X-Git-Url: http://www.project-moonshot.org/gitweb/?a=blobdiff_plain;f=adfs%2Fadfs.cpp;h=b2be93ba107d22b8e285ae26a7d0afdb9b86ce65;hb=392d1448deb48beb75f219532ac248b4776f16db;hp=8a3755960e619cec3edacbae7f485245dcf64566;hpb=c8bb7d6ef7633f5464b317e67a074506dddbb18b;p=shibboleth%2Fsp.git

diff --git a/adfs/adfs.cpp b/adfs/adfs.cpp
index 8a37559..b2be93b 100644
--- a/adfs/adfs.cpp
+++ b/adfs/adfs.cpp
@@ -162,9 +162,10 @@ namespace {
         auto_ptr_XMLCh m_protocol;
 
     private:
-        string implementProtocol(
+        void implementProtocol(
             const Application& application,
             const HTTPRequest& httpRequest,
+            HTTPResponse& httpResponse,
             SecurityPolicy& policy,
             const PropertySet* settings,
             const XMLObject& xmlObject
@@ -208,9 +209,7 @@ namespace {
 #endif
 
     private:
-        pair<bool,long> doRequest(
-            const Application& application, const char* requestURL, const char* entityID, HTTPResponse& httpResponse
-            ) const;
+        pair<bool,long> doRequest(const Application& application, const char* entityID, HTTPResponse& httpResponse) const;
 
         string m_appId;
         auto_ptr_XMLCh m_binding;
@@ -326,7 +325,7 @@ pair<bool,long> ADFSSessionInitiator::run(SPRequest& request, const char* entity
 
         // Since we're passing the ACS by value, we need to compute the return URL,
         // so we'll need the target resource for real.
-        recoverRelayState(request.getApplication(), request, target, false);
+        recoverRelayState(request.getApplication(), request, request, target, false);
     }
     else {
         // We're running as a "virtual handler" from within the filter.
@@ -438,19 +437,23 @@ pair<bool,long> ADFSSessionInitiator::doRequest(
     MetadataProvider::Criteria mc(entityID, &IDPSSODescriptor::ELEMENT_QNAME, m_binding.get());
     pair<const EntityDescriptor*,const RoleDescriptor*> entity=m->getEntityDescriptor(mc);
     if (!entity.first) {
-        m_log.error("unable to locate metadata for provider (%s)", entityID);
+        m_log.warn("unable to locate metadata for provider (%s)", entityID);
         throw MetadataException("Unable to locate metadata for identity provider ($entityID)", namedparams(1, "entityID", entityID));
     }
     else if (!entity.second) {
-        m_log.error("unable to locate ADFS-aware identity provider role for provider (%s)", entityID);
-        return make_pair(false,0L);
+        m_log.warn("unable to locate ADFS-aware identity provider role for provider (%s)", entityID);
+        if (getParent())
+            return make_pair(false,0L);
+        throw MetadataException("Unable to locate ADFS-aware identity provider role for provider ($entityID)", namedparams(1, "entityID", entityID));
     }
     const EndpointType* ep = EndpointManager<SingleSignOnService>(
         dynamic_cast<const IDPSSODescriptor*>(entity.second)->getSingleSignOnServices()
         ).getByBinding(m_binding.get());
     if (!ep) {
-        m_log.error("unable to locate compatible SSO service for provider (%s)", entityID);
-        return make_pair(false,0L);
+        m_log.warn("unable to locate compatible SSO service for provider (%s)", entityID);
+        if (getParent())
+            return make_pair(false,0L);
+        throw MetadataException("Unable to locate compatible SSO service for provider ($entityID)", namedparams(1, "entityID", entityID));
     }
 
     preserveRelayState(app, httpResponse, relayState);
@@ -528,9 +531,10 @@ XMLObject* ADFSDecoder::decode(string& relayState, const GenericRequest& generic
     return xmlObject.release();
 }
 
-string ADFSConsumer::implementProtocol(
+void ADFSConsumer::implementProtocol(
     const Application& application,
     const HTTPRequest& httpRequest,
+    HTTPResponse& httpResponse,
     SecurityPolicy& policy,
     const PropertySet* settings,
     const XMLObject& xmlObject
@@ -562,10 +566,12 @@ string ADFSConsumer::implementProtocol(
     if (!policy.isAuthenticated())
         throw SecurityPolicyException("Unable to establish security of incoming assertion.");
 
+    const EntityDescriptor* entity = policy.getIssuerMetadata() ? dynamic_cast<const EntityDescriptor*>(policy.getIssuerMetadata()->getParent()) : NULL;
+
     // Now do profile and core semantic validation to ensure we can use it for SSO.
     // Profile validator.
     time_t now = time(NULL);
-    saml1::AssertionValidator ssoValidator(application.getAudiences(), now);
+    saml1::AssertionValidator ssoValidator(application.getRelyingParty(entity)->getXMLString("entityID").second, application.getAudiences(), now);
     ssoValidator.validateAssertion(*token);
     if (!token->getConditions() || !token->getConditions()->getNotBefore() || !token->getConditions()->getNotOnOrAfter())
         throw FatalProfileException("Assertion did not contain time conditions.");
@@ -579,7 +585,7 @@ string ADFSConsumer::implementProtocol(
 
