2 * Copyright 2001-2007 Internet2
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
8 * http://www.apache.org/licenses/LICENSE-2.0
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
18 * XMLAttributeExtractor.cpp
20 * AttributeExtractor based on an XML mapping file.
24 #include "Application.h"
25 #include "ServiceProvider.h"
26 #include "attribute/AttributeDecoder.h"
27 #include "attribute/filtering/AttributeFilter.h"
28 #include "attribute/filtering/BasicFilteringContext.h"
29 #include "attribute/resolver/AttributeExtractor.h"
30 #include "security/SecurityPolicy.h"
31 #include "util/SPConstants.h"
33 #include <saml/SAMLConfig.h>
34 #include <saml/saml1/core/Assertions.h>
35 #include <saml/saml2/core/Assertions.h>
36 #include <saml/saml2/metadata/MetadataCredentialCriteria.h>
37 #include <saml/saml2/metadata/ObservableMetadataProvider.h>
38 #include <xmltooling/util/NDC.h>
39 #include <xmltooling/util/ReloadableXMLFile.h>
40 #include <xmltooling/util/XMLHelper.h>
41 #include <xercesc/util/XMLUniDefs.hpp>
43 using namespace shibsp;
44 using namespace opensaml::saml2md;
45 using namespace opensaml;
46 using namespace xmltooling;
48 using saml1::NameIdentifier;
50 using saml2::EncryptedAttribute;
54 #if defined (_MSC_VER)
55 #pragma warning( push )
56 #pragma warning( disable : 4250 )
59 class XMLExtractorImpl : public ObservableMetadataProvider::Observer
62 XMLExtractorImpl(const DOMElement* e, Category& log);
64 for (map<const ObservableMetadataProvider*,decoded_t>::iterator i=m_decodedMap.begin(); i!=m_decodedMap.end(); ++i) {
65 i->first->removeObserver(this);
66 for (decoded_t::iterator attrs = i->second.begin(); attrs!=i->second.end(); ++attrs)
67 for_each(attrs->second.begin(), attrs->second.end(), mem_fun_ref<DDF&,DDF>(&DDF::destroy));
73 for (attrmap_t::iterator j = m_attrMap.begin(); j!=m_attrMap.end(); ++j)
74 delete j->second.first;
76 m_document->release();
79 void setDocument(DOMDocument* doc) {
83 void onEvent(const ObservableMetadataProvider& metadata) const {
84 // Destroy attributes we cached from this provider.
86 decoded_t& d = m_decodedMap[&metadata];
87 for (decoded_t::iterator a = d.begin(); a!=d.end(); ++a)
88 for_each(a->second.begin(), a->second.end(), mem_fun_ref<DDF&,DDF>(&DDF::destroy));
93 void extractAttributes(
94 const Application& application,
95 const char* assertingParty,
96 const char* relyingParty,
97 const NameIdentifier& nameid,
98 vector<Attribute*>& attributes
100 void extractAttributes(
101 const Application& application,
102 const char* assertingParty,
103 const char* relyingParty,
104 const NameID& nameid,
105 vector<Attribute*>& attributes
107 void extractAttributes(
108 const Application& application,
109 const char* assertingParty,
110 const char* relyingParty,
111 const saml1::Attribute& attr,
112 vector<Attribute*>& attributes
114 void extractAttributes(
115 const Application& application,
116 const char* assertingParty,
117 const char* relyingParty,
118 const saml2::Attribute& attr,
119 vector<Attribute*>& attributes
121 void extractAttributes(
122 const Application& application,
123 const ObservableMetadataProvider* observable,
124 const XMLCh* entityID,
125 const char* relyingParty,
126 const Extensions& ext,
127 vector<Attribute*>& attributes
130 void getAttributeIds(vector<string>& attributes) const {
131 attributes.insert(attributes.end(), m_attributeIds.begin(), m_attributeIds.end());
136 DOMDocument* m_document;
138 typedef map< pair<xstring,xstring>,pair< AttributeDecoder*,vector<string> > > attrmap_t;
140 typedef map< pair<string,string>,pair< AttributeDecoder*,vector<string> > > attrmap_t;
143 vector<string> m_attributeIds;
145 // settings for embedded assertions in metadata
146 auto_ptr_char m_policyId;
147 MetadataProvider* m_metadata;
148 TrustEngine* m_trust;
149 AttributeFilter* m_filter;
150 bool m_entityAssertions;
152 // manages caching of decoded Attributes
153 mutable RWLock* m_attrLock;
154 typedef map< const EntityAttributes*,vector<DDF> > decoded_t;
155 mutable map<const ObservableMetadataProvider*,decoded_t> m_decodedMap;
158 class XMLExtractor : public AttributeExtractor, public ReloadableXMLFile
