/*
- * The Shibboleth License, Version 1.
- * Copyright (c) 2002
- * University Corporation for Advanced Internet Development, Inc.
- * All rights reserved
+ * Copyright 2001-2005 Internet2
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
*
+ * http://www.apache.org/licenses/LICENSE-2.0
*
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions are met:
- *
- * Redistributions of source code must retain the above copyright notice, this
- * list of conditions and the following disclaimer.
- *
- * Redistributions in binary form must reproduce the above copyright notice,
- * this list of conditions and the following disclaimer in the documentation
- * and/or other materials provided with the distribution, if any, must include
- * the following acknowledgment: "This product includes software developed by
- * the University Corporation for Advanced Internet Development
- * <http://www.ucaid.edu>Internet2 Project. Alternately, this acknowledegement
- * may appear in the software itself, if and wherever such third-party
- * acknowledgments normally appear.
- *
- * Neither the name of Shibboleth nor the names of its contributors, nor
- * Internet2, nor the University Corporation for Advanced Internet Development,
- * Inc., nor UCAID may be used to endorse or promote products derived from this
- * software without specific prior written permission. For written permission,
- * please contact shibboleth@shibboleth.org
- *
- * Products derived from this software may not be called Shibboleth, Internet2,
- * UCAID, or the University Corporation for Advanced Internet Development, nor
- * may Shibboleth appear in their name, without prior written permission of the
- * University Corporation for Advanced Internet Development.
- *
- *
- * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
- * AND WITH ALL FAULTS. ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
- * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A
- * PARTICULAR PURPOSE, AND NON-INFRINGEMENT ARE DISCLAIMED AND THE ENTIRE RISK
- * OF SATISFACTORY QUALITY, PERFORMANCE, ACCURACY, AND EFFORT IS WITH LICENSEE.
- * IN NO EVENT SHALL THE COPYRIGHT OWNER, CONTRIBUTORS OR THE UNIVERSITY
- * CORPORATION FOR ADVANCED INTERNET DEVELOPMENT, INC. BE LIABLE FOR ANY DIRECT,
- * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
- * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
- * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
- * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
*/
/*
# include <unistd.h>
#endif
+#include <ctime>
#include <sstream>
#include <fstream>
#include <stdexcept>
-#include <shib/shib-threads.h>
-#include <log4cpp/Category.hh>
-#include <log4cpp/PropertyConfigurator.hh>
+#include <saml/SAMLConfig.h>
+#include <saml/binding/URLEncoder.h>
#include <xercesc/util/Base64.hpp>
-#include <xercesc/util/regx/RegularExpression.hpp>
+#include <xmltooling/util/NDC.h>
+#include <xmltooling/util/TemplateEngine.h>
+#include <xmltooling/util/XMLHelper.h>
#ifndef HAVE_STRCASECMP
# define strcasecmp stricmp
#endif
-using namespace std;
-using namespace saml;
-using namespace shibboleth;
+using namespace shibsp;
using namespace shibtarget;
+using namespace shibboleth;
+using namespace saml;
+using namespace opensaml::saml2md;
using namespace log4cpp;
+using namespace std;
+
+using xmltooling::TemplateEngine;
+using xmltooling::XMLToolingException;
+using xmltooling::XMLToolingConfig;
+using xmltooling::XMLHelper;
namespace shibtarget {
- class CgiParse
- {
- public:
- CgiParse(const char* data, unsigned int len);
- ~CgiParse();
- const char* get_value(const char* name) const;
-
- static char x2c(char *what);
- static void url_decode(char *url);
- static string url_encode(const char* s);
- private:
- char * fmakeword(char stop, unsigned int *cl, const char** ppch);
- char * makeword(char *line, char stop);
- void plustospace(char *str);
-
- map<string,char*> kvp_map;
- };
-
- class ShibTargetPriv
- {
- public:
- ShibTargetPriv();
- ~ShibTargetPriv();
-
- // Helper functions
- void get_application(const string& protocol, const string& hostname, int port, const string& uri);
- const char* getCookie(ShibTarget* st, const string& name) const;
- pair<string,const char*> getCookieNameProps(const char* prefix) const;
- const char* getHandlerURL(const char* resource) const;
-
- // Handlers do the real Shibboleth work
- pair<bool,void*> doSessionInitiator(ShibTarget* st, const IPropertySet* handler, bool isHandler=true) const;
- pair<bool,void*> doAssertionConsumer(ShibTarget* st, const IPropertySet* handler) const;
- pair<bool,void*> doLogout(ShibTarget* st, const IPropertySet* handler) const;
-
- // And the binding/profile handlers do the low level packing and unpacking.
- pair<bool,void*> ShibAuthnRequest(
- ShibTarget* st,
- const IPropertySet* shire,
- const char* dest,
- const char* target,
- const char* providerId
- ) const;
-
- private:
- friend class ShibTarget;
- IRequestMapper::Settings m_settings;
- const IApplication *m_app;
- mutable string m_handlerURL;
- mutable map<string,string> m_cookieMap;
-
- ShibProfile m_sso_profile;
- string m_provider_id;
- SAMLAuthenticationStatement* m_sso_statement;
- SAMLResponse* m_pre_response;
- SAMLResponse* m_post_response;
+ class CgiParse
+ {
+ public:
+ CgiParse(const ShibTarget* st);
+ ~CgiParse();
+
+ typedef multimap<string,char*>::const_iterator walker;
+ pair<walker,walker> get_values(const char* name) const;
+
+ private:
+ char* fmakeword(char stop, unsigned int *cl, const char** ppch);
+ char* makeword(char *line, char stop);
+ void plustospace(char *str);
+
+ multimap<string,char*> kvp_map;
+ };
+
+ class ExtTemplateParameters : public TemplateEngine::TemplateParameters
+ {
+ const PropertySet* m_props;
+ public:
+ ExtTemplateParameters() : m_props(NULL) {}
+ ~ExtTemplateParameters() {}
+
+ void setPropertySet(const PropertySet* props) {
+ m_props = props;
+
+ // Create a timestamp.
+ time_t now = time(NULL);
+#ifdef HAVE_CTIME_R
+ char timebuf[32];
+ m_map["now"] = ctime_r(&now,timebuf);
+#else
+ m_map["now"] = ctime(&now);
+#endif
+ }
+
+ const char* getParameter(const char* name) const {
+ const char* pch = TemplateParameters::getParameter(name);
+ if (pch || !m_props)
+ return pch;
+ pair<bool,const char*> p = m_props->getString(name);
+ return p.first ? p.second : NULL;
+ }
+ };
+
+ class ShibTargetPriv
+ {
+ public:
+ ShibTargetPriv();
+ ~ShibTargetPriv();
+
+ // Helper functions
+ void get_application(ShibTarget* st, const string& protocol, const string& hostname, int port, const string& uri);
+ void* sendError(ShibTarget* st, const char* page, ExtTemplateParameters& tp, const XMLToolingException* ex=NULL);
+ void clearHeaders(ShibTarget* st);
- // These are the actual request parameters set via the init method.
- string m_url;
- string m_method;
- string m_protocol;
- string m_content_type;
- string m_remote_addr;
-
- ShibTargetConfig* m_Config;
-
- IConfig* m_conf;
- IRequestMapper* m_mapper;
- };
+ private:
+ friend class ShibTarget;
+ IRequestMapper::Settings m_settings;
+ const IApplication *m_app;
+ mutable string m_handlerURL;
+ mutable map<string,string> m_cookieMap;
+ mutable CgiParse* m_cgiParser;
+
+ ISessionCacheEntry* m_cacheEntry;
+
+ ShibTargetConfig* m_Config;
+
+ IConfig* m_conf;
+ IRequestMapper* m_mapper;
+ };
}
* Shib Target implementation
*/
-ShibTarget::ShibTarget(void) : m_priv(NULL)
-{
- m_priv = new ShibTargetPriv();
-}
+ShibTarget::ShibTarget() : m_priv(new ShibTargetPriv()) {}
-ShibTarget::ShibTarget(const IApplication *app) : m_priv(NULL)
+ShibTarget::ShibTarget(const IApplication *app) : m_priv(new ShibTargetPriv())
{
- m_priv = new ShibTargetPriv();
- m_priv->m_app = app;
+ m_priv->m_app = app;
}
ShibTarget::~ShibTarget(void)
{
- if (m_priv) delete m_priv;
+ delete m_priv;
}
void ShibTarget::init(
- ShibTargetConfig *config,
const char* protocol,
const char* hostname,
int port,
const char* uri,
const char* content_type,
- const char* remote_host,
+ const char* remote_addr,
const char* method
)
{
#ifdef _DEBUG
- saml::NDC ndc("init");
+ xmltooling::NDC ndc("init");
#endif
- if (m_priv->m_app)
- throw SAMLException("Request initialization occurred twice!");
- if (!config)
- throw SAMLException("SP configuration not supplied.");
-
- if (protocol) m_priv->m_protocol = protocol;
- if (content_type) m_priv->m_content_type = content_type;
- if (remote_host) m_priv->m_remote_addr = remote_host;
- if (method) m_priv->m_method = method;
- m_priv->m_Config = config;
- m_priv->get_application(protocol, hostname, port, uri);
+ if (m_priv->m_app)
+ throw XMLToolingException("Request initialization occurred twice!");
+
+ if (method) m_method = method;
+ if (protocol) m_protocol = protocol;
+ if (hostname) m_hostname = hostname;
+ if (uri) m_uri = uri;
+ if (content_type) m_content_type = content_type;
+ if (remote_addr) m_remote_addr = remote_addr;
+ m_port = port;
+ m_priv->m_Config = &ShibTargetConfig::getConfig();
+ m_priv->get_application(this, protocol, hostname, port, uri);
}
// The web server modules implement a subclass and then call into
// these methods once they instantiate their request object.
-pair<bool,void*> ShibTarget::doCheckAuthN(bool requireSessionFlag, bool handler)
+pair<bool,void*> ShibTarget::doCheckAuthN(bool handler)
{
#ifdef _DEBUG
- saml::NDC ndc("doCheckAuthN");
+ xmltooling::NDC ndc("doCheckAuthN");
#endif
- const char *procState = "Request Processing Error";
- const char *targetURL = m_priv->m_url.c_str();
- ShibMLP mlp;
+ const char* procState = "Request Processing Error";
+ const char* targetURL = m_url.c_str();
+ ExtTemplateParameters tp;
try {
if (!m_priv->m_app)
throw ConfigurationException("System uninitialized, application did not supply request information.");
- const char* handlerURL = m_priv->getHandlerURL(targetURL);
+ // If not SSL, check to see if we should block or redirect it.
