From 07c1454be1d1ed5ffaf3f5494c90a75e2b937f0b Mon Sep 17 00:00:00 2001
From: cantor <cantor@cb58f699-b61c-0410-a6fe-9272a202ed29>
Date: Mon, 21 May 2007 04:00:43 +0000
Subject: [PATCH] Add a RP-based key name to credential lookup.

git-svn-id: https://svn.middleware.georgetown.edu/cpp-sp/trunk@2255 cb58f699-b61c-0410-a6fe-9272a202ed29
---
 configs/shibboleth.xml.in                     |  35 ++++-
 schemas/shibboleth-2.0-native-sp-config.xsd   |   7 +-
 shibsp/binding/impl/SOAPClient.cpp            |   6 +
 shibsp/handler/impl/SAML2SessionInitiator.cpp |   3 +
 shibsp/shibsp.vcproj                          | 200 +++++++++++++-------------
 5 files changed, 145 insertions(+), 106 deletions(-)

diff --git a/configs/shibboleth.xml.in b/configs/shibboleth.xml.in
index 462d902..93b6bb7 100644
--- a/configs/shibboleth.xml.in
+++ b/configs/shibboleth.xml.in
@@ -207,8 +207,13 @@
 			logoLocation="/shibboleth-sp/logo.jpg"
 			styleSheet="/shibboleth-sp/main.css"/>
 		
-		<!-- Configure handling of outgoing messages. -->
-		<DefaultRelyingParty authType="TLS" signRequests="false" encryptRequests="true"/>
+		<!-- Configure handling of outgoing messages and SOAP client authentication. -->
+		<DefaultRelyingParty authType="TLS" signRequests="false" encryptRequests="true">
+			<!-- Uncomment and modify to tweak settings for specific IdPs or groups. -->
+			<!--
+			<RelyingParty Name="SpecialFederation" keyName="SpecialKey"/>
+			-->
+		</DefaultRelyingParty>
 
 		<!-- Chains together all your metadata sources. -->
 		<MetadataProvider type="Chaining">
@@ -231,7 +236,7 @@
 		<!-- Default filtering policy for recognized attributes, lets other data pass. -->
 		<AttributeFilter type="XML" path="@-PKGSYSCONFDIR-@/attribute-policy.xml"/>
 
-		<!-- Simple file-based resolver for key/certificate information. -->
+		<!-- Simple file-based resolver for using a single keypair. -->
 		<CredentialResolver type="File">
 			<Key>
 				<Path>@-PKGSYSCONFDIR-@/sp-example.key</Path>
@@ -240,6 +245,30 @@
 				<Path>@-PKGSYSCONFDIR-@/sp-example.crt</Path>
 			</Certificate>
 		</CredentialResolver>
+
+		<!-- Advanced resolver allowing for multiple keypairs. -->
+		<!--
+		<CredentialResolver type="Chaining">
+			<CredentialResolver type="File">
+				<Key>
+					<Name>DefaultKey</Name>
+					<Path>@-PKGSYSCONFDIR-@/sp-example.key</Path>
+				</Key>
+				<Certificate>
+					<Path>@-PKGSYSCONFDIR-@/sp-example.crt</Path>
+				</Certificate>
+			</CredentialResolver>
+			<CredentialResolver type="File">
+				<Key>
+					<Name>SpecialKey</Name>
+					<Path>@-PKGSYSCONFDIR-@/special.key</Path>
+				</Key>
+				<Certificate>
+					<Path>@-PKGSYSCONFDIR-@/special.crt</Path>
+				</Certificate>
+			</CredentialResolver>
+		</CredentialResolver>
+		-->
 	</Applications>
 	
 	<!-- Each policy defines a set of rules to use to secure SAML and SOAP messages. -->
diff --git a/schemas/shibboleth-2.0-native-sp-config.xsd b/schemas/shibboleth-2.0-native-sp-config.xsd
index 9f1a0f5..5d9118d 100644
--- a/schemas/shibboleth-2.0-native-sp-config.xsd
+++ b/schemas/shibboleth-2.0-native-sp-config.xsd
@@ -504,14 +504,15 @@
 	</element>
 	
