projects / moonshot.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
Propagate expiry time from assertion
[moonshot.git] / mech_eap / util_saml.cpp
1 /*
2  * Copyright (c) 2010, JANET(UK)
3  * All rights reserved.
4  *
5  * Redistribution and use in source and binary forms, with or without
6  * modification, are permitted provided that the following conditions
7  * are met:
8  *
9  * 1. Redistributions of source code must retain the above copyright
10  *    notice, this list of conditions and the following disclaimer.
11  *
12  * 2. Redistributions in binary form must reproduce the above copyright
13  *    notice, this list of conditions and the following disclaimer in the
14  *    documentation and/or other materials provided with the distribution.
15  *
16  * 3. Neither the name of JANET(UK) nor the names of its contributors
17  *    may be used to endorse or promote products derived from this software
18  *    without specific prior written permission.
19  *
20  * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
21  * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
22  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
23  * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
24  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
25  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
26  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
27  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
28  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
29  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
30  * SUCH DAMAGE.
31  */
32
33 #include "gssapiP_eap.h"
34
35 #include <sstream>
36
37 #include <xercesc/util/XMLUniDefs.hpp>
38 #include <xmltooling/XMLToolingConfig.h>
39 #include <xmltooling/util/XMLHelper.h>
40
41 #include <saml/saml1/core/Assertions.h>
42 #include <saml/saml2/core/Assertions.h>
43 #include <saml/saml2/metadata/Metadata.h>
44
45 using namespace xmltooling;
46 using namespace opensaml::saml2md;
47 using namespace opensaml;
48 using namespace xercesc;
49 using namespace std;
50
51 /*
52  * gss_eap_saml_assertion_provider is for retrieving the underlying
53  * assertion.
54  */
55 bool
56 gss_eap_saml_assertion_provider::initFromExistingContext(const gss_eap_attr_ctx *manager,
57                                                          const gss_eap_attr_provider *ctx)
58 {
59     /* Then we may be creating from an existing attribute context */
60     const gss_eap_saml_assertion_provider *saml;
61
62     assert(m_assertion == NULL);
63
64     if (!gss_eap_attr_provider::initFromExistingContext(manager, ctx))
65         return false;
66
67     saml = static_cast<const gss_eap_saml_assertion_provider *>(ctx);
68     setAssertion(saml->getAssertion(), saml->authenticated());
69
70     return true;
71 }
72
73 bool
74 gss_eap_saml_assertion_provider::initFromGssContext(const gss_eap_attr_ctx *manager,
75                                                     const gss_cred_id_t gssCred,
76                                                     const gss_ctx_id_t gssCtx)
77 {
78     const gss_eap_radius_attr_provider *radius;
79     gss_buffer_desc value = GSS_C_EMPTY_BUFFER;
80     int authenticated, complete, more = -1;
81     OM_uint32 minor;
82
83     assert(m_assertion == NULL);
84
85     if (!gss_eap_attr_provider::initFromGssContext(manager, gssCred, gssCtx))
86         return false;
87
88     radius = static_cast<const gss_eap_radius_attr_provider *>
89         (m_manager->getProvider(ATTR_TYPE_RADIUS));
90     if (radius != NULL &&
91         radius->getAttribute(PW_SAML_ASSERTION, &authenticated, &complete,
92                              &value, NULL, &more)) {
93         setAssertion(&value, authenticated);
94         gss_release_buffer(&minor, &value);
95     } else {
96         m_assertion = NULL;
97     }
98
99     return true;
100 }
101
102 gss_eap_saml_assertion_provider::~gss_eap_saml_assertion_provider(void)
103 {
104     delete m_assertion;
105 }
106
107 void
108 gss_eap_saml_assertion_provider::setAssertion(const saml2::Assertion *assertion,
109                                               bool authenticated)
110 {
111
112     delete m_assertion;
113
114     if (assertion != NULL) {
115         m_assertion = dynamic_cast<saml2::Assertion *>(assertion->clone());
116         m_authenticated = authenticated;
117     } else {
118         m_assertion = NULL;
119         m_authenticated = false;
120     }
121 }
122
123 void
124 gss_eap_saml_assertion_provider::setAssertion(const gss_buffer_t buffer,
125                                               bool authenticated)
126 {
127     delete m_assertion;
128
129     m_assertion = parseAssertion(buffer);
130     m_authenticated = (m_assertion != NULL && authenticated);
131 }
132
133 saml2::Assertion *
