shibsp/handler/impl/MetadataGenerator.cpp

   1 /**
   2  * Licensed to the University Corporation for Advanced Internet
   3  * Development, Inc. (UCAID) under one or more contributor license
   4  * agreements. See the NOTICE file distributed with this work for
   5  * additional information regarding copyright ownership.
   6  *
   7  * UCAID licenses this file to you under the Apache License,
   8  * Version 2.0 (the "License"); you may not use this file except
   9  * in compliance with the License. You may obtain a copy of the
  10  * License at
  11  *
  12  * http://www.apache.org/licenses/LICENSE-2.0
  13  *
  14  * Unless required by applicable law or agreed to in writing,
  15  * software distributed under the License is distributed on an
  16  * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND,
  17  * either express or implied. See the License for the specific
  18  * language governing permissions and limitations under the License.
  19  */
  20
  21 /**
  22  * MetadataGenerator.cpp
  23  *
  24  * Handler for generating "approximate" metadata based on SP configuration.
  25  */
  26
  27 #include "internal.h"
  28 #include "Application.h"
  29 #include "exceptions.h"
  30 #include "ServiceProvider.h"
  31 #include "SPRequest.h"
  32 #include "handler/AbstractHandler.h"
  33 #include "handler/RemotedHandler.h"
  34
  35 #ifndef SHIBSP_LITE
  36 # include "attribute/resolver/AttributeExtractor.h"
  37 # include "metadata/MetadataProviderCriteria.h"
  38 # include <saml/exceptions.h>
  39 # include <saml/SAMLConfig.h>
  40 # include <saml/signature/ContentReference.h>
  41 # include <saml/saml2/metadata/Metadata.h>
  42 # include <saml/saml2/metadata/MetadataProvider.h>
  43 # include <xmltooling/XMLToolingConfig.h>
  44 # include <xmltooling/security/Credential.h>
  45 # include <xmltooling/security/CredentialCriteria.h>
  46 # include <xmltooling/security/SecurityHelper.h>
  47 # include <xmltooling/signature/Signature.h>
  48 # include <xmltooling/util/ParserPool.h>
  49 # include <xmltooling/util/PathResolver.h>
  50 # include <xercesc/framework/LocalFileInputSource.hpp>
  51 # include <xercesc/framework/Wrapper4InputSource.hpp>
  52 #endif
  53
  54
  55 using namespace shibsp;
  56 #ifndef SHIBSP_LITE
  57 using namespace opensaml::saml2md;
  58 using namespace opensaml;
  59 using namespace xmlsignature;
  60 #endif
  61 using namespace xmltooling;
  62 using namespace std;
  63
  64 namespace shibsp {
  65
  66 #if defined (_MSC_VER)
  67     #pragma warning( push )
  68     #pragma warning( disable : 4250 )
  69 #endif
  70
  71     class SHIBSP_DLLLOCAL Blocker : public DOMNodeFilter
  72     {
  73     public:
  74 #ifdef SHIBSP_XERCESC_SHORT_ACCEPTNODE
  75         short
  76 #else
  77         FilterAction
  78 #endif
  79         acceptNode(const DOMNode* node) const {
  80             return FILTER_REJECT;
  81         }
  82     };
  83
  84     static SHIBSP_DLLLOCAL Blocker g_Blocker;
  85
  86     class SHIBSP_API MetadataGenerator : public AbstractHandler, public RemotedHandler
  87     {
  88     public:
  89         MetadataGenerator(const DOMElement* e, const char* appId);
  90         virtual ~MetadataGenerator() {
  91 #ifndef SHIBSP_LITE
  92             delete m_uiinfo;
  93             delete m_org;
  94             delete m_entityAttrs;
  95             for_each(m_contacts.begin(), m_contacts.end(), xmltooling::cleanup<ContactPerson>());
