projects / shibboleth / sp.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
Improve property inheritance, first batch of SessionInitiators, rename providerId.
[shibboleth/sp.git] / shibsp / impl / XMLServiceProvider.cpp
diff --git a/shibsp/impl/XMLServiceProvider.cpp b/shibsp/impl/XMLServiceProvider.cpp
index b7d6f39..725970a 100644 (file)
--- a/shibsp/impl/XMLServiceProvider.cpp
+++ b/shibsp/impl/XMLServiceProvider.cpp
@@ -75,14 +75,6 @@ namespace {
         XMLApplication(const ServiceProvider*, const DOMElement* e, const XMLApplication* base=NULL);\r
         ~XMLApplication() { cleanup(); }\r
     \r
-        // PropertySet\r
-        pair<bool,bool> getBool(const char* name, const char* ns=NULL) const;\r
-        pair<bool,const char*> getString(const char* name, const char* ns=NULL) const;\r
-        pair<bool,const XMLCh*> getXMLString(const char* name, const char* ns=NULL) const;\r
-        pair<bool,unsigned int> getUnsignedInt(const char* name, const char* ns=NULL) const;\r
-        pair<bool,int> getInt(const char* name, const char* ns=NULL) const;\r
-        const PropertySet* getPropertySet(const char* name, const char* ns="urn:mace:shibboleth:sp:config:2.0") const;\r
-\r
         // Application\r
         const ServiceProvider& getServiceProvider() const {return *m_sp;}\r
         const char* getId() const {return getString("id").second;}\r
@@ -97,8 +89,13 @@ namespace {
         AttributeResolver* getAttributeResolver() const {\r
             return (!m_attrResolver && m_base) ? m_base->getAttributeResolver() : m_attrResolver;\r
         }\r
-\r
-        const PropertySet* getCredentialUse(const EntityDescriptor* provider) const;\r
+        const set<string>* getAttributeIds() const {\r
+            return (m_attributeIds.empty() && m_base) ? m_base->getAttributeIds() : (m_attributeIds.empty() ? NULL : &m_attributeIds);\r
+        }\r
+        CredentialResolver* getCredentialResolver() const {\r
+            return (!m_credResolver && m_base) ? m_base->getCredentialResolver() : m_credResolver;\r
+        }\r
+        const PropertySet* getRelyingParty(const EntityDescriptor* provider) const;\r
 \r
         const Handler* getDefaultSessionInitiator() const;\r
         const Handler* getSessionInitiatorById(const char* id) const;\r
@@ -122,7 +119,9 @@ namespace {
         MetadataProvider* m_metadata;\r
         TrustEngine* m_trust;\r
         AttributeResolver* m_attrResolver;\r
+        CredentialResolver* m_credResolver;\r
         vector<const XMLCh*> m_audiences;\r
+        set<string> m_attributeIds;\r
 \r
         // manage handler objects\r
         vector<Handler*> m_handlers;\r
@@ -150,11 +149,12 @@ namespace {
         // pointer to default session initiator\r
         const Handler* m_sessionInitDefault;\r
 \r
-        DOMPropertySet* m_credDefault;\r
+        // RelyingParty properties\r
+        DOMPropertySet* m_partyDefault;\r
 #ifdef HAVE_GOOD_STL\r
-        map<xstring,PropertySet*> m_credMap;\r
+        map<xstring,PropertySet*> m_partyMap;\r
 #else\r
-        map<const XMLCh*,PropertySet*> m_credMap;\r
+        map<const XMLCh*,PropertySet*> m_partyMap;\r
 #endif\r
     };\r
 \r
@@ -168,7 +168,6 @@ namespace {
         \r
         RequestMapper* m_requestMapper;\r
         map<string,Application*> m_appmap;\r
-        map<string,CredentialResolver*> m_credResolverMap;\r
         map< string,pair< PropertySet*,vector<const SecurityPolicyRule*> > > m_policyMap;\r
         \r
         // Provides filter to exclude special config elements.\r
@@ -207,6 +206,7 @@ namespace {
         }\r
 \r
         // PropertySet\r
+        void setParent(const PropertySet* parent) {return m_impl->setParent(parent);}\r
