/*
- * The Shibboleth License, Version 1.
- * Copyright (c) 2002
- * University Corporation for Advanced Internet Development, Inc.
- * All rights reserved
+ * Copyright 2001-2005 Internet2
*
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
*
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions are met:
+ * http://www.apache.org/licenses/LICENSE-2.0
*
- * Redistributions of source code must retain the above copyright notice, this
- * list of conditions and the following disclaimer.
- *
- * Redistributions in binary form must reproduce the above copyright notice,
- * this list of conditions and the following disclaimer in the documentation
- * and/or other materials provided with the distribution, if any, must include
- * the following acknowledgment: "This product includes software developed by
- * the University Corporation for Advanced Internet Development
- * <http://www.ucaid.edu>Internet2 Project. Alternately, this acknowledegement
- * may appear in the software itself, if and wherever such third-party
- * acknowledgments normally appear.
- *
- * Neither the name of Shibboleth nor the names of its contributors, nor
- * Internet2, nor the University Corporation for Advanced Internet Development,
- * Inc., nor UCAID may be used to endorse or promote products derived from this
- * software without specific prior written permission. For written permission,
- * please contact shibboleth@shibboleth.org
- *
- * Products derived from this software may not be called Shibboleth, Internet2,
- * UCAID, or the University Corporation for Advanced Internet Development, nor
- * may Shibboleth appear in their name, without prior written permission of the
- * University Corporation for Advanced Internet Development.
- *
- *
- * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
- * AND WITH ALL FAULTS. ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
- * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A
- * PARTICULAR PURPOSE, AND NON-INFRINGEMENT ARE DISCLAIMED AND THE ENTIRE RISK
- * OF SATISFACTORY QUALITY, PERFORMANCE, ACCURACY, AND EFFORT IS WITH LICENSEE.
- * IN NO EVENT SHALL THE COPYRIGHT OWNER, CONTRIBUTORS OR THE UNIVERSITY
- * CORPORATION FOR ADVANCED INTERNET DEVELOPMENT, INC. BE LIABLE FOR ANY DIRECT,
- * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
- * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
- * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
- * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
*/
-
/* shib.h - Shibboleth header file
Scott Cantor
#ifndef __shib_h__
#define __shib_h__
+#include <xmltooling/util/Threads.h>
+
#include <saml/saml.h>
-#include <openssl/ssl.h>
+#include <xsec/xenc/XENCEncryptionMethod.hpp>
#ifdef WIN32
# ifndef SHIB_EXPORTS
# define SHIB_EXPORTS
#endif
-#define SHIB_L(s) shibboleth::XML::Literals::s
-#define SHIB_L_QNAME(p,s) shibboleth::XML::Literals::p##_##s
-
namespace shibboleth
{
- #define DECLARE_SHIB_EXCEPTION(name,base) \
- class SHIB_EXPORTS name : public saml::base \
- { \
- public: \
- name(const char* msg) : saml::base(msg) {RTTI(name);} \
- name(const std::string& msg) : saml::base(msg) {RTTI(name);} \
- name(const saml::Iterator<saml::QName>& codes, const char* msg) : saml::base(codes,msg) {RTTI(name);} \
- name(const saml::Iterator<saml::QName>& codes, const std::string& msg) : saml::base(codes, msg) {RTTI(name);} \
- name(const saml::QName& code, const char* msg) : saml::base(code,msg) {RTTI(name);} \
- name(const saml::QName& code, const std::string& msg) : saml::base(code, msg) {RTTI(name);} \
- name(DOMElement* e) : saml::base(e) {RTTI(name);} \
- name(std::istream& in) : saml::base(in) {RTTI(name);} \
- virtual ~name() throw () {} \
- }
-
- DECLARE_SHIB_EXCEPTION(UnsupportedProtocolException,SAMLException);
- DECLARE_SHIB_EXCEPTION(MetadataException,SAMLException);
-
- // Metadata abstract interfaces
+ DECLARE_SAML_EXCEPTION(SHIB_EXPORTS,ResourceAccessException,SAMLException);
+ DECLARE_SAML_EXCEPTION(SHIB_EXPORTS,MetadataException,SAMLException);
+ DECLARE_SAML_EXCEPTION(SHIB_EXPORTS,CredentialException,SAMLException);
+ DECLARE_SAML_EXCEPTION(SHIB_EXPORTS,InvalidHandleException,SAMLException);
+ DECLARE_SAML_EXCEPTION(SHIB_EXPORTS,InvalidSessionException,RetryableProfileException);
+
