2 * Copyright (c) 2011, JANET(UK)
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
9 * 1. Redistributions of source code must retain the above copyright
10 * notice, this list of conditions and the following disclaimer.
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in the
14 * documentation and/or other materials provided with the distribution.
16 * 3. Neither the name of JANET(UK) nor the names of its contributors
17 * may be used to endorse or promote products derived from this software
18 * without specific prior written permission.
20 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
21 * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
22 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
23 * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
24 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
25 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
26 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
27 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
28 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
29 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
34 * SAML attribute provider implementation.
37 #include "gssapiP_eap.h"
41 #include <xercesc/util/XMLUniDefs.hpp>
42 #include <xmltooling/unicode.h>
43 #include <xmltooling/XMLToolingConfig.h>
44 #include <xmltooling/util/XMLHelper.h>
45 #include <xmltooling/util/ParserPool.h>
46 #include <xmltooling/util/DateTime.h>
48 #include <saml/exceptions.h>
49 #include <saml/saml1/core/Assertions.h>
50 #include <saml/saml2/core/Assertions.h>
51 #include <saml/saml2/metadata/Metadata.h>
52 #include <saml/saml2/metadata/MetadataProvider.h>
54 using namespace xmltooling;
55 using namespace opensaml::saml2md;
56 using namespace opensaml;
57 using namespace xercesc;
61 * gss_eap_saml_assertion_provider is for retrieving the underlying
64 gss_eap_saml_assertion_provider::gss_eap_saml_assertion_provider(void)
67 m_authenticated = false;
70 gss_eap_saml_assertion_provider::~gss_eap_saml_assertion_provider(void)
76 gss_eap_saml_assertion_provider::initFromExistingContext(const gss_eap_attr_ctx *manager,
77 const gss_eap_attr_provider *ctx)
79 /* Then we may be creating from an existing attribute context */
80 const gss_eap_saml_assertion_provider *saml;
82 assert(m_assertion == NULL);
84 if (!gss_eap_attr_provider::initFromExistingContext(manager, ctx))
87 saml = static_cast<const gss_eap_saml_assertion_provider *>(ctx);
88 setAssertion(saml->getAssertion(), saml->authenticated());
94 gss_eap_saml_assertion_provider::initFromGssContext(const gss_eap_attr_ctx *manager,
95 const gss_cred_id_t gssCred,
96 const gss_ctx_id_t gssCtx)
98 const gss_eap_radius_attr_provider *radius;
99 gss_buffer_desc value = GSS_C_EMPTY_BUFFER;
100 int authenticated, complete;
103 assert(m_assertion == NULL);
105 if (!gss_eap_attr_provider::initFromGssContext(manager, gssCred, gssCtx))
109 * XXX TODO we need to support draft-howlett-radius-saml-attr-00
111 radius = static_cast<const gss_eap_radius_attr_provider *>
112 (m_manager->getProvider(ATTR_TYPE_RADIUS));
113 if (radius != NULL &&
114 radius->getFragmentedAttribute(PW_SAML_AAA_ASSERTION,
116 &authenticated, &complete, &value)) {
117 setAssertion(&value, authenticated);
118 gss_release_buffer(&minor, &value);
127 gss_eap_saml_assertion_provider::setAssertion(const saml2::Assertion *assertion,
133 if (assertion != NULL) {
135 m_assertion = (saml2::Assertion *)((void *)assertion->clone());
137 m_assertion = dynamic_cast<saml2::Assertion *>(assertion->clone());
139 m_authenticated = authenticated;
142 m_authenticated = false;
147 gss_eap_saml_assertion_provider::setAssertion(const gss_buffer_t buffer,
152 m_assertion = parseAssertion(buffer);
153 m_authenticated = (m_assertion != NULL && authenticated);
157 gss_eap_saml_assertion_provider::parseAssertion(const gss_buffer_t buffer)
159 string str((char *)buffer->value, buffer->length);