         pair<bool,bool> getBool(const char* name, const char* ns=NULL) const {return m_impl->getBool(name,ns);}\r
         pair<bool,const char*> getString(const char* name, const char* ns=NULL) const {return m_impl->getString(name,ns);}\r
         pair<bool,const XMLCh*> getXMLString(const char* name, const char* ns=NULL) const {return m_impl->getXMLString(name,ns);}\r
@@ -254,15 +254,6 @@ namespace {
             return (i!=m_impl->m_appmap.end()) ? i->second : NULL;\r
         }\r
 \r
-        CredentialResolver* getCredentialResolver(const char* id) const {\r
-            if (id) {\r
-                map<string,CredentialResolver*>::const_iterator i=m_impl->m_credResolverMap.find(id);\r
-                if (i!=m_impl->m_credResolverMap.end())\r
-                    return i->second;\r
-            }\r
-            return NULL;\r
-        }\r
-\r
         const PropertySet* getPolicySettings(const char* id) const {\r
             map<string,pair<PropertySet*,vector<const SecurityPolicyRule*> > >::const_iterator i = m_impl->m_policyMap.find(id);\r
             if (i!=m_impl->m_policyMap.end())\r
@@ -297,8 +288,8 @@ namespace {
     static const XMLCh Applications[] =         UNICODE_LITERAL_12(A,p,p,l,i,c,a,t,i,o,n,s);\r
     static const XMLCh _ArtifactMap[] =         UNICODE_LITERAL_11(A,r,t,i,f,a,c,t,M,a,p);\r
     static const XMLCh _AttributeResolver[] =   UNICODE_LITERAL_17(A,t,t,r,i,b,u,t,e,R,e,s,o,l,v,e,r);\r
-    static const XMLCh Credentials[] =          UNICODE_LITERAL_11(C,r,e,d,e,n,t,i,a,l,s);\r
-    static const XMLCh CredentialUse[] =        UNICODE_LITERAL_13(C,r,e,d,e,n,t,i,a,l,U,s,e);\r
+    static const XMLCh _CredentialResolver[] =  UNICODE_LITERAL_18(C,r,e,d,e,n,t,i,a,l,R,e,s,o,l,v,e,r);\r
+    static const XMLCh DefaultRelyingParty[] =  UNICODE_LITERAL_19(D,e,f,a,u,l,t,R,e,l,y,i,n,g,P,a,r,t,y);\r
     static const XMLCh fatal[] =                UNICODE_LITERAL_5(f,a,t,a,l);\r
     static const XMLCh _Handler[] =             UNICODE_LITERAL_7(H,a,n,d,l,e,r);\r
     static const XMLCh _id[] =                  UNICODE_LITERAL_2(i,d);\r
@@ -347,8 +338,8 @@ XMLApplication::XMLApplication(
     const ServiceProvider* sp,\r
     const DOMElement* e,\r
     const XMLApplication* base\r
-    ) : m_sp(sp), m_base(base), m_metadata(NULL), m_trust(NULL), m_attrResolver(NULL),\r
-        m_credDefault(NULL), m_sessionInitDefault(NULL), m_acsDefault(NULL)\r
+    ) : m_sp(sp), m_base(base), m_metadata(NULL), m_trust(NULL), m_attrResolver(NULL), m_credResolver(NULL),\r
+        m_partyDefault(NULL), m_sessionInitDefault(NULL), m_acsDefault(NULL)\r
 {\r
 #ifdef _DEBUG\r
     xmltooling::NDC ndc("XMLApplication");\r
@@ -358,15 +349,36 @@ XMLApplication::XMLApplication(
     try {\r
         // First load any property sets.\r
         load(e,log,this);\r
+        if (base)\r
+            setParent(base);\r
 \r
         SPConfig& conf=SPConfig::getConfig();\r
         SAMLConfig& samlConf=SAMLConfig::getConfig();\r
         XMLToolingConfig& xmlConf=XMLToolingConfig::getConfig();\r
 \r
         m_hash=getId();\r
-        m_hash+=getString("providerId").second;\r
+        m_hash+=getString("entityID").second;\r
         m_hash=samlConf.hashSHA1(m_hash.c_str(), true);\r
 \r
+        pair<bool,const char*> attributes = getString("attributeIds");\r
+        if (attributes.first) {\r
+            char* dup = strdup(attributes.second);\r
+            char* pos;\r
+            char* start = dup;\r
+            while (start && *start) {\r
+                while (*start && isspace(*start))\r
+                    start++;\r
+                if (!*start)\r
+                    break;\r
+                pos = strchr(start,' ');\r
+                if (pos)\r
+                    *pos=0;\r
+                m_attributeIds.insert(start);\r
