projects / mech_eap.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
allow authenticated/complete to be optional
[mech_eap.git] / util_saml.cpp
1 /*
2  * Copyright (c) 2010, JANET(UK)
3  * All rights reserved.
4  *
5  * Redistribution and use in source and binary forms, with or without
6  * modification, are permitted provided that the following conditions
7  * are met:
8  *
9  * 1. Redistributions of source code must retain the above copyright
10  *    notice, this list of conditions and the following disclaimer.
11  *
12  * 2. Redistributions in binary form must reproduce the above copyright
13  *    notice, this list of conditions and the following disclaimer in the
14  *    documentation and/or other materials provided with the distribution.
15  *
16  * 3. Neither the name of JANET(UK) nor the names of its contributors
17  *    may be used to endorse or promote products derived from this software
18  *    without specific prior written permission.
19  *
20  * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
21  * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
22  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
23  * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
24  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
25  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
26  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
27  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
28  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
29  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
30  * SUCH DAMAGE.
31  */
32
33 #include "gssapiP_eap.h"
34
35 #include <sstream>
36
37 #include <xercesc/util/XMLUniDefs.hpp>
38 #include <xmltooling/XMLToolingConfig.h>
39 #include <xmltooling/util/XMLHelper.h>
40
41 #include <saml/saml1/core/Assertions.h>
42 #include <saml/saml2/core/Assertions.h>
43 #include <saml/saml2/metadata/Metadata.h>
44
45 using namespace xmltooling;
46 using namespace opensaml::saml2md;
47 using namespace opensaml;
48 using namespace xercesc;
49 using namespace std;
50
51 /*
52  * gss_eap_saml_assertion_provider is for retrieving the underlying
53  * assertion.
54  */
55 bool
56 gss_eap_saml_assertion_provider::initFromExistingContext(const gss_eap_attr_ctx *manager,
57                                                          const gss_eap_attr_provider *ctx)
58 {
59     /* Then we may be creating from an existing attribute context */
60     const gss_eap_saml_assertion_provider *saml;
61
62     assert(m_assertion == NULL);
63
64     if (!gss_eap_attr_provider::initFromExistingContext(manager, ctx))
65         return false;
66
67     saml = static_cast<const gss_eap_saml_assertion_provider *>(ctx);
68     setAssertion(saml->getAssertion(), saml->authenticated());
69
70     return true;
71 }
72
73 bool
74 gss_eap_saml_assertion_provider::initFromGssContext(const gss_eap_attr_ctx *manager,
75                                                     const gss_cred_id_t gssCred,
76                                                     const gss_ctx_id_t gssCtx)
77 {
78     const gss_eap_radius_attr_provider *radius;
79     gss_buffer_desc value = GSS_C_EMPTY_BUFFER;
80     int authenticated, complete, more = -1;
81     OM_uint32 minor;
82
83     assert(m_assertion == NULL);
84
85     if (!gss_eap_attr_provider::initFromGssContext(manager, gssCred, gssCtx))
86         return false;
87
88     radius = static_cast<const gss_eap_radius_attr_provider *>
89         (m_manager->getProvider(ATTR_TYPE_RADIUS));
90     if (radius != NULL &&
91         radius->getAttribute(PW_SAML_ASSERTION, &authenticated, &complete,
92                              &value, NULL, &more)) {
93         setAssertion(&value, authenticated);
94         gss_release_buffer(&minor, &value);
95     } else {
96         m_assertion = NULL;
97     }
98
99     return true;
100 }
101
102 gss_eap_saml_assertion_provider::~gss_eap_saml_assertion_provider(void)
103 {
104     delete m_assertion;
105 }
106
107 void
108 gss_eap_saml_assertion_provider::setAssertion(const saml2::Assertion *assertion,
109                                               bool authenticated)
110 {
111
112     delete m_assertion;
113
114     if (assertion != NULL) {
115         m_assertion = dynamic_cast<saml2::Assertion *>(assertion->clone());
116         m_authenticated = authenticated;
117     } else {
118         m_assertion = NULL;
119         m_authenticated = false;
120     }
121 }
122
123 void
124 gss_eap_saml_assertion_provider::setAssertion(const gss_buffer_t buffer,
