2 * The Shibboleth License, Version 1.
4 * University Corporation for Advanced Internet Development, Inc.
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions are met:
11 * Redistributions of source code must retain the above copyright notice, this
12 * list of conditions and the following disclaimer.
14 * Redistributions in binary form must reproduce the above copyright notice,
15 * this list of conditions and the following disclaimer in the documentation
16 * and/or other materials provided with the distribution, if any, must include
17 * the following acknowledgment: "This product includes software developed by
18 * the University Corporation for Advanced Internet Development
19 * <http://www.ucaid.edu>Internet2 Project. Alternately, this acknowledegement
20 * may appear in the software itself, if and wherever such third-party
21 * acknowledgments normally appear.
23 * Neither the name of Shibboleth nor the names of its contributors, nor
24 * Internet2, nor the University Corporation for Advanced Internet Development,
25 * Inc., nor UCAID may be used to endorse or promote products derived from this
26 * software without specific prior written permission. For written permission,
27 * please contact shibboleth@shibboleth.org
29 * Products derived from this software may not be called Shibboleth, Internet2,
30 * UCAID, or the University Corporation for Advanced Internet Development, nor
31 * may Shibboleth appear in their name, without prior written permission of the
32 * University Corporation for Advanced Internet Development.
35 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
36 * AND WITH ALL FAULTS. ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
37 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A
38 * PARTICULAR PURPOSE, AND NON-INFRINGEMENT ARE DISCLAIMED AND THE ENTIRE RISK
39 * OF SATISFACTORY QUALITY, PERFORMANCE, ACCURACY, AND EFFORT IS WITH LICENSEE.
40 * IN NO EVENT SHALL THE COPYRIGHT OWNER, CONTRIBUTORS OR THE UNIVERSITY
41 * CORPORATION FOR ADVANCED INTERNET DEVELOPMENT, INC. BE LIABLE FOR ANY DIRECT,
42 * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
43 * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
44 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
45 * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
46 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
47 * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
51 /* shib.h - Shibboleth header file
62 #include <saml/saml.h>
63 #include <openssl/x509.h>
67 # define SHIB_EXPORTS __declspec(dllimport)
76 extern SHIB_EXPORTS const unsigned short RTTI_UnsupportedProtocolException;
77 extern SHIB_EXPORTS const unsigned short RTTI_OriginSiteMapperException;
80 #define DECLARE_SHIB_EXCEPTION(name,base) \
81 class SHIB_EXPORTS name : public saml::base \
84 name(const char* msg) : saml::base(msg) {RTTI(name); m_typename=#name;} \
85 name(const std::string& msg) : saml::base(msg) {RTTI(name); m_typename=#name;} \
86 name(const saml::Iterator<saml::QName>& codes, const char* msg) : saml::base(codes,msg) {RTTI(name); m_typename=#name;} \
87 name(const saml::Iterator<saml::QName>& codes, const std::string& msg) : saml::base(codes, msg) {RTTI(name); m_typename=#name;} \
88 name(const saml::QName& code, const char* msg) : saml::base(code,msg) {RTTI(name); m_typename=#name;} \
