2 * Copyright 2001-2007 Internet2
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
8 * http://www.apache.org/licenses/LICENSE-2.0
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
20 * Shibboleth ISAPI filter
24 #include "config_win32.h"
26 #define _CRT_NONSTDC_NO_DEPRECATE 1
27 #define _CRT_SECURE_NO_DEPRECATE 1
29 #include <shibsp/AbstractSPRequest.h>
30 #include <shibsp/SPConfig.h>
31 #include <shibsp/ServiceProvider.h>
32 #include <xmltooling/unicode.h>
33 #include <xmltooling/XMLToolingConfig.h>
34 #include <xmltooling/util/NDC.h>
35 #include <xmltooling/util/XMLConstants.h>
36 #include <xmltooling/util/XMLHelper.h>
37 #include <xercesc/util/Base64.hpp>
38 #include <xercesc/util/XMLUniDefs.hpp>
49 using namespace shibsp;
50 using namespace xmltooling;
51 using namespace xercesc;
56 static const XMLCh path[] = UNICODE_LITERAL_4(p,a,t,h);
57 static const XMLCh validate[] = UNICODE_LITERAL_8(v,a,l,i,d,a,t,e);
58 static const XMLCh name[] = UNICODE_LITERAL_4(n,a,m,e);
59 static const XMLCh port[] = UNICODE_LITERAL_4(p,o,r,t);
60 static const XMLCh sslport[] = UNICODE_LITERAL_7(s,s,l,p,o,r,t);
61 static const XMLCh scheme[] = UNICODE_LITERAL_6(s,c,h,e,m,e);
62 static const XMLCh id[] = UNICODE_LITERAL_2(i,d);
63 static const XMLCh Implementation[] = UNICODE_LITERAL_14(I,m,p,l,e,m,e,n,t,a,t,i,o,n);
64 static const XMLCh ISAPI[] = UNICODE_LITERAL_5(I,S,A,P,I);
65 static const XMLCh Alias[] = UNICODE_LITERAL_5(A,l,i,a,s);
66 static const XMLCh normalizeRequest[] = UNICODE_LITERAL_16(n,o,r,m,a,l,i,z,e,R,e,q,u,e,s,t);
67 static const XMLCh Site[] = UNICODE_LITERAL_4(S,i,t,e);
70 site_t(const DOMElement* e)
72 auto_ptr_char n(e->getAttributeNS(NULL,name));
73 auto_ptr_char s(e->getAttributeNS(NULL,scheme));
74 auto_ptr_char p(e->getAttributeNS(NULL,port));
75 auto_ptr_char p2(e->getAttributeNS(NULL,sslport));
76 if (n.get()) m_name=n.get();
77 if (s.get()) m_scheme=s.get();
78 if (p.get()) m_port=p.get();
79 if (p2.get()) m_sslport=p2.get();
80 e = XMLHelper::getFirstChildElement(e, Alias);
82 if (e->hasChildNodes()) {
83 auto_ptr_char alias(e->getFirstChild()->getNodeValue());
84 m_aliases.insert(alias.get());
86 e = XMLHelper::getNextSiblingElement(e, Alias);
89 string m_scheme,m_port,m_sslport,m_name;
90 set<string> m_aliases;
94 SPConfig* g_Config = NULL;
95 map<string,site_t> g_Sites;
96 bool g_bNormalizeRequest = true;
97 string g_unsetHeaderValue;
98 bool g_checkSpoofing = true;
99 bool g_catchAll = false;
100 vector<string> g_NoCerts;
104 LPCSTR lpUNCServerName,
110 LPCSTR messages[] = {message, NULL};
112 HANDLE hElog = RegisterEventSource(lpUNCServerName, "Shibboleth ISAPI Filter");
113 BOOL res = ReportEvent(hElog, wType, 0, dwEventID, lpUserSid, 1, 0, messages, NULL);
114 return (DeregisterEventSource(hElog) && res);
117 extern "C" __declspec(dllexport) BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID)
119 if (fdwReason==DLL_PROCESS_ATTACH)
124 extern "C" BOOL WINAPI GetExtensionVersion(HSE_VERSION_INFO* pVer)
130 LogEvent(NULL, EVENTLOG_ERROR_TYPE, 2100, NULL,
131 "Extension mode startup not possible, is the DLL loaded as a filter?");
135 pVer->dwExtensionVersion=HSE_VERSION;
