const XMLCh shibtarget::XML::Literals::Host[]= { chLatin_H, chLatin_o, chLatin_s, chLatin_t, chNull };
+const XMLCh shibtarget::XML::Literals::Name[]= { chLatin_N, chLatin_a, chLatin_m, chLatin_e, chNull };
+
const XMLCh shibtarget::XML::Literals::Path[]= { chLatin_P, chLatin_a, chLatin_t, chLatin_h, chNull };
const XMLCh shibtarget::XML::Literals::Port[]= { chLatin_P, chLatin_o, chLatin_r, chLatin_t, chNull };
DOMElement* host=static_cast<DOMElement*>(nlist->item(i));
const XMLCh* scheme=host->getAttributeNS(NULL,shibtarget::XML::Literals::Scheme);
const XMLCh* port=host->getAttributeNS(NULL,shibtarget::XML::Literals::Port);
- auto_ptr_XMLCh name(host->getAttributeNS(NULL,shibboleth::XML::Literals::Name));
+ auto_ptr_XMLCh name(host->getAttributeNS(NULL,shibtarget::XML::Literals::Name));
if (!name.get() || !*(name.get()))
{
for (int i=0; nlist && i<nlist->getLength(); i++)
{
DOMElement* path=static_cast<DOMElement*>(nlist->item(i));
- auto_ptr_XMLCh name(path->getAttributeNS(NULL,shibboleth::XML::Literals::Name));
+ auto_ptr_XMLCh name(path->getAttributeNS(NULL,shibtarget::XML::Literals::Name));
if (!name.get() || !*(name.get()))
{
log.warn("Skipping Path element (%d) with empty Name attribute",i);
ShibINI& getINI() const { return *ini; }
IApplicationMapper* getApplicationMapper() const { return m_applicationMapper; }
saml::Iterator<shibboleth::IMetadata*> getMetadataProviders() const { return metadatas; }
+ saml::Iterator<shibboleth::IRevocation*> getRevocationProviders() const { return revocations; }
saml::Iterator<shibboleth::ITrust*> getTrustProviders() const { return trusts; }
saml::Iterator<shibboleth::ICredentials*> getCredentialProviders() const { return creds; }
saml::Iterator<shibboleth::IAAP*> getAAPProviders() const { return aaps; }
#endif
IApplicationMapper* m_applicationMapper;
std::vector<shibboleth::IMetadata*> metadatas;
+ std::vector<shibboleth::IRevocation*> revocations;
std::vector<shibboleth::ITrust*> trusts;
std::vector<shibboleth::ICredentials*> creds;
std::vector<shibboleth::IAAP*> aaps;
static const XMLCh ApplicationID[];
static const XMLCh ApplicationMap[];
static const XMLCh Host[];
+ static const XMLCh Name[];
static const XMLCh Path[];
static const XMLCh Port[];
static const XMLCh Scheme[];
if (r) {
// Run pushed data through the AAP. Note that we could end up with an empty response!
ShibTargetConfig& conf=ShibTargetConfig::getConfig();
- OriginMetadata site(conf.getMetadataProviders(),m_subject->getNameQualifier());
- if (site.fail())
+ Metadata m(conf.getMetadataProviders());
+ const IProvider* site=m.lookup(m_subject->getNameQualifier());
+ if (!site)
throw MetadataException("unable to locate origin site's metadata during attribute acceptance processing");
Iterator<SAMLAssertion*> assertions=r->getAssertions();
for (unsigned long i=0; i < assertions.size();) {
);
auto_ptr<SAMLRequest> req(new SAMLRequest(EMPTY(QName),q));
- // Try this request against all the bindings in the AuthenticationStatement
- // (i.e. send it to each AA in the list of bindings)
- SAMLResponse* response = NULL;
- OriginMetadata site(conf.getMetadataProviders(),m_subject->getNameQualifier());
- if (site.fail())
+ // Try this request. The wrapper class handles all of the details.
+ Metadata m(conf.getMetadataProviders());
+ const IProvider* site=m.lookup(m_subject->getNameQualifier());
+ if (!site)
throw MetadataException("unable to locate origin site's metadata during attribute query");
- auto_ptr<SAMLBinding> pBinding(
- SAMLBindingFactory::getInstance(
- conf.getMetadataProviders(),conf.getTrustProviders(),conf.getCredentialProviders(),providerID.get(),site
- )
- );
-
- Iterator<SAMLAuthorityBinding*> AAbindings=p_auth->getBindings();
- while (!response && AAbindings.hasNext()) {
- SAMLAuthorityBinding* binding = AAbindings.next();
- log->debug("Trying binding to AA...");
- try {
- response=pBinding->send(*binding,*req);
- }
- catch (SAMLException& e) {
- log->error("caught SAML exception during query to AA: %s", e.what());
- }
- }
+ log->debug("Trying to query an AA...");
+ SAMLResponse* response = NULL;
+ ShibBinding binding(conf.getRevocationProviders(),conf.getTrustProviders(),conf.getCredentialProviders());
+ try {
+ response=binding.send(*req,site,NULL,p_auth->getBindings());
+ }
+ catch (SAMLException& e) {
+ log->error("caught SAML exception during query to AA: %s", e.what());
+ }
// See if we got a response.
if (!response) {
log->error("No response obtained");
- throw ShibTargetException(SHIBRPC_INTERNAL_ERROR,"Unable to obtain attributes from user's origin site.",m_subject->getNameQualifier());
+ throw ShibTargetException(SHIBRPC_INTERNAL_ERROR,"Unable to obtain attributes from user's origin site.",site->getId());
}
// Run it through the AAP. Note that we could end up with an empty response!
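Review bot: The `NULL` passed as the third argument of `binding.send(*req,site,NULL,p_auth->getBindings())` is an unexplained positional null; `ShibBinding::send`'s signature is not in this diff, so a reader cannot tell what is being left unspecified or what the binding does in its absence. Add a short comment on that line naming the parameter the null stands for, or replace the comment `// Try this request. The wrapper class handles all of the details.` with one that says what `ShibBinding` actually does with the bindings list and the revocation/trust/credential providers it is built from. The `catch (SAMLException& e)` deliberately lets every other exception type propagate out of the enclosing function (which starts and ends outside this hunk); if that is intended, a one-line comment saying so would keep the next maintainer from widening it.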
DOMElement* dummy = dummydoc->createElementNS(NULL,XML::Literals::ApplicationMap);
// Load the specified metadata, trust, creds, and aap sources.
+ static const XMLCh url[] = { chLatin_u, chLatin_r, chLatin_l, chNull };
const string* prov;
ShibINI::Iterator* iter=ini->tag_iterator(SHIBTARGET_TAG_METADATA);
for (prov=iter->begin(); prov; prov=iter->next()) {
log.info("building metadata provider: type=%s, source=%s",prov->c_str(),source.c_str());
try {
auto_ptr_XMLCh src(source.c_str());
- dummy->setAttributeNS(NULL,shibboleth::XML::Literals::url,src.get());
+ dummy->setAttributeNS(NULL,url,src.get());
metadatas.push_back(shibConf.newMetadata(prov->c_str(),dummy));
}
catch (exception& e) {
log.info("building AAP provider: type=%s, source=%s",prov->c_str(),source.c_str());
try {
auto_ptr_XMLCh src(source.c_str());
- dummy->setAttributeNS(NULL,shibboleth::XML::Literals::url,src.get());
+ dummy->setAttributeNS(NULL,url,src.get());
aaps.push_back(shibConf.newAAP(prov->c_str(),dummy));
}
catch (exception& e) {
log.info("building trust provider: type=%s, source=%s",prov->c_str(),source.c_str());
try {
auto_ptr_XMLCh src(source.c_str());
- dummy->setAttributeNS(NULL,shibboleth::XML::Literals::url,src.get());
+ dummy->setAttributeNS(NULL,url,src.get());
trusts.push_back(shibConf.newTrust(prov->c_str(),dummy));
}
catch (exception& e) {
log.info("building creds provider: type=%s, source=%s",prov->c_str(),source.c_str());
try {
auto_ptr_XMLCh src(source.c_str());
- dummy->setAttributeNS(NULL,shibboleth::XML::Literals::url,src.get());
+ dummy->setAttributeNS(NULL,url,src.get());
creds.push_back(shibConf.newCredentials(prov->c_str(),dummy));
}
catch (exception& e) {
}
}
delete iter;
+
+ iter=ini->tag_iterator(SHIBTARGET_TAG_REVOCATION);
+ for (prov=iter->begin(); prov; prov=iter->next()) {
+ string source=ini->get(SHIBTARGET_TAG_REVOCATION,*prov);
+ log.info("building revocation provider: type=%s, source=%s",prov->c_str(),source.c_str());
+ try {
+ auto_ptr_XMLCh src(source.c_str());
+ dummy->setAttributeNS(NULL,url,src.get());
+ revocations.push_back(shibConf.newRevocation(prov->c_str(),dummy));
+ }
+ catch (exception& e) {
+ log.crit("error building revocation provider: type=%s, source=%s (%s)",prov->c_str(),source.c_str(),e.what());
+ throw;
+ }
+ }
+ delete iter;
}
// Load SAML policies.
delete iter;
}
- log.debug("about to test for AppMapper -- are we SHIRE...");
- if (app == SHIBTARGET_SHIRE) {
- log.debug("yep, we're a shire -- try loading the map...");
- if (ini->get_tag(app, SHIBTARGET_TAG_APPMAPPER, false, &tag)) {
- log.debug("loading Application Mapper");
- saml::XML::registerSchema(shibtarget::XML::APPMAP_NS,shibtarget::XML::APPMAP_SCHEMA_ID);
- try {
+ if (app == SHIBTARGET_SHIRE && ini->get_tag(app, SHIBTARGET_TAG_APPMAPPER, false, &tag)) {
+ saml::XML::registerSchema(shibtarget::XML::APPMAP_NS,shibtarget::XML::APPMAP_SCHEMA_ID);
+ try {
auto_ptr_XMLCh src(tag.c_str());
- dummy->setAttributeNS(NULL,shibboleth::XML::Literals::url,src.get());
+ dummy->setAttributeNS(NULL,url,src.get());
m_applicationMapper=new XMLApplicationMapper(dummy);
dynamic_cast<XMLApplicationMapper*>(m_applicationMapper)->getImplementation();
- }
- catch (exception& e) {
+ }
+ catch (exception& e) {
log.crit("caught exception while loading URL->Application mapping file (%s)", e.what());
- }
- catch (...) {
+ }
+ catch (...) {
log.crit("caught unknown exception while loading URL->Application mapping file");
- }
}
}
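Review bot: In the new revocation loop the `throw;` inside `catch (exception& e)` (`log.crit("error building revocation provider..."); throw;`) skips the `delete iter;` that follows the loop, so the `ShibINI::Iterator` returned by `ini->tag_iterator(SHIBTARGET_TAG_REVOCATION)` leaks on that path; the catch bodies of the metadata/aap/trust/creds loops are outside the visible context, so I cannot say whether they share the problem. Minimal fix is `delete iter;` before the `throw;`; the cleaner one is to hold the iterator in `auto_ptr<ShibINI::Iterator>` (the file already uses `auto_ptr`) and drop the manual deletes. The comment `// Load the specified metadata, trust, creds, and aap sources.` above the block should also list revocation now. The enclosing function continues beyond this hunk.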
saml::QName name = codes.next();
if (!XMLString::compareString(name.getNamespaceURI(),
- shibboleth::XML::SHIB_NS)) {
+ shibboleth::Constants::SHIB_NS)) {
if (!XMLString::compareString(name.getLocalName(), code_InvalidHandle)) {
return true;
}
string RPCError::getOriginErrorURL()
{
- string res="No URL Available";
- if (m_priv->origin)
- {
- OriginMetadata mapper(ShibTargetConfig::getConfig().getMetadataProviders(),m_priv->origin);
- if (!mapper.fail())
- {
- const char* temp=mapper->getErrorURL();
+ if (m_priv->origin) {
+ Metadata mapper(ShibTargetConfig::getConfig().getMetadataProviders());
+ const IProvider* provider=mapper.lookup(m_priv->origin);
+ if (provider) {
+ Iterator<const IProviderRole*> roles=provider->getRoles();
+ while (roles.hasNext()) {
+ const char* temp=roles.next()->getErrorURL();
if (temp)
- res=temp;
+ return temp;
+ }
}
}
- return res;
+ return "No URL Available";
}
string RPCError::getOriginContactName()
{
- string res="No Name Available";
- if (m_priv->origin)
- {
- OriginMetadata mapper(ShibTargetConfig::getConfig().getMetadataProviders(),m_priv->origin);
- Iterator<const IContactInfo*> i=
- mapper.fail() ? EMPTY(const IContactInfo*) : mapper->getContacts();
- while (i.hasNext())
- {
- const IContactInfo* c=i.next();
- if (c->getType()==IContactInfo::technical && c->getName())
- {
- res=c->getName();
- break;
- }
+ if (m_priv->origin) {
+ Metadata mapper(ShibTargetConfig::getConfig().getMetadataProviders());
+ const IProvider* provider=mapper.lookup(m_priv->origin);
+ Iterator<const IContactPerson*> i=provider ? provider->getContacts() : EMPTY(const IContactPerson*);
+ while (i.hasNext()) {
+ const IContactPerson* c=i.next();
+ if ((c->getType()==IContactPerson::technical || c->getType()==IContactPerson::support) && c->getName())
+ return c->getName();
}
}
- return res;
+ return "No Name Available";
}
string RPCError::getOriginContactEmail()
{
- string res="No Email Available";
- if (m_priv->origin)
- {
- OriginMetadata mapper(ShibTargetConfig::getConfig().getMetadataProviders(),m_priv->origin);
- Iterator<const IContactInfo*> i=
- mapper.fail() ? EMPTY(const IContactInfo*) : mapper->getContacts();
- while (i.hasNext())
- {
- const IContactInfo* c=i.next();
- if (c->getType()==IContactInfo::technical && c->getEmail())
- {
- res=c->getEmail();
- break;
+ if (m_priv->origin) {
+ Metadata mapper(ShibTargetConfig::getConfig().getMetadataProviders());
+ const IProvider* provider=mapper.lookup(m_priv->origin);
+ Iterator<const IContactPerson*> i=provider ? provider->getContacts() : EMPTY(const IContactPerson*);
+ while (i.hasNext()) {
+ const IContactPerson* c=i.next();
+ if (c->getType()==IContactPerson::technical || c->getType()==IContactPerson::support) {
+ Iterator<string> emails=c->getEmails();
+ if (emails.hasNext())
+ return emails.next();
}
}
}
- return res;
+ return "No Email Available";
}
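Review bot: The lookup prologue (`Metadata mapper(...)`, `mapper.lookup(m_priv->origin)`, `provider ? provider->getContacts() : EMPTY(...)`) and the predicate `c->getType()==IContactPerson::technical || c->getType()==IContactPerson::support` are now duplicated verbatim in getOriginContactName and getOriginContactEmail; a small private helper returning the first matching contact (or a static function taking the origin) would keep the two selection rules from drifting apart. getOriginErrorURL now returns the error URL of whichever role in `provider->getRoles()` first has one, regardless of role type; if that is the intended semantics, a comment above the `while (roles.hasNext())` loop saying so would help, and note that `roles.next()->getErrorURL()` assumes the iterator never yields a null role pointer.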
#define SHIBTARGET_TAG_SAMLCOMPAT "SAMLCompat"
#define SHIBTARGET_TAG_METADATA "metadata"
+#define SHIBTARGET_TAG_REVOCATION "revocation"
#define SHIBTARGET_TAG_TRUST "trust"
#define SHIBTARGET_TAG_CREDS "credentials"
#define SHIBTARGET_TAG_AAP "aap"
virtual shibtarget::ShibINI& getINI() const = 0;
virtual IApplicationMapper* getApplicationMapper() const = 0;
virtual saml::Iterator<shibboleth::IMetadata*> getMetadataProviders() const = 0;
+ virtual saml::Iterator<shibboleth::IRevocation*> getRevocationProviders() const = 0;
virtual saml::Iterator<shibboleth::ITrust*> getTrustProviders() const = 0;
virtual saml::Iterator<shibboleth::ICredentials*> getCredentialProviders() const = 0;
virtual saml::Iterator<shibboleth::IAAP*> getAAPProviders() const = 0;
log.debug ("application: %s", argp->application_id);
entry->preFetch(15); // give a 15-second window for the RM
- } catch (SAMLException &e) {
+ }
+ catch (SAMLException &e) {
log.debug ("prefetch failed with a SAML Exception: %s", e.what());
ostringstream os;
os << e;
throw ShibTargetException(SHIBRPC_SAML_EXCEPTION, os.str(), origin);
- } catch (...) {
+ }
+#ifndef _DEBUG
+ catch (...) {
log.error ("prefetch caught an unknown exception");
throw ShibTargetException(SHIBRPC_UNKNOWN_ERROR,
"An unknown error occured while pre-fetching attributes.",
origin);
}
-
+#endif
} catch (ShibTargetException &e) {
entry->release();
g_shibTargetCCache->remove (argp->cookie.cookie);
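Review bot: Wrapping the `catch (...)` in `#ifndef _DEBUG` makes control flow depend on the build type: in a `_DEBUG` build an unknown exception from the prefetch is no longer converted to a ShibTargetException, so it also bypasses the outer `catch (ShibTargetException &e)` and the `entry->release()` / `g_shibTargetCCache->remove(...)` cleanup that handler performs (anything else that handler does is outside the hunk). If the intent is to let a debugger stop at the original throw site, say so next to the directive, e.g. `#ifndef _DEBUG // debug builds let unknown exceptions propagate so the throw site is visible`, and consider whether the entry cleanup should still run on that path.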
// Pull in the Policies
Iterator<const XMLCh*> policies=dynamic_cast<STConfig&>(ShibTargetConfig::getConfig()).getPolicies();
- // And grab the Profile
- // XXX: Create a "Global" POSTProfile instance per location...
+ // And build the POST profile wrapper.
log.debug ("create the POST profile (%d policies)", policies.size());
- ShibPOSTProfile *profile = ShibPOSTProfileFactory::getInstance(
+ ShibPOSTProfile profile(
ShibTargetConfig::getConfig().getMetadataProviders(),
- ShibTargetConfig::getConfig().getTrustProviders(),
- policies,location.get(),3600
+ ShibTargetConfig::getConfig().getRevocationProviders(),
+ ShibTargetConfig::getConfig().getTrustProviders()
);
SAMLResponse* r = NULL;
{
try
{
- // Make sure we've got a profile
- if (!profile)
- throw ShibTargetException(SHIBRPC_INTERNAL_ERROR,
- "Failed to obtain the profile");
-
// Try and accept the response...
log.debug ("Trying to accept the post");
- r = profile->accept(post, &origin);
+ r = profile.accept(post, location.get(),300,policies,&origin);
// Make sure we got a response
if (!r)
- throw ShibTargetException(SHIBRPC_RESPONSE_MISSING,
- "Failed to accept the response.",
- origin);
+ throw ShibTargetException(SHIBRPC_RESPONSE_MISSING, "Failed to accept the response.", origin);
// Find the SSO Assertion
log.debug ("Get the SSOAssertion");
- const SAMLAssertion* ssoAssertion = profile->getSSOAssertion(*r);
+ const SAMLAssertion* ssoAssertion = profile.getSSOAssertion(*r,policies);
// Check against the replay cache
log.debug ("check replay cache");
- if (profile->checkReplayCache(*ssoAssertion) == false)
- throw ShibTargetException(SHIBRPC_ASSERTION_REPLAYED,
- "Duplicate assertion found.",
- origin);
+ if (!profile.checkReplayCache(*ssoAssertion))
+ throw ShibTargetException(SHIBRPC_ASSERTION_REPLAYED, "Duplicate assertion found.", origin);
// Get the authentication statement we need.
log.debug ("get SSOStatement");
- auth_st = profile->getSSOStatement(*ssoAssertion);
+ auth_st = profile.getSSOStatement(*ssoAssertion);
// Maybe verify the origin address....
if (argp->checkIPAddress) {
"The IP address provided by your origin site did not match your current address. "
"To correct this problem, you may need to bypass a local proxy server.",
origin);
- }
+ }
}
}
catch (SAMLException &e) // XXX refine this handler to catch and log different profile exceptions
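Review bot: `profile.checkReplayCache(*ssoAssertion)` dereferences the result of the new `profile.getSSOAssertion(*r,policies)` call without a null check; unless that API is guaranteed to throw rather than return NULL when the accepted response carries no SSO assertion (its contract is not in this diff), a malformed POST from the peer reaches a null dereference here. A one-line guard mirroring the existing `if (!r)` check, `if (!ssoAssertion) throw ShibTargetException(SHIBRPC_RESPONSE_MISSING, "No SSO assertion found in response.", origin);`, closes that. Separately, the literal `300` in `profile.accept(post, location.get(),300,policies,&origin)` silently replaces the former `3600` with no name or comment; give it a named constant with a comment stating its unit and meaning (it is presumably a time window in seconds, but confirm against ShibPOSTProfile::accept). The enclosing function starts and ends outside this hunk.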