projects / shibboleth / cpp-sp.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
https://issues.shibboleth.net/jira/browse/SSPCPP-193
[shibboleth/cpp-sp.git] / shibsp / ServiceProvider.cpp
1 /*
2  *  Copyright 2001-2007 Internet2
3  *
4  * Licensed under the Apache License, Version 2.0 (the "License");
5  * you may not use this file except in compliance with the License.
6  * You may obtain a copy of the License at
7  *
8  *     http://www.apache.org/licenses/LICENSE-2.0
9  *
10  * Unless required by applicable law or agreed to in writing, software
11  * distributed under the License is distributed on an "AS IS" BASIS,
12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13  * See the License for the specific language governing permissions and
14  * limitations under the License.
15  */
16
17 /**
18  * ServiceProvider.cpp
19  *
20  * Interface to a Shibboleth ServiceProvider instance.
21  */
22
23 #include "internal.h"
24 #include "exceptions.h"
25 #include "AccessControl.h"
26 #include "Application.h"
27 #include "ServiceProvider.h"
28 #include "SessionCache.h"
29 #include "SPRequest.h"
30 #include "attribute/Attribute.h"
31 #include "handler/SessionInitiator.h"
32 #include "util/TemplateParameters.h"
33
34 #include <fstream>
35 #include <sstream>
36 #include <xmltooling/XMLToolingConfig.h>
37 #include <xmltooling/util/NDC.h>
38 #include <xmltooling/util/PathResolver.h>
39 #include <xmltooling/util/URLEncoder.h>
40 #include <xmltooling/util/XMLHelper.h>
41
42 using namespace shibsp;
43 using namespace xmltooling::logging;
44 using namespace xmltooling;
45 using namespace std;
46
47 namespace shibsp {
48     SHIBSP_DLLLOCAL PluginManager<ServiceProvider,string,const DOMElement*>::Factory XMLServiceProviderFactory;
49
50     long SHIBSP_DLLLOCAL sendError(
51         Category& log, SPRequest& request, const Application* app, const char* page, TemplateParameters& tp, bool mayRedirect=true
52         )
53     {
54         // The properties we need can be set in the RequestMap, or the Errors element.
55         bool mderror = dynamic_cast<const opensaml::saml2md::MetadataException*>(tp.getRichException())!=NULL;
56         pair<bool,const char*> redirectErrors = pair<bool,const char*>(false,NULL);
57         pair<bool,const char*> pathname = pair<bool,const char*>(false,NULL);
58
59         // Strictly for error handling, detect a NULL application and point at the default.
60         if (!app)
61             app = request.getServiceProvider().getApplication("default");
62
63         const PropertySet* props=app->getPropertySet("Errors");
64
65         try {
66             RequestMapper::Settings settings = request.getRequestSettings();
67             if (mderror)
68                 pathname = settings.first->getString("metadataError");
69             if (!pathname.first) {
70                 string pagename(page);
71                 pagename += "Error";
72                 pathname = settings.first->getString(pagename.c_str());
73             }
74             if (mayRedirect)
75                 redirectErrors = settings.first->getString("redirectErrors");
76         }
77         catch (exception& ex) {
78             log.error(ex.what());
79         }
80
81         if (mayRedirect) {
82             // Check for redirection on errors instead of template.
