2 * Copyright 2001-2009 Internet2
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
8 * http://www.apache.org/licenses/LICENSE-2.0
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
18 * AbstractMetadataProvider.cpp
20 * Base class for caching metadata providers.
24 #include "binding/SAMLArtifact.h"
25 #include "saml2/metadata/Metadata.h"
26 #include "saml2/metadata/AbstractMetadataProvider.h"
27 #include "saml2/metadata/MetadataCredentialContext.h"
28 #include "saml2/metadata/MetadataCredentialCriteria.h"
30 #include <xercesc/util/XMLUniDefs.hpp>
31 #include <xmltooling/XMLToolingConfig.h>
32 #include <xmltooling/security/Credential.h>
33 #include <xmltooling/security/KeyInfoResolver.h>
34 #include <xmltooling/util/XMLHelper.h>
36 using namespace opensaml::saml2md;
37 using namespace xmltooling;
39 using opensaml::SAMLArtifact;
41 static const XMLCh _KeyInfoResolver[] = UNICODE_LITERAL_15(K,e,y,I,n,f,o,R,e,s,o,l,v,e,r);
42 static const XMLCh type[] = UNICODE_LITERAL_4(t,y,p,e);
44 AbstractMetadataProvider::AbstractMetadataProvider(const DOMElement* e)
45 : ObservableMetadataProvider(e), m_resolver(NULL), m_credentialLock(NULL)
47 e = e ? XMLHelper::getFirstChildElement(e, _KeyInfoResolver) : NULL;
49 auto_ptr_char t(e->getAttributeNS(NULL,type));
51 m_resolver = XMLToolingConfig::getConfig().KeyInfoResolverManager.newPlugin(t.get(),e);
53 throw UnknownExtensionException("<KeyInfoResolver> element found with no type attribute");
55 m_credentialLock = Mutex::create();
58 AbstractMetadataProvider::~AbstractMetadataProvider()
60 for (credmap_t::iterator c = m_credentialMap.begin(); c!=m_credentialMap.end(); ++c)
61 for_each(c->second.begin(), c->second.end(), xmltooling::cleanup<Credential>());
62 delete m_credentialLock;
66 void AbstractMetadataProvider::emitChangeEvent() const
68 for (credmap_t::iterator c = m_credentialMap.begin(); c!=m_credentialMap.end(); ++c)
69 for_each(c->second.begin(), c->second.end(), xmltooling::cleanup<Credential>());
70 m_credentialMap.clear();
71 ObservableMetadataProvider::emitChangeEvent();
74 void AbstractMetadataProvider::index(EntityDescriptor* site, time_t validUntil, bool replace) const
76 if (validUntil < site->getValidUntilEpoch())
77 site->setValidUntil(validUntil);
79 auto_ptr_char id(site->getEntityID());
82 m_sites.erase(id.get());
83 for (sitemap_t::iterator s = m_sources.begin(); s != m_sources.end();) {
84 if (s->second == site) {
85 sitemap_t::iterator temp = s;
87 m_sources.erase(temp);
94 m_sites.insert(sitemap_t::value_type(id.get(),site));
97 // Process each IdP role.
98 const vector<IDPSSODescriptor*>& roles=const_cast<const EntityDescriptor*>(site)->getIDPSSODescriptors();
99 for (vector<IDPSSODescriptor*>::const_iterator i=roles.begin(); i!=roles.end(); i++) {
101 if ((*i)->hasSupport(samlconstants::SAML10_PROTOCOL_ENUM) || (*i)->hasSupport(samlconstants::SAML11_PROTOCOL_ENUM)) {
102 // Check for SourceID extension element.
103 const Extensions* exts=(*i)->getExtensions();
104 if (exts && exts->hasChildren()) {
105 const vector<XMLObject*>& children=exts->getUnknownXMLObjects();
106 for (vector<XMLObject*>::const_iterator ext=children.begin(); ext!=children.end(); ++ext) {
107 SourceID* sid=dynamic_cast<SourceID*>(*ext);
109 auto_ptr_char sourceid(sid->getID());
110 if (sourceid.get()) {
111 m_sources.insert(sitemap_t::value_type(sourceid.get(),site));
119 m_sources.insert(sitemap_t::value_type(SAMLConfig::getConfig().hashSHA1(id.get(), true),site));
121 // Load endpoints for type 0x0002 artifacts.
