search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
filetransfer: use 'deallocate' callback in sipe_file_transfer
[siplcs.git] / src / core / sipe-webticket.c
blob26a54c2f66c21418bff26f2ce1d85c59b3952282
1 /**
2 * @file sipe-webticket.c
3 *
4 * pidgin-sipe
5 *
6 * Copyright (C) 2011-2013 SIPE Project <http://sipe.sourceforge.net/>
7 *
8 *
9 * This program is free software; you can redistribute it and/or modify
10 * it under the terms of the GNU General Public License as published by
11 * the Free Software Foundation; either version 2 of the License, or
12 * (at your option) any later version.
13 *
14 * This program is distributed in the hope that it will be useful,
15 * but WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 * GNU General Public License for more details.
18 *
19 * You should have received a copy of the GNU General Public License
20 * along with this program; if not, write to the Free Software
21 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
22 *
23 *
24 * Specification references:
25 *
26 * - [MS-OCAUTHWS]: http://msdn.microsoft.com/en-us/library/ff595592.aspx
27 * - MS Tech-Ed Europe 2010 "UNC310: Microsoft Lync 2010 Technology Explained"
28 * http://ecn.channel9.msdn.com/o9/te/Europe/2010/pptx/unc310.pptx
29 */
30
31 #include <string.h>
32 #include <time.h>
33
34 #include <glib.h>
35
36 #include "sipe-common.h"
37 #include "sipe-backend.h"
38 #include "sipe-core.h"
39 #include "sipe-core-private.h"
40 #include "sipe-digest.h"
41 #include "sipe-svc.h"
42 #include "sipe-tls.h"
43 #include "sipe-webticket.h"
44 #include "sipe-utils.h"
45 #include "sipe-xml.h"
46
47 struct webticket_queued_data {
48 sipe_webticket_callback *callback;
49 gpointer callback_data;
50 };
51
52 struct webticket_callback_data {
53 gchar *service_uri;
54 const gchar *service_port;
55 gchar *service_auth_uri;
56
57 gchar *webticket_negotiate_uri;
58 gchar *webticket_fedbearer_uri;
59
60 gboolean tried_fedbearer;
61 gboolean requires_signing;
62 enum {
63 TOKEN_STATE_NONE = 0,
64 TOKEN_STATE_SERVICE,
65 TOKEN_STATE_FEDERATION,
66 TOKEN_STATE_FED_BEARER,
67 } token_state;
68
69 struct sipe_tls_random entropy;
70
71 sipe_webticket_callback *callback;
72 gpointer callback_data;
73
74 struct sipe_svc_session *session;
75
76 GSList *queued;
77 };
78
79 struct webticket_token {
80 gchar *auth_uri;
81 gchar *token;
82 time_t expires;
83 };
84
85 struct sipe_webticket {
86 GHashTable *cache;
87 GHashTable *pending;
88
89 gchar *webticket_adfs_uri;
90 gchar *adfs_token;
91 time_t adfs_token_expires;
92
93 gboolean retrieved_realminfo;
94 gboolean shutting_down;
95 };
96
97 void sipe_webticket_free(struct sipe_core_private *sipe_private)
98 {
99 struct sipe_webticket *webticket = sipe_private->webticket;
100 if (!webticket)
101 return;
102
103 /* Web Ticket stack is shutting down: reject all new requests */
104 webticket->shutting_down = TRUE;
105
106 g_free(webticket->webticket_adfs_uri);
107 g_free(webticket->adfs_token);
108 if (webticket->pending)
109 g_hash_table_destroy(webticket->pending);
110 if (webticket->cache)
111 g_hash_table_destroy(webticket->cache);
112 g_free(webticket);
113 sipe_private->webticket = NULL;
114 }
115
116 static void free_token(gpointer data)
117 {
118 struct webticket_token *wt = data;
119 g_free(wt->auth_uri);
120 g_free(wt->token);
121 g_free(wt);
