/*
- * The Shibboleth License, Version 1.
- * Copyright (c) 2002
- * University Corporation for Advanced Internet Development, Inc.
- * All rights reserved
+ * Copyright 2001-2007 Internet2
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
*
+ * http://www.apache.org/licenses/LICENSE-2.0
*
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions are met:
- *
- * Redistributions of source code must retain the above copyright notice, this
- * list of conditions and the following disclaimer.
- *
- * Redistributions in binary form must reproduce the above copyright notice,
- * this list of conditions and the following disclaimer in the documentation
- * and/or other materials provided with the distribution, if any, must include
- * the following acknowledgment: "This product includes software developed by
- * the University Corporation for Advanced Internet Development
- * <http://www.ucaid.edu>Internet2 Project. Alternately, this acknowledegement
- * may appear in the software itself, if and wherever such third-party
- * acknowledgments normally appear.
- *
- * Neither the name of Shibboleth nor the names of its contributors, nor
- * Internet2, nor the University Corporation for Advanced Internet Development,
- * Inc., nor UCAID may be used to endorse or promote products derived from this
- * software without specific prior written permission. For written permission,
- * please contact shibboleth@shibboleth.org
- *
- * Products derived from this software may not be called Shibboleth, Internet2,
- * UCAID, or the University Corporation for Advanced Internet Development, nor
- * may Shibboleth appear in their name, without prior written permission of the
- * University Corporation for Advanced Internet Development.
- *
- *
- * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
- * AND WITH ALL FAULTS. ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
- * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A
- * PARTICULAR PURPOSE, AND NON-INFRINGEMENT ARE DISCLAIMED AND THE ENTIRE RISK
- * OF SATISFACTORY QUALITY, PERFORMANCE, ACCURACY, AND EFFORT IS WITH LICENSEE.
- * IN NO EVENT SHALL THE COPYRIGHT OWNER, CONTRIBUTORS OR THE UNIVERSITY
- * CORPORATION FOR ADVANCED INTERNET DEVELOPMENT, INC. BE LIABLE FOR ANY DIRECT,
- * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
- * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
- * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
- * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
*/
-
/* ShibConfig.cpp - Shibboleth runtime configuration
Scott Cantor
$History:$
*/
-#include <time.h>
-#include <sys/types.h>
-#include <sys/stat.h>
-
#define SHIB_INSTANTIATE
-
#include "internal.h"
-#include <log4cpp/Category.hh>
+
+#include <ctime>
+#include <sys/types.h>
+#include <sys/stat.h>
#include <openssl/err.h>
+#include <xmltooling/util/Threads.h>
using namespace saml;
using namespace shibboleth;
+using namespace xmltooling;
using namespace log4cpp;
using namespace std;
-SAML_EXCEPTION_FACTORY(UnsupportedProtocolException);
-SAML_EXCEPTION_FACTORY(MetadataException);
namespace {
- ShibInternalConfig g_config;
-}
-
-ShibConfig::~ShibConfig() {}
-
-extern "C" IMetadata* XMLMetadataFactory(const char* source)
-{
- return new XMLMetadata(source);
-}
-
-extern "C" ITrust* XMLTrustFactory(const char* source)
-{
- return new XMLTrust(source);
-}
-
-extern "C" ICredentials* XMLCredentialsFactory(const char* source)
-{
- return new XMLCredentials(source);
-}
-
-extern "C" IAAP* XMLAAPFactory(const char* source)
-{
- return new XMLAAP(source);
+ ShibConfig g_config;
+ vector<Mutex*> g_openssl_locks;
+#ifdef HAVE_GOOD_STL
+ map<xmltooling::xstring,const IAttributeFactory*> attrMap;
+#else
+ map<XMLCh*,const IAttributeFactory*> attrMap;
+#endif
}
extern "C" SAMLAttribute* ShibAttributeFactory(DOMElement* e)
{
- DOMNode* n=e->getFirstChild();
- while (n && n->getNodeType()!=DOMNode::ELEMENT_NODE)
- n=n->getNextSibling();
- if (n && static_cast<DOMElement*>(n)->hasAttributeNS(NULL,SHIB_L(Scope)))
+ // First check for an explicit factory.
+#ifdef HAVE_GOOD_STL
+ map<xmltooling::xstring,const IAttributeFactory*>::const_iterator i=attrMap.find(e->getAttributeNS(NULL,L(AttributeName)));
+#else
+ const XMLCh* aname=e->getAttributeNS(NULL,L(AttributeName));
+ map<XMLCh*,const IAttributeFactory*>::const_iterator i;
+ for (i=attrMap.begin(); i!=attrMap.end(); i++)
+ if (!XMLString::compareString(aname,i->first))
+ break;
+#endif
+ if (i!=attrMap.end())
+ return i->second->build(e);
+
+ // Now check for a Scope attribute to ensure proper value handling whenever possible.
