X-Git-Url: http://www.project-moonshot.org/gitweb/?a=blobdiff_plain;f=util_saml.cpp;h=8722b841592ef5d72228e09b365c0782368a25e4;hb=e063ba4e45d12dbc1a397653f9e77228835e4a2b;hp=377cd60c2fad89e6de8b380ef3341fd517dba5ea;hpb=a31cb6c48de815120f895e75d2b08b8961b71633;p=mech_eap.git diff --git a/util_saml.cpp b/util_saml.cpp index 377cd60..8722b84 100644 --- a/util_saml.cpp +++ b/util_saml.cpp @@ -1,5 +1,5 @@ /* - * Copyright (c) 2010, JANET(UK) + * Copyright (c) 2011, JANET(UK) * All rights reserved. * * Redistribution and use in source and binary forms, with or without @@ -29,757 +29,694 @@ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. */ + /* - * Copyright 2001-2009 Internet2 - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. + * SAML attribute provider implementation. */ -#include -#include -#include "util.h" - -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include +#include "gssapiP_eap.h" + +#include -#include -#include -#include #include +#include #include #include +#include +#include + +#include +#include +#include +#include +#include -using namespace shibsp; +using namespace xmltooling; using namespace opensaml::saml2md; using namespace opensaml; -using namespace xmltooling::logging; -using namespace xmltooling; using namespace xercesc; using namespace std; -class GSSEAPResolver : public shibsp::AssertionConsumerService +/* + * gss_eap_saml_assertion_provider is for retrieving the underlying + * assertion. + */ +gss_eap_saml_assertion_provider::gss_eap_saml_assertion_provider(void) { -public: - GSSEAPResolver(const DOMElement *e, const char *appId) - : shibsp::AssertionConsumerService(e, appId, Category::getInstance(SHIBSP_LOGCAT".GSSEAPResolver")) { - } - virtual ~GSSEAPResolver() {} - - ResolutionContext* resolveAttributes ( - const Application& application, - const RoleDescriptor* issuer, - const XMLCh* protocol, - const saml1::NameIdentifier* v1nameid, - const saml2::NameID* nameid, - const XMLCh* authncontext_class, - const XMLCh* authncontext_decl, - const vector* tokens - ) const { - return shibsp::AssertionConsumerService::resolveAttributes( - application, issuer, protocol, v1nameid, - nameid, authncontext_class, authncontext_decl, tokens - ); - } - -private: - void implementProtocol( - const Application& application, - const HTTPRequest& httpRequest, - HTTPResponse& httpResponse, - SecurityPolicy& policy, - const PropertySet* settings, - const XMLObject& xmlObject - ) const { - throw FatalProfileException("Should never be called."); - } -}; + m_assertion = NULL; + m_authenticated = false; +} -struct eap_gss_saml_attr_ctx { -public: - eap_gss_saml_attr_ctx(); - eap_gss_saml_attr_ctx(const gss_buffer_t buffer); - eap_gss_saml_attr_ctx(const Assertion *assertion); +gss_eap_saml_assertion_provider::~gss_eap_saml_assertion_provider(void) +{ + delete m_assertion; +} - eap_gss_saml_attr_ctx(const vector& attributes, - const Assertion *assertion); +bool +gss_eap_saml_assertion_provider::initFromExistingContext(const gss_eap_attr_ctx *manager, + const gss_eap_attr_provider *ctx) +{ + /* Then we may be creating from an existing attribute context */ + const gss_eap_saml_assertion_provider *saml; - eap_gss_saml_attr_ctx(const eap_gss_saml_attr_ctx &ctx) { - eap_gss_saml_attr_ctx(ctx.m_attributes, ctx.m_assertion); - } + assert(m_assertion == NULL); - ~eap_gss_saml_attr_ctx(); + if (!gss_eap_attr_provider::initFromExistingContext(manager, ctx)) + return false; - const vector getAttributes(void) const { - return m_attributes; - } + saml = static_cast(ctx); + setAssertion(saml->getAssertion(), saml->authenticated()); - void addAttribute(Attribute *attr, bool copy = true); - void setAttributes(const vector attributes); + return true; +} - void setAttribute(int complete, - const gss_buffer_t attr, - const gss_buffer_t value); - void deleteAttribute(const gss_buffer_t attr); +bool +gss_eap_saml_assertion_provider::initFromGssContext(const gss_eap_attr_ctx *manager, + const gss_cred_id_t gssCred, + const gss_ctx_id_t gssCtx) +{ + const