122 }
123
124 static void sipe_webticket_init(struct sipe_core_private *sipe_private)
125 {
126 struct sipe_webticket *webticket;
127
128 if (sipe_private->webticket)
129 return;
130
131 sipe_private->webticket = webticket = g_new0(struct sipe_webticket, 1);
132
133 webticket->cache = g_hash_table_new_full(g_str_hash,
134 g_str_equal,
135 g_free,
136 free_token);
137 webticket->pending = g_hash_table_new(g_str_hash,
138 g_str_equal);
139 }
140
141 /* takes ownership of "token" */
142 static void cache_token(struct sipe_core_private *sipe_private,
143 const gchar *service_uri,
144 const gchar *auth_uri,
145 gchar *token,
146 time_t expires)
147 {
148 struct webticket_token *wt = g_new0(struct webticket_token, 1);
149 wt->auth_uri = g_strdup(auth_uri);
150 wt->token = token;
151 wt->expires = expires;
152 g_hash_table_insert(sipe_private->webticket->cache,
153 g_strdup(service_uri),
154 wt);
155 }
156
157 static const struct webticket_token *cache_hit(struct sipe_core_private *sipe_private,
158 const gchar *service_uri)
159 {
160 const struct webticket_token *wt;
161
162 /* make sure a cached Web Ticket is still valid for 60 seconds */
163 wt = g_hash_table_lookup(sipe_private->webticket->cache,
164 service_uri);
165 if (wt && (wt->expires < time(NULL) + 60)) {
166 SIPE_DEBUG_INFO("cache_hit: cached token for URI %s has expired",
167 service_uri);
168 wt = NULL;
169 }
170
171 return(wt);
172 }
173
174 /* frees just the main request data, when this is called "queued" is cleared */
175 static void callback_data_free(struct webticket_callback_data *wcd)
176 {
177 if (wcd) {
178 sipe_tls_free_random(&wcd->entropy);
179 g_free(wcd->webticket_negotiate_uri);
180 g_free(wcd->webticket_fedbearer_uri);
181 g_free(wcd->service_auth_uri);
182 g_free(wcd->service_uri);
183 g_free(wcd);
184 }
185 }
186
187 static void queue_request(struct webticket_callback_data *wcd,
188 sipe_webticket_callback *callback,
189 gpointer callback_data)
190 {
191 struct webticket_queued_data *wqd = g_new0(struct webticket_queued_data, 1);
192
193 wqd->callback = callback;
194 wqd->callback_data = callback_data;
195
196 wcd->queued = g_slist_prepend(wcd->queued, wqd);
197 }
198
199 static void callback_execute(struct sipe_core_private *sipe_private,
200 struct webticket_callback_data *wcd,
201 const gchar *auth_uri,
202 const gchar *wsse_security,
203 const gchar *failure_msg)
204 {
205 GSList *entry = wcd->queued;
206
207 /* complete main request */
208 wcd->callback(sipe_private,
209 wcd->service_uri,
210 auth_uri,
211 wsse_security,
212 failure_msg,
213 wcd->callback_data);
214
215 /* complete queued requests */
216 while (entry) {
217 struct webticket_queued_data *wqd = entry->data;
218
219 SIPE_DEBUG_INFO("callback_execute: completing queue request URI %s (Auth URI %s)",
220 wcd->service_uri, auth_uri);
221 wqd->callback(sipe_private,
222 wcd->service_uri,
223 auth_uri,
224 wsse_security,
225 failure_msg,
226 wqd->callback_data);
227
228 g_free(wqd);
229 entry = entry->next;
230 }
231 g_slist_free(wcd->queued);
232
233 /* drop request from pending hash */
234 g_hash_table_remove(sipe_private->webticket->pending,
235 wcd->service_uri);
236 }
237
238 static gchar *extract_raw_xml_attribute(const gchar *xml,
239 const gchar *name)
240 {
241 gchar *attr_start = g_strdup_printf("%s=\"", name);
242 gchar *data = NULL;
243 const gchar *start = strstr(xml, attr_start);
244
245 if (start) {
246 const gchar *value = start + strlen(attr_start);
247 const gchar *end = strchr(value, '"');
248 if (end) {
249 data = g_strndup(value, end - value);
250 }
251 }
252
253 g_free(attr_start);
254 return(data);
255 }
256
257 static gchar *generate_timestamp(const gchar *raw,
258 const gchar *lifetime_tag)
259 {
260 gchar *lifetime = sipe_xml_extract_raw(raw, lifetime_tag, FALSE);
261 gchar *timestamp = NULL;
262 if (lifetime)
263 timestamp = g_strdup_printf("<wsu:Timestamp xmlns:wsu=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\" wsu:Id=\"timestamp\">%s</wsu:Timestamp>",
264 lifetime);
265 g_free(lifetime);
266 return(timestamp);
267 }
268
269 static gchar *generate_fedbearer_wsse(const gchar *raw)
270 {
271 gchar *timestamp = generate_timestamp(raw, "wst:Lifetime");
272 gchar *keydata = sipe_xml_extract_raw(raw, "EncryptedData", TRUE);
273 gchar *wsse_security = NULL;
274
275 if (timestamp && keydata) {
276 SIPE_DEBUG_INFO_NOFORMAT("generate_fedbearer_wsse: found timestamp & keydata");
277 wsse_security = g_strconcat(timestamp, keydata, NULL);
278 }
279
280 g_free(keydata);
281 g_free(timestamp);
282 return(wsse_security);
283 }
284
285 static void generate_federation_wsse(struct sipe_webticket *webticket,
286 const gchar *raw)
287 {
288 gchar *timestamp = generate_timestamp(raw, "t:Lifetime");
289 gchar *keydata = sipe_xml_extract_raw(raw, "saml:Assertion", TRUE);
290
291 /* try alternative names */
292 if (!timestamp)
293 timestamp = generate_timestamp(raw, "wst:Lifetime");
294 if (!keydata)
295 keydata = sipe_xml_extract_raw(raw, "saml1:Assertion", TRUE);
296
297 /* clear old ADFS token */
298 g_free(webticket->adfs_token);
299 webticket->adfs_token = NULL;
300
301 if (timestamp && keydata) {
302 gchar *expires_string = sipe_xml_extract_raw(timestamp,
303 "wsu:Expires",
304 FALSE);
305
306 if (expires_string) {
307
308 SIPE_DEBUG_INFO("generate_federation_wsse: found timestamp & keydata, expires %s",
309 expires_string);
310
311 /* cache ADFS token */
312 webticket->adfs_token = g_strconcat(timestamp,
313 keydata,
314 NULL);
315 webticket->adfs_token_expires = sipe_utils_str_to_time(expires_string);
316 g_free(expires_string);
317 }
318 }
319
320 g_free(keydata);
321 g_free(timestamp);
322 }
323
324 static gchar *generate_sha1_proof_wsse(const gchar *raw,
325 struct sipe_tls_random *entropy,
326 time_t *expires)
327 {
328 gchar *timestamp = generate_timestamp(raw, "Lifetime");
329 gchar *keydata = sipe_xml_extract_raw(raw, "saml:Assertion", TRUE);
330 gchar *wsse_security = NULL;
331
332 if (timestamp && keydata) {
333 gchar *expires_string = sipe_xml_extract_raw(timestamp,
334 "Expires",
335 FALSE);
336
337 if (entropy) {
338 gchar *assertionID = extract_raw_xml_attribute(keydata,
339 "AssertionID");
340
341 /*
342 * WS-Trust 1.3
343 *
344 * http://docs.oasis-open.org/ws-sx/ws-trust/200512/CK/PSHA1:
345 *
346 * "The key is computed using P_SHA1() from the TLS sepcification to generate
347 * a bit stream using entropy from both sides. The exact form is:
348 *
349 * key = P_SHA1(Entropy_REQ, Entropy_RES)"
350 */
351 gchar *entropy_res_base64 = sipe_xml_extract_raw(raw, "BinarySecret", FALSE);
352 gsize entropy_res_length;
353 guchar *entropy_response = g_base64_decode(entropy_res_base64,
354 &entropy_res_length);
