2 * Copyright 2001-2005 Internet2
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
8 * http://www.apache.org/licenses/LICENSE-2.0
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
17 /* ArtifactMapper.cpp - a ShibTarget-aware SAML artifact->binding mapper
27 using namespace shibsp;
28 using namespace shibtarget;
29 using namespace shibboleth;
31 using namespace log4cpp;
34 SAMLResponse* STArtifactMapper::resolve(SAMLRequest* request)
36 Category& log=Category::getInstance("shibtarget.ArtifactMapper");
38 // First do a search for the issuer.
39 SAMLArtifact* artifact=request->getArtifacts().next();
40 Metadata m(m_app->getMetadataProviders());
41 const IEntityDescriptor* entity=m.lookup(artifact);
44 "metadata lookup failed, unable to determine issuer of artifact (0x%s)",
45 SAMLArtifact::toHex(artifact->getBytes()).c_str()
47 throw MetadataException("Metadata lookup failed, unable to determine artifact issuer");
50 auto_ptr_char issuer(entity->getId());
51 log.info("lookup succeeded, artifact issued by (%s)", issuer.get());
54 const PropertySet* credUse=m_app->getCredentialUse(entity);
55 pair<bool,bool> signRequest=credUse ? credUse->getBool("signRequest") : make_pair(false,false);
56 pair<bool,const char*> signatureAlg=credUse ? credUse->getString("signatureAlg") : pair<bool,const char*>(false,NULL);
57 if (!signatureAlg.first)
58 signatureAlg.second=URI_ID_RSA_SHA1;
59 pair<bool,const char*> digestAlg=credUse ? credUse->getString("digestAlg") : pair<bool,const char*>(false,NULL);
61 digestAlg.second=URI_ID_SHA1;
62 pair<bool,bool> signedResponse=credUse ? credUse->getBool("signedResponse") : make_pair(false,false);
63 pair<bool,const char*> signingCred=credUse ? credUse->getString("Signing") : pair<bool,const char*>(false,NULL);
64 if (signRequest.first && signRequest.second && signingCred.first) {
65 if (request->getMinorVersion()==1) {
66 Credentials creds(ShibTargetConfig::getConfig().getINI()->getCredentialsProviders());
67 const ICredResolver* cr=creds.lookup(signingCred.second);
69 request->sign(cr->getKey(),cr->getCertificates(),signatureAlg.second,digestAlg.second);
71 log.error("unable to sign artifact request, specified credential (%s) was not found",signingCred.second);
74 log.error("unable to sign SAML 1.0 artifact request, only SAML 1.1 defines signing adequately");
77 SAMLResponse* response = NULL;
78 bool authenticated = false;
79 static const XMLCh https[] = {chLatin_h, chLatin_t, chLatin_t, chLatin_p, chLatin_s, chColon, chNull};
81 // Depends on type of artifact.
82 const SAMLArtifactType0001* type1=dynamic_cast<const SAMLArtifactType0001*>(artifact);
84 // With type 01, any endpoint will do.
85 const IIDPSSODescriptor* idp=entity->getIDPSSODescriptor(
86 request->getMinorVersion()==1 ? saml::XML::SAML11_PROTOCOL_ENUM : saml::XML::SAML10_PROTOCOL_ENUM
89 ShibHTTPHook::ShibHTTPHookCallContext callCtx(credUse,idp);
90 const IEndpointManager* mgr=idp->getArtifactResolutionServiceManager();
91 Iterator<const IEndpoint*> eps=mgr ? mgr->getEndpoints() : EMPTY(const IEndpoint*);
92 while (!response && eps.hasNext()) {
93 const IEndpoint* ep=eps.next();
94 const SAMLBinding* binding = m_app->getBinding(ep->getBinding());
96 auto_ptr_char prot(ep->getBinding());
97 log.warn("skipping binding on unsupported protocol (%s)", prot.get());
101 response = binding->send(ep->getLocation(),*request,&callCtx);
102 if (log.isDebugEnabled())
103 log.debugStream() << "SAML response from artifact request:\n" << *response << CategoryStream::ENDLINE;
105 if (!response->getAssertions().hasNext()) {
107 throw FatalProfileException("No SAML assertions returned in response to artifact profile request.");
109 authenticated = callCtx.isAuthenticated() && !XMLString::compareNString(ep->getLocation(),https,6);
111 catch (SAMLException& ex) {
112 annotateException(&ex,idp); // rethrows it
118 const SAMLArtifactType0002* type2=dynamic_cast<const SAMLArtifactType0002*>(artifact);
120 // With type 02, we have to find the matching location.
121 const IIDPSSODescriptor* idp=entity->getIDPSSODescriptor(
122 request->getMinorVersion()==1 ? saml::XML::SAML11_PROTOCOL_ENUM : saml::XML::SAML10_PROTOCOL_ENUM
125 ShibHTTPHook::ShibHTTPHookCallContext callCtx(credUse,idp);
126 const IEndpointManager* mgr=idp->getArtifactResolutionServiceManager();
127 Iterator<const IEndpoint*> eps=mgr ? mgr->getEndpoints() : EMPTY(const IEndpoint*);
128 while (eps.hasNext()) {
129 const IEndpoint* ep=eps.next();
130 auto_ptr_char loc(ep->getLocation());
131 if (strcmp(loc.get(),type2->getSourceLocation()))
133 const SAMLBinding* binding = m_app->getBinding(ep->getBinding());
135 auto_ptr_char prot(ep->getBinding());
136 log.warn("skipping binding on unsupported protocol (%s)", prot.get());
140 response = binding->send(ep->getLocation(),*request,&callCtx);
141 if (log.isDebugEnabled())
142 log.debugStream() << "SAML response from artifact request:\n" << *response << CategoryStream::ENDLINE;
144 if (!response->getAssertions().hasNext()) {
146 throw FatalProfileException("No SAML assertions returned in response to artifact profile request.");
148 authenticated = callCtx.isAuthenticated() && !XMLString::compareNString(ep->getLocation(),https,6);
150 catch (SAMLException& ex) {
151 annotateException(&ex,idp); // rethrows it
157 log.error("unrecognized artifact type (0x%s)", SAMLArtifact::toHex(artifact->getTypeCode()).c_str());
158 throw UnsupportedExtensionException(
159 string("Received unrecognized artifact type (0x") + SAMLArtifact::toHex(artifact->getTypeCode()) + ")"
165 log.error("unable to locate acceptable binding/endpoint to resolve artifact");
166 MetadataException ex("Unable to locate acceptable binding/endpoint to resolve artifact.");
167 annotateException(&ex,entity); // throws it
169 else if (!response->isSigned()) {
170 if (!authenticated || (signedResponse.first && signedResponse.second)) {
171 log.error("unsigned response obtained, but it must be signed.");
172 TrustException ex("Unable to obtain a signed response from artifact request.");
173 annotateException(&ex,entity); // throws it