Code for default security policy, make policyId optional.

[shibboleth/sp.git] / shibsp / impl / XMLSecurityPolicyProvider.cpp

/*\r
 *  Copyright 2010 Internet2\r
 *\r
 * Licensed under the Apache License, Version 2.0 (the "License");\r
 * you may not use this file except in compliance with the License.\r
 * You may obtain a copy of the License at\r
 *\r
 *     http://www.apache.org/licenses/LICENSE-2.0\r
 *\r
 * Unless required by applicable law or agreed to in writing, software\r
 * distributed under the License is distributed on an "AS IS" BASIS,\r
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\r
 * See the License for the specific language governing permissions and\r
 * limitations under the License.\r
 */\r
\r
/**\r
 * XMLSecurityPolicyProvider.cpp\r
 *\r
 * XML-based security policy provider.\r
 */\r
\r
#include "internal.h"\r
#include "exceptions.h"\r
#include "Application.h"\r
#include "security/SecurityPolicy.h"\r
#include "security/SecurityPolicyProvider.h"\r
#include "util/DOMPropertySet.h"\r
#include "util/SPConstants.h"\r
\r
#include <map>\r
#include <saml/SAMLConfig.h>\r
#include <saml/binding/SecurityPolicyRule.h>\r
#include <xmltooling/io/HTTPResponse.h>\r
#include <xmltooling/util/NDC.h>\r
#include <xmltooling/util/ReloadableXMLFile.h>\r
#include <xmltooling/util/Threads.h>\r
#include <xmltooling/util/XMLHelper.h>\r
#include <xercesc/util/XMLStringTokenizer.hpp>\r
#include <xercesc/util/XMLUniDefs.hpp>\r
\r
using shibspconstants::SHIB2SPCONFIG_NS;\r
using opensaml::SAMLConfig;\r
using opensaml::SecurityPolicyRule;\r
using namespace shibsp;\r
using namespace xmltooling;\r
using namespace std;\r
\r
namespace shibsp {\r
\r
#if defined (_MSC_VER)\r
    #pragma warning( push )\r
    #pragma warning( disable : 4250 )\r
#endif\r
\r
    class SHIBSP_DLLLOCAL XMLSecurityPolicyProviderImpl\r
    {\r
    public:\r
        XMLSecurityPolicyProviderImpl(const DOMElement* e, Category& log);\r
        ~XMLSecurityPolicyProviderImpl() {\r
            for (map< string,pair<PropertySet*,vector<const SecurityPolicyRule*> > >::iterator i = m_policyMap.begin(); i != m_policyMap.end(); ++i) {\r
                delete i->second.first;\r
                for_each(i->second.second.begin(), i->second.second.end(), xmltooling::cleanup<SecurityPolicyRule>());\r
            }\r
            if (m_document)\r
                m_document->release();\r
        }\r
\r
        void setDocument(DOMDocument* doc) {\r
            m_document = doc;\r
        }\r
\r
    private:\r
        DOMDocument* m_document;\r
        vector<xstring> m_whitelist,m_blacklist;\r
        map< string,pair< PropertySet*,vector<const SecurityPolicyRule*> > > m_policyMap;\r
        map< string,pair< PropertySet*,vector<const SecurityPolicyRule*> > >::const_iterator m_defaultPolicy;\r
\r
        friend class SHIBSP_DLLLOCAL XMLSecurityPolicyProvider;\r
    };\r
\r
    class XMLSecurityPolicyProvider : public SecurityPolicyProvider, public ReloadableXMLFile\r
    {\r
    public:\r
        XMLSecurityPolicyProvider(const DOMElement* e)\r
                : ReloadableXMLFile(e, Category::getInstance(SHIBSP_LOGCAT".SecurityPolicyProvider.XML")), m_impl(nullptr) {\r
            background_load(); // guarantees an exception or the policy is loaded\r
        }\r
\r
        ~XMLSecurityPolicyProvider() {\r
            shutdown();\r
            delete m_impl;\r
        }\r
\r
        const PropertySet* getPolicySettings(const char* id=nullptr) const {\r
            if (!id || !*id)\r
                return m_impl->m_defaultPolicy->second.first;\r
            map<string,pair<PropertySet*,vector<const SecurityPolicyRule*> > >::const_iterator i = m_impl->m_policyMap.find(id);\r
            if (i != m_impl->m_policyMap.end())\r
                return i->second.first;\r
            throw ConfigurationException("Security Policy ($1) not found, check <SecurityPolicies> element.", params(1,id));\r
        }\r
\r
        const vector<const SecurityPolicyRule*>& getPolicyRules(const char* id=nullptr) const {\r
            if (!id || !*id)\r
                return m_impl->m_defaultPolicy->second.second;\r
