xmltooling/soap/impl/CURLSOAPTransport.cpp

   1 /*
   2  *  Copyright 2001-2006 Internet2
   3  *
   4  * Licensed under the Apache License, Version 2.0 (the "License");
   5  * you may not use this file except in compliance with the License.
   6  * You may obtain a copy of the License at
   7  *
   8  *     http://www.apache.org/licenses/LICENSE-2.0
   9  *
  10  * Unless required by applicable law or agreed to in writing, software
  11  * distributed under the License is distributed on an "AS IS" BASIS,
  12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  13  * See the License for the specific language governing permissions and
  14  * limitations under the License.
  15  */
  16
  17 /**
  18  * CURLSOAPTransport.cpp
  19  *
  20  * libcurl-based SOAPTransport implementation
  21  */
  22
  23 #include "internal.h"
  24 #include "exceptions.h"
  25 #include "security/OpenSSLTrustEngine.h"
  26 #include "signature/OpenSSLCredentialResolver.h"
  27 #include "soap/HTTPSOAPTransport.h"
  28 #include "soap/OpenSSLSOAPTransport.h"
  29 #include "util/NDC.h"
  30 #include "util/Threads.h"
  31
  32 #include <list>
  33 #include <curl/curl.h>
  34 #include <log4cpp/Category.hh>
  35 #include <openssl/x509_vfy.h>
  36
  37 using namespace xmlsignature;
  38 using namespace xmltooling;
  39 using namespace log4cpp;
  40 using namespace std;
  41
  42 namespace xmltooling {
  43
  44     // Manages cache of socket connections via CURL handles.
  45     class XMLTOOL_DLLLOCAL CURLPool
  46     {
  47     public:
  48         CURLPool() : m_size(256), m_lock(Mutex::create()),
  49             m_log(Category::getInstance(XMLTOOLING_LOGCAT".SOAPTransport.CURLPool")) {}
  50         ~CURLPool();
  51
  52         CURL* get(const string& to, const char* endpoint);
  53         void put(const string& to, const char* endpoint, CURL* handle);
  54
  55     private:
  56         typedef map<string,vector<CURL*> > poolmap_t;
  57         poolmap_t m_bindingMap;
  58         list< vector<CURL*>* > m_pools;
  59         long m_size;
  60         Mutex* m_lock;
  61         Category& m_log;
  62     };
  63
  64     static XMLTOOL_DLLLOCAL CURLPool* g_CURLPool = NULL;
  65
  66     class XMLTOOL_DLLLOCAL CURLSOAPTransport : public HTTPSOAPTransport, public OpenSSLSOAPTransport
  67     {
  68     public:
  69         CURLSOAPTransport(const KeyInfoSource& peer, const char* endpoint)
  70                 : m_peer(peer), m_endpoint(endpoint), m_handle(NULL), m_headers(NULL),
  71 #ifndef XMLTOOLING_NO_XMLSEC
  72                     m_credResolver(NULL), m_trustEngine(NULL), m_mandatory(false), m_keyResolver(NULL),
  73 #endif
  74                     m_ssl_callback(NULL), m_ssl_userptr(NULL), m_secure(false) {
  75             m_handle = g_CURLPool->get(peer.getName(), endpoint);
  76             curl_easy_setopt(m_handle,CURLOPT_URL,endpoint);
  77             curl_easy_setopt(m_handle,CURLOPT_CONNECTTIMEOUT,15);
  78             curl_easy_setopt(m_handle,CURLOPT_TIMEOUT,30);
  79             curl_easy_setopt(m_handle,CURLOPT_HTTPAUTH,0);
  80             curl_easy_setopt(m_handle,CURLOPT_USERPWD,NULL);
  81             curl_easy_setopt(m_handle,CURLOPT_HEADERDATA,this);
  82             m_headers=curl_slist_append(m_headers,"Content-Type: text/xml");
  83         }
  84
  85         virtual ~CURLSOAPTransport() {
  86             curl_slist_free_all(m_headers);
  87             curl_easy_setopt(m_handle,CURLOPT_ERRORBUFFER,NULL);
  88             curl_easy_setopt(m_handle,CURLOPT_PRIVATE,m_secure ? "secure" : NULL); // Save off security "state".
