-/*
- * Copyright 2001-2007 Internet2
+/**
+ * Licensed to the University Corporation for Advanced Internet
+ * Development, Inc. (UCAID) under one or more contributor license
+ * agreements. See the NOTICE file distributed with this work for
+ * additional information regarding copyright ownership.
*
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
+ * UCAID licenses this file to you under the Apache License,
+ * Version 2.0 (the "License"); you may not use this file except
+ * in compliance with the License. You may obtain a copy of the
+ * License at
*
- * http://www.apache.org/licenses/LICENSE-2.0
+ * http://www.apache.org/licenses/LICENSE-2.0
*
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND,
+ * either express or implied. See the License for the specific
+ * language governing permissions and limitations under the License.
*/
/**
#include "exceptions.h"
#include "Application.h"
#include "ServiceProvider.h"
+#include "SPRequest.h"
#include "handler/AbstractHandler.h"
#include "handler/RemotedHandler.h"
#include "util/SPConstants.h"
#ifndef SHIBSP_LITE
# include "SessionCache.h"
# include "security/SecurityPolicy.h"
-# include "util/TemplateParameters.h"
+# include "security/SecurityPolicyProvider.h"
# include <fstream>
+# include <boost/algorithm/string.hpp>
+# include <boost/iterator/indirect_iterator.hpp>
+# include <saml/exceptions.h>
# include <saml/SAMLConfig.h>
# include <saml/saml2/core/Protocols.h>
# include <saml/saml2/metadata/EndpointManager.h>
+# include <saml/saml2/metadata/Metadata.h>
# include <saml/saml2/metadata/MetadataCredentialCriteria.h>
# include <xmltooling/util/URLEncoder.h>
using namespace opensaml::saml2;
using namespace opensaml::saml2p;
using namespace opensaml::saml2md;
using namespace opensaml;
+#else
+# include "lite/SAMLConstants.h"
#endif
+#include <boost/scoped_ptr.hpp>
+
using namespace shibsp;
using namespace xmltooling;
+using namespace boost;
using namespace std;
namespace shibsp {
{
public:
SAML2NameIDMgmt(const DOMElement* e, const char* appId);
- virtual ~SAML2NameIDMgmt() {
-#ifndef SHIBSP_LITE
- if (SPConfig::getConfig().isEnabled(SPConfig::OutOfProcess)) {
- delete m_decoder;
- XMLString::release(&m_outgoing);
- for_each(m_encoders.begin(), m_encoders.end(), cleanup_pair<const XMLCh*,MessageEncoder>());
- }
-#endif
- }
+ virtual ~SAML2NameIDMgmt() {}
void receive(DDF& in, ostream& out);
pair<bool,long> run(SPRequest& request, bool isHandler=true) const;
return "ManageNameIDService";
}
#endif
+ const XMLCh* getProtocolFamily() const {
+ return samlconstants::SAML20P_NS;
+ }
private:
pair<bool,long> doRequest(const Application& application, const HTTPRequest& httpRequest, HTTPResponse& httpResponse) const;
bool front
) const;
- xmltooling::QName m_role;
- MessageDecoder* m_decoder;
- XMLCh* m_outgoing;
- vector<const XMLCh*> m_bindings;
- map<const XMLCh*,MessageEncoder*> m_encoders;
+ scoped_ptr<MessageDecoder> m_decoder;
+ vector<string> m_bindings;
+ map< string,boost::shared_ptr<MessageEncoder> > m_encoders;
#endif
};
};
SAML2NameIDMgmt::SAML2NameIDMgmt(const DOMElement* e, const char* appId)
- : AbstractHandler(e, Category::getInstance(SHIBSP_LOGCAT".NameIDMgmt.SAML2"))
-#ifndef SHIBSP_LITE
- ,m_role(samlconstants::SAML20MD_NS, IDPSSODescriptor::LOCAL_NAME), m_decoder(NULL), m_outgoing(NULL)
-#endif
+ : AbstractHandler(e, Category::getInstance(SHIBSP_LOGCAT ".NameIDMgmt.SAML2"))
{
#ifndef SHIBSP_LITE
if (SPConfig::getConfig().isEnabled(SPConfig::OutOfProcess)) {
SAMLConfig& conf = SAMLConfig::getConfig();
// Handle incoming binding.