+ DOMElement* n=saml::XML::getFirstChildElement(e,saml::XML::SAML_NS,L(AttributeValue));
+ if (n && n->hasAttributeNS(NULL,ScopedAttribute::Scope))
return new ScopedAttribute(e);
- return new SimpleAttribute(e);
-}
-
-
-bool ShibInternalConfig::init()
-{
- saml::NDC ndc("init");
-
- REGISTER_EXCEPTION_FACTORY(edu.internet2.middleware.shibboleth.common,UnsupportedProtocolException);
- REGISTER_EXCEPTION_FACTORY(edu.internet2.middleware.shibboleth.common,MetadataException);
-
- // Register extension schema.
- saml::XML::registerSchema(XML::SHIB_NS,XML::SHIB_SCHEMA_ID);
-
- regFactory("edu.internet2.middleware.shibboleth.metadata.XML",&XMLMetadataFactory);
- regFactory("edu.internet2.middleware.shibboleth.trust.XML",&XMLTrustFactory);
- regFactory("edu.internet2.middleware.shibboleth.creds.XML",&XMLCredentialsFactory);
- regFactory("edu.internet2.middleware.shibboleth.target.AAP.XML",&XMLAAPFactory);
- regFactory("edu.internet2.middleware.shibboleth.target.AttributeFactory",&ShibAttributeFactory);
-
- return true;
+
+ // Just use the default class.
+ return new SAMLAttribute(e);
}
-void ShibInternalConfig::term()
+void ShibConfig::regAttributeMapping(const XMLCh* name, const IAttributeFactory* factory)
{
- for (vector<IMetadata*>::iterator i=m_providers.begin(); i!=m_providers.end(); i++)
- delete *i;
- for (vector<ITrust*>::iterator j=m_trust_providers.begin(); j!=m_trust_providers.end(); j++)
- delete *j;
- for (vector<ICredentials*>::iterator k=m_cred_providers.begin(); k!=m_cred_providers.end(); k++)
- delete *k;
- for (vector<IAAP*>::iterator l=m_aap_providers.begin(); l!=m_aap_providers.end(); l++)
- delete *l;
-}
-
-void ShibInternalConfig::regFactory(const char* type, MetadataFactory* factory)
-{
- if (type && factory)
- m_metadataFactoryMap[type]=factory;
+ if (name && factory) {
+#ifdef HAVE_GOOD_STL
+ attrMap[name]=factory;
+#else
+ attrMap.insert(make_pair(XMLString::replicate(name),factory));
+#endif
+ }
}
-void ShibInternalConfig::regFactory(const char* type, TrustFactory* factory)
+void ShibConfig::unregAttributeMapping(const XMLCh* name)
{
- if (type && factory)
- m_trustFactoryMap[type]=factory;
+ if (name) {
+#ifdef HAVE_GOOD_STL
+ attrMap.erase(name);
+#else
+ for (map<XMLCh*,const IAttributeFactory*>::iterator i=attrMap.begin(); i!=attrMap.end(); i++) {
+ if (!XMLString::compareString(name,i->first)) {
+ XMLCh* temp=i->first;
+ XMLString::release(&temp);
+ attrMap.erase(i);
+ break;
+ }
+ }
+#endif
+ }
}
-void ShibInternalConfig::regFactory(const char* type, CredentialsFactory* factory)
+void ShibConfig::clearAttributeMappings()
{
- if (type && factory)
- {
- m_credFactoryMap[type]=factory;
- SAMLConfig::getConfig().binding_defaults.ssl_ctx_callback=ssl_ctx_callback;
+#ifndef HAVE_GOOD_STL
+ for (map<XMLCh*,const IAttributeFactory*>::iterator i=attrMap.begin(); i!=attrMap.end(); i++) {
+ XMLCh* temp=i->first;
+ XMLString::release(&temp);
}
+#endif
+ attrMap.clear();
}
-void ShibInternalConfig::regFactory(const char* type, AAPFactory* factory)
+extern "C" void openssl_locking_callback(int mode,int n,const char *file,int line)
{
- if (type && factory)
- m_aapFactoryMap[type]=factory;
+ if (mode & CRYPTO_LOCK)
+ g_openssl_locks[n]->lock();
+ else
+ g_openssl_locks[n]->unlock();
}
-void ShibInternalConfig::regFactory(const char* type, SAMLAttributeFactory* factory)
+#ifndef WIN32
+extern "C" unsigned long openssl_thread_id(void)
{
- if (type && factory)
- m_attrFactoryMap[type]=factory;
+ return (unsigned long)(pthread_self());
}
+#endif
-void ShibInternalConfig::unregFactory(const char* type)
+bool ShibConfig::init()
{
- if (type)
- {
- m_metadataFactoryMap.erase(type);
- m_trustFactoryMap.erase(type);
- m_credFactoryMap.erase(type);
- m_aapFactoryMap.erase(type);
- }
-}
+ // Set up OpenSSL locking.
