shibsp/attribute/resolver/impl/DelegationAttributeExtractor.cpp

   1 /*
   2  *  Copyright 2009-2010 Internet2
   3  *
   4  * Licensed under the Apache License, Version 2.0 (the "License");
   5  * you may not use this file except in compliance with the License.
   6  * You may obtain a copy of the License at
   7  *
   8  *     http://www.apache.org/licenses/LICENSE-2.0
   9  *
  10  * Unless required by applicable law or agreed to in writing, software
  11  * distributed under the License is distributed on an "AS IS" BASIS,
  12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  13  * See the License for the specific language governing permissions and
  14  * limitations under the License.
  15  */
  16
  17 /**
  18  * DelegationAttributeExtractor.cpp
  19  *
  20  * AttributeExtractor for DelegationRestriction information.
  21  */
  22
  23 #include "internal.h"
  24 #include "Application.h"
  25 #include "ServiceProvider.h"
  26 #include "attribute/ExtensibleAttribute.h"
  27 #include "attribute/resolver/AttributeExtractor.h"
  28 #include "util/SPConstants.h"
  29
  30 #include <saml/saml2/core/Assertions.h>
  31 #include <saml/saml2/metadata/Metadata.h>
  32 #include <saml/saml2/metadata/MetadataCredentialCriteria.h>
  33 #include <xmltooling/security/CredentialResolver.h>
  34 #include <xmltooling/util/DateTime.h>
  35 #include <xmltooling/util/XMLHelper.h>
  36 #include <xercesc/util/XMLUniDefs.hpp>
  37
  38 using namespace shibsp;
  39 using namespace opensaml::saml2md;
  40 using namespace opensaml;
  41 using namespace xmltooling;
  42 using namespace std;
  43
  44 namespace shibsp {
  45
  46 #if defined (_MSC_VER)
  47     #pragma warning( push )
  48     #pragma warning( disable : 4250 )
  49 #endif
  50
  51     class DelegationExtractor : public AttributeExtractor
  52     {
  53     public:
  54         DelegationExtractor(const DOMElement* e);
  55         ~DelegationExtractor() {}
  56
  57         Lockable* lock() {
  58             return this;
  59         }
  60
  61         void unlock() {
  62         }
  63
  64         void extractAttributes(
  65             const Application& application, const RoleDescriptor* issuer, const XMLObject& xmlObject, vector<Attribute*>& attributes
  66             ) const;
  67
  68         void getAttributeIds(std::vector<std::string>& attributes) const {
  69             attributes.push_back(m_attributeId);
  70         }
  71
  72     private:
  73         string m_attributeId,m_formatter;
  74     };
  75
  76 #if defined (_MSC_VER)
  77     #pragma warning( pop )
  78 #endif
  79
  80     AttributeExtractor* SHIBSP_DLLLOCAL DelegationAttributeExtractorFactory(const DOMElement* const & e)
  81     {
  82         return new DelegationExtractor(e);
  83     }
  84
  85     static const XMLCh attributeId[] =  UNICODE_LITERAL_11(a,t,t,r,i,b,u,t,e,I,d);
  86     static const XMLCh formatter[] =    UNICODE_LITERAL_9(f,o,r,m,a,t,t,e,r);
  87 };
  88
  89 DelegationExtractor::DelegationExtractor(const DOMElement* e)
  90     : m_attributeId(XMLHelper::getAttrString(e, "delegate", attributeId)),
  91         m_formatter(XMLHelper::getAttrString(e, "$Name", formatter))
  92 {
  93 }
  94
  95 void DelegationExtractor::extractAttributes(
  96     const Application& application, const RoleDescriptor* issuer, const XMLObject& xmlObject, vector<Attribute*>& attributes
  97     ) const
  98 {
  99     const saml2::Assertion* assertion = dynamic_cast<const saml2::Assertion*>(&xmlObject);
 100     if (!assertion || !assertion->getConditions())
 101         return;
 102
 103     Category& log = Category::getInstance(SHIBSP_LOGCAT".AttributeExtractor.Delegation");
 104
 105     const vector<saml2::Condition*>& conditions = const_cast<const saml2::Conditions*>(assertion->getConditions())->getConditions();
 106     for (vector<saml2::Condition*>::const_iterator c = conditions.begin(); c != conditions.end(); ++c) {
 107         const saml2::DelegationRestrictionType* drt = dynamic_cast<const saml2::DelegationRestrictionType*>(*c);
 108         if (drt) {
 109             auto_ptr<ExtensibleAttribute> attr(new ExtensibleAttribute(vector<string>(1,m_attributeId), m_formatter.c_str()));
 110
 111             const vector<saml2::Delegate*>& dels = drt->getDelegates();
