entrouvert
/
lasso
16
0
Fork 0
Code Issues Pull Requests Releases Activity
lasso/lasso/id-ff/server.c

821 lines
25 KiB
C
Raw Blame History

/* $Id$
*
* Lasso - A free implementation of the Liberty Alliance specifications.
*
* Copyright (C) 2004-2007 Entr'ouvert
* http://lasso.entrouvert.org
*
* Authors: See AUTHORS file in top-level directory.
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*/
/**
* SECTION:server
* @short_description: Representation of the current server
*
* It holds the data about a provider, other providers it knows, which
* certificates to use, etc.
**/
#include "../xml/private.h"
#include <xmlsec/base64.h>
#include <config.h>
#include "server.h"
#include "providerprivate.h"
#include "serverprivate.h"
#include "../saml-2.0/serverprivate.h"
#include "../utils.h"
#include "../debug.h"
#include "../lasso_config.h"
#ifdef LASSO_WSF_ENABLED
#include "../id-wsf/id_ff_extensions_private.h"
#include "../id-wsf-2.0/serverprivate.h"
#endif
/*****************************************************************************/
/* public methods */
/*****************************************************************************/
static gint
lasso_server_add_provider_helper(LassoServer *server, LassoProviderRole role,
const gchar *metadata, const gchar *public_key, const gchar *ca_cert_chain,
LassoProvider *(*provider_constructor)(LassoProviderRole role,
const char *metadata, const char *public_key, const char *ca_cert_chain))
{
LassoProvider *provider;
g_return_val_if_fail(LASSO_IS_SERVER(server), LASSO_PARAM_ERROR_BAD_TYPE_OR_NULL_OBJ);
g_return_val_if_fail(metadata != NULL, LASSO_PARAM_ERROR_INVALID_VALUE);
provider = provider_constructor(role, metadata, public_key, ca_cert_chain);
if (provider == NULL) {
return critical_error(LASSO_SERVER_ERROR_ADD_PROVIDER_FAILED);
}
provider->role = role;
if (LASSO_PROVIDER(server)->private_data->conformance == LASSO_PROTOCOL_SAML_2_0 &&
provider->private_data->conformance != LASSO_PROTOCOL_SAML_2_0) {
lasso_node_destroy(LASSO_NODE(provider));
return LASSO_SERVER_ERROR_ADD_PROVIDER_PROTOCOL_MISMATCH;
}
if (LASSO_PROVIDER(server)->private_data->conformance == LASSO_PROTOCOL_LIBERTY_1_2 &&
provider->private_data->conformance > LASSO_PROTOCOL_LIBERTY_1_2) {
lasso_node_destroy(LASSO_NODE(provider));
return LASSO_SERVER_ERROR_ADD_PROVIDER_PROTOCOL_MISMATCH;
}
g_hash_table_insert(server->providers, g_strdup(provider->ProviderID), provider);
return 0;
}
/**
* lasso_server_add_provider:
* @server: a #LassoServer
* @role: provider role, identity provider or service provider
* @metadata: path to the provider metadata file
* @public_key:(allow-none): provider public key file (may be a certificate) or NULL
* @ca_cert_chain:(allow-none): provider CA certificate chain file or NULL
*
* Creates a new #LassoProvider and makes it known to the @server
*
* Return value: 0 on success; a negative value if an error occured.
**/
gint
lasso_server_add_provider(LassoServer *server, LassoProviderRole role,
const gchar *metadata, const gchar *public_key, const gchar *ca_cert_chain)
{
return lasso_server_add_provider_helper(server, role, metadata,
public_key, ca_cert_chain, lasso_provider_new);
}
/**
* lasso_server_add_provider_from_buffer:
* @server: a #LassoServer
* @role: provider role, identity provider or service provider
* @metadata: a string buffer containg the metadata file for a new provider
* @public_key:(allow-none): provider public key file (may be a certificate) or NULL
* @ca_cert_chain:(allow-none): provider CA certificate chain file or NULL
*
* Creates a new #LassoProvider and makes it known to the @server
*
* Return value: 0 on success; a negative value if an error occured.
