocation — the pair
// element order is not visible here; confirm in the provider.
211 virtual saml::Iterator<std::pair<const XMLCh*,const XMLCh*> > getAdditionalMetadataLocations() const=0;
// Enclosing group, if any.
212 virtual const IEntitiesDescriptor* getEntitiesDescriptor() const=0;
213 virtual const DOMElement* getElement() const=0;
214 virtual ~IEntityDescriptor() {}
// Named group of entities and nested groups (SAML 2.0 EntitiesDescriptor).
217 struct SHIB_EXPORTS IEntitiesDescriptor
219 virtual const XMLCh* getName() const=0;
220 virtual bool isValid() const=0;
// Parent group, if any.
221 virtual const IEntitiesDescriptor* getEntitiesDescriptor() const=0;
222 virtual saml::Iterator<const IEntitiesDescriptor*> getEntitiesDescriptors() const=0;
223 virtual saml::Iterator<const IEntityDescriptor*> getEntityDescriptors() const=0;
224 virtual const DOMElement* getElement() const=0;
225 virtual ~IEntitiesDescriptor() {}
228 // Supports Shib role extension describing attribute scoping rules
// Role carrying Shibboleth Scope extensions: the attribute scopes (e.g. a
// domain suffix) this role is permitted to assert.
229 struct SHIB_EXPORTS IScopedRoleDescriptor : public virtual IRoleDescriptor
// Each pair is (scope value, flag); the flag's meaning is not visible in
// this excerpt (presumably whether the value is a regular expression — confirm).
231 virtual saml::Iterator<std::pair<const XMLCh*,bool> > getScopes() const=0;
232 virtual ~IScopedRoleDescriptor() {}
235 // Shib extension interfaces to key authority data
// Shibboleth KeyAuthority extension: key material used as verification
// anchors, plus the depth limit applied when verifying against them.
236 struct SHIB_EXPORTS IKeyAuthority
// Maximum chain depth to accept during verification.
238 virtual int getVerifyDepth() const=0;
239 virtual saml::Iterator<DSIGKeyInfoList*> getKeyInfos() const=0;
240 virtual ~IKeyAuthority() {}
// Entity descriptor that also exposes Shibboleth KeyAuthority extensions.
243 struct SHIB_EXPORTS IExtendedEntityDescriptor : public virtual IEntityDescriptor
245 virtual saml::Iterator<const IKeyAuthority*> getKeyAuthorities() const=0;
246 virtual ~IExtendedEntityDescriptor() {}
// Entity group that also exposes Shibboleth KeyAuthority extensions.
249 struct SHIB_EXPORTS IExtendedEntitiesDescriptor : public virtual IEntitiesDescriptor
251 virtual saml::Iterator<const IKeyAuthority*> getKeyAuthorities() const=0;
252 virtual ~IExtendedEntitiesDescriptor() {}
// Metadata provider plug-in. It is ILockable, so descriptors obtained from
// lookup*() are presumably only valid while the provider is locked by the
// caller — confirm against the Metadata glue class below.
255 struct SHIB_EXPORTS IMetadata : public virtual saml::ILockable, public virtual saml::IPlugIn
// Entity lookup by ID (narrow or UTF-16). The effect of `strict` on matching
// is defined by each provider and is not visible in this excerpt.
257 virtual const IEntityDescriptor* lookup(const char* id, bool strict=true) const=0;
258 virtual const IEntityDescriptor* lookup(const XMLCh* id, bool strict=true) const=0;
// Entity lookup by the source of a SAML artifact.
259 virtual const IEntityDescriptor* lookup(const saml::SAMLArtifact* artifact) const=0;
260 virtual const IEntitiesDescriptor* lookupGroup(const char* name, bool strict=true) const=0;
261 virtual const IEntitiesDescriptor* lookupGroup(const XMLCh* name, bool strict=true) const=0;
// Top of the tree: either a group or a single entity (the other member of
// the pair is presumably NULL).
262 virtual std::pair<const IEntitiesDescriptor*,const IEntityDescriptor*> getRoot() const=0;
263 virtual ~IMetadata() {}
266 // Trust interface hides *all* details of signature and SSL validation.