- m_decoder = conf.MessageDecoderManager.newPlugin(
- getString("Binding").second, pair<const DOMElement*,const XMLCh*>(e,shibspconstants::SHIB2SPCONFIG_NS)
+ m_decoder.reset(
+ conf.MessageDecoderManager.newPlugin(
+ getString("Binding").second, pair<const DOMElement*,const XMLCh*>(e,shibspconstants::SHIB2SPCONFIG_NS)
+ )
);
m_decoder->setArtifactResolver(SPConfig::getConfig().getArtifactResolver());
if (m_decoder->isUserAgentPresent()) {
// Handle front-channel binding setup.
- pair<bool,const XMLCh*> outgoing = getXMLString("outgoingBindings", m_configNS.get());
+ string dupBindings;
+ pair<bool,const char*> outgoing = getString("outgoingBindings", m_configNS.get());
if (outgoing.first) {
- m_outgoing = XMLString::replicate(outgoing.second);
- XMLString::trim(m_outgoing);
+ dupBindings = outgoing.second;
+ trim(dupBindings);
}
else {
// No override, so we'll install a default binding precedence.
- string prec = string(samlconstants::SAML20_BINDING_HTTP_REDIRECT) + ' ' + samlconstants::SAML20_BINDING_HTTP_POST + ' ' +
+ dupBindings = string(samlconstants::SAML20_BINDING_HTTP_REDIRECT) + ' ' + samlconstants::SAML20_BINDING_HTTP_POST + ' ' +
samlconstants::SAML20_BINDING_HTTP_POST_SIMPLESIGN + ' ' + samlconstants::SAML20_BINDING_HTTP_ARTIFACT;
- m_outgoing = XMLString::transcode(prec.c_str());
}
- int pos;
- XMLCh* start = m_outgoing;
- while (start && *start) {
- pos = XMLString::indexOf(start,chSpace);
- if (pos != -1)
- *(start + pos)=chNull;
- m_bindings.push_back(start);
+ split(m_bindings, dupBindings, is_space(), algorithm::token_compress_on);
+ for (vector<string>::const_iterator b = m_bindings.begin(); b != m_bindings.end(); ++b) {
try {
- auto_ptr_char b(start);
- MessageEncoder * encoder = conf.MessageEncoderManager.newPlugin(
- b.get(), pair<const DOMElement*,const XMLCh*>(e,shibspconstants::SHIB2SPCONFIG_NS)
+ boost::shared_ptr<MessageEncoder> encoder(
+ conf.MessageEncoderManager.newPlugin(*b, pair<const DOMElement*,const XMLCh*>(e,shibspconstants::SHIB2SPCONFIG_NS))
);
- if (encoder->isUserAgentPresent()) {
- m_encoders[start] = encoder;
- m_log.debug("supporting outgoing binding (%s)", b.get());
+ if (encoder->isUserAgentPresent() && XMLString::equals(getProtocolFamily(), encoder->getProtocolFamily())) {
+ m_encoders[*b] = encoder;
+ m_log.debug("supporting outgoing binding (%s)", b->c_str());
}
else {
- delete encoder;
- m_log.warn("skipping outgoing binding (%s), not a front-channel mechanism", b.get());
+ m_log.warn("skipping outgoing binding (%s), not a SAML 2.0 front-channel mechanism", b->c_str());
}
}
- catch (exception& ex) {
+ catch (std::exception& ex) {
m_log.error("error building MessageEncoder: %s", ex.what());
}
- if (pos != -1)
- start = start + pos + 1;
- else
- break;
}
}
else {
- MessageEncoder* encoder = conf.MessageEncoderManager.newPlugin(
- getString("Binding").second, pair<const DOMElement*,const XMLCh*>(e,shibspconstants::SHIB2SPCONFIG_NS)
+ pair<bool,const char*> b = getString("Binding");
+ boost::shared_ptr<MessageEncoder> encoder(
+ conf.MessageEncoderManager.newPlugin(b.second, pair<const DOMElement*,const XMLCh*>(e,shibspconstants::SHIB2SPCONFIG_NS))
);
- m_encoders.insert(pair<const XMLCh*,MessageEncoder*>(NULL, encoder));
+ m_encoders[b.second] = encoder;
}
}
#endif
else {
// When not out of process, we remote all the message processing.
vector<string> headers(1,"Cookie");
+ headers.push_back("User-Agent");
DDF out,in = wrap(request, &headers, true);
DDFJanitor jin(in), jout(out);
out=request.getServiceProvider().getListenerService()->send(in);
void SAML2NameIDMgmt::receive(DDF& in, ostream& out)
{
// Find application.