     // authnskew allows rejection of SSO if AuthnInstant is too old.
     const PropertySet* sessionProps = application.getPropertySet("Sessions");
-    pair<bool,unsigned int> authnskew = sessionProps ? sessionProps->getUnsignedInt("authnskew") : pair<bool,unsigned int>(false,0);
+    pair<bool,unsigned int> authnskew = sessionProps ? sessionProps->getUnsignedInt("maxTimeSinceAuthn") : pair<bool,unsigned int>(false,0);
 
     if (authnskew.first && authnskew.second &&
             ssoStatement->getAuthenticationInstant() && (now - ssoStatement->getAuthenticationInstantEpoch() > authnskew.second))
@@ -615,7 +621,7 @@ string ADFSConsumer::implementProtocol(
     }
 
     // The context will handle deleting attributes and new tokens.
-        auto_ptr<ResolutionContext> ctx(
+    auto_ptr<ResolutionContext> ctx(
         resolveAttributes(
             application,
             policy.getIssuerMetadata(),
@@ -633,11 +639,12 @@ string ADFSConsumer::implementProtocol(
         tokens.insert(tokens.end(), ctx->getResolvedAssertions().begin(), ctx->getResolvedAssertions().end());
     }
 
-    return application.getServiceProvider().getSessionCache()->insert(
-        now + lifetime.second,
+    application.getServiceProvider().getSessionCache()->insert(
         application,
-        httpRequest.getRemoteAddr().c_str(),
-        policy.getIssuerMetadata() ? dynamic_cast<const EntityDescriptor*>(policy.getIssuerMetadata()->getParent()) : NULL,
+        httpRequest,
+        httpResponse,
+        now + lifetime.second,
+        entity,
         m_protocol.get(),
         nameid.get(),
         ssoStatement->getAuthenticationInstant() ? ssoStatement->getAuthenticationInstant()->getRawData() : NULL,
@@ -681,7 +688,7 @@ pair<bool,long> ADFSLogoutInitiator::run(SPRequest& request, bool isHandler) con
 
     if (SPConfig::getConfig().isEnabled(SPConfig::OutOfProcess)) {
         // When out of process, we run natively.
-        return doRequest(request.getApplication(), request.getRequestURL(), entityID.c_str(), request);
+        return doRequest(request.getApplication(), entityID.c_str(), request);
     }
     else {
         // When not out of process, we remote the request.
@@ -689,7 +696,6 @@ pair<bool,long> ADFSLogoutInitiator::run(SPRequest& request, bool isHandler) con
         DDF out,in(m_address.c_str());
         DDFJanitor jin(in), jout(out);
         in.addmember("application_id").string(request.getApplication().getId());
-        in.addmember("url").string(request.getRequestURL());
         in.addmember("entity_id").string(entityID.c_str());
         out=request.getServiceProvider().getListenerService()->send(in);
         return unwrap(request, out);
@@ -716,7 +722,7 @@ void ADFSLogoutInitiator::receive(DDF& in, ostream& out)
     // Since we're remoted, the result should either be a throw, which we pass on,
     // a false/0 return, which we just return as an empty structure, or a response/redirect,
     // which we capture in the facade and send back.
-    doRequest(*app, in["url"].string(), in["entity_id"].string(), *resp.get());
+    doRequest(*app, in["entity_id"].string(), *resp.get());
 
     out << ret;
 #else
@@ -724,9 +730,7 @@ void ADFSLogoutInitiator::receive(DDF& in, ostream& out)
 #endif
 }
 
-pair<bool,long> ADFSLogoutInitiator::doRequest(
-    const Application& application, const char* requestURL, const char* entityID, HTTPResponse& response
-    ) const
+pair<bool,long> ADFSLogoutInitiator::doRequest(const Application& application, const char* entityID, HTTPResponse& response) const
 {
 #ifndef SHIBSP_LITE
     try {
@@ -793,10 +797,6 @@ pair<bool,long> ADFSLogout::run(SPRequest& request, bool isHandler) const
     param = request.getParameter("wreply");
     const Application& app = request.getApplication();
 
-    // Get the session_id.
-    pair<string,const char*> shib_cookie = app.getCookieNameProps("_shibsession_");
-    const char* session_id = request.getCookie(shib_cookie.first.c_str());
-
     if (!returning) {
         // Pass control to the first front channel notification point, if any.
         map<string,string> parammap;
@@ -808,19 +808,19 @@ pair<bool,long> ADFSLogout::run(SPRequest& request, bool isHandler) const
     }
 
     // Best effort on back channel and to remove the user agent's session.
-    if (session_id) {
+    string session_id = app.getServiceProvider().getSessionCache()->active(app, request);
+    if (!session_id.empty()) {
         vector<string> sessions(1,session_id);
         notifyBackChannel(app, request.getRequestURL(), sessions, false);
         try {
-            app.getServiceProvider().getSessionCache()->remove(session_id, app);
+            app.getServiceProvider().getSessionCache()->remove(app, request, &request);
         }
         catch (exception& ex) {
-            m_log.error("error removing session (%s): %s", session_id, ex.what());
+            m_log.error("error removing session (%s): %s", session_id.c_str(), ex.what());
         }
-        request.setCookie(shib_cookie.first.c_str(), shib_cookie.second);
     }
 
     if (param)
         return make_pair(true, request.sendRedirect(param));
-    return sendLogoutPage(app, request, false, "Logout complete.");
+    return sendLogoutPage(app, request, request, false, "Logout complete.");
 }