267 // Pluggable providers can fully override the Shibboleth trust model here.
// Trust provider plug-in: the single point at which certificate chains and
// signed SAML objects are accepted or rejected against the metadata role
// claimed to have produced them.
269 struct SHIB_EXPORTS ITrust : public virtual saml::IPlugIn
// Performs certificate validation processing of untrusted certificates
// using a library-specific representation, in this case an OpenSSL X509*.
// The chain is passed as void* for that reason: caller and provider must
// agree on the concrete type. The remaining parameters are outside this excerpt.
273 virtual bool validate(
275 const saml::Iterator<void*>& certChain,
276 const IRoleDescriptor* role,
// Validates signed SAML messages and assertions sent by an entity acting in a specific role.
// If certificate validation is required, the trust provider used can be overridden using
// the last parameter, or left null, in which case this provider validates certificates itself.
// Returns true only when the token is accepted; a false result must be treated as unverified.
283 virtual bool validate(
284 const saml::SAMLSignedObject& token,
285 const IRoleDescriptor* role,
286 ITrust* certValidator=NULL
292 // Credentials interface abstracts access to "owned" keys and certificates.
// Resolves one "owned" credential: a key and its certificate chain in
// XML-Security-C representations.
294 struct SHIB_EXPORTS ICredResolver : public virtual saml::IPlugIn
// Binds the credential to a library context; void* because the concrete
// context type is an agreement between caller and provider.
296 virtual void attach(void* ctx) const=0;
// Key for this credential (presumably the private key, given this is the
// "owned" side — confirm in the provider).
297 virtual XSECCryptoKey* getKey() const=0;
298 virtual saml::Iterator<XSECCryptoX509*> getCertificates() const=0;
// Diagnostic dump to an arbitrary stream; the no-argument form writes to stdout.
// NOTE(review): what dump() emits is implementation-defined and not visible
// here — it should never include private key material.
299 virtual void dump(FILE* f) const=0;
300 virtual void dump() const { dump(stdout); }
301 virtual ~ICredResolver() {}
// Credentials provider plug-in: maps a credential ID to its resolver.
// Lockable, so the returned resolver is presumably only valid while locked.
304 struct SHIB_EXPORTS ICredentials : public virtual saml::ILockable, public virtual saml::IPlugIn
306 virtual const ICredResolver* lookup(const char* id) const=0;
307 virtual ~ICredentials() {}
310 // Attribute acceptance processing interfaces, applied to incoming attributes.
// One attribute acceptance rule: identifies an attribute by name/namespace,
// maps it to a local alias and HTTP header, and filters incoming values.
312 struct SHIB_EXPORTS IAttributeRule
314 virtual const XMLCh* getName() const=0;
315 virtual const XMLCh* getNamespace() const=0;
316 virtual const char* getAlias() const=0;
317 virtual const char* getHeader() const=0;
// Whether value comparisons made by this rule are case-sensitive
// (exact scope of the flag is defined by the implementation).
318 virtual bool getCaseSensitive() const=0;
// Applies the rule to an incoming attribute in place; `role` lets the rule
// take the asserting party's metadata into account and may be NULL.
319 virtual void apply(saml::SAMLAttribute& attribute, const IRoleDescriptor* role=NULL) const=0;
320 virtual ~IAttributeRule() {}
// Attribute acceptance policy plug-in: a set of IAttributeRule objects,
// looked up by attribute name/namespace or by local alias. Lockable, so
// rules are presumably only valid while the policy is locked.
323 struct SHIB_EXPORTS IAAP : public virtual saml::ILockable, public virtual saml::IPlugIn
// Presumably true when the policy accepts attributes that have no explicit
// rule — confirm in the implementation, as it widens what is accepted.
325 virtual bool anyAttribute() const=0;
// NULL namespace in the first overload is presumably the "default"
// namespace — confirm in the provider.
326 virtual const IAttributeRule* lookup(const XMLCh* attrName, const XMLCh* attrNamespace=NULL) const=0;
327 virtual const IAttributeRule* lookup(const char* alias) const=0;
328 virtual saml::Iterator<const IAttributeRule*> getAttributeRules() const=0;
// Factory plug-in that builds a SAMLAttribute from its DOM element; registered
// per attribute name via ShibConfig::regAttributeMapping (below).
