X-Git-Url: http://www.project-moonshot.org/gitweb/?a=blobdiff_plain;ds=sidebyside;f=saml%2Fsaml2%2Fmetadata%2Fimpl%2FChainingMetadataProvider.cpp;h=9faca915c911514ed64cb8b24c4391e5785ac50a;hb=4257ff295dfe1b2aec5b17e7d06e3a7e51284a36;hp=5e48c2632fd78b48be9d71d5db86c8d80c01d03f;hpb=58ed1144be743e1ebfa0f5081e9185d771e45678;p=shibboleth%2Fcpp-opensaml.git
diff --git a/saml/saml2/metadata/impl/ChainingMetadataProvider.cpp b/saml/saml2/metadata/impl/ChainingMetadataProvider.cpp
index 5e48c26..9faca91 100644
--- a/saml/saml2/metadata/impl/ChainingMetadataProvider.cpp
+++ b/saml/saml2/metadata/impl/ChainingMetadataProvider.cpp
@@ -22,17 +22,20 @@
 #include "internal.h"
 #include "exceptions.h"
+#include "saml/binding/SAMLArtifact.h"
 #include "saml2/metadata/ChainingMetadataProvider.h"
-#include
-#include
+#include
 #include
+#include
+#include
+
 using namespace opensaml::saml2md;
 using namespace opensaml;
 using namespace xmlsignature;
+using namespace xmltooling::logging;
 using namespace xmltooling;
-using namespace log4cpp;
 using namespace std;
 namespace opensaml {
@@ -45,17 +48,22 @@ namespace opensaml {
 };
 static const XMLCh _MetadataProvider[] = UNICODE_LITERAL_16(M,e,t,a,d,a,t,a,P,r,o,v,i,d,e,r);
+static const XMLCh precedence[] = UNICODE_LITERAL_10(p,r,e,c,e,d,e,n,c,e);
+static const XMLCh last[] = UNICODE_LITERAL_4(l,a,s,t);
 static const XMLCh type[] = UNICODE_LITERAL_4(t,y,p,e);
-ChainingMetadataProvider::ChainingMetadataProvider(const DOMElement* e) : ObservableMetadataProvider(e), m_tlsKey(NULL)
+ChainingMetadataProvider::ChainingMetadataProvider(const DOMElement* e)
+ : ObservableMetadataProvider(e), m_firstMatch(true), m_tlsKey(NULL), m_log(Category::getInstance(SAML_LOGCAT".Metadata.Chaining"))
 {
- Category& log=Category::getInstance(SAML_LOGCAT".Metadata");
- try {
- e = e ? XMLHelper::getFirstChildElement(e, _MetadataProvider) : NULL;
- while (e) {
- auto_ptr_char temp(e->getAttributeNS(NULL,type));
- if (temp.get() && *temp.get()) {
- log.info("building MetadataProvider of type %s", temp.get());
+ if (XMLString::equals(e ? e->getAttributeNS(NULL, precedence) : NULL, last))
+ m_firstMatch = false;
+
+ e = e ? XMLHelper::getFirstChildElement(e, _MetadataProvider) : NULL;
+ while (e) {
+ auto_ptr_char temp(e->getAttributeNS(NULL,type));
+ if (temp.get() && *temp.get()) {
+ try {
+ m_log.info("building MetadataProvider of type %s", temp.get());
 auto_ptr provider(
 SAMLConfig::getConfig().MetadataProviderManager.newPlugin(temp.get(), e)
 );
@@ -65,12 +73,11 @@ ChainingMetadataProvider::ChainingMetadataProvider(const DOMElement* e) : Observ
 m_providers.push_back(provider.get());
 provider.release();
 }
- e = XMLHelper::getNextSiblingElement(e, _MetadataProvider);
+ catch (exception& ex) {
+ m_log.error("error building MetadataProvider: %s", ex.what());
+ }
 }
- }
- catch (exception&) {
- for_each(m_providers.begin(), m_providers.end(), xmltooling::cleanup());
- throw;
+ e = XMLHelper::getNextSiblingElement(e, _MetadataProvider);
 }
 m_tlsKey = ThreadKey::create(NULL);
 }
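Review bot: The new `catch (exception& ex)` at the bottom of the constructor loop logs a provider that failed to build and carries on, so a chain whose configured providers all failed is still constructed with an empty `m_providers` and callers get no signal beyond the error log, whereas the removed code cleaned up and rethrew. If fail-soft is the intended policy, record the outcome where a caller can see it, e.g. `if (m_providers.empty()) m_log.warn("no MetadataProvider plugins were built");` after the loop, and state the policy in a comment on the constructor. `init()` in the next hunk adopts the same log-and-continue behaviour and deserves the same treatment. Both new catch clauses should bind `const exception&` rather than `exception&`.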
@@ -81,14 +88,21 @@ ChainingMetadataProvider::~ChainingMetadataProvider()
 for_each(m_providers.begin(), m_providers.end(), xmltooling::cleanup());
 }
-void ChainingMetadataProvider::onEvent(const MetadataProvider& provider) const
+void ChainingMetadataProvider::onEvent(const ObservableMetadataProvider& provider) const
 {
 emitChangeEvent();
 }
 void ChainingMetadataProvider::init()
 {
- for_each(m_providers.begin(), m_providers.end(), mem_fun(&MetadataProvider::init));
+ for (vector::const_iterator i=m_providers.begin(); i!=m_providers.end(); ++i) {
+ try {
+ (*i)->init();
+ }
+ catch (exception& ex) {
+ m_log.error("failure initializing MetadataProvider: %s", ex.what());
+ }
+ }
 }
 Lockable* ChainingMetadataProvider::lock()
@@ -108,7 +122,7 @@ void ChainingMetadataProvider::unlock()
 const XMLObject* ChainingMetadataProvider::getMetadata() const
 {
- throw XMLToolingException("getMetadata operation not implemented on this provider.");
+ throw MetadataException("getMetadata operation not implemented on this provider.");
 }
 const EntitiesDescriptor* ChainingMetadataProvider::getEntitiesDescriptor(const char* name, bool requireValidMetadata) const
@@ -117,58 +131,151 @@ const EntitiesDescriptor* ChainingMetadataProvider::getEntitiesDescriptor(const
 const_cast(this)->unlock();
 // Do a search.
+ MetadataProvider* held = NULL;
 const EntitiesDescriptor* ret=NULL;
+ const EntitiesDescriptor* cur=NULL;
 for (vector::const_iterator i=m_providers.begin(); i!=m_providers.end(); ++i) {
 (*i)->lock();
- if (ret=(*i)->getEntitiesDescriptor(name,requireValidMetadata)) {
- // Save locked provider.
- m_tlsKey->setData(*i);
- return ret;
+ if (cur=(*i)->getEntitiesDescriptor(name,requireValidMetadata)) {
+ // Are we using a first match policy?
+ if (m_firstMatch) {
+ // Save locked provider.
+ m_tlsKey->setData(*i);
+ return cur;
+ }
+
+ // Using last match wins. Did we already have one?
+ if (held) {
+ m_log.warn("found duplicate EntitiesDescriptor (%s), using last matching copy", name);
+ held->unlock();
+ }
+
+ // Save off the latest match.
+ held = *i;
+ ret = cur;
+ }
+ else {
+ // No match, so just unlock this one and move on.
+ (*i)->unlock();
 }
- (*i)->unlock();
 }
- return NULL;
+ // Preserve any lock we're holding.
+ if (held)
+ m_tlsKey->setData(held);
+ return ret;
 }
-const EntityDescriptor* ChainingMetadataProvider::getEntityDescriptor(const char* id, bool requireValidMetadata) const
+pair ChainingMetadataProvider::getEntityDescriptor(const Criteria& criteria) const
 {
 // Clear any existing lock.
 const_cast(this)->unlock();
 // Do a search.
- const EntityDescriptor* ret=NULL;
+ MetadataProvider* held = NULL;
+ pair ret = pair(NULL,NULL);
+ pair cur = ret;
 for (vector::const_iterator i=m_providers.begin(); i!=m_providers.end(); ++i) {
 (*i)->lock();
- if (ret=(*i)->getEntityDescriptor(id,requireValidMetadata)) {
- // Save locked provider.
- m_tlsKey->setData(*i);
- return ret;
- }
- (*i)->unlock();
- }
+ cur = (*i)->getEntityDescriptor(criteria);
+ if (cur.first) {
+ if (criteria.role) {
+ // We want a role also. Did we find one?
+ if (cur.second) {
+ // Are we using a first match policy?
+ if (m_firstMatch) {
+ // We could have an entity-only match from earlier, so unlock it.
+ if (held)
+ held->unlock();
+ // Save locked provider.
+ m_tlsKey->setData(*i);
+ return cur;
+ }
- return NULL;
-}
+ // Using last match wins. Did we already have one?
+ if (held) {
+ if (ret.second) {
+ // We had a "complete" match, so log it.
+ if (criteria.entityID_ascii) {
+ m_log.warn("found duplicate EntityDescriptor (%s) with role (%s), using last matching copy",
+ criteria.entityID_ascii, criteria.role->toString().c_str());
+ }
+ else if (criteria.entityID_unicode) {
+ auto_ptr_char temp(criteria.entityID_unicode);
+ m_log.warn("found duplicate EntityDescriptor (%s) with role (%s), using last matching copy",
+ temp.get(), criteria.role->toString().c_str());
+ }
+ else if (criteria.artifact) {
+ m_log.warn("found duplicate EntityDescriptor for artifact source (%s) with role (%s), using last matching copy",
+ criteria.artifact->getSource().c_str(), criteria.role->toString().c_str());
+ }
+ }
+ held->unlock();
+ }
-const EntityDescriptor* ChainingMetadataProvider::getEntityDescriptor(const SAMLArtifact* artifact) const
-{
- // Clear any existing lock.
- const_cast(this)->unlock();
+ // Save off the latest match.
+ held = *i;
+ ret = cur;
+ }
+ else {
+ // We didn't find the role, so we're going to keep looking,
+ // but save this one if we didn't have the role yet.
+ if (ret.second) {
+ // We already had a role, so let's stick with that.
+ (*i)->unlock();
+ }
+ else {
+ // This is at least as good, so toss anything we had and keep it.
+ if (held)
+ held->unlock();
+ held = *i;
+ ret = cur;
+ }
+ }
+ }
+ else {
+ // Are we using a first match policy?
+ if (m_firstMatch) {
+ // I don't think this can happen, but who cares, check anyway.
+ if (held)
+ held->unlock();
+
+ // Save locked provider.
+ m_tlsKey->setData(*i);
+ return cur;
+ }
- // Do a search.
- const EntityDescriptor* ret=NULL;
- for (vector::const_iterator i=m_providers.begin(); i!=m_providers.end(); ++i) {
- (*i)->lock();
- if (ret=(*i)->getEntityDescriptor(artifact)) {
- // Save locked provider.
- m_tlsKey->setData(*i);
- return ret;
+ // Using last match wins. Did we already have one?
+ if (held) {
+ if (criteria.entityID_ascii) {
+ m_log.warn("found duplicate EntityDescriptor (%s), using last matching copy", criteria.entityID_ascii);
+ }
+ else if (criteria.entityID_unicode) {
+ auto_ptr_char temp(criteria.entityID_unicode);
+ m_log.warn("found duplicate EntityDescriptor (%s), using last matching copy", temp.get());
+ }
+ else if (criteria.artifact) {
+ m_log.warn("found duplicate EntityDescriptor for artifact source (%s), using last matching copy",
+ criteria.artifact->getSource().c_str());
+ }
+ held->unlock();
+ }
+
+ // Save off the latest match.
+ held = *i;
+ ret = cur;
+ }
+ }
+ else {
+ // No match, so just unlock this one and move on.
+ (*i)->unlock();
 }
- (*i)->unlock();
 }
- return NULL;
+ // Preserve any lock we're holding.
+ if (held)
+ m_tlsKey->setData(held);
+ return ret;
 }
 const Credential* ChainingMetadataProvider::resolve(const CredentialCriteria* criteria) const
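Review bot: In last-match mode the `getEntityDescriptor` loop now keeps `held` locked while it calls `(*i)->lock()` and `(*i)->getEntityDescriptor(criteria)` on the next provider, and nothing releases `held` (or `*i`) if that call throws, so one throwing provider leaves an earlier provider locked for the rest of the process; the `getEntitiesDescriptor` loop above it has the same gap, while the removed code never held more than the one provider it was querying. Wrapping the query, e.g. `try { cur = (*i)->getEntityDescriptor(criteria); } catch (...) { (*i)->unlock(); if (held) held->unlock(); throw; }`, restores the no-leaked-lock property; whether the providers' `lock()` itself can throw is not visible here, so a scoped guard object may be the cleaner fix. The duplicate warnings print `criteria.entityID_ascii` and the artifact source verbatim, and if those values can originate from a received message it is worth a comment that the log line is attacker-influenced. `getEntitiesDescriptor`'s opening lines lie before the start of this hunk.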