+ if (!strcmp("http",getProtocol())) {
+ pair<bool,const char*> redirectToSSL = m_priv->m_settings.first->getString("redirectToSSL");
+ if (redirectToSSL.first) {
+ if (!strcasecmp("GET",getRequestMethod()) || !strcasecmp("HEAD",getRequestMethod())) {
+ // Compute the new target URL
+ string redirectURL = string("https://") + getHostname();
+ if (strcmp(redirectToSSL.second,"443")) {
+ redirectURL = redirectURL + ':' + redirectToSSL.second;
+ }
+ redirectURL += getRequestURI();
+ return make_pair(true, sendRedirect(redirectURL));
+ }
+ else {
+ tp.m_map["requestURL"] = m_url.substr(0,m_url.find('?'));
+ return make_pair(true,m_priv->sendError(this,"ssl", tp));
+ }
+ }
+ }
+
+ string hURL = getHandlerURL(targetURL);
+ const char* handlerURL=hURL.c_str();
if (!handlerURL)
throw ConfigurationException("Cannot determine handler from resource URL, check configuration.");
if (handler)
return doHandler();
else
- return pair<bool,void*>(true, returnOK());
+ return make_pair(true, returnOK());
}
- string auth_type = getAuthType();
- if (strcasecmp(auth_type.c_str(),"shibboleth"))
- return pair<bool,void*>(true,returnDecline());
-
+ // Three settings dictate how to proceed.
+ pair<bool,const char*> authType = m_priv->m_settings.first->getString("authType");
pair<bool,bool> requireSession = m_priv->m_settings.first->getBool("requireSession");
- if (!requireSession.first || !requireSession.second) {
- // Web server might override.
- if (requireSessionFlag)
- requireSession.second=true;
- }
+ pair<bool,const char*> requireSessionWith = m_priv->m_settings.first->getString("requireSessionWith");
+
+ // If no session is required AND the AuthType (an Apache-derived concept) isn't shibboleth,
+ // then we ignore this request and consider it unprotected. Apache might lie to us if
+ // ShibBasicHijack is on, but that's up to it.
+ if ((!requireSession.first || !requireSession.second) && !requireSessionWith.first &&
+#ifdef HAVE_STRCASECMP
+ (!authType.first || strcasecmp(authType.second,"shibboleth")))
+#else
+ (!authType.first || _stricmp(authType.second,"shibboleth")))
+#endif
+ return make_pair(true,returnDecline());
+
+ // Fix for secadv 20050901
+ m_priv->clearHeaders(this);
- pair<string,const char*> shib_cookie = m_priv->getCookieNameProps("_shibsession_");
- const char* session_id = m_priv->getCookie(this,shib_cookie.first);
+ pair<string,const char*> shib_cookie = getCookieNameProps("_shibsession_");
+ const char* session_id = getCookie(shib_cookie.first);
if (!session_id || !*session_id) {
// No session. Maybe that's acceptable?
- if (!requireSession.second)
- return pair<bool,void*>(true,returnOK());
+ if ((!requireSession.first || !requireSession.second) && !requireSessionWith.first)
+ return make_pair(true,returnOK());
- // No cookie, but we require a session. Initiate a new session using the default method.
+ // No cookie, but we require a session. Initiate a new session using the indicated method.
procState = "Session Initiator Error";
- const IPropertySet* initiator=m_priv->m_app->getDefaultSessionInitiator();
- return m_priv->doSessionInitiator(this, initiator ? initiator : m_priv->m_app->getPropertySet("Sessions"), false);
+ const IHandler* initiator=NULL;
+ if (requireSessionWith.first) {
+ initiator=m_priv->m_app->getSessionInitiatorById(requireSessionWith.second);
+ if (!initiator)
+ throw ConfigurationException(
+ "No session initiator found with id ($1), check requireSessionWith command.",
+ xmltooling::params(1,requireSessionWith.second)
+ );
+ }
+ else {
+ initiator=m_priv->m_app->getDefaultSessionInitiator();
+ if (!initiator)
+ throw ConfigurationException("No default session initiator found, check configuration.");
+ }
+
+ return initiator->run(this,false);
}
procState = "Session Processing Error";
try {
- // Localized exception throw if the session isn't valid.
- sessionGet(
+ m_priv->m_cacheEntry=m_priv->m_conf->getSessionCache()->find(
session_id,
- m_priv->m_remote_addr.c_str(),
- m_priv->m_sso_profile,
- m_priv->m_provider_id,
- &m_priv->m_sso_statement,
- &m_priv->m_pre_response,
- &m_priv->m_post_response
+ m_priv->m_app,
+ m_remote_addr.c_str()
);
+ // Make a localized exception throw if the session isn't valid.
+ if (!m_priv->m_cacheEntry)
+ throw RetryableProfileException("Session no longer valid.");
}
- catch (SAMLException& e) {
+ catch (exception& e) {
log(LogLevelError, string("session processing failed: ") + e.what());
// If no session is required, bail now.
- if (!requireSession.second)
+ if ((!requireSession.first || !requireSession.second) && !requireSessionWith.first)
// Has to be OK because DECLINED will just cause Apache
// to fail when it can't locate anything to process the
// AuthType. No session plus requireSession false means
// do not authenticate the user at this time.
- return pair<bool,void*>(true, returnOK());
+ return make_pair(true, returnOK());
- // Try and cast down. This should throw an exception if it fails.
- bool retryable=false;
- try {
- RetryableProfileException& trycast=dynamic_cast<RetryableProfileException&>(e);
- retryable=true;
- }
- catch (exception&) {
- }
- if (retryable) {
+ // Try and cast down.
+ exception* base = &e;
+ RetryableProfileException* trycast=dynamic_cast<RetryableProfileException*>(base);
+ if (trycast) {
// Session is invalid but we can retry -- initiate a new session.
procState = "Session Initiator Error";
- const IPropertySet* initiator=m_priv->m_app->getDefaultSessionInitiator();
- return m_priv->doSessionInitiator(this, initiator ? initiator : m_priv->m_app->getPropertySet("Sessions"), false);
+ const IHandler* initiator=NULL;
+ if (requireSessionWith.first) {
+ initiator=m_priv->m_app->getSessionInitiatorById(requireSessionWith.second);
+ if (!initiator)
+ throw ConfigurationException(
+ "No session initiator found with id ($1), check requireSessionWith command.",
+ xmltooling::params(1,requireSessionWith.second)
+ );
+ }
+ else {
+ initiator=m_priv->m_app->getDefaultSessionInitiator();
+ if (!initiator)
+ throw ConfigurationException("No default session initiator found, check configuration.");
+ }
+ return initiator->run(this,false);
}
throw; // send it to the outer handler
}
// We're done. Everything is okay. Nothing to report. Nothing to do..
// Let the caller decide how to proceed.
log(LogLevelDebug, "doCheckAuthN succeeded");
- return pair<bool,void*>(false,NULL);
+ return make_pair(false,(void*)NULL);
}
- catch (SAMLException& e) {
- mlp.insert(e);
+ catch (XMLToolingException& e) {
+ tp.m_map["errorType"] = procState;
+ tp.m_map["errorText"] = e.what();
+ if (targetURL)
+ tp.m_map["requestURL"] = m_url.substr(0,m_url.find('?'));
+ return make_pair(true,m_priv->sendError(this, "session", tp, &e));
}
#ifndef _DEBUG
catch (...) {
- mlp.insert("errorText", "Caught an unknown exception.");
+ tp.m_map["errorType"] = procState;
+ tp.m_map["errorText"] = "Caught an unknown exception.";
+ if (targetURL)
+ tp.m_map["requestURL"] = m_url.substr(0,m_url.find('?'));
+ return make_pair(true,m_priv->sendError(this, "session", tp));
}
#endif
-
- // If we get here then we've got an error.
- mlp.insert("errorType", procState);
- if (targetURL)
- mlp.insert("requestURL", m_priv->m_url.substr(0,m_priv->m_url.find('?')));
-
- return pair<bool,void*>(true,sendError("session", mlp));
}
pair<bool,void*> ShibTarget::doHandler(void)
{
#ifdef _DEBUG
- saml::NDC ndc("doHandler");
+ xmltooling::NDC ndc("doHandler");
#endif
- const char *procState = "Shibboleth Handler Error";
- const char* targetURL = m_priv->m_url.c_str();
- ShibMLP mlp;
+ ExtTemplateParameters tp;
+ const char* procState = "Shibboleth Handler Error";
+ const char* targetURL = m_url.c_str();
try {
if (!m_priv->m_app)
throw ConfigurationException("System uninitialized, application did not supply request information.");
- const char* handlerURL = m_priv->getHandlerURL(targetURL);
+ string hURL = getHandlerURL(targetURL);
+ const char* handlerURL=hURL.c_str();
if (!handlerURL)
throw ConfigurationException("Cannot determine handler from resource URL, check configuration.");
// Make sure we only process handler requests.
if (!strstr(targetURL,handlerURL))
- return pair<bool,void*>(true, returnDecline());
+ return make_pair(true, returnDecline());
- const IPropertySet* sessionProps=m_priv->m_app->getPropertySet("Sessions");
+ const PropertySet* sessionProps=m_priv->m_app->getPropertySet("Sessions");
if (!sessionProps)
throw ConfigurationException("Unable to map request to application session settings, check configuration.");
pair<bool,bool> handlerSSL=sessionProps->getBool("handlerSSL");
// Make sure this is SSL, if it should be
- if ((!handlerSSL.first || handlerSSL.second) && m_priv->m_protocol != "https")
- throw FatalProfileException("Blocked non-SSL access to Shibboleth handler.");
+ if ((!handlerSSL.first || handlerSSL.second) && m_protocol != "https")
+ throw opensaml::FatalProfileException("Blocked non-SSL access to Shibboleth handler.");
// We dispatch based on our path info. We know the request URL begins with or equals the handler URL,
// so the path info is the next character (or null).
- const IPropertySet* handler=m_priv->m_app->getHandler(targetURL + strlen(handlerURL));
- if (handler) {
- if (saml::XML::isElementNamed(handler->getElement(),shibtarget::XML::SAML2META_NS,SHIBT_L(AssertionConsumerService))) {
- procState = "Session Creation Error";
- return m_priv->doAssertionConsumer(this,handler);
- }
- else if (saml::XML::isElementNamed(handler->getElement(),ShibTargetConfig::SHIBTARGET_NS,SHIBT_L(SessionInitiator))) {
- procState = "Session Initiator Error";
- return m_priv->doSessionInitiator(this,handler);
- }
- else if (saml::XML::isElementNamed(handler->getElement(),shibtarget::XML::SAML2META_NS,SHIBT_L(SingleLogoutService))) {
- procState = "Session Termination Error";
- return m_priv->doLogout(this,handler);
- }
- else
- throw ConfigurationException("Endpoint is mapped to unrecognized handler element.");
- }
-
- if (strlen(targetURL)>strlen(handlerURL) && targetURL[strlen(handlerURL)]!='?')
- throw SAMLException("Shibboleth handler invoked at an unconfigured location.");
-
- // This is a legacy direct execution of the handler (the old shireURL).
