gss_eap_shib_attr_provider::gss_eap_shib_attr_provider(void)
{
+ m_initialized = false;
m_authenticated = false;
}
}
bool
-gss_eap_shib_attr_provider::initFromExistingContext(const gss_eap_attr_ctx *manager,
+gss_eap_shib_attr_provider::initWithExistingContext(const gss_eap_attr_ctx *manager,
const gss_eap_attr_provider *ctx)
{
const gss_eap_shib_attr_provider *shib;
- if (!gss_eap_attr_provider::initFromExistingContext(manager, ctx)) {
+ if (!gss_eap_attr_provider::initWithExistingContext(manager, ctx)) {
return false;
}
m_authenticated = shib->authenticated();
}
+ m_initialized = true;
+
return true;
}
-bool
-addRadiusAttribute(const gss_eap_attr_ctx *manager,
- const gss_eap_attr_provider *provider,
- const gss_buffer_t attribute,
- void *data)
+static OM_uint32
+exportMechSecContext(OM_uint32 *minor,
+ gss_ctx_id_t gssCtx,
+ gss_buffer_t mechContext)
{
- const gss_eap_radius_attr_provider *radius;
- const gss_eap_shib_attr_provider *shib;
- int authenticated, complete, more = -1;
- vector <string> attributeIds(1);
- SimpleAttribute *a;
-
- radius = static_cast<const gss_eap_radius_attr_provider *>(provider);
- shib = static_cast<const gss_eap_shib_attr_provider *>(data);
-
- assert(radius != NULL && shib != NULL);
-
- string attributeName =
- manager->composeAttributeName(ATTR_TYPE_RADIUS, attribute);
-
- attributeIds.push_back(attributeName);
- a = new SimpleAttribute(attributeIds);
- if (a == NULL)
- return false;
-
- while (more != 0) {
- gss_buffer_desc value = GSS_C_EMPTY_BUFFER;
- OM_uint32 minor;
+ OM_uint32 major;
+ gss_buffer_desc exportedCtx;
+ unsigned char *p;
- if (!radius->getAttribute(attribute,
- &authenticated,
- &complete,
- &value,
- NULL,
- &more))
- return false;
+ assert(gssCtx->mechanismUsed != GSS_C_NO_OID);
- string attributeValue((char *)value.value, value.length);
- a->getValues().push_back(attributeValue);
+ major = gssEapExportSecContext(minor, gssCtx, &exportedCtx);
+ if (GSS_ERROR(major))
+ return major;
- gss_release_buffer(&minor, &value);
+ /*
+ * gss_import_sec_context expects the exported security context token
+ * to be tagged with the mechanism OID; in Heimdal and MIT, this is
+ * done by the mechglue, so if we are subverting the mechglue we need
+ * to add it ourselves.
+ */
+ mechContext->length = 4 + gssCtx->mechanismUsed->length + exportedCtx.length;
+ mechContext->value = p = (unsigned char *)GSSEAP_MALLOC(mechContext->length);
+ if (mechContext->value == NULL) {
+ gss_release_buffer(minor, &exportedCtx);
+ throw std::bad_alloc();
}
- shib->getAttributes().push_back(a);
+ p = store_oid(gssCtx->mechanismUsed, p);
+ memcpy(p, exportedCtx.value, exportedCtx.length);
- return true;
+ gss_release_buffer(minor, &exportedCtx);
+
+ return GSS_S_COMPLETE;
}
bool
-gss_eap_shib_attr_provider::initFromGssContext(const gss_eap_attr_ctx *manager,
+gss_eap_shib_attr_provider::initWithGssContext(const gss_eap_attr_ctx *manager,
const gss_cred_id_t gssCred,
const gss_ctx_id_t gssCtx)
{
- const gss_eap_saml_assertion_provider *saml;
- const gss_eap_radius_attr_provider *radius;
-#if 0
- gss_buffer_desc nameBuf = GSS_C_EMPTY_BUFFER;
- OM_uint32 minor;
-#endif
- if (!gss_eap_attr_provider::initFromGssContext(manager, gssCred, gssCtx))
+ if (!gss_eap_attr_provider::initWithGssContext(manager, gssCred, gssCtx))
return false;
- saml = static_cast<const gss_eap_saml_assertion_provider *>
- (m_manager->getProvider(ATTR_TYPE_SAML_ASSERTION));
- radius = static_cast<const gss_eap_radius_attr_provider *>
- (m_manager->getProvider(ATTR_TYPE_RADIUS));
-
auto_ptr<ShibbolethResolver> resolver(ShibbolethResolver::create());
/*
* acceptor.