  96             for_each(m_formats.begin(), m_formats.end(), xmltooling::cleanup<NameIDFormat>());
  97             for_each(m_reqAttrs.begin(), m_reqAttrs.end(), xmltooling::cleanup<RequestedAttribute>());
  98             for_each(m_attrConsumers.begin(), m_attrConsumers.end(), xmltooling::cleanup<AttributeConsumingService>());
  99 #endif
 100         }
 101
 102         pair<bool,long> run(SPRequest& request, bool isHandler=true) const;
 103         void receive(DDF& in, ostream& out);
 104
 105     private:
 106         pair<bool,long> processMessage(
 107             const Application& application,
 108             const char* handlerURL,
 109             const char* entityID,
 110             HTTPResponse& httpResponse
 111             ) const;
 112
 113         set<string> m_acl;
 114 #ifndef SHIBSP_LITE
 115         string m_salt;
 116         short m_http,m_https;
 117         vector<string> m_bases;
 118         UIInfo* m_uiinfo;
 119         Organization* m_org;
 120         EntityAttributes* m_entityAttrs;
 121         vector<ContactPerson*> m_contacts;
 122         vector<NameIDFormat*> m_formats;
 123         vector<RequestedAttribute*> m_reqAttrs;
 124         vector<AttributeConsumingService*> m_attrConsumers;
 125 #endif
 126     };
 127
 128 #if defined (_MSC_VER)
 129     #pragma warning( pop )
 130 #endif
 131
 132     Handler* SHIBSP_DLLLOCAL MetadataGeneratorFactory(const pair<const DOMElement*,const char*>& p)
 133     {
 134         return new MetadataGenerator(p.first, p.second);
 135     }
 136
 137 };
 138
 139 MetadataGenerator::MetadataGenerator(const DOMElement* e, const char* appId)
 140     : AbstractHandler(e, Category::getInstance(SHIBSP_LOGCAT".MetadataGenerator"), &g_Blocker)
 141 #ifndef SHIBSP_LITE
 142         ,m_http(0), m_https(0), m_uiinfo(nullptr), m_org(nullptr), m_entityAttrs(nullptr)
 143 #endif
 144 {
 145     string address(appId);
 146     address += getString("Location").second;
 147     setAddress(address.c_str());
 148     if (SPConfig::getConfig().isEnabled(SPConfig::InProcess)) {
 149         pair<bool,const char*> acl = getString("acl");
 150         if (acl.first) {
 151             string aclbuf=acl.second;
 152             int j = 0;
 153             for (unsigned int i=0;  i < aclbuf.length();  i++) {
 154                 if (aclbuf.at(i)==' ') {
 155                     m_acl.insert(aclbuf.substr(j, i-j));
 156                     j = i+1;
 157                 }
 158             }
 159             m_acl.insert(aclbuf.substr(j, aclbuf.length()-j));
 160         }
 161     }
 162
 163 #ifndef SHIBSP_LITE
 164     static XMLCh EndpointBase[] = UNICODE_LITERAL_12(E,n,d,p,o,i,n,t,B,a,s,e);
 165
 166     pair<bool,const char*> salt = getString("salt");
 167     if (salt.first)
 168         m_salt = salt.second;
 169
 170     pair<bool,bool> flag = getBool("http");
 171     if (flag.first)
 172         m_http = flag.second ? 1 : -1;
 173     flag = getBool("https");
 174     if (flag.first)
 175         m_https = flag.second ? 1 : -1;
 176
 177     e = XMLHelper::getFirstChildElement(e);
 178     while (e) {
 179         if (XMLString::equals(e->getLocalName(), EndpointBase) && e->hasChildNodes()) {
 180             auto_ptr_char base(e->getFirstChild()->getNodeValue());
 181             if (base.get() && *base.get())
 182                 m_bases.push_back(base.get());
 183         }
 184         else {
 185             // Try and parse the object.
