using namespace boost;
using namespace std;
-namespace shibsp {
+namespace {
+
+ // Allows the cache to bind sessions to multiple client address
+ // families based on whatever this function returns.
+ static const char* getAddressFamily(const char* addr) {
+ if (strchr(addr, ':'))
+ return "6";
+ else
+ return "4";
+ }
class StoredSession;
class SSCache : public SessionCacheEx
const set<string>* indexes,
time_t expires,
vector<string>& sessions
- );
+ ) {
+ return _logout(app, issuer, nameid, indexes, expires, sessions, 0);
+ }
bool matches(
const Application& app,
const HTTPRequest& request,
private:
#ifndef SHIBSP_LITE
// maintain back-mappings of NameID/SessionIndex -> session key
- void insert(const char* key, time_t expires, const char* name, const char* index);
+ void insert(const char* key, time_t expires, const char* name, const char* index, short attempts=0);
+ vector<string>::size_type _logout(
+ const Application& app,
+ const EntityDescriptor* issuer,
+ const saml2::NameID& nameid,
+ const set<string>* indexes,
+ time_t expires,
+ vector<string>& sessions,
+ short attempts
+ );
bool stronglyMatches(const XMLCh* idp, const XMLCh* sp, const saml2::NameID& n1, const saml2::NameID& n2) const;
LogoutEvent* newLogoutEvent(const Application& app) const;
const char* saddr = m_obj["client_addr"].string();
DDF addrobj = m_obj["client_addr"].structure();
if (saddr && *saddr) {
- if (strchr(saddr, ':'))
- addrobj.addmember("6").string(saddr);
- else
- addrobj.addmember("4").string(saddr);
+ addrobj.addmember(getAddressFamily(saddr)).string(saddr);
}
}
return m_obj["client_addr"].first().string();
}
- const char* getClientAddressV4() const {
- return m_obj["client_addr"]["4"].string();
- }
- const char* getClientAddressV6() const {
- return m_obj["client_addr"]["6"].string();
+ const char* getClientAddress(const char* family) const {
+ if (family)
+ return m_obj["client_addr"][family].string();
+ return nullptr;
}
void setClientAddress(const char* client_addr) {
DDF obj = m_obj["client_addr"];
if (!obj.isstruct())
obj = m_obj.addmember("client_addr").structure();
- if (strchr(client_addr, ':'))
- obj.addmember("6").string(client_addr);
- else
- obj.addmember("4").string(client_addr);
+ obj.addmember(getAddressFamily(client_addr)).string(client_addr);
}
const char* getEntityID() const {
// Address check?
if (client_addr) {
- const char* saddr = nullptr;
- if (strchr(client_addr, ':'))
- saddr = getClientAddressV6();
- else
- saddr = getClientAddressV4();
+ const char* saddr = getClientAddress(getAddressFamily(client_addr));
if (saddr && *saddr) {
if (!XMLString::equals(saddr, client_addr)) {
m_cache->m_log.warn("client address mismatch, client (%s), session (%s)", client_addr, saddr);
// We may need to write back a new address into the session using a versioned update loop.
if (client_addr) {
+ short attempts = 0;
do {
- const char* saddr = nullptr;
- if (strchr(client_addr, ':'))
- saddr = getClientAddressV6();
- else
- saddr = getClientAddressV4();
- // Something snuck in and bound the session to this address type, so it better match what we have.
+ const char* saddr = getClientAddress(getAddressFamily(client_addr));
if (saddr) {
+ // Something snuck in and bound the session to this address type, so it better match what we have.
if (!XMLString::equals(saddr, client_addr)) {
m_cache->m_log.warn("client address mismatch, client (%s), session (%s)", client_addr, saddr);
throw RetryableProfileException(
}
else if (ver < 0) {
// Out of sync.
+ if (++attempts > 10) {
+ m_cache->m_log.error("failed to bind client address, update attempts exceeded limit");
+ throw IOException("Unable to update stored session, exceeded retry limit.");
+ }
m_cache->m_log.warn("storage service indicates the record is out of sync, updating with a fresh copy...");
ver = m_cache->m_storage->readText(getID(), "session", &record, nullptr);
if (!ver) {
m_cache->m_log.debug("adding attributes to session (%s)", getID());
int ver;
+ short attempts = 0;
do {
DDF attr;
DDF attrs = m_obj["attributes"];
}
else if (ver < 0) {
// Out of sync.
+ if (++attempts > 10) {
+ m_cache->m_log.error("failed to update stored session, update attempts exceeded limit");
+ throw IOException("Unable to update stored session, exceeded retry limit.");
+ }
m_cache->m_log.warn("storage service indicates the record is out of sync, updating with a fresh copy...");
ver = m_cache->m_storage->readText(getID(), "session", &record, nullptr);
if (!ver) {
throw IOException("Attempted to insert duplicate assertion ID into session.");
int ver;
+ short attempts = 0;
do {
DDF token = DDF(nullptr).string(id.get());
m_obj["assertions"].add(token);
}
else if (ver < 0) {
// Out of sync.
