X-Git-Url: http://www.project-moonshot.org/gitweb/?p=shibboleth%2Fcpp-opensaml.git;a=blobdiff_plain;f=saml%2Fsaml2%2Fmetadata%2Fimpl%2FChainingMetadataProvider.cpp;h=e544a29f7e5445dfe09d93174cf8debbf09b045a;hp=5e48c2632fd78b48be9d71d5db86c8d80c01d03f;hb=dd16087e97a64afe3520f6896b9332ef62dae6f0;hpb=58ed1144be743e1ebfa0f5081e9185d771e45678 diff --git a/saml/saml2/metadata/impl/ChainingMetadataProvider.cpp b/saml/saml2/metadata/impl/ChainingMetadataProvider.cpp index 5e48c26..e544a29 100644 --- a/saml/saml2/metadata/impl/ChainingMetadataProvider.cpp +++ b/saml/saml2/metadata/impl/ChainingMetadataProvider.cpp @@ -1,5 +1,5 @@ /* - * Copyright 2001-2007 Internet2 + * Copyright 2001-2009 Internet2 * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -22,73 +22,168 @@ #include "internal.h" #include "exceptions.h" -#include "saml2/metadata/ChainingMetadataProvider.h" +#include "saml/binding/SAMLArtifact.h" +#include "saml2/metadata/ObservableMetadataProvider.h" +#include "saml2/metadata/MetadataCredentialCriteria.h" -#include -#include +#include #include +#include +#include + using namespace opensaml::saml2md; using namespace opensaml; using namespace xmlsignature; +using namespace xmltooling::logging; using namespace xmltooling; -using namespace log4cpp; using namespace std; namespace opensaml { namespace saml2md { + + // per-thread structure allocated to track locks and role->provider mappings + struct SAML_DLLLOCAL tracker_t; + + class SAML_DLLLOCAL ChainingMetadataProvider + : public ObservableMetadataProvider, public ObservableMetadataProvider::Observer { + public: + ChainingMetadataProvider(const xercesc::DOMElement* e=NULL); + virtual ~ChainingMetadataProvider(); + + using MetadataProvider::getEntityDescriptor; + using MetadataProvider::getEntitiesDescriptor; + + Lockable* lock(); + void unlock(); + void init(); + const XMLObject* getMetadata() const; + const EntitiesDescriptor* getEntitiesDescriptor(const char* name, bool requireValidMetadata=true) const; + pair getEntityDescriptor(const Criteria& criteria) const; + void onEvent(const ObservableMetadataProvider& provider) const; + + const Credential* resolve(const CredentialCriteria* criteria=NULL) const; + vector::size_type resolve(vector& results, const CredentialCriteria* criteria=NULL) const; + + private: + bool m_firstMatch; + mutable Mutex* m_trackerLock; + ThreadKey* m_tlsKey; + vector m_providers; + mutable set m_trackers; + static void tracker_cleanup(void*); + Category& m_log; + friend struct tracker_t; + }; + + struct SAML_DLLLOCAL tracker_t { + tracker_t(const ChainingMetadataProvider* m) : m_metadata(m) { + Lock lock(m_metadata->m_trackerLock); + m_metadata->m_trackers.insert(this); + } + + void lock_if(MetadataProvider* m) { + if (m_locked.count(m) == 0) + m->lock(); + } + + void unlock_if(MetadataProvider* m) { + if (m_locked.count(m) == 0) + m->unlock(); + } + + void remember(MetadataProvider* m, const EntityDescriptor* entity=NULL) { + m_locked.insert(m); + if (entity) + m_objectMap.insert(pair(entity,m)); + } + + const MetadataProvider* getProvider(const RoleDescriptor& role) { + map::const_iterator i = m_objectMap.find(role.getParent()); + return (i != m_objectMap.end()) ? i->second : NULL; + } + + const ChainingMetadataProvider* m_metadata; + set m_locked; + map m_objectMap; + }; + MetadataProvider* SAML_DLLLOCAL ChainingMetadataProviderFactory(const DOMElement* const & e) { return new ChainingMetadataProvider(e); } + + static const XMLCh _MetadataProvider[] = UNICODE_LITERAL_16(M,e,t,a,d,a,t,a,P,r,o,v,i,d,e,r); + static const XMLCh precedence[] = UNICODE_LITERAL_10(p,r,e,c,e,d,e,n,c,e); + static const XMLCh last[] = UNICODE_LITERAL_4(l,a,s,t); + static const