2 * Licensed to the University Corporation for Advanced Internet
3 * Development, Inc. (UCAID) under one or more contributor license
4 * agreements. See the NOTICE file distributed with this work for
5 * additional information regarding copyright ownership.
7 * UCAID licenses this file to you under the Apache License,
8 * Version 2.0 (the "License"); you may not use this file except
9 * in compliance with the License. You may obtain a copy of the
12 * http://www.apache.org/licenses/LICENSE-2.0
14 * Unless required by applicable law or agreed to in writing,
15 * software distributed under the License is distributed on an
16 * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND,
17 * either express or implied. See the License for the specific
18 * language governing permissions and limitations under the License.
22 * XMLAttributeExtractor.cpp
24 * AttributeExtractor based on an XML mapping file.
28 #include "exceptions.h"
29 #include "Application.h"
30 #include "ServiceProvider.h"
31 #include "attribute/Attribute.h"
32 #include "attribute/AttributeDecoder.h"
33 #include "attribute/filtering/AttributeFilter.h"
34 #include "attribute/filtering/BasicFilteringContext.h"
35 #include "attribute/resolver/AttributeExtractor.h"
36 #include "remoting/ddf.h"
37 #include "security/SecurityPolicy.h"
38 #include "util/SPConstants.h"
40 #include <boost/bind.hpp>
41 #include <boost/shared_ptr.hpp>
42 #include <boost/algorithm/string.hpp>
43 #include <boost/iterator/indirect_iterator.hpp>
44 #include <boost/ptr_container/ptr_vector.hpp>
45 #include <boost/tuple/tuple.hpp>
46 #include <saml/SAMLConfig.h>
47 #include <saml/saml1/core/Assertions.h>
48 #include <saml/saml2/core/Assertions.h>
49 #include <saml/saml2/metadata/Metadata.h>
50 #include <saml/saml2/metadata/MetadataCredentialCriteria.h>
51 #include <saml/saml2/metadata/ObservableMetadataProvider.h>
52 #include <xmltooling/XMLToolingConfig.h>
53 #include <xmltooling/security/TrustEngine.h>
54 #include <xmltooling/util/NDC.h>
55 #include <xmltooling/util/ReloadableXMLFile.h>
56 #include <xmltooling/util/Threads.h>
57 #include <xmltooling/util/XMLHelper.h>
58 #include <xercesc/util/XMLUniDefs.hpp>
60 using namespace shibsp;
61 using namespace opensaml::saml2md;
62 using namespace opensaml;
63 using namespace xmltooling;
64 using namespace boost;
66 using saml1::NameIdentifier;
68 using saml2::EncryptedAttribute;
72 #if defined (_MSC_VER)
73 #pragma warning( push )
74 #pragma warning( disable : 4250 )
77 class XMLExtractorImpl : public ObservableMetadataProvider::Observer
80 XMLExtractorImpl(const DOMElement* e, Category& log);
82 for (map<const ObservableMetadataProvider*,decoded_t>::iterator i=m_decodedMap.begin(); i!=m_decodedMap.end(); ++i) {
83 i->first->removeObserver(this);
84 for (decoded_t::iterator attrs = i->second.begin(); attrs!=i->second.end(); ++attrs)
85 for_each(attrs->second.begin(), attrs->second.end(), mem_fun_ref<DDF&,DDF>(&DDF::destroy));
88 m_document->release();
91 void setDocument(DOMDocument* doc) {
95 void onEvent(const ObservableMetadataProvider& metadata) const {
96 // Destroy attributes we cached from this provider.
98 SharedLock wrapper(m_attrLock, false);
99 decoded_t& d = m_decodedMap[&metadata];
100 for (decoded_t::iterator a = d.begin(); a!=d.end(); ++a)
101 for_each(a->second.begin(), a->second.end(), mem_fun_ref<DDF&,DDF>(&DDF::destroy));
105 void extractAttributes(const Application&, const char*, const char*, const NameIdentifier&, ptr_vector<Attribute>&) const;
106 void extractAttributes(const Application&, const char*, const char*, const NameID&, ptr_vector<Attribute>&) const;
107 void extractAttributes(const Application&, const GenericRequest*, const char*, const char*, const saml1::Attribute&, ptr_vector<Attribute>&) const;
108 void extractAttributes(const Application&, const GenericRequest*, const char*, const char*, const saml2::Attribute&, ptr_vector<Attribute>&) const;
109 void extractAttributes(const Application&, const GenericRequest*, const char*, const char*, const saml1::AttributeStatement&, ptr_vector<Attribute>&) const;
110 void extractAttributes(const Application&, const GenericRequest*, const char*, const char*, const saml2::AttributeStatement&, ptr_vector<Attribute>&) const;
111 void extractAttributes(
112 const Application&, const GenericRequest*, const ObservableMetadataProvider*, const XMLCh*, const char*, const Extensions&, ptr_vector<Attribute>&
115 void getAttributeIds(vector<string>& attributes) const {
116 attributes.insert(attributes.end(), m_attributeIds.begin(), m_attributeIds.end());
119 void generateMetadata(SPSSODescriptor& role) const;
123 DOMDocument* m_document;
124 typedef map< pair<xstring,xstring>,pair< boost::shared_ptr<AttributeDecoder>,vector<string> > > attrmap_t;
126 vector<string> m_attributeIds;
127 vector< boost::tuple<xstring,xstring,bool> > m_requestedAttrs;
129 // settings for embedded assertions in metadata
131 scoped_ptr<AttributeFilter> m_filter;
132 scoped_ptr<MetadataProvider> m_metadata;
133 scoped_ptr<TrustEngine> m_trust;
134 bool m_entityAssertions,m_metaAttrCaching;
136 // manages caching of decoded Attributes
137 scoped_ptr<RWLock> m_attrLock;
