#include "internal.h"
-#include <shib/shib-threads.h>
-#include <log4cpp/Category.hh>
-#include <log4cpp/PropertyConfigurator.hh>
-#include <algorithm>
#include <sys/types.h>
#include <sys/stat.h>
-
-using namespace std;
-using namespace saml;
-using namespace shibboleth;
+#include <log4cpp/Category.hh>
+#include <log4cpp/PropertyConfigurator.hh>
+#include <shibsp/RequestMapper.h>
+#include <shibsp/SPConfig.h>
+#include <shibsp/security/PKIXTrustEngine.h>
+#include <shibsp/util/DOMPropertySet.h>
+#include <saml/SAMLConfig.h>
+#include <saml/saml1/core/Assertions.h>
+#include <saml/saml2/metadata/ChainingMetadataProvider.h>
+#include <xmltooling/XMLToolingConfig.h>
+#include <xmltooling/security/ChainingTrustEngine.h>
+#include <xmltooling/util/ReloadableXMLFile.h>
+
+using namespace shibsp;
using namespace shibtarget;
+using namespace shibboleth;
+using namespace saml;
+using namespace opensaml::saml1;
+using namespace opensaml::saml2md;
+using namespace xmltooling;
using namespace log4cpp;
+using namespace std;
+using xmlsignature::CredentialResolver;
-namespace shibtarget {
+namespace {
+
+ vector<const Handler*> g_noHandlers;
// Application configuration wrapper
- class XMLApplication : public virtual IApplication, public XMLPropertySet, public DOMNodeFilter
+ class XMLApplication : public virtual IApplication, public DOMPropertySet, public DOMNodeFilter
{
public:
- XMLApplication(const IConfig*, const Iterator<ICredentials*>& creds, const DOMElement* e, const XMLApplication* base=NULL);
+ XMLApplication(const ServiceProvider*, const DOMElement* e, const XMLApplication* base=NULL);
~XMLApplication() { cleanup(); }
- // IPropertySet
+ // PropertySet
pair<bool,bool> getBool(const char* name, const char* ns=NULL) const;
pair<bool,const char*> getString(const char* name, const char* ns=NULL) const;
pair<bool,const XMLCh*> getXMLString(const char* name, const char* ns=NULL) const;
pair<bool,unsigned int> getUnsignedInt(const char* name, const char* ns=NULL) const;
pair<bool,int> getInt(const char* name, const char* ns=NULL) const;
- const IPropertySet* getPropertySet(const char* name, const char* ns="urn:mace:shibboleth:target:config:1.0") const;
+ const PropertySet* getPropertySet(const char* name, const char* ns="urn:mace:shibboleth:target:config:1.0") const;
// IApplication
const char* getId() const {return getString("id").second;}
const char* getHash() const {return m_hash.c_str();}
- Iterator<SAMLAttributeDesignator*> getAttributeDesignators() const;
Iterator<IAAP*> getAAPProviders() const;
- Iterator<IMetadata*> getMetadataProviders() const;
- Iterator<ITrust*> getTrustProviders() const;
- Iterator<const XMLCh*> getAudiences() const;
- const IPropertySet* getCredentialUse(const IEntityDescriptor* provider) const;
+ MetadataProvider* getMetadataProvider() const;
+ TrustEngine* getTrustEngine() const;
+ const vector<const XMLCh*>& getAudiences() const;
+ const PropertySet* getCredentialUse(const EntityDescriptor* provider) const;
+
const SAMLBrowserProfile* getBrowserProfile() const {return m_profile;}
const SAMLBinding* getBinding(const XMLCh* binding) const
{return XMLString::compareString(SAMLBinding::SOAP,binding) ? NULL : m_binding;}
void validateToken(
SAMLAssertion* token,
time_t t=0,
- const IRoleDescriptor* role=NULL,
- const Iterator<ITrust*>& trusts=EMPTY(ITrust*)
+ const RoleDescriptor* role=NULL,
+ const TrustEngine* trust=NULL
) const;
- const IHandler* getDefaultSessionInitiator() const;
- const IHandler* getSessionInitiatorById(const char* id) const;
- const IHandler* getDefaultAssertionConsumerService() const;
- const IHandler* getAssertionConsumerServiceByIndex(unsigned short index) const;
- Iterator<const IHandler*> getAssertionConsumerServicesByBinding(const XMLCh* binding) const;
- const IHandler* getHandler(const char* path) const;
+ const Handler* getDefaultSessionInitiator() const;
+ const Handler* getSessionInitiatorById(const char* id) const;
+ const Handler* getDefaultAssertionConsumerService() const;
+ const Handler* getAssertionConsumerServiceByIndex(unsigned short index) const;
+ const vector<const Handler*>& getAssertionConsumerServicesByBinding(const XMLCh* binding) const;
+ const Handler* getHandler(const char* path) const;
// Provides filter to exclude special config elements.
short acceptNode(const DOMNode* node) const;
private:
void cleanup();
- const IConfig* m_ini; // this is ok because its locking scope includes us
+ const ServiceProvider* m_sp; // this is ok because its locking scope includes us
const XMLApplication* m_base;
string m_hash;
- vector<SAMLAttributeDesignator*> m_designators;
vector<IAAP*> m_aaps;
- vector<IMetadata*> m_metadatas;
- vector<ITrust*> m_trusts;
+ MetadataProvider* m_metadata;
+ TrustEngine* m_trust;
vector<const XMLCh*> m_audiences;
ShibBrowserProfile* m_profile;
SAMLBinding* m_binding;
ShibHTTPHook* m_bindingHook;
- // vectors manage object life for handlers and their property sets
- vector<IHandler*> m_handlers;
- vector<XMLPropertySet*> m_handlerProps;
+ // manage handler objects
+ vector<Handler*> m_handlers;
// maps location (path info) to applicable handlers
- map<string,const IHandler*> m_handlerMap;
+ map<string,const Handler*> m_handlerMap;
// maps unique indexes to consumer services
- map<unsigned int,const IHandler*> m_acsIndexMap;
+ map<unsigned int,const Handler*> m_acsIndexMap;
// pointer to default consumer service
- const IHandler* m_acsDefault;
+ const Handler* m_acsDefault;
// maps binding strings to supporting consumer service(s)
#ifdef HAVE_GOOD_STL
- typedef map<xstring,vector<const IHandler*> > ACSBindingMap;
+ typedef map<xmltooling::xstring,vector<const Handler*> > ACSBindingMap;
#else
- typedef map<string,vector<const IHandler*> > ACSBindingMap;
+ typedef map<string,vector<const Handler*> > ACSBindingMap;
#endif
ACSBindingMap m_acsBindingMap;
// maps unique ID strings to session initiators
- map<string,const IHandler*> m_sessionInitMap;
+ map<string,const Handler*> m_sessionInitMap;
// pointer to default session initiator
- const IHandler* m_sessionInitDefault;
+ const Handler* m_sessionInitDefault;
- XMLPropertySet* m_credDefault;
+ DOMPropertySet* m_credDefault;
#ifdef HAVE_GOOD_STL
- map<xstring,XMLPropertySet*> m_credMap;
+ map<xmltooling::xstring,PropertySet*> m_credMap;
#else
- map<const XMLCh*,XMLPropertySet*> m_credMap;
+ map<const XMLCh*,PropertySet*> m_credMap;
#endif
};
// Top-level configuration implementation
class XMLConfig;
- class XMLConfigImpl : public ReloadableXMLFileImpl, public XMLPropertySet, public DOMNodeFilter
+ class XMLConfigImpl : public DOMPropertySet, public DOMNodeFilter
{
public:
- XMLConfigImpl(const char* pathname, bool first, const XMLConfig* outer)
- : ReloadableXMLFileImpl(pathname), m_outer(outer), m_requestMapper(NULL) { init(first); }
- XMLConfigImpl(const DOMElement* e, bool first, const XMLConfig* outer)
- : ReloadableXMLFileImpl(e), m_outer(outer), m_requestMapper(NULL) { init(first); }
+ XMLConfigImpl(const DOMElement* e, bool first, const XMLConfig* outer);
~XMLConfigImpl();
- IRequestMapper* m_requestMapper;
- map<string,IApplication*> m_appmap;
- vector<ICredentials*> m_creds;
+ RequestMapper* m_requestMapper;
+ map<string,Application*> m_appmap;
+ map<string,CredentialResolver*> m_credResolverMap;
vector<IAttributeFactory*> m_attrFactories;
// Provides filter to exclude special config elements.
short acceptNode(const DOMNode* node) const;
+ void setDocument(DOMDocument* doc) {
+ m_document = doc;
+ }
+
private:
- void init(bool first);
+ void doExtensions(const DOMElement* e, const char* label, Category& log);
+
const XMLConfig* m_outer;
+ DOMDocument* m_document;
};
-
- class XMLConfig : public IConfig, public ReloadableXMLFile
+
+#if defined (_MSC_VER)
+ #pragma warning( push )
+ #pragma warning( disable : 4250 )
+#endif
+
+ class XMLConfig : public ServiceProvider, public ReloadableXMLFile
{
public:
- XMLConfig(const DOMElement* e) : ReloadableXMLFile(e), m_listener(NULL), m_sessionCache(NULL), m_replayCache(NULL) {}
+ XMLConfig(const DOMElement* e)
+ : ReloadableXMLFile(e), m_impl(NULL), m_listener(NULL), m_sessionCache(NULL) {
+ }
+
+ void init() {
+ load();
+ }
+
~XMLConfig() {
delete m_impl;
- m_impl=NULL;
delete m_sessionCache;
- m_sessionCache=NULL;
- delete m_replayCache;
- m_replayCache=NULL;
delete m_listener;
- m_listener=NULL;
}
- void init() { getImplementation(); }
-
- // IPropertySet
- pair<bool,bool> getBool(const char* name, const char* ns=NULL) const {return static_cast<XMLConfigImpl*>(m_impl)->getBool(name,ns);}
- pair<bool,const char*> getString(const char* name, const char* ns=NULL) const {return static_cast<XMLConfigImpl*>(m_impl)->getString(name,ns);}
- pair<bool,const XMLCh*> getXMLString(const char* name, const char* ns=NULL) const {return static_cast<XMLConfigImpl*>(m_impl)->getXMLString(name,ns);}
- pair<bool,unsigned int> getUnsignedInt(const char* name, const char* ns=NULL) const {return static_cast<XMLConfigImpl*>(m_impl)->getUnsignedInt(name,ns);}
- pair<bool,int> getInt(const char* name, const char* ns=NULL) const {return static_cast<XMLConfigImpl*>(m_impl)->getInt(name,ns);}
- const IPropertySet* getPropertySet(const char* name, const char* ns="urn:mace:shibboleth:target:config:1.0") const {return static_cast<XMLConfigImpl*>(m_impl)->getPropertySet(name,ns);}
- const DOMElement* getElement() const {return static_cast<XMLConfigImpl*>(m_impl)->getElement();}
-
- // IConfig
- IListener* getListener() const {return m_listener;}
- ISessionCache* getSessionCache() const {return m_sessionCache;}
- IReplayCache* getReplayCache() const {return m_replayCache;}
- IRequestMapper* getRequestMapper() const {return static_cast<XMLConfigImpl*>(m_impl)->m_requestMapper;}
- const IApplication* getApplication(const char* applicationId) const {
- map<string,IApplication*>::const_iterator i=static_cast<XMLConfigImpl*>(m_impl)->m_appmap.find(applicationId);
- return (i!=static_cast<XMLConfigImpl*>(m_impl)->m_appmap.end()) ? i->second : NULL;
+ // PropertySet
+ pair<bool,bool> getBool(const char* name, const char* ns=NULL) const {return m_impl->getBool(name,ns);}
+ pair<bool,const char*> getString(const char* name, const char* ns=NULL) const {return m_impl->getString(name,ns);}
+ pair<bool,const XMLCh*> getXMLString(const char* name, const char* ns=NULL) const {return m_impl->getXMLString(name,ns);}
+ pair<bool,unsigned int> getUnsignedInt(const char* name, const char* ns=NULL) const {return m_impl->getUnsignedInt(name,ns);}
+ pair<bool,int> getInt(const char* name, const char* ns=NULL) const {return m_impl->getInt(name,ns);}
+ const PropertySet* getPropertySet(const char* name, const char* ns="urn:mace:shibboleth:target:config:1.0") const {return m_impl->getPropertySet(name,ns);}
+ const DOMElement* getElement() const {return m_impl->getElement();}
+
+ // ServiceProvider
+ ListenerService* getListenerService(bool required=true) const {
+ if (required && !m_listener)
+ throw ConfigurationException("No ListenerService available.");
+ return m_listener;
}
- Iterator<ICredentials*> getCredentialsProviders() const {return static_cast<XMLConfigImpl*>(m_impl)->m_creds;}
-
- protected:
- virtual ReloadableXMLFileImpl* newImplementation(const char* pathname, bool first=true) const;
- virtual ReloadableXMLFileImpl* newImplementation(const DOMElement* e, bool first=true) const;
- private:
- friend class XMLConfigImpl;
- mutable IListener* m_listener;
- mutable ISessionCache* m_sessionCache;
- mutable IReplayCache* m_replayCache;
- };
-}
-
-IConfig* STConfig::ShibTargetConfigFactory(const DOMElement* e)
-{
- return new XMLConfig(e);
-}
+ SessionCache* getSessionCache(bool required=true) const {
+ if (required && !m_sessionCache)
+ throw ConfigurationException("No SessionCache available.");
+ return m_sessionCache;
+ }
-XMLPropertySet::~XMLPropertySet()
-{
- for (map<string,pair<char*,const XMLCh*> >::iterator i=m_map.begin(); i!=m_map.end(); i++)
- XMLString::release(&(i->second.first));
- for_each(m_nested.begin(),m_nested.end(),shibtarget::cleanup_pair<string,IPropertySet>());
-}
+ RequestMapper* getRequestMapper(bool required=true) const {
+ if (required && !m_impl->m_requestMapper)
+ throw ConfigurationException("No RequestMapper available.");
+ return m_impl->m_requestMapper;
+ }
-void XMLPropertySet::load(
- const DOMElement* e,
- Category& log,
- DOMNodeFilter* filter,
- const std::map<std::string,std::string>* remapper
- )
-{
-#ifdef _DEBUG
- saml::NDC ndc("load");
-#endif
- m_root=e;
-
- // Process each attribute as a property.
