X-Git-Url: http://www.project-moonshot.org/gitweb/?a=blobdiff_plain;f=mech_eap%2Futil_saml.cpp;h=9658bf0848be41d51de500d8578f35468ee90105;hb=898862478f9adecfc5580814cf1296464c448b1b;hp=dcd7ae315ee9d9d400af406aeed2c6a62da9d2b6;hpb=1a186fb30f78cbe03e346bc3b23d81474bad1d4e;p=moonshot.git diff --git a/mech_eap/util_saml.cpp b/mech_eap/util_saml.cpp index dcd7ae3..9658bf0 100644 --- a/mech_eap/util_saml.cpp +++ b/mech_eap/util_saml.cpp @@ -1,5 +1,5 @@ /* - * Copyright (c) 2010, JANET(UK) + * Copyright (c) 2011, JANET(UK) * All rights reserved. * * Redistribution and use in source and binary forms, with or without @@ -29,403 +29,738 @@ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. */ + /* - * Copyright 2001-2009 Internet2 - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. + * SAML attribute provider implementation. */ -#include -#include -#include "util.h" +#include "gssapiP_eap.h" -#include -#include -#include -#include -#include -#include -#include -#include -#include +#include -#include -#include -#include #include +#include #include #include +#include +#include -using namespace shibsp; +#include +#include +#include +#include +#include + +using namespace xmltooling; using namespace opensaml::saml2md; using namespace opensaml; -using namespace xmltooling::logging; -using namespace xmltooling; using namespace xercesc; using namespace std; -class GSSEAPResolver : public shibsp::AssertionConsumerService +/* + * gss_eap_saml_assertion_provider is for retrieving the underlying + * assertion. + */ +gss_eap_saml_assertion_provider::gss_eap_saml_assertion_provider(void) { -public: - GSSEAPResolver(const DOMElement *e, const char *appId) - : shibsp::AssertionConsumerService(e, appId, Category::getInstance(SHIBSP_LOGCAT".GSSEAPResolver")) { - } - virtual ~GSSEAPResolver() {} - - ResolutionContext* resolveAttributes ( - const Application& application, - const RoleDescriptor* issuer, - const XMLCh* protocol, - const saml1::NameIdentifier* v1nameid, - const saml2::NameID* nameid, - const XMLCh* authncontext_class, - const XMLCh* authncontext_decl, - const vector* tokens - ) const { - return shibsp::AssertionConsumerService::resolveAttributes( - application, issuer, protocol, v1nameid, - nameid, authncontext_class, authncontext_decl, tokens - ); - } + m_assertion = NULL; + m_authenticated = false; +} -private: - void implementProtocol( - const Application& application, - const HTTPRequest& httpRequest, - HTTPResponse& httpResponse, - SecurityPolicy& policy, - const PropertySet* settings, - const XMLObject& xmlObject - ) const { - throw FatalProfileException("Should never be called."); - } -}; +gss_eap_saml_assertion_provider::~gss_eap_saml_assertion_provider(void) +{ + delete m_assertion; +} -class SHIBSP_DLLLOCAL DummyContext : public ResolutionContext +bool +gss_eap_saml_assertion_provider::initWithExistingContext(const gss_eap_attr_ctx *manager, + const gss_eap_attr_provider *ctx) { -public: - DummyContext(const vector& attributes) : m_attributes(attributes) { - } + /* Then we may be creating from an existing attribute context */ + const gss_eap_saml_assertion_provider *saml; - virtual ~DummyContext() { - for_each(m_attributes.begin(), m_attributes.end(), xmltooling::cleanup()); - } + assert(m_assertion == NULL); - vector& getResolvedAttributes() { - return