- const char* aid=in["application_id"].string();
- const Application* app=aid ? SPConfig::getConfig().getServiceProvider()->getApplication(aid) : NULL;
+ const char* aid = in["application_id"].string();
+ const Application* app = aid ? SPConfig::getConfig().getServiceProvider()->getApplication(aid) : nullptr;
if (!app) {
// Something's horribly wrong.
m_log.error("couldn't find application (%s) for NameID mgmt", aid ? aid : "(missing)");
}
// Unpack the request.
- auto_ptr<HTTPRequest> req(getRequest(in));
+ scoped_ptr<HTTPRequest> req(getRequest(in));
// Wrap a response shim.
- DDF ret(NULL);
+ DDF ret(nullptr);
DDFJanitor jout(ret);
- auto_ptr<HTTPResponse> resp(getResponse(ret));
+ scoped_ptr<HTTPResponse> resp(getResponse(ret));
// Since we're remoted, the result should either be a throw, which we pass on,
// a false/0 return, which we just return as an empty structure, or a response/redirect,
// which we capture in the facade and send back.
- doRequest(*app, *req.get(), *resp.get());
+ doRequest(*app, *req, *resp);
out << ret;
}
-pair<bool,long> SAML2NameIDMgmt::doRequest(
- const Application& application, const HTTPRequest& request, HTTPResponse& response
- ) const
+pair<bool,long> SAML2NameIDMgmt::doRequest(const Application& application, const HTTPRequest& request, HTTPResponse& response) const
{
#ifndef SHIBSP_LITE
SessionCache* cache = application.getServiceProvider().getSessionCache();
// Locate policy key.
- pair<bool,const char*> policyId = getString("policyId", m_configNS.get()); // namespace-qualified if inside handler element
+ pair<bool,const char*> policyId = getString("policyId", m_configNS.get()); // may be namespace-qualified inside handler element
+ if (!policyId.first)
+ policyId = getString("policyId"); // try unqualified
if (!policyId.first)
policyId = application.getString("policyId"); // unqualified in Application(s) element
- // Access policy properties.
- const PropertySet* settings = application.getServiceProvider().getPolicySettings(policyId.second);
- pair<bool,bool> validate = settings->getBool("validate");
-
// Lock metadata for use by policy.
Locker metadataLocker(application.getMetadataProvider());
// Create the policy.
- shibsp::SecurityPolicy policy(application, &m_role, validate.first && validate.second);
+ scoped_ptr<SecurityPolicy> policy(
+ application.getServiceProvider().getSecurityPolicyProvider()->createSecurityPolicy(application, &IDPSSODescriptor::ELEMENT_QNAME, policyId.second)
+ );
// Decode the message.
string relayState;
- auto_ptr<XMLObject> msg(m_decoder->decode(relayState, request, policy));
+ scoped_ptr<XMLObject> msg(m_decoder->decode(relayState, request, *policy));
const ManageNameIDRequest* mgmtRequest = dynamic_cast<ManageNameIDRequest*>(msg.get());
if (mgmtRequest) {
- if (!policy.isAuthenticated())
+ if (!policy->isAuthenticated())
throw SecurityPolicyException("Security of ManageNameIDRequest not established.");
// Message from IdP to change or terminate a NameID.
mgmtRequest->getID(),
StatusCode::REQUESTER, StatusCode::UNKNOWN_PRINCIPAL, "No active session found in request.",
relayState.c_str(),
- policy.getIssuerMetadata(),
+ policy->getIssuerMetadata(),
application,
response,
true
);
}
- EntityDescriptor* entity = policy.getIssuerMetadata() ? dynamic_cast<EntityDescriptor*>(policy.getIssuerMetadata()->getParent()) : NULL;
+ EntityDescriptor* entity = policy->getIssuerMetadata() ? dynamic_cast<EntityDescriptor*>(policy->getIssuerMetadata()->getParent()) : nullptr;
- bool ownedName = false;
+ scoped_ptr<XMLObject> decryptedID;
NameID* nameid = mgmtRequest->getNameID();
if (!nameid) {
// Check for EncryptedID.