 186             auto_ptr<XMLObject> child(XMLObjectBuilder::buildOneFromElement(const_cast<DOMElement*>(e)));
 187             ContactPerson* cp = dynamic_cast<ContactPerson*>(child.get());
 188             if (cp) {
 189                 child.release();
 190                 m_contacts.push_back(cp);
 191             }
 192             else {
 193                 NameIDFormat* nif = dynamic_cast<NameIDFormat*>(child.get());
 194                 if (nif) {
 195                     child.release();
 196                     m_formats.push_back(nif);
 197                 }
 198                 else {
 199                     RequestedAttribute* req = dynamic_cast<RequestedAttribute*>(child.get());
 200                     if (req) {
 201                         child.release();
 202                         m_reqAttrs.push_back(req);
 203                     }
 204                     else {
 205                         AttributeConsumingService* acs = dynamic_cast<AttributeConsumingService*>(child.get());
 206                         if (acs) {
 207                             child.release();
 208                             m_attrConsumers.push_back(acs);
 209                         }
 210                         else {
 211                             UIInfo* info = dynamic_cast<UIInfo*>(child.get());
 212                             if (info) {
 213                                 if (!m_uiinfo) {
 214                                     child.release();
 215                                     m_uiinfo = info;
 216                                 }
 217                                 else {
 218                                     m_log.warn("skipping duplicate UIInfo element");
 219                                 }
 220                             }
 221                             else {
 222                                 Organization* org = dynamic_cast<Organization*>(child.get());
 223                                 if (org) {
 224                                     if (!m_org) {
 225                                         child.release();
 226                                         m_org = org;
 227                                     }
 228                                     else {
 229                                         m_log.warn("skipping duplicate Organization element");
 230                                     }
 231                                 }
 232                                 else {
 233                                     EntityAttributes* ea = dynamic_cast<EntityAttributes*>(child.get());
 234                                     if (ea) {
 235                                         if (!m_entityAttrs) {
 236                                             child.release();
 237                                             m_entityAttrs = ea;
 238                                         }
 239                                         else {
 240                                             m_log.warn("skipping duplicate EntityAttributes element");
 241                                         }
 242                                     }
 243                                 }
 244                             }
 245                         }
 246                     }
 247                 }
 248             }
 249         }
 250         e = XMLHelper::getNextSiblingElement(e);
 251     }
 252 #endif
 253 }
 254
 255 pair<bool,long> MetadataGenerator::run(SPRequest& request, bool isHandler) const
 256 {
 257     SPConfig& conf = SPConfig::getConfig();
 258     if (conf.isEnabled(SPConfig::InProcess)) {
 259         if (!m_acl.empty() && m_acl.count(request.getRemoteAddr()) == 0) {
 260             m_log.error("request for metadata blocked from invalid address (%s)", request.getRemoteAddr().c_str());
 261             istringstream msg("Metadata Request Blocked");
 262             return make_pair(true,request.sendResponse(msg, HTTPResponse::XMLTOOLING_HTTP_STATUS_FORBIDDEN));
 263         }
 264     }
 265
 266     try {
 267         if (conf.isEnabled(SPConfig::OutOfProcess)) {
 268             // When out of process, we run natively and directly process the message.
 269             return processMessage(request.getApplication(), request.getHandlerURL(), request.getParameter("entityID"), request);
 270         }
 271         else {
 272             // When not out of process, we remote all the message processing.
 273             DDF out,in = DDF(m_address.c_str());
 274             in.addmember("application_id").string(request.getApplication().getId());
 275             in.addmember("handler_url").string(request.getHandlerURL());
 276             if (request.getParameter("entityID"))
 277                 in.addmember("entity_id").string(request.getParameter("entityID"));
 278             DDFJanitor jin(in), jout(out);
 279
 280             out=request.getServiceProvider().getListenerService()->send(in);
 281             return unwrap(request, out);
 282         }
 283     }
 284     catch (exception& ex) {
 285         m_log.error("error while processing request: %s", ex.what());
 286         istringstream msg("Metadata Request Failed");
 287         return make_pair(true,request.sendResponse(msg, HTTPResponse::XMLTOOLING_HTTP_STATUS_ERROR));
 288     }
 289 }
 290
 291 void MetadataGenerator::receive(DDF& in, ostream& out)
 292 {
 293     // Find application.
 294     const char* aid=in["application_id"].string();
 295     const char* hurl=in["handler_url"].string();
 296     const Application* app=aid ? SPConfig::getConfig().getServiceProvider()->getApplication(aid) : nullptr;
 297     if (!app) {
 298         // Something's horribly wrong.
 299         m_log.error("couldn't find application (%s) for metadata request", aid ? aid : "(missing)");
 300         throw ConfigurationException("Unable to locate application for metadata request, deleted?");
 301     }
 302     else if (!hurl) {
 303         throw ConfigurationException("Missing handler_url parameter in remoted method call.");
 304     }
 305
 306     // Wrap a response shim.
 307     DDF ret(nullptr);
 308     DDFJanitor jout(ret);
 309     auto_ptr<HTTPResponse> resp(getResponse(ret));
 310
 311     // Since we're remoted, the result should either be a throw, a false/0 return,
 312     // which we just return as an empty structure, or a response/redirect,
 313     // which we capture in the facade and send back.
