From 3684ca33403dddaa12d50c63dea34f5525e9e099 Mon Sep 17 00:00:00 2001
From: Scott Cantor
Date: Fri, 10 Apr 2009 16:08:43 +0000
Subject: [PATCH] Add decryption of Delegates.

---
 .../resolver/impl/DelegationAttributeExtractor.cpp | 34 +++++++++++++++++++---
 1 file changed, 30 insertions(+), 4 deletions(-)

diff --git a/shibsp/attribute/resolver/impl/DelegationAttributeExtractor.cpp b/shibsp/attribute/resolver/impl/DelegationAttributeExtractor.cpp
index 460ac43..df38e62 100644
--- a/shibsp/attribute/resolver/impl/DelegationAttributeExtractor.cpp
+++ b/shibsp/attribute/resolver/impl/DelegationAttributeExtractor.cpp
@@ -107,6 +107,8 @@ void DelegationExtractor::extractAttributes(
     if (!assertion || !assertion->getConditions())
         return;
 
+    Category& log = Category::getInstance(SHIBSP_LOGCAT".AttributeExtractor.Delegation");
+
     const vector& conditions = const_cast(assertion->getConditions())->getConditions();
     for (vector::const_iterator c = conditions.begin(); c != conditions.end(); ++c) {
         const saml2::DelegationRestrictionType* drt = dynamic_cast(*c);
@@ -116,19 +118,43 @@ void DelegationExtractor::extractAttributes(
             const vector& dels = drt->getDelegates();
             for (vector::const_iterator d = dels.begin(); d != dels.end(); ++d) {
                 if ((*d)->getBaseID()) {
-                    Category::getInstance(SHIBSP_LOGCAT".AttributeExtractor.Delegation").error(
-                        "delegate identified by saml:BaseID cannot be processed into an attribute value"
-                        );
+                    log.error("delegate identified by saml:BaseID cannot be processed into an attribute value");
                     continue;
                 }
 
                 saml2::NameID* n = NULL;
                 if ((*d)->getEncryptedID()) {
-                    // TODO: add decryption
+                    CredentialResolver* cr = application.getCredentialResolver();
+                    if (!cr) {
+                        log.warn("found encrypted Delegate, but no CredentialResolver was available");
+                    }
+
+                    try {
+                        const XMLCh* recipient = application.getRelyingParty(
+                            issuer ? dynamic_cast(issuer->getParent()) : NULL
+                            )->getXMLString("entityID").second;
+                        Locker credlocker(cr);
+                        if (issuer) {
+                            MetadataCredentialCriteria mcc(*issuer);
+                            auto_ptr decrypted((*d)->getEncryptedID()->decrypt(*cr, recipient, &mcc));
+                            n = dynamic_cast(decrypted.release());
+                        }
+                        else {
+                            auto_ptr decrypted((*d)->getEncryptedID()->decrypt(*cr, recipient));
+                            n = dynamic_cast(decrypted.release());
+                        }
+                        if (n && log.isDebugEnabled())
+                            log.debugStream() << "decrypted Delegate: " << *n << logging::eol;
+                    }
+                    catch (exception& ex) {
+                        log.error("caught exception decrypting Delegate: %s", ex.what());
+                        return;
+                    }
                 }
                 else {
                     n = (*d)->getNameID();
                 }
+
                 if (n) {
                     DDF val = DDF(NULL).structure();
                     if ((*d)->getConfirmationMethod()) {
-- 
2.1.4
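Review bot: The `if (!cr)` branch only logs a warning and then falls straight into the `try` block, where `decrypt(*cr, recipient, ...)` dereferences the null CredentialResolver; the warning needs to be followed by `continue;` (or `break;`) so an encrypted Delegate is skipped when no resolver is configured. The two `n = dynamic_cast(decrypted.release());` lines also leak the decrypted object whenever the cast fails (an EncryptedID that does not wrap a NameID), because ownership has already been given up before the cast is checked; cast from the held pointer and release only on success, e.g. `n = dynamic_cast<saml2::NameID*>(decrypted.get()); if (n) decrypted.release();` in both branches. Note that after this change `n` is an owning pointer in the encrypted branch but a borrowed one from `getNameID()` in the other, and whatever frees it lies outside the hunk (extractAttributes continues past the last line shown), so a comment at `saml2::NameID* n = NULL;` such as `// owned by this loop only when obtained by decryption` would save the next maintainer a search. Minor style: `catch (exception& ex)` should be `catch (const exception& ex)`.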