- DOMNamedNodeMap* attrs=m_root->getAttributes();
- for (XMLSize_t i=0; i<attrs->getLength(); i++) {
- DOMNode* a=attrs->item(i);
- if (!XMLString::compareString(a->getNamespaceURI(),saml::XML::XMLNS_NS))
- continue;
- char* val=XMLString::transcode(a->getNodeValue());
- if (val && *val) {
- auto_ptr_char ns(a->getNamespaceURI());
- auto_ptr_char name(a->getLocalName());
- const char* realname=name.get();
- if (remapper) {
- map<string,string>::const_iterator remap=remapper->find(realname);
- if (remap!=remapper->end()) {
- log.warn("remapping property (%s) to (%s)",realname,remap->second.c_str());
- realname=remap->second.c_str();
- }
- }
- if (ns.get()) {
- m_map[string("{") + ns.get() + '}' + realname]=pair<char*,const XMLCh*>(val,a->getNodeValue());
- log.debug("added property {%s}%s (%s)",ns.get(),realname,val);
- }
- else {
- m_map[realname]=pair<char*,const XMLCh*>(val,a->getNodeValue());
- log.debug("added property %s (%s)",realname,val);
- }
+ const Application* getApplication(const char* applicationId) const {
+ map<string,Application*>::const_iterator i=m_impl->m_appmap.find(applicationId);
+ return (i!=m_impl->m_appmap.end()) ? i->second : NULL;
}
- }
-
- // Process non-excluded elements as nested sets.
- DOMTreeWalker* walker=
- static_cast<DOMDocumentTraversal*>(
- m_root->getOwnerDocument())->createTreeWalker(const_cast<DOMElement*>(m_root),DOMNodeFilter::SHOW_ELEMENT,filter,false
- );
- e=static_cast<DOMElement*>(walker->firstChild());
- while (e) {
- auto_ptr_char ns(e->getNamespaceURI());
- auto_ptr_char name(e->getLocalName());
- const char* realname=name.get();
- if (remapper) {
- map<string,string>::const_iterator remap=remapper->find(realname);
- if (remap!=remapper->end()) {
- log.warn("remapping property set (%s) to (%s)",realname,remap->second.c_str());
- realname=remap->second.c_str();
+
+ CredentialResolver* getCredentialResolver(const char* id) const {
+ if (id) {
+ map<string,CredentialResolver*>::const_iterator i=m_impl->m_credResolverMap.find(id);
+ if (i!=m_impl->m_credResolverMap.end())
+ return i->second;
}
+ return NULL;
}
- string key;
- if (ns.get())
- key=string("{") + ns.get() + '}' + realname;
- else
- key=realname;
- if (m_nested.find(key)!=m_nested.end())
- log.warn("load() skipping duplicate property set: %s",key.c_str());
- else {
- XMLPropertySet* set=new XMLPropertySet();
- set->load(e,log,filter,remapper);
- m_nested[key]=set;
- log.debug("added nested property set: %s",key.c_str());
- }
- e=static_cast<DOMElement*>(walker->nextSibling());
- }
- walker->release();
-}
-
-pair<bool,bool> XMLPropertySet::getBool(const char* name, const char* ns) const
-{
- pair<bool,bool> ret(false,false);
- map<string,pair<char*,const XMLCh*> >::const_iterator i;
-
- if (ns)
- i=m_map.find(string("{") + ns + '}' + name);
- else
- i=m_map.find(name);
-
- if (i!=m_map.end()) {
- ret.first=true;
- ret.second=(!strcmp(i->second.first,"true") || !strcmp(i->second.first,"1"));
- }
- return ret;
-}
-
-pair<bool,const char*> XMLPropertySet::getString(const char* name, const char* ns) const
-{
- pair<bool,const char*> ret(false,NULL);
- map<string,pair<char*,const XMLCh*> >::const_iterator i;
-
- if (ns)
- i=m_map.find(string("{") + ns + '}' + name);
- else
- i=m_map.find(name);
-
- if (i!=m_map.end()) {
- ret.first=true;
- ret.second=i->second.first;
- }
- return ret;
-}
-
-pair<bool,const XMLCh*> XMLPropertySet::getXMLString(const char* name, const char* ns) const
-{
- pair<bool,const XMLCh*> ret(false,NULL);
- map<string,pair<char*,const XMLCh*> >::const_iterator i;
- if (ns)
- i=m_map.find(string("{") + ns + '}' + name);
- else
- i=m_map.find(name);
-
- if (i!=m_map.end()) {
- ret.first=true;
- ret.second=i->second.second;
- }
- return ret;
-}
-
-pair<bool,unsigned int> XMLPropertySet::getUnsignedInt(const char* name, const char* ns) const
-{
- pair<bool,unsigned int> ret(false,0);
- map<string,pair<char*,const XMLCh*> >::const_iterator i;
-
- if (ns)
- i=m_map.find(string("{") + ns + '}' + name);
- else
- i=m_map.find(name);
-
- if (i!=m_map.end()) {
- ret.first=true;
- ret.second=strtol(i->second.first,NULL,10);
- }
- return ret;
-}
+ protected:
+ pair<bool,DOMElement*> load();
-pair<bool,int> XMLPropertySet::getInt(const char* name, const char* ns) const
-{
- pair<bool,int> ret(false,0);
- map<string,pair<char*,const XMLCh*> >::const_iterator i;
+ private:
+ friend class XMLConfigImpl;
+ XMLConfigImpl* m_impl;
+ mutable ListenerService* m_listener;
+ mutable SessionCache* m_sessionCache;
+ };
- if (ns)
- i=m_map.find(string("{") + ns + '}' + name);
- else
- i=m_map.find(name);
+#if defined (_MSC_VER)
+ #pragma warning( pop )
+#endif
- if (i!=m_map.end()) {
- ret.first=true;
- ret.second=atoi(i->second.first);
- }
- return ret;
+ static const XMLCh AAPProvider[] = UNICODE_LITERAL_11(A,A,P,P,r,o,v,i,d,e,r);
+ static const XMLCh _Application[] = UNICODE_LITERAL_11(A,p,p,l,i,c,a,t,i,o,n);
+ static const XMLCh Applications[] = UNICODE_LITERAL_12(A,p,p,l,i,c,a,t,i,o,n,s);
+ static const XMLCh AttributeFactory[] = UNICODE_LITERAL_16(A,t,t,r,i,b,u,t,e,F,a,c,t,o,r,y);
+ static const XMLCh Credentials[] = UNICODE_LITERAL_11(C,r,e,d,e,n,t,i,a,l,s);
+ static const XMLCh CredentialsProvider[] = UNICODE_LITERAL_19(C,r,e,d,e,n,t,i,a,l,s,P,r,o,v,i,d,e,r);
+ static const XMLCh CredentialUse[] = UNICODE_LITERAL_13(C,r,e,d,e,n,t,i,a,l,U,s,e);
+ static const XMLCh DiagnosticService[] = UNICODE_LITERAL_17(D,i,a,g,n,o,s,t,i,c,S,e,r,v,i,c,e);
+ static const XMLCh fatal[] = UNICODE_LITERAL_5(f,a,t,a,l);
+ static const XMLCh FileResolver[] = UNICODE_LITERAL_12(F,i,l,e,R,e,s,o,l,v,e,r);
+ static const XMLCh Global[] = UNICODE_LITERAL_6(G,l,o,b,a,l);
+ static const XMLCh Id[] = UNICODE_LITERAL_2(I,d);
+ static const XMLCh Implementation[] = UNICODE_LITERAL_14(I,m,p,l,e,m,e,n,t,a,t,i,o,n);
+ static const XMLCh InProcess[] = UNICODE_LITERAL_9(I,n,P,r,o,c,e,s,s);
+ static const XMLCh Library[] = UNICODE_LITERAL_7(L,i,b,r,a,r,y);
+ static const XMLCh Listener[] = UNICODE_LITERAL_8(L,i,s,t,e,n,e,r);
+ static const XMLCh Local[] = UNICODE_LITERAL_5(L,o,c,a,l);
+ static const XMLCh logger[] = UNICODE_LITERAL_6(l,o,g,g,e,r);
+ static const XMLCh MemoryListener[] = UNICODE_LITERAL_14(M,e,m,o,r,y,L,i,s,t,e,n,e,r);
+ static const XMLCh MemorySessionCache[] = UNICODE_LITERAL_18(M,e,m,o,r,y,S,e,s,s,i,o,n,C,a,c,h,e);
+ static const XMLCh RelyingParty[] = UNICODE_LITERAL_12(R,e,l,y,i,n,g,P,a,r,t,y);
+ static const XMLCh ReplayCache[] = UNICODE_LITERAL_11(R,e,p,l,a,y,C,a,c,h,e);
+ static const XMLCh RequestMapProvider[] = UNICODE_LITERAL_18(R,e,q,u,e,s,t,M,a,p,P,r,o,v,i,d,e,r);
+ static const XMLCh SessionCache[] = UNICODE_LITERAL_12(S,e,s,s,i,o,n,C,a,c,h,e);
+ static const XMLCh SessionInitiator[] = UNICODE_LITERAL_16(S,e,s,s,i,o,n,I,n,i,t,i,a,t,o,r);
+ static const XMLCh OutOfProcess[] = UNICODE_LITERAL_12(O,u,t,O,f,P,r,o,c,e,s,s);
+ static const XMLCh TCPListener[] = UNICODE_LITERAL_11(T,C,P,L,i,s,t,e,n,e,r);
+ static const XMLCh TrustProvider[] = UNICODE_LITERAL_13(T,r,u,s,t,P,r,o,v,i,d,e,r);
+ static const XMLCh UnixListener[] = UNICODE_LITERAL_12(U,n,i,x,L,i,s,t,e,n,e,r);
+ static const XMLCh _MetadataProvider[] = UNICODE_LITERAL_16(M,e,t,a,d,a,t,a,P,r,o,v,i,d,e,r);
+ static const XMLCh _path[] = UNICODE_LITERAL_4(p,a,t,h);
+ static const XMLCh _type[] = UNICODE_LITERAL_4(t,y,p,e);
+
}
-const IPropertySet* XMLPropertySet::getPropertySet(const char* name, const char* ns) const
+ServiceProvider* shibtarget::XMLServiceProviderFactory(const DOMElement* const & e)
{
- map<string,IPropertySet*>::const_iterator i;
-
- if (ns)
- i=m_nested.find(string("{") + ns + '}' + name);
- else
- i=m_nested.find(name);
-
- return (i!=m_nested.end()) ? i->second : NULL;
+ return new XMLConfig(e);
}
XMLApplication::XMLApplication(
- const IConfig* ini,
- const Iterator<ICredentials*>& creds,
+ const ServiceProvider* sp,
const DOMElement* e,
const XMLApplication* base
- ) : m_ini(ini), m_base(base), m_profile(NULL), m_binding(NULL), m_bindingHook(NULL),
+ ) : m_sp(sp), m_base(base), m_metadata(NULL), m_trust(NULL), m_profile(NULL), m_binding(NULL), m_bindingHook(NULL),
m_credDefault(NULL), m_sessionInitDefault(NULL), m_acsDefault(NULL)
{
#ifdef _DEBUG
- saml::NDC ndc("XMLApplication");
+ xmltooling::NDC ndc("XMLApplication");
#endif
- Category& log=Category::getInstance("shibtarget.XMLApplication");
+ Category& log=Category::getInstance(SHIBT_LOGCAT".Application");
try {
// First load any property sets.
