shibsp/binding/impl/ArtifactResolver.cpp

   1 /*
   2  *  Copyright 2001-2007 Internet2
   3  *
   4  * Licensed under the Apache License, Version 2.0 (the "License");
   5  * you may not use this file except in compliance with the License.
   6  * You may obtain a copy of the License at
   7  *
   8  *     http://www.apache.org/licenses/LICENSE-2.0
   9  *
  10  * Unless required by applicable law or agreed to in writing, software
  11  * distributed under the License is distributed on an "AS IS" BASIS,
  12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  13  * See the License for the specific language governing permissions and
  14  * limitations under the License.
  15  */
  16
  17 /**
  18  * ArtifactResolver.cpp
  19  *
  20  * SAML artifact resolver for SP use.
  21  */
  22
  23 #include "internal.h"
  24 #include "Application.h"
  25 #include "exceptions.h"
  26 #include "binding/ArtifactResolver.h"
  27 #include "binding/SOAPClient.h"
  28 #include "security/SecurityPolicy.h"
  29
  30 #include <saml/saml1/core/Protocols.h>
  31 #include <saml/saml1/binding/SAML1SOAPClient.h>
  32 #include <saml/saml2/core/Protocols.h>
  33 #include <saml/saml2/binding/SAML2Artifact.h>
  34 #include <saml/saml2/binding/SAML2SOAPClient.h>
  35 #include <saml/saml2/metadata/MetadataCredentialCriteria.h>
  36 #include <saml/util/SAMLConstants.h>
  37
  38 using namespace shibsp;
  39 using namespace opensaml::saml1p;
  40 using namespace opensaml::saml2;
  41 using namespace opensaml::saml2p;
  42 using namespace opensaml::saml2md;
  43 using namespace opensaml;
  44 using namespace xmltooling;
  45 using namespace std;
  46
  47 saml1p::Response* ArtifactResolver::resolve(
  48     const vector<SAMLArtifact*>& artifacts,
  49     const IDPSSODescriptor& idpDescriptor,
  50     opensaml::SecurityPolicy& policy
  51     ) const
  52 {
  53     MetadataCredentialCriteria mcc(idpDescriptor);
  54     shibsp::SecurityPolicy& sppolicy = dynamic_cast<shibsp::SecurityPolicy&>(policy);
  55     shibsp::SOAPClient soaper(sppolicy);
  56
  57     bool foundEndpoint = false;
  58     auto_ptr_XMLCh binding(samlconstants::SAML1_BINDING_SOAP);
  59     saml1p::Response* response=NULL;
  60     const vector<ArtifactResolutionService*>& endpoints=idpDescriptor.getArtifactResolutionServices();
  61     for (vector<ArtifactResolutionService*>::const_iterator ep=endpoints.begin(); !response && ep!=endpoints.end(); ++ep) {
  62         try {
  63             if (!XMLString::equals((*ep)->getBinding(),binding.get()))
  64                 continue;
  65             foundEndpoint = true;
  66             auto_ptr_char loc((*ep)->getLocation());
  67             saml1p::Request* request = saml1p::RequestBuilder::buildRequest();
  68             request->setMinorVersion(idpDescriptor.hasSupport(samlconstants::SAML11_PROTOCOL_ENUM) ? 1 : 0);
  69             for (vector<SAMLArtifact*>::const_iterator a = artifacts.begin(); a!=artifacts.end(); ++a) {
  70                 auto_ptr_XMLCh artbuf((*a)->encode().c_str());
  71                 AssertionArtifact* aa = AssertionArtifactBuilder::buildAssertionArtifact();
  72                 aa->setArtifact(artbuf.get());
  73                 request->getAssertionArtifacts().push_back(aa);
  74             }
  75
  76             SAML1SOAPClient client(soaper, false);
  77             client.sendSAML(request, sppolicy.getApplication().getId(), mcc, loc.get());
  78             response = client.receiveSAML();
  79         }
  80         catch (exception& ex) {
  81             Category::getInstance(SHIBSP_LOGCAT".ArtifactResolver").error("exception resolving SAML 1.x artifact(s): %s", ex.what());
  82             soaper.reset();
  83         }
  84     }
  85
  86     if (!foundEndpoint)
  87         throw MetadataException("No compatible endpoint found in issuer's metadata.");
  88     else if (!response)
  89         throw BindingException("Unable to resolve artifact(s) into a SAML response.");
  90     const QName* code = (response->getStatus() && response->getStatus()->getStatusCode()) ? response->getStatus()->getStatusCode()->getValue() : NULL;
  91     if (!code || *code != saml1p::StatusCode::SUCCESS) {
  92         delete response;
  93         throw BindingException("Identity provider returned a SAML error in response to artifact(s).");
  94     }
  95
  96     // The SOAP client handles policy evaluation against the SOAP and Response layer,
  97     // but no security checking is done here.
