/*
- * Copyright 2001-2006 Internet2
+ * Copyright 2001-2007 Internet2
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
#include "binding/SAMLArtifact.h"
#include "saml2/metadata/Metadata.h"
#include "saml2/metadata/AbstractMetadataProvider.h"
+#include "saml2/metadata/MetadataCredentialContext.h"
+#include "saml2/metadata/MetadataCredentialCriteria.h"
#include <xercesc/util/XMLUniDefs.hpp>
-#include <xmltooling/signature/CachingKeyResolver.h>
+#include <xmltooling/security/KeyInfoResolver.h>
#include <xmltooling/util/XMLHelper.h>
using namespace opensaml::saml2md;
-using namespace opensaml;
using namespace xmltooling;
using namespace std;
+using opensaml::SAMLArtifact;
-static const XMLCh GenericKeyResolver[] = UNICODE_LITERAL_11(K,e,y,R,e,s,o,l,v,e,r);
-static const XMLCh type[] = UNICODE_LITERAL_4(t,y,p,e);
+static const XMLCh _KeyInfoResolver[] = UNICODE_LITERAL_15(K,e,y,I,n,f,o,R,e,s,o,l,v,e,r);
+static const XMLCh type[] = UNICODE_LITERAL_4(t,y,p,e);
-AbstractMetadataProvider::AbstractMetadataProvider(const DOMElement* e) : ObservableMetadataProvider(e), m_resolver(NULL)
+AbstractMetadataProvider::AbstractMetadataProvider(const DOMElement* e)
+ : ObservableMetadataProvider(e), m_resolver(NULL), m_credentialLock(NULL)
{
- e = e ? XMLHelper::getFirstChildElement(e, GenericKeyResolver) : NULL;
+ e = e ? XMLHelper::getFirstChildElement(e, _KeyInfoResolver) : NULL;
if (e) {
auto_ptr_char t(e->getAttributeNS(NULL,type));
if (t.get())
- m_resolver = XMLToolingConfig::getConfig().KeyResolverManager.newPlugin(t.get(),e);
+ m_resolver = XMLToolingConfig::getConfig().KeyInfoResolverManager.newPlugin(t.get(),e);
else
- throw UnknownExtensionException("<KeyResolver> element found with no type attribute");
- }
-
- if (!m_resolver) {
- m_resolver = XMLToolingConfig::getConfig().KeyResolverManager.newPlugin(INLINE_KEY_RESOLVER, NULL);
+ throw UnknownExtensionException("<KeyInfoResolver> element found with no type attribute");
}
+ m_credentialLock = Mutex::create();
}
AbstractMetadataProvider::~AbstractMetadataProvider()
{
+ for (credmap_t::iterator c = m_credentialMap.begin(); c!=m_credentialMap.end(); ++c)
+ for_each(c->second.begin(), c->second.end(), xmltooling::cleanup<Credential>());
+ delete m_credentialLock;
delete m_resolver;
}
-void AbstractMetadataProvider::emitChangeEvent()
+void AbstractMetadataProvider::emitChangeEvent() const
{
- xmlsignature::CachingKeyResolver* ckr=dynamic_cast<xmlsignature::CachingKeyResolver*>(m_resolver);
- if (ckr)
- ckr->clearCache();
- ObservableMetadataProvider::emitChangeEvent();
+ for (credmap_t::iterator c = m_credentialMap.begin(); c!=m_credentialMap.end(); ++c)
+ for_each(c->second.begin(), c->second.end(), xmltooling::cleanup<Credential>());
+ m_credentialMap.clear();
+ ObservableMetadataProvider::emitChangeEvent();
}
-void AbstractMetadataProvider::index(EntityDescriptor* site, time_t validUntil)
+void AbstractMetadataProvider::index(EntityDescriptor* site, time_t validUntil, bool replace) const
{
if (validUntil < site->getValidUntilEpoch())
site->setValidUntil(validUntil);
auto_ptr_char id(site->getEntityID());
if (id.get()) {
- m_sites.insert(make_pair(id.get(),site));
+ if (replace) {
+ m_sites.erase(id.get());
+ for (sitemap_t::iterator s = m_sources.begin(); s != m_sources.end();) {
+ if (s->second == site) {
+ sitemap_t::iterator temp = s;
+ ++s;
+ m_sources.erase(temp);
+ }
+ else {
+ ++s;
+ }
+ }
+ }
+ m_sites.insert(sitemap_t::value_type(id.get(),site));
}
// Process each IdP role.
if ((*i)->hasSupport(samlconstants::SAML10_PROTOCOL_ENUM) || (*i)->hasSupport(samlconstants::SAML11_PROTOCOL_ENUM)) {
// Check for SourceID extension element.
const Extensions* exts=(*i)->getExtensions();
- if (exts) {
- const list<XMLObject*>& children=exts->getXMLObjects();
- for (list<XMLObject*>::const_iterator ext=children.begin(); ext!=children.end(); ext++) {
+ if (exts && exts->hasChildren()) {
+ const vector<XMLObject*>& children=exts->getUnknownXMLObjects();
+ for (vector<XMLObject*>::const_iterator ext=children.begin(); ext!=children.end(); ++ext) {
SourceID* sid=dynamic_cast<SourceID*>(*ext);
if (sid) {
auto_ptr_char sourceid(sid->getID());
if (sourceid.get()) {
- m_sources.insert(pair<string,const EntityDescriptor*>(sourceid.get(),site));
+ m_sources.insert(sitemap_t::value_type(sourceid.get(),site));
break;
}
}
}
// Hash the ID.
