2 * Licensed to the University Corporation for Advanced Internet
3 * Development, Inc. (UCAID) under one or more contributor license
4 * agreements. See the NOTICE file distributed with this work for
5 * additional information regarding copyright ownership.
7 * UCAID licenses this file to you under the Apache License,
8 * Version 2.0 (the "License"); you may not use this file except
9 * in compliance with the License. You may obtain a copy of the
12 * http://www.apache.org/licenses/LICENSE-2.0
14 * Unless required by applicable law or agreed to in writing,
15 * software distributed under the License is distributed on an
16 * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND,
17 * either express or implied. See the License for the specific
18 * language governing permissions and limitations under the License.
22 * XMLAttributeExtractor.cpp
24 * AttributeExtractor based on an XML mapping file.
28 #include "exceptions.h"
29 #include "Application.h"
30 #include "ServiceProvider.h"
31 #include "attribute/Attribute.h"
32 #include "attribute/AttributeDecoder.h"
33 #include "attribute/filtering/AttributeFilter.h"
34 #include "attribute/filtering/BasicFilteringContext.h"
35 #include "attribute/resolver/AttributeExtractor.h"
36 #include "remoting/ddf.h"
37 #include "security/SecurityPolicy.h"
38 #include "util/SPConstants.h"
40 #include <saml/SAMLConfig.h>
41 #include <saml/saml1/core/Assertions.h>
42 #include <saml/saml2/core/Assertions.h>
43 #include <saml/saml2/metadata/Metadata.h>
44 #include <saml/saml2/metadata/MetadataCredentialCriteria.h>
45 #include <saml/saml2/metadata/ObservableMetadataProvider.h>
46 #include <xmltooling/XMLToolingConfig.h>
47 #include <xmltooling/security/TrustEngine.h>
48 #include <xmltooling/util/NDC.h>
49 #include <xmltooling/util/ReloadableXMLFile.h>
50 #include <xmltooling/util/Threads.h>
51 #include <xmltooling/util/XMLHelper.h>
52 #include <xercesc/util/XMLUniDefs.hpp>
54 using namespace shibsp;
55 using namespace opensaml::saml2md;
56 using namespace opensaml;
57 using namespace xmltooling;
59 using saml1::NameIdentifier;
61 using saml2::EncryptedAttribute;
65 #if defined (_MSC_VER)
66 #pragma warning( push )
67 #pragma warning( disable : 4250 )
70 class XMLExtractorImpl : public ObservableMetadataProvider::Observer
73 XMLExtractorImpl(const DOMElement* e, Category& log);
75 for (map<const ObservableMetadataProvider*,decoded_t>::iterator i=m_decodedMap.begin(); i!=m_decodedMap.end(); ++i) {
76 i->first->removeObserver(this);
77 for (decoded_t::iterator attrs = i->second.begin(); attrs!=i->second.end(); ++attrs)
78 for_each(attrs->second.begin(), attrs->second.end(), mem_fun_ref<DDF&,DDF>(&DDF::destroy));
84 for (attrmap_t::iterator j = m_attrMap.begin(); j!=m_attrMap.end(); ++j)
85 delete j->second.first;
87 m_document->release();
90 void setDocument(DOMDocument* doc) {
94 void onEvent(const ObservableMetadataProvider& metadata) const {
95 // Destroy attributes we cached from this provider.
97 decoded_t& d = m_decodedMap[&metadata];
98 for (decoded_t::iterator a = d.begin(); a!=d.end(); ++a)
99 for_each(a->second.begin(), a->second.end(), mem_fun_ref<DDF&,DDF>(&DDF::destroy));
101 m_attrLock->unlock();
104 void extractAttributes(
105 const Application& application,
106 const char* assertingParty,
107 const char* relyingParty,
108 const NameIdentifier& nameid,
109 vector<Attribute*>& attributes
111 void extractAttributes(
112 const Application& application,
113 const char* assertingParty,
114 const char* relyingParty,
115 const NameID& nameid,
116 vector<Attribute*>& attributes
118 void extractAttributes(
119 const Application& application,
120 const char* assertingParty,
121 const char* relyingParty,
122 const saml1::Attribute& attr,
123 vector<Attribute*>& attributes
125 void extractAttributes(
126 const Application& application,
127 const char* assertingParty,
128 const char* relyingParty,
129 const saml2::Attribute& attr,
130 vector<Attribute*>& attributes
132 void extractAttributes(
133 const Application& application,
134 const char* assertingParty,
135 const char* relyingParty,
136 const saml1::AttributeStatement& statement,
137 vector<Attribute*>& attributes
139 void extractAttributes(
140 const Application& application,
141 const char* assertingParty,
142 const char* relyingParty,
143 const saml2::AttributeStatement& statement,
144 vector<Attribute*>& attributes
146 void extractAttributes(
147 const Application& application,
148 const ObservableMetadataProvider* observable,
149 const XMLCh* entityID,
150 const char* relyingParty,
151 const Extensions& ext,
152 vector<Attribute*>& attributes
155 void getAttributeIds(vector<string>& attributes) const {
156 attributes.insert(attributes.end(), m_attributeIds.begin(), m_attributeIds.end());
159 void generateMetadata(SPSSODescriptor& role) const;
163 DOMDocument* m_document;
164 typedef map< pair<xstring,xstring>,pair< AttributeDecoder*,vector<string> > > attrmap_t;
