2 * Licensed to the University Corporation for Advanced Internet
3 * Development, Inc. (UCAID) under one or more contributor license
4 * agreements. See the NOTICE file distributed with this work for
5 * additional information regarding copyright ownership.
7 * UCAID licenses this file to you under the Apache License,
8 * Version 2.0 (the "License"); you may not use this file except
9 * in compliance with the License. You may obtain a copy of the
12 * http://www.apache.org/licenses/LICENSE-2.0
14 * Unless required by applicable law or agreed to in writing,
15 * software distributed under the License is distributed on an
16 * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND,
17 * either express or implied. See the License for the specific
18 * language governing permissions and limitations under the License.
24 * Specialized SOAPClient for SP environment.
28 #include "Application.h"
29 #include "ServiceProvider.h"
30 #include "binding/SOAPClient.h"
31 #include "security/SecurityPolicy.h"
33 #include <saml/exceptions.h>
34 #include <saml/saml2/metadata/Metadata.h>
35 #include <saml/saml2/metadata/MetadataCredentialCriteria.h>
36 #include <saml/signature/ContentReference.h>
37 #include <xmltooling/security/Credential.h>
38 #include <xmltooling/signature/Signature.h>
39 #include <xmltooling/soap/SOAP.h>
40 #include <xmltooling/soap/HTTPSOAPTransport.h>
41 #include <xmltooling/util/NDC.h>
43 using namespace shibsp;
44 using namespace opensaml::saml2md;
45 using namespace xmlsignature;
46 using namespace xmltooling;
49 SOAPClient::SOAPClient(SecurityPolicy& policy)
50 : opensaml::SOAPClient(policy), m_app(policy.getApplication()), m_relyingParty(nullptr), m_credResolver(nullptr)
54 SOAPClient::~SOAPClient()
57 m_credResolver->unlock();
60 void SOAPClient::send(const soap11::Envelope& env, const char* from, MetadataCredentialCriteria& to, const char* endpoint)
62 // Check for message signing requirements.
63 m_relyingParty = m_app.getRelyingParty(dynamic_cast<const EntityDescriptor*>(to.getRole().getParent()));
64 pair<bool, const char*> signing = m_relyingParty->getString("signing");
65 if (SPConfig::shouldSignOrEncrypt(signing.first ? signing.second : "conditional", endpoint, false)) {
66 m_credResolver=m_app.getCredentialResolver();
68 m_credResolver->lock();
69 const Credential* cred = nullptr;
71 // Fill in criteria to use.
72 to.setUsage(Credential::SIGNING_CREDENTIAL);
73 pair<bool,const char*> keyName = m_relyingParty->getString("keyName");
75 to.getKeyNames().insert(keyName.second);
77 // Check for an explicit algorithm, in which case resolve a credential directly.
78 pair<bool,const XMLCh*> sigalg = m_relyingParty->getXMLString("signingAlg");
80 to.setXMLAlgorithm(sigalg.second);
81 cred = m_credResolver->resolve(&to);
84 // Prefer credential based on peer's requirements.
85 pair<const SigningMethod*,const Credential*> p = to.getRole().getSigningMethod(*m_credResolver, to);
87 sigalg = make_pair(true, p.first->getAlgorithm());
92 // Reset criteria back.
97 const vector<XMLObject*>& bodies=const_cast<const soap11::Body*>(env.getBody())->getUnknownXMLObjects();
98 if (!bodies.empty()) {
99 opensaml::SignableObject* msg = dynamic_cast<opensaml::SignableObject*>(bodies.front());
101 // Build a Signature.
102 Signature* sig = SignatureBuilder::buildSignature();
103 msg->setSignature(sig);
105 sig->setSignatureAlgorithm(sigalg.second);
106 sigalg = m_relyingParty->getXMLString("digestAlg");
108 const DigestMethod* dm = to.getRole().getDigestMethod();
110 sigalg = make_pair(true, dm->getAlgorithm());
113 dynamic_cast<opensaml::ContentReference*>(sig->getContentReference())->setDigestAlgorithm(sigalg.second);
115 // Sign it. The marshalling step in the base class should be a no-op.
