X-Git-Url: http://www.project-moonshot.org/gitweb/?p=mech_eap.git;a=blobdiff_plain;f=util_saml.cpp;h=5346cc4537234f5957a2c822859f1f87f9f73026;hp=321cad62c34727b3592a00f713af0c686432f5ab;hb=ae79fdae047f980d01b2b4e84ccea52e24d8c7a0;hpb=ef586f9114b022ec11c5b498fadefc7a5d19bf00

diff --git a/util_saml.cpp b/util_saml.cpp
index 321cad6..5346cc4 100644
--- a/util_saml.cpp
+++ b/util_saml.cpp
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2010, JANET(UK)
+ * Copyright (c) 2011, JANET(UK)
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -30,17 +30,26 @@
  * SUCH DAMAGE.
  */
 
+/*
+ * SAML attribute provider implementation.
+ */
+
 #include "gssapiP_eap.h"
 
 #include <sstream>
 
 #include <xercesc/util/XMLUniDefs.hpp>
+#include <xmltooling/unicode.h>
 #include <xmltooling/XMLToolingConfig.h>
 #include <xmltooling/util/XMLHelper.h>
+#include <xmltooling/util/ParserPool.h>
+#include <xmltooling/util/DateTime.h>
 
+#include <saml/exceptions.h>
 #include <saml/saml1/core/Assertions.h>
 #include <saml/saml2/core/Assertions.h>
 #include <saml/saml2/metadata/Metadata.h>
+#include <saml/saml2/metadata/MetadataProvider.h>
 
 using namespace xmltooling;
 using namespace opensaml::saml2md;
@@ -52,6 +61,17 @@ using namespace std;
  * gss_eap_saml_assertion_provider is for retrieving the underlying
  * assertion.
  */
+gss_eap_saml_assertion_provider::gss_eap_saml_assertion_provider(void)
+{
+    m_assertion = NULL;
+    m_authenticated = false;
+}
+
+gss_eap_saml_assertion_provider::~gss_eap_saml_assertion_provider(void)
+{
+    delete m_assertion;
+}
+
 bool
 gss_eap_saml_assertion_provider::initFromExistingContext(const gss_eap_attr_ctx *manager,
                                                          const gss_eap_attr_provider *ctx)
@@ -77,7 +97,7 @@ gss_eap_saml_assertion_provider::initFromGssContext(const gss_eap_attr_ctx *mana
 {
     const gss_eap_radius_attr_provider *radius;
     gss_buffer_desc value = GSS_C_EMPTY_BUFFER;
-    int authenticated, complete, more = -1;
+    int authenticated, complete;
     OM_uint32 minor;
 
     assert(m_assertion == NULL);
@@ -85,11 +105,15 @@ gss_eap_saml_assertion_provider::initFromGssContext(const gss_eap_attr_ctx *mana
     if (!gss_eap_attr_provider::initFromGssContext(manager, gssCred, gssCtx))
         return false;
 
+    /*
+     * XXX TODO we need to support draft-howlett-radius-saml-attr-00
+     */
     radius = static_cast<const gss_eap_radius_attr_provider *>
         (m_manager->getProvider(ATTR_TYPE_RADIUS));
     if (radius != NULL &&
-        radius->getAttribute(512 /* XXX */, &authenticated, &complete,
-                             &value, NULL, &more)) {
+        radius->getFragmentedAttribute(PW_SAML_AAA_ASSERTION,
+                                       VENDORPEC_UKERNA,
+                                       &authenticated, &complete, &value)) {
         setAssertion(&value, authenticated);
         gss_release_buffer(&minor, &value);
     } else {
@@ -99,11 +123,6 @@ gss_eap_saml_assertion_provider::initFromGssContext(const gss_eap_attr_ctx *mana
     return true;
 }
 
