Shibboleth Developers

[Derek Atkins <>]

Ok, one more try.


// This usurps the existing SHIRE and RM apis into a single class.

class ShibTargetPriv;
class ShibTarget {
public:
  virtual ~ShibTarget() {}

  // These are defined here so the subclass does not need to specifically
  // depend on log4cpp.  We could use log4cpp::Priority::PriorityLevel
  // but this is just as easy, IMHO.  It's just a case statement in the
  // implementation to handle the event level.
  enum ShibLogLevel {
    LogLevelDebug,
    LogLevelInfo,
    LogLevelWarn,
    LogLevelError
  };

  // Send a message to the Webserver log
  virtual void log(ShibLogLevel level, String msg) = 0;

  // Get/Set a cookie for this connection
  virtual String getCookie(String name) = 0;
  virtual String setCookie(String name, String value) = 0;

  // Get the request's POST data from the server
  virtual String getPostData(void) = 0;

  // Not sure if I need these, but I might for something like Apache
  // in order to "fix" the auth type in the case of basicHijack.  In
  // particular we need to maintain some state between the different
  // APIs to know whether or not to proceed with shib processing.
  virtual String getAuthType(void) = 0;
  virtual void setAuthType(String) = 0;

  // Note: we still need to define exactly what kind of data in contained
  // in the HTAccessInfo -- perhaps we can stub it out so non-htaccess
  // systems have something they can plug in?
  virtual HTAccessInfo& getAccessInfo(void) = 0;

  // We're done.  Finish up.  Send either a result (error?) page or a 
redirect.
  virtual void* sendPage(String msg, pair<String,String> headers[] = null,
                         int code = 200) = 0;
  virtual void* sendRedirect(String url) = 0;

  // These functions implement the server-agnostic shibboleth engine
  // The web server modules implement a subclass and then call into 
  // these methods once they instantiate their request object.
  void* doCheckAuthN(void);
  void* doHandlePOST(void);
  void* doCheckAuthZ(void);

  // SHIRE APIs

  // Get the session cookie name and properties for the application
  std::pair<const char*,const char*> getCookieNameProps() const;
        
  // Find the default assertion consumer service for the resource
  const char* getShireURL(const char* resource) const;
        
  // Generate a Shib 1.x AuthnRequest redirect URL for the resource
  const char* getAuthnRequest(const char* resource) const;
        
  // Process a lazy session setup request and turn it into an AuthnRequest
  const char* getLazyAuthnRequest(const char* query_string) const;
        
  // Process a POST profile submission, and return (SAMLResponse,TARGET) pair.
  std::pair<const char*,const char*>
      getFormSubmission(const char* post, unsigned int len) const;
        
  RPCError* sessionCreate(const char* response, const char* ip,
                          std::string &cookie) const;
  RPCError* sessionIsValid(const char* session_id, const char* ip) const;

  // RM APIS

  RPCError* getAssertions(
            const char* cookie,
            const char* ip,
            std::vector<saml::SAMLAssertion*>& assertions,
            saml::SAMLAuthenticationStatement **statement = NULL
            );
  static void serialize(saml::SAMLAssertion &assertion, std::string &result);


protected:
  // These are the actual request parameters that must be set in the subclass
  // constructor.
  String m_url;
  String m_method;
  String m_content_type;
  String m_remote_addr;
  int m_total_bytes;

private:
  ShibTargetPriv *m_priv;
};

-- 
       Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
       Member, MIT Student Information Processing Board  (SIPB)
       URL: http://web.mit.edu/warlord/    PP-ASEL-IA     N1NWH
       

                        PGP key available