8/23/02
*/
-#include <windows.h>
-#include <httpfilt.h>
-
// SAML Runtime
-#include <saml.h>
-#include <shib.h>
-#include <eduPerson.h>
+#include <saml/saml.h>
+#include <shib/shib.h>
+#include <shib/shib-threads.h>
+#include <shib-target/shib-target.h>
#include <log4cpp/Category.hh>
-#include <log4cpp/PropertyConfigurator.hh>
-#include <xercesc/util/Base64.hpp>
#include <ctime>
-#include <strstream>
+#include <fstream>
+#include <sstream>
#include <stdexcept>
+#include <httpfilt.h>
+
using namespace std;
using namespace log4cpp;
using namespace saml;
using namespace shibboleth;
-using namespace eduPerson;
-
-class CCacheEntry;
-class CCache
-{
-public:
- CCache();
- ~CCache();
-
- SAMLBinding* getBinding(const XMLCh* bindingProt);
- CCacheEntry* find(const char* key);
- void insert(const char* key, CCacheEntry* entry);
- void remove(const char* key);
- void sweep(time_t lifetime);
-
- bool lock() { EnterCriticalSection(&m_lock); return true; }
- void unlock() { LeaveCriticalSection(&m_lock); }
+using namespace shibtarget;
-private:
- SAMLBinding* m_SAMLBinding;
- map<string,CCacheEntry*> m_hashtable;
- CRITICAL_SECTION m_lock;
-};
-
-// Per-website global structure
struct settings_t
{
- settings_t();
- string g_CookieName; // name of authentication token
- string g_WAYFLocation; // URL of WAYF service
- string g_GarbageCollector; // URL of cache garbage collection service
- string g_SHIRELocation; // URL of SHIRE acceptance point
- string g_SHIRESessionPath; // path to storage for sessions
- vector<string> g_MustContain; // simple URL matching string array
- bool g_bSSLOnly; // only over SSL?
- time_t g_Lifetime; // maximum token lifetime
- time_t g_Timeout; // maximum time between uses
- bool g_bCheckAddress; // validate IP addresses?
- bool g_bExportAssertion; // export SAML assertion to header?
- CCache g_AuthCache; // local auth cache
-};
-
-settings_t::settings_t()
-{
- g_bSSLOnly=true;
- g_Lifetime=7200;
- g_Timeout=3600;
- g_bCheckAddress=true;
- g_bExportAssertion=false;
-}
-
-class CCacheEntry
-{
-public:
- CCacheEntry(const char* sessionFile);
- ~CCacheEntry();
-
- SAMLAuthorityBinding* getBinding() { return m_binding; }
- Iterator<SAMLAttribute*> getAttributes(const char* resource_url, settings_t* pSite);
- const XMLByte* getSerializedAssertion(const char* resource_url, settings_t* pSite);
- bool isSessionValid(time_t lifetime, time_t timeout);
- const XMLCh* getHandle() { return m_handle.c_str(); }
- const XMLCh* getOriginSite() { return m_originSite.c_str(); }
- const char* getClientAddress() { return m_clientAddress.c_str(); }
-
-private:
- void populate(const char* resource_url, settings_t* pSite);
-
- xstring m_originSite;
- xstring m_handle;
- SAMLAuthorityBinding* m_binding;
- string m_clientAddress;
- SAMLResponse* m_response;
- SAMLAssertion* m_assertion;
- time_t m_sessionCreated;
- time_t m_lastAccess;
- XMLByte* m_serialized;
-
- static saml::QName g_authorityKind;
- static saml::QName g_respondWith;
- friend class CCache;
+ settings_t() {}
+ settings_t(string& name) : m_name(name) {}
+
+ string m_name;
+ vector<string> m_mustContain;
};
-// static members
-saml::QName CCacheEntry::g_authorityKind(saml::XML::SAMLP_NS,L(AttributeQuery));
-saml::QName CCacheEntry::g_respondWith(saml::XML::SAML_NS,L(AttributeStatement));
-
-CCache::CCache()
-{
- m_SAMLBinding=SAMLBindingFactory::getInstance();
- InitializeCriticalSection(&m_lock);
-}
-
-CCache::~CCache()
-{
- DeleteCriticalSection(&m_lock);
- delete m_SAMLBinding;
- for (map<string,CCacheEntry*>::iterator i=m_hashtable.begin(); i!=m_hashtable.end(); i++)
- delete i->second;
-}
-
-SAMLBinding* CCache::getBinding(const XMLCh* bindingProt)
-{
- if (!XMLString::compareString(bindingProt,SAMLBinding::SAML_SOAP_HTTPS))
- return m_SAMLBinding;
- return NULL;
-}
-
-CCacheEntry* CCache::find(const char* key)
-{
- map<string,CCacheEntry*>::const_iterator i=m_hashtable.find(key);
- if (i==m_hashtable.end())
- return NULL;
- return i->second;
-}
-
-void CCache::insert(const char* key, CCacheEntry* entry)
-{
- m_hashtable[key]=entry;
-}
-
-void CCache::remove(const char* key)
-{
- m_hashtable.erase(key);
+// globals
+namespace {
+ HINSTANCE g_hinstDLL;
+ ThreadKey* rpc_handle_key = NULL;
+ ShibTargetConfig* g_Config = NULL;
+ vector<settings_t> g_Sites;
}
-void CCache::sweep(time_t lifetime)
+void destroy_handle(void* data)
{
- time_t now=time(NULL);
- for (map<string,CCacheEntry*>::iterator i=m_hashtable.begin(); i!=m_hashtable.end();)
- {
- if (lifetime > 0 && now > i->second->m_sessionCreated+lifetime)
- {
- delete i->second;
- i=m_hashtable.erase(i);
- }
- else
- i++;
- }
+ delete (RPCHandle*)data;
}
-CCacheEntry::CCacheEntry(const char* sessionFile)
- : m_binding(NULL), m_assertion(NULL), m_response(NULL), m_lastAccess(0), m_sessionCreated(0), m_serialized(NULL)
+BOOL LogEvent(
+ LPCSTR lpUNCServerName,
+ WORD wType,
+ DWORD dwEventID,
+ PSID lpUserSid,
+ LPCSTR message)
{
- FILE* f;
- char line[1024];
- const char* token = NULL;
- char* w = NULL;
- auto_ptr<XMLCh> binding,location;
-
- if (!(f=fopen(sessionFile,"r")))
- {
- fprintf(stderr,"CCacheEntry() could not open session file: %s",sessionFile);
- throw runtime_error("CCacheEntry() could not open session file");
- }
-
- while (fgets(line,1024,f))
- {
- if ((*line=='#') || (!*line))
- continue;
- token = line;
- w=strchr(token,'=');
- if (!w)
- continue;
- *w++=0;
- if (w[strlen(w)-1]=='\n')
- w[strlen(w)-1]=0;
-
- if (!strcmp("Domain",token))
- {
- auto_ptr<XMLCh> origin(XMLString::transcode(w));
- m_originSite=origin.get();
- }
- else if (!strcmp("Handle",token))
- {