  89             g_CURLPool->put(m_peer.getName(), m_endpoint.c_str(), m_handle);
  90         }
  91
  92         bool setConnectTimeout(long timeout) const {
  93             return (curl_easy_setopt(m_handle,CURLOPT_CONNECTTIMEOUT,timeout)==CURLE_OK);
  94         }
  95
  96         bool setTimeout(long timeout) const {
  97             return (curl_easy_setopt(m_handle,CURLOPT_TIMEOUT,timeout)==CURLE_OK);
  98         }
  99
 100         bool setAuth(transport_auth_t authType, const char* username=NULL, const char* password=NULL) const;
 101
 102 #ifndef XMLTOOLING_NO_XMLSEC
 103         bool setCredentialResolver(const CredentialResolver* credResolver) const {
 104             const OpenSSLCredentialResolver* down = dynamic_cast<const OpenSSLCredentialResolver*>(credResolver);
 105             if (!down) {
 106                 m_credResolver = NULL;
 107                 return (credResolver==NULL);
 108             }
 109             m_credResolver = down;
 110             return true;
 111         }
 112
 113         bool setTrustEngine(const X509TrustEngine* trustEngine, bool mandatory=true, const KeyResolver* keyResolver=NULL) const {
 114             const OpenSSLTrustEngine* down = dynamic_cast<const OpenSSLTrustEngine*>(trustEngine);
 115             if (!down) {
 116                 m_trustEngine = NULL;
 117                 m_keyResolver = NULL;
 118                 return (trustEngine==NULL);
 119             }
 120             m_trustEngine = down;
 121             m_keyResolver = keyResolver;
 122             m_mandatory = mandatory;
 123             return true;
 124         }
 125
 126 #endif
 127
 128         void send(istream& in);
 129
 130         istream& receive() {
 131             return m_stream;
 132         }
 133
 134         bool isSecure() const {
 135             return m_secure;
 136         }
 137
 138         void setSecure(bool secure) {
 139             m_secure = secure;
 140         }
 141
 142         string getContentType() const;
 143
 144         bool setRequestHeader(const char* name, const char* val) const {
 145             string temp(name);
 146             temp=temp + ": " + val;
 147             m_headers=curl_slist_append(m_headers,temp.c_str());
 148             return true;
 149         }
 150
 151         const vector<string>& getResponseHeader(const char* val) const;
 152
 153         bool setSSLCallback(ssl_ctx_callback_fn fn, void* userptr=NULL) const {
 154             m_ssl_callback=fn;
 155             m_ssl_userptr=userptr;
 156             return true;
 157         }
 158
 159     private:
 160         // per-call state
 161         const KeyInfoSource& m_peer;
 162         string m_endpoint;
 163         CURL* m_handle;
 164         stringstream m_stream;
 165         mutable struct curl_slist* m_headers;
 166         map<string,vector<string> > m_response_headers;
 167 #ifndef XMLTOOLING_NO_XMLSEC
 168         mutable const OpenSSLCredentialResolver* m_credResolver;
 169         mutable const OpenSSLTrustEngine* m_trustEngine;
 170         mutable bool m_mandatory;
 171         mutable const KeyResolver* m_keyResolver;
 172 #endif
 173         mutable ssl_ctx_callback_fn m_ssl_callback;
 174         mutable void* m_ssl_userptr;
 175         bool m_secure;
 176
 177         friend size_t XMLTOOL_DLLLOCAL curl_header_hook(void* ptr, size_t size, size_t nmemb, void* stream);
 178         friend CURLcode XMLTOOL_DLLLOCAL xml_ssl_ctx_callback(CURL* curl, SSL_CTX* ssl_ctx, void* userptr);
 179         friend int XMLTOOL_DLLLOCAL verify_callback(X509_STORE_CTX* x509_ctx, void* arg);
 180     };
 181
 182     // libcurl callback functions
 183     size_t XMLTOOL_DLLLOCAL curl_header_hook(void* ptr, size_t size, size_t nmemb, void* stream);
 184     size_t XMLTOOL_DLLLOCAL curl_write_hook(void* ptr, size_t size, size_t nmemb, void* stream);