- // If this is a GET, we see if it's a lazy session request, otherwise
- // assume it's a SAML 1.x POST profile response and process it.
- if (!strcasecmp(m_priv->m_method.c_str(), "GET")) {
+ const IHandler* handler=m_priv->m_app->getHandler(targetURL + strlen(handlerURL));
+ if (!handler)
+ throw opensaml::BindingException("Shibboleth handler invoked at an unconfigured location.");
+
+ if (XMLHelper::isNodeNamed(handler->getProperties()->getElement(),samlconstants::SAML20MD_NS,SHIBT_L(AssertionConsumerService)))
+ procState = "Session Creation Error";
+ else if (XMLHelper::isNodeNamed(handler->getProperties()->getElement(),shibtarget::XML::SHIBTARGET_NS,SHIBT_L(SessionInitiator)))
procState = "Session Initiator Error";
- return m_priv->doSessionInitiator(this, sessionProps);
- }
-
- procState = "Session Creation Error";
- return m_priv->doAssertionConsumer(this, sessionProps);
+ else if (XMLHelper::isNodeNamed(handler->getProperties()->getElement(),samlconstants::SAML20MD_NS,SHIBT_L(SingleLogoutService)))
+ procState = "Session Termination Error";
+ else if (XMLHelper::isNodeNamed(handler->getProperties()->getElement(),shibtarget::XML::SHIBTARGET_NS,SHIBT_L(DiagnosticService)))
+ procState = "Diagnostics Error";
+ else
+ procState = "Extension Service Error";
+ pair<bool,void*> hret=handler->run(this);
+
+ // Did the handler run successfully?
+ if (hret.first)
+ return hret;
+
+ throw opensaml::BindingException("Configured Shibboleth handler failed to process the request.");
}
catch (MetadataException& e) {
- mlp.insert(e);
+ tp.m_map["errorText"] = e.what();
// See if a metadata error page is installed.
- const IPropertySet* props=m_priv->m_app->getPropertySet("Errors");
+ const PropertySet* props=m_priv->m_app->getPropertySet("Errors");
if (props) {
pair<bool,const char*> p=props->getString("metadata");
if (p.first) {
- mlp.insert("errorType", procState);
+ tp.m_map["errorType"] = procState;
if (targetURL)
- mlp.insert("requestURL", targetURL);
- return pair<bool,void*>(true,sendError("metadata", mlp));
+ tp.m_map["requestURL"] = targetURL;
+ return make_pair(true,m_priv->sendError(this, "metadata", tp));
}
}
+ throw;
}
- catch (SAMLException& e) {
- mlp.insert(e);
+ catch (XMLToolingException& e) {
+ tp.m_map["errorType"] = procState;
+ tp.m_map["errorText"] = e.what();
+ if (targetURL)
+ tp.m_map["requestURL"] = m_url.substr(0,m_url.find('?'));
+ return make_pair(true,m_priv->sendError(this, "session", tp, &e));
}
#ifndef _DEBUG
catch (...) {
- mlp.insert("errorText", "Caught an unknown exception.");
+ tp.m_map["errorType"] = procState;
+ tp.m_map["errorText"] = "Caught an unknown exception.";
+ if (targetURL)
+ tp.m_map["requestURL"] = m_url.substr(0,m_url.find('?'));
+ return make_pair(true,m_priv->sendError(this, "session", tp));
}
#endif
-
- // If we get here then we've got an error.
- mlp.insert("errorType", procState);
-
- if (targetURL)
- mlp.insert("requestURL", m_priv->m_url.substr(0,m_priv->m_url.find('?')));
-
- return pair<bool,void*>(true,sendError("session", mlp));
}
pair<bool,void*> ShibTarget::doCheckAuthZ(void)
{
#ifdef _DEBUG
- saml::NDC ndc("doCheckAuthZ");
+ xmltooling::NDC ndc("doCheckAuthZ");
#endif
- ShibMLP mlp;
- const char *procState = "Authorization Processing Error";
- const char *targetURL = m_priv->m_url.c_str();
+ ExtTemplateParameters tp;
+ const char* procState = "Authorization Processing Error";
+ const char* targetURL = m_url.c_str();
try {
if (!m_priv->m_app)
throw ConfigurationException("System uninitialized, application did not supply request information.");
+ // Three settings dictate how to proceed.
+ pair<bool,const char*> authType = m_priv->m_settings.first->getString("authType");
+ pair<bool,bool> requireSession = m_priv->m_settings.first->getBool("requireSession");
+ pair<bool,const char*> requireSessionWith = m_priv->m_settings.first->getString("requireSessionWith");
+
+ // If no session is required AND the AuthType (an Apache-derived concept) isn't shibboleth,
+ // then we ignore this request and consider it unprotected. Apache might lie to us if
+ // ShibBasicHijack is on, but that's up to it.
+ if ((!requireSession.first || !requireSession.second) && !requireSessionWith.first &&
+#ifdef HAVE_STRCASECMP
+ (!authType.first || strcasecmp(authType.second,"shibboleth")))
+#else
+ (!authType.first || _stricmp(authType.second,"shibboleth")))
+#endif
+ return make_pair(true,returnDecline());
+
// Do we have an access control plugin?
if (m_priv->m_settings.second) {
+
+ if (!m_priv->m_cacheEntry) {
+ // No data yet, so we may need to try and get the session.
+ pair<string,const char*> shib_cookie=getCookieNameProps("_shibsession_");
+ const char *session_id = getCookie(shib_cookie.first);
+ try {
+ if (session_id && *session_id) {
+ m_priv->m_cacheEntry=m_priv->m_conf->getSessionCache()->find(
+ session_id,
+ m_priv->m_app,
+ m_remote_addr.c_str()
+ );
+ }
+ }
+ catch (exception&) {
+ log(LogLevelError, "doCheckAuthZ: unable to obtain session information to pass to access control provider");
+ }
+ }
+
Locker acllock(m_priv->m_settings.second);
- if (!m_priv->m_settings.second->authorized(*m_priv->m_sso_statement,
- m_priv->m_post_response ? m_priv->m_post_response->getAssertions() : EMPTY(SAMLAssertion*))) {
- log(LogLevelWarn, "doCheckAuthZ() access control provider denied access");
- if (targetURL)
- mlp.insert("requestURL", targetURL);
- return pair<bool,void*>(true,sendError("access", mlp));
- }
- }
-
- // Perform HTAccess Checks
- auto_ptr<HTAccessInfo> ht(getAccessInfo());
-
- // No Info means OK. Just return
- if (!ht.get())
- return pair<bool,void*>(false, NULL);
-
- vector<bool> auth_OK(ht->elements.size(), false);
- bool method_restricted=false;
- string remote_user = getRemoteUser();
-
-#define CHECK_OK \
- do { \
- if (!ht->requireAll) { \
- return pair<bool,void*>(false, NULL); \
- } \
- auth_OK[x] = true; \
- continue; \
- } while (0)
-
- for (int x = 0; x < ht->elements.size(); x++) {
- auth_OK[x] = false;
- HTAccessInfo::RequireLine *line = ht->elements[x];
- if (! line->use_line)
- continue;
- method_restricted = true;
-
- const char *w = line->tokens[0].c_str();
-
- if (!strcasecmp(w,"Shibboleth")) {
- // This is a dummy rule needed because Apache conflates authn and authz.
- // Without some require rule, AuthType is ignored and no check_user hooks run.
- CHECK_OK;
- }
- else if (!strcmp(w,"valid-user")) {
- log(LogLevelDebug, "doCheckAuthZ accepting valid-user");
- CHECK_OK;
- }
- else if (!strcmp(w,"user") && !remote_user.empty()) {
- bool regexp=false;
- for (int i = 1; i < line->tokens.size(); i++) {
- w = line->tokens[i].c_str();
- if (*w == '~') {
- regexp = true;
- continue;
- }
-
- if (regexp) {
- try {
- // To do regex matching, we have to convert from UTF-8.
- auto_ptr<XMLCh> trans(fromUTF8(w));
- RegularExpression re(trans.get());
- auto_ptr<XMLCh> trans2(fromUTF8(remote_user.c_str()));
- if (re.matches(trans2.get())) {
- log(LogLevelDebug, string("doCheckAuthZ accepting user: ") + w);
- CHECK_OK;
- }
- }
- catch (XMLException& ex) {
- auto_ptr_char tmp(ex.getMessage());
- log(LogLevelError, string("doCheckAuthZ caught exception while parsing regular expression (")
- + w + "): " + tmp.get());
- }
- }
- else if (!strcmp(remote_user.c_str(), w)) {
- log(LogLevelDebug, string("doCheckAuthZ accepting user: ") + w);
- CHECK_OK;
- }
- }
- }
- else if (!strcmp(w,"group")) {
- auto_ptr<HTGroupTable> grpstatus(getGroupTable(remote_user));
- if (!grpstatus.get()) {
- return pair<bool,void*>(true, returnDecline());
- }
-
- for (int i = 1; i < line->tokens.size(); i++) {
- w = line->tokens[i].c_str();
- if (grpstatus->lookup(w)) {
- log(LogLevelDebug, string("doCheckAuthZ accepting group: ") + w);
- CHECK_OK;
- }
- }
+ if (m_priv->m_settings.second->authorized(this,m_priv->m_cacheEntry)) {
+ // Let the caller decide how to proceed.