root_remap["shireURL"]="handlerURL";
root_remap["shireSSL"]="handlerSSL";
load(e,log,this,&root_remap);
- const IPropertySet* propcheck=getPropertySet("Errors");
+
+ const PropertySet* propcheck=getPropertySet("Errors");
if (propcheck && !propcheck->getString("session").first)
throw ConfigurationException("<Errors> element requires 'session' (or deprecated 'shire') attribute");
propcheck=getPropertySet("Sessions");
if (propcheck && !propcheck->getString("handlerURL").first)
throw ConfigurationException("<Sessions> element requires 'handlerURL' (or deprecated 'shireURL') attribute");
+ SPConfig& conf=SPConfig::getConfig();
+ XMLToolingConfig& xmlConf=XMLToolingConfig::getConfig();
+ opensaml::SAMLConfig& samlConf=opensaml::SAMLConfig::getConfig();
+ SAMLConfig& shibConf=SAMLConfig::getConfig();
+
m_hash=getId();
m_hash+=getString("providerId").second;
- m_hash=SAMLArtifact::toHex(SAMLArtifactType0001::generateSourceId(m_hash.c_str()));
-
- ShibTargetConfig& conf=ShibTargetConfig::getConfig();
- SAMLConfig& shibConf=SAMLConfig::getConfig();
+ m_hash=samlConf.hashSHA1(m_hash.c_str(), true);
// Process handlers.
+ Handler* handler=NULL;
bool hardACS=false, hardSessionInit=false;
- DOMElement* handler=saml::XML::getFirstChildElement(propcheck->getElement());
- while (handler) {
- // A handler is split across a property set and the plugin itself, which is based on the Binding property.
- // We build both objects first and then insert them into various structures for lookup.
- IHandler* hobj=NULL;
- XMLPropertySet* hprops=new XMLPropertySet();
- try {
- hprops->load(handler,log,this); // filter irrelevant for now, no embedded elements expected
- const char* bindprop=hprops->getString("Binding").second;
- if (!bindprop)
- throw ConfigurationException("Handler element has no Binding attribute, skipping it...");
- IPlugIn* hplug=shibConf.getPlugMgr().newPlugin(bindprop,handler);
- hobj=dynamic_cast<IHandler*>(hplug);
- if (!hobj) {
- delete hplug;
- throw UnsupportedProfileException(
- "Plugin for binding ($1) does not implement IHandler interface.",params(1,bindprop)
- );
- }
- }
- catch (SAMLException& ex) {
- // If we get here, the handler's not built, so dispose of the property set.
- log.error("caught exception processing a handler element: %s",ex.what());
- delete hprops;
- hprops=NULL;
- }
-
- const char* location=hprops ? hprops->getString("Location").second : NULL;
- if (!location) {
- delete hprops;
- hprops=NULL;
- handler=saml::XML::getNextSiblingElement(handler);
+ const DOMElement* child = XMLHelper::getFirstChildElement(propcheck->getElement());
+ while (child) {
+ xmltooling::auto_ptr_char bindprop(child->getAttributeNS(NULL,EndpointType::BINDING_ATTRIB_NAME));
+ if (!bindprop.get() || !*(bindprop.get())) {
+ log.warn("md:AssertionConsumerService element has no Binding attribute, skipping it...");
+ child = XMLHelper::getNextSiblingElement(child);
continue;
}
- // Save off the objects after giving the property set to the handler for its use.
- hobj->setProperties(hprops);
- m_handlers.push_back(hobj);
- m_handlerProps.push_back(hprops);
-
- // Insert into location map.
- if (*location == '/')
- m_handlerMap[location]=hobj;
- else
- m_handlerMap[string("/") + location]=hobj;
-
- // If it's an ACS or SI, handle index/id mappings and defaulting.
- if (saml::XML::isElementNamed(handler,shibtarget::XML::SAML2META_NS,SHIBT_L(AssertionConsumerService))) {
- // Map it.
+ try {
+ // A handler is based on the Binding property in conjunction with the element name.
+ // If it's an ACS or SI, also handle index/id mappings and defaulting.
+ if (XMLHelper::isNodeNamed(child,samlconstants::SAML20MD_NS,AssertionConsumerService::LOCAL_NAME)) {
+ handler=conf.AssertionConsumerServiceManager.newPlugin(bindprop.get(),child);
+ // Map by binding (may be > 1 per binding, e.g. SAML 1.0 vs 1.1)
#ifdef HAVE_GOOD_STL
- const XMLCh* binding=hprops->getXMLString("Binding").second;
+ m_acsBindingMap[handler->getXMLString("Binding").second].push_back(handler);
#else
- const char* binding=hprops->getString("Binding").second;
+ m_acsBindingMap[handler->getString("Binding").second].push_back(handler);
#endif
- if (m_acsBindingMap.count(binding)==0)
- m_acsBindingMap[binding]=vector<const IHandler*>(1,hobj);
- else
- m_acsBindingMap[binding].push_back(hobj);
- m_acsIndexMap[hprops->getUnsignedInt("index").second]=hobj;
-
- if (!hardACS) {
- pair<bool,bool> defprop=hprops->getBool("isDefault");
- if (defprop.first) {
- if (defprop.second) {
- hardACS=true;
- m_acsDefault=hobj;
+ m_acsIndexMap[handler->getUnsignedInt("index").second]=handler;
+
+ if (!hardACS) {
+ pair<bool,bool> defprop=handler->getBool("isDefault");
+ if (defprop.first) {
+ if (defprop.second) {
+ hardACS=true;
+ m_acsDefault=handler;
+ }
}
+ else if (!m_acsDefault)
+ m_acsDefault=handler;
}
- else if (!m_acsDefault)
- m_acsDefault=hobj;
}
- }
- else if (saml::XML::isElementNamed(handler,shibtarget::XML::SHIBTARGET_NS,SHIBT_L(SessionInitiator))) {
- pair<bool,const char*> si_id=hprops->getString("id");
- if (si_id.first && si_id.second)
- m_sessionInitMap[si_id.second]=hobj;
- if (!hardSessionInit) {
- pair<bool,bool> defprop=hprops->getBool("isDefault");
- if (defprop.first) {
- if (defprop.second) {
- hardSessionInit=true;
- m_sessionInitDefault=hobj;
+ else if (XMLString::equals(child->getLocalName(),SessionInitiator)) {
+ handler=conf.SessionInitiatorManager.newPlugin(bindprop.get(),child);
+ pair<bool,const char*> si_id=handler->getString("id");
+ if (si_id.first && si_id.second)
+ m_sessionInitMap[si_id.second]=handler;
+ if (!hardSessionInit) {
+ pair<bool,bool> defprop=handler->getBool("isDefault");
+ if (defprop.first) {
+ if (defprop.second) {
+ hardSessionInit=true;
+ m_sessionInitDefault=handler;
+ }
}
+ else if (!m_sessionInitDefault)
+ m_sessionInitDefault=handler;
}
- else if (!m_sessionInitDefault)
- m_sessionInitDefault=hobj;
}
+ else if (XMLHelper::isNodeNamed(child,samlconstants::SAML20MD_NS,SingleLogoutService::LOCAL_NAME)) {
+ handler=conf.SingleLogoutServiceManager.newPlugin(bindprop.get(),child);
+ }
+ else if (XMLHelper::isNodeNamed(child,samlconstants::SAML20MD_NS,ManageNameIDService::LOCAL_NAME)) {
+ handler=conf.ManageNameIDServiceManager.newPlugin(bindprop.get(),child);
+ }
+ else {
+ handler=conf.HandlerManager.newPlugin(bindprop.get(),child);
+ }
+ }
+ catch (exception& ex) {
+ log.error("caught exception processing md:AssertionConsumerService element: %s",ex.what());
}
- handler=saml::XML::getNextSiblingElement(handler);
+
+ // Save off the objects after giving the property set to the handler for its use.
+ m_handlers.push_back(handler);
+
+ // Insert into location map.
+ pair<bool,const char*> location=handler->getString("Location");
+ if (location.first && *location.second == '/')
+ m_handlerMap[location.second]=handler;
+ else if (location.first)
+ m_handlerMap[string("/") + location.second]=handler;
+
+ child = XMLHelper::getNextSiblingElement(child);
}
// If no handlers defined at the root, assume a legacy configuration.
if (!m_base && m_handlers.empty()) {
// A legacy config installs a SAML POST handler at the root handler location.
- // We use the Sessions element itself as the IPropertySet.
-
- auto_ptr_char b1(Constants::SHIB_SESSIONINIT_PROFILE_URI);
- IPlugIn* hplug=shibConf.getPlugMgr().newPlugin(b1.get(),propcheck->getElement());
- IHandler* h1=dynamic_cast<IHandler*>(hplug);
- if (!h1) {
- delete hplug;
- throw UnsupportedProfileException(
- "Plugin for binding ($1) does not implement IHandler interface.",params(1,b1.get())
- );
- }
- h1->setProperties(propcheck);
+ // We use the Sessions element itself as the PropertySet.
+ Handler* h1=conf.SessionInitiatorManager.newPlugin(
+ shibspconstants::SHIB1_SESSIONINIT_PROFILE_URI,propcheck->getElement()
+ );
m_handlers.push_back(h1);
m_sessionInitDefault=h1;
- auto_ptr_char b2(SAMLBrowserProfile::BROWSER_POST);
- hplug=shibConf.getPlugMgr().newPlugin(b2.get(),propcheck->getElement());
- IHandler* h2=dynamic_cast<IHandler*>(hplug);
- if (!h2) {
- delete hplug;
- throw UnsupportedProfileException(
- "Plugin for binding ($1) does not implement IHandler interface.",params(1,b2.get())
- );
- }
- h2->setProperties(propcheck);
+ Handler* h2=conf.AssertionConsumerServiceManager.newPlugin(
+ samlconstants::SAML1_PROFILE_BROWSER_POST,propcheck->getElement()
+ );
m_handlers.push_back(h2);
m_handlerMap[""] = h2;
m_acsDefault=h2;
}
- // Process general configuration elements.
- unsigned int i;
- DOMNodeList* nlist=e->getElementsByTagNameNS(saml::XML::SAML_NS,L(AttributeDesignator));
- for (i=0; nlist && i<nlist->getLength(); i++)
- if (nlist->item(i)->getParentNode()->isSameNode(e))
- m_designators.push_back(new SAMLAttributeDesignator(static_cast<DOMElement*>(nlist->item(i))));
-
- nlist=e->getElementsByTagNameNS(saml::XML::SAML_NS,L(Audience));
- for (i=0; nlist && i<nlist->getLength(); i++)
- if (nlist->item(i)->getParentNode()->isSameNode(e))
+ DOMNodeList* nlist=e->getElementsByTagNameNS(samlconstants::SAML1_NS,Audience::LOCAL_NAME);
+ for (XMLSize_t i=0; nlist && i<nlist->getLength(); i++)
+ if (nlist->item(i)->getParentNode()->isSameNode(e) && nlist->item(i)->hasChildNodes())
m_audiences.push_back(nlist->item(i)->getFirstChild()->getNodeValue());
// Always include our own providerId as an audience.
m_audiences.push_back(getXMLString("providerId").second);
- if (conf.isEnabled(ShibTargetConfig::AAP)) {
- nlist=e->getElementsByTagNameNS(shibtarget::XML::SHIBTARGET_NS,SHIBT_L(AAPProvider));
- for (i=0; nlist && i<nlist->getLength(); i++) {
- if (nlist->item(i)->getParentNode()->isSameNode(e)) {
- auto_ptr_char type(static_cast<DOMElement*>(nlist->item(i))->getAttributeNS(NULL,SHIBT_L(type)));
- log.info("building AAP provider of type %s...",type.get());
- try {
- IPlugIn* plugin=shibConf.getPlugMgr().newPlugin(type.get(),static_cast<DOMElement*>(nlist->item(i)));
- IAAP* aap=dynamic_cast<IAAP*>(plugin);
- if (aap)
- m_aaps.push_back(aap);
- else {
- delete plugin;
- log.crit("plugin was not an AAP provider");
- }
- }
- catch (SAMLException& ex) {
- log.crit("error building AAP provider: %s",ex.what());
+ if (conf.isEnabled(SPConfig::AAP)) {
+ child = XMLHelper::getFirstChildElement(e,AAPProvider);
+ while (child) {
+ xmltooling::auto_ptr_char type(child->getAttributeNS(NULL,_type));
+ log.info("building AAP provider of type %s...",type.get());
+ try {
+ IPlugIn* plugin=shibConf.getPlugMgr().newPlugin(type.get(),child);
+ IAAP* aap=dynamic_cast<IAAP*>(plugin);
+ if (aap)
+ m_aaps.push_back(aap);
+ else {
+ delete plugin;
+ log.crit("plugin was not an AAP provider");
}
}
+ catch (exception& ex) {
+ log.crit("error building AAP provider: %s", ex.what());
+ }
+
+ child = XMLHelper::getNextSiblingElement(child,AAPProvider);
}
}
- if (conf.isEnabled(ShibTargetConfig::Metadata)) {
- nlist=e->getElementsByTagNameNS(shibtarget::XML::SHIBTARGET_NS,SHIBT_L(MetadataProvider));
- for (i=0; nlist && i<nlist->getLength(); i++) {
- if (nlist->item(i)->getParentNode()->isSameNode(e)) {
- auto_ptr_char type(static_cast<DOMElement*>(nlist->item(i))->getAttributeNS(NULL,SHIBT_L(type)));
- log.info("building metadata provider of type %s...",type.get());
- try {
- IPlugIn* plugin=shibConf.getPlugMgr().newPlugin(type.get(),static_cast<DOMElement*>(nlist->item(i)));
- IMetadata* md=dynamic_cast<IMetadata*>(plugin);
- if (md)
- m_metadatas.push_back(md);
- else {
- delete plugin;
- log.crit("plugin was not a metadata provider");
- }
- }
- catch (SAMLException& ex) {
- log.crit("error building metadata provider: %s",ex.what());
- }
+ if (conf.isEnabled(SPConfig::Metadata)) {
+ vector<MetadataProvider*> os2providers;
+ child = XMLHelper::getFirstChildElement(e,_MetadataProvider);
+ while (child) {
+ xmltooling::auto_ptr_char type(child->getAttributeNS(NULL,_type));
+ log.info("building metadata provider of type %s...",type.get());
+ try {
+ auto_ptr<MetadataProvider> mp(samlConf.MetadataProviderManager.newPlugin(type.get(),child));
+ mp->init();
+ os2providers.push_back(mp.release());
}
+ catch (exception& ex) {
+ log.crit("error building/initializing metadata provider: %s", ex.what());
+ }
+
+ child = XMLHelper::getNextSiblingElement(child,_MetadataProvider);
}
- nlist=e->getElementsByTagNameNS(shibtarget::XML::SHIBTARGET_NS,SHIBT_L(FederationProvider));
- for (i=0; nlist && i<nlist->getLength(); i++) {
- if (nlist->item(i)->getParentNode()->isSameNode(e)) {
- auto_ptr_char type(static_cast<DOMElement*>(nlist->item(i))->getAttributeNS(NULL,SHIBT_L(type)));
- log.info("building metadata provider of type %s...",type.get());
- try {
- IPlugIn* plugin=shibConf.getPlugMgr().newPlugin(type.get(),static_cast<DOMElement*>(nlist->item(i)));
- IMetadata* md=dynamic_cast<IMetadata*>(plugin);
- if (md)
- m_metadatas.push_back(md);
- else {
- delete plugin;
- log.crit("plugin was not a metadata provider");
- }
- }
- catch (SAMLException& ex) {
- log.crit("error building metadata provider: %s",ex.what());
+
+ if (os2providers.size()==1)
+ m_metadata=os2providers.front();
+ else if (os2providers.size()>1) {
+ try {
+ m_metadata = samlConf.MetadataProviderManager.newPlugin(CHAINING_METADATA_PROVIDER,NULL);
+ ChainingMetadataProvider* chainMeta = dynamic_cast<ChainingMetadataProvider*>(m_metadata);
+ while (!os2providers.empty()) {
+ chainMeta->addMetadataProvider(os2providers.back());
+ os2providers.pop_back();
}
}
+ catch (exception& ex) {
+ log.crit("error building chaining metadata provider wrapper: %s",ex.what());
+ for_each(os2providers.begin(), os2providers.end(), xmltooling::cleanup<MetadataProvider>());
+ }
}
}
- if (conf.isEnabled(ShibTargetConfig::Trust)) {
- nlist=e->getElementsByTagNameNS(shibtarget::XML::SHIBTARGET_NS,SHIBT_L(TrustProvider));
- for (i=0; nlist && i<nlist->getLength(); i++) {
- if (nlist->item(i)->getParentNode()->isSameNode(e)) {
- auto_ptr_char type(static_cast<DOMElement*>(nlist->item(i))->getAttributeNS(NULL,SHIBT_L(type)));
- log.info("building trust provider of type %s...",type.get());
- try {
- IPlugIn* plugin=shibConf.getPlugMgr().newPlugin(type.get(),static_cast<DOMElement*>(nlist->item(i)));
- ITrust* trust=dynamic_cast<ITrust*>(plugin);
- if (trust)
- m_trusts.push_back(trust);
- else {
- delete plugin;
- log.crit("plugin was not a trust provider");
- }
+ if (conf.isEnabled(SPConfig::Trust)) {
+ ChainingTrustEngine* chainTrust = NULL;
+ child = XMLHelper::getFirstChildElement(e,TrustProvider);
+ while (child) {
+ xmltooling::auto_ptr_char type(child->getAttributeNS(NULL,_type));
+ log.info("building trust provider of type %s...",type.get());
+ try {
+ if (!m_trust) {
+ // For compatibility with old engine types, we're assuming a Shib engine is likely,
+ // which requires chaining, so we'll build that regardless.
+ m_trust = xmlConf.TrustEngineManager.newPlugin(CHAINING_TRUSTENGINE,NULL);
+ chainTrust = dynamic_cast<ChainingTrustEngine*>(m_trust);
+ }
+ if (!strcmp(type.get(),"edu.internet2.middleware.shibboleth.common.provider.ShibbolethTrust")) {
+ chainTrust->addTrustEngine(xmlConf.TrustEngineManager.newPlugin(EXPLICIT_KEY_TRUSTENGINE,child));
+ chainTrust->addTrustEngine(xmlConf.TrustEngineManager.newPlugin(SHIBBOLETH_PKIX_TRUSTENGINE,child));
+ }
+ else if (!strcmp(type.get(),"edu.internet2.middleware.shibboleth.common.provider.BasicTrust")) {
+ chainTrust->addTrustEngine(xmlConf.TrustEngineManager.newPlugin(EXPLICIT_KEY_TRUSTENGINE,child));
}
- catch (SAMLException& ex) {
- log.crit("error building trust provider: %s",ex.what());
+ else {
+ chainTrust->addTrustEngine(xmlConf.TrustEngineManager.newPlugin(type.get(),child));
}
}
+ catch (exception& ex) {
+ log.crit("error building trust provider: %s",ex.what());
+ }
+
+ child = XMLHelper::getNextSiblingElement(child,TrustProvider);
}
}
// Finally, load credential mappings.
- const DOMElement* cu=saml::XML::getFirstChildElement(e,shibtarget::XML::SHIBTARGET_NS,SHIBT_L(CredentialUse));
- if (cu) {
- m_credDefault=new XMLPropertySet();
- m_credDefault->load(cu,log,this);
- cu=saml::XML::getFirstChildElement(cu,shibtarget::XML::SHIBTARGET_NS,SHIBT_L(RelyingParty));
- while (cu) {
- XMLPropertySet* rp=new XMLPropertySet();
- rp->load(cu,log,this);
- m_credMap[cu->getAttributeNS(NULL,SHIBT_L(Name))]=rp;
- cu=saml::XML::getNextSiblingElement(cu,shibtarget::XML::SHIBTARGET_NS,SHIBT_L(RelyingParty));
+ child = XMLHelper::getFirstChildElement(e,CredentialUse);
+ if (child) {
+ m_credDefault=new DOMPropertySet();
+ m_credDefault->load(child,log,this);
+ child = XMLHelper::getFirstChildElement(child,RelyingParty);
+ while (child) {
+ DOMPropertySet* rp=new DOMPropertySet();
+ rp->load(child,log,this);
+ m_credMap[child->getAttributeNS(NULL,opensaml::saml2::Attribute::NAME_ATTRIB_NAME)]=rp;
+ child = XMLHelper::getNextSiblingElement(child,RelyingParty);
}
}
- if (conf.isEnabled(ShibTargetConfig::OutOfProcess)) {
+ if (conf.isEnabled(SPConfig::OutOfProcess)) {
// Really finally, build local browser profile and binding objects.
