2 * The Shibboleth License, Version 1.
4 * University Corporation for Advanced Internet Development, Inc.
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions are met:
11 * Redistributions of source code must retain the above copyright notice, this
12 * list of conditions and the following disclaimer.
14 * Redistributions in binary form must reproduce the above copyright notice,
15 * this list of conditions and the following disclaimer in the documentation
16 * and/or other materials provided with the distribution, if any, must include
17 * the following acknowledgment: "This product includes software developed by
18 * the University Corporation for Advanced Internet Development
19 * <http://www.ucaid.edu>Internet2 Project. Alternately, this acknowledegement
20 * may appear in the software itself, if and wherever such third-party
21 * acknowledgments normally appear.
23 * Neither the name of Shibboleth nor the names of its contributors, nor
24 * Internet2, nor the University Corporation for Advanced Internet Development,
25 * Inc., nor UCAID may be used to endorse or promote products derived from this
26 * software without specific prior written permission. For written permission,
27 * please contact shibboleth@shibboleth.org
29 * Products derived from this software may not be called Shibboleth, Internet2,
30 * UCAID, or the University Corporation for Advanced Internet Development, nor
31 * may Shibboleth appear in their name, without prior written permission of the
32 * University Corporation for Advanced Internet Development.
35 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
36 * AND WITH ALL FAULTS. ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
37 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A
38 * PARTICULAR PURPOSE, AND NON-INFRINGEMENT ARE DISCLAIMED AND THE ENTIRE RISK
39 * OF SATISFACTORY QUALITY, PERFORMANCE, ACCURACY, AND EFFORT IS WITH LICENSEE.
40 * IN NO EVENT SHALL THE COPYRIGHT OWNER, CONTRIBUTORS OR THE UNIVERSITY
41 * CORPORATION FOR ADVANCED INTERNET DEVELOPMENT, INC. BE LIABLE FOR ANY DIRECT,
42 * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
43 * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
44 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
45 * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
46 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
47 * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
50 /* ArtifactMapper.cpp - a ShibTarget-aware SAML artifact->binding mapper
61 using namespace log4cpp;
63 using namespace shibboleth;
64 using namespace shibtarget;
66 SAMLResponse* STArtifactMapper::resolve(SAMLRequest* request)
68 Category& log=Category::getInstance("shibtarget.ArtifactMapper");
70 // First do a search for the issuer.
71 SAMLArtifact* artifact=request->getArtifacts().next();
72 Metadata m(m_app->getMetadataProviders());
73 const IEntityDescriptor* entity=m.lookup(artifact);
76 "metadata lookup failed, unable to determine issuer of artifact (0x%s)",
77 SAMLArtifact::toHex(artifact->getBytes()).c_str()
79 throw MetadataException("Metadata lookup failed, unable to determine artifact issuer");
82 auto_ptr_char issuer(entity->getId());
83 log.info("lookup succeeded, artifact issued by (%s)", issuer.get());
86 const IPropertySet* credUse=m_app->getCredentialUse(entity);
87 pair<bool,bool> signRequest=credUse ? credUse->getBool("signRequest") : make_pair(false,false);
88 pair<bool,bool> signedResponse=credUse ? credUse->getBool("signedResponse") : make_pair(false,false);
89 pair<bool,const char*> signingCred=credUse ? credUse->getString("Signing") : pair<bool,const char*>(false,NULL);
90 if (signRequest.first && signRequest.second && signingCred.first) {
91 Credentials creds(ShibTargetConfig::getConfig().getINI()->getCredentialsProviders());
92 const ICredResolver* cr=creds.lookup(signingCred.second);
94 request->sign(SIGNATURE_RSA,cr->getKey(),cr->getCertificates());
96 log.error("unable to sign artifact request, specified credential (%) was not found",signingCred.second);
99 SAMLResponse* response = NULL;
101 // Depends on type of artifact.