+ // Metadata abstract interfaces, based on SAML 2.0
- struct SHIB_EXPORTS IContactInfo
+ struct SHIB_EXPORTS IContactPerson
{
- enum ContactType { technical, administrative, billing, other };
+ enum ContactType { technical, support, administrative, billing, other };
virtual ContactType getType() const=0;
- virtual const char* getName() const=0;
- virtual const char* getEmail() const=0;
- virtual ~IContactInfo() {}
+ virtual const char* getCompany() const=0;
+ virtual const char* getGivenName() const=0;
+ virtual const char* getSurName() const=0;
+ virtual saml::Iterator<std::string> getEmailAddresses() const=0;
+ virtual saml::Iterator<std::string> getTelephoneNumbers() const=0;
+ virtual const DOMElement* getElement() const=0;
+ virtual ~IContactPerson() {}
};
- struct SHIB_EXPORTS ISite
+ struct SHIB_EXPORTS IOrganization
{
- virtual const XMLCh* getName() const=0;
- virtual saml::Iterator<const XMLCh*> getGroups() const=0;
- virtual saml::Iterator<const IContactInfo*> getContacts() const=0;
+ virtual const char* getName(const char* lang="en") const=0;
+ virtual const char* getDisplayName(const char* lang="en") const=0;
+ virtual const char* getURL(const char* lang="en") const=0;
+ virtual const DOMElement* getElement() const=0;
+ virtual ~IOrganization() {}
+ };
+
+ struct SHIB_EXPORTS IKeyDescriptor
+ {
+ enum KeyUse { unspecified, encryption, signing };
+ virtual KeyUse getUse() const=0;
+ virtual DSIGKeyInfoList* getKeyInfo() const=0;
+ virtual saml::Iterator<const XENCEncryptionMethod*> getEncryptionMethods() const=0;
+ virtual ~IKeyDescriptor() {}
+ };
+
+ struct SHIB_EXPORTS IEndpoint
+ {
+ virtual const XMLCh* getBinding() const=0;
+ virtual const XMLCh* getLocation() const=0;
+ virtual const XMLCh* getResponseLocation() const=0;
+ virtual const DOMElement* getElement() const=0;
+ virtual ~IEndpoint() {}
+ };
+
+ struct SHIB_EXPORTS IIndexedEndpoint : public virtual IEndpoint
+ {
+ virtual unsigned short getIndex() const=0;
+ virtual ~IIndexedEndpoint() {}
+ };
+
+ struct SHIB_EXPORTS IEndpointManager
+ {
+ virtual saml::Iterator<const IEndpoint*> getEndpoints() const=0;
+ virtual const IEndpoint* getDefaultEndpoint() const=0;
+ virtual const IEndpoint* getEndpointByIndex(unsigned short index) const=0;
+ virtual const IEndpoint* getEndpointByBinding(const XMLCh* binding) const=0;
+ virtual ~IEndpointManager() {}
+ };
+
+ struct SHIB_EXPORTS IEntityDescriptor;
+ struct SHIB_EXPORTS IRoleDescriptor
+ {
+ virtual const IEntityDescriptor* getEntityDescriptor() const=0;
+ virtual saml::Iterator<const XMLCh*> getProtocolSupportEnumeration() const=0;
+ virtual bool hasSupport(const XMLCh* protocol) const=0;
+ virtual bool isValid() const=0;
virtual const char* getErrorURL() const=0;
- virtual bool validate(saml::Iterator<XSECCryptoX509*> certs) const=0;
- virtual bool validate(saml::Iterator<const XMLCh*> certs) const=0;
- virtual ~ISite() {}
+ virtual saml::Iterator<const IKeyDescriptor*> getKeyDescriptors() const=0;
+ virtual const IOrganization* getOrganization() const=0;
+ virtual saml::Iterator<const IContactPerson*> getContactPersons() const=0;
+ virtual const DOMElement* getElement() const=0;
+ virtual ~IRoleDescriptor() {}
+ };
+
+ struct SHIB_EXPORTS ISSODescriptor : public virtual IRoleDescriptor
+ {
+ virtual const IEndpointManager* getArtifactResolutionServiceManager() const=0;
+ virtual const IEndpointManager* getSingleLogoutServiceManager() const=0;
+ virtual const IEndpointManager* getManageNameIDServiceManager() const=0;
+ virtual saml::Iterator<const XMLCh*> getNameIDFormats() const=0;
+ virtual ~ISSODescriptor() {}
};
- struct SHIB_EXPORTS IAuthority
+ struct SHIB_EXPORTS IIDPSSODescriptor : public virtual ISSODescriptor
{
- virtual const XMLCh* getName() const=0;
- virtual const char* getURL() const=0;
- virtual ~IAuthority() {}
+ virtual bool getWantAuthnRequestsSigned() const=0;
+ virtual const IEndpointManager* getSingleSignOnServiceManager() const=0;
+ virtual const IEndpointManager* getNameIDMappingServiceManager() const=0;
+ virtual const IEndpointManager* getAssertionIDRequestServiceManager() const=0;
+ virtual saml::Iterator<const XMLCh*> getAttributeProfiles() const=0;
+ virtual saml::Iterator<const saml::SAMLAttribute*> getAttributes() const=0;