 314     processMessage(*app, hurl, in["entity_id"].string(), *resp.get());
 315     out << ret;
 316 }
 317
 318 pair<bool,long> MetadataGenerator::processMessage(
 319     const Application& application, const char* handlerURL, const char* entityID, HTTPResponse& httpResponse
 320     ) const
 321 {
 322 #ifndef SHIBSP_LITE
 323     m_log.debug("processing metadata request");
 324
 325     const PropertySet* relyingParty=nullptr;
 326     if (entityID) {
 327         MetadataProvider* m=application.getMetadataProvider();
 328         Locker locker(m);
 329         MetadataProviderCriteria mc(application, entityID);
 330         relyingParty = application.getRelyingParty(m->getEntityDescriptor(mc).first);
 331     }
 332     else {
 333         relyingParty = &application;
 334     }
 335
 336     EntityDescriptor* entity;
 337     pair<bool,const char*> prop = getString("template");
 338     if (prop.first) {
 339         // Load a template to use for our metadata.
 340         string templ(prop.second);
 341         XMLToolingConfig::getConfig().getPathResolver()->resolve(templ, PathResolver::XMLTOOLING_CFG_FILE);
 342         auto_ptr_XMLCh widenit(templ.c_str());
 343         LocalFileInputSource src(widenit.get());
 344         Wrapper4InputSource dsrc(&src,false);
 345         DOMDocument* doc=XMLToolingConfig::getConfig().getParser().parse(dsrc);
 346         XercesJanitor<DOMDocument> docjan(doc);
 347         auto_ptr<XMLObject> xmlobj(XMLObjectBuilder::buildOneFromElement(doc->getDocumentElement(), true));
 348         docjan.release();
 349         entity = dynamic_cast<EntityDescriptor*>(xmlobj.get());
 350         if (!entity)
 351             throw ConfigurationException("Template file ($1) did not contain an EntityDescriptor", params(1, templ.c_str()));
 352         xmlobj.release();
 353     }
 354     else {
 355         entity = EntityDescriptorBuilder::buildEntityDescriptor();
 356     }
 357
 358     if (!entity->getID()) {
 359         string hashinput = m_salt + relyingParty->getString("entityID").second;
 360         string hashed = '_' + SecurityHelper::doHash("SHA1", hashinput.c_str(), hashinput.length());
 361         auto_ptr_XMLCh widenit(hashed.c_str());
 362         entity->setID(widenit.get());
 363     }
 364
 365     auto_ptr<EntityDescriptor> wrapper(entity);
 366     pair<bool,unsigned int> cache = getUnsignedInt("cacheDuration");
 367     if (cache.first) {
 368         entity->setCacheDuration(cache.second);
 369     }
 370     cache = getUnsignedInt("validUntil");
 371     if (cache.first)
 372         entity->setValidUntil(time(nullptr) + cache.second);
 373     entity->setEntityID(relyingParty->getXMLString("entityID").second);
 374
 375     if (m_org && !entity->getOrganization())
 376         entity->setOrganization(m_org->cloneOrganization());
 377
 378     for (vector<ContactPerson*>::const_iterator cp = m_contacts.begin(); cp != m_contacts.end(); ++cp)
 379         entity->getContactPersons().push_back((*cp)->cloneContactPerson());
 380
 381     if (m_entityAttrs) {
 382         if (!entity->getExtensions())
 383             entity->setExtensions(ExtensionsBuilder::buildExtensions());
 384         entity->getExtensions()->getUnknownXMLObjects().push_back(m_entityAttrs->cloneEntityAttributes());
 385     }
 386
 387     SPSSODescriptor* role;
 388     if (entity->getSPSSODescriptors().empty()) {
 389         role = SPSSODescriptorBuilder::buildSPSSODescriptor();
 390         entity->getSPSSODescriptors().push_back(role);
 391     }
 392     else {
 393         role = entity->getSPSSODescriptors().front();
 394     }
 395
 396     for (vector<NameIDFormat*>::const_iterator nif = m_formats.begin(); nif != m_formats.end(); ++nif)
 397         role->getNameIDFormats().push_back((*nif)->cloneNameIDFormat());
 398
 399     if (m_uiinfo) {
 400         if (!role->getExtensions())
 401             role->setExtensions(ExtensionsBuilder::buildExtensions());
 402         role->getExtensions()->getUnknownXMLObjects().push_back(m_uiinfo->cloneUIInfo());
