2 * Licensed to the University Corporation for Advanced Internet
3 * Development, Inc. (UCAID) under one or more contributor license
4 * agreements. See the NOTICE file distributed with this work for
5 * additional information regarding copyright ownership.
7 * UCAID licenses this file to you under the Apache License,
8 * Version 2.0 (the "License"); you may not use this file except
9 * in compliance with the License. You may obtain a copy of the
12 * http://www.apache.org/licenses/LICENSE-2.0
14 * Unless required by applicable law or agreed to in writing,
15 * software distributed under the License is distributed on an
16 * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND,
17 * either express or implied. See the License for the specific
18 * language governing permissions and limitations under the License.
24 * Pluggable runtime functionality that is protected by simple access control.
28 #include "SPRequest.h"
29 #include "handler/SecuredHandler.h"
31 #include <boost/bind.hpp>
32 #include <boost/algorithm/string.hpp>
34 using namespace shibsp;
35 using namespace xmltooling;
36 using namespace boost;
40 class SHIBSP_DLLLOCAL Blocker : public DOMNodeFilter
43 #ifdef SHIBSP_XERCESC_SHORT_ACCEPTNODE
48 acceptNode(const DOMNode* node) const {
53 static Blocker g_Blocker;
56 SecuredHandler::SecuredHandler(
59 const char* aclProperty,
60 const char* defaultACL,
61 DOMNodeFilter* filter,
62 const map<string,string>* remapper
63 ) : AbstractHandler(e, log, filter ? filter : &g_Blocker, remapper)
65 if (SPConfig::getConfig().isEnabled(SPConfig::InProcess)) {
66 pair<bool,const char*> acl = getString(aclProperty);
67 if (!acl.first && defaultACL) {
68 m_log.info("installing default ACL (%s)", defaultACL);
70 acl.second = defaultACL;
73 string aclbuf(acl.second);
74 vector<string> aclarray;
75 split(aclarray, aclbuf, is_space(), algorithm::token_compress_on);
76 for_each(aclarray.begin(), aclarray.end(), boost::bind(&SecuredHandler::parseACL, this, _1));
78 m_log.warn("invalid CIDR range(s) in handler's acl property, allowing 127.0.0.1 and ::1 as a fall back");
79 m_acl.push_back(IPRange::parseCIDRBlock("127.0.0.1"));
80 m_acl.push_back(IPRange::parseCIDRBlock("::1"));
86 SecuredHandler::~SecuredHandler()
90 void SecuredHandler::parseACL(const string& acl)
93 m_acl.push_back(IPRange::parseCIDRBlock(acl.c_str()));
95 catch (std::exception& ex) {
96 m_log.error("invalid CIDR block (%s): %s", acl.c_str(), ex.what());
100 pair<bool,long> SecuredHandler::run(SPRequest& request, bool isHandler) const
102 SPConfig& conf = SPConfig::getConfig();
103 if (conf.isEnabled(SPConfig::InProcess) && !m_acl.empty()) {
104 static bool (IPRange::* contains)(const char*) const = &IPRange::contains;
105 if (find_if(m_acl.begin(), m_acl.end(), boost::bind(contains, _1, request.getRemoteAddr().c_str())) == m_acl.end()) {
106 request.log(SPRequest::SPWarn, string("handler request blocked from invalid address (") + request.getRemoteAddr() + ')');
107 istringstream msg("Access Denied");
108 return make_pair(true, request.sendResponse(msg, HTTPResponse::XMLTOOLING_HTTP_STATUS_FORBIDDEN));
111 return make_pair(false, 0L);