Back to index

nordugrid-arc-nox  1.1.0~rc6
Public Member Functions | Protected Member Functions | Protected Attributes | Static Protected Attributes | Private Attributes
ArcSec::Service_SLCS Class Reference

A Service which signs the short-lived certificate; it accepts the certificate signing request (CSR) from from client side through soap, signs a short-lived certificate and sends back through soap. This service is supposed to be deployed together with the SPService and saml2sso.serviceprovider handler, in order to sign certificate based on the authentication result from saml2sso profile. Also the saml attribute (inside the saml assertion from saml2sso profile) will be put into the signed short-lived certificate. By deploying this service together with SPService and saml2sso.serviceprovider handler, we can get the convertion from username/password ------> x509 certificate. More...

#include <slcs.h>

Inheritance diagram for ArcSec::Service_SLCS:
Inheritance graph
[legend]
Collaboration diagram for ArcSec::Service_SLCS:
Collaboration graph
[legend]

List of all members.

Public Member Functions

 Service_SLCS (Arc::Config *cfg)
virtual ~Service_SLCS (void)
virtual Arc::MCC_Status process (Arc::Message &inmsg, Arc::Message &outmsg)
 Method for processing of requests and responses.
bool RegistrationCollector (Arc::XMLNode &doc)
 Service specific registartion collector, used for generate service registartions.
virtual void AddSecHandler (Config *cfg, ArcSec::SecHandler *sechandler, const std::string &label="")
 Add security components/handlers to this MCC.
virtual std::string getID ()
 Service may implement own service identitifer gathering method.

Protected Member Functions

Arc::MCC_Status make_soap_fault (Arc::Message &outmsg)
bool ProcessSecHandlers (Message &message, const std::string &label="") const
 Executes security handlers of specified queue.

Protected Attributes

Arc::NS ns_
Arc::Logger logger_
std::string endpoint_
std::string expiration_
Arc::InformationContainer infodoc
std::map< std::string,
std::list< ArcSec::SecHandler * > > 
sechandlers_
 Set of labeled authentication and authorization handlers.

Static Protected Attributes

static Logger logger
 Logger object used to print messages generated by this class.

Private Attributes

Arc::Credentialca_credential_

Detailed Description

A Service which signs the short-lived certificate; it accepts the certificate signing request (CSR) from from client side through soap, signs a short-lived certificate and sends back through soap. This service is supposed to be deployed together with the SPService and saml2sso.serviceprovider handler, in order to sign certificate based on the authentication result from saml2sso profile. Also the saml attribute (inside the saml assertion from saml2sso profile) will be put into the signed short-lived certificate. By deploying this service together with SPService and saml2sso.serviceprovider handler, we can get the convertion from username/password ------> x509 certificate.

Definition at line 19 of file slcs.h.


Constructor & Destructor Documentation

Definition at line 185 of file slcs.cpp.

                                        :RegisteredService(cfg), 
    logger_(Arc::Logger::rootLogger, "SLCS_Service"), ca_credential_(NULL) {

  logger_.addDestination(logcerr);
  ns_["slcs"]="http://www.nordugrid.org/schemas/slcs";

  std::string CAcert, CAkey, CAserial;
  CAcert = (std::string)((*cfg)["CACertificate"]);
  CAkey = (std::string)((*cfg)["CAKey"]);
  CAserial = (std::string)((*cfg)["CASerial"]);
  ca_credential_ = new Arc::Credential(CAcert, CAkey, CAserial, 0, "", "", "");
}

Here is the call graph for this function:

Definition at line 198 of file slcs.cpp.

                                {
  if(ca_credential_) delete ca_credential_;
}

Member Function Documentation

void Arc::Service::AddSecHandler ( Config cfg,
ArcSec::SecHandler sechandler,
const std::string &  label = "" 
) [virtual, inherited]

Add security components/handlers to this MCC.

For more information please see description of MCC::AddSecHandler

Definition at line 14 of file Service.cpp.

                                                                                           {
    if(sechandler) {
        sechandlers_[label].push_back(sechandler); //need polishing to put the SecHandlerFactory->getinstance here
        XMLNode cn = (*cfg)["SecHandler"];
        Config cfg_(cn);
    }
}

Here is the caller graph for this function:

virtual std::string Arc::Service::getID ( ) [inline, virtual, inherited]

Service may implement own service identitifer gathering method.

This method return identifier of service which is used for registering it Information Services.

Reimplemented in ARex::ARexService.

Definition at line 69 of file Service.h.

{ return ""; };

Definition at line 28 of file slcs.cpp.