            map<string,pair<PropertySet*,vector<const SecurityPolicyRule*> > >::const_iterator i = m_impl->m_policyMap.find(id);\r
            if (i != m_impl->m_policyMap.end())\r
                return i->second.second;\r
            throw ConfigurationException("Security Policy ($1) not found, check <SecurityPolicies> element.", params(1,id));\r
        }\r
        const vector<xstring>& getAlgorithmBlacklist() const {\r
            return m_impl->m_blacklist;\r
        }\r
        const vector<xstring>& getAlgorithmWhitelist() const {\r
            return m_impl->m_whitelist;\r
        }\r
        \r
    protected:\r
        pair<bool,DOMElement*> load(bool backup);\r
        pair<bool,DOMElement*> background_load();\r
\r
    private:\r
        XMLSecurityPolicyProviderImpl* m_impl;\r
    };\r
\r
#if defined (_MSC_VER)\r
    #pragma warning( pop )\r
#endif\r
\r
    SecurityPolicyProvider* SHIBSP_DLLLOCAL XMLSecurityPolicyProviderFactory(const DOMElement* const & e)\r
    {\r
        return new XMLSecurityPolicyProvider(e);\r
    }\r
\r
    class SHIBSP_DLLLOCAL PolicyNodeFilter : public DOMNodeFilter\r
    {\r
    public:\r
#ifdef SHIBSP_XERCESC_SHORT_ACCEPTNODE\r
        short\r
#else\r
        FilterAction\r
#endif\r
        acceptNode(const DOMNode* node) const {\r
            return FILTER_REJECT;\r
        }\r
    };\r
\r
    static const XMLCh _id[] =                  UNICODE_LITERAL_2(i,d);\r
    static const XMLCh _type[] =                UNICODE_LITERAL_4(t,y,p,e);\r
    static const XMLCh AlgorithmBlacklist[] =   UNICODE_LITERAL_18(A,l,g,o,r,i,t,h,m,B,l,a,c,k,l,i,s,t);\r
    static const XMLCh AlgorithmWhitelist[] =   UNICODE_LITERAL_18(A,l,g,o,r,i,t,h,m,W,h,i,t,e,l,i,s,t);\r
    static const XMLCh Policy[] =               UNICODE_LITERAL_6(P,o,l,i,c,y);\r
    static const XMLCh PolicyRule[] =           UNICODE_LITERAL_10(P,o,l,i,c,y,R,u,l,e);\r
    static const XMLCh Rule[] =                 UNICODE_LITERAL_4(R,u,l,e);\r
    static const XMLCh SecurityPolicies[] =     UNICODE_LITERAL_16(S,e,c,u,r,i,t,y,P,o,l,i,c,i,e,s);\r
}\r
\r
void SHIBSP_API shibsp::registerSecurityPolicyProviders()\r
{\r
    SPConfig::getConfig().SecurityPolicyProviderManager.registerFactory(XML_SECURITYPOLICY_PROVIDER, XMLSecurityPolicyProviderFactory);\r
}\r
\r
SecurityPolicyProvider::SecurityPolicyProvider()\r
{\r
}\r
\r
SecurityPolicyProvider::~SecurityPolicyProvider()\r
{\r
}\r
\r
SecurityPolicy* SecurityPolicyProvider::createSecurityPolicy(\r
    const Application& application, const xmltooling::QName* role, const char* policyId\r
    ) const\r
{\r
    pair<bool,bool> validate = getPolicySettings(policyId ? policyId : application.getString("policyId").second)->getBool("validate");\r
    return new SecurityPolicy(application, role, (validate.first && validate.second), policyId);\r
}\r
\r
XMLSecurityPolicyProviderImpl::XMLSecurityPolicyProviderImpl(const DOMElement* e, Category& log)\r
    : m_document(nullptr), m_defaultPolicy(m_policyMap.end())\r
{\r
#ifdef _DEBUG\r
    xmltooling::NDC ndc("XMLSecurityPolicyProviderImpl");\r
#endif\r
\r
    if (!XMLHelper::isNodeNamed(e, SHIB2SPCONFIG_NS, SecurityPolicies))\r
        throw ConfigurationException("XML SecurityPolicyProvider requires conf:SecurityPolicies at root of configuration.");\r
\r
    const XMLCh* algs = nullptr;\r
    const DOMElement* alglist = XMLHelper::getLastChildElement(e, AlgorithmBlacklist);\r
    if (alglist && alglist->hasChildNodes()) {\r
        algs = alglist->getFirstChild()->getNodeValue();\r
    }\r
    else if ((alglist = XMLHelper::getLastChildElement(e, AlgorithmWhitelist)) && alglist->hasChildNodes()) {\r
        algs = alglist->getFirstChild()->getNodeValue();\r
    }\r
    if (algs) {\r
        const XMLCh* token;\r
        XMLStringTokenizer tokenizer(algs);\r
        while (tokenizer.hasMoreTokens()) {\r
            token = tokenizer.nextToken();\r
            if (token) {\r
                if (XMLString::equals(alglist->getLocalName(), AlgorithmBlacklist))\r
                    m_blacklist.push_back(token);\r
                else\r
                    m_whitelist.push_back(token);\r
            }\r
        }\r
    }\r
