X-Git-Url: http://www.project-moonshot.org/gitweb/?p=mech_eap.git;a=blobdiff_plain;f=util_saml.cpp;h=5346cc4537234f5957a2c822859f1f87f9f73026;hp=050e5bdcb84683b113f5deb678c6cf141d2291bb;hb=ae79fdae047f980d01b2b4e84ccea52e24d8c7a0;hpb=60e15c3169829b20cbd8dcdb55c170c855e38ad6 diff --git a/util_saml.cpp b/util_saml.cpp index 050e5bd..5346cc4 100644 --- a/util_saml.cpp +++ b/util_saml.cpp @@ -1,5 +1,5 @@ /* - * Copyright (c) 2010, JANET(UK) + * Copyright (c) 2011, JANET(UK) * All rights reserved. * * Redistribution and use in source and binary forms, with or without @@ -29,879 +29,725 @@ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. */ + /* - * Copyright 2001-2009 Internet2 - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. + * SAML attribute provider implementation. */ #include "gssapiP_eap.h" -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include +#include -#include -#include -#include #include +#include #include #include +#include +#include -#include "resolver.h" +#include +#include +#include +#include +#include -using namespace shibsp; -using namespace shibresolver; +using namespace xmltooling; using namespace opensaml::saml2md; using namespace opensaml; -using namespace xmltooling::logging; -using namespace xmltooling; using namespace xercesc; using namespace std; -static vector -duplicateAttributes(const vector src); - /* - * Class representing the SAML compoments of a EAP GSS name. + * gss_eap_saml_assertion_provider is for retrieving the underlying + * assertion. */ -struct gss_eap_saml_attr_ctx +gss_eap_saml_assertion_provider::gss_eap_saml_assertion_provider(void) { -public: - gss_eap_saml_attr_ctx(void) {} - - gss_eap_saml_attr_ctx(const vector& attributes, - const saml2::Assertion *assertion = NULL) { - if (assertion != NULL) - setAssertion(assertion); - if (attributes.size()) - setAttributes(duplicateAttributes(attributes)); - } + m_assertion = NULL; + m_authenticated = false; +} - gss_eap_saml_attr_ctx(const gss_eap_saml_attr_ctx &ctx) { - gss_eap_saml_attr_ctx(ctx.m_attributes, ctx.m_assertion); - } +gss_eap_saml_assertion_provider::~gss_eap_saml_assertion_provider(void) +{ + delete m_assertion; +} - ~gss_eap_saml_attr_ctx() { - for_each(m_attributes.begin(), - m_attributes.end(), - xmltooling::cleanup()) - ; - delete m_assertion; - } +bool +gss_eap_saml_assertion_provider::initFromExistingContext(const gss_eap_attr_ctx *manager, + const gss_eap_attr_provider *ctx) +{ + /* Then we may be creating from an existing attribute context */ + const gss_eap_saml_assertion_provider *saml; - const vector getAttributes(void) const { - return m_attributes; - } + assert(m_assertion == NULL); - void addAttribute(Attribute *attr, bool copy = true); - void setAttributes(const vector attributes); + if (!gss_eap_attr_provider::initFromExistingContext(manager, ctx)) + return false; - void setAttribute(int complete, - const gss_buffer_t attr, - const gss_buffer_t value); - void deleteAttribute(const gss_buffer_t attr); + saml = static_cast(ctx); + setAssertion(saml->getAssertion(), saml->authenticated()); - int getAttributeIndex(const gss_buffer_t attr) const; - const Attribute *getAttribute(const gss_buffer_t attr) const; + return true; +} - bool getAttribute(const gss_buffer_t attr, - int *authenticated, - int *complete, - gss_buffer_t value, - gss_buffer_t display_value, - int *more); +bool +gss_eap_saml_assertion_provider::initFromGssContext(const gss_eap_attr_ctx *manager, + const gss_cred_id_t gssCred, + const gss_ctx_id_t gssCtx) +{ + const gss_eap_radius_attr_provider *radius; + gss_buffer_desc value = GSS_C_EMPTY_BUFFER; + int authenticated, complete; + OM_uint32 minor; - const saml2::Assertion *getAssertion(void) const { - return m_assertion; - } + assert(m_assertion == NULL); - void setAssertion(const saml2::Assertion *assertion) { - delete m_assertion; - if (assertion != NULL) - m_assertion = dynamic_cast(assertion->clone()); - else - m_assertion = NULL; - } + if (!gss_eap_attr_provider::initFromGssContext(manager, gssCred, gssCtx)) + return false; - void setAssertion(const gss_buffer_t buffer) { - delete m_assertion; - m_assertion = parseAssertion(buffer); + /* + * XXX TODO we need to support draft-howlett-radius-saml-attr-00 + */ + radius = static_cast + (m_manager->getProvider(ATTR_TYPE_RADIUS)); + if (radius != NULL && + radius->getFragmentedAttribute(PW_SAML_AAA_ASSERTION, + VENDORPEC_UKERNA, + &authenticated, &complete, &value)) { + setAssertion(&value, authenticated); + gss_release_buffer(&minor, &value); + } else { + m_assertion = NULL; } - bool getAssertion(gss_buffer_t buffer); - - DDF marshall() const; - static gss_eap_saml_attr_ctx *unmarshall(DDF &in); + return true; +} - void marshall(gss_buffer_t buffer); - static gss_eap_saml_attr_ctx *unmarshall(const gss_buffer_t buffer); +void +gss_eap_saml_assertion_provider::setAssertion(const saml2::Assertion *assertion, + bool authenticated) +{ -private: - mutable vector m_attributes; - mutable saml2::Assertion *m_assertion; + delete m_assertion; - static saml2::Assertion *parseAssertion(const gss_buffer_t buffer); -}; + if (assertion != NULL) { +#ifdef __APPLE__ + m_assertion = (saml2::Assertion *)((void *)assertion->clone()); +#else + m_assertion = dynamic_cast(assertion->clone()); +#endif + m_authenticated = authenticated; + } else { + m_assertion = NULL; + m_authenticated = false; + } +} -/* - * Map an exception to a GSS major/mechanism status code. - * TODO - */ -static OM_uint32 -mapException(OM_uint32 *minor, exception &e) +void +gss_eap_saml_assertion_provider::setAssertion(const gss_buffer_t buffer, + bool authenticated) { - *minor = 0; - return GSS_S_FAILURE; + delete m_assertion; + + m_assertion = parseAssertion(buffer); + m_authenticated = (m_assertion != NULL && authenticated); } -/* - * Parse a GSS buffer into a SAML v2 assertion. - */ saml2::Assertion * -gss_eap_saml_attr_ctx::parseAssertion(const gss_buffer_t buffer) +gss_eap_saml_assertion_provider::parseAssertion(const gss_buffer_t buffer) { string str((char *)buffer->value, buffer->length); istringstream istream(str); DOMDocument *doc; const XMLObjectBuilder *b; - doc = XMLToolingConfig::getConfig().getParser().parse(istream); - b =XMLObjectBuilder::getBuilder(doc->getDocumentElement()); - - return dynamic_cast(b->buildFromDocument(doc)); -} + try { + doc = XMLToolingConfig::getConfig().getParser().parse(istream); + if (doc == NULL) + return NULL; -static inline void -duplicateBuffer(gss_buffer_desc &src, gss_buffer_t dst) -{ - OM_uint32 minor; + b = XMLObjectBuilder::getBuilder(doc->getDocumentElement()); - if (GSS_ERROR(duplicateBuffer(&minor, &src, dst))) - throw new bad_alloc(); +#ifdef __APPLE__ + return (saml2::Assertion *)((void *)b->buildFromDocument(doc)); +#else + return dynamic_cast(b->buildFromDocument(doc)); +#endif + } catch (exception &e) { + return NULL; + } } -static inline void -duplicateBuffer(string &str, gss_buffer_t buffer) +bool +gss_eap_saml_assertion_provider::getAttributeTypes(gss_eap_attr_enumeration_cb addAttribute, + void *data) const { - gss_buffer_desc tmp; + bool ret; - tmp.length = str.length(); - tmp.value = (char *)str.c_str(); + /* just add the prefix */ + if (m_assertion != NULL) + ret = addAttribute(this, GSS_C_NO_BUFFER, data); + else + ret = true; - duplicateBuffer(tmp, buffer); + return ret; } -/* - * Marshall SAML attribute context into a form suitable for - * exported names. - */ -DDF -gss_eap_saml_attr_ctx::marshall() const +bool +gss_eap_saml_assertion_provider::setAttribute(int complete GSSEAP_UNUSED, + const gss_buffer_t attr, + const gss_buffer_t value) { - DDF obj(NULL); - DDF attrs; - DDF assertion; - - obj.addmember("version").integer(1); - - attrs = obj.addmember("attributes").list(); - for (vector::const_iterator a = m_attributes.begin(); - a != m_attributes.end(); ++a) { - DDF attr = (*a)->marshall(); - attrs.add(attr); + if (attr == GSS_C_NO_BUFFER || attr->length == 0) { + setAssertion(value); + return true; } - ostringstream sink; - sink << *m_assertion; - assertion = obj.addmember("assertion").string(sink.str().c_str()); - - return obj; + return false; } -/* - * Unmarshall SAML attribute context from a form suitable for - * exported names. - */ -gss_eap_saml_attr_ctx * -gss_eap_saml_attr_ctx::unmarshall(DDF &obj) +bool +gss_eap_saml_assertion_provider::deleteAttribute(const gss_buffer_t value GSSEAP_UNUSED) { - gss_eap_saml_attr_ctx *ctx = new gss_eap_saml_attr_ctx(); + delete m_assertion; + m_assertion = NULL; + m_authenticated = false; - DDF version = obj["version"]; - if (version.integer() != 1) - return NULL; - - DDF assertion = obj["assertion"]; - gss_buffer_desc buffer; - - if (!assertion.isnull()) { - buffer.length = assertion.strlen(); - buffer.value = (void *)assertion.string(); - } else { - buffer.length = 0; - } - - if (buffer.length != 0) - ctx->parseAssertion(&buffer); - - DDF attrs = obj["attributes"]; - DDF attr = attrs.first(); - while (!attr.isnull()) { - Attribute *attribute = Attribute::unmarshall(attr); - ctx->addAttribute(attribute, false); - attr = attrs.next(); - } - - return ctx; + return true; } -void -gss_eap_saml_attr_ctx::marshall(gss_buffer_t buffer) +time_t +gss_eap_saml_assertion_provider::getExpiryTime(void) const { - DDF obj = marshall(); - ostringstream sink; - sink << obj; - string str = sink.str(); - - duplicateBuffer(str, buffer); + saml2::Conditions *conditions; + time_t expiryTime = 0; - obj.destroy(); -} + if (m_assertion == NULL) + return 0; -gss_eap_saml_attr_ctx * -gss_eap_saml_attr_ctx::unmarshall(const gss_buffer_t buffer) -{ - gss_eap_saml_attr_ctx *ctx; + conditions = m_assertion->getConditions(); - string str((const char *)buffer->value, buffer->length); - istringstream source(str); - DDF obj(NULL); - source >> obj; + if (conditions != NULL && conditions->getNotOnOrAfter() != NULL) + expiryTime = conditions->getNotOnOrAfter()->getEpoch(); - ctx = unmarshall(obj); + return expiryTime; +} - obj.destroy(); +OM_uint32 +gss_eap_saml_assertion_provider::mapException(OM_uint32 *minor, + std::exception &e) const +{ + if (typeid(e) == typeid(SecurityPolicyException)) + *minor = GSSEAP_SAML_SEC_POLICY_FAILURE; + else if (typeid(e) == typeid(BindingException)) + *minor = GSSEAP_SAML_BINDING_FAILURE; + else if (typeid(e) == typeid(ProfileException)) + *minor = GSSEAP_SAML_PROFILE_FAILURE; + else if (typeid(e) == typeid(FatalProfileException)) + *minor = GSSEAP_SAML_FATAL_PROFILE_FAILURE; + else if (typeid(e) == typeid(RetryableProfileException)) + *minor = GSSEAP_SAML_RETRY_PROFILE_FAILURE; + else if (typeid(e) == typeid(MetadataException)) + *minor = GSSEAP_SAML_METADATA_FAILURE; + else + return GSS_S_CONTINUE_NEEDED; - return ctx; + return GSS_S_FAILURE; } -/* - * Return the serialised assertion. - */ bool -gss_eap_saml_attr_ctx::getAssertion(gss_buffer_t buffer) +gss_eap_saml_assertion_provider::getAttribute(const gss_buffer_t attr, + int *authenticated, + int *complete, + gss_buffer_t value, + gss_buffer_t display_value GSSEAP_UNUSED, + int *more) const { string str; + if (attr != GSS_C_NO_BUFFER && attr->length != 0) + return false; + if (m_assertion == NULL) return false; - buffer->value = NULL; - buffer->length = 0; + if (*more != -1) + return false; + + if (authenticated != NULL) + *authenticated = m_authenticated; + if (complete != NULL) + *complete = true; XMLHelper::serialize(m_assertion->marshall((DOMDocument *)NULL), str); - duplicateBuffer(str, buffer); + duplicateBuffer(str, value); + *more = 0; return true; } -static Attribute * -duplicateAttribute(const Attribute *src) -{ - Attribute *attribute; - - DDF obj = src->marshall(); - attribute = Attribute::unmarshall(obj); - obj.destroy(); - - return attribute; -} - -static vector -duplicateAttributes(const vector src) +gss_any_t +gss_eap_saml_assertion_provider::mapToAny(int authenticated, + gss_buffer_t type_id GSSEAP_UNUSED) const { - vector dst; - - for (vector::const_iterator a = src.begin(); - a != src.end(); - ++a) - dst.push_back(duplicateAttribute(*a)); + if (authenticated && !m_authenticated) + return (gss_any_t)NULL; - return dst; + return (gss_any_t)m_assertion; } void -gss_eap_saml_attr_ctx::addAttribute(Attribute *attribute, bool copy) +gss_eap_saml_assertion_provider::releaseAnyNameMapping(gss_buffer_t type_id GSSEAP_UNUSED, + gss_any_t input) const { - Attribute *a; - - a = copy ? duplicateAttribute(attribute) : attribute; - - m_attributes.push_back(a); + delete ((saml2::Assertion *)input); } void -gss_eap_saml_attr_ctx::setAttributes(const vector attributes) +gss_eap_saml_assertion_provider::exportToBuffer(gss_buffer_t buffer) const { - for_each(m_attributes.begin(), m_attributes.end(), xmltooling::cleanup()); - m_attributes = attributes; -} - -int -gss_eap_saml_attr_ctx::getAttributeIndex(const gss_buffer_t attr) const -{ - int i = 0; - - for (vector::const_iterator