- auto_ptr<XMLCh> handle(XMLString::transcode(w));
- m_handle=handle.get();
- }
- else if (!strcmp("PBinding0",token))
- binding=auto_ptr<XMLCh>(XMLString::transcode(w));
- else if (!strcmp("LBinding0",token))
- location=auto_ptr<XMLCh>(XMLString::transcode(w));
- else if (!strcmp("Time",token))
- m_sessionCreated=atoi(w);
- else if (!strcmp("ClientAddress",token))
- m_clientAddress=w;
- else if (!strcmp("EOF",token))
- break;
- }
- fclose(f);
+ LPCSTR messages[] = {message, NULL};
- if (binding.get()!=NULL && location.get()!=NULL)
- m_binding=new SAMLAuthorityBinding(g_authorityKind,binding.get(),location.get());
-
- m_lastAccess=time(NULL);
- if (!m_sessionCreated)
- m_sessionCreated=m_lastAccess;
-}
-
-CCacheEntry::~CCacheEntry()
-{
- delete m_binding;
- delete m_response;
- delete[] m_serialized;
-}
-
-bool CCacheEntry::isSessionValid(time_t lifetime, time_t timeout)
-{
- time_t now=time(NULL);
- if (lifetime > 0 && now > m_sessionCreated+lifetime)
- return false;
- if (timeout > 0 && now-m_lastAccess >= timeout)
- return false;
- m_lastAccess=now;
- return true;
+ HANDLE hElog = RegisterEventSource(lpUNCServerName, "Shibboleth ISAPI Filter");
+ BOOL res = ReportEvent(hElog, wType, 0, dwEventID, lpUserSid, 1, 0, messages, NULL);
+ return (DeregisterEventSource(hElog) && res);
}
-Iterator<SAMLAttribute*> CCacheEntry::getAttributes(const char* resource_url, settings_t* pSite)
-{
- populate(resource_url,pSite);
- if (m_assertion)
- {
- Iterator<SAMLStatement*> i=m_assertion->getStatements();
- if (i.hasNext())
- {
- SAMLAttributeStatement* s=dynamic_cast<SAMLAttributeStatement*>(i.next());
- if (s)
- return s->getAttributes();
- }
- }
- return Iterator<SAMLAttribute*>();
-}
-
-const XMLByte* CCacheEntry::getSerializedAssertion(const char* resource_url, settings_t* pSite)
-{
- populate(resource_url,pSite);
- if (m_serialized)
- return m_serialized;
- if (!m_assertion)
- return NULL;
- ostrstream os;
- os << *m_assertion;
- unsigned int outlen;
- return m_serialized=Base64::encode(reinterpret_cast<XMLByte*>(os.str()),os.pcount(),&outlen);
-}
-
-void CCacheEntry::populate(const char* resource_url, settings_t* pSite)
-{
-#undef FUNC
-#define FUNC populate
- Category& log=Category::getInstance("isapi_shib.CCacheEntry");
-
- // Can we use what we have?
- if (m_assertion && m_assertion->getNotOnOrAfter())
- {
- // This is awful, but the XMLDateTime class is truly horrible.
- time_t now=time(NULL);
- struct tm* ptime=gmtime(&now);
- char timebuf[32];
- strftime(timebuf,32,"%Y-%m-%dT%H:%M:%SZ",ptime);
- auto_ptr<XMLCh> timeptr(XMLString::transcode(timebuf));
- XMLDateTime curDateTime(timeptr.get());
- int result=XMLDateTime::compareOrder(&curDateTime,m_assertion->getNotOnOrAfter());
- if (XMLDateTime::LESS_THAN)
- return;
-
- delete m_response;
- delete[] m_serialized;
- m_assertion=NULL;
- m_response=NULL;
- m_serialized=NULL;
-
- log.info("%s: cached attributes have expired",FUNC);
- }
-
- if (!m_binding)
- return;
-
- auto_ptr<XMLCh> resource(XMLString::transcode(resource_url));
-
- // Build a SAML Request and send it to the AA.
- SAMLSubject* subject=new SAMLSubject(m_handle.c_str(),m_originSite.c_str());
- SAMLAttributeQuery* q=new SAMLAttributeQuery(subject,resource.get());
- SAMLRequest* req=new SAMLRequest(q,ArrayIterator<saml::QName>(&g_respondWith));
- SAMLBinding* pBinding=pSite->g_AuthCache.getBinding(m_binding->getBinding());
- m_response=pBinding->send(*m_binding,*req);
- delete req;
-
- // Store off the assertion for quick access. Memory mgmt is based on the response pointer.
- Iterator<SAMLAssertion*> i=m_response->getAssertions();
- if (i.hasNext())
- m_assertion=i.next();
-
- auto_ptr<char> h(XMLString::transcode(m_handle.c_str()));
- auto_ptr<char> d(XMLString::transcode(m_originSite.c_str()));
- log.info("%s: fetched and stored SAML response for %s@%s",FUNC,h.get(),d.get());
-}
-
-class DummyMapper : public IOriginSiteMapper
-{
-public:
- DummyMapper() { InitializeCriticalSection(&m_lock); }
- ~DummyMapper();
- virtual Iterator<xstring> getHandleServiceNames(const XMLCh* originSite) { return Iterator<xstring>(); }
- virtual Key* getHandleServiceKey(const XMLCh* handleService) { return NULL; }
- virtual Iterator<xstring> getSecurityDomains(const XMLCh* originSite);
- virtual Iterator<X509Certificate*> getTrustedRoots() { return Iterator<X509Certificate*>(); }
-
-private:
- typedef map<xstring,vector<xstring>*> domains_t;
- domains_t m_domains;
- CRITICAL_SECTION m_lock;
-};
-
-Iterator<xstring> DummyMapper::getSecurityDomains(const XMLCh* originSite)
-{
- EnterCriticalSection(&m_lock);
- vector<xstring>* pv=NULL;
- domains_t::iterator i=m_domains.find(originSite);
- if (i==m_domains.end())
- {
- pv=new vector<xstring>();
- pv->push_back(originSite);
- pair<domains_t::iterator,bool> p=m_domains.insert(domains_t::value_type(originSite,pv));
- i=p.first;
- }
- else
- pv=i->second;
- LeaveCriticalSection(&m_lock);
- return Iterator<xstring>(*pv);
-}
-
-DummyMapper::~DummyMapper()
-{
- for (domains_t::iterator i=m_domains.begin(); i!=m_domains.end(); i++)
- delete i->second;
- DeleteCriticalSection(&m_lock);
-}
-
-// globals
-HINSTANCE g_hinstDLL;
-ULONG g_ulMaxSite=1; // max IIS site instance to handle
-settings_t* g_Sites=NULL; // array of site settings
-map<string,string> g_mapAttribNameToHeader; // attribute mapping
-map<xstring,string> g_mapAttribNames;
-
-
extern "C" __declspec(dllexport) BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID)
{
if (fdwReason==DLL_PROCESS_ATTACH)
if (!pVer)
return FALSE;
- // Get module pathname and replace file name with ini file name.
