2 * Copyright (c) 2010, JANET(UK)
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
9 * 1. Redistributions of source code must retain the above copyright
10 * notice, this list of conditions and the following disclaimer.
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in the
14 * documentation and/or other materials provided with the distribution.
16 * 3. Neither the name of JANET(UK) nor the names of its contributors
17 * may be used to endorse or promote products derived from this software
18 * without specific prior written permission.
20 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
21 * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
22 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
23 * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
24 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
25 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
26 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
27 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
28 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
29 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
33 #include "gssapiP_eap.h"
37 #include <xercesc/util/XMLUniDefs.hpp>
38 #include <xmltooling/XMLToolingConfig.h>
39 #include <xmltooling/util/XMLHelper.h>
41 #include <saml/saml1/core/Assertions.h>
42 #include <saml/saml2/core/Assertions.h>
43 #include <saml/saml2/metadata/Metadata.h>
45 using namespace xmltooling;
46 using namespace opensaml::saml2md;
47 using namespace opensaml;
48 using namespace xercesc;
52 * gss_eap_saml_assertion_provider is for retrieving the underlying
56 gss_eap_saml_assertion_provider::initFromExistingContext(const gss_eap_attr_ctx *manager,
57 const gss_eap_attr_provider *ctx)
59 /* Then we may be creating from an existing attribute context */
60 const gss_eap_saml_assertion_provider *saml;
62 assert(m_assertion == NULL);
64 if (!gss_eap_attr_provider::initFromExistingContext(manager, ctx))
67 saml = static_cast<const gss_eap_saml_assertion_provider *>(ctx);
68 setAssertion(saml->getAssertion(), saml->authenticated());
74 gss_eap_saml_assertion_provider::initFromGssContext(const gss_eap_attr_ctx *manager,
75 const gss_cred_id_t gssCred,
76 const gss_ctx_id_t gssCtx)
78 const gss_eap_radius_attr_provider *radius;
79 gss_buffer_desc value = GSS_C_EMPTY_BUFFER;
80 int authenticated, complete, more = -1;
83 assert(m_assertion == NULL);
85 if (!gss_eap_attr_provider::initFromGssContext(manager, gssCred, gssCtx))
88 radius = static_cast<const gss_eap_radius_attr_provider *>
89 (m_manager->getProvider(ATTR_TYPE_RADIUS));
91 radius->getAttribute(512 /* XXX */, &authenticated, &complete,
92 &value, NULL, &more)) {
93 setAssertion(&value, authenticated);
94 gss_release_buffer(&minor, &value);
102 gss_eap_saml_assertion_provider::~gss_eap_saml_assertion_provider(void)
108 gss_eap_saml_assertion_provider::setAssertion(const saml2::Assertion *assertion,
114 if (assertion != NULL) {
115 m_assertion = dynamic_cast<saml2::Assertion *>(assertion->clone());
116 m_authenticated = authenticated;
119 m_authenticated = false;
124 gss_eap_saml_assertion_provider::setAssertion(const gss_buffer_t buffer,
129 m_assertion = parseAssertion(buffer);
130 m_authenticated = (m_assertion != NULL && authenticated);
134 gss_eap_saml_assertion_provider::parseAssertion(const gss_buffer_t buffer)
136 string str((char *)buffer->value, buffer->length);
137 istringstream istream(str);
139 const XMLObjectBuilder *b;
141 doc = XMLToolingConfig::getConfig().getParser().parse(istream);
142 b = XMLObjectBuilder::getBuilder(doc->getDocumentElement());
