2 * Copyright 2001-2009 Internet2
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
8 * http://www.apache.org/licenses/LICENSE-2.0
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
18 * DynamicMetadataProvider.cpp
20 * Advanced implementation of a dynamic caching MetadataProvider.
24 #include "exceptions.h"
25 #include "ServiceProvider.h"
26 #include "metadata/MetadataProviderCriteria.h"
28 #include <saml/version.h>
29 #include <saml/binding/SAMLArtifact.h>
30 #include <saml/saml2/metadata/Metadata.h>
31 #include <saml/saml2/metadata/DynamicMetadataProvider.h>
33 #include <xmltooling/logging.h>
34 #include <xmltooling/util/NDC.h>
35 #include <xmltooling/security/Credential.h>
36 #include <xmltooling/security/CredentialCriteria.h>
37 #include <xmltooling/security/CredentialResolver.h>
38 #include <xmltooling/security/X509TrustEngine.h>
39 #include <xmltooling/soap/HTTPSOAPTransport.h>
40 #include <xmltooling/util/XMLHelper.h>
42 #include <xercesc/framework/Wrapper4InputSource.hpp>
43 #include <xercesc/util/XMLUniDefs.hpp>
45 using namespace shibsp;
46 using namespace opensaml;
47 using namespace xmltooling::logging;
48 using namespace xmltooling;
52 class SAML_DLLLOCAL DummyCredentialResolver : public CredentialResolver
55 DummyCredentialResolver() {}
56 ~DummyCredentialResolver() {}
58 Lockable* lock() {return this;}
61 const Credential* resolve(const CredentialCriteria* criteria=NULL) const {return NULL;}
62 vector<const Credential*>::size_type resolve(
63 vector<const Credential*>& results, const CredentialCriteria* criteria=NULL
67 class SHIBSP_DLLLOCAL DynamicMetadataProvider : public saml2md::DynamicMetadataProvider
70 DynamicMetadataProvider(const xercesc::DOMElement* e=NULL);
72 virtual ~DynamicMetadataProvider() {
77 saml2md::EntityDescriptor* resolve(const saml2md::MetadataProvider::Criteria& criteria) const;
80 bool m_verifyHost,m_ignoreTransport;
81 X509TrustEngine* m_trust;
85 saml2md::MetadataProvider* SHIBSP_DLLLOCAL DynamicMetadataProviderFactory(const DOMElement* const & e)
87 return new DynamicMetadataProvider(e);
90 static const XMLCh ignoreTransport[] = UNICODE_LITERAL_15(i,g,n,o,r,e,T,r,a,n,s,p,o,r,t);
91 static const XMLCh _TrustEngine[] = UNICODE_LITERAL_11(T,r,u,s,t,E,n,g,i,n,e);
92 static const XMLCh type[] = UNICODE_LITERAL_4(t,y,p,e);
93 static const XMLCh verifyHost[] = UNICODE_LITERAL_10(v,e,r,i,f,y,H,o,s,t);
96 DynamicMetadataProvider::DynamicMetadataProvider(const DOMElement* e)
97 : saml2md::DynamicMetadataProvider(e), m_verifyHost(true), m_ignoreTransport(false), m_trust(NULL)
99 const XMLCh* flag = e ? e->getAttributeNS(NULL, verifyHost) : NULL;
100 if (flag && (*flag == chLatin_f || *flag == chDigit_0))
101 m_verifyHost = false;
102 flag = e ? e->getAttributeNS(NULL, ignoreTransport) : NULL;
103 if (flag && (*flag == chLatin_t || *flag == chDigit_1)) {
104 m_ignoreTransport = true;
108 e = e ? XMLHelper::getFirstChildElement(e, _TrustEngine) : NULL;
109 auto_ptr_char t2(e ? e->getAttributeNS(NULL,type) : NULL);
111 TrustEngine* trust = XMLToolingConfig::getConfig().TrustEngineManager.newPlugin(t2.get(),e);
112 if (!(m_trust = dynamic_cast<X509TrustEngine*>(trust))) {
114 throw ConfigurationException("DynamicMetadataProvider requires an X509TrustEngine plugin.");
119 throw ConfigurationException("DynamicMetadataProvider requires an X509TrustEngine plugin unless ignoreTransport is true.");
122 saml2md::EntityDescriptor* DynamicMetadataProvider::resolve(const saml2md::MetadataProvider::Criteria& criteria) const
125 xmltooling::NDC("resolve");
127 Category& log=Category::getInstance(SHIBSP_LOGCAT".MetadataProvider.Dynamic");
130 if (criteria.entityID_ascii) {
131 name = criteria.entityID_ascii;
133 else if (criteria.entityID_unicode) {
134 auto_ptr_char temp(criteria.entityID_unicode);
137 else if (criteria.artifact) {
138 throw saml2md::MetadataException("Unable to resolve metadata dynamically from an artifact.");
\r
141 // Establish networking properties based on calling application.
142 const MetadataProviderCriteria* mpc = dynamic_cast<const MetadataProviderCriteria*>(&criteria);
144 throw saml2md::MetadataException("Dynamic MetadataProvider requires Shibboleth-aware lookup criteria, check calling code.");
145 const PropertySet* relyingParty;
146 if (criteria.entityID_unicode)
147 relyingParty = mpc->application.getRelyingParty(criteria.entityID_unicode);
149 auto_ptr_XMLCh temp2(name.c_str());
150 relyingParty = mpc->application.getRelyingParty(temp2.get());
153 // Prepare a transport object addressed appropriately.