125                                               bool authenticated)
126 {
127     delete m_assertion;
128
129     m_assertion = parseAssertion(buffer);
130     m_authenticated = (m_assertion != NULL && authenticated);
131 }
132
133 saml2::Assertion *
134 gss_eap_saml_assertion_provider::parseAssertion(const gss_buffer_t buffer)
135 {
136     string str((char *)buffer->value, buffer->length);
137     istringstream istream(str);
138     DOMDocument *doc;
139     const XMLObjectBuilder *b;
140
141     doc = XMLToolingConfig::getConfig().getParser().parse(istream);
142     b = XMLObjectBuilder::getBuilder(doc->getDocumentElement());
143
144     return dynamic_cast<saml2::Assertion *>(b->buildFromDocument(doc));
145 }
146
147 bool
148 gss_eap_saml_assertion_provider::getAttributeTypes(gss_eap_attr_enumeration_cb addAttribute,
149                                                    void *data) const
150 {
151     /* just add the prefix */
152     return addAttribute(this, GSS_C_NO_BUFFER, data);
153 }
154
155 void
156 gss_eap_saml_assertion_provider::setAttribute(int complete,
157                                               const gss_buffer_t attr,
158                                               const gss_buffer_t value)
159 {
160     if (attr == GSS_C_NO_BUFFER || attr->length == 0) {
161         setAssertion(value);
162     }
163 }
164
165 void
166 gss_eap_saml_assertion_provider::deleteAttribute(const gss_buffer_t value)
167 {
168     delete m_assertion;
169     m_assertion = NULL;
170     m_authenticated = false;
171 }
172
173 bool
174 gss_eap_saml_assertion_provider::getAttribute(const gss_buffer_t attr,
175                                               int *authenticated,
176                                               int *complete,
177                                               gss_buffer_t value,
178                                               gss_buffer_t display_value,
179                                               int *more) const
180 {
181     string str;
182
183     if (attr != GSS_C_NO_BUFFER || attr->length != 0)
184         return false;
185
186     if (m_assertion == NULL)
187         return false;
188
189     if (*more != -1)
190         return false;
191
192     if (authenticated != NULL)
193         *authenticated = m_authenticated;
194     if (complete != NULL)
195         *complete = true;
196
197     XMLHelper::serialize(m_assertion->marshall((DOMDocument *)NULL), str);
198
199     duplicateBuffer(str, value);
200     *more = 0;
201
202     return true;
203 }
204
205 gss_any_t
206 gss_eap_saml_assertion_provider::mapToAny(int authenticated,
207                                           gss_buffer_t type_id) const
208 {
209     return (gss_any_t)m_assertion;
210 }
211
212 void
213 gss_eap_saml_assertion_provider::releaseAnyNameMapping(gss_buffer_t type_id,
214                                                        gss_any_t input) const
215 {
216     delete ((saml2::Assertion *)input);
217 }
218
219 void
220 gss_eap_saml_assertion_provider::exportToBuffer(gss_buffer_t buffer) const
221 {
222     ostringstream sink;
223     string str;
224
225     buffer->length = 0;
226     buffer->value = NULL;
227
228     if (m_assertion == NULL)
229         return;
230
231     sink << *m_assertion;
232     str = sink.str();
233
234     duplicateBuffer(str, buffer);
235 }
236
237 bool
238 gss_eap_saml_assertion_provider::initFromBuffer(const gss_eap_attr_ctx *ctx,
239                                                 const gss_buffer_t buffer)
240 {
241     if (!gss_eap_attr_provider::initFromBuffer(ctx, buffer))
242         return false;
243
244     if (buffer->length == 0)
245         return true;
246
247     assert(m_assertion == NULL);
248
249     setAssertion(buffer);
250     /* TODO XXX how to propagate authenticated flag? */
251
252     return true;
253 }
254
255 bool
256 gss_eap_saml_assertion_provider::init(void)
257 {
258     gss_eap_attr_ctx::registerProvider(ATTR_TYPE_SAML_ASSERTION,
259                                        "urn:ietf:params:gss-eap:saml-aaa-assertion",
260                                        gss_eap_saml_assertion_provider::createAttrContext);
261     return true;
262 }
263
264 void
265 gss_eap_saml_assertion_provider::finalize(void)
266 {
267     gss_eap_attr_ctx::unregisterProvider(ATTR_TYPE_SAML_ASSERTION);
268 }
269
270 gss_eap_attr_provider *
271 gss_eap_saml_assertion_provider::createAttrContext(void)
272 {
273     return new gss_eap_saml_assertion_provider;
274 }
275
276 /*
277  * gss_eap_saml_attr_provider is for retrieving the underlying attributes.
