-/*
- * The Shibboleth License, Version 1.
- * Copyright (c) 2002
- * University Corporation for Advanced Internet Development, Inc.
- * All rights reserved
- *
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions are met:
- *
- * Redistributions of source code must retain the above copyright notice, this
- * list of conditions and the following disclaimer.
- *
- * Redistributions in binary form must reproduce the above copyright notice,
- * this list of conditions and the following disclaimer in the documentation
- * and/or other materials provided with the distribution, if any, must include
- * the following acknowledgment: "This product includes software developed by
- * the University Corporation for Advanced Internet Development
- * <http://www.ucaid.edu>Internet2 Project. Alternately, this acknowledegement
- * may appear in the software itself, if and wherever such third-party
- * acknowledgments normally appear.
- *
- * Neither the name of Shibboleth nor the names of its contributors, nor
- * Internet2, nor the University Corporation for Advanced Internet Development,
- * Inc., nor UCAID may be used to endorse or promote products derived from this
- * software without specific prior written permission. For written permission,
- * please contact shibboleth@shibboleth.org
- *
- * Products derived from this software may not be called Shibboleth, Internet2,
- * UCAID, or the University Corporation for Advanced Internet Development, nor
- * may Shibboleth appear in their name, without prior written permission of the
- * University Corporation for Advanced Internet Development.
- *
- *
- * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
- * AND WITH ALL FAULTS. ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
- * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A
- * PARTICULAR PURPOSE, AND NON-INFRINGEMENT ARE DISCLAIMED AND THE ENTIRE RISK
- * OF SATISFACTORY QUALITY, PERFORMANCE, ACCURACY, AND EFFORT IS WITH LICENSEE.
- * IN NO EVENT SHALL THE COPYRIGHT OWNER, CONTRIBUTORS OR THE UNIVERSITY
- * CORPORATION FOR ADVANCED INTERNET DEVELOPMENT, INC. BE LIABLE FOR ANY DIRECT,
- * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
- * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
- * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
- * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+/*
+ * Copyright 2001-2007 Internet2
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
*/
/* Metadata.h - glue classes that interface to metadata providers
*/
#include "internal.h"
-#include <log4cpp/Category.hh>
+#include <xmltooling/util/NDC.h>
using namespace shibboleth;
+using namespace opensaml::saml2md;
using namespace saml;
using namespace std;
-OriginMetadata::OriginMetadata(const Iterator<IMetadata*>& metadatas, const XMLCh* site) : m_mapper(NULL), m_site(NULL)
-{
- metadatas.reset();
- while (metadatas.hasNext())
- {
- IMetadata* i=metadatas.next();
- i->lock();
- if (m_site=dynamic_cast<const IOriginSite*>(i->lookup(site)))
- {
- m_mapper=i;
- break;
- }
- i->unlock();
- }
-}
-
-OriginMetadata::~OriginMetadata()
-{
- if (m_mapper)
- m_mapper->unlock();
-}
-
-Iterator<XSECCryptoX509*> Trust::getCertificates(const XMLCh* subject)
-{
- if (m_mapper)
- {
- m_mapper->unlock();
- m_mapper=NULL;
- }
-
- m_trusts.reset();
- while (m_trusts.hasNext())
- {
- ITrust* i=m_trusts.next();
- i->lock();
- Iterator<XSECCryptoX509*> iter=i->getCertificates(subject);
- if (iter.size())
- {
- m_mapper=i;
- return iter;
- }
- i->unlock();
- }
- return EMPTY(XSECCryptoX509*);
-}
-
-bool Trust::validate(const ISite* site, Iterator<XSECCryptoX509*> certs) const
-{
- bool ret=false;
- m_trusts.reset();
- while (!ret && m_trusts.hasNext())
- {
- ITrust* i=m_trusts.next();
- i->lock();
- ret=i->validate(site,certs);
- i->unlock();
- }
- return ret;
-}
-
-bool Trust::validate(const ISite* site, Iterator<const XMLCh*> certs) const
-{
- bool ret=false;
- m_trusts.reset();
- while (!ret && m_trusts.hasNext())
- {