166 vector<string> m_attributeIds;
167 vector< pair< pair<xstring,xstring>,bool > > m_requestedAttrs;
169 // settings for embedded assertions in metadata
171 MetadataProvider* m_metadata;
172 TrustEngine* m_trust;
173 AttributeFilter* m_filter;
174 bool m_entityAssertions;
176 // manages caching of decoded Attributes
177 mutable RWLock* m_attrLock;
178 typedef map< const EntityAttributes*,vector<DDF> > decoded_t;
179 mutable map<const ObservableMetadataProvider*,decoded_t> m_decodedMap;
182 class XMLExtractor : public AttributeExtractor, public ReloadableXMLFile
185 XMLExtractor(const DOMElement* e) : ReloadableXMLFile(e, Category::getInstance(SHIBSP_LOGCAT".AttributeExtractor.XML")), m_impl(nullptr) {
193 void extractAttributes(
194 const Application& application, const RoleDescriptor* issuer, const XMLObject& xmlObject, vector<Attribute*>& attributes
197 void getAttributeIds(std::vector<std::string>& attributes) const {
199 m_impl->getAttributeIds(attributes);
202 void generateMetadata(SPSSODescriptor& role) const {
204 m_impl->generateMetadata(role);
208 pair<bool,DOMElement*> background_load();
211 XMLExtractorImpl* m_impl;
214 #if defined (_MSC_VER)
215 #pragma warning( pop )
218 AttributeExtractor* SHIBSP_DLLLOCAL XMLAttributeExtractorFactory(const DOMElement* const & e)
220 return new XMLExtractor(e);
223 static const XMLCh _aliases[] = UNICODE_LITERAL_7(a,l,i,a,s,e,s);
224 static const XMLCh _AttributeDecoder[] = UNICODE_LITERAL_16(A,t,t,r,i,b,u,t,e,D,e,c,o,d,e,r);
225 static const XMLCh _AttributeFilter[] = UNICODE_LITERAL_15(A,t,t,r,i,b,u,t,e,F,i,l,t,e,r);
226 static const XMLCh Attributes[] = UNICODE_LITERAL_10(A,t,t,r,i,b,u,t,e,s);
227 static const XMLCh _id[] = UNICODE_LITERAL_2(i,d);
228 static const XMLCh isRequested[] = UNICODE_LITERAL_11(i,s,R,e,q,u,e,s,t,e,d);
229 static const XMLCh _MetadataProvider[] = UNICODE_LITERAL_16(M,e,t,a,d,a,t,a,P,r,o,v,i,d,e,r);
230 static const XMLCh _name[] = UNICODE_LITERAL_4(n,a,m,e);
231 static const XMLCh nameFormat[] = UNICODE_LITERAL_10(n,a,m,e,F,o,r,m,a,t);
232 static const XMLCh metadataPolicyId[] = UNICODE_LITERAL_16(m,e,t,a,d,a,t,a,P,o,l,i,c,y,I,d);
233 static const XMLCh _TrustEngine[] = UNICODE_LITERAL_11(T,r,u,s,t,E,n,g,i,n,e);
234 static const XMLCh _type[] = UNICODE_LITERAL_4(t,y,p,e);
237 XMLExtractorImpl::XMLExtractorImpl(const DOMElement* e, Category& log)
240 m_policyId(XMLHelper::getAttrString(e, nullptr, metadataPolicyId)),
244 m_entityAssertions(true),
248 xmltooling::NDC ndc("XMLExtractorImpl");
251 if (!XMLHelper::isNodeNamed(e, shibspconstants::SHIB2ATTRIBUTEMAP_NS, Attributes))
252 throw ConfigurationException("XML AttributeExtractor requires am:Attributes at root of configuration.");
254 DOMElement* child = XMLHelper::getFirstChildElement(e, shibspconstants::SHIB2ATTRIBUTEMAP_NS, _MetadataProvider);
257 string t(XMLHelper::getAttrString(child, nullptr, _type));
259 throw ConfigurationException("MetadataProvider element missing type attribute.");
260 m_log.info("building MetadataProvider of type %s...", t.c_str());
261 auto_ptr<MetadataProvider> mp(SAMLConfig::getConfig().MetadataProviderManager.newPlugin(t.c_str(), child));
263 m_metadata = mp.release();
265 catch (exception& ex) {
266 m_entityAssertions = false;
267 m_log.crit("error building/initializing dedicated MetadataProvider: %s", ex.what());
268 m_log.crit("disabling support for Assertions in EntityAttributes extension");
272 if (m_entityAssertions) {
273 child = XMLHelper::getFirstChildElement(e, shibspconstants::SHIB2ATTRIBUTEMAP_NS, _TrustEngine);
276 string t(XMLHelper::getAttrString(child, nullptr, _type));
278 throw ConfigurationException("TrustEngine element missing type attribute.");
279 m_log.info("building TrustEngine of type %s...", t.c_str());
280 m_trust = XMLToolingConfig::getConfig().TrustEngineManager.newPlugin(t.c_str(), child);
282 catch (exception& ex) {
283 m_entityAssertions = false;
284 m_log.crit("error building/initializing dedicated TrustEngine: %s", ex.what());
285 m_log.crit("disabling support for Assertions in EntityAttributes extension");
290 if (m_entityAssertions) {
291 child = XMLHelper::getFirstChildElement(e, shibspconstants::SHIB2ATTRIBUTEMAP_NS, _AttributeFilter);
294 string t(XMLHelper::getAttrString(child, nullptr, _type));
296 throw ConfigurationException("AttributeFilter element missing type attribute.");
297 m_log.info("building AttributeFilter of type %s...", t.c_str());
298 m_filter = SPConfig::getConfig().AttributeFilterManager.newPlugin(t.c_str(), child);
300 catch (exception& ex) {
301 m_entityAssertions = false;
302 m_log.crit("error building/initializing dedicated AttributeFilter: %s", ex.what());
303 m_log.crit("disabling support for Assertions in EntityAttributes extension");
308 child = XMLHelper::getFirstChildElement(e, shibspconstants::SHIB2ATTRIBUTEMAP_NS, saml1::Attribute::LOCAL_NAME);
310 // Check for missing name or id.