- char inifile[MAX_PATH+1];
- if (GetModuleFileName(g_hinstDLL,inifile,MAX_PATH+1)==0)
- return FALSE;
- char* pch=strrchr(inifile,'\\');
- if (pch==NULL)
- return FALSE;
- pch++;
- *pch=0;
- strcat(inifile,"isapi_shib.ini");
-
- // Read system-wide parameters from isapi_shib.ini.
- char buf[1024];
- char buf3[48];
-
try
{
- SAMLConfig& SAMLconf=SAMLConfig::getConfig();
-
- GetPrivateProfileString("shibboleth","ShibLogConfig","",buf,sizeof(buf),inifile);
- if (*buf)
- PropertyConfigurator::configure(buf);
- Category& log=Category::getInstance("isapi_shib.GetFilterVersion");
- log.info("using INI file: %s",inifile);
-
- GetPrivateProfileString("shibboleth","ShibSchemaPath","",buf,sizeof(buf),inifile);
- if (!*buf)
+ g_Config = &(ShibTargetConfig::init(SHIBTARGET_SHIRE, getenv("SHIBCONFIG")));
+ ShibINI& ini = g_Config->getINI();
+
+ // Create the RPC Handle TLS key.
+ rpc_handle_key=ThreadKey::create(destroy_handle);
+
+ // Read site-specific settings for each instance ID we can find.
+ unsigned short i=1;
+ char iid[8];
+ sprintf(iid,"%u",i++);
+ string hostname;
+ while (ini.get_tag("isapi",iid,false,&hostname))
{
- log.fatal("ShibSchemaPath missing");
- return FALSE;
- }
- SAMLconf.schema_dir=buf;
- if (*SAMLconf.schema_dir.end()!='\\')
- SAMLconf.schema_dir+='\\';
-
- GetPrivateProfileString("shibboleth","ShibSSLCertFile","",buf,sizeof(buf),inifile);
- if (!*buf)
- {
- log.fatal("ShibSSLCertFile missing");
- return FALSE;
- }
- SAMLconf.ssl_certfile=buf;
-
- GetPrivateProfileString("shibboleth","ShibSSLKeyFile","",buf,sizeof(buf),inifile);
- if (!*buf)
- {
- log.fatal("ShibSSLKeyFile missing");
- return FALSE;
- }
- SAMLconf.ssl_keyfile=buf;
-
- GetPrivateProfileString("shibboleth","ShibSSLKeyPass","",buf,sizeof(buf),inifile);
- SAMLconf.ssl_keypass=buf;
-
- GetPrivateProfileString("shibboleth","ShibSSLCAList","",buf,sizeof(buf),inifile);
- SAMLconf.ssl_calist=buf;
-
- // Read site count and allocate site array.
- g_ulMaxSite=GetPrivateProfileInt("shibboleth","max-site",0,inifile);
- if (g_ulMaxSite==0)
- {
- log.fatal("max-site was 0 or invalid");
- return FALSE;
- }
- log.debug("max-site is %d",g_ulMaxSite);
- g_Sites=new settings_t[g_ulMaxSite];
-
- // Read site-specific settings for each site.
- for (ULONG i=0; i<g_ulMaxSite; i++)
- {
- ultoa(i+1,buf3,10);
- GetPrivateProfileString(buf3,"ShibSiteName","X",buf,sizeof(buf),inifile);
- if (!strcmp(buf,"X"))
+ // If no section exists for the host, mark it as a "skip" site.
+ if (!ini.exists(hostname))
{
- log.info("skipping site %d (no ShibSiteName)",i);
+ g_Sites.push_back(settings_t());
+ sprintf(iid,"%u",i++);
continue;
}
-
- GetPrivateProfileString(buf3,"ShibCookieName","",buf,sizeof(buf),inifile);
- if (!*buf)
- {
- delete[] g_Sites;
- log.fatal("ShibCookieName missing in site %d",i);
- return FALSE;
- }
- g_Sites[i].g_CookieName=buf;
-
- GetPrivateProfileString(buf3,"WAYFLocation","",buf,sizeof(buf),inifile);
- if (!*buf)
- {
- delete[] g_Sites;
- log.fatal("WAYFLocation missing in site %d",i);
- return FALSE;
- }
- g_Sites[i].g_WAYFLocation=buf;
-
- GetPrivateProfileString(buf3,"GarbageCollector","",buf,sizeof(buf),inifile);
- if (!*buf)
- {
- delete[] g_Sites;
- log.fatal("GarbageCollector missing in site %d",i);
- return FALSE;
- }
- g_Sites[i].g_GarbageCollector=buf;
-
- GetPrivateProfileString(buf3,"SHIRELocation","",buf,sizeof(buf),inifile);
- if (!*buf)
- {
- delete[] g_Sites;
- log.fatal("SHIRELocation missing in site %d",i);
- return FALSE;
- }
- g_Sites[i].g_SHIRELocation=buf;
-
- GetPrivateProfileString(buf3,"SHIRESessionPath","",buf,sizeof(buf),inifile);
- if (!*buf)
- {
- delete[] g_Sites;
- log.fatal("SHIRESessionPath missing in site %d",i);
- return FALSE;
- }
- g_Sites[i].g_SHIRESessionPath=buf;
- if (g_Sites[i].g_SHIRESessionPath[g_Sites[i].g_SHIRESessionPath.length()]!='\\')
- g_Sites[i].g_SHIRESessionPath+='\\';
-
- // Old-style matching string.
- GetPrivateProfileString(buf3,"ShibMustContain","",buf,sizeof(buf),inifile);
- _strupr(buf);
- char* start=buf;
- while (char* sep=strchr(start,';'))
+
+ settings_t settings(hostname);
+
+ // Content matching string.