-gss_eap_saml_assertion_provider::~gss_eap_saml_assertion_provider(void)
-{
-    delete m_assertion;
-}
-
 void
 gss_eap_saml_assertion_provider::setAssertion(const saml2::Assertion *assertion,
                                               bool authenticated)
@@ -112,7 +131,11 @@ gss_eap_saml_assertion_provider::setAssertion(const saml2::Assertion *assertion,
     delete m_assertion;
 
     if (assertion != NULL) {
+#ifdef __APPLE__
+        m_assertion = (saml2::Assertion *)((void *)assertion->clone());
+#else
         m_assertion = dynamic_cast<saml2::Assertion *>(assertion->clone());
+#endif
         m_authenticated = authenticated;
     } else {
         m_assertion = NULL;
@@ -138,36 +161,98 @@ gss_eap_saml_assertion_provider::parseAssertion(const gss_buffer_t buffer)
     DOMDocument *doc;
     const XMLObjectBuilder *b;
 
-    doc = XMLToolingConfig::getConfig().getParser().parse(istream);
-    b = XMLObjectBuilder::getBuilder(doc->getDocumentElement());
+    try {
+        doc = XMLToolingConfig::getConfig().getParser().parse(istream);
+        if (doc == NULL)
+            return NULL;
 
-    return dynamic_cast<saml2::Assertion *>(b->buildFromDocument(doc));
+        b = XMLObjectBuilder::getBuilder(doc->getDocumentElement());
+
+#ifdef __APPLE__
+        return (saml2::Assertion *)((void *)b->buildFromDocument(doc));
+#else
+        return dynamic_cast<saml2::Assertion *>(b->buildFromDocument(doc));
+#endif
+    } catch (exception &e) {
+        return NULL;
+    }
 }
 
 bool
 gss_eap_saml_assertion_provider::getAttributeTypes(gss_eap_attr_enumeration_cb addAttribute,
                                                    void *data) const
 {
+    bool ret;
+
     /* just add the prefix */
-    return addAttribute(this, GSS_C_NO_BUFFER, data);
+    if (m_assertion != NULL)
+        ret = addAttribute(this, GSS_C_NO_BUFFER, data);
+    else
+        ret = true;
+
+    return ret;
 }
 
-void
-gss_eap_saml_assertion_provider::setAttribute(int complete,
+bool
+gss_eap_saml_assertion_provider::setAttribute(int complete GSSEAP_UNUSED,
                                               const gss_buffer_t attr,
                                               const gss_buffer_t value)
 {
     if (attr == GSS_C_NO_BUFFER || attr->length == 0) {
         setAssertion(value);
+        return true;
     }
+
+    return false;
 }
 
-void
-gss_eap_saml_assertion_provider::deleteAttribute(const gss_buffer_t value)
+bool
+gss_eap_saml_assertion_provider::deleteAttribute(const gss_buffer_t value GSSEAP_UNUSED)
 {
     delete m_assertion;
     m_assertion = NULL;
     m_authenticated = false;
+
+    return true;
+}
+
+time_t
+gss_eap_saml_assertion_provider::getExpiryTime(void) const
+{
+    saml2::Conditions *conditions;
+    time_t expiryTime = 0;
+
+    if (m_assertion == NULL)
+        return 0;
+
+    conditions = m_assertion->getConditions();
+
+    if (conditions != NULL && conditions->getNotOnOrAfter() != NULL)
+        expiryTime = conditions->getNotOnOrAfter()->getEpoch();
+
+    return expiryTime;
+}
+
+OM_uint32
+gss_eap_saml_assertion_provider::mapException(OM_uint32 *minor,
+                                              std::exception &e) const
+{
+    if (typeid(e) == typeid(SecurityPolicyException))
+        *minor = GSSEAP_SAML_SEC_POLICY_FAILURE;
+    else if (typeid(e) == typeid(BindingException))
+        *minor = GSSEAP_SAML_BINDING_FAILURE;
+    else if (typeid(e) == typeid(ProfileException))
+        *minor = GSSEAP_SAML_PROFILE_FAILURE;
+    else if (typeid(e) == typeid(FatalProfileException))
+        *minor = GSSEAP_SAML_FATAL_PROFILE_FAILURE;
+    else if (typeid(e) == typeid(RetryableProfileException))
+        *minor = GSSEAP_SAML_RETRY_PROFILE_FAILURE;
+    else if (typeid(e) == typeid(MetadataException))
+        *minor = GSSEAP_SAML_METADATA_FAILURE;
+    else
+        return GSS_S_CONTINUE_NEEDED;
+
+    return GSS_S_FAILURE;
 }
 
 bool
@@ -175,12 +260,12 @@ gss_eap_saml_assertion_provider::getAttribute(const gss_buffer_t attr,
                                               int *authenticated,
                                               int *complete,
                                               gss_buffer_t value,
-                                              gss_buffer_t display_value,
+                                              gss_buffer_t display_value GSSEAP_UNUSED,
                                               int *more) const
 {
     string str;
 
