Add composite name support (for when it shows up in libraries).
authorScott Cantor <cantor.2@osu.edu>
Mon, 18 Apr 2011 19:55:23 +0000 (19:55 +0000)
committerScott Cantor <cantor.2@osu.edu>
Mon, 18 Apr 2011 19:55:23 +0000 (19:55 +0000)
configure.ac
src/shibresolver/config_pub.h.in
src/shibresolver/config_pub_win32.h
src/shibresolver/resolver.cpp
src/shibresolver/resolver.h

index 711e607..3902b63 100644 (file)
@@ -386,8 +386,7 @@ if test x"$want_gss" = xyes; then
        LDFLAGS="$LDFLAGS -L$GSSAPI_ROOT/lib$libsuff"
     fi
     if test -f "$GSSAPI_ROOT/bin/krb5-config"; then
        LDFLAGS="$LDFLAGS -L$GSSAPI_ROOT/lib$libsuff"
     fi
     if test -f "$GSSAPI_ROOT/bin/krb5-config"; then
-      dnl krb5-config doesn't have --libs-only-L or similar, put everything
-      dnl into LIBS
+      dnl krb5-config does not have --libs-only-L or similar, put everything into LIBS
       gss_libs=`$GSSAPI_ROOT/bin/krb5-config --libs gssapi`
     else
       if test "x$not_mit" = "x1"; then
       gss_libs=`$GSSAPI_ROOT/bin/krb5-config --libs gssapi`
     else
       if test "x$not_mit" = "x1"; then
@@ -406,6 +405,18 @@ if test x"$want_gss" = xyes; then
     [AC_MSG_RESULT([yes])AC_DEFINE([HAVE_GSSAPI_NAMINGEXTS],[1],[Define to 1 if GSS-API naming extensions are available.])],
     [AC_MSG_RESULT([no])])
 
     [AC_MSG_RESULT([yes])AC_DEFINE([HAVE_GSSAPI_NAMINGEXTS],[1],[Define to 1 if GSS-API naming extensions are available.])],
     [AC_MSG_RESULT([no])])
 
+  AC_MSG_CHECKING([whether GSS-API composite name import is available])
+  AC_COMPILE_IFELSE(
+    [AC_LANG_PROGRAM([[#include <gssapi/gssapi_ext.h>]],
+    [[
+    OM_uint32 minor;
+    gss_name_t srcname;
+    gss_buffer_desc importbuf;
+    gss_import_name(&minor, &importbuf, GSS_C_NT_EXPORT_NAME_COMPOSITE, &srcname);
+    ]])],
+    [AC_MSG_RESULT([yes])AC_DEFINE([SHIBRESOLVER_HAVE_GSSAPI_COMPOSITE_NAME],[1],[Define to 1 if GSS-API composite name import is available.])],
+    [AC_MSG_RESULT([no])])
+
 else
   CPPFLAGS="$save_CPPFLAGS"
 fi
 else
   CPPFLAGS="$save_CPPFLAGS"
 fi
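Review bot: The new probe only compiles a call to gss_import_name with GSS_C_NT_EXPORT_NAME_COMPOSITE, but the function the resolver actually calls under SHIBRESOLVER_HAVE_GSSAPI_COMPOSITE_NAME is gss_export_name_composite, which the check never references, so a gssapi_ext.h that defines the OID but not that function (or a library that lacks the symbol) would still set the define and push the failure to compile or link time. Since the earlier part of this block already puts the krb5-config libraries into LIBS, the probe can link rather than just compile and exercise the symbol that will be used: `AC_LINK_IFELSE(` and `gss_export_name_composite(&minor, srcname, &importbuf);` in place of the gss_import_name call. A one-line `dnl` comment above the check naming gss_export_name_composite as the symbol being probed would also make the intent of the define clear to whoever next touches this file.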
index 93f35bc..27e0991 100644 (file)
@@ -9,3 +9,6 @@
 
 /* if you have the MIT gssapi libraries */
 #undef SHIBRESOLVER_HAVE_GSSMIT
 
 /* if you have the MIT gssapi libraries */
 #undef SHIBRESOLVER_HAVE_GSSMIT
+
+/* if you have GSS composite name support */
+#undef SHIBRESOLVER_HAVE_GSSAPI_COMPOSITE_NAME
index 93f35bc..27e0991 100644 (file)
@@ -9,3 +9,6 @@
 
 /* if you have the MIT gssapi libraries */
 #undef SHIBRESOLVER_HAVE_GSSMIT
 
 /* if you have the MIT gssapi libraries */
 #undef SHIBRESOLVER_HAVE_GSSMIT
+
+/* if you have GSS composite name support */
+#undef SHIBRESOLVER_HAVE_GSSAPI_COMPOSITE_NAME
index 287adda..bc80d8c 100644 (file)
 
 #include "internal.h"
 
 
 #include "internal.h"
 
+#ifdef SHIBRESOLVER_HAVE_GSSAPI_COMPOSITE_NAME
+# include <gssapi/gssapi_ext.h>
+#endif
+
 #include <shibsp/exceptions.h>
 #include <shibsp/Application.h>
 #include <shibsp/GSSRequest.h>
 #include <shibsp/exceptions.h>
 #include <shibsp/Application.h>
 #include <shibsp/GSSRequest.h>
@@ -193,6 +197,45 @@ void ShibbolethResolver::addToken(const gss_buffer_t contextbuf)
         Category::getInstance(SHIBRESOLVER_LOGCAT).error("error while base64-encoding GSS context");
     }
 }
         Category::getInstance(SHIBRESOLVER_LOGCAT).error("error while base64-encoding GSS context");
     }
 }
+
+#ifdef SHIBRESOLVER_HAVE_GSSAPI_COMPOSITE_NAME
+void ShibbolethResolver::addToken(gss_name_t name)
+{
+    if (m_gsswrapper) {
+        delete m_gsswrapper;
+        m_gsswrapper = NULL;
+    }
+
+    OM_uint32 major, minor;
+    gss_buffer_desc namebuf = GSS_C_EMPTY_BUFFER;
+
+    major = gss_export_name_composite(&minor, name, &namebuf);
+    if (major == GSS_S_COMPLETE) {
+        xsecsize_t len=0;
+        XMLByte* out=Base64::encode(reinterpret_cast<const XMLByte*>(namebuf.value), namebuf.length, &len);
+        if (out) {
+            string s;
+            s.append(reinterpret_cast<char*>(out), len);
+            auto_ptr_XMLCh temp(s.c_str());
+    #ifdef SHIBSP_XERCESC_HAS_XMLBYTE_RELEASE
+            XMLString::release(&out);
+    #else
+            XMLString::release((char**)&out);
+    #endif
+            static const XMLCh _GSSAPI[] = UNICODE_LITERAL_10(G,S,S,A,P,I,N,a,m,e);
+            m_gsswrapper = new AnyElementImpl(shibspconstants::SHIB2ATTRIBUTEMAP_NS, _GSSAPI);
+            m_gsswrapper->setTextContent(temp.get());
+        }
+        else {
+            Category::getInstance(SHIBRESOLVER_LOGCAT).error("error while base64-encoding GSS name");
+        }
+        gss_release_buffer(&minor, &namebuf);
+    }
+    else {
+        Category::getInstance(SHIBRESOLVER_LOGCAT).error("error exporting GSS name");
+    }
+}
+#endif
 #endif
 
 void ShibbolethResolver::addAttribute(Attribute* attr)
 #endif
 
 void ShibbolethResolver::addAttribute(Attribute* attr)
@@ -353,21 +396,45 @@ void RemotedResolver::resolve(
 {
 #ifndef SHIBSP_LITE
     Category& log = Category::getInstance(SHIBRESOLVER_LOGCAT);
 {
 #ifndef SHIBSP_LITE
     Category& log = Category::getInstance(SHIBRESOLVER_LOGCAT);
+    string issuerstr(issuer ? issuer : "");
     pair<const EntityDescriptor*,const RoleDescriptor*> entity = make_pair((EntityDescriptor*)NULL, (RoleDescriptor*)NULL);
     MetadataProvider* m = app.getMetadataProvider(false);
     Locker locker(m);
     if (!m) {
         log.warn("no metadata providers are configured");
     }
     pair<const EntityDescriptor*,const RoleDescriptor*> entity = make_pair((EntityDescriptor*)NULL, (RoleDescriptor*)NULL);
     MetadataProvider* m = app.getMetadataProvider(false);
     Locker locker(m);
     if (!m) {
         log.warn("no metadata providers are configured");
     }
-    else if (issuer && *issuer) {
-        // Lookup metadata for the issuer.
-        MetadataProviderCriteria mc(app, issuer, &IDPSSODescriptor::ELEMENT_QNAME, samlconstants::SAML20P_NS);
-        entity = m->getEntityDescriptor(mc);
-        if (!entity.first) {
-            log.warn("unable to locate metadata for provider (%s)", issuer);
+    else {
+        if (!issuerstr.empty()) {
+            // Attempt to locate an issuer based on input token.
+            for (vector<const XMLObject*>::const_iterator t = tokens.begin(); t!=tokens.end(); ++t) {
+                const saml2::Assertion* assertion = dynamic_cast<const saml2::Assertion*>(*t);
+                if (assertion && assertion->getIssuer()) {
+                    auto_ptr_char iss(assertion->getIssuer()->getName());
+                    if (iss.get() && *iss.get()) {
+                        issuerstr = iss.get();
+                        break;
+                    }
+                }
+            }
+            if (!issuerstr.empty()) {
+                log.info("setting issuer based on input token (%s)", issuerstr.c_str());
+            }
         }
         }
-        else if (!entity.second) {
-            log.warn("unable to locate SAML 2.0 identity provider role for provider (%s)", issuer);
+
+        if (!issuerstr.empty()) {
+            // Lookup metadata for the issuer.
+            MetadataProviderCriteria idpmc(app, issuerstr.c_str(), &IDPSSODescriptor::ELEMENT_QNAME, samlconstants::SAML20P_NS);
+            entity = m->getEntityDescriptor(idpmc);
+            if (!entity.first) {
+                log.warn("unable to locate metadata for provider (%s)", issuerstr.c_str());
+            }
+            else if (!entity.second) {
+                MetadataProviderCriteria aamc(app, issuerstr.c_str(), &AttributeAuthorityDescriptor::ELEMENT_QNAME, samlconstants::SAML20P_NS);
+                entity = m->getEntityDescriptor(aamc);
+                if (!entity.second) {
+                    log.warn("unable to locate SAML 2.0 IdP or AA role for provider (%s)", issuerstr.c_str());
+                }
+            }
         }
     }
 
         }
     }
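Review bot: The issuer-derivation guard in the new `else` branch, `if (!issuerstr.empty())`, looks inverted: as written, a caller-supplied issuer is overwritten by the Issuer of the first SAML 2 Assertion found among the tokens, the "setting issuer based on input token" message is logged even when no token contributed anything, and an empty issuer is never filled in from the tokens at all. Because the metadata lookup that follows is keyed on issuerstr, this also means a value the caller chose is replaced by one asserted in the input token before any metadata-backed check can run, which is presumably not intended. Changing the guard to `if (issuerstr.empty()) {` gives the behaviour the comment "Attempt to locate an issuer based on input token" describes. The body of RemotedResolver::resolve begins before and continues after this hunk. Separately, the new addToken(gss_name_t) drops the GSS status on failure; logging it, e.g. `.error("error exporting GSS name (major=%u, minor=%u)", major, minor);`, would make field diagnosis possible.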
 
index 7ae1634..ffbdc7c 100644 (file)
@@ -114,7 +114,17 @@ namespace shibresolver {
          *
          * @param ctx an input exported security context to evaluate
          */
          *
          * @param ctx an input exported security context to evaluate
          */
-        void addToken(gss_buffer_t token);
+        void addToken(const gss_buffer_t token);
+
+# ifndef SHIBRESOLVER_HAVE_GSSAPI_COMPOSITE_NAME
+        /**
+         * Adds a GSS-API mechanism name as input to the resolver.
+         * <p>The caller retains ownership of the name.
+         *
+         * @param name an input mechanism name to evaluate
+         */
+        void addToken(gss_name_t name);
+# endif
 #endif
 
         /**
 #endif
 
         /**
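Review bot: The guard around the new `addToken(gss_name_t name)` declaration is `# ifndef SHIBRESOLVER_HAVE_GSSAPI_COMPOSITE_NAME`, the opposite of the `#ifdef` that wraps its definition in resolver.cpp, so with composite-name support detected the header hides the declaration and the .cpp defines an undeclared member, while without it the header advertises a method nothing defines. It should read `# ifdef SHIBRESOLVER_HAVE_GSSAPI_COMPOSITE_NAME`. The doc comment could also record that, like the buffer overload, this call replaces any GSS input supplied earlier, since the implementation deletes the existing wrapper before building the new element; something like `<p>Replaces any GSS context or name previously added.` after the ownership sentence. The enclosing class declaration starts before and continues after this hunk.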