**/
gint
lasso_server_add_provider_from_buffer(LassoServer *server, LassoProviderRole role,
const gchar *metadata, const gchar *public_key, const gchar *ca_cert_chain)
{
return lasso_server_add_provider_helper(server, role, metadata,
public_key, ca_cert_chain, lasso_provider_new_from_buffer);
}
/**
* lasso_server_destroy:
* @server: a #LassoServer
*
* Destroys a server.
**/
void
lasso_server_destroy(LassoServer *server)
{
lasso_node_destroy(LASSO_NODE(server));
}
/**
* lasso_server_set_encryption_private_key:
* @server: a #LassoServer
* @filename_or_buffer:(allow-none): file name of the encryption key to load or its content as a
* NULL-terminated string.
*
* Load an encryption private key from a file and set it in the server object
*
* If @filename_or_buffer is NULL, it frees the currently setted key.
*
* Return value: 0 on success; another value if an error occured.
* Deprecated: 2.3: Use lasso_server_set_encryption_private_key_with_password() instead.
**/
int
lasso_server_set_encryption_private_key(LassoServer *server, const gchar *filename_or_buffer)
{
return lasso_server_set_encryption_private_key_with_password(server, filename_or_buffer,
NULL);
}
/**
* lasso_server_set_encryption_private_key_with_password:
* @server: a #LassoServer
* @filename_or_buffer:(allow-none): file name of the encryption key to load or its content as a
* NULL-terminated string.
* @password:(allow-none): an optional password to decrypt the encryption key.
*
* Load an encryption private key from a file and set it in the server object. If @password is
* non-NULL try to decrypt the key with it.
*
* If @filename_or_buffer is NULL, it frees the currently setted key.
*
* Return value: 0 on success; another value if an error occured.
* Since: 2.3
**/
int
lasso_server_set_encryption_private_key_with_password(LassoServer *server,
const gchar *filename_or_buffer, const gchar *password)
{
if (filename_or_buffer) {
xmlSecKey *key = lasso_xmlsec_load_private_key(filename_or_buffer, password);
if (! key || ! (xmlSecKeyGetType(key) & xmlSecKeyDataTypePrivate)) {
return LASSO_SERVER_ERROR_SET_ENCRYPTION_PRIVATE_KEY_FAILED;
}
lasso_release_sec_key(server->private_data->encryption_private_key);
server->private_data->encryption_private_key = key;
} else {
lasso_release_sec_key(server->private_data->encryption_private_key);
}
return 0;
}
/**
* lasso_server_load_affiliation:
* @server: a #LassoServer
* @filename: file name of the affiliation metadata to load
*
* Load an affiliation metadata file into @server; this must be called after
* providers have been added to @server.
*
* Return value: 0 on success; another value if an error occured.