311 const XMLCh* name = child->getAttributeNS(nullptr, _name);
312 if (!name || !*name) {
313 m_log.warn("skipping Attribute with no name");
314 child = XMLHelper::getNextSiblingElement(child, shibspconstants::SHIB2ATTRIBUTEMAP_NS, saml1::Attribute::LOCAL_NAME);
318 auto_ptr_char id(child->getAttributeNS(nullptr, _id));
319 if (!id.get() || !*id.get()) {
320 m_log.warn("skipping Attribute with no id");
321 child = XMLHelper::getNextSiblingElement(child, shibspconstants::SHIB2ATTRIBUTEMAP_NS, saml1::Attribute::LOCAL_NAME);
324 else if (!strcmp(id.get(), "REMOTE_USER")) {
325 m_log.warn("skipping Attribute, id of REMOTE_USER is a reserved name");
326 child = XMLHelper::getNextSiblingElement(child, shibspconstants::SHIB2ATTRIBUTEMAP_NS, saml1::Attribute::LOCAL_NAME);
330 AttributeDecoder* decoder=nullptr;
332 DOMElement* dchild = XMLHelper::getFirstChildElement(child, shibspconstants::SHIB2ATTRIBUTEMAP_NS, _AttributeDecoder);
334 auto_ptr<xmltooling::QName> q(XMLHelper::getXSIType(dchild));
336 decoder = SPConfig::getConfig().AttributeDecoderManager.newPlugin(*q.get(), dchild);
339 decoder = SPConfig::getConfig().AttributeDecoderManager.newPlugin(StringAttributeDecoderType, nullptr);
341 catch (exception& ex) {
342 m_log.error("skipping Attribute (%s), error building AttributeDecoder: %s", id.get(), ex.what());
346 child = XMLHelper::getNextSiblingElement(child, shibspconstants::SHIB2ATTRIBUTEMAP_NS, saml1::Attribute::LOCAL_NAME);
350 // Empty NameFormat implies the usual Shib URI naming defaults.
351 const XMLCh* format = child->getAttributeNS(nullptr, nameFormat);
352 if (!format || XMLString::equals(format, shibspconstants::SHIB1_ATTRIBUTE_NAMESPACE_URI) ||
353 XMLString::equals(format, saml2::Attribute::URI_REFERENCE))
354 format = &chNull; // ignore default Format/Namespace values
356 // Fetch/create the map entry and see if it's a duplicate rule.
357 pair< AttributeDecoder*,vector<string> >& decl = m_attrMap[pair<xstring,xstring>(name,format)];
359 m_log.warn("skipping duplicate Attribute mapping (same name and nameFormat)");
361 child = XMLHelper::getNextSiblingElement(child, shibspconstants::SHIB2ATTRIBUTEMAP_NS, saml1::Attribute::LOCAL_NAME);
365 if (m_log.isInfoEnabled()) {
366 auto_ptr_char n(name);
367 auto_ptr_char f(format);
368 m_log.info("creating mapping for Attribute %s%s%s", n.get(), *f.get() ? ", Format/Namespace:" : "", f.get());
371 decl.first = decoder;
372 decl.second.push_back(id.get());
373 m_attributeIds.push_back(id.get());
375 // Check for isRequired/isRequested.
