2 * Copyright (c) 2010, JANET(UK)
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
9 * 1. Redistributions of source code must retain the above copyright
10 * notice, this list of conditions and the following disclaimer.
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in the
14 * documentation and/or other materials provided with the distribution.
16 * 3. Neither the name of JANET(UK) nor the names of its contributors
17 * may be used to endorse or promote products derived from this software
18 * without specific prior written permission.
20 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
21 * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
22 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
23 * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
24 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
25 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
26 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
27 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
28 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
29 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
33 #include "gssapiP_eap.h"
37 #include <xercesc/util/XMLUniDefs.hpp>
38 #include <xmltooling/unicode.h>
39 #include <xmltooling/XMLToolingConfig.h>
40 #include <xmltooling/util/XMLHelper.h>
41 #include <xmltooling/util/ParserPool.h>
42 #include <xmltooling/util/DateTime.h>
44 #include <saml/saml1/core/Assertions.h>
45 #include <saml/saml2/core/Assertions.h>
46 #include <saml/saml2/metadata/Metadata.h>
48 using namespace xmltooling;
49 using namespace opensaml::saml2md;
50 using namespace opensaml;
51 using namespace xercesc;
55 * gss_eap_saml_assertion_provider is for retrieving the underlying
58 gss_eap_saml_assertion_provider::gss_eap_saml_assertion_provider(void)
61 m_authenticated = false;
64 gss_eap_saml_assertion_provider::~gss_eap_saml_assertion_provider(void)
70 gss_eap_saml_assertion_provider::initFromExistingContext(const gss_eap_attr_ctx *manager,
71 const gss_eap_attr_provider *ctx)
73 /* Then we may be creating from an existing attribute context */
74 const gss_eap_saml_assertion_provider *saml;
76 assert(m_assertion == NULL);
78 if (!gss_eap_attr_provider::initFromExistingContext(manager, ctx))
81 saml = static_cast<const gss_eap_saml_assertion_provider *>(ctx);
82 setAssertion(saml->getAssertion(), saml->authenticated());
88 gss_eap_saml_assertion_provider::initFromGssContext(const gss_eap_attr_ctx *manager,
89 const gss_cred_id_t gssCred,
90 const gss_ctx_id_t gssCtx)
92 const gss_eap_radius_attr_provider *radius;
93 gss_buffer_desc value = GSS_C_EMPTY_BUFFER;
94 int authenticated, complete;
97 assert(m_assertion == NULL);
99 if (!gss_eap_attr_provider::initFromGssContext(manager, gssCred, gssCtx))
103 * XXX TODO we need to support draft-howlett-radius-saml-attr-00
105 radius = static_cast<const gss_eap_radius_attr_provider *>
106 (m_manager->getProvider(ATTR_TYPE_RADIUS));
107 if (radius != NULL &&
108 radius->getFragmentedAttribute(PW_SAML_AAA_ASSERTION,
110 &authenticated, &complete, &value)) {
111 setAssertion(&value, authenticated);
112 gss_release_buffer(&minor, &value);
121 gss_eap_saml_assertion_provider::setAssertion(const saml2::Assertion *assertion,
127 if (assertion != NULL) {
129 m_assertion = (saml2::Assertion *)((void *)assertion->clone());
131 m_assertion = dynamic_cast<saml2::Assertion *>(assertion->clone());
133 m_authenticated = authenticated;
136 m_authenticated = false;
141 gss_eap_saml_assertion_provider::setAssertion(const gss_buffer_t buffer,
146 m_assertion = parseAssertion(buffer);
147 m_authenticated = (m_assertion != NULL && authenticated);
151 gss_eap_saml_assertion_provider::parseAssertion(const gss_buffer_t buffer)
153 string str((char *)buffer->value, buffer->length);
154 istringstream istream(str);
156 const XMLObjectBuilder *b;
158 doc = XMLToolingConfig::getConfig().getParser().parse(istream);
162 b = XMLObjectBuilder::getBuilder(doc->getDocumentElement());
165 return (saml2::Assertion *)((void *)b->buildFromDocument(doc));
