2 * Licensed to the University Corporation for Advanced Internet
3 * Development, Inc. (UCAID) under one or more contributor license
4 * agreements. See the NOTICE file distributed with this work for
5 * additional information regarding copyright ownership.
7 * UCAID licenses this file to you under the Apache License,
8 * Version 2.0 (the "License"); you may not use this file except
9 * in compliance with the License. You may obtain a copy of the
12 * http://www.apache.org/licenses/LICENSE-2.0
14 * Unless required by applicable law or agreed to in writing,
15 * software distributed under the License is distributed on an
16 * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND,
17 * either express or implied. See the License for the specific
18 * language governing permissions and limitations under the License.
22 * ChainingMetadataProvider.cpp
24 * MetadataProvider that uses multiple providers in sequence.
28 #include "exceptions.h"
29 #include "saml/binding/SAMLArtifact.h"
30 #include "saml2/metadata/Metadata.h"
31 #include "saml2/metadata/DiscoverableMetadataProvider.h"
32 #include "saml2/metadata/ObservableMetadataProvider.h"
33 #include "saml2/metadata/MetadataCredentialCriteria.h"
37 #include <boost/bind.hpp>
38 #include <boost/ptr_container/ptr_vector.hpp>
39 #include <xercesc/util/XMLUniDefs.hpp>
40 #include <xmltooling/logging.h>
41 #include <xmltooling/util/Threads.h>
42 #include <xmltooling/util/XMLHelper.h>
45 using namespace opensaml::saml2md;
46 using namespace opensaml;
47 using namespace xmlsignature;
48 using namespace xmltooling::logging;
49 using namespace xmltooling;
50 using namespace boost;
56 // per-thread structure allocated to track locks and role->provider mappings
57 struct SAML_DLLLOCAL tracker_t;
// Chains several MetadataProvider plugins and consults them in configuration
// order (first match wins unless precedence="last" is configured).
// Locking model: lock() on the chain is a no-op; each lookup locks only the
// underlying providers it touches and records them in a per-thread tracker_t,
// which unlock() releases. Since the tracker lives in thread-local storage, a
// role obtained from a lookup must be passed to resolve() on the same thread.
59 class SAML_DLLLOCAL ChainingMetadataProvider
60 : public DiscoverableMetadataProvider, public ObservableMetadataProvider, public ObservableMetadataProvider::Observer {
62 ChainingMetadataProvider(const xercesc::DOMElement* e=nullptr);
63 virtual ~ChainingMetadataProvider();
65 using MetadataProvider::getEntityDescriptor;
66 using MetadataProvider::getEntitiesDescriptor;
70 void setContext(const MetadataFilterContext*);
72 void outputStatus(ostream&) const;
// getMetadata is not supported by the chain and throws (see the definition below).
73 const XMLObject* getMetadata() const;
74 const EntitiesDescriptor* getEntitiesDescriptor(const char*, bool requireValidMetadata=true) const;
75 pair<const EntityDescriptor*,const RoleDescriptor*> getEntityDescriptor(const Criteria&) const;
// Both resolve() overloads require a MetadataCredentialCriteria whose role came
// from a lookup on this thread; anything else throws MetadataException.
77 const Credential* resolve(const CredentialCriteria* criteria=nullptr) const;
78 vector<const Credential*>::size_type resolve(vector<const Credential*>&, const CredentialCriteria* criteria=nullptr) const;
// Cache tag of the discovery feed, read under m_trackerLock because onEvent()
// may rewrite it concurrently. The return statement is not shown in this
// listing; presumably returns m_feedTag.
80 string getCacheTag() const {
81 Lock lock(m_trackerLock);
// Concatenates the feeds of every chained provider that is itself
// Discoverable; wrapArray=false is passed down, presumably so that only the
// outermost call wraps the output. The null check on d and the per-provider
// lock are at lines not shown in this listing -- confirm a non-discoverable
// provider is skipped rather than dereferenced.
85 void outputFeed(ostream& os, bool& first, bool wrapArray=true) const {
88 // Lock each provider in turn and suck in its feed.
89 for (ptr_vector<MetadataProvider>::iterator m = m_providers.begin(); m != m_providers.end(); ++m) {
90 DiscoverableMetadataProvider* d = dynamic_cast<DiscoverableMetadataProvider*>(&(*m));
93 d->outputFeed(os, first, false);
// Observer callback: any change in a chained provider invalidates the feed's
// cache tag. The tag is 4 random bytes, hex-encoded; it only has to differ
// from the previous value for cache validation and is not used as a secret.
