/*
* Copyright 2001-2007 Internet2
- *
+ *
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
/**
* QueryAttributeResolver.cpp
- *
+ *
* AttributeResolver based on SAML queries.
*/
#include "attribute/resolver/AttributeResolver.h"
#include "attribute/resolver/ResolutionContext.h"
#include "binding/SOAPClient.h"
+#include "metadata/MetadataProviderCriteria.h"
#include "util/SPConstants.h"
#include <saml/exceptions.h>
m_class = XMLString::transcode(session.getAuthnContextClassRef());
m_decl = XMLString::transcode(session.getAuthnContextDeclRef());
}
-
+
QueryContext(
const Application& application,
const EntityDescriptor* issuer,
const XMLCh* protocol,
- const NameID* nameid,
+ const NameID* nameid=NULL,
const XMLCh* authncontext_class=NULL,
const XMLCh* authncontext_decl=NULL,
const vector<const opensaml::Assertion*>* tokens=NULL,
}
}
}
-
+
~QueryContext() {
if (m_session) {
XMLString::release((XMLCh**)&m_protocol);
for_each(m_attributes.begin(), m_attributes.end(), xmltooling::cleanup<shibsp::Attribute>());
for_each(m_assertions.begin(), m_assertions.end(), xmltooling::cleanup<opensaml::Assertion>());
}
-
+
bool doQuery() const {
return m_query;
}
if (m_entity)
return m_entity;
if (m_session && m_session->getEntityID()) {
- m_metadata = m_app.getMetadataProvider();
+ m_metadata = m_app.getMetadataProvider(false);
if (m_metadata) {
m_metadata->lock();
- return m_entity = m_metadata->getEntityDescriptor(m_session->getEntityID());
+ return m_entity = m_metadata->getEntityDescriptor(MetadataProviderCriteria(m_app, m_session->getEntityID())).first;
}
}
return NULL;
vector<shibsp::Attribute*> m_attributes;
vector<opensaml::Assertion*> m_assertions;
};
-
+
class SHIBSP_DLLLOCAL QueryResolver : public AttributeResolver
{
public:
Lockable* lock() {return this;}
void unlock() {}
-
+
ResolutionContext* createResolutionContext(
const Application& application,
const EntityDescriptor* issuer,
const XMLCh* protocol,
- const NameID* nameid,
+ const NameID* nameid=NULL,
const XMLCh* authncontext_class=NULL,
const XMLCh* authncontext_decl=NULL,
const vector<const opensaml::Assertion*>* tokens=NULL,
private:
bool SAML1Query(QueryContext& ctx) const;
bool SAML2Query(QueryContext& ctx) const;
- void signMessage(const Application& app, const RoleDescriptor& role, SignableObject& msg) const;
Category& m_log;
+ string m_policyId;
vector<AttributeDesignator*> m_SAML1Designators;
vector<saml2::Attribute*> m_SAML2Designators;
};
{
return new QueryResolver(e);
}
-
-};
-void SHIBSP_API shibsp::registerAttributeResolvers()
-{
- SPConfig::getConfig().AttributeResolverManager.registerFactory(QUERY_ATTRIBUTE_RESOLVER, QueryResolverFactory);
-}
+ static const XMLCh _policyId[] = UNICODE_LITERAL_8(p,o,l,i,c,y,I,d);
+};
-QueryResolver::QueryResolver(const DOMElement* e) : m_log(Category::getInstance(SHIBSP_LOGCAT".AttributeResolver"))
+QueryResolver::QueryResolver(const DOMElement* e) : m_log(Category::getInstance(SHIBSP_LOGCAT".AttributeResolver.Query"))
{
#ifdef _DEBUG
xmltooling::NDC ndc("QueryResolver");
#endif
-
+
+ const XMLCh* pid = e ? e->getAttributeNS(NULL, _policyId) : NULL;
+ if (pid && *pid) {
+ auto_ptr_char temp(pid);
+ m_policyId = temp.get();
+ }
+
DOMElement* child = XMLHelper::getFirstChildElement(e);
while (child) {
try {
}
}
-void QueryResolver::signMessage(const Application& application, const RoleDescriptor& role, SignableObject& msg) const
-{
- const PropertySet* relyingParty = application.getRelyingParty(dynamic_cast<const EntityDescriptor*>(role.getParent()));
- pair<bool,const char*> prop = relyingParty->getString("signing");
- if (prop.first && (!strcmp(prop.second, "true") || !strcmp(prop.second, "back"))) {
- CredentialResolver* credResolver=application.getCredentialResolver();
- if (credResolver) {
- Locker credLocker(credResolver);
- // Fill in criteria to use.