XMLCh _type[] = UNICODE_LITERAL_4(t,y,p,e); }; }; -static const XMLCh _MetadataProvider[] = UNICODE_LITERAL_16(M,e,t,a,d,a,t,a,P,r,o,v,i,d,e,r); -static const XMLCh type[] = UNICODE_LITERAL_4(t,y,p,e); +void ChainingMetadataProvider::tracker_cleanup(void* ptr) +{ + if (ptr) { + // free the tracker after removing it from the parent plugin's tracker set + tracker_t* t = reinterpret_cast(ptr); + Lock lock(t->m_metadata->m_trackerLock); + t->m_metadata->m_trackers.erase(t); + delete t; + } +} -ChainingMetadataProvider::ChainingMetadataProvider(const DOMElement* e) : ObservableMetadataProvider(e), m_tlsKey(NULL) +ChainingMetadataProvider::ChainingMetadataProvider(const DOMElement* e) + : ObservableMetadataProvider(e), m_firstMatch(true), m_trackerLock(NULL), m_tlsKey(NULL), + m_log(Category::getInstance(SAML_LOGCAT".Metadata.Chaining")) { - Category& log=Category::getInstance(SAML_LOGCAT".Metadata"); - try { - e = e ? XMLHelper::getFirstChildElement(e, _MetadataProvider) : NULL; - while (e) { - auto_ptr_char temp(e->getAttributeNS(NULL,type)); - if (temp.get() && *temp.get()) { - log.info("building MetadataProvider of type %s", temp.get()); - auto_ptr provider( - SAMLConfig::getConfig().MetadataProviderManager.newPlugin(temp.get(), e) - ); + if (XMLString::equals(e ? e->getAttributeNS(NULL, precedence) : NULL, last)) + m_firstMatch = false; + + e = e ? XMLHelper::getFirstChildElement(e, _MetadataProvider) : NULL; + while (e) { + auto_ptr_char temp(e->getAttributeNS(NULL, _type)); + if (temp.get() && *temp.get()) { + try { + m_log.info("building MetadataProvider of type %s", temp.get()); + auto_ptr provider(SAMLConfig::getConfig().MetadataProviderManager.newPlugin(temp.get(), e)); ObservableMetadataProvider* obs = dynamic_cast(provider.get()); if (obs) obs->addObserver(this); m_providers.push_back(provider.get()); provider.release(); } - e = XMLHelper::getNextSiblingElement(e, _MetadataProvider); + catch (exception& ex) { + m_log.error("error building MetadataProvider: %s", ex.what()); + } } + e = XMLHelper::getNextSiblingElement(e, _MetadataProvider); } - catch (exception&) { - for_each(m_providers.begin(), m_providers.end(), xmltooling::cleanup()); - throw; - } - m_tlsKey = ThreadKey::create(NULL); + m_trackerLock = Mutex::create(); + m_tlsKey = ThreadKey::create(tracker_cleanup); } ChainingMetadataProvider::~ChainingMetadataProvider() { delete m_tlsKey; + delete m_trackerLock; + for_each(m_trackers.begin(), m_trackers.end(), xmltooling::cleanup()); for_each(m_providers.begin(), m_providers.end(), xmltooling::cleanup()); } -void ChainingMetadataProvider::onEvent(const MetadataProvider& provider) const +void ChainingMetadataProvider::onEvent(const ObservableMetadataProvider& provider) const { emitChangeEvent(); } void ChainingMetadataProvider::init() { - for_each(m_providers.begin(), m_providers.end(), mem_fun(&MetadataProvider::init)); + for (vector::const_iterator i=m_providers.begin(); i!=m_providers.end(); ++i) { + try { + (*i)->init(); + } + catch (exception& ex) { + m_log.crit("failure initializing MetadataProvider: %s", ex.what()); + } + } } Lockable* ChainingMetadataProvider::lock() @@ -98,97 +193,219 @@ Lockable* ChainingMetadataProvider::lock() void ChainingMetadataProvider::unlock() { - // Check for a locked provider. + // Check for locked providers and remove role mappings. void* ptr=m_tlsKey->getData(); if (ptr) { - m_tlsKey->setData(NULL); - reinterpret_cast(ptr)->unlock(); + tracker_t* t = reinterpret_cast(ptr); + for_each(t->m_locked.begin(), t->m_locked.end(), mem_fun(&Lockable::unlock)); + t->m_locked.clear(); + t->m_objectMap.clear(); } } const XMLObject* ChainingMetadataProvider::getMetadata() const { - throw