m_log.warn("found encrypted NameID, but no decryption credential was available");
else {
Locker credlocker(cr);
- auto_ptr<MetadataCredentialCriteria> mcc(
- policy.getIssuerMetadata() ? new MetadataCredentialCriteria(*policy.getIssuerMetadata()) : NULL
+ scoped_ptr<MetadataCredentialCriteria> mcc(
+ policy->getIssuerMetadata() ? new MetadataCredentialCriteria(*policy->getIssuerMetadata()) : nullptr
);
try {
- auto_ptr<XMLObject> decryptedID(encname->decrypt(*cr,application.getRelyingParty(entity)->getXMLString("entityID").second,mcc.get()));
+ decryptedID.reset(encname->decrypt(*cr, application.getRelyingParty(entity)->getXMLString("entityID").second, mcc.get()));
nameid = dynamic_cast<NameID*>(decryptedID.get());
- if (nameid) {
- ownedName = true;
- decryptedID.release();
- }
}
- catch (exception& ex) {
+ catch (std::exception& ex) {
m_log.error(ex.what());
}
}
mgmtRequest->getID(),
StatusCode::REQUESTER, StatusCode::UNKNOWN_PRINCIPAL, "NameID not found in request.",
relayState.c_str(),
- policy.getIssuerMetadata(),
+ policy->getIssuerMetadata(),
application,
response,
m_decoder->isUserAgentPresent()
);
}
- auto_ptr<NameID> namewrapper(ownedName ? nameid : NULL);
-
// For a front-channel request, we have to match the information in the request
// against the current session.
if (!session_id.empty()) {
- if (!cache->matches(application, request, entity, *nameid, NULL)) {
+ if (!cache->matches(application, request, entity, *nameid, nullptr)) {
return sendResponse(
mgmtRequest->getID(),
StatusCode::REQUESTER, StatusCode::REQUEST_DENIED, "Active session did not match NameID mgmt request.",
relayState.c_str(),
- policy.getIssuerMetadata(),
+ policy->getIssuerMetadata(),
application,
response,
true
}
// Determine what's happening...
- bool ownedNewID = false;
- NewID* newid = NULL;
+ scoped_ptr<XMLObject> newDecryptedID;
+ NewID* newid = nullptr;
if (!mgmtRequest->getTerminate()) {
// Better be a NewID in there.
newid = mgmtRequest->getNewID();
m_log.warn("found encrypted NewID, but no decryption credential was available");
else {
Locker credlocker(cr);
- auto_ptr<MetadataCredentialCriteria> mcc(
- policy.getIssuerMetadata() ? new MetadataCredentialCriteria(*policy.getIssuerMetadata()) : NULL
+ scoped_ptr<MetadataCredentialCriteria> mcc(
+ policy->getIssuerMetadata() ? new MetadataCredentialCriteria(*policy->getIssuerMetadata()) : nullptr
);
try {
- auto_ptr<XMLObject> decryptedID(encnewid->decrypt(*cr,application.getRelyingParty(entity)->getXMLString("entityID").second,mcc.get()));
- newid = dynamic_cast<NewID*>(decryptedID.get());
- if (newid) {
- ownedNewID = true;
- decryptedID.release();
- }
+ newDecryptedID.reset(encnewid->decrypt(*cr, application.getRelyingParty(entity)->getXMLString("entityID").second, mcc.get()));
+ newid = dynamic_cast<NewID*>(newDecryptedID.get());
}
- catch (exception& ex) {
+ catch (std::exception& ex) {
m_log.error(ex.what());
}
}
m_log.error("NewID not found in request");
return sendResponse(
mgmtRequest->getID(),
- StatusCode::REQUESTER, NULL, "NewID not found in request.",
+ StatusCode::REQUESTER, nullptr, "NewID not found in request.",
relayState.c_str(),
- policy.getIssuerMetadata(),
+ policy->getIssuerMetadata(),
application,
response,
m_decoder->isUserAgentPresent()
}
}
- auto_ptr<NewID> newwrapper(ownedNewID ? newid : NULL);
-
// TODO: maybe support in-place modification of sessions?
/*
vector<string> sessions;
m_log.error("error while logging out matching sessions: %s", ex.what());
return sendResponse(
logoutRequest->getID(),
- StatusCode::RESPONDER, NULL, ex.what(),
+ StatusCode::RESPONDER, nullptr, ex.what(),
relayState.c_str(),
policy.getIssuerMetadata(),
application,
*/
// Do back-channel app notifications.
- // Not supporting front-channel due to privacy fears.
