/*
- * Copyright (c) 2010, JANET(UK)
+ * Copyright (c) 2011, JANET(UK)
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
+
/*
- * Copyright 2001-2009 Internet2
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
+ * SAML attribute provider implementation.
*/
#include "gssapiP_eap.h"
-#include <shibsp/Application.h>
-#include <shibsp/exceptions.h>
-#include <shibsp/SPConfig.h>
-#include <shibsp/ServiceProvider.h>
-#include <shibsp/attribute/Attribute.h>
-#include <shibsp/attribute/SimpleAttribute.h>
-#include <shibsp/attribute/resolver/ResolutionContext.h>
-#include <shibsp/handler/AssertionConsumerService.h>
-#include <shibsp/metadata/MetadataProviderCriteria.h>
-#include <shibsp/util/SPConstants.h>
+#include <sstream>
-#include <saml/saml1/core/Assertions.h>
-#include <saml/saml2/core/Assertions.h>
-#include <saml/saml2/metadata/Metadata.h>
#include <xercesc/util/XMLUniDefs.hpp>
+#include <xmltooling/unicode.h>
#include <xmltooling/XMLToolingConfig.h>
#include <xmltooling/util/XMLHelper.h>
+#include <xmltooling/util/ParserPool.h>
+#include <xmltooling/util/DateTime.h>
-#include "resolver.h"
+#include <saml/exceptions.h>
+#include <saml/saml1/core/Assertions.h>
+#include <saml/saml2/core/Assertions.h>
+#include <saml/saml2/metadata/Metadata.h>
+#include <saml/saml2/metadata/MetadataProvider.h>
-using namespace shibsp;
-using namespace shibresolver;
+using namespace xmltooling;
using namespace opensaml::saml2md;
using namespace opensaml;
-using namespace xmltooling::logging;
-using namespace xmltooling;
using namespace xercesc;
using namespace std;
-static vector <Attribute *>
-duplicateAttributes(const vector <Attribute *>src);
-
/*
- * Class representing the SAML compoments of a EAP GSS name.
+ * gss_eap_saml_assertion_provider is for retrieving the underlying
+ * assertion.
*/
-struct gss_eap_saml_attr_ctx
+gss_eap_saml_assertion_provider::gss_eap_saml_assertion_provider(void)
{
-public:
- gss_eap_saml_attr_ctx(void) {}
-
- gss_eap_saml_attr_ctx(const vector<Attribute*>& attributes,
- const saml2::Assertion *assertion = NULL) {
- if (assertion != NULL)
- setAssertion(assertion);
- if (attributes.size())
- setAttributes(duplicateAttributes(attributes));
- }
+ m_assertion = NULL;
+ m_authenticated = false;
+}
- gss_eap_saml_attr_ctx(const gss_eap_saml_attr_ctx &ctx) {
- gss_eap_saml_attr_ctx(ctx.m_attributes, ctx.m_assertion);
- }
+gss_eap_saml_assertion_provider::~gss_eap_saml_assertion_provider(void)
+{
+ delete m_assertion;
+}
- ~gss_eap_saml_attr_ctx() {
- for_each(m_attributes.begin(),
- m_attributes.end(),
- xmltooling::cleanup<Attribute>())
- ;
- delete m_assertion;
- }
+bool
+gss_eap_saml_assertion_provider::initFromExistingContext(const gss_eap_attr_ctx *manager,
+ const gss_eap_attr_provider *ctx)
+{
+ /* Then we may be creating from an existing attribute context */
+ const gss_eap_saml_assertion_provider *saml;
- const vector <Attribute *> getAttributes(void) const {
- return m_attributes;
- }
+ assert(m_assertion == NULL);
- void addAttribute(Attribute *attr, bool copy = true);
- void setAttributes(const vector<Attribute*> attributes);
+ if (!gss_eap_attr_provider::initFromExistingContext(manager, ctx))
+ return false;
- void setAttribute(int complete,
- const gss_buffer_t attr,
- const gss_buffer_t value);
- void deleteAttribute(const gss_buffer_t attr);
+ saml = static_cast<const gss_eap_saml_assertion_provider *>(ctx);
+ setAssertion(saml->getAssertion(), saml->authenticated());
- int getAttributeIndex(const gss_buffer_t attr) const;
- const Attribute *getAttribute(const gss_buffer_t attr) const;
+ return true;
+}
- bool getAttribute(const gss_buffer_t attr,
- int *authenticated,
- int *complete,
- gss_buffer_t value,
- gss_buffer_t display_value,
- int *more);
+bool
+gss_eap_saml_assertion_provider::initFromGssContext(const gss_eap_attr_ctx *manager,
+ const gss_cred_id_t gssCred,
+ const gss_ctx_id_t gssCtx)
+{
+ const gss_eap_radius_attr_provider *radius;
+ gss_buffer_desc value = GSS_C_EMPTY_BUFFER;
+ int authenticated, complete;
+ OM_uint32 minor;
- const saml2::Assertion *getAssertion(void) const {
- return m_assertion;
- }
+ assert(m_assertion == NULL);
- void setAssertion(const saml2::Assertion *assertion) {
- delete m_assertion;
- if (assertion != NULL)
- m_assertion = dynamic_cast<saml2::Assertion *>(assertion->clone());
- else
- m_assertion = NULL;
- }
+ if (!gss_eap_attr_provider::initFromGssContext(manager, gssCred, gssCtx))
+ return false;
- void setAssertion(const gss_buffer_t buffer) {
- delete m_assertion;
- m_assertion = parseAssertion(buffer);
+ /*
+ * XXX TODO we need to support draft-howlett-radius-saml-attr-00
+ */
+ radius = static_cast<const gss_eap_radius_attr_provider *>
+ (m_manager->getProvider(ATTR_TYPE_RADIUS));
+ if (radius != NULL &&
+ radius->getFragmentedAttribute(PW_SAML_AAA_ASSERTION,
+ VENDORPEC_UKERNA,
+ &authenticated, &complete, &value)) {
+ setAssertion(&value, authenticated);
+ gss_release_buffer(&minor, &value);
+ } else {
+ m_assertion = NULL;
}
- bool getAssertion(gss_buffer_t buffer);
-
- DDF marshall() const;
- static gss_eap_saml_attr_ctx *unmarshall(DDF &in);
+ return true;
+}
- void marshall(gss_buffer_t buffer);
- static gss_eap_saml_attr_ctx *unmarshall(const gss_buffer_t buffer);
+void
+gss_eap_saml_assertion_provider::setAssertion(const saml2::Assertion *assertion,
+ bool authenticated)
+{
-private:
- mutable vector<Attribute*> m_attributes;
- mutable saml2::Assertion *m_assertion;
+ delete m_assertion;
- static saml2::Assertion *parseAssertion(const gss_buffer_t buffer);
-};
+ if (assertion != NULL) {
+#ifdef __APPLE__
+ m_assertion = (saml2::Assertion *)((void *)assertion->clone());
+#else
+ m_assertion = dynamic_cast<saml2::Assertion *>(assertion->clone());
+#endif
+ m_authenticated = authenticated;
+ } else {
+ m_assertion = NULL;
+ m_authenticated = false;
+ }
+}
-/*
- * Map an exception to a GSS major/mechanism status code.