83             if (!redirectErrors.first && props)
84                 redirectErrors = props->getString("redirectErrors");
85             if (redirectErrors.first) {
86                 string loc(redirectErrors.second);
87                 loc = loc + '?' + tp.toQueryString();
88                 return request.sendRedirect(loc.c_str());
89             }
90         }
91
92         request.setContentType("text/html");
93         request.setResponseHeader("Expires","01-Jan-1997 12:00:00 GMT");
94         request.setResponseHeader("Cache-Control","private,no-store,no-cache");
95
96         if (!pathname.first && props) {
97             if (mderror)
98                 pathname=props->getString("metadata");
99             if (!pathname.first)
100                 pathname=props->getString(page);
101         }
102         if (pathname.first) {
103             string fname(pathname.second);
104             ifstream infile(XMLToolingConfig::getConfig().getPathResolver()->resolve(fname, PathResolver::XMLTOOLING_CFG_FILE).c_str());
105             if (infile) {
106                 tp.setPropertySet(props);
107                 stringstream str;
108                 XMLToolingConfig::getConfig().getTemplateEngine()->run(infile, str, tp, tp.getRichException());
109                 return request.sendError(str);
110             }
111         }
112
113         if (!strcmp(page,"access")) {
114             istringstream msg("Access Denied");
115             return request.sendResponse(msg, HTTPResponse::XMLTOOLING_HTTP_STATUS_FORBIDDEN);
116         }
117
118         log.error("sendError could not process error template (%s)", page);
119         istringstream msg("Internal Server Error. Please contact the site administrator.");
120         return request.sendError(msg);
121     }
122
123     void SHIBSP_DLLLOCAL clearHeaders(SPRequest& request) {
124         const Application& app = request.getApplication();
125         app.clearHeader(request, "Shib-Session-ID", "HTTP_SHIB_SESSION_ID");
126         app.clearHeader(request, "Shib-Identity-Provider", "HTTP_SHIB_IDENTITY_PROVIDER");
127         app.clearHeader(request, "Shib-Authentication-Method", "HTTP_SHIB_AUTHENTICATION_METHOD");
128         app.clearHeader(request, "Shib-Authentication-Instant", "HTTP_SHIB_AUTHENTICATION_INSTANT");
129         app.clearHeader(request, "Shib-AuthnContext-Class", "HTTP_SHIB_AUTHNCONTEXT_CLASS");
130         app.clearHeader(request, "Shib-AuthnContext-Decl", "HTTP_SHIB_AUTHNCONTEXT_DECL");
131         app.clearHeader(request, "Shib-Assertion-Count", "HTTP_SHIB_ASSERTION_COUNT");
132         app.clearAttributeHeaders(request);
133         request.clearHeader("REMOTE_USER", "HTTP_REMOTE_USER");
134     }
135 };
136
137 void SHIBSP_API shibsp::registerServiceProviders()
138 {
139     SPConfig::getConfig().ServiceProviderManager.registerFactory(XML_SERVICE_PROVIDER, XMLServiceProviderFactory);
140 }
141
142 pair<bool,long> ServiceProvider::doAuthentication(SPRequest& request, bool handler) const
143 {
144 #ifdef _DEBUG
145     xmltooling::NDC ndc("doAuthentication");
146 #endif
147     Category& log = Category::getInstance(SHIBSP_LOGCAT".ServiceProvider");
148
149     const Application* app=NULL;
150     string targetURL = request.getRequestURL();
151
152     try {
153         RequestMapper::Settings settings = request.getRequestSettings();
154         app = &(request.getApplication());
155
156         // If not SSL, check to see if we should block or redirect it.
157         if (!request.isSecure()) {
158             pair<bool,const char*> redirectToSSL = settings.first->getString("redirectToSSL");
159             if (redirectToSSL.first) {
160 #ifdef HAVE_STRCASECMP
161                 if (!strcasecmp("GET",request.getMethod()) || !strcasecmp("HEAD",request.getMethod())) {
162 #else
163                 if (!stricmp("GET",request.getMethod()) || !stricmp("HEAD",request.getMethod())) {
164 #endif
165                     // Compute the new target URL
166                     string redirectURL = string("https://") + request.getHostname();
167                     if (strcmp(redirectToSSL.second,"443")) {
168                         redirectURL = redirectURL + ':' + redirectToSSL.second;
169                     }
170                     redirectURL += request.getRequestURI();
171                     return make_pair(true, request.sendRedirect(redirectURL.c_str()));
172                 }
173                 else {
174                     TemplateParameters tp;
175                     tp.m_map["requestURL"] = targetURL.substr(0,targetURL.find('?'));
176                     return make_pair(true,sendError(log, request, app, "ssl", tp, false));
177                 }
178             }
179         }
180
181         const char* handlerURL=request.getHandlerURL(targetURL.c_str());
182         if (!handlerURL)
183             throw ConfigurationException("Cannot determine handler from resource URL, check configuration.");
184
185         // If the request URL contains the handler base URL for this application, either dispatch
186         // directly (mainly Apache 2.0) or just pass back control.
187         if (strstr(targetURL.c_str(),handlerURL)) {
188             if (handler)
189                 return doHandler(request);
190             else
191                 return make_pair(true, request.returnOK());
192         }
193
194         // Three settings dictate how to proceed.
195         pair<bool,const char*> authType = settings.first->getString("authType");
196         pair<bool,bool> requireSession = settings.first->getBool("requireSession");
197         pair<bool,const char*> requireSessionWith = settings.first->getString("requireSessionWith");
198
199         // If no session is required AND the AuthType (an Apache-derived concept) isn't shibboleth,
200         // then we ignore this request and consider it unprotected. Apache might lie to us if
201         // ShibBasicHijack is on, but that's up to it.
