2 * Copyright 2001-2007 Internet2
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
8 * http://www.apache.org/licenses/LICENSE-2.0
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
18 * XMLAttributeExtractor.cpp
20 * AttributeExtractor based on an XML mapping file.
24 #include "Application.h"
25 #include "ServiceProvider.h"
26 #include "attribute/AttributeDecoder.h"
27 #include "attribute/resolver/AttributeExtractor.h"
28 #include "util/SPConstants.h"
30 #include <saml/saml1/core/Assertions.h>
31 #include <saml/saml2/core/Assertions.h>
32 #include <saml/saml2/metadata/MetadataCredentialCriteria.h>
33 #include <xmltooling/util/NDC.h>
34 #include <xmltooling/util/ReloadableXMLFile.h>
35 #include <xmltooling/util/XMLHelper.h>
36 #include <xercesc/util/XMLUniDefs.hpp>
38 using namespace shibsp;
39 using namespace opensaml::saml2md;
40 using namespace opensaml;
41 using namespace xmltooling;
43 using saml1::NameIdentifier;
45 using saml2::EncryptedAttribute;
49 #if defined (_MSC_VER)
50 #pragma warning( push )
51 #pragma warning( disable : 4250 )
54 class XMLExtractorImpl
57 XMLExtractorImpl(const DOMElement* e, Category& log);
59 for (attrmap_t::iterator i = m_attrMap.begin(); i!=m_attrMap.end(); ++i)
60 delete i->second.first;
62 m_document->release();
65 void setDocument(DOMDocument* doc) {
69 void extractAttributes(
70 const Application& application, const char* assertingParty, const NameIdentifier& nameid, vector<Attribute*>& attributes
72 void extractAttributes(
73 const Application& application, const char* assertingParty, const NameID& nameid, vector<Attribute*>& attributes
75 void extractAttributes(
76 const Application& application, const char* assertingParty, const saml1::Attribute& attr, vector<Attribute*>& attributes
78 void extractAttributes(
79 const Application& application, const char* assertingParty, const saml2::Attribute& attr, vector<Attribute*>& attributes
81 void extractAttributes(
82 const Application& application, const char* assertingParty, const Extensions& ext, vector<Attribute*>& attributes
85 void getAttributeIds(vector<string>& attributes) const {
86 attributes.insert(attributes.end(), m_attributeIds.begin(), m_attributeIds.end());
91 DOMDocument* m_document;
93 typedef map< pair<xstring,xstring>,pair< AttributeDecoder*,vector<string> > > attrmap_t;
95 typedef map< pair<string,string>,pair< AttributeDecoder*,vector<string> > > attrmap_t;
98 vector<string> m_attributeIds;
101 class XMLExtractor : public AttributeExtractor, public ReloadableXMLFile
104 XMLExtractor(const DOMElement* e) : ReloadableXMLFile(e, Category::getInstance(SHIBSP_LOGCAT".AttributeExtractor")), m_impl(NULL) {
111 void extractAttributes(
112 const Application& application, const RoleDescriptor* issuer, const XMLObject& xmlObject, vector<Attribute*>& attributes
115 void getAttributeIds(std::vector<std::string>& attributes) const {
117 m_impl->getAttributeIds(attributes);
121 pair<bool,DOMElement*> load();
124 XMLExtractorImpl* m_impl;
127 #if defined (_MSC_VER)
128 #pragma warning( pop )
131 AttributeExtractor* SHIBSP_DLLLOCAL XMLAttributeExtractorFactory(const DOMElement* const & e)
133 return new XMLExtractor(e);
136 static const XMLCh _AttributeDecoder[] = UNICODE_LITERAL_16(A,t,t,r,i,b,u,t,e,D,e,c,o,d,e,r);
137 static const XMLCh Attributes[] = UNICODE_LITERAL_10(A,t,t,r,i,b,u,t,e,s);
138 static const XMLCh _id[] = UNICODE_LITERAL_2(i,d);
139 static const XMLCh _aliases[] = UNICODE_LITERAL_7(a,l,i,a,s,e,s);
140 static const XMLCh _name[] = UNICODE_LITERAL_4(n,a,m,e);
141 static const XMLCh nameFormat[] = UNICODE_LITERAL_10(n,a,m,e,F,o,r,m,a,t);
144 void SHIBSP_API shibsp::registerAttributeExtractors()
146 SPConfig::getConfig().AttributeExtractorManager.registerFactory(XML_ATTRIBUTE_EXTRACTOR, XMLAttributeExtractorFactory);
149 XMLExtractorImpl::XMLExtractorImpl(const DOMElement* e, Category& log) : m_log(log), m_document(NULL)
152 xmltooling::NDC ndc("XMLExtractorImpl");
155 if (!XMLHelper::isNodeNamed(e, shibspconstants::SHIB2ATTRIBUTEMAP_NS, Attributes))
156 throw ConfigurationException("XML AttributeExtractor requires am:Attributes at root of configuration.");
158 DOMElement* child = XMLHelper::getFirstChildElement(e, shibspconstants::SHIB2ATTRIBUTEMAP_NS, saml1::Attribute::LOCAL_NAME);
160 // Check for missing name or id.
