2 * Copyright (c) 2011, JANET(UK)
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
9 * 1. Redistributions of source code must retain the above copyright
10 * notice, this list of conditions and the following disclaimer.
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in the
14 * documentation and/or other materials provided with the distribution.
16 * 3. Neither the name of JANET(UK) nor the names of its contributors
17 * may be used to endorse or promote products derived from this software
18 * without specific prior written permission.
20 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
21 * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
22 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
23 * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
24 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
25 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
26 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
27 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
28 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
29 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
34 * SAML attribute provider implementation.
37 #include "gssapiP_eap.h"
41 #include <xercesc/util/XMLUniDefs.hpp>
42 #include <xmltooling/unicode.h>
43 #include <xmltooling/XMLToolingConfig.h>
44 #include <xmltooling/util/XMLHelper.h>
45 #include <xmltooling/util/ParserPool.h>
46 #include <xmltooling/util/DateTime.h>
48 #include <saml/exceptions.h>
49 #include <saml/SAMLConfig.h>
50 #include <saml/saml1/core/Assertions.h>
51 #include <saml/saml2/core/Assertions.h>
52 #include <saml/saml2/metadata/Metadata.h>
53 #include <saml/saml2/metadata/MetadataProvider.h>
55 using namespace xmltooling;
56 using namespace opensaml::saml2md;
57 using namespace opensaml;
58 using namespace xercesc;
62 base64Binary[] = {'b','a','s','e','6','4','B','i','n','a','r','y',0};
65 * gss_eap_saml_assertion_provider is for retrieving the underlying
68 gss_eap_saml_assertion_provider::gss_eap_saml_assertion_provider(void)
71 m_authenticated = false;
74 gss_eap_saml_assertion_provider::~gss_eap_saml_assertion_provider(void)
80 gss_eap_saml_assertion_provider::initWithExistingContext(const gss_eap_attr_ctx *manager,
81 const gss_eap_attr_provider *ctx)
83 /* Then we may be creating from an existing attribute context */
84 const gss_eap_saml_assertion_provider *saml;
86 GSSEAP_ASSERT(m_assertion == NULL);
88 if (!gss_eap_attr_provider::initWithExistingContext(manager, ctx))
91 saml = static_cast<const gss_eap_saml_assertion_provider *>(ctx);
92 setAssertion(saml->getAssertion(), saml->authenticated());
98 gss_eap_saml_assertion_provider::initWithGssContext(const gss_eap_attr_ctx *manager,
99 const gss_cred_id_t gssCred,
100 const gss_ctx_id_t gssCtx)
102 const gss_eap_radius_attr_provider *radius;
103 gss_buffer_desc value = GSS_C_EMPTY_BUFFER;
104 int authenticated, complete;
106 gss_eap_attrid attrid(VENDORPEC_UKERNA, PW_SAML_AAA_ASSERTION);
108 GSSEAP_ASSERT(m_assertion == NULL);
110 if (!gss_eap_attr_provider::initWithGssContext(manager, gssCred, gssCtx))
114 * XXX TODO we need to support draft-howlett-radius-saml-attr-00
116 radius = static_cast<const gss_eap_radius_attr_provider *>
117 (m_manager->getProvider(ATTR_TYPE_RADIUS));
118 if (radius != NULL &&
119 radius->getFragmentedAttribute(attrid, &authenticated, &complete, &value)) {
120 setAssertion(&value, authenticated);
121 gss_release_buffer(&minor, &value);
130 gss_eap_saml_assertion_provider::setAssertion(const saml2::Assertion *assertion,
136 if (assertion != NULL) {
138 m_assertion = (saml2::Assertion *)((void *)assertion->clone());
140 m_assertion = dynamic_cast<saml2::Assertion *>(assertion->clone());
142 m_authenticated = authenticated;
145 m_authenticated = false;
150 gss_eap_saml_assertion_provider::setAssertion(const gss_buffer_t buffer,
155 m_assertion = parseAssertion(buffer);