gss_eap_radius_attr_provider *radius; + gss_buffer_desc value = GSS_C_EMPTY_BUFFER; + int authenticated, complete; + OM_uint32 minor; - int getAttributeIndex(const gss_buffer_t attr) const; - const Attribute *getAttribute(const gss_buffer_t attr) const; + assert(m_assertion == NULL); - bool getAttribute(const gss_buffer_t attr, - int *authenticated, - int *complete, - gss_buffer_t value, - gss_buffer_t display_value, - int *more); + if (!gss_eap_attr_provider::initFromGssContext(manager, gssCred, gssCtx)) + return false; - const Assertion *getAssertion(void) const { - return m_assertion; + /* + * XXX TODO we need to support draft-howlett-radius-saml-attr-00 + */ + radius = static_cast + (m_manager->getProvider(ATTR_TYPE_RADIUS)); + if (radius != NULL && + radius->getFragmentedAttribute(PW_SAML_AAA_ASSERTION, + VENDORPEC_UKERNA, + &authenticated, &complete, &value)) { + setAssertion(&value, authenticated); + gss_release_buffer(&minor, &value); + } else { + m_assertion = NULL; } - bool getAssertion(gss_buffer_t buffer); - - DDF marshall() const; - static eap_gss_saml_attr_ctx *unmarshall(DDF &in); - - void marshall(gss_buffer_t buffer); - static eap_gss_saml_attr_ctx *unmarshall(const gss_buffer_t buffer); - -private: - mutable vector m_attributes; - mutable Assertion *m_assertion; - - bool parseAssertion(const gss_buffer_t buffer); -}; - -eap_gss_saml_attr_ctx::eap_gss_saml_attr_ctx(const vector& attributes, - const Assertion *assertion) -{ - m_assertion = dynamic_cast(assertion->clone()); - setAttributes(attributes); + return true; } -eap_gss_saml_attr_ctx::~eap_gss_saml_attr_ctx() +void +gss_eap_saml_assertion_provider::setAssertion(const saml2::Assertion *assertion, + bool authenticated) { - for_each(m_attributes.begin(), m_attributes.end(), xmltooling::cleanup()); + delete m_assertion; -} -eap_gss_saml_attr_ctx::eap_gss_saml_attr_ctx(const gss_buffer_t buffer) -{ - parseAssertion(buffer); + if (assertion != NULL) { +#ifdef __APPLE__ + m_assertion = (saml2::Assertion *)((void *)assertion->clone()); +#else + m_assertion = dynamic_cast(assertion->clone()); +#endif + m_authenticated = authenticated; + } else { + m_assertion = NULL; + m_authenticated = false; + } } -static OM_uint32 -mapException(OM_uint32 *minor, exception &e) +void +gss_eap_saml_assertion_provider::setAssertion(const gss_buffer_t buffer, + bool authenticated) { - *minor = 0; - return GSS_S_FAILURE; + delete m_assertion; + + m_assertion = parseAssertion(buffer); + m_authenticated = (m_assertion != NULL && authenticated); } -bool -eap_gss_saml_attr_ctx::parseAssertion(const gss_buffer_t buffer) +saml2::Assertion * +gss_eap_saml_assertion_provider::parseAssertion(const gss_buffer_t buffer) { - DOMDocument *doc; - const XMLObjectBuilder *b; - DOMElement *elem; - XMLObject *xobj; string str((char *)buffer->value, buffer->length); istringstream istream(str); + DOMDocument *doc; + const XMLObjectBuilder *b; - doc = XMLToolingConfig::getConfig().getParser().parse(istream); - b = XMLObjectBuilder::getDefaultBuilder(); - elem = doc->getDocumentElement(); - xobj = b->buildOneFromElement(elem, true); + try { + doc = XMLToolingConfig::getConfig().getParser().parse(istream); + if (doc == NULL) + return NULL; - m_assertion = dynamic_cast(xobj); + b = XMLObjectBuilder::getBuilder(doc->getDocumentElement()); - return (m_assertion != NULL); -} - -static inline void -duplicateBuffer(gss_buffer_desc &src, gss_buffer_t dst) -{ - OM_uint32 minor; - - if (GSS_ERROR(duplicateBuffer(&minor, &src, dst))) - throw new bad_alloc(); +#ifdef __APPLE__ + return (saml2::Assertion *)((void *)b->buildFromDocument(doc)); +#else + return dynamic_cast(b->buildFromDocument(doc)); +#endif + } catch (exception &e) { + return NULL; + } } -static inline void -duplicateBuffer(string &str, gss_buffer_t buffer) +bool +gss_eap_saml_assertion_provider::getAttributeTypes(gss_eap_attr_enumeration_cb addAttribute, + void *data) const { - gss_buffer_desc tmp; + bool ret; - tmp.length = str.length(); - tmp.value = (char *)str.c_str(); + /* just