161 const XMLCh* name = child->getAttributeNS(NULL, _name);
162 if (!name || !*name) {
163 m_log.warn("skipping Attribute with no name");
164 child = XMLHelper::getNextSiblingElement(child, shibspconstants::SHIB2ATTRIBUTEMAP_NS, saml1::Attribute::LOCAL_NAME);
168 auto_ptr_char id(child->getAttributeNS(NULL, _id));
169 if (!id.get() || !*id.get()) {
170 m_log.warn("skipping Attribute with no id");
171 child = XMLHelper::getNextSiblingElement(child, shibspconstants::SHIB2ATTRIBUTEMAP_NS, saml1::Attribute::LOCAL_NAME);
174 else if (!strcmp(id.get(), "REMOTE_USER")) {
175 m_log.warn("skipping Attribute, id of REMOTE_USER is a reserved name");
176 child = XMLHelper::getNextSiblingElement(child, shibspconstants::SHIB2ATTRIBUTEMAP_NS, saml1::Attribute::LOCAL_NAME);
180 AttributeDecoder* decoder=NULL;
182 DOMElement* dchild = XMLHelper::getFirstChildElement(child, shibspconstants::SHIB2ATTRIBUTEMAP_NS, _AttributeDecoder);
184 auto_ptr<QName> q(XMLHelper::getXSIType(dchild));
186 decoder = SPConfig::getConfig().AttributeDecoderManager.newPlugin(*q.get(), dchild);
189 decoder = SPConfig::getConfig().AttributeDecoderManager.newPlugin(StringAttributeDecoderType, NULL);
191 catch (exception& ex) {
192 m_log.error("skipping Attribute (%s), error building AttributeDecoder: %s", id.get(), ex.what());
196 child = XMLHelper::getNextSiblingElement(child, shibspconstants::SHIB2ATTRIBUTEMAP_NS, saml1::Attribute::LOCAL_NAME);
200 // Empty NameFormat implies the usual Shib URI naming defaults.
201 const XMLCh* format = child->getAttributeNS(NULL, nameFormat);
202 if (!format || XMLString::equals(format, shibspconstants::SHIB1_ATTRIBUTE_NAMESPACE_URI) ||
203 XMLString::equals(format, saml2::Attribute::URI_REFERENCE))
204 format = &chNull; // ignore default Format/Namespace values
206 // Fetch/create the map entry and see if it's a duplicate rule.