m_attributes; - } - vector& getResolvedAssertions() { - return m_tokens; - } + if (!gss_eap_attr_provider::initWithExistingContext(manager, ctx)) + return false; + + saml = static_cast(ctx); + setAssertion(saml->getAssertion(), saml->authenticated()); + + return true; +} -private: - vector m_attributes; - static vector m_tokens; // never any tokens, so just share an empty vector -}; +bool +gss_eap_saml_assertion_provider::initWithGssContext(const gss_eap_attr_ctx *manager, + const gss_cred_id_t gssCred, + const gss_ctx_id_t gssCtx) +{ + const gss_eap_radius_attr_provider *radius; + gss_buffer_desc value = GSS_C_EMPTY_BUFFER; + int authenticated, complete; + OM_uint32 minor; + + assert(m_assertion == NULL); + + if (!gss_eap_attr_provider::initWithGssContext(manager, gssCred, gssCtx)) + return false; + + /* + * XXX TODO we need to support draft-howlett-radius-saml-attr-00 + */ + radius = static_cast + (m_manager->getProvider(ATTR_TYPE_RADIUS)); + if (radius != NULL && + radius->getFragmentedAttribute(PW_SAML_AAA_ASSERTION, + VENDORPEC_UKERNA, + &authenticated, &complete, &value)) { + setAssertion(&value, authenticated); + gss_release_buffer(&minor, &value); + } else { + m_assertion = NULL; + } -struct eap_gss_saml_attr_ctx { - ResolutionContext *resCtx; - gss_buffer_desc assertion; -}; + return true; +} -static OM_uint32 -samlAllocAttrContext(OM_uint32 *minor, - struct eap_gss_saml_attr_ctx **pCtx) +void +gss_eap_saml_assertion_provider::setAssertion(const saml2::Assertion *assertion, + bool authenticated) { - struct eap_gss_saml_attr_ctx *ctx; - ctx = (struct eap_gss_saml_attr_ctx *)GSSEAP_CALLOC(1, sizeof(*ctx)); - if (ctx == NULL) { - *minor = ENOMEM; - return GSS_S_FAILURE; + delete m_assertion; + + if (assertion != NULL) { +#ifdef __APPLE__ + m_assertion = (saml2::Assertion *)((void *)assertion->clone()); +#else + m_assertion = dynamic_cast(assertion->clone()); +#endif + m_authenticated = authenticated; + } else { + m_assertion = NULL; + m_authenticated = false; } +} - *pCtx = ctx; - *minor = 0; - return GSS_S_COMPLETE; +void +gss_eap_saml_assertion_provider::setAssertion(const gss_buffer_t buffer, + bool authenticated) +{ + delete m_assertion; + + m_assertion = parseAssertion(buffer); + m_authenticated = (m_assertion != NULL && authenticated); } -static OM_uint32 -samlImportAssertion(OM_uint32 *minor, - gss_buffer_t buffer, - saml2::Assertion **pAssertion) +saml2::Assertion * +gss_eap_saml_assertion_provider::parseAssertion(const gss_buffer_t buffer) { - *pAssertion = NULL; + string str((char *)buffer->value, buffer->length); + istringstream istream(str); + DOMDocument *doc; + const XMLObjectBuilder *b; try { - DOMDocument *doc; - const XMLObjectBuilder *b; - DOMElement *elem; - XMLObject *xobj; - string samlBuf((char *)buffer->value, buffer->length); - istringstream samlIn(samlBuf); - - doc = XMLToolingConfig::getConfig().getParser().parse(samlIn); - b = XMLObjectBuilder::getDefaultBuilder(); - elem = doc->getDocumentElement(); - xobj = b->buildOneFromElement(elem, true); - - *pAssertion = dynamic_cast(xobj); - if (*pAssertion == NULL) { - /* TODO minor_status */ - return GSS_S_BAD_NAME; - } - } catch (exception &e){ - /* TODO minor_status */ - return GSS_S_BAD_NAME; + doc = XMLToolingConfig::getConfig().getParser().parse(istream); + if (doc == NULL) + return NULL; + + b = XMLObjectBuilder::getBuilder(doc->getDocumentElement()); + +#ifdef __APPLE__ + return (saml2::Assertion *)((void *)b->buildFromDocument(doc)); +#else + return dynamic_cast(b->buildFromDocument(doc)); +#endif + } catch (exception &e) { + return NULL; } +} - *minor = 0; - return GSS_S_COMPLETE; +bool +gss_eap_saml_assertion_provider::getAttributeTypes(gss_eap_attr_enumeration_cb addAttribute, + void *data) const +{ + bool ret; + + /* just add the prefix */ + if (m_assertion != NULL) + ret = addAttribute(m_manager, this, GSS_C_NO_BUFFER, data); + else + ret = true; + + return ret; } -OM_uint32 -samlDuplicateAttrContext(OM_uint32 *minor, - const struct eap_gss_saml_attr_ctx *in, - struct eap_gss_saml_attr_ctx **out) +bool +gss_eap_saml_assertion_provider::setAttribute(int complete GSSEAP_UNUSED, + const gss_buffer_t attr, + const gss_buffer_t value) +{ + if (attr == GSS_C_NO_BUFFER || attr->length == 0) { + setAssertion(value); + return true; + } + + return false; +} + +bool +gss_eap_saml_assertion_provider::deleteAttribute(const gss_buffer_t value GSSEAP_UNUSED) +{ + delete m_assertion; + m_assertion = NULL; + m_authenticated = false; + + return true; +} + +time_t +gss_eap_saml_assertion_provider::getExpiryTime(void) const { - OM_uint32 major, tmpMinor; - struct eap_gss_saml_attr_ctx *ctx; + saml2::Conditions *conditions; + time_t expiryTime = 0; - major = samlAllocAttrContext(minor, &ctx); - if (GSS_ERROR(major)) - goto cleanup; + if (m_assertion == NULL) + return 0; - ctx->resCtx = new DummyContext(in->resCtx->getResolvedAttributes()); + conditions = m_assertion->getConditions(); -cleanup: - if (GSS_ERROR(major)) - samlReleaseAttrContext(&tmpMinor, &ctx); + if (conditions != NULL && conditions->getNotOnOrAfter() != NULL) + expiryTime = conditions->getNotOnOrAfter()->getEpoch(); - return major; + return expiryTime; } OM_uint32 -samlReleaseAttrContext(OM_uint32 *minor, - struct eap_gss_saml_attr_ctx **pCtx) +gss_eap_saml_assertion_provider::mapException(OM_uint32 *minor, + std::exception &e) const { - struct eap_gss_saml_attr_ctx *ctx = *pCtx; + if (typeid(e) == typeid(SecurityPolicyException)) + *minor = GSSEAP_SAML_SEC_POLICY_FAILURE; + else if (typeid(e) == typeid(BindingException)) + *minor = GSSEAP_SAML_BINDING_FAILURE; + else if (typeid(e) == typeid(ProfileException)) + *minor = GSSEAP_SAML_PROFILE_FAILURE; + else if (typeid(e) == typeid(FatalProfileException)) + *minor = GSSEAP_SAML_FATAL_PROFILE_FAILURE; + else if (typeid(e) == typeid(RetryableProfileException)) + *minor = GSSEAP_SAML_RETRY_PROFILE_FAILURE; + else if (typeid(e) == typeid(MetadataException)) + *minor = GSSEAP_SAML_METADATA_FAILURE; + else + return GSS_S_CONTINUE_NEEDED; + + gssEapSaveStatusInfo(*minor, "%s", e.what()); + + return GSS_S_FAILURE; +} - if (ctx != NULL) { - delete ctx->resCtx; - GSSEAP_FREE(ctx); - *pCtx = NULL; - } +bool +gss_eap_saml_assertion_provider::getAttribute(const gss_buffer_t attr, + int *authenticated, + int *complete, + gss_buffer_t value, + gss_buffer_t display_value GSSEAP_UNUSED, + int *more) const +{ + string str; - *minor = 0; - return GSS_S_COMPLETE; + if (attr != GSS_C_NO_BUFFER && attr->length != 0) + return false; + + if (m_assertion == NULL) + return false; + + if (*more != -1) + return false; + + if (authenticated != NULL) + *authenticated = m_authenticated; + if (complete != NULL) + *complete = true; + + XMLHelper::serialize(m_assertion->marshall((DOMDocument *)NULL), str); + + if (value != NULL) + duplicateBuffer(str, value); + if (display_value != NULL) + duplicateBuffer(str, display_value); + + *more = 0; + + return true; } -OM_uint32 -samlCreateAttrContext(OM_uint32 *minor, - gss_buffer_t buffer, - gss_name_t acceptorName, - struct eap_gss_saml_attr_ctx **pCtx) -{ - OM_uint32 major, tmpMinor; - struct eap_gss_saml_attr_ctx *ctx; - SPConfig &conf = SPConfig::getConfig(); - ServiceProvider *sp; - const Application *app; - MetadataProvider *m; - gss_buffer_desc nameBuf; - const XMLCh *issuer = NULL; - saml2::NameID *subjectName = NULL; - saml2::Assertion *assertion; +gss_any_t +gss_eap_saml_assertion_provider::mapToAny(int authenticated, + gss_buffer_t type_id GSSEAP_UNUSED) const +{ + if (authenticated && !m_authenticated) + return (gss_any_t)NULL; - nameBuf.length = 0; - nameBuf.value = NULL; + return (gss_any_t)m_assertion; +} - conf.setFeatures(SPConfig::Metadata | - SPConfig::Trust | - SPConfig::AttributeResolution | - SPConfig::Credentials | - SPConfig::OutOfProcess); - if (!conf.init()) - return GSS_S_FAILURE; - if (!conf.instantiate()) - return GSS_S_FAILURE; +void +gss_eap_saml_assertion_provider::releaseAnyNameMapping(gss_buffer_t type_id GSSEAP_UNUSED, + gss_any_t input) const +{ + delete ((saml2::Assertion *)input); +} - sp = conf.getServiceProvider(); - sp->lock(); +const char * +gss_eap_saml_assertion_provider::prefix(void) const +{ + return "urn:ietf:params:gss-eap:saml-aaa-assertion"; +} - major = gss_display_name(minor, acceptorName, &nameBuf, NULL); - if (GSS_ERROR(major)) - goto cleanup; +bool +gss_eap_saml_assertion_provider::init(void) +{ + gss_eap_attr_ctx::registerProvider(ATTR_TYPE_SAML_ASSERTION, createAttrContext); + return true; +} - app = sp->getApplication((const char *)nameBuf.value); - if (app == NULL) { - major = GSS_S_FAILURE; - goto cleanup; - } +void +gss_eap_saml_assertion_provider::finalize(void) +{ + gss_eap_attr_ctx::unregisterProvider(ATTR_TYPE_SAML_ASSERTION); +} - major = samlAllocAttrContext(minor, &ctx); - if (GSS_ERROR(major)) - goto cleanup; +gss_eap_attr_provider * +gss_eap_saml_assertion_provider::createAttrContext(void) +{ + return new gss_eap_saml_assertion_provider; +} - major = samlImportAssertion(minor, buffer, &assertion); - if (GSS_ERROR(major)) - goto cleanup; +saml2::Assertion * +gss_eap_saml_assertion_provider::initAssertion(void) +{ + delete m_assertion; + m_assertion = saml2::AssertionBuilder::buildAssertion(); + m_authenticated = false; - if (assertion->getIssuer() != NULL) - issuer = assertion->getIssuer()->getName(); - if (assertion->getSubject() != NULL) - subjectName = assertion->getSubject()->getNameID(); + return m_assertion; +} - try { - m = app->getMetadataProvider(); - xmltooling::Locker mlocker(m); - MetadataProviderCriteria mc(*app, issuer, - &IDPSSODescriptor::ELEMENT_QNAME, - samlconstants::SAML20P_NS); - pair site = - m->getEntityDescriptor(mc); - if (!site.first) { - auto_ptr_char temp(issuer); - throw MetadataException("Unable to locate metadata for IdP ($1).", - params(1,temp.get())); +/* + * gss_eap_saml_attr_provider