355 guchar *key = sipe_tls_p_sha1(entropy->buffer,
356 entropy->length,
357 entropy_response,
358 entropy_res_length,
359 entropy->length);
360 g_free(entropy_response);
361 g_free(entropy_res_base64);
362
363 SIPE_DEBUG_INFO_NOFORMAT("generate_sha1_proof_wsse: found timestamp & keydata");
364
365 if (assertionID && key) {
366 /* same as SIPE_DIGEST_HMAC_SHA1_LENGTH */
367 guchar digest[SIPE_DIGEST_SHA1_LENGTH];
368 gchar *base64;
369 gchar *signed_info;
370 gchar *canon;
371
372 SIPE_DEBUG_INFO_NOFORMAT("generate_sha1_proof_wsse: found assertionID and successfully computed the key");
373
374 /* Digest over reference element (#timestamp -> wsu:Timestamp) */
375 sipe_digest_sha1((guchar *) timestamp,
376 strlen(timestamp),
377 digest);
378 base64 = g_base64_encode(digest,
379 SIPE_DIGEST_SHA1_LENGTH);
380
381 /* XML-Sig: SignedInfo for reference element */
382 signed_info = g_strdup_printf("<SignedInfo xmlns=\"http://www.w3.org/2000/09/xmldsig#\">"
383 "<CanonicalizationMethod Algorithm=\"http://www.w3.org/2001/10/xml-exc-c14n#\"/>"
384 "<SignatureMethod Algorithm=\"http://www.w3.org/2000/09/xmldsig#hmac-sha1\"/>"
385 "<Reference URI=\"#timestamp\">"
386 "<Transforms>"
387 "<Transform Algorithm=\"http://www.w3.org/2001/10/xml-exc-c14n#\"/>"
388 "</Transforms>"
389 "<DigestMethod Algorithm=\"http://www.w3.org/2000/09/xmldsig#sha1\"/>"
390 "<DigestValue>%s</DigestValue>"
391 "</Reference>"
392 "</SignedInfo>",
393 base64);
394 g_free(base64);
395
396 /* XML-Sig: SignedInfo in canonical form */
397 canon = sipe_xml_exc_c14n(signed_info);
398 g_free(signed_info);
399
400 if (canon) {
401 gchar *signature;
402
403 /* calculate signature */
404 sipe_digest_hmac_sha1(key, entropy->length,
405 (guchar *)canon,
406 strlen(canon),
407 digest);
408 base64 = g_base64_encode(digest,
409 SIPE_DIGEST_HMAC_SHA1_LENGTH);
410
411 /* XML-Sig: Signature from SignedInfo + Key */
412 signature = g_strdup_printf("<Signature xmlns=\"http://www.w3.org/2000/09/xmldsig#\">"
413 " %s"
414 " <SignatureValue>%s</SignatureValue>"
415 " <KeyInfo>"
416 " <wsse:SecurityTokenReference wsse:TokenType=\"http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1\">"
417 " <wsse:KeyIdentifier ValueType=\"http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID\">%s</wsse:KeyIdentifier>"
418 " </wsse:SecurityTokenReference>"
419 " </KeyInfo>"
420 "</Signature>",
421 canon,
422 base64,
423 assertionID);
424 g_free(base64);
425 g_free(canon);
426
427 wsse_security = g_strconcat(timestamp,
428 keydata,
429 signature,
430 NULL);
431 g_free(signature);
432 }
433
434 }
435
436 g_free(key);
437 g_free(assertionID);
438 } else {
439 /* token doesn't require signature */
440 SIPE_DEBUG_INFO_NOFORMAT("generate_sha1_proof_wsse: found timestamp & keydata, no signing required");
441 wsse_security = g_strconcat(timestamp,
442 keydata,
443 NULL);
444 }
445
446 *expires = 0;
447 if (expires_string) {
448 *expires = sipe_utils_str_to_time(expires_string);
449 g_free(expires_string);
450 }
451 }
452
453 g_free(keydata);
454 g_free(timestamp);
455 return(wsse_security);
456 }
457
458 static gboolean federated_authentication(struct sipe_core_private *sipe_private,
459 struct webticket_callback_data *wcd);
460 static gboolean initiate_fedbearer(struct sipe_core_private *sipe_private,
461 struct webticket_callback_data *wcd);