+ for (int i=0; i<CRYPTO_num_locks(); i++)
+ g_openssl_locks.push_back(Mutex::create());
+ CRYPTO_set_locking_callback(openssl_locking_callback);
+#ifndef WIN32
+ CRYPTO_set_id_callback(openssl_thread_id);
+#endif
-SAMLAttributeFactory* ShibInternalConfig::getAttributeFactory(const char* type) const
-{
- AttributeFactoryMap::const_iterator i =
- m_attrFactoryMap.find((type && *type) ? type : "edu.internet2.middleware.shibboleth.target.AttributeFactory");
- if (i==m_attrFactoryMap.end())
- {
- saml::NDC ndc("getAttributeFactory");
- Category::getInstance(SHIB_LOGCAT".ShibInternalConfig").error("unknown attribute factory: %s",type);
- return NULL;
- }
- return i->second;
+ SAMLAttribute::setFactory(&ShibAttributeFactory);
+ return true;
}
-bool ShibInternalConfig::addMetadata(const char* type, const char* source)
+void ShibConfig::term()
{
- saml::NDC ndc("addMetadata");
-
- bool ret=false;
- try
- {
- MetadataFactoryMap::const_iterator i=m_metadataFactoryMap.find(type);
- if (i!=m_metadataFactoryMap.end())
- {
- m_providers.push_back((i->second)(source));
- ret=true;
- }
- else
- {
- TrustFactoryMap::const_iterator j=m_trustFactoryMap.find(type);
- if (j!=m_trustFactoryMap.end())
- {
- m_trust_providers.push_back((j->second)(source));
- ret=true;
- }
- else
- {
- CredentialsFactoryMap::const_iterator k=m_credFactoryMap.find(type);
- if (k!=m_credFactoryMap.end())
- {
- m_cred_providers.push_back((k->second)(source));
- ret=true;
- }
- else
- {
- AAPFactoryMap::const_iterator l=m_aapFactoryMap.find(type);
- if (l!=m_aapFactoryMap.end())
- {
- m_aap_providers.push_back((l->second)(source));
- ret=true;
- }
- else
- throw MetadataException("ShibConfig::addMetadata() unable to locate a metadata factory of the requested type");
- }
- }
- }
- }
- catch (SAMLException& e)
- {
- Category::getInstance(SHIB_LOGCAT".ShibConfig").error(
- "failed to add %s provider to system using source '%s': %s", type, source, e.what()
- );
- }
- catch (...)
- {
- Category::getInstance(SHIB_LOGCAT".ShibConfig").error(
- "failed to add %s provider to system using source '%s': unknown exception", type, source
- );
- }
- return ret;
+ SAMLAttribute::setFactory(NULL);
+ clearAttributeMappings();
+
+ CRYPTO_set_locking_callback(NULL);
+ for (vector<Mutex*>::iterator j=g_openssl_locks.begin(); j!=g_openssl_locks.end(); j++)
+ delete (*j);
+ g_openssl_locks.clear();
}
ShibConfig& ShibConfig::getConfig()
{
return g_config;
}
-
-void shibboleth::log_openssl()
-{
- const char* file;
- const char* data;
- int flags,line;
-
- unsigned long code=ERR_get_error_line_data(&file,&line,&data,&flags);
- while (code)
- {
- Category& log=Category::getInstance("OpenSSL");
- log.errorStream() << "error code: " << code << " in " << file << ", line " << line << CategoryStream::ENDLINE;
- if (data && (flags & ERR_TXT_STRING))
- log.errorStream() << "error data: " << data << CategoryStream::ENDLINE;
- code=ERR_get_error_line_data(&file,&line,&data,&flags);
- }
-}
-
-X509* shibboleth::B64_to_X509(const char* buf)
-{
- BIO* bmem = BIO_new_mem_buf((void*)buf,-1);
- BIO* b64 = BIO_new(BIO_f_base64());
- b64 = BIO_push(b64, bmem);
- X509* x=NULL;
- d2i_X509_bio(b64,&x);
- if (!x)
- log_openssl();
- BIO_free_all(b64);
- return x;
-}