**/
int
lasso_server_load_affiliation(LassoServer *server, const gchar *filename)
{
LassoProvider *provider = LASSO_PROVIDER(server);
xmlDoc *doc;
xmlNode *node;
int rc = 0;
doc = lasso_xml_parse_file(filename);
goto_cleanup_if_fail_with_rc (doc != NULL, LASSO_XML_ERROR_INVALID_FILE);
node = xmlDocGetRootElement(doc);
goto_cleanup_if_fail_with_rc (node != NULL && node->ns != NULL, LASSO_XML_ERROR_NODE_NOT_FOUND);
if (provider->private_data->conformance == LASSO_PROTOCOL_SAML_2_0) {
rc = lasso_saml20_server_load_affiliation(server, node);
} else {
/* affiliations are not supported in ID-FF 1.2 mode */
rc = LASSO_ERROR_UNIMPLEMENTED;
}
cleanup:
lasso_release_doc(doc);
return rc;
}
/*****************************************************************************/
/* private methods */
/*****************************************************************************/
static struct XmlSnippet schema_snippets[] = {
{ "PrivateKeyFilePath", SNIPPET_CONTENT, G_STRUCT_OFFSET(LassoServer, private_key), NULL, NULL, NULL},
{ "PrivateKeyPassword", SNIPPET_CONTENT,
G_STRUCT_OFFSET(LassoServer, private_key_password), NULL, NULL, NULL},
{ "CertificateFilePath", SNIPPET_CONTENT, G_STRUCT_OFFSET(LassoServer, certificate), NULL, NULL, NULL},
{NULL, 0, 0, NULL, NULL, NULL}
};
static LassoNodeClass *parent_class = NULL;
static void
add_provider_childnode(G_GNUC_UNUSED gchar *key, LassoProvider *value, xmlNode *xmlnode)
{
xmlAddChild(xmlnode, lasso_node_get_xmlNode(LASSO_NODE(value), TRUE));
}
static xmlNode*
get_xmlNode(LassoNode *node, gboolean lasso_dump)
{
LassoServer *server = LASSO_SERVER(node);
char *signature_methods[] = { NULL, "RSA_SHA1", "DSA_SHA1"};
xmlNode *xmlnode;
xmlnode = parent_class->get_xmlNode(node, lasso_dump);
xmlSetProp(xmlnode, (xmlChar*)"ServerDumpVersion", (xmlChar*)"2");
xmlSetProp(xmlnode, (xmlChar*)"SignatureMethod",
(xmlChar*)signature_methods[server->signature_method]);
/* Providers */
if (g_hash_table_size(server->providers)) {
xmlNode *t;
t = xmlNewTextChild(xmlnode, NULL, (xmlChar*)"Providers", NULL);
g_hash_table_foreach(server->providers,
(GHFunc)add_provider_childnode, t);
}
#ifdef LASSO_WSF_ENABLED
lasso_server_dump_id_wsf_services(server, xmlnode);
lasso_server_dump_id_wsf20_svcmds(server, xmlnode);
#endif
xmlCleanNs(xmlnode);
return xmlnode;
}
static int
init_from_xml(LassoNode *node, xmlNode *xmlnode)
{
LassoServer *server = LASSO_SERVER(node);
xmlNode *t;
xmlChar *s;
int rc = 0;
rc = parent_class->init_from_xml(node, xmlnode);
if (server->private_key) {
server->private_data->encryption_private_key =
lasso_xmlsec_load_private_key(server->private_key, server->private_key_password);
}
if (rc)
return rc;
s = xmlGetProp(xmlnode, (xmlChar*)"SignatureMethod");
if (s && strcmp((char*)s, "RSA_SHA1") == 0)
server->signature_method = LASSO_SIGNATURE_METHOD_RSA_SHA1;
if (s && strcmp((char*)s, "DSA_SHA1") == 0)
server->signature_method = LASSO_SIGNATURE_METHOD_DSA_SHA1;
if (s)
xmlFree(s);
t = xmlnode->children;
while (t) {
xmlNode *t2 = t->children;
if (t->type != XML_ELEMENT_NODE) {
t = t->next;
continue;
}
/* Providers */
if (strcmp((char*)t->name, "Providers") == 0) {
while (t2) {
LassoProvider *p;
if (t2->type != XML_ELEMENT_NODE) {
t2 = t2->next;
continue;
}
p = g_object_new(LASSO_TYPE_PROVIDER, NULL);
LASSO_NODE_GET_CLASS(p)->init_from_xml(LASSO_NODE(p), t2);
if (lasso_provider_load_public_key(p, LASSO_PUBLIC_KEY_SIGNING)) {
g_hash_table_insert(server->providers,
g_strdup(p->ProviderID), p);
} else {
message(G_LOG_LEVEL_CRITICAL,
"Failed to load signing public key for %s.",
p->ProviderID);
}
t2 = t2->next;
}
}
#ifdef LASSO_WSF_ENABLED
lasso_server_init_id_wsf_services(server, t);
lasso_server_init_id_wsf20_svcmds(server, t);
#endif
t = t->next;
}
return 0;
}
static gboolean
get_first_providerID(gchar *key, G_GNUC_UNUSED gpointer value, char **providerID)
{
*providerID = key;
return TRUE;
}
static gboolean
get_first_providerID_by_role(G_GNUC_UNUSED gchar *key, gpointer value, LassoProviderRole role) {
LassoProvider *provider = (LassoProvider*)value;
if (provider->role == role || role == LASSO_PROVIDER_ROLE_ANY) {
return TRUE;
}
return FALSE;
}
/**
* lasso_server_get_first_providerID_by_role
* @server: a #LassoServer
* @role: the #LassoProviderRole of the researched provider
*
* Looks up and returns the provider ID of known provider with the given role.