161 XMLExtractor(const DOMElement* e) : ReloadableXMLFile(e, Category::getInstance(SHIBSP_LOGCAT".AttributeExtractor.XML")), m_impl(NULL) {
168 void extractAttributes(
169 const Application& application, const RoleDescriptor* issuer, const XMLObject& xmlObject, vector<Attribute*>& attributes
172 void getAttributeIds(std::vector<std::string>& attributes) const {
174 m_impl->getAttributeIds(attributes);
178 pair<bool,DOMElement*> load();
181 XMLExtractorImpl* m_impl;
184 #if defined (_MSC_VER)
185 #pragma warning( pop )
188 AttributeExtractor* SHIBSP_DLLLOCAL XMLAttributeExtractorFactory(const DOMElement* const & e)
190 return new XMLExtractor(e);
193 static const XMLCh _aliases[] = UNICODE_LITERAL_7(a,l,i,a,s,e,s);
194 static const XMLCh _AttributeDecoder[] = UNICODE_LITERAL_16(A,t,t,r,i,b,u,t,e,D,e,c,o,d,e,r);
195 static const XMLCh _AttributeFilter[] = UNICODE_LITERAL_15(A,t,t,r,i,b,u,t,e,F,i,l,t,e,r);
196 static const XMLCh Attributes[] = UNICODE_LITERAL_10(A,t,t,r,i,b,u,t,e,s);
197 static const XMLCh _id[] = UNICODE_LITERAL_2(i,d);
198 static const XMLCh _MetadataProvider[] = UNICODE_LITERAL_16(M,e,t,a,d,a,t,a,P,r,o,v,i,d,e,r);
199 static const XMLCh _name[] = UNICODE_LITERAL_4(n,a,m,e);
200 static const XMLCh nameFormat[] = UNICODE_LITERAL_10(n,a,m,e,F,o,r,m,a,t);
201 static const XMLCh metadataPolicyId[] = UNICODE_LITERAL_16(m,e,t,a,d,a,t,a,P,o,l,i,c,y,I,d);
202 static const XMLCh _TrustEngine[] = UNICODE_LITERAL_11(T,r,u,s,t,E,n,g,i,n,e);
203 static const XMLCh _type[] = UNICODE_LITERAL_4(t,y,p,e);
206 XMLExtractorImpl::XMLExtractorImpl(const DOMElement* e, Category& log)
209 m_policyId(e ? e->getAttributeNS(NULL, metadataPolicyId) : NULL),
213 m_entityAssertions(false),
217 xmltooling::NDC ndc("XMLExtractorImpl");
220 if (!XMLHelper::isNodeNamed(e, shibspconstants::SHIB2ATTRIBUTEMAP_NS, Attributes))
221 throw ConfigurationException("XML AttributeExtractor requires am:Attributes at root of configuration.");
223 DOMElement* child = XMLHelper::getFirstChildElement(e, shibspconstants::SHIB2ATTRIBUTEMAP_NS, _MetadataProvider);
226 auto_ptr_char type(child->getAttributeNS(NULL, _type));
227 if (!type.get() || !*type.get())
228 throw ConfigurationException("MetadataProvider element missing type attribute.");
229 m_log.info("building MetadataProvider of type %s...", type.get());
230 auto_ptr<MetadataProvider> mp(SAMLConfig::getConfig().MetadataProviderManager.newPlugin(type.get(), child));
232 m_metadata = mp.release();
233 m_entityAssertions = true;
235 catch (exception& ex) {
237 "disabling support for Assertions in EntityAttributes extension, error building/initializing MetadataProvider: %s",
243 m_log.info("no dedicated MetadataProvider supplied, disabling support for Assertions in EntityAttributes extension");
246 if (m_entityAssertions) {
247 child = XMLHelper::getFirstChildElement(e, shibspconstants::SHIB2ATTRIBUTEMAP_NS, _TrustEngine);
250 auto_ptr_char type(child->getAttributeNS(NULL, _type));
251 if (!type.get() || !*type.get())
252 throw ConfigurationException("MetadataProvider element missing type attribute.");
253 m_log.info("building TrustEngine of type %s...", type.get());
254 m_trust = XMLToolingConfig::getConfig().TrustEngineManager.newPlugin(type.get(), child);
256 catch (exception& ex) {
258 "disabling support for Assertions in EntityAttributes extension, error building TrustEngine: %s", ex.what()
260 m_entityAssertions = false;
265 if (m_entityAssertions) {
266 child = XMLHelper::getFirstChildElement(e, shibspconstants::SHIB2ATTRIBUTEMAP_NS, _AttributeFilter);
269 auto_ptr_char type(child->getAttributeNS(NULL, _type));
270 if (!type.get() || !*type.get())
271 throw ConfigurationException("AttributeFilter element missing type attribute.");
272 m_log.info("building AttributeFilter of type %s...", type.get());
273 m_filter = SPConfig::getConfig().AttributeFilterManager.newPlugin(type.get(), child);
275 catch (exception& ex) {
277 "disabling support for Assertions in EntityAttributes extension, error building AttributeFilter: %s", ex.what()
279 m_entityAssertions = false;
284 child = XMLHelper::getFirstChildElement(e, shibspconstants::SHIB2ATTRIBUTEMAP_NS, saml1::Attribute::LOCAL_NAME);
286 // Check for missing name or id.