138 typedef map< const EntityAttributes*,vector<DDF> > decoded_t;
139 mutable map<const ObservableMetadataProvider*,decoded_t> m_decodedMap;
142 class XMLExtractor : public AttributeExtractor, public ReloadableXMLFile
145 XMLExtractor(const DOMElement* e) : ReloadableXMLFile(e, Category::getInstance(SHIBSP_LOGCAT ".AttributeExtractor.XML")) {
146 if (m_local && m_lock)
147 m_log.warn("attribute mappings are reloadable; be sure to restart web server when adding new attribute IDs");
155 void extractAttributes(
156 const Application& application, const RoleDescriptor* issuer, const XMLObject& xmlObject, vector<Attribute*>& attributes
158 extractAttributes(application, nullptr, issuer, xmlObject, attributes);
161 void extractAttributes(const Application&, const GenericRequest*, const RoleDescriptor*, const XMLObject&, vector<Attribute*>&) const;
163 void getAttributeIds(std::vector<std::string>& attributes) const {
165 m_impl->getAttributeIds(attributes);
168 void generateMetadata(SPSSODescriptor& role) const {
170 m_impl->generateMetadata(role);
174 pair<bool,DOMElement*> background_load();
177 scoped_ptr<XMLExtractorImpl> m_impl;
179 void extractAttributes(const Application&, const GenericRequest*, const RoleDescriptor*, const XMLObject&, ptr_vector<Attribute>&) const;
182 #if defined (_MSC_VER)
183 #pragma warning( pop )
186 AttributeExtractor* SHIBSP_DLLLOCAL XMLAttributeExtractorFactory(const DOMElement* const & e)
188 return new XMLExtractor(e);
191 static const XMLCh _aliases[] = UNICODE_LITERAL_7(a,l,i,a,s,e,s);
192 static const XMLCh _AttributeDecoder[] = UNICODE_LITERAL_16(A,t,t,r,i,b,u,t,e,D,e,c,o,d,e,r);
193 static const XMLCh _AttributeFilter[] = UNICODE_LITERAL_15(A,t,t,r,i,b,u,t,e,F,i,l,t,e,r);
194 static const XMLCh Attributes[] = UNICODE_LITERAL_10(A,t,t,r,i,b,u,t,e,s);
195 static const XMLCh _id[] = UNICODE_LITERAL_2(i,d);
196 static const XMLCh isRequested[] = UNICODE_LITERAL_11(i,s,R,e,q,u,e,s,t,e,d);
197 static const XMLCh _MetadataProvider[] = UNICODE_LITERAL_16(M,e,t,a,d,a,t,a,P,r,o,v,i,d,e,r);
198 static const XMLCh metadataAttributeCaching[] = UNICODE_LITERAL_24(m,e,t,a,d,a,t,a,A,t,t,r,i,b,u,t,e,C,a,c,h,i,n,g);
199 static const XMLCh metadataPolicyId[] = UNICODE_LITERAL_16(m,e,t,a,d,a,t,a,P,o,l,i,c,y,I,d);
200 static const XMLCh _name[] = UNICODE_LITERAL_4(n,a,m,e);
201 static const XMLCh nameFormat[] = UNICODE_LITERAL_10(n,a,m,e,F,o,r,m,a,t);
202 static const XMLCh _TrustEngine[] = UNICODE_LITERAL_11(T,r,u,s,t,E,n,g,i,n,e);
203 static const XMLCh _type[] = UNICODE_LITERAL_4(t,y,p,e);
206 XMLExtractorImpl::XMLExtractorImpl(const DOMElement* e, Category& log)
209 m_policyId(XMLHelper::getAttrString(e, nullptr, metadataPolicyId)),
210 m_entityAssertions(true),
211 m_metaAttrCaching(XMLHelper::getAttrBool(e, true, metadataAttributeCaching))
214 xmltooling::NDC ndc("XMLExtractorImpl");
217 if (!XMLHelper::isNodeNamed(e, shibspconstants::SHIB2ATTRIBUTEMAP_NS, Attributes))
218 throw ConfigurationException("XML AttributeExtractor requires am:Attributes at root of configuration.");
220 DOMElement* child = XMLHelper::getFirstChildElement(e, shibspconstants::SHIB2ATTRIBUTEMAP_NS, _MetadataProvider);
223 string t(XMLHelper::getAttrString(child, nullptr, _type));
225 throw ConfigurationException("MetadataProvider element missing type attribute.");
226 m_log.info("building MetadataProvider of type %s...", t.c_str());
227 m_metadata.reset(SAMLConfig::getConfig().MetadataProviderManager.newPlugin(t.c_str(), child));
230 catch (std::exception& ex) {
232 m_entityAssertions = false;
233 m_log.crit("error building/initializing dedicated MetadataProvider: %s", ex.what());
234 m_log.crit("disabling support for Assertions in EntityAttributes extension");
238 if (m_entityAssertions) {
239 child = XMLHelper::getFirstChildElement(e, shibspconstants::SHIB2ATTRIBUTEMAP_NS, _TrustEngine);
242 string t(XMLHelper::getAttrString(child, nullptr, _type));
244 throw ConfigurationException("TrustEngine element missing type attribute.");
245 m_log.info("building TrustEngine of type %s...", t.c_str());
246 m_trust.reset(XMLToolingConfig::getConfig().TrustEngineManager.newPlugin(t.c_str(), child));
248 catch (std::exception& ex) {
249 m_entityAssertions = false;
250 m_log.crit("error building/initializing dedicated TrustEngine: %s", ex.what());
251 m_log.crit("disabling support for Assertions in EntityAttributes extension");
256 if (m_entityAssertions) {
257 child = XMLHelper::getFirstChildElement(e, shibspconstants::SHIB2ATTRIBUTEMAP_NS, _AttributeFilter);
260 string t(XMLHelper::getAttrString(child, nullptr, _type));
262 throw ConfigurationException("AttributeFilter element missing type attribute.");
263 m_log.info("building AttributeFilter of type %s...", t.c_str());
264 m_filter.reset(SPConfig::getConfig().AttributeFilterManager.newPlugin(t.c_str(), child));
266 catch (std::exception& ex) {
267 m_entityAssertions = false;
268 m_log.crit("error building/initializing dedicated AttributeFilter: %s", ex.what());
269 m_log.crit("disabling support for Assertions in EntityAttributes extension");
274 child = XMLHelper::getFirstChildElement(e, shibspconstants::SHIB2ATTRIBUTEMAP_NS, saml1::Attribute::LOCAL_NAME);
276 // Check for missing name or id.