154 SOAPTransport::Address addr(relyingParty->getString("entityID").second, name.c_str(), name.c_str());
155 const char* pch = strchr(addr.m_endpoint,':');
157 throw IOException("entityID was not a URL.");
158 string scheme(addr.m_endpoint, pch-addr.m_endpoint);
159 SOAPTransport* transport=NULL;
161 transport = XMLToolingConfig::getConfig().SOAPTransportManager.newPlugin(scheme.c_str(), addr);
163 catch (exception& ex) {
164 log.error("exception while building transport object to resolve URL: %s", ex.what());
165 throw IOException("Unable to resolve entityID with a known transport protocol.");
167 auto_ptr<SOAPTransport> transportwrapper(transport);
169 // Apply properties as directed.
170 transport->setVerifyHost(m_verifyHost);
171 DummyCredentialResolver dcr;
172 if (m_trust && !transport->setTrustEngine(m_trust, &dcr))
173 throw IOException("Unable to install X509TrustEngine into metadata resolver.");
175 Locker credlocker(NULL, false);
176 CredentialResolver* credResolver = NULL;
177 pair<bool,const char*> authType=relyingParty->getString("authType");
178 if (!authType.first || !strcmp(authType.second,"TLS")) {
179 credResolver = mpc->application.getCredentialResolver();
181 credlocker.assign(credResolver);
183 CredentialCriteria cc;
184 cc.setUsage(Credential::TLS_CREDENTIAL);
185 authType = relyingParty->getString("keyName");
187 cc.getKeyNames().insert(authType.second);
188 const Credential* cred = credResolver->resolve(&cc);
189 cc.getKeyNames().clear();
191 if (!transport->setCredential(cred))
192 log.error("failed to load Credential into metadata resolver");
195 log.error("no TLS credential supplied");
199 log.error("no CredentialResolver available for TLS");
203 SOAPTransport::transport_auth_t type=SOAPTransport::transport_auth_none;
204 pair<bool,const char*> username=relyingParty->getString("authUsername");
205 pair<bool,const char*> password=relyingParty->getString("authPassword");
206 if (!username.first || !password.first)
207 log.error("transport authType (%s) specified but authUsername or authPassword was missing", authType.second);
208 else if (!strcmp(authType.second,"basic"))
209 type = SOAPTransport::transport_auth_basic;
210 else if (!strcmp(authType.second,"digest"))
211 type = SOAPTransport::transport_auth_digest;
212 else if (!strcmp(authType.second,"ntlm"))
213 type = SOAPTransport::transport_auth_ntlm;
214 else if (!strcmp(authType.second,"gss"))
215 type = SOAPTransport::transport_auth_gss;
216 else if (strcmp(authType.second,"none"))
217 log.error("unknown authType (%s) specified for RelyingParty", authType.second);
218 if (type > SOAPTransport::transport_auth_none) {
219 if (transport->setAuth(type,username.second,password.second))
220 log.debug("configured for transport authentication (method=%s, username=%s)", authType.second, username.second);
222 log.error("failed to configure transport authentication (method=%s)", authType.second);
226 pair<bool,unsigned int> timeout = relyingParty->getUnsignedInt("connectTimeout");
227 transport->setConnectTimeout(timeout.first ? timeout.second : 10);
228 timeout = relyingParty->getUnsignedInt("timeout");
229 transport->setTimeout(timeout.first ? timeout.second : 20);
230 mpc->application.getServiceProvider().setTransportOptions(*transport);
232 HTTPSOAPTransport* http = dynamic_cast<HTTPSOAPTransport*>(transport);
234 pair<bool,bool> flag = relyingParty->getBool("chunkedEncoding");
235 http->useChunkedEncoding(flag.first && flag.second);
236 http->setRequestHeader("Xerces-C", XERCES_FULLVERSIONDOT);
237 http->setRequestHeader("XML-Security-C", XSEC_FULLVERSIONDOT);
238 http->setRequestHeader("OpenSAML-C", OPENSAML_FULLVERSIONDOT);
239 http->setRequestHeader("User-Agent", PACKAGE_NAME);
240 http->setRequestHeader(PACKAGE_NAME, PACKAGE_VERSION);
244 // Use a NULL stream to trigger a body-less "GET" operation.
246 istream& msg = transport->receive();
248 DOMDocument* doc=NULL;
249 StreamInputSource src(msg, "DynamicMetadataProvider");
250 Wrapper4InputSource dsrc(&src,false);
252 doc=XMLToolingConfig::getConfig().getValidatingParser().parse(dsrc);
254 doc=XMLToolingConfig::getConfig().getParser().parse(dsrc);
256 // Wrap the document for now.
257 XercesJanitor<DOMDocument> docjanitor(doc);
259 // Unmarshall objects, binding the document.
260 auto_ptr<XMLObject> xmlObject(XMLObjectBuilder::buildOneFromElement(doc->getDocumentElement(), true));
261 docjanitor.release();
263 // Make sure it's metadata.
264 saml2md::EntityDescriptor* entity = dynamic_cast<saml2md::EntityDescriptor*>(xmlObject.get());
266 throw saml2md::MetadataException(
267 "Root of metadata instance not recognized: $1", params(1,xmlObject->getElementQName().toString().c_str())
273 catch (XMLException& e) {
274 auto_ptr_char msg(e.getMessage());
275 log.error("Xerces error while resolving entityID (%s): %s", name.c_str(), msg.get());
276 throw saml2md::MetadataException(msg.get());