2 * Copyright 2010 Internet2
\r
4 * Licensed under the Apache License, Version 2.0 (the "License");
\r
5 * you may not use this file except in compliance with the License.
\r
6 * You may obtain a copy of the License at
\r
8 * http://www.apache.org/licenses/LICENSE-2.0
\r
10 * Unless required by applicable law or agreed to in writing, software
\r
11 * distributed under the License is distributed on an "AS IS" BASIS,
\r
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
\r
13 * See the License for the specific language governing permissions and
\r
14 * limitations under the License.
\r
18 * XMLSecurityPolicyProvider.cpp
\r
20 * XML-based security policy provider.
\r
23 #include "internal.h"
\r
24 #include "exceptions.h"
\r
25 #include "Application.h"
\r
26 #include "security/SecurityPolicy.h"
\r
27 #include "security/SecurityPolicyProvider.h"
\r
28 #include "util/DOMPropertySet.h"
\r
29 #include "util/SPConstants.h"
\r
32 #include <saml/SAMLConfig.h>
\r
33 #include <saml/binding/SecurityPolicyRule.h>
\r
34 #include <xmltooling/io/HTTPResponse.h>
\r
35 #include <xmltooling/util/NDC.h>
\r
36 #include <xmltooling/util/ReloadableXMLFile.h>
\r
37 #include <xmltooling/util/Threads.h>
\r
38 #include <xmltooling/util/XMLHelper.h>
\r
39 #include <xercesc/util/XMLStringTokenizer.hpp>
\r
40 #include <xercesc/util/XMLUniDefs.hpp>
\r
42 using shibspconstants::SHIB2SPCONFIG_NS;
\r
43 using opensaml::SAMLConfig;
\r
44 using opensaml::SecurityPolicyRule;
\r
45 using namespace shibsp;
\r
46 using namespace xmltooling;
\r
47 using namespace std;
\r
51 #if defined (_MSC_VER)
\r
52 #pragma warning( push )
\r
53 #pragma warning( disable : 4250 )
\r
56 class SHIBSP_DLLLOCAL XMLSecurityPolicyProviderImpl
\r
59 XMLSecurityPolicyProviderImpl(const DOMElement* e, Category& log);
\r
60 ~XMLSecurityPolicyProviderImpl() {
\r
61 for (map< string,pair<PropertySet*,vector<const SecurityPolicyRule*> > >::iterator i = m_policyMap.begin(); i != m_policyMap.end(); ++i) {
\r
62 delete i->second.first;
\r
63 for_each(i->second.second.begin(), i->second.second.end(), xmltooling::cleanup<SecurityPolicyRule>());
\r
66 m_document->release();
\r
69 void setDocument(DOMDocument* doc) {
\r
74 DOMDocument* m_document;
\r
75 vector<xstring> m_whitelist,m_blacklist;
\r
76 map< string,pair< PropertySet*,vector<const SecurityPolicyRule*> > > m_policyMap;
\r
77 map< string,pair< PropertySet*,vector<const SecurityPolicyRule*> > >::const_iterator m_defaultPolicy;
\r
79 friend class SHIBSP_DLLLOCAL XMLSecurityPolicyProvider;
\r
82 class XMLSecurityPolicyProvider : public SecurityPolicyProvider, public ReloadableXMLFile
\r
85 XMLSecurityPolicyProvider(const DOMElement* e)
\r
86 : ReloadableXMLFile(e, Category::getInstance(SHIBSP_LOGCAT".SecurityPolicyProvider.XML")), m_impl(nullptr) {
\r
87 background_load(); // guarantees an exception or the policy is loaded
\r
90 ~XMLSecurityPolicyProvider() {
\r
95 const PropertySet* getPolicySettings(const char* id=nullptr) const {
\r
97 return m_impl->m_defaultPolicy->second.first;
\r
98 map<string,pair<PropertySet*,vector<const SecurityPolicyRule*> > >::const_iterator i = m_impl->m_policyMap.find(id);
\r
99 if (i != m_impl->m_policyMap.end())
\r
100 return i->second.first;
\r
101 throw ConfigurationException("Security Policy ($1) not found, check <SecurityPolicies> element.", params(1,id));
\r
104 const vector<const SecurityPolicyRule*>& getPolicyRules(const char* id=nullptr) const {
\r
106 return m_impl->m_defaultPolicy->second.second;
\r
107 map<string,pair<PropertySet*,vector<const SecurityPolicyRule*> > >::const_iterator i = m_impl->m_policyMap.find(id);
\r
108 if (i != m_impl->m_policyMap.end())
\r
109 return i->second.second;
\r
110 throw ConfigurationException("Security Policy ($1) not found, check <SecurityPolicies> element.", params(1,id));
