2 * Copyright (c) 2010, JANET(UK)
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
9 * 1. Redistributions of source code must retain the above copyright
10 * notice, this list of conditions and the following disclaimer.
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in the
14 * documentation and/or other materials provided with the distribution.
16 * 3. Neither the name of JANET(UK) nor the names of its contributors
17 * may be used to endorse or promote products derived from this software
18 * without specific prior written permission.
20 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
21 * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
22 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
23 * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
24 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
25 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
26 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
27 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
28 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
29 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
33 * Copyright 2001-2009 Internet2
35 * Licensed under the Apache License, Version 2.0 (the "License");
36 * you may not use this file except in compliance with the License.
37 * You may obtain a copy of the License at
39 * http://www.apache.org/licenses/LICENSE-2.0
41 * Unless required by applicable law or agreed to in writing, software
42 * distributed under the License is distributed on an "AS IS" BASIS,
43 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
44 * See the License for the specific language governing permissions and
45 * limitations under the License.
48 #include <gssapi/gssapi.h>
49 #include <gssapi/gssapi_ext.h>
52 #include <shibsp/Application.h>
53 #include <shibsp/exceptions.h>
54 #include <shibsp/SPConfig.h>
55 #include <shibsp/ServiceProvider.h>
56 #include <shibsp/attribute/Attribute.h>
57 #include <shibsp/attribute/SimpleAttribute.h>
58 #include <shibsp/attribute/resolver/ResolutionContext.h>
59 #include <shibsp/handler/AssertionConsumerService.h>
60 #include <shibsp/metadata/MetadataProviderCriteria.h>
61 #include <shibsp/util/SPConstants.h>
63 #include <saml/saml1/core/Assertions.h>
64 #include <saml/saml2/core/Assertions.h>
65 #include <saml/saml2/metadata/Metadata.h>
66 #include <xercesc/util/XMLUniDefs.hpp>
67 #include <xmltooling/XMLToolingConfig.h>
68 #include <xmltooling/util/XMLHelper.h>
70 using namespace shibsp;
71 using namespace opensaml::saml2md;
72 using namespace opensaml;
73 using namespace xmltooling::logging;
74 using namespace xmltooling;
75 using namespace xercesc;
78 class GSSEAPResolver : public shibsp::AssertionConsumerService
81 GSSEAPResolver(const DOMElement *e, const char *appId)
82 : shibsp::AssertionConsumerService(e, appId, Category::getInstance(SHIBSP_LOGCAT".GSSEAPResolver")) {
84 virtual ~GSSEAPResolver() {}
86 ResolutionContext* resolveAttributes (
87 const Application& application,
88 const RoleDescriptor* issuer,
89 const XMLCh* protocol,
90 const saml1::NameIdentifier* v1nameid,
91 const saml2::NameID* nameid,
92 const XMLCh* authncontext_class,
93 const XMLCh* authncontext_decl,
94 const vector<const Assertion*>* tokens