+                start = pos ? pos+1 : NULL;\r
+            }\r
+            free(dup);\r
+        }\r
+\r
         const PropertySet* sessions = getPropertySet("Sessions");\r
 \r
         // Process handlers.\r
@@ -384,7 +396,7 @@ XMLApplication::XMLApplication(
                         child = XMLHelper::getNextSiblingElement(child);\r
                         continue;\r
                     }\r
-                    handler=conf.AssertionConsumerServiceManager.newPlugin(bindprop.get(),child);\r
+                    handler=conf.AssertionConsumerServiceManager.newPlugin(bindprop.get(),make_pair(child, getId()));\r
                     // Map by binding (may be > 1 per binding, e.g. SAML 1.0 vs 1.1)\r
 #ifdef HAVE_GOOD_STL\r
                     m_acsBindingMap[handler->getXMLString("Binding").second].push_back(handler);\r
@@ -406,13 +418,13 @@ XMLApplication::XMLApplication(
                     }\r
                 }\r
                 else if (XMLString::equals(child->getLocalName(),SessionInitiator)) {\r
-                    auto_ptr_char bindprop(child->getAttributeNS(NULL,EndpointType::BINDING_ATTRIB_NAME));\r
-                    if (!bindprop.get() || !*(bindprop.get())) {\r
-                        log.warn("SessionInitiator element has no Binding attribute, skipping it...");\r
+                    auto_ptr_char type(child->getAttributeNS(NULL,_type));\r
+                    if (!type.get() || !*(type.get())) {\r
+                        log.warn("SessionInitiator element has no type attribute, skipping it...");\r
                         child = XMLHelper::getNextSiblingElement(child);\r
                         continue;\r
                     }\r
-                    handler=conf.SessionInitiatorManager.newPlugin(bindprop.get(),child);\r
+                    handler=conf.SessionInitiatorManager.newPlugin(type.get(),make_pair(child, getId()));\r
                     pair<bool,const char*> si_id=handler->getString("id");\r
                     if (si_id.first && si_id.second)\r
                         m_sessionInitMap[si_id.second]=handler;\r
@@ -435,7 +447,7 @@ XMLApplication::XMLApplication(
                         child = XMLHelper::getNextSiblingElement(child);\r
                         continue;\r
                     }\r
-                    handler=conf.SingleLogoutServiceManager.newPlugin(bindprop.get(),child);\r
+                    handler=conf.SingleLogoutServiceManager.newPlugin(bindprop.get(),make_pair(child, getId()));\r
                 }\r
                 else if (XMLHelper::isNodeNamed(child,samlconstants::SAML20MD_NS,ManageNameIDService::LOCAL_NAME)) {\r
                     auto_ptr_char bindprop(child->getAttributeNS(NULL,EndpointType::BINDING_ATTRIB_NAME));\r
@@ -444,7 +456,7 @@ XMLApplication::XMLApplication(
                         child = XMLHelper::getNextSiblingElement(child);\r
                         continue;\r
                     }\r
-                    handler=conf.ManageNameIDServiceManager.newPlugin(bindprop.get(),child);\r
+                    handler=conf.ManageNameIDServiceManager.newPlugin(bindprop.get(),make_pair(child, getId()));\r
                 }\r
                 else {\r
                     auto_ptr_char type(child->getAttributeNS(NULL,_type));\r
@@ -453,7 +465,7 @@ XMLApplication::XMLApplication(
                         child = XMLHelper::getNextSiblingElement(child);\r
                         continue;\r
                     }\r
-                    handler=conf.HandlerManager.newPlugin(type.get(),child);\r
+                    handler=conf.HandlerManager.newPlugin(type.get(),make_pair(child, getId()));\r
                 }\r
 \r
                 // Save off the objects after giving the property set to the handler for its use.\r