 	<attributeGroup name="RelyingPartyGroup">
-		<attribute name="authType" type="conf:string" default="TLS"/>
+		<attribute name="authType" type="conf:string"/>
 		<attribute name="authUsername" type="conf:string"/>
 		<attribute name="authPassword" type="conf:string"/>
-		<attribute name="signRequests" type="boolean" default="false"/>
+		<attribute name="signRequests" type="boolean"/>
 		<attribute name="signatureAlg" type="anyURI"/>
 		<attribute name="digestAlg" type="anyURI"/>
-		<attribute name="encryptRequests" type="boolean" default="true"/>
+		<attribute name="encryptRequests" type="boolean"/>
 		<attribute name="encryptionAlg" type="anyURI"/>
+		<attribute name="keyName" type="conf:string"/>
 	</attributeGroup>
 	
 	<element name="SecurityPolicies">
diff --git a/shibsp/binding/impl/SOAPClient.cpp b/shibsp/binding/impl/SOAPClient.cpp
index 3b11ade..9e1158f 100644
--- a/shibsp/binding/impl/SOAPClient.cpp
+++ b/shibsp/binding/impl/SOAPClient.cpp
@@ -59,6 +59,9 @@ void SOAPClient::send(const soap11::Envelope& env, MetadataCredentialCriteria& p
             m_credResolver->lock();
             // Fill in criteria to use.
             peer.setUsage(CredentialCriteria::SIGNING_CREDENTIAL);
+            pair<bool,const char*> keyName = m_relyingParty->getString("keyName");
+            if (keyName.first)
+                peer.getKeyNames().insert(keyName.second);
             pair<bool,const XMLCh*> sigalg = m_relyingParty->getXMLString("signatureAlg");
             if (sigalg.first)
                 peer.setXMLAlgorithm(sigalg.second);
@@ -128,6 +131,9 @@ void SOAPClient::prepareTransport(SOAPTransport& transport)
         }
         if (m_credResolver) {
             m_criteria->setUsage(CredentialCriteria::TLS_CREDENTIAL);
+            authType = m_relyingParty->getString("keyName");
+            if (authType.first)
+                m_criteria->getKeyNames().insert(authType.second);
             const Credential* cred = m_credResolver->resolve(m_criteria);
             if (cred) {
                 if (!transport.setCredential(cred))
diff --git a/shibsp/handler/impl/SAML2SessionInitiator.cpp b/shibsp/handler/impl/SAML2SessionInitiator.cpp
index 57ee0e5..c904614 100644
--- a/shibsp/handler/impl/SAML2SessionInitiator.cpp
+++ b/shibsp/handler/impl/SAML2SessionInitiator.cpp
@@ -491,6 +491,9 @@ pair<bool,long> SAML2SessionInitiator::doRequest(
             // Fill in criteria to use.
             MetadataCredentialCriteria mcc(*role);
             mcc.setUsage(CredentialCriteria::SIGNING_CREDENTIAL);
+            pair<bool,const char*> keyName = relyingParty->getString("keyName");
+            if (keyName.first)
+                mcc.getKeyNames().insert(keyName.second);
             pair<bool,const XMLCh*> sigalg = relyingParty->getXMLString("signatureAlg");
             if (sigalg.first)
                 mcc.setXMLAlgorithm(sigalg.second);
diff --git a/shibsp/shibsp.vcproj b/shibsp/shibsp.vcproj
index 715ca77..5f514b5 100644
--- a/shibsp/shibsp.vcproj
+++ b/shibsp/shibsp.vcproj
@@ -188,94 +188,10 @@
 				>
 			</File>
 			<File
-				RelativePath=".\attribute\filtering\impl\AndMatchFunctor.cpp"