- m_profile=new ShibBrowserProfile(
- this,
- getMetadataProviders(),
- getTrustProviders()
- );
- m_bindingHook=new ShibHTTPHook(
- getTrustProviders(),
- creds
- );
+ m_profile=new ShibBrowserProfile(this, getMetadataProvider(), getTrustEngine());
+ m_bindingHook=new ShibHTTPHook(getTrustEngine());
m_binding=SAMLBinding::getInstance(SAMLBinding::SOAP);
SAMLSOAPHTTPBinding* bptr=dynamic_cast<SAMLSOAPHTTPBinding*>(m_binding);
if (!bptr) {
log.fatal("binding implementation was not SOAP over HTTP");
- throw UnsupportedExtensionException("binding implementation was not SOAP over HTTP");
+ throw UnknownExtensionException("binding implementation was not SOAP over HTTP");
}
bptr->addHook(m_bindingHook,m_bindingHook); // the hook is its own global context
}
}
- catch (SAMLException& e) {
- log.errorStream() << "Error while processing applicaton element: " << e.what() << CategoryStream::ENDLINE;
+ catch (exception&) {
cleanup();
throw;
}
#ifndef _DEBUG
catch (...) {
- log.error("Unexpected error while processing application element");
cleanup();
throw;
}
delete m_bindingHook;
delete m_binding;
delete m_profile;
- for_each(m_handlers.begin(),m_handlers.end(),shibtarget::cleanup<IHandler>());
-
+ for_each(m_handlers.begin(),m_handlers.end(),xmltooling::cleanup<Handler>());
+
delete m_credDefault;
#ifdef HAVE_GOOD_STL
- for_each(m_credMap.begin(),m_credMap.end(),shibtarget::cleanup_pair<xstring,XMLPropertySet>());
+ for_each(m_credMap.begin(),m_credMap.end(),xmltooling::cleanup_pair<xmltooling::xstring,PropertySet>());
#else
- for_each(m_credMap.begin(),m_credMap.end(),shibtarget::cleanup_pair<const XMLCh*,XMLPropertySet>());
+ for_each(m_credMap.begin(),m_credMap.end(),xmltooling::cleanup_pair<const XMLCh*,PropertySet>());
#endif
- for_each(m_designators.begin(),m_designators.end(),shibtarget::cleanup<SAMLAttributeDesignator>());
- for_each(m_aaps.begin(),m_aaps.end(),shibtarget::cleanup<IAAP>());
- for_each(m_metadatas.begin(),m_metadatas.end(),shibtarget::cleanup<IMetadata>());
- for_each(m_trusts.begin(),m_trusts.end(),shibtarget::cleanup<ITrust>());
+ for_each(m_aaps.begin(),m_aaps.end(),xmltooling::cleanup<IAAP>());
+
+ delete m_trust;
+ delete m_metadata;
}
short XMLApplication::acceptNode(const DOMNode* node) const
{
- if (saml::XML::isElementNamed(static_cast<const DOMElement*>(node),saml::XML::SAML_NS,L(AttributeDesignator)))
+ if (XMLHelper::isNodeNamed(node,samlconstants::SAML1_NS,AttributeDesignator::LOCAL_NAME))
+ return FILTER_REJECT;
+ else if (XMLHelper::isNodeNamed(node,samlconstants::SAML20_NS,Attribute::LOCAL_NAME))
return FILTER_REJECT;
- else if (saml::XML::isElementNamed(static_cast<const DOMElement*>(node),saml::XML::SAML_NS,L(Audience)))
+ else if (XMLHelper::isNodeNamed(node,samlconstants::SAML1_NS,Audience::LOCAL_NAME))
return FILTER_REJECT;
const XMLCh* name=node->getLocalName();
- if (!XMLString::compareString(name,SHIBT_L(Application)) ||
- !XMLString::compareString(name,SHIBT_L(AssertionConsumerService)) ||
- !XMLString::compareString(name,SHIBT_L(SingleLogoutService)) ||
- !XMLString::compareString(name,SHIBT_L(DiagnosticService)) ||
- !XMLString::compareString(name,SHIBT_L(SessionInitiator)) ||
- !XMLString::compareString(name,SHIBT_L(AAPProvider)) ||
- !XMLString::compareString(name,SHIBT_L(CredentialUse)) ||
- !XMLString::compareString(name,SHIBT_L(RelyingParty)) ||
- !XMLString::compareString(name,SHIBT_L(FederationProvider)) ||
- !XMLString::compareString(name,SHIBT_L(MetadataProvider)) ||
- !XMLString::compareString(name,SHIBT_L(TrustProvider)))
+ if (XMLString::equals(name,_Application) ||
+ XMLString::equals(name,AssertionConsumerService::LOCAL_NAME) ||
+ XMLString::equals(name,SingleLogoutService::LOCAL_NAME) ||
+ XMLString::equals(name,DiagnosticService) ||
+ XMLString::equals(name,SessionInitiator) ||
+ XMLString::equals(name,AAPProvider) ||
+ XMLString::equals(name,CredentialUse) ||
+ XMLString::equals(name,RelyingParty) ||
+ XMLString::equals(name,_MetadataProvider) ||
+ XMLString::equals(name,TrustProvider))
return FILTER_REJECT;
return FILTER_ACCEPT;
pair<bool,bool> XMLApplication::getBool(const char* name, const char* ns) const
{
- pair<bool,bool> ret=XMLPropertySet::getBool(name,ns);
+ pair<bool,bool> ret=DOMPropertySet::getBool(name,ns);
if (ret.first)
return ret;
return m_base ? m_base->getBool(name,ns) : ret;
pair<bool,const char*> XMLApplication::getString(const char* name, const char* ns) const
{
- pair<bool,const char*> ret=XMLPropertySet::getString(name,ns);
+ pair<bool,const char*> ret=DOMPropertySet::getString(name,ns);
if (ret.first)
return ret;
return m_base ? m_base->getString(name,ns) : ret;
pair<bool,const XMLCh*> XMLApplication::getXMLString(const char* name, const char* ns) const
{
- pair<bool,const XMLCh*> ret=XMLPropertySet::getXMLString(name,ns);
+ pair<bool,const XMLCh*> ret=DOMPropertySet::getXMLString(name,ns);
if (ret.first)
return ret;
return m_base ? m_base->getXMLString(name,ns) : ret;
pair<bool,unsigned int> XMLApplication::getUnsignedInt(const char* name, const char* ns) const
{
- pair<bool,unsigned int> ret=XMLPropertySet::getUnsignedInt(name,ns);
+ pair<bool,unsigned int> ret=DOMPropertySet::getUnsignedInt(name,ns);
if (ret.first)
return ret;
return m_base ? m_base->getUnsignedInt(name,ns) : ret;
pair<bool,int> XMLApplication::getInt(const char* name, const char* ns) const
{
- pair<bool,int> ret=XMLPropertySet::getInt(name,ns);
+ pair<bool,int> ret=DOMPropertySet::getInt(name,ns);
if (ret.first)
return ret;
return m_base ? m_base->getInt(name,ns) : ret;
}
-const IPropertySet* XMLApplication::getPropertySet(const char* name, const char* ns) const
+const PropertySet* XMLApplication::getPropertySet(const char* name, const char* ns) const
{
- const IPropertySet* ret=XMLPropertySet::getPropertySet(name,ns);
+ const PropertySet* ret=DOMPropertySet::getPropertySet(name,ns);
if (ret || !m_base)
return ret;
return m_base->getPropertySet(name,ns);
}
-Iterator<SAMLAttributeDesignator*> XMLApplication::getAttributeDesignators() const
-{
- if (!m_designators.empty() || !m_base)
- return m_designators;
- return m_base->getAttributeDesignators();
-}
-
Iterator<IAAP*> XMLApplication::getAAPProviders() const
{
return (m_aaps.empty() && m_base) ? m_base->getAAPProviders() : m_aaps;
}
-Iterator<IMetadata*> XMLApplication::getMetadataProviders() const
+MetadataProvider* XMLApplication::getMetadataProvider() const
{
- return (m_metadatas.empty() && m_base) ? m_base->getMetadataProviders() : m_metadatas;
+ return (!m_metadata && m_base) ? m_base->getMetadataProvider() : m_metadata;
}
-Iterator<ITrust*> XMLApplication::getTrustProviders() const
+TrustEngine* XMLApplication::getTrustEngine() const
{
- return (m_trusts.empty() && m_base) ? m_base->getTrustProviders() : m_trusts;
+ return (!m_trust && m_base) ? m_base->getTrustEngine() : m_trust;
}
-Iterator<const XMLCh*> XMLApplication::getAudiences() const
+const vector<const XMLCh*>& XMLApplication::getAudiences() const
{
return (m_audiences.empty() && m_base) ? m_base->getAudiences() : m_audiences;
}
-const IPropertySet* XMLApplication::getCredentialUse(const IEntityDescriptor* provider) const
+const PropertySet* XMLApplication::getCredentialUse(const EntityDescriptor* provider) const
{
if (!m_credDefault && m_base)
return m_base->getCredentialUse(provider);
#ifdef HAVE_GOOD_STL
- map<xstring,XMLPropertySet*>::const_iterator i=m_credMap.find(provider->getId());
+ map<xmltooling::xstring,PropertySet*>::const_iterator i=m_credMap.find(provider->getEntityID());
if (i!=m_credMap.end())
return i->second;
- const IEntitiesDescriptor* group=provider->getEntitiesDescriptor();
+ const EntitiesDescriptor* group=dynamic_cast<const EntitiesDescriptor*>(provider->getParent());
while (group) {
if (group->getName()) {
i=m_credMap.find(group->getName());
if (i!=m_credMap.end())
return i->second;
}
- group=group->getEntitiesDescriptor();
+ group=dynamic_cast<const EntitiesDescriptor*>(group->getParent());
}
#else
- map<const XMLCh*,XMLPropertySet*>::const_iterator i=m_credMap.begin();
+ map<const XMLCh*,PropertySet*>::const_iterator i=m_credMap.begin();
for (; i!=m_credMap.end(); i++) {
- if (!XMLString::compareString(i->first,provider->getId()))
+ if (XMLString::equals(i->first,provider->getId()))
return i->second;
- const IEntitiesDescriptor* group=provider->getEntitiesDescriptor();
+ const EntitiesDescriptor* group=dynamic_cast<const EntitiesDescriptor*>(provider->getParent());
while (group) {
- if (!XMLString::compareString(i->first,group->getName()))
+ if (XMLString::equals(i->first,group->getName()))
return i->second;
- group=group->getEntitiesDescriptor();
+ group=dynamic_cast<const EntitiesDescriptor*>(group->getParent());
}
}
#endif
return m_credDefault;
}
-void XMLApplication::validateToken(SAMLAssertion* token, time_t ts, const IRoleDescriptor* role, const Iterator<ITrust*>& trusts) const
+void XMLApplication::validateToken(SAMLAssertion* token, time_t ts, const RoleDescriptor* role, const TrustEngine* trust) const
{
#ifdef _DEBUG
- saml::NDC ndc("validateToken");
+ xmltooling::NDC ndc("validateToken");
#endif
- Category& log=Category::getInstance("shibtarget.XMLApplication");
+ Category& log=Category::getInstance(SHIBT_LOGCAT".Application");
// First we verify the time conditions, using the specified timestamp, if non-zero.
SAMLConfig& config=SAMLConfig::getConfig();
if (ts>0) {
const SAMLDateTime* notBefore=token->getNotBefore();
if (notBefore && ts+config.clock_skew_secs < notBefore->getEpoch())
- throw ExpiredAssertionException("Assertion is not yet valid.");
+ throw opensaml::FatalProfileException("Assertion is not yet valid.");
const SAMLDateTime* notOnOrAfter=token->getNotOnOrAfter();
if (notOnOrAfter && notOnOrAfter->getEpoch() <= ts-config.clock_skew_secs)
- throw ExpiredAssertionException("Assertion is no longer valid.");
+ throw opensaml::FatalProfileException("Assertion is no longer valid.");
}
// Now we process conditions. Only audience restrictions at the moment.
ostringstream os;
os << *cond;
log.error("unrecognized Condition in assertion (%s)",os.str().c_str());
- throw UnsupportedExtensionException("Assertion contains an unrecognized condition.");
+ throw xmltooling::UnknownExtensionException("Assertion contains an unrecognized condition.");
}
else if (!ac->eval(getAudiences())) {
ostringstream os;
os << *ac;
log.error("unacceptable AudienceRestrictionCondition in assertion (%s)",os.str().c_str());
- throw UnsupportedProfileException("Assertion contains an unacceptable AudienceRestrictionCondition.");
+ throw opensaml::FatalProfileException("Assertion contains an unacceptable AudienceRestrictionCondition.");
}
}
- if (!role) {
+ if (!role || !trust) {
log.warn("no metadata provided, so no signature validation was performed");
return;
}
- const IPropertySet* credUse=getCredentialUse(role->getEntityDescriptor());
+ const PropertySet* credUse=getCredentialUse(dynamic_cast<const EntityDescriptor*>(role->getParent()));
pair<bool,bool> signedAssertions=credUse ? credUse->getBool("signedAssertions") : make_pair(false,false);
- Trust t(trusts);
- if (token->isSigned() && !t.validate(*token,role))
- throw TrustException("Assertion signature did not validate.");
+ if (token->isSigned()) {
+
+ // This will all change, but for fun, we'll port the object from OS1->OS2 for validation.