96 return shibsp::AssertionConsumerService::resolveAttributes(
97 application, issuer, protocol, v1nameid,
98 nameid, authncontext_class, authncontext_decl, tokens
103 void implementProtocol(
104 const Application& application,
105 const HTTPRequest& httpRequest,
106 HTTPResponse& httpResponse,
107 SecurityPolicy& policy,
108 const PropertySet* settings,
109 const XMLObject& xmlObject
111 throw FatalProfileException("Should never be called.");
115 struct eap_gss_saml_attr_ctx {
117 eap_gss_saml_attr_ctx();
118 eap_gss_saml_attr_ctx(const gss_buffer_t buffer);
119 eap_gss_saml_attr_ctx(const Assertion *assertion);
121 eap_gss_saml_attr_ctx(const vector<Attribute*>& attributes,
122 const Assertion *assertion);
124 eap_gss_saml_attr_ctx(const eap_gss_saml_attr_ctx &ctx) {
125 eap_gss_saml_attr_ctx(ctx.m_attributes, ctx.m_assertion);
128 ~eap_gss_saml_attr_ctx();
130 const vector <Attribute *> getAttributes(void) const {
134 void addAttribute(Attribute *attr, bool copy = true);
135 void setAttributes(const vector<Attribute*> attributes);
137 void setAttribute(int complete,
138 const gss_buffer_t attr,
139 const gss_buffer_t value);
140 void deleteAttribute(const gss_buffer_t attr);
142 int getAttributeIndex(const gss_buffer_t attr) const;
143 const Attribute *getAttribute(const gss_buffer_t attr) const;
145 bool getAttribute(const gss_buffer_t attr,
149 gss_buffer_t display_value,
152 const Assertion *getAssertion(void) const {
156 bool getAssertion(gss_buffer_t buffer);
158 DDF marshall() const;
159 static eap_gss_saml_attr_ctx *unmarshall(DDF &in);
161 void marshall(gss_buffer_t buffer);
162 static eap_gss_saml_attr_ctx *unmarshall(const gss_buffer_t buffer);
165 mutable vector<Attribute*> m_attributes;
166 mutable Assertion *m_assertion;
168 bool parseAssertion(const gss_buffer_t buffer);
171 eap_gss_saml_attr_ctx::eap_gss_saml_attr_ctx(const vector<Attribute*>& attributes,
172 const Assertion *assertion)
174 m_assertion = dynamic_cast<Assertion *>(assertion->clone());
175 setAttributes(attributes);
178 eap_gss_saml_attr_ctx::~eap_gss_saml_attr_ctx()
180 for_each(m_attributes.begin(), m_attributes.end(), xmltooling::cleanup<Attribute>());
184 eap_gss_saml_attr_ctx::eap_gss_saml_attr_ctx(const gss_buffer_t buffer)
186 parseAssertion(buffer);
190 mapException(OM_uint32 *minor, exception &e)
193 return GSS_S_FAILURE;
197 eap_gss_saml_attr_ctx::parseAssertion(const gss_buffer_t buffer)
200 const XMLObjectBuilder *b;
203 string str((char *)buffer->value, buffer->length);
204 istringstream istream(str);
206 doc = XMLToolingConfig::getConfig().getParser().parse(istream);
207 b = XMLObjectBuilder::getDefaultBuilder();
208 elem = doc->getDocumentElement();
209 xobj = b->buildOneFromElement(elem, true);
211 m_assertion = dynamic_cast<Assertion *>(xobj);
213 return (m_assertion != NULL);
217 duplicateBuffer(gss_buffer_desc &src, gss_buffer_t dst)
221 if (GSS_ERROR(duplicateBuffer(&minor, &src, dst)))
222 throw new bad_alloc();
226 duplicateBuffer(string &str, gss_buffer_t buffer)
230 tmp.length = str.length();
231 tmp.value = (char *)str.c_str();
233 duplicateBuffer(tmp, buffer);
237 eap_gss_saml_attr_ctx::marshall() const
243 obj.addmember("version").integer(1);
245 attrs = obj.addmember("attributes").list();
