shibsp/binding/impl/ArtifactResolver.cpp

   1 /*
   2  *  Copyright 2001-2007 Internet2
   3  *
   4  * Licensed under the Apache License, Version 2.0 (the "License");
   5  * you may not use this file except in compliance with the License.
   6  * You may obtain a copy of the License at
   7  *
   8  *     http://www.apache.org/licenses/LICENSE-2.0
   9  *
  10  * Unless required by applicable law or agreed to in writing, software
  11  * distributed under the License is distributed on an "AS IS" BASIS,
  12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  13  * See the License for the specific language governing permissions and
  14  * limitations under the License.
  15  */
  16
  17 /**
  18  * ArtifactResolver.cpp
  19  *
  20  * SAML artifact resolver for SP use.
  21  */
  22
  23 #include "internal.h"
  24 #include "Application.h"
  25 #include "exceptions.h"
  26 #include "binding/ArtifactResolver.h"
  27 #include "binding/SOAPClient.h"
  28 #include "security/SecurityPolicy.h"
  29
  30 #include <saml/saml1/core/Protocols.h>
  31 #include <saml/saml1/binding/SAML1SOAPClient.h>
  32 #include <saml/saml2/core/Protocols.h>
  33 #include <saml/saml2/binding/SAML2Artifact.h>
  34 #include <saml/saml2/binding/SAML2SOAPClient.h>
  35 #include <saml/saml2/metadata/MetadataCredentialCriteria.h>
  36 #include <saml/util/SAMLConstants.h>
  37
  38 using namespace shibsp;
  39 using namespace opensaml::saml1p;
  40 using namespace opensaml::saml2;
  41 using namespace opensaml::saml2p;
  42 using namespace opensaml::saml2md;
  43 using namespace opensaml;
  44 using namespace xmltooling;
  45 using namespace std;
  46
  47 saml1p::Response* ArtifactResolver::resolve(
  48     const vector<SAMLArtifact*>& artifacts,
  49     const IDPSSODescriptor& idpDescriptor,
  50     opensaml::SecurityPolicy& policy
  51     ) const
  52 {
  53     MetadataCredentialCriteria mcc(idpDescriptor);
  54     shibsp::SOAPClient soaper(dynamic_cast<shibsp::SecurityPolicy&>(policy));
  55
  56     bool foundEndpoint = false;
  57     auto_ptr_XMLCh binding(samlconstants::SAML1_BINDING_SOAP);
  58     saml1p::Response* response=NULL;
  59     const vector<ArtifactResolutionService*>& endpoints=idpDescriptor.getArtifactResolutionServices();
  60     for (vector<ArtifactResolutionService*>::const_iterator ep=endpoints.begin(); !response && ep!=endpoints.end(); ++ep) {
  61         try {
  62             if (!XMLString::equals((*ep)->getBinding(),binding.get()))
  63                 continue;
  64             foundEndpoint = true;
  65             auto_ptr_char loc((*ep)->getLocation());
  66             saml1p::Request* request = saml1p::RequestBuilder::buildRequest();
  67             request->setMinorVersion(idpDescriptor.hasSupport(samlconstants::SAML11_PROTOCOL_ENUM) ? 1 : 0);
  68             for (vector<SAMLArtifact*>::const_iterator a = artifacts.begin(); a!=artifacts.end(); ++a) {
  69                 auto_ptr_XMLCh artbuf((*a)->encode().c_str());
  70                 AssertionArtifact* aa = AssertionArtifactBuilder::buildAssertionArtifact();
  71                 aa->setArtifact(artbuf.get());
  72                 request->getAssertionArtifacts().push_back(aa);
  73             }
  74
  75             SAML1SOAPClient client(soaper, false);
  76             client.sendSAML(request, mcc, loc.get());
  77             response = client.receiveSAML();
  78         }
  79         catch (exception& ex) {
  80             Category::getInstance(SHIBSP_LOGCAT".ArtifactResolver").error("exception resolving SAML 1.x artifact(s): %s", ex.what());
  81             soaper.reset();
  82         }
  83     }
  84
  85     if (!foundEndpoint)
  86         throw MetadataException("No compatible endpoint found in issuer's metadata.");
  87     else if (!response)
  88         throw BindingException("Unable to resolve artifact(s) into a SAML response.");
  89     const QName* code = (response->getStatus() && response->getStatus()->getStatusCode()) ? response->getStatus()->getStatusCode()->getValue() : NULL;
  90     if (!code || *code != saml1p::StatusCode::SUCCESS) {
  91         delete response;
  92         throw BindingException("Identity provider returned a SAML error in response to artifact(s).");
  93     }
  94
  95     return response;
  96 }
  97
  98 ArtifactResponse* ArtifactResolver::resolve(
  99     const SAML2Artifact& artifact,
 100     const SSODescriptorType& ssoDescriptor,
 101     opensaml::SecurityPolicy& policy
 102     ) const
 103 {
 104     MetadataCredentialCriteria mcc(ssoDescriptor);
 105     shibsp::SecurityPolicy& sppolicy = dynamic_cast<shibsp::SecurityPolicy&>(policy);
 106     shibsp::SOAPClient soaper(sppolicy);
 107
 108     bool foundEndpoint = false;
 109     auto_ptr_XMLCh binding(samlconstants::SAML20_BINDING_SOAP);
 110     ArtifactResponse* response=NULL;
 111     const vector<ArtifactResolutionService*>& endpoints=ssoDescriptor.getArtifactResolutionServices();
 112     for (vector<ArtifactResolutionService*>::const_iterator ep=endpoints.begin(); !response && ep!=endpoints.end(); ++ep) {
 113         try {
 114             if (!XMLString::equals((*ep)->getBinding(),binding.get()))
 115                 continue;
 116             foundEndpoint = true;
 117             auto_ptr_char loc((*ep)->getLocation());
 118             auto_ptr_XMLCh issuer(sppolicy.getApplication().getString("entityID").second);
 119             ArtifactResolve* request = ArtifactResolveBuilder::buildArtifactResolve();
 120             Issuer* iss = IssuerBuilder::buildIssuer();
 121             request->setIssuer(iss);
 122             iss->setName(issuer.get());
 123             auto_ptr_XMLCh artbuf(artifact.encode().c_str());
 124             Artifact* a = ArtifactBuilder::buildArtifact();
 125             a->setArtifact(artbuf.get());
 126             request->setArtifact(a);
 127
 128             SAML2SOAPClient client(soaper, false);
 129             client.sendSAML(request, mcc, loc.get());
 130             StatusResponseType* srt = client.receiveSAML();
 131             if (!(response = dynamic_cast<ArtifactResponse*>(srt))) {
 132                 delete srt;
 133                 break;
 134             }
 135         }
 136         catch (exception& ex) {
 137             Category::getInstance(SHIBSP_LOGCAT".ArtifactResolver").error("exception resolving SAML 2.0 artifact: %s", ex.what());
 138             soaper.reset();
 139         }
 140     }
 141
 142     if (!foundEndpoint)
 143         throw MetadataException("No compatible endpoint found in issuer's metadata.");
 144     else if (!response)
 145         throw BindingException("Unable to resolve artifact(s) into a SAML response.");
 146     else if (!response->getStatus() || !response->getStatus()->getStatusCode() ||
 147            !XMLString::equals(response->getStatus()->getStatusCode()->getValue(), saml2p::StatusCode::SUCCESS)) {
 148         delete response;
 149         throw BindingException("Identity provider returned a SAML error in response to artifact.");
 150     }
 151     return response;
 152 }