+ virtual ~IIDPSSODescriptor() {}
+ };
+
+ struct SHIB_EXPORTS IAttributeConsumingService
+ {
+ virtual const XMLCh* getName(const char* lang="en") const=0;
+ virtual const XMLCh* getDescription(const char* lang="en") const=0;
+ virtual saml::Iterator<std::pair<const saml::SAMLAttribute*,bool> > getRequestedAttributes() const=0;
+ virtual ~IAttributeConsumingService() {}
};
- struct SHIB_EXPORTS IOriginSite : public ISite
+ struct SHIB_EXPORTS ISPSSODescriptor : public virtual ISSODescriptor
{
- virtual saml::Iterator<const IAuthority*> getHandleServices() const=0;
- virtual saml::Iterator<const IAuthority*> getAttributeAuthorities() const=0;
- virtual saml::Iterator<std::pair<const XMLCh*,bool> > getSecurityDomains() const=0;
- virtual ~IOriginSite() {}
+ virtual bool getAuthnRequestsSigned() const=0;
+ virtual bool getWantAssertionsSigned() const=0;
+ virtual const IEndpointManager* getAssertionConsumerServiceManager() const=0;
+ virtual saml::Iterator<const IAttributeConsumingService*> getAttributeConsumingServices() const=0;
+ virtual const IAttributeConsumingService* getDefaultAttributeConsumingService() const=0;
+ virtual const IAttributeConsumingService* getAttributeConsumingServiceByID(const XMLCh* id) const=0;
+ virtual ~ISPSSODescriptor() {}
};
- struct SHIB_EXPORTS IMetadata
+ struct SHIB_EXPORTS IAuthnAuthorityDescriptor : public virtual IRoleDescriptor
{
- virtual void lock()=0;
- virtual void unlock()=0;
- virtual const ISite* lookup(const XMLCh* site) const=0;
- virtual ~IMetadata() {}
+ virtual const IEndpointManager* getAuthnQueryServiceManager() const=0;
+ virtual const IEndpointManager* getAssertionIDRequestServiceManager() const=0;
+ virtual saml::Iterator<const XMLCh*> getNameIDFormats() const=0;
+ virtual ~IAuthnAuthorityDescriptor() {}
};
- struct SHIB_EXPORTS ITrust
+ struct SHIB_EXPORTS IPDPDescriptor : public virtual IRoleDescriptor
{
- virtual void lock()=0;
- virtual void unlock()=0;
- virtual saml::Iterator<XSECCryptoX509*> getCertificates(const XMLCh* subject) const=0;
- virtual bool validate(const ISite* site, saml::Iterator<XSECCryptoX509*> certs) const=0;
- virtual bool validate(const ISite* site, saml::Iterator<const XMLCh*> certs) const=0;
- virtual bool attach(const ISite* site, SSL_CTX* ctx) const=0;
- virtual ~ITrust() {}
+ virtual const IEndpointManager* getAuthzServiceManager() const=0;
+ virtual const IEndpointManager* getAssertionIDRequestServiceManager() const=0;
+ virtual saml::Iterator<const XMLCh*> getNameIDFormats() const=0;
+ virtual ~IPDPDescriptor() {}
+ };
+
+ struct SHIB_EXPORTS IAttributeAuthorityDescriptor : public virtual IRoleDescriptor
+ {
+ virtual const IEndpointManager* getAttributeServiceManager() const=0;
+ virtual const IEndpointManager* getAssertionIDRequestServiceManager() const=0;
+ virtual saml::Iterator<const XMLCh*> getNameIDFormats() const=0;
+ virtual saml::Iterator<const XMLCh*> getAttributeProfiles() const=0;
+ virtual saml::Iterator<const saml::SAMLAttribute*> getAttributes() const=0;
+ virtual ~IAttributeAuthorityDescriptor() {}
};
- struct SHIB_EXPORTS ICredentials
+ struct SHIB_EXPORTS IAffiliationDescriptor
{
- virtual void lock()=0;
- virtual void unlock()=0;
- virtual bool attach(const XMLCh* subject, const ISite* relyingParty, SSL_CTX* ctx) const=0;
- virtual ~ICredentials() {}
+ virtual const IEntityDescriptor* getEntityDescriptor() const=0;
+ virtual const XMLCh* getOwnerID() const=0;
+ virtual bool isValid() const=0;
+ virtual saml::Iterator<const XMLCh*> getMembers() const=0;
+ virtual bool isMember(const XMLCh* id) const=0;
+ virtual saml::Iterator<const IKeyDescriptor*> getKeyDescriptors() const=0;
+ virtual const DOMElement* getElement() const=0;
+ virtual ~IAffiliationDescriptor() {}
+ };
+
+ struct SHIB_EXPORTS IEntitiesDescriptor;
+ struct SHIB_EXPORTS IEntityDescriptor
+ {
+ virtual const XMLCh* getId() const=0;
+ virtual bool isValid() const=0;
+ virtual saml::Iterator<const IRoleDescriptor*> getRoleDescriptors() const=0;
+ virtual const IIDPSSODescriptor* getIDPSSODescriptor(const XMLCh* protocol) const=0;
+ virtual const ISPSSODescriptor* getSPSSODescriptor(const XMLCh* protocol) const=0;
+ virtual const IAuthnAuthorityDescriptor* getAuthnAuthorityDescriptor(const XMLCh* protocol) const=0;