134 gss_eap_saml_assertion_provider::parseAssertion(const gss_buffer_t buffer)
135 {
136     string str((char *)buffer->value, buffer->length);
137     istringstream istream(str);
138     DOMDocument *doc;
139     const XMLObjectBuilder *b;
140
141     doc = XMLToolingConfig::getConfig().getParser().parse(istream);
142     b = XMLObjectBuilder::getBuilder(doc->getDocumentElement());
143
144     return dynamic_cast<saml2::Assertion *>(b->buildFromDocument(doc));
145 }
146
147 bool
148 gss_eap_saml_assertion_provider::getAttributeTypes(gss_eap_attr_enumeration_cb addAttribute,
149                                                    void *data) const
150 {
151     /* just add the prefix */
152     return addAttribute(this, GSS_C_NO_BUFFER, data);
153 }
154
155 void
156 gss_eap_saml_assertion_provider::setAttribute(int complete,
157                                               const gss_buffer_t attr,
158                                               const gss_buffer_t value)
159 {
160     if (attr == GSS_C_NO_BUFFER || attr->length == 0) {
161         setAssertion(value);
162     }
163 }
164
165 void
166 gss_eap_saml_assertion_provider::deleteAttribute(const gss_buffer_t value)
167 {
168     delete m_assertion;
169     m_assertion = NULL;
170     m_authenticated = false;
171 }
172
173 time_t
174 gss_eap_saml_assertion_provider::getExpiryTime(void) const
175 {
176     saml2::Conditions *conditions;
177     time_t expiryTime = 0;
178
179     if (m_assertion == NULL)
180         return 0;
181
182     conditions = m_assertion->getConditions();
183
184     if (conditions != NULL && conditions->getNotOnOrAfter() != NULL)
185         expiryTime = conditions->getNotOnOrAfter()->getEpoch();
186
187     return expiryTime;
188 }
189
190 bool
191 gss_eap_saml_assertion_provider::getAttribute(const gss_buffer_t attr,
192                                               int *authenticated,
193                                               int *complete,
194                                               gss_buffer_t value,
195                                               gss_buffer_t display_value,
196                                               int *more) const
197 {
198     string str;
199
200     if (attr != GSS_C_NO_BUFFER || attr->length != 0)
201         return false;
202
203     if (m_assertion == NULL)
204         return false;
205
206     if (*more != -1)
207         return false;
208
209     if (authenticated != NULL)
210         *authenticated = m_authenticated;
211     if (complete != NULL)
212         *complete = true;
213
214     XMLHelper::serialize(m_assertion->marshall((DOMDocument *)NULL), str);
215
216     duplicateBuffer(str, value);
217     *more = 0;
218
219     return true;
220 }
221
222 gss_any_t
223 gss_eap_saml_assertion_provider::mapToAny(int authenticated,
224                                           gss_buffer_t type_id) const
225 {
226     return (gss_any_t)m_assertion;
227 }
228
229 void
230 gss_eap_saml_assertion_provider::releaseAnyNameMapping(gss_buffer_t type_id,
231                                                        gss_any_t input) const
232 {
233     delete ((saml2::Assertion *)input);
234 }
235
236 void
237 gss_eap_saml_assertion_provider::exportToBuffer(gss_buffer_t buffer) const
238 {
239     ostringstream sink;
240     string str;
241
242     buffer->length = 0;
243     buffer->value = NULL;
244
245     if (m_assertion == NULL)
246         return;
247
248     sink << *m_assertion;
249     str = sink.str();
250
251     duplicateBuffer(str, buffer);
252 }
253
254 bool
255 gss_eap_saml_assertion_provider::initFromBuffer(const gss_eap_attr_ctx *ctx,
256                                                 const gss_buffer_t buffer)
257 {
258     if (!gss_eap_attr_provider::initFromBuffer(ctx, buffer))
259         return false;
260
261     if (buffer->length == 0)
262         return true;
263
264     assert(m_assertion == NULL);
265
266     setAssertion(buffer);
267     /* TODO XXX how to propagate authenticated flag? */
268
269     return true;
270 }
271
272 bool
273 gss_eap_saml_assertion_provider::init(void)
274 {
275     gss_eap_attr_ctx::registerProvider(ATTR_TYPE_SAML_ASSERTION,
276                                        "urn:ietf:params:gss-eap:saml-aaa-assertion",
277                                        gss_eap_saml_assertion_provider::createAttrContext);
278     return true;
279 }
280
281 void
282 gss_eap_saml_assertion_provider::finalize(void)
283 {
284     gss_eap_attr_ctx::unregisterProvider(ATTR_TYPE_SAML_ASSERTION);
285 }
286
287 gss_eap_attr_provider *
288 gss_eap_saml_assertion_provider::createAttrContext(void)
289 {
290     return new gss_eap_saml_assertion_provider;
291 }
292
293 /*
294  * gss_eap_saml_attr_provider is for retrieving the underlying attributes.