167 return dynamic_cast<saml2::Assertion *>(b->buildFromDocument(doc));
172 gss_eap_saml_assertion_provider::getAttributeTypes(gss_eap_attr_enumeration_cb addAttribute,
177 /* just add the prefix */
178 if (m_assertion != NULL)
179 ret = addAttribute(this, GSS_C_NO_BUFFER, data);
187 gss_eap_saml_assertion_provider::setAttribute(int complete,
188 const gss_buffer_t attr,
189 const gss_buffer_t value)
191 if (attr == GSS_C_NO_BUFFER || attr->length == 0) {
200 gss_eap_saml_assertion_provider::deleteAttribute(const gss_buffer_t value)
204 m_authenticated = false;
210 gss_eap_saml_assertion_provider::getExpiryTime(void) const
212 saml2::Conditions *conditions;
213 time_t expiryTime = 0;
215 if (m_assertion == NULL)
218 conditions = m_assertion->getConditions();
220 if (conditions != NULL && conditions->getNotOnOrAfter() != NULL)
221 expiryTime = conditions->getNotOnOrAfter()->getEpoch();
227 gss_eap_saml_assertion_provider::getAttribute(const gss_buffer_t attr,
231 gss_buffer_t display_value,
236 if (attr != GSS_C_NO_BUFFER && attr->length != 0)
239 if (m_assertion == NULL)
245 if (authenticated != NULL)
246 *authenticated = m_authenticated;
247 if (complete != NULL)
250 XMLHelper::serialize(m_assertion->marshall((DOMDocument *)NULL), str);
252 duplicateBuffer(str, value);
259 gss_eap_saml_assertion_provider::mapToAny(int authenticated,
260 gss_buffer_t type_id) const
262 if (authenticated && !m_authenticated)
263 return (gss_any_t)NULL;
265 return (gss_any_t)m_assertion;
269 gss_eap_saml_assertion_provider::releaseAnyNameMapping(gss_buffer_t type_id,
270 gss_any_t input) const
272 delete ((saml2::Assertion *)input);
276 gss_eap_saml_assertion_provider::exportToBuffer(gss_buffer_t buffer) const
282 buffer->value = NULL;
284 if (m_assertion == NULL)
287 sink << *m_assertion;
290 duplicateBuffer(str, buffer);
294 gss_eap_saml_assertion_provider::initFromBuffer(const gss_eap_attr_ctx *ctx,
295 const gss_buffer_t buffer)
297 if (!gss_eap_attr_provider::initFromBuffer(ctx, buffer))
300 if (buffer->length == 0)
303 assert(m_assertion == NULL);
305 setAssertion(buffer);
306 /* TODO XXX how to propagate authenticated flag? */
312 gss_eap_saml_assertion_provider::init(void)
314 gss_eap_attr_ctx::registerProvider(ATTR_TYPE_SAML_ASSERTION,
315 "urn:ietf:params:gss-eap:saml-aaa-assertion",
316 gss_eap_saml_assertion_provider::createAttrContext);
321 gss_eap_saml_assertion_provider::finalize(void)
323 gss_eap_attr_ctx::unregisterProvider(ATTR_TYPE_SAML_ASSERTION);
326 gss_eap_attr_provider *
327 gss_eap_saml_assertion_provider::createAttrContext(void)
329 return new gss_eap_saml_assertion_provider;
333 * gss_eap_saml_attr_provider is for retrieving the underlying attributes.
336 gss_eap_saml_attr_provider::getAssertion(int *authenticated,
337 const saml2::Assertion **pAssertion) const
339 const gss_eap_saml_assertion_provider *saml;
341 if (authenticated != NULL)
342 *authenticated = false;
343 if (pAssertion != NULL)
346 saml = static_cast<const gss_eap_saml_assertion_provider *>
347 (m_manager->getProvider(ATTR_TYPE_SAML_ASSERTION));
351 if (authenticated != NULL)
352 *authenticated = saml->authenticated();
353 if (pAssertion != NULL)
354 *pAssertion = saml->getAssertion();
356 return (saml->getAssertion() != NULL);
360 gss_eap_saml_attr_provider::getAttributeTypes(gss_eap_attr_enumeration_cb addAttribute,
363 const saml2::Assertion *assertion;
367 if (!getAssertion(&authenticated, &assertion))
371 * Note: the first prefix is added by the attribute provider manager
373 * From draft-hartman-gss-eap-naming-00:
375 * Each attribute carried in the assertion SHOULD also be a GSS name
376 * attribute. The name of this attribute has three parts, all separated
377 * by an ASCII space character. The first part is
378 * urn:ietf:params:gss-eap:saml-attr. The second part is the URI for
379 * the SAML attribute name format. The final part is the name of the
380 * SAML attribute. If the mechanism performs an additional attribute
381 * query, the retrieved attributes SHOULD be GSS-API name attributes
382 * using the same name syntax.