- ITrust* i=m_trusts.next();
- i->lock();
- ret=i->validate(site,certs);
- i->unlock();
- }
- return ret;
-}
-
-bool Trust::attach(const ISite* site, SSL_CTX* ctx) const
-{
- bool ret=false;
- m_trusts.reset();
- while (!ret && m_trusts.hasNext())
- {
- ITrust* i=m_trusts.next();
- i->lock();
- ret=i->attach(site,ctx);
- i->unlock();
- }
- return ret;
-}
-
-Trust::~Trust()
-{
- if (m_mapper)
- m_mapper->unlock();
-}
-
-bool Credentials::attach(const saml::Iterator<ICredentials*>& creds, const XMLCh* subject, const ISite* relyingParty, SSL_CTX* ctx)
-{
- bool ret=false;
- creds.reset();
- while (!ret && creds.hasNext())
- {
- ICredentials* i=creds.next();
- i->lock();
- ret=i->attach(subject,relyingParty,ctx);
- i->unlock();
-
- }
- return ret;
-}
-
AAP::AAP(const saml::Iterator<IAAP*>& aaps, const XMLCh* attrName, const XMLCh* attrNamespace) : m_mapper(NULL), m_rule(NULL)
{
aaps.reset();
- while (aaps.hasNext())
- {
- IAAP* i=aaps.next();
- i->lock();
- if (m_rule=i->lookup(attrName,attrNamespace))
- {
- m_mapper=i;
+ while (aaps.hasNext()) {
+ m_mapper=aaps.next();
+ m_mapper->lock();
+ if (m_rule=m_mapper->lookup(attrName,attrNamespace)) {
break;
}
- i->unlock();
+ m_mapper->unlock();
+ m_mapper=NULL;
}
}
AAP::AAP(const saml::Iterator<IAAP*>& aaps, const char* alias) : m_mapper(NULL), m_rule(NULL)
{
aaps.reset();
- while (aaps.hasNext())
- {
- IAAP* i=aaps.next();
- i->lock();
- if (m_rule=i->lookup(alias))
- {
- m_mapper=i;
+ while (aaps.hasNext()) {
+ m_mapper=aaps.next();
+ m_mapper->lock();
+ if (m_rule=m_mapper->lookup(alias)) {
break;
}
- i->unlock();
+ m_mapper->unlock();
+ m_mapper=NULL;
}
}
AAP::~AAP()
{
- if (m_mapper)
+ if (m_mapper) {
m_mapper->unlock();
+ m_mapper=NULL;
+ }
}
-void AAP::apply(const saml::Iterator<IAAP*>& aaps, const IOriginSite* originSite, saml::SAMLAssertion& assertion)
+void AAP::apply(const saml::Iterator<IAAP*>& aaps, saml::SAMLAssertion& assertion, const RoleDescriptor* role)
{
- saml::NDC("apply");
+#ifdef _DEBUG
+ xmltooling::NDC("apply");
+#endif
log4cpp::Category& log=log4cpp::Category::getInstance(SHIB_LOGCAT".AAP");
+ // First check for no providers or AnyAttribute.
+ if (aaps.size()==0) {
+ log.info("no filters specified, accepting entire assertion");
+ return;
+ }
+ aaps.reset();
+ while (aaps.hasNext()) {
+ IAAP* p=aaps.next();
+ xmltooling::Locker locker(p);
+ if (p->anyAttribute()) {
+ log.info("any attribute enabled, accepting entire assertion");
+ return;
+ }
+ }
+
// Check each statement.
+ const IAttributeRule* rule=NULL;
Iterator<SAMLStatement*> statements=assertion.getStatements();
for (unsigned int scount=0; scount < statements.size();) {
SAMLAttributeStatement* s=dynamic_cast<SAMLAttributeStatement*>(statements[scount]);
- if (!s)
+ if (!s) {
+ scount++;
continue;
+ }
- // Check each attribute.
+ // Check each attribute, applying any matching rules.
Iterator<SAMLAttribute*> attrs=s->getAttributes();
- for (unsigned int acount=0; acount < attrs.size();) {
+ for (unsigned long acount=0; acount < attrs.size();) {
SAMLAttribute* a=attrs[acount];
-
- AAP rule(aaps,a->getName(),a->getNamespace());
- if (rule.fail()) {
+ bool ruleFound=false;
+ aaps.reset();
+ while (aaps.hasNext()) {
+ IAAP* i=aaps.next();
+ xmltooling::Locker locker(i);
+ if (rule=i->lookup(a->getName(),a->getNamespace())) {
+ ruleFound=true;
+ try {
+ rule->apply(*a,role);
+ }
+ catch (SAMLException&) {
+ // The attribute is now defunct.
+ log.info("no values remain, removing attribute");
+ s->removeAttribute(acount--);
+ break;
+ }
+ }
+ }
+ if (!ruleFound) {
if (log.isWarnEnabled()) {
auto_ptr_char temp(a->getName());
log.warn("no rule found for attribute (%s), filtering it out",temp.get());
}
- s->removeAttribute(acount);
- continue;
- }
-
- try {
- rule->apply(originSite,*a);
- acount++;
- }
- catch (SAMLException&) {
- // The attribute is now defunct.
- log.info("no values remain, removing attribute");
- s->removeAttribute(acount);
+ s->removeAttribute(acount--);
}
+ acount++;
}
try {