 185     size_t XMLTOOL_DLLLOCAL curl_read_hook( void *ptr, size_t size, size_t nmemb, void *stream);
 186     int XMLTOOL_DLLLOCAL curl_debug_hook(CURL* handle, curl_infotype type, char* data, size_t len, void* ptr);
 187     CURLcode XMLTOOL_DLLLOCAL xml_ssl_ctx_callback(CURL* curl, SSL_CTX* ssl_ctx, void* userptr);
 188 #ifndef XMLTOOLING_NO_XMLSEC
 189     int XMLTOOL_DLLLOCAL verify_callback(X509_STORE_CTX* x509_ctx, void* arg);
 190 #endif
 191
 192     SOAPTransport* CURLSOAPTransportFactory(const pair<const KeyInfoSource*,const char*>& dest)
 193     {
 194         return new CURLSOAPTransport(*dest.first, dest.second);
 195     }
 196 };
 197
 198 void xmltooling::registerSOAPTransports()
 199 {
 200     XMLToolingConfig& conf=XMLToolingConfig::getConfig();
 201     conf.SOAPTransportManager.registerFactory("http", CURLSOAPTransportFactory);
 202     conf.SOAPTransportManager.registerFactory("https", CURLSOAPTransportFactory);
 203 }
 204
 205 void xmltooling::initSOAPTransports()
 206 {
 207     g_CURLPool=new CURLPool();
 208 }
 209
 210 void xmltooling::termSOAPTransports()
 211 {
 212     delete g_CURLPool;
 213     g_CURLPool = NULL;
 214 }
 215
 216 CURLPool::~CURLPool()
 217 {
 218     for (poolmap_t::iterator i=m_bindingMap.begin(); i!=m_bindingMap.end(); i++) {
 219         for (vector<CURL*>::iterator j=i->second.begin(); j!=i->second.end(); j++)
 220             curl_easy_cleanup(*j);
 221     }
 222     delete m_lock;
 223 }
 224
 225 CURL* CURLPool::get(const string& to, const char* endpoint)
 226 {
 227 #ifdef _DEBUG
 228     xmltooling::NDC("get");
 229 #endif
 230     m_log.debug("getting connection handle to %s", endpoint);
 231     m_lock->lock();
 232     poolmap_t::iterator i=m_bindingMap.find(to + "|" + endpoint);
 233
 234     if (i!=m_bindingMap.end()) {
 235         // Move this pool to the front of the list.
 236         m_pools.remove(&(i->second));
 237         m_pools.push_front(&(i->second));
 238
 239         // If a free connection exists, return it.
 240         if (!(i->second.empty())) {
 241             CURL* handle=i->second.back();
 242             i->second.pop_back();
 243             m_size--;
 244             m_lock->unlock();
 245             m_log.debug("returning existing connection handle from pool");
 246             return handle;
 247         }
 248     }
 249
 250     m_lock->unlock();
 251     m_log.debug("nothing free in pool, returning new connection handle");
 252
 253     // Create a new connection and set non-varying options.
 254     CURL* handle=curl_easy_init();
 255     if (!handle)
 256         return NULL;
 257     curl_easy_setopt(handle,CURLOPT_NOPROGRESS,1);
 258     curl_easy_setopt(handle,CURLOPT_NOSIGNAL,1);
 259     curl_easy_setopt(handle,CURLOPT_FAILONERROR,1);
 260     curl_easy_setopt(handle,CURLOPT_SSLVERSION,3);
 261     curl_easy_setopt(handle,CURLOPT_SSL_VERIFYHOST,2);
 262     curl_easy_setopt(handle,CURLOPT_HEADERFUNCTION,&curl_header_hook);
 263     curl_easy_setopt(handle,CURLOPT_READFUNCTION,&curl_read_hook);
 264     curl_easy_setopt(handle,CURLOPT_WRITEFUNCTION,&curl_write_hook);
 265     curl_easy_setopt(handle,CURLOPT_DEBUGFUNCTION,&curl_debug_hook);
 266
 267     return handle;
 268 }
 269
 270 void CURLPool::put(const string& to, const char* endpoint, CURL* handle)
 271 {
 272     string key = to + "|" + endpoint;
 273     m_lock->lock();
 274     poolmap_t::iterator i=m_bindingMap.find(key);
 275     if (i==m_bindingMap.end())
 276         m_pools.push_front(&(m_bindingMap.insert(poolmap_t::value_type(key,vector<CURL*>(1,handle))).first->second));
 277     else
 278         i->second.push_back(handle);
 279
 280     CURL* killit=NULL;
 281     if (++m_size > 256) {
 282         // Kick a handle out from the back of the bus.