156 m_authenticated = (m_assertion != NULL && authenticated);
160 gss_eap_saml_assertion_provider::parseAssertion(const gss_buffer_t buffer)
162 string str((char *)buffer->value, buffer->length);
163 istringstream istream(str);
165 const XMLObjectBuilder *b;
168 doc = XMLToolingConfig::getConfig().getParser().parse(istream);
172 b = XMLObjectBuilder::getBuilder(doc->getDocumentElement());
175 return (saml2::Assertion *)((void *)b->buildFromDocument(doc));
177 return dynamic_cast<saml2::Assertion *>(b->buildFromDocument(doc));
179 } catch (exception &e) {
185 gss_eap_saml_assertion_provider::getAttributeTypes(gss_eap_attr_enumeration_cb addAttribute,
190 /* just add the prefix */
191 if (m_assertion != NULL)
192 ret = addAttribute(m_manager, this, GSS_C_NO_BUFFER, data);
200 gss_eap_saml_assertion_provider::setAttribute(int complete GSSEAP_UNUSED,
201 const gss_buffer_t attr,
202 const gss_buffer_t value)
204 if (attr == GSS_C_NO_BUFFER || attr->length == 0) {
213 gss_eap_saml_assertion_provider::deleteAttribute(const gss_buffer_t value GSSEAP_UNUSED)
217 m_authenticated = false;
223 gss_eap_saml_assertion_provider::getExpiryTime(void) const
225 saml2::Conditions *conditions;
226 time_t expiryTime = 0;
228 if (m_assertion == NULL)
231 conditions = m_assertion->getConditions();
233 if (conditions != NULL && conditions->getNotOnOrAfter() != NULL)
234 expiryTime = conditions->getNotOnOrAfter()->getEpoch();
240 gss_eap_saml_assertion_provider::mapException(OM_uint32 *minor,
241 std::exception &e) const
243 if (typeid(e) == typeid(SecurityPolicyException))
244 *minor = GSSEAP_SAML_SEC_POLICY_FAILURE;
245 else if (typeid(e) == typeid(BindingException))
246 *minor = GSSEAP_SAML_BINDING_FAILURE;
247 else if (typeid(e) == typeid(ProfileException))
248 *minor = GSSEAP_SAML_PROFILE_FAILURE;
249 else if (typeid(e) == typeid(FatalProfileException))
250 *minor = GSSEAP_SAML_FATAL_PROFILE_FAILURE;
251 else if (typeid(e) == typeid(RetryableProfileException))
252 *minor = GSSEAP_SAML_RETRY_PROFILE_FAILURE;
253 else if (typeid(e) == typeid(MetadataException))
254 *minor = GSSEAP_SAML_METADATA_FAILURE;
256 return GSS_S_CONTINUE_NEEDED;
258 gssEapSaveStatusInfo(*minor, "%s", e.what());
260 return GSS_S_FAILURE;
264 gss_eap_saml_assertion_provider::getAttribute(const gss_buffer_t attr,
268 gss_buffer_t display_value GSSEAP_UNUSED,
273 if (attr != GSS_C_NO_BUFFER && attr->length != 0)
276 if (m_assertion == NULL)
282 if (authenticated != NULL)
283 *authenticated = m_authenticated;
284 if (complete != NULL)
287 XMLHelper::serialize(m_assertion->marshall((DOMDocument *)NULL), str);
290 duplicateBuffer(str, value);
291 if (display_value != NULL)
292 duplicateBuffer(str, display_value);
300 gss_eap_saml_assertion_provider::mapToAny(int authenticated,
301 gss_buffer_t type_id GSSEAP_UNUSED) const
303 if (authenticated && !m_authenticated)
304 return (gss_any_t)NULL;
306 return (gss_any_t)m_assertion;
310 gss_eap_saml_assertion_provider::releaseAnyNameMapping(gss_buffer_t type_id GSSEAP_UNUSED,
311 gss_any_t input) const
313 delete ((saml2::Assertion *)input);
317 gss_eap_saml_assertion_provider::prefix(void) const
319 return "urn:ietf:params:gss:federated-saml-assertion";
323 gss_eap_saml_assertion_provider::init(void)
328 ret = SAMLConfig::getConfig().init();
329 } catch (exception &e) {
333 gss_eap_attr_ctx::registerProvider(ATTR_TYPE_SAML_ASSERTION, createAttrContext);
339 gss_eap_saml_assertion_provider::finalize(void)
341 gss_eap_attr_ctx::unregisterProvider(ATTR_TYPE_SAML_ASSERTION);
344 gss_eap_attr_provider *
345 gss_eap_saml_assertion_provider::createAttrContext(void)
347 return new gss_eap_saml_assertion_provider;
351 gss_eap_saml_assertion_provider::initAssertion(void)
354 m_assertion = saml2::AssertionBuilder::buildAssertion();
355 m_authenticated = false;
361 * gss_eap_saml_attr_provider is for retrieving the underlying attributes.