*/
#if 0
+ gss_buffer_desc nameBuf = GSS_C_EMPTY_BUFFER;
if (gssCred != GSS_C_NO_CREDENTIAL &&
gssEapDisplayName(&minor, gssCred->name, &nameBuf, NULL) == GSS_S_COMPLETE) {
resolver->setApplicationID((const char *)nameBuf.value);
}
#endif
- m_authenticated = false;
-
- if (radius != NULL) {
- radius->getAttributeTypes(addRadiusAttribute, (void *)this);
- m_authenticated = radius->authenticated();
+ gss_buffer_desc mechContext = GSS_C_EMPTY_BUFFER;
+ OM_uint32 major, minor;
+ major = exportMechSecContext(&minor, gssCtx, &mechContext);
+ if (major == GSS_S_COMPLETE) {
+ resolver->addToken(&mechContext);
+ gss_release_buffer(&minor, &mechContext);
}
+ const gss_eap_saml_assertion_provider *saml;
+ saml = static_cast<const gss_eap_saml_assertion_provider *>
+ (m_manager->getProvider(ATTR_TYPE_SAML_ASSERTION));
if (saml != NULL && saml->getAssertion() != NULL) {
resolver->addToken(saml->getAssertion());
- if (m_authenticated)
- m_authenticated = saml->authenticated();
}
try {
m_attributes = resolver->getResolvedAttributes();
resolver->getResolvedAttributes().clear();
} catch (exception &e) {
-#if 0
- fprintf(stderr, "%s", e.what());
-#endif
+ return false;
}
+ m_authenticated = true;
+ m_initialized = true;
+
return true;
}
{
int i = 0;
+ assert(m_initialized);
+
for (vector<Attribute *>::const_iterator a = m_attributes.begin();
a != m_attributes.end();
++a)
vector <string> ids(1, attrStr);
SimpleAttribute *a = new SimpleAttribute(ids);
+ assert(m_initialized);
+
if (value->length != 0) {
string valueStr((char *)value->value, value->length);
{
int i;
+ assert(m_initialized);
+
i = getAttributeIndex(attr);
if (i >= 0)
m_attributes.erase(m_attributes.begin() + i);
gss_eap_shib_attr_provider::getAttributeTypes(gss_eap_attr_enumeration_cb addAttribute,
void *data) const
{
+ assert(m_initialized);
+
for (vector<Attribute*>::const_iterator a = m_attributes.begin();
a != m_attributes.end();
++a)
{
const Attribute *ret = NULL;
+ assert(m_initialized);
+
for (vector<Attribute *>::const_iterator a = m_attributes.begin();
a != m_attributes.end();
++a)
gss_buffer_desc buf;
int nvalues, i = *more;
+ assert(m_initialized);
+
*more = 0;
shibAttr = getAttribute(attr);
{
gss_any_t output;
+ assert(m_initialized);
+
if (authenticated && !m_authenticated)
return (gss_any_t)NULL;
gss_eap_shib_attr_provider::releaseAnyNameMapping(gss_buffer_t type_id GSSEAP_UNUSED,
gss_any_t input) const
{
+ assert(m_initialized);
+
vector <Attribute *> *v = ((vector <Attribute *> *)input);
delete v;
}
return "local";
}
-static json_t *
-ddfToJson(DDF &ddf)
-{
- json_t *json;
-
- if (ddf.isstruct()) {
- DDF elem = ddf.first();
- json = json_array();
- if (json == NULL)
- throw new std::bad_alloc;
-
- while (!elem.isnull()) {
- if (json_array_append_new(json, ddfToJson(elem)) != 0) {
- json_decref(json);
- throw new std::bad_alloc;
- }
-
- elem = ddf.next();
- }
- } else if (ddf.islist()) {
- DDF elem = ddf.first();
- json = json_object();
- if (json == NULL)
- throw new std::bad_alloc;
-
- while (!elem.isnull()) {
- if (json_object_set(json, elem.name(), ddfToJson(elem)) != 0) {
- json_decref(json);
- throw new std::bad_alloc;
- }
-
- elem = ddf.next();
- }
- } else if (ddf.isstring()) {
- json = json_string(ddf.string());