-				>
-			</File>
-			<File
-				RelativePath=".\attribute\filtering\impl\AnyMatchFunctor.cpp"
-				>
-			</File>
-			<File
 				RelativePath=".\Application.cpp"
 				>
 			</File>
 			<File
-				RelativePath=".\attribute\filtering\impl\AttributeFilter.cpp"
-				>
-			</File>
-			<File
-				RelativePath=".\attribute\filtering\impl\AttributeIssuerInEntityGroupFunctor.cpp"
-				>
-			</File>
-			<File
-				RelativePath=".\attribute\filtering\impl\AttributeIssuerRegexFunctor.cpp"
-				>
-			</File>
-			<File
-				RelativePath=".\attribute\filtering\impl\AttributeIssuerStringFunctor.cpp"
-				>
-			</File>
-			<File
-				RelativePath=".\attribute\filtering\impl\AttributeRequesterInEntityGroupFunctor.cpp"
-				>
-			</File>
-			<File
-				RelativePath=".\attribute\filtering\impl\AttributeRequesterRegexFunctor.cpp"
-				>
-			</File>
-			<File
-				RelativePath=".\attribute\filtering\impl\AttributeRequesterStringFunctor.cpp"
-				>
-			</File>
-			<File
-				RelativePath=".\attribute\filtering\impl\AttributeScopeMatchesShibMDScopeFunctor.cpp"
-				>
-			</File>
-			<File
-				RelativePath=".\attribute\filtering\impl\AttributeScopeRegexFunctor.cpp"
-				>
-			</File>
-			<File
-				RelativePath=".\attribute\filtering\impl\AttributeScopeStringFunctor.cpp"
-				>
-			</File>
-			<File
-				RelativePath=".\attribute\filtering\impl\AttributeValueRegexFunctor.cpp"
-				>
-			</File>
-			<File
-				RelativePath=".\attribute\filtering\impl\AttributeValueStringFunctor.cpp"
-				>
-			</File>
-			<File
-				RelativePath=".\attribute\filtering\impl\AuthenticationMethodRegexFunctor.cpp"
-				>
-			</File>
-			<File
-				RelativePath=".\attribute\filtering\impl\AuthenticationMethodStringFunctor.cpp"
-				>
-			</File>
-			<File
-				RelativePath=".\attribute\filtering\impl\ChainingAttributeFilter.cpp"
-				>
-			</File>
-			<File
-				RelativePath=".\attribute\filtering\impl\MatchFunctor.cpp"
-				>
-			</File>
-			<File
-				RelativePath=".\attribute\filtering\impl\NotMatchFunctor.cpp"
-				>
-			</File>
-			<File
-				RelativePath=".\attribute\filtering\impl\NumberOfAttributeValuesFunctor.cpp"
-				>
-			</File>
-			<File
-				RelativePath=".\attribute\filtering\impl\OrMatchFunctor.cpp"
-				>
-			</File>
-			<File
 				RelativePath=".\ServiceProvider.cpp"
 				>
 			</File>
@@ -287,10 +203,6 @@
 				RelativePath=".\SPConfig.cpp"
 				>
 			</File>
-			<File
-				RelativePath=".\attribute\filtering\impl\XMLAttributeFilter.cpp"
-				>
-			</File>
 			<Filter
 				Name="util"
 				>
@@ -424,6 +336,94 @@
 					<Filter
 						Name="impl"
 						>
+						<File
+							RelativePath=".\attribute\filtering\impl\AndMatchFunctor.cpp"
+							>
+						</File>
+						<File
+							RelativePath=".\attribute\filtering\impl\AnyMatchFunctor.cpp"
+							>
+						</File>
+						<File
+							RelativePath=".\attribute\filtering\impl\AttributeFilter.cpp"
+							>
+						</File>
+						<File
+							RelativePath=".\attribute\filtering\impl\AttributeIssuerInEntityGroupFunctor.cpp"
+							>
+						</File>
+						<File
+							RelativePath=".\attribute\filtering\impl\AttributeIssuerRegexFunctor.cpp"