246 for (vector<Attribute*>::const_iterator a = m_attributes.begin();
247 a != m_attributes.end(); ++a) {
248 DDF attr = (*a)->marshall();
253 sink << *m_assertion;
254 assertion = obj.addmember("assertion").string(sink.str().c_str());
259 eap_gss_saml_attr_ctx *
260 eap_gss_saml_attr_ctx::unmarshall(DDF &obj)
262 eap_gss_saml_attr_ctx *ctx = new eap_gss_saml_attr_ctx();
264 DDF version = obj["version"];
265 if (version.integer() != 1)
268 DDF assertion = obj["assertion"];
269 gss_buffer_desc buffer;
271 if (!assertion.isnull()) {
272 buffer.length = assertion.strlen();
273 buffer.value = (void *)assertion.string();
278 if (buffer.length != 0)
279 ctx->parseAssertion(&buffer);
281 DDF attrs = obj["attributes"];
282 DDF attr = attrs.first();
283 while (!attr.isnull()) {
284 Attribute *attribute = Attribute::unmarshall(attr);
285 ctx->addAttribute(attribute, false);
293 eap_gss_saml_attr_ctx::marshall(gss_buffer_t buffer)
295 DDF obj = marshall();
298 string str = sink.str();
300 duplicateBuffer(str, buffer);
305 eap_gss_saml_attr_ctx *
306 eap_gss_saml_attr_ctx::unmarshall(const gss_buffer_t buffer)
308 eap_gss_saml_attr_ctx *ctx;
310 string str((const char *)buffer->value, buffer->length);
311 istringstream source(str);
315 ctx = unmarshall(obj);
323 eap_gss_saml_attr_ctx::getAssertion(gss_buffer_t buffer)
327 if (m_assertion == NULL)
330 buffer->value = NULL;
333 XMLHelper::serialize(m_assertion->marshall((DOMDocument *)NULL), str);
335 duplicateBuffer(str, buffer);
341 duplicateAttribute(const Attribute *src)
343 Attribute *attribute;
345 DDF obj = src->marshall();
346 attribute = Attribute::unmarshall(obj);
352 static vector <Attribute *>
353 duplicateAttributes(const vector <Attribute *>src)
355 vector <Attribute *> dst;
357 for (vector<Attribute *>::const_iterator a = src.begin();
360 dst.push_back(duplicateAttribute(*a));
366 eap_gss_saml_attr_ctx::addAttribute(Attribute *attribute, bool copy)
370 a = copy ? duplicateAttribute(attribute) : attribute;
372 m_attributes.push_back(a);
376 eap_gss_saml_attr_ctx::setAttributes(const vector<Attribute*> attributes)
378 for_each(m_attributes.begin(), m_attributes.end(), xmltooling::cleanup<Attribute>());
379 m_attributes = duplicateAttributes(attributes);
383 eap_gss_saml_attr_ctx::getAttributeIndex(const gss_buffer_t attr) const
387 for (vector<Attribute *>::const_iterator a = getAttributes().begin();
388 a != getAttributes().end();
391 for (vector<string>::const_iterator s = (*a)->getAliases().begin();
392 s != (*a)->getAliases().end();
394 if (attr->length == (*s).length() &&
395 memcmp((*s).c_str(), attr->value, attr->length) == 0) {
405 eap_gss_saml_attr_ctx::getAttribute(const gss_buffer_t attr) const
407 const Attribute *ret = NULL;
409 for (vector<Attribute *>::const_iterator a = getAttributes().begin();
410 a != getAttributes().end();
413 for (vector<string>::const_iterator s = (*a)->getAliases().begin();
414 s != (*a)->getAliases().end();
416 if (attr->length == (*s).length() &&
417 memcmp((*s).c_str(), attr->value, attr->length) == 0) {
430 eap_gss_saml_attr_ctx::getAttribute(const gss_buffer_t attr,
434 gss_buffer_t display_value,
437 const Attribute *shibAttr = NULL;
440 shibAttr = getAttribute(attr);
441 if (shibAttr == NULL)