 283         while (true) {
 284             vector<CURL*>* corpse=m_pools.back();
 285             if (!corpse->empty()) {
 286                 killit=corpse->back();
 287                 corpse->pop_back();
 288                 m_size--;
 289                 break;
 290             }
 291
 292             // Move an empty pool up to the front so we don't keep hitting it.
 293             m_pools.pop_back();
 294             m_pools.push_front(corpse);
 295         }
 296     }
 297     m_lock->unlock();
 298     if (killit) {
 299         curl_easy_cleanup(killit);
 300 #ifdef _DEBUG
 301         xmltooling::NDC("put");
 302 #endif
 303         m_log.info("conn_pool_max limit reached, dropping an old connection");
 304     }
 305 }
 306
 307 bool CURLSOAPTransport::setAuth(transport_auth_t authType, const char* username, const char* password) const
 308 {
 309     if (authType==transport_auth_none) {
 310         if (curl_easy_setopt(m_handle,CURLOPT_HTTPAUTH,0)!=CURLE_OK)
 311             return false;
 312         return (curl_easy_setopt(m_handle,CURLOPT_USERPWD,NULL)==CURLE_OK);
 313     }
 314     long flag=0;
 315     switch (authType) {
 316         case transport_auth_basic:    flag = CURLAUTH_BASIC; break;
 317         case transport_auth_digest:   flag = CURLAUTH_DIGEST; break;
 318         case transport_auth_ntlm:     flag = CURLAUTH_NTLM; break;
 319         case transport_auth_gss:      flag = CURLAUTH_GSSNEGOTIATE; break;
 320         default:            return false;
 321     }
 322     if (curl_easy_setopt(m_handle,CURLOPT_HTTPAUTH,flag)!=CURLE_OK)
 323         return false;
 324     string creds = string(username ? username : "") + ':' + (password ? password : "");
 325     return (curl_easy_setopt(m_handle,CURLOPT_USERPWD,creds.c_str())==CURLE_OK);
 326 }
 327
 328 const vector<string>& CURLSOAPTransport::getResponseHeader(const char* name) const
 329 {
 330     static vector<string> emptyVector;
 331
 332     map<string,vector<string> >::const_iterator i=m_response_headers.find(name);
 333     if (i!=m_response_headers.end())
 334         return i->second;
 335
 336     for (map<string,vector<string> >::const_iterator j=m_response_headers.begin(); j!=m_response_headers.end(); j++) {
 337 #ifdef HAVE_STRCASECMP
 338         if (!strcasecmp(j->first.c_str(), name))
 339 #else
 340         if (!stricmp(j->first.c_str(), name))
 341 #endif
 342             return j->second;
 343     }
 344
 345     return emptyVector;
 346 }
 347
 348 string CURLSOAPTransport::getContentType() const
 349 {
 350     char* content_type=NULL;
 351     curl_easy_getinfo(m_handle,CURLINFO_CONTENT_TYPE,&content_type);
 352     return content_type ? content_type : "";
 353 }
 354
 355 void CURLSOAPTransport::send(istream& in)
 356 {
 357 #ifdef _DEBUG
 358     xmltooling::NDC ndc("send");
 359 #endif
 360     Category& log=Category::getInstance(XMLTOOLING_LOGCAT".SOAPTransport");
 361     Category& log_curl=Category::getInstance(XMLTOOLING_LOGCAT".libcurl");
 362
 363     // By this time, the handle has been prepared with the URL to use and the
 364     // caller should have executed any set functions to manipulate it.
 365
 366     // Setup standard per-call curl properties.