-    if (attr != GSS_C_NO_BUFFER || attr->length != 0)
+    if (attr != GSS_C_NO_BUFFER && attr->length != 0)
         return false;
 
     if (m_assertion == NULL)
@@ -189,8 +274,10 @@ gss_eap_saml_assertion_provider::getAttribute(const gss_buffer_t attr,
     if (*more != -1)
         return false;
 
-    *authenticated = m_authenticated;
-    *complete = false;
+    if (authenticated != NULL)
+        *authenticated = m_authenticated;
+    if (complete != NULL)
+        *complete = true;
 
     XMLHelper::serialize(m_assertion->marshall((DOMDocument *)NULL), str);
 
@@ -202,13 +289,16 @@ gss_eap_saml_assertion_provider::getAttribute(const gss_buffer_t attr,
 
 gss_any_t
 gss_eap_saml_assertion_provider::mapToAny(int authenticated,
-                                          gss_buffer_t type_id) const
+                                          gss_buffer_t type_id GSSEAP_UNUSED) const
 {
+    if (authenticated && !m_authenticated)
+        return (gss_any_t)NULL;
+
     return (gss_any_t)m_assertion;
 }
 
 void
-gss_eap_saml_assertion_provider::releaseAnyNameMapping(gss_buffer_t type_id,
+gss_eap_saml_assertion_provider::releaseAnyNameMapping(gss_buffer_t type_id GSSEAP_UNUSED,
                                                        gss_any_t input) const
 {
     delete ((saml2::Assertion *)input);
@@ -255,7 +345,7 @@ gss_eap_saml_assertion_provider::init(void)
 {
     gss_eap_attr_ctx::registerProvider(ATTR_TYPE_SAML_ASSERTION,
                                        "urn:ietf:params:gss-eap:saml-aaa-assertion",
-                                       gss_eap_saml_assertion_provider::createAttrContext);
+                                       createAttrContext);
     return true;
 }
 
@@ -271,40 +361,59 @@ gss_eap_saml_assertion_provider::createAttrContext(void)
     return new gss_eap_saml_assertion_provider;
 }
 
+saml2::Assertion *
+gss_eap_saml_assertion_provider::initAssertion(void)
+{
+    delete m_assertion;
+    m_assertion = saml2::AssertionBuilder::buildAssertion();
+    m_authenticated = false;
+
+    return m_assertion;
+}
+
 /*
  * gss_eap_saml_attr_provider is for retrieving the underlying attributes.
  */
 bool
 gss_eap_saml_attr_provider::getAssertion(int *authenticated,
-                                         const saml2::Assertion **pAssertion) const
+                                         saml2::Assertion **pAssertion,
+                                         bool createIfAbsent) const
 {
-    const gss_eap_saml_assertion_provider *saml;
+    gss_eap_saml_assertion_provider *saml;
 
-    *authenticated = false;
-    *pAssertion = NULL;
+    if (authenticated != NULL)
+        *authenticated = false;
+    if (pAssertion != NULL)
+        *pAssertion = NULL;
 
     saml = static_cast<const gss_eap_saml_assertion_provider *>
         (m_manager->getProvider(ATTR_TYPE_SAML_ASSERTION));
     if (saml == NULL)
         return false;
 
-    *authenticated = saml->authenticated();
-    *pAssertion = saml->getAssertion();
-
-    return (*pAssertion != NULL);
-}
+    if (authenticated != NULL)
+        *authenticated = saml->authenticated();
+    if (pAssertion != NULL)
+        *pAssertion = saml->getAssertion();
+
+    if (saml->getAssertion() == NULL) {
+        if (createIfAbsent) {
+            if (authenticated != NULL)
+                *authenticated = false;
+            if (pAssertion != NULL)
+                *pAssertion = saml->initAssertion();
+        } else
+            return false;
+    }
 
