#include <sstream>
#include <xercesc/util/XMLUniDefs.hpp>
-#include <xmltooling/XMLToolingConfig.h>
+#include <xmltooling/unicode.h>
+#include <xmltooling/XMLToolingConfig.h>
#include <xmltooling/util/XMLHelper.h>
+#include <xmltooling/util/ParserPool.h>
+#include <xmltooling/util/DateTime.h>
-#include <saml/saml1/core/Assertions.h>
+#include <saml/saml1/core/Assertions.h>
#include <saml/saml2/core/Assertions.h>
#include <saml/saml2/metadata/Metadata.h>
using namespace xercesc;
using namespace std;
-class auto_ptr_gss_buffer {
- MAKE_NONCOPYABLE(auto_ptr_gss_buffer);
- public:
- auto_ptr_gss_buffer() : m_buf(NULL) {
- }
- auto_ptr_gss_buffer(const gss_buffer_t src) {
- m_buf = new XMLCh[src->length + 1];
- XMLString::transcode((const char *)src->value, m_buf, src->length);
- }
- ~auto_ptr_gss_buffer() {
- xercesc::XMLString::release(&m_buf);
- }
- const XMLCh* get() const {
- return m_buf;
- }
- XMLCh* release() {
- XMLCh *temp = m_buf; m_buf = NULL; return temp;
- }
- private:
- XMLCh *m_buf;
-};
-
/*
- * gss_eap_saml_assertion_source is for retrieving the underlying
+ * gss_eap_saml_assertion_provider is for retrieving the underlying
* assertion.
*/
+gss_eap_saml_assertion_provider::gss_eap_saml_assertion_provider(void)
+{
+ m_assertion = NULL;
+ m_authenticated = false;
+}
+
+gss_eap_saml_assertion_provider::~gss_eap_saml_assertion_provider(void)
+{
+ delete m_assertion;
+}
+
bool
-gss_eap_saml_assertion_source::initFromExistingContext(const gss_eap_attr_ctx *source,
- const gss_eap_attr_source *ctx)
+gss_eap_saml_assertion_provider::initFromExistingContext(const gss_eap_attr_ctx *manager,
+ const gss_eap_attr_provider *ctx)
{
/* Then we may be creating from an existing attribute context */
- const gss_eap_saml_assertion_source *saml;
+ const gss_eap_saml_assertion_provider *saml;
assert(m_assertion == NULL);
- if (!gss_eap_attr_source::initFromExistingContext(source, ctx))
+ if (!gss_eap_attr_provider::initFromExistingContext(manager, ctx))
return false;
- saml = dynamic_cast<const gss_eap_saml_assertion_source *>(ctx);
- setAssertion(saml->getAssertion());
+ saml = static_cast<const gss_eap_saml_assertion_provider *>(ctx);
+ setAssertion(saml->getAssertion(), saml->authenticated());
return true;
}
bool
-gss_eap_saml_assertion_source::initFromGssContext(const gss_eap_attr_ctx *source,
- const gss_cred_id_t gssCred,
- const gss_ctx_id_t gssCtx)
+gss_eap_saml_assertion_provider::initFromGssContext(const gss_eap_attr_ctx *manager,
+ const gss_cred_id_t gssCred,
+ const gss_ctx_id_t gssCtx)
{
- const gss_eap_radius_attr_source *radius;
+ const gss_eap_radius_attr_provider *radius;
gss_buffer_desc value = GSS_C_EMPTY_BUFFER;
- int authenticated, complete, more = -1;
+ int authenticated, complete;
OM_uint32 minor;
assert(m_assertion == NULL);
- if (!gss_eap_attr_source::initFromGssContext(source, gssCred, gssCtx))
+ if (!gss_eap_attr_provider::initFromGssContext(manager, gssCred, gssCtx))
return false;
- radius = dynamic_cast<const gss_eap_radius_attr_source *>
+ /*
+ * XXX TODO we need to support draft-howlett-radius-saml-attr-00
+ */
+ radius = static_cast<const gss_eap_radius_attr_provider *>