- MetadataCredentialCriteria mcc(role);
- mcc.setUsage(CredentialCriteria::SIGNING_CREDENTIAL);
- prop = relyingParty->getString("keyName");
- if (prop.first)
- mcc.getKeyNames().insert(prop.second);
- pair<bool,const XMLCh*> sigalg = relyingParty->getXMLString("signingAlg");
- if (sigalg.first)
- mcc.setXMLAlgorithm(sigalg.second);
- const Credential* cred = credResolver->resolve(&mcc);
- if (cred) {
- xmlsignature::Signature* sig = xmlsignature::SignatureBuilder::buildSignature();
- msg.setSignature(sig);
- if (sigalg.first)
- sig->setSignatureAlgorithm(sigalg.second);
- sigalg = relyingParty->getXMLString("digestAlg");
- if (sigalg.first) {
- ContentReference* cr = dynamic_cast<ContentReference*>(sig->getContentReference());
- if (cr)
- cr->setDigestAlgorithm(sigalg.second);
- }
-
- // Sign response while marshalling.
- vector<xmlsignature::Signature*> sigs(1,sig);
- msg.marshall((DOMDocument*)NULL,&sigs,cred);
- }
- else {
- m_log.warn("no signing credential resolved, leaving query unsigned");
- }
- }
- else {
- m_log.warn("no credential resolver installed, leaving query unsigned");
- }
- }
-}
-
bool QueryResolver::SAML1Query(QueryContext& ctx) const
{
#ifdef _DEBUG
#endif
int version = XMLString::equals(ctx.getProtocol(), samlconstants::SAML11_PROTOCOL_ENUM) ? 1 : 0;
- const AttributeAuthorityDescriptor* AA = ctx.getEntityDescriptor()->getAttributeAuthorityDescriptor(ctx.getProtocol());
+ const AttributeAuthorityDescriptor* AA =
+ find_if(ctx.getEntityDescriptor()->getAttributeAuthorityDescriptors(), isValidForProtocol(ctx.getProtocol()));
if (!AA) {
m_log.warn("no SAML 1.%d AttributeAuthority role found in metadata", version);
return false;
}
- shibsp::SecurityPolicy policy(ctx.getApplication());
+ const Application& application = ctx.getApplication();
+ const PropertySet* relyingParty = application.getRelyingParty(ctx.getEntityDescriptor());
+
+ // Locate policy key.
+ const char* policyId = m_policyId.empty() ? application.getString("policyId").second : m_policyId.c_str();
+
+ // Access policy properties.
+ const PropertySet* settings = application.getServiceProvider().getPolicySettings(policyId);
+ pair<bool,bool> validate = settings->getBool("validate");
+
+ shibsp::SecurityPolicy policy(application, NULL, validate.first && validate.second, policyId);
+ policy.getAudiences().push_back(relyingParty->getXMLString("entityID").second);
MetadataCredentialCriteria mcc(*AA);
shibsp::SOAPClient soaper(policy);
- const PropertySet* policySettings =
- ctx.getApplication().getServiceProvider().getPolicySettings(ctx.getApplication().getString("policyId").second);
- pair<bool,bool> signedAssertions = policySettings->getBool("signedAssertions");
auto_ptr_XMLCh binding(samlconstants::SAML1_BINDING_SOAP);
saml1p::Response* response=NULL;
const vector<AttributeService*>& endpoints=AA->getAttributeServices();
for (vector<AttributeService*>::const_iterator ep=endpoints.begin(); !response && ep!=endpoints.end(); ++ep) {
+ if (!XMLString::equals((*ep)->getBinding(),binding.get()) || !(*ep)->getLocation())
+ continue;
+ auto_ptr_char loc((*ep)->getLocation());
try {
- if (!XMLString::equals((*ep)->getBinding(),binding.get()))
- continue;
- auto_ptr_char loc((*ep)->getLocation());
- auto_ptr_XMLCh issuer(ctx.getApplication().getString("entityID").second);
NameIdentifier* nameid = NameIdentifierBuilder::buildNameIdentifier();
nameid->setName(ctx.getNameID()->getName());
nameid->setFormat(ctx.getNameID()->getFormat());
subject->setNameIdentifier(nameid);
saml1p::AttributeQuery* query = saml1p::AttributeQueryBuilder::buildAttributeQuery();
query->setSubject(subject);
- query->setResource(issuer.get());
+ query->setResource(relyingParty->getXMLString("entityID").second);
for (vector<AttributeDesignator*>::const_iterator ad = m_SAML1Designators.begin(); ad!=m_SAML1Designators.end(); ++ad)
query->getAttributeDesignators().push_back((*ad)->cloneAttributeDesignator());
Request* request = RequestBuilder::buildRequest();
request->setAttributeQuery(query);
request->setMinorVersion(version);
- signMessage(ctx.getApplication(), *AA, *request);
SAML1SOAPClient client(soaper, false);
- client.sendSAML(request, mcc, loc.get());
+ client.sendSAML(request, application.getId(), mcc, loc.get());
response = client.receiveSAML();
}
catch (exception& ex) {
- m_log.error("exception making SAML query: %s", ex.what());
+ m_log.error("exception during SAML query to %s: %s", loc.get(), ex.what());
soaper.reset();
}
}
auto_ptr<saml1p::Response> wrapper(response);
saml1::Assertion* newtoken = assertions.front();
+ pair<bool,bool> signedAssertions = relyingParty->getBool("requireSignedAssertions");
if (!newtoken->getSignature() && signedAssertions.first && signedAssertions.second) {
m_log.error("assertion unsigned, rejecting it based on signedAssertions policy");
return true;
}
try {
+ // We're going to insist that the assertion issuer is the same as the peer.