208 pair< AttributeDecoder*,vector<string> >& decl = m_attrMap[pair<xstring,xstring>(name,format)];
210 auto_ptr_char n(name);
211 auto_ptr_char f(format);
212 pair< AttributeDecoder*,vector<string> >& decl = m_attrMap[pair<string,string>(n.get(),f.get())];
215 m_log.warn("skipping duplicate Attribute mapping (same name and nameFormat)");
217 child = XMLHelper::getNextSiblingElement(child, shibspconstants::SHIB2ATTRIBUTEMAP_NS, saml1::Attribute::LOCAL_NAME);
221 if (m_log.isInfoEnabled()) {
223 auto_ptr_char n(name);
224 auto_ptr_char f(format);
226 m_log.info("creating mapping for Attribute %s%s%s", n.get(), *f.get() ? ", Format/Namespace:" : "", f.get());
229 decl.first = decoder;
230 decl.second.push_back(id.get());
231 m_attributeIds.push_back(id.get());
233 name = child->getAttributeNS(NULL, _aliases);
235 auto_ptr_char aliases(name);
237 char* start = const_cast<char*>(aliases.get());
238 while (start && *start) {
239 while (*start && isspace(*start))
243 pos = strchr(start,' ');
246 if (strcmp(start, "REMOTE_USER")) {
247 decl.second.push_back(start);
248 m_attributeIds.push_back(start);
251 m_log.warn("skipping alias, REMOTE_USER is a reserved name");
253 start = pos ? pos+1 : NULL;
257 child = XMLHelper::getNextSiblingElement(child, shibspconstants::SHIB2ATTRIBUTEMAP_NS, saml1::Attribute::LOCAL_NAME);
261 void XMLExtractorImpl::extractAttributes(
262 const Application& application, const char* assertingParty, const NameIdentifier& nameid, vector<Attribute*>& attributes
266 map< pair<xstring,xstring>,pair< AttributeDecoder*,vector<string> > >::const_iterator rule;
268 map< pair<string,string>,pair< AttributeDecoder*,vector<string> > >::const_iterator rule;
271 const XMLCh* format = nameid.getFormat();
272 if (!format || !*format)
273 format = NameIdentifier::UNSPECIFIED;
275 if ((rule=m_attrMap.find(pair<xstring,xstring>(format,xstring()))) != m_attrMap.end()) {
277 auto_ptr_char temp(format);
278 if ((rule=m_attrMap.find(pair<string,string>(temp.get(),string()))) != m_attrMap.end()) {
280 Attribute* a = rule->second.first->decode(rule->second.second, &nameid, assertingParty, application.getString("entityID").second);
282 attributes.push_back(a);
286 void XMLExtractorImpl::extractAttributes(
287 const Application& application, const char* assertingParty, const NameID& nameid, vector<Attribute*>& attributes
291 map< pair<xstring,xstring>,pair< AttributeDecoder*,vector<string> > >::const_iterator rule;
293 map< pair<string,string>,pair< AttributeDecoder*,vector<string> > >::const_iterator rule;
296 const XMLCh* format = nameid.getFormat();
297 if (!format || !*format)
298 format = NameID::UNSPECIFIED;
300 if ((rule=m_attrMap.find(pair<xstring,xstring>(format,xstring()))) != m_attrMap.end()) {
302 auto_ptr_char temp(format);
303 if ((rule=m_attrMap.find(pair<string,string>(temp.get(),string()))) != m_attrMap.end()) {
305 Attribute* a = rule->second.first->decode(rule->second.second, &nameid, assertingParty, application.getString("entityID").second);
307 attributes.push_back(a);
311 void XMLExtractorImpl::extractAttributes(
312 const Application& application, const char* assertingParty, const saml1::Attribute& attr, vector<Attribute*>& attributes
316 map< pair<xstring,xstring>,pair< AttributeDecoder*,vector<string> > >::const_iterator rule;
318 map< pair<string,string>,pair< AttributeDecoder*,vector<string> > >::const_iterator rule;
321 const XMLCh* name = attr.getAttributeName();
322 const XMLCh* format = attr.getAttributeNamespace();
325 if (!format || XMLString::equals(format, shibspconstants::SHIB1_ATTRIBUTE_NAMESPACE_URI))
328 if ((rule=m_attrMap.find(pair<xstring,xstring>(name,format))) != m_attrMap.end()) {
330 auto_ptr_char temp1(name);
331 auto_ptr_char temp2(format);
332 if ((rule=m_attrMap.find(pair<string,string>(temp1.get(),temp2.get()))) != m_attrMap.end()) {