(m_manager->getProvider(ATTR_TYPE_RADIUS));
if (radius != NULL &&
- radius->getAttribute(512 /* XXX */, &authenticated, &complete,
- &value, NULL, &more)) {
- m_assertion = parseAssertion(&value);
+ radius->getFragmentedAttribute(PW_SAML_AAA_ASSERTION,
+ VENDORPEC_UKERNA,
+ &authenticated, &complete, &value)) {
+ setAssertion(&value, authenticated);
gss_release_buffer(&minor, &value);
} else {
m_assertion = NULL;
return true;
}
-gss_eap_saml_assertion_source::~gss_eap_saml_assertion_source(void)
+void
+gss_eap_saml_assertion_provider::setAssertion(const saml2::Assertion *assertion,
+ bool authenticated)
{
+
delete m_assertion;
+
+ if (assertion != NULL) {
+#ifdef __APPLE__
+ m_assertion = (saml2::Assertion *)((void *)assertion->clone());
+#else
+ m_assertion = dynamic_cast<saml2::Assertion *>(assertion->clone());
+#endif
+ m_authenticated = authenticated;
+ } else {
+ m_assertion = NULL;
+ m_authenticated = false;
+ }
}
void
-gss_eap_saml_assertion_source::setAssertion(const saml2::Assertion *assertion)
+gss_eap_saml_assertion_provider::setAssertion(const gss_buffer_t buffer,
+ bool authenticated)
{
-
delete m_assertion;
- if (assertion != NULL)
- m_assertion = dynamic_cast<saml2::Assertion*>(assertion->clone());
- else
- m_assertion = NULL;
+ m_assertion = parseAssertion(buffer);
+ m_authenticated = (m_assertion != NULL && authenticated);
}
saml2::Assertion *
-gss_eap_saml_assertion_source::parseAssertion(const gss_buffer_t buffer)
+gss_eap_saml_assertion_provider::parseAssertion(const gss_buffer_t buffer)
{
string str((char *)buffer->value, buffer->length);
istringstream istream(str);
const XMLObjectBuilder *b;
doc = XMLToolingConfig::getConfig().getParser().parse(istream);
+ if (doc == NULL)
+ return NULL;
+
b = XMLObjectBuilder::getBuilder(doc->getDocumentElement());
+#ifdef __APPLE__
+ return (saml2::Assertion *)((void *)b->buildFromDocument(doc));
+#else
return dynamic_cast<saml2::Assertion *>(b->buildFromDocument(doc));
+#endif
}
bool
-gss_eap_saml_assertion_source::getAttributeTypes(gss_eap_attr_enumeration_cb addAttribute,
- void *data) const
+gss_eap_saml_assertion_provider::getAttributeTypes(gss_eap_attr_enumeration_cb addAttribute,
+ void *data) const
{
+ bool ret;
+
/* just add the prefix */
- return addAttribute(this, GSS_C_NO_BUFFER, data);
+ if (m_assertion != NULL)
+ ret = addAttribute(this, GSS_C_NO_BUFFER, data);
+ else
+ ret = true;
+
+ return ret;
}
void
-gss_eap_saml_assertion_source::setAttribute(int complete,
- const gss_buffer_t attr,
- const gss_buffer_t value)
+gss_eap_saml_assertion_provider::setAttribute(int complete,
+ const gss_buffer_t attr,
+ const gss_buffer_t value)
{
if (attr == GSS_C_NO_BUFFER || attr->length == 0) {
- saml2::Assertion *assertion = parseAssertion(value);
-
- delete m_assertion;
- m_assertion = assertion;
+ setAssertion(value);
}
}
void
-gss_eap_saml_assertion_source::deleteAttribute(const gss_buffer_t value)
+gss_eap_saml_assertion_provider::deleteAttribute(const gss_buffer_t value)
{
delete m_assertion;
m_assertion = NULL;
+ m_authenticated = false;
+}
+
+time_t
+gss_eap_saml_assertion_provider::getExpiryTime(void) const
+{
+ saml2::Conditions *conditions;
+ time_t expiryTime = 0;