287 const XMLCh* name = child->getAttributeNS(NULL, _name);
288 if (!name || !*name) {
289 m_log.warn("skipping Attribute with no name");
290 child = XMLHelper::getNextSiblingElement(child, shibspconstants::SHIB2ATTRIBUTEMAP_NS, saml1::Attribute::LOCAL_NAME);
294 auto_ptr_char id(child->getAttributeNS(NULL, _id));
295 if (!id.get() || !*id.get()) {
296 m_log.warn("skipping Attribute with no id");
297 child = XMLHelper::getNextSiblingElement(child, shibspconstants::SHIB2ATTRIBUTEMAP_NS, saml1::Attribute::LOCAL_NAME);
300 else if (!strcmp(id.get(), "REMOTE_USER")) {
301 m_log.warn("skipping Attribute, id of REMOTE_USER is a reserved name");
302 child = XMLHelper::getNextSiblingElement(child, shibspconstants::SHIB2ATTRIBUTEMAP_NS, saml1::Attribute::LOCAL_NAME);
306 AttributeDecoder* decoder=NULL;
308 DOMElement* dchild = XMLHelper::getFirstChildElement(child, shibspconstants::SHIB2ATTRIBUTEMAP_NS, _AttributeDecoder);
310 auto_ptr<xmltooling::QName> q(XMLHelper::getXSIType(dchild));
312 decoder = SPConfig::getConfig().AttributeDecoderManager.newPlugin(*q.get(), dchild);
315 decoder = SPConfig::getConfig().AttributeDecoderManager.newPlugin(StringAttributeDecoderType, NULL);
317 catch (exception& ex) {
318 m_log.error("skipping Attribute (%s), error building AttributeDecoder: %s", id.get(), ex.what());
322 child = XMLHelper::getNextSiblingElement(child, shibspconstants::SHIB2ATTRIBUTEMAP_NS, saml1::Attribute::LOCAL_NAME);
326 // Empty NameFormat implies the usual Shib URI naming defaults.
327 const XMLCh* format = child->getAttributeNS(NULL, nameFormat);
328 if (!format || XMLString::equals(format, shibspconstants::SHIB1_ATTRIBUTE_NAMESPACE_URI) ||
329 XMLString::equals(format, saml2::Attribute::URI_REFERENCE))
330 format = &chNull; // ignore default Format/Namespace values
332 // Fetch/create the map entry and see if it's a duplicate rule.