295  */
296 bool
297 gss_eap_saml_attr_provider::getAssertion(int *authenticated,
298                                          const saml2::Assertion **pAssertion) const
299 {
300     const gss_eap_saml_assertion_provider *saml;
301
302     if (authenticated != NULL)
303         *authenticated = false;
304     if (pAssertion != NULL)
305         *pAssertion = NULL;
306
307     saml = static_cast<const gss_eap_saml_assertion_provider *>
308         (m_manager->getProvider(ATTR_TYPE_SAML_ASSERTION));
309     if (saml == NULL)
310         return false;
311
312     if (authenticated != NULL)
313         *authenticated = saml->authenticated();
314     if (pAssertion != NULL)
315         *pAssertion = saml->getAssertion();
316
317     return (saml->getAssertion() != NULL);
318 }
319
320 gss_eap_saml_attr_provider::~gss_eap_saml_attr_provider(void)
321 {
322     /* Nothing to do, we're just a wrapper around the assertion provider. */
323 }
324
325 bool
326 gss_eap_saml_attr_provider::getAttributeTypes(gss_eap_attr_enumeration_cb addAttribute,
327                                               void *data) const
328 {
329     const saml2::Assertion *assertion;
330     bool ret = true;
331     int authenticated;
332
333     if (!getAssertion(&authenticated, &assertion))
334         return true;
335
336     /*
337      * Note: the first prefix is added by the attribute provider manager
338      *
339      * From draft-hartman-gss-eap-naming-00:
340      *
341      *   Each attribute carried in the assertion SHOULD also be a GSS name
342      *   attribute.  The name of this attribute has three parts, all separated
343      *   by an ASCII space character.  The first part is
344      *   urn:ietf:params:gss-eap:saml-attr.  The second part is the URI for
345      *   the SAML attribute name format.  The final part is the name of the
346      *   SAML attribute.  If the mechanism performs an additional attribute
347      *   query, the retrieved attributes SHOULD be GSS-API name attributes
348      *   using the same name syntax.
349      */
350     const vector<saml2::Attribute*>& attrs2 =
351         const_cast<const saml2::AttributeStatement*>(assertion->getAttributeStatements().front())->getAttributes();
352     for (vector<saml2::Attribute*>::const_iterator a = attrs2.begin();
353         a != attrs2.end();
354         ++a)
355     {
356         const XMLCh *attributeName = (*a)->getName();
357         const XMLCh *attributeNameFormat = (*a)->getNameFormat();
358         XMLCh *qualifiedName;
359         XMLCh space[2] = { ' ', 0 };
360         gss_buffer_desc utf8;
361
362         qualifiedName = new XMLCh[XMLString::stringLen(attributeName) + 1 +
363                                   XMLString::stringLen(attributeNameFormat) + 1];
364         XMLString::copyString(qualifiedName, attributeName);
365         XMLString::catString(qualifiedName, space);
366         XMLString::catString(qualifiedName, attributeNameFormat);
367
368         utf8.value = (void *)toUTF8(qualifiedName);
369         utf8.length = strlen((char *)utf8.value);
370
371         ret = addAttribute(this, &utf8, data);
372
373         delete qualifiedName;
374
375         if (!ret)
376             break;
377     }
378
379     return ret;
380 }
381
382 void
383 gss_eap_saml_attr_provider::setAttribute(int complete,
384                                          const gss_buffer_t attr,
385                                          const gss_buffer_t value)
386 {
387 }
388
389 void
390 gss_eap_saml_attr_provider::deleteAttribute(const gss_buffer_t value)
391 {
392 }
393
394 static BaseRefVectorOf<XMLCh> *
395 decomposeAttributeName(const gss_buffer_t attr)
396 {
397     XMLCh *qualifiedAttr = new XMLCh[attr->length + 1];
398     XMLString::transcode((const char *)attr->value, qualifiedAttr, attr->length);
399
400     BaseRefVectorOf<XMLCh> *components = XMLString::tokenizeString(qualifiedAttr);
401
402     delete qualifiedAttr;
403
404     return components;
405 }
406
407 bool
408 gss_eap_saml_attr_provider::getAttribute(const gss_buffer_t attr,
409                                          int *authenticated,
410                                          int *complete,
411                                          const saml2::Attribute **pAttribute) const
412 {
413     const saml2::Assertion *assertion;
414
415     if (authenticated != NULL)