+
+ if (m_assertion == NULL)
+ return 0;
+
+ conditions = m_assertion->getConditions();
+
+ if (conditions != NULL && conditions->getNotOnOrAfter() != NULL)
+ expiryTime = conditions->getNotOnOrAfter()->getEpoch();
+
+ return expiryTime;
}
bool
-gss_eap_saml_assertion_source::getAttribute(const gss_buffer_t attr,
- int *authenticated,
- int *complete,
- gss_buffer_t value,
- gss_buffer_t display_value,
- int *more) const
+gss_eap_saml_assertion_provider::getAttribute(const gss_buffer_t attr,
+ int *authenticated,
+ int *complete,
+ gss_buffer_t value,
+ gss_buffer_t display_value,
+ int *more) const
{
string str;
- if (attr != GSS_C_NO_BUFFER || attr->length != 0)
+ if (attr != GSS_C_NO_BUFFER && attr->length != 0)
return false;
if (m_assertion == NULL)
if (*more != -1)
return false;
- *authenticated = true;
- *complete = false;
+ if (authenticated != NULL)
+ *authenticated = m_authenticated;
+ if (complete != NULL)
+ *complete = true;
XMLHelper::serialize(m_assertion->marshall((DOMDocument *)NULL), str);
}
gss_any_t
-gss_eap_saml_assertion_source::mapToAny(int authenticated,
- gss_buffer_t type_id) const
+gss_eap_saml_assertion_provider::mapToAny(int authenticated,
+ gss_buffer_t type_id) const
{
+ if (authenticated && !m_authenticated)
+ return (gss_any_t)NULL;
+
return (gss_any_t)m_assertion;
}
void
-gss_eap_saml_assertion_source::releaseAnyNameMapping(gss_buffer_t type_id,
- gss_any_t input) const
+gss_eap_saml_assertion_provider::releaseAnyNameMapping(gss_buffer_t type_id,
+ gss_any_t input) const
{
delete ((saml2::Assertion *)input);
}
void
-gss_eap_saml_assertion_source::exportToBuffer(gss_buffer_t buffer) const
+gss_eap_saml_assertion_provider::exportToBuffer(gss_buffer_t buffer) const
{
ostringstream sink;
string str;
}
bool
-gss_eap_saml_assertion_source::initFromBuffer(const gss_eap_attr_ctx *ctx,
- const gss_buffer_t buffer)
+gss_eap_saml_assertion_provider::initFromBuffer(const gss_eap_attr_ctx *ctx,
+ const gss_buffer_t buffer)
{
- if (!gss_eap_attr_source::initFromBuffer(ctx, buffer))
+ if (!gss_eap_attr_provider::initFromBuffer(ctx, buffer))
return false;
- assert(m_assertion == NULL);
-
if (buffer->length == 0)
return true;
- m_assertion = parseAssertion(buffer);
- return (m_assertion != NULL);
+ assert(m_assertion == NULL);
+
+ setAssertion(buffer);
+ /* TODO XXX how to propagate authenticated flag? */
+
+ return true;
}
bool
-gss_eap_saml_assertion_source::init(void)
+gss_eap_saml_assertion_provider::init(void)
{
+ gss_eap_attr_ctx::registerProvider(ATTR_TYPE_SAML_ASSERTION,
+ "urn:ietf:params:gss-eap:saml-aaa-assertion",
+ gss_eap_saml_assertion_provider::createAttrContext);
return true;
}
void
-gss_eap_saml_assertion_source::finalize(void)
+gss_eap_saml_assertion_provider::finalize(void)
{
+ gss_eap_attr_ctx::unregisterProvider(ATTR_TYPE_SAML_ASSERTION);
}
-gss_eap_attr_source *
-gss_eap_saml_assertion_source::createAttrContext(void)
+gss_eap_attr_provider *
+gss_eap_saml_assertion_provider::createAttrContext(void)
{
- return new gss_eap_saml_assertion_source;
+ return new gss_eap_saml_assertion_provider;
}
/*
- * gss_eap_saml_attr_source is for retrieving the underlying attributes.