332 struct SHIB_EXPORTS IAttributeFactory : public virtual saml::IPlugIn
334 virtual saml::SAMLAttribute* build(DOMElement* e) const=0;
335 virtual ~IAttributeFactory() {}
// Explicit instantiations of the OpenSAML Iterator/ArrayIterator templates for
// the Shibboleth interface types, emitted only by the translation unit that
// defines SHIB_INSTANTIATE so the exported template code lives in one place.
// The unqualified template names and the re-opened `namespace shibboleth`
// that follows suggest these sit inside namespace saml (opening not visible here).
338 #ifdef SHIB_INSTANTIATE
341 template class SHIB_EXPORTS Iterator<const shibboleth::IContactPerson*>;
342 template class SHIB_EXPORTS Iterator<const XENCEncryptionMethod*>;
343 template class SHIB_EXPORTS Iterator<const shibboleth::IKeyDescriptor*>;
344 template class SHIB_EXPORTS Iterator<const shibboleth::IAttributeConsumingService*>;
345 template class SHIB_EXPORTS Iterator<const shibboleth::IRoleDescriptor*>;
346 template class SHIB_EXPORTS Iterator<const shibboleth::IEntityDescriptor*>;
347 template class SHIB_EXPORTS Iterator<const shibboleth::IEntitiesDescriptor*>;
348 template class SHIB_EXPORTS Iterator<const shibboleth::IEndpoint*>;
349 template class SHIB_EXPORTS Iterator<const shibboleth::IAttributeRule*>;
350 template class SHIB_EXPORTS Iterator<const shibboleth::IKeyAuthority*>;
351 template class SHIB_EXPORTS Iterator<DSIGKeyInfoList*>;
352 template class SHIB_EXPORTS Iterator<shibboleth::IMetadata*>;
353 template class SHIB_EXPORTS ArrayIterator<shibboleth::IMetadata*>;
354 template class SHIB_EXPORTS Iterator<shibboleth::ITrust*>;
355 template class SHIB_EXPORTS ArrayIterator<shibboleth::ITrust*>;
356 template class SHIB_EXPORTS Iterator<shibboleth::ICredentials*>;
357 template class SHIB_EXPORTS ArrayIterator<shibboleth::ICredentials*>;
358 template class SHIB_EXPORTS Iterator<shibboleth::IAAP*>;
359 template class SHIB_EXPORTS ArrayIterator<shibboleth::IAAP*>;
361 namespace shibboleth {
// Well-known Shibboleth namespace and profile URIs as UTF-16 (XMLCh) arrays.
// Declared here; the definitions live in the library's implementation file.
364 struct SHIB_EXPORTS Constants
366 static const XMLCh SHIB_ATTRIBUTE_NAMESPACE_URI[];
367 static const XMLCh SHIB_NAMEID_FORMAT_URI[];
368 static const XMLCh SHIB_AUTHNREQUEST_PROFILE_URI[];
369 static const XMLCh SHIB_LEGACY_AUTHNREQUEST_PROFILE_URI[];
370 static const XMLCh SHIB_SESSIONINIT_PROFILE_URI[];
371 static const XMLCh SHIB_LOGOUT_PROFILE_URI[];
372 static const XMLCh SHIB_NS[];
// Sentinel value (presumably a NameID/handle literal) — see InvalidHandleException.
373 static const XMLCh InvalidHandle[];
376 // Glue classes between abstract metadata and concrete providers
// Glue over a set of IMetadata providers: tries each provider in turn for a
// lookup. Holds only an iterator over the providers, so the caller owns them.
378 class SHIB_EXPORTS Metadata
// m_mapper (declared outside this excerpt) starts NULL; presumably it remembers
// the provider that answered the last lookup so it can be unlocked — confirm in the .cpp.
381 Metadata(const saml::Iterator<IMetadata*>& metadatas) : m_mapper(NULL), m_metadatas(metadatas) {}
// Non-const, unlike IMetadata::lookup: the object tracks lookup state.
