projects / mech_eap.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
some fixes for attribute handling
[mech_eap.git] / util_saml.cpp
1 /*
2  * Copyright (c) 2010, JANET(UK)
3  * All rights reserved.
4  *
5  * Redistribution and use in source and binary forms, with or without
6  * modification, are permitted provided that the following conditions
7  * are met:
8  *
9  * 1. Redistributions of source code must retain the above copyright
10  *    notice, this list of conditions and the following disclaimer.
11  *
12  * 2. Redistributions in binary form must reproduce the above copyright
13  *    notice, this list of conditions and the following disclaimer in the
14  *    documentation and/or other materials provided with the distribution.
15  *
16  * 3. Neither the name of JANET(UK) nor the names of its contributors
17  *    may be used to endorse or promote products derived from this software
18  *    without specific prior written permission.
19  *
20  * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
21  * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
22  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
23  * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
24  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
25  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
26  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
27  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
28  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
29  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
30  * SUCH DAMAGE.
31  */
32
33 #include "gssapiP_eap.h"
34
35 #include <sstream>
36
37 #include <xercesc/util/XMLUniDefs.hpp>
38 #include <xmltooling/XMLToolingConfig.h>
39 #include <xmltooling/util/XMLHelper.h>
40
41 #include <saml/saml1/core/Assertions.h>
42 #include <saml/saml2/core/Assertions.h>
43 #include <saml/saml2/metadata/Metadata.h>
44
45 using namespace xmltooling;
46 using namespace opensaml::saml2md;
47 using namespace opensaml;
48 using namespace xercesc;
49 using namespace std;
50
51 /*
52  * gss_eap_saml_assertion_provider is for retrieving the underlying
53  * assertion.
54  */
55 gss_eap_saml_assertion_provider::gss_eap_saml_assertion_provider(void)
56 {
57     m_assertion = NULL;
58     m_authenticated = false;
59 }
60
61 gss_eap_saml_assertion_provider::~gss_eap_saml_assertion_provider(void)
62 {
63     delete m_assertion;
64 }
65
66 bool
67 gss_eap_saml_assertion_provider::initFromExistingContext(const gss_eap_attr_ctx *manager,
68                                                          const gss_eap_attr_provider *ctx)
69 {
70     /* Then we may be creating from an existing attribute context */
71     const gss_eap_saml_assertion_provider *saml;
72
73     assert(m_assertion == NULL);
74
75     if (!gss_eap_attr_provider::initFromExistingContext(manager, ctx))
76         return false;
77
78     saml = static_cast<const gss_eap_saml_assertion_provider *>(ctx);
79     setAssertion(saml->getAssertion(), saml->authenticated());
80
81     return true;
82 }
83
84 bool
85 gss_eap_saml_assertion_provider::initFromGssContext(const gss_eap_attr_ctx *manager,
86                                                     const gss_cred_id_t gssCred,
87                                                     const gss_ctx_id_t gssCtx)
88 {
89     const gss_eap_radius_attr_provider *radius;
90     gss_buffer_desc value = GSS_C_EMPTY_BUFFER;
91     int authenticated, complete;
92     OM_uint32 minor;
93
94     assert(m_assertion == NULL);
95
96     if (!gss_eap_attr_provider::initFromGssContext(manager, gssCred, gssCtx))
97         return false;
98
99     radius = static_cast<const gss_eap_radius_attr_provider *>
100         (m_manager->getProvider(ATTR_TYPE_RADIUS));
101     if (radius != NULL &&
102         radius->getFragmentedAttribute(RADIUS_VENDOR_ATTR_GSS_EAP_SAML_AAA_ASSERTION,
103                                        RADIUS_VENDOR_ID_GSS_EAP,
104                                        &authenticated, &complete, &value)) {
105         setAssertion(&value, authenticated);