 367     curl_easy_setopt(m_handle,CURLOPT_POST,1);
 368     curl_easy_setopt(m_handle,CURLOPT_READDATA,&in);
 369     curl_easy_setopt(m_handle,CURLOPT_FILE,&m_stream);
 370     curl_easy_setopt(m_handle,CURLOPT_DEBUGDATA,&log_curl);
 371
 372     char curl_errorbuf[CURL_ERROR_SIZE];
 373     curl_errorbuf[0]=0;
 374     curl_easy_setopt(m_handle,CURLOPT_ERRORBUFFER,curl_errorbuf);
 375     if (log_curl.isDebugEnabled())
 376         curl_easy_setopt(m_handle,CURLOPT_VERBOSE,1);
 377
 378     // Set request headers (possibly appended by hooks).
 379     curl_easy_setopt(m_handle,CURLOPT_HTTPHEADER,m_headers);
 380
 381     if (m_ssl_callback || m_credResolver || m_trustEngine) {
 382         curl_easy_setopt(m_handle,CURLOPT_SSL_CTX_FUNCTION,xml_ssl_ctx_callback);
 383         curl_easy_setopt(m_handle,CURLOPT_SSL_CTX_DATA,this);
 384
 385         // Restore security "state". Necessary because the callback only runs
 386         // when handshakes occur. Even new TCP connections won't execute it.
 387         char* priv=NULL;
 388         curl_easy_getinfo(m_handle,CURLINFO_PRIVATE,&priv);
 389         if (priv)
 390             m_secure=true;
 391     }
 392     else {
 393         curl_easy_setopt(m_handle,CURLOPT_SSL_CTX_FUNCTION,NULL);
 394         curl_easy_setopt(m_handle,CURLOPT_SSL_CTX_DATA,NULL);
 395     }
 396
 397     // Verification of the peer is via TrustEngine only.
 398     curl_easy_setopt(m_handle,CURLOPT_SSL_VERIFYPEER,0);
 399
 400     // Make the call.
 401     log.info("sending SOAP message to %s", m_endpoint.c_str());
 402     if (curl_easy_perform(m_handle) != CURLE_OK) {
 403         log.error("failed communicating with SOAP endpoint: %s",
 404             (curl_errorbuf[0] ? curl_errorbuf : "no further information available"));
 405         throw IOException(
 406             string("CURLSOAPTransport::send() failed while contacting SOAP responder: ") +
 407                 (curl_errorbuf[0] ? curl_errorbuf : "no further information available"));
 408     }
 409 }
 410
 411 // callback to buffer headers from server
 412 size_t xmltooling::curl_header_hook(void* ptr, size_t size, size_t nmemb, void* stream)
 413 {
 414     // only handle single-byte data
 415     if (size!=1)
 416         return 0;
 417     CURLSOAPTransport* ctx = reinterpret_cast<CURLSOAPTransport*>(stream);
 418     char* buf = (char*)malloc(nmemb + 1);
 419     if (buf) {
 420         memset(buf,0,nmemb + 1);
 421         memcpy(buf,ptr,nmemb);
 422         char* sep=(char*)strchr(buf,':');
 423         if (sep) {
 424             *(sep++)=0;
 425             while (*sep==' ')
 426                 *(sep++)=0;
 427             char* white=buf+nmemb-1;
 428             while (isspace(*white))
 429                 *(white--)=0;
 430             ctx->m_response_headers[buf].push_back(sep);
 431         }
 432         free(buf);
 433         return nmemb;
 434     }
 435     return 0;
 436 }
 437
 438 // callback to send data to server
 439 size_t xmltooling::curl_read_hook(void* ptr, size_t size, size_t nmemb, void* stream)
 440 {
 441     // *stream is actually an istream object
 442     istream& buf=*(reinterpret_cast<istream*>(stream));
 443     buf.read(reinterpret_cast<char*>(ptr),size*nmemb);
 444     return buf.gcount();
 445 }
 446
 447 // callback to buffer data from server
 448 size_t xmltooling::curl_write_hook(void* ptr, size_t size, size_t nmemb, void* stream)
 449 {
