1 /* $Id$
2 *
3 * Lasso - A free implementation of the Liberty Alliance specifications.
4 *
5 * Copyright (C) 2004-2007 Entr'ouvert
6 * http://lasso.entrouvert.org
7 *
8 * Authors: See AUTHORS file in top-level directory.
9 *
10 * This program is free software; you can redistribute it and/or modify
11 * it under the terms of the GNU General Public License as published by
12 * the Free Software Foundation; either version 2 of the License, or
13 * (at your option) any later version.
14 *
15 * This program is distributed in the hope that it will be useful,
16 * but WITHOUT ANY WARRANTY; without even the implied warranty of
17 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 * GNU General Public License for more details.
19 *
20 * You should have received a copy of the GNU General Public License
21 * along with this program; if not, see <http://www.gnu.org/licenses/>.
22 */
23
24 /**
25 * SECTION:provider
26 * @short_description: Service or identity provider
27 *
28 * <para>The #LassoProvider object holds metadata about a provider. Metadata are sorted into descriptors,
29 * each descriptor being assigned a role. We refer you to <citetitle>Liberty Metadata Description
30 * and Discovery
31 Specification </citetitle> and <citetitle>Metadata for the OASIS Security Assertion Markup Language
32 (SAML) V2.0</citetitle>.</para>
33
34 <para>Roles are represented by the enumeration #LassoProviderRole, you can access descriptors
35 content using lasso_provider_get_metadata_list_for_role() and lasso_provider_get_metadata_by_role().
36 Descriptors resources are flattened inside a simple hashtable. For example to get the URL(s) for the
37 SAML 2.0 single logout response endpoint using binding HTTP-POST of the SP descriptor of a provider
38 called x, you would call:</para>
39
40 <programlisting>
41 GList *urls = lasso_provider_get_metadata_list_for_role(x, LASSO_PROVIDER_ROLE_SP, "SingleLogoutService HTTP-POST ResponseLocation");
42 </programlisting>
43
44 <para>A provider usually possess a default role stored in the #LassoProvider.role field, which is
45 initialized by the lasso_server_add_provider() method when registering a new remote provider to our
46 current provider. The methods lasso_provider_get_metadata() and lasso_provider_get_metadata_list()
47 use this default role to access descriptors.</para>
48
49 **/
50
51 #include "../xml/private.h"
52 #include <libxml/xpath.h>
53 #include <libxml/xpathInternals.h>
54
55 #include <xmlsec/base64.h>
56 #include <xmlsec/errors.h>
57 #include <xmlsec/xmldsig.h>
58 #include <xmlsec/xmltree.h>
59 #include <xmlsec/templates.h>
60
61 #include "provider.h"
62 #include "providerprivate.h"
63
64 #include "../saml-2.0/providerprivate.h"
65 #include <unistd.h>
66 #include "../utils.h"
67 #include "../debug.h"
68 #include "../keyprivate.h"
69
70 static char *protocol_uris[LASSO_MD_PROTOCOL_TYPE_LAST] = {
71 "http://projectliberty.org/profiles/fedterm",
72 "http://projectliberty.org/profiles/nim",
73 "http://projectliberty.org/profiles/rni",
74 "http://projectliberty.org/profiles/slo",
75 NULL /* none for single sign on */
76 };
77 static char *protocol_md_nodename[LASSO_MD_PROTOCOL_TYPE_LAST] = {
78 "FederationTerminationNotificationProtocolProfile",
79 "NameIdentifierMappingProtocolProfile",
80 "RegisterNameIdentifierProtocolProfile",
81 "SingleLogoutProtocolProfile",
82 "SingleSignOnProtocolProfile"
83 };
84 static char *protocol_roles[LASSO_PROVIDER_ROLE_LAST] = {
85 NULL, "idp", "sp",
86 "authn-authority", "pdp", "attribute-authority"
87 };
88 char *protocol_methods[LASSO_HTTP_METHOD_LAST] = {
89 "", "", "", "",
90 "", "-http", "-soap"
91 };
92
93 static gboolean _lasso_provider_load_metadata_from_xmlnode(LassoProvider *provider, xmlNode *node);
94 static int _lasso_provider_get_role_index(LassoProviderRole role);
95 void _lasso_provider_add_metadata_value_for_role(LassoProvider *provider,
96 LassoProviderRole role, const char *name, const char *value);
97 typedef int LassoProviderRoleIndex;
98
99 static int
lasso_provider_try_loading_public_keys(LassoProvider * provider,GList ** public_keys,gboolean mandatory)100 lasso_provider_try_loading_public_keys(LassoProvider *provider, GList **public_keys, gboolean mandatory) {
101 if (provider->public_key || provider->private_data->signing_key_descriptors) {
102 *public_keys = lasso_provider_get_public_keys(provider);
103 if (*public_keys == NULL)
104 return LASSO_DS_ERROR_PUBLIC_KEY_LOAD_FAILED;
105 } else {
106 *public_keys = NULL;
107 }
108 if (*public_keys == NULL && mandatory)
109 return LASSO_PROVIDER_ERROR_MISSING_PUBLIC_KEY;
110 return 0;
111 }
112
113 static int
lasso_provider_try_loading_ca_cert_chain(LassoProvider * provider,xmlSecKeysMngrPtr * keys_mngr)114 lasso_provider_try_loading_ca_cert_chain(LassoProvider *provider, xmlSecKeysMngrPtr *keys_mngr)
115 {
116 if (provider->ca_cert_chain != NULL) {
117 *keys_mngr = lasso_load_certs_from_pem_certs_chain_file(
118 provider->ca_cert_chain);
119 if (*keys_mngr == NULL)
120 return LASSO_DS_ERROR_CA_CERT_CHAIN_LOAD_FAILED;
121 } else {
122 *keys_mngr = NULL;
123 }
124 return 0;
125 }
126
127 /*****************************************************************************/
128 /* public methods */
129 /*****************************************************************************/
130
131 /**
132 * lasso_provider_get_assertion_consumer_service_url:
133 * @provider: a #LassoProvider
134 * @service_id:(allow-none): the AssertionConsumerServiceID, NULL for default
135 *
136 * Extracts the AssertionConsumerServiceURL from the provider metadata
137 * descriptor.
138 *
139 * Return value:(allow-none)(transfer full): the element value, NULL if the element was not found. This
140 * string must be freed by the caller.
141 **/
142 gchar*
lasso_provider_get_assertion_consumer_service_url(LassoProvider * provider,const char * service_id)143 lasso_provider_get_assertion_consumer_service_url(LassoProvider *provider, const char *service_id)
144 {
145 char *name = NULL;
146 char *assertion_consumer_service_url = NULL;
147
148 g_return_val_if_fail(LASSO_IS_PROVIDER(provider), NULL);
149
150 if (provider->private_data->conformance == LASSO_PROTOCOL_SAML_2_0) {
151 long sid = -1;
152 if (service_id != NULL) {
153 if (lasso_string_to_xsd_integer(service_id, &sid)) {
154 if (sid < 0) {
155 sid = -1;
156 }
157 }
158 }
159 return lasso_saml20_provider_get_assertion_consumer_service_url(provider, sid);
160 }
161
162 if (service_id == NULL)
163 service_id = provider->private_data->default_assertion_consumer;
164 name = g_strdup_printf("AssertionConsumerServiceURL %s", service_id);
165 assertion_consumer_service_url = lasso_provider_get_metadata_one_for_role(provider, LASSO_PROVIDER_ROLE_SP, name);
166 lasso_release(name);
167
168 return assertion_consumer_service_url;
169 }
170
171 static LassoProviderRoleIndex
_lasso_provider_get_role_index(LassoProviderRole role)172 _lasso_provider_get_role_index(LassoProviderRole role) {
173 switch (role) {
174 case LASSO_PROVIDER_ROLE_IDP:
175 return 1;
176 case LASSO_PROVIDER_ROLE_SP:
177 return 2;
178 case LASSO_PROVIDER_ROLE_AUTHN_AUTHORITY:
179 return 3;
180 case LASSO_PROVIDER_ROLE_AUTHZ_AUTHORITY:
181 return 4;
182 case LASSO_PROVIDER_ROLE_ATTRIBUTE_AUTHORITY:
183 return 5;
184 default:
185 return 0;
186 }
187 }
188
role_to_prefix(LassoProviderRole role)189 const char *role_to_prefix(LassoProviderRole role) {
190 return protocol_roles[_lasso_provider_get_role_index(role)];
191 }
192
193 void
_lasso_provider_add_metadata_value_for_role(LassoProvider * provider,LassoProviderRole role,const char * name,const char * value)194 _lasso_provider_add_metadata_value_for_role(LassoProvider *provider, LassoProviderRole role, const char *name, const char *value)
195 {
196 GList *l;
197 GHashTable *descriptor;
198 char *symbol;
199 const char *role_prefix;
200
201 g_return_if_fail(LASSO_IS_PROVIDER(provider) && name && value);
202 descriptor = provider->private_data->Descriptors; /* default to SP */
203 g_return_if_fail (descriptor);
204 l = (GList*)lasso_provider_get_metadata_list_for_role(provider, role, name);
205 lasso_list_add_string(l, value);
206 if (! l->next) { /* first element added to this key */
207 role_prefix = role_to_prefix(role);
208 g_return_if_fail(role_prefix);
209 symbol = g_strdup_printf("%s %s", role_prefix, name);
210 g_hash_table_insert(descriptor, symbol, l);
211 }
212 }
213
214 /**
215 * lasso_provider_get_metadata_list_for_role:
216 * @provider: a #LassoProvider
217 * @role: a #LassoProviderRole value
218 * @name: the element name
219 *
220 * Extracts zero to many elements from the @provider descriptor for the given @role.
221 *
222 * Return value:(transfer none)(element-type string): a #GList with the elements. This GList is internally
223 * allocated and points to internally allocated strings. It must
224 * not be freed, modified or stored.