*
* Return value: the provider ID, NULL if there are no providers. This string
* must be freed by the caller.
*/
gchar *
lasso_server_get_first_providerID_by_role(const LassoServer *server, LassoProviderRole role)
{
LassoProvider *a_provider;
a_provider = LASSO_PROVIDER(g_hash_table_find(server->providers,
(GHRFunc) get_first_providerID_by_role,
(gpointer)role));
if (a_provider) {
return g_strdup(a_provider->ProviderID);
} else {
return NULL;
}
}
/**
* lasso_server_get_first_providerID:
* @server: a #LassoServer
*
* Looks up and returns the provider ID of a known provider
*
* Return value:(transfer full)(allow-none): the provider ID, NULL if there are no providers. This
* string must be freed by the caller.
**/
gchar*
lasso_server_get_first_providerID(LassoServer *server)
{
gchar *providerID = NULL;
g_hash_table_find(server->providers, (GHRFunc)get_first_providerID, &providerID);
return g_strdup(providerID);
}
/**
* lasso_server_get_provider:
* @server: a #LassoServer
* @providerID: the provider ID
*
* Looks up for a #LassoProvider whose ID is @providerID and returns it.
*
* Return value: (transfer none): the #LassoProvider, NULL if it was not found. The
* #LassoProvider is owned by Lasso and should not be freed.
**/
LassoProvider*
lasso_server_get_provider(const LassoServer *server, const gchar *providerID)
{
if (! LASSO_IS_SERVER(server) || providerID == NULL || strlen(providerID) == 0) {
return NULL;
}
return g_hash_table_lookup(server->providers, providerID);
}
static gboolean
get_providerID_with_hash(gchar *key, G_GNUC_UNUSED gpointer value, char **providerID)
{
char *hash = *providerID;
xmlChar *hash_providerID;
char *b64_hash_providerID;
hash_providerID = (xmlChar*)lasso_sha1(key);
b64_hash_providerID = (char*)xmlSecBase64Encode(hash_providerID, 20, 0);
xmlFree(hash_providerID);
if (strcmp(b64_hash_providerID, hash) == 0) {
xmlFree(b64_hash_providerID);
*providerID = key;
return TRUE;
}
xmlFree(b64_hash_providerID);
return FALSE;
}
/**
* lasso_server_get_providerID_from_hash:
* @server: a #LassoServer
* @b64_hash: the base64-encoded provider ID hash
*
* Looks up a #LassoProvider whose ID hash is @b64_hash and returns its
* provider ID.
*
* Return value:(transfer full)(allow-none): the provider ID, NULL if it was not found.