89 name(const saml::QName& code, const std::string& msg) : saml::base(code, msg) {RTTI(name); m_typename=#name;} \
90 name(DOMElement* e) : saml::base(e) {RTTI(name); m_typename=#name;} \
91 name(std::istream& in) : saml::base(in) {RTTI(name); m_typename=#name;} \
92 virtual ~name() throw () {} \
95 DECLARE_SHIB_EXCEPTION(UnsupportedProtocolException,SAMLException);
96 DECLARE_SHIB_EXCEPTION(MetadataException,SAMLException);
98 // Metadata abstract interfaces
100 struct SHIB_EXPORTS IContactInfo
102 enum ContactType { technical, administrative, billing, other };
103 virtual ContactType getType() const=0;
104 virtual const char* getName() const=0;
105 virtual const char* getEmail() const=0;
106 virtual ~IContactInfo() {}
109 struct SHIB_EXPORTS ISite
111 virtual const XMLCh* getName() const=0;
112 virtual saml::Iterator<const XMLCh*> getGroups() const=0;
113 virtual saml::Iterator<const IContactInfo*> getContacts() const=0;
114 virtual const char* getErrorURL() const=0;
115 virtual bool validate(saml::Iterator<XSECCryptoX509*> certs) const=0;
116 virtual bool validate(saml::Iterator<const XMLCh*> certs) const=0;
120 struct SHIB_EXPORTS IAuthority
122 virtual const XMLCh* getName() const=0;
123 virtual const char* getURL() const=0;
124 virtual ~IAuthority() {}
127 struct SHIB_EXPORTS IOriginSite : public ISite
129 virtual saml::Iterator<const IAuthority*> getHandleServices() const=0;
130 virtual saml::Iterator<const IAuthority*> getAttributeAuthorities() const=0;
131 virtual saml::Iterator<std::pair<const XMLCh*,bool> > getSecurityDomains() const=0;
132 virtual ~IOriginSite() {}
135 struct SHIB_EXPORTS IMetadata
137 virtual void lock()=0;
138 virtual void unlock()=0;
139 virtual const ISite* lookup(const XMLCh* site) const=0;
140 virtual ~IMetadata() {}
143 struct SHIB_EXPORTS ITrust
145 virtual void lock()=0;
146 virtual void unlock()=0;
147 virtual saml::Iterator<XSECCryptoX509*> getCertificates(const XMLCh* subject) const=0;
148 virtual bool validate(const ISite* site, saml::Iterator<XSECCryptoX509*> certs) const=0;
149 virtual bool validate(const ISite* site, saml::Iterator<const XMLCh*> certs) const=0;
153 #ifdef SHIB_INSTANTIATE
155 const unsigned short RTTI_UnsupportedProtocolException= RTTI_EXTENSION_BASE;
156 const unsigned short RTTI_MetadataException= RTTI_EXTENSION_BASE+1;
158 template class SHIB_EXPORTS saml::Iterator<std::pair<saml::xstring,bool> >;
159 template class SHIB_EXPORTS saml::ArrayIterator<std::pair<saml::xstring,bool> >;
160 template class SHIB_EXPORTS saml::Iterator<const IContactInfo*>;
161 template class SHIB_EXPORTS saml::ArrayIterator<const IContactInfo*>;
162 template class SHIB_EXPORTS saml::Iterator<const IAuthority*>;
163 template class SHIB_EXPORTS saml::ArrayIterator<const IAuthority*>;
166 class SHIB_EXPORTS SimpleAttribute : public saml::SAMLAttribute
169 SimpleAttribute(const XMLCh* name, const XMLCh* ns, long lifetime=0,
170 const saml::Iterator<const XMLCh*>& values=saml::Iterator<const XMLCh*>());
171 SimpleAttribute(DOMElement* e);
172 virtual saml::SAMLObject* clone() const;
173 virtual ~SimpleAttribute();
176 virtual bool accept(DOMElement* e) const;
178 saml::xstring m_originSite;
181 class SHIB_EXPORTS ScopedAttribute : public SimpleAttribute
184 ScopedAttribute(const XMLCh* name, const XMLCh* ns, long lifetime=0,
185 const saml::Iterator<const XMLCh*>& scopes=saml::Iterator<const XMLCh*>(),