384 const IEntityDescriptor* lookup(const char* id, bool strict=true);
385 const IEntityDescriptor* lookup(const XMLCh* id, bool strict=true);
386 const IEntityDescriptor* lookup(const saml::SAMLArtifact* artifact);
// Copy and assignment are declared but (per this code base's pattern) not
// meant to be used; the access specifier is outside this excerpt.
389 Metadata(const Metadata&);
390 void operator=(const Metadata&);
392 saml::Iterator<IMetadata*> m_metadatas;
// Glue over a set of ITrust providers; validation presumably succeeds if any
// provider accepts (the loop is in the .cpp — confirm the exact policy,
// as it decides how permissive trust evaluation is).
395 class SHIB_EXPORTS Trust
398 Trust(const saml::Iterator<ITrust*>& trusts) : m_trusts(trusts) {}
// Certificate-chain form; the signature line is outside this excerpt.
403 const saml::Iterator<void*>& certChain,
404 const IRoleDescriptor* role,
// Signed-object form; unlike ITrust::validate there is no certValidator
// override here.
407 bool validate(const saml::SAMLSignedObject& token, const IRoleDescriptor* role) const;
// Assignment declared but not meant to be used (access specifier outside this excerpt).
411 void operator=(const Trust&);
412 saml::Iterator<ITrust*> m_trusts;
// Glue over a set of ICredentials providers. m_mapper starts NULL and
// presumably records the provider that satisfied lookup() — confirm in the .cpp.
415 class SHIB_EXPORTS Credentials
418 Credentials(const saml::Iterator<ICredentials*>& creds) : m_mapper(NULL), m_creds(creds) {}
// Non-const: updates m_mapper.
421 const ICredResolver* lookup(const char* id);
// Copy and assignment declared but not meant to be used (access specifier
// outside this excerpt).
424 Credentials(const Credentials&);
425 void operator=(const Credentials&);
426 ICredentials* m_mapper;
427 saml::Iterator<ICredentials*> m_creds;
// Glue over a set of IAAP providers: resolves one attribute rule at
// construction time and then behaves like a pointer to it.
430 class SHIB_EXPORTS AAP
433 AAP(const saml::Iterator<IAAP*>& aaps, const XMLCh* attrName, const XMLCh* attrNamespace=NULL);
434 AAP(const saml::Iterator<IAAP*>& aaps, const char* alias);
// True when no provider matched. Tests m_mapper (declared outside this
// excerpt), not m_rule; callers should check fail() before dereferencing.
436 bool fail() const {return m_mapper==NULL;}
437 const IAttributeRule* operator->() const {return m_rule;}
// Implicit (non-explicit) conversion to the rule pointer; a point of style
// rather than a defect, but it allows an AAP to be passed where a pointer is expected.
438 operator const IAttributeRule*() const {return m_rule;}
// Applies every matching rule to every attribute in the assertion.
440 static void apply(const saml::Iterator<IAAP*>& aaps, saml::SAMLAssertion& assertion, const IRoleDescriptor* role=NULL);
// Assignment declared but not meant to be used (access specifier outside this excerpt).
444 void operator=(const AAP&);
446 const IAttributeRule* m_rule;
449 // Subclass around the OpenSAML browser profile interface,
450 // incorporates additional functionality using Shib-defined APIs.
// Wraps an OpenSAML browser profile (m_profile) and adds metadata/trust
// evaluation. Both provider sets default to empty; the constructor line
// itself is outside this excerpt.
451 class SHIB_EXPORTS ShibBrowserProfile : virtual public saml::SAMLBrowserProfile
455 const saml::Iterator<IMetadata*>& metadatas=EMPTY(IMetadata*),
456 const saml::Iterator<ITrust*>& trusts=EMPTY(ITrust*)
458 virtual ~ShibBrowserProfile();
// Processes an incoming browser profile response; the leading parameters are
// outside this excerpt. `recipient` is the expected audience/destination.
// NOTE(review): replayCache defaults to NULL — whether replay detection is
// then skipped entirely is decided in the implementation; confirm callers pass one.
