shibsp/binding/impl/ArtifactResolver.cpp

   1 /**
   2  * Licensed to the University Corporation for Advanced Internet
   3  * Development, Inc. (UCAID) under one or more contributor license
   4  * agreements. See the NOTICE file distributed with this work for
   5  * additional information regarding copyright ownership.
   6  *
   7  * UCAID licenses this file to you under the Apache License,
   8  * Version 2.0 (the "License"); you may not use this file except
   9  * in compliance with the License. You may obtain a copy of the
  10  * License at
  11  *
  12  * http://www.apache.org/licenses/LICENSE-2.0
  13  *
  14  * Unless required by applicable law or agreed to in writing,
  15  * software distributed under the License is distributed on an
  16  * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND,
  17  * either express or implied. See the License for the specific
  18  * language governing permissions and limitations under the License.
  19  */
  20
  21 /**
  22  * ArtifactResolver.cpp
  23  *
  24  * SAML artifact resolver for SP use.
  25  */
  26
  27 #include "internal.h"
  28 #include "Application.h"
  29 #include "binding/ArtifactResolver.h"
  30 #include "binding/SOAPClient.h"
  31 #include "security/SecurityPolicy.h"
  32
  33 #include <saml/exceptions.h>
  34 #include <saml/saml1/core/Protocols.h>
  35 #include <saml/saml1/binding/SAML1SOAPClient.h>
  36 #include <saml/saml2/core/Protocols.h>
  37 #include <saml/saml2/binding/SAML2Artifact.h>
  38 #include <saml/saml2/binding/SAML2SOAPClient.h>
  39 #include <saml/saml2/metadata/Metadata.h>
  40 #include <saml/saml2/metadata/MetadataCredentialCriteria.h>
  41 #include <saml/util/SAMLConstants.h>
  42
  43 using namespace shibsp;
  44 using namespace opensaml::saml1p;
  45 using namespace opensaml::saml2;
  46 using namespace opensaml::saml2p;
  47 using namespace opensaml::saml2md;
  48 using namespace opensaml;
  49 using namespace xmltooling;
  50 using namespace std;
  51
  52 ArtifactResolver::ArtifactResolver()
  53 {
  54 }
  55
  56 ArtifactResolver::~ArtifactResolver()
  57 {
  58 }
  59
  60 saml1p::Response* ArtifactResolver::resolve(
  61     const vector<SAMLArtifact*>& artifacts,
  62     const IDPSSODescriptor& idpDescriptor,
  63     opensaml::SecurityPolicy& policy
  64     ) const
  65 {
  66     MetadataCredentialCriteria mcc(idpDescriptor);
  67     shibsp::SecurityPolicy& sppolicy = dynamic_cast<shibsp::SecurityPolicy&>(policy);
  68     shibsp::SOAPClient soaper(sppolicy);
  69
  70     bool foundEndpoint = false;
  71     auto_ptr_XMLCh binding(samlconstants::SAML1_BINDING_SOAP);
  72     saml1p::Response* response=nullptr;
  73     const vector<ArtifactResolutionService*>& endpoints=idpDescriptor.getArtifactResolutionServices();
  74     for (vector<ArtifactResolutionService*>::const_iterator ep=endpoints.begin(); !response && ep!=endpoints.end(); ++ep) {
  75         try {
  76             if (!XMLString::equals((*ep)->getBinding(),binding.get()))
  77                 continue;
  78             foundEndpoint = true;
  79             auto_ptr_char loc((*ep)->getLocation());
  80             saml1p::Request* request = saml1p::RequestBuilder::buildRequest();
  81             request->setMinorVersion(idpDescriptor.hasSupport(samlconstants::SAML11_PROTOCOL_ENUM) ? 1 : 0);
  82             for (vector<SAMLArtifact*>::const_iterator a = artifacts.begin(); a!=artifacts.end(); ++a) {
  83                 auto_ptr_XMLCh artbuf((*a)->encode().c_str());
  84                 AssertionArtifact* aa = AssertionArtifactBuilder::buildAssertionArtifact();
  85                 aa->setArtifact(artbuf.get());
  86                 request->getAssertionArtifacts().push_back(aa);
  87             }
  88
  89             SAML1SOAPClient client(soaper, false);
  90             client.sendSAML(request, sppolicy.getApplication().getId(), mcc, loc.get());
  91             response = client.receiveSAML();
  92         }
  93         catch (exception& ex) {
  94             Category::getInstance(SHIBSP_LOGCAT".ArtifactResolver").error("exception resolving SAML 1.x artifact(s): %s", ex.what());
  95             soaper.reset();
  96         }
  97     }
  98
  99     if (!foundEndpoint)
 100         throw MetadataException("No compatible endpoint found in issuer's metadata.");
 101     else if (!response)
 102         throw BindingException("Unable to resolve artifact(s) into a SAML response.");
 103     const xmltooling::QName* code = (response->getStatus() && response->getStatus()->getStatusCode()) ? response->getStatus()->getStatusCode()->getValue() : nullptr;
 104     if (!code || *code != saml1p::StatusCode::SUCCESS) {
 105         delete response;
 106         throw BindingException("Identity provider returned a SAML error in response to artifact(s).");
 107     }
 108
 109     // The SOAP client handles policy evaluation against the SOAP and Response layer,
 110     // but no security checking is done here.