376 bool requested = XMLHelper::getAttrBool(child, false, isRequested);
377 bool required = XMLHelper::getAttrBool(child, false, RequestedAttribute::ISREQUIRED_ATTRIB_NAME);
378 if (required || requested)
379 m_requestedAttrs.push_back(make_pair(pair<xstring,xstring>(name,format), required));
381 name = child->getAttributeNS(nullptr, _aliases);
383 auto_ptr_char aliases(name);
385 char* start = const_cast<char*>(aliases.get());
386 while (start && *start) {
387 while (*start && isspace(*start))
391 pos = strchr(start,' ');
394 if (strcmp(start, "REMOTE_USER")) {
395 decl.second.push_back(start);
396 m_attributeIds.push_back(start);
399 m_log.warn("skipping alias, REMOTE_USER is a reserved name");
401 start = pos ? pos+1 : nullptr;
405 child = XMLHelper::getNextSiblingElement(child, shibspconstants::SHIB2ATTRIBUTEMAP_NS, saml1::Attribute::LOCAL_NAME);
408 m_attrLock = RWLock::create();
411 void XMLExtractorImpl::generateMetadata(SPSSODescriptor& role) const
413 if (m_requestedAttrs.empty())
416 const vector<AttributeConsumingService*>& svcs = const_cast<const SPSSODescriptor*>(&role)->getAttributeConsumingServices();
417 for (vector<AttributeConsumingService*>::const_iterator s =svcs.begin(); s != svcs.end(); ++s) {
418 pair<bool,int> i = (*s)->getIndex();
419 if (i.first && index == i.second)
420 index = i.second + 1;
422 AttributeConsumingService* svc = AttributeConsumingServiceBuilder::buildAttributeConsumingService();
423 role.getAttributeConsumingServices().push_back(svc);
424 svc->setIndex(index);
425 ServiceName* sn = ServiceNameBuilder::buildServiceName();
426 svc->getServiceNames().push_back(sn);
427 sn->setName(dynamic_cast<EntityDescriptor*>(role.getParent())->getEntityID());
428 static const XMLCh english[] = UNICODE_LITERAL_2(e,n);
429 sn->setLang(english);
431 for (vector< pair< pair<xstring,xstring>,bool > >::const_iterator i = m_requestedAttrs.begin(); i != m_requestedAttrs.end(); ++i) {
432 RequestedAttribute* req = RequestedAttributeBuilder::buildRequestedAttribute();
433 svc->getRequestedAttributes().push_back(req);
434 req->setName(i->first.first.c_str());
435 if (i->first.second.empty())
436 req->setNameFormat(saml2::Attribute::URI_REFERENCE);
438 req->setNameFormat(i->first.second.c_str());
440 req->isRequired(true);
444 void XMLExtractorImpl::extractAttributes(
445 const Application& application,
446 const char* assertingParty,
447 const char* relyingParty,
448 const NameIdentifier& nameid,
449 vector<Attribute*>& attributes
452 map< pair<xstring,xstring>,pair< AttributeDecoder*,vector<string> > >::const_iterator rule;
454 const XMLCh* format = nameid.getFormat();
455 if (!format || !*format)
456 format = NameIdentifier::UNSPECIFIED;
457 if ((rule=m_attrMap.find(pair<xstring,xstring>(format,xstring()))) != m_attrMap.end()) {
458 Attribute* a = rule->second.first->decode(rule->second.second, &nameid, assertingParty, relyingParty);
460 attributes.push_back(a);
462 else if (m_log.isDebugEnabled()) {
463 auto_ptr_char temp(format);
464 m_log.debug("skipping unmapped NameIdentifier with format (%s)", temp.get());
468 void XMLExtractorImpl::extractAttributes(
469 const Application& application,
470 const char* assertingParty,
471 const char* relyingParty,
472 const NameID& nameid,
473 vector<Attribute*>& attributes
476 map< pair<xstring,xstring>,pair< AttributeDecoder*,vector<string> > >::const_iterator rule;
478 const XMLCh* format = nameid.getFormat();
479 if (!format || !*format)
480 format = NameID::UNSPECIFIED;
481 if ((rule=m_attrMap.find(pair<xstring,xstring>(format,xstring()))) != m_attrMap.end()) {
482 Attribute* a = rule->second.first->decode(rule->second.second, &nameid, assertingParty, relyingParty);
484 attributes.push_back(a);
486 else if (m_log.isDebugEnabled()) {
487 auto_ptr_char temp(format);
488 m_log.debug("skipping unmapped NameID with format (%s)", temp.get());
492 void XMLExtractorImpl::extractAttributes(
493 const Application& application,
494 const char* assertingParty,
495 const char* relyingParty,
496 const saml1::Attribute& attr,
497 vector<Attribute*>& attributes
500 map< pair<xstring,xstring>,pair< AttributeDecoder*,vector<string> > >::const_iterator rule;
502 const XMLCh* name = attr.getAttributeName();
503 const XMLCh* format = attr.getAttributeNamespace();
506 if (!format || XMLString::equals(format, shibspconstants::SHIB1_ATTRIBUTE_NAMESPACE_URI))
508 if ((rule=m_attrMap.find(pair<xstring,xstring>(name,format))) != m_attrMap.end()) {
509 Attribute* a = rule->second.first->decode(rule->second.second, &attr, assertingParty, relyingParty);
511 attributes.push_back(a);
513 else if (m_log.isInfoEnabled()) {
514 auto_ptr_char temp1(name);
515 auto_ptr_char temp2(format);
516 m_log.info("skipping unmapped SAML 1.x Attribute with Name: %s%s%s", temp1.get(), *temp2.get() ? ", Namespace:" : "", temp2.get());
520 void XMLExtractorImpl::extractAttributes(
521 const Application& application,
522 const char* assertingParty,
523 const char* relyingParty,
524 const saml2::Attribute& attr,
525 vector<Attribute*>& attributes
528 map< pair<xstring,xstring>,pair< AttributeDecoder*,vector<string> > >::const_iterator rule;
530 const XMLCh* name = attr.getName();
531 const XMLCh* format = attr.getNameFormat();
534 if (!format || !*format)
535 format = saml2::Attribute::UNSPECIFIED;
536 else if (XMLString::equals(format, saml2::Attribute::URI_REFERENCE))
539 if ((rule=m_attrMap.find(pair<xstring,xstring>(name,format))) != m_attrMap.end()) {
540 Attribute* a = rule->second.first->decode(rule->second.second, &attr, assertingParty, relyingParty);
542 attributes.push_back(a);
546 else if (XMLString::equals(format, saml2::Attribute::UNSPECIFIED)) {
547 // As a fallback, if the format is "unspecified", null out the value and re-map.