136 strncpy(pVer->lpszExtensionDesc,"Shibboleth ISAPI Extension",HSE_MAX_EXT_DLL_NAME_LEN-1);
140 extern "C" BOOL WINAPI TerminateExtension(DWORD)
142 return TRUE; // cleanup should happen when filter unloads
145 extern "C" BOOL WINAPI GetFilterVersion(PHTTP_FILTER_VERSION pVer)
150 LogEvent(NULL, EVENTLOG_ERROR_TYPE, 2100, NULL,
151 "Reentrant filter initialization, ignoring...");
155 LPCSTR schemadir=getenv("SHIBSP_SCHEMAS");
157 schemadir=SHIBSP_SCHEMAS;
158 LPCSTR config=getenv("SHIBSP_CONFIG");
160 config=SHIBSP_CONFIG;
161 g_Config=&SPConfig::getConfig();
162 g_Config->setFeatures(
165 SPConfig::RequestMapping |
166 SPConfig::InProcess |
170 if (!g_Config->init(schemadir)) {
172 LogEvent(NULL, EVENTLOG_ERROR_TYPE, 2100, NULL,
173 "Filter startup failed during library initialization, check native log for help.");
178 DOMDocument* dummydoc=XMLToolingConfig::getConfig().getParser().newDocument();
179 XercesJanitor<DOMDocument> docjanitor(dummydoc);
180 DOMElement* dummy = dummydoc->createElementNS(NULL,path);
181 auto_ptr_XMLCh src(config);
182 dummy->setAttributeNS(NULL,path,src.get());
183 dummy->setAttributeNS(NULL,validate,xmlconstants::XML_ONE);
185 g_Config->setServiceProvider(g_Config->ServiceProviderManager.newPlugin(XML_SERVICE_PROVIDER,dummy));
186 g_Config->getServiceProvider()->init();
188 catch (exception& ex) {
191 LogEvent(NULL, EVENTLOG_ERROR_TYPE, 2100, NULL, ex.what());
192 LogEvent(NULL, EVENTLOG_ERROR_TYPE, 2100, NULL,
193 "Filter startup failed to load configuration, check native log for details.");
197 // Access the implementation-specifics for site mappings.
198 ServiceProvider* sp=g_Config->getServiceProvider();
200 const PropertySet* props=sp->getPropertySet("InProcess");
202 pair<bool,const char*> unsetValue=props->getString("unsetHeaderValue");
203 if (unsetValue.first)
204 g_unsetHeaderValue = unsetValue.second;
205 pair<bool,bool> flag=props->getBool("checkSpoofing");
206 g_checkSpoofing = !flag.first || flag.second;
207 flag=props->getBool("catchAll");
208 g_catchAll = flag.first && flag.second;
210 const DOMElement* impl=XMLHelper::getFirstChildElement(props->getElement(),Implementation);
211 if (impl && (impl=XMLHelper::getFirstChildElement(impl,ISAPI))) {
212 const XMLCh* flag=impl->getAttributeNS(NULL,normalizeRequest);
213 g_bNormalizeRequest=(!flag || !*flag || *flag==chDigit_1 || *flag==chLatin_t);
214 impl=XMLHelper::getFirstChildElement(impl,Site);
216 auto_ptr_char id(impl->getAttributeNS(NULL,id));
218 g_Sites.insert(pair<string,site_t>(id.get(),site_t(impl)));
219 impl=XMLHelper::getNextSiblingElement(impl,Site);
224 pVer->dwFilterVersion=HTTP_FILTER_REVISION;
225 strncpy(pVer->lpszFilterDesc,"Shibboleth ISAPI Filter",SF_MAX_FILTER_DESC_LEN);
226 pVer->dwFlags=(SF_NOTIFY_ORDER_HIGH |
227 SF_NOTIFY_SECURE_PORT |
228 SF_NOTIFY_NONSECURE_PORT |
229 SF_NOTIFY_PREPROC_HEADERS |
231 LogEvent(NULL, EVENTLOG_INFORMATION_TYPE, 7701, NULL, "Filter initialized...");
235 extern "C" BOOL WINAPI TerminateFilter(DWORD)
240 LogEvent(NULL, EVENTLOG_INFORMATION_TYPE, 7701, NULL, "Filter shut down...");
244 /* Next up, some suck-free versions of various APIs.