277 const XMLCh* name = child->getAttributeNS(nullptr, _name);
278 if (!name || !*name) {
279 m_log.warn("skipping Attribute with no name");
280 child = XMLHelper::getNextSiblingElement(child, shibspconstants::SHIB2ATTRIBUTEMAP_NS, saml1::Attribute::LOCAL_NAME);
284 auto_ptr_char id(child->getAttributeNS(nullptr, _id));
285 if (!id.get() || !*id.get()) {
286 m_log.warn("skipping Attribute with no id");
287 child = XMLHelper::getNextSiblingElement(child, shibspconstants::SHIB2ATTRIBUTEMAP_NS, saml1::Attribute::LOCAL_NAME);
290 else if (!strcmp(id.get(), "REMOTE_USER")) {
291 m_log.warn("skipping Attribute, id of REMOTE_USER is a reserved name");
292 child = XMLHelper::getNextSiblingElement(child, shibspconstants::SHIB2ATTRIBUTEMAP_NS, saml1::Attribute::LOCAL_NAME);
296 boost::shared_ptr<AttributeDecoder> decoder;
298 DOMElement* dchild = XMLHelper::getFirstChildElement(child, shibspconstants::SHIB2ATTRIBUTEMAP_NS, _AttributeDecoder);
300 auto_ptr<xmltooling::QName> q(XMLHelper::getXSIType(dchild));
302 decoder.reset(SPConfig::getConfig().AttributeDecoderManager.newPlugin(*q.get(), dchild));
305 decoder.reset(SPConfig::getConfig().AttributeDecoderManager.newPlugin(StringAttributeDecoderType, nullptr));
307 catch (std::exception& ex) {
308 m_log.error("skipping Attribute (%s), error building AttributeDecoder: %s", id.get(), ex.what());
312 child = XMLHelper::getNextSiblingElement(child, shibspconstants::SHIB2ATTRIBUTEMAP_NS, saml1::Attribute::LOCAL_NAME);
316 // Empty NameFormat implies the usual Shib URI naming defaults.
317 const XMLCh* format = child->getAttributeNS(nullptr, nameFormat);
318 if (!format || XMLString::equals(format, shibspconstants::SHIB1_ATTRIBUTE_NAMESPACE_URI) ||
319 XMLString::equals(format, saml2::Attribute::URI_REFERENCE))
320 format = &chNull; // ignore default Format/Namespace values
322 // Fetch/create the map entry and see if it's a duplicate rule.
323 // Trim the format, or the name only if the format is the default (URI).
324 pair<xstring,xstring> entryKey;
325 if (*format == chNull) {
326 auto_ptr_XMLCh copyName(name);
327 entryKey.first = copyName.get();
329 entryKey.first = name;
330 auto_ptr_XMLCh copyFormat(format);
331 entryKey.second = copyFormat.get();
333 pair< boost::shared_ptr<AttributeDecoder>,vector<string> >& decl = m_attrMap[entryKey];
335 m_log.warn("skipping duplicate Attribute mapping (same name and nameFormat)");
336 child = XMLHelper::getNextSiblingElement(child, shibspconstants::SHIB2ATTRIBUTEMAP_NS, saml1::Attribute::LOCAL_NAME);
340 if (m_log.isInfoEnabled()) {
341 auto_ptr_char n(entryKey.first.c_str());
342 auto_ptr_char f(entryKey.second.c_str());
343 m_log.info("creating mapping for Attribute %s%s%s", n.get(), *f.get() ? ", Format/Namespace:" : "", f.get());
346 decl.first = decoder;
347 decl.second.push_back(id.get());
348 m_attributeIds.push_back(id.get());
350 // Check for isRequired/isRequested.