+ * gss_eap_saml_attr_provider is for retrieving the underlying attributes.
*/
-const saml2::Assertion *
-gss_eap_saml_attr_source::getAssertion(void) const
+bool
+gss_eap_saml_attr_provider::getAssertion(int *authenticated,
+ const saml2::Assertion **pAssertion) const
{
- const gss_eap_saml_assertion_source *saml;
-
- saml = dynamic_cast<const gss_eap_saml_assertion_source *>
+ const gss_eap_saml_assertion_provider *saml;
+
+ if (authenticated != NULL)
+ *authenticated = false;
+ if (pAssertion != NULL)
+ *pAssertion = NULL;
+
+ saml = static_cast<const gss_eap_saml_assertion_provider *>
(m_manager->getProvider(ATTR_TYPE_SAML_ASSERTION));
- if (saml != NULL)
- return saml->getAssertion();
+ if (saml == NULL)
+ return false;
- return NULL;
-}
+ if (authenticated != NULL)
+ *authenticated = saml->authenticated();
+ if (pAssertion != NULL)
+ *pAssertion = saml->getAssertion();
-gss_eap_saml_attr_source::~gss_eap_saml_attr_source(void)
-{
- /* Nothing to do, we're just a wrapper around the assertion provider. */
+ return (saml->getAssertion() != NULL);
}
bool
-gss_eap_saml_attr_source::getAttributeTypes(gss_eap_attr_enumeration_cb addAttribute,
- void *data) const
+gss_eap_saml_attr_provider::getAttributeTypes(gss_eap_attr_enumeration_cb addAttribute,
+ void *data) const
{
- const saml2::Assertion *assertion = getAssertion();
+ const saml2::Assertion *assertion;
+ bool ret = true;
+ int authenticated;
- if (assertion == NULL)
+ if (!getAssertion(&authenticated, &assertion))
return true;
+ /*
+ * Note: the first prefix is added by the attribute provider manager
+ *
+ * From draft-hartman-gss-eap-naming-00:
+ *
+ * Each attribute carried in the assertion SHOULD also be a GSS name
+ * attribute. The name of this attribute has three parts, all separated
+ * by an ASCII space character. The first part is
+ * urn:ietf:params:gss-eap:saml-attr. The second part is the URI for
+ * the SAML attribute name format. The final part is the name of the
+ * SAML attribute. If the mechanism performs an additional attribute
+ * query, the retrieved attributes SHOULD be GSS-API name attributes
+ * using the same name syntax.
+ */
const vector<saml2::Attribute*>& attrs2 =
const_cast<const saml2::AttributeStatement*>(assertion->getAttributeStatements().front())->getAttributes();
for (vector<saml2::Attribute*>::const_iterator a = attrs2.begin();
a != attrs2.end();
++a)
{
- gss_buffer_desc attribute;
+ const XMLCh *attributeName = (*a)->getName();
+ const XMLCh *attributeNameFormat = (*a)->getNameFormat();
+ XMLCh *qualifiedName;
+ XMLCh space[2] = { ' ', 0 };
+ gss_buffer_desc utf8;
+
+ qualifiedName = new XMLCh[XMLString::stringLen(attributeNameFormat) + 1 +
+ XMLString::stringLen(attributeName) + 1];
+ XMLString::copyString(qualifiedName, attributeNameFormat);
+ XMLString::catString(qualifiedName, space);
+ XMLString::catString(qualifiedName, attributeName);
+
+ utf8.value = (void *)toUTF8(qualifiedName);
+ utf8.length = strlen((char *)utf8.value);
- attribute.value = (void *)toUTF8((*a)->getName(), true);
- attribute.length = strlen((char *)attribute.value);
+ ret = addAttribute(this, &utf8, data);
- if (!addAttribute(this, &attribute, data))