462 static void webticket_token(struct sipe_core_private *sipe_private,
463 const gchar *uri,
464 const gchar *raw,
465 sipe_xml *soap_body,
466 gpointer callback_data)
467 {
468 struct webticket_callback_data *wcd = callback_data;
469 gboolean failed = TRUE;
470
471 if (soap_body) {
472 switch (wcd->token_state) {
473 case TOKEN_STATE_NONE:
474 SIPE_DEBUG_INFO_NOFORMAT("webticket_token: ILLEGAL STATE - should not happen...");
475 break;
476
477 case TOKEN_STATE_SERVICE: {
478 /* WebTicket for Web Service */
479 time_t expires;
480 gchar *wsse_security = generate_sha1_proof_wsse(raw,
481 wcd->requires_signing ? &wcd->entropy : NULL,
482 &expires);
483
484 if (wsse_security) {
485 /* cache takes ownership of wsse_security */
486 cache_token(sipe_private,
487 wcd->service_uri,
488 wcd->service_auth_uri,
489 wsse_security,
490 expires);
491 callback_execute(sipe_private,
492 wcd,
493 wcd->service_auth_uri,
494 wsse_security,
495 NULL);
496 failed = FALSE;
497 }
498 break;
499 }
500
501 case TOKEN_STATE_FEDERATION:
502 /* WebTicket from ADFS for federated authentication */
503 generate_federation_wsse(sipe_private->webticket,
504 raw);
505
506 if (sipe_private->webticket->adfs_token) {
507
508 SIPE_DEBUG_INFO("webticket_token: received valid SOAP message from ADFS %s",
509 uri);
510
511 if (federated_authentication(sipe_private,
512 wcd)) {
513 /* callback data passed down the line */
514 wcd = NULL;
515 }
516 }
517 break;
518
519 case TOKEN_STATE_FED_BEARER: {
520 /* WebTicket for federated authentication */
521 gchar *wsse_security = generate_fedbearer_wsse(raw);
522
523 if (wsse_security) {
524
525 SIPE_DEBUG_INFO("webticket_token: received valid SOAP message from service %s",
526 uri);
527
528 if (sipe_svc_webticket(sipe_private,
529 wcd->session,
530 wcd->webticket_fedbearer_uri,
531 wsse_security,
532 wcd->service_auth_uri,
533 &wcd->entropy,
534 webticket_token,
535 wcd)) {
536 wcd->token_state = TOKEN_STATE_SERVICE;
537
538 /* callback data passed down the line */
539 wcd = NULL;
540 }
541 g_free(wsse_security);
542 }
543 break;
544 }
545
546 /* end of: switch (wcd->token_state) { */
547 }
548
549 } else if (uri) {
550 /* Retry with federated authentication? */
551 if (wcd->webticket_fedbearer_uri) {
552
553 /* Authentication against ADFS failed? */
554 if (wcd->token_state == TOKEN_STATE_FEDERATION) {
555 struct sipe_webticket *webticket = sipe_private->webticket;
556
557 SIPE_DEBUG_INFO_NOFORMAT("webticket_token: ADFS authentication failed - assuming Multi-Factor Authentication (MFA)");
558
559 /* forget ADFS URI */
560 g_free(webticket->webticket_adfs_uri);
561 webticket->webticket_adfs_uri = NULL;
562 }
563
564 if (!wcd->tried_fedbearer) {
565 SIPE_DEBUG_INFO("webticket_token: anonymous authentication to service %s failed, retrying with federated authentication",
566 uri);
567
568 if (initiate_fedbearer(sipe_private, wcd)) {
569 /* callback data passed down the line */
570 wcd = NULL;
571 }
572 }
573 }
574 }
575
576 if (wcd) {
577 if (failed) {
578 gchar *failure_msg = NULL;
579
580 if (soap_body) {
581 failure_msg = sipe_xml_data(sipe_xml_child(soap_body,
582 "Body/Fault/Detail/error/internalerror/text"));
583 /* XML data can end in &#x000D;&#x000A; */
584 g_strstrip(failure_msg);
585 }
586
587 callback_execute(sipe_private,
588 wcd,
589 uri,
590 NULL,
591 failure_msg);