\r
    PolicyNodeFilter filter;\r
    SAMLConfig& samlConf = SAMLConfig::getConfig();\r
    e = XMLHelper::getFirstChildElement(e, Policy);\r
    while (e) {\r
        string id(XMLHelper::getAttrString(e, nullptr, _id));\r
        pair< PropertySet*,vector<const SecurityPolicyRule*> >& rules = m_policyMap[id];\r
        rules.first = nullptr;\r
        auto_ptr<DOMPropertySet> settings(new DOMPropertySet());\r
        settings->load(e, nullptr, &filter);\r
        rules.first = settings.release();\r
\r
        // Set default policy if not set, or id is "default".\r
        if (m_defaultPolicy == m_policyMap.end() || id == "default")\r
            m_defaultPolicy = m_policyMap.find(id);\r
\r
        // Process PolicyRule elements.\r
        const DOMElement* rule = XMLHelper::getFirstChildElement(e, PolicyRule);\r
        while (rule) {\r
            string t(XMLHelper::getAttrString(rule, nullptr, _type));\r
            if (!t.empty()) {\r
                try {\r
                    rules.second.push_back(samlConf.SecurityPolicyRuleManager.newPlugin(t.c_str(), rule));\r
                }\r
                catch (exception& ex) {\r
                    log.crit("error instantiating policy rule (%s) in policy (%s): %s", t.c_str(), id.c_str(), ex.what());\r
                }\r
            }\r
            rule = XMLHelper::getNextSiblingElement(rule, PolicyRule);\r
        }\r
\r
        if (rules.second.size() == 0) {\r
            // Process Rule elements.\r
            log.warn("detected legacy Policy configuration, please convert to new PolicyRule syntax");\r
            rule = XMLHelper::getFirstChildElement(e, Rule);\r
            while (rule) {\r
                string t(XMLHelper::getAttrString(rule, nullptr, _type));\r
                if (!t.empty()) {\r
                    try {\r
                        rules.second.push_back(samlConf.SecurityPolicyRuleManager.newPlugin(t.c_str(), rule));\r
                    }\r
                    catch (exception& ex) {\r
                        log.crit("error instantiating policy rule (%s) in policy (%s): %s", t.c_str(), id.c_str(), ex.what());\r
                    }\r
                }\r
                rule = XMLHelper::getNextSiblingElement(rule, Rule);\r
            }\r
\r
            // Manually add a basic Conditions rule.\r
            log.info("installing a default Conditions rule in policy (%s) for compatibility with legacy configuration", id.c_str());\r
            rules.second.push_back(samlConf.SecurityPolicyRuleManager.newPlugin(CONDITIONS_POLICY_RULE, nullptr));\r
        }\r
\r
        e = XMLHelper::getNextSiblingElement(e, Policy);\r
    }\r
\r
    if (m_defaultPolicy == m_policyMap.end())\r
        throw ConfigurationException("XML SecurityPolicyProvider requires at least one Policy.");\r
}\r
\r
pair<bool,DOMElement*> XMLSecurityPolicyProvider::load(bool backup)\r
{\r
    // Load from source using base class.\r
    pair<bool,DOMElement*> raw = ReloadableXMLFile::load(backup);\r
\r
    // If we own it, wrap it.\r
    XercesJanitor<DOMDocument> docjanitor(raw.first ? raw.second->getOwnerDocument() : nullptr);\r
\r
    XMLSecurityPolicyProviderImpl* impl = new XMLSecurityPolicyProviderImpl(raw.second, m_log);\r
\r
    // If we held the document, transfer it to the impl. If we didn't, it's a no-op.\r
    impl->setDocument(docjanitor.release());\r
\r
    // Perform the swap inside a lock.\r
    if (m_lock)\r
        m_lock->wrlock();\r
    SharedLock locker(m_lock, false);\r
    delete m_impl;\r
    m_impl = impl;\r
\r
\r
    return make_pair(false,(DOMElement*)nullptr);\r
}\r
\r
pair<bool,DOMElement*> XMLSecurityPolicyProvider::background_load()\r
{\r
    try {\r
        return load(false);\r
    }\r
    catch (long& ex) {\r
        if (ex == HTTPResponse::XMLTOOLING_HTTP_STATUS_NOTMODIFIED)\r
            m_log.info("remote resource (%s) unchanged", m_source.c_str());\r
        if (!m_loaded && !m_backing.empty())\r
            return load(true);\r
        throw;\r
    }\r
    catch (exception&) {\r
        if (!m_loaded && !m_backing.empty())\r
            return load(true);\r
        throw;\r
    }\r
}\r