225 **/
226 GList*
lasso_provider_get_metadata_list_for_role(const LassoProvider * provider,LassoProviderRole role,const char * name)227 lasso_provider_get_metadata_list_for_role(const LassoProvider *provider, LassoProviderRole role, const char *name)
228 {
229 GList *l = NULL;
230 GHashTable *descriptor;
231 char *symbol;
232 const char *role_prefix;
233
234 g_return_val_if_fail(LASSO_IS_PROVIDER(provider) && name, NULL);
235 g_return_val_if_fail(_lasso_provider_get_role_index(role), NULL);
236
237 descriptor = provider->private_data->Descriptors; /* default to SP */
238 if (descriptor == NULL)
239 return NULL;
240
241 role_prefix = role_to_prefix(role);
242 g_return_val_if_fail(role_prefix, NULL);
243 symbol = g_strdup_printf("%s %s", role_prefix, name);
244 l = g_hash_table_lookup(descriptor, symbol);
245 lasso_release(symbol);
246
247 return l;
248 }
249
250 /**
251 * lasso_provider_get_metadata_one_for_role:
252 * @provider: a #LassoProvider object
253 * @role: a #LassoProviderRole value
254 * @name: a metadata information name
255 *
256 * Return the given information extracted from the metadata of the given #LassoProvider for the
257 * given @role descriptor.
258 *
259 * Retun value: a newly allocated string or NULL. If non-NULL must be freed by the caller.
260 */
261 char*
lasso_provider_get_metadata_one_for_role(LassoProvider * provider,LassoProviderRole role,const char * name)262 lasso_provider_get_metadata_one_for_role(LassoProvider *provider, LassoProviderRole role, const char *name)
263 {
264 const GList *l;
265
266 l = lasso_provider_get_metadata_list_for_role(provider, role, name);
267
268 if (l)
269 return g_strdup(l->data);
270 return NULL;
271 }
272
273 /**
274 * lasso_provider_get_metadata_one:
275 * @provider: a #LassoProvider
276 * @name: the element name
277 *
278 * Extracts the element @name from the provider metadata descriptor.
279 *
280 * Return value:(transfer full)(allow-none): the element value, NULL if the element was not found.
281 * This string must be freed by the caller.
282 **/
283 gchar*
lasso_provider_get_metadata_one(LassoProvider * provider,const char * name)284 lasso_provider_get_metadata_one(LassoProvider *provider, const char *name)
285 {
286 return lasso_provider_get_metadata_one_for_role(provider, provider->role, name);
287 }
288
289 /**
290 * lasso_provider_get_metadata_list:
291 * @provider: a #LassoProvider
292 * @name: the element name
293 *
294 * Extracts zero to many elements from the provider metadata descriptor.
295 *
296 * Return value:(transfer none)(element-type string): a #GList with the elements. This GList is internally
297 * allocated and points to internally allocated strings. It must
298 * not be freed, modified or stored.
299 **/
300 GList*
lasso_provider_get_metadata_list(LassoProvider * provider,const char * name)301 lasso_provider_get_metadata_list(LassoProvider *provider, const char *name)
302 {
303 return lasso_provider_get_metadata_list_for_role(provider, provider->role, name);
304 }
305
306 /**
307 * lasso_provider_get_first_http_method:
308 * @provider: (transfer none): a #LassoProvider
309 * @remote_provider: a #LassoProvider depicting the remote provider
310 * @protocol_type: a Liberty profile
311 *
312 * Looks up and returns a #LassoHttpMethod appropriate for performing the
313 * @protocol_type between @provider and @remote_provider.
314 *
315 * Return value: the #LassoHttpMethod
316 **/
317 LassoHttpMethod
lasso_provider_get_first_http_method(LassoProvider * provider,LassoProvider * remote_provider,LassoMdProtocolType protocol_type)318 lasso_provider_get_first_http_method(LassoProvider *provider,
319 LassoProvider *remote_provider, LassoMdProtocolType protocol_type)
320 {
321 char *protocol_profile_prefix;
322 const GList *local_supported_profiles;
323 const GList *remote_supported_profiles;
324 const GList *t1, *t2 = NULL;
325 gboolean found;
326 const gchar *role_prefix;
327
328 g_return_val_if_fail(LASSO_IS_PROVIDER(provider), LASSO_HTTP_METHOD_NONE);
329 g_return_val_if_fail(remote_provider != NULL, LASSO_HTTP_METHOD_NONE);
330 if (provider->private_data->conformance == LASSO_PROTOCOL_SAML_2_0) {
331 return lasso_saml20_provider_get_first_http_method(
332 provider, remote_provider, protocol_type);
333 }
334
335 if (remote_provider->role == LASSO_PROVIDER_ROLE_SP)
336 provider->role = LASSO_PROVIDER_ROLE_IDP;
337 if (remote_provider->role == LASSO_PROVIDER_ROLE_IDP)
338 provider->role = LASSO_PROVIDER_ROLE_SP;
339
340 role_prefix = role_to_prefix(provider->role);
341 g_return_val_if_fail(role_prefix, LASSO_HTTP_METHOD_NONE);
342 protocol_profile_prefix = g_strdup_printf("%s-%s",
343 protocol_uris[protocol_type], role_prefix);
344
345 local_supported_profiles = lasso_provider_get_metadata_list(
346 provider, protocol_md_nodename[protocol_type]);
347 remote_supported_profiles = lasso_provider_get_metadata_list(
348 remote_provider, protocol_md_nodename[protocol_type]);
349
350 found = FALSE;
351 t1 = local_supported_profiles;
352 while (t1 && !found) {
353 if (g_str_has_prefix(t1->data, protocol_profile_prefix)) {
354 t2 = remote_supported_profiles;
355 while (t2 && !found) {
356 if (strcmp(t1->data, t2->data) == 0) {
357 found = TRUE;
358 break; /* avoid the g_list_next */
359 }
360 t2 = g_list_next(t2);
361 }
362 }
363 t1 = g_list_next(t1);
364 }
365 lasso_release(protocol_profile_prefix);
366
367 if (found) {
368 if (g_str_has_suffix(t2->data, "http"))
369 return LASSO_HTTP_METHOD_REDIRECT;
370 if (g_str_has_suffix(t2->data, "soap"))
371 return LASSO_HTTP_METHOD_SOAP;
372 g_assert_not_reached();
373 }
374
375 return LASSO_HTTP_METHOD_NONE;
376 }
377
378 /**
379 * lasso_provider_accept_http_method:
380 * @provider: a #LassoProvider
381 * @remote_provider: a #LassoProvider depicting the remote provider
382 * @protocol_type: a Liberty profile type
383 * @http_method: an HTTP method
384 * @initiate_profile: whether @provider initiates the profile
385 *
386 * Gets if @http_method is an appropriate method for the @protocol_type profile
387 * between @provider and @remote_provider.
388 *
389 * Return value: %TRUE if it is appropriate
390 **/
391 gboolean
lasso_provider_accept_http_method(LassoProvider * provider,LassoProvider * remote_provider,LassoMdProtocolType protocol_type,LassoHttpMethod http_method,gboolean initiate_profile)392 lasso_provider_accept_http_method(LassoProvider *provider, LassoProvider *remote_provider,
393 LassoMdProtocolType protocol_type, LassoHttpMethod http_method,
394 gboolean initiate_profile)
395 {
396 LassoProviderRole initiating_role;
397 char *protocol_profile;
398 const gchar *role_prefix;
399
400 g_return_val_if_fail(LASSO_IS_PROVIDER(provider), FALSE); /* Be conservative */
401 if (provider->private_data->conformance == LASSO_PROTOCOL_SAML_2_0) {
402 return lasso_saml20_provider_accept_http_method(
403 provider, remote_provider, protocol_type,
404 http_method, initiate_profile);
405 }
406
407 initiating_role = remote_provider->role;
408 if (remote_provider->role == LASSO_PROVIDER_ROLE_SP) {
409 provider->role = LASSO_PROVIDER_ROLE_IDP;
410 }
411 if (remote_provider->role == LASSO_PROVIDER_ROLE_IDP) {
412 provider->role = LASSO_PROVIDER_ROLE_SP;
413 }
414 if (initiate_profile)
415 initiating_role = provider->role;
416
417 role_prefix = role_to_prefix(initiating_role);
418 g_return_val_if_fail(role_prefix, FALSE);
419 protocol_profile = g_strdup_printf("%s-%s%s",
420 protocol_uris[protocol_type],
421 role_prefix,
422 protocol_methods[http_method+1]);
423
424 if (lasso_provider_has_protocol_profile(provider,
425 protocol_type, protocol_profile) == FALSE) {
426 lasso_release(protocol_profile);
427 return FALSE;
428 }
429
430 if (lasso_provider_has_protocol_profile(remote_provider,
431 protocol_type, protocol_profile) == FALSE) {
432 lasso_release(protocol_profile);
433 return FALSE;
434 }
435
436 lasso_release(protocol_profile);
437
438 return TRUE;
439 }
440
441 /**
442 * lasso_provider_has_protocol_profile:
443 * @provider: a #LassoProvider
444 * @protocol_type: a Liberty profile type
445 * @protocol_profile: a fully-qualified Liberty profile
446 *
447 * Gets if @provider supports @protocol_profile.
448 *
449 * Return value: %TRUE if it is supported
450 **/
451 gboolean
lasso_provider_has_protocol_profile(LassoProvider * provider,LassoMdProtocolType protocol_type,const char * protocol_profile)452 lasso_provider_has_protocol_profile(LassoProvider *provider,
453 LassoMdProtocolType protocol_type, const char *protocol_profile)
454 {
455 const GList *supported;
456
457 g_return_val_if_fail(LASSO_IS_PROVIDER(provider), FALSE); /* Be conservative */
458 supported = lasso_provider_get_metadata_list(
459 provider, protocol_md_nodename[protocol_type]);
460
461 if (g_list_find_custom((GList*)supported, protocol_profile, (GCompareFunc)strcmp) == NULL)
462 return FALSE;
463 return TRUE;
464 }
465
466 /**
467 * lasso_provider_get_base64_succinct_id:
468 * @provider: a #LassoProvider
469 *
470 * Computes and returns the base64-encoded provider succinct ID.
471 *
472 * Return value:(transfer full)(allow-none): the provider succinct ID. This string must be freed by the
473 * caller.
474 **/
475 char*
lasso_provider_get_base64_succinct_id(const LassoProvider * provider)476 lasso_provider_get_base64_succinct_id(const LassoProvider *provider)
477 {
478 char *succinct_id, *base64_succinct_id, *ret;
479
480 g_return_val_if_fail(LASSO_IS_PROVIDER(provider), NULL);
481 succinct_id = lasso_sha1(provider->ProviderID);
482 base64_succinct_id = (char*)xmlSecBase64Encode((xmlChar*)succinct_id, 20, 0);
483 xmlFree(succinct_id);
484 ret = g_strdup(base64_succinct_id);
485 xmlFree(base64_succinct_id);
486 return ret;
487 }
488
489 /**
490 * lasso_provider_get_organization
491 * @provider: a #LassoProvider
492 *
493 * Returns the provider metadata <Organization> XML node.