106         gss_release_buffer(&minor, &value);
107     } else {
108         m_assertion = NULL;
109     }
110
111     return true;
112 }
113
114 void
115 gss_eap_saml_assertion_provider::setAssertion(const saml2::Assertion *assertion,
116                                               bool authenticated)
117 {
118
119     delete m_assertion;
120
121     if (assertion != NULL) {
122 #if 0
123         m_assertion = dynamic_cast<saml2::Assertion *>(assertion->clone());
124 #else
125         m_assertion = (saml2::Assertion *)((void *)assertion->clone());
126 #endif
127         m_authenticated = authenticated;
128     } else {
129         m_assertion = NULL;
130         m_authenticated = false;
131     }
132 }
133
134 void
135 gss_eap_saml_assertion_provider::setAssertion(const gss_buffer_t buffer,
136                                               bool authenticated)
137 {
138     delete m_assertion;
139
140     m_assertion = parseAssertion(buffer);
141     m_authenticated = (m_assertion != NULL && authenticated);
142 }
143
144 saml2::Assertion *
145 gss_eap_saml_assertion_provider::parseAssertion(const gss_buffer_t buffer)
146 {
147     string str((char *)buffer->value, buffer->length);
148     istringstream istream(str);
149     DOMDocument *doc;
150     const XMLObjectBuilder *b;
151
152     doc = XMLToolingConfig::getConfig().getParser().parse(istream);
153     if (doc == NULL)
154         return NULL;
155
156     b = XMLObjectBuilder::getBuilder(doc->getDocumentElement());
157
158 #if 0
159     return dynamic_cast<saml2::Assertion *>(b->buildFromDocument(doc));
160 #else
161     return (saml2::Assertion *)((void *)b->buildFromDocument(doc));
162 #endif
163 }
164
165 bool
166 gss_eap_saml_assertion_provider::getAttributeTypes(gss_eap_attr_enumeration_cb addAttribute,
167                                                    void *data) const
168 {
169     bool ret;
170
171     /* just add the prefix */
172     if (m_assertion != NULL)
173         ret = addAttribute(this, GSS_C_NO_BUFFER, data);
174     else
175         ret = true;
176
177     return ret;
178 }
179
180 void
181 gss_eap_saml_assertion_provider::setAttribute(int complete,
182                                               const gss_buffer_t attr,
183                                               const gss_buffer_t value)
184 {
185     if (attr == GSS_C_NO_BUFFER || attr->length == 0) {
186         setAssertion(value);
187     }
188 }
189
190 void
191 gss_eap_saml_assertion_provider::deleteAttribute(const gss_buffer_t value)
192 {
193     delete m_assertion;
194     m_assertion = NULL;
195     m_authenticated = false;
196 }
197
198 time_t
199 gss_eap_saml_assertion_provider::getExpiryTime(void) const
200 {
201     saml2::Conditions *conditions;
202     time_t expiryTime = 0;
203
204     if (m_assertion == NULL)
205         return 0;
206
207     conditions = m_assertion->getConditions();
208
209     if (conditions != NULL && conditions->getNotOnOrAfter() != NULL)
210         expiryTime = conditions->getNotOnOrAfter()->getEpoch();
211
212     return expiryTime;
213 }
214
215 bool
216 gss_eap_saml_assertion_provider::getAttribute(const gss_buffer_t attr,
217                                               int *authenticated,
218                                               int *complete,
219                                               gss_buffer_t value,
220                                               gss_buffer_t display_value,
221                                               int *more) const
222 {
223     string str;
224
225     if (attr != GSS_C_NO_BUFFER && attr->length != 0)
226         return false;
227
228     if (m_assertion == NULL)
229         return false;
230
231     if (*more != -1)
232         return false;
233
234     if (authenticated != NULL)
235         *authenticated = m_authenticated;
236     if (complete != NULL)
237         *complete = true;
238
239     XMLHelper::serialize(m_assertion->marshall((DOMDocument *)NULL), str);
240
241     duplicateBuffer(str, value);
242     *more = 0;
243
244     return true;
245 }
246
247 gss_any_t
248 gss_eap_saml_assertion_provider::mapToAny(int authenticated,
249                                           gss_buffer_t type_id) const
250 {
251     if (authenticated && !m_authenticated)
252         return (gss_any_t)NULL;
253
254     return (gss_any_t)m_assertion;
255 }
256
257 void
258 gss_eap_saml_assertion_provider::releaseAnyNameMapping(gss_buffer_t type_id,
259                                                        gss_any_t input) const
260 {
261     delete ((saml2::Assertion *)input);
262 }
263
264 void
265 gss_eap_saml_assertion_provider::exportToBuffer(gss_buffer_t buffer) const
266 {
267     ostringstream sink;
268     string str;
269
270     buffer->length = 0;
271     buffer->value = NULL;
272
273     if (m_assertion == NULL)
274         return;
275
276     sink << *m_assertion;
277     str = sink.str();
278
279     duplicateBuffer(str, buffer);
280 }
281
282 bool
283 gss_eap_saml_assertion_provider::initFromBuffer(const gss_eap_attr_ctx *ctx,
284                                                 const gss_buffer_t buffer)
285 {
286     if (!gss_eap_attr_provider::initFromBuffer(ctx, buffer))
287         return false;
288
289     if (buffer->length == 0)
290         return true;
291
292     assert(m_assertion == NULL);
293
294     setAssertion(buffer);
295     /* TODO XXX how to propagate authenticated flag? */
296
297     return true;
298 }
299
300 bool
301 gss_eap_saml_assertion_provider::init(void)
302 {
303     gss_eap_attr_ctx::registerProvider(ATTR_TYPE_SAML_ASSERTION,
304                                        "urn:ietf:params:gss-eap:saml-aaa-assertion",
305                                        gss_eap_saml_assertion_provider::createAttrContext);
306     return true;
307 }
308
309 void
310 gss_eap_saml_assertion_provider::finalize(void)
311 {
312     gss_eap_attr_ctx::unregisterProvider(ATTR_TYPE_SAML_ASSERTION);
313 }
314
315 gss_eap_attr_provider *
316 gss_eap_saml_assertion_provider::createAttrContext(void)
317 {
318     return new gss_eap_saml_assertion_provider;
319 }
320
321 /*
322  * gss_eap_saml_attr_provider is for retrieving the underlying attributes.
323  */
324 bool
325 gss_eap_saml_attr_provider::getAssertion(int *authenticated,
326                                          const saml2::Assertion **pAssertion) const
327 {
328     const gss_eap_saml_assertion_provider *saml;
329
330     if (authenticated != NULL)
331         *authenticated = false;
332     if (pAssertion != NULL)
333         *pAssertion = NULL;
334
335     saml = static_cast<const gss_eap_saml_assertion_provider *>
336         (m_manager->getProvider(ATTR_TYPE_SAML_ASSERTION));
337     if (saml == NULL)
338         return false;
339
340     if (authenticated != NULL)
341         *authenticated = saml->authenticated();
342     if (pAssertion != NULL)
343         *pAssertion = saml->getAssertion();
344
345     return (saml->getAssertion() != NULL);
346 }
347
348 bool
349 gss_eap_saml_attr_provider::getAttributeTypes(gss_eap_attr_enumeration_cb addAttribute,
350                                               void *data) const
351 {
352     const saml2::Assertion *assertion;
353     bool ret = true;
354     int authenticated;
355
356     if (!getAssertion(&authenticated, &assertion))
357         return true;
358
359     /*
360      * Note: the first prefix is added by the attribute provider manager
361      *
362      * From draft-hartman-gss-eap-naming-00:
363      *
364      *   Each attribute carried in the assertion SHOULD also be a GSS name
365      *   attribute.  The name of this attribute has three parts, all separated
366      *   by an ASCII space character.  The first part is
367      *   urn:ietf:params:gss-eap:saml-attr.  The second part is the URI for
368      *   the SAML attribute name format.  The final part is the name of the
369      *   SAML attribute.  If the mechanism performs an additional attribute
370      *   query, the retrieved attributes SHOULD be GSS-API name attributes
371      *   using the same name syntax.