202         if ((!requireSession.first || !requireSession.second) && !requireSessionWith.first &&
203 #ifdef HAVE_STRCASECMP
204                 (!authType.first || strcasecmp(authType.second,"shibboleth")))
205 #else
206                 (!authType.first || _stricmp(authType.second,"shibboleth")))
207 #endif
208             return make_pair(true,request.returnDecline());
209
210         // Fix for secadv 20050901
211         clearHeaders(request);
212
213         Session* session = NULL;
214         try {
215             session = request.getSession();
216         }
217         catch (exception& e) {
218             log.warn("error during session lookup: %s", e.what());
219             // If it's not a retryable session failure, we throw to the outer handler for reporting.
220             if (dynamic_cast<opensaml::RetryableProfileException*>(&e)==NULL)
221                 throw;
222         }
223
224         if (!session) {
225             // No session.  Maybe that's acceptable?
226             if ((!requireSession.first || !requireSession.second) && !requireSessionWith.first)
227                 return make_pair(true,request.returnOK());
228
229             // No session, but we require one. Initiate a new session using the indicated method.
230             const SessionInitiator* initiator=NULL;
231             if (requireSessionWith.first) {
232                 initiator=app->getSessionInitiatorById(requireSessionWith.second);
233                 if (!initiator) {
234                     throw ConfigurationException(
235                         "No session initiator found with id ($1), check requireSessionWith command.", params(1,requireSessionWith.second)
236                         );
237                 }
238             }
239             else {
240                 initiator=app->getDefaultSessionInitiator();
241                 if (!initiator)
242                     throw ConfigurationException("No default session initiator found, check configuration.");
243             }
244
245             return initiator->run(request,false);
246         }
247
248         request.setAuthType("shibboleth");
249
250         // We're done.  Everything is okay.  Nothing to report.  Nothing to do..
251         // Let the caller decide how to proceed.
252         log.debug("doAuthentication succeeded");
253         return make_pair(false,0L);
254     }
255     catch (exception& e) {
256         TemplateParameters tp(&e);
257         tp.m_map["requestURL"] = targetURL.substr(0,targetURL.find('?'));
258         return make_pair(true,sendError(log, request, app, "session", tp));
259     }
260 }
261
262 pair<bool,long> ServiceProvider::doAuthorization(SPRequest& request) const
263 {
264 #ifdef _DEBUG
265     xmltooling::NDC ndc("doAuthorization");
266 #endif
267     Category& log = Category::getInstance(SHIBSP_LOGCAT".ServiceProvider");
268
269     const Application* app=NULL;
270     string targetURL = request.getRequestURL();
271
272     try {
273         RequestMapper::Settings settings = request.getRequestSettings();
274         app = &(request.getApplication());
275
276         // Three settings dictate how to proceed.
277         pair<bool,const char*> authType = settings.first->getString("authType");
278         pair<bool,bool> requireSession = settings.first->getBool("requireSession");
279         pair<bool,const char*> requireSessionWith = settings.first->getString("requireSessionWith");
280
281         // If no session is required AND the AuthType (an Apache-derived concept) isn't shibboleth,
282         // then we ignore this request and consider it unprotected. Apache might lie to us if
283         // ShibBasicHijack is on, but that's up to it.
284         if ((!requireSession.first || !requireSession.second) && !requireSessionWith.first &&
285 #ifdef HAVE_STRCASECMP
286                 (!authType.first || strcasecmp(authType.second,"shibboleth")))
287 #else
288                 (!authType.first || _stricmp(authType.second,"shibboleth")))
289 #endif
290             return make_pair(true,request.returnDecline());
291
292         // Do we have an access control plugin?
293         if (settings.second) {
294             const Session* session = NULL;
295             try {
296                 session = request.getSession(false);
297             }
298             catch (exception& e) {
299                 log.warn("unable to obtain session to pass to access control provider: %s", e.what());
300             }
301
302             Locker acllock(settings.second);
303             switch (settings.second->authorized(request,session)) {
304                 case AccessControl::shib_acl_true:
305                     log.debug("access control provider granted access");
306                     return make_pair(true,request.returnOK());
307
308                 case AccessControl::shib_acl_false:
309                 {
310                     log.warn("access control provider denied access");
311                     TemplateParameters tp;
312                     tp.m_map["requestURL"] = targetURL;
313                     return make_pair(true,sendError(log, request, app, "access", tp, false));
314                 }
315
316                 default:
317                     // Use the "DECLINE" interface to signal we don't know what to do.