246 You DON'T require people to guess the buffer size and THEN tell them the right size.
247 Returning an LPCSTR is apparently way beyond their ken. Not to mention the fact that
248 constant strings aren't typed as such, making it just that much harder. These versions
249 are now updated to use a special growable buffer object, modeled after the standard
250 string class. The standard string won't work because they left out the option to
251 pre-allocate a non-constant buffer.
257 dynabuf() { bufptr=NULL; buflen=0; }
258 dynabuf(size_t s) { bufptr=new char[buflen=s]; *bufptr=0; }
259 ~dynabuf() { delete[] bufptr; }
260 size_t length() const { return bufptr ? strlen(bufptr) : 0; }
261 size_t size() const { return buflen; }
262 bool empty() const { return length()==0; }
263 void reserve(size_t s, bool keep=false);
264 void erase() { if (bufptr) memset(bufptr,0,buflen); }
265 operator char*() { return bufptr; }
266 bool operator ==(const char* s) const;
267 bool operator !=(const char* s) const { return !(*this==s); }
273 void dynabuf::reserve(size_t s, bool keep)
280 p[buflen]=bufptr[buflen];
286 bool dynabuf::operator==(const char* s) const
288 if (buflen==NULL || s==NULL)
289 return (buflen==NULL && s==NULL);
291 return strcmp(bufptr,s)==0;
294 void GetServerVariable(PHTTP_FILTER_CONTEXT pfc, LPSTR lpszVariable, dynabuf& s, DWORD size=80, bool bRequired=true)
300 while (!pfc->GetServerVariable(pfc,lpszVariable,s,&size)) {
301 // Grumble. Check the error.
302 DWORD e=GetLastError();
303 if (e==ERROR_INSUFFICIENT_BUFFER)
308 if (bRequired && s.empty())
312 void GetServerVariable(LPEXTENSION_CONTROL_BLOCK lpECB, LPSTR lpszVariable, dynabuf& s, DWORD size=80, bool bRequired=true)
318 while (!lpECB->GetServerVariable(lpECB->ConnID,lpszVariable,s,&size)) {
319 // Grumble. Check the error.
320 DWORD e=GetLastError();
321 if (e==ERROR_INSUFFICIENT_BUFFER)
326 if (bRequired && s.empty())
330 void GetHeader(PHTTP_FILTER_PREPROC_HEADERS pn, PHTTP_FILTER_CONTEXT pfc,
331 LPSTR lpszName, dynabuf& s, DWORD size=80, bool bRequired=true)
337 while (!pn->GetHeader(pfc,lpszName,s,&size)) {
338 // Grumble. Check the error.
339 DWORD e=GetLastError();
340 if (e==ERROR_INSUFFICIENT_BUFFER)
345 if (bRequired && s.empty())
349 /****************************************************************************/
352 class ShibTargetIsapiF : public AbstractSPRequest
354 PHTTP_FILTER_CONTEXT m_pfc;
355 PHTTP_FILTER_PREPROC_HEADERS m_pn;
356 multimap<string,string> m_headers;
358 string m_scheme,m_hostname,m_uri;
359 mutable string m_remote_addr,m_content_type,m_method;
363 ShibTargetIsapiF(PHTTP_FILTER_CONTEXT pfc, PHTTP_FILTER_PREPROC_HEADERS pn, const site_t& site)
364 : m_pfc(pfc), m_pn(pn), m_allhttp(4096) {
366 // URL path always come from IIS.
368 GetHeader(pn,pfc,"url",var,256,false);
371 // Port may come from IIS or from site def.
372 if (!g_bNormalizeRequest || (pfc->fIsSecurePort && site.m_sslport.empty()) || (!pfc->fIsSecurePort && site.m_port.empty())) {
373 GetServerVariable(pfc,"SERVER_PORT",var,10);
376 else if (pfc->fIsSecurePort) {
377 m_port = atoi(site.m_sslport.c_str());
380 m_port = atoi(site.m_port.c_str());
383 // Scheme may come from site def or be derived from IIS.