494 *
495 * Return value:(transfer full)(allow-none): the <Organization/> node (libxml2 xmlNode*); or NULL if it is
496 * not found. This xmlnode must be freed by the caller.
497 **/
498 xmlNode*
lasso_provider_get_organization(const LassoProvider * provider)499 lasso_provider_get_organization(const LassoProvider *provider)
500 {
501 g_return_val_if_fail(LASSO_IS_PROVIDER(provider), NULL);
502 if (provider->private_data->organization) {
503 return xmlCopyNode(provider->private_data->organization, 1);
504 } else {
505 return NULL;
506 }
507 }
508
509
510 /*****************************************************************************/
511 /* private methods */
512 /*****************************************************************************/
513
514 static struct XmlSnippet schema_snippets[] = {
515 { "PublicKeyFilePath", SNIPPET_CONTENT, G_STRUCT_OFFSET(LassoProvider, public_key), NULL, NULL, NULL},
516 { "CaCertChainFilePath", SNIPPET_CONTENT, G_STRUCT_OFFSET(LassoProvider, ca_cert_chain), NULL, NULL, NULL},
517 { "MetadataFilePath", SNIPPET_CONTENT, G_STRUCT_OFFSET(LassoProvider, metadata_filename), NULL, NULL, NULL},
518 { "ProviderID", SNIPPET_ATTRIBUTE, G_STRUCT_OFFSET(LassoProvider, ProviderID), NULL, NULL, NULL},
519 { "ProviderRole", SNIPPET_ATTRIBUTE, 0, NULL, NULL, NULL},
520 { "EncryptionMode", SNIPPET_ATTRIBUTE, 0, NULL, NULL, NULL},
521 { "ProviderDumpVersion", SNIPPET_ATTRIBUTE, 0, NULL, NULL, NULL},
522 {NULL, 0, 0, NULL, NULL, NULL}
523 };
524
525 static LassoNodeClass *parent_class = NULL;
526
527 /**
528 * lasso_provider_get_public_keys:
529 * @provider: a #LassoProvider object
530 *
531 * Return the public keys associated with this provider.
532 *
533 * Return value: an #xmlSecKey object.
534 */
535 GList*
lasso_provider_get_public_keys(const LassoProvider * provider)536 lasso_provider_get_public_keys(const LassoProvider *provider)
537 {
538 g_return_val_if_fail(LASSO_IS_PROVIDER(provider), NULL);
539 return provider->private_data->signing_public_keys;
540 }
541
542 /**
543 * lasso_provider_get_encryption_public_key:
544 * @provider: a #LassoProvider object.
545 *
546 * Return the #xmlSecKey public key to use for encrypting content target at @provider.
547 *
548 * Return value:(transfer none)(allow-none): an #xmlSecKey object, or NULL if no key is known or @provider is not a
549 * #LassoProvider.
550 */
551 xmlSecKey*
lasso_provider_get_encryption_public_key(const LassoProvider * provider)552 lasso_provider_get_encryption_public_key(const LassoProvider *provider)
553 {
554 g_return_val_if_fail(LASSO_IS_PROVIDER(provider), NULL);
555 GList *keys;
556
557 keys = provider->private_data->encryption_public_keys;
558 /* encrypt using the first given key, multiple encryption key in the metadata is generally
559 * useless. roll-over of the encryption key is done mainly at the receiving side, by trying
560 * to decipher using the two private keys, the old and the new. */
561 if (keys && keys->data) {
562 return (xmlSecKey*)keys->data;
563 }
564 return NULL;
565 }
566
567 static void
_lasso_provider_load_endpoint_type(LassoProvider * provider,xmlNode * endpoint,LassoProviderRole role)568 _lasso_provider_load_endpoint_type(LassoProvider *provider, xmlNode *endpoint,
569 LassoProviderRole role)
570 {
571 char *name = (char*)endpoint->name;
572 xmlChar *value = NULL;
573
574 if (strcmp(name, "AssertionConsumerServiceURL") == 0) {
575 char *isDefault = (char*)xmlGetProp(endpoint, (xmlChar*)"isDefault");
576 char *id = (char*)xmlGetProp(endpoint, (xmlChar*)"id");
577 name = g_strdup_printf("%s %s", name, id);
578 if (isDefault) {
579 if (strcmp(isDefault, "true") == 0 || strcmp(isDefault, "1") == 0)
580 lasso_assign_string(provider->private_data->default_assertion_consumer,
581 id);
582 xmlFree(isDefault);
583 }
584 xmlFree(id);
585 } else {
586 name = g_strdup_printf("%s", (char*)name);
587 }
588 value = xmlNodeGetContent(endpoint);
589 _lasso_provider_add_metadata_value_for_role(provider, role, name, (char*)value);
590 lasso_release_string(name);
591 xmlFree(value);
592 }
593
594 static void
_lasso_provider_load_descriptor(LassoProvider * provider,xmlNode * xmlnode,LassoProviderRole role)595 _lasso_provider_load_descriptor(LassoProvider *provider, xmlNode *xmlnode, LassoProviderRole role)
596 {
597 xmlNode *t;
598
599 t = xmlSecGetNextElementNode(xmlnode->children);
600 while (t) {
601 if (xmlSecCheckNodeName(t,
602 BAD_CAST "KeyDescriptor",
603 BAD_CAST LASSO_METADATA_HREF)) {
604 _lasso_provider_load_key_descriptor(provider, t);
605 } else {
606 _lasso_provider_load_endpoint_type(provider, t, role);
607 }
608 t = xmlSecGetNextElementNode(t->next);
609 }
610 }
611
612 static xmlNode*
get_xmlNode(LassoNode * node,gboolean lasso_dump)613 get_xmlNode(LassoNode *node, gboolean lasso_dump)
614 {
615 xmlNode *xmlnode;
616 LassoProvider *provider = LASSO_PROVIDER(node);
617 char *roles[LASSO_PROVIDER_ROLE_LAST] = {
618 "None",
619 "SP",
620 "IdP",
621 "AuthnAuthority",
622 "PDP",
623 "AttributeAuthority"
624 };
625 char *encryption_mode[] = {
626 "None",
627 "NameId",
628 "Assertion",
629 "Both"
630 };
631
632 xmlnode = parent_class->get_xmlNode(node, lasso_dump);
633
634 /* Save provider role */
635 xmlSetProp(xmlnode, (xmlChar*)"ProviderDumpVersion", (xmlChar*)"2");
636 if (provider->role) {
637 xmlSetProp(xmlnode, (xmlChar*)"ProviderRole", (xmlChar*)roles[provider->role]);
638 }
639
640 /* Save encryption mode */
641 xmlSetProp(xmlnode, (xmlChar*)"EncryptionMode",
642 (xmlChar*)encryption_mode[provider->private_data->encryption_mode]);
643
644 return xmlnode;
645 }
646
647 void
_lasso_provider_load_key_descriptor(LassoProvider * provider,xmlNode * key_descriptor)648 _lasso_provider_load_key_descriptor(LassoProvider *provider, xmlNode *key_descriptor)
649 {
650 LassoProviderPrivate *private_data;
651 xmlChar *use;
652
653 g_return_if_fail(LASSO_IS_PROVIDER(provider));
654 g_return_if_fail(provider->private_data);
655
656 private_data = provider->private_data;
657 use = xmlGetProp(key_descriptor, (xmlChar*)"use");
658 if (use == NULL || lasso_strisequal((char *)use,"signing")) {
659 lasso_list_add_xml_node(private_data->signing_key_descriptors,
660 key_descriptor);
661 }
662 if (use == NULL || strcmp((char*)use, "encryption") == 0) {
663 lasso_assign_xml_node(private_data->encryption_key_descriptor, key_descriptor);
664 }
665 lasso_release_xml_string(use);
666 }
667
668
669 static int
init_from_xml(LassoNode * node,xmlNode * xmlnode)670 init_from_xml(LassoNode *node, xmlNode *xmlnode)
671 {
672 LassoProvider *provider = LASSO_PROVIDER(node);
673 static char * const roles[LASSO_PROVIDER_ROLE_LAST] = {
674 "None",
675 "SP",
676 "IdP",
677 "AuthnAuthority",
678 "PDP",
679 "AttributeAuthority"
680 };
681 xmlChar *s;
682 int i;
683 int rc = 0;
684
685 parent_class->init_from_xml(node, xmlnode);
686
687 if (xmlnode == NULL) {
688 return LASSO_XML_ERROR_OBJECT_CONSTRUCTION_FAILED;
689 }
690
691 /* Load provider role */
692 s = xmlGetProp(xmlnode, (xmlChar*)"ProviderRole");
693 provider->role = LASSO_PROVIDER_ROLE_NONE;
694 if (s) {
695 i = LASSO_PROVIDER_ROLE_NONE;
696 while (i < LASSO_PROVIDER_ROLE_LAST) {
697 if (strcmp((char*)s, roles[i]) == 0) {
698 provider->role = i;
699 break;
700 }
701 i++;
702 }
703 lasso_release_xml_string(s);
704 }
705
706 /* Load encryption mode */
707 s = xmlGetProp(xmlnode, (xmlChar*)"EncryptionMode");
708 if (s != NULL && strcmp((char*)s, "NameId") == 0) {
709 provider->private_data->encryption_mode = LASSO_ENCRYPTION_MODE_NAMEID;
710 } else if (s != NULL && strcmp((char*)s, "Assertion") == 0) {
711 provider->private_data->encryption_mode = LASSO_ENCRYPTION_MODE_ASSERTION;
712 } else if (s != NULL && strcmp((char*)s, "Both") == 0) {
713 provider->private_data->encryption_mode =
714 LASSO_ENCRYPTION_MODE_NAMEID | LASSO_ENCRYPTION_MODE_ASSERTION;
715 }
716 if (s != NULL) {
717 xmlFree(s);
718 }
719
720 /* Load metadata */
721 if (provider->metadata_filename) {
722 if (! lasso_provider_load_metadata(provider, provider->metadata_filename)) {
723 if (! lasso_provider_load_metadata_from_buffer(provider, provider->metadata_filename)) {
724 message(G_LOG_LEVEL_WARNING, "Metadata unrecoverable from dump");
725 return 1;
726 }
727 }
728 }
729
730 /* Load signing and encryption public keys */
731 if (!lasso_provider_load_public_key(provider, LASSO_PUBLIC_KEY_SIGNING)) {
732 message(G_LOG_LEVEL_WARNING, "Could not load public signing key of %s",
733 provider->ProviderID);
734 rc = 1;
735 }
736 if (!lasso_provider_load_public_key(provider, LASSO_PUBLIC_KEY_ENCRYPTION)) {
737 message(G_LOG_LEVEL_WARNING, "Could not load public encryption key of %s",
738 provider->ProviderID);
739 rc = 1;
740 }
741
742 return rc;
743 }
744
745 static void*
_lasso_provider_get_pdata_thing(LassoProvider * provider,ptrdiff_t offset)746 _lasso_provider_get_pdata_thing(LassoProvider *provider, ptrdiff_t offset)
747 {
748 LassoProviderPrivate *pdata;
749
750 lasso_return_val_if_fail(LASSO_IS_PROVIDER(provider), NULL);
751 pdata = provider->private_data;
752 if (pdata)
753 return G_STRUCT_MEMBER_P(pdata, offset);
754
755 return NULL;
756 }
757
758 /**
759 * lasso_provider_get_idp_supported_attributes:
760 * @provider: a #LassoProvider object
761 *
762 * If the provider supports the IDP SSO role, then return the list of Attribute definition that this
763 * provider declared supporting.