278  */
279 bool
280 gss_eap_saml_attr_provider::getAssertion(int *authenticated,
281                                          const saml2::Assertion **pAssertion) const
282 {
283     const gss_eap_saml_assertion_provider *saml;
284
285     if (authenticated != NULL)
286         *authenticated = false;
287     if (pAssertion != NULL)
288         *pAssertion = NULL;
289
290     saml = static_cast<const gss_eap_saml_assertion_provider *>
291         (m_manager->getProvider(ATTR_TYPE_SAML_ASSERTION));
292     if (saml == NULL)
293         return false;
294
295     if (authenticated != NULL)
296         *authenticated = saml->authenticated();
297     if (pAssertion != NULL)
298         *pAssertion = saml->getAssertion();
299
300     return (saml->getAssertion() != NULL);
301 }
302
303 gss_eap_saml_attr_provider::~gss_eap_saml_attr_provider(void)
304 {
305     /* Nothing to do, we're just a wrapper around the assertion provider. */
306 }
307
308 bool
309 gss_eap_saml_attr_provider::getAttributeTypes(gss_eap_attr_enumeration_cb addAttribute,
310                                               void *data) const
311 {
312     const saml2::Assertion *assertion;
313     bool ret = true;
314     int authenticated;
315
316     if (!getAssertion(&authenticated, &assertion))
317         return true;
318
319     /*
320      * Note: the first prefix is added by the attribute provider manager
321      *
322      * From draft-hartman-gss-eap-naming-00:
323      *
324      *   Each attribute carried in the assertion SHOULD also be a GSS name
325      *   attribute.  The name of this attribute has three parts, all separated
326      *   by an ASCII space character.  The first part is
327      *   urn:ietf:params:gss-eap:saml-attr.  The second part is the URI for
328      *   the SAML attribute name format.  The final part is the name of the
329      *   SAML attribute.  If the mechanism performs an additional attribute
330      *   query, the retrieved attributes SHOULD be GSS-API name attributes
331      *   using the same name syntax.
332      */
333     const vector<saml2::Attribute*>& attrs2 =
334         const_cast<const saml2::AttributeStatement*>(assertion->getAttributeStatements().front())->getAttributes();
335     for (vector<saml2::Attribute*>::const_iterator a = attrs2.begin();
336         a != attrs2.end();
337         ++a)
338     {
339         const XMLCh *attributeName = (*a)->getName();
340         const XMLCh *attributeNameFormat = (*a)->getNameFormat();
341         XMLCh *qualifiedName;
342         XMLCh space[2] = { ' ', 0 };
343         gss_buffer_desc utf8;
344
345         qualifiedName = new XMLCh[XMLString::stringLen(attributeName) + 1 +
346                                   XMLString::stringLen(attributeNameFormat) + 1];
347         XMLString::copyString(qualifiedName, attributeName);
348         XMLString::catString(qualifiedName, space);
349         XMLString::catString(qualifiedName, attributeNameFormat);
350
351         utf8.value = (void *)toUTF8(qualifiedName);
352         utf8.length = strlen((char *)utf8.value);
353
354         ret = addAttribute(this, &utf8, data);
355
356         delete qualifiedName;
357
358         if (!ret)
359             break;
360     }
361
362     return ret;
363 }
364
365 void
366 gss_eap_saml_attr_provider::setAttribute(int complete,
367                                          const gss_buffer_t attr,
368                                          const gss_buffer_t value)
369 {
370 }
371
372 void
373 gss_eap_saml_attr_provider::deleteAttribute(const gss_buffer_t value)
374 {
375 }
376
377 static BaseRefVectorOf<XMLCh> *
378 decomposeAttributeName(const gss_buffer_t attr)
379 {
380     XMLCh *qualifiedAttr = new XMLCh[attr->length + 1];
381     XMLString::transcode((const char *)attr->value, qualifiedAttr, attr->length);
382
383     BaseRefVectorOf<XMLCh> *components = XMLString::tokenizeString(qualifiedAttr);
384
385     delete qualifiedAttr;
386
387     return components;
388 }
389
390 bool
391 gss_eap_saml_attr_provider::getAttribute(const gss_buffer_t attr,
392                                          int *authenticated,
393                                          int *complete,
394                                          const saml2::Attribute **pAttribute) const
395 {
396     const saml2::Assertion *assertion;
397
398     if (authenticated != NULL)