384 m_scheme=site.m_scheme;
385 if (m_scheme.empty() || !g_bNormalizeRequest)
386 m_scheme=pfc->fIsSecurePort ? "https" : "http";
388 GetServerVariable(pfc,"SERVER_NAME",var,32);
390 // Make sure SERVER_NAME is "authorized" for use on this site. If not, set to canonical name.
392 if (site.m_name!=m_hostname && site.m_aliases.find(m_hostname)==site.m_aliases.end())
393 m_hostname=site.m_name;
395 ~ShibTargetIsapiF() { }
397 const char* getScheme() const {
398 return m_scheme.c_str();
400 const char* getHostname() const {
401 return m_hostname.c_str();
403 int getPort() const {
406 const char* getRequestURI() const {
407 return m_uri.c_str();
409 const char* getMethod() const {
410 if (m_method.empty()) {
412 GetServerVariable(m_pfc,"REQUEST_METHOD",var,5,false);
416 return m_method.c_str();
418 string getContentType() const {
419 if (m_content_type.empty()) {
421 GetServerVariable(m_pfc,"CONTENT_TYPE",var,32,false);
423 m_content_type = var;
425 return m_content_type;
427 long getContentLength() const {
430 string getRemoteAddr() const {
431 if (m_remote_addr.empty()) {
433 GetServerVariable(m_pfc,"REMOTE_ADDR",var,16,false);
437 return m_remote_addr;
439 void log(SPLogLevel level, const string& msg) {
440 AbstractSPRequest::log(level,msg);
441 if (level >= SPError)
442 LogEvent(NULL, EVENTLOG_ERROR_TYPE, 2100, NULL, msg.c_str());
444 void clearHeader(const char* rawname, const char* cginame) {
445 if (g_checkSpoofing) {
446 if (m_allhttp.empty())
447 GetServerVariable(m_pfc,"ALL_HTTP",m_allhttp,4096);
448 if (strstr(m_allhttp, cginame))
449 throw opensaml::SecurityPolicyException("Attempt to spoof header ($1) was detected.", params(1, rawname));
451 string hdr(!strcmp(rawname,"REMOTE_USER") ? "remote-user" : rawname);
453 m_pn->SetHeader(m_pfc, const_cast<char*>(hdr.c_str()), const_cast<char*>(g_unsetHeaderValue.c_str()));
455 void setHeader(const char* name, const char* value) {
458 m_pn->SetHeader(m_pfc, const_cast<char*>(hdr.c_str()), const_cast<char*>(value));
460 string getHeader(const char* name) const {
464 GetHeader(m_pn, m_pfc, const_cast<char*>(hdr.c_str()), buf, 256, false);
467 void setRemoteUser(const char* user) {
468 setHeader("remote-user", user);
470 string getRemoteUser() const {
471 return getHeader("remote-user");
473 void setResponseHeader(const char* name, const char* value) {
476 m_headers.insert(make_pair(name,value));
478 m_headers.erase(name);
480 long sendResponse(istream& in, long status) {
481 string hdr = string("Connection: close\r\n");
482 for (multimap<string,string>::const_iterator i=m_headers.begin(); i!=m_headers.end(); ++i)
483 hdr += i->first + ": " + i->second + "\r\n";
485 const char* codestr="200 OK";
487 case XMLTOOLING_HTTP_STATUS_FORBIDDEN:codestr="403 Forbidden"; break;
488 case XMLTOOLING_HTTP_STATUS_NOTFOUND: codestr="404 Not Found"; break;
489 case XMLTOOLING_HTTP_STATUS_ERROR: codestr="500 Server Error"; break;
491 m_pfc->ServerSupportFunction(m_pfc, SF_REQ_SEND_RESPONSE_HEADER, (void*)codestr, (DWORD)hdr.c_str(), 0);
495 DWORD resplen = in.gcount();
496 m_pfc->WriteClient(m_pfc, buf, &resplen, 0);
498 return SF_STATUS_REQ_FINISHED;
500 long sendRedirect(const char* url) {
501 // XXX: Don't support the httpRedirect option, yet.
