X-Git-Url: http://www.project-moonshot.org/gitweb/?p=shibboleth%2Fcpp-opensaml.git;a=blobdiff_plain;f=saml%2Fsaml2%2Fbinding%2Fimpl%2FSAML2RedirectDecoder.cpp;h=ddffd3bbafd189f712742ee83ff86e58b451d3b1;hp=d2abd41b28459fbbdcc313263cf40182fca5aaa0;hb=615c4bc8bcbcabce8da0ef95946eaa028c616aa4;hpb=750aa26530f9e8993eae37cd9e68e25497be66b5 diff --git a/saml/saml2/binding/impl/SAML2RedirectDecoder.cpp b/saml/saml2/binding/impl/SAML2RedirectDecoder.cpp index d2abd41..ddffd3b 100644 --- a/saml/saml2/binding/impl/SAML2RedirectDecoder.cpp +++ b/saml/saml2/binding/impl/SAML2RedirectDecoder.cpp @@ -1,6 +1,6 @@ /* - * Copyright 2001-2006 Internet2 - * + * Copyright 2001-2009 Internet2 + * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at @@ -16,21 +16,21 @@ /** * SAML2RedirectDecoder.cpp - * + * * SAML 2.0 HTTP Redirect binding message encoder */ #include "internal.h" #include "exceptions.h" -#include "binding/HTTPRequest.h" +#include "saml2/binding/SAML2MessageDecoder.h" #include "saml2/binding/SAML2Redirect.h" -#include "saml2/binding/SAML2RedirectDecoder.h" #include "saml2/core/Protocols.h" #include "saml2/metadata/Metadata.h" #include "saml2/metadata/MetadataProvider.h" -#include #include +#include +#include #include #include @@ -39,21 +39,32 @@ using namespace opensaml::saml2p; using namespace opensaml::saml2; using namespace opensaml; using namespace xmlsignature; +using namespace xmltooling::logging; using namespace xmltooling; -using namespace log4cpp; using namespace std; namespace opensaml { - namespace saml2p { - MessageDecoder* SAML_DLLLOCAL SAML2RedirectDecoderFactory(const DOMElement* const & e) + namespace saml2p { + class SAML_DLLLOCAL SAML2RedirectDecoder : public SAML2MessageDecoder + { + public: + SAML2RedirectDecoder() {} + virtual ~SAML2RedirectDecoder() {} + + xmltooling::XMLObject* decode( + std::string& relayState, + const GenericRequest& genericRequest, + SecurityPolicy& policy + ) const; + }; + + MessageDecoder* SAML_DLLLOCAL SAML2RedirectDecoderFactory(const pair& p) { - return new SAML2RedirectDecoder(e); + return new SAML2RedirectDecoder(); } }; }; -SAML2RedirectDecoder::SAML2RedirectDecoder(const DOMElement* e) {} - XMLObject* SAML2RedirectDecoder::decode( string& relayState, const GenericRequest& genericRequest, @@ -67,17 +78,13 @@ XMLObject* SAML2RedirectDecoder::decode( log.debug("validating input"); const HTTPRequest* httpRequest=dynamic_cast(&genericRequest); - if (!httpRequest) { - log.error("unable to cast request to HTTPRequest type"); - return NULL; - } - if (strcmp(httpRequest->getMethod(),"GET")) - return NULL; + if (!httpRequest) + throw BindingException("Unable to cast request object to HTTPRequest type."); const char* msg = httpRequest->getParameter("SAMLResponse"); if (!msg) msg = httpRequest->getParameter("SAMLRequest"); if (!msg) - return NULL; + throw BindingException("Request missing SAMLRequest or SAMLResponse query string parameter."); const char* state = httpRequest->getParameter("RelayState"); if (state) relayState = state; @@ -86,27 +93,35 @@ XMLObject* SAML2RedirectDecoder::decode( state = httpRequest->getParameter("SAMLEncoding"); if (state && strcmp(state,samlconstants::SAML20_BINDING_URL_ENCODING_DEFLATE)) { log.warn("SAMLEncoding (%s) was not recognized", state); - return NULL; + throw BindingException("Unsupported SAMLEncoding value."); } // Decode the compressed message into SAML. First we base64-decode it. - unsigned int x; + xsecsize_t x; XMLByte* decoded=Base64::decode(reinterpret_cast(msg),&x); if (!decoded) throw BindingException("Unable to decode base64 in Redirect binding message."); - + // Now we have to inflate it. stringstream s; - if (inflate((char*)decoded, x, s)==0) { + if (inflate(reinterpret_cast(decoded), x, s)==0) { +#ifdef