@@ -479,8 +491,8 @@ XMLApplication::XMLApplication(
             if (nlist->item(i)->getParentNode()->isSameNode(e) && nlist->item(i)->hasChildNodes())\r
                 m_audiences.push_back(nlist->item(i)->getFirstChild()->getNodeValue());\r
 \r
-        // Always include our own providerId as an audience.\r
-        m_audiences.push_back(getXMLString("providerId").second);\r
+        // Always include our own entityID as an audience.\r
+        m_audiences.push_back(getXMLString("entityID").second);\r
 \r
         if (conf.isEnabled(SPConfig::Metadata)) {\r
             child = XMLHelper::getFirstChildElement(e,_MetadataProvider);\r
@@ -526,16 +538,31 @@ XMLApplication::XMLApplication(
             }\r
         }\r
 \r
-        // Finally, load credential mappings.\r
-        child = XMLHelper::getFirstChildElement(e,CredentialUse);\r
+        if (conf.isEnabled(SPConfig::Credentials)) {\r
+            child = XMLHelper::getFirstChildElement(e,_CredentialResolver);\r
+            if (child) {\r
+                auto_ptr_char type(child->getAttributeNS(NULL,_type));\r
+                log.info("building CredentialResolver of type %s...",type.get());\r
+                try {\r
+                    m_credResolver = xmlConf.CredentialResolverManager.newPlugin(type.get(),child);\r
+                }\r
+                catch (exception& ex) {\r
+                    log.crit("error building CredentialResolver: %s", ex.what());\r
+                }\r
+            }\r
+        }\r
+\r
+\r
+        // Finally, load relying parties.\r
+        child = XMLHelper::getFirstChildElement(e,DefaultRelyingParty);\r
         if (child) {\r
-            m_credDefault=new DOMPropertySet();\r
-            m_credDefault->load(child,log,this);\r
+            m_partyDefault=new DOMPropertySet();\r
+            m_partyDefault->load(child,log,this);\r
             child = XMLHelper::getFirstChildElement(child,RelyingParty);\r
             while (child) {\r
-                DOMPropertySet* rp=new DOMPropertySet();\r
+                auto_ptr<DOMPropertySet> rp(new DOMPropertySet());\r
                 rp->load(child,log,this);\r
-                m_credMap[child->getAttributeNS(NULL,saml2::Attribute::NAME_ATTRIB_NAME)]=rp;\r
+                m_partyMap[child->getAttributeNS(NULL,saml2::Attribute::NAME_ATTRIB_NAME)]=rp.release();\r
                 child = XMLHelper::getNextSiblingElement(child,RelyingParty);\r
             }\r
         }\r
@@ -559,15 +586,14 @@ XMLApplication::XMLApplication(
 \r
 void XMLApplication::cleanup()\r
 {\r
-    for_each(m_handlers.begin(),m_handlers.end(),xmltooling::cleanup<Handler>());\r
-    \r
-    delete m_credDefault;\r
+    delete m_partyDefault;\r
 #ifdef HAVE_GOOD_STL\r
-    for_each(m_credMap.begin(),m_credMap.end(),cleanup_pair<xstring,PropertySet>());\r
+    for_each(m_partyMap.begin(),m_partyMap.end(),cleanup_pair<xstring,PropertySet>());\r
 #else\r
-    for_each(m_credMap.begin(),m_credMap.end(),cleanup_pair<const XMLCh*,PropertySet>());\r
+    for_each(m_partyMap.begin(),m_partyMap.end(),cleanup_pair<const XMLCh*,PropertySet>());\r
 #endif\r
-\r
+    for_each(m_handlers.begin(),m_handlers.end(),xmltooling::cleanup<Handler>());\r
+    delete m_credResolver;\r
     delete m_attrResolver;\r
     delete m_trust;\r
     delete m_metadata;\r
@@ -585,85 +611,40 @@ short XMLApplication::acceptNode(const DOMNode* node) const
         XMLString::equals(name,SingleLogoutService::LOCAL_NAME) ||\r
         XMLString::equals(name,ManageNameIDService::LOCAL_NAME) ||\r
         XMLString::equals(name,SessionInitiator) ||\r
-        XMLString::equals(name,CredentialUse) ||\r
+        XMLString::equals(name,DefaultRelyingParty) ||\r
         XMLString::equals(name,RelyingParty) ||\r