160 istringstream istream(str);
162 const XMLObjectBuilder *b;
165 doc = XMLToolingConfig::getConfig().getParser().parse(istream);
169 b = XMLObjectBuilder::getBuilder(doc->getDocumentElement());
172 return (saml2::Assertion *)((void *)b->buildFromDocument(doc));
174 return dynamic_cast<saml2::Assertion *>(b->buildFromDocument(doc));
176 } catch (exception &e) {
182 gss_eap_saml_assertion_provider::getAttributeTypes(gss_eap_attr_enumeration_cb addAttribute,
187 /* just add the prefix */
188 if (m_assertion != NULL)
189 ret = addAttribute(m_manager, this, GSS_C_NO_BUFFER, data);
197 gss_eap_saml_assertion_provider::setAttribute(int complete GSSEAP_UNUSED,
198 const gss_buffer_t attr,
199 const gss_buffer_t value)
201 if (attr == GSS_C_NO_BUFFER || attr->length == 0) {
210 gss_eap_saml_assertion_provider::deleteAttribute(const gss_buffer_t value GSSEAP_UNUSED)
214 m_authenticated = false;
220 gss_eap_saml_assertion_provider::getExpiryTime(void) const
222 saml2::Conditions *conditions;
223 time_t expiryTime = 0;
225 if (m_assertion == NULL)
228 conditions = m_assertion->getConditions();
230 if (conditions != NULL && conditions->getNotOnOrAfter() != NULL)
231 expiryTime = conditions->getNotOnOrAfter()->getEpoch();
237 gss_eap_saml_assertion_provider::mapException(OM_uint32 *minor,
238 std::exception &e) const
240 if (typeid(e) == typeid(SecurityPolicyException))
241 *minor = GSSEAP_SAML_SEC_POLICY_FAILURE;
242 else if (typeid(e) == typeid(BindingException))
243 *minor = GSSEAP_SAML_BINDING_FAILURE;
244 else if (typeid(e) == typeid(ProfileException))
245 *minor = GSSEAP_SAML_PROFILE_FAILURE;
246 else if (typeid(e) == typeid(FatalProfileException))
247 *minor = GSSEAP_SAML_FATAL_PROFILE_FAILURE;
248 else if (typeid(e) == typeid(RetryableProfileException))
249 *minor = GSSEAP_SAML_RETRY_PROFILE_FAILURE;
250 else if (typeid(e) == typeid(MetadataException))
251 *minor = GSSEAP_SAML_METADATA_FAILURE;
253 return GSS_S_CONTINUE_NEEDED;
255 return GSS_S_FAILURE;
259 gss_eap_saml_assertion_provider::getAttribute(const gss_buffer_t attr,
263 gss_buffer_t display_value GSSEAP_UNUSED,
268 if (attr != GSS_C_NO_BUFFER && attr->length != 0)
271 if (m_assertion == NULL)
277 if (authenticated != NULL)
278 *authenticated = m_authenticated;
279 if (complete != NULL)
282 XMLHelper::serialize(m_assertion->marshall((DOMDocument *)NULL), str);
284 duplicateBuffer(str, value);
291 gss_eap_saml_assertion_provider::mapToAny(int authenticated,
292 gss_buffer_t type_id GSSEAP_UNUSED) const
294 if (authenticated && !m_authenticated)
295 return (gss_any_t)NULL;
297 return (gss_any_t)m_assertion;
301 gss_eap_saml_assertion_provider::releaseAnyNameMapping(gss_buffer_t type_id GSSEAP_UNUSED,
302 gss_any_t input) const
304 delete ((saml2::Assertion *)input);
310 gss_eap_saml_assertion_provider::prefix(void) const
312 return "urn:ietf:params:gss-eap:saml-aaa-assertion";
316 gss_eap_saml_assertion_provider::exportToBuffer(gss_buffer_t buffer) const
319 gss_eap_saml_assertion_provider::marshall(void) const
320 >>>>>>> 1ef293a... in progress use DDF to serialise names
326 gss_eap_saml_assertion_provider::unmarshallAndInit(const gss_eap_attr_ctx *ctx GSSEAP_UNUSED,
327 DDF &object GSSEAP_UNUSED)
333 >>>>>>> eef7b3b... get DDF marshalling working
335 gss_eap_saml_assertion_provider::init(void)
337 gss_eap_attr_ctx::registerProvider(ATTR_TYPE_SAML_ASSERTION, createAttrContext);
342 gss_eap_saml_assertion_provider::finalize(void)
344 gss_eap_attr_ctx::unregisterProvider(ATTR_TYPE_SAML_ASSERTION);
347 gss_eap_attr_provider *
348 gss_eap_saml_assertion_provider::createAttrContext(void)
350 return new gss_eap_saml_assertion_provider;
354 gss_eap_saml_assertion_provider::initAssertion(void)
357 m_assertion = saml2::AssertionBuilder::buildAssertion();
358 m_authenticated = false;
364 * gss_eap_saml_attr_provider is for retrieving the underlying attributes.