334 pair< AttributeDecoder*,vector<string> >& decl = m_attrMap[pair<xstring,xstring>(name,format)];
336 auto_ptr_char n(name);
337 auto_ptr_char f(format);
338 pair< AttributeDecoder*,vector<string> >& decl = m_attrMap[pair<string,string>(n.get(),f.get())];
341 m_log.warn("skipping duplicate Attribute mapping (same name and nameFormat)");
343 child = XMLHelper::getNextSiblingElement(child, shibspconstants::SHIB2ATTRIBUTEMAP_NS, saml1::Attribute::LOCAL_NAME);
347 if (m_log.isInfoEnabled()) {
349 auto_ptr_char n(name);
350 auto_ptr_char f(format);
352 m_log.info("creating mapping for Attribute %s%s%s", n.get(), *f.get() ? ", Format/Namespace:" : "", f.get());
355 decl.first = decoder;
356 decl.second.push_back(id.get());
357 m_attributeIds.push_back(id.get());
359 name = child->getAttributeNS(NULL, _aliases);
361 auto_ptr_char aliases(name);
363 char* start = const_cast<char*>(aliases.get());
364 while (start && *start) {
365 while (*start && isspace(*start))
369 pos = strchr(start,' ');
372 if (strcmp(start, "REMOTE_USER")) {
373 decl.second.push_back(start);
374 m_attributeIds.push_back(start);
377 m_log.warn("skipping alias, REMOTE_USER is a reserved name");
379 start = pos ? pos+1 : NULL;
383 child = XMLHelper::getNextSiblingElement(child, shibspconstants::SHIB2ATTRIBUTEMAP_NS, saml1::Attribute::LOCAL_NAME);
386 m_attrLock = RWLock::create();
389 void XMLExtractorImpl::extractAttributes(
390 const Application& application,
391 const char* assertingParty,
392 const char* relyingParty,
393 const NameIdentifier& nameid,
394 vector<Attribute*>& attributes
398 map< pair<xstring,xstring>,pair< AttributeDecoder*,vector<string> > >::const_iterator rule;
400 map< pair<string,string>,pair< AttributeDecoder*,vector<string> > >::const_iterator rule;
403 const XMLCh* format = nameid.getFormat();
404 if (!format || !*format)
405 format = NameIdentifier::UNSPECIFIED;
407 if ((rule=m_attrMap.find(pair<xstring,xstring>(format,xstring()))) != m_attrMap.end()) {
409 auto_ptr_char temp(format);
410 if ((rule=m_attrMap.find(pair<string,string>(temp.get(),string()))) != m_attrMap.end()) {
412 Attribute* a = rule->second.first->decode(rule->second.second, &nameid, assertingParty, relyingParty);
414 attributes.push_back(a);
416 else if (m_log.isDebugEnabled()) {
418 auto_ptr_char temp(format);
420 m_log.debug("skipping unmapped NameIdentifier with format (%s)", temp.get());
424 void XMLExtractorImpl::extractAttributes(
425 const Application& application,
426 const char* assertingParty,
427 const char* relyingParty,
428 const NameID& nameid,
429 vector<Attribute*>& attributes
433 map< pair<xstring,xstring>,pair< AttributeDecoder*,vector<string> > >::const_iterator rule;
435 map< pair<string,string>,pair< AttributeDecoder*,vector<string> > >::const_iterator rule;
438 const XMLCh* format = nameid.getFormat();
439 if (!format || !*format)
440 format = NameID::UNSPECIFIED;
442 if ((rule=m_attrMap.find(pair<xstring,xstring>(format,xstring()))) != m_attrMap.end()) {
444 auto_ptr_char temp(format);
445 if ((rule=m_attrMap.find(pair<string,string>(temp.get(),string()))) != m_attrMap.end()) {
447 Attribute* a = rule->second.first->decode(rule->second.second, &nameid, assertingParty, relyingParty);
449 attributes.push_back(a);
451 else if (m_log.isDebugEnabled()) {
453 auto_ptr_char temp(format);
455 m_log.debug("skipping unmapped NameID with format (%s)", temp.get());
459 void XMLExtractorImpl::extractAttributes(
460 const Application& application,
461 const char* assertingParty,
462 const char* relyingParty,
463 const saml1::Attribute& attr,
464 vector<Attribute*>& attributes
468 map< pair<xstring,xstring>,pair< AttributeDecoder*,vector<string> > >::const_iterator rule;
470 map< pair<string,string>,pair< AttributeDecoder*,vector<string> > >::const_iterator rule;
473 const XMLCh* name = attr.getAttributeName();
474 const XMLCh* format = attr.getAttributeNamespace();
477 if (!format || XMLString::equals(format, shibspconstants::SHIB1_ATTRIBUTE_NAMESPACE_URI))
480 if ((rule=m_attrMap.find(pair<xstring,xstring>(name,format))) != m_attrMap.end()) {
482 auto_ptr_char temp1(name);
483 auto_ptr_char temp2(format);
484 if ((rule=m_attrMap.find(pair<string,string>(temp1.get(),temp2.get()))) != m_attrMap.end()) {
486 Attribute* a = rule->second.first->decode(rule->second.second, &attr, assertingParty, relyingParty);
488 attributes.push_back(a);
490 else if (m_log.isInfoEnabled()) {
492 auto_ptr_char temp1(name);
493 auto_ptr_char temp2(format);
495 m_log.info("skipping unmapped SAML 1.x Attribute with Name: %s%s%s", temp1.get(), *temp2.get() ? ", Namespace:" : "", temp2.get());