 450     size_t len = size*nmemb;
 451     reinterpret_cast<stringstream*>(stream)->write(reinterpret_cast<const char*>(ptr),len);
 452     return len;
 453 }
 454
 455 // callback for curl debug data
 456 int xmltooling::curl_debug_hook(CURL* handle, curl_infotype type, char* data, size_t len, void* ptr)
 457 {
 458     // *ptr is actually a logging object
 459     if (!ptr) return 0;
 460     CategoryStream log=reinterpret_cast<Category*>(ptr)->debugStream();
 461     for (char* ch=data; len && (isprint(*ch) || isspace(*ch)); len--)
 462         log << *ch++;
 463     log << CategoryStream::ENDLINE;
 464     return 0;
 465 }
 466
 467 #ifndef XMLTOOLING_NO_XMLSEC
 468 int xmltooling::verify_callback(X509_STORE_CTX* x509_ctx, void* arg)
 469 {
 470     Category::getInstance("OpenSSL").debug("invoking X509 verify callback");
 471 #if (OPENSSL_VERSION_NUMBER >= 0x00907000L)
 472     CURLSOAPTransport* ctx = reinterpret_cast<CURLSOAPTransport*>(arg);
 473 #else
 474     // Yes, this sucks. I'd use TLS, but there's no really obvious spot to put the thread key
 475     // and global variables suck too. We can't access the X509_STORE_CTX depth directly because
 476     // OpenSSL only copies it into the context if it's >=0, and the unsigned pointer may be
 477     // negative in the SSL structure's int member.
 478     CURLSOAPTransport* ctx = reinterpret_cast<CURLSOAPTransport*>(
 479         SSL_get_verify_depth(
 480             reinterpret_cast<SSL*>(X509_STORE_CTX_get_ex_data(x509_ctx,SSL_get_ex_data_X509_STORE_CTX_idx()))
 481             )
 482         );
 483 #endif
 484
 485      // Bypass name check (handled for us by curl).
 486     if (!ctx->m_trustEngine->validate(x509_ctx->cert,x509_ctx->untrusted,ctx->m_peer,false,ctx->m_keyResolver)) {
 487         x509_ctx->error=X509_V_ERR_APPLICATION_VERIFICATION;     // generic error, check log for plugin specifics
 488         ctx->setSecure(false);
 489         return ctx->m_mandatory ? 0 : 1;
 490     }
 491
 492     // Signal success. Hopefully it doesn't matter what's actually in the structure now.
 493     ctx->setSecure(true);
 494     return 1;
 495 }
 496 #endif
 497
 498 // callback to invoke a caller-defined SSL callback
 499 CURLcode xmltooling::xml_ssl_ctx_callback(CURL* curl, SSL_CTX* ssl_ctx, void* userptr)
 500 {
 501     CURLSOAPTransport* conf = reinterpret_cast<CURLSOAPTransport*>(userptr);
 502
 503 #ifndef XMLTOOLING_NO_XMLSEC
 504     if (conf->m_credResolver)
 505         conf->m_credResolver->attach(ssl_ctx);
 506
 507     if (conf->m_trustEngine) {
 508         SSL_CTX_set_verify(ssl_ctx,SSL_VERIFY_PEER,NULL);
 509 #if (OPENSSL_VERSION_NUMBER >= 0x00907000L)
 510         // With 0.9.7, we can pass a callback argument directly.
 511         SSL_CTX_set_cert_verify_callback(ssl_ctx,verify_callback,userptr);
 512 #else
 513         // With 0.9.6, there's no argument, so we're going to use a really embarrassing hack and
 514         // stuff the argument in the depth property where it will get copied to the context object
 515         // that's handed to the callback.
 516         SSL_CTX_set_cert_verify_callback(ssl_ctx,reinterpret_cast<int (*)()>(verify_callback),NULL);
 517         SSL_CTX_set_verify_depth(ssl_ctx,reinterpret_cast<int>(userptr));
 518 #endif
 519     }
 520 #endif
 521
 522     if (!conf->m_ssl_callback(conf, ssl_ctx, conf->m_ssl_userptr))
 523         return CURLE_SSL_CERTPROBLEM;
 524
 525     return CURLE_OK;
 526 }