shibsp/binding/impl/ArtifactResolver.cpp

   1 /*
   2  *  Copyright 2001-2010 Internet2
   3  *
   4  * Licensed under the Apache License, Version 2.0 (the "License");
   5  * you may not use this file except in compliance with the License.
   6  * You may obtain a copy of the License at
   7  *
   8  *     http://www.apache.org/licenses/LICENSE-2.0
   9  *
  10  * Unless required by applicable law or agreed to in writing, software
  11  * distributed under the License is distributed on an "AS IS" BASIS,
  12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  13  * See the License for the specific language governing permissions and
  14  * limitations under the License.
  15  */
  16
  17 /**
  18  * ArtifactResolver.cpp
  19  *
  20  * SAML artifact resolver for SP use.
  21  */
  22
  23 #include "internal.h"
  24 #include "Application.h"
  25 #include "binding/ArtifactResolver.h"
  26 #include "binding/SOAPClient.h"
  27 #include "security/SecurityPolicy.h"
  28
  29 #include <saml/exceptions.h>
  30 #include <saml/saml1/core/Protocols.h>
  31 #include <saml/saml1/binding/SAML1SOAPClient.h>
  32 #include <saml/saml2/core/Protocols.h>
  33 #include <saml/saml2/binding/SAML2Artifact.h>
  34 #include <saml/saml2/binding/SAML2SOAPClient.h>
  35 #include <saml/saml2/metadata/Metadata.h>
  36 #include <saml/saml2/metadata/MetadataCredentialCriteria.h>
  37 #include <saml/util/SAMLConstants.h>
  38
  39 using namespace shibsp;
  40 using namespace opensaml::saml1p;
  41 using namespace opensaml::saml2;
  42 using namespace opensaml::saml2p;
  43 using namespace opensaml::saml2md;
  44 using namespace opensaml;
  45 using namespace xmltooling;
  46 using namespace std;
  47
  48 ArtifactResolver::ArtifactResolver()
  49 {
  50 }
  51
  52 ArtifactResolver::~ArtifactResolver()
  53 {
  54 }
  55
  56 saml1p::Response* ArtifactResolver::resolve(
  57     const vector<SAMLArtifact*>& artifacts,
  58     const IDPSSODescriptor& idpDescriptor,
  59     opensaml::SecurityPolicy& policy
  60     ) const
  61 {
  62     MetadataCredentialCriteria mcc(idpDescriptor);
  63     shibsp::SecurityPolicy& sppolicy = dynamic_cast<shibsp::SecurityPolicy&>(policy);
  64     shibsp::SOAPClient soaper(sppolicy);
  65
  66     bool foundEndpoint = false;
  67     auto_ptr_XMLCh binding(samlconstants::SAML1_BINDING_SOAP);
  68     saml1p::Response* response=nullptr;
  69     const vector<ArtifactResolutionService*>& endpoints=idpDescriptor.getArtifactResolutionServices();
  70     for (vector<ArtifactResolutionService*>::const_iterator ep=endpoints.begin(); !response && ep!=endpoints.end(); ++ep) {
  71         try {
  72             if (!XMLString::equals((*ep)->getBinding(),binding.get()))
  73                 continue;
  74             foundEndpoint = true;
  75             auto_ptr_char loc((*ep)->getLocation());
  76             saml1p::Request* request = saml1p::RequestBuilder::buildRequest();
  77             request->setMinorVersion(idpDescriptor.hasSupport(samlconstants::SAML11_PROTOCOL_ENUM) ? 1 : 0);
  78             for (vector<SAMLArtifact*>::const_iterator a = artifacts.begin(); a!=artifacts.end(); ++a) {
  79                 auto_ptr_XMLCh artbuf((*a)->encode().c_str());
  80                 AssertionArtifact* aa = AssertionArtifactBuilder::buildAssertionArtifact();
  81                 aa->setArtifact(artbuf.get());
  82                 request->getAssertionArtifacts().push_back(aa);
  83             }
  84
  85             SAML1SOAPClient client(soaper, false);
  86             client.sendSAML(request, sppolicy.getApplication().getId(), mcc, loc.get());
  87             response = client.receiveSAML();
  88         }
  89         catch (exception& ex) {
  90             Category::getInstance(SHIBSP_LOGCAT".ArtifactResolver").error("exception resolving SAML 1.x artifact(s): %s", ex.what());
  91             soaper.reset();
  92         }
  93     }
  94
  95     if (!foundEndpoint)
  96         throw MetadataException("No compatible endpoint found in issuer's metadata.");
  97     else if (!response)
  98         throw BindingException("Unable to resolve artifact(s) into a SAML response.");
  99     const xmltooling::QName* code = (response->getStatus() && response->getStatus()->getStatusCode()) ? response->getStatus()->getStatusCode()->getValue() : nullptr;
 100     if (!code || *code != saml1p::StatusCode::SUCCESS) {
 101         delete response;
 102         throw BindingException("Identity provider returned a SAML error in response to artifact(s).");
 103     }
 104
 105     // The SOAP client handles policy evaluation against the SOAP and Response layer,
 106     // but no security checking is done here.