499 void XMLExtractorImpl::extractAttributes(
500 const Application& application,
501 const char* assertingParty,
502 const char* relyingParty,
503 const saml2::Attribute& attr,
504 vector<Attribute*>& attributes
508 map< pair<xstring,xstring>,pair< AttributeDecoder*,vector<string> > >::const_iterator rule;
510 map< pair<string,string>,pair< AttributeDecoder*,vector<string> > >::const_iterator rule;
513 const XMLCh* name = attr.getName();
514 const XMLCh* format = attr.getNameFormat();
517 if (!format || !*format)
518 format = saml2::Attribute::UNSPECIFIED;
519 else if (XMLString::equals(format, saml2::Attribute::URI_REFERENCE))
522 if ((rule=m_attrMap.find(pair<xstring,xstring>(name,format))) != m_attrMap.end()) {
524 auto_ptr_char temp1(name);
525 auto_ptr_char temp2(format);
526 if ((rule=m_attrMap.find(pair<string,string>(temp1.get(),temp2.get()))) != m_attrMap.end()) {
528 Attribute* a = rule->second.first->decode(rule->second.second, &attr, assertingParty, relyingParty);
530 attributes.push_back(a);
532 else if (m_log.isInfoEnabled()) {
534 auto_ptr_char temp1(name);
535 auto_ptr_char temp2(format);
537 m_log.info("skipping unmapped SAML 2.0 Attribute with Name: %s%s%s", temp1.get(), *temp2.get() ? ", Format:" : "", temp2.get());
541 void XMLExtractorImpl::extractAttributes(
542 const Application& application,
543 const ObservableMetadataProvider* observable,
544 const XMLCh* entityID,
545 const char* relyingParty,
546 const Extensions& ext,
547 vector<Attribute*>& attributes
550 const vector<XMLObject*>& exts = ext.getUnknownXMLObjects();
551 for (vector<XMLObject*>::const_iterator i = exts.begin(); i!=exts.end(); ++i) {
552 const EntityAttributes* container = dynamic_cast<const EntityAttributes*>(*i);
556 bool useCache = false;
557 map<const ObservableMetadataProvider*,decoded_t>::iterator cacheEntry;
559 // Check for cached result.
561 m_attrLock->rdlock();
562 cacheEntry = m_decodedMap.find(observable);
563 if (cacheEntry == m_decodedMap.end()) {
564 // We need to elevate the lock and retry.
565 m_attrLock->unlock();
566 m_attrLock->wrlock();
567 cacheEntry = m_decodedMap.find(observable);
568 if (cacheEntry==m_decodedMap.end()) {
570 // It's still brand new, so hook it for cache activation.
571 observable->addObserver(this);
573 // Prime the map reference with an empty decoded map.
574 cacheEntry = m_decodedMap.insert(make_pair(observable,decoded_t())).first;
576 // Downgrade the lock.
577 // We don't have to recheck because we never erase the master map entry entirely, even on changes.
578 m_attrLock->unlock();
579 m_attrLock->rdlock();
586 // We're holding a read lock, so check the cache.
587 decoded_t::iterator d = cacheEntry->second.find(container);
588 if (d != cacheEntry->second.end()) {
589 SharedLock locker(m_attrLock, false); // pop the lock when we're done
590 for (vector<DDF>::iterator obj = d->second.begin(); obj != d->second.end(); ++obj) {
591 auto_ptr<Attribute> wrapper(Attribute::unmarshall(*obj));
592 m_log.debug("recovered cached metadata attribute (%s)", wrapper->getId());
593 attributes.push_back(wrapper.release());
599 // Use a holding area to support caching.
600 vector<Attribute*> holding;
602 const vector<saml2::Attribute*>& attrs = container->getAttributes();
603 for (vector<saml2::Attribute*>::const_iterator attr = attrs.begin(); attr != attrs.end(); ++attr) {
605 extractAttributes(application, NULL, relyingParty, *(*attr), holding);
609 m_attrLock->unlock();
610 for_each(holding.begin(), holding.end(), xmltooling::cleanup<Attribute>());
615 if (entityID && m_entityAssertions) {
616 const vector<saml2::Assertion*>& asserts = container->getAssertions();
617 for (vector<saml2::Assertion*>::const_iterator assert = asserts.begin(); assert != asserts.end(); ++assert) {
618 if (!(*assert)->getSignature()) {
619 if (m_log.isDebugEnabled()) {
620 auto_ptr_char eid(entityID);
621 m_log.debug("skipping unsigned assertion in metadata extension for entity (%s)", eid.get());
625 else if ((*assert)->getAttributeStatements().empty()) {
626 if (m_log.isDebugEnabled()) {
627 auto_ptr_char eid(entityID);
628 m_log.debug("skipping assertion with no AttributeStatement in metadata extension for entity (%s)", eid.get());
634 const NameID* subject = (*assert)->getSubject() ? (*assert)->getSubject()->getNameID() : NULL;
636 !XMLString::equals(subject->getFormat(), NameID::ENTITY) ||
637 !XMLString::equals(subject->getName(), entityID)) {
638 if (m_log.isDebugEnabled()) {
639 auto_ptr_char eid(entityID);
640 m_log.debug("skipping assertion with improper Subject in metadata extension for entity (%s)", eid.get());
646 // Use a private holding area for filtering purposes.
