2 * Licensed to the University Corporation for Advanced Internet
3 * Development, Inc. (UCAID) under one or more contributor license
4 * agreements. See the NOTICE file distributed with this work for
5 * additional information regarding copyright ownership.
7 * UCAID licenses this file to you under the Apache License,
8 * Version 2.0 (the "License"); you may not use this file except
9 * in compliance with the License. You may obtain a copy of the
12 * http://www.apache.org/licenses/LICENSE-2.0
14 * Unless required by applicable law or agreed to in writing,
15 * software distributed under the License is distributed on an
16 * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND,
17 * either express or implied. See the License for the specific
18 * language governing permissions and limitations under the License.
22 * XMLSecurityPolicyProvider.cpp
24 * XML-based security policy provider.
28 #include "exceptions.h"
29 #include "Application.h"
30 #include "security/SecurityPolicy.h"
31 #include "security/SecurityPolicyProvider.h"
32 #include "util/DOMPropertySet.h"
33 #include "util/SPConstants.h"
36 #include <boost/shared_ptr.hpp>
37 #include <saml/SAMLConfig.h>
38 #include <saml/binding/SecurityPolicyRule.h>
39 #include <xmltooling/io/HTTPResponse.h>
40 #include <xmltooling/util/NDC.h>
41 #include <xmltooling/util/ReloadableXMLFile.h>
42 #include <xmltooling/util/Threads.h>
43 #include <xmltooling/util/XMLHelper.h>
44 #include <xercesc/util/XMLStringTokenizer.hpp>
45 #include <xercesc/util/XMLUniDefs.hpp>
47 using shibspconstants::SHIB2SPCONFIG_NS;
48 using opensaml::SAMLConfig;
49 using opensaml::SecurityPolicyRule;
50 using namespace shibsp;
51 using namespace xmltooling;
52 using namespace boost;
57 #if defined (_MSC_VER)
58 #pragma warning( push )
59 #pragma warning( disable : 4250 )
62 class SHIBSP_DLLLOCAL XMLSecurityPolicyProviderImpl
65 XMLSecurityPolicyProviderImpl(const DOMElement*, Category&);
66 ~XMLSecurityPolicyProviderImpl() {
68 m_document->release();
71 void setDocument(DOMDocument* doc) {
76 DOMDocument* m_document;
77 bool m_includeDefaultBlacklist;
78 vector<xstring> m_whitelist,m_blacklist;
79 vector< boost::shared_ptr<SecurityPolicyRule> > m_ruleJanitor; // need this to maintain vector type in API
80 typedef map< string,pair< boost::shared_ptr<PropertySet>,vector<const SecurityPolicyRule*> > > policymap_t;
81 policymap_t m_policyMap;
82 policymap_t::const_iterator m_defaultPolicy;
84 friend class SHIBSP_DLLLOCAL XMLSecurityPolicyProvider;
87 class XMLSecurityPolicyProvider : public SecurityPolicyProvider, public ReloadableXMLFile
90 XMLSecurityPolicyProvider(const DOMElement* e)
91 : ReloadableXMLFile(e, Category::getInstance(SHIBSP_LOGCAT".SecurityPolicyProvider.XML")) {
92 background_load(); // guarantees an exception or the policy is loaded
95 ~XMLSecurityPolicyProvider() {
99 const PropertySet* getPolicySettings(const char* id=nullptr) const {
101 return m_impl->m_defaultPolicy->second.first.get();
102 XMLSecurityPolicyProviderImpl::policymap_t::const_iterator i = m_impl->m_policyMap.find(id);
103 if (i != m_impl->m_policyMap.end())
104 return i->second.first.get();
105 throw ConfigurationException("Security Policy ($1) not found, check <SecurityPolicies> element.", params(1,id));
108 const vector<const SecurityPolicyRule*>& getPolicyRules(const char* id=nullptr) const {
110 return m_impl->m_defaultPolicy->second.second;
111 XMLSecurityPolicyProviderImpl::policymap_t::const_iterator i = m_impl->m_policyMap.find(id);
112 if (i != m_impl->m_policyMap.end())
113 return i->second.second;
114 throw ConfigurationException("Security Policy ($1) not found, check <SecurityPolicies> element.", params(1,id));
116 const vector<xstring>& getDefaultAlgorithmBlacklist() const {
117 return m_impl->m_includeDefaultBlacklist ? m_defaultBlacklist : m_empty;
119 const vector<xstring>& getAlgorithmBlacklist() const {
120 return m_impl->m_blacklist;
122 const vector<xstring>& getAlgorithmWhitelist() const {