548 if ((rule=m_attrMap.find(pair<xstring,xstring>(name,xstring()))) != m_attrMap.end()) {
549 Attribute* a = rule->second.first->decode(rule->second.second, &attr, assertingParty, relyingParty);
551 attributes.push_back(a);
557 if (m_log.isInfoEnabled()) {
558 auto_ptr_char temp1(name);
559 auto_ptr_char temp2(format);
560 m_log.info("skipping unmapped SAML 2.0 Attribute with Name: %s%s%s", temp1.get(), *temp2.get() ? ", Format:" : "", temp2.get());
564 void XMLExtractorImpl::extractAttributes(
565 const Application& application,
566 const char* assertingParty,
567 const char* relyingParty,
568 const saml1::AttributeStatement& statement,
569 vector<Attribute*>& attributes
572 const vector<saml1::Attribute*>& attrs = statement.getAttributes();
573 for (vector<saml1::Attribute*>::const_iterator a = attrs.begin(); a!=attrs.end(); ++a)
574 extractAttributes(application, assertingParty, relyingParty, *(*a), attributes);
577 void XMLExtractorImpl::extractAttributes(
578 const Application& application,
579 const char* assertingParty,
580 const char* relyingParty,
581 const saml2::AttributeStatement& statement,
582 vector<Attribute*>& attributes
585 const vector<saml2::Attribute*>& attrs = statement.getAttributes();
586 for (vector<saml2::Attribute*>::const_iterator a = attrs.begin(); a!=attrs.end(); ++a)
587 extractAttributes(application, assertingParty, relyingParty, *(*a), attributes);
590 void XMLExtractorImpl::extractAttributes(
591 const Application& application,
592 const ObservableMetadataProvider* observable,
593 const XMLCh* entityID,
594 const char* relyingParty,
595 const Extensions& ext,
596 vector<Attribute*>& attributes
599 const vector<XMLObject*>& exts = ext.getUnknownXMLObjects();
600 for (vector<XMLObject*>::const_iterator i = exts.begin(); i!=exts.end(); ++i) {
601 const EntityAttributes* container = dynamic_cast<const EntityAttributes*>(*i);
605 bool useCache = false;
606 map<const ObservableMetadataProvider*,decoded_t>::iterator cacheEntry;
608 // Check for cached result.
610 m_attrLock->rdlock();
611 cacheEntry = m_decodedMap.find(observable);
612 if (cacheEntry == m_decodedMap.end()) {
613 // We need to elevate the lock and retry.
614 m_attrLock->unlock();
615 m_attrLock->wrlock();
616 cacheEntry = m_decodedMap.find(observable);
617 if (cacheEntry==m_decodedMap.end()) {
619 // It's still brand new, so hook it for cache activation.
620 observable->addObserver(this);
622 // Prime the map reference with an empty decoded map.
623 cacheEntry = m_decodedMap.insert(make_pair(observable,decoded_t())).first;
625 // Downgrade the lock.
626 // We don't have to recheck because we never erase the master map entry entirely, even on changes.
627 m_attrLock->unlock();
628 m_attrLock->rdlock();
635 // We're holding a read lock, so check the cache.
636 decoded_t::iterator d = cacheEntry->second.find(container);
637 if (d != cacheEntry->second.end()) {
638 SharedLock locker(m_attrLock, false); // pop the lock when we're done
639 for (vector<DDF>::iterator obj = d->second.begin(); obj != d->second.end(); ++obj) {
640 auto_ptr<Attribute> wrapper(Attribute::unmarshall(*obj));
641 m_log.debug("recovered cached metadata attribute (%s)", wrapper->getId());
642 attributes.push_back(wrapper.release());
648 // Use a holding area to support caching.
