shibsp/binding/impl/ArtifactResolver.cpp

   1 /*
   2  *  Copyright 2001-2007 Internet2
   3  *
   4  * Licensed under the Apache License, Version 2.0 (the "License");
   5  * you may not use this file except in compliance with the License.
   6  * You may obtain a copy of the License at
   7  *
   8  *     http://www.apache.org/licenses/LICENSE-2.0
   9  *
  10  * Unless required by applicable law or agreed to in writing, software
  11  * distributed under the License is distributed on an "AS IS" BASIS,
  12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  13  * See the License for the specific language governing permissions and
  14  * limitations under the License.
  15  */
  16
  17 /**
  18  * ArtifactResolver.cpp
  19  *
  20  * SAML artifact resolver for SP use.
  21  */
  22
  23 #include "internal.h"
  24 #include "Application.h"
  25 #include "exceptions.h"
  26 #include "binding/ArtifactResolver.h"
  27 #include "binding/SOAPClient.h"
  28 #include "security/SecurityPolicy.h"
  29
  30 #include <saml/saml1/core/Protocols.h>
  31 #include <saml/saml1/binding/SAML1SOAPClient.h>
  32 #include <saml/saml2/core/Protocols.h>
  33 #include <saml/saml2/binding/SAML2Artifact.h>
  34 #include <saml/saml2/binding/SAML2SOAPClient.h>
  35 #include <saml/saml2/metadata/MetadataCredentialCriteria.h>
  36 #include <saml/util/SAMLConstants.h>
  37
  38 using namespace shibsp;
  39 using namespace opensaml::saml1p;
  40 using namespace opensaml::saml2;
  41 using namespace opensaml::saml2p;
  42 using namespace opensaml::saml2md;
  43 using namespace opensaml;
  44 using namespace xmltooling;
  45 using namespace std;
  46
  47 saml1p::Response* ArtifactResolver::resolve(
  48     const vector<SAMLArtifact*>& artifacts,
  49     const IDPSSODescriptor& idpDescriptor,
  50     opensaml::SecurityPolicy& policy
  51     ) const
  52 {
  53     MetadataCredentialCriteria mcc(idpDescriptor);
  54     shibsp::SecurityPolicy& sppolicy = dynamic_cast<shibsp::SecurityPolicy&>(policy);
  55     shibsp::SOAPClient soaper(sppolicy);
  56
  57     bool foundEndpoint = false;
  58     auto_ptr_XMLCh binding(samlconstants::SAML1_BINDING_SOAP);
  59     saml1p::Response* response=NULL;
  60     const vector<ArtifactResolutionService*>& endpoints=idpDescriptor.getArtifactResolutionServices();
  61     for (vector<ArtifactResolutionService*>::const_iterator ep=endpoints.begin(); !response && ep!=endpoints.end(); ++ep) {
  62         try {
  63             if (!XMLString::equals((*ep)->getBinding(),binding.get()))
  64                 continue;
  65             foundEndpoint = true;
  66             auto_ptr_char loc((*ep)->getLocation());
  67             saml1p::Request* request = saml1p::RequestBuilder::buildRequest();
  68             request->setMinorVersion(idpDescriptor.hasSupport(samlconstants::SAML11_PROTOCOL_ENUM) ? 1 : 0);
  69             for (vector<SAMLArtifact*>::const_iterator a = artifacts.begin(); a!=artifacts.end(); ++a) {
  70                 auto_ptr_XMLCh artbuf((*a)->encode().c_str());
  71                 AssertionArtifact* aa = AssertionArtifactBuilder::buildAssertionArtifact();
  72                 aa->setArtifact(artbuf.get());
  73                 request->getAssertionArtifacts().push_back(aa);
  74             }
  75
  76             SAML1SOAPClient client(soaper, false);
  77             client.sendSAML(request, sppolicy.getApplication().getId(), mcc, loc.get());
  78             response = client.receiveSAML();
  79         }
  80         catch (exception& ex) {
  81             Category::getInstance(SHIBSP_LOGCAT".ArtifactResolver").error("exception resolving SAML 1.x artifact(s): %s", ex.what());
