2 * Copyright 2001-2005 Internet2
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
8 * http://www.apache.org/licenses/LICENSE-2.0
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
17 /* ArtifactMapper.cpp - a ShibTarget-aware SAML artifact->binding mapper
26 #include <saml/binding/SAMLArtifact.h>
28 using namespace shibsp;
29 using namespace shibtarget;
31 using namespace opensaml::saml2md;
32 using namespace xmltooling;
33 using namespace log4cpp;
36 SAMLResponse* STArtifactMapper::resolve(SAMLRequest* request)
38 Category& log=Category::getInstance("shibtarget.ArtifactMapper");
40 // First do a search for the issuer.
41 SAMLArtifact* artifact=request->getArtifacts().next();
42 auto_ptr<opensaml::SAMLArtifact> os2art(opensaml::SAMLArtifact::parse(artifact->encode().c_str()));
44 MetadataProvider* m=m_app->getMetadataProvider();
45 const EntityDescriptor* entity=m->getEntityDescriptor(os2art.get());
48 "metadata lookup failed, unable to determine issuer of artifact (0x%s)",
49 opensaml::SAMLArtifact::toHex(artifact->getBytes()).c_str()
51 throw MetadataException("Metadata lookup failed, unable to determine artifact issuer");
54 xmltooling::auto_ptr_char issuer(entity->getEntityID());
55 log.info("lookup succeeded, artifact issued by (%s)", issuer.get());
58 const PropertySet* credUse=m_app->getCredentialUse(entity);
59 pair<bool,bool> signRequest=credUse ? credUse->getBool("signRequest") : make_pair(false,false);
60 pair<bool,const char*> signatureAlg=credUse ? credUse->getString("signatureAlg") : pair<bool,const char*>(false,NULL);
61 if (!signatureAlg.first)
62 signatureAlg.second=URI_ID_RSA_SHA1;
63 pair<bool,const char*> digestAlg=credUse ? credUse->getString("digestAlg") : pair<bool,const char*>(false,NULL);
65 digestAlg.second=URI_ID_SHA1;
66 pair<bool,bool> signedResponse=credUse ? credUse->getBool("signedResponse") : make_pair(false,false);
67 pair<bool,const char*> signingCred=credUse ? credUse->getString("Signing") : pair<bool,const char*>(false,NULL);
68 if (signRequest.first && signRequest.second && signingCred.first) {
69 if (request->getMinorVersion()==1) {
70 shibboleth::Credentials creds(ShibTargetConfig::getConfig().getINI()->getCredentialsProviders());
71 const shibboleth::ICredResolver* cr=creds.lookup(signingCred.second);
73 request->sign(cr->getKey(),cr->getCertificates(),signatureAlg.second,digestAlg.second);
75 log.error("unable to sign artifact request, specified credential (%s) was not found",signingCred.second);
78 log.error("unable to sign SAML 1.0 artifact request, only SAML 1.1 defines signing adequately");
81 SAMLResponse* response = NULL;
82 bool authenticated = false;
83 static const XMLCh https[] = {chLatin_h, chLatin_t, chLatin_t, chLatin_p, chLatin_s, chColon, chNull};
85 // Depends on type of artifact.
86 const SAMLArtifactType0001* type1=dynamic_cast<const SAMLArtifactType0001*>(artifact);
88 // With type 01, any endpoint will do.
89 const IDPSSODescriptor* idp=entity->getIDPSSODescriptor(
90 request->getMinorVersion()==1 ? samlconstants::SAML11_PROTOCOL_ENUM : samlconstants::SAML10_PROTOCOL_ENUM
93 ShibHTTPHook::ShibHTTPHookCallContext callCtx(credUse,idp);
94 const vector<ArtifactResolutionService*>& endpoints=idp->getArtifactResolutionServices();
95 for (vector<ArtifactResolutionService*>::const_iterator ep=endpoints.begin(); !response && ep!=endpoints.end(); ++ep) {
96 const SAMLBinding* binding = m_app->getBinding((*ep)->getBinding());
98 xmltooling::auto_ptr_char prot((*ep)->getBinding());
99 log.warn("skipping binding on unsupported protocol (%s)", prot.get());
103 response = binding->send((*ep)->getLocation(),*request,&callCtx);
104 if (log.isDebugEnabled())
105 log.debugStream() << "SAML response from artifact request:\n" << *response << CategoryStream::ENDLINE;
107 if (!response->getAssertions().hasNext()) {
109 throw FatalProfileException("No SAML assertions returned in response to artifact profile request.");
111 authenticated = callCtx.isAuthenticated() && !XMLString::compareNString((*ep)->getLocation(),https,6);
113 catch (XMLToolingException& ex) {
114 annotateException(&ex,idp); // rethrows it
116 catch (exception& ex) {
117 opensaml::BindingException ex2(ex.what());
118 annotateException(&ex2,idp); // rethrows it
124 const SAMLArtifactType0002* type2=dynamic_cast<const SAMLArtifactType0002*>(artifact);
126 // With type 02, we have to find the matching location.
127 const IDPSSODescriptor* idp=entity->getIDPSSODescriptor(
128 request->getMinorVersion()==1 ? samlconstants::SAML11_PROTOCOL_ENUM : samlconstants::SAML10_PROTOCOL_ENUM
131 ShibHTTPHook::ShibHTTPHookCallContext callCtx(credUse,idp);
132 const vector<ArtifactResolutionService*>& endpoints=idp->getArtifactResolutionServices();
133 for (vector<ArtifactResolutionService*>::const_iterator ep=endpoints.begin(); !response && ep!=endpoints.end(); ++ep) {
134 xmltooling::auto_ptr_char loc((*ep)->getLocation());
135 if (strcmp(loc.get(),type2->getSourceLocation()))
137 const SAMLBinding* binding = m_app->getBinding((*ep)->getBinding());
139 xmltooling::auto_ptr_char prot((*ep)->getBinding());
140 log.warn("skipping binding on unsupported protocol (%s)", prot.get());
144 response = binding->send((*ep)->getLocation(),*request,&callCtx);
145 if (log.isDebugEnabled())
146 log.debugStream() << "SAML response from artifact request:\n" << *response << CategoryStream::ENDLINE;
148 if (!response->getAssertions().hasNext()) {
150 throw FatalProfileException("No SAML assertions returned in response to artifact profile request.");
152 authenticated = callCtx.isAuthenticated() && !XMLString::compareNString((*ep)->getLocation(),https,6);
154 catch (XMLToolingException& ex) {
155 annotateException(&ex,idp); // rethrows it
157 catch (exception& ex) {
158 opensaml::BindingException ex2(ex.what());
159 annotateException(&ex2,idp); // rethrows it
165 log.error("unrecognized artifact type (0x%s)", SAMLArtifact::toHex(artifact->getTypeCode()).c_str());
166 throw xmltooling::UnknownExtensionException(
167 string("Received unrecognized artifact type (0x") + SAMLArtifact::toHex(artifact->getTypeCode()) + ")"
173 log.error("unable to locate acceptable binding/endpoint to resolve artifact");
174 MetadataException ex("Unable to locate acceptable binding/endpoint to resolve artifact.");
175 annotateException(&ex,entity); // throws it
177 else if (!response->isSigned()) {
178 if (!authenticated || (signedResponse.first && signedResponse.second)) {
179 log.error("unsigned response obtained, but it must be signed.");
180 XMLSecurityException ex("Unable to obtain a signed response from artifact request.");
181 annotateException(&ex,entity); // throws it