2 * Copyright 2001-2005 Internet2
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
8 * http://www.apache.org/licenses/LICENSE-2.0
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
17 /* shib.h - Shibboleth header file
28 #include <saml/saml2/metadata/Metadata.h>
29 #include <saml/saml2/metadata/MetadataProvider.h>
30 #include <xmltooling/security/TrustEngine.h>
31 #include <xmltooling/signature/CredentialResolver.h>
32 #include <xmltooling/util/Threads.h>
34 #include <saml/saml.h>
35 #undef SAML10_PROTOCOL_ENUM
39 # define SHIB_EXPORTS __declspec(dllimport)
47 // Credentials interface abstracts access to "owned" keys and certificates.
49 struct SHIB_EXPORTS ICredentials : public virtual saml::ILockable, public virtual saml::IPlugIn
51 virtual xmlsignature::CredentialResolver* lookup(const char* id) const=0;
52 virtual ~ICredentials() {}
55 // Attribute acceptance processing interfaces, applied to incoming attributes.
57 struct SHIB_EXPORTS IAttributeRule
59 virtual const XMLCh* getName() const=0;
60 virtual const XMLCh* getNamespace() const=0;
61 virtual const char* getAlias() const=0;
62 virtual const char* getHeader() const=0;
63 virtual bool getCaseSensitive() const=0;
64 virtual void apply(saml::SAMLAttribute& attribute, const opensaml::saml2md::RoleDescriptor* role=NULL) const=0;
65 virtual ~IAttributeRule() {}
68 struct SHIB_EXPORTS IAAP : public virtual saml::ILockable, public virtual saml::IPlugIn
70 virtual bool anyAttribute() const=0;
71 virtual const IAttributeRule* lookup(const XMLCh* attrName, const XMLCh* attrNamespace=NULL) const=0;
72 virtual const IAttributeRule* lookup(const char* alias) const=0;
73 virtual saml::Iterator<const IAttributeRule*> getAttributeRules() const=0;
77 struct SHIB_EXPORTS IAttributeFactory : public virtual saml::IPlugIn
79 virtual saml::SAMLAttribute* build(DOMElement* e) const=0;
80 virtual ~IAttributeFactory() {}
83 #ifdef SHIB_INSTANTIATE
84 template class SHIB_EXPORTS saml::Iterator<ICredentials*>;
85 template class SHIB_EXPORTS saml::ArrayIterator<ICredentials*>;
86 template class SHIB_EXPORTS saml::Iterator<IAAP*>;
87 template class SHIB_EXPORTS saml::ArrayIterator<IAAP*>;
90 class SHIB_EXPORTS Credentials
93 Credentials(const saml::Iterator<ICredentials*>& creds) : m_creds(creds), m_mapper(NULL) {}
96 xmlsignature::CredentialResolver* lookup(const char* id);
99 Credentials(const Credentials&);
100 void operator=(const Credentials&);
101 ICredentials* m_mapper;
102 saml::Iterator<ICredentials*> m_creds;
105 class SHIB_EXPORTS AAP
108 AAP(const saml::Iterator<IAAP*>& aaps, const XMLCh* attrName, const XMLCh* attrNamespace=NULL);
109 AAP(const saml::Iterator<IAAP*>& aaps, const char* alias);
111 bool fail() const {return m_mapper==NULL;}
112 const IAttributeRule* operator->() const {return m_rule;}
113 operator const IAttributeRule*() const {return m_rule;}
116 const saml::Iterator<IAAP*>& aaps, saml::SAMLAssertion& assertion, const opensaml::saml2md::RoleDescriptor* role=NULL
121 void operator=(const AAP&);
123 const IAttributeRule* m_rule;
126 // Subclass around the OpenSAML browser profile interface,
127 // incoporates additional functionality using Shib-defined APIs.
128 class SHIB_EXPORTS ShibBrowserProfile : virtual public saml::SAMLBrowserProfile
131 struct SHIB_EXPORTS ITokenValidator {
132 virtual void validateToken(
133 saml::SAMLAssertion* token,
135 const opensaml::saml2md::RoleDescriptor* role=NULL,
136 const xmltooling::TrustEngine* trustEngine=NULL
138 virtual ~ITokenValidator() {}
142 const ITokenValidator* validator,
143 opensaml::saml2md::MetadataProvider* metadata=NULL,
144 xmltooling::TrustEngine* trust=NULL
146 virtual ~ShibBrowserProfile();
148 virtual saml::SAMLBrowserProfile::BrowserProfileResponse receive(
149 const char* samlResponse,
150 const XMLCh* recipient,
151 saml::IReplayCache* replayCache,
154 virtual saml::SAMLBrowserProfile::BrowserProfileResponse receive(
155 saml::Iterator<const char*> artifacts,
156 const XMLCh* recipient,
157 saml::SAMLBrowserProfile::ArtifactMapper* artifactMapper,
158 saml::IReplayCache* replayCache,
163 void postprocess(saml::SAMLBrowserProfile::BrowserProfileResponse& bpr, int minorVersion=1) const;
165 saml::SAMLBrowserProfile* m_profile;
166 opensaml::saml2md::MetadataProvider* m_metadata;
167 xmltooling::TrustEngine* m_trust;
168 const ITokenValidator* m_validator;
171 class SHIB_EXPORTS ShibConfig
175 virtual ~ShibConfig() {}
177 // global per-process setup and shutdown of Shibboleth runtime
181 // manages specific attribute name to factory mappings
182 void regAttributeMapping(const XMLCh* name, const IAttributeFactory* factory);
183 void unregAttributeMapping(const XMLCh* name);
184 void clearAttributeMappings();
186 // enables runtime and clients to access configuration
187 static ShibConfig& getConfig();
190 /* Helper classes for implementing reloadable XML-based config files
191 The ILockable interface will usually be inherited twice, once as
192 part of the external interface to clients and once as an implementation
193 detail of the reloading class below.
196 class SHIB_EXPORTS ReloadableXMLFileImpl
199 ReloadableXMLFileImpl(const char* pathname);
200 ReloadableXMLFileImpl(const DOMElement* pathname);
201 virtual ~ReloadableXMLFileImpl();
205 const DOMElement* m_root;
208 class SHIB_EXPORTS ReloadableXMLFile : protected virtual saml::ILockable
211 ReloadableXMLFile(const DOMElement* e);
212 ~ReloadableXMLFile() { delete m_lock; delete m_impl; }
215 virtual void unlock() { if (m_lock) m_lock->unlock(); }
217 ReloadableXMLFileImpl* getImplementation() const;
220 virtual ReloadableXMLFileImpl* newImplementation(const char* pathname, bool first=true) const=0;
221 virtual ReloadableXMLFileImpl* newImplementation(const DOMElement* e, bool first=true) const=0;
222 mutable ReloadableXMLFileImpl* m_impl;
225 const DOMElement* m_root;
226 std::string m_source;
228 xmltooling::RWLock* m_lock;