367 gss_eap_saml_attr_provider::getAssertion(int *authenticated,
368 saml2::Assertion **pAssertion,
369 bool createIfAbsent) const
371 gss_eap_saml_assertion_provider *saml;
373 if (authenticated != NULL)
374 *authenticated = false;
375 if (pAssertion != NULL)
378 saml = static_cast<const gss_eap_saml_assertion_provider *>
379 (m_manager->getProvider(ATTR_TYPE_SAML_ASSERTION));
383 if (authenticated != NULL)
384 *authenticated = saml->authenticated();
385 if (pAssertion != NULL)
386 *pAssertion = saml->getAssertion();
388 if (saml->getAssertion() == NULL) {
389 if (createIfAbsent) {
390 if (authenticated != NULL)
391 *authenticated = false;
392 if (pAssertion != NULL)
393 *pAssertion = saml->initAssertion();
402 gss_eap_saml_attr_provider::getAttributeTypes(gss_eap_attr_enumeration_cb addAttribute,
405 saml2::Assertion *assertion;
408 if (!getAssertion(&authenticated, &assertion))
412 * Note: the first prefix is added by the attribute provider manager
414 * From draft-hartman-gss-eap-naming-00:
416 * Each attribute carried in the assertion SHOULD also be a GSS name
417 * attribute. The name of this attribute has three parts, all separated
418 * by an ASCII space character. The first part is
419 * urn:ietf:params:gss-eap:saml-attr. The second part is the URI for
420 * the SAML attribute name format. The final part is the name of the
421 * SAML attribute. If the mechanism performs an additional attribute
422 * query, the retrieved attributes SHOULD be GSS-API name attributes
423 * using the same name syntax.
425 /* For each attribute statement, look for an attribute match */
426 const vector <saml2::AttributeStatement *> &statements =
427 const_cast<const saml2::Assertion *>(assertion)->getAttributeStatements();
429 for (vector<saml2::AttributeStatement *>::const_iterator s = statements.begin();
430 s != statements.end();
432 const vector<saml2::Attribute*> &attrs =
433 const_cast<const saml2::AttributeStatement*>(*s)->getAttributes();
435 for (vector<saml2::Attribute*>::const_iterator a = attrs.begin(); a != attrs.end(); ++a) {
436 const XMLCh *attributeName, *attributeNameFormat;
437 XMLCh *qualifiedName;
438 XMLCh space[2] = { ' ', 0 };
439 gss_buffer_desc utf8;
442 attributeName = (*a)->getName();
443 attributeNameFormat = (*a)->getNameFormat();
444 if (attributeNameFormat == NULL || attributeNameFormat[0] == '\0')
445 attributeNameFormat = saml2::Attribute::UNSPECIFIED;
447 qualifiedName = new XMLCh[XMLString::stringLen(attributeNameFormat) + 1 +
448 XMLString::stringLen(attributeName) + 1];
449 XMLString::copyString(qualifiedName, attributeNameFormat);
450 XMLString::catString(qualifiedName, space);
451 XMLString::catString(qualifiedName, attributeName);
453 utf8.value = (void *)toUTF8(qualifiedName);
454 utf8.length = strlen((char *)utf8.value);
456 ret = addAttribute(m_manager, this, &utf8, data);
458 delete qualifiedName;
468 static BaseRefVectorOf<XMLCh> *
469 decomposeAttributeName(const gss_buffer_t attr)
471 XMLCh *qualifiedAttr = new XMLCh[attr->length + 1];
472 XMLString::transcode((const char *)attr->value, qualifiedAttr, attr->length);
474 BaseRefVectorOf<XMLCh> *components = XMLString::tokenizeString(qualifiedAttr);
476 delete qualifiedAttr;