a = getAttributes().begin(); - a != getAttributes().end(); - ++a) - { - for (vector::const_iterator s = (*a)->getAliases().begin(); - s != (*a)->getAliases().end(); - ++s) { - if (attr->length == (*s).length() && - memcmp((*s).c_str(), attr->value, attr->length) == 0) { - return i; - } - } - } + ostringstream sink; + string str; - return -1; -} + buffer->length = 0; + buffer->value = NULL; -const Attribute * -gss_eap_saml_attr_ctx::getAttribute(const gss_buffer_t attr) const -{ - const Attribute *ret = NULL; + if (m_assertion == NULL) + return; - for (vector::const_iterator a = getAttributes().begin(); - a != getAttributes().end(); - ++a) - { - for (vector::const_iterator s = (*a)->getAliases().begin(); - s != (*a)->getAliases().end(); - ++s) { - if (attr->length == (*s).length() && - memcmp((*s).c_str(), attr->value, attr->length) == 0) { - ret = *a; - break; - } - } - if (ret != NULL) - break; - } + sink << *m_assertion; + str = sink.str(); - return ret; + duplicateBuffer(str, buffer); } bool -gss_eap_saml_attr_ctx::getAttribute(const gss_buffer_t attr, - int *authenticated, - int *complete, - gss_buffer_t value, - gss_buffer_t display_value, - int *more) -{ - const Attribute *shibAttr = NULL; - gss_buffer_desc buf; - - shibAttr = getAttribute(attr); - if (shibAttr == NULL) +gss_eap_saml_assertion_provider::initFromBuffer(const gss_eap_attr_ctx *ctx, + const gss_buffer_t buffer) +{ + if (!gss_eap_attr_provider::initFromBuffer(ctx, buffer)) return false; - if (*more == -1) { - *more = 0; - } else if (*more >= (int)shibAttr->valueCount()) { - *more = 0; + if (buffer->length == 0) return true; - } - buf.value = (void *)shibAttr->getString(*more); - buf.length = strlen((char *)buf.value); + assert(m_assertion == NULL); - duplicateBuffer(buf, value); - - *authenticated = TRUE; - *complete = FALSE; + setAssertion(buffer); + /* TODO XXX how to propagate authenticated flag? */ return true; } -static Attribute * -samlAttributeFromGssBuffers(const gss_buffer_t attr, - const gss_buffer_t value) +bool +gss_eap_saml_assertion_provider::init(void) { - string attrStr((char *)attr->value, attr->length); - vector ids(1); - SimpleAttribute *a; - - ids.push_back(attrStr); - - a = new SimpleAttribute(ids); - - if (value->length != 0) { - string valStr((char *)value->value, value->length); - - a->getValues().push_back(valStr); - } - - return a; + gss_eap_attr_ctx::registerProvider(ATTR_TYPE_SAML_ASSERTION, + "urn:ietf:params:gss-eap:saml-aaa-assertion", + createAttrContext); + return true; } void -gss_eap_saml_attr_ctx::setAttribute(int complete, - const gss_buffer_t attr, - const gss_buffer_t value) +gss_eap_saml_assertion_provider::finalize(void) { - Attribute *a = samlAttributeFromGssBuffers(attr, value); - - addAttribute(a, false); + gss_eap_attr_ctx::unregisterProvider(ATTR_TYPE_SAML_ASSERTION); } -void -gss_eap_saml_attr_ctx::deleteAttribute(const gss_buffer_t attr) +gss_eap_attr_provider * +gss_eap_saml_assertion_provider::createAttrContext(void) { - int i; - - i = getAttributeIndex(attr); - if (i >= 0) - m_attributes.erase(m_attributes.begin() + i); + return new gss_eap_saml_assertion_provider; } -OM_uint32 -samlReleaseAttrContext(OM_uint32 *minor, gss_name_t name) +saml2::Assertion * +gss_eap_saml_assertion_provider::initAssertion(void) { - try { - delete name->samlCtx; - name->samlCtx = NULL; - } catch (exception &e) { - return mapException(minor, e); - } + delete m_assertion; + m_assertion = saml2::AssertionBuilder::buildAssertion(); + m_authenticated = false; - return GSS_S_COMPLETE; + return m_assertion; } -static gss_buffer_desc -gssEapRadiusAssertionAttr = { 3, (void *)"128" }; /* TODO */ - -class gss_eap_saml_attr_args { -public: - vector attrs; - ShibbolethResolver *resolver; -}; - /* - * Callback to add a RADIUS attribute as input to the resolver. + * gss_eap_saml_attr_provider is for retrieving the underlying attributes. */ -static OM_uint32 -samlAddRadiusAttribute(OM_uint32 *minor, - gss_name_t name, - gss_buffer_t attr, - void *data) -{ - OM_uint32 major; - gss_eap_saml_attr_args *args = (gss_eap_saml_attr_args *)data; - Attribute *a; - int authenticated, complete, more = -1; - gss_buffer_desc value; - - /* Put attributes to skip here (or in a table somewhere) */ - if (bufferEqual(attr, &gssEapRadiusAssertionAttr)) { - return GSS_S_COMPLETE; - } +bool +gss_eap_saml_attr_provider::getAssertion(int *authenticated, + saml2::Assertion **pAssertion, + bool createIfAbsent) const +{ + gss_eap_saml_assertion_provider *saml; + + if (authenticated != NULL) + *authenticated = false; + if (pAssertion != NULL) + *pAssertion = NULL; + + saml = static_cast + (m_manager->getProvider(ATTR_TYPE_SAML_ASSERTION)); + if (saml == NULL) + return false; - major = radiusGetAttribute(minor, name, attr, - &authenticated, &complete, - &value, GSS_C_NO_BUFFER, &more); - if (major == GSS_S_COMPLETE) { - /* XXX TODO prefix */ - a = samlAttributeFromGssBuffers(attr, &value); - args->attrs.push_back(a); - args->resolver->addAttribute(a); + if (authenticated != NULL) + *authenticated = saml->authenticated(); + if (pAssertion != NULL) + *pAssertion = saml->getAssertion(); + + if (saml->getAssertion() == NULL) { + if (createIfAbsent) { + if (authenticated != NULL) + *authenticated = false; + if (pAssertion != NULL) + *pAssertion = saml->initAssertion(); + } else + return false; } - return GSS_S_COMPLETE; + return true; } -/* - * Add attributes retrieved via RADIUS. - */ -static OM_uint32 -samlAddRadiusAttributes(OM_uint32 *minor, - gss_name_t name, - gss_eap_saml_attr_args *args) +bool +gss_eap_saml_attr_provider::getAttributeTypes(gss_eap_attr_enumeration_cb addAttribute, + void *data) const { - return radiusGetAttributeTypes(minor, - name, - samlAddRadiusAttribute, - (void *)args); + saml2::Assertion *assertion; + int authenticated; + + if (!getAssertion(&authenticated, &assertion)) + return true; + + /* + * Note: the first prefix is added by the attribute provider manager + * + * From draft-hartman-gss-eap-naming-00: + * + * Each attribute carried in the assertion SHOULD also be a GSS name + * attribute. The name of this attribute has three parts, all separated + * by an ASCII space character. The first part is + * urn:ietf:params:gss-eap:saml-attr. The second part is the URI for + * the SAML attribute name format. The final part is the name of the + * SAML attribute. If the mechanism performs an additional attribute + * query, the retrieved attributes SHOULD be GSS-API name attributes + * using the same name syntax. + */ + /* For each attribute statement, look for an attribute match */ + const vector &statements = + const_cast(assertion)->getAttributeStatements(); + + for (vector::const_iterator s = statements.begin(); + s != statements.end(); + ++s) { + const vector &attrs = + const_cast(*s)->getAttributes(); + + for (vector::const_iterator a = attrs.begin(); a != attrs.end(); ++a) { + const XMLCh *attributeName = (*a)->getName(); + const XMLCh *attributeNameFormat = (*a)->getNameFormat(); + XMLCh *qualifiedName; + XMLCh space[2] = { ' ', 0 }; + gss_buffer_desc utf8; + bool ret; + + qualifiedName = new XMLCh[XMLString::stringLen(attributeNameFormat) + 1 + + XMLString::stringLen(attributeName) + 1]; + XMLString::copyString(qualifiedName, attributeNameFormat); + XMLString::catString(qualifiedName, space); + XMLString::catString(qualifiedName, attributeName); + + utf8.value = (void *)toUTF8(qualifiedName); + utf8.length = strlen((char *)utf8.value); + + ret = addAttribute(this, &utf8, data); + + delete qualifiedName; + + if (!ret) + return ret; + } + } + + return true; } -/* - * Add assertion retrieved via RADIUS. - */ -static OM_uint32 -samlAddRadiusAssertion(OM_uint32 *minor, - gss_name_t name, - gss_eap_saml_attr_ctx *ctx) +static BaseRefVectorOf * +decomposeAttributeName(const gss_buffer_t attr) { - OM_uint32 major; - int authenticated, complete, more = -1; - gss_buffer_desc value; + XMLCh *qualifiedAttr = new XMLCh[attr->length + 1]; + XMLString::transcode((const char *)attr->value, qualifiedAttr, attr->length); - value.value = NULL; - value.length = 0; + BaseRefVectorOf *components = XMLString::tokenizeString(qualifiedAttr); - major = radiusGetAttribute(minor, name, &gssEapRadiusAssertionAttr, - &authenticated, &complete, - &value, GSS_C_NO_BUFFER, &more); - if (GSS_ERROR(major) && major != GSS_S_UNAVAILABLE) - return major; + delete qualifiedAttr; - ctx->setAssertion(&value); - - gss_release_buffer(minor, &value); + if (components->size() != 2) { + delete components; + components = NULL; + } - return