2 * Copyright 2001-2009 Internet2
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
8 * http://www.apache.org/licenses/LICENSE-2.0
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
18 * AbstractMetadataProvider.cpp
20 * Base class for caching metadata providers.
24 #include "binding/SAMLArtifact.h"
25 #include "saml2/metadata/Metadata.h"
26 #include "saml2/metadata/AbstractMetadataProvider.h"
27 #include "saml2/metadata/MetadataCredentialContext.h"
28 #include "saml2/metadata/MetadataCredentialCriteria.h"
30 #include <xercesc/util/XMLUniDefs.hpp>
31 #include <xmltooling/XMLToolingConfig.h>
32 #include <xmltooling/security/Credential.h>
33 #include <xmltooling/security/KeyInfoResolver.h>
34 #include <xmltooling/security/SecurityHelper.h>
35 #include <xmltooling/util/Threads.h>
36 #include <xmltooling/util/XMLHelper.h>
38 using namespace opensaml::saml2md;
39 using namespace xmltooling;
41 using opensaml::SAMLArtifact;
43 static const XMLCh _KeyInfoResolver[] = UNICODE_LITERAL_15(K,e,y,I,n,f,o,R,e,s,o,l,v,e,r);
44 static const XMLCh type[] = UNICODE_LITERAL_4(t,y,p,e);
46 AbstractMetadataProvider::AbstractMetadataProvider(const DOMElement* e)
47 : ObservableMetadataProvider(e), m_resolver(NULL), m_credentialLock(NULL)
49 e = e ? XMLHelper::getFirstChildElement(e, _KeyInfoResolver) : NULL;
51 auto_ptr_char t(e->getAttributeNS(NULL,type));
53 m_resolver = XMLToolingConfig::getConfig().KeyInfoResolverManager.newPlugin(t.get(),e);
55 throw UnknownExtensionException("<KeyInfoResolver> element found with no type attribute");
57 m_credentialLock = Mutex::create();
60 AbstractMetadataProvider::~AbstractMetadataProvider()
62 for (credmap_t::iterator c = m_credentialMap.begin(); c!=m_credentialMap.end(); ++c)
63 for_each(c->second.begin(), c->second.end(), xmltooling::cleanup<Credential>());
64 delete m_credentialLock;
68 void AbstractMetadataProvider::emitChangeEvent() const
70 for (credmap_t::iterator c = m_credentialMap.begin(); c!=m_credentialMap.end(); ++c)
71 for_each(c->second.begin(), c->second.end(), xmltooling::cleanup<Credential>());
72 m_credentialMap.clear();
73 ObservableMetadataProvider::emitChangeEvent();
76 void AbstractMetadataProvider::index(EntityDescriptor* site, time_t validUntil, bool replace) const
78 if (validUntil < site->getValidUntilEpoch())
79 site->setValidUntil(validUntil);
81 auto_ptr_char id(site->getEntityID());
84 m_sites.erase(id.get());
85 for (sitemap_t::iterator s = m_sources.begin(); s != m_sources.end();) {
86 if (s->second == site) {
87 sitemap_t::iterator temp = s;
89 m_sources.erase(temp);
96 m_sites.insert(sitemap_t::value_type(id.get(),site));
99 // Process each IdP role.
100 const vector<IDPSSODescriptor*>& roles=const_cast<const EntityDescriptor*>(site)->getIDPSSODescriptors();
101 for (vector<IDPSSODescriptor*>::const_iterator i=roles.begin(); i!=roles.end(); i++) {
103 if ((*i)->hasSupport(samlconstants::SAML10_PROTOCOL_ENUM) || (*i)->hasSupport(samlconstants::SAML11_PROTOCOL_ENUM)) {
104 // Check for SourceID extension element.
105 const Extensions* exts=(*i)->getExtensions();
106 if (exts && exts->hasChildren()) {
107 const vector<XMLObject*>& children=exts->getUnknownXMLObjects();
108 for (vector<XMLObject*>::const_iterator ext=children.begin(); ext!=children.end(); ++ext) {
109 SourceID* sid=dynamic_cast<SourceID*>(*ext);
111 auto_ptr_char sourceid(sid->getID());
112 if (sourceid.get()) {
113 m_sources.insert(sitemap_t::value_type(sourceid.get(),site));
121 m_sources.insert(sitemap_t::value_type(SecurityHelper::doHash("SHA1", id.get(), strlen(id.get())),site));
123 // Load endpoints for type 0x0002 artifacts.