446 } else if (*more >= (int)shibAttr->valueCount()) {
451 buf.value = (void *)shibAttr->getString(*more);
452 buf.length = strlen((char *)buf.value);
454 duplicateBuffer(buf, value);
456 *authenticated = TRUE;
463 eap_gss_saml_attr_ctx::setAttribute(int complete,
464 const gss_buffer_t attr,
465 const gss_buffer_t value)
467 string attrStr((char *)attr->value, attr->length);
468 vector <string> ids(1);
471 ids.push_back(attrStr);
473 a = new SimpleAttribute(ids);
475 if (value->length != 0) {
476 string valStr((char *)value->value, value->length);
478 a->getValues().push_back(valStr);
481 m_attributes.push_back(a);
485 eap_gss_saml_attr_ctx::deleteAttribute(const gss_buffer_t attr)
489 i = getAttributeIndex(attr);
491 m_attributes.erase(m_attributes.begin() + i);
495 samlReleaseAttrContext(OM_uint32 *minor,
496 struct eap_gss_saml_attr_ctx **pCtx)
498 eap_gss_saml_attr_ctx *ctx = *pCtx;
506 return GSS_S_COMPLETE;
510 samlCreateAttrContext(OM_uint32 *minor,
512 gss_name_t acceptorName,
513 struct eap_gss_saml_attr_ctx **pCtx,
516 OM_uint32 major, tmpMinor;
517 eap_gss_saml_attr_ctx *ctx = NULL;
518 SPConfig &conf = SPConfig::getConfig();
520 const Application *app;
522 gss_buffer_desc nameBuf;
523 const XMLCh *issuer = NULL;
524 saml2::NameID *subjectName = NULL;
525 saml2::Assertion *assertion;
526 ResolutionContext *resolverContext;
529 nameBuf.value = NULL;
531 conf.setFeatures(SPConfig::Metadata |
533 SPConfig::AttributeResolution |
534 SPConfig::Credentials |
535 SPConfig::OutOfProcess);
537 return GSS_S_FAILURE;
538 if (!conf.instantiate())
539 return GSS_S_FAILURE;
541 sp = conf.getServiceProvider();
544 major = gss_display_name(minor, acceptorName, &nameBuf, NULL);
545 if (GSS_ERROR(major))
548 app = sp->getApplication((const char *)nameBuf.value);
550 major = GSS_S_FAILURE;
555 ctx = new eap_gss_saml_attr_ctx(buffer);
557 if (assertion->getIssuer() != NULL)
558 issuer = assertion->getIssuer()->getName();
559 if (assertion->getSubject() != NULL)
560 subjectName = assertion->getSubject()->getNameID();
561 if (assertion->getConditions())
562 *pExpiryTime = assertion->getConditions()->getNotOnOrAfter()->getEpoch();
564 m = app->getMetadataProvider();
565 xmltooling::Locker mlocker(m);
566 MetadataProviderCriteria mc(*app, issuer,
567 &IDPSSODescriptor::ELEMENT_QNAME,
568 samlconstants::SAML20P_NS);
569 pair<const EntityDescriptor *, const RoleDescriptor *> site =
570 m->getEntityDescriptor(mc);
572 auto_ptr_char temp(issuer);
573 throw MetadataException("Unable to locate metadata for IdP ($1).",
574 params(1,temp.get()));
576 vector<const Assertion*> tokens(1, assertion);
577 GSSEAPResolver gssResolver(NULL, (const char *)nameBuf.value);
578 resolverContext = gssResolver.resolveAttributes(*app, site.second,
579 samlconstants::SAML20P_NS,
580 NULL, subjectName, NULL,
582 ctx->setAttributes(resolverContext->getResolvedAttributes());
583 } catch (exception &ex) {
584 major = mapException(minor, ex);
588 major = GSS_S_COMPLETE;
595 if (GSS_ERROR(major))
597 gss_release_buffer(&tmpMinor, &nameBuf);
603 samlGetAttributeTypes(OM_uint32 *minor,
604 const struct eap_gss_saml_attr_ctx *ctx,
606 OM_uint32 (*addAttribute)(OM_uint32 *, void *, gss_buffer_t))
608 OM_uint32 major = GSS_S_COMPLETE;
611 return GSS_S_COMPLETE;
