1 /**
2  * Licensed to the University Corporation for Advanced Internet
3  * Development, Inc. (UCAID) under one or more contributor license
4  * agreements. See the NOTICE file distributed with this work for
5  * additional information regarding copyright ownership.
6  *
7  * UCAID licenses this file to you under the Apache License,
8  * Version 2.0 (the "License"); you may not use this file except
9  * in compliance with the License. You may obtain a copy of the
10  * License at
11  *
12  * http://www.apache.org/licenses/LICENSE-2.0
13  *
14  * Unless required by applicable law or agreed to in writing,
15  * software distributed under the License is distributed on an
16  * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND,
17  * either express or implied. See the License for the specific
18  * language governing permissions and limitations under the License.
19  */
20 
21 /**
22  * SessionInitiator.cpp
23  *
24  * Pluggable runtime functionality that handles initiating sessions.
25  */
26 
27 #include "internal.h"
28 #include "exceptions.h"
29 #include "SPRequest.h"
30 #include "TransactionLog.h"
31 #include "handler/SessionInitiator.h"
32 
33 using namespace shibsp;
34 using namespace xmltooling;
35 using namespace std;
36 
37 #ifndef SHIBSP_LITE
38 # include <saml/saml2/metadata/Metadata.h>
39 using namespace opensaml::saml2md;
40 #endif
41 
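namespace shibsp {
    // Factory functions for the built-in SessionInitiator plugins. Each one is
    // defined in its own translation unit; they are only declared here so that
    // registerSessionInitiators() below can hand them to the plugin manager.
    // All of them share the PluginManager<SessionInitiator,...>::Factory
    // signature, keyed by the type string used in the SP configuration.
    SHIBSP_DLLLOCAL PluginManager< SessionInitiator,string,pair<const DOMElement*,const char*> >::Factory ChainingSessionInitiatorFactory;
    SHIBSP_DLLLOCAL PluginManager< SessionInitiator,string,pair<const DOMElement*,const char*> >::Factory Shib1SessionInitiatorFactory;
    SHIBSP_DLLLOCAL PluginManager< SessionInitiator,string,pair<const DOMElement*,const char*> >::Factory SAML2SessionInitiatorFactory;
    SHIBSP_DLLLOCAL PluginManager< SessionInitiator,string,pair<const DOMElement*,const char*> >::Factory WAYFSessionInitiatorFactory;
    SHIBSP_DLLLOCAL PluginManager< SessionInitiator,string,pair<const DOMElement*,const char*> >::Factory SAMLDSSessionInitiatorFactory;
    SHIBSP_DLLLOCAL PluginManager< SessionInitiator,string,pair<const DOMElement*,const char*> >::Factory TransformSessionInitiatorFactory;
    SHIBSP_DLLLOCAL PluginManager< SessionInitiator,string,pair<const DOMElement*,const char*> >::Factory FormSessionInitiatorFactory;
    SHIBSP_DLLLOCAL PluginManager< SessionInitiator,string,pair<const DOMElement*,const char*> >::Factory CookieSessionInitiatorFactory;
} // namespace shibsp (no trailing ';' — it is an empty declaration that pedantic builds warn about)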
52 
/**
 * Registers the factory for every built-in SessionInitiator type with the
 * global SPConfig's SessionInitiatorManager.
 *
 * Each factory is keyed by the type constant (e.g. SAML2_SESSION_INITIATOR)
 * that the SP configuration uses to name that initiator type, so the plugin
 * manager can instantiate the right class from a <SessionInitiator type="..."> element.
 */
void SHIBSP_API shibsp::registerSessionInitiators()
{
    PluginManager< SessionInitiator,string,pair<const DOMElement*,const char*> >& mgr =
        SPConfig::getConfig().SessionInitiatorManager;

    mgr.registerFactory(CHAINING_SESSION_INITIATOR, ChainingSessionInitiatorFactory);
    mgr.registerFactory(SHIB1_SESSION_INITIATOR, Shib1SessionInitiatorFactory);
    mgr.registerFactory(SAML2_SESSION_INITIATOR, SAML2SessionInitiatorFactory);
    mgr.registerFactory(WAYF_SESSION_INITIATOR, WAYFSessionInitiatorFactory);
    mgr.registerFactory(SAMLDS_SESSION_INITIATOR, SAMLDSSessionInitiatorFactory);
    mgr.registerFactory(TRANSFORM_SESSION_INITIATOR, TransformSessionInitiatorFactory);
    mgr.registerFactory(FORM_SESSION_INITIATOR, FormSessionInitiatorFactory);
    mgr.registerFactory(COOKIE_SESSION_INITIATOR, CookieSessionInitiatorFactory);
}
65 
// Default constructor; the base class holds no state of its own beyond what
// Handler / the derived types initialize.
SessionInitiator::SessionInitiator()
{
}
69 
// Destructor; nothing to release here (no owned resources in the base class).
SessionInitiator::~SessionInitiator()
{
}
73 
/**
 * Maps deprecated property names onto their current equivalents.
 *
 * Only one legacy name is recognized: "defaultACSIndex" becomes "acsIndex",
 * and a deprecation warning is emitted through SPConfig's deprecation logger.
 * Any other name is returned unchanged.
 *
 * @param src  property name as found in the configuration
 * @param log  logging category (currently unused; the deprecation logger is used instead)
 * @return the property name to look up; either a string literal or src itself
 */
const char* SessionInitiator::remap(const char* src, Category& log) const
{
    if (!XMLString::equals(src, "defaultACSIndex"))
        return src;

    SPConfig::getConfig().deprecation().warn("old setting - remapping property (defaultACSIndex) to (acsIndex)");
    return "acsIndex";
}
84 
// Event type recorded in the transaction log for this handler: session
// initiation is always classified as a login event.
const char* SessionInitiator::getEventType() const {
    return LOGIN_EVENT;
}
88 
89 #ifndef SHIBSP_LITE
// Handler type name, used when this handler is described (e.g. in metadata
// generation or logging) rather than the configured plugin type string.
const char* SessionInitiator::getType() const
{
    return "SessionInitiator";
}
94 
// Intentional no-op kept for binary/source compatibility with plugins that
// used to call generateMetadata() directly; the real work moved to
// doGenerateMetadata(). Both parameters are deliberately unused.
void SessionInitiator::generateMetadata(SPSSODescriptor& role, const char* handlerURL) const
{
    // In case any plugins were directly calling this before, we stub it out.
}
99 
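/**
 * Adds a RequestInitiator endpoint describing this handler to the SP role's
 * <Extensions> element when SP metadata is generated.
 *
 * Chained (child) initiators are skipped: only the top-level handler that
 * owns the URL is advertised.
 *
 * @param role        SPSSODescriptor being populated
 * @param handlerURL  base handler URL; this handler's Location property is
 *                    appended to it (with a '/' inserted if Location lacks one)
 *
 * @throws ConfigurationException if the handler has no Location property.
 *         The original code dereferenced the property unconditionally, which
 *         is a null-pointer crash for a misconfigured handler.
 */
void SessionInitiator::doGenerateMetadata(SPSSODescriptor& role, const char* handlerURL) const
{
    if (getParent())
        return;

    // Location is mandatory for building the endpoint; fail loudly instead of
    // dereferencing a missing property.
    pair<bool,const char*> loc = getString("Location");
    if (!loc.first || !loc.second || !*loc.second)
        throw ConfigurationException("SessionInitiator requires a Location property to generate metadata.");

    string hurl(handlerURL ? handlerURL : "");
    if (*loc.second != '/')
        hurl += '/';
    hurl += loc.second;
    auto_ptr_XMLCh widen(hurl.c_str());

    // Keep the new endpoint in an owning pointer until the Extensions container
    // has accepted it, so a throw from setLocation/setBinding/buildExtensions/
    // push_back does not leak it.
    auto_ptr<RequestInitiator> ep(RequestInitiatorBuilder::buildRequestInitiator());
    ep->setLocation(widen.get());
    ep->setBinding(samlconstants::SP_REQUEST_INIT_NS);

    Extensions* ext = role.getExtensions();
    if (!ext) {
        ext = ExtensionsBuilder::buildExtensions();
        // NOTE(review): setExtensions is assumed to take ownership of ext, as
        // xmltooling setters conventionally do — confirm against the library.
        role.setExtensions(ext);
    }
    ext->getUnknownXMLObjects().push_back(ep.get());
    ep.release();   // ownership now rests with the Extensions object
}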
121 #endif
122 
// Names of the optional request features (e.g. "isPassive") this initiator
// can honor. Derived classes populate m_supportedOptions; checkCompatibility()
// consults this set to reject options the concrete initiator cannot implement.
const set<string>& SessionInitiator::getSupportedOptions() const
{
    return m_supportedOptions;
}
127 
/**
 * Decides whether this initiator can service the request given the options in
 * effect for it. Only the isPassive option is checked at present.
 *
 * The isPassive flag is resolved as follows:
 *  - handler invocation (isHandler == true): the isPassive query parameter if
 *    present — even an empty value counts as present and is treated as false —
 *    where a leading '1' or 't' means true; otherwise this handler's own
 *    isPassive property
 *  - automatic invocation (isHandler == false): the request's content settings,
 *    falling back to this handler's property
 *
 * @return true if the request is compatible; false if isPassive was requested,
 *         is unsupported, and this initiator is part of a chain (so the chain
 *         can move on to the next member)
 * @throws ConfigurationException if isPassive is requested of a standalone
 *         initiator that does not list it in getSupportedOptions()
 */
bool SessionInitiator::checkCompatibility(SPRequest& request, bool isHandler) const
{
    pair<bool,bool> passiveProp(false, false);
    bool wantPassive = false;

    if (!isHandler) {
        // Automated session: content settings win, then the handler's own property.
        passiveProp = request.getRequestSettings().first->getBool("isPassive");
        if (!passiveProp.first)
            passiveProp = getBool("isPassive");
        wantPassive = passiveProp.first && passiveProp.second;
    }
    else if (const char* flag = request.getParameter("isPassive")) {
        // An explicit (caller-supplied) query parameter overrides configuration.
        wantPassive = (*flag == '1' || *flag == 't');
    }
    else {
        passiveProp = getBool("isPassive");
        wantPassive = passiveProp.first && passiveProp.second;
    }

    // Nothing to check unless isPassive is actually being requested and unsupported.
    if (!wantPassive || getSupportedOptions().count("isPassive") != 0)
        return true;

    if (getParent()) {
        log(SPRequest::SPInfo, "handler does not support isPassive option");
        return false;
    }
    throw ConfigurationException("Unsupported option (isPassive) supplied to SessionInitiator.");
}
160 
/**
 * Entry point for a session initiation attempt. Resolves the IdP entityID to
 * use, then delegates to the protocol-specific run(request, entityID, isHandler)
 * overload, trapping errors on the handler path when the caller asked for a
 * redirect back to the original target instead of an error page.
 *
 * entityID resolution order:
 *  1. (handler invocation only) the request parameter named by the
 *     entityIDParam property, or "entityID" by default; when no custom name is
 *     configured, the legacy "providerId" parameter is tried as well
 *  2. the "entityID" content setting for the request
 *  3. this handler's own "entityID" property
 * When invoked as a handler the entityID is therefore caller-supplied; nothing
 * here validates it, so the protocol-specific overload is responsible for
 * checking it against metadata.
 *
 * @param request    the SP request being processed
 * @param isHandler  true when invoked directly via the handler URL (request
 *                   parameters are honored); false for automatic initiation
 * @return the pair returned by the protocol-specific overload, or
 *         (true, redirect status) when an error was trapped and redirected
 * @throws whatever the protocol-specific overload throws, unless trapped below
 */
pair<bool,long> SessionInitiator::run(SPRequest& request, bool isHandler) const
{
    cleanRelayState(request.getApplication(), request, request);

    const char* entityID = nullptr;
    pair<bool,const char*> param = getString("entityIDParam");
    if (isHandler) {
        entityID = request.getParameter(param.first ? param.second : "entityID");
        // Legacy parameter name, only consulted when no custom name is configured.
        if (!param.first && (!entityID || !*entityID))
            entityID=request.getParameter("providerId");
    }
    if (!entityID || !*entityID) {
        param = request.getRequestSettings().first->getString("entityID");
        if (param.first)
            entityID = param.second;
    }
    if (!entityID || !*entityID)
        entityID = getString("entityID").second;

    // Copy into an owned string; the overload takes a string and entityID may be null.
    string copy(entityID ? entityID : "");

    try {
        return run(request, copy, isHandler);
    }
    catch (exception& ex) {
        // If it's a handler operation, and isPassive is used or returnOnError is set, we trap the error.
        if (isHandler) {
            // Precedence: isPassive query parameter, then isPassive property,
            // then returnOnError query parameter, then returnOnError property.
            // A leading '1' or 't' in a parameter value means true.
            bool returnOnError = false;
            const char* flag = request.getParameter("isPassive");
            if (flag && (*flag == 't' || *flag == '1')) {
                returnOnError = true;
            }
            else {
                pair<bool,bool> flagprop = getBool("isPassive");
                if (flagprop.first && flagprop.second) {
                    returnOnError = true;
                }
                else {
                    flag = request.getParameter("returnOnError");
                    if (flag) {
                        returnOnError = (*flag=='1' || *flag=='t');
                    }
                    else {
                        flagprop = getBool("returnOnError");
                        returnOnError = (flagprop.first && flagprop.second);
                    }
                }
            }

            if (returnOnError) {
                // Log it and attempt to recover relay state so we can get back.
                log(SPRequest::SPError, ex.what());
                log(SPRequest::SPInfo, "trapping SessionInitiator error condition and returning to target location");
                // The redirect destination comes from the caller ("target"
                // parameter and/or recovered relay state), so it is untrusted.
                // limitRedirect is applied before the redirect is issued; it is
                // what keeps this error path from being an open redirect, so it
                // must stay between recoverRelayState and sendRedirect.
                flag = request.getParameter("target");
                string target(flag ? flag : "");
                recoverRelayState(request.getApplication(), request, request, target, false);
                request.getApplication().limitRedirect(request, target.c_str());
                return make_pair(true, request.sendRedirect(target.c_str()));
            }
        }
        // Not trapped: let the original exception propagate to the caller.
        throw;
    }
}
224 
225 #ifndef SHIBSP_LITE
226 
/**
 * Creates an AuthnRequestEvent for transaction-log auditing.
 *
 * Returns nullptr (after logging a warning, where applicable) when logging is
 * disabled in SPConfig, when the EventManager produced a plugin that is not an
 * AuthnRequestEvent, or when plugin creation threw. Auditing failures never
 * propagate to the caller.
 *
 * @param application  application the event is attributed to
 * @param request      HTTP request being audited (may be nullptr)
 * @return a heap-allocated event owned by the caller, or nullptr
 */
AuthnRequestEvent* SessionInitiator::newAuthnRequestEvent(const Application& application, const xmltooling::HTTPRequest* request) const
{
    SPConfig& conf = SPConfig::getConfig();
    if (!conf.isEnabled(SPConfig::Logging))
        return nullptr;

    try {
        // The plugin is owned by the auto_ptr until we know it has the right type.
        auto_ptr<TransactionLog::Event> generic(conf.EventManager.newPlugin(AUTHNREQUEST_EVENT, nullptr, false));
        AuthnRequestEvent* typed = dynamic_cast<AuthnRequestEvent*>(generic.get());
        if (!typed) {
            Category::getInstance(SHIBSP_LOGCAT ".SessionInitiator").warn("unable to audit event, log event object was of an incorrect type");
            return nullptr;   // auto_ptr frees the mis-typed plugin
        }
        typed->m_request = request;
        typed->m_app = &application;
        generic.release();    // hand ownership to the caller
        return typed;
    }
    catch (exception& ex) {
        Category::getInstance(SHIBSP_LOGCAT ".SessionInitiator").warn("exception auditing event: %s", ex.what());
    }
    return nullptr;
}
249 
250 #endif
251