is for retrieving the underlying attributes. + */ +bool +gss_eap_saml_attr_provider::getAssertion(int *authenticated, + saml2::Assertion **pAssertion, + bool createIfAbsent) const +{ + gss_eap_saml_assertion_provider *saml; + + if (authenticated != NULL) + *authenticated = false; + if (pAssertion != NULL) + *pAssertion = NULL; + + saml = static_cast + (m_manager->getProvider(ATTR_TYPE_SAML_ASSERTION)); + if (saml == NULL) + return false; + + if (authenticated != NULL) + *authenticated = saml->authenticated(); + if (pAssertion != NULL) + *pAssertion = saml->getAssertion(); + + if (saml->getAssertion() == NULL) { + if (createIfAbsent) { + if (authenticated != NULL) + *authenticated = false; + if (pAssertion != NULL) + *pAssertion = saml->initAssertion(); + } else + return false; + } + + return true; +} + +bool +gss_eap_saml_attr_provider::getAttributeTypes(gss_eap_attr_enumeration_cb addAttribute, + void *data) const +{ + saml2::Assertion *assertion; + int authenticated; + + if (!getAssertion(&authenticated, &assertion)) + return true; + + /* + * Note: the first prefix is added by the attribute provider manager + * + * From draft-hartman-gss-eap-naming-00: + * + * Each attribute carried in the assertion SHOULD also be a GSS name + * attribute. The name of this attribute has three parts, all separated + * by an ASCII space character. The first part is + * urn:ietf:params:gss-eap:saml-attr. The second part is the URI for + * the SAML attribute name format. The final part is the name of the + * SAML attribute. If the mechanism performs an additional attribute + * query, the retrieved attributes SHOULD be GSS-API name attributes + * using the same name syntax. + */ + /* For each attribute statement, look for an attribute match */ + const vector &statements = + const_cast(assertion)->getAttributeStatements(); + + for (vector::const_iterator s = statements.begin(); + s != statements.end(); + ++s) { + const vector &attrs = + const_cast(*s)->getAttributes(); + + for (vector::const_iterator a = attrs.begin(); a != attrs.end(); ++a) { + const XMLCh *attributeName, *attributeNameFormat; + XMLCh space[2] = { ' ', 0 }; + gss_buffer_desc utf8; + + attributeName = (*a)->getName(); + attributeNameFormat = (*a)->getNameFormat(); + if (attributeNameFormat == NULL || attributeNameFormat[0] == '\0') + attributeNameFormat = saml2::Attribute::UNSPECIFIED; + + XMLCh qualifiedName[XMLString::stringLen(attributeNameFormat) + 1 + + XMLString::stringLen(attributeName) + 1]; + XMLString::copyString(qualifiedName, attributeNameFormat); + XMLString::catString(qualifiedName, space); + XMLString::catString(qualifiedName, attributeName); + + utf8.value = (void *)toUTF8(qualifiedName); + utf8.length = strlen((char *)utf8.value); + + if (!addAttribute(m_manager, this, &utf8, data)) + return false; } - vector tokens(1, assertion); - GSSEAPResolver gssResolver(NULL, (const char *)nameBuf.value); - ctx->resCtx = gssResolver.resolveAttributes(*app, site.second, - samlconstants::SAML20P_NS, - NULL, subjectName, NULL, - NULL, &tokens); - } catch (exception &ex) { - major = GSS_S_BAD_NAME; - goto cleanup; } - major = GSS_S_COMPLETE; - *pCtx = ctx; + return true; +} + +static BaseRefVectorOf * +decomposeAttributeName(const gss_buffer_t attr) +{ + BaseRefVectorOf *components; + string