649 vector<Attribute*> holding;
651 const vector<saml2::Attribute*>& attrs = container->getAttributes();
652 for (vector<saml2::Attribute*>::const_iterator attr = attrs.begin(); attr != attrs.end(); ++attr) {
654 extractAttributes(application, nullptr, relyingParty, *(*attr), holding);
658 m_attrLock->unlock();
659 for_each(holding.begin(), holding.end(), xmltooling::cleanup<Attribute>());
664 if (entityID && m_entityAssertions) {
665 const vector<saml2::Assertion*>& asserts = container->getAssertions();
666 for (vector<saml2::Assertion*>::const_iterator assert = asserts.begin(); assert != asserts.end(); ++assert) {
667 if (!(*assert)->getSignature()) {
668 if (m_log.isDebugEnabled()) {
669 auto_ptr_char eid(entityID);
670 m_log.debug("skipping unsigned assertion in metadata extension for entity (%s)", eid.get());
674 else if ((*assert)->getAttributeStatements().empty()) {
675 if (m_log.isDebugEnabled()) {
676 auto_ptr_char eid(entityID);
677 m_log.debug("skipping assertion with no AttributeStatement in metadata extension for entity (%s)", eid.get());
683 const NameID* subject = (*assert)->getSubject() ? (*assert)->getSubject()->getNameID() : nullptr;
685 !XMLString::equals(subject->getFormat(), NameID::ENTITY) ||
686 !XMLString::equals(subject->getName(), entityID)) {
687 if (m_log.isDebugEnabled()) {
688 auto_ptr_char eid(entityID);
689 m_log.debug("skipping assertion with improper Subject in metadata extension for entity (%s)", eid.get());
695 // Use a private holding area for filtering purposes.
696 vector<Attribute*> holding2;
699 // Set up and evaluate a policy for an AA asserting attributes to us.
700 shibsp::SecurityPolicy policy(application, &AttributeAuthorityDescriptor::ELEMENT_QNAME, false, m_policyId.c_str());
701 Locker locker(m_metadata);
703 policy.setMetadataProvider(m_metadata);
705 policy.setTrustEngine(m_trust);
706 // Populate recipient as audience.
707 const XMLCh* issuer = (*assert)->getIssuer() ? (*assert)->getIssuer()->getName() : nullptr;
708 policy.getAudiences().push_back(application.getRelyingParty(issuer)->getXMLString("entityID").second);
710 // Extract assertion information for policy.
711 policy.setMessageID((*assert)->getID());
712 policy.setIssueInstant((*assert)->getIssueInstantEpoch());
713 policy.setIssuer((*assert)->getIssuer());
715 // Look up metadata for issuer.
716 if (policy.getIssuer() && policy.getMetadataProvider()) {
717 if (policy.getIssuer()->getFormat() && !XMLString::equals(policy.getIssuer()->getFormat(), saml2::NameIDType::ENTITY)) {
718 m_log.debug("non-system entity issuer, skipping metadata lookup");
721 m_log.debug("searching metadata for entity assertion issuer...");
722 pair<const EntityDescriptor*,const RoleDescriptor*> lookup;
723 MetadataProvider::Criteria& mc = policy.getMetadataProviderCriteria();
724 mc.entityID_unicode = policy.getIssuer()->getName();
725 mc.role = &AttributeAuthorityDescriptor::ELEMENT_QNAME;
726 mc.protocol = samlconstants::SAML20P_NS;
727 lookup = policy.getMetadataProvider()->getEntityDescriptor(mc);
729 auto_ptr_char iname(policy.getIssuer()->getName());
730 m_log.debug("no metadata found, can't establish identity of issuer (%s)", iname.get());
732 else if (!lookup.second) {
733 m_log.debug("unable to find compatible AA role in metadata");
736 policy.setIssuerMetadata(lookup.second);
741 // Authenticate the assertion. We have to clone and marshall it to establish the signature for verification.
742 auto_ptr<saml2::Assertion> tokencopy((*assert)->cloneAssertion());
743 tokencopy->marshall();
744 policy.evaluate(*tokencopy);
745 if (!policy.isAuthenticated()) {
746 if (m_log.isDebugEnabled()) {
747 auto_ptr_char tempid(tokencopy->getID());
748 auto_ptr_char eid(entityID);
750 "failed to authenticate assertion (%s) in metadata extension for entity (%s)", tempid.get(), eid.get()
756 // Override the asserting/relying party names based on this new issuer.
757 const EntityDescriptor* inlineEntity =
758 policy.getIssuerMetadata() ? dynamic_cast<const EntityDescriptor*>(policy.getIssuerMetadata()->getParent()) : nullptr;
759 auto_ptr_char inlineAssertingParty(inlineEntity ? inlineEntity->getEntityID() : nullptr);
760 relyingParty = application.getRelyingParty(inlineEntity)->getString("entityID").second;
761 const vector<saml2::Attribute*>& attrs2 =
762 const_cast<const saml2::AttributeStatement*>(tokencopy->getAttributeStatements().front())->getAttributes();
763 for (vector<saml2::Attribute*>::const_iterator a = attrs2.begin(); a!=attrs2.end(); ++a)
764 extractAttributes(application, inlineAssertingParty.get(), relyingParty, *(*a), holding2);
766 // Now we locally filter the attributes so that the actual issuer can be properly set.