592 g_free(failure_msg);
593 }
594 callback_data_free(wcd);
595 }
596 }
597
598 static gboolean federated_authentication(struct sipe_core_private *sipe_private,
599 struct webticket_callback_data *wcd)
600 {
601 gboolean success;
602
603 if ((success = sipe_svc_webticket_lmc_federated(sipe_private,
604 wcd->session,
605 sipe_private->webticket->adfs_token,
606 wcd->webticket_fedbearer_uri,
607 webticket_token,
608 wcd)))
609 wcd->token_state = TOKEN_STATE_FED_BEARER;
610
611 /* If TRUE then callback data has been passed down the line */
612 return(success);
613 }
614
615 static gboolean fedbearer_authentication(struct sipe_core_private *sipe_private,
616 struct webticket_callback_data *wcd)
617 {
618 struct sipe_webticket *webticket = sipe_private->webticket;
619 gboolean success;
620
621 /* make sure a cached ADFS token is still valid for 60 seconds */
622 if (webticket->adfs_token &&
623 (webticket->adfs_token_expires >= time(NULL) + 60)) {
624
625 SIPE_DEBUG_INFO_NOFORMAT("fedbearer_authentication: reusing cached ADFS token");
626 success = federated_authentication(sipe_private, wcd);
627
628 } else if (webticket->webticket_adfs_uri) {
629 if ((success = sipe_svc_webticket_adfs(sipe_private,
630 wcd->session,
631 webticket->webticket_adfs_uri,
632 webticket_token,
633 wcd)))
634 wcd->token_state = TOKEN_STATE_FEDERATION;
635 } else {
636 if ((success = sipe_svc_webticket_lmc(sipe_private,
637 wcd->session,
638 wcd->webticket_fedbearer_uri,
639 webticket_token,
640 wcd)))
641 wcd->token_state = TOKEN_STATE_FED_BEARER;
642 }
643
644 /* If TRUE then callback data has been passed down the line */
645 return(success);
646 }
647
648 static void realminfo(struct sipe_core_private *sipe_private,
649 const gchar *uri,
650 SIPE_UNUSED_PARAMETER const gchar *raw,
651 sipe_xml *realminfo,
652 gpointer callback_data)
653 {
654 struct sipe_webticket *webticket = sipe_private->webticket;
655 struct webticket_callback_data *wcd = callback_data;
656
657 /* Only try retrieving of RealmInfo once */
658 webticket->retrieved_realminfo = TRUE;
659
660 /*
661 * We must specifically check for abort, because
662 * realminfo == NULL is a valid response
663 */
664 if (uri) {
665 if (realminfo) {
666 /* detect ADFS setup. See also:
667 *
668 * http://en.wikipedia.org/wiki/Active_Directory_Federation_Services
669 *
670 * NOTE: this is based on observed behaviour.
671 * It is unkown if this is documented somewhere...
672 */
673 SIPE_DEBUG_INFO("realminfo: data for user %s retrieved successfully",
674 sipe_private->username);
675
676 webticket->webticket_adfs_uri = sipe_xml_data(sipe_xml_child(realminfo,
677 "STSAuthURL"));
678 }
679
680 if (webticket->webticket_adfs_uri)
681 SIPE_DEBUG_INFO("realminfo: ADFS setup detected: %s",
682 webticket->webticket_adfs_uri);
683 else
684 SIPE_DEBUG_INFO_NOFORMAT("realminfo: no RealmInfo found or no ADFS setup detected - try direct login");
685
686 if (fedbearer_authentication(sipe_private, wcd)) {
687 /* callback data passed down the line */
688 wcd = NULL;
689 }
690 }
691
692 if (wcd) {
693 callback_execute(sipe_private,
694 wcd,
695 uri,
696 NULL,
697 NULL);
698 callback_data_free(wcd);
699 }
700 }
701
702 static gboolean initiate_fedbearer(struct sipe_core_private *sipe_private,
703 struct webticket_callback_data *wcd)
704 {
705 gboolean success;
706