764 *
765 * Return value:(transfer none)(element-type LassoNode): a list of #LassoSaml2Attribute or #LassoSamlAttribute
766 */
767 GList*
lasso_provider_get_idp_supported_attributes(LassoProvider * provider)768 lasso_provider_get_idp_supported_attributes(LassoProvider *provider)
769 {
770 return _lasso_provider_get_pdata_thing(provider, G_STRUCT_OFFSET(LassoProviderPrivate,
771 attributes));
772 }
773
774 /**
775 * lasso_provider_get_valid_until:
776 * @provider: a #LassoProvider object
777 *
778 * Return the time after which the metadata for this provider will become invalid. This is an
779 * ISO-8601 formatted string.
780 *
781 * Return value:(transfer none): an internally allocated string, you can copy it but not store it.
782 */
783 char*
lasso_provider_get_valid_until(LassoProvider * provider)784 lasso_provider_get_valid_until(LassoProvider *provider)
785 {
786 return _lasso_provider_get_pdata_thing(provider,
787 G_STRUCT_OFFSET(LassoProviderPrivate, valid_until));
788 }
789
790 /**
791 * lasso_provider_get_cache_duration:
792 * @provider: a #LassoProvider object
793 *
794 * Return the time during which the metadata for this provider can be kept.
795 *
796 * Return value:(transfer none): an internally allocated string, you can copy it but not store it.
797 */
798 char*
lasso_provider_get_cache_duration(LassoProvider * provider)799 lasso_provider_get_cache_duration(LassoProvider *provider)
800 {
801 return _lasso_provider_get_pdata_thing(provider,
802 G_STRUCT_OFFSET(LassoProviderPrivate, cache_duration));
803 }
804
805
806 /*****************************************************************************/
807 /* overridden parent class methods */
808 /*****************************************************************************/
809
810 static void
free_list_strings(GList * list)811 free_list_strings(GList *list)
812 {
813 lasso_release_list_of_strings(list);
814 }
815
816 static void
lasso_endpoint_free(EndpointType * endpoint_type)817 lasso_endpoint_free(EndpointType *endpoint_type) {
818 g_free(endpoint_type->binding);
819 g_free(endpoint_type->url);
820 g_free(endpoint_type->kind);
821 g_free(endpoint_type->return_url);
822 g_free(endpoint_type);
823 }
824
825
826 static void
dispose(GObject * object)827 dispose(GObject *object)
828 {
829 LassoProvider *provider = LASSO_PROVIDER(object);
830
831 if (provider->private_data->dispose_has_run) {
832 return;
833 }
834 provider->private_data->dispose_has_run = TRUE;
835
836 lasso_release_ghashtable(provider->private_data->Descriptors);
837
838 if (provider->private_data->organization) {
839 xmlFreeNode(provider->private_data->organization);
840 provider->private_data->organization = NULL;
841 }
842
843 if (provider->private_data->default_assertion_consumer) {
844 lasso_release(provider->private_data->default_assertion_consumer);
845 provider->private_data->default_assertion_consumer = NULL;
846 }
847
848 if (provider->private_data->signing_public_keys) {
849 lasso_release_list_of_sec_key(provider->private_data->signing_public_keys);
850 }
851
852 if (provider->private_data->signing_key_descriptors) {
853 lasso_release_list_of_xml_node(provider->private_data->signing_key_descriptors);
854 }
855
856 if (provider->private_data->encryption_key_descriptor) {
857 xmlFreeNode(provider->private_data->encryption_key_descriptor);
858 provider->private_data->encryption_key_descriptor = NULL;
859 }
860
861 if (provider->private_data->encryption_public_key_str) {
862 lasso_release(provider->private_data->encryption_public_key_str);
863 provider->private_data->encryption_public_key_str = NULL;
864 }
865
866 lasso_release_list_of_sec_key(provider->private_data->encryption_public_keys);
867
868 lasso_release(provider->private_data->affiliation_id);
869 provider->private_data->affiliation_id = NULL;
870 lasso_release(provider->private_data->affiliation_owner_id);
871 provider->private_data->affiliation_owner_id = NULL;
872 lasso_release_list_of_full(provider->private_data->endpoints, lasso_endpoint_free);
873
874 lasso_assign_new_signature_context(provider->private_data->signature_context,
875 LASSO_SIGNATURE_CONTEXT_NONE);
876
877 G_OBJECT_CLASS(parent_class)->dispose(G_OBJECT(provider));
878 }
879
880 /*****************************************************************************/
881 /* instance and class init functions */
882 /*****************************************************************************/
883
884 static void
instance_init(LassoProvider * provider)885 instance_init(LassoProvider *provider)
886 {
887 provider->role = LASSO_PROVIDER_ROLE_NONE;
888 provider->ProviderID = NULL;
889 provider->metadata_filename = NULL;
890 provider->public_key = NULL;
891 provider->ca_cert_chain = NULL;
892 provider->private_data = G_TYPE_INSTANCE_GET_PRIVATE(provider, LASSO_TYPE_PROVIDER,
893 LassoProviderPrivate);
894 provider->private_data->dispose_has_run = FALSE;
895 provider->private_data->default_assertion_consumer = NULL;
896 provider->private_data->affiliation_id = NULL;
897 provider->private_data->affiliation_owner_id = NULL;
898 provider->private_data->organization = NULL;
899 provider->private_data->signing_public_keys = NULL;
900 provider->private_data->signing_key_descriptors = NULL;
901 provider->private_data->encryption_key_descriptor = NULL;
902 provider->private_data->encryption_public_key_str = NULL;
903 provider->private_data->encryption_public_keys = NULL;
904 provider->private_data->encryption_mode = LASSO_ENCRYPTION_MODE_NONE;
905 provider->private_data->encryption_sym_key_type = LASSO_ENCRYPTION_SYM_KEY_TYPE_AES_128;
906 provider->private_data->signature_context = LASSO_SIGNATURE_CONTEXT_NONE;
907
908 /* no value_destroy_func since it shouldn't destroy the GList on insert */
909 provider->private_data->Descriptors = g_hash_table_new_full(
910 g_str_hash, g_str_equal, g_free, (GFreeFunc)free_list_strings);
911 provider->private_data->attributes = NULL;
912 }
913
914 static void
class_init(LassoProviderClass * klass,void * unused G_GNUC_UNUSED)915 class_init(LassoProviderClass *klass, void *unused G_GNUC_UNUSED)
916 {
917 LassoNodeClass *nclass = LASSO_NODE_CLASS(klass);
918
919 parent_class = g_type_class_peek_parent(klass);
920 nclass->node_data = g_new0(LassoNodeClassData, 1);
921 lasso_node_class_set_nodename(nclass, "Provider");
922 lasso_node_class_set_ns(nclass, LASSO_LASSO_HREF, LASSO_LASSO_PREFIX);
923 lasso_node_class_add_snippets(nclass, schema_snippets);
924 nclass->get_xmlNode = get_xmlNode;
925 nclass->init_from_xml = init_from_xml;
926
927 G_OBJECT_CLASS(klass)->dispose = dispose;
928 g_type_class_add_private(G_OBJECT_CLASS(klass), sizeof(LassoProviderPrivate));
929 }
930
931 GType
lasso_provider_get_type()932 lasso_provider_get_type()
933 {
934 static GType this_type = 0;
935
936 if (!this_type) {
937 static const GTypeInfo this_info = {
938 sizeof (LassoProviderClass),
939 NULL,
940 NULL,
941 (GClassInitFunc) class_init,
942 NULL,
943 NULL,
944 sizeof(LassoProvider),
945 0,
946 (GInstanceInitFunc) instance_init,
947 NULL
948 };
949
950 this_type = g_type_register_static(LASSO_TYPE_NODE,
951 "LassoProvider", &this_info, 0);
952 }
953 return this_type;
954 }
955
956 /**
957 * lasso_provider_get_protocol_conformance:
958 * @provider: a #LassoProvider object
959 *
960 * Return the protocol conformance of the given provider, it should allow to switch behaviour of SP
961 * and IdP code toward a specific protocol. See also #LassoProtocolConformance.
962 *
963 * Return value: a value in the #LassoProtocolConformance enumeration.
964 */
965 LassoProtocolConformance
lasso_provider_get_protocol_conformance(const LassoProvider * provider)966 lasso_provider_get_protocol_conformance(const LassoProvider *provider)
967 {
968 g_return_val_if_fail(LASSO_IS_PROVIDER(provider), LASSO_PROTOCOL_NONE);
969 return provider->private_data->conformance;
970 }
971
972 /**
973 * lasso_provider_set_protocol_conformance:
974 * @provider: a #LassoProvider object
975 * @protocol_conformance: #LassoProtocolConformance enumerated value.