**/
gchar*
lasso_server_get_providerID_from_hash(LassoServer *server, gchar *b64_hash)
{
gchar *providerID = b64_hash; /* kludge */
if (g_hash_table_find(server->providers, (GHRFunc)get_providerID_with_hash, &providerID))
return g_strdup(providerID);
return NULL;
}
/*****************************************************************************/
/* overridden parent class methods */
/*****************************************************************************/
static void
dispose(GObject *object)
{
LassoServer *server = LASSO_SERVER(object);
if (! server->private_data || server->private_data->dispose_has_run == TRUE) {
return;
}
server->private_data->dispose_has_run = TRUE;
lasso_release_sec_key(server->private_data->encryption_private_key);
lasso_release_list_of_gobjects(server->private_data->svc_metadatas);
lasso_release_ghashtable(server->services);
/* free allocated memory for hash tables */
lasso_mem_debug("LassoServer", "Providers", server->providers);
lasso_release_ghashtable(server->providers);
G_OBJECT_CLASS(parent_class)->dispose(G_OBJECT(server));
}
static void
finalize(GObject *object)
{
LassoServer *server = LASSO_SERVER(object);
int i = 0;
lasso_release(server->private_key);
if (server->private_key_password) {
/* don't use memset() because it may be optimised away by
* compiler (since the string is freed just after */
while (server->private_key_password[i])
server->private_key_password[i++] = 0;
lasso_release(server->private_key_password);
}
lasso_release(server->certificate);
lasso_release(server->private_data);
G_OBJECT_CLASS(parent_class)->finalize(G_OBJECT(server));
}
/*****************************************************************************/
/* instance and class init functions */
/*****************************************************************************/
static void
instance_init(LassoServer *server)
{
server->private_data = g_new0(LassoServerPrivate, 1);
server->private_data->dispose_has_run = FALSE;
server->private_data->encryption_private_key = NULL;
server->private_data->svc_metadatas = NULL;
server->providers = g_hash_table_new_full(
g_str_hash, g_str_equal, g_free,
g_object_unref);
server->private_key = NULL;
server->private_key_password = NULL;
server->certificate = NULL;
server->signature_method = LASSO_SIGNATURE_METHOD_RSA_SHA1;
server->services = g_hash_table_new_full(g_str_hash, g_str_equal,
(GDestroyNotify)g_free,
g_object_unref);
}
static void
class_init(LassoServerClass *klass)
{
LassoNodeClass *nclass = LASSO_NODE_CLASS(klass);
parent_class = g_type_class_peek_parent(klass);
nclass->node_data = g_new0(LassoNodeClassData, 1);
lasso_node_class_set_nodename(nclass, "Server");
lasso_node_class_set_ns(nclass, LASSO_LASSO_HREF, LASSO_LASSO_PREFIX);
lasso_node_class_add_snippets(nclass, schema_snippets);
nclass->get_xmlNode = get_xmlNode;
nclass->init_from_xml = init_from_xml;
G_OBJECT_CLASS(klass)->dispose = dispose;
G_OBJECT_CLASS(klass)->finalize = finalize;
}
GType
lasso_server_get_type()
{
static GType this_type = 0;
if (!this_type) {
static const GTypeInfo this_info = {
sizeof (LassoServerClass),
NULL,
NULL,
(GClassInitFunc) class_init,
NULL,
NULL,
sizeof(LassoServer),
0,
(GInstanceInitFunc) instance_init,
NULL
};
this_type = g_type_register_static(LASSO_TYPE_PROVIDER,
"LassoServer", &this_info, 0);
}
return this_type;
}
/**
* lasso_server_new:
* @metadata: path to the provider metadata file or NULL, for a LECP server
* @private_key:(allow-none): path to the the server private key file or NULL
* @private_key_password:(allow-none): password to private key if it is encrypted, or NULL
* @certificate:(allow-none): path to the server certificate file, or NULL
*
* Creates a new #LassoServer.
