From 54cee92590fb021f1b3eaf1d711c914cf3f561c6 Mon Sep 17 00:00:00 2001 From: Luke Howard Date: Mon, 12 Sep 2011 22:07:17 +1000 Subject: [PATCH] make possible build without OpenSAML and/or Shib --- moonshot/acinclude.m4 | 60 ++++++++++++++++++++++++++++++++++++++--- moonshot/configure.ac | 5 +++- moonshot/mech_eap/Makefile.am | 15 ++++++++--- moonshot/mech_eap/util_attr.cpp | 20 ++++++++------ moonshot/mech_eap/util_attr.h | 2 ++ moonshot/mech_eap/util_json.cpp | 2 ++ moonshot/mech_eap/util_json.h | 8 +++++- moonshot/mech_eap/util_saml.cpp | 14 ++++++++-- moonshot/mech_eap/util_shib.cpp | 37 ++++++++++++++++++++++--- 9 files changed, 139 insertions(+), 24 deletions(-) diff --git a/moonshot/acinclude.m4 b/moonshot/acinclude.m4 index f8a7efb..c1c2224 100644 --- a/moonshot/acinclude.m4 +++ b/moonshot/acinclude.m4 @@ -129,7 +129,7 @@ AC_MSG_RESULT($found_shibsp) if test x_$found_shibsp != x_yes; then AC_MSG_ERROR([ ---------------------------------------------------------------------- - Cannot find Shibboleth/OpenSAML libraries. + Cannot find Shibboleth libraries. Please install Shibboleth or specify installation directory with --with-shibsp=(dir). @@ -137,11 +137,12 @@ if test x_$found_shibsp != x_yes; then ]) else printf "Shibboleth found in $shibspdir\n"; - SHIBSP_LIBS="-lshibsp -lsaml -lxml-security-c -lxmltooling -lxerces-c"; + SHIBSP_LIBS="-lshibsp -lsaml -lxml-security-c -lxmltooling -lxerces-c"; SHIBSP_LDFLAGS="-L$shibspdir/lib"; AC_SUBST(SHIBSP_CXXFLAGS) AC_SUBST(SHIBSP_LDFLAGS) AC_SUBST(SHIBSP_LIBS) + AC_DEFINE_UNQUOTED([HAVE_SHIBSP], 1, [Define is Shibboleth SP is available]) fi ])dnl @@ -154,6 +155,7 @@ AC_ARG_WITH(shibresolver, [Use Shibboleth resolver (in specified installation directory)]), [check_shibresolver_dir="$withval"], [check_shibresolver_dir=]) +if test x_$check_shibresolver_dir != x_no; then for dir in $check_shibresolver_dir $prefix /usr /usr/local ; do shibresolverdir="$dir" if test -f "$dir/include/shibresolver/resolver.h"; then 
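Review bot: The help text of the new `AC_DEFINE_UNQUOTED([HAVE_SHIBSP], ...)` line in the second hunk reads "Define is Shibboleth SP is available"; it should read `[Define if Shibboleth SP is available]`, since this string is copied into config.h as the macro's documentation. The same typo is in the `HAVE_SHIBRESOLVER` and `HAVE_OPENSAML` definitions added in the third acinclude.m4 hunk ("Define is ... is available" in both).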
@@ -163,11 +165,14 @@ for dir in $check_shibresolver_dir $prefix /usr /usr/local ; do break; fi done +fi AC_MSG_RESULT($found_shibresolver) +if test x_$check_shibresolver_dir != x_no; then if test x_$found_shibresolver != x_yes; then - AC_MSG_ERROR([ + AC_MSG_WARN([ ---------------------------------------------------------------------- - Cannot find Shibboleth resolver libraries. + Cannot find Shibboleth resolver libraries, building without + Shibboleth support. Please install Shibboleth or specify installation directory with --with-shibresolver=(dir). 
@@ -180,7 +185,54 @@ else AC_SUBST(SHIBRESOLVER_CXXFLAGS) AC_SUBST(SHIBRESOLVER_LDFLAGS) AC_SUBST(SHIBRESOLVER_LIBS) + AC_DEFINE_UNQUOTED([HAVE_SHIBRESOLVER], 1, [Define is Shibboleth resolver is available]) +fi +fi +AM_CONDITIONAL(SHIBRESOLVER, test "x_$check_shibresolver_dir" != "x_no") +])dnl + +AC_DEFUN([AX_CHECK_OPENSAML], +[AC_MSG_CHECKING(for OpenSAML implementation) +OPENSAML_DIR= +found_opensaml="no" +AC_ARG_WITH(opensaml, + AC_HELP_STRING([--with-opensaml], + [Use OpenSAML (in specified installation directory)]), + [check_opensaml_dir="$withval"], + [check_opensaml_dir=]) +if test x_$check_opensaml_dir != x_no; then +for dir in $check_opensaml_dir $prefix /usr /usr/local ; do + opensamldir="$dir" + if test -f "$dir/include/saml/Assertion.h"; then + found_opensaml="yes"; + OPENSAML_DIR="${opensamldir}" + OPENSAML_CXXFLAGS="-I$opensamldir/include"; + break; + fi +done +fi +AC_MSG_RESULT($found_opensaml) +if test x_$check_opensaml_dir != x_no; then +if test x_$found_opensaml != x_yes; then + AC_MSG_WARN([ +---------------------------------------------------------------------- + Cannot find OpenSAML libraries, building without OpenSAML support. + + Please install OpenSAML or specify installation directory with + --with-opensaml=(dir). +---------------------------------------------------------------------- +]) +else + printf "OpenSAML found in $opensamldir\n"; + OPENSAML_LIBS="-lsaml -lxml-security-c -lxmltooling -lxerces-c"; + OPENSAML_LDFLAGS="-L$opensamldir/lib"; + AC_SUBST(OPENSAML_CXXFLAGS) + AC_SUBST(OPENSAML_LDFLAGS) + AC_SUBST(OPENSAML_LIBS) + AC_DEFINE_UNQUOTED([HAVE_OPENSAML], 1, [Define is OpenSAML is available]) +fi fi +AM_CONDITIONAL(OPENSAML, test "x_$check_opensaml_dir" != "x_no") ])dnl AC_DEFUN([AX_CHECK_RADSEC], diff --git a/moonshot/configure.ac b/moonshot/configure.ac index 161b554..957a5bf 100644 --- a/moonshot/configure.ac +++ b/moonshot/configure.ac 
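Review bot: The two new `AM_CONDITIONAL` lines test the `--with-*` argument rather than the detection result, so when the library is simply absent (warning path, `check_*_dir` empty, `found_*` = no) the Automake conditional is still true while `HAVE_OPENSAML` / `HAVE_SHIBRESOLVER` stay undefined; Makefile.am's new `if OPENSAML` / `if SHIBRESOLVER` blocks would then add util_saml.cpp / util_shib.cpp to the build and the compile fails on the missing headers. Keying the conditionals on the result keeps config.h and the source list in step: `AM_CONDITIONAL(SHIBRESOLVER, test "x_$found_shibresolver" = "x_yes")` and `AM_CONDITIONAL(OPENSAML, test "x_$found_opensaml" = "x_yes")`. As far as I can see from the hunk, `found_shibresolver` is initialised the same way as `found_opensaml` ("no"), so the equality test is safe when the check is skipped with `--without-shibresolver`.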
@@ -51,8 +51,11 @@ AC_SUBST(TARGET_CFLAGS) AC_SUBST(TARGET_LDFLAGS) AX_CHECK_KRB5 dnl AX_CHECK_EAP -AX_CHECK_SHIBSP +AX_CHECK_OPENSAML AX_CHECK_SHIBRESOLVER +if test x_$found_shibresolver = x_yes; then + AX_CHECK_SHIBSP +fi AX_CHECK_RADSEC AX_CHECK_JANSSON AX_CHECK_LIBMOONSHOT diff --git a/moonshot/mech_eap/Makefile.am b/moonshot/mech_eap/Makefile.am index 1f26d7d..b3a951d 100644 --- a/moonshot/mech_eap/Makefile.am +++ b/moonshot/mech_eap/Makefile.am @@ -15,12 +15,13 @@ mech_eap_la_CFLAGS = -Werror -Wall -Wunused-parameter \ @KRB5_CFLAGS@ @RADSEC_CFLAGS@ @TARGET_CFLAGS@ $(EAP_CFLAGS) mech_eap_la_CXXFLAGS = -Werror -Wall -Wunused-parameter \ @KRB5_CFLAGS@ @RADSEC_CFLAGS@ \ - @SHIBRESOLVER_CXXFLAGS@ @SHIBSP_CXXFLAGS@ @TARGET_CFLAGS@ $(EAP_CFLAGS) + @OPENSAML_CXXFLAGS@ @SHIBRESOLVER_CXXFLAGS@ @SHIBSP_CXXFLAGS@ \ + @TARGET_CFLAGS@ $(EAP_CFLAGS) mech_eap_la_LDFLAGS = -avoid-version -module \ -export-symbols mech_eap.exports -no-undefined \ @RADSEC_LDFLAGS@ @TARGET_LDFLAGS@ mech_eap_la_LIBADD = @KRB5_LIBS@ ../libeap/libeap.la @RADSEC_LIBS@ \ - @SHIBRESOLVER_LIBS@ @SHIBSP_LIBS@ @JANSSON_LIBS@ + @OPENSAML_LIBS@ @SHIBRESOLVER_LIBS@ @SHIBSP_LIBS@ @JANSSON_LIBS@ mech_eap_la_SOURCES = \ accept_sec_context.c \ @@ -90,8 +91,6 @@ mech_eap_la_SOURCES = \ util_oid.c \ util_ordering.c \ util_radius.cpp \ - util_saml.cpp \ - util_shib.cpp \ util_sm.c \ util_token.c \ verify_mic.c \ @@ -100,6 +99,14 @@ mech_eap_la_SOURCES = \ wrap_iov_length.c \ wrap_size_limit.c +if OPENSAML +mech_eap_la_SOURCES += util_saml.cpp +endif + +if SHIBRESOLVER +mech_eap_la_SOURCES += util_shib.cpp +endif + BUILT_SOURCES = gsseap_err.c radsec_err.c if GSSEAP_ENABLE_REAUTH diff --git a/moonshot/mech_eap/util_attr.cpp b/moonshot/mech_eap/util_attr.cpp index 01c3135..9496863 100644 --- a/moonshot/mech_eap/util_attr.cpp +++ b/moonshot/mech_eap/util_attr.cpp 
@@ -57,12 +57,16 @@ gssEapAttrProvidersInitInternal(void) if (GSS_ERROR(major)) goto cleanup; +#ifdef HAVE_OPENSAML major = gssEapSamlAttrProvidersInit(&minor); if (GSS_ERROR(major)) goto cleanup; +#endif +#ifdef HAVE_SHIBRESOLVER /* Allow Shibboleth initialization failure to be non-fatal */ gssEapLocalAttrProviderInit(&minor); +#endif cleanup: #ifdef GSSEAP_DEBUG @@ -86,19 +90,19 @@ gssEapAttrProvidersInit(OM_uint32 *minor) OM_uint32 gssEapAttrProvidersFinalize(OM_uint32 *minor) { - OM_uint32 major = GSS_S_COMPLETE; - if (gssEapAttrProvidersInitStatus == GSS_S_COMPLETE) { - major = gssEapLocalAttrProviderFinalize(minor); - if (major == GSS_S_COMPLETE) - major = gssEapSamlAttrProvidersFinalize(minor); - if (major == GSS_S_COMPLETE) - major = gssEapRadiusAttrProviderFinalize(minor); +#ifdef HAVE_SHIBRESOLVER + gssEapLocalAttrProviderFinalize(minor); +#endif +#ifdef HAVE_OPENSAML + gssEapSamlAttrProvidersFinalize(minor); +#endif + gssEapRadiusAttrProviderFinalize(minor); gssEapAttrProvidersInitStatus = GSS_S_UNAVAILABLE; } - return major; + return GSS_S_COMPLETE; } static gss_eap_attr_create_provider gssEapAttrFactories[ATTR_TYPE_MAX + 1]; diff --git a/moonshot/mech_eap/util_attr.h b/moonshot/mech_eap/util_attr.h index e3f3567..2af0850 100644 --- a/moonshot/mech_eap/util_attr.h +++ b/moonshot/mech_eap/util_attr.h @@ -53,8 +53,10 @@ typedef bool void *data); #define ATTR_TYPE_RADIUS 0U /* RADIUS AVPs */ +#ifdef HAVE_OPENSAML #define ATTR_TYPE_SAML_ASSERTION 1U /* SAML assertion */ #define ATTR_TYPE_SAML 2U /* SAML attributes */ +#endif #define ATTR_TYPE_LOCAL 3U /* Local attributes */ #define ATTR_TYPE_MIN ATTR_TYPE_RADIUS #define ATTR_TYPE_MAX ATTR_TYPE_LOCAL diff --git a/moonshot/mech_eap/util_json.cpp b/moonshot/mech_eap/util_json.cpp index 0133772..97eb1ed 100644 --- a/moonshot/mech_eap/util_json.cpp +++ b/moonshot/mech_eap/util_json.cpp 
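Review bot: In the second util_attr.cpp hunk `gssEapAttrProvidersFinalize` now ignores the status of every finalizer and unconditionally returns `GSS_S_COMPLETE`, but a failing finalizer may still have written `*minor`, so a caller that reads the minor code gets a stale error paired with a success major. If the intent is "always run every finalizer" (which the new shape suggests), reset the minor code on the success path, `*minor = 0;` before `return GSS_S_COMPLETE;`, or record the first non-complete major while still calling the remaining finalizers. A one-line comment stating that finalization is deliberately best-effort would also stop the next reader from "restoring" the early-exit chain.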
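Review bot: The util_attr.h hunk leaves a hole at 1U/2U in the attribute-type numbering when `HAVE_OPENSAML` is undefined (`ATTR_TYPE_LOCAL` stays 3U and `ATTR_TYPE_MAX` still sizes the factory table), which is correct but invites a later "cleanup" that renumbers `ATTR_TYPE_LOCAL`; whether these values are also used outside the factory table is not visible here. A comment on the `#ifdef` would pin it: `/* 1U and 2U are reserved for the SAML providers (HAVE_OPENSAML); do not renumber */`.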
@@ -322,6 +322,7 @@ JSONObject::number(void) const return json_number_value(m_obj); } +#ifdef HAVE_SHIBRESOLVER JSONObject JSONObject::ddf(DDF &ddf) { @@ -409,6 +410,7 @@ JSONObject::ddf(void) const return ddf; } +#endif /* HAVE_SHIBRESOLVER */ bool JSONObject::isObject(void) const { diff --git a/moonshot/mech_eap/util_json.h b/moonshot/mech_eap/util_json.h index e2c5e29..4ffecc8 100644 --- a/moonshot/mech_eap/util_json.h +++ b/moonshot/mech_eap/util_json.h @@ -42,9 +42,11 @@ #include #include -#include +#ifdef HAVE_SHIBRESOLVER +#include using namespace shibsp; +#endif namespace gss_eap_util { class JSONObject; @@ -88,7 +90,9 @@ namespace gss_eap_util { static JSONObject object(void); static JSONObject array(void); static JSONObject null(void); +#ifdef HAVE_SHIBRESOLVER static JSONObject ddf(DDF &value); +#endif char *dump(size_t flags = 0) const; void dump(FILE *fp, size_t flags = JSON_INDENT(4)) const; @@ -123,7 +127,9 @@ namespace gss_eap_util { json_int_t integer(void) const; double real(void) const; double number(void) const; +#ifdef HAVE_SHIBRESOLVER DDF ddf(void) const; +#endif bool isObject(void) const; bool isArray(void) const; diff --git a/moonshot/mech_eap/util_saml.cpp b/moonshot/mech_eap/util_saml.cpp index 41bedad..9a3862a 100644 --- a/moonshot/mech_eap/util_saml.cpp +++ b/moonshot/mech_eap/util_saml.cpp @@ -46,6 +46,7 @@ #include #include +#include #include #include #include @@ -322,8 +323,17 @@ gss_eap_saml_assertion_provider::prefix(void) const bool gss_eap_saml_assertion_provider::init(void) { - gss_eap_attr_ctx::registerProvider(ATTR_TYPE_SAML_ASSERTION, createAttrContext); - return true; + bool ret = false; + + try { + ret = SAMLConfig::getConfig().init(); + } catch (exception &e) { + } + + if (ret) + gss_eap_attr_ctx::registerProvider(ATTR_TYPE_SAML_ASSERTION, createAttrContext); + + return ret; } void diff --git a/moonshot/mech_eap/util_shib.cpp b/moonshot/mech_eap/util_shib.cpp index 65900a8..4c268ec 100644 
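Review bot: In the util_json.h hunks the `DDF` declarations and the shibsp include are guarded by `HAVE_SHIBRESOLVER`, although `DDF` is a Shibboleth SP type and configure defines a separate `HAVE_SHIBSP` for it; this only works because configure.ac now runs `AX_CHECK_SHIBSP` solely when the resolver was found (and hard-fails otherwise), so the reader has to know that coupling. A comment on the first guard would document it: `/* DDF comes from the Shibboleth SP; configure only accepts the resolver together with the SP, so HAVE_SHIBRESOLVER implies HAVE_SHIBSP here. */`. The `using namespace shibsp;` in a header predates this commit, but now that it is conditional it would be a good moment to move the directive into util_json.cpp.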
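Review bot: The new `gss_eap_saml_assertion_provider::init` in the util_saml.cpp hunk swallows the exception from `SAMLConfig::getConfig().init()` with an empty `catch (exception &e) {}`, so a broken OpenSAML setup silently leaves the SAML assertion provider unregistered and SAML attributes simply disappear from contexts with no diagnostic anywhere. At minimum bind the exception as `catch (const exception &e)` and emit `e.what()` through whatever diagnostic path this file already uses, or add a comment explaining that unavailability is intentionally silent. Since `init()` now initialises the global OpenSAML configuration, it is also worth confirming that the finalize counterpart (outside this hunk) terminates it, otherwise the library state outlives the provider.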
--- a/moonshot/mech_eap/util_shib.cpp +++ b/moonshot/mech_eap/util_shib.cpp @@ -49,7 +49,13 @@ * Local attribute provider implementation. */ +#include "gssapiP_eap.h" + #include +#ifndef HAVE_OPENSAML +#include +#include +#endif #include @@ -61,14 +67,16 @@ #include -#include "gssapiP_eap.h" - using namespace shibsp; using namespace shibresolver; -using namespace opensaml::saml2md; -using namespace opensaml; using namespace xmltooling; using namespace std; +#ifdef HAVE_OPENSAML +using namespace opensaml::saml2md; +using namespace opensaml; +#else +using namespace xercesc; +#endif gss_eap_shib_attr_provider::gss_eap_shib_attr_provider(void) { @@ -143,12 +151,33 @@ gss_eap_shib_attr_provider::initWithGssContext(const gss_eap_attr_ctx *manager, gss_release_buffer(&minor, &mechName); } +#ifdef HAVE_OPENSAML const gss_eap_saml_assertion_provider *saml; saml = static_cast (m_manager->getProvider(ATTR_TYPE_SAML_ASSERTION)); if (saml != NULL && saml->getAssertion() != NULL) { resolver->addToken(saml->getAssertion()); } +#else + /* If no OpenSAML, parse the XML assertion explicitly */ + const gss_eap_radius_attr_provider *radius; + int authenticated, complete; + gss_buffer_desc value = GSS_C_EMPTY_BUFFER; + + radius = static_cast + (m_manager->getProvider(ATTR_TYPE_RADIUS)); + if (radius != NULL && + radius->getFragmentedAttribute(PW_SAML_AAA_ASSERTION, + VENDORPEC_UKERNA, + &authenticated, &complete, &value)) { + string str((char *)value.value, value.length); + istringstream istream(str); + DOMDocument *doc = XMLToolingConfig::getConfig().getParser().parse(istream); + const XMLObjectBuilder *b = XMLObjectBuilder::getBuilder(doc->getDocumentElement()); + resolver->addToken(b->buildFromDocument(doc)); + gss_release_buffer(&minor, &value); + } +#endif /* HAVE_OPENSAML */ try { resolver->resolve(); -- 2.1.4
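Review bot: The `#else` branch in the third util_shib.cpp hunk feeds an assertion received as a RADIUS attribute straight into the XML parser with no error handling: a parse failure throws out of `initWithGssContext` and leaks `value`, and `XMLObjectBuilder::getBuilder()` returning NULL (as it does in xmltooling for an element with no registered builder, as far as I know) would dereference a null `b`. Because this data arrives from the network, I'd also confirm that the parser obtained from `XMLToolingConfig::getConfig().getParser()` is the one with external entity resolution disabled, and note in a comment that, unlike the `HAVE_OPENSAML` path, nothing here validates the assertion before it is handed to the resolver (whether the resolver does so is not visible in this hunk). The local named `istream` shadows `std::istream` under the file's `using namespace std;`, which is legal but confusing; the rewrite below renames it, guards the builder, and keeps the buffer release on every path. If the document returned by `parse()` is caller-owned when it is not passed to `buildFromDocument`, the NULL-builder branch has to release it as shown.
```cpp
    /* If no OpenSAML, parse the XML assertion explicitly */
    const gss_eap_radius_attr_provider *radius;
    int authenticated, complete;
    gss_buffer_desc value = GSS_C_EMPTY_BUFFER;

    radius = static_cast<const gss_eap_radius_attr_provider *>
        (m_manager->getProvider(ATTR_TYPE_RADIUS));
    if (radius != NULL &&
        radius->getFragmentedAttribute(PW_SAML_AAA_ASSERTION,
                                       VENDORPEC_UKERNA,
                                       &authenticated, &complete, &value)) {
        try {
            string str(static_cast<const char *>(value.value), value.length);
            istringstream assertionStream(str);
            DOMDocument *doc = XMLToolingConfig::getConfig().getParser().parse(assertionStream);
            const XMLObjectBuilder *b = XMLObjectBuilder::getBuilder(doc->getDocumentElement());
            if (b != NULL)
                resolver->addToken(b->buildFromDocument(doc));
            else
                doc->release();
        } catch (exception &) {
            /* Malformed or unsupported assertion: resolve without the token rather than
             * propagating a parser exception out of the GSS-API call. */
        }
        gss_release_buffer(&minor, &value);
    }
    // … unchanged: #endif /* HAVE_OPENSAML */ and the resolver->resolve() try block …
```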