- * TODO
- */
-static OM_uint32
-mapException(OM_uint32 *minor, exception &e)
+void
+gss_eap_saml_assertion_provider::setAssertion(const gss_buffer_t buffer,
+ bool authenticated)
{
- *minor = 0;
- return GSS_S_FAILURE;
+ delete m_assertion;
+
+ m_assertion = parseAssertion(buffer);
+ m_authenticated = (m_assertion != NULL && authenticated);
}
-/*
- * Parse a GSS buffer into a SAML v2 assertion.
- */
saml2::Assertion *
-gss_eap_saml_attr_ctx::parseAssertion(const gss_buffer_t buffer)
+gss_eap_saml_assertion_provider::parseAssertion(const gss_buffer_t buffer)
{
- DOMDocument *doc;
- const XMLObjectBuilder *b;
- DOMElement *elem;
- XMLObject *xobj;
string str((char *)buffer->value, buffer->length);
istringstream istream(str);
+ DOMDocument *doc;
+ const XMLObjectBuilder *b;
- doc = XMLToolingConfig::getConfig().getParser().parse(istream);
- b = XMLObjectBuilder::getDefaultBuilder();
- elem = doc->getDocumentElement();
- xobj = b->buildOneFromElement(elem, true);
-
- return dynamic_cast<saml2::Assertion *>(xobj);
-}
+ try {
+ doc = XMLToolingConfig::getConfig().getParser().parse(istream);
+ if (doc == NULL)
+ return NULL;
-static inline void
-duplicateBuffer(gss_buffer_desc &src, gss_buffer_t dst)
-{
- OM_uint32 minor;
+ b = XMLObjectBuilder::getBuilder(doc->getDocumentElement());
- if (GSS_ERROR(duplicateBuffer(&minor, &src, dst)))
- throw new bad_alloc();
+#ifdef __APPLE__
+ return (saml2::Assertion *)((void *)b->buildFromDocument(doc));
+#else
+ return dynamic_cast<saml2::Assertion *>(b->buildFromDocument(doc));
+#endif
+ } catch (exception &e) {
+ return NULL;
+ }
}
-static inline void
-duplicateBuffer(string &str, gss_buffer_t buffer)
+bool
+gss_eap_saml_assertion_provider::getAttributeTypes(gss_eap_attr_enumeration_cb addAttribute,
+ void *data) const
{
- gss_buffer_desc tmp;
+ bool ret;
- tmp.length = str.length();
- tmp.value = (char *)str.c_str();
+ /* just add the prefix */
+ if (m_assertion != NULL)
+ ret = addAttribute(this, GSS_C_NO_BUFFER, data);
+ else
+ ret = true;
- duplicateBuffer(tmp, buffer);
+ return ret;
}
-/*
- * Marshall SAML attribute context into a form suitable for
- * exported names.
- */
-DDF
-gss_eap_saml_attr_ctx::marshall() const
+bool
+gss_eap_saml_assertion_provider::setAttribute(int complete GSSEAP_UNUSED,
+ const gss_buffer_t attr,
+ const gss_buffer_t value)
{
- DDF obj(NULL);
- DDF attrs;
- DDF assertion;
-
- obj.addmember("version").integer(1);
-
- attrs = obj.addmember("attributes").list();
- for (vector<Attribute*>::const_iterator a = m_attributes.begin();
- a != m_attributes.end(); ++a) {
- DDF attr = (*a)->marshall();
- attrs.add(attr);
+ if (attr == GSS_C_NO_BUFFER || attr->length == 0) {
+ setAssertion(value);
+ return true;
}
- ostringstream sink;
- sink << *m_assertion;
- assertion = obj.addmember("assertion").string(sink.str().c_str());
-
- return obj;
+ return false;
}
-/*
- * Unmarshall SAML attribute context from a form suitable for
- * exported names.