186 const saml::Iterator<const XMLCh*>& values=saml::Iterator<const XMLCh*>());
187 ScopedAttribute(DOMElement* e);
188 virtual ~ScopedAttribute();
190 virtual DOMNode* toDOM(DOMDocument* doc=NULL, bool xmlns=true) const;
191 virtual saml::SAMLObject* clone() const;
193 virtual saml::Iterator<saml::xstring> getValues() const;
194 virtual saml::Iterator<std::string> getSingleByteValues() const;
196 static const XMLCh Scope[];
199 virtual bool accept(DOMElement* e) const;
200 virtual bool addValue(DOMElement* e);
202 std::vector<saml::xstring> m_scopes;
203 mutable std::vector<saml::xstring> m_scopedValues;
206 class SHIB_EXPORTS ShibPOSTProfile
209 ShibPOSTProfile(const saml::Iterator<const XMLCh*>& policies, const XMLCh* receiver, int ttlSeconds);
210 ShibPOSTProfile(const saml::Iterator<const XMLCh*>& policies, const XMLCh* issuer);
211 virtual ~ShibPOSTProfile();
213 virtual saml::SAMLAssertion* getSSOAssertion(const saml::SAMLResponse& r);
214 virtual saml::SAMLAuthenticationStatement* getSSOStatement(const saml::SAMLAssertion& a);
215 virtual saml::SAMLResponse* accept(const XMLByte* buf, XMLCh** originSitePtr=NULL);
216 virtual saml::SAMLResponse* prepare(
217 const XMLCh* recipient,
219 const XMLCh* nameQualifier,
220 const XMLCh* subjectIP,
221 const XMLCh* authMethod,
223 const saml::Iterator<saml::SAMLAuthorityBinding*>& bindings,
224 XSECCryptoKey* responseKey,
225 const saml::Iterator<XSECCryptoX509*>& responseCerts=saml::Iterator<XSECCryptoX509*>(),
226 XSECCryptoKey* assertionKey=NULL,
227 const saml::Iterator<XSECCryptoX509*>& assertionCerts=saml::Iterator<XSECCryptoX509*>()
229 virtual bool checkReplayCache(const saml::SAMLAssertion& a);
231 virtual const XMLCh* getOriginSite(const saml::SAMLResponse& r);
234 virtual void verifySignature(
235 const saml::SAMLSignedObject& obj,
236 const IOriginSite* originSite,
237 const XMLCh* signerName,
238 XSECCryptoKey* knownKey=NULL);
240 signatureMethod m_algorithm;
241 std::vector<const XMLCh*> m_policies;
247 ShibPOSTProfile(const ShibPOSTProfile&) {}
248 ShibPOSTProfile& operator=(const ShibPOSTProfile&) {return *this;}
251 class SHIB_EXPORTS ClubShibPOSTProfile : public ShibPOSTProfile
254 ClubShibPOSTProfile(const saml::Iterator<const XMLCh*>& policies, const XMLCh* receiver, int ttlSeconds);
255 ClubShibPOSTProfile(const saml::Iterator<const XMLCh*>& policies, const XMLCh* issuer);
256 virtual ~ClubShibPOSTProfile();
258 virtual saml::SAMLResponse* prepare(
259 const XMLCh* recipient,
261 const XMLCh* nameQualifier,
262 const XMLCh* subjectIP,
263 const XMLCh* authMethod,
265 const saml::Iterator<saml::SAMLAuthorityBinding*>& bindings,
266 XSECCryptoKey* responseKey,
267 const saml::Iterator<XSECCryptoX509*>& responseCerts=saml::Iterator<XSECCryptoX509*>(),
268 XSECCryptoKey* assertionKey=NULL,
269 const saml::Iterator<XSECCryptoX509*>& assertionCerts=saml::Iterator<XSECCryptoX509*>()
273 virtual void verifySignature(
274 const saml::SAMLSignedObject& obj,
275 const IOriginSite* originSite,
276 const XMLCh* signerName,
277 XSECCryptoKey* knownKey=NULL);
280 class SHIB_EXPORTS ShibPOSTProfileFactory
283 static ShibPOSTProfile* getInstance(const saml::Iterator<const XMLCh*>& policies, const XMLCh* receiver, int ttlSeconds);
284 static ShibPOSTProfile* getInstance(const saml::Iterator<const XMLCh*>& policies, const XMLCh* issuer);