+ log(LogLevelDebug, "doCheckAuthZ: access control provider granted access");
+ return make_pair(false,(void*)NULL);
}
else {
- Iterator<IAAP*> provs = m_priv->m_app->getAAPProviders();
- AAP wrapper(provs, w);
- if (wrapper.fail()) {
- log(LogLevelWarn, string("doCheckAuthZ didn't recognize require rule: ") + w);
- continue;
- }
-
- bool regexp = false;
- string vals = getHeader(wrapper->getHeader());
- for (int i = 1; i < line->tokens.size() && !vals.empty(); i++) {
- w = line->tokens[i].c_str();
- if (*w == '~') {
- regexp = true;
- continue;
- }
-
- try {
- auto_ptr<RegularExpression> re;
- if (regexp) {
- delete re.release();
- auto_ptr<XMLCh> trans(fromUTF8(w));
- auto_ptr<RegularExpression> temp(new RegularExpression(trans.get()));
- re=temp;
- }
-
- string vals_str(vals);
- int j = 0;
- for (int i = 0; i < vals_str.length(); i++) {
- if (vals_str.at(i) == ';') {
- if (i == 0) {
- log(LogLevelError, string("doCheckAuthZ invalid header encoding") +
- vals + ": starts with a semicolon");
- throw SAMLException("Invalid information supplied to authorization module.");
- }
-
- if (vals_str.at(i-1) == '\\') {
- vals_str.erase(i-1, 1);
- i--;
- continue;
- }
-
- string val = vals_str.substr(j, i-j);
- j = i+1;
- if (regexp) {
- auto_ptr<XMLCh> trans(fromUTF8(val.c_str()));
- if (re->matches(trans.get())) {
- log(LogLevelDebug, string("doCheckAuthZ expecting ") + w +
- ", got " + val + ": authorization granted");
- CHECK_OK;
- }
- }
- else if ((wrapper->getCaseSensitive() && val==w) ||
- (!wrapper->getCaseSensitive() && !strcasecmp(val.c_str(),w))) {
- log(LogLevelDebug, string("doCheckAuthZ expecting ") + w +
- ", got " + val + ": authorization granted.");
- CHECK_OK;
- }
- else {
- log(LogLevelDebug, string("doCheckAuthZ expecting ") + w +
- ", got " + val + ": authoritzation not granted.");
- }
- }
- }
-
- string val = vals_str.substr(j, vals_str.length()-j);
- if (regexp) {
- auto_ptr<XMLCh> trans(fromUTF8(val.c_str()));
- if (re->matches(trans.get())) {
- log(LogLevelDebug, string("doCheckAuthZ expecting ") + w +
- ", got " + val + ": authorization granted.");
- CHECK_OK;
- }
- }
- else if ((wrapper->getCaseSensitive() && val==w) ||
- (!wrapper->getCaseSensitive() && !strcasecmp(val.c_str(),w))) {
- log(LogLevelDebug, string("doCheckAuthZ expecting ") + w +
- ", got " + val + ": authorization granted");
- CHECK_OK;
- }
- else {
- log(LogLevelDebug, string("doCheckAuthZ expecting ") + w +
- ", got " + val + ": authorization not granted");
- }
- }
- catch (XMLException& ex) {
- auto_ptr_char tmp(ex.getMessage());
- log(LogLevelError, string("doCheckAuthZ caught exception while parsing regular expression (")
- + w + "): " + tmp.get());
- }
- }
+ log(LogLevelWarn, "doCheckAuthZ: access control provider denied access");
+ if (targetURL)
+ tp.m_map["requestURL"] = targetURL;
+ return make_pair(true,m_priv->sendError(this, "access", tp));
}
- } // for x
-
-
- // check if all require directives are true
- bool auth_all_OK = true;
- for (int i = 0; i < ht->elements.size(); i++) {
- auth_all_OK &= auth_OK[i];
}
-
- if (auth_all_OK || !method_restricted)
- return pair<bool,void*>(false, NULL);
-
- // If we get here there's an access error, so just fall through
+ else
+ return make_pair(true,returnDecline());
}
- catch (SAMLException& e) {
- mlp.insert(e);
+ catch (exception& e) {
+ tp.m_map["errorType"] = procState;
+ tp.m_map["errorText"] = e.what();
+ if (targetURL)
+ tp.m_map["requestURL"] = m_url.substr(0,m_url.find('?'));
+ return make_pair(true,m_priv->sendError(this, "access", tp));
}
#ifndef _DEBUG
catch (...) {
- mlp.insert("errorText", "Caught an unknown exception.");
+ tp.m_map["errorType"] = procState;
+ tp.m_map["errorText"] = "Caught an unknown exception.";
+ if (targetURL)
+ tp.m_map["requestURL"] = m_url.substr(0,m_url.find('?'));
+ return make_pair(true,m_priv->sendError(this, "access", tp));
}
#endif
-
- // If we get here then we've got an error.
- mlp.insert("errorType", procState);
-
- if (targetURL)
- mlp.insert("requestURL", m_priv->m_url.substr(0,m_priv->m_url.find('?')));
-
- return pair<bool,void*>(true,sendError("access", mlp));
}
-pair<bool,void*> ShibTarget::doExportAssertions(bool exportAssertion)
+pair<bool,void*> ShibTarget::doExportAssertions(bool requireSession)
{
#ifdef _DEBUG
- saml::NDC ndc("doExportAssertions");
+ xmltooling::NDC ndc("doExportAssertions");
#endif
- ShibMLP mlp;
- const char *procState = "Attribute Processing Error";
- const char *targetURL = m_priv->m_url.c_str();
+ ExtTemplateParameters tp;
+ const char* procState = "Attribute Processing Error";
+ const char* targetURL = m_url.c_str();
try {
if (!m_priv->m_app)
throw ConfigurationException("System uninitialized, application did not supply request information.");
- pair<string,const char*> shib_cookie=m_priv->getCookieNameProps("_shibsession_");
- const char *session_id = m_priv->getCookie(this,shib_cookie.first);
-
- if (!m_priv->m_sso_statement) {
+ if (!m_priv->m_cacheEntry) {
// No data yet, so we need to get the session. This can only happen
// if the call to doCheckAuthn doesn't happen in the same object lifetime.
- sessionGet(
- session_id,
- m_priv->m_remote_addr.c_str(),
- m_priv->m_sso_profile,
- m_priv->m_provider_id,
- &m_priv->m_sso_statement,
- &m_priv->m_pre_response,
- &m_priv->m_post_response
- );
+ pair<string,const char*> shib_cookie=getCookieNameProps("_shibsession_");
+ const char *session_id = getCookie(shib_cookie.first);
+ try {
+ if (session_id && *session_id) {
+ m_priv->m_cacheEntry=m_priv->m_conf->getSessionCache()->find(
+ session_id,
+ m_priv->m_app,
+ m_remote_addr.c_str()
+ );
+ }
+ }
+ catch (exception&) {
+ log(LogLevelError, "unable to obtain session information to export into request headers");
+ // If we have to have a session, then this is a fatal error.
+ if (requireSession)
+ throw;
+ }
}
- // Get the AAP providers, which contain the attribute policy info.
- Iterator<IAAP*> provs=m_priv->m_app->getAAPProviders();
-
- // Clear out the list of mapped attributes
- while (provs.hasNext()) {
- IAAP* aap=provs.next();
- Locker locker(aap);
- Iterator<const IAttributeRule*> rules=aap->getAttributeRules();
- while (rules.hasNext()) {
- const char* header=rules.next()->getHeader();
- if (header)
- clearHeader(header);
- }
+ // Still no data?
+ if (!m_priv->m_cacheEntry) {
+ if (requireSession)
+ throw RetryableProfileException("Unable to obtain session information for request.");
+ else
+ return make_pair(false,(void*)NULL); // just bail silently
}
- // Maybe export the first assertion.
- clearHeader("Shib-Attributes");
+ // Extract data from session.
+ pair<const char*,const SAMLSubject*> sub=m_priv->m_cacheEntry->getSubject(false,true);
+ pair<const char*,const SAMLResponse*> unfiltered=m_priv->m_cacheEntry->getTokens(true,false);
+ pair<const char*,const SAMLResponse*> filtered=m_priv->m_cacheEntry->getTokens(false,true);
+
+ // Maybe export the tokens.
pair<bool,bool> exp=m_priv->m_settings.first->getBool("exportAssertion");
- if (!exp.first || !exp.second)
- if (exportAssertion)
- exp.second=true;
- if (exp.second && m_priv->m_pre_response) {
- ostringstream os;
- os << *(m_priv->m_pre_response);
+ if (exp.first && exp.second && unfiltered.first && *unfiltered.first) {
unsigned int outlen;
- XMLByte* serialized = Base64::encode(reinterpret_cast<XMLByte*>((char*)os.str().c_str()), os.str().length(), &outlen);
+ XMLByte* serialized =
+ Base64::encode(reinterpret_cast<XMLByte*>((char*)unfiltered.first), XMLString::stringLen(unfiltered.first), &outlen);
XMLByte *pos, *pos2;
for (pos=serialized, pos2=serialized; *pos2; pos2++)
if (isgraph(*pos2))
setHeader("Shib-Attributes", reinterpret_cast<char*>(serialized));
XMLString::release(&serialized);
}
-
+
// Export the SAML AuthnMethod and the origin site name, and possibly the NameIdentifier.
- clearHeader("Shib-Origin-Site");
- clearHeader("Shib-Identity-Provider");
- clearHeader("Shib-Authentication-Method");
- clearHeader("Shib-NameIdentifier-Format");
- setHeader("Shib-Origin-Site", m_priv->m_provider_id.c_str());
- setHeader("Shib-Identity-Provider", m_priv->m_provider_id.c_str());
- auto_ptr_char am(m_priv->m_sso_statement->getAuthMethod());
- setHeader("Shib-Authentication-Method", am.get());
+ setHeader("Shib-Origin-Site", m_priv->m_cacheEntry->getProviderId());
+ setHeader("Shib-Identity-Provider", m_priv->m_cacheEntry->getProviderId());
+ setHeader("Shib-Authentication-Method", m_priv->m_cacheEntry->getAuthnContext());
+ // Get the AAP providers, which contain the attribute policy info.
+ Iterator<IAAP*> provs=m_priv->m_app->getAAPProviders();
+
// Export NameID?
- provs.reset();
while (provs.hasNext()) {
IAAP* aap=provs.next();
Locker locker(aap);
- const IAttributeRule* rule=aap->lookup(m_priv->m_sso_statement->getSubject()->getNameIdentifier()->getFormat());
+ const XMLCh* format = sub.second->getNameIdentifier()->getFormat();
+ const IAttributeRule* rule=aap->lookup(format ? format : SAMLNameIdentifier::UNSPECIFIED);
if (rule && rule->getHeader()) {
- auto_ptr_char form(m_priv->m_sso_statement->getSubject()->getNameIdentifier()->getFormat());
- auto_ptr_char nameid(m_priv->m_sso_statement->getSubject()->getNameIdentifier()->getName());
+ auto_ptr_char form(format ? format : SAMLNameIdentifier::UNSPECIFIED);
+ auto_ptr_char nameid(sub.second->getNameIdentifier()->getName());
setHeader("Shib-NameIdentifier-Format", form.get());
if (!strcmp(rule->getHeader(),"REMOTE_USER"))
setRemoteUser(nameid.get());
}
}
- clearHeader("Shib-Application-ID");
setHeader("Shib-Application-ID", m_priv->m_app->getId());
// Export the attributes.
- Iterator<SAMLAssertion*> a_iter(m_priv->m_post_response ? m_priv->m_post_response->getAssertions() : EMPTY(SAMLAssertion*));
+ Iterator<SAMLAssertion*> a_iter(filtered.second ? filtered.second->getAssertions() : EMPTY(SAMLAssertion*));
while (a_iter.hasNext()) {
SAMLAssertion* assert=a_iter.next();
Iterator<SAMLStatement*> statements=assert->getStatements();
}
}
- return pair<bool,void*>(false,NULL);
+ return make_pair(false,(void*)NULL);
}
- catch (SAMLException& e) {
- mlp.insert(e);
+ catch (XMLToolingException& e) {
+ tp.m_map["errorType"] = procState;
+ tp.m_map["errorText"] = e.what();
+ if (targetURL)
+ tp.m_map["requestURL"] = m_url.substr(0,m_url.find('?'));
+ return make_pair(true,m_priv->sendError(this, "rm", tp, &e));
}
#ifndef _DEBUG
catch (...) {
- mlp.insert("errorText", "Caught an unknown exception.");
+ tp.m_map["errorType"] = procState;
+ tp.m_map["errorText"] = "Caught an unknown exception.";
+ if (targetURL)
+ tp.m_map["requestURL"] = m_url.substr(0,m_url.find('?'));
+ return make_pair(true,m_priv->sendError(this, "rm", tp));
}
#endif
-
- // If we get here then we've got an error.