144 return dynamic_cast<saml2::Assertion *>(b->buildFromDocument(doc));
148 gss_eap_saml_assertion_provider::getAttributeTypes(gss_eap_attr_enumeration_cb addAttribute,
151 /* just add the prefix */
152 return addAttribute(this, GSS_C_NO_BUFFER, data);
156 gss_eap_saml_assertion_provider::setAttribute(int complete,
157 const gss_buffer_t attr,
158 const gss_buffer_t value)
160 if (attr == GSS_C_NO_BUFFER || attr->length == 0) {
166 gss_eap_saml_assertion_provider::deleteAttribute(const gss_buffer_t value)
170 m_authenticated = false;
174 gss_eap_saml_assertion_provider::getAttribute(const gss_buffer_t attr,
178 gss_buffer_t display_value,
183 if (attr != GSS_C_NO_BUFFER || attr->length != 0)
186 if (m_assertion == NULL)
192 *authenticated = m_authenticated;
195 XMLHelper::serialize(m_assertion->marshall((DOMDocument *)NULL), str);
197 duplicateBuffer(str, value);
204 gss_eap_saml_assertion_provider::mapToAny(int authenticated,
205 gss_buffer_t type_id) const
207 return (gss_any_t)m_assertion;
211 gss_eap_saml_assertion_provider::releaseAnyNameMapping(gss_buffer_t type_id,
212 gss_any_t input) const
214 delete ((saml2::Assertion *)input);
218 gss_eap_saml_assertion_provider::exportToBuffer(gss_buffer_t buffer) const
224 buffer->value = NULL;
226 if (m_assertion == NULL)
229 sink << *m_assertion;
232 duplicateBuffer(str, buffer);
236 gss_eap_saml_assertion_provider::initFromBuffer(const gss_eap_attr_ctx *ctx,
237 const gss_buffer_t buffer)
239 if (!gss_eap_attr_provider::initFromBuffer(ctx, buffer))
242 if (buffer->length == 0)
245 assert(m_assertion == NULL);
247 setAssertion(buffer);
248 /* TODO XXX how to propagate authenticated flag? */
254 gss_eap_saml_assertion_provider::init(void)
256 gss_eap_attr_ctx::registerProvider(ATTR_TYPE_SAML_ASSERTION,
257 "urn:ietf:params:gss-eap:saml-aaa-assertion",
258 gss_eap_saml_assertion_provider::createAttrContext);
263 gss_eap_saml_assertion_provider::finalize(void)
265 gss_eap_attr_ctx::unregisterProvider(ATTR_TYPE_SAML_ASSERTION);
268 gss_eap_attr_provider *
269 gss_eap_saml_assertion_provider::createAttrContext(void)
271 return new gss_eap_saml_assertion_provider;
275 * gss_eap_saml_attr_provider is for retrieving the underlying attributes.
278 gss_eap_saml_attr_provider::getAssertion(int *authenticated,
279 const saml2::Assertion **pAssertion) const
281 const gss_eap_saml_assertion_provider *saml;
283 *authenticated = false;
286 saml = static_cast<const gss_eap_saml_assertion_provider *>
287 (m_manager->getProvider(ATTR_TYPE_SAML_ASSERTION));
291 *authenticated = saml->authenticated();
292 *pAssertion = saml->getAssertion();
294 return (*pAssertion != NULL);
297 gss_eap_saml_attr_provider::~gss_eap_saml_attr_provider(void)
299 /* Nothing to do, we're just a wrapper around the assertion provider. */
303 gss_eap_saml_attr_provider::getAttributeTypes(gss_eap_attr_enumeration_cb addAttribute,
306 const saml2::Assertion *assertion;
310 if (!getAssertion(&authenticated, &assertion))
314 * Note: the first prefix is added by the attribute provider manager
316 * From draft-hartman-gss-eap-naming-00:
318 * Each attribute carried in the assertion SHOULD also be a GSS name
319 * attribute. The name of this attribute has three parts, all separated
320 * by an ASCII space character. The first part is
321 * urn:ietf:params:gss-eap:saml-attr. The second part is the URI for
322 * the SAML attribute name format. The final part is the name of the
323 * SAML attribute. If the mechanism performs an additional attribute
324 * query, the retrieved attributes SHOULD be GSS-API name attributes
325 * using the same name syntax.
327 const vector<saml2::Attribute*>& attrs2 =
328 const_cast<const saml2::AttributeStatement*>(assertion->getAttributeStatements().front())->getAttributes();
329 for (vector<saml2::Attribute*>::const_iterator a = attrs2.begin();
333 const XMLCh *attributeName = (*a)->getName();
334 const XMLCh *attributeNameFormat = (*a)->getNameFormat();
335 XMLCh *qualifiedName;
336 XMLCh space[2] = { ' ', 0 };
337 gss_buffer_desc utf8;
339 qualifiedName = new XMLCh[XMLString::stringLen(attributeName) + 1 +
340 XMLString::stringLen(attributeNameFormat) + 1];
341 XMLString::copyString(qualifiedName, attributeName);
342 XMLString::catString(qualifiedName, space);
343 XMLString::catString(qualifiedName, attributeNameFormat);
345 utf8.value = (void *)toUTF8(qualifiedName);
346 utf8.length = strlen((char *)utf8.value);
348 ret = addAttribute(this, &utf8, data);
350 delete qualifiedName;
351 delete qualifiedName;
361 gss_eap_saml_attr_provider::setAttribute(int complete,
362 const gss_buffer_t attr,
363 const gss_buffer_t value)
368 gss_eap_saml_attr_provider::deleteAttribute(const gss_buffer_t value)
372 static BaseRefVectorOf<XMLCh> *
373 decomposeAttributeName(const gss_buffer_t attr)
375 XMLCh *qualifiedAttr = new XMLCh[attr->length + 1];
376 XMLString::transcode((const char *)attr->value, qualifiedAttr, attr->length);
378 BaseRefVectorOf<XMLCh> *components = XMLString::tokenizeString(qualifiedAttr);
380 delete qualifiedAttr;
386 gss_eap_saml_attr_provider::getAttribute(const gss_buffer_t attr,
389 const saml2::Attribute **pAttribute) const
391 const saml2::Assertion *assertion;
393 *authenticated = false;
397 if (!getAssertion(authenticated, &assertion) ||
398 assertion->getAttributeStatements().size() == 0)
401 /* Check the attribute name consists of name format | whsp | name */
402 BaseRefVectorOf<XMLCh> *components = decomposeAttributeName(attr);
403 if (components == NULL || components->size() != 2) {
408 /* For each attribute statement, look for an attribute match */
409 const vector <saml2::AttributeStatement *>&statements =
410 assertion->getAttributeStatements();
411 const saml2::Attribute *ret = NULL;
413 for (vector<saml2::AttributeStatement *>::const_iterator s = statements.begin();
414 s != statements.end();
416 const vector<saml2::Attribute*>& attrs =
417 const_cast<const saml2::AttributeStatement*>(*s)->getAttributes();
419 for (vector<saml2::Attribute*>::const_iterator a = attrs.begin(); a != attrs.end(); ++a) {
420 if (XMLString::equals((*a)->getNameFormat(), components->elementAt(0)) &&
421 XMLString::equals((*a)->getName(), components->elementAt(1))) {
435 return (ret != NULL);
439 gss_eap_saml_attr_provider::getAttribute(const gss_buffer_t attr,
443 gss_buffer_t display_value,
446 const saml2::Attribute *a;
447 const saml2::AttributeValue *av;
448 int nvalues, i = *more;
452 if (!getAttribute(attr, authenticated, complete, &a))
455 nvalues = a->getAttributeValues().size();
459 else if (i >= nvalues)
461 av = dynamic_cast<const saml2::AttributeValue *>(a->getAttributeValues().at(i)
464 value->value = toUTF8(av->getTextContent(), true);
465 value->length = strlen((char *)value->value);
467 if (display_value != NULL)
468 duplicateBuffer(*value, display_value);
478 gss_eap_saml_attr_provider::mapToAny(int authenticated,
479 gss_buffer_t type_id) const
481 return (gss_any_t)NULL;
485 gss_eap_saml_attr_provider::releaseAnyNameMapping(gss_buffer_t type_id,
486 gss_any_t input) const
491 gss_eap_saml_attr_provider::exportToBuffer(gss_buffer_t buffer) const
494 buffer->value = NULL;
498 gss_eap_saml_attr_provider::initFromBuffer(const gss_eap_attr_ctx *ctx,
499 const gss_buffer_t buffer)
501 return gss_eap_attr_provider::initFromBuffer(ctx, buffer);
505 gss_eap_saml_attr_provider::init(void)
507 gss_eap_attr_ctx::registerProvider(ATTR_TYPE_SAML,
508 "urn:ietf:params:gss-eap:saml-attr",
509 gss_eap_saml_attr_provider::createAttrContext);
514 gss_eap_saml_attr_provider::finalize(void)
516 gss_eap_attr_ctx::unregisterProvider(ATTR_TYPE_SAML);
519 gss_eap_attr_provider *
520 gss_eap_saml_attr_provider::createAttrContext(void)
522 return new gss_eap_saml_attr_provider;