976 *
977 * Normally the protocol conformance is set when the metadata for the
978 * provider is loaded because the metadata defines the type of
979 * server. However some #LassoServer variants do not have metadata
980 * (e.g. ECP) therefore instead of loading the metadata it is
981 * necessary to explicitly set the protocol conformance because parts
982 * of the Lasso library dispatch based on the protocol conformance.
983 * Without the protocol conformance being set it is likely the wrong
984 * code will execute.
985 *
986 * **WARNING**, do not manually set the protocol conformance if
987 * metadata has been loaded, metadata is the final arbiter of protocol
988 * conformance.
989 *
990 * Return value: 0 on success; another value if an error occured.
991 **/
992 void
lasso_provider_set_protocol_conformance(LassoProvider * provider,LassoProtocolConformance protocol_conformance)993 lasso_provider_set_protocol_conformance(LassoProvider *provider, LassoProtocolConformance protocol_conformance)
994 {
995 provider->private_data->conformance = protocol_conformance;
996 }
997
998 gboolean
_lasso_provider_load_metadata_from_buffer(LassoProvider * provider,const gchar * metadata,int length)999 _lasso_provider_load_metadata_from_buffer(LassoProvider *provider, const gchar *metadata, int length)
1000 {
1001 xmlDoc *doc;
1002 xmlNode *node;
1003 gboolean rc = TRUE;
1004
1005 lasso_return_val_if_fail(LASSO_IS_PROVIDER(provider), FALSE);
1006 if (length == -1) {
1007 length = strlen(metadata);
1008 }
1009 doc = lasso_xml_parse_memory(metadata, length);
1010 if (doc == NULL) {
1011 return FALSE;
1012 }
1013 node = xmlDocGetRootElement(doc);
1014 goto_cleanup_if_fail_with_rc (_lasso_provider_load_metadata_from_xmlnode(provider, node), FALSE);
1015 lasso_assign_string(provider->metadata_filename, metadata);
1016 cleanup:
1017 lasso_release_doc(doc);
1018 return rc;
1019 }
1020
1021 /**
1022 * lasso_provider_load_metadata_from_buffer:
1023 * @provider: a #LassProvider object
1024 * @metadata: a char* string containing a metadata XML file.
1025 *
1026 * Load metadata into this provider object using the given string buffer.
1027 *
1028 * Return value: TRUE if successfull, FALSE otherwise.
1029 **/
1030 gboolean
lasso_provider_load_metadata_from_buffer(LassoProvider * provider,const gchar * metadata)1031 lasso_provider_load_metadata_from_buffer(LassoProvider *provider, const gchar *metadata)
1032 {
1033 return _lasso_provider_load_metadata_from_buffer(provider, metadata, -1);
1034 }
1035
1036 /**
1037 * lasso_provider_load_metadata:
1038 * @provider: a #LassProvider object
1039 * @path: the path to a SAML 2.0 of ID-FF 1.2 metadata file.
1040 *
1041 * Load metadata into this provider object by reading them from the given file.
1042 *
1043 * Return value: TRUE if successfull, FALSE otherwise.
1044 **/
1045 gboolean
lasso_provider_load_metadata(LassoProvider * provider,const gchar * path)1046 lasso_provider_load_metadata(LassoProvider *provider, const gchar *path)
1047 {
1048 char *file_content;
1049 size_t file_length;
1050
1051 if (g_file_get_contents(path, &file_content, &file_length, NULL)) {
1052 gboolean ret;
1053 ret = _lasso_provider_load_metadata_from_buffer(provider, file_content, file_length);
1054 lasso_release(file_content);
1055 return ret;
1056 }
1057 return FALSE;
1058 }
1059
1060 static gboolean
_lasso_provider_load_metadata_from_xmlnode(LassoProvider * provider,xmlNode * node)1061 _lasso_provider_load_metadata_from_xmlnode(LassoProvider *provider, xmlNode *node)
1062 {
1063 xmlDoc *doc = NULL;
1064 xmlXPathContext *xpathCtx;
1065 xmlXPathObject *xpathObj;
1066 const char *xpath_idp = "/md:EntityDescriptor/md:IDPDescriptor";
1067 const char *xpath_sp = "/md:EntityDescriptor/md:SPDescriptor";
1068 const char *xpath_organization = "/md:EntityDescriptor/md:Organization";
1069 xmlChar *providerID = NULL;
1070
1071 g_return_val_if_fail(LASSO_IS_PROVIDER(provider), FALSE);
1072 g_return_val_if_fail(node != NULL && node->ns != NULL, FALSE);
1073 g_return_val_if_fail (node->doc != NULL, FALSE);
1074
1075 /* In the future it could be necessary to handle node without a document, and to create one
1076 * to hold them. */
1077 doc = node->doc;
1078
1079 if (strcmp((char*)node->ns->href, LASSO_SAML2_METADATA_HREF) == 0) {
1080 gboolean result;
1081 provider->private_data->conformance = LASSO_PROTOCOL_SAML_2_0;
1082 result = lasso_saml20_provider_load_metadata(provider, node);
1083 return result;
1084 }
1085
1086 provider->private_data->conformance = LASSO_PROTOCOL_LIBERTY_1_2;
1087
1088 xpathCtx = xmlXPathNewContext(doc);
1089 xmlXPathRegisterNs(xpathCtx, (xmlChar*)"md", (xmlChar*)LASSO_METADATA_HREF);
1090 xpathObj = xmlXPathEvalExpression((xmlChar*)"/md:EntityDescriptor", xpathCtx);
1091 /* if empty: not a ID-FF 1.2 metadata file -> bails out */
1092 if (xpathObj->nodesetval == NULL || xpathObj->nodesetval->nodeNr == 0) {
1093 xmlXPathFreeObject(xpathObj);
1094 xmlXPathRegisterNs(xpathCtx, (xmlChar*)"md11",
1095 (xmlChar*)"http://projectliberty.org/schemas/core/2002/12");
1096 xpathObj = xmlXPathEvalExpression(
1097 (xmlChar*)"/md11:SPDescriptor|/md11:IDPDescriptor", xpathCtx);
1098 if (xpathObj->nodesetval == NULL || xpathObj->nodesetval->nodeNr == 0) {
1099 message (G_LOG_LEVEL_CRITICAL, "lasso_saml20_provider_load_metadata_from_xmlnode: no md12:EntityDescriptor or md11:SPDesriptor or md11:IDPDescriptor");
1100 xmlXPathFreeObject(xpathObj);
1101 xmlXPathFreeContext(xpathCtx);
1102 return FALSE;
1103 }
1104 provider->private_data->conformance = LASSO_PROTOCOL_LIBERTY_1_1;
1105 xpath_idp = "/md11:IDPDescriptor";
1106 xpath_sp = "/md11:SPDescriptor";
1107 }
1108 node = xpathObj->nodesetval->nodeTab[0];
1109 providerID = xmlGetProp(node, (xmlChar*)"providerID");
1110 lasso_assign_string(provider->ProviderID, (char*)providerID);
1111 lasso_release_xml_string(providerID);
1112 xmlXPathFreeObject(xpathObj);
1113
1114 xpathObj = xmlXPathEvalExpression((xmlChar*)xpath_idp, xpathCtx);
1115 if (xpathObj && xpathObj->nodesetval && xpathObj->nodesetval->nodeNr == 1) {
1116 _lasso_provider_load_descriptor(provider, xpathObj->nodesetval->nodeTab[0],
1117 LASSO_PROVIDER_ROLE_IDP);
1118 if (provider->private_data->conformance < LASSO_PROTOCOL_LIBERTY_1_2) {
1119 /* lookup ProviderID */
1120 node = xpathObj->nodesetval->nodeTab[0]->children;
1121 while (node) {
1122 if (strcmp((char*)node->name, "ProviderID") == 0) {
1123 providerID = xmlNodeGetContent(node);
1124 lasso_assign_string(provider->ProviderID, (char*)providerID);
1125 lasso_release_xml_string(providerID);
1126 break;
1127 }
1128 node = node->next;
1129 }
1130 }
1131 }
1132 xmlXPathFreeObject(xpathObj);
1133
1134 xpathObj = xmlXPathEvalExpression((xmlChar*)xpath_sp, xpathCtx);
1135 if (xpathObj && xpathObj->nodesetval && xpathObj->nodesetval->nodeNr == 1) {
1136 _lasso_provider_load_descriptor(provider, xpathObj->nodesetval->nodeTab[0],
1137 LASSO_PROVIDER_ROLE_SP);
1138 if (provider->private_data->conformance < LASSO_PROTOCOL_LIBERTY_1_2) {
1139 /* lookup ProviderID */
1140 node = xpathObj->nodesetval->nodeTab[0]->children;
1141 while (node) {
1142 if (strcmp((char*)node->name, "ProviderID") == 0) {
1143 providerID = xmlNodeGetContent(node);
1144 lasso_assign_string(provider->ProviderID, (char*)providerID);
1145 lasso_release_xml_string(providerID);
1146 break;
1147 }
1148 node = node->next;
1149 }
1150 }
1151 }
1152 xmlXPathFreeObject(xpathObj);
1153
1154 xpathObj = xmlXPathEvalExpression((xmlChar*)xpath_organization, xpathCtx);
1155 if (xpathObj && xpathObj->nodesetval && xpathObj->nodesetval->nodeNr == 1) {
1156 lasso_assign_xml_node(provider->private_data->organization,
1157 xpathObj->nodesetval->nodeTab[0]);
1158 }
1159 xmlXPathFreeObject(xpathObj);
1160
1161 xmlXPathFreeContext(xpathCtx);
1162
1163 return TRUE;
1164 }
1165
1166 /**
1167 * lasso_provider_new_helper:
1168 *
1169 * Helper function for the two other constructors, lasso_provider_new and lasso_provider_new_from_buffer.
1170 * Help to factorize common code.