-gss_eap_saml_attr_provider::~gss_eap_saml_attr_provider(void)
-{
-    /* Nothing to do, we're just a wrapper around the assertion provider. */
+    return true;
 }
 
 bool
 gss_eap_saml_attr_provider::getAttributeTypes(gss_eap_attr_enumeration_cb addAttribute,
                                               void *data) const
 {
-    const saml2::Assertion *assertion;
-    bool ret = true;
+    saml2::Assertion *assertion;
     int authenticated;
 
     if (!getAssertion(&authenticated, &assertion))
@@ -324,49 +433,43 @@ gss_eap_saml_attr_provider::getAttributeTypes(gss_eap_attr_enumeration_cb addAtt
      *   query, the retrieved attributes SHOULD be GSS-API name attributes
      *   using the same name syntax.
      */
-    const vector<saml2::Attribute*>& attrs2 =
-        const_cast<const saml2::AttributeStatement*>(assertion->getAttributeStatements().front())->getAttributes();
-    for (vector<saml2::Attribute*>::const_iterator a = attrs2.begin();
-        a != attrs2.end();
-        ++a)
-    {
-        const XMLCh *attributeName = (*a)->getName();
-        const XMLCh *attributeNameFormat = (*a)->getNameFormat();
-        XMLCh *qualifiedName;
-        XMLCh space[2] = { ' ', 0 };
-        gss_buffer_desc utf8;
-
-        qualifiedName = new XMLCh[XMLString::stringLen(attributeName) + 1 +
-                                  XMLString::stringLen(attributeNameFormat) + 1];
-        XMLString::copyString(qualifiedName, attributeName);
-        XMLString::catString(qualifiedName, space);
-        XMLString::catString(qualifiedName, attributeNameFormat);
-
-        utf8.value = (void *)toUTF8(qualifiedName);
-        utf8.length = strlen((char *)utf8.value);
-
-        ret = addAttribute(this, &utf8, data);
-
-        delete qualifiedName;
-        delete qualifiedName;
-
-        if (!ret)
-            break;
-    }
+    /* For each attribute statement, look for an attribute match */
+    const vector <saml2::AttributeStatement *> &statements =
+        const_cast<const saml2::Assertion *>(assertion)->getAttributeStatements();
 
-    return ret;
-}
+    for (vector<saml2::AttributeStatement *>::const_iterator s = statements.begin();
+        s != statements.end();
+        ++s) {
+        const vector<saml2::Attribute*> &attrs =
+            const_cast<const saml2::AttributeStatement*>(*s)->getAttributes();
 
-void
-gss_eap_saml_attr_provider::setAttribute(int complete,
-                                         const gss_buffer_t attr,
-                                         const gss_buffer_t value)
-{
-}
+        for (vector<saml2::Attribute*>::const_iterator a = attrs.begin(); a != attrs.end(); ++a) {
+            const XMLCh *attributeName = (*a)->getName();
+            const XMLCh *attributeNameFormat = (*a)->getNameFormat();
+            XMLCh *qualifiedName;
+            XMLCh space[2] = { ' ', 0 };
+            gss_buffer_desc utf8;
+            bool ret;
 
-void
-gss_eap_saml_attr_provider::deleteAttribute(const gss_buffer_t value)
-{
+            qualifiedName = new XMLCh[XMLString::stringLen(attributeNameFormat) + 1 +
+                                      XMLString::stringLen(attributeName) + 1];
+            XMLString::copyString(qualifiedName, attributeNameFormat);
+            XMLString::catString(qualifiedName, space);
+            XMLString::catString(qualifiedName, attributeName);
+
+            utf8.value = (void *)toUTF8(qualifiedName);
+            utf8.length = strlen((char *)utf8.value);
+
+            ret = addAttribute(this, &utf8, data);
+
+            delete qualifiedName;
+
+            if (!ret)
+                return ret;
+        }
+    }
+
+    return true;
 }
 
 static BaseRefVectorOf<XMLCh> *
@@ -379,19 +482,120 @@ decomposeAttributeName(const gss_buffer_t attr)
 
     delete qualifiedAttr;
 
