shibsp/binding/impl/SOAPClient.cpp

   1 /*
   2  *  Copyright 2001-2009 Internet2
   3  *
   4  * Licensed under the Apache License, Version 2.0 (the "License");
   5  * you may not use this file except in compliance with the License.
   6  * You may obtain a copy of the License at
   7  *
   8  *     http://www.apache.org/licenses/LICENSE-2.0
   9  *
  10  * Unless required by applicable law or agreed to in writing, software
  11  * distributed under the License is distributed on an "AS IS" BASIS,
  12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  13  * See the License for the specific language governing permissions and
  14  * limitations under the License.
  15  */
  16
  17 /**
  18  * SOAPClient.cpp
  19  *
  20  * Specialized SOAPClient for SP environment.
  21  */
  22
  23 #include "internal.h"
  24 #include "Application.h"
  25 #include "exceptions.h"
  26 #include "ServiceProvider.h"
  27 #include "binding/SOAPClient.h"
  28
  29 #include <saml/saml2/metadata/Metadata.h>
  30 #include <xmltooling/security/Credential.h>
  31 #include <xmltooling/soap/SOAP.h>
  32 #include <xmltooling/soap/HTTPSOAPTransport.h>
  33 #include <xmltooling/util/NDC.h>
  34
  35 using namespace shibsp;
  36 using namespace opensaml::saml2md;
  37 using namespace xmlsignature;
  38 using namespace xmltooling;
  39 using namespace std;
  40
  41 SOAPClient::SOAPClient(SecurityPolicy& policy)
  42     : opensaml::SOAPClient(policy), m_app(policy.getApplication()), m_relyingParty(NULL), m_credResolver(NULL)
  43 {
  44 }
  45
  46 void SOAPClient::send(const soap11::Envelope& env, const char* from, MetadataCredentialCriteria& to, const char* endpoint)
  47 {
  48     // Check for message signing requirements.
  49     m_relyingParty = m_app.getRelyingParty(dynamic_cast<const EntityDescriptor*>(to.getRole().getParent()));
  50     pair<bool,const char*> flag = m_relyingParty->getString("signing");
  51     if (flag.first && (!strcmp(flag.second, "true") || !strcmp(flag.second, "back"))) {
  52         m_credResolver=m_app.getCredentialResolver();
  53         if (m_credResolver) {
  54             m_credResolver->lock();
  55             // Fill in criteria to use.
  56             to.setUsage(Credential::SIGNING_CREDENTIAL);
  57             pair<bool,const char*> keyName = m_relyingParty->getString("keyName");
  58             if (keyName.first)
  59                 to.getKeyNames().insert(keyName.second);
  60             pair<bool,const XMLCh*> sigalg = m_relyingParty->getXMLString("signingAlg");
  61             if (sigalg.first)
  62                 to.setXMLAlgorithm(sigalg.second);
  63             const Credential* cred = m_credResolver->resolve(&to);
  64             // Reset criteria back.
  65             to.setKeyAlgorithm(NULL);
  66             to.setKeySize(0);
  67             to.getKeyNames().clear();
  68
  69             if (cred) {
  70                 // Check for message.
  71                 const vector<XMLObject*>& bodies=const_cast<const soap11::Body*>(env.getBody())->getUnknownXMLObjects();
  72                 if (!bodies.empty()) {
  73                     opensaml::SignableObject* msg = dynamic_cast<opensaml::SignableObject*>(bodies.front());
  74                     if (msg) {
  75                         // Build a Signature.
  76                         Signature* sig = SignatureBuilder::buildSignature();
  77                         msg->setSignature(sig);
  78                         if (sigalg.first)
  79                             sig->setSignatureAlgorithm(sigalg.second);
  80                         sigalg = m_relyingParty->getXMLString("digestAlg");
  81                         if (sigalg.first)
  82                             dynamic_cast<opensaml::ContentReference*>(sig->getContentReference())->setDigestAlgorithm(sigalg.second);
  83
  84                         // Sign it. The marshalling step in the base class should be a no-op.