 403     }
 404
 405     for (vector<AttributeConsumingService*>::const_iterator acs = m_attrConsumers.begin(); acs != m_attrConsumers.end(); ++acs)
 406         role->getAttributeConsumingServices().push_back((*acs)->cloneAttributeConsumingService());
 407
 408     if (!m_reqAttrs.empty()) {
 409         int index = 1;
 410         const vector<AttributeConsumingService*>& svcs = const_cast<const SPSSODescriptor*>(role)->getAttributeConsumingServices();
 411         for (vector<AttributeConsumingService*>::const_iterator s =svcs.begin(); s != svcs.end(); ++s) {
 412             pair<bool,int> i = (*s)->getIndex();
 413             if (i.first && index == i.second)
 414                 index = i.second + 1;
 415         }
 416         AttributeConsumingService* svc = AttributeConsumingServiceBuilder::buildAttributeConsumingService();
 417         role->getAttributeConsumingServices().push_back(svc);
 418         svc->setIndex(index);
 419         ServiceName* sn = ServiceNameBuilder::buildServiceName();
 420         svc->getServiceNames().push_back(sn);
 421         sn->setName(entity->getEntityID());
 422         static const XMLCh english[] = UNICODE_LITERAL_2(e,n);
 423         sn->setLang(english);
 424         for (vector<RequestedAttribute*>::const_iterator req = m_reqAttrs.begin(); req != m_reqAttrs.end(); ++req)
 425             svc->getRequestedAttributes().push_back((*req)->cloneRequestedAttribute());
 426     }
 427
 428     // Policy flags.
 429     prop = relyingParty->getString("signing");
 430     if (prop.first && (!strcmp(prop.second,"true") || !strcmp(prop.second,"front")))
 431         role->AuthnRequestsSigned(true);
 432     pair<bool,bool> flagprop = relyingParty->getBool("requireSignedAssertions");
 433     if (flagprop.first && flagprop.second)
 434         role->WantAssertionsSigned(true);
 435
 436     // Ask each handler to generate itself.
 437     vector<const Handler*> handlers;
 438     application.getHandlers(handlers);
 439     for (vector<const Handler*>::const_iterator h = handlers.begin(); h != handlers.end(); ++h) {
 440         if (m_bases.empty()) {
 441             if (strncmp(handlerURL, "https", 5) == 0) {
 442                 if (m_https >= 0)
 443                     (*h)->generateMetadata(*role, handlerURL);
 444                 if (m_http == 1) {
 445                     string temp(handlerURL);
 446                     temp.erase(4, 1);
 447                     (*h)->generateMetadata(*role, temp.c_str());
 448                 }
 449             }
 450             else {
 451                 if (m_http >= 0)
 452                     (*h)->generateMetadata(*role, handlerURL);
 453                 if (m_https == 1) {
 454                     string temp(handlerURL);
 455                     temp.insert(temp.begin() + 4, 's');
 456                     (*h)->generateMetadata(*role, temp.c_str());
 457                 }
 458             }
 459         }
 460         else {
 461             for (vector<string>::const_iterator b = m_bases.begin(); b != m_bases.end(); ++b)
 462                 (*h)->generateMetadata(*role, b->c_str());
 463         }
 464     }
 465
 466     AttributeExtractor* extractor = application.getAttributeExtractor();
 467     if (extractor) {
 468         Locker extlocker(extractor);
 469         extractor->generateMetadata(*role);
 470     }
 471
 472     CredentialResolver* credResolver=application.getCredentialResolver();
 473     if (credResolver) {
 474         Locker credLocker(credResolver);
 475         CredentialCriteria cc;
 476         prop = relyingParty->getString("keyName");
 477         if (prop.first)
 478             cc.getKeyNames().insert(prop.second);
 479         vector<const Credential*> signingcreds,enccreds;
 480         cc.setUsage(Credential::SIGNING_CREDENTIAL);
 481         credResolver->resolve(signingcreds, &cc);
 482         cc.setUsage(Credential::ENCRYPTION_CREDENTIAL);
 483         credResolver->resolve(enccreds, &cc);
 484