str((const char *)attr->value, attr->length); + auto_ptr_XMLCh qualifiedAttr(str.c_str()); -cleanup: - sp->unlock(); - conf.term(); + components = XMLString::tokenizeString(qualifiedAttr.get()); - if (GSS_ERROR(major)) - samlReleaseAttrContext(&tmpMinor, &ctx); - gss_release_buffer(&tmpMinor, &nameBuf); + if (components->size() != 2) { + delete components; + components = NULL; + } - return major; + return components; } -OM_uint32 -samlGetAttributeTypes(OM_uint32 *minor, - const struct eap_gss_saml_attr_ctx *ctx, - void *data, - OM_uint32 (*addAttribute)(OM_uint32 *, void *, gss_buffer_t)) +static bool +isNotPrintable(const gss_buffer_t value) { - OM_uint32 major = GSS_S_COMPLETE; + size_t i; + char *p = (char *)value->value; - if (ctx == NULL) - return GSS_S_COMPLETE; - - for (vector::const_iterator a = ctx->resCtx->getResolvedAttributes().begin(); - a != ctx->resCtx->getResolvedAttributes().end(); - ++a) + if (isgraph(p[0]) && + isgraph(p[value->length - 1])) { - gss_buffer_desc attribute; + for (i = 0; p[i]; i++) { + if (!isascii(p[i]) || !isprint(p[i])) + return true; + } + return false; + } - attribute.value = (void *)((*a)->getId()); - attribute.length = strlen((char *)attribute.value); + return true; +} - major = addAttribute(minor, data, &attribute); - if (GSS_ERROR(major)) - break; +bool +gss_eap_saml_attr_provider::setAttribute(int complete GSSEAP_UNUSED, + const gss_buffer_t attr, + const gss_buffer_t value) +{ + saml2::Assertion *assertion; + saml2::Attribute *attribute; + saml2::AttributeValue *attributeValue; + saml2::AttributeStatement *attributeStatement; + + if (!getAssertion(NULL, &assertion, true)) + return false; + + if (assertion->getAttributeStatements().size() != 0) { + attributeStatement = assertion->getAttributeStatements().front(); + } else { + attributeStatement = saml2::AttributeStatementBuilder::buildAttributeStatement(); + assertion->getAttributeStatements().push_back(attributeStatement); + } + + /* Check the attribute name consists of name format | whsp | name */ + BaseRefVectorOf *components = decomposeAttributeName(attr); + if (components == NULL) + return false; + + attribute = saml2::AttributeBuilder::buildAttribute(); + attribute->setNameFormat(components->elementAt(0)); + attribute->setName(components->elementAt(1)); + + attributeValue = saml2::AttributeValueBuilder::buildAttributeValue(); + if (isNotPrintable(value)) { + char *b64; + + if (base64Encode(value->value, value->length, &b64)) + return false; + + auto_ptr_XMLCh unistr(b64); + attributeValue->setTextContent(unistr.get()); + } else { + auto_ptr_XMLCh unistr((char *)value->value); + attributeValue->setTextContent(unistr.get()); } - return major; + attribute->getAttributeValues().push_back(attributeValue); + + assert(attributeStatement != NULL); + attributeStatement->getAttributes().push_back(attribute); + + delete components; + + return true; } -OM_uint32 -samlGetAttribute(OM_uint32 *minor, - const struct eap_gss_saml_attr_ctx *ctx, - gss_buffer_t attr, - int *authenticated, - int *complete, - gss_buffer_t value, - gss_buffer_t display_value, - int *more) -{ - OM_uint32 major; - Attribute *shibAttr = NULL; - gss_buffer_desc buf; - - if (ctx == NULL) - return GSS_S_UNAVAILABLE; - - for (vector::const_iterator a = ctx->resCtx->getResolvedAttributes().begin(); - a != ctx->resCtx->getResolvedAttributes().end(); - ++a) { - for (vector::const_iterator s = (*a)->getAliases().begin(); - s != (*a)->getAliases().end(); - ++s) { - if (attr->length == strlen((*s).c_str()) && - memcmp((*s).c_str(), attr->value, attr->length) == 0) { - shibAttr = *a; +bool +gss_eap_saml_attr_provider::deleteAttribute(const gss_buffer_t attr) +{ + saml2::Assertion *assertion; + bool ret = false; + + if (!getAssertion(NULL, &assertion) || + assertion->getAttributeStatements().size() == 0) + return false; + + /* Check the attribute name consists of name format | whsp | name */ + BaseRefVectorOf *components = decomposeAttributeName(attr); + if (components == NULL) + return false; + + /* For each attribute statement, look for an attribute match */ + const vector &statements = + const_cast(assertion)->getAttributeStatements(); + + for (vector::const_iterator s = statements.begin(); + s != statements.end(); + ++s) { + const vector &attrs = + const_cast(*s)->getAttributes(); + ssize_t index = -1, i = 0; + + /* There's got to be an easier way to do this */ + for (vector::const_iterator a = attrs.begin(); + a != attrs.end(); + ++a) { + if (XMLString::equals((*a)->getNameFormat(), components->elementAt(0)) && + XMLString::equals((*a)->getName(), components->elementAt(1))) { + index = i; + break; + } + ++i; + } + if (index != -1) { + (*s)->getAttributes().erase((*s)->getAttributes().begin() + index); + ret = true; + } + } + + delete components; + + return ret; +} + +bool +gss_eap_saml_attr_provider::getAttribute(const gss_buffer_t attr, + int *authenticated, + int *complete, + const saml2::Attribute **pAttribute) const +{ + saml2::Assertion *assertion; + + if (authenticated != NULL) + *authenticated = false; + if (complete != NULL) + *complete = true; + *pAttribute = NULL; + + if (!getAssertion(authenticated, &assertion) || + assertion->getAttributeStatements().size() == 0) + return false; + + /* Check the attribute name consists of name format | whsp | name */ + BaseRefVectorOf *components = decomposeAttributeName(attr); + if (components == NULL) + return false; + + /* For each attribute statement, look for an attribute match */ + const vector &statements = + const_cast(assertion)->getAttributeStatements(); + const saml2::Attribute *ret = NULL; + + for (vector::const_iterator s = statements.begin(); + s != statements.end(); + ++s) { + const vector &attrs = + const_cast(*s)->getAttributes(); + + for (vector::const_iterator a = attrs.begin(); a != attrs.end(); ++a) { + const XMLCh *attributeName, *attributeNameFormat; + + attributeName = (*a)->getName(); + attributeNameFormat = (*a)->getNameFormat(); + if (attributeNameFormat == NULL || attributeNameFormat[0] == '\0') + attributeNameFormat = saml2::Attribute::UNSPECIFIED; + + if (XMLString::equals(attributeNameFormat, components->elementAt(0)) && + XMLString::equals(attributeName, components->elementAt(1))) { + ret = *a; break; } } - if (shibAttr != NULL) + + if (ret != NULL) break; } - if (shibAttr == NULL) - return GSS_S_UNAVAILABLE; + delete components; - if (*more == -1) { - *more = 0; - } else if (*more >= (int)shibAttr->valueCount()) { - *more = 0; - return GSS_S_COMPLETE; + *pAttribute = ret; + + return (ret != NULL); +} + +bool +gss_eap_saml_attr_provider::getAttribute(const