334 Attribute* a = rule->second.first->decode(rule->second.second, &attr, assertingParty, application.getString("entityID").second);
336 attributes.push_back(a);
340 void XMLExtractorImpl::extractAttributes(
341 const Application& application, const char* assertingParty, const saml2::Attribute& attr, vector<Attribute*>& attributes
345 map< pair<xstring,xstring>,pair< AttributeDecoder*,vector<string> > >::const_iterator rule;
347 map< pair<string,string>,pair< AttributeDecoder*,vector<string> > >::const_iterator rule;
350 const XMLCh* name = attr.getName();
351 const XMLCh* format = attr.getNameFormat();
354 if (!format || !*format)
355 format = saml2::Attribute::UNSPECIFIED;
356 else if (XMLString::equals(format, saml2::Attribute::URI_REFERENCE))
359 if ((rule=m_attrMap.find(pair<xstring,xstring>(name,format))) != m_attrMap.end()) {
361 auto_ptr_char temp1(name);
362 auto_ptr_char temp2(format);
363 if ((rule=m_attrMap.find(pair<string,string>(temp1.get(),temp2.get()))) != m_attrMap.end()) {
365 Attribute* a = rule->second.first->decode(rule->second.second, &attr, assertingParty, application.getString("entityID").second);
367 attributes.push_back(a);
371 void XMLExtractorImpl::extractAttributes(
372 const Application& application, const char* assertingParty, const Extensions& ext, vector<Attribute*>& attributes
375 const vector<XMLObject*> exts = ext.getUnknownXMLObjects();
376 for (vector<XMLObject*>::const_iterator i = exts.begin(); i!=exts.end(); ++i) {
377 const saml2::Attribute* attr = dynamic_cast<const saml2::Attribute*>(*i);
379 extractAttributes(application, assertingParty, *attr, attributes);
383 void XMLExtractor::extractAttributes(
384 const Application& application, const RoleDescriptor* issuer, const XMLObject& xmlObject, vector<Attribute*>& attributes
390 // Check for assertions.
391 if (XMLString::equals(xmlObject.getElementQName().getLocalPart(), saml1::Assertion::LOCAL_NAME)) {
392 const saml2::Assertion* token2 = dynamic_cast<const saml2::Assertion*>(&xmlObject);
394 auto_ptr_char assertingParty(issuer ? dynamic_cast<const EntityDescriptor*>(issuer->getParent())->getEntityID() : NULL);
395 const vector<saml2::AttributeStatement*>& statements = token2->getAttributeStatements();
396 for (vector<saml2::AttributeStatement*>::const_iterator s = statements.begin(); s!=statements.end(); ++s) {
397 const vector<saml2::Attribute*>& attrs = const_cast<const saml2::AttributeStatement*>(*s)->getAttributes();
398 for (vector<saml2::Attribute*>::const_iterator a = attrs.begin(); a!=attrs.end(); ++a)
399 m_impl->extractAttributes(application, assertingParty.get(), *(*a), attributes);
401 const vector<saml2::EncryptedAttribute*>& encattrs = const_cast<const saml2::AttributeStatement*>(*s)->getEncryptedAttributes();
402 for (vector<saml2::EncryptedAttribute*>::const_iterator ea = encattrs.begin(); ea!=encattrs.end(); ++ea)
403 extractAttributes(application, issuer, *(*ea), attributes);
408 const saml1::Assertion* token1 = dynamic_cast<const saml1::Assertion*>(&xmlObject);
410 auto_ptr_char assertingParty(issuer ? dynamic_cast<const EntityDescriptor*>(issuer->getParent())->getEntityID() : NULL);
411 const vector<saml1::AttributeStatement*>& statements = token1->getAttributeStatements();
412 for (vector<saml1::AttributeStatement*>::const_iterator s = statements.begin(); s!=statements.end(); ++s) {
413 const vector<saml1::Attribute*>& attrs = const_cast<const saml1::AttributeStatement*>(*s)->getAttributes();
414 for (vector<saml1::Attribute*>::const_iterator a = attrs.begin(); a!=attrs.end(); ++a)
415 m_impl->extractAttributes(application, assertingParty.get(), *(*a), attributes);
420 throw AttributeExtractionException("Unable to extract attributes, unknown object type.");
423 // Check for metadata.