478 if (components->size() != 2) {
487 gss_eap_saml_attr_provider::setAttribute(int complete GSSEAP_UNUSED,
488 const gss_buffer_t attr,
489 const gss_buffer_t value)
491 saml2::Assertion *assertion;
492 saml2::Attribute *attribute;
493 saml2::AttributeValue *attributeValue;
494 saml2::AttributeStatement *attributeStatement;
496 if (!getAssertion(NULL, &assertion, true))
499 if (assertion->getAttributeStatements().size() != 0) {
500 attributeStatement = assertion->getAttributeStatements().front();
502 attributeStatement = saml2::AttributeStatementBuilder::buildAttributeStatement();
503 assertion->getAttributeStatements().push_back(attributeStatement);
506 /* Check the attribute name consists of name format | whsp | name */
507 BaseRefVectorOf<XMLCh> *components = decomposeAttributeName(attr);
508 if (components == NULL)
511 attribute = saml2::AttributeBuilder::buildAttribute();
512 attribute->setNameFormat(components->elementAt(0));
513 attribute->setName(components->elementAt(1));
515 XMLCh *xmlValue = new XMLCh[value->length + 1];
516 XMLString::transcode((const char *)value->value, xmlValue, attr->length);
518 attributeValue = saml2::AttributeValueBuilder::buildAttributeValue();
519 attributeValue->setTextContent(xmlValue);
521 attribute->getAttributeValues().push_back(attributeValue);
523 assert(attributeStatement != NULL);
524 attributeStatement->getAttributes().push_back(attribute);
533 gss_eap_saml_attr_provider::deleteAttribute(const gss_buffer_t attr)
535 saml2::Assertion *assertion;
538 if (!getAssertion(NULL, &assertion) ||
539 assertion->getAttributeStatements().size() == 0)
542 /* Check the attribute name consists of name format | whsp | name */
543 BaseRefVectorOf<XMLCh> *components = decomposeAttributeName(attr);
544 if (components == NULL)
547 /* For each attribute statement, look for an attribute match */
548 const vector<saml2::AttributeStatement *> &statements =
549 const_cast<const saml2::Assertion *>(assertion)->getAttributeStatements();
551 for (vector<saml2::AttributeStatement *>::const_iterator s = statements.begin();
552 s != statements.end();
554 const vector<saml2::Attribute *> &attrs =
555 const_cast<const saml2::AttributeStatement *>(*s)->getAttributes();
556 ssize_t index = -1, i = 0;
558 /* There's got to be an easier way to do this */
559 for (vector<saml2::Attribute *>::const_iterator a = attrs.begin();
562 if (XMLString::equals((*a)->getNameFormat(), components->elementAt(0)) &&
563 XMLString::equals((*a)->getName(), components->elementAt(1))) {
570 (*s)->getAttributes().erase((*s)->getAttributes().begin() + index);
581 gss_eap_saml_attr_provider::getAttribute(const gss_buffer_t attr,
584 const saml2::Attribute **pAttribute) const
586 saml2::Assertion *assertion;
588 if (authenticated != NULL)
589 *authenticated = false;
590 if (complete != NULL)
594 if (!getAssertion(authenticated, &assertion) ||
595 assertion->getAttributeStatements().size() == 0)
598 /* Check the attribute name consists of name format | whsp | name */
599 BaseRefVectorOf<XMLCh> *components = decomposeAttributeName(attr);
600 if (components == NULL)
603 /* For each attribute statement, look for an attribute match */