647 vector<Attribute*> holding2;
650 // Set up and evaluate a policy for an AA asserting attributes to us.
651 shibsp::SecurityPolicy policy(application, &AttributeAuthorityDescriptor::ELEMENT_QNAME, false, m_policyId.get());
652 Locker locker(m_metadata);
653 policy.setMetadataProvider(m_metadata);
655 policy.setTrustEngine(m_trust);
656 // Populate recipient as audience.
657 const XMLCh* issuer = (*assert)->getIssuer() ? (*assert)->getIssuer()->getName() : NULL;
658 policy.getAudiences().push_back(application.getRelyingParty(issuer)->getXMLString("entityID").second);
660 // Extract assertion information for policy.
661 policy.setMessageID((*assert)->getID());
662 policy.setIssueInstant((*assert)->getIssueInstantEpoch());
663 policy.setIssuer((*assert)->getIssuer());
665 // Look up metadata for issuer.
666 if (policy.getIssuer() && policy.getMetadataProvider()) {
667 if (policy.getIssuer()->getFormat() && !XMLString::equals(policy.getIssuer()->getFormat(), saml2::NameIDType::ENTITY)) {
668 m_log.debug("non-system entity issuer, skipping metadata lookup");
671 m_log.debug("searching metadata for entity assertion issuer...");
672 pair<const EntityDescriptor*,const RoleDescriptor*> lookup;
673 MetadataProvider::Criteria& mc = policy.getMetadataProviderCriteria();
674 mc.entityID_unicode = policy.getIssuer()->getName();
675 mc.role = &AttributeAuthorityDescriptor::ELEMENT_QNAME;
676 mc.protocol = samlconstants::SAML20P_NS;
677 lookup = policy.getMetadataProvider()->getEntityDescriptor(mc);
679 auto_ptr_char iname(policy.getIssuer()->getName());
680 m_log.debug("no metadata found, can't establish identity of issuer (%s)", iname.get());
682 else if (!lookup.second) {
683 m_log.debug("unable to find compatible AA role in metadata");
686 policy.setIssuerMetadata(lookup.second);
691 // Authenticate the assertion. We have to marshall them to establish the signature for verification.
692 (*assert)->marshall();
693 policy.evaluate(*(*assert));
694 if (!policy.isAuthenticated()) {
695 if (m_log.isDebugEnabled()) {
696 auto_ptr_char tempid((*assert)->getID());
697 auto_ptr_char eid(entityID);
699 "failed to authenticate assertion (%s) in metadata extension for entity (%s)", tempid.get(), eid.get()
702 (*assert)->releaseThisAndChildrenDOM();
703 (*assert)->setDocument(NULL);
707 // Override the asserting/relying party names based on this new issuer.
708 const EntityDescriptor* inlineEntity =
709 policy.getIssuerMetadata() ? dynamic_cast<const EntityDescriptor*>(policy.getIssuerMetadata()->getParent()) : NULL;
710 auto_ptr_char inlineAssertingParty(inlineEntity ? inlineEntity->getEntityID() : NULL);
711 relyingParty = application.getRelyingParty(inlineEntity)->getString("entityID").second;
712 const vector<saml2::Attribute*>& attrs2 =
713 const_cast<const saml2::AttributeStatement*>((*assert)->getAttributeStatements().front())->getAttributes();
714 for (vector<saml2::Attribute*>::const_iterator a = attrs2.begin(); a!=attrs2.end(); ++a)
715 extractAttributes(application, inlineAssertingParty.get(), relyingParty, *(*a), holding2);
716 (*assert)->releaseThisAndChildrenDOM();
717 (*assert)->setDocument(NULL);
719 // Now we locally filter the attributes so that the actual issuer can be properly set.
720 // If we relied on outside filtering, the attributes couldn't be distinguished from the
721 // ones that come from the user's IdP.