351 bool requested = XMLHelper::getAttrBool(child, false, isRequested);
352 bool required = XMLHelper::getAttrBool(child, false, RequestedAttribute::ISREQUIRED_ATTRIB_NAME);
353 if (required || requested) {
354 m_requestedAttrs.push_back(boost::tuple<xstring,xstring,bool>(entryKey.first, entryKey.second, required));
357 name = child->getAttributeNS(nullptr, _aliases);
359 m_log.warn("attribute mapping rule (%s) uses deprecated aliases feature, consider revising", id.get());
360 auto_ptr_char aliases(name);
361 string dup(aliases.get());
362 set<string> new_aliases;
363 split(new_aliases, dup, is_space(), algorithm::token_compress_on);
364 set<string>::iterator ru = new_aliases.find("REMOTE_USER");
365 if (ru != new_aliases.end()) {
366 m_log.warn("skipping alias, REMOTE_USER is a reserved name");
367 new_aliases.erase(ru);
369 decl.second.insert(decl.second.end(), new_aliases.begin(), new_aliases.end());
370 m_attributeIds.insert(m_attributeIds.end(), new_aliases.begin(), new_aliases.end());
373 child = XMLHelper::getNextSiblingElement(child, shibspconstants::SHIB2ATTRIBUTEMAP_NS, saml1::Attribute::LOCAL_NAME);
376 if (m_metaAttrCaching)
377 m_attrLock.reset(RWLock::create());
380 void XMLExtractorImpl::generateMetadata(SPSSODescriptor& role) const
382 if (m_requestedAttrs.empty())
385 const vector<AttributeConsumingService*>& svcs = const_cast<const SPSSODescriptor*>(&role)->getAttributeConsumingServices();
386 for (vector<AttributeConsumingService*>::const_iterator s =svcs.begin(); s != svcs.end(); ++s) {
387 pair<bool,int> i = (*s)->getIndex();
388 if (i.first && index == i.second)
389 index = i.second + 1;
391 AttributeConsumingService* svc = AttributeConsumingServiceBuilder::buildAttributeConsumingService();
392 role.getAttributeConsumingServices().push_back(svc);
393 svc->setIndex(index);
394 ServiceName* sn = ServiceNameBuilder::buildServiceName();
395 svc->getServiceNames().push_back(sn);
396 sn->setName(dynamic_cast<EntityDescriptor*>(role.getParent())->getEntityID());
397 static const XMLCh english[] = UNICODE_LITERAL_2(e,n);
398 sn->setLang(english);
400 for (vector< boost::tuple<xstring,xstring,bool> >::const_iterator i = m_requestedAttrs.begin(); i != m_requestedAttrs.end(); ++i) {
401 RequestedAttribute* req = RequestedAttributeBuilder::buildRequestedAttribute();
402 svc->getRequestedAttributes().push_back(req);
403 req->setName(i->get<0>().c_str());
404 if (i->get<1>().empty())
405 req->setNameFormat(saml2::Attribute::URI_REFERENCE);
407 req->setNameFormat(i->get<1>().c_str());
409 req->isRequired(true);
413 void XMLExtractorImpl::extractAttributes(
414 const Application& application,
415 const char* assertingParty,
416 const char* relyingParty,
417 const NameIdentifier& nameid,
418 ptr_vector<Attribute>& attributes
421 const XMLCh* format = nameid.getFormat();
422 if (!format || !*format)
423 format = NameIdentifier::UNSPECIFIED;
424 attrmap_t::const_iterator rule;
425 if ((rule = m_attrMap.find(pair<xstring,xstring>(format,xstring()))) != m_attrMap.end()) {
426 auto_ptr<Attribute> a(rule->second.first->decode(nullptr, rule->second.second, &nameid, assertingParty, relyingParty));
428 attributes.push_back(a.get());
432 else if (m_log.isDebugEnabled()) {
433 auto_ptr_char temp(format);
434 m_log.debug("skipping unmapped NameIdentifier with format (%s)", temp.get());
438 void XMLExtractorImpl::extractAttributes(
439 const Application& application,
440 const char* assertingParty,
441 const char* relyingParty,
442 const NameID& nameid,
443 ptr_vector<Attribute>& attributes
446 const XMLCh* format = nameid.getFormat();
447 if (!format || !*format)
448 format = NameID::UNSPECIFIED;
449 attrmap_t::const_iterator rule;
450 if ((rule = m_attrMap.find(pair<xstring,xstring>(format,xstring()))) != m_attrMap.end()) {
451 auto_ptr<Attribute> a(rule->second.first->decode(nullptr, rule->second.second, &nameid, assertingParty, relyingParty));
453 attributes.push_back(a.get());
457 else if (m_log.isDebugEnabled()) {
458 auto_ptr_char temp(format);
459 m_log.debug("skipping unmapped NameID with format (%s)", temp.get());
463 void XMLExtractorImpl::extractAttributes(
464 const Application& application,
465 const GenericRequest* request,
466 const char* assertingParty,
467 const char* relyingParty,
468 const saml1::Attribute& attr,
469 ptr_vector<Attribute>& attributes
472 const XMLCh* name = attr.getAttributeName();
473 const XMLCh* format = attr.getAttributeNamespace();
476 if (!format || XMLString::equals(format, shibspconstants::SHIB1_ATTRIBUTE_NAMESPACE_URI))
478 attrmap_t::const_iterator rule;
479 if ((rule = m_attrMap.find(pair<xstring,xstring>(name,format))) != m_attrMap.end()) {
480 auto_ptr<Attribute> a(rule->second.first->decode(request, rule->second.second, &attr, assertingParty, relyingParty));
482 attributes.push_back(a.get());
486 else if (m_log.isInfoEnabled()) {
487 auto_ptr_char temp1(name);
488 auto_ptr_char temp2(format);
489 m_log.info("skipping unmapped SAML 1.x Attribute with Name: %s%s%s", temp1.get(), *temp2.get() ? ", Namespace:" : "", temp2.get());
493 void XMLExtractorImpl::extractAttributes(
494 const Application& application,
495 const GenericRequest* request,
496 const char* assertingParty,
497 const char* relyingParty,
498 const saml2::Attribute& attr,
499 ptr_vector<Attribute>& attributes
502 const XMLCh* name = attr.getName();
503 const XMLCh* format = attr.getNameFormat();
506 if (!format || !*format)
507 format = saml2::Attribute::UNSPECIFIED;
508 else if (XMLString::equals(format, saml2::Attribute::URI_REFERENCE))
510 attrmap_t::const_iterator rule;
511 if ((rule = m_attrMap.find(pair<xstring,xstring>(name,format))) != m_attrMap.end()) {
512 auto_ptr<Attribute> a(rule->second.first->decode(request, rule->second.second, &attr, assertingParty, relyingParty));
514 attributes.push_back(a.get());
519 else if (XMLString::equals(format, saml2::Attribute::UNSPECIFIED)) {
520 // As a fallback, if the format is "unspecified", null out the value and re-map.