364 gss_eap_saml_attr_provider::getAssertion(int *authenticated,
365 saml2::Assertion **pAssertion,
366 bool createIfAbsent) const
368 gss_eap_saml_assertion_provider *saml;
370 if (authenticated != NULL)
371 *authenticated = false;
372 if (pAssertion != NULL)
375 saml = static_cast<gss_eap_saml_assertion_provider *>
376 (m_manager->getProvider(ATTR_TYPE_SAML_ASSERTION));
380 if (authenticated != NULL)
381 *authenticated = saml->authenticated();
382 if (pAssertion != NULL)
383 *pAssertion = saml->getAssertion();
385 if (saml->getAssertion() == NULL) {
386 if (createIfAbsent) {
387 if (authenticated != NULL)
388 *authenticated = false;
389 if (pAssertion != NULL)
390 *pAssertion = saml->initAssertion();
399 gss_eap_saml_attr_provider::getAttributeTypes(gss_eap_attr_enumeration_cb addAttribute,
402 saml2::Assertion *assertion;
405 if (!getAssertion(&authenticated, &assertion))
409 * Note: the first prefix is added by the attribute provider manager
411 * From draft-hartman-gss-eap-naming-00:
413 * Each attribute carried in the assertion SHOULD also be a GSS name
414 * attribute. The name of this attribute has three parts, all separated
415 * by an ASCII space character. The first part is
416 * urn:ietf:params:gss:federated-saml-attribute. The second part is the URI for
417 * the SAML attribute name format. The final part is the name of the
418 * SAML attribute. If the mechanism performs an additional attribute
419 * query, the retrieved attributes SHOULD be GSS-API name attributes
420 * using the same name syntax.
422 /* For each attribute statement, look for an attribute match */
423 const vector <saml2::AttributeStatement *> &statements =
424 const_cast<const saml2::Assertion *>(assertion)->getAttributeStatements();
426 for (vector<saml2::AttributeStatement *>::const_iterator s = statements.begin();
427 s != statements.end();
429 const vector<saml2::Attribute*> &attrs =
430 const_cast<const saml2::AttributeStatement*>(*s)->getAttributes();
432 for (vector<saml2::Attribute*>::const_iterator a = attrs.begin(); a != attrs.end(); ++a) {
433 const XMLCh *attributeName, *attributeNameFormat;
434 XMLCh space[2] = { ' ', 0 };
435 gss_buffer_desc utf8;
437 attributeName = (*a)->getName();
438 attributeNameFormat = (*a)->getNameFormat();
439 if (attributeNameFormat == NULL || attributeNameFormat[0] == '\0')
440 attributeNameFormat = saml2::Attribute::UNSPECIFIED;
442 XMLCh qualifiedName[XMLString::stringLen(attributeNameFormat) + 1 +
443 XMLString::stringLen(attributeName) + 1];
444 XMLString::copyString(qualifiedName, attributeNameFormat);
445 XMLString::catString(qualifiedName, space);
446 XMLString::catString(qualifiedName, attributeName);
448 utf8.value = (void *)toUTF8(qualifiedName);
449 utf8.length = strlen((char *)utf8.value);
451 if (!addAttribute(m_manager, this, &utf8, data))
459 static BaseRefVectorOf<XMLCh> *
460 decomposeAttributeName(const gss_buffer_t attr)
462 BaseRefVectorOf<XMLCh> *components;
463 string str((const char *)attr->value, attr->length);
464 auto_ptr_XMLCh qualifiedAttr(str.c_str());
466 components = XMLString::tokenizeString(qualifiedAttr.get());
468 if (components->size() != 2) {
477 gss_eap_saml_attr_provider::setAttribute(int complete GSSEAP_UNUSED,
478 const gss_buffer_t attr,
479 const gss_buffer_t value)
