2 * Copyright (c) 2011, JANET(UK)
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
9 * 1. Redistributions of source code must retain the above copyright
10 * notice, this list of conditions and the following disclaimer.
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in the
14 * documentation and/or other materials provided with the distribution.
16 * 3. Neither the name of JANET(UK) nor the names of its contributors
17 * may be used to endorse or promote products derived from this software
18 * without specific prior written permission.
20 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
21 * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
22 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
23 * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
24 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
25 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
26 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
27 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
28 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
29 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
33 * Copyright 2001-2009 Internet2
35 * Licensed under the Apache License, Version 2.0 (the "License");
36 * you may not use this file except in compliance with the License.
37 * You may obtain a copy of the License at
39 * http://www.apache.org/licenses/LICENSE-2.0
41 * Unless required by applicable law or agreed to in writing, software
42 * distributed under the License is distributed on an "AS IS" BASIS,
43 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
44 * See the License for the specific language governing permissions and
45 * limitations under the License.
49 * Local attribute provider implementation.
52 #include <xmltooling/XMLObject.h>
54 #include <saml/saml2/core/Assertions.h>
56 #include <shibsp/exceptions.h>
57 #include <shibsp/attribute/SimpleAttribute.h>
58 #include <shibresolver/resolver.h>
62 #include "gssapiP_eap.h"
64 using namespace shibsp;
65 using namespace shibresolver;
66 using namespace opensaml::saml2md;
67 using namespace opensaml;
68 using namespace xmltooling;
71 gss_eap_shib_attr_provider::gss_eap_shib_attr_provider(void)
73 m_initialized = false;
74 m_authenticated = false;
77 gss_eap_shib_attr_provider::~gss_eap_shib_attr_provider(void)
79 for_each(m_attributes.begin(),
81 xmltooling::cleanup<Attribute>())
86 gss_eap_shib_attr_provider::initFromExistingContext(const gss_eap_attr_ctx *manager,
87 const gss_eap_attr_provider *ctx)
89 const gss_eap_shib_attr_provider *shib;
91 if (!gss_eap_attr_provider::initFromExistingContext(manager, ctx)) {
95 m_authenticated = false;
97 shib = static_cast<const gss_eap_shib_attr_provider *>(ctx);
99 m_attributes = duplicateAttributes(shib->getAttributes());
100 m_authenticated = shib->authenticated();
103 m_initialized = true;
109 exportMechSecContext(OM_uint32 *minor,
111 gss_buffer_t mechContext)
114 gss_buffer_desc exportedCtx;
117 assert(gssCtx->mechanismUsed != GSS_C_NO_OID);
119 major = gssEapExportSecContext(minor, gssCtx, &exportedCtx);
120 if (GSS_ERROR(major))
124 * gss_import_sec_context expects the exported security context token
125 * to be tagged with the mechanism OID; in Heimdal and MIT, this is
126 * done by the mechglue, so if we are subverting the mechglue we need
127 * to add it ourselves.
129 mechContext->length = 4 + gssCtx->mechanismUsed->length + exportedCtx.length;
130 mechContext->value = p = (unsigned char *)GSSEAP_MALLOC(mechContext->length);
131 if (mechContext->value == NULL) {
132 gss_release_buffer(minor, &exportedCtx);
133 throw new std::bad_alloc;
136 p = store_oid(gssCtx->mechanismUsed, p);
137 memcpy(p, exportedCtx.value, exportedCtx.length);
139 gss_release_buffer(minor, &exportedCtx);
141 return GSS_S_COMPLETE;
145 gss_eap_shib_attr_provider::initFromGssContext(const gss_eap_attr_ctx *manager,
146 const gss_cred_id_t gssCred,
147 const gss_ctx_id_t gssCtx)
149 const gss_eap_saml_assertion_provider *saml;
150 gss_buffer_desc mechContext = GSS_C_EMPTY_BUFFER;
151 OM_uint32 major, minor;
153 gss_buffer_desc nameBuf = GSS_C_EMPTY_BUFFER;
156 if (!gss_eap_attr_provider::initFromGssContext(manager, gssCred, gssCtx))
159 saml = static_cast<const gss_eap_saml_assertion_provider *>
160 (m_manager->getProvider(ATTR_TYPE_SAML_ASSERTION));
162 auto_ptr<ShibbolethResolver> resolver(ShibbolethResolver::create());
165 * For now, leave ApplicationID defaulted.