287 // Glue classes between abstract metadata and concrete providers
289 class SHIB_EXPORTS OriginMetadata
292 OriginMetadata(const XMLCh* site);
294 bool fail() const {return m_mapper==NULL;}
295 const IOriginSite* operator->() const {return m_site;}
296 operator const IOriginSite*() const {return m_site;}
299 OriginMetadata(const OriginMetadata&);
300 void operator=(const OriginMetadata&);
302 const IOriginSite* m_site;
305 class SHIB_EXPORTS Trust
308 Trust() : m_mapper(NULL) {}
310 saml::Iterator<XSECCryptoX509*> getCertificates(const XMLCh* subject);
311 bool validate(const ISite* site, saml::Iterator<XSECCryptoX509*> certs) const;
312 bool validate(const ISite* site, saml::Iterator<const XMLCh*> certs) const;
316 void operator=(const Trust&);
320 extern "C" { typedef IMetadata* MetadataFactory(const char* source); }
321 extern "C" { typedef ITrust* TrustFactory(const char* source); }
323 class SHIB_EXPORTS ShibConfig
327 virtual ~ShibConfig();
329 // global per-process setup and shutdown of Shibboleth runtime
330 virtual bool init()=0;
331 virtual void term()=0;
333 // enables runtime and clients to access configuration
334 static ShibConfig& getConfig();
336 // allows pluggable implementations of metadata
337 virtual void regFactory(const char* type, MetadataFactory* factory)=0;
338 virtual void regFactory(const char* type, TrustFactory* factory)=0;
339 virtual void unregFactory(const char* type)=0;
341 // builds a specific metadata lookup object
342 virtual bool addMetadata(const char* type, const char* source)=0;
344 /* start of external configuration */
346 /* end of external configuration */
349 struct SHIB_EXPORTS Constants
351 static const XMLCh POLICY_INCOMMON[];
352 static const XMLCh SHIB_ATTRIBUTE_NAMESPACE_URI[];
353 static const XMLCh SHIB_NAMEID_FORMAT_URI[];
354 static saml::QName SHIB_ATTRIBUTE_VALUE_TYPE;
357 class SHIB_EXPORTS XML
361 static const XMLCh SHIB_NS[];
362 static const XMLCh SHIB_SCHEMA_ID[];
364 struct SHIB_EXPORTS Literals
366 // Shibboleth vocabulary
367 static const XMLCh AttributeValueType[];
369 static const XMLCh AttributeAuthority[];
370 static const XMLCh Contact[];
371 static const XMLCh Domain[];
372 static const XMLCh Email[];
373 static const XMLCh ErrorURL[];
374 static const XMLCh HandleService[];
375 static const XMLCh InvalidHandle[];
376 static const XMLCh Location[];
377 static const XMLCh Name[];
378 static const XMLCh OriginSite[];
379 static const XMLCh SiteGroup[];
381 static const XMLCh KeyAuthority[];
382 static const XMLCh Trust[];
384 static const XMLCh AnySite[];
385 static const XMLCh AnyValue[];
386 static const XMLCh AttributeAcceptancePolicy[];
387 static const XMLCh AttributeRule[];
388 static const XMLCh SiteRule[];
389 static const XMLCh Type[];
390 static const XMLCh Value[];
392 static const XMLCh literal[];
393 static const XMLCh regexp[];
394 static const XMLCh xpath[];
396 static const XMLCh technical[];
397 static const XMLCh administrative[];
398 static const XMLCh billing[];
399 static const XMLCh other[];
402 static const XMLCh xmlns_shib[];
407 class SHIB_EXPORTS SAMLBindingFactory
410 static saml::SAMLBinding* getInstance(const XMLCh* protocol=saml::SAMLBinding::SAML_SOAP_HTTPS);
415 // Log errors from OpenSSL error queue.
418 // build an OpenSSL cert out of a base-64 encoded DER buffer (XML style)
419 X509* B64_to_X509(const char* buf);