318                     return make_pair(true,request.returnDecline());
319             }
320         }
321         else {
322             return make_pair(true,request.returnDecline());
323         }
324     }
325     catch (exception& e) {
326         TemplateParameters tp(&e);
327         tp.m_map["requestURL"] = targetURL.substr(0,targetURL.find('?'));
328         return make_pair(true,sendError(log, request, app, "access", tp));
329     }
330 }
331
332 pair<bool,long> ServiceProvider::doExport(SPRequest& request, bool requireSession) const
333 {
334 #ifdef _DEBUG
335     xmltooling::NDC ndc("doExport");
336 #endif
337     Category& log = Category::getInstance(SHIBSP_LOGCAT".ServiceProvider");
338
339     const Application* app=NULL;
340     string targetURL = request.getRequestURL();
341
342     try {
343         RequestMapper::Settings settings = request.getRequestSettings();
344         app = &(request.getApplication());
345
346         const Session* session = NULL;
347         try {
348             session = request.getSession(false);
349         }
350         catch (exception& e) {
351             log.warn("unable to obtain session to export to request: %s", e.what());
352                 // If we have to have a session, then this is a fatal error.
353                 if (requireSession)
354                         throw;
355         }
356
357                 // Still no data?
358         if (!session) {
359                 if (requireSession)
360                 throw opensaml::RetryableProfileException("Unable to obtain session to export to request.");
361                 else
362                         return make_pair(false,0L);     // just bail silently
363         }
364
365         app->setHeader(request, "Shib-Application-ID", app->getId());
366         app->setHeader(request, "Shib-Session-ID", session->getID());
367
368         // Export the IdP name and Authn method/context info.
369         const char* hval = session->getEntityID();
370         if (hval)
371             app->setHeader(request, "Shib-Identity-Provider", hval);
372         hval = session->getAuthnInstant();
373         if (hval)
374             app->setHeader(request, "Shib-Authentication-Instant", hval);
375         hval = session->getAuthnContextClassRef();
376         if (hval) {
377             app->setHeader(request, "Shib-Authentication-Method", hval);
378             app->setHeader(request, "Shib-AuthnContext-Class", hval);
379         }
380         hval = session->getAuthnContextDeclRef();
381         if (hval)
382             app->setHeader(request, "Shib-AuthnContext-Decl", hval);
383
384         // Maybe export the assertion keys.
385         pair<bool,bool> exp=settings.first->getBool("exportAssertion");
386         if (exp.first && exp.second) {
387             const PropertySet* sessions=app->getPropertySet("Sessions");
388             pair<bool,const char*> exportLocation = sessions ? sessions->getString("exportLocation") : pair<bool,const char*>(false,NULL);
389             if (!exportLocation.first)
390                 log.warn("can't export assertions without an exportLocation Sessions property");
391             else {
392                 const URLEncoder* encoder = XMLToolingConfig::getConfig().getURLEncoder();
393                 string exportName = "Shib-Assertion-00";
394                 string baseURL;
395                 if (!strncmp(exportLocation.second, "http", 4))
396                     baseURL = exportLocation.second;
397                 else
398                     baseURL = string(request.getHandlerURL(targetURL.c_str())) + exportLocation.second;
399                 baseURL = baseURL + "?key=" + session->getID() + "&ID=";
400                 const vector<const char*>& tokens = session->getAssertionIDs();
401                 vector<const char*>::size_type count = 0;
402                 for (vector<const char*>::const_iterator tokenids = tokens.begin(); tokenids!=tokens.end(); ++tokenids) {
403                     count++;
404                     *(exportName.rbegin()) = '0' + (count%10);
405                     *(++exportName.rbegin()) = '0' + (count/10);
406                     string fullURL = baseURL + encoder->encode(*tokenids);
407                     app->setHeader(request, exportName.c_str(), fullURL.c_str());
408                 }
409                 app->setHeader(request, "Shib-Assertion-Count", exportName.c_str() + 15);
410             }
411         }
412
413         // Export the attributes.
414         const multimap<string,const Attribute*>& attributes = session->getIndexedAttributes();
415         for (multimap<string,const Attribute*>::const_iterator a = attributes.begin(); a!=attributes.end(); ++a) {
416             string header(app->getSecureHeader(request, a->first.c_str()));
417             const vector<string>& vals = a->second->getSerializedValues();
418             for (vector<string>::const_iterator v = vals.begin(); v!=vals.end(); ++v) {
419                 if (!header.empty())
420                     header += ";";
421                 string::size_type pos = v->find_first_of(';',string::size_type(0));
422                 if (pos!=string::npos) {
423                     string value(*v);
424                     for (; pos != string::npos; pos = value.find_first_of(';',pos)) {
425                         value.insert(pos, "\\");
426                         pos += 2;
427                     }
428                     header += value;
429                 }
430                 else {
431                     header += (*v);
432                 }
433             }
434             app->setHeader(request, a->first.c_str(), header.c_str());
435         }
436
437         // Check for REMOTE_USER.