+ string mustcontain;
+ if (ini.get_tag(hostname,"mustContain",true,&mustcontain) && !mustcontain.empty())
{
- *sep='\0';
- if (*start)
+ char* buf=strdup(mustcontain.c_str());
+ _strupr(buf);
+ char* start=buf;
+ while (char* sep=strchr(start,';'))
{
- g_Sites[i].g_MustContain.push_back(start);
- log.info("site %d told to match against %s",i,start);
+ *sep='\0';
+ if (*start)
+ settings.m_mustContain.push_back(start);
+ start=sep+1;
}
- start=sep+1;
- }
- if (*start)
- {
- g_Sites[i].g_MustContain.push_back(start);
- log.info("site %d told to match against %s",i,start);
+ if (*start)
+ settings.m_mustContain.push_back(start);
+ free(buf);
}
- if (GetPrivateProfileInt(buf3,"ShibSSLOnly",1,inifile)==0)
- g_Sites[i].g_bSSLOnly=false;
- if (GetPrivateProfileInt(buf3,"ShibCheckAddress",1,inifile)==0)
- g_Sites[i].g_bCheckAddress=false;
- if (GetPrivateProfileInt(buf3,"ShibExportAssertion",0,inifile)==1)
- g_Sites[i].g_bExportAssertion=true;
- g_Sites[i].g_Lifetime=GetPrivateProfileInt(buf3,"ShibAuthLifetime",7200,inifile);
- if (g_Sites[i].g_Lifetime<=0)
- g_Sites[i].g_Lifetime=7200;
- g_Sites[i].g_Timeout=GetPrivateProfileInt(buf3,"ShibAuthTimeout",3600,inifile);
- if (g_Sites[i].g_Timeout<=0)
- g_Sites[i].g_Timeout=3600;
- log.info("configuration of site %d complete",i);
- }
-
- ShibConfig& Shibconf=ShibConfig::getConfig();
- static DummyMapper mapper;
-
- if (!SAMLconf.init())
- {
- delete[] g_Sites;
- log.fatal("SAML initialization failed");
- return FALSE;
- }
-
- Shibconf.origin_mapper=&mapper;
- if (!Shibconf.init())
- {
- delete[] g_Sites;
- log.fatal("Shibboleth initialization failed");
- return FALSE;
- }
-
- char buf2[32767];
- DWORD res=GetPrivateProfileSection("ShibMapAttributes",buf2,sizeof(buf2),inifile);
- if (res==sizeof(buf2)-2)
- {
- delete[] g_Sites;
- log.fatal("ShibMapAttributes INI section was larger than 32k");
- return FALSE;
- }
-
- for (char* attr=buf2; *attr; attr++)
- {
- char* delim=strchr(attr,'=');
- if (!delim)
- {
- delete[] g_Sites;
- log.fatal("unrecognizable ShibMapAttributes directive: %s",attr);
- return FALSE;
- }
- *delim++=0;
- g_mapAttribNameToHeader[attr]=(string(delim) + ':');
- log.info("mapping attribute %s to request header %s",attr,delim);
- attr=delim + strlen(delim);
+ g_Sites.push_back(settings);
+ sprintf(iid,"%u",i++);
}
-
- log.info("configuration of attributes complete");
-
- // Transcode the attribute names we know about for quick handling map access.
- for (map<string,string>::const_iterator j=g_mapAttribNameToHeader.begin();
- j!=g_mapAttribNameToHeader.end(); j++)
- {
- auto_ptr<XMLCh> temp(XMLString::transcode(j->first.c_str()));
- g_mapAttribNames[temp.get()]=j->first;
- }
-
- res=GetPrivateProfileSection("ShibExtensions",buf2,sizeof(buf2),inifile);
- if (res==sizeof(buf2)-2)
- {
- delete[] g_Sites;
- log.fatal("ShibExtensions INI section was larger than 32k");
- return FALSE;
- }
-
- for (char* libpath=buf2; *libpath; libpath+=strlen(libpath)+1)
- SAMLconf.saml_register_extension(libpath);
-
- log.info("completed loading of extension libraries");
}
- catch (bad_alloc)
+ catch (SAMLException&)
{
- delete[] g_Sites;
- Category::getInstance("isapi_shib.GetFilterVersion").fatal("out of memory");
+ LogEvent(NULL, EVENTLOG_ERROR_TYPE, 2100, NULL,
+ "Filter startup failed with SAML exception, check shire log for help.");
return FALSE;
}
- catch (log4cpp::ConfigureFailure& ex)
+ catch (...)
{
- delete[] g_Sites;
- WritePrivateProfileString("startlog","bailed-at","log4cpp exception caught",inifile);
- WritePrivateProfileString("startlog","log4cpp",ex.what(),inifile);
- return FALSE;
- }
- catch (SAMLException& ex)
- {
- delete[] g_Sites;
- Category::getInstance("isapi_shib.GetFilterVersion").fatal("caught SAML exception: %s",ex.what());
+ LogEvent(NULL, EVENTLOG_ERROR_TYPE, 2100, NULL,
+ "Filter startup failed with unexpected exception, check shire log for help.");
return FALSE;
}
SF_NOTIFY_NONSECURE_PORT |
SF_NOTIFY_PREPROC_HEADERS |
SF_NOTIFY_LOG);
+ LogEvent(NULL, EVENTLOG_INFORMATION_TYPE, 7701, NULL, "Filter initialized...");
return TRUE;
}
extern "C" BOOL WINAPI TerminateFilter(DWORD dwFlags)
{
- Category::getInstance("isapi_shib.TerminateFilter").info("shutting down...");
- delete[] g_Sites;
- g_Sites=NULL;
- ShibConfig::getConfig().term();
- SAMLConfig::getConfig().term();
- Category::getInstance("isapi_shib.TerminateFilter").info("shut down complete");
+ delete rpc_handle_key;
+ if (g_Config)
+ g_Config->shutdown();
+ g_Config = NULL;
+ LogEvent(NULL, EVENTLOG_INFORMATION_TYPE, 7701, NULL, "Filter shut down...");
return TRUE;
}
return strcmp(bufptr,s)==0;
}
-void GetServerVariable(PHTTP_FILTER_CONTEXT pfc,
- LPSTR lpszVariable, dynabuf& s, DWORD size=80, bool bRequired=true)
+void GetServerVariable(PHTTP_FILTER_CONTEXT pfc, LPSTR lpszVariable, dynabuf& s, DWORD size=80, bool bRequired=true)
throw (bad_alloc, DWORD)
{
s.erase();
return s;
}
-string get_target(PHTTP_FILTER_CONTEXT pfc, PHTTP_FILTER_PREPROC_HEADERS pn, settings_t* pSite)
+string get_target(PHTTP_FILTER_CONTEXT pfc, PHTTP_FILTER_PREPROC_HEADERS pn, settings_t& site)
{
// Reconstructing the requested URL is not fun. Apparently, the PREPROC_HEADERS
// event means way pre. As in, none of the usual CGI headers are in place yet.
else
s="http://";
+ // We use the "normalizeRequest" tag to decide how to obtain the server's name.