100 void onEvent(const ObservableMetadataProvider& provider) const {
101 // Reset the cache tag for the feed.
102 Lock lock(m_trackerLock);
103 SAMLConfig::getConfig().generateRandomBytes(m_feedTag, 4);
104 m_feedTag = SAMLArtifact::toHex(m_feedTag);
// Body not shown in this listing.
109 void generateFeed() {
// Guards m_trackers and m_feedTag.
115 mutable auto_ptr<Mutex> m_trackerLock;
// Per-thread tracker_t*; tracker_cleanup is registered as its destructor (see the constructor).
116 auto_ptr<ThreadKey> m_tlsKey;
// Owns the chained providers, in configuration order.
117 mutable ptr_vector<MetadataProvider> m_providers;
// Every live tracker, so the destructor can free them.
118 mutable set<tracker_t*> m_trackers;
119 static void tracker_cleanup(void*);
121 friend struct tracker_t;
// Per-thread bookkeeping for one ChainingMetadataProvider: which providers the
// thread currently holds locked, and which provider each returned
// EntityDescriptor came from (so resolve() can route credential lookups back
// to the right provider). Created lazily by the lookup methods and stored in
// m_tlsKey; registered in m_trackers so the parent can free it.
124 struct SAML_DLLLOCAL tracker_t {
125 tracker_t(const ChainingMetadataProvider* m) : m_metadata(m) {
126 Lock lock(m_metadata->m_trackerLock);
127 m_metadata->m_trackers.insert(this);
// Locks m only if this thread does not already hold it; the lock call and the
// insert into m_locked are at lines not shown in this listing.
130 void lock_if(MetadataProvider* m) {
131 if (m_locked.count(m) == 0)
// Counterpart of lock_if: body continues at lines not shown; presumably
// unlocks m and drops it from m_locked only when it is actually held.
135 void unlock_if(MetadataProvider* m) {
136 if (m_locked.count(m) == 0)
// Maps the EntityDescriptor to the provider it came from for later
// getProvider() lookups; the preceding lines (presumably recording m as held
// and guarding a null entity) are not shown in this listing.
140 void remember(MetadataProvider* m, const EntityDescriptor* entity=nullptr) {
143 m_objectMap.insert(pair<const XMLObject*,const MetadataProvider*>(entity,m));
// Finds the provider that supplied the entity owning this role, keyed on the
// role's parent object; nullptr if the role was not produced by a lookup on
// this thread.
146 const MetadataProvider* getProvider(const RoleDescriptor& role) {
147 map<const XMLObject*,const MetadataProvider*>::const_iterator i = m_objectMap.find(role.getParent());
148 return (i != m_objectMap.end()) ? i->second : nullptr;
// Parent chain; its m_trackerLock guards m_trackers.
151 const ChainingMetadataProvider* m_metadata;
// Providers this thread has locked and not yet released.
152 set<MetadataProvider*> m_locked;
// EntityDescriptor -> provider it was obtained from.
153 map<const XMLObject*,const MetadataProvider*> m_objectMap;
MetadataProvider* SAML_DLLLOCAL ChainingMetadataProviderFactory(const DOMElement* const & e)
{
    // Plugin factory entry point; ownership of the new provider passes to the caller.
    return new ChainingMetadataProvider(e);
}
// UTF-16 literals for the configuration XML consumed by the constructor:
// <MetadataProvider> child elements, their type attribute, and the chain's
// precedence attribute whose value "last" switches to last-match semantics.
161 static const XMLCh _MetadataProvider[] = UNICODE_LITERAL_16(M,e,t,a,d,a,t,a,P,r,o,v,i,d,e,r);
162 static const XMLCh precedence[] = UNICODE_LITERAL_10(p,r,e,c,e,d,e,n,c,e);
163 static const XMLCh last[] = UNICODE_LITERAL_4(l,a,s,t);
164 static const XMLCh _type[] = UNICODE_LITERAL_4(t,y,p,e);
// Thread-exit hook registered with m_tlsKey; ptr is the exiting thread's tracker_t.
// Takes the parent's lock because the destructor and other threads mutate
// m_trackers concurrently. Nothing visible here releases providers still listed
// in t->m_locked; a thread is expected to have called unlock() before exiting --
// confirm at the lines not shown in this listing.