481 saml2::Assertion *assertion;
482 saml2::Attribute *attribute;
483 saml2::AttributeValue *attributeValue;
484 saml2::AttributeStatement *attributeStatement;
486 if (!getAssertion(NULL, &assertion, true))
489 if (assertion->getAttributeStatements().size() != 0) {
490 attributeStatement = assertion->getAttributeStatements().front();
492 attributeStatement = saml2::AttributeStatementBuilder::buildAttributeStatement();
493 assertion->getAttributeStatements().push_back(attributeStatement);
496 /* Check the attribute name consists of name format | whsp | name */
497 BaseRefVectorOf<XMLCh> *components = decomposeAttributeName(attr);
498 if (components == NULL)
501 attribute = saml2::AttributeBuilder::buildAttribute();
502 attribute->setNameFormat(components->elementAt(0));
503 attribute->setName(components->elementAt(1));
505 attributeValue = saml2::AttributeValueBuilder::buildAttributeValue();
506 auto_ptr_XMLCh unistr((char *)value->value, value->length);
507 attributeValue->setTextContent(unistr.get());
509 attribute->getAttributeValues().push_back(attributeValue);
511 GSSEAP_ASSERT(attributeStatement != NULL);
512 attributeStatement->getAttributes().push_back(attribute);
520 gss_eap_saml_attr_provider::deleteAttribute(const gss_buffer_t attr)
522 saml2::Assertion *assertion;
525 if (!getAssertion(NULL, &assertion) ||
526 assertion->getAttributeStatements().size() == 0)
529 /* Check the attribute name consists of name format | whsp | name */
530 BaseRefVectorOf<XMLCh> *components = decomposeAttributeName(attr);
531 if (components == NULL)
534 /* For each attribute statement, look for an attribute match */
535 const vector<saml2::AttributeStatement *> &statements =
536 const_cast<const saml2::Assertion *>(assertion)->getAttributeStatements();
538 for (vector<saml2::AttributeStatement *>::const_iterator s = statements.begin();
539 s != statements.end();
541 const vector<saml2::Attribute *> &attrs =
542 const_cast<const saml2::AttributeStatement *>(*s)->getAttributes();
543 ssize_t index = -1, i = 0;
545 /* There's got to be an easier way to do this */
546 for (vector<saml2::Attribute *>::const_iterator a = attrs.begin();
549 if (XMLString::equals((*a)->getNameFormat(), components->elementAt(0)) &&
550 XMLString::equals((*a)->getName(), components->elementAt(1))) {
557 (*s)->getAttributes().erase((*s)->getAttributes().begin() + index);
568 gss_eap_saml_attr_provider::getAttribute(const gss_buffer_t attr,
571 const saml2::Attribute **pAttribute) const
573 saml2::Assertion *assertion;
575 if (authenticated != NULL)
576 *authenticated = false;
577 if (complete != NULL)
581 if (!getAssertion(authenticated, &assertion) ||
582 assertion->getAttributeStatements().size() == 0)
585 /* Check the attribute name consists of name format | whsp | name */
586 BaseRefVectorOf<XMLCh> *components = decomposeAttributeName(attr);
587 if (components == NULL)
590 /* For each attribute statement, look for an attribute match */
591 const vector <saml2::AttributeStatement *> &statements =
592 const_cast<const saml2::Assertion *>(assertion)->getAttributeStatements();
593 const saml2::Attribute *ret = NULL;
595 for (vector<saml2::AttributeStatement *>::const_iterator s = statements.begin();
596 s != statements.end();
598 const vector<saml2::Attribute *> &attrs =