add the prefix */ + if (m_assertion != NULL) + ret = addAttribute(m_manager, this, GSS_C_NO_BUFFER, data); + else + ret = true; - duplicateBuffer(tmp, buffer); + return ret; } -DDF -eap_gss_saml_attr_ctx::marshall() const +bool +gss_eap_saml_assertion_provider::setAttribute(int complete GSSEAP_UNUSED, + const gss_buffer_t attr, + const gss_buffer_t value) { - DDF obj(NULL); - DDF attrs; - DDF assertion; - - obj.addmember("version").integer(1); - - attrs = obj.addmember("attributes").list(); - for (vector::const_iterator a = m_attributes.begin(); - a != m_attributes.end(); ++a) { - DDF attr = (*a)->marshall(); - attrs.add(attr); + if (attr == GSS_C_NO_BUFFER || attr->length == 0) { + setAssertion(value); + return true; } - ostringstream sink; - sink << *m_assertion; - assertion = obj.addmember("assertion").string(sink.str().c_str()); - - return obj; + return false; } -eap_gss_saml_attr_ctx * -eap_gss_saml_attr_ctx::unmarshall(DDF &obj) +bool +gss_eap_saml_assertion_provider::deleteAttribute(const gss_buffer_t value GSSEAP_UNUSED) { - eap_gss_saml_attr_ctx *ctx = new eap_gss_saml_attr_ctx(); - - DDF version = obj["version"]; - if (version.integer() != 1) - return NULL; - - DDF assertion = obj["assertion"]; - gss_buffer_desc buffer; - - if (!assertion.isnull()) { - buffer.length = assertion.strlen(); - buffer.value = (void *)assertion.string(); - } else { - buffer.length = 0; - } - - if (buffer.length != 0) - ctx->parseAssertion(&buffer); - - DDF attrs = obj["attributes"]; - DDF attr = attrs.first(); - while (!attr.isnull()) { - Attribute *attribute = Attribute::unmarshall(attr); - ctx->addAttribute(attribute, false); - attr = attrs.next(); - } + delete m_assertion; + m_assertion = NULL; + m_authenticated = false; - return ctx; + return true; } -void -eap_gss_saml_attr_ctx::marshall(gss_buffer_t buffer) +time_t +gss_eap_saml_assertion_provider::getExpiryTime(void) const { - DDF obj = marshall(); - ostringstream sink; - sink << obj; - string str = sink.str(); + saml2::Conditions *conditions; + time_t expiryTime = 0; - duplicateBuffer(str, buffer); - - obj.destroy(); -} + if (m_assertion == NULL) + return 0; -eap_gss_saml_attr_ctx * -eap_gss_saml_attr_ctx::unmarshall(const gss_buffer_t buffer) -{ - eap_gss_saml_attr_ctx *ctx; + conditions = m_assertion->getConditions(); - string str((const char *)buffer->value, buffer->length); - istringstream source(str); - DDF obj(NULL); - source >> obj; + if (conditions != NULL && conditions->getNotOnOrAfter() != NULL) + expiryTime = conditions->getNotOnOrAfter()->getEpoch(); - ctx = unmarshall(obj); + return expiryTime; +} - obj.destroy(); +OM_uint32 +gss_eap_saml_assertion_provider::mapException(OM_uint32 *minor, + std::exception &e) const +{ + if (typeid(e) == typeid(SecurityPolicyException)) + *minor = GSSEAP_SAML_SEC_POLICY_FAILURE; + else if (typeid(e) == typeid(BindingException)) + *minor = GSSEAP_SAML_BINDING_FAILURE; + else if (typeid(e) == typeid(ProfileException)) + *minor = GSSEAP_SAML_PROFILE_FAILURE; + else if (typeid(e) == typeid(FatalProfileException)) + *minor = GSSEAP_SAML_FATAL_PROFILE_FAILURE; + else if (typeid(e) == typeid(RetryableProfileException)) + *minor = GSSEAP_SAML_RETRY_PROFILE_FAILURE; + else if (typeid(e) == typeid(MetadataException)) + *minor = GSSEAP_SAML_METADATA_FAILURE; + else + return GSS_S_CONTINUE_NEEDED; - return ctx; + return GSS_S_FAILURE; } bool -eap_gss_saml_attr_ctx::getAssertion(gss_buffer_t buffer) +gss_eap_saml_assertion_provider::getAttribute(const gss_buffer_t attr, + int *authenticated, + int *complete, + gss_buffer_t value, + gss_buffer_t display_value GSSEAP_UNUSED, + int *more) const { string str; + if (attr != GSS_C_NO_BUFFER && attr->length != 0) + return false; + if (m_assertion == NULL) return false; - buffer->value = NULL; - buffer->length = 0; + if (*more != -1) + return false; + + if (authenticated != NULL) + *authenticated = m_authenticated; + if (complete != NULL) + *complete = true; XMLHelper::serialize(m_assertion->marshall((DOMDocument *)NULL), str); - duplicateBuffer(str, buffer); + duplicateBuffer(str, value); + *more = 0; return true; } -static Attribute * -duplicateAttribute(const Attribute *src) +gss_any_t +gss_eap_saml_assertion_provider::mapToAny(int authenticated, + gss_buffer_t type_id GSSEAP_UNUSED) const { - Attribute *attribute; + if (authenticated && !m_authenticated) + return (gss_any_t)NULL; - DDF obj = src->marshall(); - attribute = Attribute::unmarshall(obj); - obj.destroy(); - - return attribute; + return (gss_any_t)m_assertion; } -static vector -duplicateAttributes(const vector src) +void +gss_eap_saml_assertion_provider::releaseAnyNameMapping(gss_buffer_t type_id GSSEAP_UNUSED, + gss_any_t input) const { - vector dst; + delete ((saml2::Assertion *)input); +} - for (vector::const_iterator a = src.begin(); - a != src.end(); - ++a) - dst.push_back(duplicateAttribute(*a)); +const char * +gss_eap_saml_assertion_provider::prefix(void) const +{ + return "urn:ietf:params:gss-eap:saml-aaa-assertion"; +} - return dst; +bool +gss_eap_saml_assertion_provider::init(void) +{ + gss_eap_attr_ctx::registerProvider(ATTR_TYPE_SAML_ASSERTION, createAttrContext); + return true; } void -eap_gss_saml_attr_ctx::addAttribute(Attribute *attribute, bool copy) +gss_eap_saml_assertion_provider::finalize(void) { - Attribute *a; + gss_eap_attr_ctx::unregisterProvider(ATTR_TYPE_SAML_ASSERTION); +} - a = copy ? duplicateAttribute(attribute) : attribute; +gss_eap_attr_provider * +gss_eap_saml_assertion_provider::createAttrContext(void) +{ + return new gss_eap_saml_assertion_provider; +} - m_attributes.push_back(a); +saml2::Assertion * +gss_eap_saml_assertion_provider::initAssertion(void) +{ + delete m_assertion; + m_assertion = saml2::AssertionBuilder::buildAssertion(); + m_authenticated = false; + + return m_assertion; } -void -eap_gss_saml_attr_ctx::setAttributes(const vector attributes) +/* + * gss_eap_saml_attr_provider is for retrieving the underlying attributes. + */ +bool +gss_eap_saml_attr_provider::getAssertion(int *authenticated, + saml2::Assertion **pAssertion, + bool createIfAbsent) const { - for_each(m_attributes.begin(), m_attributes.end(), xmltooling::cleanup()); - m_attributes = duplicateAttributes(attributes); + gss_eap_saml_assertion_provider *saml; + + if (authenticated != NULL) + *authenticated = false; + if (pAssertion != NULL) + *pAssertion = NULL; + + saml = static_cast + (m_manager->getProvider(ATTR_TYPE_SAML_ASSERTION)); + if (saml == NULL) + return false; + + if (authenticated != NULL) + *authenticated = saml->authenticated(); + if (pAssertion != NULL) + *pAssertion = saml->getAssertion(); + + if (saml->getAssertion() == NULL) { + if (createIfAbsent) { + if (authenticated != NULL) + *authenticated = false; + if (pAssertion != NULL) + *pAssertion = saml->initAssertion(); + } else + return false; + } + + return true; } -int -eap_gss_saml_attr_ctx::getAttributeIndex(const gss_buffer_t attr) const +bool +gss_eap_saml_attr_provider::getAttributeTypes(gss_eap_attr_enumeration_cb addAttribute, + void *data) const { - int i = 0; + saml2::Assertion *assertion; + int authenticated; - for (vector::const_iterator a = getAttributes().begin(); - a != getAttributes().end(); - ++a) - { - for (vector::const_iterator s = (*a)->getAliases().begin(); - s != (*a)->getAliases().end(); - ++s) { - if (attr->length == (*s).length() && - memcmp((*s).c_str(), attr->value, attr->length) == 0) { - return i; - } + if (!getAssertion(&authenticated, &assertion)) + return true; + + /* + * Note: the first prefix is added by the attribute provider manager + * + * From draft-hartman-gss-eap-naming-00: + * + * Each attribute carried in the assertion SHOULD also be a GSS name + * attribute. The name of this attribute has three parts, all separated + * by an ASCII space character. The first part is + * urn:ietf:params:gss-eap:saml-attr. The second part is the URI for + * the SAML attribute name format. The final part is the name of the + * SAML attribute. If the mechanism performs an additional attribute + * query, the