         XMLString::equals(name,_MetadataProvider) ||\r
         XMLString::equals(name,_TrustEngine) ||\r
+        XMLString::equals(name,_CredentialResolver) ||\r
         XMLString::equals(name,_AttributeResolver))\r
         return FILTER_REJECT;\r
 \r
     return FILTER_ACCEPT;\r
 }\r
 \r
-pair<bool,bool> XMLApplication::getBool(const char* name, const char* ns) const\r
+const PropertySet* XMLApplication::getRelyingParty(const EntityDescriptor* provider) const\r
 {\r
-    pair<bool,bool> ret=DOMPropertySet::getBool(name,ns);\r
-    if (ret.first)\r
-        return ret;\r
-    return m_base ? m_base->getBool(name,ns) : ret;\r
-}\r
-\r
-pair<bool,const char*> XMLApplication::getString(const char* name, const char* ns) const\r
-{\r
-    pair<bool,const char*> ret=DOMPropertySet::getString(name,ns);\r
-    if (ret.first)\r
-        return ret;\r
-    return m_base ? m_base->getString(name,ns) : ret;\r
-}\r
-\r
-pair<bool,const XMLCh*> XMLApplication::getXMLString(const char* name, const char* ns) const\r
-{\r
-    pair<bool,const XMLCh*> ret=DOMPropertySet::getXMLString(name,ns);\r
-    if (ret.first)\r
-        return ret;\r
-    return m_base ? m_base->getXMLString(name,ns) : ret;\r
-}\r
-\r
-pair<bool,unsigned int> XMLApplication::getUnsignedInt(const char* name, const char* ns) const\r
-{\r
-    pair<bool,unsigned int> ret=DOMPropertySet::getUnsignedInt(name,ns);\r
-    if (ret.first)\r
-        return ret;\r
-    return m_base ? m_base->getUnsignedInt(name,ns) : ret;\r
-}\r
-\r
-pair<bool,int> XMLApplication::getInt(const char* name, const char* ns) const\r
-{\r
-    pair<bool,int> ret=DOMPropertySet::getInt(name,ns);\r
-    if (ret.first)\r
-        return ret;\r
-    return m_base ? m_base->getInt(name,ns) : ret;\r
-}\r
-\r
-const PropertySet* XMLApplication::getPropertySet(const char* name, const char* ns) const\r
-{\r
-    const PropertySet* ret=DOMPropertySet::getPropertySet(name,ns);\r
-    if (ret || !m_base)\r
-        return ret;\r
-    return m_base->getPropertySet(name,ns);\r
-}\r
-\r
-const PropertySet* XMLApplication::getCredentialUse(const EntityDescriptor* provider) const\r
-{\r
-    if (!m_credDefault && m_base)\r
-        return m_base->getCredentialUse(provider);\r
+    if (!m_partyDefault && m_base)\r
+        return m_base->getRelyingParty(provider);\r
+    else if (!provider)\r
+        return m_partyDefault;\r
         \r
 #ifdef HAVE_GOOD_STL\r
-    map<xstring,PropertySet*>::const_iterator i=m_credMap.find(provider->getEntityID());\r
-    if (i!=m_credMap.end())\r
+    map<xstring,PropertySet*>::const_iterator i=m_partyMap.find(provider->getEntityID());\r
+    if (i!=m_partyMap.end())\r
         return i->second;\r
     const EntitiesDescriptor* group=dynamic_cast<const EntitiesDescriptor*>(provider->getParent());\r
     while (group) {\r
         if (group->getName()) {\r
-            i=m_credMap.find(group->getName());\r
-            if (i!=m_credMap.end())\r
+            i=m_partyMap.find(group->getName());\r
+            if (i!=m_partyMap.end())\r
                 return i->second;\r
         }\r
         group=dynamic_cast<const EntitiesDescriptor*>(group->getParent());\r
     }\r
 #else\r
-    map<const XMLCh*,PropertySet*>::const_iterator i=m_credMap.begin();\r
-    for (; i!=m_credMap.end(); i++) {\r
+    map<const XMLCh*,PropertySet*>::const_iterator i=m_partyMap.begin();\r
+    for (; i!=m_partyMap.end(); i++) {\r
         if (XMLString::equals(i->first,provider->getId()))\r
             return i->second;\r
         const EntitiesDescriptor* group=dynamic_cast<const EntitiesDescriptor*>(provider->getParent());\r
@@ -674,7 +655,7 @@ const PropertySet* XMLApplication::getCredentialUse(const EntityDescriptor* prov
         }\r