                                                              {
  Arc::PayloadSOAP* outpayload = new Arc::PayloadSOAP(ns_,true);
  Arc::SOAPFault* fault = outpayload?outpayload->Fault():NULL;
  if(fault) {
    fault->Code(Arc::SOAPFault::Sender);
    fault->Reason("Failed processing slcs(short-lived certificate) request");
  };
  outmsg.Payload(outpayload);
  return Arc::MCC_Status(Arc::STATUS_OK);
}

Here is the call graph for this function:

Here is the caller graph for this function:

Arc::MCC_Status ArcSec::Service_SLCS::process ( Arc::Message request,
Arc::Message response 
) [virtual]

Method for processing of requests and responses.

This method is called by preceeding MCC in chain when a request needs to be processed. This method must call similar method of next MCC in chain unless any failure happens. Result returned by call to next MCC should be processed and passed back to previous MCC. In case of failure this method is expected to generate valid error response and return it back to previous MCC without calling the next one.

Parameters:
requestThe request that needs to be processed.
responseA Message object that will contain the response of the request when the method returns.
Returns:
An object representing the status of the call.

Implements Arc::MCCInterface.

Definition at line 39 of file slcs.cpp.

                                                                        {
  std::string method = inmsg.Attributes()->get("HTTP:METHOD");

  if(!ProcessSecHandlers(inmsg,"incoming")) {
    logger_.msg(Arc::ERROR, "Security Handlers processing failed");
    return Arc::MCC_Status();
  };

  //Get identity-related information from saml assertion which has been put 
  //as MessageAuthContext by SPService on the same connection as this slcs service
  std::string identity;
  std::string ou, cn;
  std::string saml_assertion_str; 
  {
    Arc::SecAttr* sattr = inmsg.Auth()->get("SAMLAssertion");
    if(!sattr) { 
      logger_.msg(Arc::ERROR, "Can not get SAMLAssertion SecAttr from message context");
      return Arc::MCC_Status();
    }
    Arc::XMLNode saml_assertion_nd;
    if(sattr->Export(Arc::SecAttr::SAML, saml_assertion_nd)) {
      saml_assertion_nd.GetXML(saml_assertion_str);
      //The following code is IdP implementation specific. So for
      //different types of saml assertion got from IdP, different 
      //ways should be implemented here to get the identity-related
      //information. 
      //Probably, a specific sec handler is needed here for the identity parsing.
      Arc::XMLNode attr_statement = saml_assertion_nd["AttributeStatement"];
      for(int i=0;; i++) {
        Arc::XMLNode cnd = attr_statement.Child(i);
        if(!cnd) break;
        //Since here we are specifically using shibboleth as IdP, and there
        //is one distinguished attribute value which is created by Shibboleth IdP,
        //see the following as an example:
        //<saml:Attribute FriendlyName="eduPersonPrincipalName" 
        //   Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" 
        //   NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
        //   <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" 
        //      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
        //      xsi:type="xs:string">
        //      staff@knowarc.eu
        //   </saml:AttributeValue>
        //</saml:Attribute>
        //Therefore we base on "eduPersonPrincipalName" to create the DN 
        //for the short-lived certificate. In addition, the "O=KnowARC" is 
        //fixedly used as "/O=KnowARC".
        //So in case of the above example, the DN is: /CN=staff/OU=knowarc.eu/O=KnowARC
        //
        //However, there should be more elegant and configurable way for creating DN.
        if((std::string)(cnd.Attribute("FriendlyName")) == "eduPersonPrincipalName") {
          identity = (std::string)(cnd["AttributeValue"]);
          std::size_t pos;
          pos = identity.find("@");
          if(pos != std::string::npos) {
            cn = identity.substr(0, pos);
            ou = identity.substr(pos+1);
          };
        };
      };
    };
  };

  // Identify which of served endpoints request is for.
  // SLCS can only accept POST method
  if(method == "POST") {
    logger.msg(Arc::VERBOSE, "process: POST");
    // Both input and output are supposed to be SOAP
    // Extracting payload
    Arc::PayloadSOAP* inpayload = NULL;
    try {
      inpayload = dynamic_cast<Arc::PayloadSOAP*>(inmsg.Payload());
    } catch(std::exception& e) { };
    if(!inpayload) {
      logger.msg(Arc::ERROR, "input is not SOAP");
      return make_soap_fault(outmsg);
    };
    // Analyzing request
    Arc::XMLNode request = (*inpayload)["GetSLCSCertificateRequest"];
    if(!request) {
      logger.msg(Arc::ERROR, "soap body does not include any request node");
      return make_soap_fault(outmsg);
    };
    {
      std::string req_xml;
      request.GetXML(req_xml);
      logger.msg(Arc::VERBOSE, "Request: %s",req_xml);
    };

    Arc::XMLNode x509_req_nd = request["X509Request"];
    if(!x509_req_nd) {
      logger.msg(Arc::ERROR, "There is no X509Request node in the request message");
      return make_soap_fault(outmsg);
    };
    //If no lifetime specified from request, default lifetime (12hours) will be used
    Arc::XMLNode lifetime_nd = request["LifeTime"];
    
    std::string x509_req = (std::string)x509_req_nd;
    std::string lifetime;
    if((bool)lifetime_nd) lifetime = (std::string)lifetime_nd;