123 return m_impl->m_whitelist;
127 pair<bool,DOMElement*> load(bool backup);
128 pair<bool,DOMElement*> background_load();
131 scoped_ptr<XMLSecurityPolicyProviderImpl> m_impl;
132 static vector<xstring> m_empty;
135 #if defined (_MSC_VER)
136 #pragma warning( pop )
139 SecurityPolicyProvider* SHIBSP_DLLLOCAL XMLSecurityPolicyProviderFactory(const DOMElement* const & e)
141 return new XMLSecurityPolicyProvider(e);
144 class SHIBSP_DLLLOCAL PolicyNodeFilter : public DOMNodeFilter
147 #ifdef SHIBSP_XERCESC_SHORT_ACCEPTNODE
152 acceptNode(const DOMNode* node) const {
153 return FILTER_REJECT;
157 static const XMLCh _id[] = UNICODE_LITERAL_2(i,d);
158 static const XMLCh _type[] = UNICODE_LITERAL_4(t,y,p,e);
159 static const XMLCh includeDefaultBlacklist[] = UNICODE_LITERAL_23(i,n,c,l,u,d,e,D,e,f,a,u,l,t,B,l,a,c,k,l,i,s,t);
160 static const XMLCh AlgorithmBlacklist[] = UNICODE_LITERAL_18(A,l,g,o,r,i,t,h,m,B,l,a,c,k,l,i,s,t);
161 static const XMLCh AlgorithmWhitelist[] = UNICODE_LITERAL_18(A,l,g,o,r,i,t,h,m,W,h,i,t,e,l,i,s,t);
162 static const XMLCh Policy[] = UNICODE_LITERAL_6(P,o,l,i,c,y);
163 static const XMLCh PolicyRule[] = UNICODE_LITERAL_10(P,o,l,i,c,y,R,u,l,e);
164 static const XMLCh Rule[] = UNICODE_LITERAL_4(R,u,l,e);
165 static const XMLCh SecurityPolicies[] = UNICODE_LITERAL_16(S,e,c,u,r,i,t,y,P,o,l,i,c,i,e,s);
168 void SHIBSP_API shibsp::registerSecurityPolicyProviders()
170 SPConfig::getConfig().SecurityPolicyProviderManager.registerFactory(XML_SECURITYPOLICY_PROVIDER, XMLSecurityPolicyProviderFactory);
173 SecurityPolicyProvider::SecurityPolicyProvider()
175 m_defaultBlacklist.push_back(DSIGConstants::s_unicodeStrURIRSA_MD5);
176 m_defaultBlacklist.push_back(DSIGConstants::s_unicodeStrURIMD5);
177 m_defaultBlacklist.push_back(DSIGConstants::s_unicodeStrURIRSA_1_5);
180 SecurityPolicyProvider::~SecurityPolicyProvider()
184 const vector<xstring>& SecurityPolicyProvider::getDefaultAlgorithmBlacklist() const
186 return m_defaultBlacklist;
189 SecurityPolicy* SecurityPolicyProvider::createSecurityPolicy(
190 const Application& application, const xmltooling::QName* role, const char* policyId
193 pair<bool,bool> validate = getPolicySettings(policyId ? policyId : application.getString("policyId").second)->getBool("validate");
194 return new SecurityPolicy(application, role, (validate.first && validate.second), policyId);
197 XMLSecurityPolicyProviderImpl::XMLSecurityPolicyProviderImpl(const DOMElement* e, Category& log)
198 : m_document(nullptr), m_includeDefaultBlacklist(true), m_defaultPolicy(m_policyMap.end())
201 xmltooling::NDC ndc("XMLSecurityPolicyProviderImpl");
204 if (!XMLHelper::isNodeNamed(e, SHIB2SPCONFIG_NS, SecurityPolicies))
205 throw ConfigurationException("XML SecurityPolicyProvider requires conf:SecurityPolicies at root of configuration.");
207 const XMLCh* algs = nullptr;
208 const DOMElement* alglist = XMLHelper::getLastChildElement(e, AlgorithmBlacklist);
210 m_includeDefaultBlacklist = XMLHelper::getAttrBool(alglist, true, includeDefaultBlacklist);
211 if (alglist->hasChildNodes()) {
212 algs = alglist->getFirstChild()->getNodeValue();
215 else if ((alglist = XMLHelper::getLastChildElement(e, AlgorithmWhitelist)) && alglist->hasChildNodes()) {
216 algs = alglist->getFirstChild()->getNodeValue();
217 m_includeDefaultBlacklist = false;
221 XMLStringTokenizer tokenizer(algs);
222 while (tokenizer.hasMoreTokens()) {
223 token = tokenizer.nextToken();
225 if (XMLString::equals(alglist->getLocalName(), AlgorithmBlacklist))
226 m_blacklist.push_back(token);
228 m_whitelist.push_back(token);
233 PolicyNodeFilter filter;
234 SAMLConfig& samlConf = SAMLConfig::getConfig();
235 e = XMLHelper::getFirstChildElement(e, Policy);
237 string id(XMLHelper::getAttrString(e, nullptr, _id));
238 policymap_t::mapped_type& rules = m_policyMap[id];
239 boost::shared_ptr<DOMPropertySet> settings(new DOMPropertySet());
240 settings->load(e, nullptr, &filter);
241 rules.first = settings;
243 // Set default policy if not set, or id is "default".