502 string hdr=string("Location: ") + url + "\r\n"
503 "Content-Type: text/html\r\n"
504 "Content-Length: 40\r\n"
505 "Expires: 01-Jan-1997 12:00:00 GMT\r\n"
506 "Cache-Control: private,no-store,no-cache\r\n";
507 for (multimap<string,string>::const_iterator i=m_headers.begin(); i!=m_headers.end(); ++i)
508 hdr += i->first + ": " + i->second + "\r\n";
510 m_pfc->ServerSupportFunction(m_pfc, SF_REQ_SEND_RESPONSE_HEADER, "302 Please Wait", (DWORD)hdr.c_str(), 0);
511 static const char* redmsg="<HTML><BODY>Redirecting...</BODY></HTML>";
513 m_pfc->WriteClient(m_pfc, (LPVOID)redmsg, &resplen, 0);
514 return SF_STATUS_REQ_FINISHED;
516 long returnDecline() {
517 return SF_STATUS_REQ_NEXT_NOTIFICATION;
520 return SF_STATUS_REQ_NEXT_NOTIFICATION;
523 const vector<string>& getClientCertificates() const {
527 // The filter never processes the POST, so stub these methods.
528 const char* getQueryString() const { throw IOException("getQueryString not implemented"); }
529 const char* getRequestBody() const { throw IOException("getRequestBody not implemented"); }
532 DWORD WriteClientError(PHTTP_FILTER_CONTEXT pfc, const char* msg)
534 LogEvent(NULL, EVENTLOG_ERROR_TYPE, 2100, NULL, msg);
535 static const char* ctype="Connection: close\r\nContent-Type: text/html\r\n\r\n";
536 pfc->ServerSupportFunction(pfc,SF_REQ_SEND_RESPONSE_HEADER,"200 OK",(DWORD)ctype,0);
537 static const char* xmsg="<HTML><HEAD><TITLE>Shibboleth Filter Error</TITLE></HEAD><BODY>"
538 "<H1>Shibboleth Filter Error</H1>";
539 DWORD resplen=strlen(xmsg);
540 pfc->WriteClient(pfc,(LPVOID)xmsg,&resplen,0);
542 pfc->WriteClient(pfc,(LPVOID)msg,&resplen,0);
543 static const char* xmsg2="</BODY></HTML>";
544 resplen=strlen(xmsg2);
545 pfc->WriteClient(pfc,(LPVOID)xmsg2,&resplen,0);
546 return SF_STATUS_REQ_FINISHED;
549 extern "C" DWORD WINAPI HttpFilterProc(PHTTP_FILTER_CONTEXT pfc, DWORD notificationType, LPVOID pvNotification)
551 // Is this a log notification?
552 if (notificationType==SF_NOTIFY_LOG)
554 if (pfc->pFilterContext)
555 ((PHTTP_FILTER_LOG)pvNotification)->pszClientUserName=static_cast<LPCSTR>(pfc->pFilterContext);
556 return SF_STATUS_REQ_NEXT_NOTIFICATION;
559 PHTTP_FILTER_PREPROC_HEADERS pn=(PHTTP_FILTER_PREPROC_HEADERS)pvNotification;
562 // Determine web site number. This can't really fail, I don't think.
564 GetServerVariable(pfc,"INSTANCE_ID",buf,10);
566 // Match site instance to host name, skip if no match.
567 map<string,site_t>::const_iterator map_i=g_Sites.find(static_cast<char*>(buf));
568 if (map_i==g_Sites.end())
569 return SF_STATUS_REQ_NEXT_NOTIFICATION;
571 ostringstream threadid;
572 threadid << "[" << getpid() << "] isapi_shib" << '\0';
573 xmltooling::NDC ndc(threadid.str().c_str());
575 ShibTargetIsapiF stf(pfc, pn, map_i->second);
577 // "false" because we don't override the Shib settings
578 pair<bool,long> res = stf.getServiceProvider().doAuthentication(stf);
579 if (res.first) return res.second;
581 // "false" because we don't override the Shib settings
582 res = stf.getServiceProvider().doExport(stf);
583 if (res.first) return res.second;
585 res = stf.getServiceProvider().doAuthorization(stf);
586 if (res.first) return res.second;
588 return SF_STATUS_REQ_NEXT_NOTIFICATION;
591 return WriteClientError(pfc,"Out of Memory");
594 if (e==ERROR_NO_DATA)
595 return WriteClientError(pfc,"A required variable or header was empty.");