XMLToolingException("getMetadata operation not implemented on this provider."); + throw MetadataException("getMetadata operation not implemented on this provider."); } const EntitiesDescriptor* ChainingMetadataProvider::getEntitiesDescriptor(const char* name, bool requireValidMetadata) const { - // Clear any existing lock. - const_cast(this)->unlock(); + // Ensure we have a tracker to use. + tracker_t* tracker=NULL; + void* ptr=m_tlsKey->getData(); + if (ptr) { + tracker = reinterpret_cast(ptr); + } + else { + tracker = new tracker_t(this); + m_tlsKey->setData(tracker); + } - // Do a search. + MetadataProvider* held = NULL; const EntitiesDescriptor* ret=NULL; + const EntitiesDescriptor* cur=NULL; for (vector::const_iterator i=m_providers.begin(); i!=m_providers.end(); ++i) { - (*i)->lock(); - if (ret=(*i)->getEntitiesDescriptor(name,requireValidMetadata)) { - // Save locked provider. - m_tlsKey->setData(*i); - return ret; + tracker->lock_if(*i); + if (cur=(*i)->getEntitiesDescriptor(name,requireValidMetadata)) { + // Are we using a first match policy? + if (m_firstMatch) { + // Save locked provider. + tracker->remember(*i); + return cur; + } + + // Using last match wins. Did we already have one? + if (held) { + m_log.warn("found duplicate EntitiesDescriptor (%s), using last matching copy", name); + tracker->unlock_if(held); + } + + // Save off the latest match. + held = *i; + ret = cur; + } + else { + // No match, so just unlock this one and move on. + tracker->unlock_if(*i); } - (*i)->unlock(); } - return NULL; + // Preserve any lock we're holding. + if (held) + tracker->remember(held); + return ret; } -const EntityDescriptor* ChainingMetadataProvider::getEntityDescriptor(const char* id, bool requireValidMetadata) const +pair ChainingMetadataProvider::getEntityDescriptor(const Criteria& criteria) const { - // Clear any existing lock. - const_cast(this)->unlock(); + // Ensure we have a tracker to use. + tracker_t* tracker=NULL; + void* ptr=m_tlsKey->getData(); + if (ptr) { + tracker = reinterpret_cast(ptr); + } + else { + tracker = new tracker_t(this); + m_tlsKey->setData(tracker); + } // Do a search. - const EntityDescriptor* ret=NULL; + MetadataProvider* held = NULL; + pair ret = pair(NULL,NULL); + pair cur = ret; for (vector::const_iterator i=m_providers.begin(); i!=m_providers.end(); ++i) { - (*i)->lock(); - if (ret=(*i)->getEntityDescriptor(id,requireValidMetadata)) { - // Save locked provider. - m_tlsKey->setData(*i); - return ret; - } - (*i)->unlock(); - } + tracker->lock_if(*i); + cur = (*i)->getEntityDescriptor(criteria); + if (cur.first) { + if (criteria.role) { + // We want a role also. Did we find one? + if (cur.second) { + // Are we using a first match policy? + if (m_firstMatch) { + // We could have an entity-only match from earlier, so unlock it. + if (held) + tracker->unlock_if(held); + // Save locked provider and role mapping. + tracker->remember(*i, cur.first); + return cur; + } - return NULL; -} + // Using last match wins. Did we already have one? + if (held) { + if (ret.second) { + // We had a "complete" match, so log it. + if (criteria.entityID_ascii) { + m_log.warn("found duplicate EntityDescriptor (%s) with role (%s), using last matching copy", + criteria.entityID_ascii, criteria.role->toString().c_str()); + } + else if (criteria.entityID_unicode) { + auto_ptr_char temp(criteria.entityID_unicode); + m_log.warn("found duplicate EntityDescriptor (%s) with role (%s), using last matching copy", + temp.get(), criteria.role->toString().c_str()); + } + else if (criteria.artifact) { + m_log.warn("found duplicate EntityDescriptor for artifact source (%s) with role (%s), using last matching