From 5faba179b771abf24c08e4537d2d171096079f87 Mon Sep 17 00:00:00 2001 From: Scott Cantor Date: Wed, 23 Mar 2011 21:25:53 +0000 Subject: [PATCH] Add GSS context extraction. --- .cproject | 9 ++- .project | 56 +++++++------- configure.ac | 147 +++++++++++++++++++++++++++++++++++- src/Makefile.am | 3 + src/resolver-lite.vcxproj | 1 + src/resolver.vcxproj | 1 + src/shibresolver/base.h | 9 ++- src/shibresolver/config_pub.h.in | 11 +++ src/shibresolver/config_pub_win32.h | 11 +++ src/shibresolver/resolver.cpp | 65 +++++++++++++++- src/shibresolver/resolver.h | 24 +++++- 11 files changed, 305 insertions(+), 32 deletions(-) create mode 100644 src/shibresolver/config_pub.h.in create mode 100644 src/shibresolver/config_pub_win32.h diff --git a/.cproject b/.cproject index 99f65fd..202fbdd 100644 --- a/.cproject +++ b/.cproject @@ -26,6 +26,11 @@ @@ -33,9 +38,9 @@ - - + + diff --git a/.project b/.project index 459de7e..325277b 100644 --- a/.project +++ b/.project @@ -1,26 +1,30 @@ - - - cpp-sp-resolver - - - - - - org.eclipse.linuxtools.cdt.autotools.genmakebuilder - - - - - org.eclipse.cdt.managedbuilder.core.ScannerConfigBuilder - - - - - - org.eclipse.cdt.core.ccnature - org.eclipse.cdt.managedbuilder.core.ScannerConfigNature - org.eclipse.cdt.managedbuilder.core.managedBuildNature - org.eclipse.cdt.core.cnature - org.eclipse.linuxtools.cdt.autotools.autotoolsNature - - + + + cpp-sp-resolver + + + cpp-log4shib + cpp-opensaml + cpp-sp + cpp-xmltooling + + + + org.eclipse.linuxtools.cdt.autotools.genmakebuilder + + + + + org.eclipse.cdt.managedbuilder.core.ScannerConfigBuilder + + + + + + org.eclipse.cdt.core.ccnature + org.eclipse.cdt.managedbuilder.core.ScannerConfigNature + org.eclipse.cdt.managedbuilder.core.managedBuildNature + org.eclipse.cdt.core.cnature + org.eclipse.linuxtools.cdt.autotools.autotoolsNature + + diff --git a/configure.ac b/configure.ac index 918d895..9803375 100644 --- a/configure.ac +++ b/configure.ac 
@@ -19,7 +19,7 @@ else
 GCC_CXXFLAGS="$CXXFLAGS -O2 -DNDEBUG"
 fi
-AC_CONFIG_HEADERS([config.h])
+AC_CONFIG_HEADERS([config.h src/shibresolver/config_pub.h])
 AC_CONFIG_FILES([resolver.spec Portfile])
 AC_CONFIG_FILES([Makefile doc/Makefile src/Makefile])
@@ -269,6 +269,151 @@ AC_COMPILE_IFELSE( # restore master libs LIBS="$save_LIBS" +# GSS-API checking + +GSSAPI_ROOT="/usr" +AC_ARG_WITH(gssapi-includes, + AS_HELP_STRING([--with-gssapi-includes=DIR],[Specify location of GSSAPI header]), + [ GSSAPI_INCS="-I$withval" + want_gss="yes" ] +) + +AC_ARG_WITH(gssapi-libs, + AS_HELP_STRING([--with-gssapi-libs=DIR],[Specify location of GSSAPI libs]), + [ GSSAPI_LIB_DIR="-L$withval" + want_gss="yes" ] +) + +AC_ARG_WITH(gssapi, + AS_HELP_STRING([--with-gssapi=DIR],[Where to look for GSSAPI]), + [ GSSAPI_ROOT="$withval" + if test x"$GSSAPI_ROOT" != xno; then + want_gss="yes" + if test x"$GSSAPI_ROOT" = xyes; then + dnl if yes, then use default root + GSSAPI_ROOT="/usr" + fi + fi +]) + +save_CPPFLAGS="$CPPFLAGS" +AC_MSG_CHECKING([if GSSAPI support is requested]) +if test x"$want_gss" = xyes; then + AC_MSG_RESULT(yes) + + if test -z "$GSSAPI_INCS"; then + if test -f "$GSSAPI_ROOT/bin/krb5-config"; then + GSSAPI_INCS=`$GSSAPI_ROOT/bin/krb5-config --cflags gssapi` + elif test "$GSSAPI_ROOT" != "yes"; then + GSSAPI_INCS="-I$GSSAPI_ROOT/include" + fi + fi + + CPPFLAGS="$CPPFLAGS $GSSAPI_INCS" + + AC_CHECK_HEADER(gss.h, + [ + dnl found in the given dirs + AC_DEFINE([SHIBRESOLVER_HAVE_GSSGNU],[1],[if you have the GNU gssapi libraries]) + gnu_gss=yes + ], + [ + dnl not found, check Heimdal or MIT + AC_CHECK_HEADERS([gssapi/gssapi.h], [], [not_mit=1]) + AC_CHECK_HEADERS( + [gssapi/gssapi_generic.h gssapi/gssapi_krb5.h], + [], + [not_mit=1], + [ +AC_INCLUDES_DEFAULT +#ifdef HAVE_GSSAPI_GSSAPI_H +#include +#endif + ]) + if test "x$not_mit" = "x1"; then + dnl MIT not found, check for Heimdal + AC_CHECK_HEADER([gssapi.h], + [ + dnl found + AC_DEFINE([SHIBRESOLVER_HAVE_GSSHEIMDAL],[1],[if you have the Heimdal gssapi libraries]) + ], + [ + dnl no header found, disabling GSS + want_gss=no + AC_MSG_WARN([disabling GSSAPI since no header files was found]) + ] + ) + else + dnl MIT found + AC_DEFINE([SHIBRESOLVER_HAVE_GSSMIT],[1],[if you have the 
MIT gssapi libraries]) + dnl check if we have a really old MIT kerberos (<= 1.2) + AC_MSG_CHECKING([if gssapi headers declare GSS_C_NT_HOSTBASED_SERVICE]) + AC_COMPILE_IFELSE([ + AC_LANG_PROGRAM([[ +#include +#include +#include + ]],[[ + gss_import_name( + (OM_uint32 *)0, + (gss_buffer_t)0, + GSS_C_NT_HOSTBASED_SERVICE, + (gss_name_t *)0); + ]]) + ],[ + AC_MSG_RESULT([yes]) + ],[ + AC_MSG_RESULT([no]) + AC_DEFINE([HAVE_OLD_GSSMIT],[1],[if you have an old MIT gssapi library, lacking GSS_C_NT_HOSTBASED_SERVICE]) + ]) + fi + ] + ) +else + AC_MSG_RESULT(no) +fi +if test x"$want_gss" = xyes; then + AC_DEFINE([SHIBRESOLVER_HAVE_GSSAPI],[1],[if you have the gssapi libraries]) + + if test -n "$gnu_gss"; then + LDFLAGS="$LDFLAGS $GSSAPI_LIB_DIR" + LIBS="$LIBS -lgss" + elif test -z "$GSSAPI_LIB_DIR"; then + case $host in + *-*-darwin*) + LIBS="$LIBS -lgssapi_krb5 -lresolv" + ;; + *) + if test -f "$GSSAPI_ROOT/bin/krb5-config"; then + dnl krb5-config doesn't have --libs-only-L or similar, put everything + dnl into LIBS + gss_libs=`$GSSAPI_ROOT/bin/krb5-config --libs gssapi` + LIBS="$LIBS $gss_libs" + elif test "$GSSAPI_ROOT" != "yes"; then + LDFLAGS="$LDFLAGS -L$GSSAPI_ROOT/lib$libsuff" + LIBS="$LIBS -lgssapi" + else + LIBS="$LIBS -lgssapi" + fi + ;; + esac + else + LDFLAGS="$LDFLAGS $GSSAPI_LIB_DIR" + LIBS="$LIBS -lgssapi" + fi + + AC_MSG_CHECKING([whether GSS-API naming extensions are available]) + AC_COMPILE_IFELSE( + [AC_LANG_PROGRAM([[#include ]], + [[gss_get_name_attribute(NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL);]])], + [AC_MSG_RESULT([yes])AC_DEFINE([HAVE_GSSAPI_NAMINGEXTS],[1],[Define to 1 if GSS-API naming extensions are available.])], + [AC_MSG_RESULT([no])]) + +else + CPPFLAGS="$save_CPPFLAGS" +fi + + AC_SUBST(LITE_LIBS) AC_SUBST(XMLSEC_LIBS) diff --git a/src/Makefile.am b/src/Makefile.am index 6c53974..6c00a2a 100644 --- a/src/Makefile.am +++ b/src/Makefile.am 
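Review bot: The GSS probe appends its result to the global `LIBS`/`LDFLAGS` (the `-lgss`, `-lgssapi_krb5 -lresolv` and krb5-config cases) and leaves `CPPFLAGS` extended whenever GSS is found, whereas the check just above this hunk restores `LIBS="$save_LIBS"` and the file exports per-library link flags through `AC_SUBST(LITE_LIBS)` / `AC_SUBST(XMLSEC_LIBS)`; every later configure test and every target in the tree, including the lite build, is therefore linked against the GSS libraries. Collecting them into a `GSSAPI_LIBS` variable with `AC_SUBST(GSSAPI_LIBS)` and adding it only to the library's LIBADD would keep the probe side-effect free, though whether the lite library is meant to carry GSS support is not visible here. Also, `$libsuff` is used in the `-L$GSSAPI_ROOT/lib$libsuff` path but is not set anywhere in this hunk; if it is not defined earlier in configure.ac it silently expands to empty.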
@@ -6,6 +6,7 @@ libshibresolverincludedir = $(includedir)/shibresolver
 libshibresolverinclude_HEADERS = \
 shibresolver/base.h \
+ shibresolver/config_pub.h \
 shibresolver/resolver.h
 noinst_HEADERS = \
@@ -32,5 +33,7 @@ install-exec-hook:
 EXTRA_DIST = \
 resolver.vcxproj \
 resolver-lite.vcxproj \
+ shibresolver/config_pub.h.in \
+ shibresolver/config_pub_win32.h \
 shibresolver/resource.h \
 shibresolver/resolver.rc
diff --git a/src/resolver-lite.vcxproj b/src/resolver-lite.vcxproj
index b64c3b9..6bb4343 100644
--- a/src/resolver-lite.vcxproj
+++ b/src/resolver-lite.vcxproj
@@ -20,6 +20,7 @@
+
diff --git a/src/resolver.vcxproj b/src/resolver.vcxproj
index 0a7c0ff..bc721b6 100644
--- a/src/resolver.vcxproj
+++ b/src/resolver.vcxproj
@@ -20,6 +20,7 @@
+
diff --git a/src/shibresolver/base.h b/src/shibresolver/base.h
index ae5d1f7..023d866 100644
--- a/src/shibresolver/base.h
+++ b/src/shibresolver/base.h
@@ -1,5 +1,5 @@
 /*
- * Copyright 2010 JANET(UK)
+ * Copyright 2011 JANET(UK)
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@@ -26,6 +26,13 @@
 #include
+
+#if defined (_MSC_VER) || defined(__BORLANDC__)
+ #include
+#else
+ #include
+#endif
+
 // Windows and GCC4 Symbol Visibility Macros
 #ifdef WIN32
 #define SHIBRESOLVER_IMPORT __declspec(dllimport)
diff --git a/src/shibresolver/config_pub.h.in b/src/shibresolver/config_pub.h.in
new file mode 100644
index 0000000..93f35bc
--- /dev/null
+++ b/src/shibresolver/config_pub.h.in
@@ -0,0 +1,11 @@
+/* if you have the gssapi libraries */
+#undef SHIBRESOLVER_HAVE_GSSAPI
+
+/* if you have the GNU gssapi libraries */
+#undef SHIBRESOLVER_HAVE_GSSGNU
+
+/* if you have the Heimdal gssapi libraries */
+#undef SHIBRESOLVER_HAVE_GSSHEIMDAL
+
+/* if you have the MIT gssapi libraries */
+#undef SHIBRESOLVER_HAVE_GSSMIT
diff --git a/src/shibresolver/config_pub_win32.h b/src/shibresolver/config_pub_win32.h
new file mode 100644
index 0000000..93f35bc
--- /dev/null
+++ b/src/shibresolver/config_pub_win32.h
@@ -0,0 +1,11 @@
+/* if you have the gssapi libraries */
+#undef SHIBRESOLVER_HAVE_GSSAPI
+
+/* if you have the GNU gssapi libraries */
+#undef SHIBRESOLVER_HAVE_GSSGNU
+
+/* if you have the Heimdal gssapi libraries */
+#undef SHIBRESOLVER_HAVE_GSSHEIMDAL
+
+/* if you have the MIT gssapi libraries */
+#undef SHIBRESOLVER_HAVE_GSSMIT
diff --git a/src/shibresolver/resolver.cpp b/src/shibresolver/resolver.cpp
index 8d90e64..503ad8c 100644
--- a/src/shibresolver/resolver.cpp
+++ b/src/shibresolver/resolver.cpp
@@ -1,5 +1,5 @@
 /*
- * Copyright 2010 JANET(UK)
+ * Copyright 2010-2011 JANET(UK)
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@@ -24,6 +24,7 @@
 #include
 #include
+#include
 #include
 #include
 #include
@@ -41,8 +42,10 @@
 #endif
 #include
 #include
+#include
 #include
 #include
+#include
 using namespace shibresolver;
 using namespace shibsp;
@@ -90,11 +93,17 @@ ShibbolethResolver* ShibbolethResolver::create()
 }
 ShibbolethResolver::ShibbolethResolver() : m_request(NULL), m_sp(NULL)
+#ifdef SHIBRESOLVER_HAVE_GSSAPI
+ ,m_gsswrapper(NULL)
+#endif
 {
 }
 ShibbolethResolver::~ShibbolethResolver()
 {
+#ifdef SHIBRESOLVER_HAVE_GSSAPI
+ delete m_gsswrapper;
+#endif
 for_each(m_resolvedAttributes.begin(), m_resolvedAttributes.end(), xmltooling::cleanup());
 if (m_sp)
 m_sp->unlock();
@@ -103,6 +112,14 @@ ShibbolethResolver::~ShibbolethResolver()
 void ShibbolethResolver::setRequest(const SPRequest* request)
 {
 m_request = request;
+#if defined(SHIBSP_HAVE_GSSAPI) && defined (SHIBRESOLVER_HAVE_GSSAPI)
+ if (request) {
+ const GSSRequest* gss = dynamic_cast(request);
+ if (gss) {
+ addToken(gss->getGSSContext());
+ }
+ }
+#endif
 }
 void ShibbolethResolver::setApplicationID(const char* appID)
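Review bot: config_pub_win32.h only `#undef`s the four SHIBRESOLVER_HAVE_GSS* macros, and base.h routes MSVC and Borland builds to it, so on Windows SHIBRESOLVER_HAVE_GSSAPI is never defined and the new `addToken(gss_ctx_id_t)` overload, the `m_gsswrapper` member and the setRequest hook are compiled out entirely, while the two vcxproj hunks still add this file to the projects. If that is the intent for now, say so at the top of the file, e.g. `/* GSS-API context extraction is not built on Windows yet; define SHIBRESOLVER_HAVE_GSSAPI plus one of GSSMIT/GSSHEIMDAL/GSSGNU here to enable it. */`, so a reader does not assume the feature merely failed to configure.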
@@ -125,6 +142,47 @@ void ShibbolethResolver::addToken(const XMLObject* token)
 m_tokens.push_back(token);
 }
+#ifdef SHIBRESOLVER_HAVE_GSSAPI
+void ShibbolethResolver::addToken(gss_ctx_id_t ctx)
+{
+ if (m_gsswrapper) {
+ delete m_gsswrapper;
+ m_gsswrapper = NULL;
+ }
+
+ if (ctx != GSS_C_NO_CONTEXT) {
+ OM_uint32 minor;
+ gss_buffer_desc contextbuf;
+ contextbuf.length = 0;
+ contextbuf.value = NULL;
+ OM_uint32 major = gss_export_sec_context(&minor, &ctx, &contextbuf);
+ if (major == GSS_S_COMPLETE) {
+ xsecsize_t len=0;
+ XMLByte* out=Base64::encode(reinterpret_cast(contextbuf.value), contextbuf.length, &len);
+ if (out) {
+ string s;
+ s.append(reinterpret_cast(out), len);
+ auto_ptr_XMLCh temp(s.c_str());
+#ifdef SHIBSP_XERCESC_HAS_XMLBYTE_RELEASE
+ XMLString::release(&out);
+#else
+ XMLString::release((char**)&out);
+#endif
+ static const XMLCh _GSSAPI[] = UNICODE_LITERAL_6(G,S,S,A,P,I);
+ m_gsswrapper = new AnyElementImpl(shibspconstants::SHIB2ATTRIBUTEMAP_NS, _GSSAPI);
+ m_gsswrapper->setTextContent(temp.get());
+ }
+ else {
+ Category::getInstance(SHIBRESOLVER_LOGCAT).error("error while base64-encoding GSS context");
+ }
+ }
+ else {
+ Category::getInstance(SHIBRESOLVER_LOGCAT).error("error exporting GSS context");
+ }
+ }
+}
+#endif
+
 void ShibbolethResolver::addAttribute(Attribute* attr)
 {
 if (attr)
@@ -158,6 +216,11 @@ void ShibbolethResolver::resolve()
 if (!app)
 throw ConfigurationException("Unable to locate application for resolution.");
+#ifdef HAVE_GSSAPI
+ if (m_gsswrapper)
+ m_tokens.push_back(m_gsswrapper);
+#endif
+
 if (conf.isEnabled(SPConfig::OutOfProcess)) {
 g_Remoted.resolve(
 *app,
diff --git a/src/shibresolver/resolver.h b/src/shibresolver/resolver.h
index f9c1feb..179a4ba 100644
--- a/src/shibresolver/resolver.h
+++ b/src/shibresolver/resolver.h
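Review bot: `gss_export_sec_context(&minor, &ctx, &contextbuf)` is destructive — on GSS_S_COMPLETE the implementation deletes the exporting side's context and writes GSS_C_NO_CONTEXT back through the pointer — but because `ctx` is a by-value parameter only the local copy is cleared, so the caller's handle (and, via the setRequest hunk above, the context the GSSRequest still holds) is left dangling; the resolver.h comment `The caller retains ownership of the context.` states the opposite and should read `The context is consumed by the export and must not be used by the caller afterwards.`, or the parameter should become `gss_ctx_id_t*` so the caller sees it cleared. The exported token in `contextbuf` is never freed: it carries the context's key material and leaks on both the success path and the Base64 failure path, so add `gss_release_buffer(&minor, &contextbuf);` after the `if (major == GSS_S_COMPLETE)` block (wiping `contextbuf.value` before release would be better still). The two error log lines would also be more actionable if they reported `major`/`minor` through gss_display_status instead of a fixed string.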
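Review bot: The guard added in resolve() tests `HAVE_GSSAPI`, while every other new site in this patch (constructor, destructor, setRequest, the addToken overload and resolver.h) and the AC_DEFINE in configure.ac use `SHIBRESOLVER_HAVE_GSSAPI`; nothing here defines HAVE_GSSAPI, so m_gsswrapper is built but never pushed into m_tokens and the feature is inert unless some other header happens to define that name. Change it to `#ifdef SHIBRESOLVER_HAVE_GSSAPI`. Once enabled, note that the wrapper is appended on every resolve() call, so a resolver reused for a second resolve() submits it twice; guarding with a find on m_tokens, or appending it once in addToken, avoids that. resolve()'s body continues outside the hunk.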
@@ -1,5 +1,5 @@
 /*
- * Copyright 2010 JANET(UK)
+ * Copyright 2010-2011 JANET(UK)
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@@ -31,6 +31,15 @@
 #include
 #include
+#ifdef SHIBRESOLVER_HAVE_GSSGNU
+# include
+#elif defined SHIBRESOLVER_HAVE_GSSMIT
+# include
+# include
+#else
+# include
+#endif
+
 namespace xmltooling { class XMLTOOL_API XMLObject; };
@@ -89,6 +98,16 @@ namespace shibresolver {
 */
 void addToken(const xmltooling::XMLObject* token);
+#ifdef SHIBRESOLVER_HAVE_GSSAPI
+ /**
+ * Adds a GSS-API security context as input to the resolver.
+ *
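Review bot: The new include block in resolver.h reaches its bare `#else` branch — which pulls in a GSS-API header unconditionally — whenever neither SHIBRESOLVER_HAVE_GSSGNU nor SHIBRESOLVER_HAVE_GSSMIT is defined, and that is exactly the state of a build configured without GSS-API (config_pub.h then leaves every SHIBRESOLVER_HAVE_GSS* macro undefined, and config_pub_win32.h always does), so every translation unit including this public header would need GSS headers on its include path. Wrap the block in `#ifdef SHIBRESOLVER_HAVE_GSSAPI` … `#endif`, and since configure.ac defines a dedicated SHIBRESOLVER_HAVE_GSSHEIMDAL, spell the last branch as `#elif defined SHIBRESOLVER_HAVE_GSSHEIMDAL` with an `#else` / `#error` so an inconsistent configuration fails in one place rather than in every consumer. The header file names are stripped in this rendering, so which vendor header the `#else` branch names is inferred from the configure.ac logic.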

The caller retains ownership of the context.
+ *
+ * @param ctx an input context to evaluate
+ */
+ void addToken(gss_ctx_id_t ctx);
+#endif
+
 /**
 * Adds an Attribute as input to the resolver.
 *

The caller retains ownership of the object.
@@ -171,6 +190,9 @@ namespace shibresolver {
 private:
 shibsp::ServiceProvider* m_sp;
+#ifdef SHIBRESOLVER_HAVE_GSSAPI
+ xmltooling::XMLObject* m_gsswrapper;
+#endif
 std::vector m_resolvedAttributes;
 };
-- 
2.1.4