- threadid << "[" << getpid() << "] shire" << '\0';
- saml::NDC ndc(threadid.str().c_str());
-
- // Set SHIRE policies.
- SHIREConfig config;
- config.checkIPAddress = (ini.get_tag(site.m_name,"checkIPAddress",true,&tag) && ShibINI::boolean(tag));
- config.lifetime=config.timeout=0;
- tag.erase();
- if (ini.get_tag(site.m_name, "authLifetime", true, &tag))
- config.lifetime=strtoul(tag.c_str(),NULL,10);
- tag.erase();
- if (ini.get_tag(site.m_name, "authTimeout", true, &tag))
- config.timeout=strtoul(tag.c_str(),NULL,10);
-
- // Pull the config data we need to handle the various possible conditions.
- string shib_cookie;
- if (!ini.get_tag(site.m_name, "cookieName", true, &shib_cookie))
- return WriteClientError(pfc,"The cookieName configuration setting is missing, check configuration.");
-
- string wayfLocation;
- if (!ini.get_tag(site.m_name, "wayfURL", true, &wayfLocation))
- return WriteClientError(pfc,"The wayfURL configuration setting is missing, check configuration.");
-
- string shireError;
- if (!ini.get_tag(site.m_name, "shireError", true, &shireError))
- return WriteClientError(pfc,"The shireError configuration setting is missing, check configuration.");
-
- string accessError;
- if (!ini.get_tag(site.m_name, "accessError", true, &shireError))
- return WriteClientError(pfc,"The accessError configuration setting is missing, check configuration.");
-
- // Get an RPC handle and build the SHIRE object.
- RPCHandle* rpc_handle = (RPCHandle*)rpc_handle_key->getData();
- if (!rpc_handle)
- {
- rpc_handle = new RPCHandle(shib_target_sockname(), SHIBRPC_PROG, SHIBRPC_VERS_1);
- rpc_handle_key->setData(rpc_handle);
- }
- SHIRE shire(rpc_handle, config, shire_url);
-
- // Check for authentication cookie.
- const char* session_id=NULL;
- GetHeader(pn,pfc,"Cookie:",buf,128,false);
- if (buf.empty() || !(session_id=strstr(buf,shib_cookie.c_str())) || *(session_id+shib_cookie.length())!='=')
- {
- // Redirect to WAYF.
- string wayf("Location: ");
- wayf+=wayfLocation + "?shire=" + url_encode(shire_url.c_str()) + "&target=" + url_encode(target_url.c_str()) + "\r\n";
- // Insert the headers.
- pfc->AddResponseHeaders(pfc,const_cast<char*>(wayf.c_str()),0);
- pfc->ServerSupportFunction(pfc,SF_REQ_SEND_RESPONSE_HEADER,"302 Please Wait",0,0);
- return SF_STATUS_REQ_FINISHED;
- }
-
- session_id+=shib_cookie.length() + 1; /* Skip over the '=' */
- char* cookieend=strchr(session_id,';');
- if (cookieend)
- *cookieend = '\0'; /* Ignore anyting after a ; */
-
- // Make sure this session is still valid.
- RPCError* status = NULL;
- ShibMLP markupProcessor;
- bool has_tag = ini.get_tag(site.m_name, "supportContact", true, &tag);
- markupProcessor.insert("supportContact", has_tag ? tag : "");
- has_tag = ini.get_tag(site.m_name, "logoLocation", true, &tag);
- markupProcessor.insert("logoLocation", has_tag ? tag : "");
- markupProcessor.insert("requestURL", target_url);
-
- GetServerVariable(pfc,"REMOTE_ADDR",buf,16);
- try {
- status = shire.sessionIsValid(session_id, buf, target_url.c_str());
- }
- catch (ShibTargetException &e) {
- markupProcessor.insert("errorType", "SHIRE Processing Error");
- markupProcessor.insert("errorText", e.what());
- markupProcessor.insert("errorDesc", "An error occurred while processing your request.");
- return WriteClientError(pfc, shireError.c_str(), markupProcessor);
- }
- catch (...) {
- markupProcessor.insert("errorType", "SHIRE Processing Error");
- markupProcessor.insert("errorText", "Unexpected Exception");
- markupProcessor.insert("errorDesc", "An error occurred while processing your request.");
- return WriteClientError(pfc, shireError.c_str(), markupProcessor);
- }
-
- // Check the status
- if (status->isError()) {
- if (status->isRetryable()) {
- // Redirect to WAYF.
- delete status;
- string wayf("Location: ");
- wayf+=wayfLocation + "?shire=" + url_encode(shire_url.c_str()) + "&target=" + url_encode(target_url.c_str()) + "\r\n";
- // Insert the headers.
- pfc->AddResponseHeaders(pfc,const_cast<char*>(wayf.c_str()),0);
- pfc->ServerSupportFunction(pfc,SF_REQ_SEND_RESPONSE_HEADER,"302 Please Wait",0,0);
- return SF_STATUS_REQ_FINISHED;
- }
- else {
- // return the error page to the user
- markupProcessor.insert(*status);
- delete status;
- return WriteClientError(pfc, shireError.c_str(), markupProcessor);
- }
- }
- delete status;
-
- // Move to RM phase.
- RMConfig rm_config;
- rm_config.checkIPAddress = config.checkIPAddress;
- RM rm(rpc_handle,rm_config);
-
- // Get the attributes.
- vector<SAMLAssertion*> assertions;
- SAMLAuthenticationStatement* sso_statement=NULL;
- status = rm.getAssertions(session_id, buf, target_url.c_str(), assertions, &sso_statement);
-
- if (status->isError()) {
- string rmError;
- if (!ini.get_tag(site.m_name, "rmError", true, &shireError))
- return WriteClientError(pfc,"The rmError configuration setting is missing, check configuration.");
-
- markupProcessor.insert(*status);
- delete status;
- return WriteClientError(pfc, rmError.c_str(), markupProcessor);
- }
- delete status;
-
- // Only allow a single assertion...
- if (assertions.size() > 1) {
- for (int k = 0; k < assertions.size(); k++)
- delete assertions[k];
- delete sso_statement;
- return WriteClientError(pfc, accessError.c_str(), markupProcessor);
- }