599 const_cast<const saml2::AttributeStatement*>(*s)->getAttributes();
601 for (vector<saml2::Attribute *>::const_iterator a = attrs.begin(); a != attrs.end(); ++a) {
602 const XMLCh *attributeName, *attributeNameFormat;
604 attributeName = (*a)->getName();
605 attributeNameFormat = (*a)->getNameFormat();
606 if (attributeNameFormat == NULL || attributeNameFormat[0] == '\0')
607 attributeNameFormat = saml2::Attribute::UNSPECIFIED;
609 if (XMLString::equals(attributeNameFormat, components->elementAt(0)) &&
610 XMLString::equals(attributeName, components->elementAt(1))) {
624 return (ret != NULL);
628 isBase64EncodedAttributeValueP(const saml2::AttributeValue *av)
630 const xmltooling::QName *type = av->getSchemaType();
635 if (!type->hasNamespaceURI() ||
636 !XMLString::equals(type->getNamespaceURI(), xmlconstants::XSD_NS))
639 if (!type->hasLocalPart() ||
640 !XMLString::equals(type->getLocalPart(), base64Binary))
647 gss_eap_saml_attr_provider::getAttribute(const gss_buffer_t attr,
651 gss_buffer_t display_value,
654 const saml2::Attribute *a;
655 const saml2::AttributeValue *av;
656 int nvalues, i = *more;
660 if (!getAttribute(attr, authenticated, complete, &a))
663 nvalues = a->getAttributeValues().size();
670 av = (const saml2::AttributeValue *)((void *)(a->getAttributeValues().at(i)));
672 av = dynamic_cast<const saml2::AttributeValue *>(a->getAttributeValues().at(i));
675 bool base64Encoded = isBase64EncodedAttributeValueP(av);
678 char *stringValue = toUTF8(av->getTextContent(), true);
679 size_t stringValueLen = strlen(stringValue);
684 value->value = GSSEAP_MALLOC(stringValueLen);
685 if (value->value == NULL) {
686 GSSEAP_FREE(stringValue);
687 throw new std::bad_alloc;
690 octetLen = base64Decode(stringValue, value->value);
692 GSSEAP_FREE(value->value);
693 GSSEAP_FREE(stringValue);
697 value->length = octetLen;
698 GSSEAP_FREE(stringValue);
700 value->value = stringValue;
701 value->length = stringValueLen;
704 if (display_value != NULL && base64Encoded == false) {
705 display_value->value = toUTF8(av->getTextContent(), true);
706 display_value->length = strlen((char *)display_value->value);
717 gss_eap_saml_attr_provider::mapToAny(int authenticated GSSEAP_UNUSED,
718 gss_buffer_t type_id GSSEAP_UNUSED) const
720 return (gss_any_t)NULL;
724 gss_eap_saml_attr_provider::releaseAnyNameMapping(gss_buffer_t type_id GSSEAP_UNUSED,
725 gss_any_t input GSSEAP_UNUSED) const
730 gss_eap_saml_attr_provider::prefix(void) const
732 return "urn:ietf:params:gss:federated-saml-attribute";
736 gss_eap_saml_attr_provider::init(void)
738 gss_eap_attr_ctx::registerProvider(ATTR_TYPE_SAML, createAttrContext);
743 gss_eap_saml_attr_provider::finalize(void)
745 gss_eap_attr_ctx::unregisterProvider(ATTR_TYPE_SAML);
748 gss_eap_attr_provider *
749 gss_eap_saml_attr_provider::createAttrContext(void)
751 return new gss_eap_saml_attr_provider;
755 gssEapSamlAttrProvidersInit(OM_uint32 *minor)
757 if (!gss_eap_saml_assertion_provider::init() ||
758 !gss_eap_saml_attr_provider::init()) {
759 *minor = GSSEAP_SAML_INIT_FAILURE;
760 return GSS_S_FAILURE;
763 return GSS_S_COMPLETE;
767 gssEapSamlAttrProvidersFinalize(OM_uint32 *minor)
769 gss_eap_saml_attr_provider::finalize();
770 gss_eap_saml_assertion_provider::finalize();
773 return GSS_S_COMPLETE;