 107     return response;
 108 }
 109
 110 ArtifactResponse* ArtifactResolver::resolve(
 111     const SAML2Artifact& artifact,
 112     const SSODescriptorType& ssoDescriptor,
 113     opensaml::SecurityPolicy& policy
 114     ) const
 115 {
 116     MetadataCredentialCriteria mcc(ssoDescriptor);
 117     shibsp::SecurityPolicy& sppolicy = dynamic_cast<shibsp::SecurityPolicy&>(policy);
 118     shibsp::SOAPClient soaper(sppolicy);
 119
 120     bool foundEndpoint = false;
 121     auto_ptr_XMLCh binding(samlconstants::SAML20_BINDING_SOAP);
 122     ArtifactResponse* response=nullptr;
 123     const vector<ArtifactResolutionService*>& endpoints=ssoDescriptor.getArtifactResolutionServices();
 124     for (vector<ArtifactResolutionService*>::const_iterator ep=endpoints.begin(); !response && ep!=endpoints.end(); ++ep) {
 125         try {
 126             if (!XMLString::equals((*ep)->getBinding(),binding.get()))
 127                 continue;
 128             foundEndpoint = true;
 129             auto_ptr_char loc((*ep)->getLocation());
 130             ArtifactResolve* request = ArtifactResolveBuilder::buildArtifactResolve();
 131             Issuer* iss = IssuerBuilder::buildIssuer();
 132             request->setIssuer(iss);
 133             iss->setName(sppolicy.getApplication().getRelyingParty(dynamic_cast<EntityDescriptor*>(ssoDescriptor.getParent()))->getXMLString("entityID").second);
 134             auto_ptr_XMLCh artbuf(artifact.encode().c_str());
 135             Artifact* a = ArtifactBuilder::buildArtifact();
 136             a->setArtifact(artbuf.get());
 137             request->setArtifact(a);
 138
 139             SAML2SOAPClient client(soaper, false);
 140             client.sendSAML(request, sppolicy.getApplication().getId(), mcc, loc.get());
 141             StatusResponseType* srt = client.receiveSAML();
 142             if (!(response = dynamic_cast<ArtifactResponse*>(srt))) {
 143                 delete srt;
 144                 break;
 145             }
 146         }
 147         catch (exception& ex) {
 148             Category::getInstance(SHIBSP_LOGCAT".ArtifactResolver").error("exception resolving SAML 2.0 artifact: %s", ex.what());
 149             soaper.reset();
 150         }
 151     }
 152
 153     if (!foundEndpoint)
 154         throw MetadataException("No compatible endpoint found in issuer's metadata.");
 155     else if (!response)
 156         throw BindingException("Unable to resolve artifact(s) into a SAML response.");
 157     else if (!response->getStatus() || !response->getStatus()->getStatusCode() ||
 158            !XMLString::equals(response->getStatus()->getStatusCode()->getValue(), saml2p::StatusCode::SUCCESS)) {
 159         auto_ptr<ArtifactResponse> wrapper(response);
 160         BindingException ex("Identity provider returned a SAML error in response to artifact.");
 161         annotateException(&ex, &ssoDescriptor, response->getStatus());  // rethrow
 162     }
 163
 164     // The SOAP client handles policy evaluation against the SOAP and Response layer,
 165     // but no security checking is done here.
 166     return response;
 167 }