if test x_$found_shibsp != x_yes; then
AC_MSG_ERROR([
----------------------------------------------------------------------
- Cannot find Shibboleth/OpenSAML libraries.
+ Cannot find Shibboleth libraries.
Please install Shibboleth or specify installation directory with
--with-shibsp=(dir).
])
else
printf "Shibboleth found in $shibspdir\n";
- SHIBSP_LIBS="-lshibsp -lsaml -lxml-security-c -lxmltooling -lxerces-c";
+ SHIBSP_LIBS="-lshibsp -lsaml -lxml-security-c -lxmltooling -lxerces-c";
SHIBSP_LDFLAGS="-L$shibspdir/lib";
AC_SUBST(SHIBSP_CXXFLAGS)
AC_SUBST(SHIBSP_LDFLAGS)
AC_SUBST(SHIBSP_LIBS)
+ AC_DEFINE_UNQUOTED([HAVE_SHIBSP], 1, [Define is Shibboleth SP is available])
fi
])dnl
[Use Shibboleth resolver (in specified installation directory)]),
[check_shibresolver_dir="$withval"],
[check_shibresolver_dir=])
+if test x_$check_shibresolver_dir != x_no; then
for dir in $check_shibresolver_dir $prefix /usr /usr/local ; do
shibresolverdir="$dir"
if test -f "$dir/include/shibresolver/resolver.h"; then
break;
fi
done
+fi
AC_MSG_RESULT($found_shibresolver)
+if test x_$check_shibresolver_dir != x_no; then
if test x_$found_shibresolver != x_yes; then
- AC_MSG_ERROR([
+ AC_MSG_WARN([
----------------------------------------------------------------------
- Cannot find Shibboleth resolver libraries.
+ Cannot find Shibboleth resolver libraries, building without
+ Shibboleth support.
Please install Shibboleth or specify installation directory with
--with-shibresolver=(dir).
AC_SUBST(SHIBRESOLVER_CXXFLAGS)
AC_SUBST(SHIBRESOLVER_LDFLAGS)
AC_SUBST(SHIBRESOLVER_LIBS)
+ AC_DEFINE_UNQUOTED([HAVE_SHIBRESOLVER], 1, [Define is Shibboleth resolver is available])
+fi
+fi
+AM_CONDITIONAL(SHIBRESOLVER, test "x_$check_shibresolver_dir" != "x_no")
+])dnl
+
+AC_DEFUN([AX_CHECK_OPENSAML],
+[AC_MSG_CHECKING(for OpenSAML implementation)
+OPENSAML_DIR=
+found_opensaml="no"
+AC_ARG_WITH(opensaml,
+ AC_HELP_STRING([--with-opensaml],
+ [Use OpenSAML (in specified installation directory)]),
+ [check_opensaml_dir="$withval"],
+ [check_opensaml_dir=])
+if test x_$check_opensaml_dir != x_no; then
+for dir in $check_opensaml_dir $prefix /usr /usr/local ; do
+ opensamldir="$dir"
+ if test -f "$dir/include/saml/Assertion.h"; then
+ found_opensaml="yes";
+ OPENSAML_DIR="${opensamldir}"
+ OPENSAML_CXXFLAGS="-I$opensamldir/include";
+ break;
+ fi
+done
+fi
+AC_MSG_RESULT($found_opensaml)
+if test x_$check_opensaml_dir != x_no; then
+if test x_$found_opensaml != x_yes; then
+ AC_MSG_WARN([
+----------------------------------------------------------------------
+ Cannot find OpenSAML libraries, building without OpenSAML support.
+
+ Please install OpenSAML or specify installation directory with
+ --with-opensaml=(dir).
+----------------------------------------------------------------------
+])
+else
+ printf "OpenSAML found in $opensamldir\n";
+ OPENSAML_LIBS="-lsaml -lxml-security-c -lxmltooling -lxerces-c";
+ OPENSAML_LDFLAGS="-L$opensamldir/lib";
+ AC_SUBST(OPENSAML_CXXFLAGS)
+ AC_SUBST(OPENSAML_LDFLAGS)
+ AC_SUBST(OPENSAML_LIBS)
+ AC_DEFINE_UNQUOTED([HAVE_OPENSAML], 1, [Define is OpenSAML is available])
+fi
fi
+AM_CONDITIONAL(OPENSAML, test "x_$check_opensaml_dir" != "x_no")
])dnl
AC_DEFUN([AX_CHECK_RADSEC],
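Review bot: `AM_CONDITIONAL(OPENSAML, ...)` at L92 and `AM_CONDITIONAL(SHIBRESOLVER, ...)` at L48 only test that `--with-*=no` was not passed, so they are also true on the new warn-and-continue path where the library was not found and `HAVE_OPENSAML`/`HAVE_SHIBRESOLVER` are never defined. Makefile.am then adds util_saml.cpp / util_shib.cpp to the build (the `if OPENSAML` / `if SHIBRESOLVER` blocks at L131–L137) with empty `*_CXXFLAGS`/`*_LIBS`, which can only fail at compile or link time. Key the conditionals on the detection result instead: `AM_CONDITIONAL(OPENSAML, test "x_$found_opensaml" = "x_yes")` and `AM_CONDITIONAL(SHIBRESOLVER, test "x_$found_shibresolver" = "x_yes")`. The shibresolver hunk also does not show where `found_shibresolver` is set to `yes` inside the loop at L24–L29; presumably a collapsed context line, but worth confirming the assignment survived the edit.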
AC_SUBST(TARGET_LDFLAGS)
AX_CHECK_KRB5
dnl AX_CHECK_EAP
-AX_CHECK_SHIBSP
+AX_CHECK_OPENSAML
AX_CHECK_SHIBRESOLVER
+if test x_$found_shibresolver = x_yes; then
+ AX_CHECK_SHIBSP
+fi
AX_CHECK_RADSEC
AX_CHECK_JANSSON
AX_CHECK_LIBMOONSHOT
@KRB5_CFLAGS@ @RADSEC_CFLAGS@ @TARGET_CFLAGS@ $(EAP_CFLAGS)
mech_eap_la_CXXFLAGS = -Werror -Wall -Wunused-parameter \
@KRB5_CFLAGS@ @RADSEC_CFLAGS@ \
- @SHIBRESOLVER_CXXFLAGS@ @SHIBSP_CXXFLAGS@ @TARGET_CFLAGS@ $(EAP_CFLAGS)
+ @OPENSAML_CXXFLAGS@ @SHIBRESOLVER_CXXFLAGS@ @SHIBSP_CXXFLAGS@ \
+ @TARGET_CFLAGS@ $(EAP_CFLAGS)
mech_eap_la_LDFLAGS = -avoid-version -module \
-export-symbols mech_eap.exports -no-undefined \
@RADSEC_LDFLAGS@ @TARGET_LDFLAGS@
mech_eap_la_LIBADD = @KRB5_LIBS@ ../libeap/libeap.la @RADSEC_LIBS@ \
- @SHIBRESOLVER_LIBS@ @SHIBSP_LIBS@ @JANSSON_LIBS@
+ @OPENSAML_LIBS@ @SHIBRESOLVER_LIBS@ @SHIBSP_LIBS@ @JANSSON_LIBS@
mech_eap_la_SOURCES = \
accept_sec_context.c \
util_oid.c \
util_ordering.c \
util_radius.cpp \
- util_saml.cpp \
- util_shib.cpp \
util_sm.c \
util_token.c \
verify_mic.c \
wrap_iov_length.c \
wrap_size_limit.c
+if OPENSAML
+mech_eap_la_SOURCES += util_saml.cpp
+endif
+
+if SHIBRESOLVER
+mech_eap_la_SOURCES += util_shib.cpp
+endif
+
BUILT_SOURCES = gsseap_err.c radsec_err.c
if GSSEAP_ENABLE_REAUTH
if (GSS_ERROR(major))
goto cleanup;
+#ifdef HAVE_OPENSAML
major = gssEapSamlAttrProvidersInit(&minor);
if (GSS_ERROR(major))
goto cleanup;
+#endif
+#ifdef HAVE_SHIBRESOLVER
/* Allow Shibboleth initialization failure to be non-fatal */
gssEapLocalAttrProviderInit(&minor);
+#endif
cleanup:
#ifdef GSSEAP_DEBUG
OM_uint32
gssEapAttrProvidersFinalize(OM_uint32 *minor)
{
- OM_uint32 major = GSS_S_COMPLETE;
-
if (gssEapAttrProvidersInitStatus == GSS_S_COMPLETE) {
- major = gssEapLocalAttrProviderFinalize(minor);
- if (major == GSS_S_COMPLETE)
- major = gssEapSamlAttrProvidersFinalize(minor);
- if (major == GSS_S_COMPLETE)
- major = gssEapRadiusAttrProviderFinalize(minor);
+#ifdef HAVE_SHIBRESOLVER
+ gssEapLocalAttrProviderFinalize(minor);
+#endif
+#ifdef HAVE_OPENSAML
+ gssEapSamlAttrProvidersFinalize(minor);
+#endif
+ gssEapRadiusAttrProviderFinalize(minor);
gssEapAttrProvidersInitStatus = GSS_S_UNAVAILABLE;
}
- return major;
+ return GSS_S_COMPLETE;
}
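Review bot: The three finalize results are now discarded at L166–L171 and the function returns `GSS_S_COMPLETE` unconditionally, so a caller that trusts the major status may read whatever `*minor` the last failing finalizer left behind. Set `*minor = 0;` immediately before `return GSS_S_COMPLETE;`, or keep the first non-success major in a local and at least log it under `GSSEAP_DEBUG`. Whether the individual finalizers write `*minor` on failure is not visible here, but nothing in this hunk clears it either.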
static gss_eap_attr_create_provider gssEapAttrFactories[ATTR_TYPE_MAX + 1];
void *data);
#define ATTR_TYPE_RADIUS 0U /* RADIUS AVPs */
+#ifdef HAVE_OPENSAML
#define ATTR_TYPE_SAML_ASSERTION 1U /* SAML assertion */
#define ATTR_TYPE_SAML 2U /* SAML attributes */
+#endif
#define ATTR_TYPE_LOCAL 3U /* Local attributes */
#define ATTR_TYPE_MIN ATTR_TYPE_RADIUS
#define ATTR_TYPE_MAX ATTR_TYPE_LOCAL
return json_number_value(m_obj);
}
+#ifdef HAVE_SHIBRESOLVER
JSONObject
JSONObject::ddf(DDF &ddf)
{
return ddf;
}
+#endif /* HAVE_SHIBRESOLVER */
bool JSONObject::isObject(void) const
{
#include <new>
#include <jansson.h>
-#include <shibsp/remoting/ddf.h>
+#ifdef HAVE_SHIBRESOLVER
+#include <shibsp/remoting/ddf.h>
using namespace shibsp;
+#endif
namespace gss_eap_util {
class JSONObject;
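Review bot: The `#ifdef HAVE_SHIBRESOLVER` guard added at L201 (and the matching guards on the `ddf` declarations below) depends on the configuration macro being defined before this header is included, and the hunk shows no include of the config header above it — util_shib.cpp moves `#include "gssapiP_eap.h"` to the top at L249 for exactly this reason. A translation unit that includes util_json.h before the config header would silently see a `JSONObject` without the DDF members and fail at link time rather than compile time; add a short comment such as `/* HAVE_SHIBRESOLVER comes from the config header; include gssapiP_eap.h before this file */` or include it here. Separately, `using namespace shibsp;` inside a header leaks into every includer; `using shibsp::DDF;` is all these declarations need.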
static JSONObject object(void);
static JSONObject array(void);
static JSONObject null(void);
+#ifdef HAVE_SHIBRESOLVER
static JSONObject ddf(DDF &value);
+#endif
char *dump(size_t flags = 0) const;
void dump(FILE *fp, size_t flags = JSON_INDENT(4)) const;
json_int_t integer(void) const;
double real(void) const;
double number(void) const;
+#ifdef HAVE_SHIBRESOLVER
DDF ddf(void) const;
+#endif
bool isObject(void) const;
bool isArray(void) const;
#include <xmltooling/util/DateTime.h>
#include <saml/exceptions.h>
+#include <saml/SAMLConfig.h>
#include <saml/saml1/core/Assertions.h>
#include <saml/saml2/core/Assertions.h>
#include <saml/saml2/metadata/Metadata.h>
bool
gss_eap_saml_assertion_provider::init(void)
{
- gss_eap_attr_ctx::registerProvider(ATTR_TYPE_SAML_ASSERTION, createAttrContext);
- return true;
+ bool ret = false;
+
+ try {
+ ret = SAMLConfig::getConfig().init();
+ } catch (exception &e) {
+ }
+
+ if (ret)
+ gss_eap_attr_ctx::registerProvider(ATTR_TYPE_SAML_ASSERTION, createAttrContext);
+
+ return ret;
}
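Review bot: The empty `catch (exception &e) {}` at L238 discards the reason `SAMLConfig::getConfig().init()` failed, so an operator is left with a SAML provider that silently never registers and no message to act on; report `e.what()` through the module's logging (at least under `GSSEAP_DEBUG`) before falling through to `return ret;`. Initializing `SAMLConfig` here presumably also requires a matching `SAMLConfig::getConfig().term()` in the provider's finalize path, which is outside this hunk — confirm it exists so library state is not left initialized across unload.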
void
* Local attribute provider implementation.
*/
+#include "gssapiP_eap.h"
+
#include <xmltooling/XMLObject.h>
+#ifndef HAVE_OPENSAML
+#include <xmltooling/XMLToolingConfig.h>
+#include <xmltooling/util/ParserPool.h>
+#endif
#include <saml/saml2/core/Assertions.h>
#include <sstream>
-#include "gssapiP_eap.h"
-
using namespace shibsp;
using namespace shibresolver;
-using namespace opensaml::saml2md;
-using namespace opensaml;
using namespace xmltooling;
using namespace std;
+#ifdef HAVE_OPENSAML
+using namespace opensaml::saml2md;
+using namespace opensaml;
+#else
+using namespace xercesc;
+#endif
gss_eap_shib_attr_provider::gss_eap_shib_attr_provider(void)
{
gss_release_buffer(&minor, &mechName);
}
+#ifdef HAVE_OPENSAML
const gss_eap_saml_assertion_provider *saml;
saml = static_cast<const gss_eap_saml_assertion_provider *>
(m_manager->getProvider(ATTR_TYPE_SAML_ASSERTION));
if (saml != NULL && saml->getAssertion() != NULL) {
resolver->addToken(saml->getAssertion());
}
+#else
+ /* If no OpenSAML, parse the XML assertion explicitly */
+ const gss_eap_radius_attr_provider *radius;
+ int authenticated, complete;
+ gss_buffer_desc value = GSS_C_EMPTY_BUFFER;
+
+ radius = static_cast<const gss_eap_radius_attr_provider *>
+ (m_manager->getProvider(ATTR_TYPE_RADIUS));
+ if (radius != NULL &&
+ radius->getFragmentedAttribute(PW_SAML_AAA_ASSERTION,
+ VENDORPEC_UKERNA,
+ &authenticated, &complete, &value)) {
+ string str((char *)value.value, value.length);
+ istringstream istream(str);
+ DOMDocument *doc = XMLToolingConfig::getConfig().getParser().parse(istream);
+ const XMLObjectBuilder *b = XMLObjectBuilder::getBuilder(doc->getDocumentElement());
+ resolver->addToken(b->buildFromDocument(doc));
+ gss_release_buffer(&minor, &value);
+ }
+#endif /* HAVE_OPENSAML */
try {
resolver->resolve();
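Review bot: The non-OpenSAML branch at L283–L301 fetches `authenticated` and `complete` from the RADIUS provider but never checks them, so an incomplete (truncated) or unauthenticated assertion fragment from the AAA server is parsed and handed to the resolver as a token; at minimum `complete` must be required, and `authenticated` should be gated the same way the OpenSAML-backed provider does when it produces `getAssertion()` (not visible here — verify against util_saml.cpp). The parse also sits above the `try` at L303, and neither `doc` nor the result of `XMLObjectBuilder::getBuilder()` is null-checked, so malformed XML or an element with no registered builder either throws out of this function or dereferences NULL, and `gss_release_buffer` is skipped on the throwing path. The enclosing function starts before L274 and continues past L304; ownership of the freshly built object passed to `addToken` is also unclear — in the OpenSAML branch the assertion remains owned by the SAML provider, whereas here nothing visibly frees it if the resolver does not take it.
```cpp
    if (radius != NULL &&
        radius->getFragmentedAttribute(PW_SAML_AAA_ASSERTION,
                                       VENDORPEC_UKERNA,
                                       &authenticated, &complete, &value) &&
        authenticated && complete) {
        try {
            string str((char *)value.value, value.length);
            istringstream istream(str);
            DOMDocument *doc = XMLToolingConfig::getConfig().getParser().parse(istream);
            const XMLObjectBuilder *b = NULL;
            if (doc != NULL && doc->getDocumentElement() != NULL)
                b = XMLObjectBuilder::getBuilder(doc->getDocumentElement());
            if (b != NULL) {
                /* buildFromDocument binds doc to the object; TODO confirm whether addToken takes ownership */
                resolver->addToken(b->buildFromDocument(doc));
            } else if (doc != NULL) {
                doc->release();
            }
        } catch (exception &e) {
            /* malformed assertion from the AAA server: resolve without it */
        }
        gss_release_buffer(&minor, &value);
    }
```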