-/*
- * The Shibboleth License, Version 1.
- * Copyright (c) 2002
- * University Corporation for Advanced Internet Development, Inc.
- * All rights reserved
- *
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions are met:
- *
- * Redistributions of source code must retain the above copyright notice, this
- * list of conditions and the following disclaimer.
- *
- * Redistributions in binary form must reproduce the above copyright notice,
- * this list of conditions and the following disclaimer in the documentation
- * and/or other materials provided with the distribution, if any, must include
- * the following acknowledgment: "This product includes software developed by
- * the University Corporation for Advanced Internet Development
- * <http://www.ucaid.edu>Internet2 Project. Alternately, this acknowledegement
- * may appear in the software itself, if and wherever such third-party
- * acknowledgments normally appear.
- *
- * Neither the name of Shibboleth nor the names of its contributors, nor
- * Internet2, nor the University Corporation for Advanced Internet Development,
- * Inc., nor UCAID may be used to endorse or promote products derived from this
- * software without specific prior written permission. For written permission,
- * please contact shibboleth@shibboleth.org
- *
- * Products derived from this software may not be called Shibboleth, Internet2,
- * UCAID, or the University Corporation for Advanced Internet Development, nor
- * may Shibboleth appear in their name, without prior written permission of the
- * University Corporation for Advanced Internet Development.
- *
- *
- * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
- * AND WITH ALL FAULTS. ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
- * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A
- * PARTICULAR PURPOSE, AND NON-INFRINGEMENT ARE DISCLAIMED AND THE ENTIRE RISK
- * OF SATISFACTORY QUALITY, PERFORMANCE, ACCURACY, AND EFFORT IS WITH LICENSEE.
- * IN NO EVENT SHALL THE COPYRIGHT OWNER, CONTRIBUTORS OR THE UNIVERSITY
- * CORPORATION FOR ADVANCED INTERNET DEVELOPMENT, INC. BE LIABLE FOR ANY DIRECT,
- * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
- * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
- * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
- * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+/*
+ * Copyright 2001-2007 Internet2
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
*/
/* Metadata.h - glue classes that interface to metadata providers
*/
#include "internal.h"
+#include <xmltooling/util/NDC.h>
using namespace shibboleth;
+using namespace opensaml::saml2md;
using namespace saml;
using namespace std;
-const IEntityDescriptor* Metadata::lookup(const XMLCh* id)
-{
- if (m_mapper) {
- m_mapper->unlock();
- m_mapper=NULL;
- }
- const IEntityDescriptor* ret=NULL;
- m_metadatas.reset();
- while (m_metadatas.hasNext()) {
- IMetadata* i=m_metadatas.next();
- i->lock();
- if (ret=i->lookup(id)) {
- m_mapper=i;
- return ret;
- }
- i->unlock();
- }
- return NULL;
-}
-
-const IEntityDescriptor* Metadata::lookup(const SAMLArtifact* artifact)
-{
- if (m_mapper) {
- m_mapper->unlock();
- m_mapper=NULL;
- }
- const IEntityDescriptor* ret=NULL;
- m_metadatas.reset();
- while (m_metadatas.hasNext()) {
- IMetadata* i=m_metadatas.next();
- i->lock();
- if (ret=i->lookup(artifact)) {
- m_mapper=i;
- return ret;
- }
- i->unlock();
- }
- return NULL;
-}
-
-Metadata::~Metadata()
-{
- if (m_mapper)
- m_mapper->unlock();
-}
-
-Iterator<void*> Revocation::getRevocationLists(const IEntityDescriptor* provider, const IRoleDescriptor* role)
-{
- if (m_mapper) {
- m_mapper->unlock();
- m_mapper=NULL;
- }
- m_revocations.reset();
- while (m_revocations.hasNext()) {
- IRevocation* i=m_revocations.next();
- i->lock();
- Iterator<void*> ret=i->getRevocationLists(provider,role);
- if (ret.size()) {
- m_mapper=i;
- return ret;
- }
- i->unlock();
- }
- return EMPTY(void*);
-}
-
-Revocation::~Revocation()
-{
- if (m_mapper)
- m_mapper->unlock();
-}
-
-bool Trust::validate(
- const Iterator<IRevocation*>& revocations,
- const IRoleDescriptor* role, const SAMLSignedObject& token,
- const Iterator<IMetadata*>& metadatas) const
-{
- m_trusts.reset();
- while (m_trusts.hasNext()) {
- if (m_trusts.next()->validate(revocations,role,token,metadatas))
- return true;
- }
- return false;
-}
-
-bool Trust::attach(const Iterator<IRevocation*>& revocations, const IRoleDescriptor* role, void* ctx) const
-{
- m_trusts.reset();
- while (m_trusts.hasNext()) {
- if (m_trusts.next()->attach(revocations,role,ctx))
- return true;
- }
- return false;
-}
-
-const ICredResolver* Credentials::lookup(const char* id)
-{
- if (m_mapper) {
- m_mapper->unlock();
- m_mapper=NULL;
- }
- const ICredResolver* ret=NULL;
- m_creds.reset();
- while (m_creds.hasNext()) {
- ICredentials* i=m_creds.next();
- i->lock();
- if (ret=i->lookup(id)) {
- m_mapper=i;
- return ret;
- }
- i->unlock();
- }
- return NULL;
-}
-
-Credentials::~Credentials()
-{
- if (m_mapper)
- m_mapper->unlock();
-}
-
AAP::AAP(const saml::Iterator<IAAP*>& aaps, const XMLCh* attrName, const XMLCh* attrNamespace) : m_mapper(NULL), m_rule(NULL)
{
aaps.reset();
while (aaps.hasNext()) {
- IAAP* i=aaps.next();
- i->lock();
- if (m_rule=i->lookup(attrName,attrNamespace)) {
- m_mapper=i;
+ m_mapper=aaps.next();
+ m_mapper->lock();
+ if (m_rule=m_mapper->lookup(attrName,attrNamespace)) {
break;
}
- i->unlock();
+ m_mapper->unlock();
+ m_mapper=NULL;
}
}
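Review bot: The rewritten loop body in AAP::AAP (`m_mapper->lock();` followed by `m_mapper->lookup(attrName,attrNamespace)`) still leaves the provider locked if lookup() throws, and because a throwing constructor never runs ~AAP, nothing will ever call unlock() on it; the same pattern is repeated in the alias-based constructor in the next hunk. The rest of this commit moves AAP::apply to the RAII `xmltooling::Locker`, but that cannot be used here because the lock must outlive the constructor, so the lookup needs an explicit unwind path. I would also make the assignment-in-condition explicit (`if ((m_rule=m_mapper->lookup(attrName,attrNamespace)) != NULL)`) so the intent is clear to readers and compilers. Whether lookup() can actually throw is not visible in this hunk; the guard is cheap either way.
```cpp
    while (aaps.hasNext()) {
        m_mapper=aaps.next();
        m_mapper->lock();
        try {
            if ((m_rule=m_mapper->lookup(attrName,attrNamespace)) != NULL)
                break;
        }
        catch (...) {
            // Constructor will not complete, so ~AAP cannot release this lock.
            m_mapper->unlock();
            m_mapper=NULL;
            throw;
        }
        m_mapper->unlock();
        m_mapper=NULL;
    }
```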
{
aaps.reset();
while (aaps.hasNext()) {
- IAAP* i=aaps.next();
- i->lock();
- if (m_rule=i->lookup(alias)) {
- m_mapper=i;
+ m_mapper=aaps.next();
+ m_mapper->lock();
+ if (m_rule=m_mapper->lookup(alias)) {
break;
}
- i->unlock();
+ m_mapper->unlock();
+ m_mapper=NULL;
}
}
AAP::~AAP()
{
- if (m_mapper)
+ if (m_mapper) {
m_mapper->unlock();
+ m_mapper=NULL;
+ }
}
-void AAP::apply(const saml::Iterator<IAAP*>& aaps, saml::SAMLAssertion& assertion, const IRoleDescriptor* role)
+void AAP::apply(const saml::Iterator<IAAP*>& aaps, saml::SAMLAssertion& assertion, const RoleDescriptor* role)
{
- saml::NDC("apply");
+#ifdef _DEBUG
+ xmltooling::NDC("apply");
+#endif
log4cpp::Category& log=log4cpp::Category::getInstance(SHIB_LOGCAT".AAP");
// First check for no providers or AnyAttribute.
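Review bot: `xmltooling::NDC("apply");` creates an unnamed temporary that is destroyed at the end of that statement, so if NDC is a push/pop diagnostic-context guard (as its name and the original `saml::NDC("apply")` suggest) the "apply" context is popped before any of the log calls below it run and never appears in the log output. Give the guard a name so it lives to the end of the function: `xmltooling::NDC ndc("apply");`. The `#ifdef _DEBUG` wrapper is fine as is. AAP::apply continues past the end of this hunk.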
}
aaps.reset();
while (aaps.hasNext()) {
- if (aaps.next()->anyAttribute()) {
+ IAAP* p=aaps.next();
+ xmltooling::Locker locker(p);
+ if (p->anyAttribute()) {
log.info("any attribute enabled, accepting entire assertion");
return;
}
// Check each attribute, applying any matching rules.
Iterator<SAMLAttribute*> attrs=s->getAttributes();
- for (long acount=0; acount < attrs.size();) {
+ for (unsigned long acount=0; acount < attrs.size();) {
SAMLAttribute* a=attrs[acount];
bool ruleFound=false;
aaps.reset();
while (aaps.hasNext()) {
IAAP* i=aaps.next();
- i->lock();
+ xmltooling::Locker locker(i);
if (rule=i->lookup(a->getName(),a->getNamespace())) {
ruleFound=true;
try {
rule->apply(*a,role);
- i->unlock();
}
catch (SAMLException&) {
// The attribute is now defunct.
- i->unlock();
log.info("no values remain, removing attribute");
s->removeAttribute(acount--);
break;