- mlp.insert("errorType", procState);
-
- if (targetURL)
- mlp.insert("requestURL", m_priv->m_url.substr(0,m_priv->m_url.find('?')));
-
- return pair<bool,void*>(true,sendError("rm", mlp));
-}
-
-
-void ShibTarget::sessionNew(
- int supported_profiles,
- const string& recipient,
- const char* packet,
- const char* ip,
- string& target,
- string& cookie,
- string& provider_id
- ) const
-{
-#ifdef _DEBUG
- saml::NDC ndc("sessionNew");
-#endif
- Category& log = Category::getInstance("shibtarget.ShibTarget");
-
- if (!packet || !*packet) {
- log.error("missing profile response");
- throw FatalProfileException("Profile response missing.");
- }
-
- if (!ip || !*ip) {
- log.error("missing client address");
- throw FatalProfileException("Invalid client address.");
- }
-
- if (supported_profiles <= 0) {
- log.error("no profile support indicated");
- throw FatalProfileException("No profile support indicated.");
- }
-
- shibrpc_new_session_args_2 arg;
- arg.recipient = (char*)recipient.c_str();
- arg.application_id = (char*)m_priv->m_app->getId();
- arg.packet = (char*)packet;
- arg.client_addr = (char*)ip;
- arg.supported_profiles = supported_profiles;
-
- log.info("create session for user at (%s) for application (%s)", ip, arg.application_id);
-
- shibrpc_new_session_ret_2 ret;
- memset(&ret, 0, sizeof(ret));
-
- // Loop on the RPC in case we lost contact the first time through
- int retry = 1;
- CLIENT* clnt;
- RPC rpc;
- do {
- clnt = rpc->connect();
- clnt_stat status = shibrpc_new_session_2 (&arg, &ret, clnt);
- if (status != RPC_SUCCESS) {
- // FAILED. Release, disconnect, and retry
- log.error("RPC Failure: %p (%p) (%d): %s", this, clnt, status, clnt_spcreateerror("shibrpc_new_session_2"));
- rpc->disconnect();
- if (retry)
- retry--;
- else
- throw ListenerException("Failure passing session setup information to listener.");
- }
- else {
- // SUCCESS. Pool and continue
- retry = -1;
- }
- } while (retry>=0);
-
- if (ret.status && *ret.status)
- log.debug("RPC completed with exception: %s", ret.status);
- else
- log.debug("RPC completed successfully");
-
- SAMLException* except=NULL;
- if (ret.status && *ret.status) {
- // Reconstitute exception object.
- try {
- istringstream estr(ret.status);
- except=SAMLException::getInstance(estr);
- }
- catch (SAMLException& e) {
- log.error("caught SAML Exception while building the SAMLException: %s", e.what());
- log.error("XML was: %s", ret.status);
- clnt_freeres(clnt, (xdrproc_t)xdr_shibrpc_new_session_ret_2, (caddr_t)&ret);
- rpc.pool();
- throw FatalProfileException("An unrecoverable error occurred while creating your session.");
- }
-#ifndef _DEBUG
- catch (...) {
- log.error("caught unknown exception building SAMLException");
- log.error("XML was: %s", ret.status);
- clnt_freeres(clnt, (xdrproc_t)xdr_shibrpc_new_session_ret_2, (caddr_t)&ret);
- rpc.pool();
- throw;
- }
-#endif
- }
- else {
- log.debug("new session from IdP (%s) with key (%s)", ret.provider_id, ret.cookie);
- cookie = ret.cookie;
- provider_id = ret.provider_id;
- if (ret.target)
- target = ret.target;
- }
-
- clnt_freeres(clnt, (xdrproc_t)xdr_shibrpc_new_session_ret_2, (caddr_t)&ret);
- rpc.pool();
- if (except) {
- auto_ptr<SAMLException> wrapper(except);
- wrapper->raise();
- }
}
-void ShibTarget::sessionGet(
- const char* cookie,
- const char* ip,
- ShibProfile& profile,
- string& provider_id,
- SAMLAuthenticationStatement** auth_statement,
- SAMLResponse** attr_response_pre,
- SAMLResponse** attr_response_post
- ) const
+const char* ShibTarget::getRequestParameter(const char* param, size_t index) const
{
-#ifdef _DEBUG
- saml::NDC ndc("sessionGet");
-#endif
- Category& log = Category::getInstance("shibtarget.ShibTarget");
-
- if (!cookie || !*cookie) {
- log.error("no session key provided");
- throw InvalidSessionException("No session key was provided.");
- }
- else if (strchr(cookie,'=')) {
- log.error("cookie value not extracted successfully, probably overlapping cookies across domains");
- throw InvalidSessionException("The session key wasn't extracted successfully from the browser cookie.");
- }
-
- if (!ip || !*ip) {
- log.error("invalid client Address");
- throw FatalProfileException("Invalid client address.");
- }
-
- log.info("getting session for client at (%s)", ip);
- log.debug("session cookie (%s)", cookie);
-
- shibrpc_get_session_args_2 arg;
- arg.cookie = (char*)cookie;
- arg.client_addr = (char*)ip;
- arg.application_id = (char*)m_priv->m_app->getId();
-
- shibrpc_get_session_ret_2 ret;
- memset (&ret, 0, sizeof(ret));
-
- // Loop on the RPC in case we lost contact the first time through
- int retry = 1;
- CLIENT *clnt;
- RPC rpc;
- do {
- clnt = rpc->connect();
- clnt_stat status = shibrpc_get_session_2(&arg, &ret, clnt);
- if (status != RPC_SUCCESS) {
- // FAILED. Release, disconnect, and try again...
- log.error("RPC Failure: %p (%p) (%d) %s", this, clnt, status, clnt_spcreateerror("shibrpc_get_session_2"));
- rpc->disconnect();
- if (retry)
- retry--;
- else
- throw ListenerException("Failure requesting session information from listener.");
- }
- else {
- // SUCCESS
- retry = -1;
- }
- } while (retry>=0);
-
- if (ret.status && *ret.status)
- log.debug("RPC completed with exception: %s", ret.status);
- else
- log.debug("RPC completed successfully");
-
- SAMLException* except=NULL;
- if (ret.status && *ret.status) {
- // Reconstitute exception object.
- try {
- istringstream estr(ret.status);
- except=SAMLException::getInstance(estr);
- }
- catch (SAMLException& e) {
- log.error("caught SAML Exception while building the SAMLException: %s", e.what());
- log.error("XML was: %s", ret.status);
- clnt_freeres(clnt, (xdrproc_t)xdr_shibrpc_get_session_ret_2, (caddr_t)&ret);
- rpc.pool();
- throw FatalProfileException("An unrecoverable error occurred while accessing your session.");
- }
- catch (...) {
- log.error("caught unknown exception building SAMLException");
- log.error("XML was: %s", ret.status);
- clnt_freeres(clnt, (xdrproc_t)xdr_shibrpc_get_session_ret_2, (caddr_t)&ret);
- rpc.pool();
- throw;
- }
- }
- else {
- try {
- profile = ret.profile;
- provider_id = ret.provider_id;
-
- // return the Authentication Statement
- if (auth_statement) {
- istringstream authstream(ret.auth_statement);
- log.debugStream() << "trying to decode authentication statement: "
- << ret.auth_statement << CategoryStream::ENDLINE;
- *auth_statement = new SAMLAuthenticationStatement(authstream);
- }
+ if (!m_priv->m_cgiParser)
+ m_priv->m_cgiParser=new CgiParse(this);
- // return the unfiltered Response
- if (attr_response_pre) {
- istringstream prestream(ret.attr_response_pre);
- log.debugStream() << "trying to decode unfiltered attribute response: "
- << ret.attr_response_pre << CategoryStream::ENDLINE;
- *attr_response_pre = new SAMLResponse(prestream);
- }
+ pair<CgiParse::walker,CgiParse::walker> bounds=m_priv->m_cgiParser->get_values(param);
- // return the filtered Response
- if (attr_response_post) {
- istringstream poststream(ret.attr_response_post);
- log.debugStream() << "trying to decode filtered attribute response: "
- << ret.attr_response_post << CategoryStream::ENDLINE;
- *attr_response_post = new SAMLResponse(poststream);
- }
- }
- catch (SAMLException& e) {
- log.error("caught SAML exception while reconstituting session objects: %s", e.what());
- clnt_freeres (clnt, (xdrproc_t)xdr_shibrpc_get_session_ret_2, (caddr_t)&ret);
- rpc.pool();
- throw;
- }
-#ifndef _DEBUG
- catch (...) {
- log.error("caught unknown exception while reconstituting session objects");
- clnt_freeres (clnt, (xdrproc_t)xdr_shibrpc_get_session_ret_2, (caddr_t)&ret);
- rpc.pool();
- throw;
- }
-#endif
- }
-
- clnt_freeres (clnt, (xdrproc_t)xdr_shibrpc_get_session_ret_2, (caddr_t)&ret);
- rpc.pool();
- if (except) {
- auto_ptr<SAMLException> wrapper(except);
- wrapper->raise();
- }
-}
-
-void ShibTarget::sessionEnd(const char* cookie) const
-{
-#ifdef _DEBUG
- saml::NDC ndc("sessionEnd");
-#endif
- Category& log = Category::getInstance("shibtarget.ShibTarget");
-
- if (!cookie || !*cookie) {
- log.error("no session key provided");
- throw InvalidSessionException("No session key was provided.");
- }
- else if (strchr(cookie,'=')) {
- log.error("cookie value not extracted successfully, probably overlapping cookies across domains");
- throw InvalidSessionException("The session key wasn't extracted successfully from the browser cookie.");
- }
-
- log.debug("ending session with cookie (%s)", cookie);
-
- shibrpc_end_session_args_2 arg;
- arg.cookie = (char*)cookie;
-
- shibrpc_end_session_ret_2 ret;
- memset (&ret, 0, sizeof(ret));
-
- // Loop on the RPC in case we lost contact the first time through
- int retry = 1;
- CLIENT *clnt;
- RPC rpc;
- do {
- clnt = rpc->connect();
- clnt_stat status = shibrpc_end_session_2(&arg, &ret, clnt);
- if (status != RPC_SUCCESS) {
- // FAILED. Release, disconnect, and try again...