OPENSAML_XERCESC_HAS_XMLBYTE_RELEASE XMLString::release(&decoded); +#else + XMLString::release((char**)&decoded); +#endif throw BindingException("Unable to inflate Redirect binding message."); } if (log.isDebugEnabled()) log.debug("decoded SAML message:\n%s", s.str().c_str()); +#ifdef OPENSAML_XERCESC_HAS_XMLBYTE_RELEASE XMLString::release(&decoded); - +#else + XMLString::release((char**)&decoded); +#endif + // Parse and bind the document into an XMLObject. - DOMDocument* doc = (m_validate ? XMLToolingConfig::getConfig().getValidatingParser() + DOMDocument* doc = (policy.getValidating() ? XMLToolingConfig::getConfig().getValidatingParser() : XMLToolingConfig::getConfig().getParser()).parse(s); XercesJanitor janitor(doc); auto_ptr xmlObject(XMLObjectBuilder::buildOneFromElement(doc->getDocumentElement(), true)); @@ -124,50 +139,24 @@ XMLObject* SAML2RedirectDecoder::decode( else { root = static_cast(request); } - - - try { - if (!m_validate) - SchemaValidators.validate(xmlObject.get()); - - // Check destination URL. - auto_ptr_char dest(request ? request->getDestination() : response->getDestination()); - const char* dest2 = httpRequest->getRequestURL(); - if ((root->getSignature() || httpRequest->getParameter("Signature")) && !dest.get() || !*(dest.get())) { - log.error("signed SAML message missing Destination attribute"); - throw BindingException("Signed SAML message missing Destination attribute identifying intended destination."); - } - else if (dest.get() && (!dest2 || !*dest2 || strcmp(dest.get(),dest2))) { - log.error("Redirect targeted at (%s), but delivered to (%s)", dest.get(), dest2 ? dest2 : "none"); - throw BindingException("SAML message delivered with Redirect to incorrect server URL."); - } - // Run through the policy. - policy.evaluate(*root, &genericRequest); - } - catch (XMLToolingException& ex) { - // This is just to maximize the likelihood of attaching a source to the message for support purposes. - if (policy.getIssuerMetadata()) - annotateException(&ex,policy.getIssuerMetadata()); // throws it - - const Issuer* claimedIssuer = root->getIssuer(); - if (!claimedIssuer || !claimedIssuer->getName()) - throw; - const EntityDescriptor* provider=NULL; - if (!policy.getMetadataProvider() || - !(provider=policy.getMetadataProvider()->getEntityDescriptor(claimedIssuer->getName(), false))) { - // Just record it. - auto_ptr_char iname(claimedIssuer->getName()); - if (iname.get()) - ex.addProperty("entityID", iname.get()); - throw; - } + SchemaValidators.validate(root); - if (policy.getRole()) { - const RoleDescriptor* roledesc=provider->getRoleDescriptor(*(policy.getRole()), samlconstants::SAML20P_NS); - if (roledesc) annotateException(&ex,roledesc); // throws it - } - annotateException(&ex,provider); // throws it + // Run through the policy. + extractMessageDetails(*root, genericRequest, samlconstants::SAML20P_NS, policy); + policy.evaluate(*root, &genericRequest); + + // Check destination URL. + auto_ptr_char dest(request ? request->getDestination() : response->getDestination()); + const char* dest2 = httpRequest->getRequestURL(); + const char* delim = strchr(dest2, '?'); + if ((root->getSignature() || httpRequest->getParameter("Signature")) && (!dest.get() || !*(dest.get()))) { + log.error("signed SAML message missing Destination attribute"); + throw BindingException("Signed SAML message missing Destination attribute identifying intended destination."); + } + else if (dest.get() && *dest.get() && ((delim && strncmp(dest.get(), dest2, delim - dest2)) || (!delim && strcmp(dest.get(),dest2)))) { + log.error("Redirect targeted at (%s), but delivered to (%s)", dest.get(), dest2); + throw BindingException("SAML message delivered with Redirect to incorrect server URL."); } return xmlObject.release();