\r
112 const vector<xstring>& getAlgorithmBlacklist() const {
\r
113 return m_impl->m_blacklist;
\r
115 const vector<xstring>& getAlgorithmWhitelist() const {
\r
116 return m_impl->m_whitelist;
\r
120 pair<bool,DOMElement*> load(bool backup);
\r
121 pair<bool,DOMElement*> background_load();
\r
124 XMLSecurityPolicyProviderImpl* m_impl;
\r
127 #if defined (_MSC_VER)
\r
128 #pragma warning( pop )
\r
131 SecurityPolicyProvider* SHIBSP_DLLLOCAL XMLSecurityPolicyProviderFactory(const DOMElement* const & e)
\r
133 return new XMLSecurityPolicyProvider(e);
\r
136 class SHIBSP_DLLLOCAL PolicyNodeFilter : public DOMNodeFilter
\r
139 #ifdef SHIBSP_XERCESC_SHORT_ACCEPTNODE
\r
144 acceptNode(const DOMNode* node) const {
\r
145 return FILTER_REJECT;
\r
149 static const XMLCh _id[] = UNICODE_LITERAL_2(i,d);
\r
150 static const XMLCh _type[] = UNICODE_LITERAL_4(t,y,p,e);
\r
151 static const XMLCh AlgorithmBlacklist[] = UNICODE_LITERAL_18(A,l,g,o,r,i,t,h,m,B,l,a,c,k,l,i,s,t);
\r
152 static const XMLCh AlgorithmWhitelist[] = UNICODE_LITERAL_18(A,l,g,o,r,i,t,h,m,W,h,i,t,e,l,i,s,t);
\r
153 static const XMLCh Policy[] = UNICODE_LITERAL_6(P,o,l,i,c,y);
\r
154 static const XMLCh PolicyRule[] = UNICODE_LITERAL_10(P,o,l,i,c,y,R,u,l,e);
\r
155 static const XMLCh Rule[] = UNICODE_LITERAL_4(R,u,l,e);
\r
156 static const XMLCh SecurityPolicies[] = UNICODE_LITERAL_16(S,e,c,u,r,i,t,y,P,o,l,i,c,i,e,s);
\r
159 void SHIBSP_API shibsp::registerSecurityPolicyProviders()
\r
161 SPConfig::getConfig().SecurityPolicyProviderManager.registerFactory(XML_SECURITYPOLICY_PROVIDER, XMLSecurityPolicyProviderFactory);
\r
164 SecurityPolicyProvider::SecurityPolicyProvider()
\r
168 SecurityPolicyProvider::~SecurityPolicyProvider()
\r
172 SecurityPolicy* SecurityPolicyProvider::createSecurityPolicy(
\r
173 const Application& application, const xmltooling::QName* role, const char* policyId
\r
176 pair<bool,bool> validate = getPolicySettings(policyId ? policyId : application.getString("policyId").second)->getBool("validate");
\r
177 return new SecurityPolicy(application, role, (validate.first && validate.second), policyId);
\r
180 XMLSecurityPolicyProviderImpl::XMLSecurityPolicyProviderImpl(const DOMElement* e, Category& log)
\r
181 : m_document(nullptr), m_defaultPolicy(m_policyMap.end())
\r
184 xmltooling::NDC ndc("XMLSecurityPolicyProviderImpl");
\r
187 if (!XMLHelper::isNodeNamed(e, SHIB2SPCONFIG_NS, SecurityPolicies))
\r
188 throw ConfigurationException("XML SecurityPolicyProvider requires conf:SecurityPolicies at root of configuration.");
\r
190 const XMLCh* algs = nullptr;
\r
191 const DOMElement* alglist = XMLHelper::getLastChildElement(e, AlgorithmBlacklist);
\r
192 if (alglist && alglist->hasChildNodes()) {
\r
193 algs = alglist->getFirstChild()->getNodeValue();
\r
195 else if ((alglist = XMLHelper::getLastChildElement(e, AlgorithmWhitelist)) && alglist->hasChildNodes()) {
\r
196 algs = alglist->getFirstChild()->getNodeValue();
\r
199 const XMLCh* token;
\r
200 XMLStringTokenizer tokenizer(algs);
\r
201 while (tokenizer.hasMoreTokens()) {
\r
202 token = tokenizer.nextToken();
\r
204 if (XMLString::equals(alglist->getLocalName(), AlgorithmBlacklist))
\r
205 m_blacklist.push_back(token);
\r
207 m_whitelist.push_back(token);
\r
212 PolicyNodeFilter filter;
\r
213 SAMLConfig& samlConf = SAMLConfig::getConfig();
\r
214 e = XMLHelper::getFirstChildElement(e, Policy);
\r
216 string id(XMLHelper::getAttrString(e, nullptr, _id));
\r
217 pair< PropertySet*,vector<const SecurityPolicyRule*> >& rules = m_policyMap[id];
\r
218 rules.first = nullptr;
\r
219 auto_ptr<DOMPropertySet> settings(new DOMPropertySet());
\r
220 settings->load(e, nullptr, &filter);
\r
221 rules.first = settings.release();
\r
223 // Set default policy if not set, or id is "default".