- return false;
+ delete qualifiedName;
- delete (char *)attribute.value;
+ if (!ret)
+ break;
}
- return true;
+ return ret;
}
void
-gss_eap_saml_attr_source::setAttribute(int complete,
- const gss_buffer_t attr,
- const gss_buffer_t value)
+gss_eap_saml_attr_provider::setAttribute(int complete,
+ const gss_buffer_t attr,
+ const gss_buffer_t value)
{
}
void
-gss_eap_saml_attr_source::deleteAttribute(const gss_buffer_t value)
+gss_eap_saml_attr_provider::deleteAttribute(const gss_buffer_t value)
{
}
-const saml2::Attribute *
-gss_eap_saml_attr_source::getAttribute(const gss_buffer_t attr) const
+static BaseRefVectorOf<XMLCh> *
+decomposeAttributeName(const gss_buffer_t attr)
{
- const saml2::Assertion *assertion = getAssertion();
- saml2::AttributeStatement *statement;
+ XMLCh *qualifiedAttr = new XMLCh[attr->length + 1];
+ XMLString::transcode((const char *)attr->value, qualifiedAttr, attr->length);
- if (assertion == NULL)
- return NULL;
+ BaseRefVectorOf<XMLCh> *components = XMLString::tokenizeString(qualifiedAttr);
- if (assertion->getAttributeStatements().size() == 0)
- return NULL;
+ delete qualifiedAttr;
- statement = assertion->getAttributeStatements().front();
+ return components;
+}
- auto_ptr_gss_buffer attrname(attr);
+bool
+gss_eap_saml_attr_provider::getAttribute(const gss_buffer_t attr,
+ int *authenticated,
+ int *complete,
+ const saml2::Attribute **pAttribute) const
+{
+ const saml2::Assertion *assertion;
- const vector<saml2::Attribute*>& attrs2 =
- const_cast<const saml2::AttributeStatement*>(statement)->getAttributes();
+ if (authenticated != NULL)
+ *authenticated = false;
+ if (complete != NULL)
+ *complete = true;
+ *pAttribute = NULL;
- for (vector<saml2::Attribute*>::const_iterator a = attrs2.begin();
- a != attrs2.end();
- ++a) {
- if (XMLString::equals((*a)->getName(), attrname.get()))
- return *a;
+ if (!getAssertion(authenticated, &assertion) ||
+ assertion->getAttributeStatements().size() == 0)
+ return false;
+
+ /* Check the attribute name consists of name format | whsp | name */
+ BaseRefVectorOf<XMLCh> *components = decomposeAttributeName(attr);
+ if (components == NULL || components->size() != 2) {
+ delete components;
+ return false;
+ }
+
+ /* For each attribute statement, look for an attribute match */
+ const vector <saml2::AttributeStatement *>&statements =
+ assertion->getAttributeStatements();
+ const saml2::Attribute *ret = NULL;
+
+ for (vector<saml2::AttributeStatement *>::const_iterator s = statements.begin();
+ s != statements.end();
+ ++s) {
+ const vector<saml2::Attribute*>& attrs =
+ const_cast<const saml2::AttributeStatement*>(*s)->getAttributes();
+
+ for (vector<saml2::Attribute*>::const_iterator a = attrs.begin(); a != attrs.end(); ++a) {
+ if (XMLString::equals((*a)->getNameFormat(), components->elementAt(0)) &&
+ XMLString::equals((*a)->getName(), components->elementAt(1))) {
+ ret = *a;
+ break;
+ }
+ }
+
+ if (ret != NULL)
+ break;
}
- return NULL;
+ delete components;
+
+ *pAttribute = ret;
+
+ return (ret != NULL);
}
bool
-gss_eap_saml_attr_source::getAttribute(const gss_buffer_t attr,
- int *authenticated,
- int *complete,
- gss_buffer_t value,
- gss_buffer_t display_value,
