X-Git-Url: http://www.project-moonshot.org/gitweb/?a=blobdiff_plain;f=shibsp%2Fhandler%2Fimpl%2FAssertionLookup.cpp;h=e031f27ca2c21e88be8cfea451547d66c2fc29f6;hb=c51bfd77603cf0ddb0b5e374c35586a8435895d6;hp=5b8f006b243ff913c948938f03323f23e71c5635;hpb=66a7b1f30513115db03cd5bbe9b28fdbe7846cc0;p=shibboleth%2Fcpp-sp.git
diff --git a/shibsp/handler/impl/AssertionLookup.cpp b/shibsp/handler/impl/AssertionLookup.cpp
index 5b8f006..e031f27 100644
--- a/shibsp/handler/impl/AssertionLookup.cpp
+++ b/shibsp/handler/impl/AssertionLookup.cpp
@@ -1,39 +1,51 @@
-/*
- * Copyright 2001-2007 Internet2
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
+/**
+ * Licensed to the University Corporation for Advanced Internet
+ * Development, Inc. (UCAID) under one or more contributor license
+ * agreements. See the NOTICE file distributed with this work for
+ * additional information regarding copyright ownership.
+ *
+ * UCAID licenses this file to you under the Apache License,
+ * Version 2.0 (the "License"); you may not use this file except
+ * in compliance with the License. You may obtain a copy of the
+ * License at
 *
- * http://www.apache.org/licenses/LICENSE-2.0
+ * http://www.apache.org/licenses/LICENSE-2.0
 *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND,
+ * either express or implied. See the License for the specific
+ * language governing permissions and limitations under the License.
 */
 
 /**
 * AssertionLookup.cpp
- *
- * Handler for looking assertions in SessionCache
+ *
+ * Handler for looking up assertions in the SessionCache.
 */
 
 #include "internal.h"
-#include "Application.h"
 #include "exceptions.h"
+#include "Application.h"
 #include "ServiceProvider.h"
-#include "SessionCache.h"
-#include "handler/AbstractHandler.h"
+#include "SessionCacheEx.h"
+#include "SPRequest.h"
 #include "handler/RemotedHandler.h"
-#include "util/SPConstants.h"
+#include "handler/SecuredHandler.h"
+
+#include
+
+#ifndef SHIBSP_LITE
+# include
+# include
+# include
+using namespace opensaml;
+#endif
 
 using namespace shibspconstants;
 using namespace shibsp;
-using namespace opensaml;
 using namespace xmltooling;
-using namespace log4cpp;
+using namespace boost;
 using namespace std;
 
 namespace shibsp {
@@ -43,7 +55,7 @@ namespace shibsp {
 #pragma warning( disable : 4250 )
 #endif
 
- class SHIBSP_API AssertionLookup : public AbstractHandler, public RemotedHandler
+ class SHIBSP_API AssertionLookup : public SecuredHandler, public RemotedHandler
 {
 public:
 AssertionLookup(const DOMElement* e, const char* appId);
@@ -52,10 +64,12 @@ namespace shibsp {
 pair run(SPRequest& request, bool isHandler=true) const;
 void receive(DDF& in, ostream& out);
 
+ const char* getType() const {
+ return "AssertionLookup";
+ }
+
 private:
 pair processMessage(const Application& application, HTTPRequest& httpRequest, HTTPResponse& httpResponse) const;
-
- set m_acl;
 };
 
 #if defined (_MSC_VER)
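Review bot: `using namespace boost;` added at file scope beside the existing `using namespace std;` puts two namespaces that can both export the same unqualified names (`exception`, `shared_ptr`, and more as either library grows) into every lookup in this file; the `catch (std::exception& ex)` qualification this same commit adds further down reads like the first consequence of that. A narrower `using boost::scoped_ptr;` would cover the only boost name visible in this diff and keep lookup unambiguous. The `#include` targets are not legible in this rendering, so I cannot confirm which boost headers are actually pulled in.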
@@ -70,85 +84,63 @@ namespace shibsp {
 };
 
 AssertionLookup::AssertionLookup(const DOMElement* e, const char* appId)
- : AbstractHandler(e, Category::getInstance(SHIBSP_LOGCAT".AssertionLookup"))
+ : SecuredHandler(e, Category::getInstance(SHIBSP_LOGCAT ".AssertionLookup"), "exportACL", "127.0.0.1 ::1")
 {
 setAddress("run::AssertionLookup");
- if (SPConfig::getConfig().isEnabled(SPConfig::InProcess)) {
- pair acl = getString("exportACL");
- if (!acl.first) {
- m_acl.insert("127.0.0.1");
- return;
- }
- string aclbuf=acl.second;
- int j = 0;
- for (unsigned int i=0; i < aclbuf.length(); i++) {
- if (aclbuf.at(i)==' ') {
- m_acl.insert(aclbuf.substr(j, i-j));
- j = i+1;
- }
- }
- m_acl.insert(aclbuf.substr(j, aclbuf.length()-j));
- }
 }
 
 pair AssertionLookup::run(SPRequest& request, bool isHandler) const
 {
- string relayState;
- SPConfig& conf = SPConfig::getConfig();
- if (conf.isEnabled(SPConfig::InProcess)) {
- if (m_acl.count(request.getRemoteAddr()) == 0) {
- m_log.error("request for assertion lookup blocked from invalid address (%s)", request.getRemoteAddr());
- istringstream msg("Assertion Lookup Blocked");
- return make_pair(true,request.sendResponse(msg, HTTPResponse::XMLTOOLING_HTTP_STATUS_FORBIDDEN));
- }
- }
-
+ // Check ACL in base class.
+ pair ret = SecuredHandler::run(request, isHandler);
+ if (ret.first)
+ return ret;
+
 try {
- if (conf.isEnabled(SPConfig::OutOfProcess)) {
+ if (SPConfig::getConfig().isEnabled(SPConfig::OutOfProcess)) {
 // When out of process, we run natively and directly process the message.
 return processMessage(request.getApplication(), request, request);
 }
 else {
 // When not out of process, we remote all the message processing.
- DDF out,in = wrap(request, NULL, true);
+ DDF out,in = wrap(request);
 DDFJanitor jin(in), jout(out);
-
- in.addmember("application_id").string(request.getApplication().getId());
+
 out=request.getServiceProvider().getListenerService()->send(in);
 return unwrap(request, out);
 }
 }
- catch (exception& ex) {
+ catch (std::exception& ex) {
 m_log.error("error while processing request: %s", ex.what());
 istringstream msg("Assertion Lookup Failed");
- return make_pair(true,request.sendResponse(msg, HTTPResponse::XMLTOOLING_HTTP_STATUS_ERROR));
+ return make_pair(true, request.sendResponse(msg, HTTPResponse::XMLTOOLING_HTTP_STATUS_ERROR));
 }
 }
 
 void AssertionLookup::receive(DDF& in, ostream& out)
 {
 // Find application.
- const char* aid=in["application_id"].string();
- const Application* app=aid ? SPConfig::getConfig().getServiceProvider()->getApplication(aid) : NULL;
+ const char* aid = in["application_id"].string();
+ const Application* app = aid ? SPConfig::getConfig().getServiceProvider()->getApplication(aid) : nullptr;
 if (!app) {
 // Something's horribly wrong.
 m_log.error("couldn't find application (%s) for assertion lookup", aid ? aid : "(missing)");
 throw ConfigurationException("Unable to locate application for assertion lookup, deleted?");
 }
-
+
 // Unpack the request.
- auto_ptr req(getRequest(in));
+ scoped_ptr req(getRequest(in));
 //m_log.debug("found %d client certificates", req->getClientCertificates().size());
 // Wrap a response shim.
- DDF ret(NULL);
+ DDF ret(nullptr);
 DDFJanitor jout(ret);
- auto_ptr resp(getResponse(ret));
-
+ scoped_ptr resp(getResponse(ret));
+
 // Since we're remoted, the result should either be a throw, a false/0 return,
 // which we just return as an empty structure, or a response/redirect,
 // which we capture in the facade and send back.
- processMessage(*app, *req.get(), *resp.get());
+ processMessage(*app, *req, *resp);
 out << ret;
 }
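Review bot: `DDF out,in = wrap(request);` drops the explicit `in.addmember("application_id")` the old code sent, yet `receive()` in the same hunk still reads `in["application_id"]` and throws `ConfigurationException` when it is absent; this is only correct if the one-argument `wrap()` now populates that member itself, which I cannot confirm because `wrap` is defined outside this file. A comment at the call such as `// wrap() supplies application_id, which receive() requires.` would make that cross-process contract visible. On the ACL side, the constructor default `"127.0.0.1 ::1"` widens the old fallback of `127.0.0.1` alone to include the IPv6 loopback, and the check is now invoked through `SecuredHandler::run` before the `InProcess`/`OutOfProcess` branch rather than under the old `InProcess` guard; whether the base class still restricts it to the in-process side is not visible here, so a line in the commit description would help. Minor: `catch (std::exception& ex)` only reads `ex.what()` and could bind `const std::exception&`.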
@@ -164,8 +156,14 @@ pair AssertionLookup::processMessage(const Application& application,
 m_log.debug("processing assertion lookup request (session: %s, assertion: %s)", key, ID);
 
- // The cache will either silently pass a session or NULL back, or throw an exception out.
- Session* session = application.getServiceProvider().getSessionCache()->find(key, application);
+ SessionCacheEx* cache = dynamic_cast(application.getServiceProvider().getSessionCache());
+ if (!cache) {
+ m_log.error("session cache does not support extended API");
+ throw FatalProfileException("Session cache does not support assertion lookup.");
+ }
+
+ // The cache will either silently pass a session or nullptr back, or throw an exception out.
+ Session* session = cache->find(application, key);
 if (!session) {
 m_log.error("valid session (%s) not found for assertion lookup", key);
 throw FatalProfileException("Session key not found.");
@@ -179,11 +177,11 @@ pair AssertionLookup::processMessage(const Application& application,
 throw FatalProfileException("Assertion not found.");
 }
 
- stringstream s;
- s << *assertion;
+ stringstream s;
+ s << *assertion;
 httpResponse.setContentType("application/samlassertion+xml");
 return make_pair(true, httpResponse.sendResponse(s));
 #else
- return make_pair(false,0);
+ return make_pair(false, 0L);
 #endif
 }
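Review bot: `Session* session = cache->find(application, key);` hands back a raw pointer with no scope guard, and the next hunk throws `FatalProfileException("Assertion not found.")` while that session is still in hand; if `find` returns the session locked, as session-cache lookups commonly do but which is not visible here, that throw would leave the lock held unless the lines between the two hunks, which are outside the diff, release it. Worth confirming, or adding a scoped release right after the `if (!session)` check so every exit path unlocks. The `dynamic_cast` guard on `SessionCacheEx` is a sound addition: the detailed reason goes to the error log and the thrown message stays generic, which is the right split for a handler reachable from the network. processMessage begins before this hunk and continues past it.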