\r
224 if (m_defaultPolicy == m_policyMap.end() || id == "default")
\r
225 m_defaultPolicy = m_policyMap.find(id);
\r
227 // Process PolicyRule elements.
\r
228 const DOMElement* rule = XMLHelper::getFirstChildElement(e, PolicyRule);
\r
230 string t(XMLHelper::getAttrString(rule, nullptr, _type));
\r
233 rules.second.push_back(samlConf.SecurityPolicyRuleManager.newPlugin(t.c_str(), rule));
\r
235 catch (exception& ex) {
\r
236 log.crit("error instantiating policy rule (%s) in policy (%s): %s", t.c_str(), id.c_str(), ex.what());
\r
239 rule = XMLHelper::getNextSiblingElement(rule, PolicyRule);
\r
242 if (rules.second.size() == 0) {
\r
243 // Process Rule elements.
\r
244 log.warn("detected legacy Policy configuration, please convert to new PolicyRule syntax");
\r
245 rule = XMLHelper::getFirstChildElement(e, Rule);
\r
247 string t(XMLHelper::getAttrString(rule, nullptr, _type));
\r
250 rules.second.push_back(samlConf.SecurityPolicyRuleManager.newPlugin(t.c_str(), rule));
\r
252 catch (exception& ex) {
\r
253 log.crit("error instantiating policy rule (%s) in policy (%s): %s", t.c_str(), id.c_str(), ex.what());
\r
256 rule = XMLHelper::getNextSiblingElement(rule, Rule);
\r
259 // Manually add a basic Conditions rule.
\r
260 log.info("installing a default Conditions rule in policy (%s) for compatibility with legacy configuration", id.c_str());
\r
261 rules.second.push_back(samlConf.SecurityPolicyRuleManager.newPlugin(CONDITIONS_POLICY_RULE, nullptr));
\r
264 e = XMLHelper::getNextSiblingElement(e, Policy);
\r
267 if (m_defaultPolicy == m_policyMap.end())
\r
268 throw ConfigurationException("XML SecurityPolicyProvider requires at least one Policy.");
\r
271 pair<bool,DOMElement*> XMLSecurityPolicyProvider::load(bool backup)
\r
273 // Load from source using base class.
\r
274 pair<bool,DOMElement*> raw = ReloadableXMLFile::load(backup);
\r
276 // If we own it, wrap it.
\r
277 XercesJanitor<DOMDocument> docjanitor(raw.first ? raw.second->getOwnerDocument() : nullptr);
\r
279 XMLSecurityPolicyProviderImpl* impl = new XMLSecurityPolicyProviderImpl(raw.second, m_log);
\r
281 // If we held the document, transfer it to the impl. If we didn't, it's a no-op.
\r
282 impl->setDocument(docjanitor.release());
\r
284 // Perform the swap inside a lock.
\r
287 SharedLock locker(m_lock, false);
\r
292 return make_pair(false,(DOMElement*)nullptr);
\r
295 pair<bool,DOMElement*> XMLSecurityPolicyProvider::background_load()
\r
298 return load(false);
\r
301 if (ex == HTTPResponse::XMLTOOLING_HTTP_STATUS_NOTMODIFIED)
\r
302 m_log.info("remote resource (%s) unchanged", m_source.c_str());
\r
303 if (!m_loaded && !m_backing.empty())
\r
307 catch (exception&) {
\r
308 if (!m_loaded && !m_backing.empty())
\r