168 void ChainingMetadataProvider::tracker_cleanup(void* ptr)
171 // free the tracker after removing it from the parent plugin's tracker set
172 tracker_t* t = reinterpret_cast<tracker_t*>(ptr);
173 Lock lock(t->m_metadata->m_trackerLock);
174 t->m_metadata->m_trackers.erase(t);
// Builds the chain from configuration: precedence="last" selects last-match
// semantics (default is first match), then one plugin is instantiated per
// <MetadataProvider> child element using its type attribute. The enclosing
// loop and try are at lines not shown in this listing.
179 ChainingMetadataProvider::ChainingMetadataProvider(const DOMElement* e)
180 : ObservableMetadataProvider(e), m_firstMatch(true), m_trackerLock(Mutex::create()), m_tlsKey(ThreadKey::create(tracker_cleanup)),
181 m_log(Category::getInstance(SAML_LOGCAT ".Metadata.Chaining"))
183 if (XMLString::equals(e ? e->getAttributeNS(nullptr, precedence) : nullptr, last))
184 m_firstMatch = false;
186 e = XMLHelper::getFirstChildElement(e, _MetadataProvider);
188 string t = XMLHelper::getAttrString(e, nullptr, _type);
191 m_log.info("building MetadataProvider of type %s", t.c_str());
192 auto_ptr<MetadataProvider> provider(SAMLConfig::getConfig().MetadataProviderManager.newPlugin(t.c_str(), e));
// Chained providers that emit change events report to this chain so the feed
// cache tag is reset (see onEvent); the null check on obs is at a line not shown.
193 ObservableMetadataProvider* obs = dynamic_cast<ObservableMetadataProvider*>(provider.get());
195 obs->addObserver(this);
// ptr_vector takes ownership here; the auto_ptr must be released at the line
// not shown immediately after, otherwise the provider would be freed twice.
196 m_providers.push_back(provider.get());
// NOTE(review): a provider that fails to build is logged and skipped, and the
// loop moves on to the next element, so a misconfigured metadata source
// narrows the set of trusted entities instead of failing startup.
199 catch (std::exception& ex) {
200 m_log.error("error building MetadataProvider: %s", ex.what());
204 m_log.error("MetadataProvider element missing type attribute");
206 e = XMLHelper::getNextSiblingElement(e, _MetadataProvider);
ChainingMetadataProvider::~ChainingMetadataProvider()
{
    // Destroy the thread key first: in a single-threaded (command line) run its
    // cleanup callback would otherwise touch trackers we are about to delete.
    m_tlsKey.reset();
    // Whatever trackers remain registered are owned by us now; free them.
    for (set<tracker_t*>::iterator t = m_trackers.begin(); t != m_trackers.end(); ++t)
        delete *t;
}
void ChainingMetadataProvider::setContext(const MetadataFilterContext* ctx)
{
    // Propagate the filter context to every chained provider, in order.
    for (ptr_vector<MetadataProvider>::iterator i = m_providers.begin(); i != m_providers.end(); ++i)
        i->setContext(ctx);
}
// Initializes each chained provider in turn (the init() call itself and the try
// are at lines not shown), logging any failure at crit level, then seeds the feed
// cache tag. Whether a failure is rethrown is not visible here. The tag write
// below happens without m_trackerLock, unlike onEvent(), so init() must finish
// before the chain is shared across threads.
221 void ChainingMetadataProvider::init()
223 for (ptr_vector<MetadataProvider>::iterator i = m_providers.begin(); i != m_providers.end(); ++i) {
227 catch (std::exception& ex) {
228 m_log.crit("failure initializing MetadataProvider: %s", ex.what());
232 // Set an initial cache tag for the state of the plugins.
233 SAMLConfig::getConfig().generateRandomBytes(m_feedTag, 4);
234 m_feedTag = SAMLArtifact::toHex(m_feedTag);
void ChainingMetadataProvider::outputStatus(ostream& os) const
{
    // The chain's status is the concatenation of each provider's status, in order.
    for (ptr_vector<MetadataProvider>::iterator i = m_providers.begin(); i != m_providers.end(); ++i)
        i->outputStatus(os);
}
Lockable* ChainingMetadataProvider::lock()
{
    // The chain has no state of its own to lock. Locking happens per provider,
    // lazily, inside the lookup methods, and is undone by unlock().
    return this;
}
// Releases every provider this thread locked during its lookups and forgets the
// entity->provider mappings, so roles obtained earlier can no longer be resolved.
// The null check on ptr (a thread that never performed a lookup) is at a line
// not shown in this listing.
247 void ChainingMetadataProvider::unlock()
249 // Check for locked providers and remove role mappings.