gss_buffer_t attr, + int *authenticated, + int *complete, + gss_buffer_t value, + gss_buffer_t display_value, + int *more) const +{ + const saml2::Attribute *a; + const saml2::AttributeValue *av; + int nvalues, i = *more; + + *more = 0; + + if (!getAttribute(attr, authenticated, complete, &a)) + return false; + + nvalues = a->getAttributeValues().size(); + + if (i == -1) + i = 0; + if (i >= nvalues) + return false; +#ifdef __APPLE__ + av = (const saml2::AttributeValue *)((void *)(a->getAttributeValues().at(i))); +#else + av = dynamic_cast(a->getAttributeValues().at(i)); +#endif + if (av != NULL) { + if (value != NULL) { + char *stringValue = toUTF8(av->getTextContent(), true); + size_t stringValueLen = strlen(stringValue); + + if (base64Valid(stringValue)) { + ssize_t binaryLen; + + value->value = GSSEAP_MALLOC(stringValueLen); + if (value->value == NULL) + throw new std::bad_alloc; + + binaryLen = base64Decode(stringValue, value->value); + if (binaryLen < 0) { + GSSEAP_FREE(value->value); + value->value = NULL; + return false; + } + value->length = binaryLen; + } else { + value->value = stringValue; + value->length = stringValueLen; + } + } + if (display_value != NULL) { + display_value->value = toUTF8(av->getTextContent(), true); + display_value->length = strlen((char *)value->value); + } } - buf.value = (void *)shibAttr->getString(*more); - buf.length = strlen((char *)buf.value); + if (nvalues > ++i) + *more = i; - major = duplicateBuffer(minor, &buf, value); - if (GSS_ERROR(major)) - return major; - - *authenticated = TRUE; - *complete = FALSE; + return true; +} - return GSS_S_COMPLETE; +gss_any_t +gss_eap_saml_attr_provider::mapToAny(int authenticated GSSEAP_UNUSED, + gss_buffer_t type_id GSSEAP_UNUSED) const +{ + return (gss_any_t)NULL; } -OM_uint32 -samlSetAttribute(OM_uint32 *minor, - struct eap_gss_saml_attr_ctx *ctx, - int complete, - gss_buffer_t attr, - gss_buffer_t value) +void +gss_eap_saml_attr_provider::releaseAnyNameMapping(gss_buffer_t type_id GSSEAP_UNUSED, + gss_any_t input GSSEAP_UNUSED) const +{ +} + +const char * +gss_eap_saml_attr_provider::prefix(void) const +{ + return "urn:ietf:params:gss-eap:saml-attr"; +} + +bool +gss_eap_saml_attr_provider::init(void) +{ + gss_eap_attr_ctx::registerProvider(ATTR_TYPE_SAML, createAttrContext); + return true; +} + +void +gss_eap_saml_attr_provider::finalize(void) { - return GSS_S_UNAVAILABLE; + gss_eap_attr_ctx::unregisterProvider(ATTR_TYPE_SAML); +} + +gss_eap_attr_provider * +gss_eap_saml_attr_provider::createAttrContext(void) +{ + return new gss_eap_saml_attr_provider; } OM_uint32 -samlExportAttrContext(OM_uint32 *minor, - struct eap_gss_saml_attr_ctx *ctx, - gss_buffer_t buffer) +gssEapSamlAttrProvidersInit(OM_uint32 *minor) { - GSSEAP_NOT_IMPLEMENTED; + if (!gss_eap_saml_assertion_provider::init() || + !gss_eap_saml_attr_provider::init()) { + *minor = GSSEAP_SAML_INIT_FAILURE; + return GSS_S_FAILURE; + } + + return GSS_S_COMPLETE; } OM_uint32 -samlImportAttrContext(OM_uint32 *minor, - gss_buffer_t buffer, - struct eap_gss_saml_attr_ctx **ppCtx) +gssEapSamlAttrProvidersFinalize(OM_uint32 *minor) { - GSSEAP_NOT_IMPLEMENTED; + gss_eap_saml_attr_provider::finalize(); + gss_eap_saml_assertion_provider::finalize(); + + *minor = 0; + return GSS_S_COMPLETE; }