 111     return response;
 112 }
 113
 114 ArtifactResponse* ArtifactResolver::resolve(
 115     const SAML2Artifact& artifact,
 116     const SSODescriptorType& ssoDescriptor,
 117     opensaml::SecurityPolicy& policy
 118     ) const
 119 {
 120     MetadataCredentialCriteria mcc(ssoDescriptor);
 121     shibsp::SecurityPolicy& sppolicy = dynamic_cast<shibsp::SecurityPolicy&>(policy);
 122     shibsp::SOAPClient soaper(sppolicy);
 123
 124     bool foundEndpoint = false;
 125     auto_ptr_XMLCh binding(samlconstants::SAML20_BINDING_SOAP);
 126     ArtifactResponse* response=nullptr;
 127     const vector<ArtifactResolutionService*>& endpoints=ssoDescriptor.getArtifactResolutionServices();
 128     for (vector<ArtifactResolutionService*>::const_iterator ep=endpoints.begin(); !response && ep!=endpoints.end(); ++ep) {
 129         try {
 130             if (!XMLString::equals((*ep)->getBinding(),binding.get()))
 131                 continue;
 132             foundEndpoint = true;
 133             auto_ptr_char loc((*ep)->getLocation());
 134             ArtifactResolve* request = ArtifactResolveBuilder::buildArtifactResolve();
 135             Issuer* iss = IssuerBuilder::buildIssuer();
 136             request->setIssuer(iss);
 137             iss->setName(sppolicy.getApplication().getRelyingParty(dynamic_cast<EntityDescriptor*>(ssoDescriptor.getParent()))->getXMLString("entityID").second);
 138             auto_ptr_XMLCh artbuf(artifact.encode().c_str());
 139             Artifact* a = ArtifactBuilder::buildArtifact();
 140             a->setArtifact(artbuf.get());
 141             request->setArtifact(a);
 142
 143             SAML2SOAPClient client(soaper, false);
 144             client.sendSAML(request, sppolicy.getApplication().getId(), mcc, loc.get());
 145             StatusResponseType* srt = client.receiveSAML();
 146             if (!(response = dynamic_cast<ArtifactResponse*>(srt))) {
 147                 delete srt;
 148                 break;
 149             }
 150         }
 151         catch (exception& ex) {
 152             Category::getInstance(SHIBSP_LOGCAT".ArtifactResolver").error("exception resolving SAML 2.0 artifact: %s", ex.what());
 153             soaper.reset();
 154         }
 155     }
 156
 157     if (!foundEndpoint)
 158         throw MetadataException("No compatible endpoint found in issuer's metadata.");
 159     else if (!response)
 160         throw BindingException("Unable to resolve artifact(s) into a SAML response.");
 161     else if (!response->getStatus() || !response->getStatus()->getStatusCode() ||
 162            !XMLString::equals(response->getStatus()->getStatusCode()->getValue(), saml2p::StatusCode::SUCCESS)) {
 163         auto_ptr<ArtifactResponse> wrapper(response);
 164         BindingException ex("Identity provider returned a SAML error in response to artifact.");
 165         annotateException(&ex, &ssoDescriptor, response->getStatus());  // rethrow
 166     }
 167
 168     // The SOAP client handles policy evaluation against the SOAP and Response layer,
 169     // but no security checking is done here.
 170     return response;
 171 }