521 if ((rule = m_attrMap.find(pair<xstring,xstring>(name,xstring()))) != m_attrMap.end()) {
522 auto_ptr<Attribute> a(rule->second.first->decode(request, rule->second.second, &attr, assertingParty, relyingParty));
524 attributes.push_back(a.get());
531 if (m_log.isInfoEnabled()) {
532 auto_ptr_char temp1(name);
533 auto_ptr_char temp2(format);
534 m_log.info("skipping unmapped SAML 2.0 Attribute with Name: %s%s%s", temp1.get(), *temp2.get() ? ", Format:" : "", temp2.get());
538 void XMLExtractorImpl::extractAttributes(
539 const Application& application,
540 const GenericRequest* request,
541 const char* assertingParty,
542 const char* relyingParty,
543 const saml1::AttributeStatement& statement,
544 ptr_vector<Attribute>& attributes
547 static void (XMLExtractorImpl::* extract)(
548 const Application&, const GenericRequest*, const char*, const char*, const saml1::Attribute&, ptr_vector<Attribute>&
549 ) const = &XMLExtractorImpl::extractAttributes;
551 make_indirect_iterator(statement.getAttributes().begin()), make_indirect_iterator(statement.getAttributes().end()),
552 boost::bind(extract, this, boost::cref(application), request, assertingParty, relyingParty, _1, boost::ref(attributes))
556 void XMLExtractorImpl::extractAttributes(
557 const Application& application,
558 const GenericRequest* request,
559 const char* assertingParty,
560 const char* relyingParty,
561 const saml2::AttributeStatement& statement,
562 ptr_vector<Attribute>& attributes
565 static void (XMLExtractorImpl::* extract)(
566 const Application&, const GenericRequest*, const char*, const char*, const saml2::Attribute&, ptr_vector<Attribute>&
567 ) const = &XMLExtractorImpl::extractAttributes;
569 make_indirect_iterator(statement.getAttributes().begin()), make_indirect_iterator(statement.getAttributes().end()),
570 boost::bind(extract, this, boost::cref(application), request, assertingParty, relyingParty, _1, boost::ref(attributes))
574 void XMLExtractorImpl::extractAttributes(
575 const Application& application,
576 const GenericRequest* request,
577 const ObservableMetadataProvider* observable,
578 const XMLCh* entityID,
579 const char* relyingParty,
580 const Extensions& ext,
581 ptr_vector<Attribute>& attributes
584 const vector<XMLObject*>& exts = ext.getUnknownXMLObjects();
585 for (vector<XMLObject*>::const_iterator i = exts.begin(); i != exts.end(); ++i) {
586 const EntityAttributes* container = dynamic_cast<const EntityAttributes*>(*i);
590 bool useCache = false;
591 map<const ObservableMetadataProvider*,decoded_t>::iterator cacheEntry;
593 // Check for cached result.
594 if (observable && m_metaAttrCaching) {
595 m_attrLock->rdlock();
596 cacheEntry = m_decodedMap.find(observable);
597 if (cacheEntry == m_decodedMap.end()) {
598 // We need to elevate the lock and retry.
599 m_attrLock->unlock();
600 m_attrLock->wrlock();
601 cacheEntry = m_decodedMap.find(observable);
602 if (cacheEntry == m_decodedMap.end()) {
603 SharedLock locker(m_attrLock, false); // guard in case these throw
605 // It's still brand new, so hook it for cache activation.
606 observable->addObserver(this);
608 // Prime the map reference with an empty decoded map.
609 cacheEntry = m_decodedMap.insert(make_pair(observable,decoded_t())).first;
611 // Downgrade the lock.
612 // We don't have to recheck because we never erase the master map entry entirely, even on changes.
613 locker.release(); // unguard for lock downgrade
614 m_attrLock->unlock();
615 m_attrLock->rdlock();
622 // We're holding the lock, so check the cache.
623 decoded_t::iterator d = cacheEntry->second.find(container);
624 if (d != cacheEntry->second.end()) {
625 SharedLock locker(m_attrLock, false); // pop the lock when we're done
626 for (vector<DDF>::iterator obj = d->second.begin(); obj != d->second.end(); ++obj) {
627 auto_ptr<Attribute> wrapper(Attribute::unmarshall(*obj));
628 m_log.debug("recovered cached metadata attribute (%s)", wrapper->getId());
629 attributes.push_back(wrapper.get());
636 // Add a guard for the lock if we're caching.
637 SharedLock locker(useCache ? m_attrLock.get() : nullptr, false);
639 // Use a holding area to support caching.
640 ptr_vector<Attribute> holding;
642 // Extract attributes into holding area with no asserting party set.
