Fixed an IdP configuration schema bug.
[java-idp.git] / src / edu / internet2 / middleware / shibboleth / idp / IdPProtocolSupport.java
index 1c7aa68..cde7985 100644 (file)
@@ -32,8 +32,6 @@ import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.Iterator;
 
-import javax.servlet.http.HttpServletRequest;
-
 import org.apache.log4j.Logger;
 import org.apache.xml.security.signature.XMLSignature;
 import org.opensaml.InvalidCryptoException;
@@ -51,16 +49,16 @@ import edu.internet2.middleware.shibboleth.aa.arp.ArpEngine;
 import edu.internet2.middleware.shibboleth.aa.arp.ArpProcessingException;
 import edu.internet2.middleware.shibboleth.aa.attrresolv.AttributeResolver;
 import edu.internet2.middleware.shibboleth.artifact.ArtifactMapper;
-import edu.internet2.middleware.shibboleth.artifact.provider.MemoryArtifactMapper;
 import edu.internet2.middleware.shibboleth.common.Credential;
 import edu.internet2.middleware.shibboleth.common.NameMapper;
 import edu.internet2.middleware.shibboleth.common.RelyingParty;
 import edu.internet2.middleware.shibboleth.common.ServiceProviderMapper;
 import edu.internet2.middleware.shibboleth.common.ShibbolethConfigurationException;
+import edu.internet2.middleware.shibboleth.common.provider.ShibbolethTrust;
+import edu.internet2.middleware.shibboleth.common.Trust;
 import edu.internet2.middleware.shibboleth.metadata.EntityDescriptor;
 import edu.internet2.middleware.shibboleth.metadata.Metadata;
 import edu.internet2.middleware.shibboleth.metadata.MetadataException;
-import edu.internet2.middleware.shibboleth.metadata.SPSSODescriptor;
 
 /**
  * Delivers core IdP functionality (Attribute resolution, ARP filtering, Metadata lookup, Signing, Mapping between local &
@@ -73,15 +71,18 @@ public class IdPProtocolSupport implements Metadata {
        private static Logger log = Logger.getLogger(IdPProtocolSupport.class.getName());
        private Logger transactionLog;
        private IdPConfig config;
-       private ArrayList fedMetadata = new ArrayList();
+       private ArrayList metadata = new ArrayList();
        private NameMapper nameMapper;
        private ServiceProviderMapper spMapper;
        private ArpEngine arpEngine;
        private AttributeResolver resolver;
        private ArtifactMapper artifactMapper;
+       private Semaphore throttle;
+       private Trust trust = new ShibbolethTrust();
 
        IdPProtocolSupport(IdPConfig config, Logger transactionLog, NameMapper nameMapper, ServiceProviderMapper spMapper,
-                       ArpEngine arpEngine, AttributeResolver resolver) throws ShibbolethConfigurationException {
+                       ArpEngine arpEngine, AttributeResolver resolver, ArtifactMapper artifactMapper)
+                       throws ShibbolethConfigurationException {
 
                this.transactionLog = transactionLog;
                this.config = config;
@@ -90,16 +91,10 @@ public class IdPProtocolSupport implements Metadata {
                spMapper.setMetadata(this);
                this.arpEngine = arpEngine;
                this.resolver = resolver;
-               // TODO make this pluggable... and clean up memory impl
-               artifactMapper = new MemoryArtifactMapper();
-       }
-
-       public static void validateEngineData(HttpServletRequest req) throws InvalidClientDataException {
+               this.artifactMapper = artifactMapper;
 
-               // TODO this should be pulled out into handlers
-
-               if ((req.getRemoteAddr() == null) || (req.getRemoteAddr().equals(""))) { throw new InvalidClientDataException(
-                               "Unable to obtain client address."); }
+               // Load a semaphore that throttles how many requests the IdP will handle at once
+               throttle = new Semaphore(config.getMaxThreads());
        }
 
        public Logger getTransactionLog() {
@@ -122,86 +117,84 @@ public class IdPProtocolSupport implements Metadata {
                return spMapper;
        }
 