- m_sources.insert(
- pair<string,const EntityDescriptor*>(SAMLConfig::getConfig().hashSHA1(id.get(), true),site)
- );
+ m_sources.insert(sitemap_t::value_type(SAMLConfig::getConfig().hashSHA1(id.get(), true),site));
// Load endpoints for type 0x0002 artifacts.
const vector<ArtifactResolutionService*>& locs=const_cast<const IDPSSODescriptor*>(*i)->getArtifactResolutionServices();
for (vector<ArtifactResolutionService*>::const_iterator loc=locs.begin(); loc!=locs.end(); loc++) {
auto_ptr_char location((*loc)->getLocation());
if (location.get())
- m_sources.insert(pair<string,const EntityDescriptor*>(location.get(),site));
+ m_sources.insert(sitemap_t::value_type(location.get(),site));
}
}
// SAML 2.0?
if ((*i)->hasSupport(samlconstants::SAML20P_NS)) {
// Hash the ID.
- m_sources.insert(
- pair<string,const EntityDescriptor*>(SAMLConfig::getConfig().hashSHA1(id.get(), true),site)
- );
+ m_sources.insert(sitemap_t::value_type(SAMLConfig::getConfig().hashSHA1(id.get(), true),site));
}
}
}
-void AbstractMetadataProvider::index(EntitiesDescriptor* group, time_t validUntil)
+void AbstractMetadataProvider::index(EntitiesDescriptor* group, time_t validUntil) const
{
if (validUntil < group->getValidUntilEpoch())
group->setValidUntil(validUntil);
auto_ptr_char name(group->getName());
if (name.get()) {
- m_groups.insert(make_pair(name.get(),group));
+ m_groups.insert(groupmap_t::value_type(name.get(),group));
}
const vector<EntitiesDescriptor*>& groups=const_cast<const EntitiesDescriptor*>(group)->getEntitiesDescriptors();
index(*j,group->getValidUntilEpoch());
}
-void AbstractMetadataProvider::clearDescriptorIndex()
+void AbstractMetadataProvider::clearDescriptorIndex(bool freeSites)
{
- m_sources.clear();
+ if (freeSites)
+ for_each(m_sites.begin(), m_sites.end(), cleanup_const_pair<string,EntityDescriptor>());
m_sites.clear();
m_groups.clear();
+ m_sources.clear();
}
const EntitiesDescriptor* AbstractMetadataProvider::getEntitiesDescriptor(const char* name, bool strict) const
return NULL;
}
+
+const Credential* AbstractMetadataProvider::resolve(const CredentialCriteria* criteria) const
+{
+ const MetadataCredentialCriteria* metacrit = dynamic_cast<const MetadataCredentialCriteria*>(criteria);
+ if (!metacrit)
+ throw MetadataException("Cannot resolve credentials without a MetadataCredentialCriteria object.");
+
+ Lock lock(m_credentialLock);
+ const credmap_t::mapped_type& creds = resolveCredentials(metacrit->getRole());
+
+ for (credmap_t::mapped_type::const_iterator c = creds.begin(); c!=creds.end(); ++c)
+ if (metacrit->matches(*(*c)))
+ return *c;
+ return NULL;
+}
+
+vector<const Credential*>::size_type AbstractMetadataProvider::resolve(
+ vector<const Credential*>& results, const CredentialCriteria* criteria
+ ) const
+{
+ const MetadataCredentialCriteria* metacrit = dynamic_cast<const MetadataCredentialCriteria*>(criteria);
+ if (!metacrit)
+ throw MetadataException("Cannot resolve credentials without a MetadataCredentialCriteria object.");
+
+ Lock lock(m_credentialLock);
+ const credmap_t::mapped_type& creds = resolveCredentials(metacrit->getRole());
+
+ for (credmap_t::mapped_type::const_iterator c = creds.begin(); c!=creds.end(); ++c)
+ if (metacrit->matches(*(*c)))
+ results.push_back(*c);
+ return results.size();
+}
+
+const AbstractMetadataProvider::credmap_t::mapped_type& AbstractMetadataProvider::resolveCredentials(const RoleDescriptor& role) const
+{
+ credmap_t::const_iterator i = m_credentialMap.find(&role);
+ if (i!=m_credentialMap.end())
+ return i->second;
+
+ const KeyInfoResolver* resolver = m_resolver ? m_resolver : XMLToolingConfig::getConfig().getKeyInfoResolver();
+ const vector<KeyDescriptor*>& keys = role.getKeyDescriptors();
+ AbstractMetadataProvider::credmap_t::mapped_type& resolved = m_credentialMap[&role];
+ for (vector<KeyDescriptor*>::const_iterator k = keys.begin(); k!=keys.end(); ++k) {
+ if ((*k)->getKeyInfo()) {
+ auto_ptr<MetadataCredentialContext> mcc(new MetadataCredentialContext(*(*k)));
+ Credential* c = resolver->resolve(mcc.get());
+ mcc.release();
+ resolved.push_back(c);
+ }
+ }
+ return resolved;
+}