372      */
373     const vector<saml2::Attribute*>& attrs2 =
374         const_cast<const saml2::AttributeStatement*>(assertion->getAttributeStatements().front())->getAttributes();
375     for (vector<saml2::Attribute*>::const_iterator a = attrs2.begin();
376         a != attrs2.end();
377         ++a)
378     {
379         const XMLCh *attributeName = (*a)->getName();
380         const XMLCh *attributeNameFormat = (*a)->getNameFormat();
381         XMLCh *qualifiedName;
382         XMLCh space[2] = { ' ', 0 };
383         gss_buffer_desc utf8;
384
385         qualifiedName = new XMLCh[XMLString::stringLen(attributeNameFormat) + 1 +
386                                   XMLString::stringLen(attributeName) + 1];
387         XMLString::copyString(qualifiedName, attributeNameFormat);
388         XMLString::catString(qualifiedName, space);
389         XMLString::catString(qualifiedName, attributeName);
390
391         utf8.value = (void *)toUTF8(qualifiedName);
392         utf8.length = strlen((char *)utf8.value);
393
394         ret = addAttribute(this, &utf8, data);
395
396         delete qualifiedName;
397
398         if (!ret)
399             break;
400     }
401
402     return ret;
403 }
404
405 void
406 gss_eap_saml_attr_provider::setAttribute(int complete,
407                                          const gss_buffer_t attr,
408                                          const gss_buffer_t value)
409 {
410 }
411
412 void
413 gss_eap_saml_attr_provider::deleteAttribute(const gss_buffer_t value)
414 {
415 }
416
417 static BaseRefVectorOf<XMLCh> *
418 decomposeAttributeName(const gss_buffer_t attr)
419 {
420     XMLCh *qualifiedAttr = new XMLCh[attr->length + 1];
421     XMLString::transcode((const char *)attr->value, qualifiedAttr, attr->length);
422
423     BaseRefVectorOf<XMLCh> *components = XMLString::tokenizeString(qualifiedAttr);
424
425     delete qualifiedAttr;
426
427     return components;
428 }
429
430 bool
431 gss_eap_saml_attr_provider::getAttribute(const gss_buffer_t attr,
432                                          int *authenticated,
433                                          int *complete,
434                                          const saml2::Attribute **pAttribute) const
435 {
436     const saml2::Assertion *assertion;
437
438     if (authenticated != NULL)
439         *authenticated = false;
440     if (complete != NULL)
441         *complete = true;
442     *pAttribute = NULL;
443
444     if (!getAssertion(authenticated, &assertion) ||
445         assertion->getAttributeStatements().size() == 0)
446         return false;
447
448     /* Check the attribute name consists of name format | whsp | name */
449     BaseRefVectorOf<XMLCh> *components = decomposeAttributeName(attr);
450     if (components == NULL || components->size() != 2) {
451         delete components;
452         return false;
453     }
454
455     /* For each attribute statement, look for an attribute match */
456     const vector <saml2::AttributeStatement *>&statements =
457         assertion->getAttributeStatements();
458     const saml2::Attribute *ret = NULL;
459
460     for (vector<saml2::AttributeStatement *>::const_iterator s = statements.begin();
461         s != statements.end();
462         ++s) {
463         const vector<saml2::Attribute*>& attrs =
464             const_cast<const saml2::AttributeStatement*>(*s)->getAttributes();
465
466         for (vector<saml2::Attribute*>::const_iterator a = attrs.begin(); a != attrs.end(); ++a) {
467             if (XMLString::equals((*a)->getNameFormat(), components->elementAt(0)) &&
468                 XMLString::equals((*a)->getName(), components->elementAt(1))) {