-       public static void addSignatures(SAMLResponse response, RelyingParty relyingParty, EntityDescriptor provider,
-                       boolean signResponse) throws SAMLException {
-
-               if (provider != null) {
-                       boolean signAssertions = false;
-
-                       SPSSODescriptor sp = provider.getSPSSODescriptor(org.opensaml.XML.SAML11_PROTOCOL_ENUM);
-                       if (sp == null) {
-                               log.info("Inappropriate metadata for provider: " + provider.getId() + ".  Expected SPSSODescriptor.");
-                       }
-                       if (sp.getWantAssertionsSigned()) {
-                               signAssertions = true;
-                       }
-
-                       if (signAssertions && relyingParty.getIdentityProvider().getSigningCredential() != null
-                                       && relyingParty.getIdentityProvider().getSigningCredential().getPrivateKey() != null) {
-
-                               Iterator assertions = response.getAssertions();
-
-                               while (assertions.hasNext()) {
-                                       SAMLAssertion assertion = (SAMLAssertion) assertions.next();
-                                       String assertionAlgorithm;
-                                       if (relyingParty.getIdentityProvider().getSigningCredential().getCredentialType() == Credential.RSA) {
-                                               assertionAlgorithm = XMLSignature.ALGO_ID_SIGNATURE_RSA_SHA1;
-                                       } else if (relyingParty.getIdentityProvider().getSigningCredential().getCredentialType() == Credential.DSA) {
-                                               assertionAlgorithm = XMLSignature.ALGO_ID_SIGNATURE_DSA;
-                                       } else {
-                                               throw new InvalidCryptoException(SAMLException.RESPONDER,
-                                                               "The Shibboleth IdP currently only supports signing with RSA and DSA keys.");
-                                       }
-
-                                       assertion.sign(assertionAlgorithm, relyingParty.getIdentityProvider().getSigningCredential()
-                                                       .getPrivateKey(), Arrays.asList(relyingParty.getIdentityProvider().getSigningCredential()
-                                                       .getX509CertificateChain()));
-                               }
-                       }
-               }
+       public void signAssertions(SAMLAssertion[] assertions, RelyingParty relyingParty) throws InvalidCryptoException,
+                       SAMLException {
 
-               // Sign the response, if appropriate
-               if (signResponse && relyingParty.getIdentityProvider().getSigningCredential() != null
-                               && relyingParty.getIdentityProvider().getSigningCredential().getPrivateKey() != null) {
+               if (relyingParty.getIdentityProvider().getSigningCredential() == null
+                               || relyingParty.getIdentityProvider().getSigningCredential().getPrivateKey() == null) { throw new InvalidCryptoException(
+                               SAMLException.RESPONDER, "Invalid signing credential."); }
 
-                       String responseAlgorithm;
+               for (int i = 0; i < assertions.length; i++) {
+                       String assertionAlgorithm;
                        if (relyingParty.getIdentityProvider().getSigningCredential().getCredentialType() == Credential.RSA) {
-                               responseAlgorithm = XMLSignature.ALGO_ID_SIGNATURE_RSA_SHA1;
+                               assertionAlgorithm = XMLSignature.ALGO_ID_SIGNATURE_RSA_SHA1;
                        } else if (relyingParty.getIdentityProvider().getSigningCredential().getCredentialType() == Credential.DSA) {
-                               responseAlgorithm = XMLSignature.ALGO_ID_SIGNATURE_DSA;
+                               assertionAlgorithm = XMLSignature.ALGO_ID_SIGNATURE_DSA;
                        } else {
                                throw new InvalidCryptoException(SAMLException.RESPONDER,
                                                "The Shibboleth IdP currently only supports signing with RSA and DSA keys.");
                        }
 