     }\r
 #endif\r
-    return m_credDefault;\r
+    return m_partyDefault;\r
 }\r
 \r
 const Handler* XMLApplication::getDefaultSessionInitiator() const\r
@@ -732,7 +713,6 @@ short XMLConfigImpl::acceptNode(const DOMNode* node) const
     const XMLCh* name=node->getLocalName();\r
     if (XMLString::equals(name,Applications) ||\r
         XMLString::equals(name,_ArtifactMap) ||\r
-        XMLString::equals(name,Credentials) ||\r
         XMLString::equals(name,Extensions::LOCAL_NAME) ||\r
         XMLString::equals(name,Implementation) ||\r
         XMLString::equals(name,Listener) ||\r
@@ -943,8 +923,16 @@ XMLConfigImpl::XMLConfigImpl(const DOMElement* e, bool first, const XMLConfig* o
                     }\r
                 }\r
                 else {\r
-                    log.info("building in-process SessionCache of type %s...",REMOTED_SESSION_CACHE);\r
-                    m_outer->m_sessionCache=conf.SessionCacheManager.newPlugin(REMOTED_SESSION_CACHE,NULL);\r
+                    child=XMLHelper::getFirstChildElement(SHIRE,_SessionCache);\r
+                    if (child) {\r
+                        auto_ptr_char type(child->getAttributeNS(NULL,_type));\r
+                        log.info("building SessionCache of type %s...",type.get());\r
+                        m_outer->m_sessionCache=conf.SessionCacheManager.newPlugin(type.get(),child);\r
+                    }\r
+                    else {\r
+                        log.warn("SessionCache unspecified, building SessionCache of type %s...",REMOTED_SESSION_CACHE);\r
+                        m_outer->m_sessionCache=conf.SessionCacheManager.newPlugin(REMOTED_SESSION_CACHE,child);\r
+                    }\r
                 }\r
             }\r
         } // end of first-time-only stuff\r
@@ -959,27 +947,6 @@ XMLConfigImpl::XMLConfigImpl(const DOMElement* e, bool first, const XMLConfig* o
             }\r
         }\r
         \r
-        // Now we load the credentials map.\r
-        if (conf.isEnabled(SPConfig::Credentials)) {\r
-            child = XMLHelper::getLastChildElement(e,Credentials);\r
-            if (child) {\r
-                // Step down and process resolvers.\r
-                child=XMLHelper::getFirstChildElement(child);\r
-                while (child) {\r
-                    auto_ptr_char id(child->getAttributeNS(NULL,_id));\r
-                    auto_ptr_char type(child->getAttributeNS(NULL,_type));\r
-                    try {\r
-                        CredentialResolver* cr=xmlConf.CredentialResolverManager.newPlugin(type.get(),child);\r
-                        m_credResolverMap[id.get()] = cr;\r
-                    }\r
-                    catch (exception& ex) {\r
-                        log.crit("failed to instantiate CredentialResolver (%s): %s", id.get(), ex.what());\r
-                    }\r
-                    child = XMLHelper::getNextSiblingElement(child);\r
-                }\r
-            }\r
-        }\r
-\r
         // Load security policies.\r
         child = XMLHelper::getLastChildElement(e,SecurityPolicies);\r
         if (child) {\r
@@ -1043,7 +1010,6 @@ XMLConfigImpl::XMLConfigImpl(const DOMElement* e, bool first, const XMLConfig* o
 XMLConfigImpl::~XMLConfigImpl()\r
 {\r
     for_each(m_appmap.begin(),m_appmap.end(),cleanup_pair<string,Application>());\r
-    for_each(m_credResolverMap.begin(),m_credResolverMap.end(),cleanup_pair<string,CredentialResolver>());\r
     for (map< string,pair<PropertySet*,vector<const SecurityPolicyRule*> > >::iterator i=m_policyMap.begin(); i!=m_policyMap.end(); ++i) {\r
         delete i->second.first;\r
         for_each(i->second.second.begin(), i->second.second.end(), xmltooling::cleanup<SecurityPolicyRule>());\r
Shibboleth SP