- */
-gss_eap_saml_attr_ctx *
-gss_eap_saml_attr_ctx::unmarshall(DDF &obj)
+bool
+gss_eap_saml_assertion_provider::deleteAttribute(const gss_buffer_t value GSSEAP_UNUSED)
{
- gss_eap_saml_attr_ctx *ctx = new gss_eap_saml_attr_ctx();
+ delete m_assertion;
+ m_assertion = NULL;
+ m_authenticated = false;
- DDF version = obj["version"];
- if (version.integer() != 1)
- return NULL;
-
- DDF assertion = obj["assertion"];
- gss_buffer_desc buffer;
-
- if (!assertion.isnull()) {
- buffer.length = assertion.strlen();
- buffer.value = (void *)assertion.string();
- } else {
- buffer.length = 0;
- }
-
- if (buffer.length != 0)
- ctx->parseAssertion(&buffer);
-
- DDF attrs = obj["attributes"];
- DDF attr = attrs.first();
- while (!attr.isnull()) {
- Attribute *attribute = Attribute::unmarshall(attr);
- ctx->addAttribute(attribute, false);
- attr = attrs.next();
- }
-
- return ctx;
+ return true;
}
-void
-gss_eap_saml_attr_ctx::marshall(gss_buffer_t buffer)
+time_t
+gss_eap_saml_assertion_provider::getExpiryTime(void) const
{
- DDF obj = marshall();
- ostringstream sink;
- sink << obj;
- string str = sink.str();
+ saml2::Conditions *conditions;
+ time_t expiryTime = 0;
- duplicateBuffer(str, buffer);
+ if (m_assertion == NULL)
+ return 0;
- obj.destroy();
-}
+ conditions = m_assertion->getConditions();
-gss_eap_saml_attr_ctx *
-gss_eap_saml_attr_ctx::unmarshall(const gss_buffer_t buffer)
-{
- gss_eap_saml_attr_ctx *ctx;
+ if (conditions != NULL && conditions->getNotOnOrAfter() != NULL)
+ expiryTime = conditions->getNotOnOrAfter()->getEpoch();
- string str((const char *)buffer->value, buffer->length);
- istringstream source(str);
- DDF obj(NULL);
- source >> obj;
-
- ctx = unmarshall(obj);
+ return expiryTime;
+}
- obj.destroy();
+OM_uint32
+gss_eap_saml_assertion_provider::mapException(OM_uint32 *minor,
+ std::exception &e) const
+{
+ if (typeid(e) == typeid(SecurityPolicyException))
+ *minor = GSSEAP_SAML_SEC_POLICY_FAILURE;
+ else if (typeid(e) == typeid(BindingException))
+ *minor = GSSEAP_SAML_BINDING_FAILURE;
+ else if (typeid(e) == typeid(ProfileException))
+ *minor = GSSEAP_SAML_PROFILE_FAILURE;
+ else if (typeid(e) == typeid(FatalProfileException))
+ *minor = GSSEAP_SAML_FATAL_PROFILE_FAILURE;
+ else if (typeid(e) == typeid(RetryableProfileException))
+ *minor = GSSEAP_SAML_RETRY_PROFILE_FAILURE;
+ else if (typeid(e) == typeid(MetadataException))
+ *minor = GSSEAP_SAML_METADATA_FAILURE;
+ else
+ return GSS_S_CONTINUE_NEEDED;
- return ctx;
+ return GSS_S_FAILURE;
}
-/*
- * Return the serialised assertion.
- */
bool
-gss_eap_saml_attr_ctx::getAssertion(gss_buffer_t buffer)
+gss_eap_saml_assertion_provider::getAttribute(const gss_buffer_t attr,
+ int *authenticated,
+ int *complete,
+ gss_buffer_t value,
+ gss_buffer_t display_value GSSEAP_UNUSED,
+ int *more) const
{
string str;
+ if (attr != GSS_C_NO_BUFFER && attr->length != 0)
+ return false;
+
if (m_assertion == NULL)
return false;
- buffer->value = NULL;
- buffer->length = 0;
+ if (*more != -1)
+ return false;
+
+ if (authenticated != NULL)
+ *authenticated = m_authenticated;
+ if (complete != NULL)
+ *complete = true;
XMLHelper::serialize(m_assertion->marshall((DOMDocument *)NULL), str);
- duplicateBuffer(str, buffer);
+ duplicateBuffer(str, value);
+ *more = 0;
return true;
}
-static Attribute *
-duplicateAttribute(const Attribute *src)
+gss_any_t
+gss_eap_saml_assertion_provider::mapToAny(int authenticated,
+ gss_buffer_t type_id GSSEAP_UNUSED) const
{
- Attribute *attribute;
-
- DDF obj = src->marshall();
- attribute = Attribute::unmarshall(obj);
- obj.destroy();
+ if (authenticated && !m_authenticated)
+ return (gss_any_t)NULL;
- return attribute;
-}
-
-static vector <Attribute *>
-duplicateAttributes(const vector <Attribute *>src)
-{
- vector <Attribute *> dst;
-
- for (vector<Attribute *>::const_iterator a = src.begin();
- a != src.end();
- ++a)
- dst.push_back(duplicateAttribute(*a));
-
- return dst;
+ return (gss_any_t)m_assertion;
}
void
-gss_eap_saml_attr_ctx::addAttribute(Attribute *attribute, bool copy)
+gss_eap_saml_assertion_provider::releaseAnyNameMapping(gss_buffer_t type_id GSSEAP_UNUSED,
+ gss_any_t input) const
{
- Attribute *a;
-
- a = copy ? duplicateAttribute(attribute) : attribute;
-
- m_attributes.push_back(a);
+ delete ((saml2::Assertion *)input);
}
void
-gss_eap_saml_attr_ctx::setAttributes(const vector<Attribute*> attributes)
+gss_eap_saml_assertion_provider::exportToBuffer(gss_buffer_t buffer) const
{
- for_each(m_attributes.begin(), m_attributes.end(), xmltooling::cleanup<Attribute>());
- m_attributes = attributes;
-}
-
-int
-gss_eap_saml_attr_ctx::getAttributeIndex(const gss_buffer_t attr) const
-{
- int i = 0;
-
- for (vector<Attribute *>::const_iterator a = getAttributes().begin();
- a != getAttributes().end();
- ++a)
- {
- for (vector<string>::const_iterator s = (*a)->getAliases().begin();
- s != (*a)->getAliases().end();
- ++s) {
- if (attr->length == (*s).length() &&
- memcmp((*s).c_str(), attr->value, attr->length) == 0) {
- return i;
- }
- }
- }
+ ostringstream sink;
+ string str;
- return -1;
-}
+ buffer->length = 0;
+ buffer->value = NULL;
-const Attribute *
-gss_eap_saml_attr_ctx::getAttribute(const gss_buffer_t attr) const
-{
- const Attribute *ret = NULL;
+ if (m_assertion == NULL)
+ return;
- for (vector<Attribute *>::const_iterator a = getAttributes().begin();
- a != getAttributes().end();
- ++a)
- {
- for (vector<string>::const_iterator s = (*a)->getAliases().begin();
- s != (*a)->getAliases().end();
- ++s) {
- if (attr->length == (*s).length() &&
- memcmp((*s).c_str(), attr->value, attr->length) == 0) {
- ret = *a;
- break;
- }
- }
- if (ret != NULL)
- break;
- }
+ sink << *m_assertion;
+ str = sink.str();
- return ret;
+ duplicateBuffer(str, buffer);
}
bool
-gss_eap_saml_attr_ctx::getAttribute(const gss_buffer_t attr,
- int *authenticated,
- int *complete,
- gss_buffer_t value,
- gss_buffer_t display_value,
- int *more)
-{
- const Attribute *shibAttr = NULL;
- gss_buffer_desc buf;
-
- shibAttr = getAttribute(attr);
- if (shibAttr == NULL)
+gss_eap_saml_assertion_provider::initFromBuffer(const gss_eap_attr_ctx *ctx,
+ const gss_buffer_t buffer)
+{
+ if (!gss_eap_attr_provider::initFromBuffer(ctx, buffer))
return false;
- if (*more == -1) {
- *more = 0;
- } else if (*more >= (int)shibAttr->valueCount()) {
- *more = 0;
+ if (buffer->length == 0)
return true;
- }
- buf.value = (void *)shibAttr->getString(*more);
- buf.length = strlen((char *)buf.value);
+ assert(m_assertion == NULL);
- duplicateBuffer(buf, value);
-
- *authenticated = TRUE;
- *complete = FALSE;
+ setAssertion(buffer);
+ /* TODO XXX how to propagate authenticated flag? */
return true;
}
-static Attribute *
-samlAttributeFromGssBuffers(const gss_buffer_t attr,
- const gss_buffer_t value)
+bool
+gss_eap_saml_assertion_provider::init(void)
{
- string attrStr((char *)attr->value, attr->length);
- vector <string> ids(1);
- SimpleAttribute *a;
-
- ids.push_back(attrStr);
-
- a = new SimpleAttribute(ids);
-
- if (value->length != 0) {
- string valStr((char *)value->value, value->length);
-
- a->getValues().push_back(valStr);
- }
-
- return a;
+ gss_eap_attr_ctx::registerProvider(ATTR_TYPE_SAML_ASSERTION,
+ "urn:ietf:params:gss-eap:saml-aaa-assertion",
+ createAttrContext);
+ return true;
}
void
-gss_eap_saml_attr_ctx::setAttribute(int complete,
- const gss_buffer_t attr,
- const gss_buffer_t value)
+gss_eap_saml_assertion_provider::finalize(void)
{
- Attribute *a = samlAttributeFromGssBuffers(attr, value);
-
- addAttribute(a, false);
+ gss_eap_attr_ctx::unregisterProvider(ATTR_TYPE_SAML_ASSERTION);
}
-void
-gss_eap_saml_attr_ctx::deleteAttribute(const gss_buffer_t attr)
+gss_eap_attr_provider *
+gss_eap_saml_assertion_provider::createAttrContext(void)
{
- int i;
-
- i = getAttributeIndex(attr);
- if (i >= 0)
- m_attributes.erase(m_attributes.begin() + i);
+ return new gss_eap_saml_assertion_provider;
}
-OM_uint32
-samlReleaseAttrContext(OM_uint32 *minor, gss_name_t name)
+saml2::Assertion *
+gss_eap_saml_assertion_provider::initAssertion(void)
{
- try {
- delete name->samlCtx;
- name->samlCtx = NULL;
- } catch (exception &e) {
- return mapException(minor, e);
- }
+ delete m_assertion;
+ m_assertion = saml2::AssertionBuilder::buildAssertion();
+ m_authenticated = false;
- return GSS_S_COMPLETE;
+ return m_assertion;
}
-static gss_buffer_desc
-gssEapRadiusAssertionAttr = { 3, (void *)"128" }; /* TODO */
-
-class gss_eap_saml_attr_args {
-public:
- vector <Attribute *> attrs;
- ShibbolethResolver *resolver;
-};
-
/*
- * Callback to add a RADIUS attribute as input to the resolver.
+ * gss_eap_saml_attr_provider is for retrieving the underlying attributes.
*/
-static OM_uint32
-samlAddRadiusAttribute(OM_uint32 *minor,
- gss_name_t name,
- gss_buffer_t attr,
- void *data)
-{
- OM_uint32 major;
- gss_eap_saml_attr_args *args = (gss_eap_saml_attr_args *)data;
- Attribute *a;
- int authenticated, complete, more = -1;
- gss_buffer_desc value;
-
- /* Put attributes to skip here (or in a table somewhere) */
- if (bufferEqual(attr, &gssEapRadiusAssertionAttr)) {
- return GSS_S_COMPLETE;
- }
+bool
+gss_eap_saml_attr_provider::getAssertion(int *authenticated,
+ saml2::Assertion **pAssertion,
+ bool createIfAbsent) const
+{
+ gss_eap_saml_assertion_provider *saml;
+
+ if (authenticated != NULL)
+ *authenticated = false;
+ if (pAssertion != NULL)
+ *pAssertion = NULL;
- major = radiusGetAttribute(minor, name, attr,
- &authenticated, &complete,
- &value, GSS_C_NO_BUFFER, &more);
- if (major == GSS_S_COMPLETE) {
- /* XXX TODO prefix */
- a = samlAttributeFromGssBuffers(attr, &value);
- args->attrs.push_back(a);
- args->resolver->addAttribute(a);
+ saml = static_cast<const gss_eap_saml_assertion_provider *>
+ (m_manager->getProvider(ATTR_TYPE_SAML_ASSERTION));
+ if (saml == NULL)
+ return false;
+
+ if (authenticated != NULL)
+ *authenticated = saml->authenticated();
+ if (pAssertion != NULL)
+ *pAssertion = saml->getAssertion();
+
+ if (saml->getAssertion() == NULL) {
+ if (createIfAbsent) {
+ if (authenticated != NULL)
+ *authenticated = false;
+ if (pAssertion != NULL)
+ *pAssertion = saml->initAssertion();
+ } else
+ return false;
}
- return GSS_S_COMPLETE;
+ return true;
}
-/*
- * Add attributes retrieved via RADIUS.
- */
-static OM_uint32
-samlAddRadiusAttributes(OM_uint32 *minor,
- gss_name_t name,
- gss_eap_saml_attr_args *args)
+bool
+gss_eap_saml_attr_provider::getAttributeTypes(gss_eap_attr_enumeration_cb addAttribute,
+ void *data) const
{
- return radiusGetAttributeTypes(minor,
- name,
- samlAddRadiusAttribute,
- (void *)args);
+ saml2::Assertion *assertion;
+ int authenticated;
+
+ if (!getAssertion(&authenticated, &assertion))
+ return true;
+
+ /*
+ * Note: the first prefix is added by the attribute provider manager
+ *
+ * From draft-hartman-gss-eap-naming-00:
+ *
+ * Each attribute carried in the assertion SHOULD also be a GSS name
+ * attribute. The name of this attribute has three parts, all separated
+ * by an ASCII space character. The first part is
+ * urn:ietf:params:gss-eap:saml-attr. The second part is the URI for
+ * the SAML attribute name format. The final part is the name of the
+ * SAML attribute. If the mechanism performs an additional attribute
+ * query, the retrieved attributes SHOULD be GSS-API name attributes
+ * using the same name syntax.
+ */
+ /* For each attribute statement, look for an attribute match */
+ const vector <saml2::AttributeStatement *> &statements =
+ const_cast<const saml2::Assertion *>(assertion)->getAttributeStatements();
+
+ for (vector<saml2::AttributeStatement *>::const_iterator s = statements.begin();
+ s != statements.end();
+ ++s) {
+ const vector<saml2::Attribute*> &attrs =
+ const_cast<const saml2::AttributeStatement*>(*s)->getAttributes();
+
+ for (vector<saml2::Attribute*>::const_iterator a = attrs.begin(); a != attrs.end(); ++a) {
+ const XMLCh *attributeName = (*a)->getName();
+ const XMLCh *attributeNameFormat = (*a)->getNameFormat();
+ XMLCh *qualifiedName;
+ XMLCh space[2] = { ' ', 0 };
+ gss_buffer_desc utf8;
+ bool ret;
+
+ qualifiedName = new XMLCh[XMLString::stringLen(attributeNameFormat) + 1 +
+ XMLString::stringLen(attributeName) + 1];
+ XMLString::copyString(qualifiedName, attributeNameFormat);
+ XMLString::catString(qualifiedName, space);
+ XMLString::catString(qualifiedName, attributeName);
+
+ utf8.value = (void *)toUTF8(qualifiedName);
+ utf8.length = strlen((char *)utf8.value);
+
+ ret = addAttribute(this, &utf8, data);
+
+ delete qualifiedName;
+
+ if (!ret)
+ return ret;
+ }
+ }
+
+ return true;
}
-/*
- * Add assertion retrieved via RADIUS.
- */
-static OM_uint32
-samlAddRadiusAssertion(OM_uint32 *minor,
- gss_name_t name,
- gss_eap_saml_attr_ctx *ctx)
+static BaseRefVectorOf<XMLCh> *
+decomposeAttributeName(const gss_buffer_t attr)
{
- OM_uint32 major;
- int authenticated, complete, more = -1;
- gss_buffer_desc value;
-
- value.value = NULL;
- value.length = 0;
+ XMLCh *qualifiedAttr = new XMLCh[attr->length + 1];
+ XMLString::transcode((const char *)attr->value, qualifiedAttr, attr->length);
- major = radiusGetAttribute(minor, name, &gssEapRadiusAssertionAttr,
- &authenticated, &complete,
- &value, GSS_C_NO_BUFFER, &more);
- if (GSS_ERROR(major) && major != GSS_S_UNAVAILABLE)
- return major;
+ BaseRefVectorOf<XMLCh> *components = XMLString::tokenizeString(qualifiedAttr);
- ctx->setAssertion(&value);
+ delete qualifiedAttr;
- gss_release_buffer(minor, &value);
+ if (components->size() != 2) {
+ delete components;
+ components = NULL;
+ }
- return GSS_S_COMPLETE;
+ return components;
}
-/*
- * Initialise SAML attribute context in initiator name. RADIUS context
- * must have been previously initialised.
- */
-OM_uint32
-samlCreateAttrContext(OM_uint32 *minor,
- gss_cred_id_t acceptorCred,
- gss_name_t initiatorName,
- time_t *pExpiryTime)
+bool
+gss_eap_saml_attr_provider::setAttribute(int complete GSSEAP_UNUSED,
+ const gss_buffer_t attr,
+ const gss_buffer_t value)
{
- OM_uint32 major, tmpMinor;
- gss_buffer_desc nameBuf;
- gss_eap_saml_attr_ctx *ctx = NULL;
- ShibbolethResolver *resolver = NULL;
- gss_eap_saml_attr_args args;
-
- assert(initiatorName != GSS_C_NO_NAME);
+ saml2::Assertion *assertion;
+ saml2::Attribute *attribute;
+ saml2::AttributeValue *attributeValue;
+ saml2::AttributeStatement *attributeStatement;
- if (initiatorName->radiusCtx == NULL)
- return GSS_S_UNAVAILABLE;
+ if (!getAssertion(NULL, &assertion, true))
+ return false;
- nameBuf.length = 0;
- nameBuf.value = NULL;
+ if (assertion->getAttributeStatements().size() != 0) {
+ attributeStatement = assertion->getAttributeStatements().front();
+ } else {
+ attributeStatement = saml2::AttributeStatementBuilder::buildAttributeStatement();
+ assertion->getAttributeStatements().push_back(attributeStatement);
+ }
- resolver = ShibbolethResolver::create();
- if (resolver == NULL)
- return GSS_S_FAILURE;
+ /* Check the attribute name consists of name format | whsp | name */
+ BaseRefVectorOf<XMLCh> *components = decomposeAttributeName(attr);
+ if (components == NULL)
+ return false;
- args.resolver = resolver;
+ attribute = saml2::AttributeBuilder::buildAttribute();
+ attribute->setNameFormat(components->elementAt(0));
+ attribute->setName(components->elementAt(1));
- if (acceptorCred != GSS_C_NO_CREDENTIAL) {
- major = gss_display_name(minor, acceptorCred->name, &nameBuf, NULL);
- if (GSS_ERROR(major))
- goto cleanup;
- }
+ XMLCh *xmlValue = new XMLCh[value->length + 1];
+ XMLString::transcode((const char *)value->value, xmlValue, attr->length);
- try {
- const saml2::Assertion *assertion;
- vector <Attribute *> attrs;
+ attributeValue = saml2::AttributeValueBuilder::buildAttributeValue();
+ attributeValue->setTextContent(xmlValue);
- ctx = new gss_eap_saml_attr_ctx();
+ attribute->getAttributeValues().push_back(attributeValue);
- major = samlAddRadiusAssertion(minor, initiatorName, ctx);
- if (GSS_ERROR(major))
- goto cleanup;
+ assert(attributeStatement != NULL);
+ attributeStatement->getAttributes().push_back(attribute);
- assertion = ctx->getAssertion();
+ delete components;
+ delete xmlValue;
- if (assertion != NULL) {
- if (assertion->getConditions()) {
- *pExpiryTime =
- assertion->getConditions()->getNotOnOrAfter()->getEpoch();
- }
+ return true;
+}
- resolver->addToken(assertion);
- }
+bool
+gss_eap_saml_attr_provider::deleteAttribute(const gss_buffer_t attr)
+{
+ saml2::Assertion *assertion;
+ bool ret = false;
- resolver->setApplicationID((const char *)nameBuf.value);
- if (initiatorName->radiusCtx != NULL)
- samlAddRadiusAttributes(minor, initiatorName, &args);
- resolver->resolveAttributes(attrs);
- ctx->setAttributes(attrs);
- } catch (exception &ex) {
- major = mapException(minor, ex);
- goto cleanup;
- }
+ if (!getAssertion(NULL, &assertion) ||
+ assertion->getAttributeStatements().size() == 0)
+ return false;
- *minor = 0;
- major = GSS_S_COMPLETE;
+ /* Check the attribute name consists of name format | whsp | name */
+ BaseRefVectorOf<XMLCh> *components = decomposeAttributeName(attr);
+ if (components == NULL)
+ return false;
- initiatorName->samlCtx = ctx;
+ /* For each attribute statement, look for an attribute match */
+ const vector<saml2::AttributeStatement *> &statements =
+ const_cast<const saml2::Assertion *>(assertion)->getAttributeStatements();
+
+ for (vector<saml2::AttributeStatement *>::const_iterator s = statements.begin();
+ s != statements.end();
+ ++s) {
+ const vector<saml2::Attribute *> &attrs =
+ const_cast<const saml2::AttributeStatement *>(*s)->getAttributes();
+ ssize_t index = -1, i = 0;
+
+ /* There's got to be an easier way to do this */
+ for (vector<saml2::Attribute *>::const_iterator a = attrs.begin();
+ a != attrs.end();
+ ++a) {
+ if (XMLString::equals((*a)->getNameFormat(), components->elementAt(0)) &&
+ XMLString::equals((*a)->getName(), components->elementAt(1))) {
+ index = i;
+ break;
+ }
+ ++i;
+ }
+ if (index != -1) {
+ (*s)->getAttributes().erase((*s)->getAttributes().begin() + index);
+ ret = true;
+ }
+ }
-cleanup:
- for_each(args.attrs.begin(), args.attrs.end(), xmltooling::cleanup<Attribute>());
- gss_release_buffer(&tmpMinor, &nameBuf);
- if (GSS_ERROR(major))
- delete ctx;
- delete resolver;
+ delete components;
- return major;
+ return ret;
}
-OM_uint32
-samlGetAttributeTypes(OM_uint32 *minor,
- gss_name_t name,
- enum gss_eap_attribute_type type,
- gss_eap_add_attr_cb addAttribute,
- void *data)
+bool
+gss_eap_saml_attr_provider::getAttribute(const gss_buffer_t attr,
+ int *authenticated,
+ int *complete,
+ const saml2::Attribute **pAttribute) const
{
- OM_uint32 major = GSS_S_COMPLETE;
- gss_eap_saml_attr_ctx *ctx = name->samlCtx;
+ saml2::Assertion *assertion;
+
+ if (authenticated != NULL)
+ *authenticated = false;
+ if (complete != NULL)
+ *complete = true;
+ *pAttribute = NULL;
+
+ if (!getAssertion(authenticated, &assertion) ||
+ assertion->getAttributeStatements().size() == 0)
+ return false;
- if (ctx == NULL)
- return GSS_S_COMPLETE;
+ /* Check the attribute name consists of name format | whsp | name */
+ BaseRefVectorOf<XMLCh> *components = decomposeAttributeName(attr);
+ if (components == NULL)
+ return false;
- if (type != ATTR_TYPE_NONE)
- return GSS_S_UNAVAILABLE;
+ /* For each attribute statement, look for an attribute match */
+ const vector <saml2::AttributeStatement *> &statements =
+ const_cast<const saml2::Assertion *>(assertion)->getAttributeStatements();
+ const saml2::Attribute *ret = NULL;
- for (vector<Attribute*>::const_iterator a = ctx->getAttributes().begin();
- a != ctx->getAttributes().end();
- ++a)
- {
- gss_buffer_desc attribute;
+ for (vector<saml2::AttributeStatement *>::const_iterator s = statements.begin();
+ s != statements.end();
+ ++s) {
+ const vector<saml2::Attribute *> &attrs =
+ const_cast<const saml2::AttributeStatement*>(*s)->getAttributes();
- attribute.value = (void *)((*a)->getId());
- attribute.length = strlen((char *)attribute.value);
+ for (vector<saml2::Attribute *>::const_iterator a = attrs.begin(); a != attrs.end(); ++a) {
+ if (XMLString::equals((*a)->getNameFormat(), components->elementAt(0)) &&
+ XMLString::equals((*a)->getName(), components->elementAt(1))) {
+ ret = *a;
+ break;
+ }
+ }
- major = addAttribute(minor, name, &attribute, data);
- if (GSS_ERROR(major))
+ if (ret != NULL)
break;
}
- return major;
-}
+ delete components;
-/*
- * SAML implementation of gss_get_name_attribute
- */
-OM_uint32
-samlGetAttribute(OM_uint32 *minor,
- enum gss_eap_attribute_type type,
- gss_name_t name,
- gss_buffer_t attr,
- int *authenticated,
- int *complete,
- gss_buffer_t value,
- gss_buffer_t display_value,
- int *more)
-{
- struct gss_eap_saml_attr_ctx *ctx = name->samlCtx;
- bool ret;
-
- if (ctx == NULL)
- return GSS_S_UNAVAILABLE;
-
- switch (type) {
- case ATTR_TYPE_NONE:
- ret = ctx->getAttribute(attr, authenticated, complete,
- value, display_value, more);
- break;
- default:
- ret = false;
- break;
- }
+ *pAttribute = ret;
- return ret ? GSS_S_COMPLETE : GSS_S_UNAVAILABLE;
+ return (ret != NULL);
}
-OM_uint32
-samlSetAttribute(OM_uint32 *minor,
- gss_name_t name,
- int complete,
- gss_buffer_t attr,
- gss_buffer_t value)
+bool
+gss_eap_saml_attr_provider::getAttribute(const gss_buffer_t attr,
+ int *authenticated,
+ int *complete,
+ gss_buffer_t value,
+ gss_buffer_t display_value,
+ int *more) const
{
- struct gss_eap_saml_attr_ctx *ctx = name->samlCtx;
-
- if (ctx == NULL)
- return GSS_S_UNAVAILABLE;
-
- try {
- ctx->setAttribute(complete, attr, value);
- } catch (exception &e) {
- return mapException(minor, e);
- }
+ const saml2::Attribute *a;
+ const saml2::AttributeValue *av;
+ int nvalues, i = *more;
- return GSS_S_COMPLETE;
-}
+ *more = 0;
-OM_uint32
-samlDeleteAttribute(OM_uint32 *minor,
- gss_name_t name,
- gss_buffer_t attr)
-{
- struct gss_eap_saml_attr_ctx *ctx = name->samlCtx;
+ if (!getAttribute(attr, authenticated, complete, &a))
+ return false;
- if (ctx == NULL)
- return GSS_S_UNAVAILABLE;
+ nvalues = a->getAttributeValues().size();
- try {
- ctx->deleteAttribute(attr);
- } catch (exception &e) {
- return mapException(minor, e);
+ if (i == -1)
+ i = 0;
+ else if (i >= nvalues)
+ return false;
+#ifdef __APPLE__
+ av = (const saml2::AttributeValue *)((void *)(a->getAttributeValues().at(i)));
+#else
+ av = dynamic_cast<const saml2::AttributeValue *>(a->getAttributeValues().at(i));
+#endif
+ if (av != NULL) {
+ if (value != NULL) {
+ value->value = toUTF8(av->getTextContent(), true);
+ value->length = strlen((char *)value->value);
+ }
+ if (display_value != NULL) {
+ display_value->value = toUTF8(av->getTextContent(), true);
+ display_value->length = strlen((char *)value->value);
+ }
}
- return GSS_S_COMPLETE;
+ if (nvalues > ++i)
+ *more = i;
+
+ return true;
}
-/*
- * In order to implement gss_export_name and gss_export_sec_context,
- * we need to serialise a resolved attribute context to a buffer.