+ virtual const IAttributeAuthorityDescriptor* getAttributeAuthorityDescriptor(const XMLCh* protocol) const=0;
+ virtual const IPDPDescriptor* getPDPDescriptor(const XMLCh* protocol) const=0;
+ virtual const IAffiliationDescriptor* getAffiliationDescriptor() const=0;
+ virtual const IOrganization* getOrganization() const=0;
+ virtual saml::Iterator<const IContactPerson*> getContactPersons() const=0;
+ virtual saml::Iterator<std::pair<const XMLCh*,const XMLCh*> > getAdditionalMetadataLocations() const=0;
+ virtual const IEntitiesDescriptor* getEntitiesDescriptor() const=0;
+ virtual const DOMElement* getElement() const=0;
+ virtual ~IEntityDescriptor() {}
+ };
+
+ struct SHIB_EXPORTS IEntitiesDescriptor
+ {
+ virtual const XMLCh* getName() const=0;
+ virtual bool isValid() const=0;
+ virtual const IEntitiesDescriptor* getEntitiesDescriptor() const=0;
+ virtual saml::Iterator<const IEntitiesDescriptor*> getEntitiesDescriptors() const=0;
+ virtual saml::Iterator<const IEntityDescriptor*> getEntityDescriptors() const=0;
+ virtual const DOMElement* getElement() const=0;
+ virtual ~IEntitiesDescriptor() {}
+ };
+
+ // Shib extension interfaces
+ struct SHIB_EXPORTS IKeyAuthority
+ {
+ virtual int getVerifyDepth() const=0;
+ virtual saml::Iterator<DSIGKeyInfoList*> getKeyInfos() const=0;
+ virtual ~IKeyAuthority() {}
+ };
+
+ struct SHIB_EXPORTS IExtendedEntityDescriptor : public virtual IEntityDescriptor
+ {
+ virtual saml::Iterator<const IKeyAuthority*> getKeyAuthorities() const=0;
+ virtual saml::Iterator<std::pair<const XMLCh*,bool> > getScopes() const=0;
+ virtual ~IExtendedEntityDescriptor() {}
+ };
+
+ struct SHIB_EXPORTS IExtendedEntitiesDescriptor : public virtual IEntitiesDescriptor
+ {
+ virtual saml::Iterator<const IKeyAuthority*> getKeyAuthorities() const=0;
+ virtual ~IExtendedEntitiesDescriptor() {}
};
+
+ struct SHIB_EXPORTS IMetadata : public virtual saml::ILockable, public virtual saml::IPlugIn
+ {
+ virtual const IEntityDescriptor* lookup(const char* id, bool strict=true) const=0;
+ virtual const IEntityDescriptor* lookup(const XMLCh* id, bool strict=true) const=0;
+ virtual const IEntityDescriptor* lookup(const saml::SAMLArtifact* artifact) const=0;
+ virtual const IEntitiesDescriptor* lookupGroup(const char* name, bool strict=true) const=0;
+ virtual const IEntitiesDescriptor* lookupGroup(const XMLCh* name, bool strict=true) const=0;
+ virtual std::pair<const IEntitiesDescriptor*,const IEntityDescriptor*> getRoot() const=0;
+ virtual ~IMetadata() {}
+ };
+
+ // Trust interface hides *all* details of signature and SSL validation.
+ // Pluggable providers can fully override the Shibboleth trust model here.
+
+ struct SHIB_EXPORTS ITrust : public virtual saml::IPlugIn
+ {
+ // Performs certificate validation processing of an untrusted certificates
+ // using a library-specific representation, in this case an OpenSSL X509*
+ virtual bool validate(
+ void* certEE,
+ const saml::Iterator<void*>& certChain,
+ const IRoleDescriptor* role,
+ bool checkName=true
+ )=0;
+
+ // Validates signed SAML messages and assertions sent by an entity acting in a specific role.
+ // If certificate validation is required, the trust provider used can be overridden using
+ // the last parameter, or left null and the provider will rely on itself.
+ virtual bool validate(
+ const saml::SAMLSignedObject& token,
+ const IRoleDescriptor* role,
+ ITrust* certValidator=NULL
+ )=0;
+
+ virtual ~ITrust() {}
+ };
+
+ // Credentials interface abstracts access to "owned" keys and certificates.
- struct SHIB_EXPORTS ICredResolver
+ struct SHIB_EXPORTS ICredResolver : public virtual saml::IPlugIn
{
- virtual void resolveKey(SSL_CTX* ctx) const=0;
- virtual void resolveCert(SSL_CTX* ctx) const=0;
+ virtual void attach(void* ctx) const=0;
+ virtual XSECCryptoKey* getKey() const=0;
+ virtual saml::Iterator<XSECCryptoX509*> getCertificates() const=0;
virtual void dump(FILE* f) const=0;
virtual void dump() const { dump(stdout); }
virtual ~ICredResolver() {}
};
+ struct SHIB_EXPORTS ICredentials : public virtual saml::ILockable, public virtual saml::IPlugIn
+ {
+ virtual const ICredResolver* lookup(const char* id) const=0;
+ virtual ~ICredentials() {}
+ };
+
+ // Attribute acceptance processing interfaces, applied to incoming attributes.