*
* Return value: a newly created #LassoServer object; or NULL if an error
* occured
**/
LassoServer*
lasso_server_new(const gchar *metadata,
const gchar *private_key,
const gchar *private_key_password,
const gchar *certificate)
{
LassoServer *server;
server = g_object_new(LASSO_TYPE_SERVER, NULL);
/* metadata can be NULL (if server is a LECP) */
if (metadata != NULL) {
if (lasso_provider_load_metadata(LASSO_PROVIDER(server), metadata) == FALSE) {
message(G_LOG_LEVEL_CRITICAL,
"Failed to load metadata from %s.", metadata);
lasso_node_destroy(LASSO_NODE(server));
return NULL;
}
}
lasso_assign_string(server->certificate, certificate);
if (private_key) {
lasso_assign_string(server->private_key, private_key);
lasso_assign_string(server->private_key_password, private_key_password);
server->private_data->encryption_private_key = lasso_xmlsec_load_private_key(private_key,
private_key_password);
if (! server->private_data->encryption_private_key) {
message(G_LOG_LEVEL_WARNING, "Cannot load the private key");
lasso_release_gobject(server);
}
}
lasso_provider_load_public_key(&server->parent, LASSO_PUBLIC_KEY_SIGNING);
lasso_provider_load_public_key(&server->parent, LASSO_PUBLIC_KEY_ENCRYPTION);
return server;
}
/**
* lasso_server_new_from_buffers:
* @metadata: NULL terminated string containing the content of an ID-FF 1.2 metadata file
* @private_key_content:(allow-none): NULL terminated string containing a PEM formatted private key
* @private_key_password:(allow-none): a NULL terminated string which is the optional password of
* the private key
* @certificate_content:(allow-none): NULL terminated string containing a PEM formatted X509
* certificate
*
* Creates a new #LassoServer.
*
* Return value: a newly created #LassoServer object; or NULL if an error occured
*/
LassoServer*
lasso_server_new_from_buffers(const char *metadata, const char *private_key_content, const char
*private_key_password, const char *certificate_content)
{
LassoServer *server;
server = g_object_new(LASSO_TYPE_SERVER, NULL);
/* metadata can be NULL (if server is a LECP) */
if (metadata != NULL) {
if (lasso_provider_load_metadata_from_buffer(LASSO_PROVIDER(server), metadata) == FALSE) {
message(G_LOG_LEVEL_CRITICAL,
"Failed to load metadata from preloaded buffer");
lasso_node_destroy(LASSO_NODE(server));
return NULL;
}
}
lasso_assign_string(server->certificate, certificate_content);
if (private_key_content) {
lasso_assign_string(server->private_key, private_key_content);
lasso_assign_string(server->private_key_password, private_key_password);
server->private_data->encryption_private_key =
lasso_xmlsec_load_private_key_from_buffer(private_key_content,
strlen(private_key_content), private_key_password);
if (! server->private_data->encryption_private_key) {
message(G_LOG_LEVEL_WARNING, "Cannot load the private key");
lasso_release_gobject(server);
}
}
lasso_provider_load_public_key(&server->parent, LASSO_PUBLIC_KEY_SIGNING);
lasso_provider_load_public_key(&server->parent, LASSO_PUBLIC_KEY_ENCRYPTION);
return server;
}
/**
* lasso_server_new_from_dump:
* @dump: XML server dump
*
* Restores the @dump to a new #LassoServer.
*
* Return value: a newly created #LassoServer; or NULL if an error occured
**/
LassoServer*
lasso_server_new_from_dump(const gchar *dump)
{
LassoServer *server;
server = (LassoServer*)lasso_node_new_from_dump(dump);
if (! LASSO_IS_SERVER(server)) {
lasso_release_gobject(server);
}
return server;
}
/**
* lasso_server_dump:
* @server: a #LassoServer
*
* Dumps @server content to an XML string.
*
* Return value:(transfer full): the dump string. It must be freed by the caller.
**/
gchar*
lasso_server_dump(LassoServer *server)
{
return lasso_node_dump(LASSO_NODE(server));
}
/**
* lasso_server_get_private_key:
* @server: a #LassoServer object
*
* Return value:(transfer full): a newly created #xmlSecKey object.
*/
xmlSecKey*
lasso_server_get_private_key(LassoServer *server)
{
if (! LASSO_IS_SERVER(server))
return NULL;
if (! server->private_key)
return NULL;
return lasso_xmlsec_load_private_key(server->private_key, server->private_key_password);
}
/**
* lasso_server_get_encryption_private_key:
* @server: a #LassoServer object
*
* Return:(transfer none): a xmlSecKey object, it is owned by the #LassoServer object, so do not
* free it.
