2 * Copyright 2001-2007 Internet2
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
8 * http://www.apache.org/licenses/LICENSE-2.0
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
20 * Specialized SOAPClient for SP environment.
24 #include "exceptions.h"
25 #include "ServiceProvider.h"
26 #include "binding/SOAPClient.h"
28 #include <log4cpp/Category.hh>
29 #include <saml/saml2/metadata/Metadata.h>
30 #include <xmltooling/soap/SOAP.h>
31 #include <xmltooling/soap/HTTPSOAPTransport.h>
32 #include <xmltooling/util/NDC.h>
34 using namespace shibsp;
35 using namespace opensaml::saml2md;
36 using namespace xmlsignature;
37 using namespace xmltooling;
38 using namespace log4cpp;
41 SOAPClient::SOAPClient(const Application& application, opensaml::SecurityPolicy& policy)
42 : opensaml::SOAPClient(policy), m_app(application), m_settings(NULL), m_relyingParty(NULL), m_credResolver(NULL)
44 pair<bool,const char*> policyId = m_app.getString("policyId");
45 m_settings = application.getServiceProvider().getPolicySettings(policyId.second);
46 const vector<const opensaml::SecurityPolicyRule*>& rules = application.getServiceProvider().getPolicyRules(policyId.second);
47 for (vector<const opensaml::SecurityPolicyRule*>::const_iterator rule=rules.begin(); rule!=rules.end(); ++rule)
48 policy.addRule(*rule);
49 policy.setMetadataProvider(application.getMetadataProvider());
50 policy.setTrustEngine(application.getTrustEngine());
51 pair<bool,bool> validate = m_settings->getBool("validate");
52 policy.setValidating(validate.first && validate.second);
53 setValidating(validate.first && validate.second);
56 void SOAPClient::send(const soap11::Envelope& env, MetadataCredentialCriteria& peer, const char* endpoint)
58 // Check for message signing requirements.
59 m_relyingParty = m_app.getRelyingParty(dynamic_cast<const EntityDescriptor*>(peer.getRole().getParent()));
60 pair<bool,bool> flag = m_relyingParty->getBool("signRequests");
61 if (flag.first && flag.second) {
62 m_credResolver=m_app.getCredentialResolver();
64 m_credResolver->lock();
65 // Fill in criteria to use.
66 peer.setUsage(CredentialCriteria::SIGNING_CREDENTIAL);
67 pair<bool,const char*> algcrit = m_relyingParty->getString("sigAlgorithm");
69 peer.setKeyAlgorithm(algcrit.second);
70 const Credential* cred = m_credResolver->resolve(&peer);
71 peer.setKeyAlgorithm(NULL);
75 const vector<XMLObject*>& bodies=const_cast<const soap11::Body*>(env.getBody())->getUnknownXMLObjects();
76 if (!bodies.empty()) {
77 opensaml::SignableObject* msg = dynamic_cast<opensaml::SignableObject*>(bodies.front());
80 Signature* sig = SignatureBuilder::buildSignature();
81 msg->setSignature(sig);
82 pair<bool,const XMLCh*> alg = m_relyingParty->getXMLString("sigAlgorithm");
84 sig->setSignatureAlgorithm(alg.second);
86 // Sign it. The marshalling step in the base class should be a no-op.
87 vector<Signature*> sigs(1,sig);
88 env.marshall((DOMDocument*)NULL,&sigs,cred);
93 Category::getInstance(SHIBSP_LOGCAT".SOAPClient").error("no signing credential supplied, leaving unsigned.");
97 Category::getInstance(SHIBSP_LOGCAT".SOAPClient").error("no CredentialResolver available, leaving unsigned.");
101 opensaml::SOAPClient::send(env, peer, endpoint);
104 void SOAPClient::prepareTransport(SOAPTransport& transport)
107 xmltooling::NDC("prepareTransport");
109 Category& log=Category::getInstance(SHIBSP_LOGCAT".SOAPClient");
110 log.debug("prepping SOAP transport for use by application (%s)", m_app.getId());
112 pair<bool,bool> flag = m_settings->getBool("requireConfidentiality");
113 if ((!flag.first || flag.second) && !transport.isConfidential())
114 throw opensaml::BindingException("Transport confidentiality required, but not available.");
116 flag = m_settings->getBool("validate");
117 setValidating(flag.first && flag.second);
118 flag = m_settings->getBool("requireTransportAuth");
119 forceTransportAuthentication(!flag.first || flag.second);
121 opensaml::SOAPClient::prepareTransport(transport);
123 pair<bool,const char*> authType=m_relyingParty->getString("authType");
124 if (!authType.first || !strcmp(authType.second,"TLS")) {
125 if (!m_credResolver) {
126 m_credResolver = m_app.getCredentialResolver();
128 m_credResolver->lock();
130 if (m_credResolver) {
131 m_criteria->setUsage(CredentialCriteria::TLS_CREDENTIAL);
132 const Credential* cred = m_credResolver->resolve(m_criteria);
134 if (!transport.setCredential(cred))
135 log.error("failed to load Credential into SOAPTransport");
138 log.error("no TLS credential supplied");
142 log.error("no CredentialResolver available for TLS");
146 SOAPTransport::transport_auth_t type=SOAPTransport::transport_auth_none;
147 pair<bool,const char*> username=m_relyingParty->getString("authUsername");
148 pair<bool,const char*> password=m_relyingParty->getString("authPassword");
149 if (!username.first || !password.first)
150 log.error("transport authType (%s) specified but authUsername or authPassword was missing", authType.second);
151 else if (!strcmp(authType.second,"basic"))
152 type = SOAPTransport::transport_auth_basic;
153 else if (!strcmp(authType.second,"digest"))
154 type = SOAPTransport::transport_auth_digest;
155 else if (!strcmp(authType.second,"ntlm"))
156 type = SOAPTransport::transport_auth_ntlm;
157 else if (!strcmp(authType.second,"gss"))
158 type = SOAPTransport::transport_auth_gss;
160 log.error("unknown authType (%s) specified for RelyingParty", authType.second);
161 if (type > SOAPTransport::transport_auth_none) {
162 if (transport.setAuth(type,username.second,password.second))
163 log.debug("configured for transport authentication (method=%s, username=%s)", authType.second, username.second);
165 log.error("failed to configure transport authentication (method=%s)", authType.second);
169 transport.setConnectTimeout(m_settings->getUnsignedInt("connectTimeout").second);
170 transport.setTimeout(m_settings->getUnsignedInt("timeout").second);
172 HTTPSOAPTransport* http = dynamic_cast<HTTPSOAPTransport*>(&transport);
174 flag = m_settings->getBool("chunkedEncoding");
175 http->useChunkedEncoding(!flag.first || flag.second);
176 http->setRequestHeader("Shibboleth", PACKAGE_VERSION);
180 void SOAPClient::reset()
182 m_relyingParty = NULL;
184 m_credResolver->unlock();
185 m_credResolver = NULL;
186 opensaml::SOAPClient::reset();