+    if (components->size() != 2) {
+        delete components;
+        components = NULL;
+    }
+
     return components;
 }
 
 bool
+gss_eap_saml_attr_provider::setAttribute(int complete GSSEAP_UNUSED,
+                                         const gss_buffer_t attr,
+                                         const gss_buffer_t value)
+{
+    saml2::Assertion *assertion;
+    saml2::Attribute *attribute;
+    saml2::AttributeValue *attributeValue;
+    saml2::AttributeStatement *attributeStatement;
+
+    if (!getAssertion(NULL, &assertion, true))
+        return false;
+
+    if (assertion->getAttributeStatements().size() != 0) {
+        attributeStatement = assertion->getAttributeStatements().front();
+    } else {
+        attributeStatement = saml2::AttributeStatementBuilder::buildAttributeStatement();
+        assertion->getAttributeStatements().push_back(attributeStatement);
+    }
+
+    /* Check the attribute name consists of name format | whsp | name */
+    BaseRefVectorOf<XMLCh> *components = decomposeAttributeName(attr);
+    if (components == NULL)
+        return false;
+
+    attribute = saml2::AttributeBuilder::buildAttribute();
+    attribute->setNameFormat(components->elementAt(0));
+    attribute->setName(components->elementAt(1));
+
+    XMLCh *xmlValue = new XMLCh[value->length + 1];
+    XMLString::transcode((const char *)value->value, xmlValue, attr->length);
+
+    attributeValue = saml2::AttributeValueBuilder::buildAttributeValue();
+    attributeValue->setTextContent(xmlValue);
+
+    attribute->getAttributeValues().push_back(attributeValue);
+
+    assert(attributeStatement != NULL);
+    attributeStatement->getAttributes().push_back(attribute);
+
+    delete components;
+    delete xmlValue;
+
+    return true;
+}
+
+bool
+gss_eap_saml_attr_provider::deleteAttribute(const gss_buffer_t attr)
+{
+    saml2::Assertion *assertion;
+    bool ret = false;
+
+    if (!getAssertion(NULL, &assertion) ||
+        assertion->getAttributeStatements().size() == 0)
+        return false;
+
+    /* Check the attribute name consists of name format | whsp | name */
+    BaseRefVectorOf<XMLCh> *components = decomposeAttributeName(attr);
+    if (components == NULL)
+        return false;
+
+    /* For each attribute statement, look for an attribute match */
+    const vector<saml2::AttributeStatement *> &statements =
+        const_cast<const saml2::Assertion *>(assertion)->getAttributeStatements();
+
+    for (vector<saml2::AttributeStatement *>::const_iterator s = statements.begin();
+        s != statements.end();
+        ++s) {
+        const vector<saml2::Attribute *> &attrs =
+            const_cast<const saml2::AttributeStatement *>(*s)->getAttributes();
+        ssize_t index = -1, i = 0;
+
+        /* There's got to be an easier way to do this */
+        for (vector<saml2::Attribute *>::const_iterator a = attrs.begin();
+             a != attrs.end();
+             ++a) {
+            if (XMLString::equals((*a)->getNameFormat(), components->elementAt(0)) &&
+                XMLString::equals((*a)->getName(), components->elementAt(1))) {
+                index = i;
+                break;
+            }
+            ++i;
+        }
+        if (index != -1) {
+            (*s)->getAttributes().erase((*s)->getAttributes().begin() + index);
+            ret = true;
+        }
+    }
+
+    delete components;
+
+    return ret;
+}
+
+bool
 gss_eap_saml_attr_provider::getAttribute(const gss_buffer_t attr,
                                          int *authenticated,
                                          int *complete,
                                          const saml2::Attribute **pAttribute) const
 {
-    const saml2::Assertion *assertion;
+    saml2::Assertion *assertion;
 
-    *authenticated = false;
-    *complete = true;
+    if (authenticated != NULL)
+        *authenticated = false;
+    if (complete != NULL)
+        *complete = true;
     *pAttribute = NULL;
 
     if (!getAssertion(authenticated, &assertion) ||
@@ -400,23 +604,21 @@ gss_eap_saml_attr_provider::getAttribute(const gss_buffer_t attr,
 
     /* Check the attribute name consists of name format | whsp | name */
     BaseRefVectorOf<XMLCh> *components = decomposeAttributeName(attr);
-    if (components == NULL || components->size() != 2) {
-        delete components;
+    if (components == NULL)
         return false;
-    }
 