- log.error("RPC Failure: %p (%p) (%d) %s", this, clnt, status, clnt_spcreateerror("shibrpc_end_session_2"));
- rpc->disconnect();
- if (retry)
- retry--;
- else
- throw ListenerException("Failure ending session through listener.");
- }
- else {
- // SUCCESS
- retry = -1;
- }
- } while (retry>=0);
-
- if (ret.status && *ret.status)
- log.debug("RPC completed with exception: %s", ret.status);
- else
- log.debug("RPC completed successfully");
-
- SAMLException* except=NULL;
- if (ret.status && *ret.status) {
- // Reconstitute exception object.
- try {
- istringstream estr(ret.status);
- except=SAMLException::getInstance(estr);
- }
- catch (SAMLException& e) {
- log.error("caught SAML Exception while building the SAMLException: %s", e.what());
- log.error("XML was: %s", ret.status);
- clnt_freeres(clnt, (xdrproc_t)xdr_shibrpc_end_session_ret_2, (caddr_t)&ret);
- rpc.pool();
- throw FatalProfileException("An unrecoverable error occurred while accessing your session.");
- }
- catch (...) {
- log.error("caught unknown exception building SAMLException");
- log.error("XML was: %s", ret.status);
- clnt_freeres(clnt, (xdrproc_t)xdr_shibrpc_end_session_ret_2, (caddr_t)&ret);
- rpc.pool();
- throw;
- }
- }
-
- clnt_freeres (clnt, (xdrproc_t)xdr_shibrpc_end_session_ret_2, (caddr_t)&ret);
- rpc.pool();
- if (except) {
- auto_ptr<SAMLException> wrapper(except);
- wrapper->raise();
- }
-}
-
-void* ShibTarget::sendError(const char* page, ShibMLP &mlp)
-{
- const IPropertySet* props=m_priv->m_app->getPropertySet("Errors");
- if (props) {
- pair<bool,const char*> p=props->getString(page);
- if (p.first) {
- ifstream infile(p.second);
- if (!infile.fail()) {
- const char* res = mlp.run(infile,props);
- if (res)
- return sendPage(res);
- }
- }
- else if (!strcmp(page,"access"))
- return sendPage("Access Denied", 403);
+ // Advance to the right index.
+ while (index && bounds.first!=bounds.second) {
+ index--;
+ bounds.first++;
}
- string errstr = string("sendError could not process error template (") + page + ") for application (";
- errstr += m_priv->m_app->getId();
- errstr += ")";
- log(ShibTarget::LogLevelError, errstr);
- return sendPage("Internal Server Error. Please contact the site administrator.");
-}
-
-/*************************************************************************
- * Shib Target Private implementation
- */
-
-ShibTargetPriv::ShibTargetPriv() : m_app(NULL), m_mapper(NULL), m_conf(NULL), m_Config(NULL),
- m_sso_profile(PROFILE_UNSPECIFIED), m_sso_statement(NULL), m_pre_response(NULL), m_post_response(NULL) {}
-
-ShibTargetPriv::~ShibTargetPriv()
-{
- delete m_sso_statement;
- m_sso_statement = NULL;
-
- delete m_pre_response;
- m_pre_response = NULL;
-
- delete m_post_response;
- m_post_response = NULL;
-
- if (m_mapper) {
- m_mapper->unlock();
- m_mapper = NULL;
- }
- if (m_conf) {
- m_conf->unlock();
- m_conf = NULL;
- }
- m_app = NULL;
- m_Config = NULL;
+ return (bounds.first==bounds.second) ? NULL : bounds.first->second;
}
-void ShibTargetPriv::get_application(const string& protocol, const string& hostname, int port, const string& uri)
+const char* ShibTarget::getCookie(const string& name) const
{
- if (m_app)
- return;
-
- // XXX: Do we need to keep conf and mapper locked while we hold m_app?
- // TODO: No, should be able to hold the conf but release the mapper.
-
- // We lock the configuration system for the duration.
- m_conf=m_Config->getINI();
- m_conf->lock();
-
- // Map request to application and content settings.
- m_mapper=m_conf->getRequestMapper();
- m_mapper->lock();
-
- // Obtain the application settings from the parsed URL
- m_settings = m_mapper->getSettingsFromParsedURL(protocol.c_str(),
- hostname.c_str(),
- port, uri.c_str());
-
- // Now find the application from the URL settings
- pair<bool,const char*> application_id=m_settings.first->getString("applicationId");
- const IApplication* application=m_conf->getApplication(application_id.second);
- if (!application) {
- m_mapper->unlock();
- m_mapper = NULL;
- m_conf->unlock();
- m_conf = NULL;
- throw SAMLException("Unable to map request to application settings, check configuration.");
- }
-
- // Store the application for later use
- m_app = application;
-
- // Compute the target URL
- m_url = protocol + "://" + hostname;
- if ((protocol == "http" && port != 80) || (protocol == "https" && port != 443))
- m_url += ":" + port;
- m_url += uri;
-}
-
-const char* ShibTargetPriv::getCookie(ShibTarget* st, const string& name) const
-{
- if (m_cookieMap.empty()) {
- string cookies=st->getCookies();
+ if (m_priv->m_cookieMap.empty()) {
+ string cookies=getCookies();
string::size_type pos=0,cname,namelen,val,vallen;
while (pos !=string::npos && pos < cookies.length()) {
if (pos != string::npos) {
vallen=pos-val;
pos++;
- m_cookieMap.insert(make_pair(cookies.substr(cname,namelen),cookies.substr(val,vallen)));
+ m_priv->m_cookieMap.insert(make_pair(cookies.substr(cname,namelen),cookies.substr(val,vallen)));
}
else
- m_cookieMap.insert(make_pair(cookies.substr(cname,namelen),cookies.substr(val)));
+ m_priv->m_cookieMap.insert(make_pair(cookies.substr(cname,namelen),cookies.substr(val)));
}
}
- map<string,string>::const_iterator lookup=m_cookieMap.find(name);
- return (lookup==m_cookieMap.end()) ? NULL : lookup->second.c_str();
+ map<string,string>::const_iterator lookup=m_priv->m_cookieMap.find(name);
+ return (lookup==m_priv->m_cookieMap.end()) ? NULL : lookup->second.c_str();
}
-// Get the session cookie name and properties for the application
-pair<string,const char*> ShibTargetPriv::getCookieNameProps(const char* prefix) const
+pair<string,const char*> ShibTarget::getCookieNameProps(const char* prefix) const
{
static const char* defProps="; path=/";
- const IPropertySet* props=m_app ? m_app->getPropertySet("Sessions") : NULL;
+ const PropertySet* props=m_priv->m_app ? m_priv->m_app->getPropertySet("Sessions") : NULL;
if (props) {
pair<bool,const char*> p=props->getString("cookieProps");
if (!p.first)
pair<bool,const char*> p2=props->getString("cookieName");
if (p2.first)
return make_pair(string(prefix) + p2.second,p.second);
- return make_pair(string(prefix) + m_app->getHash(),p.second);
+ return make_pair(string(prefix) + m_priv->m_app->getHash(),p.second);
}
// Shouldn't happen, but just in case..
- return make_pair(prefix,defProps);
+ return pair<string,const char*>(prefix,defProps);
}
-const char* ShibTargetPriv::getHandlerURL(const char* resource) const
+string ShibTarget::getHandlerURL(const char* resource) const
{
- if (!m_handlerURL.empty())
- return m_handlerURL.c_str();
-
- if (!m_app)
+ if (!m_priv->m_handlerURL.empty() && resource && !strcmp(getRequestURL(),resource))
+ return m_priv->m_handlerURL;
+
+ if (!m_priv->m_app)
throw ConfigurationException("Internal error in ShibTargetPriv::getHandlerURL, missing application pointer.");
bool ssl_only=false;
const char* handler=NULL;
- const IPropertySet* props=m_app->getPropertySet("Sessions");
+ const PropertySet* props=m_priv->m_app->getPropertySet("Sessions");
if (props) {
pair<bool,bool> p=props->getBool("handlerSSL");
if (p.first)
if (!handler || (*handler!='/' && strncmp(handler,"http:",5) && strncmp(handler,"https:",6)))
throw ConfigurationException(
"Invalid handlerURL property ($1) in Application ($2)",
- params(2, handler ? handler : "null", m_app->getId())
+ xmltooling::params(2, handler ? handler : "null", m_priv->m_app->getId())
);
// The "handlerURL" property can be in one of three formats:
// Compute the actual protocol and store in member.
if (ssl_only)
- m_handlerURL.assign("https://");
+ m_priv->m_handlerURL.assign("https://");
else
- m_handlerURL.assign(prot, colon-prot);
+ m_priv->m_handlerURL.assign(prot, colon-prot);
// create the "host" from either the colon/slash or from the target string
// If prot == handler then we're in either #1 or #2, else #3.
colon += 3; // Get past the ://
slash = strchr(colon, '/');
}
- string host(colon, slash-colon);
+ string host(colon, (slash ? slash-colon : strlen(colon)));
- // Build the shire URL
- m_handlerURL+=host + path;
- return m_handlerURL.c_str();
+ // Build the handler URL
+ m_priv->m_handlerURL+=host + path;
+ return m_priv->m_handlerURL;
}
-pair<bool,void*> ShibTargetPriv::doSessionInitiator(ShibTarget* st, const IPropertySet* handler, bool isHandler) const
+void ShibTarget::log(ShibLogLevel level, const string& msg)
{
- string dupresource;
- const char* resource=NULL;
- const IPropertySet* ACS=NULL;
-
- if (isHandler) {
- // We're running as an actual handler, so check to see if we understand the binding.
- pair<bool,const XMLCh*> binding=handler->getXMLString("Binding");
- if (binding.first && XMLString::compareString(binding.second,Constants::SHIB_SESSIONINIT_PROFILE_URI))
- throw UnsupportedProfileException(
- "Unsupported session initiator binding ($1).", params(1,handler->getString("Binding").second)
- );
-
- /*
- * Binding is CGI query string with:
- * target the resource to direct back to later
- * acsIndex optional index of an ACS to use on the way back in
- * providerId optional direct invocation of a specific IdP
- */
- string query=st->getArgs();
- CgiParse parser(query.c_str(),query.length());
-
- const char* option=parser.get_value("acsIndex");
- if (option)
- ACS=m_app->getAssertionConsumerServiceByIndex(atoi(option));
- option=parser.get_value("providerId");
-
- resource=parser.get_value("target");
- if (!resource || !*resource) {
- pair<bool,const char*> home=m_app->getString("homeURL");
- if (home.first)
- resource=home.second;
- else
- throw FatalProfileException("Session initiator requires a target parameter or a homeURL application property.");
- }
- else if (!option) {
- dupresource=resource;
- resource=dupresource.c_str();
- }
-
- if (option) {
- // Here we actually use metadata to invoke the SSO service directly.
- // The only currently understood binding is the Shibboleth profile.