597 return WriteClientError(pfc,"Shibboleth Filter detected unexpected IIS error.");
599 catch (exception& e) {
600 LogEvent(NULL, EVENTLOG_ERROR_TYPE, 2100, NULL, e.what());
601 return WriteClientError(pfc,"Shibboleth Filter caught an exception, check Event Log for details.");
604 LogEvent(NULL, EVENTLOG_ERROR_TYPE, 2100, NULL, "Shibboleth Filter threw an unknown exception.");
606 return WriteClientError(pfc,"Shibboleth Filter threw an unknown exception.");
610 return WriteClientError(pfc,"Shibboleth Filter reached unreachable code, save my walrus!");
614 /****************************************************************************/
617 DWORD WriteClientError(LPEXTENSION_CONTROL_BLOCK lpECB, const char* msg)
619 LogEvent(NULL, EVENTLOG_ERROR_TYPE, 2100, NULL, msg);
620 static const char* ctype="Connection: close\r\nContent-Type: text/html\r\n\r\n";
621 lpECB->ServerSupportFunction(lpECB->ConnID,HSE_REQ_SEND_RESPONSE_HEADER,"200 OK",0,(LPDWORD)ctype);
622 static const char* xmsg="<HTML><HEAD><TITLE>Shibboleth Error</TITLE></HEAD><BODY><H1>Shibboleth Error</H1>";
623 DWORD resplen=strlen(xmsg);
624 lpECB->WriteClient(lpECB->ConnID,(LPVOID)xmsg,&resplen,HSE_IO_SYNC);
626 lpECB->WriteClient(lpECB->ConnID,(LPVOID)msg,&resplen,HSE_IO_SYNC);
627 static const char* xmsg2="</BODY></HTML>";
628 resplen=strlen(xmsg2);
629 lpECB->WriteClient(lpECB->ConnID,(LPVOID)xmsg2,&resplen,HSE_IO_SYNC);
630 return HSE_STATUS_SUCCESS;
634 class ShibTargetIsapiE : public AbstractSPRequest
636 LPEXTENSION_CONTROL_BLOCK m_lpECB;
637 multimap<string,string> m_headers;
638 mutable vector<string> m_certs;
639 mutable string m_body;
640 mutable bool m_gotBody;
642 string m_scheme,m_hostname,m_uri;
643 mutable string m_remote_addr,m_remote_user;
646 ShibTargetIsapiE(LPEXTENSION_CONTROL_BLOCK lpECB, const site_t& site) : m_lpECB(lpECB), m_gotBody(false) {
648 GetServerVariable(lpECB,"HTTPS",ssl,5);
649 bool SSL=(ssl=="on" || ssl=="ON");
651 // Scheme may come from site def or be derived from IIS.
652 m_scheme=site.m_scheme;
653 if (m_scheme.empty() || !g_bNormalizeRequest)
654 m_scheme = SSL ? "https" : "http";
656 // URL path always come from IIS.
658 GetServerVariable(lpECB,"URL",url,255);
660 // Port may come from IIS or from site def.
662 if (!g_bNormalizeRequest || (SSL && site.m_sslport.empty()) || (!SSL && site.m_port.empty()))
663 GetServerVariable(lpECB,"SERVER_PORT",port,10);
665 strncpy(port,site.m_sslport.c_str(),10);
666 static_cast<char*>(port)[10]=0;
669 strncpy(port,site.m_port.c_str(),10);
670 static_cast<char*>(port)[10]=0;
675 GetServerVariable(lpECB, "SERVER_NAME", var, 32);
677 // Make sure SERVER_NAME is "authorized" for use on this site. If not, set to canonical name.
679 if (site.m_name!=m_hostname && site.m_aliases.find(m_hostname)==site.m_aliases.end())
680 m_hostname=site.m_name;
683 * IIS screws us over on PATH_INFO (the hits keep on coming). We need to figure out if
684 * the server is set up for proper PATH_INFO handling, or "IIS sucks rabid weasels mode",
685 * which is the default. No perfect way to tell, but we can take a good guess by checking
686 * whether the URL is a substring of the PATH_INFO:
688 * e.g. for /Shibboleth.sso/SAML/POST
690 * Bad mode (default):
691 * URL: /Shibboleth.sso
692 * PathInfo: /Shibboleth.sso/SAML/POST
695 * URL: /Shibboleth.sso
696 * PathInfo: /SAML/POST
699 // Clearly we're only in bad mode if path info exists at all.