     /* For each attribute statement, look for an attribute match */
-    const vector <saml2::AttributeStatement *>&statements =
-        assertion->getAttributeStatements();
+    const vector <saml2::AttributeStatement *> &statements =
+        const_cast<const saml2::Assertion *>(assertion)->getAttributeStatements();
     const saml2::Attribute *ret = NULL;
 
     for (vector<saml2::AttributeStatement *>::const_iterator s = statements.begin();
         s != statements.end();
         ++s) {
-        const vector<saml2::Attribute*>& attrs =
+        const vector<saml2::Attribute *> &attrs =
             const_cast<const saml2::AttributeStatement*>(*s)->getAttributes();
 
-        for (vector<saml2::Attribute*>::const_iterator a = attrs.begin(); a != attrs.end(); ++a) {
+        for (vector<saml2::Attribute *>::const_iterator a = attrs.begin(); a != attrs.end(); ++a) {
             if (XMLString::equals((*a)->getNameFormat(), components->elementAt(0)) &&
                 XMLString::equals((*a)->getName(), components->elementAt(1))) {
                 ret = *a;
@@ -458,32 +660,38 @@ gss_eap_saml_attr_provider::getAttribute(const gss_buffer_t attr,
         i = 0;
     else if (i >= nvalues)
         return false;
-    av = dynamic_cast<const saml2::AttributeValue *>(a->getAttributeValues().at(i)
-);
+#ifdef __APPLE__
+    av = (const saml2::AttributeValue *)((void *)(a->getAttributeValues().at(i)));
+#else
+    av = dynamic_cast<const saml2::AttributeValue *>(a->getAttributeValues().at(i));
+#endif
     if (av != NULL) {
-        value->value = toUTF8(av->getTextContent(), true);
-        value->length = strlen((char *)value->value);
-
-        if (display_value != NULL)
-            duplicateBuffer(*value, display_value);
-
-        if (nvalues > ++i)
-            *more = i;
+        if (value != NULL) {
+            value->value = toUTF8(av->getTextContent(), true);
+            value->length = strlen((char *)value->value);
+        }
+        if (display_value != NULL) {
+            display_value->value = toUTF8(av->getTextContent(), true);
+            display_value->length = strlen((char *)value->value);
+        }
     }
 
+    if (nvalues > ++i)
+        *more = i;
+
     return true;
 }
 
 gss_any_t
-gss_eap_saml_attr_provider::mapToAny(int authenticated,
-                                     gss_buffer_t type_id) const
+gss_eap_saml_attr_provider::mapToAny(int authenticated GSSEAP_UNUSED,
+                                     gss_buffer_t type_id GSSEAP_UNUSED) const
 {
     return (gss_any_t)NULL;
 }
 
 void
-gss_eap_saml_attr_provider::releaseAnyNameMapping(gss_buffer_t type_id,
-                                                  gss_any_t input) const
+gss_eap_saml_attr_provider::releaseAnyNameMapping(gss_buffer_t type_id GSSEAP_UNUSED,
+                                                  gss_any_t input GSSEAP_UNUSED) const
 {
 }
 
@@ -506,7 +714,7 @@ gss_eap_saml_attr_provider::init(void)
 {
     gss_eap_attr_ctx::registerProvider(ATTR_TYPE_SAML,
                                        "urn:ietf:params:gss-eap:saml-attr",
-                                       gss_eap_saml_attr_provider::createAttrContext);
+                                       createAttrContext);
     return true;
 }
 
@@ -521,3 +729,25 @@ gss_eap_saml_attr_provider::createAttrContext(void)
 {
     return new gss_eap_saml_attr_provider;
 }
+
+OM_uint32
+gssEapSamlAttrProvidersInit(OM_uint32 *minor)
+{
+    if (!gss_eap_saml_assertion_provider::init() ||
+        !gss_eap_saml_attr_provider::init()) {
+        *minor = GSSEAP_SAML_INIT_FAILURE;
+        return GSS_S_FAILURE;
+    }
+
+    return GSS_S_COMPLETE;
+}
+
+OM_uint32
+gssEapSamlAttrProvidersFinalize(OM_uint32 *minor)
+{
+    gss_eap_saml_attr_provider::finalize();
+    gss_eap_saml_assertion_provider::finalize();
+
+    *minor = 0;
+    return GSS_S_COMPLETE;
+}