116 vector<Signature*> sigs(1,sig);
117 env.marshall((DOMDocument*)nullptr,&sigs,cred);
122 Category::getInstance(SHIBSP_LOGCAT ".SOAPClient").warn("no signing credential resolved, leaving message unsigned");
126 Category::getInstance(SHIBSP_LOGCAT ".SOAPClient").warn("no CredentialResolver available, leaving unsigned");
130 pair<bool,bool> flag = m_relyingParty->getBool("requireTransportAuth");
132 forceTransportAuthentication(flag.second);
135 // If not set, toggle transport authentication requirement inversely to conditional signing/encryption.
136 // That is, if we would force on signing, we probably expect the IdP to sign, and allow the transport layer
137 // to be ignored. This allows us to ignore regular certificates on standard ports.
138 forceTransportAuthentication(!SPConfig::shouldSignOrEncrypt("conditional", endpoint, false));
141 opensaml::SOAPClient::send(env, from, to, endpoint);
144 void SOAPClient::prepareTransport(SOAPTransport& transport)
147 xmltooling::NDC("prepareTransport");
149 Category& log=Category::getInstance(SHIBSP_LOGCAT ".SOAPClient");
150 log.debug("prepping SOAP transport for use by application (%s)", m_app.getId());
152 pair<bool,bool> flag = m_relyingParty->getBool("requireConfidentiality");
153 if ((!flag.first || flag.second) && !transport.isConfidential())
154 throw opensaml::BindingException("Transport confidentiality required, but not available.");
156 setValidating(getPolicy().getValidating());
158 opensaml::SOAPClient::prepareTransport(transport);
160 pair<bool,const char*> authType=m_relyingParty->getString("authType");
161 if (!authType.first || !strcmp(authType.second,"TLS")) {
162 if (!m_credResolver) {
163 m_credResolver = m_app.getCredentialResolver();
165 m_credResolver->lock();
167 if (m_credResolver) {
168 m_criteria->setUsage(Credential::TLS_CREDENTIAL);
169 authType = m_relyingParty->getString("keyName");
171 m_criteria->getKeyNames().insert(authType.second);
172 const Credential* cred = m_credResolver->resolve(m_criteria);
173 m_criteria->getKeyNames().clear();
175 if (!transport.setCredential(cred))
176 log.error("failed to load Credential into SOAPTransport");
179 log.error("no TLS credential supplied");
183 log.error("no CredentialResolver available for TLS");
187 SOAPTransport::transport_auth_t type=SOAPTransport::transport_auth_none;
188 pair<bool,const char*> username=m_relyingParty->getString("authUsername");
189 pair<bool,const char*> password=m_relyingParty->getString("authPassword");
190 if (!username.first || !password.first)
191 log.error("transport authType (%s) specified but authUsername or authPassword was missing", authType.second);
192 else if (!strcmp(authType.second,"basic"))
193 type = SOAPTransport::transport_auth_basic;
194 else if (!strcmp(authType.second,"digest"))
195 type = SOAPTransport::transport_auth_digest;
196 else if (!strcmp(authType.second,"ntlm"))
197 type = SOAPTransport::transport_auth_ntlm;
198 else if (!strcmp(authType.second,"gss"))
199 type = SOAPTransport::transport_auth_gss;
200 else if (strcmp(authType.second,"none"))
201 log.error("unknown authType (%s) specified for RelyingParty", authType.second);
202 if (type > SOAPTransport::transport_auth_none) {
203 if (transport.setAuth(type,username.second,password.second))
204 log.debug("configured for transport authentication (method=%s, username=%s)", authType.second, username.second);
206 log.error("failed to configure transport authentication (method=%s)", authType.second);
210 pair<bool,unsigned int> timeout = m_relyingParty->getUnsignedInt("connectTimeout");
211 transport.setConnectTimeout(timeout.first ? timeout.second : 10);
212 timeout = m_relyingParty->getUnsignedInt("timeout");
213 transport.setTimeout(timeout.first ? timeout.second : 20);
214 m_app.getServiceProvider().setTransportOptions(transport);
216 HTTPSOAPTransport* http = dynamic_cast<HTTPSOAPTransport*>(&transport);
218 flag = m_relyingParty->getBool("chunkedEncoding");
219 http->useChunkedEncoding(flag.first && flag.second);
220 http->setRequestHeader(PACKAGE_NAME, PACKAGE_VERSION);
224 void SOAPClient::reset()
226 m_relyingParty = nullptr;
228 m_credResolver->unlock();
229 m_credResolver = nullptr;
230 opensaml::SOAPClient::reset();