700 if (lpECB->lpszPathInfo && *(lpECB->lpszPathInfo)) {
701 if (strstr(lpECB->lpszPathInfo,url))
702 // Pretty good chance we're in bad mode, unless the PathInfo repeats the path itself.
703 m_uri = lpECB->lpszPathInfo;
706 m_uri += lpECB->lpszPathInfo;
713 // For consistency with Apache, let's add the query string.
714 if (lpECB->lpszQueryString && *(lpECB->lpszQueryString)) {
716 m_uri += lpECB->lpszQueryString;
719 ~ShibTargetIsapiE() { }
721 const char* getScheme() const {
722 return m_scheme.c_str();
724 const char* getHostname() const {
725 return m_hostname.c_str();
727 int getPort() const {
730 const char* getRequestURI() const {
731 return m_uri.c_str();
733 const char* getMethod() const {
734 return m_lpECB->lpszMethod;
736 string getContentType() const {
737 return m_lpECB->lpszContentType ? m_lpECB->lpszContentType : "";
739 long getContentLength() const {
740 return m_lpECB->cbTotalBytes;
742 string getRemoteUser() const {
743 if (m_remote_user.empty()) {
745 GetServerVariable(m_lpECB, "REMOTE_USER", var, 32, false);
749 return m_remote_user;
751 string getRemoteAddr() const {
752 if (m_remote_addr.empty()) {
754 GetServerVariable(m_lpECB, "REMOTE_ADDR", var, 16, false);
758 return m_remote_addr;
760 void log(SPLogLevel level, const string& msg) const {
761 AbstractSPRequest::log(level,msg);
762 if (level >= SPError)
763 LogEvent(NULL, EVENTLOG_ERROR_TYPE, 2100, NULL, msg.c_str());
765 string getHeader(const char* name) const {
767 for (; *name; ++name) {
771 hdr += toupper(*name);
774 GetServerVariable(m_lpECB, const_cast<char*>(hdr.c_str()), buf, 128, false);
775 return buf.empty() ? "" : buf;
777 void setResponseHeader(const char* name, const char* value) {
780 m_headers.insert(make_pair(name,value));
782 m_headers.erase(name);
784 const char* getQueryString() const {
785 return m_lpECB->lpszQueryString;
787 const char* getRequestBody() const {
789 return m_body.c_str();
790 if (m_lpECB->cbTotalBytes > 1024*1024) // 1MB?
791 throw opensaml::SecurityPolicyException("Size of request body exceeded 1M size limit.");
792 else if (m_lpECB->cbTotalBytes > m_lpECB->cbAvailable) {
795 DWORD datalen=m_lpECB->cbTotalBytes;
798 BOOL ret = m_lpECB->ReadClient(m_lpECB->ConnID, buf, &buflen);
800 throw IOException("Error reading request body from browser.");
801 m_body.append(buf, buflen);
805 else if (m_lpECB->cbAvailable) {
807 m_body.assign(reinterpret_cast<char*>(m_lpECB->lpbData),m_lpECB->cbAvailable);
809 return m_body.c_str();
811 long sendResponse(istream& in, long status) {
812 string hdr = string("Connection: close\r\n");
813 for (multimap<string,string>::const_iterator i=m_headers.begin(); i!=m_headers.end(); ++i)
814 hdr += i->first + ": " + i->second + "\r\n";
816 const char* codestr="200 OK";
818 case XMLTOOLING_HTTP_STATUS_FORBIDDEN:codestr="403 Forbidden"; break;
819 case XMLTOOLING_HTTP_STATUS_NOTFOUND: codestr="404 Not Found"; break;
820 case XMLTOOLING_HTTP_STATUS_ERROR: codestr="500 Server Error"; break;
822 m_lpECB->ServerSupportFunction(m_lpECB->ConnID, HSE_REQ_SEND_RESPONSE_HEADER, (void*)codestr, 0, (LPDWORD)hdr.c_str());
826 DWORD resplen = in.gcount();
827 m_lpECB->WriteClient(m_lpECB->ConnID, buf, &resplen, HSE_IO_SYNC);
829 return HSE_STATUS_SUCCESS;
831 long sendRedirect(const char* url) {
832 string hdr=string("Location: ") + url + "\r\n"
833 "Content-Type: text/html\r\n"
834 "Content-Length: 40\r\n"
835 "Expires: 01-Jan-1997 12:00:00 GMT\r\n"
836 "Cache-Control: private,no-store,no-cache\r\n";
837 for (multimap<string,string>::const_iterator i=m_headers.begin(); i!=m_headers.end(); ++i)
838 hdr += i->first + ": " + i->second + "\r\n";
840 m_lpECB->ServerSupportFunction(m_lpECB->ConnID, HSE_REQ_SEND_RESPONSE_HEADER, "302 Moved", 0, (LPDWORD)hdr.c_str());
841 static const char* redmsg="<HTML><BODY>Redirecting...</BODY></HTML>";
843 m_lpECB->WriteClient(m_lpECB->ConnID, (LPVOID)redmsg, &resplen, HSE_IO_SYNC);
844 return HSE_STATUS_SUCCESS;
846 // Decline happens in the POST processor if this isn't the shire url
847 // Note that it can also happen with HTAccess, but we don't support that, yet.