384 const vector<saml2::Attribute*>& attrs2 =
385 const_cast<const saml2::AttributeStatement*>(assertion->getAttributeStatements().front())->getAttributes();
386 for (vector<saml2::Attribute*>::const_iterator a = attrs2.begin();
390 const XMLCh *attributeName = (*a)->getName();
391 const XMLCh *attributeNameFormat = (*a)->getNameFormat();
392 XMLCh *qualifiedName;
393 XMLCh space[2] = { ' ', 0 };
394 gss_buffer_desc utf8;
396 qualifiedName = new XMLCh[XMLString::stringLen(attributeNameFormat) + 1 +
397 XMLString::stringLen(attributeName) + 1];
398 XMLString::copyString(qualifiedName, attributeNameFormat);
399 XMLString::catString(qualifiedName, space);
400 XMLString::catString(qualifiedName, attributeName);
402 utf8.value = (void *)toUTF8(qualifiedName);
403 utf8.length = strlen((char *)utf8.value);
405 ret = addAttribute(this, &utf8, data);
407 delete qualifiedName;
417 gss_eap_saml_attr_provider::setAttribute(int complete,
418 const gss_buffer_t attr,
419 const gss_buffer_t value)
425 gss_eap_saml_attr_provider::deleteAttribute(const gss_buffer_t value)
430 static BaseRefVectorOf<XMLCh> *
431 decomposeAttributeName(const gss_buffer_t attr)
433 XMLCh *qualifiedAttr = new XMLCh[attr->length + 1];
434 XMLString::transcode((const char *)attr->value, qualifiedAttr, attr->length);
436 BaseRefVectorOf<XMLCh> *components = XMLString::tokenizeString(qualifiedAttr);
438 delete qualifiedAttr;
444 gss_eap_saml_attr_provider::getAttribute(const gss_buffer_t attr,
447 const saml2::Attribute **pAttribute) const
449 const saml2::Assertion *assertion;
451 if (authenticated != NULL)
452 *authenticated = false;
453 if (complete != NULL)
457 if (!getAssertion(authenticated, &assertion) ||
458 assertion->getAttributeStatements().size() == 0)
461 /* Check the attribute name consists of name format | whsp | name */
462 BaseRefVectorOf<XMLCh> *components = decomposeAttributeName(attr);
463 if (components == NULL || components->size() != 2) {
468 /* For each attribute statement, look for an attribute match */
469 const vector <saml2::AttributeStatement *>&statements =
470 assertion->getAttributeStatements();
471 const saml2::Attribute *ret = NULL;
473 for (vector<saml2::AttributeStatement *>::const_iterator s = statements.begin();
474 s != statements.end();
476 const vector<saml2::Attribute*>& attrs =
477 const_cast<const saml2::AttributeStatement*>(*s)->getAttributes();
479 for (vector<saml2::Attribute*>::const_iterator a = attrs.begin(); a != attrs.end(); ++a) {
480 if (XMLString::equals((*a)->getNameFormat(), components->elementAt(0)) &&
481 XMLString::equals((*a)->getName(), components->elementAt(1))) {
495 return (ret != NULL);
499 gss_eap_saml_attr_provider::getAttribute(const gss_buffer_t attr,
503 gss_buffer_t display_value,
506 const saml2::Attribute *a;
507 const saml2::AttributeValue *av;
508 int nvalues, i = *more;
512 if (!getAttribute(attr, authenticated, complete, &a))
515 nvalues = a->getAttributeValues().size();
519 else if (i >= nvalues)
522 av = (const saml2::AttributeValue *)((void *)(a->getAttributeValues().at(i)));
524 av = dynamic_cast<const saml2::AttributeValue *>(a->getAttributeValues().at(i));
528 value->value = toUTF8(av->getTextContent(), true);
529 value->length = strlen((char *)value->value);
531 if (display_value != NULL) {
532 display_value->value = toUTF8(av->getTextContent(), true);
533 display_value->length = strlen((char *)value->value);
544 gss_eap_saml_attr_provider::mapToAny(int authenticated,
545 gss_buffer_t type_id) const
547 return (gss_any_t)NULL;
551 gss_eap_saml_attr_provider::releaseAnyNameMapping(gss_buffer_t type_id,
552 gss_any_t input) const
557 gss_eap_saml_attr_provider::exportToBuffer(gss_buffer_t buffer) const
560 buffer->value = NULL;
564 gss_eap_saml_attr_provider::initFromBuffer(const gss_eap_attr_ctx *ctx,
565 const gss_buffer_t buffer)
567 return gss_eap_attr_provider::initFromBuffer(ctx, buffer);
571 gss_eap_saml_attr_provider::init(void)
573 gss_eap_attr_ctx::registerProvider(ATTR_TYPE_SAML,
574 "urn:ietf:params:gss-eap:saml-attr",
575 gss_eap_saml_attr_provider::createAttrContext);
580 gss_eap_saml_attr_provider::finalize(void)
582 gss_eap_attr_ctx::unregisterProvider(ATTR_TYPE_SAML);
585 gss_eap_attr_provider *
586 gss_eap_saml_attr_provider::createAttrContext(void)
588 return new gss_eap_saml_attr_provider;
592 gssEapSamlAttrProvidersInit(OM_uint32 *minor)
594 if (!gss_eap_saml_assertion_provider::init() ||
595 !gss_eap_saml_attr_provider::init()) {
596 *minor = GSSEAP_SAML_INIT_FAILURE;
597 return GSS_S_FAILURE;
600 return GSS_S_COMPLETE;
604 gssEapSamlAttrProvidersFinalize(OM_uint32 *minor)
606 gss_eap_saml_attr_provider::finalize();
607 gss_eap_saml_assertion_provider::finalize();
608 return GSS_S_COMPLETE;