424 if (XMLString::equals(xmlObject.getElementQName().getNamespaceURI(), samlconstants::SAML20MD_NS)) {
425 const EntityDescriptor* entity = dynamic_cast<const EntityDescriptor*>(&xmlObject);
427 throw AttributeExtractionException("Unable to extract attributes, unknown metadata object type.");
428 auto_ptr_char assertingParty(issuer ? dynamic_cast<const EntityDescriptor*>(issuer->getParent())->getEntityID() : NULL);
429 const Extensions* ext = entity->getExtensions();
431 m_impl->extractAttributes(application, assertingParty.get(), *ext, attributes);
432 const EntitiesDescriptor* group = dynamic_cast<const EntitiesDescriptor*>(entity->getParent());
434 ext = group->getExtensions();
436 m_impl->extractAttributes(application, assertingParty.get(), *ext, attributes);
437 group = dynamic_cast<const EntitiesDescriptor*>(group->getParent());
442 // Check for attributes.
443 if (XMLString::equals(xmlObject.getElementQName().getLocalPart(), saml1::Attribute::LOCAL_NAME)) {
444 auto_ptr_char assertingParty(issuer ? dynamic_cast<const EntityDescriptor*>(issuer->getParent())->getEntityID() : NULL);
446 const saml2::Attribute* attr2 = dynamic_cast<const saml2::Attribute*>(&xmlObject);
448 return m_impl->extractAttributes(application, assertingParty.get(), *attr2, attributes);
450 const saml1::Attribute* attr1 = dynamic_cast<const saml1::Attribute*>(&xmlObject);
452 return m_impl->extractAttributes(application, assertingParty.get(), *attr1, attributes);
454 throw AttributeExtractionException("Unable to extract attributes, unknown object type.");
457 if (XMLString::equals(xmlObject.getElementQName().getLocalPart(), EncryptedAttribute::LOCAL_NAME)) {
458 const EncryptedAttribute* encattr = dynamic_cast<const EncryptedAttribute*>(&xmlObject);
460 const XMLCh* recipient = application.getXMLString("entityID").second;
461 CredentialResolver* cr = application.getCredentialResolver();
463 m_log.warn("found encrypted attribute, but no CredentialResolver was available");
468 Locker credlocker(cr);
470 MetadataCredentialCriteria mcc(*issuer);
471 auto_ptr<XMLObject> decrypted(encattr->decrypt(*cr, recipient, &mcc));
472 return extractAttributes(application, issuer, *(decrypted.get()), attributes);
475 auto_ptr<XMLObject> decrypted(encattr->decrypt(*cr, recipient));
476 return extractAttributes(application, issuer, *(decrypted.get()), attributes);
479 catch (exception& ex) {
480 m_log.error("caught exception decrypting Attribute: %s", ex.what());
486 // Check for NameIDs.
487 const NameID* name2 = dynamic_cast<const NameID*>(&xmlObject);
489 auto_ptr_char assertingParty(issuer ? dynamic_cast<const EntityDescriptor*>(issuer->getParent())->getEntityID() : NULL);
490 return m_impl->extractAttributes(application, assertingParty.get(), *name2, attributes);
493 const NameIdentifier* name1 = dynamic_cast<const NameIdentifier*>(&xmlObject);
495 auto_ptr_char assertingParty(issuer ? dynamic_cast<const EntityDescriptor*>(issuer->getParent())->getEntityID() : NULL);
496 return m_impl->extractAttributes(application, assertingParty.get(), *name1, attributes);
499 throw AttributeExtractionException("Unable to extract attributes, unknown object type.");
502 pair<bool,DOMElement*> XMLExtractor::load()
504 // Load from source using base class.
505 pair<bool,DOMElement*> raw = ReloadableXMLFile::load();
507 // If we own it, wrap it.
508 XercesJanitor<DOMDocument> docjanitor(raw.first ? raw.second->getOwnerDocument() : NULL);
510 XMLExtractorImpl* impl = new XMLExtractorImpl(raw.second, m_log);
512 // If we held the document, transfer it to the impl. If we didn't, it's a no-op.
513 impl->setDocument(docjanitor.release());
518 return make_pair(false,(DOMElement*)NULL);