  85                         vector<Signature*> sigs(1,sig);
  86                         env.marshall((DOMDocument*)NULL,&sigs,cred);
  87                     }
  88                 }
  89             }
  90             else {
  91                 Category::getInstance(SHIBSP_LOGCAT".SOAPClient").error("no signing credential supplied, leaving unsigned.");
  92             }
  93         }
  94         else {
  95             Category::getInstance(SHIBSP_LOGCAT".SOAPClient").error("no CredentialResolver available, leaving unsigned.");
  96         }
  97     }
  98
  99     opensaml::SOAPClient::send(env, from, to, endpoint);
 100 }
 101
 102 void SOAPClient::prepareTransport(SOAPTransport& transport)
 103 {
 104 #ifdef _DEBUG
 105     xmltooling::NDC("prepareTransport");
 106 #endif
 107     Category& log=Category::getInstance(SHIBSP_LOGCAT".SOAPClient");
 108     log.debug("prepping SOAP transport for use by application (%s)", m_app.getId());
 109
 110     pair<bool,bool> flag = m_relyingParty->getBool("requireConfidentiality");
 111     if ((!flag.first || flag.second) && !transport.isConfidential())
 112         throw opensaml::BindingException("Transport confidentiality required, but not available.");
 113
 114     setValidating(getPolicy().getValidating());
 115     flag = m_relyingParty->getBool("requireTransportAuth");
 116     forceTransportAuthentication(!flag.first || flag.second);
 117
 118     opensaml::SOAPClient::prepareTransport(transport);
 119
 120     pair<bool,const char*> authType=m_relyingParty->getString("authType");
 121     if (!authType.first || !strcmp(authType.second,"TLS")) {
 122         if (!m_credResolver) {
 123             m_credResolver = m_app.getCredentialResolver();
 124             if (m_credResolver)
 125                 m_credResolver->lock();
 126         }
 127         if (m_credResolver) {
 128             m_criteria->setUsage(Credential::TLS_CREDENTIAL);
 129             authType = m_relyingParty->getString("keyName");
 130             if (authType.first)
 131                 m_criteria->getKeyNames().insert(authType.second);
 132             const Credential* cred = m_credResolver->resolve(m_criteria);
 133             m_criteria->getKeyNames().clear();
 134             if (cred) {
 135                 if (!transport.setCredential(cred))
 136                     log.error("failed to load Credential into SOAPTransport");
 137             }
 138             else {
 139                 log.error("no TLS credential supplied");
 140             }
 141         }
 142         else {
 143             log.error("no CredentialResolver available for TLS");
 144         }
 145     }
 146     else {
 147         SOAPTransport::transport_auth_t type=SOAPTransport::transport_auth_none;
 148         pair<bool,const char*> username=m_relyingParty->getString("authUsername");
 149         pair<bool,const char*> password=m_relyingParty->getString("authPassword");
 150         if (!username.first || !password.first)
 151             log.error("transport authType (%s) specified but authUsername or authPassword was missing", authType.second);
 152         else if (!strcmp(authType.second,"basic"))
 153             type = SOAPTransport::transport_auth_basic;
 154         else if (!strcmp(authType.second,"digest"))
 155             type = SOAPTransport::transport_auth_digest;
 156         else if (!strcmp(authType.second,"ntlm"))
 157             type = SOAPTransport::transport_auth_ntlm;
 158         else if (!strcmp(authType.second,"gss"))
 159             type = SOAPTransport::transport_auth_gss;
 160         else if (strcmp(authType.second,"none"))
 161             log.error("unknown authType (%s) specified for RelyingParty", authType.second);
 162         if (type > SOAPTransport::transport_auth_none) {
 163             if (transport.setAuth(type,username.second,password.second))
 164                 log.debug("configured for transport authentication (method=%s, username=%s)", authType.second, username.second);
 165             else
 166                 log.error("failed to configure transport authentication (method=%s)", authType.second);
 167         }
 168     }
 169
 170     pair<bool,unsigned int> timeout = m_relyingParty->getUnsignedInt("connectTimeout");
 171     transport.setConnectTimeout(timeout.first ? timeout.second : 10);
 172     timeout = m_relyingParty->getUnsignedInt("timeout");
 173     transport.setTimeout(timeout.first ? timeout.second : 20);
 174     m_app.getServiceProvider().setTransportOptions(transport);
 175
 176     HTTPSOAPTransport* http = dynamic_cast<HTTPSOAPTransport*>(&transport);
 177     if (http) {
 178         flag = m_relyingParty->getBool("chunkedEncoding");
 179         http->useChunkedEncoding(flag.first && flag.second);
 180         http->setRequestHeader("User-Agent", PACKAGE_NAME);
 181         http->setRequestHeader(PACKAGE_NAME, PACKAGE_VERSION);
 182     }
 183 }
 184
 185 void SOAPClient::reset()
 186 {
 187     m_relyingParty = NULL;
 188     if (m_credResolver)
 189         m_credResolver->unlock();
 190     m_credResolver = NULL;
 191     opensaml::SOAPClient::reset();
 192 }
 193