643 static void (XMLExtractorImpl::* extractV2Attr)(
644 const Application&, const GenericRequest*, const char*, const char*, const saml2::Attribute&, ptr_vector<Attribute>&
645 ) const = &XMLExtractorImpl::extractAttributes;
647 make_indirect_iterator(container->getAttributes().begin()), make_indirect_iterator(container->getAttributes().end()),
648 boost::bind(extractV2Attr, this, boost::ref(application), request, (const char*)nullptr, relyingParty, _1, boost::ref(holding))
651 if (entityID && m_entityAssertions) {
652 const vector<saml2::Assertion*>& asserts = container->getAssertions();
653 for (indirect_iterator<vector<saml2::Assertion*>::const_iterator> assert = make_indirect_iterator(asserts.begin());
654 assert != make_indirect_iterator(asserts.end()); ++assert) {
655 if (!(assert->getSignature())) {
656 if (m_log.isDebugEnabled()) {
657 auto_ptr_char eid(entityID);
658 m_log.debug("skipping unsigned assertion in metadata extension for entity (%s)", eid.get());
662 else if (assert->getAttributeStatements().empty()) {
663 if (m_log.isDebugEnabled()) {
664 auto_ptr_char eid(entityID);
665 m_log.debug("skipping assertion with no AttributeStatement in metadata extension for entity (%s)", eid.get());
671 const NameID* subject = assert->getSubject() ? assert->getSubject()->getNameID() : nullptr;
673 !XMLString::equals(subject->getFormat(), NameID::ENTITY) ||
674 !XMLString::equals(subject->getName(), entityID)) {
675 if (m_log.isDebugEnabled()) {
676 auto_ptr_char eid(entityID);
677 m_log.debug("skipping assertion with improper Subject in metadata extension for entity (%s)", eid.get());
684 // Set up and evaluate a policy for an AA asserting attributes to us.
685 shibsp::SecurityPolicy policy(application, &AttributeAuthorityDescriptor::ELEMENT_QNAME, false, m_policyId.c_str());
686 Locker locker(m_metadata.get());
688 policy.setMetadataProvider(m_metadata.get());
690 policy.setTrustEngine(m_trust.get());
691 // Populate recipient as audience.
692 const XMLCh* issuer = assert->getIssuer() ? assert->getIssuer()->getName() : nullptr;
693 policy.getAudiences().push_back(application.getRelyingParty(issuer)->getXMLString("entityID").second);
695 // Extract assertion information for policy.
696 policy.setMessageID(assert->getID());
697 policy.setIssueInstant(assert->getIssueInstantEpoch());
698 policy.setIssuer(assert->getIssuer());
700 // Look up metadata for issuer.
701 if (policy.getIssuer() && policy.getMetadataProvider()) {
702 if (policy.getIssuer()->getFormat() && !XMLString::equals(policy.getIssuer()->getFormat(), saml2::NameIDType::ENTITY)) {
703 m_log.debug("non-system entity issuer, skipping metadata lookup");
706 m_log.debug("searching metadata for entity assertion issuer...");
707 pair<const EntityDescriptor*,const RoleDescriptor*> lookup;
708 MetadataProvider::Criteria& mc = policy.getMetadataProviderCriteria();
709 mc.entityID_unicode = policy.getIssuer()->getName();
710 mc.role = &AttributeAuthorityDescriptor::ELEMENT_QNAME;
711 mc.protocol = samlconstants::SAML20P_NS;
712 lookup = policy.getMetadataProvider()->getEntityDescriptor(mc);
714 auto_ptr_char iname(policy.getIssuer()->getName());
715 m_log.debug("no metadata found, can't establish identity of issuer (%s)", iname.get());
717 else if (!lookup.second) {
718 m_log.debug("unable to find compatible AA role in metadata");
721 policy.setIssuerMetadata(lookup.second);
726 // Authenticate the assertion. We have to clone and marshall it to establish the signature for verification.
727 scoped_ptr<saml2::Assertion> tokencopy(assert->cloneAssertion());
728 tokencopy->marshall();
729 policy.evaluate(*tokencopy);
730 if (!policy.isAuthenticated()) {
731 if (m_log.isDebugEnabled()) {
732 auto_ptr_char tempid(tokencopy->getID());
733 auto_ptr_char eid(entityID);
735 "failed to authenticate assertion (%s) in metadata extension for entity (%s)", tempid.get(), eid.get()
741 // Override the asserting/relying party names based on this new issuer.
742 const EntityDescriptor* inlineEntity =
743 policy.getIssuerMetadata() ? dynamic_cast<const EntityDescriptor*>(policy.getIssuerMetadata()->getParent()) : nullptr;
744 auto_ptr_char inlineAssertingParty(inlineEntity ? inlineEntity->getEntityID() : nullptr);
745 relyingParty = application.getRelyingParty(inlineEntity)->getString("entityID").second;
747 // Use a private holding area for filtering purposes.
748 ptr_vector<Attribute> holding2;
749 const vector<saml2::Attribute*>& attrs2 =
750 const_cast<const saml2::AttributeStatement*>(tokencopy->getAttributeStatements().front())->getAttributes();
752 make_indirect_iterator(attrs2.begin()), make_indirect_iterator(attrs2.end()),
753 boost::bind(extractV2Attr, this, boost::ref(application), request, inlineAssertingParty.get(), relyingParty, _1, boost::ref(holding2))
756 // Now we locally filter the attributes so that the actual issuer can be properly set.
757 // If we relied on outside filtering, the attributes couldn't be distinguished from the
758 // ones that come from the user's IdP.
759 if (m_filter && !holding2.empty()) {
761 // The filter API uses an unsafe container, so we have to transfer everything into one and back.
762 vector<Attribute*> unsafe_holding2;
764 // Use a local exception context since the container is unsafe.