767 // If we relied on outside filtering, the attributes couldn't be distinguished from the
768 // ones that come from the user's IdP.
769 if (m_filter && !holding2.empty()) {
770 BasicFilteringContext fc(application, holding2, policy.getIssuerMetadata());
771 Locker filtlocker(m_filter);
773 m_filter->filterAttributes(fc, holding2);
775 catch (exception& ex) {
776 m_log.error("caught exception filtering attributes: %s", ex.what());
777 m_log.error("dumping extracted attributes due to filtering exception");
778 for_each(holding2.begin(), holding2.end(), xmltooling::cleanup<Attribute>());
783 if (!holding2.empty()) {
784 // Copy them over to the main holding tank.
785 holding.insert(holding.end(), holding2.begin(), holding2.end());
788 catch (exception& ex) {
789 // Known exceptions are handled gracefully by skipping the assertion.
790 if (m_log.isDebugEnabled()) {
791 auto_ptr_char tempid((*assert)->getID());
792 auto_ptr_char eid(entityID);
794 "exception authenticating assertion (%s) in metadata extension for entity (%s): %s",
800 for_each(holding2.begin(), holding2.end(), xmltooling::cleanup<Attribute>());
804 // Unknown exceptions are fatal.
806 m_attrLock->unlock();
807 for_each(holding.begin(), holding.end(), xmltooling::cleanup<Attribute>());
808 for_each(holding2.begin(), holding2.end(), xmltooling::cleanup<Attribute>());
814 if (!holding.empty()) {
816 m_attrLock->unlock();
817 m_attrLock->wrlock();
818 SharedLock locker(m_attrLock, false); // pop the lock when we're done
819 if (cacheEntry->second.count(container) == 0) {
820 for (vector<Attribute*>::const_iterator held = holding.begin(); held != holding.end(); ++held)
821 cacheEntry->second[container].push_back((*held)->marshall());
824 attributes.insert(attributes.end(), holding.begin(), holding.end());
827 m_attrLock->unlock();
830 break; // only process a single extension element
834 void XMLExtractor::extractAttributes(
835 const Application& application, const RoleDescriptor* issuer, const XMLObject& xmlObject, vector<Attribute*>& attributes
841 const EntityDescriptor* entity = issuer ? dynamic_cast<const EntityDescriptor*>(issuer->getParent()) : nullptr;
842 const char* relyingParty = application.getRelyingParty(entity)->getString("entityID").second;
844 // Check for statements.
845 if (XMLString::equals(xmlObject.getElementQName().getLocalPart(), saml1::AttributeStatement::LOCAL_NAME)) {
846 const saml2::AttributeStatement* statement2 = dynamic_cast<const saml2::AttributeStatement*>(&xmlObject);
848 auto_ptr_char assertingParty(entity ? entity->getEntityID() : nullptr);
849 m_impl->extractAttributes(application, assertingParty.get(), relyingParty, *statement2, attributes);
850 // Handle EncryptedAttributes inline so we have access to the role descriptor.
851 const vector<saml2::EncryptedAttribute*>& encattrs = statement2->getEncryptedAttributes();
852 for (vector<saml2::EncryptedAttribute*>::const_iterator ea = encattrs.begin(); ea!=encattrs.end(); ++ea)
853 extractAttributes(application, issuer, *(*ea), attributes);
857 const saml1::AttributeStatement* statement1 = dynamic_cast<const saml1::AttributeStatement*>(&xmlObject);
859 auto_ptr_char assertingParty(entity ? entity->getEntityID() : nullptr);
860 m_impl->extractAttributes(application, assertingParty.get(), relyingParty, *statement1, attributes);
864 throw AttributeExtractionException("Unable to extract attributes, unknown object type.");
867 // Check for assertions.
868 if (XMLString::equals(xmlObject.getElementQName().getLocalPart(), saml1::Assertion::LOCAL_NAME)) {
869 const saml2::Assertion* token2 = dynamic_cast<const saml2::Assertion*>(&xmlObject);
871 auto_ptr_char assertingParty(entity ? entity->getEntityID() : nullptr);
872 const vector<saml2::AttributeStatement*>& statements = token2->getAttributeStatements();
873 for (vector<saml2::AttributeStatement*>::const_iterator s = statements.begin(); s!=statements.end(); ++s) {
874 m_impl->extractAttributes(application, assertingParty.get(), relyingParty, *(*s), attributes);
875 // Handle EncryptedAttributes inline so we have access to the role descriptor.
876 const vector<saml2::EncryptedAttribute*>& encattrs = const_cast<const saml2::AttributeStatement*>(*s)->getEncryptedAttributes();
877 for (vector<saml2::EncryptedAttribute*>::const_iterator ea = encattrs.begin(); ea!=encattrs.end(); ++ea)
878 extractAttributes(application, issuer, *(*ea), attributes);
883 const saml1::Assertion* token1 = dynamic_cast<const saml1::Assertion*>(&xmlObject);
885 auto_ptr_char assertingParty(entity ? entity->getEntityID() : nullptr);
886 const vector<saml1::AttributeStatement*>& statements = token1->getAttributeStatements();
887 for (vector<saml1::AttributeStatement*>::const_iterator s = statements.begin(); s!=statements.end(); ++s)
888 m_impl->extractAttributes(application, assertingParty.get(), relyingParty, *(*s), attributes);
892 throw AttributeExtractionException("Unable to extract attributes, unknown object type.");
895 // Check for metadata.
