From: Scott Cantor Date: Fri, 5 Jan 2007 05:50:01 +0000 (+0000) Subject: Moved credential resolver map inside SP. X-Git-Tag: 2.0-alpha1~169 X-Git-Url: http://www.project-moonshot.org/gitweb/?a=commitdiff_plain;h=a576ef39778fb49c075a8a7015ae1e7a790e096b;p=shibboleth%2Fcpp-sp.git Moved credential resolver map inside SP. --- diff --git a/.cdtproject b/.cdtproject index 4563ddd..901182e 100644 --- a/.cdtproject +++ b/.cdtproject @@ -1,13 +1,13 @@ - + - + - + diff --git a/shib-target/ArtifactMapper.cpp b/shib-target/ArtifactMapper.cpp index 9f43e44..c0ab6a9 100644 --- a/shib-target/ArtifactMapper.cpp +++ b/shib-target/ArtifactMapper.cpp @@ -68,8 +68,7 @@ SAMLResponse* STArtifactMapper::resolve(SAMLRequest* request) pair signingCred=credUse ? credUse->getString("Signing") : pair(false,NULL); if (signRequest.first && signRequest.second && signingCred.first) { if (request->getMinorVersion()==1) { - shibboleth::Credentials creds(ShibTargetConfig::getConfig().getINI()->getCredentialsProviders()); - CredentialResolver* cr=creds.lookup(signingCred.second); + CredentialResolver* cr=ShibTargetConfig::getConfig().getINI()->getCredentialResolver(signingCred.second); if (cr) { xmltooling::Locker locker(cr); request->sign(cr->getKey(),cr->getCertificates(),signatureAlg.second,digestAlg.second); diff --git a/shib-target/ShibHTTPHook.cpp b/shib-target/ShibHTTPHook.cpp index 002a65d..12c3eed 100644 --- a/shib-target/ShibHTTPHook.cpp +++ b/shib-target/ShibHTTPHook.cpp @@ -76,7 +76,7 @@ static int verify_callback(X509_STORE_CTX* x509_ctx, void* arg) static bool ssl_ctx_callback(void* ssl_ctx, void* userptr) { #ifdef _DEBUG - saml::NDC("ssl_ctx_callback"); + xmltooling::NDC("ssl_ctx_callback"); #endif Category& log=Category::getInstance(SHIBT_LOGCAT".ShibHTTPHook"); 
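Review bot: A lookup miss is still fail-open in the ArtifactMapper hunk: when `getCredentialResolver(signingCred.second)` returns NULL (the Id is absent from the new map, or its resolver failed to instantiate at load time and was only logged), the `if (cr)` branch is skipped and the artifact request is sent unsigned even though `signRequest` was configured. The old `Credentials::lookup` path had the same shape, so this is pre-existing, but the commit changes what a miss means (a typo in a `Signing` Id now goes quiet instead of surfacing from the provider), so I would add an `else` that reports it, e.g. `else log.error("no CredentialResolver with Id (%s), artifact request will not be signed", signingCred.second);` using whichever logger `STArtifactMapper::resolve` has in scope (not visible here). Whether signing should be hard-fail rather than skip is a policy call, but silently downgrading is the worst of the options. `resolve()` starts and ends outside this hunk.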
@@ -86,8 +86,7 @@ static bool ssl_ctx_callback(void* ssl_ctx, void* userptr) const PropertySet* credUse=ctx->getCredentialUse(); pair TLS=credUse ? credUse->getString("TLS") : pair(false,NULL); if (TLS.first) { - Credentials c(ctx->getHook()->getCredentialProviders()); - OpenSSLCredentialResolver* cr=dynamic_cast(c.lookup(TLS.second)); + OpenSSLCredentialResolver* cr=dynamic_cast(ShibTargetConfig::getConfig().getINI()->getCredentialResolver(TLS.second)); if (cr) { xmltooling::Locker locker(cr); cr->attach(reinterpret_cast(ssl_ctx)); diff --git a/shib-target/shib-ccache.cpp b/shib-target/shib-ccache.cpp index 484c48d..f086a15 100644 --- a/shib-target/shib-ccache.cpp +++ b/shib-target/shib-ccache.cpp @@ -864,8 +864,7 @@ pair MemorySessionCacheEntry::getNewResponse( // Sign it? if (signRequest.first && signRequest.second && signingCred.first) { if (req->getMinorVersion()==1) { - shibboleth::Credentials creds(ShibTargetConfig::getConfig().getINI()->getCredentialsProviders()); - CredentialResolver* cr=creds.lookup(signingCred.second); + CredentialResolver* cr=ShibTargetConfig::getConfig().getINI()->getCredentialResolver(signingCred.second); if (cr) { xmltooling::Locker locker(cr); req->sign(cr->getKey(),cr->getCertificates(),signatureAlg.second,digestAlg.second); diff --git a/shib-target/shib-ini.cpp b/shib-target/shib-ini.cpp index ceefacb..df04e10 100644 --- a/shib-target/shib-ini.cpp +++ b/shib-target/shib-ini.cpp 
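Review bot: The `dynamic_cast<OpenSSLCredentialResolver*>` on the new lookup line folds two distinct failures into one silent NULL: the `TLS` Id is not in the credential map, or it is but the plugin is not an OpenSSL-capable resolver, and in both cases the `if (cr)` block is skipped and the outgoing SOAP connection proceeds with no client credential attached. `log` is already in scope in `ssl_ctx_callback` (set up at the top of the function in the previous hunk), so a one-line `else log.error("TLS credential (%s) not found or not an OpenSSLCredentialResolver, no client certificate will be presented", TLS.second);` would make the misconfiguration visible instead of showing up later as an unexplained rejection by the peer. The rest of the callback runs past the end of this hunk.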
@@ -45,14 +45,15 @@ using namespace opensaml::saml2md; using namespace xmltooling; using namespace log4cpp; using namespace std; +using xmlsignature::CredentialResolver; -namespace shibtarget { +namespace { // Application configuration wrapper class XMLApplication : public virtual IApplication, public DOMPropertySet, public DOMNodeFilter { public: - XMLApplication(const IConfig*, const Iterator& creds, const DOMElement* e, const XMLApplication* base=NULL); + XMLApplication(const IConfig*, const DOMElement* e, const XMLApplication* base=NULL); ~XMLApplication() { cleanup(); } // PropertySet @@ -155,7 +156,7 @@ namespace shibtarget { IRequestMapper* m_requestMapper; map m_appmap; - vector m_creds; + map m_credResolverMap; vector m_attrFactories; // Provides filter to exclude special config elements. @@ -201,7 +202,16 @@ namespace shibtarget { map::const_iterator i=static_cast(m_impl)->m_appmap.find(applicationId); return (i!=static_cast(m_impl)->m_appmap.end()) ? i->second : NULL; } - Iterator getCredentialsProviders() const {return static_cast(m_impl)->m_creds;} + + CredentialResolver* getCredentialResolver(const char* id) const { + if (id) { + XMLConfigImpl* impl=static_cast(getImplementation()); + map::const_iterator i=impl->m_credResolverMap.find(id); + if (i!=impl->m_credResolverMap.end()) + return i->second; + } + return NULL; + } protected: virtual ReloadableXMLFileImpl* newImplementation(const char* pathname, bool first=true) const; @@ -213,6 +223,12 @@ namespace shibtarget { mutable ISessionCache* m_sessionCache; mutable IReplayCache* m_replayCache; }; + + static const XMLCh Credentials[] = UNICODE_LITERAL_11(C,r,e,d,e,n,t,i,a,l,s); + static const XMLCh FileResolver[] = UNICODE_LITERAL_12(F,i,l,e,R,e,s,o,l,v,e,r); + static const XMLCh Id[] = UNICODE_LITERAL_2(I,d); + static const XMLCh type[] = UNICODE_LITERAL_4(t,y,p,e); + } IConfig* STConfig::ShibTargetConfigFactory(const DOMElement* e) 
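Review bot: The new `getCredentialResolver` returns a raw pointer into the current `XMLConfigImpl`'s `m_credResolverMap` without any statement of who keeps it alive; this class is a `ReloadableXMLFile` (see `newImplementation` / `getImplementation` here), so the implementation — and every resolver it owns, deleted in `~XMLConfigImpl` — can be replaced on reload. The `Credentials` wrapper this commit removes held the provider's lock from `lookup()` until the wrapper was destroyed, whereas the new callers lock only the returned resolver (`xmltooling::Locker locker(cr)`), so unless the config object is locked by the caller elsewhere (not visible in this diff) the pointer can dangle across a reload. At minimum the contract should be written on the getter: `// Returns a resolver owned by the current implementation; the caller must hold this config's lock for as long as the pointer is used, since a reload destroys it.` If callers are not expected to lock the config, the getter should probably do the lookup under the lock and hand back something with a lifetime of its own.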
@@ -222,7 +238,6 @@ IConfig* STConfig::ShibTargetConfigFactory(const DOMElement* e) XMLApplication::XMLApplication( const IConfig* ini, - const Iterator& creds, const DOMElement* e, const XMLApplication* base ) : m_ini(ini), m_base(base), m_metadata(NULL), m_trust(NULL), m_profile(NULL), m_binding(NULL), m_bindingHook(NULL), @@ -525,10 +540,7 @@ XMLApplication::XMLApplication( getMetadataProvider(), getTrustEngine() ); - m_bindingHook=new ShibHTTPHook( - getTrustEngine(), - creds - ); + m_bindingHook=new ShibHTTPHook(getTrustEngine()); m_binding=SAMLBinding::getInstance(SAMLBinding::SOAP); SAMLSOAPHTTPBinding* bptr=dynamic_cast(m_binding); if (!bptr) { @@ -1084,7 +1096,7 @@ void XMLConfigImpl::init(bool first) // Back to the fully dynamic stuff...next up is the Request Mapper. if (conf.isEnabled(SPConfig::RequestMapper)) { - const DOMElement* child=saml::XML::getFirstChildElement(SHIRE,shibtarget::XML::SHIBTARGET_NS,SHIBT_L(RequestMapProvider)); + const DOMElement* child=XMLHelper::getFirstChildElement(SHIRE,shibtarget::XML::SHIBTARGET_NS,SHIBT_L(RequestMapProvider)); if (child) { xmltooling::auto_ptr_char type(child->getAttributeNS(NULL,SHIBT_L(type))); log.info("building Request Mapper of type %s...",type.get()); 
@@ -1106,32 +1118,52 @@ void XMLConfigImpl::init(bool first) } } - // Now we load any credentials providers. - DOMNodeList* nlist; + // Now we load the credentials map. if (conf.isEnabled(SPConfig::Credentials)) { - nlist=ReloadableXMLFileImpl::m_root->getElementsByTagNameNS(shibtarget::XML::SHIBTARGET_NS,SHIBT_L(CredentialsProvider)); - for (unsigned int i=0; nlist && igetLength(); i++) { - xmltooling::auto_ptr_char type(static_cast(nlist->item(i))->getAttributeNS(NULL,SHIBT_L(type))); - log.info("building credentials provider of type %s...",type.get()); - try { - IPlugIn* plugin=shibConf.getPlugMgr().newPlugin(type.get(),static_cast(nlist->item(i))); - if (plugin) { - ICredentials* creds=dynamic_cast(plugin); - if (creds) - m_creds.push_back(creds); - else { - delete plugin; - log.crit("plugin was not a credentials provider"); + // Old format was to wrap it in a CredentialsProvider plugin, we're inlining that... + const DOMElement* child = XMLHelper::getFirstChildElement(ReloadableXMLFileImpl::m_root,shibtarget::XML::SHIBTARGET_NS,SHIBT_L(CredentialsProvider)); + if (!child) + child = XMLHelper::getFirstChildElement(ReloadableXMLFileImpl::m_root,Credentials); + if (child) { + // Step down and process resolvers. 
+ child=XMLHelper::getFirstChildElement(child); + while (child) { + xmltooling::auto_ptr_char id(child->getAttributeNS(NULL,Id)); + if (!id.get() || !*(id.get())) { + log.warn("skipping CredentialsResolver with no Id attribute"); + child = XMLHelper::getNextSiblingElement(child); + continue; + } + + string cr_type; + if (XMLString::equals(child->getLocalName(),FileResolver)) + cr_type=FILESYSTEM_CREDENTIAL_RESOLVER; + else { + xmltooling::auto_ptr_char c(child->getAttributeNS(NULL,type)); + cr_type=c.get(); + } + + if (!cr_type.empty()) { + try { + CredentialResolver* plugin= + XMLToolingConfig::getConfig().CredentialResolverManager.newPlugin(cr_type.c_str(),child); + m_credResolverMap[id.get()] = plugin; + } + catch (exception& e) { + log.crit("failed to instantiate CredentialResolver (%s): %s", id.get(), e.what()); } } - } - catch (exception& ex) { - log.crit("error building credentials provider: %s",ex.what()); + else { + log.error("unknown type of CredentialResolver with Id (%s)", id.get()); + } + + child = XMLHelper::getNextSiblingElement(child); } } } // Now we load any attribute factories + DOMNodeList* nlist; nlist=ReloadableXMLFileImpl::m_root->getElementsByTagNameNS(shibtarget::XML::SHIBTARGET_NS,SHIBT_L(AttributeFactory)); for (unsigned int i=0; nlist && igetLength(); i++) { xmltooling::auto_ptr_char type(static_cast(nlist->item(i))->getAttributeNS(NULL,SHIBT_L(type))); 
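Review bot: Duplicate `Id` attributes are mishandled in the resolver loop: `m_credResolverMap[id.get()] = plugin;` overwrites any earlier entry, leaking the previously constructed `CredentialResolver` (nothing deletes it and the destructor only walks the map), and silently letting the last definition win — which is how a stray second `<FileResolver Id="...">` could quietly swap the signing or TLS key. The same file already treats a duplicate `conf:Application` Id as an error and ignores it (next hunk), so the map should get the same check before `newPlugin` is called; something like the following, which also avoids constructing a plugin that would be discarded. The surrounding `init` function starts and ends outside this hunk.
```cpp
                if (!cr_type.empty()) {
                    if (m_credResolverMap.count(id.get())) {
                        log.crit("found CredentialResolver with duplicate Id (%s), ignoring it", id.get());
                    }
                    else {
                        try {
                            CredentialResolver* plugin=
                                XMLToolingConfig::getConfig().CredentialResolverManager.newPlugin(cr_type.c_str(),child);
                            m_credResolverMap[id.get()] = plugin;
                        }
                        catch (exception& e) {
                            log.crit("failed to instantiate CredentialResolver (%s): %s", id.get(), e.what());
                        }
                    }
                }
                // … unchanged: unknown-type branch and sibling advance …
```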
@@ -1166,13 +1198,13 @@ void XMLConfigImpl::init(bool first) log.fatal("can't build default Application object, missing conf:Applications element?"); throw ConfigurationException("can't build default Application object, missing conf:Applications element?"); } - XMLApplication* defapp=new XMLApplication(m_outer, m_creds, app); + XMLApplication* defapp=new XMLApplication(m_outer,app); m_appmap[defapp->getId()]=defapp; // Load any overrides. nlist=app->getElementsByTagNameNS(shibtarget::XML::SHIBTARGET_NS,SHIBT_L(Application)); for (unsigned int j=0; nlist && jgetLength(); j++) { - auto_ptr iapp(new XMLApplication(m_outer,m_creds,static_cast(nlist->item(j)),defapp)); + auto_ptr iapp(new XMLApplication(m_outer,static_cast(nlist->item(j)),defapp)); if (m_appmap.find(iapp->getId())!=m_appmap.end()) log.crit("found conf:Application element with duplicate Id attribute, ignoring it"); else @@ -1183,19 +1215,13 @@ void XMLConfigImpl::init(bool first) log.errorStream() << "Error while loading SP configuration: " << e.what() << CategoryStream::ENDLINE; throw ConfigurationException(e.what()); } -#ifndef _DEBUG - catch (...) { - log.error("Unexpected error while loading SP configuration"); - throw; - } -#endif } XMLConfigImpl::~XMLConfigImpl() { delete m_requestMapper; for_each(m_appmap.begin(),m_appmap.end(),xmltooling::cleanup_pair()); - for_each(m_creds.begin(),m_creds.end(),xmltooling::cleanup()); + for_each(m_credResolverMap.begin(),m_credResolverMap.end(),xmltooling::cleanup_pair()); ShibConfig::getConfig().clearAttributeMappings(); for_each(m_attrFactories.begin(),m_attrFactories.end(),xmltooling::cleanup()); } diff --git a/shib-target/shib-target.h b/shib-target/shib-target.h index d000a92..3144e1a 100644 --- a/shib-target/shib-target.h +++ b/shib-target/shib-target.h @@ -31,6 +31,7 @@ #include #include #include +#include // Old headers #include 
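Review bot: Deleting the `#ifndef _DEBUG` `catch (...)` at the end of `XMLConfigImpl::init` removes the only log line for a non-`std::exception` failure during configuration load; the exception still propagated from that handler, so correctness is unchanged, but a release build will now die on such a throw with no "Unexpected error while loading SP configuration" entry to point the operator at the config. If the intent is that everything thrown inside the `try` (whose start is outside this hunk) derives from `std::exception` and is covered by the `catch (exception& e)` just above, say so next to the remaining handler, e.g. `// All loader failures derive from std::exception; no catch-all needed.`, so the deletion reads as deliberate rather than accidental.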
@@ -136,8 +137,7 @@ namespace shibtarget { class ShibHTTPHook : virtual public saml::SAMLSOAPHTTPBinding::HTTPHook { public: - ShibHTTPHook(const xmltooling::TrustEngine* trust, const saml::Iterator& creds) - : m_trust(trust), m_creds(creds) {} + ShibHTTPHook(const xmltooling::TrustEngine* trust) : m_trust(trust) {} virtual ~ShibHTTPHook() {} // Only hook we need here is for outgoing connection to server. @@ -163,10 +163,8 @@ namespace shibtarget { }; const xmltooling::TrustEngine* getTrustEngine() const {return m_trust;} - const saml::Iterator& getCredentialProviders() const {return m_creds;} private: const xmltooling::TrustEngine* m_trust; - saml::Iterator m_creds; }; /** @@ -290,7 +288,7 @@ namespace shibtarget { virtual saml::IReplayCache* getReplayCache() const=0; virtual IRequestMapper* getRequestMapper() const=0; virtual const IApplication* getApplication(const char* applicationId) const=0; - virtual saml::Iterator getCredentialsProviders() const=0; + virtual xmlsignature::CredentialResolver* getCredentialResolver(const char* id) const=0; virtual ~IConfig() {} }; diff --git a/shib/Metadata.cpp b/shib/Metadata.cpp index 0f39041..90f2635 100644 --- a/shib/Metadata.cpp +++ b/shib/Metadata.cpp @@ -29,35 +29,6 @@ using namespace shibboleth; using namespace opensaml::saml2md; using namespace saml; using namespace std; -using xmlsignature::CredentialResolver; - -CredentialResolver* Credentials::lookup(const char* id) -{ - if (m_mapper) { - m_mapper->unlock(); - m_mapper=NULL; - } - CredentialResolver* ret=NULL; - m_creds.reset(); - while (m_creds.hasNext()) { - m_mapper=m_creds.next(); - m_mapper->lock(); - if (ret=m_mapper->lookup(id)) { - return ret; - } - m_mapper->unlock(); - m_mapper=NULL; - } - return NULL; -} - -Credentials::~Credentials() -{ - if (m_mapper) { - m_mapper->unlock(); - m_mapper=NULL; - } -} AAP::AAP(const saml::Iterator& aaps, const XMLCh* attrName, const XMLCh* attrNamespace) : m_mapper(NULL), m_rule(NULL) { 
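Review bot: The new pure-virtual `IConfig::getCredentialResolver(const char*)` hands out a raw `xmlsignature::CredentialResolver*` with no documented ownership or lifetime, and every implementation in this commit returns a pointer owned by a reloadable implementation object, so the interface is where the contract belongs. I would add a short comment above the declaration: `// Looks up a credential resolver by its configured Id; returns NULL if unknown. The pointer is owned by the configuration and must not be cached or used beyond the caller's lock on this object.` The `ShibHTTPHook` constructor change in the first hunk is a plain signature simplification and needs nothing.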
diff --git a/shib/shib.h b/shib/shib.h index 44c6e96..295e972 100644 --- a/shib/shib.h +++ b/shib/shib.h @@ -28,7 +28,6 @@ #include #include #include -#include #include #include @@ -44,14 +43,6 @@ namespace shibboleth { - // Credentials interface abstracts access to "owned" keys and certificates. - - struct SHIB_EXPORTS ICredentials : public virtual saml::ILockable, public virtual saml::IPlugIn - { - virtual xmlsignature::CredentialResolver* lookup(const char* id) const=0; - virtual ~ICredentials() {} - }; - // Attribute acceptance processing interfaces, applied to incoming attributes. struct SHIB_EXPORTS IAttributeRule @@ -81,27 +72,10 @@ namespace shibboleth }; #ifdef SHIB_INSTANTIATE - template class SHIB_EXPORTS saml::Iterator; - template class SHIB_EXPORTS saml::ArrayIterator; template class SHIB_EXPORTS saml::Iterator; template class SHIB_EXPORTS saml::ArrayIterator; #endif - class SHIB_EXPORTS Credentials - { - public: - Credentials(const saml::Iterator& creds) : m_creds(creds), m_mapper(NULL) {} - ~Credentials(); - - xmlsignature::CredentialResolver* lookup(const char* id); - - private: - Credentials(const Credentials&); - void operator=(const Credentials&); - ICredentials* m_mapper; - saml::Iterator m_creds; - }; - class SHIB_EXPORTS AAP { public: diff --git a/xmlproviders/Makefile.am b/xmlproviders/Makefile.am index e173f74..c994f77 100644 --- a/xmlproviders/Makefile.am +++ b/xmlproviders/Makefile.am @@ -15,7 +15,6 @@ xmlproviders_la_SOURCES = \ TargetedID.cpp \ XMLAAP.cpp \ XMLAccessControl.cpp \ - XMLCredentials.cpp \ XMLProviders.cpp diff --git a/xmlproviders/XMLCredentials.cpp b/xmlproviders/XMLCredentials.cpp deleted file mode 100644 index c63cccb..0000000 --- a/xmlproviders/XMLCredentials.cpp +++ /dev/null 
@@ -1,148 +0,0 @@ -/* - * Copyright 2001-2005 Internet2 - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -/* XMLCredentials.cpp - a credentials implementation that uses an XML file - - Scott Cantor - 9/27/02 - - $History:$ -*/ - -#include "internal.h" - -#include -#include -#include - -#include -#include -#include -#include - -using namespace shibsp; -using namespace shibboleth; -using namespace xmltooling; -using namespace log4cpp; -using namespace std; -using xmlsignature::CredentialResolver; - -namespace { - - class XMLCredentialsImpl : public ReloadableXMLFileImpl - { - public: - XMLCredentialsImpl(const char* pathname) : ReloadableXMLFileImpl(pathname) { init(); } - XMLCredentialsImpl(const DOMElement* e) : ReloadableXMLFileImpl(e) { init(); } - void init(); - ~XMLCredentialsImpl(); - - typedef map resolvermap_t; - resolvermap_t m_resolverMap; - }; - - class XMLCredentials : public ICredentials, public ReloadableXMLFile - { - public: - XMLCredentials(const DOMElement* e) : ReloadableXMLFile(e) {} - ~XMLCredentials() {} - - CredentialResolver* lookup(const char* id) const; - - protected: - virtual ReloadableXMLFileImpl* newImplementation(const char* pathname, bool first=true) const; - virtual ReloadableXMLFileImpl* newImplementation(const DOMElement* e, bool first=true) const; - }; - -} - -saml::IPlugIn* XMLCredentialsFactory(const DOMElement* e) -{ - auto_ptr creds(new XMLCredentials(e)); - creds->getImplementation(); - return creds.release(); -} 
- -ReloadableXMLFileImpl* XMLCredentials::newImplementation(const char* pathname, bool first) const -{ - return new XMLCredentialsImpl(pathname); -} - -ReloadableXMLFileImpl* XMLCredentials::newImplementation(const DOMElement* e, bool first) const -{ - return new XMLCredentialsImpl(e); -} - -static const XMLCh Id[] = UNICODE_LITERAL_2(I,d); -static const XMLCh type[] = UNICODE_LITERAL_4(t,y,p,e); -static const XMLCh FileResolver[] = UNICODE_LITERAL_12(F,i,l,e,R,e,s,o,l,v,e,r); - -void XMLCredentialsImpl::init() -{ -#ifdef _DEBUG - NDC ndc("init"); -#endif - Category& log=Category::getInstance(XMLPROVIDERS_LOGCAT".Credentials"); - - DOMElement* child=XMLHelper::getFirstChildElement(m_root); - while (child) { - string cr_type; - auto_ptr_char id(child->getAttributeNS(NULL,Id)); - if (!id.get()) { - child = XMLHelper::getNextSiblingElement(child); - continue; - } - - if (XMLString::equals(child->getLocalName(),FileResolver)) - cr_type=FILESYSTEM_CREDENTIAL_RESOLVER; - else { - xmltooling::auto_ptr_char c(child->getAttributeNS(NULL,type)); - cr_type=c.get(); - } - - if (!cr_type.empty()) { - try { - CredentialResolver* plugin= - XMLToolingConfig::getConfig().CredentialResolverManager.newPlugin(cr_type.c_str(),child); - m_resolverMap[id.get()] = plugin; - } - catch (exception& e) { - log.error("failed to instantiate credential resolver (%s): %s", id.get(), e.what()); - } - } - else { - log.error("unknown type of credential resolver (%s)", id.get()); - } - - child = XMLHelper::getNextSiblingElement(child); - } -} - -XMLCredentialsImpl::~XMLCredentialsImpl() -{ - for_each(m_resolverMap.begin(),m_resolverMap.end(),xmltooling::cleanup_pair()); -} - -CredentialResolver* XMLCredentials::lookup(const char* id) const -{ - if (id) { - XMLCredentialsImpl* impl=dynamic_cast(getImplementation()); - XMLCredentialsImpl::resolvermap_t::const_iterator i=impl->m_resolverMap.find(id); - if (i!=impl->m_resolverMap.end()) - return i->second; - } - return NULL; -} 
diff --git a/xmlproviders/XMLProviders.cpp b/xmlproviders/XMLProviders.cpp index 99551f8..637fef9 100644 --- a/xmlproviders/XMLProviders.cpp +++ b/xmlproviders/XMLProviders.cpp @@ -39,7 +39,6 @@ using namespace std; // Metadata Factories PlugManager::Factory TargetedIDFactory; -PlugManager::Factory XMLCredentialsFactory; PlugManager::Factory XMLAAPFactory; PlugManager::Factory XMLAccessControlFactory; @@ -48,7 +47,6 @@ extern "C" int XML_EXPORTS saml_extension_init(void*) // Register metadata factories (some are legacy aliases) SAMLConfig& conf=SAMLConfig::getConfig(); conf.getPlugMgr().regFactory("edu.internet2.middleware.shibboleth.common.provider.TargetedIDFactory",&TargetedIDFactory); - conf.getPlugMgr().regFactory("edu.internet2.middleware.shibboleth.common.Credentials",&XMLCredentialsFactory); conf.getPlugMgr().regFactory("edu.internet2.middleware.shibboleth.aap.provider.XMLAAP",&XMLAAPFactory); conf.getPlugMgr().regFactory("edu.internet2.middleware.shibboleth.target.provider.XMLAAP",&XMLAAPFactory); conf.getPlugMgr().regFactory(shibtarget::XML::XMLAccessControlType,&XMLAccessControlFactory); @@ -61,7 +59,6 @@ extern "C" void XML_EXPORTS saml_extension_term() // Unregister metadata factories SAMLConfig& conf=SAMLConfig::getConfig(); conf.getPlugMgr().unregFactory("edu.internet2.middleware.shibboleth.common.provider.TargetedIDFactory"); - conf.getPlugMgr().unregFactory("edu.internet2.middleware.shibboleth.common.Credentials"); conf.getPlugMgr().unregFactory("edu.internet2.middleware.shibboleth.aap.provider.XMLAAP"); conf.getPlugMgr().unregFactory("edu.internet2.middleware.shibboleth.target.provider.XMLAAP"); conf.getPlugMgr().unregFactory(shibtarget::XML::XMLAccessControlType); diff --git a/xmlproviders/xmlproviders.vcproj b/xmlproviders/xmlproviders.vcproj index dcdd8b2..dda9ad4 100644 --- a/xmlproviders/xmlproviders.vcproj +++ b/xmlproviders/xmlproviders.vcproj @@ -236,10 +236,6 @@ > - -