766 while (!holding2.empty()) {
767 ptr_vector<Attribute>::auto_type ptr = holding2.pop_back();
768 unsafe_holding2.push_back(ptr.get());
771 BasicFilteringContext fc(application, unsafe_holding2, policy.getIssuerMetadata());
772 Locker filtlocker(m_filter.get());
773 m_filter->filterAttributes(fc, unsafe_holding2);
775 // Transfer back to safe container
776 while (!unsafe_holding2.empty()) {
777 auto_ptr<Attribute> ptr(unsafe_holding2.back());
778 unsafe_holding2.pop_back();
779 holding2.push_back(ptr.get());
783 catch (std::exception& ex) {
784 m_log.error("caught exception filtering attributes: %s", ex.what());
785 m_log.error("dumping extracted attributes due to filtering exception");
786 for_each(unsafe_holding2.begin(), unsafe_holding2.end(), xmltooling::cleanup<Attribute>());
787 holding2.clear(); // in case the exception was during transfer between containers
791 if (!holding2.empty()) {
792 // Copy them over to the main holding tank, which transfers ownership.
793 holding.transfer(holding.end(), holding2);
796 catch (std::exception& ex) {
797 // Known exceptions are handled gracefully by skipping the assertion.
798 if (m_log.isDebugEnabled()) {
799 auto_ptr_char tempid(assert->getID());
800 auto_ptr_char eid(entityID);
802 "exception authenticating assertion (%s) in metadata extension for entity (%s): %s",
813 if (!holding.empty()) {
815 locker.release(); // unguard to upgrade lock
816 m_attrLock->unlock();
817 m_attrLock->wrlock();
818 SharedLock locker2(m_attrLock, false); // pop the lock when we're done
819 if (cacheEntry->second.count(container) == 0) {
820 static void (vector<DDF>::* push_back)(DDF const &) = &vector<DDF>::push_back;
821 vector<DDF>& marshalled = cacheEntry->second[container];
823 holding.begin(), holding.end(),
824 boost::bind(push_back, boost::ref(marshalled), boost::bind(&Attribute::marshall, _1))
829 // Copy them to the output parameter, which transfers ownership.
830 attributes.transfer(attributes.end(), holding);
833 // If the lock is held, it's guarded.
835 break; // only process a single extension element
839 void XMLExtractor::extractAttributes(
840 const Application& application, const GenericRequest* request, const RoleDescriptor* issuer, const XMLObject& xmlObject, vector<Attribute*>& attributes
846 ptr_vector<Attribute> holding;
847 extractAttributes(application, request, issuer, xmlObject, holding);
849 // Transfer ownership from the ptr_vector to the unsafe vector for API compatibility.
850 // Any throws should leave each container in a consistent state. The holding container
851 // is freed by us, and the result container by the caller.
852 while (!holding.empty()) {
853 ptr_vector<Attribute>::auto_type ptr = holding.pop_back();
854 attributes.push_back(ptr.get());
859 void XMLExtractor::extractAttributes(
860 const Application& application, const GenericRequest* request, const RoleDescriptor* issuer, const XMLObject& xmlObject, ptr_vector<Attribute>& attributes
863 static void (XMLExtractor::* extractEncrypted)(
864 const Application&, const GenericRequest*, const RoleDescriptor*, const XMLObject&, ptr_vector<Attribute>&
865 ) const = &XMLExtractor::extractAttributes;
866 static void (XMLExtractorImpl::* extractV1Statement)(
867 const Application&, const GenericRequest*, const char*, const char*, const saml1::AttributeStatement&, ptr_vector<Attribute>&
868 ) const = &XMLExtractorImpl::extractAttributes;
870 const EntityDescriptor* entity = issuer ? dynamic_cast<const EntityDescriptor*>(issuer->getParent()) : nullptr;
871 const char* relyingParty = application.getRelyingParty(entity)->getString("entityID").second;
873 // Check for statements.
874 if (XMLString::equals(xmlObject.getElementQName().getLocalPart(), saml1::AttributeStatement::LOCAL_NAME)) {
875 const saml2::AttributeStatement* statement2 = dynamic_cast<const saml2::AttributeStatement*>(&xmlObject);
877 auto_ptr_char assertingParty(entity ? entity->getEntityID() : nullptr);
878 m_impl->extractAttributes(application, request, assertingParty.get(), relyingParty, *statement2, attributes);
879 // Handle EncryptedAttributes inline so we have access to the role descriptor.
880 const vector<saml2::EncryptedAttribute*>& encattrs = statement2->getEncryptedAttributes();
882 make_indirect_iterator(encattrs.begin()), make_indirect_iterator(encattrs.end()),
883 boost::bind(extractEncrypted, this, boost::ref(application), request, issuer, _1, boost::ref(attributes))
888 const saml1::AttributeStatement* statement1 = dynamic_cast<const saml1::AttributeStatement*>(&xmlObject);
890 auto_ptr_char assertingParty(entity ? entity->getEntityID() : nullptr);
891 m_impl->extractAttributes(application, request, assertingParty.get(), relyingParty, *statement1, attributes);
895 throw AttributeExtractionException("Unable to extract attributes, unknown object type.");
898 // Check for assertions.
899 if (XMLString::equals(xmlObject.getElementQName().getLocalPart(), saml1::Assertion::LOCAL_NAME)) {
900 const saml2::Assertion* token2 = dynamic_cast<const saml2::Assertion*>(&xmlObject);
902 auto_ptr_char assertingParty(entity ? entity->getEntityID() : nullptr);
903 const vector<saml2::AttributeStatement*>& statements = token2->getAttributeStatements();
904 for (indirect_iterator<vector<saml2::AttributeStatement*>::const_iterator> s = make_indirect_iterator(statements.begin());
905 s != make_indirect_iterator(statements.end()); ++s) {
906 m_impl->extractAttributes(application, request, assertingParty.get(), relyingParty, *s, attributes);
907 // Handle EncryptedAttributes inline so we have access to the role descriptor.