896 if (XMLString::equals(xmlObject.getElementQName().getNamespaceURI(), samlconstants::SAML20MD_NS)) {
897 const RoleDescriptor* roleToExtract = dynamic_cast<const RoleDescriptor*>(&xmlObject);
898 const EntityDescriptor* entityToExtract = roleToExtract ? dynamic_cast<const EntityDescriptor*>(roleToExtract->getParent()) : nullptr;
899 if (!entityToExtract)
900 throw AttributeExtractionException("Unable to extract attributes, unknown metadata object type.");
901 const Extensions* ext = entityToExtract->getExtensions();
903 m_impl->extractAttributes(
905 dynamic_cast<const ObservableMetadataProvider*>(application.getMetadataProvider(false)),
906 entityToExtract->getEntityID(),
912 const EntitiesDescriptor* group = dynamic_cast<const EntitiesDescriptor*>(entityToExtract->getParent());
914 ext = group->getExtensions();
916 m_impl->extractAttributes(
918 dynamic_cast<const ObservableMetadataProvider*>(application.getMetadataProvider(false)),
919 nullptr, // not an entity, so inline assertions won't be processed
925 group = dynamic_cast<const EntitiesDescriptor*>(group->getParent());
930 // Check for attributes.
931 if (XMLString::equals(xmlObject.getElementQName().getLocalPart(), saml1::Attribute::LOCAL_NAME)) {
932 auto_ptr_char assertingParty(entity ? entity->getEntityID() : nullptr);
933 const saml2::Attribute* attr2 = dynamic_cast<const saml2::Attribute*>(&xmlObject);
935 return m_impl->extractAttributes(application, assertingParty.get(), relyingParty, *attr2, attributes);
937 const saml1::Attribute* attr1 = dynamic_cast<const saml1::Attribute*>(&xmlObject);
939 return m_impl->extractAttributes(application, assertingParty.get(), relyingParty, *attr1, attributes);
941 throw AttributeExtractionException("Unable to extract attributes, unknown object type.");
944 if (XMLString::equals(xmlObject.getElementQName().getLocalPart(), EncryptedAttribute::LOCAL_NAME)) {
945 const EncryptedAttribute* encattr = dynamic_cast<const EncryptedAttribute*>(&xmlObject);
947 const XMLCh* recipient = application.getXMLString("entityID").second;
948 CredentialResolver* cr = application.getCredentialResolver();
950 m_log.warn("found encrypted attribute, but no CredentialResolver was available");
955 Locker credlocker(cr);
957 MetadataCredentialCriteria mcc(*issuer);
958 auto_ptr<XMLObject> decrypted(encattr->decrypt(*cr, recipient, &mcc));
959 if (m_log.isDebugEnabled())
960 m_log.debugStream() << "decrypted Attribute: " << *(decrypted.get()) << logging::eol;
961 return extractAttributes(application, issuer, *(decrypted.get()), attributes);
964 auto_ptr<XMLObject> decrypted(encattr->decrypt(*cr, recipient));
965 if (m_log.isDebugEnabled())
966 m_log.debugStream() << "decrypted Attribute: " << *(decrypted.get()) << logging::eol;
967 return extractAttributes(application, issuer, *(decrypted.get()), attributes);
970 catch (exception& ex) {
971 m_log.error("caught exception decrypting Attribute: %s", ex.what());
977 // Check for NameIDs.
978 const NameID* name2 = dynamic_cast<const NameID*>(&xmlObject);
980 auto_ptr_char assertingParty(entity ? entity->getEntityID() : nullptr);
981 return m_impl->extractAttributes(application, assertingParty.get(), relyingParty, *name2, attributes);
984 const NameIdentifier* name1 = dynamic_cast<const NameIdentifier*>(&xmlObject);
986 auto_ptr_char assertingParty(entity ? entity->getEntityID() : nullptr);
987 return m_impl->extractAttributes(application, assertingParty.get(), relyingParty, *name1, attributes);
990 m_log.debug("unable to extract attributes, unknown XML object type: %s", xmlObject.getElementQName().toString().c_str());
993 pair<bool,DOMElement*> XMLExtractor::background_load()
995 // Load from source using base class.
996 pair<bool,DOMElement*> raw = ReloadableXMLFile::load();
998 // If we own it, wrap it.
999 XercesJanitor<DOMDocument> docjanitor(raw.first ? raw.second->getOwnerDocument() : nullptr);
1001 XMLExtractorImpl* impl = new XMLExtractorImpl(raw.second, m_log);
1003 // If we held the document, transfer it to the impl. If we didn't, it's a no-op.
1004 impl->setDocument(docjanitor.release());
1006 // Perform the swap inside a lock.
1009 SharedLock locker(m_lock, false);
1013 return make_pair(false,(DOMElement*)nullptr);