From e55b84cb9abdf342e3f3b8988e54c1e5328e278f Mon Sep 17 00:00:00 2001
From: cantor
Date: Thu, 16 Aug 2007 03:20:05 +0000
Subject: [PATCH] Add "sender" to SOAP APIs to avoid reuse of connections across apps.
git-svn-id: https://svn.middleware.georgetown.edu/cpp-sp/trunk@2426 cb58f699-b61c-0410-a6fe-9272a202ed29
---
.../resolver/impl/QueryAttributeResolver.cpp | 43 +++++++++++-----------
shibsp/binding/SOAPClient.h | 5 ++-
shibsp/binding/impl/ArtifactResolver.cpp | 10 ++---
shibsp/binding/impl/SOAPClient.cpp | 18 ++++-----
shibsp/handler/impl/LogoutHandler.cpp | 2 +-
shibsp/handler/impl/SAML2LogoutInitiator.cpp | 2 +-
util/samlquery.cpp | 4 +-
7 files changed, 43 insertions(+), 41 deletions(-)
diff --git a/shibsp/attribute/resolver/impl/QueryAttributeResolver.cpp b/shibsp/attribute/resolver/impl/QueryAttributeResolver.cpp
index b4cdaa2..7a9988e 100644
--- a/shibsp/attribute/resolver/impl/QueryAttributeResolver.cpp
+++ b/shibsp/attribute/resolver/impl/QueryAttributeResolver.cpp
@@ -267,11 +267,12 @@ bool QueryResolver::SAML1Query(QueryContext& ctx) const return false; } - shibsp::SecurityPolicy policy(ctx.getApplication()); + const Application& application = ctx.getApplication(); + shibsp::SecurityPolicy policy(application); MetadataCredentialCriteria mcc(*AA); shibsp::SOAPClient soaper(policy); const PropertySet* policySettings = - ctx.getApplication().getServiceProvider().getPolicySettings(ctx.getApplication().getString("policyId").second); + application.getServiceProvider().getPolicySettings(application.getString("policyId").second); pair signedAssertions = policySettings->getBool("signedAssertions"); auto_ptr_XMLCh binding(samlconstants::SAML1_BINDING_SOAP);
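Review bot: The rewritten `policySettings` initializer in the @@ -267 hunk still feeds straight into `policySettings->getBool("signedAssertions")` on the next line with no null check, and the `.first` presence flag of `application.getString("policyId")` is discarded, so if `getPolicySettings` can return null for an unset or unknown `policyId` (not visible here) a misconfigured application dereferences null instead of failing with a clear error. The SAML2Query hunk at @@ -388 has the identical shape. Since the commit already touches these lines, a guard of the form `if (!policySettings) throw` followed by a configuration-style exception with the policyId in the message would fit naturally, or a comment stating that `getPolicySettings` is guaranteed non-null. Both SAML1Query and SAML2Query continue outside their hunks.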
@@ -282,7 +283,7 @@ bool QueryResolver::SAML1Query(QueryContext& ctx) const if (!XMLString::equals((*ep)->getBinding(),binding.get())) continue; auto_ptr_char loc((*ep)->getLocation()); - auto_ptr_XMLCh issuer(ctx.getApplication().getString("entityID").second); + auto_ptr_XMLCh issuer(application.getString("entityID").second); NameIdentifier* nameid = NameIdentifierBuilder::buildNameIdentifier(); nameid->setName(ctx.getNameID()->getName()); nameid->setFormat(ctx.getNameID()->getFormat());
@@ -299,7 +300,7 @@ bool QueryResolver::SAML1Query(QueryContext& ctx) const request->setMinorVersion(version); SAML1SOAPClient client(soaper, false); - client.sendSAML(request, mcc, loc.get()); + client.sendSAML(request, application.getId(), mcc, loc.get()); response = client.receiveSAML(); } catch (exception& ex) {
@@ -340,7 +341,7 @@ bool QueryResolver::SAML1Query(QueryContext& ctx) const policy.evaluate(*newtoken); if (!policy.isSecure()) throw SecurityPolicyException("Security of SAML 1.x query result not established."); - saml1::AssertionValidator tokval(ctx.getApplication().getAudiences(), time(NULL)); + saml1::AssertionValidator tokval(application.getAudiences(), time(NULL)); tokval.validateAssertion(*newtoken); } catch (exception& ex) {
@@ -354,15 +355,15 @@ bool QueryResolver::SAML1Query(QueryContext& ctx) const // Finally, extract and filter the result. try { - AttributeExtractor* extractor = ctx.getApplication().getAttributeExtractor(); + AttributeExtractor* extractor = application.getAttributeExtractor(); if (extractor) { Locker extlocker(extractor); - extractor->extractAttributes(ctx.getApplication(), AA, *newtoken, ctx.getResolvedAttributes()); + extractor->extractAttributes(application, AA, *newtoken, ctx.getResolvedAttributes()); } - AttributeFilter* filter = ctx.getApplication().getAttributeFilter(); + AttributeFilter* filter = application.getAttributeFilter(); if (filter) { - BasicFilteringContext fc(ctx.getApplication(), ctx.getResolvedAttributes(), AA, ctx.getClassRef(), ctx.getDeclRef()); + BasicFilteringContext fc(application, ctx.getResolvedAttributes(), AA, ctx.getClassRef(), ctx.getDeclRef()); Locker filtlocker(filter); filter->filterAttributes(fc, ctx.getResolvedAttributes()); }
@@ -388,14 +389,14 @@ bool QueryResolver::SAML2Query(QueryContext& ctx) const return false; } - shibsp::SecurityPolicy policy(ctx.getApplication()); + const Application& application = ctx.getApplication(); + shibsp::SecurityPolicy policy(application); MetadataCredentialCriteria mcc(*AA); shibsp::SOAPClient soaper(policy); - const PropertySet* policySettings = - ctx.getApplication().getServiceProvider().getPolicySettings(ctx.getApplication().getString("policyId").second); + const PropertySet* policySettings = application.getServiceProvider().getPolicySettings(application.getString("policyId").second); pair signedAssertions = policySettings->getBool("signedAssertions"); - const PropertySet* relyingParty = ctx.getApplication().getRelyingParty(ctx.getEntityDescriptor()); + const PropertySet* relyingParty = application.getRelyingParty(ctx.getEntityDescriptor()); pair encryption = relyingParty->getString("encryption"); auto_ptr_XMLCh binding(samlconstants::SAML20_BINDING_SOAP);
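Review bot: In the @@ -388 hunk the `policySettings` initializer is folded onto a single line, while the parallel SAML1Query hunk at @@ -267 keeps the original two-line wrapped form; the two functions are otherwise edited identically, so the layout should stay parallel as well. Keep the wrap: `const PropertySet* policySettings =` followed by `application.getServiceProvider().getPolicySettings(application.getString("policyId").second);` on the continuation line. SAML2Query's body continues outside the hunk.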
@@ -406,7 +407,7 @@ bool QueryResolver::SAML2Query(QueryContext& ctx) const if (!XMLString::equals((*ep)->getBinding(),binding.get())) continue; auto_ptr_char loc((*ep)->getLocation()); - auto_ptr_XMLCh issuer(ctx.getApplication().getString("entityID").second); + auto_ptr_XMLCh issuer(application.getString("entityID").second); auto_ptr subject(saml2::SubjectBuilder::buildSubject());
@@ -416,7 +417,7 @@ bool QueryResolver::SAML2Query(QueryContext& ctx) const MetadataCredentialCriteria mcc(*AA); encrypted->encrypt( *ctx.getNameID(), - *(ctx.getApplication().getMetadataProvider()), + *(application.getMetadataProvider()), mcc, false, relyingParty->getXMLString("encryptionAlg").second
@@ -436,7 +437,7 @@ bool QueryResolver::SAML2Query(QueryContext& ctx) const query->getAttributes().push_back((*ad)->cloneAttribute()); SAML2SOAPClient client(soaper, false); - client.sendSAML(query, mcc, loc.get()); + client.sendSAML(query, application.getId(), mcc, loc.get()); srt = client.receiveSAML(); } catch (exception& ex) {
@@ -483,7 +484,7 @@ bool QueryResolver::SAML2Query(QueryContext& ctx) const policy.evaluate(*newtoken); if (!policy.isSecure()) throw SecurityPolicyException("Security of SAML 2.0 query result not established."); - saml2::AssertionValidator tokval(ctx.getApplication().getAudiences(), time(NULL)); + saml2::AssertionValidator tokval(application.getAudiences(), time(NULL)); tokval.validateAssertion(*newtoken); } catch (exception& ex) {
@@ -497,15 +498,15 @@ bool QueryResolver::SAML2Query(QueryContext& ctx) const // Finally, extract and filter the result. try { - AttributeExtractor* extractor = ctx.getApplication().getAttributeExtractor(); + AttributeExtractor* extractor = application.getAttributeExtractor(); if (extractor) { Locker extlocker(extractor); - extractor->extractAttributes(ctx.getApplication(), AA, *newtoken, ctx.getResolvedAttributes()); + extractor->extractAttributes(application, AA, *newtoken, ctx.getResolvedAttributes()); } - AttributeFilter* filter = ctx.getApplication().getAttributeFilter(); + AttributeFilter* filter = application.getAttributeFilter(); if (filter) { - BasicFilteringContext fc(ctx.getApplication(), ctx.getResolvedAttributes(), AA, ctx.getClassRef(), ctx.getDeclRef()); + BasicFilteringContext fc(application, ctx.getResolvedAttributes(), AA, ctx.getClassRef(), ctx.getDeclRef()); Locker filtlocker(filter); filter->filterAttributes(fc, ctx.getResolvedAttributes()); }
diff --git a/shibsp/binding/SOAPClient.h b/shibsp/binding/SOAPClient.h
index 70c7b1f..573f3f1 100644
--- a/shibsp/binding/SOAPClient.h
+++ b/shibsp/binding/SOAPClient.h
@@ -53,10 +53,11 @@ namespace shibsp { * Override handles message signing for SAML payloads. * * @param env SOAP envelope to send - * @param peer peer to send message to, expressed in metadata terms + * @param from identity of sending application + * @param to peer to send message to, expressed in metadata terms * @param endpoint URL of endpoint to recieve message */ - void send(const soap11::Envelope& env, opensaml::saml2md::MetadataCredentialCriteria& peer, const char* endpoint); + void send(const soap11::Envelope& env, const char* from, opensaml::saml2md::MetadataCredentialCriteria& to, const char* endpoint); void reset();
diff --git a/shibsp/binding/impl/ArtifactResolver.cpp b/shibsp/binding/impl/ArtifactResolver.cpp
index 33863d4..b62e3b6 100644
--- a/shibsp/binding/impl/ArtifactResolver.cpp
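Review bot: The new `@param from identity of sending application` line in the SOAPClient.h hunk does not say what the value is for, and since the commit message states it exists to keep connections from being reused across applications, a caller needs to know that it must be unique and stable per application (every call site in this patch passes the Application id) — a value that collides across applications silently defeats the isolation. Suggested wording: `@param from identity of the sending application (its id); used to keep this application's outbound connections separate from those of other applications`. It is also worth stating whether the transport copies the string or keeps the pointer, since `from` is a `const char*` that may outlive the call if a connection cache is keyed by it (not visible here). The context line `@param endpoint URL of endpoint to recieve message` has a typo, `receive`, that could be fixed while the block is being edited.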
+++ b/shibsp/binding/impl/ArtifactResolver.cpp
@@ -51,7 +51,8 @@ saml1p::Response* ArtifactResolver::resolve( ) const { MetadataCredentialCriteria mcc(idpDescriptor); - shibsp::SOAPClient soaper(dynamic_cast(policy)); + shibsp::SecurityPolicy& sppolicy = dynamic_cast(policy); + shibsp::SOAPClient soaper(sppolicy); bool foundEndpoint = false; auto_ptr_XMLCh binding(samlconstants::SAML1_BINDING_SOAP);
@@ -73,7 +74,7 @@ saml1p::Response* ArtifactResolver::resolve( } SAML1SOAPClient client(soaper, false); - client.sendSAML(request, mcc, loc.get()); + client.sendSAML(request, sppolicy.getApplication().getId(), mcc, loc.get()); response = client.receiveSAML(); } catch (exception& ex) {
@@ -115,18 +116,17 @@ ArtifactResponse* ArtifactResolver::resolve( continue; foundEndpoint = true; auto_ptr_char loc((*ep)->getLocation()); - auto_ptr_XMLCh issuer(sppolicy.getApplication().getString("entityID").second); ArtifactResolve* request = ArtifactResolveBuilder::buildArtifactResolve(); Issuer* iss = IssuerBuilder::buildIssuer(); request->setIssuer(iss); - iss->setName(issuer.get()); + iss->setName(sppolicy.getApplication().getXMLString("entityID").second); auto_ptr_XMLCh artbuf(artifact.encode().c_str()); Artifact* a = ArtifactBuilder::buildArtifact(); a->setArtifact(artbuf.get()); request->setArtifact(a); SAML2SOAPClient client(soaper, false); - client.sendSAML(request, mcc, loc.get()); + client.sendSAML(request, sppolicy.getApplication().getId(), mcc, loc.get()); StatusResponseType* srt = client.receiveSAML(); if (!(response = dynamic_cast(srt))) { delete srt;
diff --git a/shibsp/binding/impl/SOAPClient.cpp b/shibsp/binding/impl/SOAPClient.cpp
index 03de42b..607bd74 100644
--- a/shibsp/binding/impl/SOAPClient.cpp
+++ b/shibsp/binding/impl/SOAPClient.cpp
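Review bot: In the @@ -115 hunk the new `iss->setName(sppolicy.getApplication().getXMLString("entityID").second);` drops the `.first` presence flag, so an application with no `entityID` configured hands a null name to the Issuer of the ArtifactResolve; the removed `auto_ptr_XMLCh issuer(...)` form had the same gap, so this is not a regression, but a check such as `if (!entityID.first) throw` with a clear configuration message would make the failure explicit instead of sending a request with an empty Issuer. Separately, `sppolicy.getApplication()` is now evaluated inside what appears to be the per-endpoint loop (the `continue; foundEndpoint = true;` context) in both resolve overloads; hoisting `const Application& application = sppolicy.getApplication();` ahead of the loop, as the QueryAttributeResolver hunks in this same patch do, keeps the two files consistent. Both resolve bodies extend beyond their hunks.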
@@ -46,27 +46,27 @@ SOAPClient::SOAPClient(SecurityPolicy& policy) setValidating(validate.first && validate.second); } -void SOAPClient::send(const soap11::Envelope& env, MetadataCredentialCriteria& peer, const char* endpoint) +void SOAPClient::send(const soap11::Envelope& env, const char* from, MetadataCredentialCriteria& to, const char* endpoint) { // Check for message signing requirements. - m_relyingParty = m_app.getRelyingParty(dynamic_cast(peer.getRole().getParent())); + m_relyingParty = m_app.getRelyingParty(dynamic_cast(to.getRole().getParent())); pair flag = m_relyingParty->getString("signing"); if (flag.first && (!strcmp(flag.second, "true") || !strcmp(flag.second, "back"))) { m_credResolver=m_app.getCredentialResolver(); if (m_credResolver) { m_credResolver->lock(); // Fill in criteria to use. - peer.setUsage(CredentialCriteria::SIGNING_CREDENTIAL); + to.setUsage(CredentialCriteria::SIGNING_CREDENTIAL); pair keyName = m_relyingParty->getString("keyName"); if (keyName.first) - peer.getKeyNames().insert(keyName.second); + to.getKeyNames().insert(keyName.second); pair sigalg = m_relyingParty->getXMLString("signingAlg"); if (sigalg.first) - peer.setXMLAlgorithm(sigalg.second); - const Credential* cred = m_credResolver->resolve(&peer); + to.setXMLAlgorithm(sigalg.second); + const Credential* cred = m_credResolver->resolve(&to); // Reset criteria back. - peer.setKeyAlgorithm(NULL); - peer.setKeySize(0); + to.setKeyAlgorithm(NULL); + to.setKeySize(0); if (cred) { // Check for message.
@@ -98,7 +98,7 @@ void SOAPClient::send(const soap11::Envelope& env, MetadataCredentialCriteria& p } } - opensaml::SOAPClient::send(env, peer, endpoint); + opensaml::SOAPClient::send(env, from, to, endpoint); } void SOAPClient::prepareTransport(SOAPTransport& transport)
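Review bot: The "Reset criteria back" block in the @@ -46 hunk resets `to.setKeyAlgorithm(NULL)` and `to.setKeySize(0)`, two fields this function never sets, while the usage, key name and XML algorithm that `send` does write into `to` a few lines earlier are left in place on a caller-owned object; in ArtifactResolver that object (`mcc`) is reused across endpoint iterations, and in QueryResolver it is the same `mcc` the surrounding code keeps using. If the signing criteria are meant to persist after the send, the comment should say so, e.g. `// Only the key-size/algorithm hints are cleared; usage, key names and signing algorithm stay on the criteria for the caller.`; otherwise reset the three fields that were actually set. The rename from `peer` to `to` is mechanical and does not change this, but it is the right moment to settle it. `send` continues past the hunk, including whatever pairs the `m_credResolver->lock()` with an unlock.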
@@ -211,7 +211,7 @@ bool LogoutHandler::notifyBackChannel( SOAPNotifier soaper; while (!endpoint.empty()) { try { - soaper.send(*env.get(), application.getId(), endpoint.c_str()); + soaper.send(*env.get(), SOAPTransport::Address(application.getId(), application.getId(), endpoint.c_str())); delete soaper.receive(); } catch (exception& ex) {
diff --git a/shibsp/handler/impl/SAML2LogoutInitiator.cpp b/shibsp/handler/impl/SAML2LogoutInitiator.cpp
index 17e190d..6d9274f 100644
--- a/shibsp/handler/impl/SAML2LogoutInitiator.cpp
+++ b/shibsp/handler/impl/SAML2LogoutInitiator.cpp
@@ -325,7 +325,7 @@ pair SAML2LogoutInitiator::doRequest( auto_ptr_char dest((*epit)->getLocation()); SAML2SOAPClient client(soaper, false); - client.sendSAML(msg, mcc, dest.get()); + client.sendSAML(msg, application.getId(), mcc, dest.get()); StatusResponseType* srt = client.receiveSAML(); if (!(logoutResponse = dynamic_cast(srt))) { delete srt;
diff --git a/util/samlquery.cpp b/util/samlquery.cpp
index e00c546..cc8081f 100644
--- a/util/samlquery.cpp
+++ b/util/samlquery.cpp
@@ -184,7 +184,7 @@ int main(int argc,char* argv[]) nameid->setNameQualifier(domain.get()); iss->setName(issuer.get()); SAML2SOAPClient client(soaper, false); - client.sendSAML(query, mcc, loc.get()); + client.sendSAML(query, app->getId(), mcc, loc.get()); srt = client.receiveSAML(); } catch (exception& ex) {
@@ -231,7 +231,7 @@ int main(int argc,char* argv[]) query->setResource(issuer.get()); request->setMinorVersion(ver==v11 ? 1 : 0); SAML1SOAPClient client(soaper, false); - client.sendSAML(request, mcc, loc.get()); + client.sendSAML(request, app->getId(), mcc, loc.get()); response = client.receiveSAML(); } catch (exception& ex) {
--
2.1.4
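Review bot: In the LogoutHandler hunk the new `SOAPTransport::Address(application.getId(), application.getId(), endpoint.c_str())` passes the application's own id in both the first and second slots; given the `from`/`to` naming the same patch introduces in `SOAPClient::send`, the second slot presumably identifies the peer, so every back-channel notification from one application is addressed to "itself" regardless of which endpoint in the loop it goes to. That is plausible if these notification endpoints belong to the same application and the transport keys connections by endpoint as well, but nothing in the hunk says so, and a reader will assume a copy-paste mistake. Add a line above the call such as `// Notifications are sent as, and to, this application; the endpoint URL distinguishes the recipients (NOTE: confirm Address is (from, to, endpoint)).` or, if the peer slot should carry the remote identity, pass that instead. notifyBackChannel continues outside the hunk.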