- int *more) const
+gss_eap_saml_attr_provider::getAttribute(const gss_buffer_t attr,
+ int *authenticated,
+ int *complete,
+ gss_buffer_t value,
+ gss_buffer_t display_value,
+ int *more) const
{
const saml2::Attribute *a;
const saml2::AttributeValue *av;
*more = 0;
- a = getAttribute(attr);
- if (a == NULL)
+ if (!getAttribute(attr, authenticated, complete, &a))
return false;
nvalues = a->getAttributeValues().size();
i = 0;
else if (i >= nvalues)
return false;
- av = dynamic_cast<const saml2::AttributeValue *>(a->getAttributeValues().at(i)
-);
- if (av == NULL)
- return false;
-
- *authenticated = TRUE;
- *complete = FALSE;
-
- value->value = toUTF8(av->getTextContent(), true);
- value->length = strlen((char *)value->value);
+#ifdef __APPLE__
+ av = (const saml2::AttributeValue *)((void *)(a->getAttributeValues().at(i)));
+#else
+ av = dynamic_cast<const saml2::AttributeValue *>(a->getAttributeValues().at(i));
+#endif
+ if (av != NULL) {
+ if (value != NULL) {
+ value->value = toUTF8(av->getTextContent(), true);
+ value->length = strlen((char *)value->value);
+ }
+ if (display_value != NULL) {
+ display_value->value = toUTF8(av->getTextContent(), true);
+ display_value->length = strlen((char *)value->value);
+ }
+ }
if (nvalues > ++i)
*more = i;
}
gss_any_t
-gss_eap_saml_attr_source::mapToAny(int authenticated,
- gss_buffer_t type_id) const
+gss_eap_saml_attr_provider::mapToAny(int authenticated,
+ gss_buffer_t type_id) const
{
return (gss_any_t)NULL;
}
void
-gss_eap_saml_attr_source::releaseAnyNameMapping(gss_buffer_t type_id,
- gss_any_t input) const
+gss_eap_saml_attr_provider::releaseAnyNameMapping(gss_buffer_t type_id,
+ gss_any_t input) const
{
}
void
-gss_eap_saml_attr_source::exportToBuffer(gss_buffer_t buffer) const
+gss_eap_saml_attr_provider::exportToBuffer(gss_buffer_t buffer) const
{
buffer->length = 0;
buffer->value = NULL;
}
bool
-gss_eap_saml_attr_source::initFromBuffer(const gss_eap_attr_ctx *ctx,
- const gss_buffer_t buffer)
+gss_eap_saml_attr_provider::initFromBuffer(const gss_eap_attr_ctx *ctx,
+ const gss_buffer_t buffer)
{
- return true;
+ return gss_eap_attr_provider::initFromBuffer(ctx, buffer);
}
bool
-gss_eap_saml_attr_source::init(void)
+gss_eap_saml_attr_provider::init(void)
{
+ gss_eap_attr_ctx::registerProvider(ATTR_TYPE_SAML,
+ "urn:ietf:params:gss-eap:saml-attr",
+ gss_eap_saml_attr_provider::createAttrContext);
return true;
}
void
-gss_eap_saml_attr_source::finalize(void)
+gss_eap_saml_attr_provider::finalize(void)
+{
+ gss_eap_attr_ctx::unregisterProvider(ATTR_TYPE_SAML);
+}
+
+gss_eap_attr_provider *
+gss_eap_saml_attr_provider::createAttrContext(void)
{
+ return new gss_eap_saml_attr_provider;
+}
+
+OM_uint32
+gssEapSamlAttrProvidersInit(OM_uint32 *minor)
+{
+ if (gss_eap_saml_assertion_provider::init() &&
+ gss_eap_saml_attr_provider::init())
+ return GSS_S_COMPLETE;
+
+ return GSS_S_FAILURE;
}
-gss_eap_attr_source *
-gss_eap_saml_attr_source::createAttrContext(void)
+OM_uint32
+gssEapSamlAttrProvidersFinalize(OM_uint32 *minor)
{
- return new gss_eap_saml_attr_source;
+ gss_eap_saml_attr_provider::finalize();
+ gss_eap_saml_assertion_provider::finalize();
+ return GSS_S_COMPLETE;
}