retrieved attributes SHOULD be GSS-API name attributes + * using the same name syntax. + */ + /* For each attribute statement, look for an attribute match */ + const vector &statements = + const_cast(assertion)->getAttributeStatements(); + + for (vector::const_iterator s = statements.begin(); + s != statements.end(); + ++s) { + const vector &attrs = + const_cast(*s)->getAttributes(); + + for (vector::const_iterator a = attrs.begin(); a != attrs.end(); ++a) { + const XMLCh *attributeName, *attributeNameFormat; + XMLCh *qualifiedName; + XMLCh space[2] = { ' ', 0 }; + gss_buffer_desc utf8; + bool ret; + + attributeName = (*a)->getName(); + attributeNameFormat = (*a)->getNameFormat(); + if (attributeNameFormat == NULL || attributeNameFormat[0] == '\0') + attributeNameFormat = saml2::Attribute::UNSPECIFIED; + + qualifiedName = new XMLCh[XMLString::stringLen(attributeNameFormat) + 1 + + XMLString::stringLen(attributeName) + 1]; + XMLString::copyString(qualifiedName, attributeNameFormat); + XMLString::catString(qualifiedName, space); + XMLString::catString(qualifiedName, attributeName); + + utf8.value = (void *)toUTF8(qualifiedName); + utf8.length = strlen((char *)utf8.value); + + ret = addAttribute(m_manager, this, &utf8, data); + + delete qualifiedName; + + if (!ret) + return ret; } } - return -1; + return true; } -const Attribute * -eap_gss_saml_attr_ctx::getAttribute(const gss_buffer_t attr) const +static BaseRefVectorOf * +decomposeAttributeName(const gss_buffer_t attr) { - const Attribute *ret = NULL; + XMLCh *qualifiedAttr = new XMLCh[attr->length + 1]; + XMLString::transcode((const char *)attr->value, qualifiedAttr, attr->length); - for (vector::const_iterator a = getAttributes().begin(); - a != getAttributes().end(); - ++a) - { - for (vector::const_iterator s = (*a)->getAliases().begin(); - s != (*a)->getAliases().end(); - ++s) { - if (attr->length == (*s).length() && - memcmp((*s).c_str(), attr->value, attr->length) == 0) { - ret = *a; - break; - } - } - if (ret != NULL) - break; + BaseRefVectorOf *components = XMLString::tokenizeString(qualifiedAttr); + + delete qualifiedAttr; + + if (components->size() != 2) { + delete components; + components = NULL; } - return ret; + return components; } bool -eap_gss_saml_attr_ctx::getAttribute(const gss_buffer_t attr, - int *authenticated, - int *complete, - gss_buffer_t value, - gss_buffer_t display_value, - int *more) -{ - const Attribute *shibAttr = NULL; - gss_buffer_desc buf; - - shibAttr = getAttribute(attr); - if (shibAttr == NULL) +gss_eap_saml_attr_provider::setAttribute(int complete GSSEAP_UNUSED, + const gss_buffer_t attr, + const gss_buffer_t value) +{ + saml2::Assertion *assertion; + saml2::Attribute *attribute; + saml2::AttributeValue *attributeValue; + saml2::AttributeStatement *attributeStatement; + + if (!getAssertion(NULL, &assertion, true)) return false; - if (*more == -1) { - *more = 0; - } else if (*more >= (int)shibAttr->valueCount()) { - *more = 0; - return true; + if (assertion->getAttributeStatements().size() != 0) { + attributeStatement = assertion->getAttributeStatements().front(); + } else { + attributeStatement = saml2::AttributeStatementBuilder::buildAttributeStatement(); + assertion->getAttributeStatements().push_back(attributeStatement); } - buf.value = (void *)shibAttr->getString(*more); - buf.length = strlen((char *)buf.value); + /* Check the attribute name consists of name format | whsp | name */ + BaseRefVectorOf *components = decomposeAttributeName(attr); + if (components == NULL) + return false; - duplicateBuffer(buf, value); - - *authenticated = TRUE; - *complete = FALSE; + attribute = saml2::AttributeBuilder::buildAttribute(); + attribute->setNameFormat(components->elementAt(0)); + attribute->setName(components->elementAt(1)); - return true; -} + XMLCh *xmlValue = new XMLCh[value->length + 1]; + XMLString::transcode((const char *)value->value, xmlValue, attr->length); -void -eap_gss_saml_attr_ctx::setAttribute(int complete, - const gss_buffer_t attr, - const