244 if (m_defaultPolicy == m_policyMap.end() || id == "default")
245 m_defaultPolicy = m_policyMap.find(id);
247 // Process PolicyRule elements.
248 const DOMElement* rule = XMLHelper::getFirstChildElement(e, PolicyRule);
250 string t(XMLHelper::getAttrString(rule, nullptr, _type));
253 boost::shared_ptr<SecurityPolicyRule> ptr(samlConf.SecurityPolicyRuleManager.newPlugin(t.c_str(), rule));
254 m_ruleJanitor.push_back(ptr);
255 rules.second.push_back(ptr.get());
257 catch (std::exception& ex) {
258 log.crit("error instantiating policy rule (%s) in policy (%s): %s", t.c_str(), id.c_str(), ex.what());
261 rule = XMLHelper::getNextSiblingElement(rule, PolicyRule);
264 if (rules.second.size() == 0) {
265 // Process Rule elements.
266 log.warn("detected deprecated Policy configuration, consider converting to new PolicyRule syntax");
267 rule = XMLHelper::getFirstChildElement(e, Rule);
269 string t(XMLHelper::getAttrString(rule, nullptr, _type));
272 boost::shared_ptr<SecurityPolicyRule> ptr(samlConf.SecurityPolicyRuleManager.newPlugin(t.c_str(), rule));
273 m_ruleJanitor.push_back(ptr);
274 rules.second.push_back(ptr.get());
276 catch (std::exception& ex) {
277 log.crit("error instantiating policy rule (%s) in policy (%s): %s", t.c_str(), id.c_str(), ex.what());
280 rule = XMLHelper::getNextSiblingElement(rule, Rule);
283 // Manually add a basic Conditions rule.
284 log.info("installing a default Conditions rule in policy (%s) for compatibility with legacy configuration", id.c_str());
285 boost::shared_ptr<SecurityPolicyRule> cptr(samlConf.SecurityPolicyRuleManager.newPlugin(CONDITIONS_POLICY_RULE, nullptr));
286 m_ruleJanitor.push_back(cptr);
287 rules.second.push_back(cptr.get());
290 e = XMLHelper::getNextSiblingElement(e, Policy);
293 if (m_defaultPolicy == m_policyMap.end())
294 throw ConfigurationException("XML SecurityPolicyProvider requires at least one Policy.");
297 vector<xstring> XMLSecurityPolicyProvider::m_empty;
299 pair<bool,DOMElement*> XMLSecurityPolicyProvider::load(bool backup)
301 // Load from source using base class.
302 pair<bool,DOMElement*> raw = ReloadableXMLFile::load(backup);
304 // If we own it, wrap it.
305 XercesJanitor<DOMDocument> docjanitor(raw.first ? raw.second->getOwnerDocument() : nullptr);
307 scoped_ptr<XMLSecurityPolicyProviderImpl> impl(new XMLSecurityPolicyProviderImpl(raw.second, m_log));
309 // If we held the document, transfer it to the impl. If we didn't, it's a no-op.
310 impl->setDocument(docjanitor.release());
312 // Perform the swap inside a lock.
315 SharedLock locker(m_lock, false);
318 return make_pair(false,(DOMElement*)nullptr);
321 pair<bool,DOMElement*> XMLSecurityPolicyProvider::background_load()
327 if (ex == HTTPResponse::XMLTOOLING_HTTP_STATUS_NOTMODIFIED)
328 m_log.info("remote resource (%s) unchanged", m_source.c_str());
329 if (!m_loaded && !m_backing.empty())
333 catch (std::exception&) {
334 if (!m_loaded && !m_backing.empty())