- */
-OM_uint32
-samlExportAttrContext(OM_uint32 *minor,
- gss_name_t name,
- gss_buffer_t buffer)
+gss_any_t
+gss_eap_saml_attr_provider::mapToAny(int authenticated GSSEAP_UNUSED,
+ gss_buffer_t type_id GSSEAP_UNUSED) const
{
- struct gss_eap_saml_attr_ctx *ctx = name->samlCtx;
-
- try {
- ctx->marshall(buffer);
- } catch (exception &e) {
- return mapException(minor, e);
- }
-
- return GSS_S_COMPLETE;
+ return (gss_any_t)NULL;
}
-/*
- * In order to implement gss_import_name and gss_import_sec_context,
- * we need to deserialise a resolved attribute context from a buffer.
- */
-OM_uint32
-samlImportAttrContext(OM_uint32 *minor,
- gss_buffer_t buffer,
- gss_name_t name)
+void
+gss_eap_saml_attr_provider::releaseAnyNameMapping(gss_buffer_t type_id GSSEAP_UNUSED,
+ gss_any_t input GSSEAP_UNUSED) const
{
- try {
- assert(name->samlCtx == NULL);
- name->samlCtx = gss_eap_saml_attr_ctx::unmarshall(buffer);
- } catch (exception &e) {
- return mapException(minor, e);
- }
-
- return GSS_S_COMPLETE;
}
-OM_uint32
-samlGetAssertion(OM_uint32 *minor,
- gss_name_t name,
- gss_buffer_t assertion)
+void
+gss_eap_saml_attr_provider::exportToBuffer(gss_buffer_t buffer) const
{
- struct gss_eap_saml_attr_ctx *ctx = name->samlCtx;
-
- if (ctx == NULL)
- return GSS_S_UNAVAILABLE;
-
- try {
- ctx->getAssertion(assertion);
- } catch (exception &e) {
- return mapException(minor, e);
- }
-
- return GSS_S_COMPLETE;
+ buffer->length = 0;
+ buffer->value = NULL;
}
-OM_uint32
-samlDuplicateAttrContext(OM_uint32 *minor,
- gss_name_t in,
- gss_name_t out)
+bool
+gss_eap_saml_attr_provider::initFromBuffer(const gss_eap_attr_ctx *ctx,
+ const gss_buffer_t buffer)
{
- try {
- if (in->samlCtx != NULL)
- out->samlCtx = new gss_eap_saml_attr_ctx(*(in->samlCtx));
- else
- out->samlCtx = NULL;
- } catch (exception &e) {
- return mapException(minor, e);
- }
-
- return GSS_S_COMPLETE;
+ return gss_eap_attr_provider::initFromBuffer(ctx, buffer);
}
-OM_uint32
-samlMapNameToAny(OM_uint32 *minor,
- gss_name_t name,
- int authenticated,
- gss_buffer_t type_id,
- gss_any_t *output)
+bool
+gss_eap_saml_attr_provider::init(void)
{
- struct gss_eap_saml_attr_ctx *ctx = name->samlCtx;
-
- if (bufferEqualString(type_id, "shibsp::Attribute")) {
- vector <Attribute *>v = duplicateAttributes(ctx->getAttributes());
+ gss_eap_attr_ctx::registerProvider(ATTR_TYPE_SAML,
+ "urn:ietf:params:gss-eap:saml-attr",
+ createAttrContext);
+ return true;
+}
- *output = (gss_any_t)new vector <Attribute *>(v);
- } else if (bufferEqualString(type_id, "opensaml::Assertion")) {
- *output = (gss_any_t)ctx->getAssertion()->clone();
- } else {
- *output = (gss_any_t)NULL;
- return GSS_S_UNAVAILABLE;
- }
+void
+gss_eap_saml_attr_provider::finalize(void)
+{
+ gss_eap_attr_ctx::unregisterProvider(ATTR_TYPE_SAML);
+}
- return GSS_S_COMPLETE;
+gss_eap_attr_provider *
+gss_eap_saml_attr_provider::createAttrContext(void)
+{
+ return new gss_eap_saml_attr_provider;
}
OM_uint32
-samlReleaseAnyNameMapping(OM_uint32 *minor,
- gss_name_t name,
- gss_buffer_t type_id,
- gss_any_t *input)
-{
- if (bufferEqualString(type_id, "vector<shibsp::Attribute>")) {
- vector <Attribute *> *v = ((vector <Attribute *> *)*input);
- delete v;
- } else if (bufferEqualString(type_id, "opensaml::Assertion")) {
- delete (Assertion *)*input;
- } else {
- return GSS_S_UNAVAILABLE;
+gssEapSamlAttrProvidersInit(OM_uint32 *minor)
+{
+ if (!gss_eap_saml_assertion_provider::init() ||
+ !gss_eap_saml_attr_provider::init()) {
+ *minor = GSSEAP_SAML_INIT_FAILURE;
+ return GSS_S_FAILURE;
}
- *input = (gss_any_t)NULL;
return GSS_S_COMPLETE;
}
OM_uint32
-samlInit(OM_uint32 *minor)
+gssEapSamlAttrProvidersFinalize(OM_uint32 *minor)
{
- *minor = 0;
+ gss_eap_saml_attr_provider::finalize();
+ gss_eap_saml_assertion_provider::finalize();
- return ShibbolethResolver::init() ? GSS_S_COMPLETE : GSS_S_FAILURE;
-}
-
-OM_uint32
-samlFinalize(OM_uint32 *minor)
-{
*minor = 0;
-
- ShibbolethResolver::term();
return GSS_S_COMPLETE;
}
projects / mech_eap.git / blobdiff