2 * Copyright 2001-2005 Internet2
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
8 * http://www.apache.org/licenses/LICENSE-2.0
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
17 /* shib.h - Shibboleth header file
28 #include <saml/saml2/metadata/Metadata.h>
29 #include <saml/saml2/metadata/MetadataProvider.h>
30 #include <xmltooling/security/TrustEngine.h>
31 #include <xmltooling/util/Threads.h>
33 #include <saml/saml.h>
34 #undef SAML10_PROTOCOL_ENUM
38 # define SHIB_EXPORTS __declspec(dllimport)
46 // Credentials interface abstracts access to "owned" keys and certificates.
48 struct SHIB_EXPORTS ICredResolver : public virtual saml::IPlugIn
50 virtual void attach(void* ctx) const=0;
51 virtual XSECCryptoKey* getKey() const=0;
52 virtual saml::Iterator<XSECCryptoX509*> getCertificates() const=0;
53 virtual void dump(FILE* f) const=0;
54 virtual void dump() const { dump(stdout); }  // Convenience overload of dump(FILE*) that writes to stdout. NOTE(review): the same resolver hands out its key via getKey(); implementations must never write key material through this path.
55 virtual ~ICredResolver() {}  // Virtual: a plugin implementation can be safely deleted through this interface pointer.
58 struct SHIB_EXPORTS ICredentials : public virtual saml::ILockable, public virtual saml::IPlugIn
60 virtual const ICredResolver* lookup(const char* id) const=0;
61 virtual ~ICredentials() {}  // Virtual: a plugin implementation can be safely deleted through this interface pointer.
64 // Attribute acceptance processing interfaces, applied to incoming attributes.
66 struct SHIB_EXPORTS IAttributeRule
68 virtual const XMLCh* getName() const=0;
69 virtual const XMLCh* getNamespace() const=0;
70 virtual const char* getAlias() const=0;
71 virtual const char* getHeader() const=0;
72 virtual bool getCaseSensitive() const=0;
73 virtual void apply(saml::SAMLAttribute& attribute, const opensaml::saml2md::RoleDescriptor* role=NULL) const=0;
74 virtual ~IAttributeRule() {}  // Virtual: a rule implementation can be safely deleted through this interface pointer.
77 struct SHIB_EXPORTS IAAP : public virtual saml::ILockable, public virtual saml::IPlugIn
79 virtual bool anyAttribute() const=0;
80 virtual const IAttributeRule* lookup(const XMLCh* attrName, const XMLCh* attrNamespace=NULL) const=0;
81 virtual const IAttributeRule* lookup(const char* alias) const=0;
82 virtual saml::Iterator<const IAttributeRule*> getAttributeRules() const=0;
86 struct SHIB_EXPORTS IAttributeFactory : public virtual saml::IPlugIn
88 virtual saml::SAMLAttribute* build(DOMElement* e) const=0;
89 virtual ~IAttributeFactory() {}  // Virtual: a factory implementation can be safely deleted through this interface pointer.
92 #ifdef SHIB_INSTANTIATE
93 template class SHIB_EXPORTS saml::Iterator<ICredentials*>;
94 template class SHIB_EXPORTS saml::ArrayIterator<ICredentials*>;
95 template class SHIB_EXPORTS saml::Iterator<IAAP*>;
96 template class SHIB_EXPORTS saml::ArrayIterator<IAAP*>;
99 class SHIB_EXPORTS Credentials
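// Wraps the configured ICredentials plugins. m_creds holds a copy of the
// iterator; no destructor is visible in this excerpt, so the pointees are
// presumably owned elsewhere -- confirm. m_mapper starts NULL (presumably set
// by lookup() to the plugin that resolved an id -- confirm).
// Initializers are listed in declaration order (m_mapper, then m_creds),
// which is the order they actually run; the previous order only triggered a
// -Wreorder warning but was misleading to read.
// NOTE(review): single-argument and not explicit; left implicit so existing
// conversions from an Iterator keep working.
102 Credentials(const saml::Iterator<ICredentials*>& creds) : m_mapper(NULL), m_creds(creds) {}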
105 const ICredResolver* lookup(const char* id);
108 Credentials(const Credentials&);
109 void operator=(const Credentials&);
110 ICredentials* m_mapper;
111 saml::Iterator<ICredentials*> m_creds;
114 class SHIB_EXPORTS AAP
117 AAP(const saml::Iterator<IAAP*>& aaps, const XMLCh* attrName, const XMLCh* attrNamespace=NULL);
118 AAP(const saml::Iterator<IAAP*>& aaps, const char* alias);
120 bool fail() const { return !m_mapper; }  // True when m_mapper is still NULL, presumably because the constructors found no matching rule -- confirm; test this before using the rule.
121 const IAttributeRule* operator->() const { return this->m_rule; }  // Member access forwarded to the matched rule; the pointer is not checked here, so callers should check fail() first.
122 operator const IAttributeRule*() const { return this->m_rule; }  // Implicit conversion to the matched rule pointer; unchecked, so pair it with fail().
125 const saml::Iterator<IAAP*>& aaps, saml::SAMLAssertion& assertion, const opensaml::saml2md::RoleDescriptor* role=NULL
130 void operator=(const AAP&);
132 const IAttributeRule* m_rule;
135 // Subclass around the OpenSAML browser profile interface,
136 // incorporates additional functionality using Shib-defined APIs.
137 class SHIB_EXPORTS ShibBrowserProfile : virtual public saml::SAMLBrowserProfile
140 struct SHIB_EXPORTS ITokenValidator {
141 virtual void validateToken(
142 saml::SAMLAssertion* token,
144 const opensaml::saml2md::RoleDescriptor* role=NULL,
145 const xmltooling::TrustEngine* trustEngine=NULL
147 virtual ~ITokenValidator() {}
151 const ITokenValidator* validator,
152 opensaml::saml2md::MetadataProvider* metadata=NULL,
153 xmltooling::TrustEngine* trust=NULL
155 virtual ~ShibBrowserProfile();
157 virtual saml::SAMLBrowserProfile::BrowserProfileResponse receive(
158 const char* samlResponse,
159 const XMLCh* recipient,
160 saml::IReplayCache* replayCache,
163 virtual saml::SAMLBrowserProfile::BrowserProfileResponse receive(
164 saml::Iterator<const char*> artifacts,
165 const XMLCh* recipient,
166 saml::SAMLBrowserProfile::ArtifactMapper* artifactMapper,
167 saml::IReplayCache* replayCache,
172 void postprocess(saml::SAMLBrowserProfile::BrowserProfileResponse& bpr, int minorVersion=1) const;
174 saml::SAMLBrowserProfile* m_profile;
175 opensaml::saml2md::MetadataProvider* m_metadata;
176 xmltooling::TrustEngine* m_trust;
177 const ITokenValidator* m_validator;
180 class SHIB_EXPORTS ShibConfig
184 virtual ~ShibConfig() {}  // Virtual: a derived configuration object can be safely deleted through a ShibConfig pointer.
186 // global per-process setup and shutdown of Shibboleth runtime
190 // manages specific attribute name to factory mappings
191 void regAttributeMapping(const XMLCh* name, const IAttributeFactory* factory);
192 void unregAttributeMapping(const XMLCh* name);
193 void clearAttributeMappings();
195 // enables runtime and clients to access configuration
196 static ShibConfig& getConfig();
199 /* Helper classes for implementing reloadable XML-based config files
200 The ILockable interface will usually be inherited twice, once as
201 part of the external interface to clients and once as an implementation
202 detail of the reloading class below.
205 class SHIB_EXPORTS ReloadableXMLFileImpl
208 ReloadableXMLFileImpl(const char* pathname);
209 ReloadableXMLFileImpl(const DOMElement* pathname);
210 virtual ~ReloadableXMLFileImpl();
214 const DOMElement* m_root;
217 class SHIB_EXPORTS ReloadableXMLFile : protected virtual saml::ILockable
220 ReloadableXMLFile(const DOMElement* e);
// Releases the lock and the current implementation, both owned by this object.
// NOTE(review): the class is abstract (newImplementation is pure virtual) and
// this destructor is not declared virtual, so deleting a derived object through
// a ReloadableXMLFile* is only safe if saml::ILockable's destructor is virtual
// -- confirm. Copying would double-delete both pointers; confirm the copy
// constructor and assignment are disabled (not visible in this excerpt).
221 ~ReloadableXMLFile() { delete m_lock; delete m_impl; }
224 virtual void unlock() { if (m_lock != NULL) { m_lock->unlock(); } }  // No-op when no RWLock was created (m_lock NULL); the matching lock() is outside this excerpt and presumably guarded the same way -- confirm.
226 ReloadableXMLFileImpl* getImplementation() const;
229 virtual ReloadableXMLFileImpl* newImplementation(const char* pathname, bool first=true) const=0;
230 virtual ReloadableXMLFileImpl* newImplementation(const DOMElement* e, bool first=true) const=0;
231 mutable ReloadableXMLFileImpl* m_impl;
234 const DOMElement* m_root;
235 std::string m_source;
237 xmltooling::RWLock* m_lock;