dynabuf buf(256);
- GetServerVariable(pfc,"SERVER_NAME",buf);
- s+=buf;
+ string tag;
+ if (g_Config->getINI().get_tag(site.m_name,"normalizeRequest",true,&tag) && ShibINI::boolean(tag))
+ {
+ s+=site.m_name;
+ }
+ else
+ {
+ GetServerVariable(pfc,"SERVER_NAME",buf);
+ s+=buf;
+ }
GetServerVariable(pfc,"SERVER_PORT",buf,10);
if (buf!=(pfc->fIsSecurePort ? "443" : "80"))
return s;
}
-string get_shire_location(PHTTP_FILTER_CONTEXT pfc, settings_t* pSite, const char* target)
+string get_shire_location(PHTTP_FILTER_CONTEXT pfc, settings_t& site, const char* target)
{
- if (pSite->g_SHIRELocation[0]!='/')
- return url_encode(pSite->g_SHIRELocation.c_str());
- const char* colon=strchr(target,':');
- const char* slash=strchr(colon+3,'/');
- string s(target,slash-target);
- s+=pSite->g_SHIRELocation;
- return url_encode(s.c_str());
+ string shireURL;
+ if (g_Config->getINI().get_tag(site.m_name,"shireURL",true,&shireURL) && !shireURL.empty())
+ {
+ if (shireURL[0]!='/')
+ return shireURL;
+ const char* colon=strchr(target,':');
+ const char* slash=strchr(colon+3,'/');
+ string s(target,slash-target);
+ s+=shireURL;
+ return s;
+ }
+ return shireURL;
}
DWORD WriteClientError(PHTTP_FILTER_CONTEXT pfc, const char* msg)
{
- Category::getInstance("isapi_shib.WriteClientError").error("sending error page to browser: %s",msg);
-
+ LogEvent(NULL, EVENTLOG_ERROR_TYPE, 2100, NULL, msg);
pfc->ServerSupportFunction(pfc,SF_REQ_SEND_RESPONSE_HEADER,"200 OK",0,0);
static const char* xmsg="<HTML><HEAD><TITLE>Shibboleth Filter Error</TITLE></HEAD><BODY>"
"<H1>Shibboleth Filter Error</H1>";
return SF_STATUS_REQ_FINISHED;
}
-DWORD shib_shar_error(PHTTP_FILTER_CONTEXT pfc, SAMLException& e)
+DWORD WriteClientError(PHTTP_FILTER_CONTEXT pfc, const char* filename, ShibMLP& mlp)
{
- Category::getInstance("isapi_shib.shib_shar_error").errorStream()
- << "exception during SHAR request: " << e;
+ ifstream infile(filename);
+ if (!infile)
+ return WriteClientError(pfc,"Unable to open error template, check settings.");
+ string res = mlp.run(infile);
pfc->ServerSupportFunction(pfc,SF_REQ_SEND_RESPONSE_HEADER,"200 OK",0,0);
-
- static const char* msg="<HTML><HEAD><TITLE>Shibboleth Attribute Exchange Failed</TITLE></HEAD>\n"
- "<BODY><H3>Shibboleth Attribute Exchange Failed</H3>\n"
- "While attempting to securely contact your origin site to obtain "
- "information about you, an error occurred:<BR><BLOCKQUOTE>";
- DWORD resplen=strlen(msg);
- pfc->WriteClient(pfc,(LPVOID)msg,&resplen,0);
-
- const char* msg2=e.what();
- resplen=strlen(msg2);
- pfc->WriteClient(pfc,(LPVOID)msg2,&resplen,0);
-
- bool origin=true;
- Iterator<saml::QName> i=e.getCodes();
- if (i.hasNext() && XMLString::compareString(L(Responder),i.next().getLocalName()))
- origin=false;
-
- const char* msg4=(origin ? "</BLOCKQUOTE><P>The error appears to be located at your origin site.<BR>" :
- "</BLOCKQUOTE><P>The error appears to be located at the resource provider's site.<BR>");
- resplen=strlen(msg4);
- pfc->WriteClient(pfc,(LPVOID)msg4,&resplen,0);
-
- static const char* msg5="<P>Try restarting your browser and accessing the site again to make "
- "sure the problem isn't temporary. Please contact the administrator "
- "of that site if this problem recurs. If possible, provide him/her "
- "with the error message shown above.</BODY></HTML>";
- resplen=strlen(msg5);
- pfc->WriteClient(pfc,(LPVOID)msg5,&resplen,0);
+ DWORD resplen=res.length();
+ pfc->WriteClient(pfc,(LPVOID)res.c_str(),&resplen,0);
return SF_STATUS_REQ_FINISHED;
}
return SF_STATUS_REQ_NEXT_NOTIFICATION;
}
- char* xmsg=NULL;
- settings_t* pSite=NULL;
- bool bLocked=false;
PHTTP_FILTER_PREPROC_HEADERS pn=(PHTTP_FILTER_PREPROC_HEADERS)pvNotification;
- Category& log=Category::getInstance("isapi_shib.HttpFilterProc");
try
{
- // Determine web site number.
+ // Determine web site number. This can't really fail, I don't think.
dynabuf buf(128);
ULONG site_id=0;
GetServerVariable(pfc,"INSTANCE_ID",buf,10);
if ((site_id=strtoul(buf,NULL,10))==0)
return WriteClientError(pfc,"IIS site instance appears to be invalid.");
- // Match site instance to site settings pointer.
- if (site_id>g_ulMaxSite || g_Sites[site_id-1].g_CookieName.empty())
+ // Match site instance to site settings.
+ if (site_id>g_Sites.size() || g_Sites[site_id-1].m_name.length()==0)
return SF_STATUS_REQ_NEXT_NOTIFICATION;
- pSite=&g_Sites[site_id-1];
+ settings_t& site=g_Sites[site_id-1];
- string targeturl=get_target(pfc,pn,pSite);
+ string target_url=get_target(pfc,pn,site);
+ string shire_url=get_shire_location(pfc,site,target_url.c_str());
- // If the user is accessing the SHIRE acceptance point, pass on.
- if (targeturl.find(pSite->g_SHIRELocation)!=string::npos)
- {
- log.debug("passing on SHIRE acceptance request");
+ // If the user is accessing the SHIRE acceptance point, pass it on.
+ if (target_url.find(shire_url)!=string::npos)
return SF_STATUS_REQ_NEXT_NOTIFICATION;
- }
-
- // If this is the garbage collection service, do a cache sweep.
- if (targeturl==pSite->g_GarbageCollector)
- {
- log.notice("garbage collector triggered");
- pSite->g_AuthCache.lock();
- bLocked=true;
- pSite->g_AuthCache.sweep(pSite->g_Lifetime);
- pSite->g_AuthCache.unlock();
- bLocked=false;
- return WriteClientError(pfc,"The cache was swept for expired sessions.");
- }
// Get the url request and scan for the must-contain string.
- if (!pSite->g_MustContain.empty())
+ if (!site.m_mustContain.empty())
{
- char* upcased=new char[targeturl.length()+1];
- strcpy(upcased,targeturl.c_str());
+ char* upcased=new char[target_url.length()+1];
+ strcpy(upcased,target_url.c_str());
_strupr(upcased);
- for (vector<string>::const_iterator index=pSite->g_MustContain.begin(); index!=pSite->g_MustContain.end(); index++)
+ for (vector<string>::const_iterator index=site.m_mustContain.begin(); index!=site.m_mustContain.end(); index++)
if (strstr(upcased,index->c_str()))
break;
delete[] upcased;
- if (index==pSite->g_MustContain.end())
+ if (index==site.m_mustContain.end())
return SF_STATUS_REQ_NEXT_NOTIFICATION;
}
- // SSL check.
