saml/saml2/binding/impl/SAML2SOAPClient.cpp

   1 /*
   2  *  Copyright 2001-2009 Internet2
   3  *
   4  * Licensed under the Apache License, Version 2.0 (the "License");
   5  * you may not use this file except in compliance with the License.
   6  * You may obtain a copy of the License at
   7  *
   8  *     http://www.apache.org/licenses/LICENSE-2.0
   9  *
  10  * Unless required by applicable law or agreed to in writing, software
  11  * distributed under the License is distributed on an "AS IS" BASIS,
  12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  13  * See the License for the specific language governing permissions and
  14  * limitations under the License.
  15  */
  16
  17 /**
  18  * SAML2SOAPClient.cpp
  19  *
  20  * Specialized SOAPClient for SAML 2.0 SOAP binding.
  21  */
  22
  23 #include "internal.h"
  24 #include "exceptions.h"
  25 #include "binding/SecurityPolicy.h"
  26 #include "binding/SOAPClient.h"
  27 #include "saml2/binding/SAML2SOAPClient.h"
  28 #include "saml2/core/Protocols.h"
  29 #include "saml2/metadata/Metadata.h"
  30 #include "saml2/metadata/MetadataProvider.h"
  31
  32 #include <xmltooling/logging.h>
  33 #include <xmltooling/soap/SOAP.h>
  34
  35 using namespace opensaml::saml2;
  36 using namespace opensaml::saml2p;
  37 using namespace opensaml::saml2md;
  38 using namespace opensaml;
  39 using namespace soap11;
  40 using namespace xmltooling::logging;
  41 using namespace xmltooling;
  42 using namespace std;
  43
  44 SAML2SOAPClient::SAML2SOAPClient(opensaml::SOAPClient& soaper, bool fatalSAMLErrors)
  45     : m_soaper(soaper), m_fatal(fatalSAMLErrors), m_correlate(NULL)
  46 {
  47 }
  48
  49 SAML2SOAPClient::~SAML2SOAPClient()
  50 {
  51     XMLString::release(&m_correlate);
  52 }
  53
  54 void SAML2SOAPClient::sendSAML(RequestAbstractType* request, const char* from, MetadataCredentialCriteria& to, const char* endpoint)
  55 {
  56     auto_ptr<Envelope> env(EnvelopeBuilder::buildEnvelope());
  57     Body* body = BodyBuilder::buildBody();
  58     env->setBody(body);
  59     body->getUnknownXMLObjects().push_back(request);
  60     m_soaper.send(*env.get(), from, to, endpoint);
  61     m_correlate = XMLString::replicate(request->getID());
  62 }
  63
  64 StatusResponseType* SAML2SOAPClient::receiveSAML()
  65 {
  66     auto_ptr<Envelope> env(m_soaper.receive());
  67     if (env.get()) {
  68         Body* body = env->getBody();
  69         if (body && body->hasChildren()) {
  70             // Check for SAML Response.
  71             StatusResponseType* response = dynamic_cast<StatusResponseType*>(body->getUnknownXMLObjects().front());
  72             if (response) {
  73                 // Check InResponseTo.
  74                 if (m_correlate && response->getInResponseTo() && !XMLString::equals(m_correlate, response->getInResponseTo()))
  75                     throw SecurityPolicyException("InResponseTo attribute did not correlate with the Request ID.");
  76
  77                 SecurityPolicy& policy = m_soaper.getPolicy();
  78                 policy.reset(true);
  79
  80                 // Extract Response details.
  81                 policy.setMessageID(response->getID());
  82                 policy.setIssueInstant(response->getIssueInstantEpoch());
  83
  84                 // Extract and re-verify Issuer if present.
  85                 const Issuer* issuer = response->getIssuer();
  86                 if (issuer)
  87                     policy.setIssuer(issuer);   // This will throw if it conflicts with the known peer identity.
  88
  89                 // Now run the policy.
  90                 policy.evaluate(*response);
  91
  92                 // Check Status.
  93                 Status* status = response->getStatus();
  94                 if (status) {
  95                     const XMLCh* code = status->getStatusCode() ? status->getStatusCode()->getValue() : NULL;
  96                     if (code && !XMLString::equals(code,StatusCode::SUCCESS) && handleError(*status)) {
  97                         BindingException ex("SAML response contained an error.");
  98                         annotateException(&ex, policy.getIssuerMetadata(), status);   // throws it
  99                     }
 100                 }
 101
 102                 env.release();
 103                 body->detach(); // frees Envelope
 104                 response->detach();   // frees Body
 105                 return response;
 106             }
 107         }
 108
 109         BindingException ex("SOAP Envelope did not contain a SAML Response or a Fault.");
 110         if (m_soaper.getPolicy().getIssuerMetadata())
 111             annotateException(&ex, m_soaper.getPolicy().getIssuerMetadata());   // throws it
 112         else
 113             ex.raise();
 114     }
 115     return NULL;
 116 }
 117
 118 bool SAML2SOAPClient::handleError(const Status& status)
 119 {
 120     auto_ptr_char code((status.getStatusCode() ? status.getStatusCode()->getValue() : NULL));
 121     auto_ptr_char str((status.getStatusMessage() ? status.getStatusMessage()->getMessage() : NULL));
 122     Category::getInstance(SAML_LOGCAT".SOAPClient").error(
 123         "SOAP client detected a SAML error: (%s) (%s)",
 124         (code.get() ? code.get() : "no code"),
 125         (str.get() ? str.get() : "no message")
 126         );
 127     return m_fatal;
 128 }