707 if (sipe_private->webticket->retrieved_realminfo) {
708 /* skip retrieval and go to authentication */
709 wcd->tried_fedbearer = TRUE;
710 success = fedbearer_authentication(sipe_private, wcd);
711 } else {
712 success = sipe_svc_realminfo(sipe_private,
713 wcd->session,
714 realminfo,
715 wcd);
716 }
717
718 return(success);
719 }
720
721 static void webticket_metadata(struct sipe_core_private *sipe_private,
722 const gchar *uri,
723 SIPE_UNUSED_PARAMETER const gchar *raw,
724 sipe_xml *metadata,
725 gpointer callback_data)
726 {
727 struct webticket_callback_data *wcd = callback_data;
728
729 if (metadata) {
730 const sipe_xml *node;
731
732 SIPE_DEBUG_INFO("webticket_metadata: metadata for service %s retrieved successfully",
733 uri);
734
735 /* Authentication ports accepted by WebTicket Service */
736 for (node = sipe_xml_child(metadata, "service/port");
737 node;
738 node = sipe_xml_twin(node)) {
739 const gchar *auth_uri = sipe_xml_attribute(sipe_xml_child(node,
740 "address"),
741 "location");
742
743 if (auth_uri) {
744 if (sipe_strcase_equal(sipe_xml_attribute(node, "name"),
745 "WebTicketServiceWinNegotiate")) {
746 SIPE_DEBUG_INFO("webticket_metadata: WebTicket Windows Negotiate Auth URI %s", auth_uri);
747 g_free(wcd->webticket_negotiate_uri);
748 wcd->webticket_negotiate_uri = g_strdup(auth_uri);
749 } else if (sipe_strcase_equal(sipe_xml_attribute(node, "name"),
750 "WsFedBearer")) {
751 SIPE_DEBUG_INFO("webticket_metadata: WebTicket FedBearer Auth URI %s", auth_uri);
752 g_free(wcd->webticket_fedbearer_uri);
753 wcd->webticket_fedbearer_uri = g_strdup(auth_uri);
754 }
755 }
756 }
757
758 if (wcd->webticket_negotiate_uri || wcd->webticket_fedbearer_uri) {
759 gboolean success;
760
761 /* Entropy: 256 random bits */
762 if (!wcd->entropy.buffer)
763 sipe_tls_fill_random(&wcd->entropy, 256);
764
765 if (wcd->webticket_negotiate_uri) {
766 /* Try Negotiate authentication first */
767
768 success = sipe_svc_webticket(sipe_private,
769 wcd->session,
770 wcd->webticket_negotiate_uri,
771 NULL,
772 wcd->service_auth_uri,
773 &wcd->entropy,
774 webticket_token,
775 wcd);
776 wcd->token_state = TOKEN_STATE_SERVICE;
777 } else {
778 success = initiate_fedbearer(sipe_private,
779 wcd);
780 }
781
782 if (success) {
783 /* callback data passed down the line */
784 wcd = NULL;
785 }
786 }
787 }
788
789 if (wcd) {
790 callback_execute(sipe_private,
791 wcd,
792 uri,
793 NULL,
794 NULL);
795 callback_data_free(wcd);
796 }
797 }
798
799 static void service_metadata(struct sipe_core_private *sipe_private,
800 const gchar *uri,
801 SIPE_UNUSED_PARAMETER const gchar *raw,
802 sipe_xml *metadata,
803 gpointer callback_data)
804 {
805 struct webticket_callback_data *wcd = callback_data;
806
807 if (metadata) {
808 const sipe_xml *node;
809 gchar *policy = g_strdup_printf("%s_policy", wcd->service_port);
810 gchar *ticket_uri = NULL;
811
812 SIPE_DEBUG_INFO("webservice_metadata: metadata for service %s retrieved successfully",
813 uri);
814
815 /* WebTicket policies accepted by Web Service */
816 for (node = sipe_xml_child(metadata, "Policy");
817 node;
818 node = sipe_xml_twin(node)) {
819 if (sipe_strcase_equal(sipe_xml_attribute(node, "Id"),
820 policy)) {
821
822 SIPE_DEBUG_INFO_NOFORMAT("webservice_metadata: WebTicket policy found");
823
824 ticket_uri = sipe_xml_data(sipe_xml_child(node,