438         bool remoteUserSet = false;
439         const vector<string>& rmids = app->getRemoteUserAttributeIds();
440         for (vector<string>::const_iterator rmid = rmids.begin(); !remoteUserSet && rmid != rmids.end(); ++rmid) {
441             pair<multimap<string,const Attribute*>::const_iterator,multimap<string,const Attribute*>::const_iterator> matches =
442                 attributes.equal_range(*rmid);
443             for (; matches.first != matches.second; ++matches.first) {
444                 const vector<string>& vals = matches.first->second->getSerializedValues();
445                 if (!vals.empty()) {
446                     request.setRemoteUser(vals.front().c_str());
447                     remoteUserSet = true;
448                     break;
449                 }
450             }
451         }
452
453         return make_pair(false,0L);
454     }
455     catch (exception& e) {
456         TemplateParameters tp(&e);
457         tp.m_map["requestURL"] = targetURL.substr(0,targetURL.find('?'));
458         return make_pair(true,sendError(log, request, app, "session", tp));
459     }
460 }
461
462 pair<bool,long> ServiceProvider::doHandler(SPRequest& request) const
463 {
464 #ifdef _DEBUG
465     xmltooling::NDC ndc("doHandler");
466 #endif
467     Category& log = Category::getInstance(SHIBSP_LOGCAT".ServiceProvider");
468
469     const Application* app=NULL;
470     string targetURL = request.getRequestURL();
471
472     try {
473         RequestMapper::Settings settings = request.getRequestSettings();
474         app = &(request.getApplication());
475
476         // If not SSL, check to see if we should block or redirect it.
477         if (!request.isSecure()) {
478             pair<bool,const char*> redirectToSSL = settings.first->getString("redirectToSSL");
479             if (redirectToSSL.first) {
480 #ifdef HAVE_STRCASECMP
481                 if (!strcasecmp("GET",request.getMethod()) || !strcasecmp("HEAD",request.getMethod())) {
482 #else
483                 if (!stricmp("GET",request.getMethod()) || !stricmp("HEAD",request.getMethod())) {
484 #endif
485                     // Compute the new target URL
486                     string redirectURL = string("https://") + request.getHostname();
487                     if (strcmp(redirectToSSL.second,"443")) {
488                         redirectURL = redirectURL + ':' + redirectToSSL.second;
489                     }
490                     redirectURL += request.getRequestURI();
491                     return make_pair(true, request.sendRedirect(redirectURL.c_str()));
492                 }
493                 else {
494                     TemplateParameters tp;
495                     tp.m_map["requestURL"] = targetURL.substr(0,targetURL.find('?'));
496                     return make_pair(true,sendError(log, request, app, "ssl", tp, false));
497                 }
498             }
499         }
500
501         const char* handlerURL=request.getHandlerURL(targetURL.c_str());
502         if (!handlerURL)
503             throw ConfigurationException("Cannot determine handler from resource URL, check configuration.");
504
505         // Make sure we only process handler requests.
506         if (!strstr(targetURL.c_str(),handlerURL))
507             return make_pair(true, request.returnDecline());
508
509         const PropertySet* sessionProps=app->getPropertySet("Sessions");
510         if (!sessionProps)
511             throw ConfigurationException("Unable to map request to application session settings, check configuration.");
512
513         // Process incoming request.
514         pair<bool,bool> handlerSSL=sessionProps->getBool("handlerSSL");
515
516         // Make sure this is SSL, if it should be
517         if ((!handlerSSL.first || handlerSSL.second) && !request.isSecure())
518             throw opensaml::FatalProfileException("Blocked non-SSL access to Shibboleth handler.");
519
520         // We dispatch based on our path info. We know the request URL begins with or equals the handler URL,
521         // so the path info is the next character (or null).
522         const Handler* handler=app->getHandler(targetURL.c_str() + strlen(handlerURL));
523         if (!handler)
524             throw ConfigurationException("Shibboleth handler invoked at an unconfigured location.");
525
526         pair<bool,long> hret=handler->run(request);
527
528         // Did the handler run successfully?
529         if (hret.first)
530             return hret;
531
532         throw ConfigurationException("Configured Shibboleth handler failed to process the request.");
533     }
534     catch (exception& e) {
535         TemplateParameters tp(&e);
536         tp.m_map["requestURL"] = targetURL.substr(0,targetURL.find('?'));
537         tp.m_request = &request;
538         return make_pair(true,sendError(log, request, app, "session", tp));
539     }
540 }
Unnamed repository; edit this file 'description' to name the repository.