- if (pSite->g_bSSLOnly && !pfc->fIsSecurePort)
+ // SSL content check.
+ ShibINI& ini=g_Config->getINI();
+ string tag;
+ if (ini.get_tag(site.m_name,"contentSSLOnly",true,&tag) && ShibINI::boolean(tag) && !pfc->fIsSecurePort)
{
- log.warn("blocking non-SSL request");
- xmsg="<HTML><HEAD><TITLE>Access Denied</TITLE></HEAD><BODY>"
- "<H1>Access Denied</H1>"
- "This server is configured to deny non-SSL requests for secure resources. "
- "Try your request again using https instead of http."
- "</BODY></HTML>";
- DWORD resplen=strlen(xmsg);
- pfc->ServerSupportFunction(pfc,SF_REQ_SEND_RESPONSE_HEADER,"200 OK",0,0);
- pfc->WriteClient(pfc,xmsg,&resplen,0);
- return SF_STATUS_REQ_FINISHED;
+ return WriteClientError(pfc,
+ "This server is configured to deny non-SSL requests for secure resources. "
+ "Try your request again using https instead of http.");
}
+ ostringstream threadid;
+ threadid << "[" << getpid() << "] shire" << '\0';
+ saml::NDC ndc(threadid.str().c_str());
+
+ // Set SHIRE policies.
+ SHIREConfig config;
+ config.checkIPAddress = (ini.get_tag(site.m_name,"checkIPAddress",true,&tag) && ShibINI::boolean(tag));
+ config.lifetime=config.timeout=0;
+ tag.erase();
+ if (ini.get_tag(site.m_name, "authLifetime", true, &tag))
+ config.lifetime=strtoul(tag.c_str(),NULL,10);
+ tag.erase();
+ if (ini.get_tag(site.m_name, "authTimeout", true, &tag))
+ config.timeout=strtoul(tag.c_str(),NULL,10);
+
+ // Pull the config data we need to handle the various possible conditions.
+ string shib_cookie;
+ if (!ini.get_tag(site.m_name, "cookieName", true, &shib_cookie))
+ return WriteClientError(pfc,"The cookieName configuration setting is missing, check configuration.");
+
+ string wayfLocation;
+ if (!ini.get_tag(site.m_name, "wayfURL", true, &wayfLocation))
+ return WriteClientError(pfc,"The wayfURL configuration setting is missing, check configuration.");
+
+ string shireError;
+ if (!ini.get_tag(site.m_name, "shireError", true, &shireError))
+ return WriteClientError(pfc,"The shireError configuration setting is missing, check configuration.");
+
+ string accessError;
+ if (!ini.get_tag(site.m_name, "accessError", true, &shireError))
+ return WriteClientError(pfc,"The accessError configuration setting is missing, check configuration.");
+
+ // Get an RPC handle and build the SHIRE object.
+ RPCHandle* rpc_handle = (RPCHandle*)rpc_handle_key->getData();
+ if (!rpc_handle)
+ {
+ rpc_handle = new RPCHandle(shib_target_sockname(), SHIBRPC_PROG, SHIBRPC_VERS_1);
+ rpc_handle_key->setData(rpc_handle);
+ }
+ SHIRE shire(rpc_handle, config, shire_url);
+
// Check for authentication cookie.
const char* session_id=NULL;
GetHeader(pn,pfc,"Cookie:",buf,128,false);
- if (buf.empty() || !(session_id=strstr(buf,pSite->g_CookieName.c_str())) ||
- *(session_id+pSite->g_CookieName.length())!='=')
+ if (buf.empty() || !(session_id=strstr(buf,shib_cookie.c_str())) || *(session_id+shib_cookie.length())!='=')
{
- log.info("session cookie not found, redirecting to WAYF");
-
// Redirect to WAYF.
string wayf("Location: ");
- wayf+=pSite->g_WAYFLocation + "?shire=" + get_shire_location(pfc,pSite,targeturl.c_str()) +
- "&target=" + url_encode(targeturl.c_str()) + "\r\n";
+ wayf+=wayfLocation + "?shire=" + url_encode(shire_url.c_str()) + "&target=" + url_encode(target_url.c_str()) + "\r\n";
// Insert the headers.
pfc->AddResponseHeaders(pfc,const_cast<char*>(wayf.c_str()),0);
pfc->ServerSupportFunction(pfc,SF_REQ_SEND_RESPONSE_HEADER,"302 Please Wait",0,0);
return SF_STATUS_REQ_FINISHED;
}
- session_id+=pSite->g_CookieName.length() + 1; /* Skip over the '=' */
+ session_id+=shib_cookie.length() + 1; /* Skip over the '=' */
char* cookieend=strchr(session_id,';');
if (cookieend)
*cookieend = '\0'; /* Ignore anyting after a ; */
- pSite->g_AuthCache.lock(); // ---> Get cache lock
- bLocked=true;
-
- // The caching logic is the heart of the "SHAR".
- CCacheEntry* entry=pSite->g_AuthCache.find(session_id);
- try
- {
- if (!entry)
- {
- pSite->g_AuthCache.unlock(); // ---> Release cache lock
- bLocked=false;
-
- // Construct the path to the session file
- string sessionFile=pSite->g_SHIRESessionPath + session_id;
- try
- {
- entry=new CCacheEntry(sessionFile.c_str());
- }
- catch (runtime_error e)
- {
- log.info("unable to load session from file '%s', redirecting to WAYF",sessionFile.c_str());
-
- // Redirect to WAYF.
- string wayf("Location: ");
- wayf+=pSite->g_WAYFLocation + "?shire=" + get_shire_location(pfc,pSite,targeturl.c_str()) +
- "&target=" + url_encode(targeturl.c_str()) + "\r\n";
- wayf+="Set-Cookie: " + pSite->g_CookieName + "=; path=/; expires=19-Mar-1971 08:23:00 GMT\r\n";
-
- // Insert the headers.
- pfc->AddResponseHeaders(pfc,const_cast<char*>(wayf.c_str()),0);
- pfc->ServerSupportFunction(pfc,SF_REQ_SEND_RESPONSE_HEADER,"302 Please Wait",0,0);
- return SF_STATUS_REQ_FINISHED;
- }
- pSite->g_AuthCache.lock(); // ---> Get cache lock
- bLocked=true;
- pSite->g_AuthCache.insert(session_id,entry);
- log.info("new session established: %s",session_id);
- }
-
- if (!entry->isSessionValid(pSite->g_Lifetime,pSite->g_Timeout))
- {
- pSite->g_AuthCache.remove(session_id);
- pSite->g_AuthCache.unlock(); // ---> Release cache lock
- bLocked=false;
- delete entry;
-
- log.warn("invalidating session because of timeout, redirecting to WAYF");
-
+ // Make sure this session is still valid.