1171 */
1172 static LassoProvider*
_lasso_provider_new_helper(LassoProviderRole role,const char * metadata,const char * public_key,const char * ca_cert_chain,gboolean (* loader)(LassoProvider * provider,const gchar * metadata))1173 _lasso_provider_new_helper(LassoProviderRole role, const char *metadata,
1174 const char *public_key, const char *ca_cert_chain, gboolean (*loader)(
1175 LassoProvider *provider, const gchar *metadata))
1176 {
1177 LassoProvider *provider = NULL, *ret = NULL;
1178
1179 provider = (LassoProvider*)g_object_new(LASSO_TYPE_PROVIDER, NULL);
1180 provider->role = role;
1181 if (loader(provider, metadata) == FALSE) {
1182 if (loader == lasso_provider_load_metadata) {
1183 message(G_LOG_LEVEL_WARNING, "Cannot load metadata from %s", metadata);
1184 }
1185 goto cleanup;
1186 }
1187
1188 lasso_assign_string(provider->public_key, public_key);
1189 lasso_assign_string(provider->ca_cert_chain, ca_cert_chain);
1190 if (!lasso_provider_load_public_key(provider, LASSO_PUBLIC_KEY_SIGNING)) {
1191 message(G_LOG_LEVEL_WARNING, "Could not load public signing key of %s",
1192 provider->ProviderID);
1193 goto cleanup;
1194 }
1195 if (!lasso_provider_load_public_key(provider, LASSO_PUBLIC_KEY_ENCRYPTION)) {
1196 message(G_LOG_LEVEL_WARNING, "Could not load public encryption key of %s",
1197 provider->ProviderID);
1198 goto cleanup;
1199 }
1200
1201 provider->private_data->encryption_mode = LASSO_ENCRYPTION_MODE_NONE;
1202 lasso_transfer_gobject(ret, provider);
1203 cleanup:
1204 lasso_release_gobject(provider);
1205 return ret;
1206 }
1207 /**
1208 * lasso_provider_new:
1209 * @role: provider role, identity provider or service provider
1210 * @metadata: path to the provider metadata file
1211 * @public_key:(allow-none): path to the provider public key file (may be a certificate) or NULL
1212 * @ca_cert_chain:(allow-none): path to the provider CA certificate chain file or NULL
1213 *
1214 * Creates a new #LassoProvider.
1215 *
1216 * Return value: a newly created #LassoProvider; or NULL if an error occured
1217 */
1218 LassoProvider*
lasso_provider_new(LassoProviderRole role,const char * metadata,const char * public_key,const char * ca_cert_chain)1219 lasso_provider_new(LassoProviderRole role, const char *metadata,
1220 const char *public_key, const char *ca_cert_chain)
1221 {
1222 return _lasso_provider_new_helper(role, metadata, public_key, ca_cert_chain,
1223 lasso_provider_load_metadata);
1224 }
1225
1226 /**
1227 * lasso_provider_new_from_buffer:
1228 * @role: provider role, identity provider or service provider
1229 * @metadata: string buffer containing a metadata file
1230 * @public_key:(allow-none): path to the provider public key file (may be a certificate) or NULL
1231 * @ca_cert_chain:(allow-none): path to the provider CA certificate chain file or NULL
1232 *
1233 * Creates a new #LassoProvider.
1234 *
1235 * Return value: a newly created #LassoProvider; or NULL if an error occured
1236 */
1237 LassoProvider*
lasso_provider_new_from_buffer(LassoProviderRole role,const char * metadata,const char * public_key,const char * ca_cert_chain)1238 lasso_provider_new_from_buffer(LassoProviderRole role, const char *metadata,
1239 const char *public_key, const char *ca_cert_chain)
1240 {
1241 return _lasso_provider_new_helper(role, metadata, public_key, ca_cert_chain,
1242 lasso_provider_load_metadata_from_buffer);
1243 }
1244
1245 /**
1246 * lasso_provider_load_public_key:
1247 * @provider: a #LassoProvider object
1248 * @public_key_type: the type of public key to load
1249 *
1250 * Load the public key from their transport format, a file or a KeyDescriptor #xmlNode.
1251 *
1252 * Return value: TRUE if loading was succesfull, FALSE otherwise.
1253 */
1254 gboolean
lasso_provider_load_public_key(LassoProvider * provider,LassoPublicKeyType public_key_type)1255 lasso_provider_load_public_key(LassoProvider *provider, LassoPublicKeyType public_key_type)
1256 {
1257 gchar *public_key = NULL;
1258 GList *keys_descriptors = NULL;
1259 xmlNode *key_descriptor = NULL;
1260 GList *keys = NULL;
1261 gboolean ret = FALSE;
1262
1263 g_return_val_if_fail(LASSO_IS_PROVIDER(provider), FALSE);
1264 if (public_key_type == LASSO_PUBLIC_KEY_SIGNING) {
1265 public_key = provider->public_key;
1266 keys_descriptors = provider->private_data->signing_key_descriptors;
1267 } else {
1268 key_descriptor = provider->private_data->encryption_key_descriptor;
1269 }
1270
1271 if (public_key == NULL && keys_descriptors == NULL && key_descriptor == NULL) {
1272 return TRUE;
1273 }
1274
1275 if (public_key != NULL) {
1276 xmlSecKey *key = lasso_xmlsec_load_private_key(public_key, NULL,
1277 LASSO_SIGNATURE_METHOD_RSA_SHA1, NULL);
1278 if (key) {
1279 lasso_list_add_new_sec_key(keys, key);
1280 } else {
1281 message(G_LOG_LEVEL_WARNING, "Could not read public key from file %s", public_key);
1282 }
1283 }
1284 if (key_descriptor) {
1285 xmlSecKey *key = lasso_xmlsec_load_key_info(key_descriptor);
1286 if (key) {
1287 lasso_list_add_new_sec_key(keys, key);
1288 } else {
1289 message(G_LOG_LEVEL_WARNING, "Could not read KeyInfo from %s KeyDescriptor", public_key_type == LASSO_PUBLIC_KEY_SIGNING ? "signing" : "encryption");
1290 }
1291 }
1292
1293 if (keys_descriptors) {
1294 lasso_foreach_full_begin(xmlNode*, key_descriptor, it, keys_descriptors);
1295 {
1296 xmlSecKey *key = lasso_xmlsec_load_key_info(key_descriptor);
1297 if (key) {
1298 lasso_list_add_new_sec_key(keys, key);
1299 } else {
1300 message(G_LOG_LEVEL_WARNING, "Could not read KeyInfo from %s "
1301 "KeyDescriptor",
1302 public_key_type == LASSO_PUBLIC_KEY_SIGNING ? "signing" :
1303 "encryption");
1304 }
1305 }
1306 lasso_foreach_full_end();
1307 }
1308
1309 if (keys) {
1310 GList **dest = NULL;
1311 switch (public_key_type) {
1312 case LASSO_PUBLIC_KEY_SIGNING:
1313 dest = &provider->private_data->signing_public_keys;
1314 break;
1315 case LASSO_PUBLIC_KEY_ENCRYPTION:
1316 dest = &provider->private_data->encryption_public_keys;
1317 break;
1318 }
1319 if (dest) {
1320 lasso_transfer_full(*dest, keys, list_of_sec_key);
1321 ret = TRUE;
1322 }
1323 }
1324 lasso_release_list_of_sec_key(keys);
1325 return ret;
1326 }
1327
1328
1329 /**
1330 * lasso_provider_new_from_dump:
1331 * @dump: XML provider dump
1332 *
1333 * Restores the @dump to a new #LassoProvider.
1334 *
1335 * Return value: a newly created #LassoProvider; or NULL if an error occured.
1336 **/
1337 LassoProvider*
lasso_provider_new_from_dump(const gchar * dump)1338 lasso_provider_new_from_dump(const gchar *dump)
1339 {
1340 LassoProvider *provider;
1341
1342 provider = (LassoProvider*)lasso_node_new_from_dump(dump);
1343 if (! LASSO_IS_PROVIDER(provider)) {
1344 lasso_release_gobject(provider);
1345 }
1346 return provider;
1347 }
1348
1349 int
lasso_provider_verify_saml_signature(LassoProvider * provider,xmlNode * signed_node,xmlDoc * doc)1350 lasso_provider_verify_saml_signature(LassoProvider *provider,
1351 xmlNode *signed_node, xmlDoc *doc)
1352 {
1353 const char *id_attribute_name = NULL;
1354 const xmlChar *node_ns = NULL;
1355 GList *public_keys = NULL;
1356 xmlSecKeysMngr *keys_manager = NULL;
1357 int rc = 0;
1358 int signature_rc = 0;
1359
1360 lasso_bad_param(PROVIDER, provider);
1361 lasso_null_param(signed_node);
1362 g_return_val_if_fail((signed_node->doc && doc) || ! signed_node->doc, LASSO_PARAM_ERROR_INVALID_VALUE);
1363
1364 /* ID-FF 1.2 Signatures case */
1365 node_ns = xmlSecGetNodeNsHref(signed_node);
1366 if ((strcmp((char*)node_ns, LASSO_SAML2_PROTOCOL_HREF) == 0) ||
1367 (strcmp((char*)node_ns, LASSO_SAML2_ASSERTION_HREF) == 0)) {
1368 id_attribute_name = "ID";
1369 } else if (xmlSecCheckNodeName(signed_node, (xmlChar*)"Request", (xmlChar*)LASSO_SAML_PROTOCOL_HREF)) {
1370 id_attribute_name = "RequestID";
1371 } else if (xmlSecCheckNodeName(signed_node, (xmlChar*)"Response", (xmlChar*)LASSO_SAML_PROTOCOL_HREF)) {
1372 id_attribute_name = "ResponseID";
1373 } else if (xmlSecCheckNodeName(signed_node, (xmlChar*)"Assertion", (xmlChar*)LASSO_SAML_ASSERTION_HREF)) {
1374 id_attribute_name = "AssertionID";
1375 }
1376 goto_cleanup_if_fail_with_rc(id_attribute_name, LASSO_PARAM_ERROR_INVALID_VALUE);
1377 /* Get provider credentials */
1378 lasso_check_good_rc(lasso_provider_try_loading_ca_cert_chain(provider, &keys_manager));
1379 lasso_check_good_rc(lasso_provider_try_loading_public_keys(provider, &public_keys, keys_manager == NULL));
1380
1381 lasso_foreach_full_begin(xmlSecKey*, public_key, it, public_keys);
1382 {
1383 signature_rc = lasso_verify_signature(signed_node, doc, id_attribute_name, keys_manager, public_key,
1384 NO_OPTION, NULL);
1385 if (signature_rc == 0) {
1386 break;
1387 }
1388 }
1389 lasso_foreach_full_end();
1390 rc = signature_rc;
1391 cleanup:
1392 lasso_release_key_manager(keys_manager);
1393 return rc;
1394 }
1395
1396 int
lasso_provider_verify_signature(LassoProvider * provider,const char * message,const char * id_attr_name,LassoMessageFormat format)1397 lasso_provider_verify_signature(LassoProvider *provider,
1398 const char *message, const char *id_attr_name, LassoMessageFormat format)
1399 {
1400 /* this duplicates some code from lasso_node_init_from_message;
1401 * reflection about code reuse is under way...
