From: Scott Cantor Date: Sun, 11 Feb 2007 05:26:18 +0000 (+0000) Subject: Draft of 2.0 config schema/file, removed legacy support, validate config. X-Git-Tag: 2.0-alpha1~131 X-Git-Url: http://www.project-moonshot.org/gitweb/?p=shibboleth%2Fcpp-sp.git;a=commitdiff_plain;h=40c8de5b64574ac828a001022877ff0a1a35c741 Draft of 2.0 config schema/file, removed legacy support, validate config. --- diff --git a/Shibboleth.sln b/Shibboleth.sln index fdedcf9..fb11df6 100644 --- a/Shibboleth.sln +++ b/Shibboleth.sln @@ -42,17 +42,6 @@ Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "nsapi_shib", "nsapi_shib\ns {81F0F7A6-DC36-46EF-957F-F9E81D4403F6} = {81F0F7A6-DC36-46EF-957F-F9E81D4403F6} EndProjectSection EndProject -Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "posttest", "posttest\posttest.vcproj", "{16E70C47-789E-43D5-AFDF-964D386C3CB5}" - ProjectSection(WebsiteProperties) = preProject - Debug.AspNetCompiler.Debug = "True" - Release.AspNetCompiler.Debug = "False" - EndProjectSection - ProjectSection(ProjectDependencies) = postProject - {E6CAB6C8-1D73-4410-970A-52BF9EC57810} = {E6CAB6C8-1D73-4410-970A-52BF9EC57810} - {81F0F7A6-DC36-46EF-957F-F9E81D4403F6} = {81F0F7A6-DC36-46EF-957F-F9E81D4403F6} - {84890110-2190-4AAE-9BDC-58F90DF71E4F} = {84890110-2190-4AAE-9BDC-58F90DF71E4F} - EndProjectSection -EndProject Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "shar", "shar\shar.vcproj", "{F13141B5-6C87-40BB-8D4E-5CC56EBB4C59}" ProjectSection(WebsiteProperties) = preProject Debug.AspNetCompiler.Debug = "True" 
@@ -62,30 +51,12 @@ Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "shar", "shar\shar.vcproj", {81F0F7A6-DC36-46EF-957F-F9E81D4403F6} = {81F0F7A6-DC36-46EF-957F-F9E81D4403F6} EndProjectSection EndProject -Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "shib", "shib\shib.vcproj", "{E6CAB6C8-1D73-4410-970A-52BF9EC57810}" - ProjectSection(WebsiteProperties) = preProject - Debug.AspNetCompiler.Debug = "True" - Release.AspNetCompiler.Debug = "False" - EndProjectSection -EndProject -Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "shibtarget", "shib-target\shibtarget.vcproj", "{84890110-2190-4AAE-9BDC-58F90DF71E4F}" - ProjectSection(WebsiteProperties) = preProject - Debug.AspNetCompiler.Debug = "True" - Release.AspNetCompiler.Debug = "False" - EndProjectSection - ProjectSection(ProjectDependencies) = postProject - {E6CAB6C8-1D73-4410-970A-52BF9EC57810} = {E6CAB6C8-1D73-4410-970A-52BF9EC57810} - {81F0F7A6-DC36-46EF-957F-F9E81D4403F6} = {81F0F7A6-DC36-46EF-957F-F9E81D4403F6} - EndProjectSection -EndProject Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "shibtest", "shibtest\shibtest.vcproj", "{67AF22A3-C26E-40BE-B0CA-2ABEE5123763}" ProjectSection(WebsiteProperties) = preProject Debug.AspNetCompiler.Debug = "True" Release.AspNetCompiler.Debug = "False" EndProjectSection ProjectSection(ProjectDependencies) = postProject - {84890110-2190-4AAE-9BDC-58F90DF71E4F} = {84890110-2190-4AAE-9BDC-58F90DF71E4F} - {E6CAB6C8-1D73-4410-970A-52BF9EC57810} = {E6CAB6C8-1D73-4410-970A-52BF9EC57810} {81F0F7A6-DC36-46EF-957F-F9E81D4403F6} = {81F0F7A6-DC36-46EF-957F-F9E81D4403F6} EndProjectSection EndProject 
@@ -95,17 +66,6 @@ Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "siterefresh", "siterefresh\ Release.AspNetCompiler.Debug = "False" EndProjectSection EndProject -Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "testclient", "shar\testclient.vcproj", "{B3F1E899-86F9-4D3A-8026-B57D1A5B90B1}" - ProjectSection(WebsiteProperties) = preProject - Debug.AspNetCompiler.Debug = "True" - Release.AspNetCompiler.Debug = "False" - EndProjectSection - ProjectSection(ProjectDependencies) = postProject - {E6CAB6C8-1D73-4410-970A-52BF9EC57810} = {E6CAB6C8-1D73-4410-970A-52BF9EC57810} - {81F0F7A6-DC36-46EF-957F-F9E81D4403F6} = {81F0F7A6-DC36-46EF-957F-F9E81D4403F6} - {84890110-2190-4AAE-9BDC-58F90DF71E4F} = {84890110-2190-4AAE-9BDC-58F90DF71E4F} - EndProjectSection -EndProject Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "mod_shib22", "apache\mod_shib22.vcproj", "{B44C0852-83B8-4FB2-A86E-097C9C8256D0}" ProjectSection(WebsiteProperties) = preProject Debug.AspNetCompiler.Debug = "True" 
@@ -171,22 +131,10 @@ Global {1396D80A-8672-4224-9B02-95F3F4207CDB}.Debug|Win32.Build.0 = Debug|Win32 {1396D80A-8672-4224-9B02-95F3F4207CDB}.Release|Win32.ActiveCfg = Release|Win32 {1396D80A-8672-4224-9B02-95F3F4207CDB}.Release|Win32.Build.0 = Release|Win32 - {16E70C47-789E-43D5-AFDF-964D386C3CB5}.Debug|Win32.ActiveCfg = Debug|Win32 - {16E70C47-789E-43D5-AFDF-964D386C3CB5}.Debug|Win32.Build.0 = Debug|Win32 - {16E70C47-789E-43D5-AFDF-964D386C3CB5}.Release|Win32.ActiveCfg = Release|Win32 - {16E70C47-789E-43D5-AFDF-964D386C3CB5}.Release|Win32.Build.0 = Release|Win32 {F13141B5-6C87-40BB-8D4E-5CC56EBB4C59}.Debug|Win32.ActiveCfg = Debug|Win32 {F13141B5-6C87-40BB-8D4E-5CC56EBB4C59}.Debug|Win32.Build.0 = Debug|Win32 {F13141B5-6C87-40BB-8D4E-5CC56EBB4C59}.Release|Win32.ActiveCfg = Release|Win32 {F13141B5-6C87-40BB-8D4E-5CC56EBB4C59}.Release|Win32.Build.0 = Release|Win32 - {E6CAB6C8-1D73-4410-970A-52BF9EC57810}.Debug|Win32.ActiveCfg = Debug|Win32 - {E6CAB6C8-1D73-4410-970A-52BF9EC57810}.Debug|Win32.Build.0 = Debug|Win32 - {E6CAB6C8-1D73-4410-970A-52BF9EC57810}.Release|Win32.ActiveCfg = Release|Win32 - {E6CAB6C8-1D73-4410-970A-52BF9EC57810}.Release|Win32.Build.0 = Release|Win32 - {84890110-2190-4AAE-9BDC-58F90DF71E4F}.Debug|Win32.ActiveCfg = Debug|Win32 - {84890110-2190-4AAE-9BDC-58F90DF71E4F}.Debug|Win32.Build.0 = Debug|Win32 - {84890110-2190-4AAE-9BDC-58F90DF71E4F}.Release|Win32.ActiveCfg = Release|Win32 - {84890110-2190-4AAE-9BDC-58F90DF71E4F}.Release|Win32.Build.0 = Release|Win32 {67AF22A3-C26E-40BE-B0CA-2ABEE5123763}.Debug|Win32.ActiveCfg = Debug|Win32 {67AF22A3-C26E-40BE-B0CA-2ABEE5123763}.Debug|Win32.Build.0 = Debug|Win32 {67AF22A3-C26E-40BE-B0CA-2ABEE5123763}.Release|Win32.ActiveCfg = Release|Win32 
@@ -195,10 +143,6 @@ Global {4D02F36E-D2CD-4FD1-AC50-2941E27BB3FB}.Debug|Win32.Build.0 = Debug|Win32 {4D02F36E-D2CD-4FD1-AC50-2941E27BB3FB}.Release|Win32.ActiveCfg = Release|Win32 {4D02F36E-D2CD-4FD1-AC50-2941E27BB3FB}.Release|Win32.Build.0 = Release|Win32 - {B3F1E899-86F9-4D3A-8026-B57D1A5B90B1}.Debug|Win32.ActiveCfg = Debug|Win32 - {B3F1E899-86F9-4D3A-8026-B57D1A5B90B1}.Debug|Win32.Build.0 = Debug|Win32 - {B3F1E899-86F9-4D3A-8026-B57D1A5B90B1}.Release|Win32.ActiveCfg = Release|Win32 - {B3F1E899-86F9-4D3A-8026-B57D1A5B90B1}.Release|Win32.Build.0 = Release|Win32 {B44C0852-83B8-4FB2-A86E-097C9C8256D0}.Debug|Win32.ActiveCfg = Debug|Win32 {B44C0852-83B8-4FB2-A86E-097C9C8256D0}.Debug|Win32.Build.0 = Debug|Win32 {B44C0852-83B8-4FB2-A86E-097C9C8256D0}.Release|Win32.ActiveCfg = Release|Win32 @@ -223,9 +167,7 @@ Global {87C25D4E-8D19-4513-B0BA-BC668BC2DEE3} = {26BA8F84-6E42-41FA-9B13-5D3F4B5B2050} {D341DCD8-7DCD-43A2-8559-C07DAB838711} = {96AE4FC9-45EF-4C18-9F3B-EDA439E26E4C} {666A63A7-983F-4C19-8411-207F24305197} = {96AE4FC9-45EF-4C18-9F3B-EDA439E26E4C} - {67AF22A3-C26E-40BE-B0CA-2ABEE5123763} = {FED80230-119E-4B2F-9F53-D2660A5F022B} {4D02F36E-D2CD-4FD1-AC50-2941E27BB3FB} = {FED80230-119E-4B2F-9F53-D2660A5F022B} - {B3F1E899-86F9-4D3A-8026-B57D1A5B90B1} = {FED80230-119E-4B2F-9F53-D2660A5F022B} - {16E70C47-789E-43D5-AFDF-964D386C3CB5} = {FED80230-119E-4B2F-9F53-D2660A5F022B} + {67AF22A3-C26E-40BE-B0CA-2ABEE5123763} = {FED80230-119E-4B2F-9F53-D2660A5F022B} EndGlobalSection EndGlobal diff --git a/apache/mod_apache.cpp b/apache/mod_apache.cpp index 1b4f190..1494e5e 100644 --- a/apache/mod_apache.cpp +++ b/apache/mod_apache.cpp @@ -87,6 +87,7 @@ namespace { string g_unsetHeaderValue; static const char* g_UserDataKey = "_shib_check_user_"; static const XMLCh path[] = UNICODE_LITERAL_4(p,a,t,h); + static const XMLCh validate[] = UNICODE_LITERAL_8(v,a,l,i,d,a,t,e); } /* Apache 2.2.x headers must be accumulated and set in the output filter. 
@@ -1012,7 +1013,6 @@ extern "C" void shib_child_init(apr_pool_t* p, server_rec* s) g_Config=&SPConfig::getConfig(); g_Config->setFeatures( - SPConfig::Caching | SPConfig::Listener | SPConfig::Metadata | SPConfig::RequestMapping | @@ -1032,6 +1032,7 @@ extern "C" void shib_child_init(apr_pool_t* p, server_rec* s) DOMElement* dummy = dummydoc->createElementNS(NULL,path); auto_ptr_XMLCh src(g_szSHIBConfig); dummy->setAttributeNS(NULL,path,src.get()); + dummy->setAttributeNS(NULL,validate,xmlconstants::XML_ONE); g_Config->setServiceProvider(g_Config->ServiceProviderManager.newPlugin(XML_SERVICE_PROVIDER,dummy)); g_Config->getServiceProvider()->init(); diff --git a/configs/shibboleth.xml.in b/configs/shibboleth.xml.in index a2e6052..b41fda3 100644 --- a/configs/shibboleth.xml.in +++ b/configs/shibboleth.xml.in @@ -1,19 +1,22 @@ - - + @@ -22,34 +25,19 @@ + + - - - - - + + + + @@ -57,12 +45,12 @@ - + + homeURL="https://sp.example.org/index.html"> - - - - - - - - - - - - - - - - + + + + + + + + + + + - - - - - @-PKGSYSCONFDIR-@/sp-example.key - - - @-PKGSYSCONFDIR-@/sp-example.crt - - - - - - - + + + + @-PKGSYSCONFDIR-@/sp-example.key + + + @-PKGSYSCONFDIR-@/sp-example.crt + + + + + + + + + + + + + + + + diff --git a/isapi_shib/isapi_shib.cpp b/isapi_shib/isapi_shib.cpp index d67aad2..efe5aac 100644 --- a/isapi_shib/isapi_shib.cpp +++ b/isapi_shib/isapi_shib.cpp @@ -50,6 +50,7 @@ using namespace std; // globals namespace { static const XMLCh path[] = UNICODE_LITERAL_4(p,a,t,h); + static const XMLCh validate[] = UNICODE_LITERAL_8(v,a,l,i,d,a,t,e); static const XMLCh name[] = UNICODE_LITERAL_4(n,a,m,e); static const XMLCh port[] = UNICODE_LITERAL_4(p,o,r,t); static const XMLCh sslport[] = UNICODE_LITERAL_7(s,s,l,p,o,r,t); @@ -152,7 +153,6 @@ extern "C" BOOL WINAPI GetFilterVersion(PHTTP_FILTER_VERSION pVer) g_Config=&SPConfig::getConfig(); g_Config->setFeatures( SPConfig::Listener | - SPConfig::Caching | SPConfig::Metadata | SPConfig::RequestMapping | SPConfig::InProcess | 
@@ -171,6 +171,7 @@ extern "C" BOOL WINAPI GetFilterVersion(PHTTP_FILTER_VERSION pVer) DOMElement* dummy = dummydoc->createElementNS(NULL,path); auto_ptr_XMLCh src(config); dummy->setAttributeNS(NULL,path,src.get()); + dummy->setAttributeNS(NULL,validate,xmlconstants::XML_ONE); g_Config->setServiceProvider(g_Config->ServiceProviderManager.newPlugin(XML_SERVICE_PROVIDER,dummy)); g_Config->getServiceProvider()->init(); diff --git a/nsapi_shib/nsapi_shib.cpp b/nsapi_shib/nsapi_shib.cpp index 9e35a83..5d45aac 100644 --- a/nsapi_shib/nsapi_shib.cpp +++ b/nsapi_shib/nsapi_shib.cpp @@ -73,7 +73,8 @@ namespace { string g_ServerScheme; string g_unsetHeaderValue; - static const XMLCh path[] = UNICODE_LITERAL_4(p,a,t,h); + static const XMLCh path[] = UNICODE_LITERAL_4(p,a,t,h); + static const XMLCh validate[] = UNICODE_LITERAL_8(v,a,l,i,d,a,t,e); } PluginManager::Factory SunRequestMapFactory; @@ -126,7 +127,6 @@ extern "C" NSAPI_PUBLIC int nsapi_shib_init(pblock* pb, ::Session* sn, Request* g_Config=&SPConfig::getConfig(); g_Config->setFeatures( SPConfig::Listener | - SPConfig::Caching | SPConfig::Metadata | SPConfig::RequestMapping | SPConfig::InProcess | @@ -146,6 +146,7 @@ extern "C" NSAPI_PUBLIC int nsapi_shib_init(pblock* pb, ::Session* sn, Request* DOMElement* dummy = dummydoc->createElementNS(NULL,path); auto_ptr_XMLCh src(config); dummy->setAttributeNS(NULL,path,src.get()); + dummy->setAttributeNS(NULL,validate,xmlconstants::XML_ONE); g_Config->setServiceProvider(g_Config->ServiceProviderManager.newPlugin(XML_SERVICE_PROVIDER,dummy)); g_Config->getServiceProvider()->init(); diff --git a/schemas/Makefile.am b/schemas/Makefile.am index 32b39ad..ed57c54 100644 --- a/schemas/Makefile.am +++ b/schemas/Makefile.am 
@@ -7,10 +7,8 @@ pkgxmldir = $(datadir)/xml/@PACKAGE@ pkgxml_DATA = \ catalog.xml \ shibboleth-metadata-1.0.xsd \ - shibboleth-targetconfig-1.0.xsd \ shibboleth-spconfig-2.0.xsd \ shibboleth.xsd \ - shibboleth-trust-1.0.xsd \ metadata_v12_to_v11.xsl \ metadata_v12_to_v13.xsl \ metadata_v13_to_v12.xsl \ @@ -32,8 +30,4 @@ catalog.xml: ${srcdir}/catalog.xml.in Makefile ${top_builddir}/config.status CLEANFILES = catalog.xml -EXTRA_DIST = - catalog.xml.in \ - shibboleth-metadata-1.0.xsd \ - shibboleth-targetconfig-1.0.xsd \ - shibboleth-spconfig-2.0.xsd +EXTRA_DIST = catalog.xml.in diff --git a/schemas/catalog.xml.in b/schemas/catalog.xml.in index e142ba0..cd58fe1 100644 --- a/schemas/catalog.xml.in +++ b/schemas/catalog.xml.in @@ -2,6 +2,5 @@ - diff --git a/schemas/shibboleth-spconfig-2.0.xsd b/schemas/shibboleth-spconfig-2.0.xsd index 61d13f6..87d9bc0 100644 --- a/schemas/shibboleth-spconfig-2.0.xsd +++ b/schemas/shibboleth-spconfig-2.0.xsd @@ -19,41 +19,42 @@ + + + + + + + + + + - + - - - - - - Root of configuration - - - - - - - - - - - - - - - - - - - - - + + + + Root of configuration + + + + + + + + + + + + + + @@ -63,12 +64,15 @@ - - - - - - + + + + + + + + + @@ -76,81 +80,109 @@ - + + + References StorageService plugins + + + + + + + + + + + References SessionCache plugins + + + + + + + + - + + + Ties ReplayCache to custom StorageService + + + + + + - + Container for shibd out-of-process configuration - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + - + Container for configuration of locally integrated or platform-specific features (e.g. web server filters) - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + @@ -161,10 +193,10 @@ - + - + @@ -204,19 +236,16 @@ - + - - - - + - + @@ -239,7 +268,7 @@ - + @@ -256,7 +285,7 @@ - + @@ -265,9 +294,9 @@ - + - + @@ -282,8 +311,8 @@ - - + + @@ -297,15 +326,12 @@ - - - - - - + + + - + @@ -321,14 +347,11 @@ - - - - - - + + + - + 
@@ -360,14 +383,15 @@ - - + + + @@ -385,7 +409,7 @@ - + @@ -403,7 +427,7 @@ - + @@ -411,14 +435,14 @@ - - + + - + @@ -441,7 +465,7 @@ - + @@ -460,13 +484,17 @@ + + References CredentialResolver plugins + - + + @@ -475,5 +503,26 @@ + + + Container for specifying sets of policy rules to apply to incoming messages + + + + + + Specifies a set of SecurityPolicyRule plugins + + + + + + + + + + + + + - diff --git a/schemas/shibboleth-targetconfig-1.0.xsd b/schemas/shibboleth-targetconfig-1.0.xsd deleted file mode 100644 index 98e80bc..0000000 --- a/schemas/shibboleth-targetconfig-1.0.xsd +++ /dev/null 
@@ -1,542 +0,0 @@ - - - - - - - - - 1.0 schema for XML-based configuration of Shibboleth target libraries and modules. - First appearing in Shibboleth 1.2 release. - - - - - - - - - - - - - - - - - Root element of configuration file - - - - - - - - - - - - - - - - - - - - - - - - - Container for extension libraries and custom configuration - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Container for global (server independent) configuration - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Container for configuration of locally integrated or platform-specific - features (e.g. web server filters) - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - A simple example access policy language extension that supersedes Apache .htaccess - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Built-in request mapping syntax, decomposes URLs into Host/Path/Path/... - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Container for global target settings and application-specific overrides - - - - - - - - - - - - - - - - - - - - - - - - - Container for application-specific overrides - - - - - - - - - - - - - - - - - - - - - - - - - - Custom plug-in that resolves ds:KeyInfo elements into public keys, used in - TrustProvider elements. 
- - - - - - - Container for specifying app session establishment and policy - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Used to specify WAYF/Discovery services (external or internal) - - - - - - - - - - - - - - - - - - Used to specify internal diagnostic capabilities - - - - - - - - - - - - - - - - - - - - - - Container for error templates and associated details - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Container for specifying credentials to use - - - - - - - - - - - - - - - - - - - - - - - Specifies a plugin that implements a specialized SAML attribute - - - - - - - - - - - - - diff --git a/schemas/shibboleth-trust-1.0.xsd b/schemas/shibboleth-trust-1.0.xsd deleted file mode 100644 index 0e603a5..0000000 --- a/schemas/shibboleth-trust-1.0.xsd +++ /dev/null @@ -1,60 +0,0 @@ - - - - - - - Trust metadata binds keys or authority lists to system entities. - The metadata consumer is responsible for associating the names of system entities - to the application context in an appropriate way. - - - - - - - An optionally signed collection of trust binding elements. - ds:KeyInfo is by definition a binding of a key to a specific entity, - which may be specified in various ways such as KeyName or X509SubjectName. - - - - - - - - - - - - - - - - - - - - - - Binds keying authorities to one or more named system entities. - Omitting ds:KeyName will apply the authorities to all transactions, unless - another specific match applies. This is risky, so use wisely, in conjunction - with constraints on acceptable messages using other forms of metadata or policy. - - - - - - - - - - - diff --git a/shar/shar.cpp b/shar/shar.cpp index 48ac4c4..d11b26e 100644 --- a/shar/shar.cpp +++ b/shar/shar.cpp 
@@ -134,11 +134,13 @@ int real_main(int preinit) try { fprintf(stderr, "loading configuration file: %s\n", shar_config); static const XMLCh path[] = UNICODE_LITERAL_4(p,a,t,h); + static const XMLCh validate[] = UNICODE_LITERAL_8(v,a,l,i,d,a,t,e); DOMDocument* dummydoc=XMLToolingConfig::getConfig().getParser().newDocument(); XercesJanitor docjanitor(dummydoc); DOMElement* dummy = dummydoc->createElementNS(NULL,path); auto_ptr_XMLCh src(shar_config); dummy->setAttributeNS(NULL,path,src.get()); + dummy->setAttributeNS(NULL,validate,xmlconstants::XML_ONE); conf.setServiceProvider(conf.ServiceProviderManager.newPlugin(XML_SERVICE_PROVIDER,dummy)); conf.getServiceProvider()->init(); @@ -288,11 +290,13 @@ int main(int argc, char *argv[]) try { fprintf(stderr, "loading configuration file: %s\n", shar_config); static const XMLCh path[] = UNICODE_LITERAL_4(p,a,t,h); + static const XMLCh validate[] = UNICODE_LITERAL_8(v,a,l,i,d,a,t,e); DOMDocument* dummydoc=XMLToolingConfig::getConfig().getParser().newDocument(); XercesJanitor docjanitor(dummydoc); DOMElement* dummy = dummydoc->createElementNS(NULL,path); auto_ptr_XMLCh src(shar_config); dummy->setAttributeNS(NULL,path,src.get()); + dummy->setAttributeNS(NULL,validate,xmlconstants::XML_ONE); conf.setServiceProvider(conf.ServiceProviderManager.newPlugin(XML_SERVICE_PROVIDER,dummy)); conf.getServiceProvider()->init(); diff --git a/shibsp/ServiceProvider.h b/shibsp/ServiceProvider.h index e9ea103..4519a21 100644 --- a/shibsp/ServiceProvider.h +++ b/shibsp/ServiceProvider.h @@ -24,12 +24,14 @@ #define __shibsp_sp_h__ #include +#include #include #include namespace shibsp { class SHIBSP_API Application; + class SHIBSP_API Handler; class SHIBSP_API ListenerService; class SHIBSP_API RequestMapper; class SHIBSP_API SessionCache; @@ -43,7 +45,7 @@ namespace shibsp { *
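Review bot: The `validate` literal is declared twice as a function-local static, once in `real_main` (this hunk) and again in `main` (the `@@ -288,11 +290,13 @@` hunk), right next to an equally duplicated `path` literal; the other modules in this commit (mod_apache.cpp, isapi_shib.cpp, nsapi_shib.cpp) keep these literals in a file-level anonymous namespace. Hoisting both into one file-scope declaration, e.g. `namespace { static const XMLCh path[] = UNICODE_LITERAL_4(p,a,t,h); static const XMLCh validate[] = UNICODE_LITERAL_8(v,a,l,i,d,a,t,e); }`, keeps the two bootstrap paths from drifting apart. Both enclosing functions start and end outside their hunks.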

A ServiceProvider exposes configuration and infrastructure services required * by the SP implementation, allowing a flexible configuration format. */ - class SHIBSP_API ServiceProvider : public virtual xmltooling::Lockable, public virtual PropertySet + class SHIBSP_API ServiceProvider : public virtual xmltooling::Lockable, public virtual PropertySet { MAKE_NONCOPYABLE(ServiceProvider); protected: @@ -100,6 +102,14 @@ namespace shibsp { virtual xmlsignature::CredentialResolver* getCredentialResolver(const char* id) const=0; /** + * Returns the security policy rules in effect for a Handler instance. + * + * @param handler identifies the Handler for which to return the policy rules + * @return array of policy rules + */ + virtual std::vector& getPolicyRules(const Handler& handler) const=0; + + /** * Returns a RequestMapper instance. * * @param required true iff an exception should be thrown if no RequestMapper is available @@ -107,8 +117,6 @@ namespace shibsp { */ virtual RequestMapper* getRequestMapper(bool required=true) const=0; - //virtual ISessionCache* getSessionCache() const=0; - /** * Returns an Application instance matching the specified ID. * diff --git a/shibsp/impl/RemotedSessionCache.cpp b/shibsp/impl/RemotedSessionCache.cpp index fadb7ce..ad81d01 100644 --- a/shibsp/impl/RemotedSessionCache.cpp +++ b/shibsp/impl/RemotedSessionCache.cpp @@ -612,7 +612,7 @@ void RemotedCache::cleanup() rerun_timer = XMLString::parseInt(tag); if (rerun_timer <= 0) - rerun_timer = 300; // rerun every 5 minutes + rerun_timer = 900; // rerun every 5 minutes mutex->lock(); diff --git a/shibsp/impl/XMLRequestMapper.cpp b/shibsp/impl/XMLRequestMapper.cpp index 772c51c..66fd87c 100644 --- a/shibsp/impl/XMLRequestMapper.cpp +++ b/shibsp/impl/XMLRequestMapper.cpp 
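Review bot: The new `getPolicyRules` declaration returns a non-const reference from a const member, and its doc comment says nothing about who owns the vector or how long the reference stays valid; the class is `xmltooling::Lockable` and the implementation is reloadable, so the sensible contract is that the reference is only valid while the caller holds the ServiceProvider lock. I would add `@return reference to the policy rules, valid only while the ServiceProvider is locked; the rules are owned by the ServiceProvider and must not be modified` and make the return type a const reference so a handler cannot mutate rules shared by every other handler using the same policy. The vector's element type is not legible on this page, so I cannot quote the full signature.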
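Review bot: The comment on the changed line in RemotedCache::cleanup no longer matches the code: the default became 900 seconds but the comment still says "rerun every 5 minutes"; it should read `rerun_timer = 900; // rerun every 15 minutes`. If this timer drives expiry of stale sessions, tripling the default also lengthens the window in which an expired session can still be found in the cache by up to ten minutes, so confirm the new value is deliberate rather than a leftover from testing. cleanup() starts and ends outside the hunk.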
@@ -162,7 +162,7 @@ void SHIBSP_API shibsp::registerRequestMappers() short Override::acceptNode(const DOMNode* node) const { - if (!XMLString::equals(node->getNamespaceURI(),shibspconstants::SHIB1SPCONFIG_NS)) + if (!XMLString::equals(node->getNamespaceURI(),shibspconstants::SHIB2SPCONFIG_NS)) return FILTER_ACCEPT; const XMLCh* name=node->getLocalName(); if (XMLString::equals(name,Host) || @@ -247,7 +247,7 @@ Override::Override(const DOMElement* e, Category& log, const Override* base) : m if (*n) { // Create a placeholder Path element for the first path segment and replant under it. - DOMElement* newpath=path->getOwnerDocument()->createElementNS(shibspconstants::SHIB1SPCONFIG_NS,Path); + DOMElement* newpath=path->getOwnerDocument()->createElementNS(shibspconstants::SHIB2SPCONFIG_NS,Path); newpath->setAttributeNS(NULL,name,namebuf); path->setAttributeNS(NULL,name,n); path->getParentNode()->replaceChild(newpath,path); diff --git a/shibsp/impl/XMLServiceProvider.cpp b/shibsp/impl/XMLServiceProvider.cpp index b2b87fb..faa71d7 100644 --- a/shibsp/impl/XMLServiceProvider.cpp +++ b/shibsp/impl/XMLServiceProvider.cpp @@ -51,7 +51,7 @@ #include using namespace shibsp; -using namespace opensaml::saml1; +using namespace opensaml::saml2; using namespace opensaml::saml2md; using namespace opensaml; using namespace xmltooling; @@ -59,7 +59,7 @@ using namespace log4cpp; using namespace std; using xmlsignature::CredentialResolver; -namespace shibsp { +namespace { #if defined (_MSC_VER) #pragma warning( push ) @@ -124,7 +124,7 @@ namespace shibsp { // maps binding strings to supporting consumer service(s) #ifdef HAVE_GOOD_STL - typedef map > ACSBindingMap; + typedef map > ACSBindingMap; #else typedef map > ACSBindingMap; #endif @@ -138,7 +138,7 @@ namespace shibsp { DOMPropertySet* m_credDefault; #ifdef HAVE_GOOD_STL - map m_credMap; + map m_credMap; #else map m_credMap; #endif 
@@ -155,6 +155,8 @@ namespace shibsp { RequestMapper* m_requestMapper; map m_appmap; map m_credResolverMap; + map< string,vector > m_policyMap; + string m_policyDefault; // Provides filter to exclude special config elements. short acceptNode(const DOMNode* node) const; @@ -174,7 +176,7 @@ namespace shibsp { { public: XMLConfig(const DOMElement* e) - : ReloadableXMLFile(e), m_impl(NULL), m_listener(NULL), m_sessionCache(NULL) { + : ReloadableXMLFile(e), m_impl(NULL), m_listener(NULL), m_sessionCache(NULL), m_tranLog(NULL) { } void init() { @@ -196,7 +198,7 @@ namespace shibsp { pair getXMLString(const char* name, const char* ns=NULL) const {return m_impl->getXMLString(name,ns);} pair getUnsignedInt(const char* name, const char* ns=NULL) const {return m_impl->getUnsignedInt(name,ns);} pair getInt(const char* name, const char* ns=NULL) const {return m_impl->getInt(name,ns);} - const PropertySet* getPropertySet(const char* name, const char* ns="urn:mace:shibboleth:target:config:1.0") const {return m_impl->getPropertySet(name,ns);} + const PropertySet* getPropertySet(const char* name, const char* ns="urn:mace:shibboleth:sp:config:2.0") const {return m_impl->getPropertySet(name,ns);} const DOMElement* getElement() const {return m_impl->getElement();} // ServiceProvider @@ -247,6 +249,15 @@ namespace shibsp { return NULL; } + vector& getPolicyRules(const Handler& handler) const { + pair pid = handler.getString("policyId", "urn:mace:shibboleth:sp:config:2.0"); + if (!pid.first) + pid.second = m_impl->m_policyDefault.c_str(); + if (m_impl->m_policyMap.count(pid.second)) + return m_impl->m_policyMap[pid.second]; + throw ConfigurationException("Security Policy ($1) not found, check element.", params(1,pid.second)); + } + protected: pair load(); 
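Review bot: `getPolicyRules` in the `@@ -247,6 +249,15 @@` hunk looks the key up twice, once via `count` and once via `operator[]`, and the `operator[]` form only avoids inserting a new empty entry because of the preceding `count`; a single `find` is both cheaper and makes the no-insert property obvious. Replace the two lines with a lookup such as `map<string, vector<...> >::iterator i = m_impl->m_policyMap.find(pid.second);` followed by `if (i != m_impl->m_policyMap.end()) return i->second;` (the vector's element type is not legible on this page). Note that the non-const access through `m_impl` compiles inside a const method only because `m_impl` is a pointer, which is worth a short comment if the returned reference is meant to stay mutable. The fail-closed behaviour of throwing when neither a `policyId` nor a default policy resolves is correct and should stay.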
@@ -263,46 +274,45 @@ namespace shibsp { #pragma warning( pop ) #endif - ServiceProvider* XMLServiceProviderFactory(const DOMElement* const & e) - { - return new XMLConfig(e); - } - - static const XMLCh AAPProvider[] = UNICODE_LITERAL_11(A,A,P,P,r,o,v,i,d,e,r); static const XMLCh _Application[] = UNICODE_LITERAL_11(A,p,p,l,i,c,a,t,i,o,n); static const XMLCh Applications[] = UNICODE_LITERAL_12(A,p,p,l,i,c,a,t,i,o,n,s); - static const XMLCh AttributeFactory[] = UNICODE_LITERAL_16(A,t,t,r,i,b,u,t,e,F,a,c,t,o,r,y); static const XMLCh Credentials[] = UNICODE_LITERAL_11(C,r,e,d,e,n,t,i,a,l,s); - static const XMLCh CredentialsProvider[] = UNICODE_LITERAL_19(C,r,e,d,e,n,t,i,a,l,s,P,r,o,v,i,d,e,r); static const XMLCh CredentialUse[] = UNICODE_LITERAL_13(C,r,e,d,e,n,t,i,a,l,U,s,e); - static const XMLCh DiagnosticService[] = UNICODE_LITERAL_17(D,i,a,g,n,o,s,t,i,c,S,e,r,v,i,c,e); + static const XMLCh _default[] = UNICODE_LITERAL_7(d,e,f,a,u,l,t); static const XMLCh fatal[] = UNICODE_LITERAL_5(f,a,t,a,l); - static const XMLCh FileResolver[] = UNICODE_LITERAL_12(F,i,l,e,R,e,s,o,l,v,e,r); - static const XMLCh Global[] = UNICODE_LITERAL_6(G,l,o,b,a,l); - static const XMLCh Id[] = UNICODE_LITERAL_2(I,d); + static const XMLCh _Handler[] = UNICODE_LITERAL_7(H,a,n,d,l,e,r); + static const XMLCh _id[] = UNICODE_LITERAL_2(i,d); static const XMLCh Implementation[] = UNICODE_LITERAL_14(I,m,p,l,e,m,e,n,t,a,t,i,o,n); static const XMLCh InProcess[] = UNICODE_LITERAL_9(I,n,P,r,o,c,e,s,s); static const XMLCh Library[] = UNICODE_LITERAL_7(L,i,b,r,a,r,y); static const XMLCh Listener[] = UNICODE_LITERAL_8(L,i,s,t,e,n,e,r); - static const XMLCh Local[] = UNICODE_LITERAL_5(L,o,c,a,l); static const XMLCh logger[] = UNICODE_LITERAL_6(l,o,g,g,e,r); static const XMLCh MemoryListener[] = UNICODE_LITERAL_14(M,e,m,o,r,y,L,i,s,t,e,n,e,r); - static const XMLCh MemorySessionCache[] = UNICODE_LITERAL_18(M,e,m,o,r,y,S,e,s,s,i,o,n,C,a,c,h,e); + static const XMLCh Policy[] = UNICODE_LITERAL_6(P,o,l,i,c,y); 
static const XMLCh RelyingParty[] = UNICODE_LITERAL_12(R,e,l,y,i,n,g,P,a,r,t,y); static const XMLCh _ReplayCache[] = UNICODE_LITERAL_11(R,e,p,l,a,y,C,a,c,h,e); - static const XMLCh RequestMapProvider[] = UNICODE_LITERAL_18(R,e,q,u,e,s,t,M,a,p,P,r,o,v,i,d,e,r); + static const XMLCh _RequestMapper[] = UNICODE_LITERAL_13(R,e,q,u,e,s,t,M,a,p,p,e,r); + static const XMLCh Rule[] = UNICODE_LITERAL_4(R,u,l,e); + static const XMLCh SecurityPolicies[] = UNICODE_LITERAL_16(S,e,c,u,r,i,t,y,P,o,l,i,c,i,e,s); static const XMLCh _SessionCache[] = UNICODE_LITERAL_12(S,e,s,s,i,o,n,C,a,c,h,e); static const XMLCh SessionInitiator[] = UNICODE_LITERAL_16(S,e,s,s,i,o,n,I,n,i,t,i,a,t,o,r); static const XMLCh _StorageService[] = UNICODE_LITERAL_14(S,t,o,r,a,g,e,S,e,r,v,i,c,e); static const XMLCh OutOfProcess[] = UNICODE_LITERAL_12(O,u,t,O,f,P,r,o,c,e,s,s); static const XMLCh TCPListener[] = UNICODE_LITERAL_11(T,C,P,L,i,s,t,e,n,e,r); - static const XMLCh TrustProvider[] = UNICODE_LITERAL_13(T,r,u,s,t,P,r,o,v,i,d,e,r); + static const XMLCh _TrustEngine[] = UNICODE_LITERAL_11(T,r,u,s,t,E,n,g,i,n,e); static const XMLCh UnixListener[] = UNICODE_LITERAL_12(U,n,i,x,L,i,s,t,e,n,e,r); static const XMLCh _MetadataProvider[] = UNICODE_LITERAL_16(M,e,t,a,d,a,t,a,P,r,o,v,i,d,e,r); static const XMLCh _path[] = UNICODE_LITERAL_4(p,a,t,h); static const XMLCh _type[] = UNICODE_LITERAL_4(t,y,p,e); }; +namespace shibsp { + ServiceProvider* XMLServiceProviderFactory(const DOMElement* const & e) + { + return new XMLConfig(e); + } +}; + XMLApplication::XMLApplication( const ServiceProvider* sp, const DOMElement* e, 
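Review bot: Both namespace closings in this hunk end in `};` — the anonymous namespace after the `_type` literal and the new `namespace shibsp { ... }` wrapping `XMLServiceProviderFactory`; the trailing semicolon is an empty declaration that pedantic compilers warn about and that the older, pre-C++11 toolchains this code targets may reject. Write them as plain `}` (optionally `} // namespace` / `} // namespace shibsp` for readability). Moving the implementation classes into the anonymous namespace while keeping only the factory in `shibsp` is the right split.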
@@ -317,18 +327,7 @@ XMLApplication::XMLApplication( try { // First load any property sets. - map root_remap; - root_remap["shire"]="session"; - root_remap["shireURL"]="handlerURL"; - root_remap["shireSSL"]="handlerSSL"; - load(e,log,this,&root_remap); - - const PropertySet* propcheck=getPropertySet("Errors"); - if (propcheck && !propcheck->getString("session").first) - throw ConfigurationException(" element requires 'session' (or deprecated 'shire') attribute"); - propcheck=getPropertySet("Sessions"); - if (propcheck && !propcheck->getString("handlerURL").first) - throw ConfigurationException(" element requires 'handlerURL' (or deprecated 'shireURL') attribute"); + load(e,log,this); SPConfig& conf=SPConfig::getConfig(); SAMLConfig& samlConf=SAMLConfig::getConfig(); @@ -338,10 +337,12 @@ XMLApplication::XMLApplication( m_hash+=getString("providerId").second; m_hash=samlConf.hashSHA1(m_hash.c_str(), true); + const PropertySet* sessions = getPropertySet("Sessions"); + // Process handlers. Handler* handler=NULL; bool hardACS=false, hardSessionInit=false; - const DOMElement* child = XMLHelper::getFirstChildElement(propcheck->getElement()); + const DOMElement* child = sessions ? XMLHelper::getFirstChildElement(sessions->getElement()) : NULL; while (child) { try { // A handler is based on the Binding property in conjunction with the element name. 
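Review bot: In the `@@ -338,10 +337,12 @@` hunk, when `getPropertySet("Sessions")` returns NULL the handler loop is skipped without any log output, and the next hunk removes the legacy fallback that used to install default handlers, so an Application whose Sessions element is missing or in the wrong namespace now silently ends up with no handlers at all. A one-line `if (!sessions) log.warn("no Sessions element found, no handlers will be installed");` before the loop would make that misconfiguration visible; if the 2.0 schema makes Sessions mandatory and validation is now always on, say so in a comment instead, since that guarantee is not legible on this page. The constructor starts and ends outside the hunk.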
@@ -443,30 +444,7 @@ XMLApplication::XMLApplication( child = XMLHelper::getNextSiblingElement(child); } - // If no handlers defined at the root, assume a legacy configuration. - if (!m_base && m_handlers.empty()) { - try { - // A legacy config installs a SAML POST handler at the root handler location. - // We use the Sessions element itself as the PropertySet. - Handler* h1=conf.SessionInitiatorManager.newPlugin( - shibspconstants::SHIB1_SESSIONINIT_PROFILE_URI,propcheck->getElement() - ); - m_handlers.push_back(h1); - m_sessionInitDefault=h1; - - Handler* h2=conf.AssertionConsumerServiceManager.newPlugin( - samlconstants::SAML1_PROFILE_BROWSER_POST,propcheck->getElement() - ); - m_handlers.push_back(h2); - m_handlerMap[""] = h2; - m_acsDefault=h2; - } - catch (exception& ex) { - log.crit("error installing legacy handler configuration: %s", ex.what()); - } - } - - DOMNodeList* nlist=e->getElementsByTagNameNS(samlconstants::SAML1_NS,Audience::LOCAL_NAME); + DOMNodeList* nlist=e->getElementsByTagNameNS(samlconstants::SAML20_NS,Audience::LOCAL_NAME); for (XMLSize_t i=0; nlist && igetLength(); i++) if (nlist->item(i)->getParentNode()->isSameNode(e) && nlist->item(i)->hasChildNodes()) m_audiences.push_back(nlist->item(i)->getFirstChild()->getNodeValue()); 
@@ -475,78 +453,36 @@ XMLApplication::XMLApplication( m_audiences.push_back(getXMLString("providerId").second); if (conf.isEnabled(SPConfig::AttributeResolver)) { - child = XMLHelper::getFirstChildElement(e,AAPProvider); - while (child) { - // TODO: some kind of compatibility - child = XMLHelper::getNextSiblingElement(child,AAPProvider); - } + // TODO } if (conf.isEnabled(SPConfig::Metadata)) { - vector os2providers; child = XMLHelper::getFirstChildElement(e,_MetadataProvider); - while (child) { + if (child) { auto_ptr_char type(child->getAttributeNS(NULL,_type)); log.info("building metadata provider of type %s...",type.get()); try { auto_ptr mp(samlConf.MetadataProviderManager.newPlugin(type.get(),child)); mp->init(); - os2providers.push_back(mp.release()); + m_metadata = mp.release(); } catch (exception& ex) { log.crit("error building/initializing metadata provider: %s", ex.what()); } - - child = XMLHelper::getNextSiblingElement(child,_MetadataProvider); - } - - if (os2providers.size()==1) - m_metadata=os2providers.front(); - else if (os2providers.size()>1) { - try { - m_metadata = samlConf.MetadataProviderManager.newPlugin(CHAINING_METADATA_PROVIDER,NULL); - ChainingMetadataProvider* chainMeta = dynamic_cast(m_metadata); - while (!os2providers.empty()) { - chainMeta->addMetadataProvider(os2providers.back()); - os2providers.pop_back(); - } - } - catch (exception& ex) { - log.crit("error building chaining metadata provider wrapper: %s",ex.what()); - for_each(os2providers.begin(), os2providers.end(), xmltooling::cleanup()); - } } } if (conf.isEnabled(SPConfig::Trust)) { - ChainingTrustEngine* chainTrust = NULL; - child = XMLHelper::getFirstChildElement(e,TrustProvider); - while (child) { + child = XMLHelper::getFirstChildElement(e,_TrustEngine); + if (child) { auto_ptr_char type(child->getAttributeNS(NULL,_type)); - log.info("building trust provider of type %s...",type.get()); + log.info("building trust engine of type %s...",type.get()); try { - if (!m_trust) { - 
// For compatibility with old engine types, we're assuming a Shib engine is likely, - // which requires chaining, so we'll build that regardless. - m_trust = xmlConf.TrustEngineManager.newPlugin(CHAINING_TRUSTENGINE,NULL); - chainTrust = dynamic_cast(m_trust); - } - if (!strcmp(type.get(),"edu.internet2.middleware.shibboleth.common.provider.ShibbolethTrust")) { - chainTrust->addTrustEngine(xmlConf.TrustEngineManager.newPlugin(EXPLICIT_KEY_TRUSTENGINE,child)); - chainTrust->addTrustEngine(xmlConf.TrustEngineManager.newPlugin(SHIBBOLETH_PKIX_TRUSTENGINE,child)); - } - else if (!strcmp(type.get(),"edu.internet2.middleware.shibboleth.common.provider.BasicTrust")) { - chainTrust->addTrustEngine(xmlConf.TrustEngineManager.newPlugin(EXPLICIT_KEY_TRUSTENGINE,child)); - } - else { - chainTrust->addTrustEngine(xmlConf.TrustEngineManager.newPlugin(type.get(),child)); - } + m_trust = xmlConf.TrustEngineManager.newPlugin(type.get(),child); } catch (exception& ex) { - log.crit("error building trust provider: %s",ex.what()); + log.crit("error building trust engine: %s",ex.what()); } - - child = XMLHelper::getNextSiblingElement(child,TrustProvider); } }
@@ -587,7 +523,7 @@ void XMLApplication::cleanup() delete m_credDefault; #ifdef HAVE_GOOD_STL - for_each(m_credMap.begin(),m_credMap.end(),cleanup_pair()); + for_each(m_credMap.begin(),m_credMap.end(),cleanup_pair()); #else for_each(m_credMap.begin(),m_credMap.end(),cleanup_pair()); #endif
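Review bot: Both the MetadataProvider and TrustEngine branches now read only the first matching child (`if (child)` replaces the old `while` loops), so a second `MetadataProvider` or `TrustEngine` element in an Application is ignored without any message. If the new schema allows only one of each this is fine; otherwise a duplicate is a silent misconfiguration, and a check such as `if (XMLHelper::getNextSiblingElement(child,_TrustEngine)) log.warn("multiple TrustEngine elements found, only the first is used");` after each block (likewise for `_MetadataProvider`) makes it visible. Note also that a failure in the trust-engine try block is logged at crit and then ignored, leaving m_trust unset; whether the application then falls back to the parent's engine or runs without one cannot be seen from the hunk. XMLApplication's constructor begins and ends outside this hunk.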
@@ -598,23 +534,20 @@ void XMLApplication::cleanup() short XMLApplication::acceptNode(const DOMNode* node) const { - if (XMLHelper::isNodeNamed(node,samlconstants::SAML1_NS,AttributeDesignator::LOCAL_NAME)) + if (XMLHelper::isNodeNamed(node,samlconstants::SAML20_NS,opensaml::saml2::Attribute::LOCAL_NAME)) return FILTER_REJECT; - else if (XMLHelper::isNodeNamed(node,samlconstants::SAML20_NS,opensaml::saml1::Attribute::LOCAL_NAME)) - return FILTER_REJECT; - else if (XMLHelper::isNodeNamed(node,samlconstants::SAML1_NS,Audience::LOCAL_NAME)) + else if (XMLHelper::isNodeNamed(node,samlconstants::SAML20_NS,Audience::LOCAL_NAME)) return FILTER_REJECT; const XMLCh* name=node->getLocalName(); if (XMLString::equals(name,_Application) || XMLString::equals(name,AssertionConsumerService::LOCAL_NAME) || XMLString::equals(name,SingleLogoutService::LOCAL_NAME) || - XMLString::equals(name,DiagnosticService) || + XMLString::equals(name,ManageNameIDService::LOCAL_NAME) || XMLString::equals(name,SessionInitiator) || - XMLString::equals(name,AAPProvider) || XMLString::equals(name,CredentialUse) || XMLString::equals(name,RelyingParty) || XMLString::equals(name,_MetadataProvider) || - XMLString::equals(name,TrustProvider)) + XMLString::equals(name,_TrustEngine)) return FILTER_REJECT; return FILTER_ACCEPT;
@@ -689,7 +622,7 @@ const PropertySet* XMLApplication::getCredentialUse(const EntityDescriptor* prov return m_base->getCredentialUse(provider); #ifdef HAVE_GOOD_STL - map::const_iterator i=m_credMap.find(provider->getEntityID()); + map::const_iterator i=m_credMap.find(provider->getEntityID()); if (i!=m_credMap.end()) return i->second; const EntitiesDescriptor* group=dynamic_cast(provider->getParent());
@@ -767,20 +700,17 @@ const Handler* XMLApplication::getHandler(const char* path) const short XMLConfigImpl::acceptNode(const DOMNode* node) const { - if (!XMLString::equals(node->getNamespaceURI(),shibspconstants::SHIB1SPCONFIG_NS) && - !XMLString::equals(node->getNamespaceURI(),shibspconstants::SHIB2SPCONFIG_NS)) + if (!XMLString::equals(node->getNamespaceURI(),shibspconstants::SHIB2SPCONFIG_NS)) return FILTER_ACCEPT; const XMLCh* name=node->getLocalName(); if (XMLString::equals(name,Applications) || - XMLString::equals(name,AttributeFactory) || XMLString::equals(name,Credentials) || - XMLString::equals(name,CredentialsProvider) || XMLString::equals(name,Extensions::LOCAL_NAME) || XMLString::equals(name,Implementation) || XMLString::equals(name,Listener) || XMLString::equals(name,MemoryListener) || - XMLString::equals(name,MemorySessionCache) || - XMLString::equals(name,RequestMapProvider) || + XMLString::equals(name,Policy) || + XMLString::equals(name,_RequestMapper) || XMLString::equals(name,_ReplayCache) || XMLString::equals(name,_SessionCache) || XMLString::equals(name,_StorageService) ||
@@ -819,7 +749,7 @@ void XMLConfigImpl::doExtensions(const DOMElement* e, const char* label, Categor } } -XMLConfigImpl::XMLConfigImpl(const DOMElement* e, bool first, const XMLConfig* outer) : m_outer(outer), m_document(NULL), m_requestMapper(NULL) +XMLConfigImpl::XMLConfigImpl(const DOMElement* e, bool first, const XMLConfig* outer) : m_requestMapper(NULL), m_outer(outer), m_document(NULL) { #ifdef _DEBUG xmltooling::NDC ndc("XMLConfigImpl");
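Review bot: The reject list gains `Policy`, but it is not visible whether it also covers the new root-level `SecurityPolicies` container that the constructor handles structurally (via getLastChildElement in the @@ -1055 hunk) in the same way as Applications and Credentials; the condition runs past the end of this hunk, so it may already be there. If it is not, and accepted child elements are fed to the property loader, adding `XMLString::equals(name,SecurityPolicies) ||` next to `Policy` keeps the filter consistent with the other structural elements it skips. The enclosing conditional continues outside the hunk.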
@@ -828,13 +758,10 @@ XMLConfigImpl::XMLConfigImpl(const DOMElement* e, bool first, const XMLConfig* o try { SPConfig& conf=SPConfig::getConfig(); + SAMLConfig& samlConf=SAMLConfig::getConfig(); XMLToolingConfig& xmlConf=XMLToolingConfig::getConfig(); const DOMElement* SHAR=XMLHelper::getFirstChildElement(e,OutOfProcess); - if (!SHAR) - SHAR=XMLHelper::getFirstChildElement(e,Global); const DOMElement* SHIRE=XMLHelper::getFirstChildElement(e,InProcess); - if (!SHIRE) - SHIRE=XMLHelper::getFirstChildElement(e,Local); // Initialize log4cpp manually in order to redirect log messages as soon as possible. if (conf.isEnabled(SPConfig::Logging)) {
@@ -856,10 +783,7 @@ XMLConfigImpl::XMLConfigImpl(const DOMElement* e, bool first, const XMLConfig* o } // First load any property sets. - map root_remap; - root_remap["Global"]="OutOfProcess"; - root_remap["Local"]="InProcess"; - load(e,log,this,&root_remap); + load(e,log,this); const DOMElement* child; string plugtype;
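Review bot: With the Global/Local fallbacks removed, `SHAR` and `SHIRE` are NULL whenever the OutOfProcess or InProcess element is absent, and later code hands them straight to XMLHelper::getFirstChildElement (the StorageService and RequestMapper lookups in the following hunks). Whether that helper tolerates a NULL parent is not visible here; if the schema does not make the elements mandatory, an explicit check right after the two lookups, e.g. `if (!SHAR || !SHIRE) throw ConfigurationException("OutOfProcess and InProcess elements are required.");`, gives a clear load-time failure instead of depending on the helper's behaviour. The constructor continues outside the hunk.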
@@ -913,17 +837,13 @@ XMLConfigImpl::XMLConfigImpl(const DOMElement* e, bool first, const XMLConfig* o } if (conf.isEnabled(SPConfig::Caching)) { - // TODO: This code's a mess, due to a very bad config layout for the caches... - // Needs rework with the new config file. - const DOMElement* container=conf.isEnabled(SPConfig::OutOfProcess) ? SHAR : SHIRE; - - // First build any StorageServices. - string inmemID; - child=XMLHelper::getFirstChildElement(container,_StorageService); - while (child) { - auto_ptr_char id(child->getAttributeNS(NULL,Id)); - auto_ptr_char type(child->getAttributeNS(NULL,_type)); - if (id.get() && type.get()) { + if (conf.isEnabled(SPConfig::OutOfProcess)) { + // First build any StorageServices. + string inmemID; + child=XMLHelper::getFirstChildElement(SHAR,_StorageService); + while (child) { + auto_ptr_char id(child->getAttributeNS(NULL,_id)); + auto_ptr_char type(child->getAttributeNS(NULL,_type)); try { log.info("building StorageService (%s) of type %s...", id.get(), type.get()); m_outer->m_storage[id.get()] = xmlConf.StorageServiceManager.newPlugin(type.get(),child); 
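Review bot: The rewritten StorageService loop drops the old `if (id.get() && type.get())` guard, so an element missing either attribute now reaches `m_outer->m_storage[id.get()]` and newPlugin(type.get(),...) with a NULL pointer, and building the std::string key from NULL is undefined behaviour. The same pattern appears in the CredentialResolver loop of the next hunk (@@ -933) and in the Policy/Rule loops and the `default` attribute read of the @@ -1055 hunk. If the new schema makes these attributes mandatory and the document is validated before this constructor runs, a short comment where the guard stood should record that dependency; otherwise restore it, e.g. `if (!id.get() || !type.get()) { log.warn("skipping StorageService with missing id or type attribute"); child=XMLHelper::getNextSiblingElement(child,_StorageService); continue; }`. The loop body continues into the next hunk.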
@@ -933,117 +853,93 @@ XMLConfigImpl::XMLConfigImpl(const DOMElement* e, bool first, const XMLConfig* o catch (exception& ex) { log.crit("failed to instantiate StorageService (%s): %s", id.get(), ex.what()); } + child=XMLHelper::getNextSiblingElement(child,_StorageService); } - child=XMLHelper::getNextSiblingElement(container,_StorageService); - } - child=XMLHelper::getFirstChildElement(container,_SessionCache); - if (child) { - auto_ptr_char type(child->getAttributeNS(NULL,_type)); - log.info("building Session Cache of type %s...",type.get()); - m_outer->m_sessionCache=conf.SessionCacheManager.newPlugin(type.get(),child); - } - else if (conf.isEnabled(SPConfig::OutOfProcess)) { - log.warn("custom SessionCache unspecified or no longer supported, building SessionCache of type %s...",STORAGESERVICE_SESSION_CACHE); - if (inmemID.empty()) { - inmemID = "memory"; - log.info("no StorageServices configured, providing in-memory version for legacy config"); - m_outer->m_storage[inmemID] = xmlConf.StorageServiceManager.newPlugin(MEMORY_STORAGE_SERVICE,NULL); + child=XMLHelper::getFirstChildElement(SHAR,_SessionCache); + if (child) { + auto_ptr_char type(child->getAttributeNS(NULL,_type)); + log.info("building SessionCache of type %s...",type.get()); + m_outer->m_sessionCache=conf.SessionCacheManager.newPlugin(type.get(),child); + } + else { + log.warn("SessionCache unspecified, building SessionCache of type %s...",STORAGESERVICE_SESSION_CACHE); + if (inmemID.empty()) { + inmemID = "memory"; + log.info("no StorageServices configured, providing in-memory version for session cache"); + m_outer->m_storage[inmemID] = xmlConf.StorageServiceManager.newPlugin(MEMORY_STORAGE_SERVICE,NULL); + } + child = e->getOwnerDocument()->createElementNS(NULL,_SessionCache); + auto_ptr_XMLCh ssid(inmemID.c_str()); + const_cast(child)->setAttributeNS(NULL,_StorageService,ssid.get()); + m_outer->m_sessionCache=conf.SessionCacheManager.newPlugin(STORAGESERVICE_SESSION_CACHE,child); + } + + // Replay 
cache. + StorageService* replaySS=NULL; + child=XMLHelper::getFirstChildElement(SHAR,_ReplayCache); + if (child) { + auto_ptr_char ssid(child->getAttributeNS(NULL,_StorageService)); + if (ssid.get() && *ssid.get()) { + if (m_outer->m_storage.count(ssid.get())) + replaySS = m_outer->m_storage[ssid.get()]; + if (replaySS) + log.info("building ReplayCache on top of StorageService (%s)...", ssid.get()); + else + log.crit("unable to locate StorageService (%s) in configuration", ssid.get()); + } + } + if (!replaySS) { + log.info("building ReplayCache using in-memory StorageService..."); + if (inmemID.empty()) { + inmemID = "memory"; + log.info("no StorageServices configured, providing in-memory version for legacy config"); + m_outer->m_storage[inmemID] = xmlConf.StorageServiceManager.newPlugin(MEMORY_STORAGE_SERVICE,NULL); + } + replaySS = m_outer->m_storage[inmemID]; } - child = container->getOwnerDocument()->createElementNS(NULL,_SessionCache); - xmltooling::auto_ptr_XMLCh ssid(inmemID.c_str()); - const_cast(child)->setAttributeNS(NULL,_StorageService,ssid.get()); - m_outer->m_sessionCache=conf.SessionCacheManager.newPlugin(STORAGESERVICE_SESSION_CACHE,child); + xmlConf.setReplayCache(new ReplayCache(replaySS)); } else { - log.warn("custom SessionCache unspecified or no longer supported, building SessionCache of type %s...",REMOTED_SESSION_CACHE); + log.info("building in-process SessionCache of type %s...",REMOTED_SESSION_CACHE); m_outer->m_sessionCache=conf.SessionCacheManager.newPlugin(REMOTED_SESSION_CACHE,NULL); } - - // Replay cache. 
- StorageService* replaySS=NULL; - child=XMLHelper::getFirstChildElement(container,_ReplayCache); - if (child) { - auto_ptr_char ssid(child->getAttributeNS(NULL,_StorageService)); - if (ssid.get() && *ssid.get()) { - replaySS = m_outer->m_storage[ssid.get()]; - if (replaySS) - log.info("building ReplayCache on top of StorageService (%s)...", ssid.get()); - else - log.crit("unable to locate StorageService (%s) in configuration", ssid.get()); - } - } - if (!replaySS) { - log.info("building ReplayCache using in-memory StorageService..."); - if (inmemID.empty()) { - inmemID = "memory"; - log.info("no StorageServices configured, providing in-memory version for legacy config"); - m_outer->m_storage[inmemID] = xmlConf.StorageServiceManager.newPlugin(MEMORY_STORAGE_SERVICE,NULL); - } - replaySS = m_outer->m_storage[inmemID]; - } - xmlConf.setReplayCache(new ReplayCache(replaySS)); } } // end of first-time-only stuff // Back to the fully dynamic stuff...next up is the RequestMapper. if (conf.isEnabled(SPConfig::RequestMapping)) { - child=XMLHelper::getFirstChildElement(SHIRE,RequestMapProvider); + child=XMLHelper::getFirstChildElement(SHIRE,_RequestMapper); if (child) { auto_ptr_char type(child->getAttributeNS(NULL,_type)); log.info("building RequestMapper of type %s...",type.get()); m_requestMapper=conf.RequestMapperManager.newPlugin(type.get(),child); } - else { - log.fatal("can't build RequestMapper, missing conf:RequestMapProvider element?"); - throw ConfigurationException("can't build RequestMapper, missing conf:RequestMapProvider element?"); - } } // Now we load the credentials map. if (conf.isEnabled(SPConfig::Credentials)) { - // Old format was to wrap it in a CredentialsProvider plugin, we're inlining that... - child = XMLHelper::getFirstChildElement(e,CredentialsProvider); - child = XMLHelper::getFirstChildElement(child ? child : e,Credentials); + child = XMLHelper::getLastChildElement(e,Credentials); if (child) { // Step down and process resolvers. 
child=XMLHelper::getFirstChildElement(child); while (child) { - auto_ptr_char id(child->getAttributeNS(NULL,Id)); - if (!id.get() || !*(id.get())) { - log.warn("skipping CredentialResolver with no Id attribute"); - child = XMLHelper::getNextSiblingElement(child); - continue; - } - - if (XMLString::equals(child->getLocalName(),FileResolver)) - plugtype=FILESYSTEM_CREDENTIAL_RESOLVER; - else { - auto_ptr_char c(child->getAttributeNS(NULL,_type)); - plugtype=c.get(); - } - - if (!plugtype.empty()) { - try { - CredentialResolver* cr= - XMLToolingConfig::getConfig().CredentialResolverManager.newPlugin(plugtype.c_str(),child); - m_credResolverMap[id.get()] = cr; - } - catch (exception& ex) { - log.crit("failed to instantiate CredentialResolver (%s): %s", id.get(), ex.what()); - } + auto_ptr_char id(child->getAttributeNS(NULL,_id)); + auto_ptr_char type(child->getAttributeNS(NULL,_type)); + try { + CredentialResolver* cr=xmlConf.CredentialResolverManager.newPlugin(type.get(),child); + m_credResolverMap[id.get()] = cr; } - else { - log.error("unknown type of CredentialResolver with Id (%s)", id.get()); + catch (exception& ex) { + log.crit("failed to instantiate CredentialResolver (%s): %s", id.get(), ex.what()); } - child = XMLHelper::getNextSiblingElement(child); } } } // Load the default application. This actually has a fixed ID of "default". ;-) - child=XMLHelper::getFirstChildElement(e,Applications); + child=XMLHelper::getLastChildElement(e,Applications); if (!child) { log.fatal("can't build default Application object, missing conf:Applications element?"); throw ConfigurationException("can't build default Application object, missing conf:Applications element?"); 
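Review bot: The RequestMapper branch no longer fails when the `RequestMapper` element is missing: the `else` that logged fatal and threw ConfigurationException is removed, so `m_requestMapper` keeps the NULL from the initializer list and loading succeeds. If the mapper is now optional, that is a behaviour change every caller of the mapper (not visible here) has to handle; if it is not, the check should come back, e.g. `else throw ConfigurationException("can't build RequestMapper, missing conf:RequestMapper element?");`. Separately, the replay-cache fallback still logs "providing in-memory version for legacy config" while the session-cache branch above it was reworded to "for session cache"; the old wording no longer matches a commit that removes legacy support. XMLConfigImpl's constructor continues on both sides of this hunk.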
@@ -1055,13 +951,39 @@ XMLConfigImpl::XMLConfigImpl(const DOMElement* e, bool first, const XMLConfig* o child = XMLHelper::getFirstChildElement(child,_Application); while (child) { auto_ptr iapp(new XMLApplication(m_outer,child,defapp)); - if (m_appmap.find(iapp->getId())!=m_appmap.end()) - log.crit("found conf:Application element with duplicate Id attribute (%s), skipping it", iapp->getId()); + if (m_appmap.count(iapp->getId())) + log.crit("found conf:Application element with duplicate id attribute (%s), skipping it", iapp->getId()); else m_appmap[iapp->getId()]=iapp.release(); child = XMLHelper::getNextSiblingElement(child,_Application); } + + // Load security policies. + child = XMLHelper::getLastChildElement(e,SecurityPolicies); + if (child) { + auto_ptr_char def(child->getAttributeNS(NULL,_default)); + m_policyDefault = def.get(); + child = XMLHelper::getFirstChildElement(child,Policy); + while (child) { + auto_ptr_char id(child->getAttributeNS(NULL,_id)); + vector& rules = m_policyMap[id.get()]; + const DOMElement* rule = XMLHelper::getFirstChildElement(child,Rule); + while (rule) { + auto_ptr_char type(rule->getAttributeNS(NULL,_type)); + try { + rules.push_back(samlConf.SecurityPolicyRuleManager.newPlugin(type.get(),rule)); + } + catch (exception& ex) { + log.crit("error instantiating policy rule (%s) in policy (%s): %s", type.get(), id.get(), ex.what()); + } + rule = XMLHelper::getNextSiblingElement(rule,Rule); + } + child = XMLHelper::getNextSiblingElement(child,Policy); + } + if (!m_policyMap.count(m_policyDefault)) + throw ConfigurationException("Default security policy ($1) not found in conf:SecurityPolicies element.", params(1,m_policyDefault.c_str())); + } } catch (exception&) { this->~XMLConfigImpl(); 
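Review bot: A rule that fails to instantiate is logged at crit and then skipped, so the policy is registered with fewer rules than the configuration asked for and messages are evaluated against that weaker policy. For a security policy this should fail closed, like the missing-default case a few lines below: after the log.crit, add `throw ConfigurationException("error instantiating policy rule ($1) in policy ($2)", params(2,type.get(),id.get()));`. The loop also keys on `m_policyMap[id.get()]`, so two Policy elements with the same id silently merge their rules; the duplicate-id warning used for Applications just above would fit here as well. The constructor continues past the end of the hunk.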
@@ -1079,6 +1001,8 @@ XMLConfigImpl::~XMLConfigImpl() { for_each(m_appmap.begin(),m_appmap.end(),cleanup_pair()); for_each(m_credResolverMap.begin(),m_credResolverMap.end(),cleanup_pair()); + for (map< string,vector >::iterator i=m_policyMap.begin(); i!=m_policyMap.end(); ++i) + for_each(i->second.begin(), i->second.end(), xmltooling::cleanup()); delete m_requestMapper; if (m_document) m_document->release();
diff --git a/shibsp/security/PKIXTrustEngine.h b/shibsp/security/PKIXTrustEngine.h
index 11ec151..c01f9ac 100644
--- a/shibsp/security/PKIXTrustEngine.h
+++ b/shibsp/security/PKIXTrustEngine.h
@@ -32,7 +32,7 @@ namespace shibsp { void SHIBSP_API registerPKIXTrustEngine(); /** TrustEngine based on Shibboleth PKIX metadata extension. */ - #define SHIBBOLETH_PKIX_TRUSTENGINE "edu.internet2.middleware.shibboleth.security.provider.PKIXTrustEngine" + #define SHIBBOLETH_PKIX_TRUSTENGINE "PKIX" }; #endif /* __shibsp_pkixtrust_h__ */
diff --git a/shibsp/util/DOMPropertySet.cpp b/shibsp/util/DOMPropertySet.cpp
index c9d2db9..58632cb 100644
--- a/shibsp/util/DOMPropertySet.cpp
+++ b/shibsp/util/DOMPropertySet.cpp
@@ -72,8 +72,7 @@ void DOMPropertySet::load( } } if (ns.get()) { - remap=remapper->find(ns.get()); - if (remap!=remapper->end()) + if (remapper && (remap=remapper->find(ns.get()))!=remapper->end()) m_map[string("{") + remap->second.c_str() + '}' + realname]=pair(val,a->getNodeValue()); else m_map[string("{") + ns.get() + '}' + realname]=pair(val,a->getNodeValue());
@@ -106,8 +105,7 @@ void DOMPropertySet::load( } string key; if (ns.get()) { - remap=remapper->find(ns.get()); - if (remap!=remapper->end()) + if (remapper && (remap=remapper->find(ns.get()))!=remapper->end()) key=string("{") + remap->second.c_str() + '}' + realname; else key=string("{") + ns.get() + '}' + realname;
diff --git a/shibsp/util/SPConstants.cpp b/shibsp/util/SPConstants.cpp
index e5f05d2..2c44f52 100644
--- a/shibsp/util/SPConstants.cpp
+++ b/shibsp/util/SPConstants.cpp
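Review bot: The new loop deletes the policy rules from the destructor, which is also invoked explicitly from the constructor's catch (`this->~XMLConfigImpl()` is visible as context at the end of the previous hunk). After such a call the already-constructed members, now including m_policyMap, are torn down a second time when the constructor exits, a pattern that predates this commit but that this hunk extends to one more container. Moving the delete loops into a private helper that also clears each container, and calling that helper from both the catch block and the destructor, would remove the double destruction; the destructor body continues outside the hunk.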
@@ -48,14 +48,6 @@ const XMLCh shibspconstants::SHIB2SPCONFIG_NS[] = // urn:mace:shibboleth:sp:conf chDigit_2, chPeriod, chDigit_0, chNull }; -const XMLCh shibspconstants::SHIB1SPCONFIG_NS[] = // urn:mace:shibboleth:target:config:1.0 -{ chLatin_u, chLatin_r, chLatin_n, chColon, chLatin_m, chLatin_a, chLatin_c, chLatin_e, chColon, - chLatin_s, chLatin_h, chLatin_i, chLatin_b, chLatin_b, chLatin_o, chLatin_l, chLatin_e, chLatin_t, chLatin_h, chColon, - chLatin_t, chLatin_a, chLatin_r, chLatin_g, chLatin_e, chLatin_t, chColon, - chLatin_c, chLatin_o, chLatin_n, chLatin_f, chLatin_i, chLatin_g, chColon, - chDigit_1, chPeriod, chDigit_0, chNull -}; - const XMLCh shibspconstants::SHIB1_ATTRIBUTE_NAMESPACE_URI[] = // urn:mace:shibboleth:1.0:attributeNamespace:uri { chLatin_u, chLatin_r, chLatin_n, chColon, chLatin_m, chLatin_a, chLatin_c, chLatin_e, chColon, chLatin_s, chLatin_h, chLatin_i, chLatin_b, chLatin_b, chLatin_o, chLatin_l, chLatin_e, chLatin_t, chLatin_h, chColon,
diff --git a/shibsp/util/SPConstants.h b/shibsp/util/SPConstants.h
index d1ef478..74372c3 100644
--- a/shibsp/util/SPConstants.h
+++ b/shibsp/util/SPConstants.h
@@ -40,9 +40,6 @@ namespace shibspconstants { /** Shibboleth 2.0 SP configuration namespace ("urn:mace:shibboleth:sp:config:2.0") */ extern SHIBSP_API const XMLCh SHIB2SPCONFIG_NS[]; - /** Shibboleth 1.x "target" (SP) configuration namespace ("urn:mace:shibboleth:target:config:1.0") */ - extern SHIBSP_API const XMLCh SHIB1SPCONFIG_NS[]; - /** Shibboleth 1.x Protocol Enumeration constant ("urn:mace:shibboleth:1.0") */ extern SHIBSP_API const XMLCh SHIB1_PROTOCOL_ENUM[];