Collapse entity/role lookup in metadata API.

[shibboleth/cpp-sp.git] / shibsp / handler / impl / AssertionConsumerService.cpp

diff --git a/shibsp/handler/impl/AssertionConsumerService.cpp b/shibsp/handler/impl/AssertionConsumerService.cpp
index c7cdc8e..57dacb3 100644 (file)
--- a/shibsp/handler/impl/AssertionConsumerService.cpp
+++ b/shibsp/handler/impl/AssertionConsumerService.cpp
@@ -40,6 +40,11 @@
 # include <saml/saml1/core/Assertions.h>
 # include <saml/util/CommonDomainCookie.h>
 using namespace samlconstants;
+using opensaml::saml2md::MetadataProvider;
+using opensaml::saml2md::RoleDescriptor;
+using opensaml::saml2md::EntityDescriptor;
+using opensaml::saml2md::IDPSSODescriptor;
+using opensaml::saml2md::SPSSODescriptor;
 #else
 # include "lite/CommonDomainCookie.h"
 #endif
@@ -56,6 +61,8 @@ AssertionConsumerService::AssertionConsumerService(const DOMElement* e, const ch
         ,m_decoder(NULL), m_role(samlconstants::SAML20MD_NS, opensaml::saml2md::IDPSSODescriptor::LOCAL_NAME)
 #endif
 {
+    if (!e)
+        return;
     string address(appId);
     address += getString("Location").second;
     setAddress(address.c_str());
@@ -246,6 +253,20 @@ void AssertionConsumerService::checkAddress(
 
 #ifndef SHIBSP_LITE
 
+void AssertionConsumerService::generateMetadata(SPSSODescriptor& role, const char* handlerURL) const {
+    const char* loc = getString("Location").second;
+    string hurl(handlerURL);
+    if (*loc != '/')
+        hurl += '/';
+    hurl += loc;
+    auto_ptr_XMLCh widen(hurl.c_str());
+    saml2md::AssertionConsumerService* ep = saml2md::AssertionConsumerServiceBuilder::buildAssertionConsumerService();
+    ep->setLocation(widen.get());
+    ep->setBinding(getXMLString("Binding").second);
+    ep->setIndex(getXMLString("index").second);
+    role.getAssertionConsumerServices().push_back(ep);
+}
+
 class SHIBSP_DLLLOCAL DummyContext : public ResolutionContext
 {
 public:
@@ -281,11 +302,30 @@ ResolutionContext* AssertionConsumerService::resolveAttributes(
     const vector<const Assertion*>* tokens
     ) const
 {
+    const saml2md::EntityDescriptor* entity = issuer ? dynamic_cast<const saml2md::EntityDescriptor*>(issuer->getParent()) : NULL;
+
     // First we do the extraction of any pushed information, including from metadata.
     vector<Attribute*> resolvedAttributes;
     AttributeExtractor* extractor = application.getAttributeExtractor();
     if (extractor) {
         Locker extlocker(extractor);
+        if (entity) {
+            pair<bool,const char*> prefix = application.getString("metadataAttributePrefix");
+            if (prefix.first) {
+                m_log.debug("extracting metadata-derived attributes...");
+                try {
+                    extractor->extractAttributes(application, issuer, *entity, resolvedAttributes);
+                    for (vector<Attribute*>::iterator a = resolvedAttributes.begin(); a != resolvedAttributes.end(); ++a) {
+                        vector<string>& ids = (*a)->getAliases();
+                        for (vector<string>::iterator id = ids.begin(); id != ids.end(); ++id)
+                            *id = prefix.second + *id;
+                    }
+                }
+                catch (exception& ex) {
+                    m_log.error("caught exception extracting attributes: %s", ex.what());
+                }
+            }
+        }
         m_log.debug("extracting pushed attributes...");
         if (v1nameid) {
             try {
@@ -339,7 +379,7 @@ ResolutionContext* AssertionConsumerService::resolveAttributes(
             auto_ptr<ResolutionContext> ctx(
                 resolver->createResolutionContext(
                     application,
-                    issuer ? dynamic_cast<const saml2md::EntityDescriptor*>(issuer->getParent()) : NULL,
+                    entity,
                     protocol,
                     nameid,
                     authncontext_class,
@@ -363,6 +403,44 @@ ResolutionContext* AssertionConsumerService::resolveAttributes(
         return new DummyContext(resolvedAttributes);
     return NULL;
 }
+
+void AssertionConsumerService::extractMessageDetails(const Assertion& assertion, const XMLCh* protocol, opensaml::SecurityPolicy& policy) const
+{
+    policy.setMessageID(assertion.getID());
+    policy.setIssueInstant(assertion.getIssueInstantEpoch());
+
+    if (XMLString::equals(assertion.getElementQName().getNamespaceURI(), samlconstants::SAML20P_NS)) {
+        const saml2::Assertion* a2 = dynamic_cast<const saml2::Assertion*>(&assertion);
+        if (a2) {
+            m_log.debug("extracting issuer from SAML 2.0 assertion");
+            policy.setIssuer(a2->getIssuer());
+        }
+    }
+    else {
+        const saml1::Assertion* a1 = dynamic_cast<const saml1::Assertion*>(&assertion);
+        if (a1) {
+            m_log.debug("extracting issuer from SAML 1.x assertion");
+            policy.setIssuer(a1->getIssuer());
+        }
+    }
+
+    if (policy.getIssuer() && !policy.getIssuerMetadata() && policy.getMetadataProvider()) {
+        m_log.debug("searching metadata for assertion issuer...");
+        MetadataProvider::Criteria mc(policy.getIssuer()->getName(), &IDPSSODescriptor::ELEMENT_QNAME, protocol);
+        pair<const EntityDescriptor*,const RoleDescriptor*> entity = policy.getMetadataProvider()->getEntityDescriptor(mc);
+        if (!entity.first) {
+            auto_ptr_char iname(policy.getIssuer()->getName());
+            m_log.warn("no metadata found, can't establish identity of issuer (%s)", iname.get());
+        }
+        else if (!entity.second) {
+            m_log.warn("unable to find compatible IdP role in metadata");
+        }
+        else {
+            policy.setIssuerMetadata(entity.second);
+        }
+    }
+}
+
 #endif
 
 void AssertionConsumerService::maintainHistory(SPRequest& request, const char* entityID, const char* cookieProps) const