469                 ret = *a;
470                 break;
471             }
472         }
473
474         if (ret != NULL)
475             break;
476     }
477
478     delete components;
479
480     *pAttribute = ret;
481
482     return (ret != NULL);
483 }
484
485 bool
486 gss_eap_saml_attr_provider::getAttribute(const gss_buffer_t attr,
487                                          int *authenticated,
488                                          int *complete,
489                                          gss_buffer_t value,
490                                          gss_buffer_t display_value,
491                                          int *more) const
492 {
493     const saml2::Attribute *a;
494     const saml2::AttributeValue *av;
495     int nvalues, i = *more;
496
497     *more = 0;
498
499     if (!getAttribute(attr, authenticated, complete, &a))
500         return false;
501
502     nvalues = a->getAttributeValues().size();
503
504     if (i == -1)
505         i = 0;
506     else if (i >= nvalues)
507         return false;
508 #if 0
509     av = dynamic_cast<const saml2::AttributeValue *>(a->getAttributeValues().at(i));
510 #else
511     av = (const saml2::AttributeValue *)((void *)(a->getAttributeValues().at(i)));
512 #endif
513     if (av != NULL) {
514         if (value != NULL) {
515             value->value = toUTF8(av->getTextContent(), true);
516             value->length = strlen((char *)value->value);
517         }
518         if (display_value != NULL) {
519             display_value->value = toUTF8(av->getTextContent(), true);
520             display_value->length = strlen((char *)value->value);
521         }
522     }
523
524     if (nvalues > ++i)
525         *more = i;
526
527     return true;
528 }
529
530 gss_any_t
531 gss_eap_saml_attr_provider::mapToAny(int authenticated,
532                                      gss_buffer_t type_id) const
533 {
534     return (gss_any_t)NULL;
535 }
536
537 void
538 gss_eap_saml_attr_provider::releaseAnyNameMapping(gss_buffer_t type_id,
539                                                   gss_any_t input) const
540 {
541 }
542
543 void
544 gss_eap_saml_attr_provider::exportToBuffer(gss_buffer_t buffer) const
545 {
546     buffer->length = 0;
547     buffer->value = NULL;
548 }
549
550 bool
551 gss_eap_saml_attr_provider::initFromBuffer(const gss_eap_attr_ctx *ctx,
552                                            const gss_buffer_t buffer)
553 {
554     return gss_eap_attr_provider::initFromBuffer(ctx, buffer);
555 }
556
557 bool
558 gss_eap_saml_attr_provider::init(void)
559 {
560     gss_eap_attr_ctx::registerProvider(ATTR_TYPE_SAML,
561                                        "urn:ietf:params:gss-eap:saml-attr",
562                                        gss_eap_saml_attr_provider::createAttrContext);
563     return true;
564 }
565
566 void
567 gss_eap_saml_attr_provider::finalize(void)
568 {
569     gss_eap_attr_ctx::unregisterProvider(ATTR_TYPE_SAML);
570 }
571
572 gss_eap_attr_provider *
573 gss_eap_saml_attr_provider::createAttrContext(void)
574 {
575     return new gss_eap_saml_attr_provider;
576 }
577
578 OM_uint32
579 gssEapSamlAttrProvidersInit(OM_uint32 *minor)
580 {
581     if (gss_eap_saml_assertion_provider::init() &&
582         gss_eap_saml_attr_provider::init())
583         return GSS_S_COMPLETE;
584
585     return GSS_S_FAILURE;
586 }
587
588 OM_uint32
589 gssEapSamlAttrProvidersFinalize(OM_uint32 *minor)
590 {
591     gss_eap_saml_attr_provider::finalize();
592     gss_eap_saml_assertion_provider::finalize();
593     return GSS_S_COMPLETE;
594 }
Moonshot GSS-API mechanism