+							>
+						</File>
+						<File
+							RelativePath=".\attribute\filtering\impl\AttributeIssuerStringFunctor.cpp"
+							>
+						</File>
+						<File
+							RelativePath=".\attribute\filtering\impl\AttributeRequesterInEntityGroupFunctor.cpp"
+							>
+						</File>
+						<File
+							RelativePath=".\attribute\filtering\impl\AttributeRequesterRegexFunctor.cpp"
+							>
+						</File>
+						<File
+							RelativePath=".\attribute\filtering\impl\AttributeRequesterStringFunctor.cpp"
+							>
+						</File>
+						<File
+							RelativePath=".\attribute\filtering\impl\AttributeScopeMatchesShibMDScopeFunctor.cpp"
+							>
+						</File>
+						<File
+							RelativePath=".\attribute\filtering\impl\AttributeScopeRegexFunctor.cpp"
+							>
+						</File>
+						<File
+							RelativePath=".\attribute\filtering\impl\AttributeScopeStringFunctor.cpp"
+							>
+						</File>
+						<File
+							RelativePath=".\attribute\filtering\impl\AttributeValueRegexFunctor.cpp"
+							>
+						</File>
+						<File
+							RelativePath=".\attribute\filtering\impl\AttributeValueStringFunctor.cpp"
+							>
+						</File>
+						<File
+							RelativePath=".\attribute\filtering\impl\AuthenticationMethodRegexFunctor.cpp"
+							>
+						</File>
+						<File
+							RelativePath=".\attribute\filtering\impl\AuthenticationMethodStringFunctor.cpp"
+							>
+						</File>
+						<File
+							RelativePath=".\attribute\filtering\impl\ChainingAttributeFilter.cpp"
+							>
+						</File>
+						<File
+							RelativePath=".\attribute\filtering\impl\MatchFunctor.cpp"
+							>
+						</File>
+						<File
+							RelativePath=".\attribute\filtering\impl\NotMatchFunctor.cpp"
+							>
+						</File>
+						<File
+							RelativePath=".\attribute\filtering\impl\NumberOfAttributeValuesFunctor.cpp"
+							>
+						</File>
+						<File
+							RelativePath=".\attribute\filtering\impl\OrMatchFunctor.cpp"
+							>
+						</File>
+						<File
+							RelativePath=".\attribute\filtering\impl\XMLAttributeFilter.cpp"
+							>
+						</File>
 					</Filter>
 				</Filter>
 			</Filter>
@@ -518,26 +518,14 @@
 				>
 			</File>
 			<File
-				RelativePath=".\attribute\filtering\BasicFilteringContext.h"
-				>
-			</File>
-			<File
 				RelativePath=".\exceptions.h"
 				>
 			</File>
 			<File
-				RelativePath=".\attribute\filtering\FilterPolicyContext.h"
-				>
-			</File>
-			<File
 				RelativePath=".\internal.h"
 				>
 			</File>
 			<File
-				RelativePath=".\attribute\filtering\MatchFunctor.h"
-				>
-			</File>
-			<File
 				RelativePath=".\RequestMapper.h"
 				>
 			</File>
@@ -668,9 +656,21 @@
 						>
 					</File>
 					<File
+						RelativePath=".\attribute\filtering\BasicFilteringContext.h"
+						>
+					</File>
+					<File
 						RelativePath=".\attribute\filtering\FilteringContext.h"
 						>
 					</File>
+					<File
+						RelativePath=".\attribute\filtering\FilterPolicyContext.h"
+						>
+					</File>
+					<File
+						RelativePath=".\attribute\filtering\MatchFunctor.h"
+						>
+					</File>
 				</Filter>
 			</Filter>
 			<Filter
-- 
2.1.4