copy", + criteria.artifact->getSource().c_str(), criteria.role->toString().c_str()); + } + } + tracker->unlock_if(held); + } -const EntityDescriptor* ChainingMetadataProvider::getEntityDescriptor(const SAMLArtifact* artifact) const -{ - // Clear any existing lock. - const_cast(this)->unlock(); + // Save off the latest match. + held = *i; + ret = cur; + } + else { + // We didn't find the role, so we're going to keep looking, + // but save this one if we didn't have the role yet. + if (ret.second) { + // We already had a role, so let's stick with that. + tracker->unlock_if(*i); + } + else { + // This is at least as good, so toss anything we had and keep it. + if (held) + tracker->unlock_if(held); + held = *i; + ret = cur; + } + } + } + else { + // Are we using a first match policy? + if (m_firstMatch) { + // I don't think this can happen, but who cares, check anyway. + if (held) + tracker->unlock_if(held); + + // Save locked provider. + tracker->remember(*i, cur.first); + return cur; + } - // Do a search. - const EntityDescriptor* ret=NULL; - for (vector::const_iterator i=m_providers.begin(); i!=m_providers.end(); ++i) { - (*i)->lock(); - if (ret=(*i)->getEntityDescriptor(artifact)) { - // Save locked provider. - m_tlsKey->setData(*i); - return ret; + // Using last match wins. Did we already have one? + if (held) { + if (criteria.entityID_ascii) { + m_log.warn("found duplicate EntityDescriptor (%s), using last matching copy", criteria.entityID_ascii); + } + else if (criteria.entityID_unicode) { + auto_ptr_char temp(criteria.entityID_unicode); + m_log.warn("found duplicate EntityDescriptor (%s), using last matching copy", temp.get()); + } + else if (criteria.artifact) { + m_log.warn("found duplicate EntityDescriptor for artifact source (%s), using last matching copy", + criteria.artifact->getSource().c_str()); + } + tracker->unlock_if(held); + } + + // Save off the latest match. + held = *i; + ret = cur; + } + } + else { + // No match, so just unlock this one and move on. + tracker->unlock_if(*i); } - (*i)->unlock(); } - return NULL; + // Preserve any lock we're holding. + if (held) + tracker->remember(held, ret.first); + return ret; } const Credential* ChainingMetadataProvider::resolve(const CredentialCriteria* criteria) const { - // Check for a locked provider. void* ptr=m_tlsKey->getData(); if (!ptr) throw MetadataException("No locked MetadataProvider, where did the role object come from?"); + tracker_t* tracker=reinterpret_cast(ptr); - return reinterpret_cast(ptr)->resolve(criteria); + const MetadataCredentialCriteria* mcc = dynamic_cast(criteria); + if (!mcc) + throw MetadataException("Cannot resolve credentials without a MetadataCredentialCriteria object."); + const MetadataProvider* m = tracker->getProvider(mcc->getRole()); + if (!m) + throw MetadataException("No record of corresponding MetadataProvider, where did the role object come from?"); + return m->resolve(mcc); } vector::size_type ChainingMetadataProvider::resolve( vector& results, const CredentialCriteria* criteria ) const { - // Check for a locked provider. void* ptr=m_tlsKey->getData(); if (!ptr) throw MetadataException("No locked MetadataProvider, where did the role object come from?"); + tracker_t* tracker=reinterpret_cast(ptr); - return reinterpret_cast(ptr)->resolve(results, criteria); + const MetadataCredentialCriteria* mcc = dynamic_cast(criteria); + if (!mcc) + throw MetadataException("Cannot resolve credentials without a MetadataCredentialCriteria object."); + const MetadataProvider* m = tracker->getProvider(mcc->getRole()); + if (!m) + throw MetadataException("No record of corresponding MetadataProvider, where did the role object come from?"); + return m->resolve(results, mcc); }