722 if (m_filter && !holding2.empty()) {
723 BasicFilteringContext fc(application, holding2, policy.getIssuerMetadata());
724 Locker filtlocker(m_filter);
726 m_filter->filterAttributes(fc, holding2);
728 catch (exception& ex) {
729 m_log.error("caught exception filtering attributes: %s", ex.what());
730 m_log.error("dumping extracted attributes due to filtering exception");
731 for_each(holding2.begin(), holding2.end(), xmltooling::cleanup<Attribute>());
736 if (!holding2.empty()) {
737 // Copy them over to the main holding tank.
738 holding.insert(holding.end(), holding2.begin(), holding2.end());
741 catch (exception& ex) {
742 // Known exceptions are handled gracefully by skipping the assertion.
743 if (m_log.isDebugEnabled()) {
744 auto_ptr_char tempid((*assert)->getID());
745 auto_ptr_char eid(entityID);
747 "exception authenticating assertion (%s) in metadata extension for entity (%s): %s",
753 (*assert)->releaseThisAndChildrenDOM();
754 (*assert)->setDocument(NULL);
755 for_each(holding2.begin(), holding2.end(), xmltooling::cleanup<Attribute>());
759 // Unknown exceptions are fatal.
761 m_attrLock->unlock();
762 (*assert)->releaseThisAndChildrenDOM();
763 (*assert)->setDocument(NULL);
764 for_each(holding.begin(), holding.end(), xmltooling::cleanup<Attribute>());
765 for_each(holding2.begin(), holding2.end(), xmltooling::cleanup<Attribute>());
771 if (!holding.empty()) {
773 m_attrLock->unlock();
774 m_attrLock->wrlock();
775 SharedLock locker(m_attrLock, false); // pop the lock when we're done
776 if (cacheEntry->second.count(container) == 0) {
777 for (vector<Attribute*>::const_iterator held = holding.begin(); held != holding.end(); ++held)
778 cacheEntry->second[container].push_back((*held)->marshall());
781 attributes.insert(attributes.end(), holding.begin(), holding.end());
784 m_attrLock->unlock();
787 break; // only process a single extension element
791 void XMLExtractor::extractAttributes(
792 const Application& application, const RoleDescriptor* issuer, const XMLObject& xmlObject, vector<Attribute*>& attributes
798 const EntityDescriptor* entity = issuer ? dynamic_cast<const EntityDescriptor*>(issuer->getParent()) : NULL;
799 const char* relyingParty = application.getRelyingParty(entity)->getString("entityID").second;
801 // Check for assertions.
802 if (XMLString::equals(xmlObject.getElementQName().getLocalPart(), saml1::Assertion::LOCAL_NAME)) {
803 const saml2::Assertion* token2 = dynamic_cast<const saml2::Assertion*>(&xmlObject);
805 auto_ptr_char assertingParty(entity ? entity->getEntityID() : NULL);
806 const vector<saml2::AttributeStatement*>& statements = token2->getAttributeStatements();
807 for (vector<saml2::AttributeStatement*>::const_iterator s = statements.begin(); s!=statements.end(); ++s) {
808 const vector<saml2::Attribute*>& attrs = const_cast<const saml2::AttributeStatement*>(*s)->getAttributes();
809 for (vector<saml2::Attribute*>::const_iterator a = attrs.begin(); a!=attrs.end(); ++a)
810 m_impl->extractAttributes(application, assertingParty.get(), relyingParty, *(*a), attributes);
812 const vector<saml2::EncryptedAttribute*>& encattrs = const_cast<const saml2::AttributeStatement*>(*s)->getEncryptedAttributes();
813 for (vector<saml2::EncryptedAttribute*>::const_iterator ea = encattrs.begin(); ea!=encattrs.end(); ++ea)
814 extractAttributes(application, issuer, *(*ea), attributes);
819 const saml1::Assertion* token1 = dynamic_cast<const saml1::Assertion*>(&xmlObject);
821 auto_ptr_char assertingParty(entity ? entity->getEntityID() : NULL);
822 const vector<saml1::AttributeStatement*>& statements = token1->getAttributeStatements();
823 for (vector<saml1::AttributeStatement*>::const_iterator s = statements.begin(); s!=statements.end(); ++s) {
824 const vector<saml1::Attribute*>& attrs = const_cast<const saml1::AttributeStatement*>(*s)->getAttributes();
825 for (vector<saml1::Attribute*>::const_iterator a = attrs.begin(); a!=attrs.end(); ++a)
826 m_impl->extractAttributes(application, assertingParty.get(), relyingParty, *(*a), attributes);
831 throw AttributeExtractionException("Unable to extract attributes, unknown object type.");
834 // Check for metadata.