1402 */
1403 xmlDoc *doc = NULL;
1404 xmlNode *xmlnode = NULL;
1405 xmlSecKeysMngr *keys_mngr = NULL;
1406 int rc = 0;
1407 int signature_rc = 0;
1408 xmlXPathContext *xpathCtx = NULL;
1409 xmlXPathObject *xpathObj = NULL;
1410 GList *public_keys = NULL;
1411
1412 g_return_val_if_fail(LASSO_IS_PROVIDER(provider), LASSO_PARAM_ERROR_BAD_TYPE_OR_NULL_OBJ);
1413
1414 if (lasso_flag_verify_signature == FALSE)
1415 return 0;
1416
1417 if (message == NULL)
1418 return LASSO_PROFILE_ERROR_INVALID_MSG;
1419
1420 if (format == LASSO_MESSAGE_FORMAT_ERROR)
1421 return LASSO_PROFILE_ERROR_INVALID_MSG;
1422
1423 if (format == LASSO_MESSAGE_FORMAT_UNKNOWN)
1424 return LASSO_PROFILE_ERROR_INVALID_MSG;
1425
1426 if (format == LASSO_MESSAGE_FORMAT_QUERY) {
1427 return lasso_provider_verify_query_signature(provider, message);
1428 }
1429 lasso_check_good_rc(lasso_provider_try_loading_ca_cert_chain(provider, &keys_mngr));
1430 /* public key is mandatory if no keys manager is present */
1431 lasso_check_good_rc(lasso_provider_try_loading_public_keys(provider, &public_keys,
1432 keys_mngr == NULL));
1433
1434 if (format == LASSO_MESSAGE_FORMAT_BASE64) {
1435 int len;
1436 char *msg = g_malloc(strlen(message));
1437 len = xmlSecBase64Decode((xmlChar*)message, (xmlChar*)msg, strlen(message));
1438 if (len < 0) {
1439 goto_cleanup_with_rc(LASSO_PROFILE_ERROR_INVALID_MSG);
1440 }
1441 doc = lasso_xml_parse_memory(msg, strlen(msg));
1442 lasso_release_string(msg);
1443 } else {
1444 doc = lasso_xml_parse_memory(message, strlen(message));
1445 }
1446
1447 if (format == LASSO_MESSAGE_FORMAT_SOAP) {
1448 xpathCtx = xmlXPathNewContext(doc);
1449 xmlXPathRegisterNs(xpathCtx, (xmlChar*)"s", (xmlChar*)LASSO_SOAP_ENV_HREF);
1450 xpathObj = xmlXPathEvalExpression((xmlChar*)"//s:Body/*", xpathCtx);
1451 if (xpathObj->nodesetval && xpathObj->nodesetval->nodeNr ) {
1452 xmlnode = xpathObj->nodesetval->nodeTab[0];
1453 }
1454 goto_cleanup_if_fail_with_rc (xmlnode != NULL, LASSO_PROFILE_ERROR_INVALID_MSG);
1455 } else {
1456 xmlnode = xmlDocGetRootElement(doc);
1457 }
1458
1459
1460 lasso_foreach_full_begin(xmlSecKeyPtr, public_key, it, public_keys);
1461 {
1462 signature_rc = lasso_verify_signature(xmlnode, doc, id_attr_name,
1463 keys_mngr, public_key, NO_OPTION, NULL);
1464 if (signature_rc == 0) {
1465 break;
1466 }
1467 }
1468 lasso_foreach_full_end();
1469 rc = signature_rc;
1470
1471 cleanup:
1472 lasso_release_key_manager(keys_mngr);
1473 lasso_release_xpath_job(xpathObj, xpathCtx, doc);
1474 return rc;
1475 }
1476
1477 /**
1478 * lasso_provider_set_encryption_mode:
1479 * @provider: provider to set encryption for
1480 * @encryption_mode: TRUE to activate, FALSE to desactivate
1481 *
1482 * Activate or desactivate encryption
1483 **/
1484 void
lasso_provider_set_encryption_mode(LassoProvider * provider,LassoEncryptionMode encryption_mode)1485 lasso_provider_set_encryption_mode(LassoProvider *provider, LassoEncryptionMode encryption_mode)
1486 {
1487 g_return_if_fail(LASSO_IS_PROVIDER(provider));
1488 provider->private_data->encryption_mode = encryption_mode;
1489 }
1490
1491 /**
1492 * lasso_provider_get_encryption_mode:
1493 * @provider: a #LassoProvider object
1494 *
1495 * Return the current encryption mode.
1496 *
1497 * Return value: a value in the #LassoEncryptionMode enumeration.
1498 */
1499 LassoEncryptionMode
lasso_provider_get_encryption_mode(LassoProvider * provider)1500 lasso_provider_get_encryption_mode(LassoProvider *provider) {
1501 if (! LASSO_IS_PROVIDER(provider) || ! provider->private_data)
1502 return LASSO_ENCRYPTION_MODE_NONE;
1503 return provider->private_data->encryption_mode;
1504 }
1505
1506 /**
1507 * lasso_provider_set_encryption_sym_key_type:
1508 * @provider: provider to set encryption for
1509 * @encryption_sym_key_type: enum type for generated symetric key
1510 *
1511 * Set the type of the generated encryption symetric key
1512 **/
1513 void
lasso_provider_set_encryption_sym_key_type(LassoProvider * provider,LassoEncryptionSymKeyType encryption_sym_key_type)1514 lasso_provider_set_encryption_sym_key_type(LassoProvider *provider,
1515 LassoEncryptionSymKeyType encryption_sym_key_type)
1516 {
1517 g_return_if_fail(LASSO_IS_PROVIDER(provider));
1518 provider->private_data->encryption_sym_key_type = encryption_sym_key_type;
1519 }
1520
1521 /**
1522 * lasso_provider_get_encryption_sym_key_type:
1523 * @provider: a #LassoProvider object
1524 *
1525 * Return the encryption sym key type for this provider.
1526 *
1527 * Return value: a #LassoEncryptionSymKeyType value.
1528 */
1529 LassoEncryptionSymKeyType
lasso_provider_get_encryption_sym_key_type(const LassoProvider * provider)1530 lasso_provider_get_encryption_sym_key_type(const LassoProvider *provider)
1531 {
1532 if (LASSO_IS_PROVIDER(provider) && provider->private_data)
1533 return provider->private_data->encryption_sym_key_type;
1534
1535 return LASSO_ENCRYPTION_SYM_KEY_TYPE_DEFAULT;
1536 }
1537
1538 /**
1539 * lasso_provider_verify_query_signature:
1540 * @provider: the #LassoProvider for the the provider issuing the query
1541 * @message: the URL query string UTF-8 encoded
1542 *
1543 * Retrieve the public key of the given provider and verify the signature of the query string.
1544 *
1545 * Return value: 0 if succesfull,
1546 * <itemizedlist>
1547 * <listitem><para>#LASSO_PROVIDER_ERROR_MISSING_PUBLIC_KEY if no public key is set for this provider,</para></listitem>
1548 * <listitem><para>#LASSO_DS_ERROR_INVALID_SIGNATURE if signature is invalid,</para></listitem>
1549 * <listitem><para>#LASSO_DS_ERROR_SIGNATURE_NOT_FOUND if no signature is found,</para></listitem>
1550 * <listitem><para>#LASSO_DS_ERROR_PUBLIC_KEY_LOAD_FAILED if the key cannot be loaded,</para></listitem>
1551 * <listitem><para>#LASSO_ERROR_UNIMPLEMENTED if the protocol profile of the provider is invalid or not supported.</para></listitem>
1552 * </itemizedlist>
1553 */
1554 int
lasso_provider_verify_query_signature(LassoProvider * provider,const char * message)1555 lasso_provider_verify_query_signature(LassoProvider *provider, const char *message)
1556 {
1557 int (*check)(const char *, const xmlSecKey *) = NULL;
1558 int rc = 0;
1559 int signature_rc = 0;
1560 GList *public_keys = NULL;
1561
1562 lasso_bad_param(PROVIDER, provider);
1563 lasso_null_param(message);
1564
1565 lasso_check_good_rc(lasso_provider_try_loading_public_keys(provider, &public_keys, TRUE));
1566
1567 switch (lasso_provider_get_protocol_conformance(provider)) {
1568 case LASSO_PROTOCOL_LIBERTY_1_0:
1569 case LASSO_PROTOCOL_LIBERTY_1_1:
1570 case LASSO_PROTOCOL_LIBERTY_1_2:
1571 check = lasso_query_verify_signature;
1572 break;
1573 case LASSO_PROTOCOL_SAML_2_0:
1574 check = lasso_saml2_query_verify_signature;
1575 break;
1576 default:
1577 return LASSO_PROFILE_ERROR_CANNOT_VERIFY_SIGNATURE;
1578 }
1579 /* Check with all known signing keys... */
1580 lasso_foreach_full_begin(xmlSecKeyPtr, public_key, it, public_keys);
1581 {
1582 signature_rc = check(message, public_key);
1583 if (signature_rc == 0) {
1584 break;
1585 }
1586 }
1587 lasso_foreach_full_end();
1588 rc = signature_rc;
1589 cleanup:
1590 return rc;
1591 }
1592
1593 /**
1594 * lasso_provider_get_default_name_id_format:
1595 * @provider: a #LassoProvider object
1596 *
1597 * If the provider has a list of supported name id formats in its metadatas, return the first one.
1598 *
1599 * Return value:(transfer full)(allow-none): a NameIDFormat URI or NULL, the returned value must be freed by the caller.
1600 */
1601 gchar*
lasso_provider_get_default_name_id_format(LassoProvider * provider)1602 lasso_provider_get_default_name_id_format(LassoProvider *provider)
1603 {
1604 return lasso_provider_get_metadata_one(provider, "NameIDFormat");
1605 }
1606
1607 /**
1608 * lasso_provider_get_sp_name_qualifier:
1609 * @provider: a #LassoPRovider object
1610 *
1611 * Return the entityID to use for qualifying NameIdentifier.
1612 *
1613 * Return value:(transfer none)(allow-none): a private string or NULL. Do not keep a reference on this string or
1614 * free it.