+
struct SHIB_EXPORTS IAttributeRule
{
virtual const XMLCh* getName() const=0;
virtual const XMLCh* getNamespace() const=0;
- virtual const char* getFactory() const=0;
virtual const char* getAlias() const=0;
virtual const char* getHeader() const=0;
- virtual bool accept(const XMLCh* originSite, const DOMElement* e) const=0;
+ virtual bool getCaseSensitive() const=0;
+ virtual void apply(saml::SAMLAttribute& attribute, const IEntityDescriptor* source=NULL) const=0;
virtual ~IAttributeRule() {}
};
- struct SHIB_EXPORTS IAAP
+ struct SHIB_EXPORTS IAAP : public virtual saml::ILockable, public virtual saml::IPlugIn
{
- virtual void lock()=0;
- virtual void unlock()=0;
+ virtual bool anyAttribute() const=0;
virtual const IAttributeRule* lookup(const XMLCh* attrName, const XMLCh* attrNamespace=NULL) const=0;
virtual const IAttributeRule* lookup(const char* alias) const=0;
virtual saml::Iterator<const IAttributeRule*> getAttributeRules() const=0;
virtual ~IAAP() {}
};
+
+ struct SHIB_EXPORTS IAttributeFactory : public virtual saml::IPlugIn
+ {
+ virtual saml::SAMLAttribute* build(DOMElement* e) const=0;
+ virtual ~IAttributeFactory() {}
+ };
#ifdef SHIB_INSTANTIATE
- template class SHIB_EXPORTS saml::Iterator<const IContactInfo*>;
- template class SHIB_EXPORTS saml::ArrayIterator<const IContactInfo*>;
- template class SHIB_EXPORTS saml::Iterator<const IAuthority*>;
- template class SHIB_EXPORTS saml::ArrayIterator<const IAuthority*>;
+ template class SHIB_EXPORTS saml::Iterator<const IContactPerson*>;
+ template class SHIB_EXPORTS saml::Iterator<const XENCEncryptionMethod*>;
+ template class SHIB_EXPORTS saml::Iterator<const IKeyDescriptor*>;
+ template class SHIB_EXPORTS saml::Iterator<const IAttributeConsumingService*>;
+ template class SHIB_EXPORTS saml::Iterator<const IRoleDescriptor*>;
+ template class SHIB_EXPORTS saml::Iterator<const IEntityDescriptor*>;
+ template class SHIB_EXPORTS saml::Iterator<const IEntitiesDescriptor*>;
+ template class SHIB_EXPORTS saml::Iterator<const IEndpoint*>;
template class SHIB_EXPORTS saml::Iterator<const IAttributeRule*>;
- template class SHIB_EXPORTS saml::ArrayIterator<const IAttributeRule*>;
+ template class SHIB_EXPORTS saml::Iterator<const IKeyAuthority*>;
+ template class SHIB_EXPORTS saml::Iterator<DSIGKeyInfoList*>;
template class SHIB_EXPORTS saml::Iterator<IMetadata*>;
template class SHIB_EXPORTS saml::ArrayIterator<IMetadata*>;
template class SHIB_EXPORTS saml::Iterator<ITrust*>;
template class SHIB_EXPORTS saml::ArrayIterator<IAAP*>;
#endif
- class SHIB_EXPORTS SimpleAttribute : public saml::SAMLAttribute
- {
- public:
- SimpleAttribute(const XMLCh* name, const XMLCh* ns, long lifetime=0,
- const saml::Iterator<const XMLCh*>& values=EMPTY(const XMLCh*));
- SimpleAttribute(DOMElement* e);
- virtual saml::SAMLObject* clone() const;
- virtual ~SimpleAttribute();
-
- protected:
- virtual bool accept(DOMElement* e) const;
-
- const XMLCh* m_originSite;
- };
-
- class SHIB_EXPORTS ScopedAttribute : public SimpleAttribute
- {
- public:
- ScopedAttribute(const XMLCh* name, const XMLCh* ns, long lifetime=0,
- const saml::Iterator<const XMLCh*>& scopes=EMPTY(const XMLCh*),
- const saml::Iterator<const XMLCh*>& values=EMPTY(const XMLCh*));
- ScopedAttribute(DOMElement* e);
- virtual ~ScopedAttribute();
-
- virtual DOMNode* toDOM(DOMDocument* doc=NULL, bool xmlns=true) const;
- virtual saml::SAMLObject* clone() const;
-
- virtual saml::Iterator<const XMLCh*> getValues() const;
- virtual saml::Iterator<std::string> getSingleByteValues() const;
-
- protected:
- virtual bool addValue(DOMElement* e);
-
- std::vector<const XMLCh*> m_scopes;
- mutable std::vector<const XMLCh*> m_scopedValues;
- };
-
- class SHIB_EXPORTS ShibPOSTProfile
- {
- public:
- ShibPOSTProfile(const saml::Iterator<const XMLCh*>& policies, const XMLCh* receiver, int ttlSeconds);
- ShibPOSTProfile(const saml::Iterator<const XMLCh*>& policies, const XMLCh* issuer);
- virtual ~ShibPOSTProfile();
-
- virtual const saml::SAMLAssertion* getSSOAssertion(const saml::SAMLResponse& r);
- virtual const saml::SAMLAuthenticationStatement* getSSOStatement(const saml::SAMLAssertion& a);
- virtual saml::SAMLResponse* accept(const XMLByte* buf, XMLCh** originSitePtr=NULL);
- virtual saml::SAMLResponse* prepare(
- const XMLCh* recipient,
- const XMLCh* name,
- const XMLCh* nameQualifier,
- const XMLCh* subjectIP,
- const XMLCh* authMethod,
- time_t authInstant,