+ stringstream s;
+ s << *token;
+ DOMDocument* doc = XMLToolingConfig::getConfig().getValidatingParser().parse(s);
+ XercesJanitor<DOMDocument> jdoc(doc);
+ auto_ptr<Assertion> os2ass(AssertionBuilder::buildAssertion());
+ os2ass->unmarshall(doc->getDocumentElement(),true);
+ jdoc.release();
+
+ if (!trust->validate(*(os2ass->getSignature()),*role))
+ throw xmltooling::XMLSecurityException("Assertion signature did not validate.");
+ }
else if (signedAssertions.first && signedAssertions.second)
- throw TrustException("Assertion was unsigned, violating policy based on the issuer.");
+ throw xmltooling::XMLSecurityException("Assertion was unsigned, violating policy based on the issuer.");
}
-const IHandler* XMLApplication::getDefaultSessionInitiator() const
+const Handler* XMLApplication::getDefaultSessionInitiator() const
{
if (m_sessionInitDefault) return m_sessionInitDefault;
return m_base ? m_base->getDefaultSessionInitiator() : NULL;
}
-const IHandler* XMLApplication::getSessionInitiatorById(const char* id) const
+const Handler* XMLApplication::getSessionInitiatorById(const char* id) const
{
- map<string,const IHandler*>::const_iterator i=m_sessionInitMap.find(id);
+ map<string,const Handler*>::const_iterator i=m_sessionInitMap.find(id);
if (i!=m_sessionInitMap.end()) return i->second;
return m_base ? m_base->getSessionInitiatorById(id) : NULL;
}
-const IHandler* XMLApplication::getDefaultAssertionConsumerService() const
+const Handler* XMLApplication::getDefaultAssertionConsumerService() const
{
if (m_acsDefault) return m_acsDefault;
return m_base ? m_base->getDefaultAssertionConsumerService() : NULL;
}
-const IHandler* XMLApplication::getAssertionConsumerServiceByIndex(unsigned short index) const
+const Handler* XMLApplication::getAssertionConsumerServiceByIndex(unsigned short index) const
{
- map<unsigned int,const IHandler*>::const_iterator i=m_acsIndexMap.find(index);
+ map<unsigned int,const Handler*>::const_iterator i=m_acsIndexMap.find(index);
if (i!=m_acsIndexMap.end()) return i->second;
return m_base ? m_base->getAssertionConsumerServiceByIndex(index) : NULL;
}
-Iterator<const IHandler*> XMLApplication::getAssertionConsumerServicesByBinding(const XMLCh* binding) const
+const vector<const Handler*>& XMLApplication::getAssertionConsumerServicesByBinding(const XMLCh* binding) const
{
#ifdef HAVE_GOOD_STL
ACSBindingMap::const_iterator i=m_acsBindingMap.find(binding);
#else
- auto_ptr_char temp(binding);
+ xmltooling::auto_ptr_char temp(binding);
ACSBindingMap::const_iterator i=m_acsBindingMap.find(temp.get());
#endif
if (i!=m_acsBindingMap.end())
return i->second;
- return m_base ? m_base->getAssertionConsumerServicesByBinding(binding) : EMPTY(const IHandler*);
+ return m_base ? m_base->getAssertionConsumerServicesByBinding(binding) : g_noHandlers;
}
-const IHandler* XMLApplication::getHandler(const char* path) const
+const Handler* XMLApplication::getHandler(const char* path) const
{
string wrap(path);
- map<string,const IHandler*>::const_iterator i=m_handlerMap.find(wrap.substr(0,wrap.find('?')));
+ map<string,const Handler*>::const_iterator i=m_handlerMap.find(wrap.substr(0,wrap.find('?')));
if (i!=m_handlerMap.end())
return i->second;
return m_base ? m_base->getHandler(path) : NULL;
}
-ReloadableXMLFileImpl* XMLConfig::newImplementation(const char* pathname, bool first) const
-{
- return new XMLConfigImpl(pathname,first,this);
-}
-
-ReloadableXMLFileImpl* XMLConfig::newImplementation(const DOMElement* e, bool first) const
-{
- return new XMLConfigImpl(e,first,this);
-}
-
short XMLConfigImpl::acceptNode(const DOMNode* node) const
{
- if (XMLString::compareString(node->getNamespaceURI(),shibtarget::XML::SHIBTARGET_NS))
+ if (!XMLString::equals(node->getNamespaceURI(),shibspconstants::SHIB1SPCONFIG_NS))
return FILTER_ACCEPT;
const XMLCh* name=node->getLocalName();
- if (!XMLString::compareString(name,SHIBT_L(Applications)) ||
- !XMLString::compareString(name,SHIBT_L(AttributeFactory)) ||
- !XMLString::compareString(name,SHIBT_L(CredentialsProvider)) ||
- !XMLString::compareString(name,SHIBT_L(Extensions)) ||
- !XMLString::compareString(name,SHIBT_L(Implementation)) ||
- !XMLString::compareString(name,SHIBT_L(Listener)) ||
- !XMLString::compareString(name,SHIBT_L(MemorySessionCache)) ||
- !XMLString::compareString(name,SHIBT_L(MySQLReplayCache)) ||
- !XMLString::compareString(name,SHIBT_L(MySQLSessionCache)) ||
- !XMLString::compareString(name,SHIBT_L(RequestMap)) ||
- !XMLString::compareString(name,SHIBT_L(RequestMapProvider)) ||
- !XMLString::compareString(name,SHIBT_L(ReplayCache)) ||
- !XMLString::compareString(name,SHIBT_L(SessionCache)) ||
- !XMLString::compareString(name,SHIBT_L(TCPListener)) ||
- !XMLString::compareString(name,SHIBT_L(UnixListener)))
+ if (XMLString::equals(name,Applications) ||
+ XMLString::equals(name,AttributeFactory) ||
+ XMLString::equals(name,Credentials) ||
+ XMLString::equals(name,CredentialsProvider) ||
+ XMLString::equals(name,Extensions::LOCAL_NAME) ||
+ XMLString::equals(name,Implementation) ||
+ XMLString::equals(name,Listener) ||
+ XMLString::equals(name,MemoryListener) ||
+ XMLString::equals(name,MemorySessionCache) ||
+ XMLString::equals(name,RequestMapProvider) ||
+ XMLString::equals(name,ReplayCache) ||
+ XMLString::equals(name,SessionCache) ||
+ XMLString::equals(name,TCPListener) ||
+ XMLString::equals(name,UnixListener))
return FILTER_REJECT;
return FILTER_ACCEPT;
}
-void XMLConfigImpl::init(bool first)
+void XMLConfigImpl::doExtensions(const DOMElement* e, const char* label, Category& log)
+{
+ const DOMElement* exts=XMLHelper::getFirstChildElement(e,Extensions::LOCAL_NAME);
+ if (exts) {
+ exts=XMLHelper::getFirstChildElement(exts,Library);
+ while (exts) {
+ xmltooling::auto_ptr_char path(exts->getAttributeNS(NULL,_path));
+ try {
+ if (path.get()) {
+ // TODO: replace with xmltooling extension load...
+ SAMLConfig::getConfig().saml_register_extension(path.get(),(void*)exts);
+ log.debug("loaded %s extension library (%s)", label, path.get());
+ }
+ }
+ catch (exception& e) {
+ const XMLCh* fatal=exts->getAttributeNS(NULL,fatal);
+ if (fatal && (*fatal==chLatin_t || *fatal==chDigit_1)) {
+ log.fatal("unable to load mandatory %s extension library %s: %s", label, path.get(), e.what());
+ throw;
+ }
+ else {
+ log.crit("unable to load optional %s extension library %s: %s", label, path.get(), e.what());
+ }
+ }
+ exts=XMLHelper::getNextSiblingElement(exts,Library);
+ }
+ }
+}
+
+XMLConfigImpl::XMLConfigImpl(const DOMElement* e, bool first, const XMLConfig* outer) : m_outer(outer), m_requestMapper(NULL)
{
#ifdef _DEBUG
- saml::NDC ndc("init");
+ xmltooling::NDC ndc("XMLConfigImpl");
#endif
- Category& log=Category::getInstance("shibtarget.Config");
+ Category& log=Category::getInstance(SHIBT_LOGCAT".Config");
try {
- if (!saml::XML::isElementNamed(ReloadableXMLFileImpl::m_root,shibtarget::XML::SHIBTARGET_NS,SHIBT_L(ShibbolethTargetConfig)) &&
- !saml::XML::isElementNamed(ReloadableXMLFileImpl::m_root,shibtarget::XML::SHIBTARGET_NS,SHIBT_L(SPConfig))) {
- log.error("Construction requires a valid configuration file: (conf:SPConfig as root element)");
- throw ConfigurationException("Construction requires a valid configuration file: (conf:SPConfig as root element)");
- }
-
SAMLConfig& shibConf=SAMLConfig::getConfig();
- ShibTargetConfig& conf=ShibTargetConfig::getConfig();
- const DOMElement* SHAR=saml::XML::getFirstChildElement(ReloadableXMLFileImpl::m_root,shibtarget::XML::SHIBTARGET_NS,SHIBT_L(SHAR));
- if (!SHAR)
- SHAR=saml::XML::getFirstChildElement(ReloadableXMLFileImpl::m_root,shibtarget::XML::SHIBTARGET_NS,SHIBT_L(Global));
+ SPConfig& conf=SPConfig::getConfig();
+ const DOMElement* SHAR=XMLHelper::getFirstChildElement(e,OutOfProcess);
if (!SHAR)
- SHAR=saml::XML::getFirstChildElement(ReloadableXMLFileImpl::m_root,shibtarget::XML::SHIBTARGET_NS,SHIBT_L(OutOfProcess));
- const DOMElement* SHIRE=saml::XML::getFirstChildElement(ReloadableXMLFileImpl::m_root,shibtarget::XML::SHIBTARGET_NS,SHIBT_L(SHIRE));
+ SHAR=XMLHelper::getFirstChildElement(e,Global);
+ const DOMElement* SHIRE=XMLHelper::getFirstChildElement(e,InProcess);
if (!SHIRE)
- SHIRE=saml::XML::getFirstChildElement(ReloadableXMLFileImpl::m_root,shibtarget::XML::SHIBTARGET_NS,SHIBT_L(Local));
- if (!SHIRE)
- SHIRE=saml::XML::getFirstChildElement(ReloadableXMLFileImpl::m_root,shibtarget::XML::SHIBTARGET_NS,SHIBT_L(InProcess));
+ SHIRE=XMLHelper::getFirstChildElement(e,Local);
// Initialize log4cpp manually in order to redirect log messages as soon as possible.