- Metadata m(m_app->getMetadataProviders());
- const IEntityDescriptor* entity=m.lookup(option);
- if (!entity)
- throw MetadataException("Session initiator unable to locate metadata for provider ($1).", params(1,option));
- const IIDPSSODescriptor* role=entity->getIDPSSODescriptor(saml::XML::SAML11_PROTOCOL_ENUM);
- if (!role)
- throw MetadataException(
- "Session initiator unable to locate SAML identity provider role for provider ($1).", params(1,option)
- );
- const IEndpointManager* SSO=role->getSingleSignOnServiceManager();
- const IEndpoint* ep=SSO->getEndpointByBinding(Constants::SHIB_AUTHNREQUEST_PROFILE_URI);
- if (!ep)
- throw MetadataException(
- "Session initiator unable to locate compatible SSO service for provider ($1).", params(1,option)
- );
- auto_ptr_char dest(ep->getLocation());
- return ShibAuthnRequest(
- st,ACS ? ACS : m_app->getDefaultAssertionConsumerService(),dest.get(),resource,m_app->getString("providerId").second
- );
- }
- }
- else {
- // We're running as a "virtual handler" from within the filter.
- // The target resource is the current one and everything else is defaulted.
- resource=m_url.c_str();
- }
-
- if (!ACS) ACS=m_app->getDefaultAssertionConsumerService();
-
- // For now, we only support external session initiation via a wayfURL
- pair<bool,const char*> wayfURL=handler->getString("wayfURL");
- if (!wayfURL.first)
- throw ConfigurationException("Session initiator is missing wayfURL property.");
-
- pair<bool,const XMLCh*> wayfBinding=handler->getXMLString("wayfBinding");
- if (!wayfBinding.first || !XMLString::compareString(wayfBinding.second,Constants::SHIB_AUTHNREQUEST_PROFILE_URI))
- // Standard Shib 1.x
- return ShibAuthnRequest(st,ACS,wayfURL.second,resource,m_app->getString("providerId").second);
- else if (!XMLString::compareString(wayfBinding.second,Constants::SHIB_LEGACY_AUTHNREQUEST_PROFILE_URI))
- // Shib pre-1.2
- return ShibAuthnRequest(st,ACS,wayfURL.second,resource,NULL);
- else if (!strcmp(handler->getString("wayfBinding").second,"urn:mace:shibboleth:1.0:profiles:EAuth")) {
- // TODO: Finalize E-Auth profile URI
- pair<bool,bool> localRelayState=m_conf->getPropertySet("Local")->getBool("localRelayState");
- if (!localRelayState.first || !localRelayState.second)
- throw ConfigurationException("Federal E-Authn requests cannot include relay state, so localRelayState must be enabled.");
-
- // Here we store the state in a cookie.
- pair<string,const char*> shib_cookie=getCookieNameProps("_shibstate_");
- st->setCookie(shib_cookie.first,CgiParse::url_encode(resource) + shib_cookie.second);
- return make_pair(true, st->sendRedirect(wayfURL.second));
- }
-
- throw UnsupportedProfileException("Unsupported WAYF binding ($1).", params(1,handler->getString("wayfBinding").second));
+ Category::getInstance("shibtarget.ShibTarget").log(
+ (level == LogLevelDebug ? Priority::DEBUG :
+ (level == LogLevelInfo ? Priority::INFO :
+ (level == LogLevelWarn ? Priority::WARN : Priority::ERROR))),
+ msg
+ );
}
-// Handles Shib 1.x AuthnRequest profile.
-pair<bool,void*> ShibTargetPriv::ShibAuthnRequest(
- ShibTarget* st,
- const IPropertySet* shire,
- const char* dest,
- const char* target,
- const char* providerId
- ) const
+const IApplication* ShibTarget::getApplication() const
{
- // Compute the ACS URL. We add the ACS location to the handler baseURL.
- // Legacy configs will not have an ACS specified, so no suffix will be added.
- string ACSloc=getHandlerURL(target);
- if (shire) ACSloc+=shire->getString("Location").second;
-
- char timebuf[16];
- sprintf(timebuf,"%u",time(NULL));
- string req=string(dest) + "?shire=" + CgiParse::url_encode(ACSloc.c_str()) + "&time=" + timebuf;
-
- // How should the resource value be preserved?
- pair<bool,bool> localRelayState=m_conf->getPropertySet("Local")->getBool("localRelayState");
- if (!localRelayState.first || !localRelayState.second) {
- // The old way, just send it along.
- req+="&target=" + CgiParse::url_encode(target);
- }
- else {
- // Here we store the state in a cookie and send a fixed
- // value to the IdP so we can recognize it on the way back.
- pair<string,const char*> shib_cookie=getCookieNameProps("_shibstate_");
- st->setCookie(shib_cookie.first,CgiParse::url_encode(target) + shib_cookie.second);
- req+="&target=cookie";
- }
-
- // Only omitted for 1.1 style requests.
- if (providerId)
- req+="&providerId=" + CgiParse::url_encode(providerId);
+ return m_priv->m_app;
+}
- return make_pair(true, st->sendRedirect(req));
+const IConfig* ShibTarget::getConfig() const
+{
+ return m_priv->m_conf;
}
-pair<bool,void*> ShibTargetPriv::doAssertionConsumer(ShibTarget* st, const IPropertySet* handler) const
+void* ShibTarget::returnDecline(void)
{
- int profile=0;
- string input,cookie,target,providerId;
-
- // Right now, this only handles SAML 1.1.
- pair<bool,const XMLCh*> binding=handler->getXMLString("Binding");
- if (!binding.first || !XMLString::compareString(binding.second,SAMLBrowserProfile::BROWSER_POST)) {
- if (strcasecmp(m_method.c_str(), "POST"))
- throw FatalProfileException(
- "SAML 1.1 Browser/POST handler does not support HTTP method ($1).", params(1,m_method.c_str())
- );
-
- if (m_content_type.empty() || strcasecmp(m_content_type.c_str(),"application/x-www-form-urlencoded"))
- throw FatalProfileException(
- "Blocked invalid content-type ($1) submitted to SAML 1.1 Browser/POST handler.", params(1,m_content_type.c_str())
- );
- input=st->getPostData();
- profile|=SAML11_POST;
+ return NULL;
+}
+
+void* ShibTarget::returnOK(void)
+{
+ return NULL;
+}
+
+/*************************************************************************
+ * Shib Target Private implementation
+ */
+
+ShibTargetPriv::ShibTargetPriv()
+ : m_app(NULL), m_mapper(NULL), m_conf(NULL), m_Config(NULL), m_cacheEntry(NULL), m_cgiParser(NULL) {}
+
+ShibTargetPriv::~ShibTargetPriv()
+{
+ if (m_cacheEntry) {
+ m_cacheEntry->unlock();
+ m_cacheEntry = NULL;
}
- else if (!XMLString::compareString(binding.second,SAMLBrowserProfile::BROWSER_ARTIFACT)) {
- if (strcasecmp(m_method.c_str(), "GET"))
- throw FatalProfileException(
- "SAML 1.1 Browser/Artifact handler does not support HTTP method ($1).", params(1,m_method.c_str())
- );
- input=st->getArgs();
- profile|=SAML11_ARTIFACT;
+
+ if (m_mapper) {
+ m_mapper->unlock();
+ m_mapper = NULL;
}
- if (input.empty())
- throw FatalProfileException("SAML 1.1 Browser Profile handler received no data from browser.");
-
- pair<bool,const char*> loc=handler->getString("Location");
- st->sessionNew(
- profile,
- loc.first ? m_handlerURL + loc.second : m_handlerURL,
- input.c_str(),
- m_remote_addr.c_str(),
- target,
- cookie,
- providerId
- );
+ if (m_conf) {
+ m_conf->unlock();
+ m_conf = NULL;
+ }
- st->log(ShibTarget::LogLevelDebug, string("profile processing succeeded, new session created (") + cookie + ")");
+ delete m_cgiParser;
+ m_app = NULL;
+ m_Config = NULL;
+}
- if (target=="default") {
- pair<bool,const char*> homeURL=m_app->getString("homeURL");
- target=homeURL.first ? homeURL.second : "/";
- }
- else if (target=="cookie") {
- // Pull the target value from the "relay state" cookie.
- pair<string,const char*> relay_cookie = getCookieNameProps("_shibstate_");
- const char* relay_state = getCookie(st,relay_cookie.first);
- if (!relay_state || !*relay_state) {
- // No apparent relay state value to use, so fall back on the default.
- pair<bool,const char*> homeURL=m_app->getString("homeURL");
- target=homeURL.first ? homeURL.second : "/";
- }
- else {
- char* rscopy=strdup(relay_state);
- CgiParse::url_decode(rscopy);
- target=rscopy;
- free(rscopy);
- }
- }
+void ShibTargetPriv::get_application(ShibTarget* st, const string& protocol, const string& hostname, int port, const string& uri)
+{
+ if (m_app)
+ return;
- // We've got a good session, set the session cookie.
- pair<string,const char*> shib_cookie=getCookieNameProps("_shibsession_");
- st->setCookie(shib_cookie.first, cookie + shib_cookie.second);
+ // XXX: Do we need to keep conf and mapper locked while we hold m_app?
+ // TODO: No, should be able to hold the conf but release the mapper.
- const IPropertySet* sessionProps=m_app->getPropertySet("Sessions");
- pair<bool,bool> idpHistory=sessionProps->getBool("idpHistory");
- if (!idpHistory.first || idpHistory.second) {
- // Set an IdP history cookie locally (essentially just a CDC).
- CommonDomainCookie cdc(getCookie(st,CommonDomainCookie::CDCName));
+ // We lock the configuration system for the duration.
+ m_conf=m_Config->getINI();
+ m_conf->lock();
+
+ // Map request to application and content settings.
+ m_mapper=m_conf->getRequestMapper();
+ m_mapper->lock();
- // Either leave in memory or set an expiration.
- pair<bool,unsigned int> days=sessionProps->getUnsignedInt("idpHistoryDays");
- if (!days.first || days.second==0)
- st->setCookie(CommonDomainCookie::CDCName,string(cdc.set(providerId.c_str())) + shib_cookie.second);
- else {
- time_t now=time(NULL) + (days.second * 24 * 60 * 60);
-#ifdef HAVE_GMTIME_R
- struct tm res;
- struct tm* ptime=gmtime_r(&now,&res);
-#else
- struct tm* ptime=gmtime(&now);
-#endif
- char timebuf[64];
- strftime(timebuf,64,"%a, %d %b %Y %H:%M:%S GMT",ptime);
- st->setCookie(
- CommonDomainCookie::CDCName,
- string(cdc.set(providerId.c_str())) + shib_cookie.second + "; expires=" + timebuf
- );
- }
- }
+ // Obtain the application settings from the parsed URL
+ m_settings = m_mapper->getSettings(st);
- // Now redirect to the target.