835 if (XMLString::equals(xmlObject.getElementQName().getNamespaceURI(), samlconstants::SAML20MD_NS)) {
836 const EntityDescriptor* entityToExtract = dynamic_cast<const EntityDescriptor*>(&xmlObject);
837 if (!entityToExtract)
838 throw AttributeExtractionException("Unable to extract attributes, unknown metadata object type.");
839 const Extensions* ext = entityToExtract->getExtensions();
841 m_impl->extractAttributes(
843 dynamic_cast<const ObservableMetadataProvider*>(application.getMetadataProvider(false)),
844 entityToExtract->getEntityID(),
850 const EntitiesDescriptor* group = dynamic_cast<const EntitiesDescriptor*>(entityToExtract->getParent());
852 ext = group->getExtensions();
854 m_impl->extractAttributes(
856 dynamic_cast<const ObservableMetadataProvider*>(application.getMetadataProvider(false)),
857 NULL, // not an entity, so inline assertions won't be processed
863 group = dynamic_cast<const EntitiesDescriptor*>(group->getParent());
868 // Check for attributes.
869 if (XMLString::equals(xmlObject.getElementQName().getLocalPart(), saml1::Attribute::LOCAL_NAME)) {
870 auto_ptr_char assertingParty(entity ? entity->getEntityID() : NULL);
871 const saml2::Attribute* attr2 = dynamic_cast<const saml2::Attribute*>(&xmlObject);
873 return m_impl->extractAttributes(application, assertingParty.get(), relyingParty, *attr2, attributes);
875 const saml1::Attribute* attr1 = dynamic_cast<const saml1::Attribute*>(&xmlObject);
877 return m_impl->extractAttributes(application, assertingParty.get(), relyingParty, *attr1, attributes);
879 throw AttributeExtractionException("Unable to extract attributes, unknown object type.");
882 if (XMLString::equals(xmlObject.getElementQName().getLocalPart(), EncryptedAttribute::LOCAL_NAME)) {
883 const EncryptedAttribute* encattr = dynamic_cast<const EncryptedAttribute*>(&xmlObject);
885 const XMLCh* recipient = application.getXMLString("entityID").second;
886 CredentialResolver* cr = application.getCredentialResolver();
888 m_log.warn("found encrypted attribute, but no CredentialResolver was available");
893 Locker credlocker(cr);
895 MetadataCredentialCriteria mcc(*issuer);
896 auto_ptr<XMLObject> decrypted(encattr->decrypt(*cr, recipient, &mcc));
897 if (m_log.isDebugEnabled())
898 m_log.debugStream() << "decrypted Attribute: " << *(decrypted.get()) << logging::eol;
899 return extractAttributes(application, issuer, *(decrypted.get()), attributes);
902 auto_ptr<XMLObject> decrypted(encattr->decrypt(*cr, recipient));
903 if (m_log.isDebugEnabled())
904 m_log.debugStream() << "decrypted Attribute: " << *(decrypted.get()) << logging::eol;
905 return extractAttributes(application, issuer, *(decrypted.get()), attributes);
908 catch (exception& ex) {
909 m_log.error("caught exception decrypting Attribute: %s", ex.what());
915 // Check for NameIDs.
916 const NameID* name2 = dynamic_cast<const NameID*>(&xmlObject);
918 auto_ptr_char assertingParty(entity ? entity->getEntityID() : NULL);
919 return m_impl->extractAttributes(application, assertingParty.get(), relyingParty, *name2, attributes);
922 const NameIdentifier* name1 = dynamic_cast<const NameIdentifier*>(&xmlObject);
924 auto_ptr_char assertingParty(entity ? entity->getEntityID() : NULL);
925 return m_impl->extractAttributes(application, assertingParty.get(), relyingParty, *name1, attributes);
928 throw AttributeExtractionException("Unable to extract attributes, unknown object type.");
931 pair<bool,DOMElement*> XMLExtractor::load()
933 // Load from source using base class.
934 pair<bool,DOMElement*> raw = ReloadableXMLFile::load();
936 // If we own it, wrap it.
937 XercesJanitor<DOMDocument> docjanitor(raw.first ? raw.second->getOwnerDocument() : NULL);
939 XMLExtractorImpl* impl = new XMLExtractorImpl(raw.second, m_log);
941 // If we held the document, transfer it to the impl. If we didn't, it's a no-op.
942 impl->setDocument(docjanitor.release());
947 return make_pair(false,(DOMElement*)NULL);