250 void* ptr=m_tlsKey->getData();
252 tracker_t* t = reinterpret_cast<tracker_t*>(ptr);
253 for_each(t->m_locked.begin(), t->m_locked.end(), mem_fun(&Lockable::unlock));
// m_locked itself is presumably cleared at the line not shown between these two.
255 t->m_objectMap.clear();
const XMLObject* ChainingMetadataProvider::getMetadata() const
{
    // There is no single document behind the chain, so this is deliberately unsupported.
    throw MetadataException("getMetadata operation not implemented on this provider.");
}
// Looks up a named EntitiesDescriptor across the chain. Each provider is locked
// before it is queried; providers that yield nothing are unlocked again, while
// the matching provider stays locked (recorded in the tracker) until the caller
// invokes unlock(). With last-match precedence every provider is consulted and
// an earlier match is released in favour of a later one. Several branch
// conditions and the final return are at lines not shown in this listing.
264 const EntitiesDescriptor* ChainingMetadataProvider::getEntitiesDescriptor(const char* name, bool requireValidMetadata) const
266 // Ensure we have a tracker to use.
267 tracker_t* tracker = nullptr;
268 void* ptr=m_tlsKey->getData();
270 tracker = reinterpret_cast<tracker_t*>(ptr);
// First lookup on this thread: the tracker is owned by the thread key and
// freed by tracker_cleanup, or by the destructor via m_trackers.
273 tracker = new tracker_t(this);
274 m_tlsKey->setData(tracker);
277 MetadataProvider* held = nullptr;
278 const EntitiesDescriptor* ret = nullptr;
279 const EntitiesDescriptor* cur = nullptr;
280 for (ptr_vector<MetadataProvider>::iterator i = m_providers.begin(); i != m_providers.end(); ++i) {
281 tracker->lock_if(&(*i));
282 if ((cur = i->getEntitiesDescriptor(name,requireValidMetadata))) {
283 // Are we using a first match policy?
285 // Save locked provider.
286 tracker->remember(&(*i));
290 // Using last match wins. Did we already have one?
// name is echoed into the log as a %s argument (never as the format string).
// A duplicate across sources is worth alerting on, since the later copy wins.
292 m_log.warn("found duplicate EntitiesDescriptor (%s), using last matching copy", name);
293 tracker->unlock_if(held);
296 // Save off the latest match.
301 // No match, so just unlock this one and move on.
302 tracker->unlock_if(&(*i));
306 // Preserve any lock we're holding.
308 tracker->remember(held);
// Looks up an EntityDescriptor (and, when the criteria name a role, that role)
// across the chain, with the same lock/tracker discipline as
// getEntitiesDescriptor(): providers that contribute nothing are unlocked, and
// the provider of the returned match stays locked until unlock(). When a role
// is requested, an entity-only match is kept as a fallback but replaced by any
// later provider that supplies the role. The entity->provider mapping recorded
// via remember() is what later lets resolve() fetch credentials from the same
// provider. Many branch conditions and the final return are at lines not shown.
312 pair<const EntityDescriptor*,const RoleDescriptor*> ChainingMetadataProvider::getEntityDescriptor(const Criteria& criteria) const
314 // Ensure we have a tracker to use.
315 tracker_t* tracker = nullptr;
316 void* ptr=m_tlsKey->getData();
318 tracker = reinterpret_cast<tracker_t*>(ptr);
// First lookup on this thread: the tracker is owned by the thread key and
// freed by tracker_cleanup, or by the destructor via m_trackers.
321 tracker = new tracker_t(this);
322 m_tlsKey->setData(tracker);
326 MetadataProvider* held = nullptr;
327 pair<const EntityDescriptor*,const RoleDescriptor*> ret = pair<const EntityDescriptor*,const RoleDescriptor*>(nullptr,nullptr);
328 pair<const EntityDescriptor*,const RoleDescriptor*> cur = ret;
329 for (ptr_vector<MetadataProvider>::iterator i = m_providers.begin(); i != m_providers.end(); ++i) {
330 tracker->lock_if(&(*i));
331 cur = i->getEntityDescriptor(criteria);
// Role-requested branch (the condition itself is at a line not shown).
334 // We want a role also. Did we find one?
336 // Are we using a first match policy?
338 // We could have an entity-only match from earlier, so unlock it.
340 tracker->unlock_if(held);
341 // Save locked provider and role mapping.
342 tracker->remember(&(*i), cur.first);
346 // Using last match wins. Did we already have one?
// The identifiers logged below come from the lookup criteria; each is passed
// as a %s argument, never as the format string. criteria.role is presumably
// non-null in this branch (checked at a line not shown) -- confirm before
// relying on the toString() calls.
