*
* @return the attributes to be released
*/
- public void filterAttributes(Collection<ArpAttribute> attributes, Principal principal, String requester,
+ public void filterAttributes(Collection<? extends ArpAttribute> attributes, Principal principal, String requester,
URL resource) throws ArpProcessingException {
if (attributes.isEmpty()) {
log.info("Applying Attribute Release Policies.");
if (log.isDebugEnabled()) {
log.debug("Processing the following attributes:");
- for (Iterator<ArpAttribute> attrIterator = attributes.iterator(); attrIterator.hasNext();) {
+ for (Iterator<? extends ArpAttribute> attrIterator = attributes.iterator(); attrIterator.hasNext();) {
log.debug("Attribute: (" + attrIterator.next().getName() + ")");
}
}
// Gather all applicable ARP attribute specifiers
Set<String> attributeNames = new HashSet<String>();
- for (Iterator<ArpAttribute> nameIterator = attributes.iterator(); nameIterator.hasNext();) {
+ for (Iterator<? extends ArpAttribute> nameIterator = attributes.iterator(); nameIterator.hasNext();) {
attributeNames.add(nameIterator.next().getName());
}
Rule[] rules = createEffectiveArp(principal, requester, resource).getAllRules();
.toArray(new Rule.Attribute[0]));
// Filter
- for (Iterator<ArpAttribute> returnIterator = attributes.iterator(); returnIterator.hasNext();) {
+ for (Iterator<? extends ArpAttribute> returnIterator = attributes.iterator(); returnIterator.hasNext();) {
ArpAttribute arpAttribute = returnIterator.next();
Rule.Attribute attribute = (Rule.Attribute) arpAttributeSpecs.get(arpAttribute.getName());
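Review bot: The Javadoc at L2 still reads `@return the attributes to be released`, but the method is `void` and filters `attributes` in place, and with the new `Collection<? extends ArpAttribute>` signature that in-place contract is the only thing callers can rely on; replace the tag with a sentence such as `Filters the supplied collection in place, removing every attribute the effective ARP does not release; the collection must support Iterator.remove() (callers pass a live Map.values() view).` The removal loop starting at L26 continues outside the hunk, so whether it removes through the iterator cannot be confirmed here. The `if (attributes.isEmpty())` at L7 reads, as rendered, as if it gates the whole policy pass; if that is the real structure rather than a collapsed early-return, filtering would be skipped for every non-empty set, which needs confirming against the full file.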
import java.security.Principal;
import java.util.ArrayList;
import java.util.Arrays;
+import java.util.Collection;
+import java.util.HashMap;
import java.util.Iterator;
+import java.util.Map;
import org.apache.log4j.Logger;
import org.apache.xml.security.signature.XMLSignature;
import org.w3c.dom.Element;
import edu.internet2.middleware.shibboleth.aa.AAAttribute;
-import edu.internet2.middleware.shibboleth.aa.AAAttributeSet;
import edu.internet2.middleware.shibboleth.aa.AAException;
import edu.internet2.middleware.shibboleth.aa.arp.ArpEngine;
import edu.internet2.middleware.shibboleth.aa.arp.ArpProcessingException;
import edu.internet2.middleware.shibboleth.metadata.EntitiesDescriptor;
import edu.internet2.middleware.shibboleth.metadata.EntityDescriptor;
import edu.internet2.middleware.shibboleth.metadata.Metadata;
-import edu.internet2.middleware.shibboleth.metadata.MetadataProviderFactory;
import edu.internet2.middleware.shibboleth.metadata.MetadataException;
+import edu.internet2.middleware.shibboleth.metadata.MetadataProviderFactory;
/**
* Delivers core IdP functionality (Attribute resolution, ARP filtering, Metadata lookup, Signing, Mapping between local &
return null;
}
- public SAMLAttribute[] getReleaseAttributes(Principal principal, RelyingParty relyingParty, String requester,
- URL resource) throws AAException {
+ public Collection<? extends SAMLAttribute> getReleaseAttributes(Principal principal, RelyingParty relyingParty,
+ String requester, URL resource) throws AAException {
try {
- URI[] potentialAttributes = arpEngine.listPossibleReleaseAttributes(principal, requester, resource);
+ Collection<URI> potentialAttributes = arpEngine.listPossibleReleaseAttributes(principal, requester,
+ resource);
return getReleaseAttributes(principal, relyingParty, requester, resource, potentialAttributes);
} catch (ArpProcessingException e) {
}
}
- public SAMLAttribute[] getReleaseAttributes(Principal principal, RelyingParty relyingParty, String requester,
- URL resource, URI[] attributeNames) throws AAException {
+ public Collection<? extends SAMLAttribute> getReleaseAttributes(Principal principal, RelyingParty relyingParty,
+ String requester, URL resource, Collection<URI> attributeNames) throws AAException {
try {
- AAAttributeSet attributeSet = new AAAttributeSet();
- for (int i = 0; i < attributeNames.length; i++) {
+ Map<String, AAAttribute> attributes = new HashMap<String, AAAttribute>();
+ for (URI name : attributeNames) {
AAAttribute attribute = null;
if (relyingParty.wantsSchemaHack()) {
- attribute = new AAAttribute(attributeNames[i].toString(), true);
+ attribute = new AAAttribute(name.toString(), true);
} else {
- attribute = new AAAttribute(attributeNames[i].toString(), false);
+ attribute = new AAAttribute(name.toString(), false);
}
-
- attributeSet.add(attribute);
+ attributes.put(attribute.getName(), attribute);
}
return resolveAttributes(principal, requester, relyingParty.getIdentityProvider().getProviderId(),
- resource, attributeSet);
+ resource, attributes);
} catch (SAMLException e) {
log.error("An error occurred while creating attributes for principal (" + principal.getName() + ") :"
}
}
- public SAMLAttribute[] resolveAttributes(Principal principal, String requester, String responder, URL resource,
- AAAttributeSet attributeSet) throws ArpProcessingException {
+ public Collection<? extends SAMLAttribute> resolveAttributes(Principal principal, String requester,
+ String responder, URL resource, Map<String, AAAttribute> attributeSet) throws ArpProcessingException {
resolver.resolveAttributes(principal, requester, responder, attributeSet);
- arpEngine.filterAttributes(attributeSet, principal, requester, resource);
- return attributeSet.getAttributes();
+ arpEngine.filterAttributes(attributeSet.values(), principal, requester, resource);
+ return attributeSet.values();
}
- public SAMLAttribute[] resolveAttributesNoPolicies(Principal principal, String requester, String responder,
- AAAttributeSet attributeSet) {
+ public Collection<? extends SAMLAttribute> resolveAttributesNoPolicies(Principal principal, String requester,
+ String responder, Map<String, AAAttribute> attributeSet) {
resolver.resolveAttributes(principal, requester, responder, attributeSet);
- return attributeSet.getAttributes();
+ return attributeSet.values();
}
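Review bot: `resolveAttributesNoPolicies` at L106 now returns the same `Collection<? extends SAMLAttribute>` as the ARP-filtered `resolveAttributes`, so nothing in the type system distinguishes an unfiltered result from a policy-checked one; add Javadoc stating that no ARP is applied and the result must never be released to a relying party, e.g. `Resolves attributes without applying any Attribute Release Policy; for diagnostics only, never for release.` Both methods also return `attributeSet.values()`, a live view of the caller's map, so a caller that keeps the map sees the ARP removals and a caller that later mutates the map changes the returned collection; either document that aliasing or wrap the result in `Collections.unmodifiableCollection`. The body of `catch (ArpProcessingException e)` at L63 is outside the hunk, so whether that path fails closed cannot be assessed here.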
/**
import org.opensaml.SAMLAttributeStatement;
import org.opensaml.SAMLAudienceRestrictionCondition;
import org.opensaml.SAMLAuthenticationStatement;
+import org.opensaml.SAMLCondition;
import org.opensaml.SAMLConfig;
import org.opensaml.SAMLException;
import org.opensaml.SAMLNameIdentifier;
SAMLAssertion assertion, HttpServletRequest request) throws SAMLException {
try {
- SAMLAttribute[] attributes = support.getReleaseAttributes(principal, relyingParty, relyingParty
- .getProviderId(), null);
- log.info("Found " + attributes.length + " attribute(s) for " + principal.getName());
+ Collection<? extends SAMLAttribute> attributes = support.getReleaseAttributes(principal, relyingParty,
+ relyingParty.getProviderId(), null);
+ log.info("Found " + attributes.size() + " attribute(s) for " + principal.getName());
// Bail if we didn't get any attributes
- if (attributes == null || attributes.length < 1) {
+ if (attributes == null || attributes.size() < 1) {
log.info("No attributes resolved.");
return;
}
// The ADFS spec recommends that all attributes have this URI, but it doesn't require it
- for (int i = 0; i < attributes.length; i++) {
- if (!attributes[i].getNamespace().equals(CLAIMS_URI)) {
+ for (SAMLAttribute attribute : attributes) {
+ if (!attribute.getNamespace().equals(CLAIMS_URI)) {
log.warn("It is recommended that all attributes sent via the ADFS SSO handler "
- + "have a namespace of (" + CLAIMS_URI + "). The attribute (" + attributes[i].getName()
- + ") has a namespace of (" + attributes[i].getNamespace() + ").");
+ + "have a namespace of (" + CLAIMS_URI + "). The attribute (" + attribute.getName()
+ + ") has a namespace of (" + attribute.getNamespace() + ").");
}
}
subject.addConfirmationMethod(SAMLSubject.CONF_BEARER);
// ADFS spec requires a single audience of the SP
- ArrayList audiences = new ArrayList();
+ ArrayList<String> audiences = new ArrayList<String>();
if (relyingParty.getProviderId() != null) {
audiences.add(relyingParty.getProviderId());
}
- Vector conditions = new Vector(1);
+ Vector<SAMLCondition> conditions = new Vector<SAMLCondition>(1);
if (audiences != null && audiences.size() > 0) conditions.add(new SAMLAudienceRestrictionCondition(audiences));
// Determine the correct issuer
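Review bot: The comment at L147 says the ADFS spec requires a single audience, yet when `relyingParty.getProviderId()` is null the `audiences.size() > 0` guard at L155 silently issues a bearer assertion (L146) with no `SAMLAudienceRestrictionCondition`, which any relying party could accept; the new `ArrayList<String>` typing preserves that path. Fail closed instead: `if (relyingParty.getProviderId() == null) throw new SAMLException("Relying party has no provider id; cannot scope ADFS assertion.");` and drop the always-true `audiences != null` test. Separately, `attributes.size()` at L127 runs before the `attributes == null` check at L130, so the null branch is unreachable and a null return would surface as a NullPointerException; move the log below the check or delete the null test.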
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
+import java.util.Collection;
import java.util.Collections;
import java.util.Date;
import java.util.Iterator;
private String authenticateAs(String assertedId, X509Certificate[] chain, IdPProtocolSupport support)
throws InvalidProviderCredentialException {
+
// See if we have metadata for this provider
EntityDescriptor provider = support.lookup(assertedId);
if (provider == null) {
log.info("No metadata found for providerId: (" + assertedId + ").");
return null;
- }
- else {
+ } else {
log.info("Metadata found for providerId: (" + assertedId + ").");
}
RoleDescriptor ar_role = provider.getAttributeRequesterDescriptor(XML.SAML11_PROTOCOL_ENUM);
RoleDescriptor sp_role = provider.getSPSSODescriptor(XML.SAML11_PROTOCOL_ENUM);
if (ar_role == null && sp_role == null) {
- log.info("SPSSO and Stand-Alone Requester roles not found in metadata for provider: ("
- + assertedId + ").");
+ log.info("SPSSO and Stand-Alone Requester roles not found in metadata for provider: (" + assertedId + ").");
return null;
}
// Make sure that the supplied credential is valid for the selected provider role.
- if ((ar_role != null && support.getTrust().validate(chain[0], chain, ar_role)) ||
- (sp_role != null && support.getTrust().validate(chain[0], chain, sp_role))) {
+ if ((ar_role != null && support.getTrust().validate(chain[0], chain, ar_role))
+ || (sp_role != null && support.getTrust().validate(chain[0], chain, sp_role))) {
log.info("Supplied credentials validated for this provider.");
return assertedId;
} else {
- log.error("Supplied credentials ("
- + chain[0].getSubjectX500Principal().getName(X500Principal.RFC2253)
+ log.error("Supplied credentials (" + chain[0].getSubjectX500Principal().getName(X500Principal.RFC2253)
+ ") are NOT valid for provider (" + assertedId + ").");
throw new InvalidProviderCredentialException("Invalid credentials.");
}
public SAMLResponse processRequest(HttpServletRequest request, HttpServletResponse response,
SAMLRequest samlRequest, IdPProtocolSupport support) throws SAMLException, IOException, ServletException {
- if (samlRequest == null || samlRequest.getQuery() == null || !(samlRequest.getQuery() instanceof SAMLAttributeQuery)) {
+ if (samlRequest == null || samlRequest.getQuery() == null
+ || !(samlRequest.getQuery() instanceof SAMLAttributeQuery)) {
log.error("Protocol Handler can only respond to SAML Attribute Queries.");
throw new SAMLException("General error processing request.");
}
String effectiveName = null;
// Log the physical credential supplied, if any.
- X509Certificate[] credentials = (X509Certificate[]) request.getAttribute("javax.servlet.request.X509Certificate");
- if (credentials == null || credentials.length == 0 ||
- credentials[0].getSubjectX500Principal().getName(X500Principal.RFC2253).equals("")) {
+ X509Certificate[] credentials = (X509Certificate[]) request
+ .getAttribute("javax.servlet.request.X509Certificate");
+ if (credentials == null || credentials.length == 0
+ || credentials[0].getSubjectX500Principal().getName(X500Principal.RFC2253).equals("")) {
log.info("Request contained no credentials, treating as an unauthenticated service provider.");
- }
- else {
+ } else {
log.info("Request contains credentials: ("
+ credentials[0].getSubjectX500Principal().getName(X500Principal.RFC2253) + ").");
- // Try and authenticate the requester as any of the potentially relevant identifiers we know.
+ // Try and authenticate the requester as any of the potentially relevant identifiers we know.
try {
if (attributeQuery.getResource() != null) {
log.info("Remote provider has identified itself as: (" + attributeQuery.getResource() + ").");
}
if (effectiveName == null) {
- log.info("Remote provider not yet identified, attempting to derive requesting provider from credentials.");
+ log
+ .info("Remote provider not yet identified, attempting to derive requesting provider from credentials.");
// Try the additional candidates.
String[] candidateNames = getCredentialNames(credentials[0]);
throw new SAMLException(SAMLException.REQUESTER, "Invalid credentials for request.");
}
}
-
+
if (effectiveName == null) {
log.info("Unable to locate metadata about provider, treating as an unauthenticated service provider.");
relyingParty = support.getServiceProviderMapper().getRelyingParty(null);
- if(log.isDebugEnabled()) {
- log.debug("Using default Relying Party, " + relyingParty.getName() + " for unauthenticated provider.");
- }
- }
- else {
+ if (log.isDebugEnabled()) {
+ log.debug("Using default Relying Party, " + relyingParty.getName() + " for unauthenticated provider.");
+ }
+ } else {
// Identify a Relying Party
log.debug("Mapping authenticated provider (" + effectiveName + ") to Relying Party.");
relyingParty = support.getServiceProviderMapper().getRelyingParty(effectiveName);
String method = (String) iterator.next();
log.info("Request contains SAML Subject Confirmation method: (" + method + ").");
hasConfirmationMethod = true;
- if (!method.equals(SAMLSubject.CONF_BEARER))
- hasOnlyBearer = false;
- }
- if (hasConfirmationMethod && !hasOnlyBearer) {
- throw new SAMLException(SAMLException.REQUESTER,
- "This SAML authority cannot honor requests containing the supplied SAML Subject Confirmation Method(s).");
+ if (!method.equals(SAMLSubject.CONF_BEARER)) hasOnlyBearer = false;
}
+ if (hasConfirmationMethod && !hasOnlyBearer) { throw new SAMLException(SAMLException.REQUESTER,
+ "This SAML authority cannot honor requests containing the supplied SAML Subject Confirmation Method(s)."); }
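Review bot: The reformatted guard at L265-266 folds the `throw` into single-line braces, `if (hasConfirmationMethod &amp;&amp; !hasOnlyBearer) { throw new SAMLException(...); }`, which hides the only rejection point for non-bearer confirmation methods inside a line that wraps past the margin; keep the original multi-line block so the throw sits on its own line. The same pass at L263 put `hasOnlyBearer = false;` on the `if` line without braces, which the surrounding code otherwise avoids. Neither change alters behavior, but this check decides whether a subject carrying a holder-of-key or sender-vouches method is refused, and it should read unambiguously.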
// Map Subject to local principal
Principal principal = null;
log.info("Request is for principal (" + principal.getName() + ").");
// Get attributes from resolver
- SAMLAttribute[] attrs;
+ Collection<? extends SAMLAttribute> attrs;
Iterator requestedAttrsIterator = attributeQuery.getDesignators();
if (requestedAttrsIterator.hasNext()) {
log.info("Request designates specific attributes, resolving this set.");
- ArrayList requestedAttrs = new ArrayList();
+ ArrayList<URI> requestedAttrs = new ArrayList<URI>();
while (requestedAttrsIterator.hasNext()) {
SAMLAttributeDesignator attribute = (SAMLAttributeDesignator) requestedAttrsIterator.next();
try {
}
}
- attrs = support.getReleaseAttributes(principal, relyingParty, effectiveName, null,
- (URI[]) requestedAttrs.toArray(new URI[0]));
+ attrs = support.getReleaseAttributes(principal, relyingParty, effectiveName, null, requestedAttrs);
} else {
log.info("Request does not designate specific attributes, resolving all available.");
attrs = support.getReleaseAttributes(principal, relyingParty, effectiveName, null);
}
- log.info("Found " + attrs.length + " attribute(s) for " + principal.getName());
+ log.info("Found " + attrs.size() + " attribute(s) for " + principal.getName());
// Put attributes names in the transaction log when it is set to DEBUG
- if (support.getTransactionLog().isDebugEnabled() && attrs.length > 0) {
+ if (support.getTransactionLog().isDebugEnabled() && attrs.size() > 0) {
StringBuffer attrNameBuffer = new StringBuffer();
- for (int i = 0; i < attrs.length; i++) {
- attrNameBuffer.append("(" + attrs[i].getName() + ")");
+ for (SAMLAttribute attr : attrs) {
+ attrNameBuffer.append("(" + attr.getName() + ")");
}
support.getTransactionLog()
.debug(
SAMLResponse samlResponse = null;
- if (attrs == null || attrs.length == 0) {
+ if (attrs == null || attrs.size() == 0) {
// No attribute found
samlResponse = new SAMLResponse(samlRequest.getId(), null, null, null);
// Reference requested subject
SAMLSubject rSubject = (SAMLSubject) attributeQuery.getSubject().clone();
- ArrayList audiences = new ArrayList();
+ ArrayList<String> audiences = new ArrayList<String>();
if (relyingParty.getProviderId() != null) {
audiences.add(relyingParty.getProviderId());
}
// Set assertion expiration to longest attribute expiration
long max = 0;
- for (int i = 0; i < attrs.length; i++) {
- if (max < attrs[i].getLifetime()) {
- max = attrs[i].getLifetime();
+ for (SAMLAttribute attr : attrs) {
+ if (max < attr.getLifetime()) {
+ max = attr.getLifetime();
}
}
Date now = new Date();
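Review bot: `attrs.size()` at L291 dereferences the collection before the `attrs == null` test at L305, so that null branch can never run and a null return from `getReleaseAttributes` would be a NullPointerException rather than the empty `SAMLResponse` built at L307; either drop the null test or move the size log below it. The designator list at L277-285 is built from the requester's own `SAMLAttributeQuery` and is therefore untrusted input; it is only safe because `getReleaseAttributes` routes the named attributes through the ARP filter, which deserves a comment on L285 such as `// requested names are untrusted; ARP filtering inside getReleaseAttributes decides what is actually released`. The `try` opened at L280 closes outside the visible lines.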
import java.net.URLEncoder;
import java.util.ArrayList;
import java.util.Arrays;
+import java.util.Collection;
import java.util.Collections;
import java.util.Date;
import java.util.Iterator;
SAMLSubject authNSubject) throws SAMLException, IOException, UnsupportedEncodingException {
log.debug("Responding with Artifact profile.");
- ArrayList assertions = new ArrayList();
+ ArrayList<SAMLAssertion> assertions = new ArrayList<SAMLAssertion>();
authNSubject.addConfirmationMethod(SAMLSubject.CONF_ARTIFACT);
assertions.add(generateAuthNAssertion(request, relyingParty, descriptor, nameId, authenticationMethod,
}
// Create artifacts for each assertion
- ArrayList artifacts = new ArrayList();
+ ArrayList<Artifact> artifacts = new ArrayList<Artifact>();
for (int i = 0; i < assertions.size(); i++) {
SAMLAssertion assertion = (SAMLAssertion) assertions.get(i);
Artifact artifact = support.getArtifactMapper().generateArtifact(assertion, relyingParty);
+ nameId.getFormat() + ").");
}
- public static boolean pushAttributeDefault = false;
-
+ public static boolean pushAttributeDefault = false;
+
private void respondWithPOST(HttpServletRequest request, HttpServletResponse response, IdPProtocolSupport support,
LocalPrincipal principal, RelyingParty relyingParty, EntityDescriptor descriptor, String acceptanceURL,
SAMLNameIdentifier nameId, String authenticationMethod, SAMLSubject authNSubject) throws SAMLException,
IOException, ServletException {
log.debug("Responding with POST profile.");
- ArrayList assertions = new ArrayList();
+ ArrayList<SAMLAssertion> assertions = new ArrayList<SAMLAssertion>();
authNSubject.addConfirmationMethod(SAMLSubject.CONF_BEARER);
assertions.add(generateAuthNAssertion(request, relyingParty, descriptor, nameId, authenticationMethod,
getAuthNTime(request), authNSubject));
}
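Review bot: With `assertions` now declared `ArrayList<SAMLAssertion>` at L336, the cast at L344, `SAMLAssertion assertion = (SAMLAssertion) assertions.get(i);`, is redundant and the index loop at L343 can become `for (SAMLAssertion assertion : assertions)`, matching the enhanced-for style this commit adopts elsewhere. `public static boolean pushAttributeDefault` at L350 is only re-indented here, but a public mutable static that presumably decides whether attributes are pushed with the authentication assertion is global state any code in the JVM can flip; if it is configuration, make it `private static volatile` behind an accessor, or at least document who is allowed to set it.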
private void generateAttributes(IdPProtocolSupport support, LocalPrincipal principal, RelyingParty relyingParty,
- ArrayList assertions, HttpServletRequest request) throws SAMLException {
+ ArrayList<SAMLAssertion> assertions, HttpServletRequest request) throws SAMLException {
try {
- SAMLAttribute[] attributes = support.getReleaseAttributes(principal, relyingParty, relyingParty
- .getProviderId(), null);
- log.info("Found " + attributes.length + " attribute(s) for " + principal.getName());
+ Collection<? extends SAMLAttribute> attributes = support.getReleaseAttributes(principal, relyingParty,
+ relyingParty.getProviderId(), null);
+ log.info("Found " + attributes.size() + " attribute(s) for " + principal.getName());
// Bail if we didn't get any attributes
- if (attributes == null || attributes.length < 1) {
+ if (attributes == null || attributes.size() < 1) {
log.info("No attributes resolved.");
return;
}
+ assertions.get(0).toString());
}
} else {
- ArrayList audiences = new ArrayList();
+ ArrayList<String> audiences = new ArrayList<String>();
if (relyingParty.getProviderId() != null) {
audiences.add(relyingParty.getProviderId());
}
// Set assertion expiration to longest attribute expiration
long max = 0;
- for (int i = 0; i < attributes.length; i++) {
- if (max < attributes[i].getLifetime()) {
- max = attributes[i].getLifetime();
+ for (SAMLAttribute attribute : attributes) {
+ if (max < attribute.getLifetime()) {
+ max = attribute.getLifetime();
}
}
Date now = new Date();
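Review bot: `attributes.size()` in the log at L372 runs before the `attributes == null` check at L375, so that null test is unreachable and a null return from `getReleaseAttributes` would throw NullPointerException instead of taking the `No attributes resolved` return; move the log below the check or remove the null test (the `IdPProtocolSupport` hunk shows the method returning `attributeSet.values()`, which is never null). The `audiences` list built at L383-386 feeds a condition whose construction lies outside this hunk, so the unscoped-assertion case when `getProviderId()` is null is not assessed here.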
SAMLSubject subject) throws SAMLException, IOException {
// Determine the correct audiences
- ArrayList audiences = new ArrayList();
+ ArrayList<String> audiences = new ArrayList<String>();
if (relyingParty.getProviderId() != null) {
audiences.add(relyingParty.getProviderId());
}
}
// For compatibility with pre-1.2 shibboleth targets, include a pointer to the AA
- ArrayList bindings = new ArrayList();
+ ArrayList<SAMLAuthorityBinding> bindings = new ArrayList<SAMLAuthorityBinding>();
if (relyingParty.isLegacyProvider()) {
SAMLAuthorityBinding binding = new SAMLAuthorityBinding(SAMLBinding.SOAP, relyingParty.getAAUrl()
}
// Create the assertion
- Vector conditions = new Vector(1);
+ Vector<SAMLCondition> conditions = new Vector<SAMLCondition>(1);
if (audiences != null && audiences.size() > 0) conditions.add(new SAMLAudienceRestrictionCondition(audiences));
SAMLStatement[] statements = {new SAMLAuthenticationStatement(subject, authenticationMethod, authTime, request
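Review bot: When `relyingParty.getProviderId()` is null, the `audiences.size() > 0` guard at L415 issues the authentication assertion with no `SAMLAudienceRestrictionCondition`; under the POST profile that is a bearer assertion (L359) any service provider could consume, so this should fail closed rather than degrade. Replace the guard with `if (audiences.isEmpty()) throw new SAMLException("No provider id for relying party; refusing to issue an unscoped assertion.");` before building `conditions`, and drop the `audiences != null` test, which is always true for the list constructed at L401. The legacy `bindings` list at L408 and the statement array at L416 continue past the hunk.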
import jargs.gnu.CmdLineParser;
-import java.io.ByteArrayOutputStream;
import java.io.PrintStream;
import java.io.PrintWriter;
import java.net.MalformedURLException;
import java.net.URL;
import java.security.Principal;
+import java.util.Collection;
+import java.util.HashMap;
+import java.util.Iterator;
+import java.util.Map;
import org.apache.log4j.ConsoleAppender;
import org.apache.log4j.Level;
import org.w3c.dom.NodeList;
import edu.internet2.middleware.shibboleth.aa.AAAttribute;
-import edu.internet2.middleware.shibboleth.aa.AAAttributeSet;
-import edu.internet2.middleware.shibboleth.aa.AAAttributeSet.ShibAttributeIterator;
import edu.internet2.middleware.shibboleth.aa.arp.ArpEngine;
import edu.internet2.middleware.shibboleth.aa.arp.ArpException;
import edu.internet2.middleware.shibboleth.aa.arp.ArpProcessingException;
parseCommandLine(args);
initializeResolver();
- AAAttributeSet attributeSet = createAttributeSet();
+ Map<String, AAAttribute> attributeSet = createAttributeSet();
resolveAttributes(attributeSet);
System.out.println("Received the following from the Attribute Resolver:");
System.out.println();
- printAttributes(System.out, attributeSet);
+ printAttributes(System.out, attributeSet.values());
}
- private static void resolveAttributes(AAAttributeSet attributeSet) {
+ private static void resolveAttributes(Map<String, AAAttribute> attributeSet) {
Principal principal = new LocalPrincipal(user);
try {
if (arpEngine != null) {
- arpEngine.filterAttributes(attributeSet, principal, requester, resourceUrl);
+ arpEngine.filterAttributes(attributeSet.values(), principal, requester, resourceUrl);
}
} catch (ArpProcessingException e) {
System.err.println("Error applying Attribute Release Policy: " + e.getMessage());
}
}
- private static AAAttributeSet createAttributeSet() {
+ private static Map<String, AAAttribute> createAttributeSet() {
- String[] attributes = resolver.listRegisteredAttributeDefinitionPlugIns();
- AAAttributeSet attributeSet = new AAAttributeSet();
+ Collection<String> attributes = resolver.listRegisteredAttributeDefinitionPlugIns();
+ Map<String, AAAttribute> attributeSet = new HashMap<String, AAAttribute>();
- for (int i = 0; i < attributes.length; i++) {
+ for (String attrName : attributes) {
try {
- attributeSet.add(new AAAttribute(attributes[i]));
+ attributeSet.put(attrName, new AAAttribute(attrName));
} catch (SAMLException e) {
- System.err.println("Error creating AAAttribute (" + attributes[i] + "): " + e.getMessage());
+ System.err.println("Error creating AAAttribute (" + attrName + "): " + e.getMessage());
System.exit(1);
}
}
}
}
- private static void printAttributes(PrintStream out, AAAttributeSet attributeSet) {
+ private static void printAttributes(PrintStream out, Collection<AAAttribute> attributeSet) {
try {
- for (ShibAttributeIterator iterator = attributeSet.shibAttributeIterator(); iterator.hasNext();) {
- AAAttribute attribute = iterator.nextShibAttribute();
+ for (Iterator<AAAttribute> iterator = attributeSet.iterator(); iterator.hasNext();) {
+ AAAttribute attribute = iterator.next();
Node node = attribute.toDOM();
- ByteArrayOutputStream xml = new ByteArrayOutputStream();
if (!(node instanceof Element)) {
System.err.println("Received bad Element data from SAML library.");
System.exit(1);
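Review bot: `createAttributeSet` at L469 keys the map by the plugin id `attrName`, while the runtime path in `IdPProtocolSupport` (L85) keys by `attribute.getName()`; if `AAAttribute` normalizes or rewrites the name, the two maps disagree and the ARP filter invoked at L453, which looks rules up by `getName()`, would be exercising something other than production behavior. Use the same key: `AAAttribute attribute = new AAAttribute(attrName); attributeSet.put(attribute.getName(), attribute);`. `printAttributes` at L479 only reads its argument, so `Collection<? extends AAAttribute>` would follow the producer-extends convention the commit adopts for `filterAttributes` and accept views of subtypes; its body continues outside the hunk.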