399         *authenticated = false;
400     if (complete != NULL)
401         *complete = true;
402     *pAttribute = NULL;
403
404     if (!getAssertion(authenticated, &assertion) ||
405         assertion->getAttributeStatements().size() == 0)
406         return false;
407
408     /* Check the attribute name consists of name format | whsp | name */
409     BaseRefVectorOf<XMLCh> *components = decomposeAttributeName(attr);
410     if (components == NULL || components->size() != 2) {
411         delete components;
412         return false;
413     }
414
415     /* For each attribute statement, look for an attribute match */
416     const vector <saml2::AttributeStatement *>&statements =
417         assertion->getAttributeStatements();
418     const saml2::Attribute *ret = NULL;
419
420     for (vector<saml2::AttributeStatement *>::const_iterator s = statements.begin();
421         s != statements.end();
422         ++s) {
423         const vector<saml2::Attribute*>& attrs =
424             const_cast<const saml2::AttributeStatement*>(*s)->getAttributes();
425
426         for (vector<saml2::Attribute*>::const_iterator a = attrs.begin(); a != attrs.end(); ++a) {
427             if (XMLString::equals((*a)->getNameFormat(), components->elementAt(0)) &&
428                 XMLString::equals((*a)->getName(), components->elementAt(1))) {
429                 ret = *a;
430                 break;
431             }
432         }
433
434         if (ret != NULL)
435             break;
436     }
437
438     delete components;
439
440     *pAttribute = ret;
441
442     return (ret != NULL);
443 }
444
445 bool
446 gss_eap_saml_attr_provider::getAttribute(const gss_buffer_t attr,
447                                          int *authenticated,
448                                          int *complete,
449                                          gss_buffer_t value,
450                                          gss_buffer_t display_value,
451                                          int *more) const
452 {
453     const saml2::Attribute *a;
454     const saml2::AttributeValue *av;
455     int nvalues, i = *more;
456
457     *more = 0;
458
459     if (!getAttribute(attr, authenticated, complete, &a))
460         return false;
461
462     nvalues = a->getAttributeValues().size();
463
464     if (i == -1)
465         i = 0;
466     else if (i >= nvalues)
467         return false;
468     av = dynamic_cast<const saml2::AttributeValue *>(a->getAttributeValues().at(i)
469 );
470     if (av != NULL) {
471         if (value != NULL) {
472             value->value = toUTF8(av->getTextContent(), true);
473             value->length = strlen((char *)value->value);
474         }
475         if (display_value != NULL) {
476             display_value->value = toUTF8(av->getTextContent(), true);
477             display_value->length = strlen((char *)value->value);
478         }
479     }
480
481     if (nvalues > ++i)
482         *more = i;
483
484     return true;
485 }
486
487 gss_any_t
488 gss_eap_saml_attr_provider::mapToAny(int authenticated,
489                                      gss_buffer_t type_id) const
490 {
491     return (gss_any_t)NULL;
492 }
493
494 void
495 gss_eap_saml_attr_provider::releaseAnyNameMapping(gss_buffer_t type_id,
496                                                   gss_any_t input) const
497 {
498 }
499
500 void
501 gss_eap_saml_attr_provider::exportToBuffer(gss_buffer_t buffer) const
502 {
503     buffer->length = 0;
504     buffer->value = NULL;
505 }
506
507 bool
508 gss_eap_saml_attr_provider::initFromBuffer(const gss_eap_attr_ctx *ctx,
509                                            const gss_buffer_t buffer)
510 {
511     return gss_eap_attr_provider::initFromBuffer(ctx, buffer);
512 }
513
514 bool
515 gss_eap_saml_attr_provider::init(void)
516 {
517     gss_eap_attr_ctx::registerProvider(ATTR_TYPE_SAML,
518                                        "urn:ietf:params:gss-eap:saml-attr",
519                                        gss_eap_saml_attr_provider::createAttrContext);
520     return true;
521 }
522
523 void
524 gss_eap_saml_attr_provider::finalize(void)
525 {
526     gss_eap_attr_ctx::unregisterProvider(ATTR_TYPE_SAML);
527 }
528
529 gss_eap_attr_provider *
530 gss_eap_saml_attr_provider::createAttrContext(void)
531 {
532     return new gss_eap_saml_attr_provider;
533 }
Moonshot GSS-API mechanism