 485         for (vector<const Credential*>::const_iterator c = signingcreds.begin(); c != signingcreds.end(); ++c) {
 486             KeyInfo* kinfo = (*c)->getKeyInfo();
 487             if (kinfo) {
 488                 KeyDescriptor* kd = KeyDescriptorBuilder::buildKeyDescriptor();
 489                 kd->setKeyInfo(kinfo);
 490                 const XMLCh* use = KeyDescriptor::KEYTYPE_SIGNING;
 491                 for (vector<const Credential*>::iterator match = enccreds.begin(); match != enccreds.end(); ++match) {
 492                     if (*match == *c) {
 493                         use = nullptr;
 494                         enccreds.erase(match);
 495                         break;
 496                     }
 497                 }
 498                 kd->setUse(use);
 499                 role->getKeyDescriptors().push_back(kd);
 500             }
 501         }
 502
 503         for (vector<const Credential*>::const_iterator c = enccreds.begin(); c != enccreds.end(); ++c) {
 504             KeyInfo* kinfo = (*c)->getKeyInfo();
 505             if (kinfo) {
 506                 KeyDescriptor* kd = KeyDescriptorBuilder::buildKeyDescriptor();
 507                 kd->setUse(KeyDescriptor::KEYTYPE_ENCRYPTION);
 508                 kd->setKeyInfo(kinfo);
 509                 role->getKeyDescriptors().push_back(kd);
 510             }
 511         }
 512     }
 513
 514     // Stream for response.
 515     stringstream s;
 516
 517     // Self-sign it?
 518     pair<bool,bool> flag = getBool("signing");
 519     if (flag.first && flag.second) {
 520         if (credResolver) {
 521             Locker credLocker(credResolver);
 522             // Fill in criteria to use.
 523             CredentialCriteria cc;
 524             cc.setUsage(Credential::SIGNING_CREDENTIAL);
 525             prop = getString("keyName");
 526             if (prop.first)
 527                 cc.getKeyNames().insert(prop.second);
 528             pair<bool,const XMLCh*> sigalg = getXMLString("signingAlg");
 529             pair<bool,const XMLCh*> digalg = getXMLString("digestAlg");
 530             if (sigalg.first)
 531                 cc.setXMLAlgorithm(sigalg.second);
 532             const Credential* cred = credResolver->resolve(&cc);
 533             if (!cred)
 534                 throw XMLSecurityException("Unable to obtain signing credential to use.");
 535
 536             // Pretty-print it first and then read it back in.
 537             stringstream pretty;
 538             XMLHelper::serialize(entity->marshall(), pretty, true);
 539             DOMDocument* prettydoc = XMLToolingConfig::getConfig().getParser().parse(pretty);
 540             auto_ptr<XMLObject> prettyentity(XMLObjectBuilder::buildOneFromElement(prettydoc->getDocumentElement(), true));
 541
 542             Signature* sig = SignatureBuilder::buildSignature();
 543             dynamic_cast<EntityDescriptor*>(prettyentity.get())->setSignature(sig);
 544             if (sigalg.first)
 545                 sig->setSignatureAlgorithm(sigalg.second);
 546             if (digalg.first) {
 547                 opensaml::ContentReference* cr = dynamic_cast<opensaml::ContentReference*>(sig->getContentReference());
 548                 if (cr)
 549                     cr->setDigestAlgorithm(digalg.second);
 550             }
 551
 552             // Sign while marshalling.
 553             vector<Signature*> sigs(1,sig);
 554             prettyentity->marshall(prettydoc,&sigs,cred);
 555             s << *prettyentity;
 556         }
 557         else {
 558             throw FatalProfileException("Can't self-sign metadata, no credential resolver found.");
 559         }
 560     }
 561     else {
 562         // Pretty-print it directly to client.
 563         XMLHelper::serialize(entity->marshall(), s, true);
 564     }
 565
 566     prop = getString("mimeType");
 567     httpResponse.setContentType(prop.first ? prop.second : "application/samlmetadata+xml");
 568     return make_pair(true, httpResponse.sendResponse(s));
 569 #else
 570     return make_pair(false,0L);
 571 #endif
 572 }