 112             for (vector<saml2::Delegate*>::const_iterator d = dels.begin(); d != dels.end(); ++d) {
 113                 if ((*d)->getBaseID()) {
 114                     log.error("delegate identified by saml:BaseID cannot be processed into an attribute value");
 115                     continue;
 116                 }
 117
 118                 saml2::NameID* n = nullptr;
 119                 if ((*d)->getEncryptedID()) {
 120                     CredentialResolver* cr = application.getCredentialResolver();
 121                     if (!cr) {
 122                         log.warn("found encrypted Delegate, but no CredentialResolver was available");
 123                     }
 124
 125                     try {
 126                         const XMLCh* recipient = application.getRelyingParty(
 127                             issuer ? dynamic_cast<EntityDescriptor*>(issuer->getParent()) : nullptr
 128                             )->getXMLString("entityID").second;
 129                         Locker credlocker(cr);
 130                         if (issuer) {
 131                             MetadataCredentialCriteria mcc(*issuer);
 132                             auto_ptr<XMLObject> decrypted((*d)->getEncryptedID()->decrypt(*cr, recipient, &mcc));
 133                             n = dynamic_cast<saml2::NameID*>(decrypted.release());
 134                         }
 135                         else {
 136                             auto_ptr<XMLObject> decrypted((*d)->getEncryptedID()->decrypt(*cr, recipient));
 137                             n = dynamic_cast<saml2::NameID*>(decrypted.release());
 138                         }
 139                         if (n && log.isDebugEnabled())
 140                             log.debugStream() << "decrypted Delegate: " << *n << logging::eol;
 141                     }
 142                     catch (exception& ex) {
 143                         log.error("caught exception decrypting Delegate: %s", ex.what());
 144                     }
 145                 }
 146                 else {
 147                     n = (*d)->getNameID();
 148                 }
 149
 150                 if (n) {
 151                     DDF val = DDF(nullptr).structure();
 152                     if ((*d)->getConfirmationMethod()) {
 153                         auto_ptr_char temp((*d)->getConfirmationMethod());
 154                         val.addmember("ConfirmationMethod").string(temp.get());
 155                     }
 156                     if ((*d)->getDelegationInstant()) {
 157                         auto_ptr_char temp((*d)->getDelegationInstant()->getRawData());
 158                         val.addmember("DelegationInstant").string(temp.get());
 159                     }
 160
 161                     auto_arrayptr<char> name(toUTF8(n->getName()));
 162                     if (name.get() && *name.get()) {
 163                         val.addmember("Name").string(name.get());
 164                         char* str = toUTF8(n->getFormat());
 165                         if (str && *str)
 166                             val.addmember("Format").string(str);
 167                         delete[] str;
 168
 169                         str = toUTF8(n->getNameQualifier());
 170                         if (str && *str)
 171                             val.addmember("NameQualifier").string(str);
 172                         delete[] str;
 173
 174                         str = toUTF8(n->getSPNameQualifier());
 175                         if (str && *str)
 176                             val.addmember("SPNameQualifier").string(str);
 177                         delete[] str;
 178
 179                         str = toUTF8(n->getSPProvidedID());
 180                         if (str && *str)
 181                             val.addmember("SPProvidedID").string(str);
 182                         delete[] str;
 183                     }
 184
 185                     if (n != (*d)->getNameID())
 186                         delete n;
 187
 188                     if (val.integer())
 189                         attr->getValues().add(val);
 190                     else
 191                         val.destroy();
 192                 }
 193             }
 194
 195             attributes.push_back(attr.release());
 196         }
 197     }
 198 }