  82             soaper.reset();
  83         }
  84     }
  85
  86     if (!foundEndpoint)
  87         throw MetadataException("No compatible endpoint found in issuer's metadata.");
  88     else if (!response)
  89         throw BindingException("Unable to resolve artifact(s) into a SAML response.");
  90     const QName* code = (response->getStatus() && response->getStatus()->getStatusCode()) ? response->getStatus()->getStatusCode()->getValue() : NULL;
  91     if (!code || *code != saml1p::StatusCode::SUCCESS) {
  92         delete response;
  93         throw BindingException("Identity provider returned a SAML error in response to artifact(s).");
  94     }
  95
  96     return response;
  97 }
  98
  99 ArtifactResponse* ArtifactResolver::resolve(
 100     const SAML2Artifact& artifact,
 101     const SSODescriptorType& ssoDescriptor,
 102     opensaml::SecurityPolicy& policy
 103     ) const
 104 {
 105     MetadataCredentialCriteria mcc(ssoDescriptor);
 106     shibsp::SecurityPolicy& sppolicy = dynamic_cast<shibsp::SecurityPolicy&>(policy);
 107     shibsp::SOAPClient soaper(sppolicy);
 108
 109     bool foundEndpoint = false;
 110     auto_ptr_XMLCh binding(samlconstants::SAML20_BINDING_SOAP);
 111     ArtifactResponse* response=NULL;
 112     const vector<ArtifactResolutionService*>& endpoints=ssoDescriptor.getArtifactResolutionServices();
 113     for (vector<ArtifactResolutionService*>::const_iterator ep=endpoints.begin(); !response && ep!=endpoints.end(); ++ep) {
 114         try {
 115             if (!XMLString::equals((*ep)->getBinding(),binding.get()))
 116                 continue;
 117             foundEndpoint = true;
 118             auto_ptr_char loc((*ep)->getLocation());
 119             ArtifactResolve* request = ArtifactResolveBuilder::buildArtifactResolve();
 120             Issuer* iss = IssuerBuilder::buildIssuer();
 121             request->setIssuer(iss);
 122             iss->setName(sppolicy.getApplication().getXMLString("entityID").second);
 123             auto_ptr_XMLCh artbuf(artifact.encode().c_str());
 124             Artifact* a = ArtifactBuilder::buildArtifact();
 125             a->setArtifact(artbuf.get());
 126             request->setArtifact(a);
 127
 128             SAML2SOAPClient client(soaper, false);
 129             client.sendSAML(request, sppolicy.getApplication().getId(), mcc, loc.get());
 130             StatusResponseType* srt = client.receiveSAML();
 131             if (!(response = dynamic_cast<ArtifactResponse*>(srt))) {
 132                 delete srt;
 133                 break;
 134             }
 135         }
 136         catch (exception& ex) {
 137             Category::getInstance(SHIBSP_LOGCAT".ArtifactResolver").error("exception resolving SAML 2.0 artifact: %s", ex.what());
 138             soaper.reset();
 139         }
 140     }
 141
 142     if (!foundEndpoint)
 143         throw MetadataException("No compatible endpoint found in issuer's metadata.");
 144     else if (!response)
 145         throw BindingException("Unable to resolve artifact(s) into a SAML response.");
 146     else if (!response->getStatus() || !response->getStatus()->getStatusCode() ||
 147            !XMLString::equals(response->getStatus()->getStatusCode()->getValue(), saml2p::StatusCode::SUCCESS)) {
 148         auto_ptr<ArtifactResponse> wrapper(response);
 149         BindingException ex("Identity provider returned a SAML error in response to artifact.");
 150         annotateException(&ex, &ssoDescriptor, response->getStatus());  // rethrow
 151     }
 152     return response;
 153 }