1615 */
1616 const char*
lasso_provider_get_sp_name_qualifier(LassoProvider * provider)1617 lasso_provider_get_sp_name_qualifier(LassoProvider *provider)
1618 {
1619 const char *sp_name_qualifier;
1620
1621 g_return_val_if_fail(LASSO_IS_PROVIDER(provider), NULL);
1622 /* should not happen ! */
1623 g_return_val_if_fail(provider->private_data != NULL, NULL);
1624
1625 if (provider->private_data->affiliation_id) {
1626 sp_name_qualifier = provider->private_data->affiliation_id;
1627 } else {
1628 sp_name_qualifier = provider->ProviderID;
1629 }
1630
1631 if (sp_name_qualifier) {
1632 return sp_name_qualifier;
1633 } else {
1634 return NULL;
1635 }
1636 }
1637
1638 /**
1639 * lasso_provider_verify_single_node_signature:
1640 * @provider: a #LassoProvider object
1641 * @node: a #LassoNode object, still having its originalXmlnode content, and containing an XML
1642 * signature.
1643 * @id_attr_name: the name of the ID attribute to lookup.
1644 *
1645 * Return wheter the provider signed this node.
1646 *
1647 * Return value: 0 if the node is signed by this provider, an error code otherwise.
1648 */
1649 int
lasso_provider_verify_single_node_signature(LassoProvider * provider,LassoNode * node,const char * id_attr_name)1650 lasso_provider_verify_single_node_signature (LassoProvider *provider, LassoNode *node, const char *id_attr_name)
1651 {
1652 xmlNode *xmlnode = NULL;
1653 GList *public_keys = NULL;
1654 xmlSecKeysMngr *keys_mngr = NULL;
1655 int rc = 0;
1656
1657 xmlnode = lasso_node_get_original_xmlnode (node);
1658 if (xmlnode == NULL) {
1659 return LASSO_DS_ERROR_SIGNATURE_VERIFICATION_FAILED;
1660 }
1661 lasso_check_good_rc(lasso_provider_try_loading_ca_cert_chain(provider, &keys_mngr));
1662 lasso_check_good_rc(lasso_provider_try_loading_public_keys(provider, &public_keys,
1663 keys_mngr == NULL));
1664
1665 lasso_foreach_full_begin(xmlSecKey*, public_key, it, public_keys);
1666 {
1667 rc = lasso_verify_signature(xmlnode, NULL, id_attr_name, keys_mngr, public_key,
1668 NO_SINGLE_REFERENCE, NULL);
1669 if (rc == 0)
1670 break;
1671 }
1672 lasso_foreach_full_end();
1673 cleanup:
1674 return rc;
1675 }
1676
1677 struct AddForRoleHelper {
1678 GList *l;
1679 LassoProviderRole role;
1680 };
1681
1682
1683 static void
_add_for_role(gpointer key,G_GNUC_UNUSED gpointer data,struct AddForRoleHelper * helper)1684 _add_for_role(gpointer key, G_GNUC_UNUSED gpointer data, struct AddForRoleHelper *helper)
1685 {
1686 char role_prefix[64];
1687 int l;
1688
1689 l = sprintf(role_prefix, "%s ", role_to_prefix(helper->role));
1690
1691 if (key && strncmp(key, role_prefix, l) == 0) {
1692 lasso_list_add_string(helper->l, ((char*)key) + l);
1693 }
1694 }
1695
1696 /**
1697 * lasso_provider_get_metadata_keys_for_role:
1698 * @provider: a #LassoProvider object
1699 * @role: a #LassoProviderRole value
1700 *
1701 * Returns the list of metadata keys existing for the given provider.
1702 *
1703 * Return value:(element-type utf8)(transfer full): a newly allocated list of strings
1704 */
1705 GList*
lasso_provider_get_metadata_keys_for_role(LassoProvider * provider,LassoProviderRole role)1706 lasso_provider_get_metadata_keys_for_role(LassoProvider *provider, LassoProviderRole role)
1707 {
1708 struct AddForRoleHelper helper = { NULL, role };
1709
1710 lasso_return_val_if_fail(LASSO_IS_PROVIDER(provider), NULL);
1711 lasso_return_val_if_fail(provider->private_data != NULL, NULL);
1712 lasso_return_val_if_fail(role > LASSO_PROVIDER_ROLE_NONE && role < LASSO_PROVIDER_ROLE_LAST, NULL);
1713 g_return_val_if_fail(role_to_prefix(role) != NULL, NULL);
1714
1715 g_hash_table_foreach(provider->private_data->Descriptors, (GHFunc)_add_for_role, &helper);
1716
1717 return helper.l;
1718 }
1719
1720 /**
1721 * lasso_provider_get_roles:
1722 * @provider: a #LassoProvider object
1723 *
1724 * Return the bitmask of the supported roles.
1725 *
1726 * Return value: a #LassoProviderRole enumeration value.
1727 */
1728 LassoProviderRole
lasso_provider_get_roles(LassoProvider * provider)1729 lasso_provider_get_roles(LassoProvider *provider)
1730 {
1731 lasso_return_val_if_fail(LASSO_IS_PROVIDER(provider) && provider->private_data, LASSO_PROVIDER_ROLE_NONE);
1732
1733 return provider->private_data->roles;
1734 }
1735
1736 /**
1737 * lasso_provider_match_conformance:
1738 * @provider: a #LassoProvider object
1739 * @another_provider: a #LassoProvider object
1740 *
1741 * Return whether the two provider support a same protocol.
1742 * See also #LassoProtocolConformance.
1743 *
1744 * Return value: TRUE or FALSE.
1745 */
1746 gboolean
lasso_provider_match_conformance(LassoProvider * provider,LassoProvider * another_provider)1747 lasso_provider_match_conformance(LassoProvider *provider, LassoProvider *another_provider)
1748 {
1749 lasso_return_val_if_fail(LASSO_IS_PROVIDER(provider)
1750 && LASSO_IS_PROVIDER(another_provider),
1751 FALSE);
1752
1753 int conformance1 = lasso_provider_get_protocol_conformance(provider);
1754 int conformance2 = lasso_provider_get_protocol_conformance(another_provider);
1755
1756 return (conformance1 & conformance2) != 0;
1757 }
1758
1759 LassoProvider*
lasso_provider_new_from_xmlnode(LassoProviderRole role,xmlNode * node)1760 lasso_provider_new_from_xmlnode(LassoProviderRole role, xmlNode *node) {
1761 LassoProvider *provider = NULL, *ret = NULL;
1762
1763 provider = (LassoProvider*)g_object_new(LASSO_TYPE_PROVIDER, NULL);
1764 provider->role = role;
1765 goto_cleanup_if_fail(_lasso_provider_load_metadata_from_xmlnode(provider, node));
1766
1767 if (!lasso_provider_load_public_key(provider, LASSO_PUBLIC_KEY_SIGNING)) {
1768 message(G_LOG_LEVEL_WARNING, "Could not load public signing key of %s",
1769 provider->ProviderID);
1770 goto cleanup;
1771 }
1772 if (!lasso_provider_load_public_key(provider, LASSO_PUBLIC_KEY_ENCRYPTION)) {
1773 message(G_LOG_LEVEL_WARNING, "Could not load public encryption key of %s",
1774 provider->ProviderID);
1775 goto cleanup;
1776 }
1777
1778 provider->private_data->encryption_mode = LASSO_ENCRYPTION_MODE_NONE;
1779 lasso_transfer_gobject(ret, provider);
1780 cleanup:
1781 lasso_release_gobject(provider);
1782 return ret;
1783 }
1784
1785 /**
1786 * lasso_provider_add_key:
1787 * @provider: a #LassoProvider object
1788 * @key: a #LassoKey object
1789 * @after:(default FALSE): add the key at the end of the list, not on front.
1790 *
1791 * Add a new signature key for validating message received from @provider. If the key is used to
1792 * improve verification time add it first with @after as true, it the key is ther for continuity of
1793 * service (when doing a key rollover for example) at it last with @after as false.
1794 *
1795 * Return value: 0 if successful, an error code otherwise.
1796 */
1797 lasso_error_t
lasso_provider_add_key(LassoProvider * provider,LassoKey * key,gboolean after)1798 lasso_provider_add_key(LassoProvider *provider, LassoKey *key, gboolean after)
1799 {
1800 LassoSignatureContext context;
1801 lasso_error_t rc = 0;
1802 GList **list = NULL;
1803 xmlSecKey *xml_sec_key = NULL;
1804
1805 lasso_bad_param(PROVIDER, provider);
1806 lasso_bad_param(KEY, key);
1807
1808 switch (lasso_key_get_key_type(key)) {
1809 case LASSO_KEY_TYPE_FOR_SIGNATURE:
1810 context = lasso_key_get_signature_context(key);
1811 list = &provider->private_data->signing_public_keys;
1812 xml_sec_key = xmlSecKeyDuplicate(context.signature_key);
1813 break;
1814 }
1815 goto_cleanup_if_fail_with_rc(list && xml_sec_key, LASSO_PARAM_ERROR_INVALID_VALUE);
1816 if (after) {
1817 *list = g_list_append(*list, xml_sec_key);
1818 } else {
1819 *list = g_list_prepend(*list, xml_sec_key);
1820 }
1821 cleanup:
1822 return rc;
1823 }
1824
1825 /**
1826 * lasso_provider_set_server_signing_key:
1827 * @provider: a #LassoProvider object
1828 * @key: a #LassoKey object
1829 *
1830 * Return value: 0 if successful, an error code otherwise.
1831 */
1832 lasso_error_t
lasso_provider_set_server_signing_key(LassoProvider * provider,LassoKey * key)1833 lasso_provider_set_server_signing_key(LassoProvider *provider,
1834 LassoKey *key)
1835 {
1836 lasso_error_t rc = 0;
1837 LassoSignatureContext context;
1838
1839 lasso_bad_param(PROVIDER, provider);
1840 lasso_bad_param(KEY, key);
1841
1842 context = lasso_key_get_signature_context(key);
1843 goto_cleanup_if_fail_with_rc(lasso_validate_signature_context(context),
1844 LASSO_DS_ERROR_PRIVATE_KEY_LOAD_FAILED);
1845 lasso_assign_signature_context(provider->private_data->signature_context,
1846 context);
1847 cleanup:
1848 return rc;
1849 }
1850