    //Inquire the x509 request 
    Arc::Credential eec;
    eec.InquireRequest(x509_req, true);

    if(!(eec.AddExtension("1.3.6.1.4.1.3536.1.1.1.10", saml_assertion_str))) { //Need to investigate the OID 
      std::cout<<"Failed to add saml extension to certificate"<<std::endl;
    }

    //TODO: compose the base name from configuration and name from saml assertion?
    std::string dn("/O=KnowARC/OU=");
    dn.append(ou).append("/CN=").append(cn);
    logger_.msg(Arc::INFO, "Composed DN: %s",dn.c_str());


    //Sign the certificate
    std::string x509_cert;
    ca_credential_->SignEECRequest(&eec, dn, x509_cert);

    //Compose response message
    Arc::PayloadSOAP* outpayload = new Arc::PayloadSOAP(ns_);
    Arc::XMLNode response = outpayload->NewChild("slcs:GetSLCSCertificateResponse");
    Arc::XMLNode x509_res_nd = response.NewChild("slcs:X509Certificate");
    x509_res_nd = x509_cert;
    Arc::XMLNode ca_res_nd = response.NewChild("slcs:CACertificate");
    std::string ca_str;
    ca_credential_->OutputCertificate(ca_str);
    ca_res_nd = ca_str;

    outmsg.Payload(outpayload);

    if(!ProcessSecHandlers(outmsg,"outgoing")) {
      logger_.msg(Arc::ERROR, "Security Handlers processing failed");
      delete outmsg.Payload(NULL);
      return Arc::MCC_Status();
    };

    return Arc::MCC_Status(Arc::STATUS_OK);
  }
  else {
    delete inmsg.Payload();
    logger.msg(Arc::VERBOSE, "process: %s: not supported",method);
    return Arc::MCC_Status();
  }
  return Arc::MCC_Status();
}

Here is the call graph for this function:

bool Arc::Service::ProcessSecHandlers ( Message message,
const std::string &  label = "" 
) const [protected, inherited]

Executes security handlers of specified queue.

For more information please see description of MCC::ProcessSecHandlers

Definition at line 22 of file Service.cpp.

                                                                              {
    std::map<std::string,std::list<ArcSec::SecHandler*> >::const_iterator q = sechandlers_.find(label);
    if(q == sechandlers_.end()) {
        logger.msg(DEBUG, "No security processing/check requested for '%s'", label);
        return true;
    }

    std::list<ArcSec::SecHandler*>::const_iterator h = q->second.begin();
    for(;h!=q->second.end();++h) {
        const ArcSec::SecHandler* handler = *h;
        if(handler) if(!(handler->Handle(&message))) {
            logger.msg(DEBUG, "Security processing/check for '%s' failed", label);
            return false;
        }
    }
    logger.msg(DEBUG, "Security processing/check for '%s' passed", label);
    return true;
}

Here is the call graph for this function:

Here is the caller graph for this function:

Service specific registartion collector, used for generate service registartions.

In implemented service this method should generate GLUE2 document with part of service description which service wishes to advertise to Information Services.

Reimplemented from Arc::Service.

Definition at line 202 of file slcs.cpp.

                                                        {
  Arc::NS isis_ns; isis_ns["isis"] = "http://www.nordugrid.org/schemas/isis/2008/08";
  Arc::XMLNode regentry(isis_ns, "RegEntry");
  regentry.NewChild("SrcAdv").NewChild("Type") = "org.nordugrid.security.slcs";
  regentry.New(doc);
  return true;
}

Here is the call graph for this function:


Member Data Documentation

Definition at line 33 of file slcs.h.

std::string ArcSec::Service_SLCS::endpoint_ [protected]

Definition at line 23 of file slcs.h.

std::string ArcSec::Service_SLCS::expiration_ [protected]

Definition at line 24 of file slcs.h.

Definition at line 25 of file slcs.h.

Logger Arc::Service::logger [static, protected, inherited]

Logger object used to print messages generated by this class.

Reimplemented in Echo::Service_Echo, Arc::Service_JavaWrapper, SPService::Service_SP, Compiler::Service_Compiler, Hopi::Hopi, and Arc::Service_PythonWrapper.

Definition at line 43 of file Service.h.

Definition at line 22 of file slcs.h.

Definition at line 21 of file slcs.h.

std::map<std::string,std::list<ArcSec::SecHandler*> > Arc::Service::sechandlers_ [protected, inherited]

Set of labeled authentication and authorization handlers.

MCC calls sequence of handlers at specific point depending on associated identifier. in most aces those are "in" and "out" for incoming and outgoing messages correspondingly.

Definition at line 40 of file Service.h.


The documentation for this class was generated from the following files: