/*
- * Copyright 2001-2007 Internet2
+ * Copyright 2001-2009 Internet2
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
#include "internal.h"
#include "exceptions.h"
+#include "version.h"
#include "AccessControl.h"
#include "Application.h"
#include "RequestMapper.h"
#endif
#include <xercesc/util/XMLUniDefs.hpp>
#include <xmltooling/XMLToolingConfig.h>
+#include <xmltooling/version.h>
#include <xmltooling/util/NDC.h>
#include <xmltooling/util/ReloadableXMLFile.h>
+#include <xmltooling/util/TemplateEngine.h>
#include <xmltooling/util/XMLHelper.h>
#ifndef SHIBSP_LITE
# include "attribute/resolver/AttributeResolver.h"
# include "security/PKIXTrustEngine.h"
# include <saml/SAMLConfig.h>
+# include <saml/version.h>
# include <saml/binding/ArtifactMap.h>
# include <saml/binding/SAMLArtifact.h>
# include <saml/saml1/core/Assertions.h>
# include <saml/saml2/binding/SAML2ArtifactType0004.h>
-# include <saml/saml2/metadata/ChainingMetadataProvider.h>
-# include <xmltooling/security/ChainingTrustEngine.h>
# include <xmltooling/util/ReplayCache.h>
using namespace opensaml::saml2;
using namespace opensaml::saml2p;
}
// Provides filter to exclude special config elements.
- short acceptNode(const DOMNode* node) const;
+#ifdef SHIBSP_XERCESC_SHORT_ACCEPTNODE
+ short
+#else
+ FilterAction
+#endif
+ acceptNode(const DOMNode* node) const;
private:
void cleanup();
vector<const XMLCh*> m_audiences;
// RelyingParty properties
-#ifdef HAVE_GOOD_STL
map<xstring,PropertySet*> m_partyMap;
-#else
- map<const XMLCh*,PropertySet*> m_partyMap;
-#endif
#endif
vector<string> m_remoteUsers,m_frontLogout,m_backLogout;
const Handler* m_acsDefault;
// maps binding strings to supporting consumer service(s)
-#ifdef HAVE_GOOD_STL
typedef map<xstring,vector<const Handler*> > ACSBindingMap;
-#else
- typedef map<string,vector<const Handler*> > ACSBindingMap;
-#endif
ACSBindingMap m_acsBindingMap;
// pointer to default session initiator
#endif
// Provides filter to exclude special config elements.
- short acceptNode(const DOMNode* node) const;
+#ifdef SHIBSP_XERCESC_SHORT_ACCEPTNODE
+ short
+#else
+ FilterAction
+#endif
+ acceptNode(const DOMNode* node) const;
void setDocument(DOMDocument* doc) {
m_document = doc;
static const XMLCh OutOfProcess[] = UNICODE_LITERAL_12(O,u,t,O,f,P,r,o,c,e,s,s);
static const XMLCh _path[] = UNICODE_LITERAL_4(p,a,t,h);
static const XMLCh Policy[] = UNICODE_LITERAL_6(P,o,l,i,c,y);
+ static const XMLCh PolicyRule[] = UNICODE_LITERAL_10(P,o,l,i,c,y,R,u,l,e);
static const XMLCh _provider[] = UNICODE_LITERAL_8(p,r,o,v,i,d,e,r);
static const XMLCh RelyingParty[] = UNICODE_LITERAL_12(R,e,l,y,i,n,g,P,a,r,t,y);
static const XMLCh _ReplayCache[] = UNICODE_LITERAL_11(R,e,p,l,a,y,C,a,c,h,e);
class SHIBSP_DLLLOCAL PolicyNodeFilter : public DOMNodeFilter
{
public:
- short acceptNode(const DOMNode* node) const {
+#ifdef SHIBSP_XERCESC_SHORT_ACCEPTNODE
+ short
+#else
+ FilterAction
+#endif
+ acceptNode(const DOMNode* node) const {
return FILTER_REJECT;
}
};
}