908 const vector<saml2::EncryptedAttribute*>& encattrs = const_cast<const saml2::AttributeStatement&>(*s).getEncryptedAttributes();
910 make_indirect_iterator(encattrs.begin()), make_indirect_iterator(encattrs.end()),
911 boost::bind(extractEncrypted, this, boost::ref(application), request, issuer, _1, boost::ref(attributes))
917 const saml1::Assertion* token1 = dynamic_cast<const saml1::Assertion*>(&xmlObject);
919 auto_ptr_char assertingParty(entity ? entity->getEntityID() : nullptr);
920 const vector<saml1::AttributeStatement*>& statements = token1->getAttributeStatements();
921 for_each(make_indirect_iterator(statements.begin()), make_indirect_iterator(statements.end()),
922 boost::bind(extractV1Statement, m_impl.get(), boost::ref(application), request, assertingParty.get(), relyingParty, _1, boost::ref(attributes))
927 throw AttributeExtractionException("Unable to extract attributes, unknown object type.");
930 // Check for metadata.
931 if (XMLString::equals(xmlObject.getElementQName().getNamespaceURI(), samlconstants::SAML20MD_NS)) {
932 const RoleDescriptor* roleToExtract = dynamic_cast<const RoleDescriptor*>(&xmlObject);
933 const EntityDescriptor* entityToExtract = roleToExtract ? dynamic_cast<const EntityDescriptor*>(roleToExtract->getParent()) : nullptr;
934 if (!entityToExtract)
935 throw AttributeExtractionException("Unable to extract attributes, unknown metadata object type.");
936 const Extensions* ext = entityToExtract->getExtensions();
938 m_impl->extractAttributes(
941 dynamic_cast<const ObservableMetadataProvider*>(application.getMetadataProvider(false)),
942 entityToExtract->getEntityID(),
948 const EntitiesDescriptor* group = dynamic_cast<const EntitiesDescriptor*>(entityToExtract->getParent());
950 ext = group->getExtensions();
952 m_impl->extractAttributes(
955 dynamic_cast<const ObservableMetadataProvider*>(application.getMetadataProvider(false)),
956 nullptr, // not an entity, so inline assertions won't be processed
962 group = dynamic_cast<const EntitiesDescriptor*>(group->getParent());
967 // Check for attributes.
968 if (XMLString::equals(xmlObject.getElementQName().getLocalPart(), saml1::Attribute::LOCAL_NAME)) {
969 auto_ptr_char assertingParty(entity ? entity->getEntityID() : nullptr);
970 const saml2::Attribute* attr2 = dynamic_cast<const saml2::Attribute*>(&xmlObject);
972 return m_impl->extractAttributes(application, request, assertingParty.get(), relyingParty, *attr2, attributes);
974 const saml1::Attribute* attr1 = dynamic_cast<const saml1::Attribute*>(&xmlObject);
976 return m_impl->extractAttributes(application, request, assertingParty.get(), relyingParty, *attr1, attributes);
978 throw AttributeExtractionException("Unable to extract attributes, unknown object type.");
981 if (XMLString::equals(xmlObject.getElementQName().getLocalPart(), EncryptedAttribute::LOCAL_NAME)) {
982 const EncryptedAttribute* encattr = dynamic_cast<const EncryptedAttribute*>(&xmlObject);
984 const XMLCh* recipient = application.getXMLString("entityID").second;
985 CredentialResolver* cr = application.getCredentialResolver();
987 m_log.warn("found encrypted attribute, but no CredentialResolver was available");
992 Locker credlocker(cr);
994 MetadataCredentialCriteria mcc(*issuer);
995 scoped_ptr<XMLObject> decrypted(encattr->decrypt(*cr, recipient, &mcc));
996 if (m_log.isDebugEnabled())
997 m_log.debugStream() << "decrypted Attribute: " << *decrypted << logging::eol;
998 return extractAttributes(application, request, issuer, *decrypted, attributes);
1001 scoped_ptr<XMLObject> decrypted(encattr->decrypt(*cr, recipient));
1002 if (m_log.isDebugEnabled())
1003 m_log.debugStream() << "decrypted Attribute: " << *decrypted << logging::eol;
1004 return extractAttributes(application, request, issuer, *decrypted, attributes);
1007 catch (std::exception& ex) {
1008 m_log.error("failed to decrypt Attribute: %s", ex.what());
1014 // Check for NameIDs.
1015 const NameID* name2 = dynamic_cast<const NameID*>(&xmlObject);
1017 auto_ptr_char assertingParty(entity ? entity->getEntityID() : nullptr);
1018 return m_impl->extractAttributes(application, assertingParty.get(), relyingParty, *name2, attributes);
1021 const NameIdentifier* name1 = dynamic_cast<const NameIdentifier*>(&xmlObject);
1023 auto_ptr_char assertingParty(entity ? entity->getEntityID() : nullptr);
1024 return m_impl->extractAttributes(application, assertingParty.get(), relyingParty, *name1, attributes);
1027 m_log.debug("unable to extract attributes, unknown XML object type: %s", xmlObject.getElementQName().toString().c_str());
1030 pair<bool,DOMElement*> XMLExtractor::background_load()
1032 // Load from source using base class.
1033 pair<bool,DOMElement*> raw = ReloadableXMLFile::load();
1035 // If we own it, wrap it.
1036 XercesJanitor<DOMDocument> docjanitor(raw.first ? raw.second->getOwnerDocument() : nullptr);
1038 scoped_ptr<XMLExtractorImpl> impl(new XMLExtractorImpl(raw.second, m_log));
1040 // If we held the document, transfer it to the impl. If we didn't, it's a no-op.
1041 impl->setDocument(docjanitor.release());
1043 // Perform the swap inside a lock.
1046 SharedLock locker(m_lock, false);
1049 return make_pair(false,(DOMElement*)nullptr);