GSS_S_COMPLETE; + return components; } -/* - * Initialise SAML attribute context in initiator name. RADIUS context - * must have been previously initialised. - */ -OM_uint32 -samlCreateAttrContext(OM_uint32 *minor, - gss_cred_id_t acceptorCred, - gss_name_t initiatorName, - time_t *pExpiryTime) +bool +gss_eap_saml_attr_provider::setAttribute(int complete GSSEAP_UNUSED, + const gss_buffer_t attr, + const gss_buffer_t value) { - OM_uint32 major, tmpMinor; - gss_buffer_desc nameBuf; - gss_eap_saml_attr_ctx *ctx = NULL; - ShibbolethResolver *resolver = NULL; - gss_eap_saml_attr_args args; + saml2::Assertion *assertion; + saml2::Attribute *attribute; + saml2::AttributeValue *attributeValue; + saml2::AttributeStatement *attributeStatement; - assert(initiatorName != GSS_C_NO_NAME); + if (!getAssertion(NULL, &assertion, true)) + return false; - if (initiatorName->radiusCtx == NULL) - return GSS_S_UNAVAILABLE; + if (assertion->getAttributeStatements().size() != 0) { + attributeStatement = assertion->getAttributeStatements().front(); + } else { + attributeStatement = saml2::AttributeStatementBuilder::buildAttributeStatement(); + assertion->getAttributeStatements().push_back(attributeStatement); + } - nameBuf.length = 0; - nameBuf.value = NULL; + /* Check the attribute name consists of name format | whsp | name */ + BaseRefVectorOf *components = decomposeAttributeName(attr); + if (components == NULL) + return false; - resolver = ShibbolethResolver::create(); - if (resolver == NULL) - return GSS_S_FAILURE; + attribute = saml2::AttributeBuilder::buildAttribute(); + attribute->setNameFormat(components->elementAt(0)); + attribute->setName(components->elementAt(1)); - args.resolver = resolver; + XMLCh *xmlValue = new XMLCh[value->length + 1]; + XMLString::transcode((const char *)value->value, xmlValue, attr->length); - if (acceptorCred != GSS_C_NO_CREDENTIAL) { - major = gss_display_name(minor, acceptorCred->name, &nameBuf, NULL); - if (GSS_ERROR(major)) - goto cleanup; - } + attributeValue = saml2::AttributeValueBuilder::buildAttributeValue(); + attributeValue->setTextContent(xmlValue); - try { - const saml2::Assertion *assertion; - vector attrs; + attribute->getAttributeValues().push_back(attributeValue); - ctx = new gss_eap_saml_attr_ctx(); + assert(attributeStatement != NULL); + attributeStatement->getAttributes().push_back(attribute); - major = samlAddRadiusAssertion(minor, initiatorName, ctx); - if (GSS_ERROR(major)) - goto cleanup; + delete components; + delete xmlValue; - assertion = ctx->getAssertion(); - - if (assertion != NULL) { - if (assertion->getConditions()) { - *pExpiryTime = - assertion->getConditions()->getNotOnOrAfter()->getEpoch(); - } + return true; +} - resolver->addToken(assertion); - } +bool +gss_eap_saml_attr_provider::deleteAttribute(const gss_buffer_t attr) +{ + saml2::Assertion *assertion; + bool ret = false; - resolver->setApplicationID((const char *)nameBuf.value); - if (initiatorName->radiusCtx != NULL) - samlAddRadiusAttributes(minor, initiatorName, &args); - resolver->resolveAttributes(attrs); - ctx->setAttributes(attrs); - } catch (exception &ex) { - major = mapException(minor, ex); - goto cleanup; - } + if (!getAssertion(NULL, &assertion) || + assertion->getAttributeStatements().size() == 0) + return false; - *minor = 0; - major = GSS_S_COMPLETE; + /* Check the attribute name consists of name format | whsp | name */ + BaseRefVectorOf *components = decomposeAttributeName(attr); + if (components == NULL) + return false; - initiatorName->samlCtx = ctx; + /* For each attribute statement, look for an attribute match */ + const vector &statements = + const_cast(assertion)->getAttributeStatements(); + + for (vector::const_iterator s = statements.begin(); + s != statements.end(); + ++s) { + const vector &attrs = + const_cast(*s)->getAttributes(); + ssize_t index = -1, i = 0; + + /* There's got to be an easier way to do this */ + for (vector::const_iterator a = attrs.begin(); + a != attrs.end(); + ++a) { + if (XMLString::equals((*a)->getNameFormat(), components->elementAt(0)) && + XMLString::equals((*a)->getName(), components->elementAt(1))) { + index = i; + break; + } + ++i; + } + if (index != -1) { + (*s)->getAttributes().erase((*s)->getAttributes().begin() + index); + ret = true; + } + } -cleanup: - for_each(args.attrs.begin(), args.attrs.end(), xmltooling::cleanup()); - gss_release_buffer(&tmpMinor, &nameBuf); - if (GSS_ERROR(major)) - delete ctx; - delete resolver; + delete components; - return major; + return ret; } -OM_uint32 -samlGetAttributeTypes(OM_uint32 *minor, - gss_name_t name, - enum gss_eap_attribute_type type, - gss_eap_add_attr_cb addAttribute, - void *data) +bool +gss_eap_saml_attr_provider::getAttribute(const gss_buffer_t attr, + int *authenticated, + int *complete, + const saml2::Attribute **pAttribute) const { - OM_uint32 major = GSS_S_COMPLETE; - gss_eap_saml_attr_ctx *ctx = name->samlCtx; + saml2::Assertion *assertion; - if (ctx == NULL) - return GSS_S_COMPLETE; + if (authenticated != NULL) + *authenticated = false; + if (complete != NULL) + *complete = true; + *pAttribute = NULL; - if (type != ATTR_TYPE_NONE) - return GSS_S_UNAVAILABLE; + if (!getAssertion(authenticated, &assertion) || + assertion->getAttributeStatements().size() == 0) + return false; + + /* Check the attribute name consists of name format | whsp | name */ + BaseRefVectorOf *components = decomposeAttributeName(attr); + if (components == NULL) + return false; - for (vector::const_iterator a = ctx->getAttributes().begin(); - a != ctx->getAttributes().end(); - ++a) - { - gss_buffer_desc attribute; + /* For each attribute statement, look for an attribute match */ + const vector &statements = + const_cast(assertion)->getAttributeStatements(); + const saml2::Attribute *ret = NULL; - attribute.value = (void *)((*a)->getId()); - attribute.length = strlen((char *)attribute.value); + for (vector::const_iterator s = statements.begin(); + s != statements.end(); + ++s) { + const vector &attrs = + const_cast(*s)->getAttributes(); - major = addAttribute(minor, name, &attribute, data); - if (GSS_ERROR(major)) + for (vector::const_iterator a = attrs.begin(); a != attrs.end(); ++a) { + if (XMLString::equals((*a)->getNameFormat(), components->elementAt(0)) && + XMLString::equals((*a)->getName(), components->elementAt(1))) { + ret = *a; + break; + } + } + + if (ret != NULL) break; } - return major; -} + delete components; -/* - * SAML implementation of gss_get_name_attribute - */ -OM_uint32 -samlGetAttribute(OM_uint32 *minor, - enum gss_eap_attribute_type type, - gss_name_t name, - gss_buffer_t attr, - int *authenticated, - int *complete, - gss_buffer_t value, - gss_buffer_t display_value, - int *more) -{ - struct gss_eap_saml_attr_ctx *ctx = name->samlCtx; - bool ret; + *pAttribute = ret; - if (ctx == NULL) - return GSS_S_UNAVAILABLE; - - switch (type) { - case ATTR_TYPE_NONE: - ret = ctx->getAttribute(attr, authenticated, complete, - value, display_value, more); - break; - default: - ret = false; - break; - } - - return ret ? GSS_S_COMPLETE : GSS_S_UNAVAILABLE; + return (ret != NULL); } -OM_uint32 -samlSetAttribute(OM_uint32 *minor, - gss_name_t name, - int complete, - gss_buffer_t attr, - gss_buffer_t value) +bool +gss_eap_saml_attr_provider::getAttribute(const gss_buffer_t attr, + int *authenticated, + int *complete, + gss_buffer_t value, + gss_buffer_t display_value, + int *more) const { - struct gss_eap_saml_attr_ctx *ctx = name->samlCtx; + const saml2::Attribute *a; + const saml2::AttributeValue *av; + int nvalues, i = *more; - if (ctx == NULL) - return GSS_S_UNAVAILABLE; + *more = 0; - try { - ctx->setAttribute(complete, attr, value); - } catch (exception &e) { - return mapException(minor, e); - } - - return GSS_S_COMPLETE; -} - -OM_uint32 -samlDeleteAttribute(OM_uint32 *minor, - gss_name_t name, - gss_buffer_t attr) -{ - struct gss_eap_saml_attr_ctx *ctx = name->samlCtx; + if (!getAttribute(attr, authenticated, complete, &a)) + return false; - if (ctx == NULL) - return GSS_S_UNAVAILABLE; + nvalues = a->getAttributeValues().size(); - try { - ctx->deleteAttribute(attr); - } catch (exception &e) { - return mapException(minor, e); + if (i == -1) + i = 0; + else if (i >= nvalues) + return false; +#ifdef __APPLE__ + av = (const saml2::AttributeValue *)((void *)(a->getAttributeValues().at(i))); +#else + av = dynamic_cast(a->getAttributeValues().at(i)); +#endif + if (av != NULL) { + if (value != NULL) { + value->value = toUTF8(av->getTextContent(), true); + value->length = strlen((char *)value->value); + } + if (display_value != NULL) { + display_value->value = toUTF8(av->getTextContent(), true); + display_value->length = strlen((char *)value->value); + } } - return GSS_S_COMPLETE; + if (nvalues > ++i) + *more = i; + + return true; } -/* - * In order to implement gss_export_name and gss_export_sec_context, - * we need to serialise a resolved attribute context to a buffer. - */ -OM_uint32 -samlExportAttrContext(OM_uint32 *minor, - gss_name_t name, - gss_buffer_t buffer) +gss_any_t +gss_eap_saml_attr_provider::mapToAny(int authenticated GSSEAP_UNUSED, + gss_buffer_t type_id GSSEAP_UNUSED) const { - struct gss_eap_saml_attr_ctx *ctx = name->samlCtx; - - try { - ctx->marshall(buffer); - } catch (exception &e) { - return mapException(minor, e); - } - - return GSS_S_COMPLETE; + return (gss_any_t)NULL; } -/* - * In order to implement gss_import_name and gss_import_sec_context, - * we need to deserialise a resolved attribute context from a buffer. - */ -OM_uint32 -samlImportAttrContext(OM_uint32 *minor, - gss_buffer_t buffer, - gss_name_t name) +void +gss_eap_saml_attr_provider::releaseAnyNameMapping(gss_buffer_t type_id GSSEAP_UNUSED, + gss_any_t input GSSEAP_UNUSED) const { - try { - assert(name->samlCtx == NULL); - name->samlCtx = gss_eap_saml_attr_ctx::unmarshall(buffer); - } catch (exception &e) { - return mapException(minor, e); - } - - return GSS_S_COMPLETE; } -OM_uint32 -samlGetAssertion(OM_uint32 *minor, - gss_name_t name, - gss_buffer_t assertion) +void +gss_eap_saml_attr_provider::exportToBuffer(gss_buffer_t buffer) const { - struct gss_eap_saml_attr_ctx *ctx = name->samlCtx; - - if (ctx == NULL) - return GSS_S_UNAVAILABLE; - - try { - ctx->getAssertion(assertion); - } catch (exception &e) { - return mapException(minor, e); - } - - return GSS_S_COMPLETE; + buffer->length = 0; + buffer->value = NULL; } -OM_uint32 -samlDuplicateAttrContext(OM_uint32 *minor, - gss_name_t in, - gss_name_t out) +bool +gss_eap_saml_attr_provider::initFromBuffer(const gss_eap_attr_ctx *ctx, + const gss_buffer_t buffer) { - try { - if (in->samlCtx != NULL) - out->samlCtx = new gss_eap_saml_attr_ctx(*(in->samlCtx)); - else - out->samlCtx = NULL; - } catch (exception &e) { - return mapException(minor, e); - } - - return GSS_S_COMPLETE; + return gss_eap_attr_provider::initFromBuffer(ctx, buffer); } -OM_uint32 -samlMapNameToAny(OM_uint32 *minor, - gss_name_t name, - int authenticated, - gss_buffer_t type_id, - gss_any_t *output) +bool +gss_eap_saml_attr_provider::init(void) { - struct gss_eap_saml_attr_ctx *ctx = name->samlCtx; - - if (bufferEqualString(type_id, "shibsp::Attribute")) { - vector v = duplicateAttributes(ctx->getAttributes()); + gss_eap_attr_ctx::registerProvider(ATTR_TYPE_SAML, + "urn:ietf:params:gss-eap:saml-attr", + createAttrContext); + return true; +} - *output = (gss_any_t)new vector (v); - } else if (bufferEqualString(type_id, "opensaml::Assertion")) { - *output = (gss_any_t)ctx->getAssertion()->clone(); - } else { - *output = (gss_any_t)NULL; - return GSS_S_UNAVAILABLE; - } +void +gss_eap_saml_attr_provider::finalize(void) +{ + gss_eap_attr_ctx::unregisterProvider(ATTR_TYPE_SAML); +} - return GSS_S_COMPLETE; +gss_eap_attr_provider * +gss_eap_saml_attr_provider::createAttrContext(void) +{ + return new gss_eap_saml_attr_provider; } OM_uint32 -samlReleaseAnyNameMapping(OM_uint32 *minor, - gss_name_t name, - gss_buffer_t type_id, - gss_any_t *input) -{ - if (bufferEqualString(type_id, "vector")) { - vector *v = ((vector *)*input); - delete v; - } else if (bufferEqualString(type_id, "opensaml::Assertion")) { - delete (Assertion *)*input; - } else { - return GSS_S_UNAVAILABLE; +gssEapSamlAttrProvidersInit(OM_uint32 *minor) +{ + if (!gss_eap_saml_assertion_provider::init() || + !gss_eap_saml_attr_provider::init()) { + *minor = GSSEAP_SAML_INIT_FAILURE; + return GSS_S_FAILURE; } - *input = (gss_any_t)NULL; return GSS_S_COMPLETE; } OM_uint32 -samlInit(OM_uint32 *minor) +gssEapSamlAttrProvidersFinalize(OM_uint32 *minor) { - *minor = 0; + gss_eap_saml_attr_provider::finalize(); + gss_eap_saml_assertion_provider::finalize(); - return ShibbolethResolver::init() ? GSS_S_COMPLETE : GSS_S_FAILURE; -} - -OM_uint32 -samlFinalize(OM_uint32 *minor) -{ *minor = 0; - - ShibbolethResolver::term(); return GSS_S_COMPLETE; }