- if (conf.isEnabled(ShibTargetConfig::Logging)) {
- const XMLCh* logger=NULL;
- if (conf.isEnabled(ShibTargetConfig::OutOfProcess))
- logger=SHAR->getAttributeNS(NULL,SHIBT_L(logger));
- else if (conf.isEnabled(ShibTargetConfig::InProcess))
- logger=SHIRE->getAttributeNS(NULL,SHIBT_L(logger));
- if (!logger || !*logger)
- logger=ReloadableXMLFileImpl::m_root->getAttributeNS(NULL,SHIBT_L(logger));
- if (logger && *logger) {
- auto_ptr_char logpath(logger);
+ if (conf.isEnabled(SPConfig::Logging)) {
+ const XMLCh* logconf=NULL;
+ if (conf.isEnabled(SPConfig::OutOfProcess))
+ logconf=SHAR->getAttributeNS(NULL,logger);
+ else if (conf.isEnabled(SPConfig::InProcess))
+ logconf=SHIRE->getAttributeNS(NULL,logger);
+ if (!logconf || !*logconf)
+ logconf=e->getAttributeNS(NULL,logger);
+ if (logconf && *logconf) {
+ xmltooling::auto_ptr_char logpath(logconf);
log.debug("loading new logging configuration from (%s), check log destination for status of configuration",logpath.get());
- try {
- PropertyConfigurator::configure(logpath.get());
- }
- catch (ConfigureFailure& e) {
- log.error("Error reading logging configuration: %s",e.what());
- }
+ XMLToolingConfig::getConfig().log_config(logpath.get());
}
}
// First load any property sets.
map<string,string> root_remap;
- root_remap["SHAR"]="OutOfProcess";
- root_remap["SHIRE"]="InProcess";
root_remap["Global"]="OutOfProcess";
root_remap["Local"]="InProcess";
- load(ReloadableXMLFileImpl::m_root,log,this,&root_remap);
+ load(e,log,this,&root_remap);
+
+ const DOMElement* child;
+ string plugtype;
// Much of the processing can only occur on the first instantiation.
if (first) {
- // Now load any extensions to insure any needed plugins are registered.
- DOMElement* exts=
- saml::XML::getFirstChildElement(ReloadableXMLFileImpl::m_root,shibtarget::XML::SHIBTARGET_NS,SHIBT_L(Extensions));
- if (exts) {
- exts=saml::XML::getFirstChildElement(exts,shibtarget::XML::SHIBTARGET_NS,SHIBT_L(Library));
- while (exts) {
- auto_ptr_char path(exts->getAttributeNS(NULL,SHIBT_L(path)));
- try {
- SAMLConfig::getConfig().saml_register_extension(path.get(),exts);
- log.debug("loaded global extension library %s",path.get());
- }
- catch (SAMLException& e) {
- const XMLCh* fatal=exts->getAttributeNS(NULL,SHIBT_L(fatal));
- if (fatal && (*fatal==chLatin_t || *fatal==chDigit_1)) {
- log.fatal("unable to load mandatory global extension library %s: %s", path.get(), e.what());
- throw;
- }
- else
- log.crit("unable to load optional global extension library %s: %s", path.get(), e.what());
- }
- exts=saml::XML::getNextSiblingElement(exts,shibtarget::XML::SHIBTARGET_NS,SHIBT_L(Library));
- }
- }
-
- if (conf.isEnabled(ShibTargetConfig::OutOfProcess)) {
- exts=saml::XML::getFirstChildElement(SHAR,shibtarget::XML::SHIBTARGET_NS,SHIBT_L(Extensions));
- if (exts) {
- exts=saml::XML::getFirstChildElement(exts,shibtarget::XML::SHIBTARGET_NS,SHIBT_L(Library));
- while (exts) {
- auto_ptr_char path(exts->getAttributeNS(NULL,SHIBT_L(path)));
- try {
- SAMLConfig::getConfig().saml_register_extension(path.get(),exts);
- log.debug("loaded Global extension library %s",path.get());
- }
- catch (SAMLException& e) {
- const XMLCh* fatal=exts->getAttributeNS(NULL,SHIBT_L(fatal));
- if (fatal && (*fatal==chLatin_t || *fatal==chDigit_1)) {
- log.fatal("unable to load mandatory Global extension library %s: %s", path.get(), e.what());
- throw;
- }
- else
- log.crit("unable to load optional Global extension library %s: %s", path.get(), e.what());
- }
- exts=saml::XML::getNextSiblingElement(exts,shibtarget::XML::SHIBTARGET_NS,SHIBT_L(Library));
- }
- }
- }
- if (conf.isEnabled(ShibTargetConfig::InProcess)) {
- exts=saml::XML::getFirstChildElement(SHIRE,shibtarget::XML::SHIBTARGET_NS,SHIBT_L(Extensions));
- if (exts) {
- exts=saml::XML::getFirstChildElement(exts,shibtarget::XML::SHIBTARGET_NS,SHIBT_L(Library));
- while (exts) {
- auto_ptr_char path(exts->getAttributeNS(NULL,SHIBT_L(path)));
- try {
- SAMLConfig::getConfig().saml_register_extension(path.get(),exts);
- log.debug("loaded Local extension library %s",path.get());
- }
- catch (SAMLException& e) {
- const XMLCh* fatal=exts->getAttributeNS(NULL,SHIBT_L(fatal));
- if (fatal && (*fatal==chLatin_t || *fatal==chDigit_1)) {
- log.fatal("unable to load mandatory Local extension library %s: %s", path.get(), e.what());
- throw;
- }
- else
- log.crit("unable to load optional Local extension library %s: %s", path.get(), e.what());
- }
- exts=saml::XML::getNextSiblingElement(exts,shibtarget::XML::SHIBTARGET_NS,SHIBT_L(Library));
- }
- }
- }
+ // Extensions
+ doExtensions(e, "global", log);
+ if (conf.isEnabled(SPConfig::OutOfProcess))
+ doExtensions(SHAR, "out of process", log);
+
+ if (conf.isEnabled(SPConfig::InProcess))
+ doExtensions(SHIRE, "in process", log);
- // Instantiate the Listener and SessionCache objects.
- if (conf.isEnabled(ShibTargetConfig::Listener)) {
- IPlugIn* plugin=NULL;
- exts=saml::XML::getFirstChildElement(SHAR,shibtarget::XML::SHIBTARGET_NS,SHIBT_L(UnixListener));
- if (exts) {
- log.info("building Listener of type %s...",shibtarget::XML::UnixListenerType);
- plugin=shibConf.getPlugMgr().newPlugin(shibtarget::XML::UnixListenerType,exts);
- }
+ // Instantiate the ListenerService and SessionCache objects.
+ if (conf.isEnabled(SPConfig::Listener)) {
+ child=XMLHelper::getFirstChildElement(SHAR,UnixListener);
+ if (child)
+ plugtype=UNIX_LISTENER_SERVICE;
else {
- exts=saml::XML::getFirstChildElement(SHAR,shibtarget::XML::SHIBTARGET_NS,SHIBT_L(TCPListener));
- if (exts) {
- log.info("building Listener of type %s...",shibtarget::XML::TCPListenerType);
- plugin=shibConf.getPlugMgr().newPlugin(shibtarget::XML::TCPListenerType,exts);
- }
+ child=XMLHelper::getFirstChildElement(SHAR,TCPListener);
+ if (child)
+ plugtype=TCP_LISTENER_SERVICE;
else {
- exts=saml::XML::getFirstChildElement(SHAR,shibtarget::XML::SHIBTARGET_NS,SHIBT_L(Listener));
- if (exts) {
- auto_ptr_char type(exts->getAttributeNS(NULL,SHIBT_L(type)));
- log.info("building Listener of type %s...",type.get());
- plugin=shibConf.getPlugMgr().newPlugin(type.get(),exts);
- }
+ child=XMLHelper::getFirstChildElement(SHAR,MemoryListener);
+ if (child)
+ plugtype=MEMORY_LISTENER_SERVICE;
else {
- log.fatal("can't build Listener object, missing conf:Listener element?");
- throw ConfigurationException("can't build Listener object, missing conf:Listener element?");
+ child=XMLHelper::getFirstChildElement(SHAR,Listener);
+ if (child) {
+ xmltooling::auto_ptr_char type(child->getAttributeNS(NULL,_type));
+ if (type.get())
+ plugtype=type.get();
+ }
}
}
}
- if (plugin) {
- IListener* listen=dynamic_cast<IListener*>(plugin);
- if (listen)
- m_outer->m_listener=listen;
- else {
- delete plugin;
- log.fatal("plugin was not a Listener object");
- throw UnsupportedExtensionException("plugin was not a Listener object");
- }
+ if (child) {
+ log.info("building ListenerService of type %s...", plugtype.c_str());
+ m_outer->m_listener = conf.ListenerServiceManager.newPlugin(plugtype.c_str(),child);
+ }
+ else {
+ log.fatal("can't build ListenerService, missing conf:Listener element?");
+ throw ConfigurationException("Can't build ListenerService, missing conf:Listener element?");
}
}
- if (conf.isEnabled(ShibTargetConfig::Caching)) {
- IPlugIn* plugin=NULL;
- const DOMElement* container=conf.isEnabled(ShibTargetConfig::OutOfProcess) ? SHAR : SHIRE;
- exts=saml::XML::getFirstChildElement(container,shibtarget::XML::SHIBTARGET_NS,SHIBT_L(MemorySessionCache));
- if (exts) {
- log.info("building Session Cache of type %s...",shibtarget::XML::MemorySessionCacheType);
- plugin=shibConf.getPlugMgr().newPlugin(shibtarget::XML::MemorySessionCacheType,exts);
+ if (conf.isEnabled(SPConfig::Caching)) {
+ // TODO: This code's a mess, due to a very bad config layout for the caches...
+ // Needs rework with the new config file.
+ const DOMElement* container=conf.isEnabled(SPConfig::OutOfProcess) ? SHAR : SHIRE;
+ child=XMLHelper::getFirstChildElement(container,MemorySessionCache);
+ if (child) {
+ log.info("building Session Cache of type %s...",MEMORY_SESSIONCACHE);
+ m_outer->m_sessionCache=conf.SessionCacheManager.newPlugin(MEMORY_SESSIONCACHE,child);
}
else {
- exts=saml::XML::getFirstChildElement(container,shibtarget::XML::SHIBTARGET_NS,SHIBT_L(ODBCSessionCache));
- if (exts) {
- log.info("building Session Cache of type %s...",shibtarget::XML::ODBCSessionCacheType);
- plugin=shibConf.getPlugMgr().newPlugin(shibtarget::XML::ODBCSessionCacheType,exts);
+ child=XMLHelper::getFirstChildElement(container,SessionCache);
+ if (child) {
+ xmltooling::auto_ptr_char type(child->getAttributeNS(NULL,_type));
+ log.info("building Session Cache of type %s...",type.get());
+ m_outer->m_sessionCache=conf.SessionCacheManager.newPlugin(type.get(),child);
}
else {
- exts=saml::XML::getFirstChildElement(container,shibtarget::XML::SHIBTARGET_NS,SHIBT_L(MySQLSessionCache));
- if (exts) {
- log.info("building Session Cache of type %s...",shibtarget::XML::MySQLSessionCacheType);
- plugin=shibConf.getPlugMgr().newPlugin(shibtarget::XML::MySQLSessionCacheType,exts);
- }
- else {
- exts=saml::XML::getFirstChildElement(container,shibtarget::XML::SHIBTARGET_NS,SHIBT_L(SessionCache));
- if (exts) {
- auto_ptr_char type(exts->getAttributeNS(NULL,SHIBT_L(type)));
- log.info("building Session Cache of type %s...",type.get());
- plugin=shibConf.getPlugMgr().newPlugin(type.get(),exts);
- }
- else {
- log.info("session cache not specified, building Session Cache of type %s...",shibtarget::XML::MemorySessionCacheType);
- plugin=shibConf.getPlugMgr().newPlugin(shibtarget::XML::MemorySessionCacheType,exts);
- }
- }
- }
- }
- if (plugin) {
- ISessionCache* cache=dynamic_cast<ISessionCache*>(plugin);
- if (cache)
- m_outer->m_sessionCache=cache;
- else {
- delete plugin;
- log.fatal("plugin was not a Session Cache object");
- throw UnsupportedExtensionException("plugin was not a Session Cache object");
+ log.info("custom SessionCache unspecified or no longer supported, building SessionCache of type %s...",MEMORY_SESSIONCACHE);
+ m_outer->m_sessionCache=conf.SessionCacheManager.newPlugin(MEMORY_SESSIONCACHE,child);
}
}
// Replay cache.