+ RPCError* status = NULL;
+ ShibMLP markupProcessor;
+ bool has_tag = ini.get_tag(site.m_name, "supportContact", true, &tag);
+ markupProcessor.insert("supportContact", has_tag ? tag : "");
+ has_tag = ini.get_tag(site.m_name, "logoLocation", true, &tag);
+ markupProcessor.insert("logoLocation", has_tag ? tag : "");
+ markupProcessor.insert("requestURL", target_url);
+
+ GetServerVariable(pfc,"REMOTE_ADDR",buf,16);
+ try {
+ status = shire.sessionIsValid(session_id, buf, target_url.c_str());
+ }
+ catch (ShibTargetException &e) {
+ markupProcessor.insert("errorType", "SHIRE Processing Error");
+ markupProcessor.insert("errorText", e.what());
+ markupProcessor.insert("errorDesc", "An error occurred while processing your request.");
+ return WriteClientError(pfc, shireError.c_str(), markupProcessor);
+ }
+ catch (...) {
+ markupProcessor.insert("errorType", "SHIRE Processing Error");
+ markupProcessor.insert("errorText", "Unexpected Exception");
+ markupProcessor.insert("errorDesc", "An error occurred while processing your request.");
+ return WriteClientError(pfc, shireError.c_str(), markupProcessor);
+ }
+
+ // Check the status
+ if (status->isError()) {
+ if (status->isRetryable()) {
// Redirect to WAYF.
+ delete status;
string wayf("Location: ");
- wayf+=pSite->g_WAYFLocation + "?shire=" + get_shire_location(pfc,pSite,targeturl.c_str()) +
- "&target=" + url_encode(targeturl.c_str()) + "\r\n";
- wayf+="Set-Cookie: " + pSite->g_CookieName + "=; path=/; expires=19-Mar-1971 08:23:00 GMT\r\n";
-
+ wayf+=wayfLocation + "?shire=" + url_encode(shire_url.c_str()) + "&target=" + url_encode(target_url.c_str()) + "\r\n";
// Insert the headers.
pfc->AddResponseHeaders(pfc,const_cast<char*>(wayf.c_str()),0);
pfc->ServerSupportFunction(pfc,SF_REQ_SEND_RESPONSE_HEADER,"302 Please Wait",0,0);
return SF_STATUS_REQ_FINISHED;
}
+ else {
+ // return the error page to the user
+ markupProcessor.insert(*status);
+ delete status;
+ return WriteClientError(pfc, shireError.c_str(), markupProcessor);
+ }
+ }
+ delete status;
+
+ // Move to RM phase.
+ RMConfig rm_config;
+ rm_config.checkIPAddress = config.checkIPAddress;
+ RM rm(rpc_handle,rm_config);
+
+ // Get the attributes.
+ vector<SAMLAssertion*> assertions;
+ SAMLAuthenticationStatement* sso_statement=NULL;
+ status = rm.getAssertions(session_id, buf, target_url.c_str(), assertions, &sso_statement);
+
+ if (status->isError()) {
+ string rmError;
+ if (!ini.get_tag(site.m_name, "rmError", true, &shireError))
+ return WriteClientError(pfc,"The rmError configuration setting is missing, check configuration.");
+
+ markupProcessor.insert(*status);
+ delete status;
+ return WriteClientError(pfc, rmError.c_str(), markupProcessor);
+ }
+ delete status;
+
+ // Only allow a single assertion...
+ if (assertions.size() > 1) {
+ for (int k = 0; k < assertions.size(); k++)
+ delete assertions[k];
+ delete sso_statement;
+ return WriteClientError(pfc, accessError.c_str(), markupProcessor);
+ }
- if (pSite->g_bCheckAddress && entry->getClientAddress())
+ // Get the AAP providers, which contain the attribute policy info.
+ Iterator<IAAP*> provs=ShibConfig::getConfig().getAAPProviders();
+
+ // Clear out the list of mapped attributes
+ while (provs.hasNext())
+ {
+ IAAP* aap=provs.next();
+ aap->lock();
+ try
{
- GetServerVariable(pfc,"REMOTE_ADDR",buf,16);
- if (strcmp(entry->getClientAddress(),buf))
+ Iterator<const IAttributeRule*> rules=aap->getAttributeRules();
+ while (rules.hasNext())
{
- pSite->g_AuthCache.remove(session_id);
- delete entry;
- pSite->g_AuthCache.unlock(); // ---> Release cache lock
- bLocked=false;
-
- log.warn("IP address mismatch detected, clearing session");
-
- string clearcookie("Set-Cookie: ");
- clearcookie+=pSite->g_CookieName + "=; path=/; expires=19-Mar-1971 08:23:00 GMT\r\n";
- pfc->AddResponseHeaders(pfc,const_cast<char*>(clearcookie.c_str()),0);
- return WriteClientError(pfc,
- "Your session was terminated because the network address associated "
- "with it does not match your current address. This is usually caused "
- "by a firewall or proxy of some sort.");
+ const char* header=rules.next()->getHeader();
+ if (header)
+ pn->SetHeader(pfc,const_cast<char*>(header),"");
}
}
-
- // Clear relevant headers.
- pn->SetHeader(pfc,"Shib-Attributes:","");
- pn->SetHeader(pfc,"remote-user:","");
- for (map<string,string>::const_iterator h_iter=g_mapAttribNameToHeader.begin(); h_iter!=g_mapAttribNameToHeader.end(); h_iter++)
- if (h_iter->second!="REMOTE_USER:")
- pn->SetHeader(pfc,const_cast<char*>(h_iter->second.c_str()),"");
-
- if (pSite->g_bExportAssertion)
+ catch(...)
{
- string exp((char*)entry->getSerializedAssertion(targeturl.c_str(),pSite));
- string::size_type lfeed;
- while ((lfeed=exp.find('\n'))!=string::npos)
- exp.erase(lfeed,1);
- pn->SetHeader(pfc,"Shib-Attributes:",const_cast<char*>(exp.c_str()));
+ aap->unlock();
+ for (int k = 0; k < assertions.size(); k++)
+ delete assertions[k];
+ delete sso_statement;
+ throw;
}
- Iterator<SAMLAttribute*> i=entry->getAttributes(targeturl.c_str(),pSite);
-
- while (i.hasNext())
- {
- SAMLAttribute* attr=i.next();
+ aap->unlock();
+ }
+ provs.reset();
- // Are we supposed to export it?