416         *authenticated = false;
417     if (complete != NULL)
418         *complete = true;
419     *pAttribute = NULL;
420
421     if (!getAssertion(authenticated, &assertion) ||
422         assertion->getAttributeStatements().size() == 0)
423         return false;
424
425     /* Check the attribute name consists of name format | whsp | name */
426     BaseRefVectorOf<XMLCh> *components = decomposeAttributeName(attr);
427     if (components == NULL || components->size() != 2) {
428         delete components;
429         return false;
430     }
431
432     /* For each attribute statement, look for an attribute match */
433     const vector <saml2::AttributeStatement *>&statements =
434         assertion->getAttributeStatements();
435     const saml2::Attribute *ret = NULL;
436
437     for (vector<saml2::AttributeStatement *>::const_iterator s = statements.begin();
438         s != statements.end();
439         ++s) {
440         const vector<saml2::Attribute*>& attrs =
441             const_cast<const saml2::AttributeStatement*>(*s)->getAttributes();
442
443         for (vector<saml2::Attribute*>::const_iterator a = attrs.begin(); a != attrs.end(); ++a) {
444             if (XMLString::equals((*a)->getNameFormat(), components->elementAt(0)) &&
445                 XMLString::equals((*a)->getName(), components->elementAt(1))) {
446                 ret = *a;
447                 break;
448             }
449         }
450
451         if (ret != NULL)
452             break;
453     }
454
455     delete components;
456
457     *pAttribute = ret;
458
459     return (ret != NULL);
460 }
461
462 bool
463 gss_eap_saml_attr_provider::getAttribute(const gss_buffer_t attr,
464                                          int *authenticated,
465                                          int *complete,
466                                          gss_buffer_t value,
467                                          gss_buffer_t display_value,
468                                          int *more) const
469 {
470     const saml2::Attribute *a;
471     const saml2::AttributeValue *av;
472     int nvalues, i = *more;
473
474     *more = 0;
475
476     if (!getAttribute(attr, authenticated, complete, &a))
477         return false;
478
479     nvalues = a->getAttributeValues().size();
480
481     if (i == -1)
482         i = 0;
483     else if (i >= nvalues)
484         return false;
485     av = dynamic_cast<const saml2::AttributeValue *>(a->getAttributeValues().at(i)
486 );
487     if (av != NULL) {
488         if (value != NULL) {
489             value->value = toUTF8(av->getTextContent(), true);
490             value->length = strlen((char *)value->value);
491         }
492         if (display_value != NULL) {
493             display_value->value = toUTF8(av->getTextContent(), true);
494             display_value->length = strlen((char *)value->value);
495         }
496     }
497
498     if (nvalues > ++i)
499         *more = i;
500
501     return true;
502 }
503
504 gss_any_t
505 gss_eap_saml_attr_provider::mapToAny(int authenticated,
506                                      gss_buffer_t type_id) const
507 {
508     return (gss_any_t)NULL;
509 }
510
511 void
512 gss_eap_saml_attr_provider::releaseAnyNameMapping(gss_buffer_t type_id,
513                                                   gss_any_t input) const
514 {
515 }
516
517 void
518 gss_eap_saml_attr_provider::exportToBuffer(gss_buffer_t buffer) const
519 {
520     buffer->length = 0;
521     buffer->value = NULL;
522 }
523
524 bool
525 gss_eap_saml_attr_provider::initFromBuffer(const gss_eap_attr_ctx *ctx,
526                                            const gss_buffer_t buffer)
527 {
528     return gss_eap_attr_provider::initFromBuffer(ctx, buffer);
529 }
530
531 bool
532 gss_eap_saml_attr_provider::init(void)
533 {
534     gss_eap_attr_ctx::registerProvider(ATTR_TYPE_SAML,
535                                        "urn:ietf:params:gss-eap:saml-attr",
536                                        gss_eap_saml_attr_provider::createAttrContext);
537     return true;
538 }
539
540 void
541 gss_eap_saml_attr_provider::finalize(void)
542 {
543     gss_eap_attr_ctx::unregisterProvider(ATTR_TYPE_SAML);
544 }
545
546 gss_eap_attr_provider *
547 gss_eap_saml_attr_provider::createAttrContext(void)
548 {
549     return new gss_eap_saml_attr_provider;
550 }
Core Moonshot code including mech_eap