- const saml::Iterator<saml::SAMLAuthorityBinding*>& bindings,
- XSECCryptoKey* responseKey,
- const saml::Iterator<XSECCryptoX509*>& responseCerts=EMPTY(XSECCryptoX509*),
- XSECCryptoKey* assertionKey=NULL,
- const saml::Iterator<XSECCryptoX509*>& assertionCerts=EMPTY(XSECCryptoX509*)
- );
- virtual bool checkReplayCache(const saml::SAMLAssertion& a);
-
- virtual const XMLCh* getOriginSite(const saml::SAMLResponse& r);
-
- protected:
- virtual void verifySignature(
- const saml::SAMLSignedObject& obj,
- const IOriginSite* originSite,
- const XMLCh* signerName,
- XSECCryptoKey* knownKey=NULL);
-
- signatureMethod m_algorithm;
- std::vector<const XMLCh*> m_policies;
- XMLCh* m_issuer;
- XMLCh* m_receiver;
- int m_ttlSeconds;
-
- private:
- ShibPOSTProfile(const ShibPOSTProfile&) {}
- ShibPOSTProfile& operator=(const ShibPOSTProfile&) {return *this;}
- };
-
- class SHIB_EXPORTS ShibPOSTProfileFactory
- {
- public:
- static ShibPOSTProfile* getInstance(const saml::Iterator<const XMLCh*>& policies, const XMLCh* receiver, int ttlSeconds);
- static ShibPOSTProfile* getInstance(const saml::Iterator<const XMLCh*>& policies, const XMLCh* issuer);
- };
-
// Glue classes between abstract metadata and concrete providers
- class SHIB_EXPORTS OriginMetadata
+ class SHIB_EXPORTS Metadata
{
public:
- OriginMetadata(const XMLCh* site);
- ~OriginMetadata();
- bool fail() const {return m_mapper==NULL;}
- const IOriginSite* operator->() const {return m_site;}
- operator const IOriginSite*() const {return m_site;}
-
+ Metadata(const saml::Iterator<IMetadata*>& metadatas) : m_metadatas(metadatas), m_mapper(NULL) {}
+ ~Metadata();
+
+ const IEntityDescriptor* lookup(const char* id, bool strict=true);
+ const IEntityDescriptor* lookup(const XMLCh* id, bool strict=true);
+ const IEntityDescriptor* lookup(const saml::SAMLArtifact* artifact);
+
private:
- OriginMetadata(const OriginMetadata&);
- void operator=(const OriginMetadata&);
+ Metadata(const Metadata&);
+ void operator=(const Metadata&);
IMetadata* m_mapper;
- const IOriginSite* m_site;
+ saml::Iterator<IMetadata*> m_metadatas;
};
class SHIB_EXPORTS Trust
{
public:
- Trust() : m_mapper(NULL) {}
- ~Trust();
- saml::Iterator<XSECCryptoX509*> getCertificates(const XMLCh* subject);
- bool validate(const ISite* site, saml::Iterator<XSECCryptoX509*> certs) const;
- bool validate(const ISite* site, saml::Iterator<const XMLCh*> certs) const;
- bool attach(const ISite* site, SSL_CTX* ctx) const;
+ Trust(const saml::Iterator<ITrust*>& trusts) : m_trusts(trusts) {}
+ ~Trust() {}
+
+ bool validate(
+ void* certEE,
+ const saml::Iterator<void*>& certChain,
+ const IRoleDescriptor* role,
+ bool checkName=true
+ ) const;
+ bool validate(const saml::SAMLSignedObject& token, const IRoleDescriptor* role) const;
private:
Trust(const Trust&);
void operator=(const Trust&);
- ITrust* m_mapper;
+ saml::Iterator<ITrust*> m_trusts;
};
class SHIB_EXPORTS Credentials
{
public:
- static bool attach(const XMLCh* subject, const ISite* relyingParty, SSL_CTX* ctx);
+ Credentials(const saml::Iterator<ICredentials*>& creds) : m_creds(creds), m_mapper(NULL) {}
+ ~Credentials();
+
+ const ICredResolver* lookup(const char* id);
+
+ private:
+ Credentials(const Credentials&);
+ void operator=(const Credentials&);
+ ICredentials* m_mapper;
+ saml::Iterator<ICredentials*> m_creds;
};
class SHIB_EXPORTS AAP
{
public:
- AAP(const XMLCh* attrName, const XMLCh* attrNamespace=NULL);
- AAP(const char* alias);
+ AAP(const saml::Iterator<IAAP*>& aaps, const XMLCh* attrName, const XMLCh* attrNamespace=NULL);
+ AAP(const saml::Iterator<IAAP*>& aaps, const char* alias);
~AAP();
bool fail() const {return m_mapper==NULL;}
const IAttributeRule* operator->() const {return m_rule;}
operator const IAttributeRule*() const {return m_rule;}
+ static void apply(const saml::Iterator<IAAP*>& aaps, saml::SAMLAssertion& assertion, const IEntityDescriptor* source=NULL);
+
private:
AAP(const AAP&);
void operator=(const AAP&);
const IAttributeRule* m_rule;
};
- extern "C" {
- typedef IMetadata* MetadataFactory(const char* source);
- typedef ITrust* TrustFactory(const char* source);
- typedef ICredentials* CredentialsFactory(const char* source);
- typedef ICredResolver* CredResolverFactory(const DOMElement* e);
- typedef IAAP* AAPFactory(const char* source);
- }
-
+ // Subclass around the OpenSAML browser profile interface,
+ // incoporates additional functionality using Shib-defined APIs.