+ // Not supporting front-channel due to privacy concerns.
bool worked = notifyBackChannel(application, request.getRequestURL(), *nameid, newid);
return sendResponse(
mgmtRequest->getID(),
worked ? StatusCode::SUCCESS : StatusCode::RESPONDER,
- NULL,
- NULL,
+ nullptr,
+ nullptr,
relayState.c_str(),
- policy.getIssuerMetadata(),
+ policy->getIssuerMetadata(),
application,
response,
m_decoder->isUserAgentPresent()
*/
FatalProfileException ex("Incoming message was not a samlp:ManageNameIDRequest.");
- if (policy.getIssuerMetadata())
- annotateException(&ex, policy.getIssuerMetadata()); // throws it
- ex.raise();
- return make_pair(false,0L); // never happen, satisfies compiler
+ annotateException(&ex, policy->getIssuerMetadata()); // throws it
+ return make_pair(false, 0L); // never happen, satisfies compiler
#else
throw ConfigurationException("Cannot process NameID mgmt message using lite version of shibsp library.");
#endif
) const
{
// Get endpoint and encoder to use.
- const EndpointType* ep = NULL;
- const MessageEncoder* encoder = NULL;
+ const EndpointType* ep = nullptr;
+ const MessageEncoder* encoder = nullptr;
if (front) {
const IDPSSODescriptor* idp = dynamic_cast<const IDPSSODescriptor*>(role);
- for (vector<const XMLCh*>::const_iterator b = m_bindings.begin(); idp && b!=m_bindings.end(); ++b) {
- if (ep=EndpointManager<ManageNameIDService>(idp->getManageNameIDServices()).getByBinding(*b)) {
- map<const XMLCh*,MessageEncoder*>::const_iterator enc = m_encoders.find(*b);
- if (enc!=m_encoders.end())
- encoder = enc->second;
+ for (vector<string>::const_iterator b = m_bindings.begin(); idp && b != m_bindings.end(); ++b) {
+ auto_ptr_XMLCh wideb(b->c_str());
+ if ((ep = EndpointManager<ManageNameIDService>(idp->getManageNameIDServices()).getByBinding(wideb.get()))) {
+ map< string,boost::shared_ptr<MessageEncoder> >::const_iterator enc = m_encoders.find(*b);
+ if (enc != m_encoders.end())
+ encoder = enc->second.get();
break;
}
}
}
}
else {
- encoder = m_encoders.begin()->second;
+ encoder = m_encoders.begin()->second.get();
}
// Prepare response.
Issuer* issuer = IssuerBuilder::buildIssuer();
nim->setIssuer(issuer);
issuer->setName(application.getRelyingParty(dynamic_cast<EntityDescriptor*>(role->getParent()))->getXMLString("entityID").second);
- fillStatus(*nim.get(), code, subcode, msg);
+ fillStatus(*nim, code, subcode, msg);
auto_ptr_char dest(nim->getDestination());
long ret = sendMessage(*encoder, nim.get(), relayState, dest.get(), role, application, httpResponse);
nim.release(); // freed by encoder
- return make_pair(true,ret);
+ return make_pair(true, ret);
}
#include "util/SPConstants.h"
HTTPSOAPTransport* http = dynamic_cast<HTTPSOAPTransport*>(&transport);
if (http) {
http->useChunkedEncoding(false);
- http->setRequestHeader("User-Agent", PACKAGE_NAME);
http->setRequestHeader(PACKAGE_NAME, PACKAGE_VERSION);
}
}
if (endpoint.empty())
return true;
- auto_ptr<Envelope> env(EnvelopeBuilder::buildEnvelope());
+ scoped_ptr<Envelope> env(EnvelopeBuilder::buildEnvelope());
Body* body = BodyBuilder::buildBody();
env->setBody(body);
ElementProxy* msg = new AnyElementImpl(shibspconstants::SHIB2SPNOTIFY_NS, NameIDNotification);
SOAPNotifier soaper;
while (!endpoint.empty()) {
try {
- soaper.send(*env.get(), SOAPTransport::Address(application.getId(), application.getId(), endpoint.c_str()));
+ soaper.send(*env, SOAPTransport::Address(application.getId(), application.getId(), endpoint.c_str()));
delete soaper.receive();
}
- catch (exception& ex) {
+ catch (std::exception& ex) {
m_log.error("error notifying application of logout event: %s", ex.what());
result = false;
}
projects / shibboleth / cpp-sp.git / blobdiff