102 const SAMLArtifactType0001* type1=dynamic_cast<const SAMLArtifactType0001*>(artifact);
104 // With type 01, any endpoint will do.
105 const IIDPSSODescriptor* idp=entity->getIDPSSODescriptor(
106 request->getMinorVersion()==1 ? saml::XML::SAML11_PROTOCOL_ENUM : saml::XML::SAML10_PROTOCOL_ENUM
109 ShibHTTPHook::ShibHTTPHookCallContext callCtx(credUse ? credUse->getString("TLS").second : NULL,idp);
110 const IEndpointManager* mgr=idp->getArtifactResolutionServiceManager();
111 Iterator<const IEndpoint*> eps=mgr ? mgr->getEndpoints() : EMPTY(const IEndpoint*);
112 while (!response && eps.hasNext()) {
113 const IEndpoint* ep=eps.next();
114 const SAMLBinding* binding = m_app->getBinding(ep->getBinding());
116 auto_ptr_char loc(ep->getLocation());
117 log.debug("sending artifact request to %s",loc.get());
119 response = binding->send(ep->getLocation(),*request,&callCtx);
120 if (log.isDebugEnabled())
121 log.debugStream() << "SAML response from artifact request:\n" << *response << CategoryStream::ENDLINE;
123 if (!response->getAssertions().hasNext()) {
125 throw FatalProfileException("No SAML assertions returned in response to artifact profile request.");
128 catch (SAMLException& ex) {
129 annotateException(&ex,idp); // rethrows it
136 const SAMLArtifactType0002* type2=dynamic_cast<const SAMLArtifactType0002*>(artifact);
138 // With type 02, we have to find the matching location.
139 const IIDPSSODescriptor* idp=entity->getIDPSSODescriptor(
140 request->getMinorVersion()==1 ? saml::XML::SAML11_PROTOCOL_ENUM : saml::XML::SAML10_PROTOCOL_ENUM
143 ShibHTTPHook::ShibHTTPHookCallContext callCtx(credUse ? credUse->getString("TLS").second : NULL,idp);
144 const IEndpointManager* mgr=idp->getArtifactResolutionServiceManager();
145 Iterator<const IEndpoint*> eps=mgr ? mgr->getEndpoints() : EMPTY(const IEndpoint*);
146 while (eps.hasNext()) {
147 const IEndpoint* ep=eps.next();
148 auto_ptr_char loc(ep->getLocation());
149 if (!strcmp(loc.get(),type2->getSourceLocation())) {
150 const SAMLBinding* binding = m_app->getBinding(ep->getBinding());
152 log.debug("sending artifact request to %s", loc.get());
154 response = binding->send(ep->getLocation(),*request,&callCtx);
155 if (log.isDebugEnabled())
156 log.debugStream() << "SAML response from artifact request:\n" << *response << CategoryStream::ENDLINE;
158 if (!response->getAssertions().hasNext()) {
160 throw FatalProfileException("No SAML assertions returned in response to artifact profile request.");
163 catch (SAMLException& ex) {
164 annotateException(&ex,idp); // rethrows it
172 log.error("unrecognized artifact type (0x%s)", SAMLArtifact::toHex(artifact->getTypeCode()).c_str());
173 throw UnsupportedExtensionException(
174 string("Received unrecognized artifact type (0x") + SAMLArtifact::toHex(artifact->getTypeCode()) + ")"
180 log.error("unable to locate acceptable binding/endpoint to resolve artifact");
181 MetadataException ex("Unable to locate acceptable binding/endpoint to resolve artifact.");
182 annotateException(&ex,entity); // throws it
184 else if (signedResponse.first && signedResponse.second && !response->isSigned()) {
185 log.error("unsigned response obtained, but we were told it must be signed.");
186 TrustException ex("Unable to obtain a signed response from artifact request.");
187 annotateException(&ex,entity); // throws it
projects / shibboleth / sp.git / blob