*/
xmlSecKey*
lasso_server_get_encryption_private_key(LassoServer *server)
{
if (! LASSO_IS_SERVER(server))
return NULL;
if (! server->private_data)
return NULL;
return server->private_data->encryption_private_key;
}
/**
* lasso_server_load_metadata:
* @server: a #LassoServer object
* @role: a #LassoProviderRole value
* @federation_file: path to a SAML 2.0 metadata file
* @trusted_roots:(allow-none): a PEM encoded files containing the certificates to check signatures
* on the metadata file (optional)
* @blacklisted_entity_ids:(allow-none)(element-type string): a list of EntityID which should not be
* loaded, can be NULL.
* @loaded_entity_ids:(transfer full)(element-type string)(allow-none): an output parameter for the
* list of the loaded EntityID, can be NULL.
* @flags: flags modifying the behaviour for checking signatures on EntityDescriptor and
* EntitiesDescriptors nodes.
*
* Load all the SAML 2.0 entities from @federation_file which contains a declaration for @role. If
* @trusted_roots is non-NULL, use it to check a signature on the metadata file, otherwise ignore
* signature validation.
*
* Return value: 0 on success, an error code otherwise, among:
* <itemizedlist>
* <listitem><para>
* LASSO_PARAM_ERROR_BAD_TYPE_OR_NULL_OBJ if server is not a #LassoServer object or @role is not a
* valid role value,
* </para></listitem>
* <listitem><para>
* LASSO_DS_ERROR_CA_CERT_CHAIN_LOAD_FAILED if the @trusted_root file cannot be loaded,
* </listitem></para>
* </itemizedlist>
*/
lasso_error_t
lasso_server_load_metadata(LassoServer *server, LassoProviderRole role, const gchar *federation_file,
const gchar *trusted_roots, GList *blacklisted_entity_ids,
GList **loaded_entity_ids, enum LassoServerLoadMetadataFlag flags)
{
xmlDoc *doc = NULL;
xmlNode *root = NULL;
xmlSecKeysMngr *keys_mngr = NULL;
lasso_error_t rc = 0;
lasso_bad_param(SERVER, server);
g_return_val_if_fail(role == LASSO_PROVIDER_ROLE_SP || role == LASSO_PROVIDER_ROLE_IDP,
LASSO_PARAM_ERROR_BAD_TYPE_OR_NULL_OBJ);
if (flags == LASSO_SERVER_LOAD_METADATA_FLAG_DEFAULT) {
flags = LASSO_SERVER_LOAD_METADATA_FLAG_CHECK_ENTITIES_DESCRIPTOR_SIGNATURE
| LASSO_SERVER_LOAD_METADATA_FLAG_CHECK_ENTITY_DESCRIPTOR_SIGNATURE
| LASSO_SERVER_LOAD_METADATA_FLAG_INHERIT_SIGNATURE;
}
if (trusted_roots) {
keys_mngr = lasso_load_certs_from_pem_certs_chain_file(trusted_roots);
lasso_return_val_if_fail(keys_mngr != NULL,
LASSO_DS_ERROR_CA_CERT_CHAIN_LOAD_FAILED);
}
doc = lasso_xml_parse_file(federation_file);
goto_cleanup_if_fail_with_rc(doc, LASSO_SERVER_ERROR_INVALID_XML);
root = xmlDocGetRootElement(doc);
if (lasso_strisequal((char*)root->ns->href, LASSO_SAML2_METADATA_HREF)) {
lasso_check_good_rc(lasso_saml20_server_load_metadata(server, role, doc, root,
blacklisted_entity_ids, loaded_entity_ids, keys_mngr, flags));
} else {
goto_cleanup_with_rc(LASSO_ERROR_UNIMPLEMENTED);
}
cleanup:
lasso_release_key_manager(keys_mngr);
lasso_release_doc(doc);
return rc;
}
View Git Blame Copy Permalink