2 * The Shibboleth License, Version 1.
4 * University Corporation for Advanced Internet Development, Inc.
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions are met:
11 * Redistributions of source code must retain the above copyright notice, this
12 * list of conditions and the following disclaimer.
14 * Redistributions in binary form must reproduce the above copyright notice,
15 * this list of conditions and the following disclaimer in the documentation
16 * and/or other materials provided with the distribution, if any, must include
17 * the following acknowledgment: "This product includes software developed by
18 * the University Corporation for Advanced Internet Development
19 * <http://www.ucaid.edu>Internet2 Project. Alternately, this acknowledegement
20 * may appear in the software itself, if and wherever such third-party
21 * acknowledgments normally appear.
23 * Neither the name of Shibboleth nor the names of its contributors, nor
24 * Internet2, nor the University Corporation for Advanced Internet Development,
25 * Inc., nor UCAID may be used to endorse or promote products derived from this
26 * software without specific prior written permission. For written permission,
27 * please contact shibboleth@shibboleth.org
29 * Products derived from this software may not be called Shibboleth, Internet2,
30 * UCAID, or the University Corporation for Advanced Internet Development, nor
31 * may Shibboleth appear in their name, without prior written permission of the
32 * University Corporation for Advanced Internet Development.
35 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
36 * AND WITH ALL FAULTS. ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
37 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A
38 * PARTICULAR PURPOSE, AND NON-INFRINGEMENT ARE DISCLAIMED AND THE ENTIRE RISK
39 * OF SATISFACTORY QUALITY, PERFORMANCE, ACCURACY, AND EFFORT IS WITH LICENSEE.
40 * IN NO EVENT SHALL THE COPYRIGHT OWNER, CONTRIBUTORS OR THE UNIVERSITY
41 * CORPORATION FOR ADVANCED INTERNET DEVELOPMENT, INC. BE LIABLE FOR ANY DIRECT,
42 * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
43 * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
44 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
45 * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
46 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
47 * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
51 /* shib.h - Shibboleth header file
62 #include <saml/saml.h>
66 # define SHIB_EXPORTS __declspec(dllimport)
75 extern SHIB_EXPORTS const unsigned short RTTI_UnsupportedProtocolException;
76 extern SHIB_EXPORTS const unsigned short RTTI_OriginSiteMapperException;
79 #define DECLARE_SHIB_EXCEPTION(name,base) \
80 class SHIB_EXPORTS name : public saml::base \
83 name(const char* msg) : saml::base(msg) {RTTI(name); m_typename=#name;} \
84 name(const std::string& msg) : saml::base(msg) {RTTI(name); m_typename=#name;} \
85 name(const saml::Iterator<saml::QName>& codes, const char* msg) : saml::base(codes,msg) {RTTI(name); m_typename=#name;} \
86 name(const saml::Iterator<saml::QName>& codes, const std::string& msg) : saml::base(codes, msg) {RTTI(name); m_typename=#name;} \
87 name(const saml::QName& code, const char* msg) : saml::base(code,msg) {RTTI(name); m_typename=#name;} \
88 name(const saml::QName& code, const std::string& msg) : saml::base(code, msg) {RTTI(name); m_typename=#name;} \
89 name(DOMElement* e) : saml::base(e) {RTTI(name); m_typename=#name;} \
90 name(std::istream& in) : saml::base(in) {RTTI(name); m_typename=#name;} \
91 virtual ~name() throw () {} \
94 DECLARE_SHIB_EXCEPTION(UnsupportedProtocolException,SAMLException);
95 DECLARE_SHIB_EXCEPTION(OriginSiteMapperException,SAMLException);
97 struct SHIB_EXPORTS IContactInfo
99 enum ContactType { technical, administrative, billing, other };