handler=conf.AssertionConsumerServiceManager.newPlugin(bindprop.get(),make_pair(child, getId()));
// Map by binding (may be > 1 per binding, e.g. SAML 1.0 vs 1.1)
-#ifdef HAVE_GOOD_STL
m_acsBindingMap[handler->getXMLString("Binding").second].push_back(handler);
-#else
- m_acsBindingMap[handler->getString("Binding").second].push_back(handler);
-#endif
m_acsIndexMap[handler->getUnsignedInt("index").second]=handler;
if (!hardACS) {
#ifndef SHIBSP_LITE
nlist=e->getElementsByTagNameNS(samlconstants::SAML20_NS,Audience::LOCAL_NAME);
- for (XMLSize_t i=0; nlist && i<nlist->getLength(); i++)
- if (nlist->item(i)->getParentNode()->isSameNode(e) && nlist->item(i)->hasChildNodes())
- m_audiences.push_back(nlist->item(i)->getFirstChild()->getNodeValue());
+ if (nlist && nlist->getLength()) {
+ log.warn("use of <saml:Audience> elements outside of a Security Policy Rule is deprecated");
+ for (XMLSize_t i=0; i<nlist->getLength(); i++)
+ if (nlist->item(i)->getParentNode()->isSameNode(e) && nlist->item(i)->hasChildNodes())
+ m_audiences.push_back(nlist->item(i)->getFirstChild()->getNodeValue());
+ }
if (conf.isEnabled(SPConfig::Metadata)) {
child = XMLHelper::getFirstChildElement(e,_MetadataProvider);
for_each(m_handlers.begin(),m_handlers.end(),xmltooling::cleanup<Handler>());
m_handlers.clear();
#ifndef SHIBSP_LITE
-#ifdef HAVE_GOOD_STL
for_each(m_partyMap.begin(),m_partyMap.end(),cleanup_pair<xstring,PropertySet>());
-#else
- for_each(m_partyMap.begin(),m_partyMap.end(),cleanup_pair<const XMLCh*,PropertySet>());
-#endif
m_partyMap.clear();
delete m_credResolver;
m_credResolver = NULL;
#endif
}
-short XMLApplication::acceptNode(const DOMNode* node) const
+#ifdef SHIBSP_XERCESC_SHORT_ACCEPTNODE
+short
+#else
+DOMNodeFilter::FilterAction
+#endif
+XMLApplication::acceptNode(const DOMNode* node) const
{
const XMLCh* name=node->getLocalName();
if (XMLString::equals(name,ApplicationOverride) ||
if (!provider)
return this;
-#ifdef HAVE_GOOD_STL
map<xstring,PropertySet*>::const_iterator i=m_partyMap.find(provider->getEntityID());
if (i!=m_partyMap.end())
return i->second;
}
group=dynamic_cast<const EntitiesDescriptor*>(group->getParent());
}
-#else
- map<const XMLCh*,PropertySet*>::const_iterator i=m_partyMap.begin();
- for (; i!=m_partyMap.end(); i++) {
- if (XMLString::equals(i->first,provider->getEntityID()))
- return i->second;
- const EntitiesDescriptor* group=dynamic_cast<const EntitiesDescriptor*>(provider->getParent());
- while (group) {
- if (XMLString::equals(i->first,group->getName()))
- return i->second;
- group=dynamic_cast<const EntitiesDescriptor*>(group->getParent());
- }
- }
-#endif
return this;
}
if (!entityID)
return this;
-#ifdef HAVE_GOOD_STL
map<xstring,PropertySet*>::const_iterator i=m_partyMap.find(entityID);
if (i!=m_partyMap.end())
return i->second;
-#else
- map<const XMLCh*,PropertySet*>::const_iterator i=m_partyMap.begin();
- for (; i!=m_partyMap.end(); i++) {
- if (XMLString::equals(i->first,entityID))
- return i->second;
- }
-#endif
return this;
}