349 // We had a "complete" match, so log it.
350 if (criteria.entityID_ascii) {
351 m_log.warn("found duplicate EntityDescriptor (%s) with role (%s), using last matching copy",
352 criteria.entityID_ascii, criteria.role->toString().c_str());
354 else if (criteria.entityID_unicode) {
355 auto_ptr_char temp(criteria.entityID_unicode);
356 m_log.warn("found duplicate EntityDescriptor (%s) with role (%s), using last matching copy",
357 temp.get(), criteria.role->toString().c_str());
359 else if (criteria.artifact) {
360 m_log.warn("found duplicate EntityDescriptor for artifact source (%s) with role (%s), using last matching copy",
361 criteria.artifact->getSource().c_str(), criteria.role->toString().c_str());
364 tracker->unlock_if(held);
367 // Save off the latest match.
// Entity found but without the requested role.
372 // We didn't find the role, so we're going to keep looking,
373 // but save this one if we didn't have the role yet.
375 // We already had a role, so let's stick with that.
376 tracker->unlock_if(&(*i));
379 // This is at least as good, so toss anything we had and keep it.
381 tracker->unlock_if(held);
// Entity-only lookup (no role requested).
388 // Are we using a first match policy?
390 // I don't think this can happen, but who cares, check anyway.
392 tracker->unlock_if(held);
394 // Save locked provider.
395 tracker->remember(&(*i), cur.first);
399 // Using last match wins. Did we already have one?
401 if (criteria.entityID_ascii) {
402 m_log.warn("found duplicate EntityDescriptor (%s), using last matching copy", criteria.entityID_ascii);
404 else if (criteria.entityID_unicode) {
405 auto_ptr_char temp(criteria.entityID_unicode);
406 m_log.warn("found duplicate EntityDescriptor (%s), using last matching copy", temp.get());
408 else if (criteria.artifact) {
409 m_log.warn("found duplicate EntityDescriptor for artifact source (%s), using last matching copy",
410 criteria.artifact->getSource().c_str());
412 tracker->unlock_if(held);
415 // Save off the latest match.
421 // No match, so just unlock this one and move on.
422 tracker->unlock_if(&(*i));
426 // Preserve any lock we're holding.
428 tracker->remember(held, ret.first);
// Resolves a credential for a role previously returned by getEntityDescriptor()
// on this thread: the per-thread tracker maps the role's parent entity back to
// the provider that produced it, and only that provider is asked. This keeps
// key-material resolution bound to the metadata source that vouched for the
// role rather than consulting every provider in the chain. Each of the three
// guards (no tracker, wrong criteria type, unknown role) throws
// MetadataException; the conditions themselves are at lines not shown.
// NOTE(review): this preamble is duplicated in the vector overload below; a
// shared private helper would keep the checks in sync.
432 const Credential* ChainingMetadataProvider::resolve(const CredentialCriteria* criteria) const
434 void* ptr=m_tlsKey->getData();
436 throw MetadataException("No locked MetadataProvider, where did the role object come from?");
437 tracker_t* tracker=reinterpret_cast<tracker_t*>(ptr);
439 const MetadataCredentialCriteria* mcc = dynamic_cast<const MetadataCredentialCriteria*>(criteria);
441 throw MetadataException("Cannot resolve credentials without a MetadataCredentialCriteria object.");
442 const MetadataProvider* m = tracker->getProvider(mcc->getRole());
444 throw MetadataException("No record of corresponding MetadataProvider, where did the role object come from?");
445 return m->resolve(mcc);
// Multi-result variant of resolve(): same per-thread tracker lookup and the
// same three guards (no tracker, wrong criteria type, unknown role), each
// throwing MetadataException, then the query is delegated to the single
// provider that produced the role. The guard conditions are at lines not shown.
448 vector<const Credential*>::size_type ChainingMetadataProvider::resolve(
449 vector<const Credential*>& results, const CredentialCriteria* criteria
452 void* ptr=m_tlsKey->getData();
454 throw MetadataException("No locked MetadataProvider, where did the role object come from?");
455 tracker_t* tracker=reinterpret_cast<tracker_t*>(ptr);
457 const MetadataCredentialCriteria* mcc = dynamic_cast<const MetadataCredentialCriteria*>(criteria);
459 throw MetadataException("Cannot resolve credentials without a MetadataCredentialCriteria object.");
460 const MetadataProvider* m = tracker->getProvider(mcc->getRole());
462 throw MetadataException("No record of corresponding MetadataProvider, where did the role object come from?");
463 return m->resolve(results, mcc);