100 virtual ContactType getType() const=0;
101 virtual const char* getName() const=0;
102 virtual const char* getEmail() const=0;
103 virtual ~IContactInfo()=0;
106 #ifdef SHIB_INSTANTIATE
108 const unsigned short RTTI_UnsupportedProtocolException= RTTI_EXTENSION_BASE;
109 const unsigned short RTTI_OriginSiteMapperException= RTTI_EXTENSION_BASE+1;
111 template class SHIB_EXPORTS saml::Iterator<std::pair<saml::xstring,bool> >;
112 template class SHIB_EXPORTS saml::ArrayIterator<std::pair<saml::xstring,bool> >;
113 template class SHIB_EXPORTS saml::Iterator<const IContactInfo*>;
114 template class SHIB_EXPORTS saml::ArrayIterator<const IContactInfo*>;
117 struct SHIB_EXPORTS IOriginSiteMapper
119 virtual saml::Iterator<const IContactInfo*> getContacts(const XMLCh* originSite) const=0;
120 virtual const char* getErrorURL(const XMLCh* originSite) const=0;
121 virtual saml::Iterator<saml::xstring> getHandleServiceNames(const XMLCh* originSite) const=0;
122 virtual XSECCryptoX509* getHandleServiceCert(const XMLCh* handleService) const=0;
123 virtual saml::Iterator<std::pair<saml::xstring,bool> > getSecurityDomains(const XMLCh* originSite) const=0;
124 virtual time_t getTimestamp() const=0;
125 virtual ~IOriginSiteMapper()=0;
128 class SHIB_EXPORTS OriginSiteMapper : public IOriginSiteMapper
133 virtual saml::Iterator<const IContactInfo*> getContacts(const XMLCh* originSite) const;
134 virtual const char* getErrorURL(const XMLCh* originSite) const;
135 virtual saml::Iterator<saml::xstring> getHandleServiceNames(const XMLCh* originSite) const;
136 virtual XSECCryptoX509* getHandleServiceCert(const XMLCh* handleService) const;
137 virtual saml::Iterator<std::pair<saml::xstring,bool> > getSecurityDomains(const XMLCh* originSite) const;
138 virtual time_t getTimestamp() const;
141 OriginSiteMapper(const OriginSiteMapper&);
142 void operator=(const OriginSiteMapper&);
143 IOriginSiteMapper* m_mapper;
146 class SHIB_EXPORTS SimpleAttribute : public saml::SAMLAttribute
149 SimpleAttribute(const XMLCh* name, const XMLCh* ns, long lifetime=0,
150 const saml::Iterator<const XMLCh*>& values=saml::Iterator<const XMLCh*>());
151 SimpleAttribute(DOMElement* e);
152 virtual saml::SAMLObject* clone() const;
153 virtual ~SimpleAttribute();
156 virtual bool accept(DOMElement* e) const;
158 saml::xstring m_originSite;
161 class SHIB_EXPORTS ScopedAttribute : public SimpleAttribute
164 ScopedAttribute(const XMLCh* name, const XMLCh* ns, long lifetime=0,
165 const saml::Iterator<const XMLCh*>& scopes=saml::Iterator<const XMLCh*>(),
166 const saml::Iterator<const XMLCh*>& values=saml::Iterator<const XMLCh*>());
167 ScopedAttribute(DOMElement* e);
168 virtual ~ScopedAttribute();
170 virtual DOMNode* toDOM(DOMDocument* doc=NULL, bool xmlns=true) const;
171 virtual saml::SAMLObject* clone() const;
173 virtual saml::Iterator<saml::xstring> getValues() const;
174 virtual saml::Iterator<std::string> getSingleByteValues() const;
176 static const XMLCh Scope[];
179 virtual bool accept(DOMElement* e) const;
180 virtual bool addValue(DOMElement* e);
182 std::vector<saml::xstring> m_scopes;
183 mutable std::vector<saml::xstring> m_scopedValues;
186 class SHIB_EXPORTS ShibPOSTProfile
189 ShibPOSTProfile(const saml::Iterator<const XMLCh*>& policies, const XMLCh* receiver, int ttlSeconds);
190 ShibPOSTProfile(const saml::Iterator<const XMLCh*>& policies, const XMLCh* issuer);
191 virtual ~ShibPOSTProfile();
193 virtual saml::SAMLAssertion* getSSOAssertion(const saml::SAMLResponse& r);
194 virtual saml::SAMLAuthenticationStatement* getSSOStatement(const saml::SAMLAssertion& a);
195 virtual saml::SAMLResponse* accept(const XMLByte* buf, XMLCh** originSitePtr=NULL);
196 virtual saml::SAMLResponse* prepare(
197 const XMLCh* recipient,
199 const XMLCh* nameQualifier,
200 const XMLCh* subjectIP,
201 const XMLCh* authMethod,