- container=conf.isEnabled(ShibTargetConfig::OutOfProcess) ? SHAR : SHIRE;
- exts=saml::XML::getFirstChildElement(container,shibtarget::XML::SHIBTARGET_NS,SHIBT_L(ODBCReplayCache));
- if (exts) {
- log.info("building Replay Cache of type %s...",shibtarget::XML::ODBCReplayCacheType);
- m_outer->m_replayCache=IReplayCache::getInstance(shibtarget::XML::ODBCReplayCacheType,exts);
+ // TODO: switch to new cache interface
+ /*
+ child=XMLHelper::getFirstChildElement(container,ReplayCache);
+ if (child) {
+ xmltooling::auto_ptr_char type(child->getAttributeNS(NULL,_type));
+ log.info("building ReplayCache of type %s...",type.get());
+ m_outer->m_replayCache=IReplayCache::getInstance(type.get(),child);
}
else {
- exts=saml::XML::getFirstChildElement(container,shibtarget::XML::SHIBTARGET_NS,SHIBT_L(MySQLReplayCache));
- if (exts) {
- log.info("building Replay Cache of type %s...",shibtarget::XML::MySQLReplayCacheType);
- m_outer->m_replayCache=IReplayCache::getInstance(shibtarget::XML::MySQLReplayCacheType,exts);
- }
- else {
- exts=saml::XML::getFirstChildElement(container,shibtarget::XML::SHIBTARGET_NS,SHIBT_L(ReplayCache));
- if (exts) {
- auto_ptr_char type(exts->getAttributeNS(NULL,SHIBT_L(type)));
- log.info("building Replay Cache of type %s...",type.get());
- m_outer->m_replayCache=IReplayCache::getInstance(type.get(),exts);
- }
- else {
- // OpenSAML default provider.
- log.info("building default Replay Cache...");
- m_outer->m_replayCache=IReplayCache::getInstance();
- }
- }
+ // OpenSAML default provider.
+ log.info("custom ReplayCache unspecified or no longer supported, building default ReplayCache...");
+ m_outer->m_replayCache=IReplayCache::getInstance();
}
+ */
}
- }
+ } // end of first-time-only stuff
- // Back to the fully dynamic stuff...next up is the Request Mapper.
- if (conf.isEnabled(ShibTargetConfig::RequestMapper)) {
- const DOMElement* child=saml::XML::getFirstChildElement(SHIRE,shibtarget::XML::SHIBTARGET_NS,SHIBT_L(RequestMapProvider));
+ // Back to the fully dynamic stuff...next up is the RequestMapper.
+ if (conf.isEnabled(SPConfig::RequestMapping)) {
+ child=XMLHelper::getFirstChildElement(SHIRE,RequestMapProvider);
if (child) {
- auto_ptr_char type(child->getAttributeNS(NULL,SHIBT_L(type)));
- log.info("building Request Mapper of type %s...",type.get());
- IPlugIn* plugin=shibConf.getPlugMgr().newPlugin(type.get(),child);
- if (plugin) {
- IRequestMapper* reqmap=dynamic_cast<IRequestMapper*>(plugin);
- if (reqmap)
- m_requestMapper=reqmap;
- else {
- delete plugin;
- log.fatal("plugin was not a Request Mapper object");
- throw UnsupportedExtensionException("plugin was not a Request Mapper object");
- }
- }
+ xmltooling::auto_ptr_char type(child->getAttributeNS(NULL,_type));
+ log.info("building RequestMapper of type %s...",type.get());
+ m_requestMapper=conf.RequestMapperManager.newPlugin(type.get(),child);
}
else {
- log.fatal("can't build Request Mapper object, missing conf:RequestMapProvider element?");
- throw ConfigurationException("can't build Request Mapper object, missing conf:RequestMapProvider element?");
+ log.fatal("can't build RequestMapper, missing conf:RequestMapProvider element?");
+ throw ConfigurationException("can't build RequestMapper, missing conf:RequestMapProvider element?");
}
}
- // Now we load any credentials providers.
- DOMNodeList* nlist;
- if (conf.isEnabled(ShibTargetConfig::Credentials)) {
- nlist=ReloadableXMLFileImpl::m_root->getElementsByTagNameNS(shibtarget::XML::SHIBTARGET_NS,SHIBT_L(CredentialsProvider));
- for (unsigned int i=0; nlist && i<nlist->getLength(); i++) {
- auto_ptr_char type(static_cast<DOMElement*>(nlist->item(i))->getAttributeNS(NULL,SHIBT_L(type)));
- log.info("building credentials provider of type %s...",type.get());
- try {
- IPlugIn* plugin=shibConf.getPlugMgr().newPlugin(type.get(),static_cast<DOMElement*>(nlist->item(i)));
- if (plugin) {
- ICredentials* creds=dynamic_cast<ICredentials*>(plugin);
- if (creds)
- m_creds.push_back(creds);
- else {
- delete plugin;
- log.crit("plugin was not a credentials provider");
+ // Now we load the credentials map.
+ if (conf.isEnabled(SPConfig::Credentials)) {
+ // Old format was to wrap it in a CredentialsProvider plugin, we're inlining that...
+ child = XMLHelper::getFirstChildElement(e,CredentialsProvider);
+ child = XMLHelper::getFirstChildElement(child ? child : e,Credentials);
+ if (child) {
+ // Step down and process resolvers.
+ child=XMLHelper::getFirstChildElement(child);
+ while (child) {
+ xmltooling::auto_ptr_char id(child->getAttributeNS(NULL,Id));
+ if (!id.get() || !*(id.get())) {
+ log.warn("skipping CredentialsResolver with no Id attribute");
+ child = XMLHelper::getNextSiblingElement(child);
+ continue;
+ }
+
+ if (XMLString::equals(child->getLocalName(),FileResolver))
+ plugtype=FILESYSTEM_CREDENTIAL_RESOLVER;
+ else {
+ xmltooling::auto_ptr_char c(child->getAttributeNS(NULL,_type));
+ plugtype=c.get();
+ }
+
+ if (!plugtype.empty()) {
+ try {
+ CredentialResolver* cr=
+ XMLToolingConfig::getConfig().CredentialResolverManager.newPlugin(plugtype.c_str(),child);
+ m_credResolverMap[id.get()] = cr;
+ }
+ catch (exception& ex) {
+ log.crit("failed to instantiate CredentialResolver (%s): %s", id.get(), ex.what());
}
}
- }
- catch (SAMLException& ex) {
- log.crit("error building credentials provider: %s",ex.what());
+ else {
+ log.error("unknown type of CredentialResolver with Id (%s)", id.get());
+ }
+
+ child = XMLHelper::getNextSiblingElement(child);
}
}
}
// Now we load any attribute factories
- nlist=ReloadableXMLFileImpl::m_root->getElementsByTagNameNS(shibtarget::XML::SHIBTARGET_NS,SHIBT_L(AttributeFactory));
- for (unsigned int i=0; nlist && i<nlist->getLength(); i++) {
- auto_ptr_char type(static_cast<DOMElement*>(nlist->item(i))->getAttributeNS(NULL,SHIBT_L(type)));
+ child = XMLHelper::getFirstChildElement(e,AttributeFactory);
+ while (child) {
+ xmltooling::auto_ptr_char type(child->getAttributeNS(NULL,_type));
log.info("building Attribute factory of type %s...",type.get());
try {
- IPlugIn* plugin=shibConf.getPlugMgr().newPlugin(type.get(),static_cast<DOMElement*>(nlist->item(i)));
+ IPlugIn* plugin=shibConf.getPlugMgr().newPlugin(type.get(),child);
if (plugin) {
IAttributeFactory* fact=dynamic_cast<IAttributeFactory*>(plugin);
if (fact) {
m_attrFactories.push_back(fact);
ShibConfig::getConfig().regAttributeMapping(
- static_cast<DOMElement*>(nlist->item(i))->getAttributeNS(NULL,L(AttributeName)),
- fact
+ child->getAttributeNS(NULL,Attribute::ATTRIBUTENAME_ATTRIB_NAME), fact
);
}
else {
}
}
}
- catch (SAMLException& ex) {
- log.crit("error building Attribute factory: %s",ex.what());
+ catch (exception& ex) {
+ log.crit("error building Attribute factory: %s", ex.what());
}
+
+ child = XMLHelper::getNextSiblingElement(child,AttributeFactory);
}
// Load the default application. This actually has a fixed ID of "default". ;-)
- const DOMElement* app=saml::XML::getFirstChildElement(
- ReloadableXMLFileImpl::m_root,shibtarget::XML::SHIBTARGET_NS,SHIBT_L(Applications)
- );
- if (!app) {
+ child=XMLHelper::getFirstChildElement(e,Applications);
+ if (!child) {
log.fatal("can't build default Application object, missing conf:Applications element?");
throw ConfigurationException("can't build default Application object, missing conf:Applications element?");
}
- XMLApplication* defapp=new XMLApplication(m_outer, m_creds, app);
+ XMLApplication* defapp=new XMLApplication(m_outer,child);
m_appmap[defapp->getId()]=defapp;
// Load any overrides.
- nlist=app->getElementsByTagNameNS(shibtarget::XML::SHIBTARGET_NS,SHIBT_L(Application));
- for (unsigned int j=0; nlist && j<nlist->getLength(); j++) {
- auto_ptr<XMLApplication> iapp(new XMLApplication(m_outer,m_creds,static_cast<DOMElement*>(nlist->item(j)),defapp));
+ child = XMLHelper::getFirstChildElement(child,_Application);
+ while (child) {
+ auto_ptr<XMLApplication> iapp(new XMLApplication(m_outer,child,defapp));
if (m_appmap.find(iapp->getId())!=m_appmap.end())
- log.crit("found conf:Application element with duplicate Id attribute, ignoring it");
+ log.crit("found conf:Application element with duplicate Id attribute (%s), skipping it", iapp->getId());
else
m_appmap[iapp->getId()]=iapp.release();
+
+ child = XMLHelper::getNextSiblingElement(child,_Application);
}
}
- catch (SAMLException& e) {
- log.errorStream() << "Error while loading SP configuration: " << e.what() << CategoryStream::ENDLINE;
- throw ConfigurationException(e.what());
+ catch (exception&) {
+ this->~XMLConfigImpl();
+ throw;
}
#ifndef _DEBUG
catch (...) {
- log.error("Unexpected error while loading SP configuration");
+ this->~XMLConfigImpl();
throw;
}
#endif
XMLConfigImpl::~XMLConfigImpl()
{
- delete m_requestMapper;
- for_each(m_appmap.begin(),m_appmap.end(),cleanup_pair<string,IApplication>());
- for_each(m_creds.begin(),m_creds.end(),cleanup<ICredentials>());
+ for_each(m_appmap.begin(),m_appmap.end(),xmltooling::cleanup_pair<string,Application>());
ShibConfig::getConfig().clearAttributeMappings();
- for_each(m_attrFactories.begin(),m_attrFactories.end(),cleanup<IAttributeFactory>());
+ for_each(m_attrFactories.begin(),m_attrFactories.end(),xmltooling::cleanup<IAttributeFactory>());
+ for_each(m_credResolverMap.begin(),m_credResolverMap.end(),xmltooling::cleanup_pair<string,CredentialResolver>());
+ delete m_requestMapper;
+ if (m_document)
+ m_document->release();
+}
+
+pair<bool,DOMElement*> XMLConfig::load()
+{
+ // Load from source using base class.
+ pair<bool,DOMElement*> raw = ReloadableXMLFile::load();
+
+ // If we own it, wrap it.
+ XercesJanitor<DOMDocument> docjanitor(raw.first ? raw.second->getOwnerDocument() : NULL);
+
+ XMLConfigImpl* impl = new XMLConfigImpl(raw.second,(m_impl==NULL),this);
+
+ // If we held the document, transfer it to the impl. If we didn't, it's a no-op.
+ impl->setDocument(docjanitor.release());
+
+ delete m_impl;
+ m_impl = impl;
+
+ return make_pair(false,(DOMElement*)NULL);
}