166 * Later on, we could allow this via config option to the mechanism
167 * or rely on an SPRequest interface to pass in a URI identifying the
171 if (gssCred != GSS_C_NO_CREDENTIAL &&
172 gssEapDisplayName(&minor, gssCred->name, &nameBuf, NULL) == GSS_S_COMPLETE) {
173 resolver->setApplicationID((const char *)nameBuf.value);
174 gss_release_buffer(&minor, &nameBuf);
178 major = exportMechSecContext(&minor, gssCtx, &mechContext);
179 if (major == GSS_S_COMPLETE) {
180 resolver->addToken(&mechContext);
181 gss_release_buffer(&minor, &mechContext);
184 if (saml != NULL && saml->getAssertion() != NULL) {
185 resolver->addToken(saml->getAssertion());
186 m_authenticated = saml->authenticated();
191 m_attributes = resolver->getResolvedAttributes();
192 resolver->getResolvedAttributes().clear();
193 } catch (exception &e) {
196 m_initialized = true;
202 gss_eap_shib_attr_provider::getAttributeIndex(const gss_buffer_t attr) const
206 assert(m_initialized);
208 for (vector<Attribute *>::const_iterator a = m_attributes.begin();
209 a != m_attributes.end();
212 for (vector<string>::const_iterator s = (*a)->getAliases().begin();
213 s != (*a)->getAliases().end();
215 if (attr->length == (*s).length() &&
216 memcmp((*s).c_str(), attr->value, attr->length) == 0) {
226 gss_eap_shib_attr_provider::setAttribute(int complete GSSEAP_UNUSED,
227 const gss_buffer_t attr,
228 const gss_buffer_t value)
230 string attrStr((char *)attr->value, attr->length);
231 vector <string> ids(1, attrStr);
232 SimpleAttribute *a = new SimpleAttribute(ids);
234 assert(m_initialized);
236 if (value->length != 0) {
237 string valueStr((char *)value->value, value->length);
239 a->getValues().push_back(valueStr);
242 m_attributes.push_back(a);
243 m_authenticated = false;
249 gss_eap_shib_attr_provider::deleteAttribute(const gss_buffer_t attr)
253 assert(m_initialized);
255 i = getAttributeIndex(attr);
257 m_attributes.erase(m_attributes.begin() + i);
259 m_authenticated = false;
265 gss_eap_shib_attr_provider::getAttributeTypes(gss_eap_attr_enumeration_cb addAttribute,
268 assert(m_initialized);
270 for (vector<Attribute*>::const_iterator a = m_attributes.begin();
271 a != m_attributes.end();
274 gss_buffer_desc attribute;
276 attribute.value = (void *)((*a)->getId());
277 attribute.length = strlen((char *)attribute.value);
279 if (!addAttribute(m_manager, this, &attribute, data))
287 gss_eap_shib_attr_provider::getAttribute(const gss_buffer_t attr) const
289 const Attribute *ret = NULL;
291 assert(m_initialized);
293 for (vector<Attribute *>::const_iterator a = m_attributes.begin();
294 a != m_attributes.end();
297 for (vector<string>::const_iterator s = (*a)->getAliases().begin();
298 s != (*a)->getAliases().end();
300 if (attr->length == (*s).length() &&
301 memcmp((*s).c_str(), attr->value, attr->length) == 0) {
314 gss_eap_shib_attr_provider::getAttribute(const gss_buffer_t attr,
318 gss_buffer_t display_value,
321 const Attribute *shibAttr = NULL;
323 int nvalues, i = *more;
325 assert(m_initialized);
329 shibAttr = getAttribute(attr);
330 if (shibAttr == NULL)
333 nvalues = shibAttr->valueCount();
337 else if (i >= nvalues)
340 buf.value = (void *)shibAttr->getSerializedValues()[*more].c_str();
341 buf.length = strlen((char *)buf.value);
343 if (buf.length != 0) {
345 duplicateBuffer(buf, value);
347 if (display_value != NULL)
348 duplicateBuffer(buf, display_value);
351 if (authenticated != NULL)
352 *authenticated = m_authenticated;
353 if (complete != NULL)
363 gss_eap_shib_attr_provider::mapToAny(int authenticated,
364 gss_buffer_t type_id GSSEAP_UNUSED) const