124 const vector<ArtifactResolutionService*>& locs=const_cast<const IDPSSODescriptor*>(*i)->getArtifactResolutionServices();
125 for (vector<ArtifactResolutionService*>::const_iterator loc=locs.begin(); loc!=locs.end(); loc++) {
126 auto_ptr_char location((*loc)->getLocation());
128 m_sources.insert(sitemap_t::value_type(location.get(),site));
133 if ((*i)->hasSupport(samlconstants::SAML20P_NS)) {
135 m_sources.insert(sitemap_t::value_type(SecurityHelper::doHash("SHA1", id.get(), strlen(id.get())),site));
140 void AbstractMetadataProvider::index(EntitiesDescriptor* group, time_t validUntil) const
142 if (validUntil < group->getValidUntilEpoch())
143 group->setValidUntil(validUntil);
145 auto_ptr_char name(group->getName());
147 m_groups.insert(groupmap_t::value_type(name.get(),group));
150 const vector<EntitiesDescriptor*>& groups=const_cast<const EntitiesDescriptor*>(group)->getEntitiesDescriptors();
151 for (vector<EntitiesDescriptor*>::const_iterator i=groups.begin(); i!=groups.end(); i++)
152 index(*i,group->getValidUntilEpoch());
154 const vector<EntityDescriptor*>& sites=const_cast<const EntitiesDescriptor*>(group)->getEntityDescriptors();
155 for (vector<EntityDescriptor*>::const_iterator j=sites.begin(); j!=sites.end(); j++)
156 index(*j,group->getValidUntilEpoch());
159 void AbstractMetadataProvider::clearDescriptorIndex(bool freeSites)
162 for_each(m_sites.begin(), m_sites.end(), cleanup_const_pair<string,EntityDescriptor>());
168 const EntitiesDescriptor* AbstractMetadataProvider::getEntitiesDescriptor(const char* name, bool strict) const
170 pair<groupmap_t::const_iterator,groupmap_t::const_iterator> range=const_cast<const groupmap_t&>(m_groups).equal_range(name);
172 time_t now=time(NULL);
173 for (groupmap_t::const_iterator i=range.first; i!=range.second; i++)
174 if (now < i->second->getValidUntilEpoch())
177 if (!strict && range.first!=range.second)
178 return range.first->second;
183 pair<const EntityDescriptor*,const RoleDescriptor*> AbstractMetadataProvider::getEntityDescriptor(const Criteria& criteria) const
185 pair<sitemap_t::const_iterator,sitemap_t::const_iterator> range;
186 if (criteria.entityID_ascii)
187 range = const_cast<const sitemap_t&>(m_sites).equal_range(criteria.entityID_ascii);
188 else if (criteria.entityID_unicode) {
189 auto_ptr_char id(criteria.entityID_unicode);
190 range = const_cast<const sitemap_t&>(m_sites).equal_range(id.get());
192 else if (criteria.artifact)
193 range = const_cast<const sitemap_t&>(m_sources).equal_range(criteria.artifact->getSource());
195 return pair<const EntityDescriptor*,const RoleDescriptor*>(NULL,NULL);
197 pair<const EntityDescriptor*,const RoleDescriptor*> result;
199 result.second = NULL;
201 time_t now=time(NULL);
202 for (sitemap_t::const_iterator i=range.first; i!=range.second; i++) {
203 if (now < i->second->getValidUntilEpoch()) {
204 result.first = i->second;
209 if (!result.first && !criteria.validOnly && range.first!=range.second)
210 result.first = range.first->second;
212 if (result.first && criteria.role) {
213 result.second = result.first->getRoleDescriptor(*criteria.role, criteria.protocol);
214 if (!result.second && criteria.protocol2)
215 result.second = result.first->getRoleDescriptor(*criteria.role, criteria.protocol2);
221 const Credential* AbstractMetadataProvider::resolve(const CredentialCriteria* criteria) const
223 const MetadataCredentialCriteria* metacrit = dynamic_cast<const MetadataCredentialCriteria*>(criteria);
225 throw MetadataException("Cannot resolve credentials without a MetadataCredentialCriteria object.");
227 Lock lock(m_credentialLock);
228 const credmap_t::mapped_type& creds = resolveCredentials(metacrit->getRole());
230 for (credmap_t::mapped_type::const_iterator c = creds.begin(); c!=creds.end(); ++c)
231 if (metacrit->matches(*(*c)))
236 vector<const Credential*>::size_type AbstractMetadataProvider::resolve(
237 vector<const Credential*>& results, const CredentialCriteria* criteria
240 const MetadataCredentialCriteria* metacrit = dynamic_cast<const MetadataCredentialCriteria*>(criteria);
242 throw MetadataException("Cannot resolve credentials without a MetadataCredentialCriteria object.");
244 Lock lock(m_credentialLock);
245 const credmap_t::mapped_type& creds = resolveCredentials(metacrit->getRole());
247 for (credmap_t::mapped_type::const_iterator c = creds.begin(); c!=creds.end(); ++c)
248 if (metacrit->matches(*(*c)))
249 results.push_back(*c);
250 return results.size();
253 const AbstractMetadataProvider::credmap_t::mapped_type& AbstractMetadataProvider::resolveCredentials(const RoleDescriptor& role) const
255 credmap_t::const_iterator i = m_credentialMap.find(&role);
256 if (i!=m_credentialMap.end())
259 const KeyInfoResolver* resolver = m_resolver ? m_resolver : XMLToolingConfig::getConfig().getKeyInfoResolver();
260 const vector<KeyDescriptor*>& keys = role.getKeyDescriptors();
261 AbstractMetadataProvider::credmap_t::mapped_type& resolved = m_credentialMap[&role];
262 for (vector<KeyDescriptor*>::const_iterator k = keys.begin(); k!=keys.end(); ++k) {
263 if ((*k)->getKeyInfo()) {
264 auto_ptr<MetadataCredentialContext> mcc(new MetadataCredentialContext(*(*k)));
265 Credential* c = resolver->resolve(mcc.get());
267 resolved.push_back(c);