- } else if (ddf.isint()) {
- json = json_integer(ddf.integer());
- } else if (ddf.isfloat()) {
- json = json_real(ddf.floating());
- } else if (ddf.isempty() || ddf.ispointer()) {
- json = json_object();
- } else if (ddf.isnull()) {
- json = json_null();
- } else {
- assert(0 && "Invalid DDF object");
- }
-
- if (json == NULL)
- throw new std::bad_alloc;
-
- return json;
-}
-
-static DDF
-jsonToDdf(json_t *json)
-{
- DDF ddf(NULL);
-
- switch (json_typeof(json)) {
- case JSON_OBJECT: {
- void *iter = json_object_iter(json);
-
- while (iter != NULL) {
- const char *key = json_object_iter_key(iter);
- json_t *value = json_object_iter_value(iter);
- ddf.add(jsonToDdf(value).name(key));
- iter = json_object_iter_next(json, iter);
- }
- break;
- }
- case JSON_ARRAY: {
- size_t i;
-
- for (i = 0; i < json_array_size(json); i++) {
- DDF value = jsonToDdf(json_array_get(json, i));
- ddf.add(value);
- }
- break;
- }
- case JSON_STRING:
- ddf.string(json_string_value(json));
- break;
- case JSON_INTEGER:
- ddf.integer(json_integer_value(json));
- break;
- case JSON_REAL:
- ddf.floating(json_real_value(json));
- break;
- case JSON_TRUE:
- ddf.integer(1L);
- break;
- case JSON_FALSE:
- ddf.integer(0L);
- break;
- case JSON_NULL:
- break;
- }
-
- return ddf;
-}
-
-json_t *
+JSONObject
gss_eap_shib_attr_provider::jsonRepresentation(void) const
{
- json_t *obj, *attrs;
+ JSONObject obj;
- obj = json_object();
- if (obj == NULL)
- throw new std::bad_alloc;
+ if (m_initialized == false)
+ return obj; /* don't export incomplete context */
- /* FIXME check json_object_set_new return value */
- json_object_set_new(obj, "authenticated", json_integer(m_authenticated));
-
- attrs = json_array();
- if (attrs == NULL) {
- json_decref(obj);
- throw new std::bad_alloc;
- }
+ JSONObject jattrs = JSONObject::array();
for (vector<Attribute*>::const_iterator a = m_attributes.begin();
a != m_attributes.end(); ++a) {
DDF attr = (*a)->marshall();
- /* FIXME check json_array_append_new return value */
- json_array_append_new(attrs, ddfToJson(attr));
+ JSONObject jattr = JSONObject::ddf(attr);
+ jattrs.append(jattr);
}
- json_object_set_new(obj, "attributes", attrs);
+ obj.set("attributes", jattrs);
+
+ obj.set("authenticated", m_authenticated);
return obj;
}
bool
gss_eap_shib_attr_provider::initWithJsonObject(const gss_eap_attr_ctx *ctx,
- json_t *obj)
+ JSONObject &obj)
{
- size_t i;
- json_t *attrs;
-
if (!gss_eap_attr_provider::initWithJsonObject(ctx, obj))
return false;
assert(m_authenticated == false);
assert(m_attributes.size() == 0);
- m_authenticated = json_integer_value(json_object_get(obj, "authenticated"));
+ JSONObject jattrs = obj["attributes"];
+ size_t nelems = jattrs.size();
- attrs = json_object_get(obj, "attributes");
+ for (size_t i = 0; i < nelems; i++) {
+ JSONObject jattr = jattrs.get(i);
- for (i = 0; i < json_array_size(attrs); i++) {
- DDF attr = jsonToDdf(json_array_get(attrs, i));
+ DDF attr = jattr.ddf();
Attribute *attribute = Attribute::unmarshall(attr);
m_attributes.push_back(attribute);
}
+ m_authenticated = obj["authenticated"].integer();
+ m_initialized = true;
+
return true;
}
else
return GSS_S_CONTINUE_NEEDED;
+ gssEapSaveStatusInfo(*minor, "%s", e.what());
+
return GSS_S_FAILURE;
}