gss_buffer_t value) -{ - string attrStr((char *)attr->value, attr->length); - vector ids(1); - SimpleAttribute *a; + attributeValue = saml2::AttributeValueBuilder::buildAttributeValue(); + attributeValue->setTextContent(xmlValue); - ids.push_back(attrStr); + attribute->getAttributeValues().push_back(attributeValue); - a = new SimpleAttribute(ids); + assert(attributeStatement != NULL); + attributeStatement->getAttributes().push_back(attribute); - if (value->length != 0) { - string valStr((char *)value->value, value->length); + delete components; + delete xmlValue; - a->getValues().push_back(valStr); - } - - m_attributes.push_back(a); + return true; } -void -eap_gss_saml_attr_ctx::deleteAttribute(const gss_buffer_t attr) +bool +gss_eap_saml_attr_provider::deleteAttribute(const gss_buffer_t attr) { - int i; + saml2::Assertion *assertion; + bool ret = false; - i = getAttributeIndex(attr); - if (i >= 0) - m_attributes.erase(m_attributes.begin() + i); -} + if (!getAssertion(NULL, &assertion) || + assertion->getAttributeStatements().size() == 0) + return false; -OM_uint32 -samlReleaseAttrContext(OM_uint32 *minor, - struct eap_gss_saml_attr_ctx **pCtx) -{ - eap_gss_saml_attr_ctx *ctx = *pCtx; + /* Check the attribute name consists of name format | whsp | name */ + BaseRefVectorOf *components = decomposeAttributeName(attr); + if (components == NULL) + return false; - if (ctx != NULL) { - delete ctx; - *pCtx = NULL; + /* For each attribute statement, look for an attribute match */ + const vector &statements = + const_cast(assertion)->getAttributeStatements(); + + for (vector::const_iterator s = statements.begin(); + s != statements.end(); + ++s) { + const vector &attrs = + const_cast(*s)->getAttributes(); + ssize_t index = -1, i = 0; + + /* There's got to be an easier way to do this */ + for (vector::const_iterator a = attrs.begin(); + a != attrs.end(); + ++a) { + if (XMLString::equals((*a)->getNameFormat(), components->elementAt(0)) && + XMLString::equals((*a)->getName(), components->elementAt(1))) { + index = i; + break; + } + ++i; + } + if (index != -1) { + (*s)->getAttributes().erase((*s)->getAttributes().begin() + index); + ret = true; + } } - *minor = 0; - return GSS_S_COMPLETE; + delete components; + + return ret; } -OM_uint32 -samlCreateAttrContext(OM_uint32 *minor, - gss_buffer_t buffer, - gss_name_t acceptorName, - struct eap_gss_saml_attr_ctx **pCtx, - time_t *pExpiryTime) -{ - OM_uint32 major, tmpMinor; - eap_gss_saml_attr_ctx *ctx = NULL; - SPConfig &conf = SPConfig::getConfig(); - ServiceProvider *sp; - const Application *app; - MetadataProvider *m; - gss_buffer_desc nameBuf; - const XMLCh *issuer = NULL; - saml2::NameID *subjectName = NULL; +bool +gss_eap_saml_attr_provider::getAttribute(const gss_buffer_t attr, + int *authenticated, + int *complete, + const saml2::Attribute **pAttribute) const +{ saml2::Assertion *assertion; - ResolutionContext *resolverContext; - nameBuf.length = 0; - nameBuf.value = NULL; + if (authenticated != NULL) + *authenticated = false; + if (complete != NULL) + *complete = true; + *pAttribute = NULL; - conf.setFeatures(SPConfig::Metadata | - SPConfig::Trust | - SPConfig::AttributeResolution | - SPConfig::Credentials | - SPConfig::OutOfProcess); - if (!conf.init()) - return GSS_S_FAILURE; - if (!conf.instantiate()) - return GSS_S_FAILURE; + if (!getAssertion(authenticated, &assertion) || + assertion->getAttributeStatements().size() == 0) + return false; - sp = conf.getServiceProvider(); - sp->lock(); + /* Check the attribute name consists of name format | whsp | name */ + BaseRefVectorOf *components = decomposeAttributeName(attr); + if (components == NULL) + return false; - major = gss_display_name(minor, acceptorName, &nameBuf, NULL); - if (GSS_ERROR(major)) - goto cleanup; + /* For each attribute statement, look for an attribute match */ + const vector &statements = + const_cast(assertion)->getAttributeStatements(); + const saml2::Attribute *ret = NULL; - app = sp->getApplication((const char *)nameBuf.value); - if (app == NULL) { - major = GSS_S_FAILURE; - goto cleanup; - } + for (vector::const_iterator s = statements.begin(); + s != statements.end(); + ++s) { + const vector &attrs = + const_cast(*s)->getAttributes(); - try { - ctx = new eap_gss_saml_attr_ctx(buffer); - - if (assertion->getIssuer() != NULL) - issuer = assertion->getIssuer()->getName(); - if (assertion->getSubject() != NULL) - subjectName = assertion->getSubject()->getNameID(); - if (assertion->getConditions()) - *pExpiryTime = assertion->getConditions()->getNotOnOrAfter()->getEpoch(); - - m = app->getMetadataProvider(); - xmltooling::Locker mlocker(m); - MetadataProviderCriteria mc(*app, issuer, - &IDPSSODescriptor::ELEMENT_QNAME, - samlconstants::SAML20P_NS); - pair site = - m->getEntityDescriptor(mc); - if (!site.first) { - auto_ptr_char temp(issuer); - throw MetadataException("Unable to locate metadata for IdP ($1).", - params(1,temp.get())); + for (vector::const_iterator a = attrs.begin(); a != attrs.end(); ++a) { + const XMLCh *attributeName, *attributeNameFormat; + + attributeName = (*a)->getName(); + attributeNameFormat = (*a)->getNameFormat(); + if (attributeNameFormat == NULL || attributeNameFormat[0] == '\0') + attributeNameFormat = saml2::Attribute::UNSPECIFIED; + + if (XMLString::equals(attributeNameFormat, components->elementAt(0)) && + XMLString::equals(attributeName, components->elementAt(1))) { + ret = *a; + break; + } } - vector tokens(1, assertion); - GSSEAPResolver gssResolver(NULL, (const char *)nameBuf.value); - resolverContext = gssResolver.resolveAttributes(*app, site.second, - samlconstants::SAML20P_NS, - NULL, subjectName, NULL, - NULL, &tokens); - ctx->setAttributes(resolverContext->getResolvedAttributes()); - } catch (exception &ex) { - major = mapException(minor, ex); - goto cleanup; - } - major = GSS_S_COMPLETE; - *pCtx = ctx; + if (ret != NULL) + break; + } -cleanup: - sp->unlock(); - conf.term(); + delete components; - if (GSS_ERROR(major)) - delete ctx; - gss_release_buffer(&tmpMinor, &nameBuf); + *pAttribute = ret; - return major; + return (ret != NULL); } -OM_uint32 -samlGetAttributeTypes(OM_uint32 *minor, - const struct eap_gss_saml_attr_ctx *ctx, - void *data, - OM_uint32 (*addAttribute)(OM_uint32 *, void *, gss_buffer_t)) +bool +gss_eap_saml_attr_provider::getAttribute(const gss_buffer_t attr, + int *authenticated, + int *complete, + gss_buffer_t value, + gss_buffer_t display_value, + int *more) const { - OM_uint32 major = GSS_S_COMPLETE; + const saml2::Attribute *a; + const saml2::AttributeValue *av; + int nvalues, i = *more; - if (ctx == NULL) - return GSS_S_COMPLETE; + *more = 0; - for (vector::const_iterator a = ctx->getAttributes().begin(); - a != ctx->getAttributes().end(); - ++a) - { - gss_buffer_desc attribute; + if (!getAttribute(attr, authenticated, complete, &a)) + return false; - attribute.value = (void *)((*a)->getId()); - attribute.length = strlen((char *)attribute.value); + nvalues = a->getAttributeValues().size(); - major = addAttribute(minor, data, &attribute); - if (GSS_ERROR(major)) - break; + if (i == -1) + i = 0; + else if (i >= nvalues) + return false; +#ifdef __APPLE__ + av = (const saml2::AttributeValue *)((void *)(a->getAttributeValues().at(i))); +#else + av = dynamic_cast(a->getAttributeValues().at(i)); +#endif + if (av != NULL) { + if (value != NULL) { + value->value = toUTF8(av->getTextContent(), true); + value->length = strlen((char *)value->value); + } + if (display_value != NULL) { + display_value->value = toUTF8(av->getTextContent(), true); + display_value->length = strlen((char *)value->value); + } } - return major; -} - -/* - * SAML implementation of gss_get_name_attribute - */ -OM_uint32 -samlGetAttribute(OM_uint32 *minor, - struct eap_gss_saml_attr_ctx *ctx, - gss_buffer_t attr, - int *authenticated, - int *complete, - gss_buffer_t value, - gss_buffer_t display_value, - int *more) -{ - if (ctx == NULL) - return GSS_S_UNAVAILABLE; - - if (!ctx->getAttribute(attr, authenticated, complete, - value, display_value, more)) - return