+                       try {
+                               throttle.enter();
+                               assertions[i].sign(assertionAlgorithm, relyingParty.getIdentityProvider().getSigningCredential()
+                                               .getPrivateKey(), Arrays.asList(relyingParty.getIdentityProvider().getSigningCredential()
+                                               .getX509CertificateChain()));
+                       } finally {
+                               throttle.exit();
+                       }
+               }
+       }
+
+       public void signResponse(SAMLResponse response, RelyingParty relyingParty) throws SAMLException {
+
+               // Make sure we have an appropriate credential
+               if (relyingParty.getIdentityProvider().getSigningCredential() == null
+                               || relyingParty.getIdentityProvider().getSigningCredential().getPrivateKey() == null) { throw new InvalidCryptoException(
+                               SAMLException.RESPONDER, "Invalid signing credential."); }
+
+               // Sign the response
+               String responseAlgorithm;
+               if (relyingParty.getIdentityProvider().getSigningCredential().getCredentialType() == Credential.RSA) {
+                       responseAlgorithm = XMLSignature.ALGO_ID_SIGNATURE_RSA_SHA1;
+               } else if (relyingParty.getIdentityProvider().getSigningCredential().getCredentialType() == Credential.DSA) {
+                       responseAlgorithm = XMLSignature.ALGO_ID_SIGNATURE_DSA;
+               } else {
+                       throw new InvalidCryptoException(SAMLException.RESPONDER,
+                                       "The Shibboleth IdP currently only supports signing with RSA and DSA keys.");
+               }
+               try {
+                       throttle.enter();
                        response.sign(responseAlgorithm, relyingParty.getIdentityProvider().getSigningCredential().getPrivateKey(),
                                        Arrays.asList(relyingParty.getIdentityProvider().getSigningCredential().getX509CertificateChain()));
+               } finally {
+                       throttle.exit();
                }
        }
 
-       protected void addFederationProvider(Element element) {
+       protected void addMetadataProvider(Element element) {
 
-               log.debug("Found Federation Provider configuration element.");
-               if (!element.getTagName().equals("FederationProvider")) {
-                       log.error("Error while attemtping to load Federation Provider.  Malformed provider specificaion.");
+               log.debug("Found Metadata Provider configuration element.");
+               if (!element.getTagName().equals("MetadataProvider")) {
+                       log.error("Error while attemtping to load Metadata Provider.  Malformed provider specificaion.");
                        return;
                }
 
                try {
-                       fedMetadata.add(FederationProviderFactory.loadProvider(element));
+                       metadata.add(MetadataProviderFactory.loadProvider(element));
                } catch (MetadataException e) {
-                       log.error("Unable to load Federation Provider.  Skipping...");
+                       log.error("Unable to load Metadata Provider.  Skipping...");
                }
        }
 
        public int providerCount() {
 
-               return fedMetadata.size();
+               return metadata.size();
        }
 
        public EntityDescriptor lookup(String providerId) {
 
-               Iterator iterator = fedMetadata.iterator();
+               Iterator iterator = metadata.iterator();
                while (iterator.hasNext()) {
                        EntityDescriptor provider = ((Metadata) iterator.next()).lookup(providerId);
                        if (provider != null) { return provider; }
@@ -211,7 +204,7 @@ public class IdPProtocolSupport implements Metadata {
 
        public EntityDescriptor lookup(Artifact artifact) {
 
-               Iterator iterator = fedMetadata.iterator();
+               Iterator iterator = metadata.iterator();
                while (iterator.hasNext()) {
                        EntityDescriptor provider = ((Metadata) iterator.next()).lookup(artifact);
                        if (provider != null) { return provider; }
@@ -277,4 +270,37 @@ public class IdPProtocolSupport implements Metadata {
 
                return artifactMapper;
        }
+
+       public Trust getTrust() {
+
+               return trust;
+       }
+
+       private class Semaphore {
+
+               private int value;
+
+               public Semaphore(int value) {
+
+                       this.value = value;
+               }
+
+               public synchronized void enter() {
+
+                       --value;
+                       if (value < 0) {
+                               try {
+                                       wait();
+                               } catch (InterruptedException e) {
+                                       // squelch and continue
+                               }
+                       }
+               }
+
+               public synchronized void exit() {
+
+                       ++value;
+                       notify();
+               }
+       }
 }
\ No newline at end of file