/*
* Copyright 2001-2007 Internet2
- *
+ *
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
/**
* QueryAttributeResolver.cpp
- *
+ *
* AttributeResolver based on SAML queries.
*/
#include "attribute/resolver/AttributeResolver.h"
#include "attribute/resolver/ResolutionContext.h"
#include "binding/SOAPClient.h"
+#include "metadata/MetadataProviderCriteria.h"
#include "util/SPConstants.h"
#include <saml/exceptions.h>
m_class = XMLString::transcode(session.getAuthnContextClassRef());
m_decl = XMLString::transcode(session.getAuthnContextDeclRef());
}
-
+
QueryContext(
const Application& application,
const EntityDescriptor* issuer,
const XMLCh* protocol,
- const NameID* nameid,
+ const NameID* nameid=NULL,
const XMLCh* authncontext_class=NULL,
const XMLCh* authncontext_decl=NULL,
const vector<const opensaml::Assertion*>* tokens=NULL,
}
}
}
-
+
~QueryContext() {
if (m_session) {
XMLString::release((XMLCh**)&m_protocol);
for_each(m_attributes.begin(), m_attributes.end(), xmltooling::cleanup<shibsp::Attribute>());
for_each(m_assertions.begin(), m_assertions.end(), xmltooling::cleanup<opensaml::Assertion>());
}
-
+
bool doQuery() const {
return m_query;
}
m_metadata = m_app.getMetadataProvider(false);
if (m_metadata) {
m_metadata->lock();
- return m_entity = m_metadata->getEntityDescriptor(MetadataProvider::Criteria(m_session->getEntityID())).first;
+ return m_entity = m_metadata->getEntityDescriptor(MetadataProviderCriteria(m_app, m_session->getEntityID())).first;
}
}
return NULL;
vector<shibsp::Attribute*> m_attributes;
vector<opensaml::Assertion*> m_assertions;
};
-
+
class SHIBSP_DLLLOCAL QueryResolver : public AttributeResolver
{
public:
Lockable* lock() {return this;}
void unlock() {}
-
+
ResolutionContext* createResolutionContext(
const Application& application,
const EntityDescriptor* issuer,
const XMLCh* protocol,
- const NameID* nameid,
+ const NameID* nameid=NULL,
const XMLCh* authncontext_class=NULL,
const XMLCh* authncontext_decl=NULL,
const vector<const opensaml::Assertion*>* tokens=NULL,
bool SAML2Query(QueryContext& ctx) const;
Category& m_log;
+ string m_policyId;
vector<AttributeDesignator*> m_SAML1Designators;
vector<saml2::Attribute*> m_SAML2Designators;
};
{
return new QueryResolver(e);
}
-
+
+ static const XMLCh _policyId[] = UNICODE_LITERAL_8(p,o,l,i,c,y,I,d);
};
-QueryResolver::QueryResolver(const DOMElement* e) : m_log(Category::getInstance(SHIBSP_LOGCAT".AttributeResolver"))
+QueryResolver::QueryResolver(const DOMElement* e) : m_log(Category::getInstance(SHIBSP_LOGCAT".AttributeResolver.Query"))
{
#ifdef _DEBUG
xmltooling::NDC ndc("QueryResolver");
#endif
-
+
+ const XMLCh* pid = e ? e->getAttributeNS(NULL, _policyId) : NULL;
+ if (pid && *pid) {
+ auto_ptr_char temp(pid);
+ m_policyId = temp.get();
+ }
+
DOMElement* child = XMLHelper::getFirstChildElement(e);
while (child) {
try {
const Application& application = ctx.getApplication();
const PropertySet* relyingParty = application.getRelyingParty(ctx.getEntityDescriptor());
- shibsp::SecurityPolicy policy(application);
+
+ // Locate policy key.
+ const char* policyId = m_policyId.empty() ? application.getString("policyId").second : m_policyId.c_str();
+
+ // Access policy properties.
+ const PropertySet* settings = application.getServiceProvider().getPolicySettings(policyId);
+ pair<bool,bool> validate = settings->getBool("validate");
+
+ shibsp::SecurityPolicy policy(application, NULL, validate.first && validate.second, policyId);
+ policy.getAudiences().push_back(relyingParty->getXMLString("entityID").second);
MetadataCredentialCriteria mcc(*AA);
shibsp::SOAPClient soaper(policy);
saml1p::Response* response=NULL;
const vector<AttributeService*>& endpoints=AA->getAttributeServices();
for (vector<AttributeService*>::const_iterator ep=endpoints.begin(); !response && ep!=endpoints.end(); ++ep) {
+ if (!XMLString::equals((*ep)->getBinding(),binding.get()) || !(*ep)->getLocation())
+ continue;
+ auto_ptr_char loc((*ep)->getLocation());
try {
- if (!XMLString::equals((*ep)->getBinding(),binding.get()))
- continue;
- auto_ptr_char loc((*ep)->getLocation());
NameIdentifier* nameid = NameIdentifierBuilder::buildNameIdentifier();
nameid->setName(ctx.getNameID()->getName());
nameid->setFormat(ctx.getNameID()->getFormat());
response = client.receiveSAML();
}
catch (exception& ex) {
- m_log.error("exception making SAML query: %s", ex.what());
+ m_log.error("exception during SAML query to %s: %s", loc.get(), ex.what());
soaper.reset();
}
}
}
const Application& application = ctx.getApplication();
- shibsp::SecurityPolicy policy(application);
- MetadataCredentialCriteria mcc(*AA);
- shibsp::SOAPClient soaper(policy);
-
const PropertySet* relyingParty = application.getRelyingParty(ctx.getEntityDescriptor());
+
+ // Locate policy key.
+ const char* policyId = m_policyId.empty() ? application.getString("policyId").second : m_policyId.c_str();
+
+ // Access policy properties.
+ const PropertySet* settings = application.getServiceProvider().getPolicySettings(policyId);
+ pair<bool,bool> validate = settings->getBool("validate");
+
pair<bool,bool> signedAssertions = relyingParty->getBool("requireSignedAssertions");
pair<bool,const char*> encryption = relyingParty->getString("encryption");
+ shibsp::SecurityPolicy policy(application, NULL, validate.first && validate.second, policyId);
+ policy.getAudiences().push_back(relyingParty->getXMLString("entityID").second);
+ MetadataCredentialCriteria mcc(*AA);
+ shibsp::SOAPClient soaper(policy);
+
auto_ptr_XMLCh binding(samlconstants::SAML20_BINDING_SOAP);
saml2p::StatusResponseType* srt=NULL;
const vector<AttributeService*>& endpoints=AA->getAttributeServices();
for (vector<AttributeService*>::const_iterator ep=endpoints.begin(); !srt && ep!=endpoints.end(); ++ep) {
+ if (!XMLString::equals((*ep)->getBinding(),binding.get()) || !(*ep)->getLocation())
+ continue;
+ auto_ptr_char loc((*ep)->getLocation());
try {
- if (!XMLString::equals((*ep)->getBinding(),binding.get()))
- continue;
- auto_ptr_char loc((*ep)->getLocation());
auto_ptr<saml2::Subject> subject(saml2::SubjectBuilder::buildSubject());
// Encrypt the NameID?
srt = client.receiveSAML();
}
catch (exception& ex) {
- m_log.error("exception making SAML query: %s", ex.what());
+ m_log.error("exception during SAML query to %s: %s", loc.get(), ex.what());
soaper.reset();
}
}
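Review bot: The `settings` pointer returned by `getPolicySettings(policyId)` at L157 is dereferenced on the very next line with no check, and `policyId` itself can be NULL when the resolver has no `policyId` attribute and the application has no `policyId` property (the fallback at L154 passes through whatever `getString` returns). If `getPolicySettings` throws on an unknown id this is only a clarity point, but if it can return NULL the attribute-query path crashes instead of failing closed; I would guard it before the `getBool` call, e.g. `if (!settings) throw ConfigurationException("Security policy ($1) not found for attribute query.", params(1, policyId ? policyId : "(null)"));` using whatever configuration-error exception this file already relies on. The identical policyId/settings/validate sequence is duplicated in SAML1Query (L114–L120), so a small private helper that resolves the policy id, applies the guard and returns the `validate` flag would keep both query paths in lockstep. The enclosing SAML2Query body begins before this hunk.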