613 for (vector<Attribute*>::const_iterator a = ctx->getAttributes().begin();
614 a != ctx->getAttributes().end();
617 gss_buffer_desc attribute;
619 attribute.value = (void *)((*a)->getId());
620 attribute.length = strlen((char *)attribute.value);
622 major = addAttribute(minor, data, &attribute);
623 if (GSS_ERROR(major))
631 * SAML implementation of gss_get_name_attribute
634 samlGetAttribute(OM_uint32 *minor,
635 struct eap_gss_saml_attr_ctx *ctx,
640 gss_buffer_t display_value,
644 return GSS_S_UNAVAILABLE;
646 if (!ctx->getAttribute(attr, authenticated, complete,
647 value, display_value, more))
648 return GSS_S_UNAVAILABLE;
650 return GSS_S_COMPLETE;
654 samlSetAttribute(OM_uint32 *minor,
655 struct eap_gss_saml_attr_ctx *ctx,
661 ctx->setAttribute(complete, attr, value);
662 } catch (exception &e) {
663 return mapException(minor, e);
666 return GSS_S_COMPLETE;
670 samlDeleteAttribute(OM_uint32 *minor,
671 struct eap_gss_saml_attr_ctx *ctx,
675 ctx->deleteAttribute(attr);
676 } catch (exception &e) {
677 return mapException(minor, e);
680 return GSS_S_COMPLETE;
684 * In order to implement gss_export_name and gss_export_sec_context,
685 * we need to serialise a resolved attribute context to a buffer.
688 samlExportAttrContext(OM_uint32 *minor,
689 struct eap_gss_saml_attr_ctx *ctx,
693 ctx->marshall(buffer);
694 } catch (exception &e) {
695 return mapException(minor, e);
698 return GSS_S_COMPLETE;
702 * In order to implement gss_import_name and gss_import_sec_context,
703 * we need to deserialise a resolved attribute context from a buffer.
706 samlImportAttrContext(OM_uint32 *minor,
708 struct eap_gss_saml_attr_ctx **pCtx)
711 *pCtx = eap_gss_saml_attr_ctx::unmarshall(buffer);
712 } catch (exception &e) {
713 return mapException(minor, e);
716 return GSS_S_COMPLETE;
720 samlGetAssertion(OM_uint32 *minor,
721 struct eap_gss_saml_attr_ctx *ctx,
722 gss_buffer_t assertion)
725 ctx->getAssertion(assertion);
726 } catch (exception &e) {
727 return mapException(minor, e);
730 return GSS_S_COMPLETE;
734 samlDuplicateAttrContext(OM_uint32 *minor,
735 const struct eap_gss_saml_attr_ctx *in,
736 struct eap_gss_saml_attr_ctx **out)
739 *out = new eap_gss_saml_attr_ctx(*in);
740 } catch (exception &e) {
741 return mapException(minor, e);
744 return GSS_S_COMPLETE;
748 samlMapNametoAny(OM_uint32 *minor,
749 const struct eap_gss_saml_attr_ctx *ctx,
751 gss_buffer_t type_id,
754 if (bufferEqualString(type_id, "shibsp::Attribute")) {
755 vector <Attribute *>v = duplicateAttributes(ctx->getAttributes());
757 *output = (gss_any_t)new vector <Attribute *>(v);
758 } else if (bufferEqualString(type_id, "opensaml::Assertion")) {
759 *output = (gss_any_t)ctx->getAssertion()->clone();
761 *output = (gss_any_t)NULL;
762 return GSS_S_UNAVAILABLE;
765 return GSS_S_COMPLETE;
769 samlReleaseAnyNameMapping(OM_uint32 *minor,
770 const struct eap_gss_saml_attr_ctx *ctx,
771 gss_buffer_t type_id,
774 if (bufferEqualString(type_id, "vector<shibsp::Attribute>")) {
775 vector <Attribute *> *v = ((vector <Attribute *> *)*input);
777 } else if (bufferEqualString(type_id, "opensaml::Assertion")) {
778 delete (Assertion *)*input;
780 return GSS_S_UNAVAILABLE;
783 *input = (gss_any_t)NULL;
784 return GSS_S_COMPLETE;