203 const saml::Iterator<saml::SAMLAuthorityBinding*>& bindings,
204 XSECCryptoKey* responseKey,
205 const saml::Iterator<XSECCryptoX509*>& responseCerts=saml::Iterator<XSECCryptoX509*>(),
206 XSECCryptoKey* assertionKey=NULL,
207 const saml::Iterator<XSECCryptoX509*>& assertionCerts=saml::Iterator<XSECCryptoX509*>()
209 virtual bool checkReplayCache(const saml::SAMLAssertion& a);
211 virtual const XMLCh* getOriginSite(const saml::SAMLResponse& r);
214 virtual void verifySignature(const saml::SAMLSignedObject& obj, const XMLCh* signerName, XSECCryptoKey* knownKey);
216 signatureMethod m_algorithm;
217 std::vector<const XMLCh*> m_policies;
223 ShibPOSTProfile(const ShibPOSTProfile&) {}
224 ShibPOSTProfile& operator=(const ShibPOSTProfile&) {return *this;}
227 class SHIB_EXPORTS ClubShibPOSTProfile : public ShibPOSTProfile
230 ClubShibPOSTProfile(const saml::Iterator<const XMLCh*>& policies, const XMLCh* receiver, int ttlSeconds);
231 ClubShibPOSTProfile(const saml::Iterator<const XMLCh*>& policies, const XMLCh* issuer);
232 virtual ~ClubShibPOSTProfile();
234 virtual saml::SAMLResponse* prepare(
235 const XMLCh* recipient,
237 const XMLCh* nameQualifier,
238 const XMLCh* subjectIP,
239 const XMLCh* authMethod,
241 const saml::Iterator<saml::SAMLAuthorityBinding*>& bindings,
242 XSECCryptoKey* responseKey,
243 const saml::Iterator<XSECCryptoX509*>& responseCerts=saml::Iterator<XSECCryptoX509*>(),
244 XSECCryptoKey* assertionKey=NULL,
245 const saml::Iterator<XSECCryptoX509*>& assertionCerts=saml::Iterator<XSECCryptoX509*>()
249 virtual void verifySignature(const saml::SAMLSignedObject& obj, const XMLCh* signerName, XSECCryptoKey* knownKey);
252 class SHIB_EXPORTS ShibPOSTProfileFactory
255 static ShibPOSTProfile* getInstance(const saml::Iterator<const XMLCh*>& policies, const XMLCh* receiver, int ttlSeconds);
256 static ShibPOSTProfile* getInstance(const saml::Iterator<const XMLCh*>& policies, const XMLCh* issuer);
259 class SHIB_EXPORTS ShibConfig
263 virtual ~ShibConfig();
265 // global per-process setup and shutdown of Shibboleth runtime
266 virtual bool init()=0;
267 virtual void term()=0;
269 // enables runtime and clients to access configuration
270 static ShibConfig& getConfig();
272 virtual IOriginSiteMapper* getMapper()=0;
273 virtual void releaseMapper(IOriginSiteMapper* mapper)=0;
275 /* start of external configuration */
277 std::string mapperFile;
278 /* end of external configuration */
281 struct SHIB_EXPORTS Constants
283 static const XMLCh POLICY_INCOMMON[];
284 static const XMLCh SHIB_ATTRIBUTE_NAMESPACE_URI[];
285 static const XMLCh SHIB_NAMEID_FORMAT_URI[];
286 static saml::QName SHIB_ATTRIBUTE_VALUE_TYPE;
289 class SHIB_EXPORTS XML
293 static const XMLCh SHIB_NS[];
294 static const XMLCh SHIB_SCHEMA_ID[];
296 struct SHIB_EXPORTS Literals
298 // Shibboleth vocabulary
299 static const XMLCh AttributeValueType[];
301 static const XMLCh Contact[];
302 static const XMLCh Domain[];
303 static const XMLCh Email[];
304 static const XMLCh ErrorURL[];
305 static const XMLCh HandleService[];
306 static const XMLCh InvalidHandle[];
307 static const XMLCh Name[];
308 static const XMLCh OriginSite[];
309 static const XMLCh Sites[];
311 static const XMLCh AnySite[];
312 static const XMLCh AttributeAcceptancePolicy[];
313 static const XMLCh AttributeRule[];
314 static const XMLCh SiteRule[];
315 static const XMLCh Type[];
316 static const XMLCh Value[];
318 static const XMLCh literal[];
319 static const XMLCh regexp[];
320 static const XMLCh xpath[];
322 static const XMLCh technical[];
323 static const XMLCh administrative[];
324 static const XMLCh billing[];
325 static const XMLCh other[];
328 static const XMLCh xmlns_shib[];
333 class SHIB_EXPORTS SAMLBindingFactory
336 static saml::SAMLBinding* getInstance(const XMLCh* protocol=saml::SAMLBinding::SAML_SOAP_HTTPS);