+ // Reset the policy's message bits and extract them from the assertion.
+ policy.reset(true);
+ policy.setMessageID(newtoken->getAssertionID());
+ policy.setIssueInstant(newtoken->getIssueInstantEpoch());
+ policy.setIssuer(newtoken->getIssuer());
policy.evaluate(*newtoken);
- if (!policy.isSecure())
+
+ // Now we can check the security status of the policy.
+ if (!policy.isAuthenticated())
throw SecurityPolicyException("Security of SAML 1.x query result not established.");
- saml1::AssertionValidator tokval(ctx.getApplication().getAudiences(), time(NULL));
+
+ // Lastly, check it over.
+ saml1::AssertionValidator tokval(relyingParty->getXMLString("entityID").second, application.getAudiences(), time(NULL));
tokval.validateAssertion(*newtoken);
}
catch (exception& ex) {
// Finally, extract and filter the result.
try {
- AttributeExtractor* extractor = ctx.getApplication().getAttributeExtractor();
+ AttributeExtractor* extractor = application.getAttributeExtractor();
if (extractor) {
Locker extlocker(extractor);
- extractor->extractAttributes(ctx.getApplication(), AA, *newtoken, ctx.getResolvedAttributes());
+ extractor->extractAttributes(application, AA, *newtoken, ctx.getResolvedAttributes());
}
- AttributeFilter* filter = ctx.getApplication().getAttributeFilter();
+ AttributeFilter* filter = application.getAttributeFilter();
if (filter) {
- BasicFilteringContext fc(ctx.getApplication(), ctx.getResolvedAttributes(), AA, ctx.getClassRef(), ctx.getDeclRef());
+ BasicFilteringContext fc(application, ctx.getResolvedAttributes(), AA, ctx.getClassRef(), ctx.getDeclRef());
Locker filtlocker(filter);
filter->filterAttributes(fc, ctx.getResolvedAttributes());
}
xmltooling::NDC ndc("query");
#endif
- const AttributeAuthorityDescriptor* AA = ctx.getEntityDescriptor()->getAttributeAuthorityDescriptor(samlconstants::SAML20P_NS);
+ const AttributeAuthorityDescriptor* AA =
+ find_if(ctx.getEntityDescriptor()->getAttributeAuthorityDescriptors(), isValidForProtocol(samlconstants::SAML20P_NS));
if (!AA) {
m_log.warn("no SAML 2 AttributeAuthority role found in metadata");
return false;
}
- shibsp::SecurityPolicy policy(ctx.getApplication());
- MetadataCredentialCriteria mcc(*AA);
- shibsp::SOAPClient soaper(policy);
- const PropertySet* policySettings =
- ctx.getApplication().getServiceProvider().getPolicySettings(ctx.getApplication().getString("policyId").second);
- pair<bool,bool> signedAssertions = policySettings->getBool("signedAssertions");
+ const Application& application = ctx.getApplication();
+ const PropertySet* relyingParty = application.getRelyingParty(ctx.getEntityDescriptor());
+
+ // Locate policy key.
+ const char* policyId = m_policyId.empty() ? application.getString("policyId").second : m_policyId.c_str();
+
+ // Access policy properties.