460 virtual saml::SAMLBrowserProfile::BrowserProfileResponse receive(
462 const XMLCh* recipient,
463 int supportedProfiles,
464 saml::IReplayCache* replayCache=NULL,
465 saml::SAMLBrowserProfile::ArtifactMapper* callback=NULL,
// Wrapped profile plus the provider sets used for lookup and trust.
470 saml::SAMLBrowserProfile* m_profile;
471 saml::Iterator<IMetadata*> m_metadatas;
472 saml::Iterator<ITrust*> m_trusts;
// Process-wide runtime configuration, reached through the getConfig() singleton.
475 class SHIB_EXPORTS ShibConfig
479 virtual ~ShibConfig() {}
// global per-process setup and shutdown of Shibboleth runtime (declarations
// outside this excerpt)
// manages specific attribute name to factory mappings; the registry is
// process-global, so registrations affect every caller in the process
486 void regAttributeMapping(const XMLCh* name, const IAttributeFactory* factory);
487 void unregAttributeMapping(const XMLCh* name);
488 void clearAttributeMappings();
// enables runtime and clients to access configuration
491 static ShibConfig& getConfig();
494 /* Helper classes for implementing reloadable XML-based config files
495 The ILockable interface will usually be inherited twice, once as
496 part of the external interface to clients and once as an implementation
497 detail of the reloading class below.
// One parsed generation of a reloadable XML config, built either from a file
// path or from an already-parsed DOM element.
500 class SHIB_EXPORTS ReloadableXMLFileImpl
503 ReloadableXMLFileImpl(const char* pathname);
// Parameter is a DOM element despite its name; presumably the root of an
// inline configuration — confirm in the .cpp.
504 ReloadableXMLFileImpl(const DOMElement* pathname);
505 virtual ~ReloadableXMLFileImpl();
// Root of the parsed document.
509 const DOMElement* m_root;
// Holder for a ReloadableXMLFileImpl that can be swapped when the source
// changes. ILockable is inherited protected: locking is an implementation
// detail here, not part of the client-facing interface.
512 class SHIB_EXPORTS ReloadableXMLFile : protected virtual saml::ILockable
515 ReloadableXMLFile(const DOMElement* e);
// Owns both the lock and the current implementation.
// NOTE(review): no copy-constructor/assignment suppression is visible in this
// excerpt; if the class is copyable, a copy would double-delete m_lock and
// m_impl — confirm in the full header.
516 ~ReloadableXMLFile() { delete m_lock; delete m_impl; }
// A NULL lock is tolerated (unlock becomes a no-op); the matching lock()
// override is outside this excerpt.
519 virtual void unlock() { if (m_lock) m_lock->unlock(); }
// Returns the current implementation. Declared const while m_impl is
// mutable, so presumably this is where a reload is triggered — confirm in the .cpp.
521 ReloadableXMLFileImpl* getImplementation() const;
// Subclass factories for a fresh implementation; `first` distinguishes the
// initial load from a reload (exact semantics not visible here).
524 virtual ReloadableXMLFileImpl* newImplementation(const char* pathname, bool first=true) const=0;
525 virtual ReloadableXMLFileImpl* newImplementation(const DOMElement* e, bool first=true) const=0;
526 mutable ReloadableXMLFileImpl* m_impl;
// Configuration root and the source path/spec the implementation is built from.
529 const DOMElement* m_root;
530 std::string m_source;
535 /* These helpers attach metadata-derived information as exception properties and then
536 * rethrow the object. The following properties are attached, when possible:
538 * providerId The unique ID of the entity
539 * errorURL The error support URL of the entity or role
540 * contactName A formatted support or technical contact name
541 * contactEmail A contact email address
// With rethrow=true (the default) these do not return normally: the annotated
// exception is rethrown. Pass rethrow=false to only attach the properties.
// The entity/role may be NULL, in which case the properties that depend on it
// cannot be attached ("when possible" above).
543 SHIB_EXPORTS void annotateException(saml::SAMLException* e, const IEntityDescriptor* entity, bool rethrow=true);
544 SHIB_EXPORTS void annotateException(saml::SAMLException* e, const IRoleDescriptor* role, bool rethrow=true);