- map<xstring,string>::const_iterator iname=g_mapAttribNames.find(attr->getName());
- if (iname!=g_mapAttribNames.end())
- {
- string hname=g_mapAttribNameToHeader[iname->second];
- Iterator<string> vals=attr->getSingleByteValues();
- if (hname=="REMOTE_USER:" && vals.hasNext())
- {
- char* principal=const_cast<char*>(vals.next().c_str());
- pn->SetHeader(pfc,"remote-user:",principal);
- pfc->pFilterContext=pfc->AllocMem(pfc,strlen(principal)+1,0);
- if (pfc->pFilterContext)
- strcpy(static_cast<char*>(pfc->pFilterContext),principal);
- }
- else
- {
- string header(" ");
- while (vals.hasNext())
- header+=vals.next() + " ";
- pn->SetHeader(pfc,const_cast<char*>(hname.c_str()),const_cast<char*>(header.c_str()));
- }
- }
- }
+ // Clear relevant headers.
+ pn->SetHeader(pfc,"remote-user:","");
+ pn->SetHeader(pfc,"Shib-Attributes:","");
+ pn->SetHeader(pfc,"Shib-Origin-Site:","");
+ pn->SetHeader(pfc,"Shib-Authentication-Method:","");
- pSite->g_AuthCache.unlock(); // ---> Release cache lock
- bLocked=false;
- return SF_STATUS_REQ_NEXT_NOTIFICATION;
+ // Maybe export the assertion.
+ if (ini.get_tag(site.m_name,"exportAssertion",true,&tag) && ShibINI::boolean(tag))
+ {
+ string assertion;
+ RM::serialize(*(assertions[0]), assertion);
+// string::size_type lfeed;
+// while ((lfeed=exp.find('\n'))!=string::npos)
+// exp.erase(lfeed,1);
+ pn->SetHeader(pfc,"Shib-Attributes:",const_cast<char*>(assertion.c_str()));
+ }
+
+ if (sso_statement)
+ {
+ auto_ptr<char> os(XMLString::transcode(sso_statement->getSubject()->getNameQualifier()));
+ auto_ptr<char> am(XMLString::transcode(sso_statement->getAuthMethod()));
+ pn->SetHeader(pfc,"Shib-Origin-Site:", os.get());
+ pn->SetHeader(pfc,"Shib-Authentication-Method:", am.get());
}
- catch (SAMLException& e)
+
+ // Export the attributes. Only supports a single statement.
+ Iterator<SAMLAttribute*> j = assertions.size()==1 ? RM::getAttributes(*(assertions[0])) : EMPTY(SAMLAttribute*);
+ while (j.hasNext())
{
- Iterator<saml::QName> i=e.getCodes();
- int c=0;
- while (i.hasNext())
+ SAMLAttribute* attr=j.next();
+
+ // Are we supposed to export it?
+ const char* hname=NULL;
+ AAP wrapper(attr->getName(),attr->getNamespace());
+ if (!wrapper.fail())
+ hname=wrapper->getHeader();
+ if (hname)
{
- c++;
- saml::QName q=i.next();
- if (c==1 && !XMLString::compareString(q.getNamespaceURI(),saml::XML::SAMLP_NS) &&
- !XMLString::compareString(q.getLocalName(),L(Requester)))
- continue;
- else if (c==2 && !XMLString::compareString(q.getNamespaceURI(),shibboleth::XML::SHIB_NS) &&
- !XMLString::compareString(q.getLocalName(),shibboleth::XML::Literals::InvalidHandle))
+ Iterator<string> vals=attr->getSingleByteValues();
+ if (!strcmp(hname,"REMOTE_USER") && vals.hasNext())
{
- if (!bLocked)
- pSite->g_AuthCache.lock(); // ---> Grab cache lock
- pSite->g_AuthCache.remove(session_id);
- pSite->g_AuthCache.unlock(); // ---> Release cache lock
- delete entry;
-
- log.info("invaliding session due to shib:InvalidHandle code from AA");
-
- // Redirect to WAYF.
- string wayf("Location: ");
- wayf+=pSite->g_WAYFLocation + "?shire=" + get_shire_location(pfc,pSite,targeturl.c_str()) +
- "&target=" + url_encode(targeturl.c_str()) + "\r\n";
- wayf+="Set-Cookie: " + pSite->g_CookieName + "=; path=/; expires=19-Mar-1971 08:23:00 GMT\r\n";
-
- // Insert the headers.
- pfc->AddResponseHeaders(pfc,const_cast<char*>(wayf.c_str()),0);
- pfc->ServerSupportFunction(pfc,SF_REQ_SEND_RESPONSE_HEADER,"302 Please Wait",0,0);
- return SF_STATUS_REQ_FINISHED;
+ char* principal=const_cast<char*>(vals.next().c_str());
+ pn->SetHeader(pfc,"remote-user:",principal);
+ pfc->pFilterContext=pfc->AllocMem(pfc,strlen(principal)+1,0);
+ if (pfc->pFilterContext)
+ strcpy(static_cast<char*>(pfc->pFilterContext),principal);
+ }
+ else
+ {
+ string header;
+ for (int it = 0; vals.hasNext(); it++) {
+ string value = vals.next();
+ for (string::size_type pos = value.find_first_of(";", string::size_type(0)); pos != string::npos; pos = value.find_first_of(";", pos)) {
+ value.insert(pos, "\\");
+ pos += 2;
+ }
+ if (it == 0)
+ header=value;
+ else
+ header=header + ';' + value;
+ }
+ pn->SetHeader(pfc,const_cast<char*>(hname),const_cast<char*>(header.c_str()));
}
- break;
}
- if (bLocked)
- pSite->g_AuthCache.unlock();
- return shib_shar_error(pfc,e);
- }
- catch (XMLException& e)
- {
- if (bLocked)
- pSite->g_AuthCache.unlock();
- auto_ptr<char> msg(XMLString::transcode(e.getMessage()));
- SAMLException ex(SAMLException::RESPONDER,msg.get());
- return shib_shar_error(pfc,ex);
}
+
+ // clean up memory
+ for (int k = 0; k < assertions.size(); k++)
+ delete assertions[k];
+ delete sso_statement;
+
+ return SF_STATUS_REQ_NEXT_NOTIFICATION;
}
catch(bad_alloc)
{
- xmsg="Out of memory.";
- log.error("out of memory");
+ return WriteClientError(pfc,"Out of Memory");
}
catch(DWORD e)
{
if (e==ERROR_NO_DATA)
- xmsg="A required variable or header was empty.";
+ return WriteClientError(pfc,"A required variable or header was empty.");
else
- xmsg="Server detected unexpected IIS error.";
+ WriteClientError(pfc,"Server detected unexpected IIS error.");
}
catch(...)
{
- xmsg="Server caught an unknown exception.";
+ WriteClientError(pfc,"Server caught an unknown exception.");
}
- // If we drop here, the exception handler set the proper message.
- if (bLocked)
- pSite->g_AuthCache.unlock();
- return WriteClientError(pfc,xmsg);
+ return WriteClientError(pfc,"Server reached unreachable code!");
}