const vector<const Handler*>& XMLApplication::getAssertionConsumerServicesByBinding(const XMLCh* binding) const
{
-#ifdef HAVE_GOOD_STL
ACSBindingMap::const_iterator i=m_acsBindingMap.find(binding);
-#else
- auto_ptr_char temp(binding);
- ACSBindingMap::const_iterator i=m_acsBindingMap.find(temp.get());
-#endif
if (i!=m_acsBindingMap.end())
return i->second;
return m_base ? m_base->getAssertionConsumerServicesByBinding(binding) : g_noHandlers;
const Handler* XMLApplication::getHandler(const char* path) const
{
string wrap(path);
+ wrap = wrap.substr(0,wrap.find(';'));
map<string,const Handler*>::const_iterator i=m_handlerMap.find(wrap.substr(0,wrap.find('?')));
if (i!=m_handlerMap.end())
return i->second;
}
}
-short XMLConfigImpl::acceptNode(const DOMNode* node) const
+#ifdef SHIBSP_XERCESC_SHORT_ACCEPTNODE
+short
+#else
+DOMNodeFilter::FilterAction
+#endif
+XMLConfigImpl::acceptNode(const DOMNode* node) const
{
if (!XMLString::equals(node->getNamespaceURI(),shibspconstants::SHIB2SPCONFIG_NS))
return FILTER_ACCEPT;
if (logconf && *logconf) {
auto_ptr_char logpath(logconf);
log.debug("loading new logging configuration from (%s), check log destination for status of configuration",logpath.get());
- XMLToolingConfig::getConfig().log_config(logpath.get());
+ if (!XMLToolingConfig::getConfig().log_config(logpath.get()))
+ log.crit("failed to load new logging configuration from (%s)", logpath.get());
}
#ifndef SHIBSP_LITE
#endif
}
+ // Re-log library versions now that logging is set up.
+#ifndef SHIBSP_LITE
+ log.info(
+ "Library versions: Xerces-C %s, XML-Security-C %s, XMLTooling-C %s, OpenSAML-C %s, Shibboleth %s",
+ XERCES_FULLVERSIONDOT, XSEC_FULLVERSIONDOT, XMLTOOLING_FULLVERSIONDOT, OPENSAML_FULLVERSIONDOT, SHIBSP_FULLVERSIONDOT
+ );
+#else
+ log.info(
+ "Library versions: Xerces-C %s, XMLTooling-C %s, Shibboleth %s",
+ XERCES_FULLVERSIONDOT, XMLTOOLING_FULLVERSIONDOT, SHIBSP_FULLVERSIONDOT
+ );
+#endif
+
// First load any property sets.
load(e,NULL,this);
if (skew.first)
xmlConf.clock_skew_secs=min(skew.second,(60*60*24*7*28));
+ pair<bool,const char*> unsafe = getString("unsafeChars");
+ if (unsafe.first)
+ TemplateEngine::unsafe_chars = unsafe.second;
+
// Extensions
doExtensions(e, "global", log);
if (conf.isEnabled(SPConfig::OutOfProcess))
#ifndef SHIBSP_LITE
if (m_outer->m_listener && conf.isEnabled(SPConfig::OutOfProcess) && !conf.isEnabled(SPConfig::InProcess)) {
- m_outer->m_listener->regListener("set::RelayState", m_outer->m_listener);
- m_outer->m_listener->regListener("get::RelayState", m_outer->m_listener);
+ m_outer->m_listener->regListener("set::RelayState", const_cast<XMLConfig*>(m_outer));
+ m_outer->m_listener->regListener("get::RelayState", const_cast<XMLConfig*>(m_outer));
+ m_outer->m_listener->regListener("set::PostData", const_cast<XMLConfig*>(m_outer));
+ m_outer->m_listener->regListener("get::PostData", const_cast<XMLConfig*>(m_outer));
}
#endif
settings->load(child, NULL, &filter);
rules.first = settings.release();
- // Process Rule elements.