604 const vector <saml2::AttributeStatement *> &statements =
605 const_cast<const saml2::Assertion *>(assertion)->getAttributeStatements();
606 const saml2::Attribute *ret = NULL;
608 for (vector<saml2::AttributeStatement *>::const_iterator s = statements.begin();
609 s != statements.end();
611 const vector<saml2::Attribute *> &attrs =
612 const_cast<const saml2::AttributeStatement*>(*s)->getAttributes();
614 for (vector<saml2::Attribute *>::const_iterator a = attrs.begin(); a != attrs.end(); ++a) {
615 const XMLCh *attributeName, *attributeNameFormat;
617 attributeName = (*a)->getName();
618 attributeNameFormat = (*a)->getNameFormat();
619 if (attributeNameFormat == NULL || attributeNameFormat[0] == '\0')
620 attributeNameFormat = saml2::Attribute::UNSPECIFIED;
622 if (XMLString::equals(attributeNameFormat, components->elementAt(0)) &&
623 XMLString::equals(attributeName, components->elementAt(1))) {
637 return (ret != NULL);
641 gss_eap_saml_attr_provider::getAttribute(const gss_buffer_t attr,
645 gss_buffer_t display_value,
648 const saml2::Attribute *a;
649 const saml2::AttributeValue *av;
650 int nvalues, i = *more;
654 if (!getAttribute(attr, authenticated, complete, &a))
657 nvalues = a->getAttributeValues().size();
661 else if (i >= nvalues)
664 av = (const saml2::AttributeValue *)((void *)(a->getAttributeValues().at(i)));
666 av = dynamic_cast<const saml2::AttributeValue *>(a->getAttributeValues().at(i));
670 value->value = toUTF8(av->getTextContent(), true);
671 value->length = strlen((char *)value->value);
673 if (display_value != NULL) {
674 display_value->value = toUTF8(av->getTextContent(), true);
675 display_value->length = strlen((char *)value->value);
686 gss_eap_saml_attr_provider::mapToAny(int authenticated GSSEAP_UNUSED,
687 gss_buffer_t type_id GSSEAP_UNUSED) const
689 return (gss_any_t)NULL;
693 gss_eap_saml_attr_provider::releaseAnyNameMapping(gss_buffer_t type_id GSSEAP_UNUSED,
694 gss_any_t input GSSEAP_UNUSED) const
701 gss_eap_saml_attr_provider::prefix(void) const
703 return "urn:ietf:params:gss-eap:saml-attr";
707 gss_eap_saml_attr_provider::exportToBuffer(gss_buffer_t buffer) const
710 gss_eap_saml_attr_provider::marshall(void) const
711 >>>>>>> 1ef293a... in progress use DDF to serialise names
717 gss_eap_saml_attr_provider::unmarshallAndInit(const gss_eap_attr_ctx *ctx GSSEAP_UNUSED,
718 DDF &object GSSEAP_UNUSED)
724 >>>>>>> eef7b3b... get DDF marshalling working
726 gss_eap_saml_attr_provider::init(void)
728 gss_eap_attr_ctx::registerProvider(ATTR_TYPE_SAML, createAttrContext);
733 gss_eap_saml_attr_provider::finalize(void)
735 gss_eap_attr_ctx::unregisterProvider(ATTR_TYPE_SAML);
738 gss_eap_attr_provider *
739 gss_eap_saml_attr_provider::createAttrContext(void)
741 return new gss_eap_saml_attr_provider;
745 gssEapSamlAttrProvidersInit(OM_uint32 *minor)
747 if (!gss_eap_saml_assertion_provider::init() ||
748 !gss_eap_saml_attr_provider::init()) {
749 *minor = GSSEAP_SAML_INIT_FAILURE;
750 return GSS_S_FAILURE;
753 return GSS_S_COMPLETE;
757 gssEapSamlAttrProvidersFinalize(OM_uint32 *minor)
759 gss_eap_saml_attr_provider::finalize();
760 gss_eap_saml_assertion_provider::finalize();
763 return GSS_S_COMPLETE;
projects / mech_eap.orig / blob