848 long returnDecline() {
849 return WriteClientError(
851 "ISAPI extension can only be invoked to process Shibboleth protocol requests."
852 "Make sure the mapped file extension doesn't match actual content."
856 return HSE_STATUS_SUCCESS;
859 const vector<string>& getClientCertificates() const {
860 if (m_certs.empty()) {
861 char CertificateBuf[8192];
862 CERT_CONTEXT_EX ccex;
863 ccex.cbAllocated = sizeof(CertificateBuf);
864 ccex.CertContext.pbCertEncoded = (BYTE*)CertificateBuf;
865 DWORD dwSize = sizeof(ccex);
867 if (m_lpECB->ServerSupportFunction(m_lpECB->ConnID, HSE_REQ_GET_CERT_INFO_EX, (LPVOID)&ccex, (LPDWORD)dwSize, NULL)) {
868 if (ccex.CertContext.cbCertEncoded) {
870 XMLByte* serialized = Base64::encode(reinterpret_cast<XMLByte*>(CertificateBuf), ccex.CertContext.cbCertEncoded, &outlen);
871 m_certs.push_back(reinterpret_cast<char*>(serialized));
872 XMLString::release(&serialized);
879 // Not used in the extension.
880 void clearHeader(const char* rawname, const char* cginame) { throw runtime_error("clearHeader not implemented"); }
881 void setHeader(const char* name, const char* value) { throw runtime_error("setHeader not implemented"); }
882 void setRemoteUser(const char* user) { throw runtime_error("setRemoteUser not implemented"); }
885 extern "C" DWORD WINAPI HttpExtensionProc(LPEXTENSION_CONTROL_BLOCK lpECB)
888 ostringstream threadid;
889 threadid << "[" << getpid() << "] isapi_shib_extension" << '\0';
890 xmltooling::NDC ndc(threadid.str().c_str());
892 // Determine web site number. This can't really fail, I don't think.
894 GetServerVariable(lpECB,"INSTANCE_ID",buf,10);
896 // Match site instance to host name, skip if no match.
897 map<string,site_t>::const_iterator map_i=g_Sites.find(static_cast<char*>(buf));
898 if (map_i==g_Sites.end())
899 return WriteClientError(lpECB, "Shibboleth Extension not configured for this web site.");
901 ShibTargetIsapiE ste(lpECB, map_i->second);
902 pair<bool,long> res = ste.getServiceProvider().doHandler(ste);
903 if (res.first) return res.second;
905 return WriteClientError(lpECB, "Shibboleth Extension failed to process request");
909 return WriteClientError(lpECB,"Out of Memory");
912 if (e==ERROR_NO_DATA)
913 return WriteClientError(lpECB,"A required variable or header was empty.");
915 return WriteClientError(lpECB,"Server detected unexpected IIS error.");
917 catch (exception& e) {
918 LogEvent(NULL, EVENTLOG_ERROR_TYPE, 2100, NULL, e.what());
919 return WriteClientError(lpECB,"Shibboleth Extension caught an exception, check Event Log for details.");
922 LogEvent(NULL, EVENTLOG_ERROR_TYPE, 2100, NULL, "Shibboleth Extension threw an unknown exception.");
924 return WriteClientError(lpECB,"Shibboleth Extension threw an unknown exception.");
928 // If we get here we've got an error.
929 return HSE_STATUS_ERROR;
projects / shibboleth / sp.git / blob