- const DOMElement* rule = XMLHelper::getFirstChildElement(child,Rule);
+ // Process PolicyRule elements.
+ const DOMElement* rule = XMLHelper::getFirstChildElement(child,PolicyRule);
while (rule) {
auto_ptr_char type(rule->getAttributeNS(NULL,_type));
try {
catch (exception& ex) {
log.crit("error instantiating policy rule (%s) in policy (%s): %s", type.get(), id.get(), ex.what());
}
- rule = XMLHelper::getNextSiblingElement(rule,Rule);
+ rule = XMLHelper::getNextSiblingElement(rule,PolicyRule);
+ }
+
+ if (rules.second.size() == 0) {
+ // Process Rule elements.
+ log.warn("detected legacy Policy configuration, please convert to new PolicyRule syntax");
+ rule = XMLHelper::getFirstChildElement(child,Rule);
+ while (rule) {
+ auto_ptr_char type(rule->getAttributeNS(NULL,_type));
+ try {
+ rules.second.push_back(samlConf.SecurityPolicyRuleManager.newPlugin(type.get(),rule));
+ }
+ catch (exception& ex) {
+ log.crit("error instantiating policy rule (%s) in policy (%s): %s", type.get(), id.get(), ex.what());
+ }
+ rule = XMLHelper::getNextSiblingElement(rule,Rule);
+ }
+
+ // Manually add a basic Conditions rule.
+ log.info("installing a default Conditions rule in policy (%s) for compatibility with legacy configuration", id.get());
+ rules.second.push_back(samlConf.SecurityPolicyRuleManager.newPlugin(CONDITIONS_POLICY_RULE, NULL));
}
child = XMLHelper::getNextSiblingElement(child,Policy);
}
// Repack for return to caller.
- DDF ret=DDF(NULL).string(relayState.c_str());
+ DDF ret=DDF(NULL).unsafe_string(relayState.c_str());
DDFJanitor jret(ret);
out << ret;
}
DDFJanitor jret(ret);
out << ret;
}
+ else if (!strcmp(in.name(), "get::PostData")) {
+ const char* id = in["id"].string();
+ const char* key = in["key"].string();
+ if (!id || !key)
+ throw ListenerException("Required parameters missing for PostData recovery.");
+
+ string postData;
+ StorageService* storage = getStorageService(id);
+ if (storage) {
+ if (storage->readString("PostData",key,&postData) > 0) {
+ storage->deleteString("PostData",key);
+ }
+ }
+ else {
+ Category::getInstance(SHIBSP_LOGCAT".ServiceProvider").error(
+ "Storage-backed PostData with invalid StorageService ID (%s)", id
+ );
+ }
+ // If the data's empty, we'll send nothing back.
+ // If not, we don't need to round trip it, just send back the serialized DDF list.
+ if (postData.empty()) {
+ DDF ret(NULL);
+ DDFJanitor jret(ret);
+ out << ret;
+ }
+ else {
+ out << postData;
+ }
+ }
+ else if (!strcmp(in.name(), "set::PostData")) {
+ const char* id = in["id"].string();
+ if (!id || !in["parameters"].islist())
+ throw ListenerException("Required parameters missing for PostData creation.");
+
+ string rsKey;
+ StorageService* storage = getStorageService(id);
+ if (storage) {
+ SAMLConfig::getConfig().generateRandomBytes(rsKey,20);
+ rsKey = SAMLArtifact::toHex(rsKey);
+ ostringstream params;
+ params << in["parameters"];
+ storage->createString("PostData", rsKey.c_str(), params.str().c_str(), time(NULL) + 600);
+ }
+ else {
+ Category::getInstance(SHIBSP_LOGCAT".ServiceProvider").error(
+ "Storage-backed PostData with invalid StorageService ID (%s)", id
+ );
+ }
+
+ // Repack for return to caller.
+ DDF ret=DDF(NULL).string(rsKey.c_str());
+ DDFJanitor jret(ret);
+ out << ret;
+ }
}
#endif