+ if (++attempts > 10) {
+ m_cache->m_log.error("failed to update stored session, update attempts exceeded limit");
+ throw IOException("Unable to update stored session, exceeded retry limit.");
+ }
m_cache->m_log.warn("storage service indicates the record is out of sync, updating with a fresh copy...");
ver = m_cache->m_storage->readText(getID(), "session", &record, nullptr);
if (!ver) {
if (m_storage)
m_log.info("bound to StorageService (%s)", ssid.c_str());
else
- m_log.warn("specified StorageService (%s) not found", ssid.c_str());
+ throw ConfigurationException("SessionCache unable to locate StorageService ($1), check configuration.", params(1, ssid.c_str()));
}
if (!m_storage) {
m_storage = conf.getServiceProvider()->getStorageService(nullptr);
if (m_storage_lite)
m_log.info("bound to 'lite' StorageService (%s)", ssid.c_str());
else
- m_log.warn("specified 'lite' StorageService (%s) not found", ssid.c_str());
+ throw ConfigurationException("SessionCache unable to locate 'lite' StorageService ($1), check configuration.", params(1, ssid.c_str()));
}
if (!m_storage_lite) {
m_log.info("StorageService for 'lite' use not set, using standard StorageService");
m_storage->deleteString("SessionCacheTest", temp.get());
}
-void SSCache::insert(const char* key, time_t expires, const char* name, const char* index)
+void SSCache::insert(const char* key, time_t expires, const char* name, const char* index, short attempts)
{
+ if (attempts > 10)
+ throw IOException("Exceeded retry limit.");
+
string dup;
unsigned int storageLimit = m_storage_lite->getCapabilities().getKeySize();
if (strlen(name) > storageLimit) {
ver = m_storage_lite->updateText("NameID", name, out.str().c_str(), max(expires, recordexp), ver);
if (ver <= 0) {
// Out of sync, or went missing, so retry.
- return insert(key, expires, name, index);
+ return insert(key, expires, name, index, attempts + 1);
}
}
else if (!m_storage_lite->createText("NameID", name, out.str().c_str(), expires)) {
// Hit a dup, so just retry, hopefully hitting the other branch.
- return insert(key, expires, name, index);
+ return insert(key, expires, name, index, attempts + 1);
}
}
string caddr(httpRequest.getRemoteAddr());
if (!caddr.empty()) {
DDF addrobj = obj.addmember("client_addr").structure();
- if (caddr.find(':') != string::npos)
- addrobj.addmember("6").string(caddr.c_str());
- else
- addrobj.addmember("4").string(caddr.c_str());
+ addrobj.addmember(getAddressFamily(caddr.c_str())).string(caddr.c_str());
}
if (issuer)
return false;
}
-vector<string>::size_type SSCache::logout(
+vector<string>::size_type SSCache::_logout(
const Application& app,
const saml2md::EntityDescriptor* issuer,
const saml2::NameID& nameid,
const set<string>* indexes,
time_t expires,
- vector<string>& sessionsKilled
+ vector<string>& sessionsKilled,
+ short attempts
)
{
#ifdef _DEBUG
if (!m_storage)
throw ConfigurationException("SessionCache logout requires a StorageService.");
+ else if (attempts > 10)
+ throw IOException("Exceeded retry limit.");
auto_ptr_char entityID(issuer ? issuer->getEntityID() : nullptr);
auto_ptr_char name(nameid.getName());
ver = m_storage_lite->updateText("Logout", name.get(), lout.str().c_str(), max(expires, oldexp), ver);
if (ver <= 0) {
// Out of sync, or went missing, so retry.
- return logout(app, issuer, nameid, indexes, expires, sessionsKilled);
+ return _logout(app, issuer, nameid, indexes, expires, sessionsKilled, attempts + 1);
}
}
else if (!m_storage_lite->createText("Logout", name.get(), lout.str().c_str(), expires)) {
// Hit a dup, so just retry, hopefully hitting the other branch.
- return logout(app, issuer, nameid, indexes, expires, sessionsKilled);
+ return _logout(app, issuer, nameid, indexes, expires, sessionsKilled, attempts + 1);
}
obj.destroy();
// We may need to write back a new address into the session using a versioned update loop.
if (client_addr) {
+ short attempts = 0;
m_log.info("binding session (%s) to new client address (%s)", key, client_addr);
do {
// We have to reconstitute the session object ourselves.
istringstream src(record);
src >> sessionobj;
ver = sessionobj["version"].integer();
- const char* saddr = nullptr;
- if (strchr(client_addr, ':'))
- saddr = sessionobj["client_addr"]["6"].string();
- else
- saddr = sessionobj["client_addr"]["4"].string();
+ const char* saddr = sessionobj["client_addr"][getAddressFamily(client_addr)].string();
if (saddr) {
// Something snuck in and bound the session to this address type, so it better match what we have.
if (!XMLString::equals(saddr, client_addr)) {
}
else {
// Bind it into the session.
- if (strchr(client_addr, ':'))
- sessionobj["client_addr"].addmember("6").string(client_addr);
- else
- sessionobj["client_addr"].addmember("4").string(client_addr);
+ sessionobj["client_addr"].addmember(getAddressFamily(client_addr)).string(client_addr);
}
// Tentatively increment the version.
}
if (ver < 0) {
// Out of sync.
+ if (++attempts > 10) {
+ m_log.error("failed to bind client address, update attempts exceeded limit");
+ throw IOException("Unable to update stored session, exceeded retry limit.");
+ }
m_log.warn("storage service indicates the record is out of sync, updating with a fresh copy...");
sessionobj["version"].integer(sessionobj["version"].integer() - 1);
ver = m_storage->readText(key, "session", &record);