  98     return response;
  99 }
 100
 101 ArtifactResponse* ArtifactResolver::resolve(
 102     const SAML2Artifact& artifact,
 103     const SSODescriptorType& ssoDescriptor,
 104     opensaml::SecurityPolicy& policy
 105     ) const
 106 {
 107     MetadataCredentialCriteria mcc(ssoDescriptor);
 108     shibsp::SecurityPolicy& sppolicy = dynamic_cast<shibsp::SecurityPolicy&>(policy);
 109     shibsp::SOAPClient soaper(sppolicy);
 110
 111     bool foundEndpoint = false;
 112     auto_ptr_XMLCh binding(samlconstants::SAML20_BINDING_SOAP);
 113     ArtifactResponse* response=NULL;
 114     const vector<ArtifactResolutionService*>& endpoints=ssoDescriptor.getArtifactResolutionServices();
 115     for (vector<ArtifactResolutionService*>::const_iterator ep=endpoints.begin(); !response && ep!=endpoints.end(); ++ep) {
 116         try {
 117             if (!XMLString::equals((*ep)->getBinding(),binding.get()))
 118                 continue;
 119             foundEndpoint = true;
 120             auto_ptr_char loc((*ep)->getLocation());
 121             ArtifactResolve* request = ArtifactResolveBuilder::buildArtifactResolve();
 122             Issuer* iss = IssuerBuilder::buildIssuer();
 123             request->setIssuer(iss);
 124             iss->setName(sppolicy.getApplication().getRelyingParty(dynamic_cast<EntityDescriptor*>(ssoDescriptor.getParent()))->getXMLString("entityID").second);
 125             auto_ptr_XMLCh artbuf(artifact.encode().c_str());
 126             Artifact* a = ArtifactBuilder::buildArtifact();
 127             a->setArtifact(artbuf.get());
 128             request->setArtifact(a);
 129
 130             SAML2SOAPClient client(soaper, false);
 131             client.sendSAML(request, sppolicy.getApplication().getId(), mcc, loc.get());
 132             StatusResponseType* srt = client.receiveSAML();
 133             if (!(response = dynamic_cast<ArtifactResponse*>(srt))) {
 134                 delete srt;
 135                 break;
 136             }
 137         }
 138         catch (exception& ex) {
 139             Category::getInstance(SHIBSP_LOGCAT".ArtifactResolver").error("exception resolving SAML 2.0 artifact: %s", ex.what());
 140             soaper.reset();
 141         }
 142     }
 143
 144     if (!foundEndpoint)
 145         throw MetadataException("No compatible endpoint found in issuer's metadata.");
 146     else if (!response)
 147         throw BindingException("Unable to resolve artifact(s) into a SAML response.");
 148     else if (!response->getStatus() || !response->getStatus()->getStatusCode() ||
 149            !XMLString::equals(response->getStatus()->getStatusCode()->getValue(), saml2p::StatusCode::SUCCESS)) {
 150         auto_ptr<ArtifactResponse> wrapper(response);
 151         BindingException ex("Identity provider returned a SAML error in response to artifact.");
 152         annotateException(&ex, &ssoDescriptor, response->getStatus());  // rethrow
 153     }
 154
 155     // The SOAP client handles policy evaluation against the SOAP and Response layer,
 156     // but no security checking is done here.
 157     return response;
 158 }