122 const vector<ArtifactResolutionService*>& locs=const_cast<const IDPSSODescriptor*>(*i)->getArtifactResolutionServices();
123 for (vector<ArtifactResolutionService*>::const_iterator loc=locs.begin(); loc!=locs.end(); loc++) {
124 auto_ptr_char location((*loc)->getLocation());
126 m_sources.insert(sitemap_t::value_type(location.get(),site));
131 if ((*i)->hasSupport(samlconstants::SAML20P_NS)) {
133 m_sources.insert(sitemap_t::value_type(SAMLConfig::getConfig().hashSHA1(id.get(), true),site));
138 void AbstractMetadataProvider::index(EntitiesDescriptor* group, time_t validUntil) const
140 if (validUntil < group->getValidUntilEpoch())
141 group->setValidUntil(validUntil);
143 auto_ptr_char name(group->getName());
145 m_groups.insert(groupmap_t::value_type(name.get(),group));
148 const vector<EntitiesDescriptor*>& groups=const_cast<const EntitiesDescriptor*>(group)->getEntitiesDescriptors();
149 for (vector<EntitiesDescriptor*>::const_iterator i=groups.begin(); i!=groups.end(); i++)
150 index(*i,group->getValidUntilEpoch());
152 const vector<EntityDescriptor*>& sites=const_cast<const EntitiesDescriptor*>(group)->getEntityDescriptors();
153 for (vector<EntityDescriptor*>::const_iterator j=sites.begin(); j!=sites.end(); j++)
154 index(*j,group->getValidUntilEpoch());
157 void AbstractMetadataProvider::clearDescriptorIndex(bool freeSites)
160 for_each(m_sites.begin(), m_sites.end(), cleanup_const_pair<string,EntityDescriptor>());
166 const EntitiesDescriptor* AbstractMetadataProvider::getEntitiesDescriptor(const char* name, bool strict) const
168 pair<groupmap_t::const_iterator,groupmap_t::const_iterator> range=const_cast<const groupmap_t&>(m_groups).equal_range(name);
170 time_t now=time(NULL);
171 for (groupmap_t::const_iterator i=range.first; i!=range.second; i++)
172 if (now < i->second->getValidUntilEpoch())
175 if (!strict && range.first!=range.second)
176 return range.first->second;
181 pair<const EntityDescriptor*,const RoleDescriptor*> AbstractMetadataProvider::getEntityDescriptor(const Criteria& criteria) const
183 pair<sitemap_t::const_iterator,sitemap_t::const_iterator> range;
184 if (criteria.entityID_ascii)
185 range = const_cast<const sitemap_t&>(m_sites).equal_range(criteria.entityID_ascii);
186 else if (criteria.entityID_unicode) {
187 auto_ptr_char id(criteria.entityID_unicode);
188 range = const_cast<const sitemap_t&>(m_sites).equal_range(id.get());
190 else if (criteria.artifact)
191 range = const_cast<const sitemap_t&>(m_sources).equal_range(criteria.artifact->getSource());
193 return pair<const EntityDescriptor*,const RoleDescriptor*>(NULL,NULL);
195 pair<const EntityDescriptor*,const RoleDescriptor*> result;
197 result.second = NULL;
199 time_t now=time(NULL);
200 for (sitemap_t::const_iterator i=range.first; i!=range.second; i++) {
201 if (now < i->second->getValidUntilEpoch()) {
202 result.first = i->second;
207 if (!result.first && !criteria.validOnly && range.first!=range.second)
208 result.first = range.first->second;
210 if (result.first && criteria.role) {
211 result.second = result.first->getRoleDescriptor(*criteria.role, criteria.protocol);
212 if (!result.second && criteria.protocol2)
213 result.second = result.first->getRoleDescriptor(*criteria.role, criteria.protocol2);
219 const Credential* AbstractMetadataProvider::resolve(const CredentialCriteria* criteria) const
221 const MetadataCredentialCriteria* metacrit = dynamic_cast<const MetadataCredentialCriteria*>(criteria);
223 throw MetadataException("Cannot resolve credentials without a MetadataCredentialCriteria object.");
225 Lock lock(m_credentialLock);
226 const credmap_t::mapped_type& creds = resolveCredentials(metacrit->getRole());
228 for (credmap_t::mapped_type::const_iterator c = creds.begin(); c!=creds.end(); ++c)
229 if (metacrit->matches(*(*c)))
234 vector<const Credential*>::size_type AbstractMetadataProvider::resolve(
235 vector<const Credential*>& results, const CredentialCriteria* criteria
238 const MetadataCredentialCriteria* metacrit = dynamic_cast<const MetadataCredentialCriteria*>(criteria);
240 throw MetadataException("Cannot resolve credentials without a MetadataCredentialCriteria object.");
242 Lock lock(m_credentialLock);
243 const credmap_t::mapped_type& creds = resolveCredentials(metacrit->getRole());
245 for (credmap_t::mapped_type::const_iterator c = creds.begin(); c!=creds.end(); ++c)
246 if (metacrit->matches(*(*c)))
247 results.push_back(*c);
248 return results.size();
251 const AbstractMetadataProvider::credmap_t::mapped_type& AbstractMetadataProvider::resolveCredentials(const RoleDescriptor& role) const
253 credmap_t::const_iterator i = m_credentialMap.find(&role);
254 if (i!=m_credentialMap.end())
257 const KeyInfoResolver* resolver = m_resolver ? m_resolver : XMLToolingConfig::getConfig().getKeyInfoResolver();
258 const vector<KeyDescriptor*>& keys = role.getKeyDescriptors();
259 AbstractMetadataProvider::credmap_t::mapped_type& resolved = m_credentialMap[&role];
260 for (vector<KeyDescriptor*>::const_iterator k = keys.begin(); k!=keys.end(); ++k) {
261 if ((*k)->getKeyInfo()) {
262 auto_ptr<MetadataCredentialContext> mcc(new MetadataCredentialContext(*(*k)));
263 Credential* c = resolver->resolve(mcc.get());
265 resolved.push_back(c);