GSS_S_UNAVAILABLE; + if (nvalues > ++i) + *more = i; - return GSS_S_COMPLETE; + return true; } -OM_uint32 -samlSetAttribute(OM_uint32 *minor, - struct eap_gss_saml_attr_ctx *ctx, - int complete, - gss_buffer_t attr, - gss_buffer_t value) +gss_any_t +gss_eap_saml_attr_provider::mapToAny(int authenticated GSSEAP_UNUSED, + gss_buffer_t type_id GSSEAP_UNUSED) const { - try { - ctx->setAttribute(complete, attr, value); - } catch (exception &e) { - return mapException(minor, e); - } - - return GSS_S_COMPLETE; + return (gss_any_t)NULL; } -OM_uint32 -samlDeleteAttribute(OM_uint32 *minor, - struct eap_gss_saml_attr_ctx *ctx, - gss_buffer_t attr) +void +gss_eap_saml_attr_provider::releaseAnyNameMapping(gss_buffer_t type_id GSSEAP_UNUSED, + gss_any_t input GSSEAP_UNUSED) const { - try { - ctx->deleteAttribute(attr); - } catch (exception &e) { - return mapException(minor, e); - } - - return GSS_S_COMPLETE; } -/* - * In order to implement gss_export_name and gss_export_sec_context, - * we need to serialise a resolved attribute context to a buffer. - */ -OM_uint32 -samlExportAttrContext(OM_uint32 *minor, - struct eap_gss_saml_attr_ctx *ctx, - gss_buffer_t buffer) +const char * +gss_eap_saml_attr_provider::prefix(void) const { - try { - ctx->marshall(buffer); - } catch (exception &e) { - return mapException(minor, e); - } - - return GSS_S_COMPLETE; + return "urn:ietf:params:gss-eap:saml-attr"; } -/* - * In order to implement gss_import_name and gss_import_sec_context, - * we need to deserialise a resolved attribute context from a buffer. - */ -OM_uint32 -samlImportAttrContext(OM_uint32 *minor, - gss_buffer_t buffer, - struct eap_gss_saml_attr_ctx **pCtx) +bool +gss_eap_saml_attr_provider::init(void) { - try { - *pCtx = eap_gss_saml_attr_ctx::unmarshall(buffer); - } catch (exception &e) { - return mapException(minor, e); - } - - return GSS_S_COMPLETE; + gss_eap_attr_ctx::registerProvider(ATTR_TYPE_SAML, createAttrContext); + return true; } -OM_uint32 -samlGetAssertion(OM_uint32 *minor, - struct eap_gss_saml_attr_ctx *ctx, - gss_buffer_t assertion) +void +gss_eap_saml_attr_provider::finalize(void) { - try { - ctx->getAssertion(assertion); - } catch (exception &e) { - return mapException(minor, e); - } - - return GSS_S_COMPLETE; + gss_eap_attr_ctx::unregisterProvider(ATTR_TYPE_SAML); } -OM_uint32 -samlDuplicateAttrContext(OM_uint32 *minor, - const struct eap_gss_saml_attr_ctx *in, - struct eap_gss_saml_attr_ctx **out) +gss_eap_attr_provider * +gss_eap_saml_attr_provider::createAttrContext(void) { - try { - *out = new eap_gss_saml_attr_ctx(*in); - } catch (exception &e) { - return mapException(minor, e); - } - - return GSS_S_COMPLETE; + return new gss_eap_saml_attr_provider; } OM_uint32 -samlMapNametoAny(OM_uint32 *minor, - const struct eap_gss_saml_attr_ctx *ctx, - int authenticated, - gss_buffer_t type_id, - gss_any_t *output) -{ - if (bufferEqualString(type_id, "shibsp::Attribute")) { - vector v = duplicateAttributes(ctx->getAttributes()); - - *output = (gss_any_t)new vector (v); - } else if (bufferEqualString(type_id, "opensaml::Assertion")) { - *output = (gss_any_t)ctx->getAssertion()->clone(); - } else { - *output = (gss_any_t)NULL; - return GSS_S_UNAVAILABLE; +gssEapSamlAttrProvidersInit(OM_uint32 *minor) +{ + if (!gss_eap_saml_assertion_provider::init() || + !gss_eap_saml_attr_provider::init()) { + *minor = GSSEAP_SAML_INIT_FAILURE; + return GSS_S_FAILURE; } return GSS_S_COMPLETE; } OM_uint32 -samlReleaseAnyNameMapping(OM_uint32 *minor, - const struct eap_gss_saml_attr_ctx *ctx, - gss_buffer_t type_id, - gss_any_t *input) -{ - if (bufferEqualString(type_id, "vector")) { - vector *v = ((vector *)*input); - delete v; - } else if (bufferEqualString(type_id, "opensaml::Assertion")) { - delete (Assertion *)*input; - } else { - return GSS_S_UNAVAILABLE; - } +gssEapSamlAttrProvidersFinalize(OM_uint32 *minor) +{ + gss_eap_saml_attr_provider::finalize(); + gss_eap_saml_assertion_provider::finalize(); - *input = (gss_any_t)NULL; + *minor = 0; return GSS_S_COMPLETE; }