https://issues.shibboleth.net/jira/browse/SSPCPP-132

[shibboleth/cpp-opensaml.git] / saml / saml2 / binding / impl / SAML2ArtifactDecoder.cpp

diff --git a/saml/saml2/binding/impl/SAML2ArtifactDecoder.cpp b/saml/saml2/binding/impl/SAML2ArtifactDecoder.cpp
index 1bb7af2..081787f 100644 (file)
--- a/saml/saml2/binding/impl/SAML2ArtifactDecoder.cpp
+++ b/saml/saml2/binding/impl/SAML2ArtifactDecoder.cpp
@@ -1,6 +1,6 @@
 /*
  *  Copyright 2001-2007 Internet2
- * 
+ *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
@@ -16,7 +16,7 @@
 
 /**
  * SAML2ArtifactDecoder.cpp
- * 
+ *
  * SAML 2.0 Artifact binding message decoder
  */
 
@@ -42,19 +42,19 @@ using namespace xmltooling;
 using namespace std;
 
 namespace opensaml {
-    namespace saml2p {              
+    namespace saml2p {
         class SAML_DLLLOCAL SAML2ArtifactDecoder : public SAML2MessageDecoder
         {
         public:
             SAML2ArtifactDecoder() {}
             virtual ~SAML2ArtifactDecoder() {}
-            
+
             xmltooling::XMLObject* decode(
                 std::string& relayState,
                 const GenericRequest& genericRequest,
                 SecurityPolicy& policy
                 ) const;
-        };                
+        };
 
         MessageDecoder* SAML_DLLLOCAL SAML2ArtifactDecoderFactory(const pair<const DOMElement*,const XMLCh*>& p)
         {
@@ -80,7 +80,7 @@ XMLObject* SAML2ArtifactDecoder::decode(
         throw BindingException("Unable to cast request object to HTTPRequest type.");
     const char* SAMLart = httpRequest->getParameter("SAMLart");
     if (!SAMLart)
-        throw BindingException("Request missing SAMLart parameter.");
+        throw BindingException("Request missing SAMLart query string or form parameter.");
     const char* state = httpRequest->getParameter("RelayState");
     if (state)
         relayState = state;
@@ -92,7 +92,7 @@ XMLObject* SAML2ArtifactDecoder::decode(
     SAMLArtifact* artifact=NULL;
     try {
         log.debug("processing encoded artifact (%s)", SAMLart);
-        
+
         // Check replay.
         ReplayCache* replayCache = XMLToolingConfig::getConfig().getReplayCache();
         if (replayCache) {
@@ -110,55 +110,59 @@ XMLObject* SAML2ArtifactDecoder::decode(
         log.error("error parsing artifact (%s)", SAMLart);
         throw;
     }
-    
+
     // Check the type.
     auto_ptr<SAML2Artifact> artifact2(dynamic_cast<SAML2Artifact*>(artifact));
     if (!artifact2.get()) {
         throw BindingException("Artifact binding requires SAML 2.0 artifact.");
         delete artifact;
     }
-    
+
     log.debug("attempting to determine source of artifact...");
-    const EntityDescriptor* provider=policy.getMetadataProvider()->getEntityDescriptor(artifact);
-    if (!provider) {
+    MetadataProvider::Criteria& mc = policy.getMetadataProviderCriteria();
+    mc.artifact = artifact;
+    mc.role = policy.getRole();
+    mc.protocol = samlconstants::SAML20P_NS;
+    pair<const EntityDescriptor*,const RoleDescriptor*> provider=policy.getMetadataProvider()->getEntityDescriptor(mc);
+    if (!provider.first) {
         log.error(
             "metadata lookup failed, unable to determine issuer of artifact (0x%s)",
             SAMLArtifact::toHex(artifact->getBytes()).c_str()
             );
         throw BindingException("Metadata lookup failed, unable to determine artifact issuer.");
     }
-    
+
     if (log.isDebugEnabled()) {
-        auto_ptr_char issuer(provider->getEntityID());
+        auto_ptr_char issuer(provider.first->getEntityID());
         log.debug("lookup succeeded, artifact issued by (%s)", issuer.get());
     }
 
-    log.debug("attempting to find artifact issuing role...");
-    const RoleDescriptor* roledesc=provider->getRoleDescriptor(*(policy.getRole()), samlconstants::SAML20P_NS);
-    if (!roledesc || !dynamic_cast<const SSODescriptorType*>(roledesc)) {
-        log.error("unable to find compatible SAML role (%s) in metadata", policy.getRole()->toString().c_str());
+    if (!provider.second || !dynamic_cast<const SSODescriptorType*>(provider.second)) {
+        log.error("unable to find compatible SAML 2.0 role (%s) in metadata", policy.getRole()->toString().c_str());
         throw BindingException("Unable to find compatible metadata role for artifact issuer.");
     }
     // Set issuer into policy.
-    policy.setIssuer(provider->getEntityID());
-    policy.setIssuerMetadata(roledesc);
-    
+    policy.setIssuer(provider.first->getEntityID());
+    policy.setIssuerMetadata(provider.second);
+
     log.debug("calling ArtifactResolver...");
     auto_ptr<ArtifactResponse> response(
-        m_artifactResolver->resolve(*(artifact2.get()), dynamic_cast<const SSODescriptorType&>(*roledesc), policy)
+        m_artifactResolver->resolve(*(artifact2.get()), dynamic_cast<const SSODescriptorType&>(*provider.second), policy)
         );
-    
+
     // The policy should be enforced against the ArtifactResponse by the resolve step.
     // Reset only the message state.
     policy.reset(true);
 
     // Now extract details from the payload and check that message.
     XMLObject* payload = response->getPayload();
+    if (!payload)
+        throw BindingException("ArtifactResponse message did not contain a protocol message.");
     extractMessageDetails(*payload, genericRequest, samlconstants::SAML20P_NS, policy);
     policy.evaluate(*payload, &genericRequest);
 
     // Return the payload only.
     response.release();
-    payload->detach(); 
+    payload->detach();
     return payload;
 }