+ const PropertySet* settings = application.getServiceProvider().getPolicySettings(policyId);
+ pair<bool,bool> validate = settings->getBool("validate");
- const PropertySet* relyingParty = ctx.getApplication().getRelyingParty(ctx.getEntityDescriptor());
+ pair<bool,bool> signedAssertions = relyingParty->getBool("requireSignedAssertions");
pair<bool,const char*> encryption = relyingParty->getString("encryption");
+ shibsp::SecurityPolicy policy(application, NULL, validate.first && validate.second, policyId);
+ policy.getAudiences().push_back(relyingParty->getXMLString("entityID").second);
+ MetadataCredentialCriteria mcc(*AA);
+ shibsp::SOAPClient soaper(policy);
+
auto_ptr_XMLCh binding(samlconstants::SAML20_BINDING_SOAP);
saml2p::StatusResponseType* srt=NULL;
const vector<AttributeService*>& endpoints=AA->getAttributeServices();
for (vector<AttributeService*>::const_iterator ep=endpoints.begin(); !srt && ep!=endpoints.end(); ++ep) {
+ if (!XMLString::equals((*ep)->getBinding(),binding.get()) || !(*ep)->getLocation())
+ continue;
+ auto_ptr_char loc((*ep)->getLocation());
try {
- if (!XMLString::equals((*ep)->getBinding(),binding.get()))
- continue;
- auto_ptr_char loc((*ep)->getLocation());
- auto_ptr_XMLCh issuer(ctx.getApplication().getString("entityID").second);
-
auto_ptr<saml2::Subject> subject(saml2::SubjectBuilder::buildSubject());
// Encrypt the NameID?
MetadataCredentialCriteria mcc(*AA);
encrypted->encrypt(
*ctx.getNameID(),
- *(ctx.getApplication().getMetadataProvider()),
+ *(application.getMetadataProvider()),
mcc,
false,
relyingParty->getXMLString("encryptionAlg").second
saml2p::AttributeQuery* query = saml2p::AttributeQueryBuilder::buildAttributeQuery();
query->setSubject(subject.release());
Issuer* iss = IssuerBuilder::buildIssuer();
- iss->setName(issuer.get());
+ iss->setName(relyingParty->getXMLString("entityID").second);
query->setIssuer(iss);
for (vector<saml2::Attribute*>::const_iterator ad = m_SAML2Designators.begin(); ad!=m_SAML2Designators.end(); ++ad)
query->getAttributes().push_back((*ad)->cloneAttribute());
- signMessage(ctx.getApplication(), *AA, *query);
SAML2SOAPClient client(soaper, false);
- client.sendSAML(query, mcc, loc.get());
+ client.sendSAML(query, application.getId(), mcc, loc.get());
srt = client.receiveSAML();
}
catch (exception& ex) {
- m_log.error("exception making SAML query: %s", ex.what());
+ m_log.error("exception during SAML query to %s: %s", loc.get(), ex.what());
soaper.reset();
}
}
}
try {
+ // We're going to insist that the assertion issuer is the same as the peer.
+ // Reset the policy's message bits and extract them from the assertion.
+ policy.reset(true);
+ policy.setMessageID(newtoken->getID());
+ policy.setIssueInstant(newtoken->getIssueInstantEpoch());
+ policy.setIssuer(newtoken->getIssuer());
policy.evaluate(*newtoken);
- if (!policy.isSecure())
+
+ // Now we can check the security status of the policy.
+ if (!policy.isAuthenticated())
throw SecurityPolicyException("Security of SAML 2.0 query result not established.");
- saml2::AssertionValidator tokval(ctx.getApplication().getAudiences(), time(NULL));
+
+ // Lastly, check it over.
+ saml2::AssertionValidator tokval(relyingParty->getXMLString("entityID").second, application.getAudiences(), time(NULL));
tokval.validateAssertion(*newtoken);
}
catch (exception& ex) {
// Finally, extract and filter the result.
try {
- AttributeExtractor* extractor = ctx.getApplication().getAttributeExtractor();
+ AttributeExtractor* extractor = application.getAttributeExtractor();
if (extractor) {
Locker extlocker(extractor);
- extractor->extractAttributes(ctx.getApplication(), AA, *newtoken, ctx.getResolvedAttributes());
+ extractor->extractAttributes(application, AA, *newtoken, ctx.getResolvedAttributes());
}
- AttributeFilter* filter = ctx.getApplication().getAttributeFilter();
+ AttributeFilter* filter = application.getAttributeFilter();
if (filter) {
- BasicFilteringContext fc(ctx.getApplication(), ctx.getResolvedAttributes(), AA, ctx.getClassRef(), ctx.getDeclRef());
+ BasicFilteringContext fc(application, ctx.getResolvedAttributes(), AA, ctx.getClassRef(), ctx.getDeclRef());
Locker filtlocker(filter);
filter->filterAttributes(fc, ctx.getResolvedAttributes());
}