368 assert(m_initialized);
370 if (authenticated && !m_authenticated)
371 return (gss_any_t)NULL;
373 vector <Attribute *>v = duplicateAttributes(m_attributes);
375 output = (gss_any_t)new vector <Attribute *>(v);
381 gss_eap_shib_attr_provider::releaseAnyNameMapping(gss_buffer_t type_id GSSEAP_UNUSED,
382 gss_any_t input) const
384 assert(m_initialized);
386 vector <Attribute *> *v = ((vector <Attribute *> *)input);
391 gss_eap_shib_attr_provider::prefix(void) const
397 gss_eap_shib_attr_provider::name(void) const
403 gss_eap_shib_attr_provider::jsonRepresentation(void) const
407 if (m_initialized == false)
408 return obj; /* don't export incomplete context */
410 JSONObject jattrs = JSONObject::array();
412 for (vector<Attribute*>::const_iterator a = m_attributes.begin();
413 a != m_attributes.end(); ++a) {
415 DDF attr = (*a)->marshall();
416 JSONObject jattr = JSONObject::ddf(attr);
417 jattrs.append(jattr);
418 } catch (AttributeException &e) {
419 /* XXX FIXME ignore attribute exceptions? */
423 obj.set("attributes", jattrs);
425 obj.set("authenticated", m_authenticated);
431 gss_eap_shib_attr_provider::initWithJsonObject(const gss_eap_attr_ctx *ctx,
434 if (!gss_eap_attr_provider::initWithJsonObject(ctx, obj))
437 assert(m_authenticated == false);
438 assert(m_attributes.size() == 0);
440 JSONObject jattrs = obj["attributes"];
441 size_t nelems = jattrs.size();
443 for (size_t i = 0; i < nelems; i++) {
444 JSONObject jattr = jattrs.get(i);
447 DDF attr = jattr.ddf();
448 Attribute *attribute = Attribute::unmarshall(attr);
449 m_attributes.push_back(attribute);
450 } catch (AttributeException &e) {
455 m_authenticated = obj["authenticated"].integer();
456 m_initialized = true;
462 gss_eap_shib_attr_provider::init(void)
464 if (!ShibbolethResolver::init())
467 gss_eap_attr_ctx::registerProvider(ATTR_TYPE_LOCAL, createAttrContext);
473 gss_eap_shib_attr_provider::finalize(void)
475 gss_eap_attr_ctx::unregisterProvider(ATTR_TYPE_LOCAL);
476 ShibbolethResolver::term();
480 gss_eap_shib_attr_provider::mapException(OM_uint32 *minor,
481 std::exception &e) const
483 if (typeid(e) == typeid(AttributeException))
484 *minor = GSSEAP_SHIB_ATTR_FAILURE;
485 else if (typeid(e) == typeid(AttributeExtractionException))
486 *minor = GSSEAP_SHIB_ATTR_EXTRACT_FAILURE;
487 else if (typeid(e) == typeid(AttributeFilteringException))
488 *minor = GSSEAP_SHIB_ATTR_FILTER_FAILURE;
489 else if (typeid(e) == typeid(AttributeResolutionException))
490 *minor = GSSEAP_SHIB_ATTR_RESOLVE_FAILURE;
491 else if (typeid(e) == typeid(ConfigurationException))
492 *minor = GSSEAP_SHIB_CONFIG_FAILURE;
493 else if (typeid(e) == typeid(ListenerException))
494 *minor = GSSEAP_SHIB_LISTENER_FAILURE;
496 return GSS_S_CONTINUE_NEEDED;
498 return GSS_S_FAILURE;
501 gss_eap_attr_provider *
502 gss_eap_shib_attr_provider::createAttrContext(void)
504 return new gss_eap_shib_attr_provider;
508 gss_eap_shib_attr_provider::duplicateAttribute(const Attribute *src)
510 DDF obj = src->marshall();
511 Attribute *attribute = Attribute::unmarshall(obj);
518 gss_eap_shib_attr_provider::duplicateAttributes(const vector <Attribute *>src)
520 vector <Attribute *> dst;
522 for (vector<Attribute *>::const_iterator a = src.begin();
525 dst.push_back(duplicateAttribute(*a));
531 gssEapLocalAttrProviderInit(OM_uint32 *minor)
533 if (!gss_eap_shib_attr_provider::init()) {
534 *minor = GSSEAP_SHIB_INIT_FAILURE;
535 return GSS_S_FAILURE;
537 return GSS_S_COMPLETE;
541 gssEapLocalAttrProviderFinalize(OM_uint32 *minor)
543 gss_eap_shib_attr_provider::finalize();
546 return GSS_S_COMPLETE;