+ class SHIB_EXPORTS ShibBrowserProfile : virtual public saml::SAMLBrowserProfile
+ {
+ public:
+ struct SHIB_EXPORTS ITokenValidator {
+ virtual void validateToken(
+ saml::SAMLAssertion* token,
+ time_t=0,
+ const IRoleDescriptor* role=NULL,
+ const saml::Iterator<ITrust*>& trusts=EMPTY(ITrust*)
+ ) const=0;
+ virtual ~ITokenValidator() {}
+ };
+
+ ShibBrowserProfile(
+ const ITokenValidator* validator,
+ const saml::Iterator<IMetadata*>& metadatas=EMPTY(IMetadata*),
+ const saml::Iterator<ITrust*>& trusts=EMPTY(ITrust*)
+ );
+ virtual ~ShibBrowserProfile();
+
+ virtual saml::SAMLBrowserProfile::BrowserProfileResponse receive(
+ const char* samlResponse,
+ const XMLCh* recipient,
+ saml::IReplayCache* replayCache,
+ int minorVersion=1
+ ) const;
+ virtual saml::SAMLBrowserProfile::BrowserProfileResponse receive(
+ saml::Iterator<const char*> artifacts,
+ const XMLCh* recipient,
+ saml::SAMLBrowserProfile::ArtifactMapper* artifactMapper,
+ saml::IReplayCache* replayCache,
+ int minorVersion=1
+ ) const;
+
+ private:
+ void postprocess(saml::SAMLBrowserProfile::BrowserProfileResponse& bpr, int minorVersion=1) const;
+
+ saml::SAMLBrowserProfile* m_profile;
+ saml::Iterator<IMetadata*> m_metadatas;
+ saml::Iterator<ITrust*> m_trusts;
+ const ITokenValidator* m_validator;
+ };
+
class SHIB_EXPORTS ShibConfig
{
public:
ShibConfig() {}
- virtual ~ShibConfig();
+ virtual ~ShibConfig() {}
// global per-process setup and shutdown of Shibboleth runtime
- virtual bool init()=0;
- virtual void term()=0;
+ virtual bool init();
+ virtual void term();
+
+ // manages specific attribute name to factory mappings
+ void regAttributeMapping(const XMLCh* name, const IAttributeFactory* factory);
+ void unregAttributeMapping(const XMLCh* name);
+ void clearAttributeMappings();
// enables runtime and clients to access configuration
static ShibConfig& getConfig();
-
- // allows pluggable implementations of metadata
- virtual void regFactory(const char* type, MetadataFactory* factory)=0;
- virtual void regFactory(const char* type, TrustFactory* factory)=0;
- virtual void regFactory(const char* type, CredentialsFactory* factory)=0;
- virtual void regFactory(const char* type, CredResolverFactory* factory)=0;
- virtual void regFactory(const char* type, AAPFactory* factory)=0;
- virtual void regFactory(const char* type, saml::SAMLAttributeFactory* factory)=0;
- virtual void unregFactory(const char* type)=0;
-
- // builds a specific metadata lookup object
- virtual bool addMetadata(const char* type, const char* source)=0;
-
- virtual saml::Iterator<IMetadata*> getMetadataProviders() const=0;
- virtual saml::Iterator<ITrust*> getTrustProviders() const=0;
- virtual saml::Iterator<ICredentials*> getCredentialProviders() const=0;
- virtual CredResolverFactory* getCredResolverFactory(const char* type) const=0;
- virtual saml::Iterator<IAAP*> getAAPProviders() const=0;
- virtual saml::SAMLAttributeFactory* getAttributeFactory(const char* type) const=0;
};
- struct SHIB_EXPORTS Constants
+ /* Helper classes for implementing reloadable XML-based config files
+ The ILockable interface will usually be inherited twice, once as
+ part of the external interface to clients and once as an implementation
+ detail of the reloading class below.