- return make_pair(true, st->sendRedirect(target));
+ // Now find the application from the URL settings
+ pair<bool,const char*> application_id=m_settings.first->getString("applicationId");
+ m_app=m_conf->getApplication(application_id.second);
+ if (!m_app) {
+ m_mapper->unlock();
+ m_mapper = NULL;
+ m_conf->unlock();
+ m_conf = NULL;
+ throw ConfigurationException("Unable to map request to application settings, check configuration.");
+ }
+
+ // Compute the full target URL
+ st->m_url = protocol + "://" + hostname;
+ if ((protocol == "http" && port != 80) || (protocol == "https" && port != 443)) {
+ ostringstream portstr;
+ portstr << port;
+ st->m_url += ":" + portstr.str();
+ }
+ st->m_url += uri;
}
-pair<bool,void*> ShibTargetPriv::doLogout(ShibTarget* st, const IPropertySet* handler) const
+void* ShibTargetPriv::sendError(
+ ShibTarget* st, const char* page, ExtTemplateParameters& tp, const XMLToolingException* ex
+ )
{
- pair<bool,const XMLCh*> binding=handler->getXMLString("Binding");
- if (!binding.first || XMLString::compareString(binding.second,Constants::SHIB_LOGOUT_PROFILE_URI)) {
- if (!binding.first)
- throw UnsupportedProfileException("Missing Logout binding.");
- throw UnsupportedProfileException("Unsupported Logout binding ($1).", params(1,handler->getString("Binding").second));
- }
-
- // Recover the session key.
- pair<string,const char*> shib_cookie = getCookieNameProps("_shibsession_");
- const char* session_id = getCookie(st,shib_cookie.first);
+ ShibTarget::header_t hdrs[] = {
+ ShibTarget::header_t("Expires","01-Jan-1997 12:00:00 GMT"),
+ ShibTarget::header_t("Cache-Control","private,no-store,no-cache")
+ };
- // Logout is best effort.
- if (session_id && *session_id) {
- try {
- st->sessionEnd(session_id);
- }
- catch (SAMLException& e) {
- st->log(ShibTarget::LogLevelError, string("logout processing failed with exception: ") + e.what());
+ TemplateEngine* engine = XMLToolingConfig::getConfig().getTemplateEngine();
+ const PropertySet* props=m_app->getPropertySet("Errors");
+ if (props) {
+ pair<bool,const char*> p=props->getString(page);
+ if (p.first) {
+ ifstream infile(p.second);
+ if (infile) {
+ tp.setPropertySet(props);
+ ostringstream ostr;
+ engine->run(infile, ostr, tp, ex);
+ return st->sendPage(ostr.str().c_str(), 200, "text/html", ArrayIterator<ShibTarget::header_t>(hdrs,2));
+ }
}
-#ifndef _DEBUG
- catch (...) {
- st->log(ShibTarget::LogLevelError, "logout processing failed with unknown exception");
+ else if (!strcmp(page,"access"))
+ return st->sendPage("Access Denied", 403, "text/html", ArrayIterator<ShibTarget::header_t>(hdrs,2));
+ }
+
+ string errstr = string("sendError could not process error template (") + page + ") for application (";
+ errstr += m_app->getId();
+ errstr += ")";
+ st->log(ShibTarget::LogLevelError, errstr);
+ return st->sendPage(
+ "Internal Server Error. Please contact the site administrator.", 500, "text/html", ArrayIterator<ShibTarget::header_t>(hdrs,2)
+ );
+}
+
+void ShibTargetPriv::clearHeaders(ShibTarget* st)
+{
+ // Clear invariant stuff.
+ st->clearHeader("Shib-Origin-Site");
+ st->clearHeader("Shib-Identity-Provider");
+ st->clearHeader("Shib-Authentication-Method");
+ st->clearHeader("Shib-NameIdentifier-Format");
+ st->clearHeader("Shib-Attributes");
+ st->clearHeader("Shib-Application-ID");
+
+ // Clear out the list of mapped attributes
+ Iterator<IAAP*> provs=m_app->getAAPProviders();
+ while (provs.hasNext()) {
+ IAAP* aap=provs.next();
+ Locker locker(aap);
+ Iterator<const IAttributeRule*> rules=aap->getAttributeRules();
+ while (rules.hasNext()) {
+ const char* header=rules.next()->getHeader();
+ if (header)
+ st->clearHeader(header);
}
-#endif
- st->setCookie(shib_cookie.first,"");
}
-
- string query=st->getArgs();
- CgiParse parser(query.c_str(),query.length());
-
- const char* ret=parser.get_value("return");
- if (!ret)
- ret=handler->getString("ResponseLocation").second;
- if (!ret)
- ret=m_app->getString("homeURL").second;
- if (!ret)
- ret="/";
- return make_pair(true, st->sendRedirect(ret));
}
/*************************************************************************
* CGI Parser implementation
*/
-CgiParse::CgiParse(const char* data, unsigned int len)
+CgiParse::CgiParse(const ShibTarget* st)
{
- const char* pch = data;
- unsigned int cl = len;
+ const char* pch=NULL;
+ if (!strcmp(st->getRequestMethod(),"POST"))
+ pch=st->getRequestBody();
+ else
+ pch=st->getQueryString();
+ size_t cl=pch ? strlen(pch) : 0;
+
while (cl && pch) {
char *name;
char *value;
value=fmakeword('&',&cl,&pch);
plustospace(value);
- url_decode(value);
+ opensaml::SAMLConfig::getConfig().getURLEncoder()->decode(value);
name=makeword(value,'=');
- kvp_map[name]=value;
+ kvp_map.insert(pair<string,char*>(name,value));
free(name);
}
}
CgiParse::~CgiParse()
{
- for (map<string,char*>::iterator i=kvp_map.begin(); i!=kvp_map.end(); i++)
+ for (multimap<string,char*>::iterator i=kvp_map.begin(); i!=kvp_map.end(); i++)
free(i->second);
}
-const char*
-CgiParse::get_value(const char* name) const
+pair<CgiParse::walker,CgiParse::walker> CgiParse::get_values(const char* name) const
{
- map<string,char*>::const_iterator i=kvp_map.find(name);
- if (i==kvp_map.end())
- return NULL;
- return i->second;
+ return kvp_map.equal_range(name);
}
/* Parsing routines modified from NCSA source. */
-char *
-CgiParse::makeword(char *line, char stop)
+char* CgiParse::makeword(char *line, char stop)
{
int x = 0,y;
char *word = (char *) malloc(sizeof(char) * (strlen(line) + 1));
return word;
}
-char *
-CgiParse::fmakeword(char stop, unsigned int *cl, const char** ppch)
+char* CgiParse::fmakeword(char stop, size_t *cl, const char** ppch)
{
int wsize;
char *word;
}
}
-void
-CgiParse::plustospace(char *str)
+void CgiParse::plustospace(char *str)
{
register int x;
for(x=0;str[x];x++)
if(str[x] == '+') str[x] = ' ';
}
-
-char
-CgiParse::x2c(char *what)
-{
- register char digit;
-
- digit = (what[0] >= 'A' ? ((what[0] & 0xdf) - 'A')+10 : (what[0] - '0'));
- digit *= 16;
- digit += (what[1] >= 'A' ? ((what[1] & 0xdf) - 'A')+10 : (what[1] - '0'));
- return(digit);
-}
-
-void
-CgiParse::url_decode(char *url)
-{
- register int x,y;
-
- for(x=0,y=0;url[y];++x,++y)
- {
- if((url[x] = url[y]) == '%')
- {
- url[x] = x2c(&url[y+1]);
- y+=2;
- }
- }
- url[x] = '\0';
-}
-
-static inline char hexchar(unsigned short s)
-{
- return (s<=9) ? ('0' + s) : ('A' + s - 10);
-}
-
-string CgiParse::url_encode(const char* s)
-{
- static char badchars[]="\"\\+<>#%{}|^~[]`;/?:@=&";
-
- string ret;
- for (; *s; s++) {
- if (strchr(badchars,*s) || *s<=0x1F || *s>=0x7F) {
- ret+='%';
- ret+=hexchar(*s >> 4);
- ret+=hexchar(*s & 0x0F);
- }
- else
- ret+=*s;
- }
- return ret;
-}
-// Subclasses may not need to override these particular virtual methods.
-string ShibTarget::getAuthType(void)
-{
- return string("shibboleth");
-}
-void* ShibTarget::returnDecline(void)
-{
- return NULL;
-}
-void* ShibTarget::returnOK(void)
-{
- return NULL;
-}
-HTAccessInfo* ShibTarget::getAccessInfo(void)
-{
- return NULL;
-}
-HTGroupTable* ShibTarget::getGroupTable(string &user)
-{
- return NULL;
-}
-
-// CDC implementation
-
-const char CommonDomainCookie::CDCName[] = "_saml_idp";
-
-CommonDomainCookie::CommonDomainCookie(const char* cookie) : m_decoded(NULL)
-{
- if (!cookie)
- return;
-
- // Copy it so we can URL-decode it.
- char* b64=strdup(cookie);
- CgiParse::url_decode(b64);
-
- // Now Base64 decode it into the decoded delimited list.
- unsigned int len;
- m_decoded=Base64::decode(reinterpret_cast<XMLByte*>(b64),&len);
- free(b64);
- if (!m_decoded) {
- Category::getInstance("CommonDomainCookie").warn("cookie does not appear to be base64-encoded");
- return;
- }
-
- // Chop it up and save off pointers.
- char* ptr=reinterpret_cast<char*>(m_decoded);
- while (*ptr) {
- while (isspace(*ptr)) ptr++;
- m_list.push_back(ptr);
- while (*ptr && !isspace(*ptr)) ptr++;
- if (*ptr)
- *ptr++='\0';
- }
-}
-
-CommonDomainCookie::~CommonDomainCookie()
-{
- if (m_decoded)
- XMLString::release(&m_decoded);
-}
-
-const char* CommonDomainCookie::set(const char* providerId)
-{
- // First scan the list for this IdP.
- for (vector<const char*>::iterator i=m_list.begin(); i!=m_list.end(); i++) {
- if (!strcmp(providerId,*i)) {
- m_list.erase(i);
- break;
- }
- }
-
- // Append it to the end, after storing locally.
- m_additions.push_back(providerId);
- m_list.push_back(m_additions.back().c_str());
-
- // Now rebuild the delimited list.
- string delimited;
- for (vector<const char*>::const_iterator j=m_list.begin(); j!=m_list.end(); j++) {
- if (!delimited.empty()) delimited += ' ';
- delimited += *j;
- }
-
- // Base64 and URL encode it.
- unsigned int len;
- XMLByte* b64=Base64::encode(reinterpret_cast<const XMLByte*>(delimited.c_str()),delimited.length(),&len);
- XMLByte *pos, *pos2;
- for (pos=b64, pos2=b64; *pos2; pos2++)
- if (isgraph(*pos2))
- *pos++=*pos2;
- *pos=0;
- m_encoded=CgiParse::url_encode(reinterpret_cast<char*>(b64));
- XMLString::release(&b64);
- return m_encoded.c_str();
-}
projects / shibboleth / sp.git / blobdiff