+ */
+
+ class SHIB_EXPORTS ReloadableXMLFileImpl
{
- static const XMLCh SHIB_ATTRIBUTE_NAMESPACE_URI[];
- static const XMLCh SHIB_NAMEID_FORMAT_URI[];
-
- static const XMLCh XMLSIG_RETMETHOD_RAWX509[]; // DER X.509 defined by xmlsig
+ public:
+ ReloadableXMLFileImpl(const char* pathname);
+ ReloadableXMLFileImpl(const DOMElement* pathname);
+ virtual ~ReloadableXMLFileImpl();
- static saml::QName SHIB_ATTRIBUTE_VALUE_TYPE;
+ protected:
+ DOMDocument* m_doc;
+ const DOMElement* m_root;
};
- class SHIB_EXPORTS XML
+ class SHIB_EXPORTS ReloadableXMLFile : protected virtual saml::ILockable
{
public:
- // URI constants
- static const XMLCh SHIB_NS[];
- static const XMLCh SHIB_SCHEMA_ID[];
-
- struct SHIB_EXPORTS Literals
- {
- // Shibboleth vocabulary
- static const XMLCh AttributeValueType[];
-
- static const XMLCh Scope[];
-
- static const XMLCh AttributeAuthority[];
- static const XMLCh Contact[];
- static const XMLCh Domain[];
- static const XMLCh Email[];
- static const XMLCh ErrorURL[];
- static const XMLCh HandleService[];
- static const XMLCh InvalidHandle[];
- static const XMLCh Location[];
- static const XMLCh Name[];
- static const XMLCh OriginSite[];
- static const XMLCh SiteGroup[];
-
- static const XMLCh CertificateRef[];
- static const XMLCh Class[];
- static const XMLCh Credentials[];
- static const XMLCh CustomCredResolver[];
- static const XMLCh Exponent[];
- static const XMLCh FileCredResolver[];
- static const XMLCh Id[];
- static const XMLCh KeyAuthority[];
- static const XMLCh KeyRef[];
- static const XMLCh KeyUse[];
- static const XMLCh Modulus[];
- static const XMLCh Password[];
- static const XMLCh Path[];
- static const XMLCh RelyingParty[];
- static const XMLCh RetrievalMethod[];
- static const XMLCh RSAKeyValue[];
- static const XMLCh Trust[];
- static const XMLCh URI[];
- static const XMLCh VerifyDepth[];
-
- static const XMLCh Accept[];
- static const XMLCh Alias[];
- static const XMLCh AnySite[];
- static const XMLCh AnyValue[];
- static const XMLCh AttributeAcceptancePolicy[];
- static const XMLCh AttributeRule[];
- static const XMLCh Factory[];
- static const XMLCh Header[];
- static const XMLCh Namespace[];
- static const XMLCh SiteRule[];
- static const XMLCh Type[];
- static const XMLCh Value[];
-
- static const XMLCh literal[];
- static const XMLCh regexp[];
- static const XMLCh xpath[];
-
- static const XMLCh technical[];
- static const XMLCh administrative[];
- static const XMLCh billing[];
- static const XMLCh other[];
-
- // XML vocabulary
- static const XMLCh xmlns_shib[];
- };
- };
+ ReloadableXMLFile(const DOMElement* e);
+ ~ReloadableXMLFile() { delete m_lock; delete m_impl; }
- class SHIB_EXPORTS SAMLBindingFactory
- {
- public:
- static saml::SAMLBinding* getInstance(
- const XMLCh* subject,
- const ISite* relyingParty,
- const XMLCh* protocol=saml::SAMLBinding::SAML_SOAP_HTTPS);
+ virtual void lock();
+ virtual void unlock() { if (m_lock) m_lock->unlock(); }
+
+ ReloadableXMLFileImpl* getImplementation() const;
+
+ protected:
+ virtual ReloadableXMLFileImpl* newImplementation(const char* pathname, bool first=true) const=0;
+ virtual ReloadableXMLFileImpl* newImplementation(const DOMElement* e, bool first=true) const=0;
+ mutable ReloadableXMLFileImpl* m_impl;
+
+ private:
+ const DOMElement* m_root;
+ std::string m_source;
+ time_t m_filestamp;
+ xmltooling::RWLock* m_lock;
};
+
+ /* These helpers attach metadata-derived information as exception properties and then
+ * rethrow the object. The following properties are attached, when possible:
+ *
+ * providerId The unique ID of the entity
+ * errorURL The error support URL of the entity or role
+ * contactName A formatted support or technical contact name
+ * contactEmail A contact email address
+ */
+ SHIB_EXPORTS void annotateException(saml::SAMLException* e, const IEntityDescriptor* entity, bool rethrow=true);
+ SHIB_EXPORTS void annotateException(saml::SAMLException* e, const IRoleDescriptor* role, bool rethrow=true);
}
#endif