825 "ExactlyOne/All/EndorsingSupportingTokens/Policy/IssuedToken/Issuer/Address"));
826 if (ticket_uri) {
827 /* this token type requires signing */
828 wcd->requires_signing = TRUE;
829 } else {
830 /* try alternative token type */
831 ticket_uri = sipe_xml_data(sipe_xml_child(node,
832 "ExactlyOne/All/SignedSupportingTokens/Policy/IssuedToken/Issuer/Address"));
833 }
834 if (ticket_uri) {
835 SIPE_DEBUG_INFO("webservice_metadata: WebTicket URI %s", ticket_uri);
836 }
837 break;
838 }
839 }
840 g_free(policy);
841
842 if (ticket_uri) {
843
844 /* Authentication ports accepted by Web Service */
845 for (node = sipe_xml_child(metadata, "service/port");
846 node;
847 node = sipe_xml_twin(node)) {
848 if (sipe_strcase_equal(sipe_xml_attribute(node, "name"),
849 wcd->service_port)) {
850 const gchar *auth_uri;
851
852 SIPE_DEBUG_INFO_NOFORMAT("webservice_metadata: authentication port found");
853
854 auth_uri = sipe_xml_attribute(sipe_xml_child(node,
855 "address"),
856 "location");
857 if (auth_uri) {
858 SIPE_DEBUG_INFO("webservice_metadata: Auth URI %s", auth_uri);
859
860 if (sipe_svc_metadata(sipe_private,
861 wcd->session,
862 ticket_uri,
863 webticket_metadata,
864 wcd)) {
865 /* Remember for later */
866 wcd->service_auth_uri = g_strdup(auth_uri);
867
868 /* callback data passed down the line */
869 wcd = NULL;
870 }
871 }
872 break;
873 }
874 }
875 g_free(ticket_uri);
876 }
877 }
878
879 if (wcd) {
880 callback_execute(sipe_private,
881 wcd,
882 uri,
883 NULL,
884 NULL);
885 callback_data_free(wcd);
886 }
887 }
888
889 gboolean sipe_webticket_request(struct sipe_core_private *sipe_private,
890 struct sipe_svc_session *session,
891 const gchar *base_uri,
892 const gchar *port_name,
893 sipe_webticket_callback *callback,
894 gpointer callback_data)
895 {
896 struct sipe_webticket *webticket;
897 gboolean ret = FALSE;
898
899 sipe_webticket_init(sipe_private);
900 webticket = sipe_private->webticket;
901
902 if (webticket->shutting_down) {
903 SIPE_DEBUG_ERROR("sipe_webticket_request: new Web Ticket request during shutdown: THIS SHOULD NOT HAPPEN! Debugging information:\n"
904 "Base URI: %s\n"
905 "Port Name: %s\n",
906 base_uri,
907 port_name);
908
909 } else {
910 const struct webticket_token *wt = cache_hit(sipe_private, base_uri);
911
912 /* cache hit for this URI? */
913 if (wt) {
914 SIPE_DEBUG_INFO("sipe_webticket_request: using cached token for URI %s (Auth URI %s)",
915 base_uri, wt->auth_uri);
916 callback(sipe_private,
917 base_uri,
918 wt->auth_uri,
919 wt->token,
920 NULL,
921 callback_data);
922 ret = TRUE;
923 } else {
924 GHashTable *pending = webticket->pending;
925 struct webticket_callback_data *wcd = g_hash_table_lookup(pending,
926 base_uri);
927
928 /* is there already a pending request for this URI? */
929 if (wcd) {
930 SIPE_DEBUG_INFO("sipe_webticket_request: pending request found for URI %s - queueing",
931 base_uri);
932 queue_request(wcd, callback, callback_data);
933 ret = TRUE;
934 } else {
935 wcd = g_new0(struct webticket_callback_data, 1);
936
937 ret = sipe_svc_metadata(sipe_private,
938 session,
939 base_uri,
940 service_metadata,
941 wcd);
942
943 if (ret) {
944 wcd->service_uri = g_strdup(base_uri);
945 wcd->service_port = port_name;
946 wcd->callback = callback;
947 wcd->callback_data = callback_data;
948 wcd->session = session;
949 wcd->token_state = TOKEN_STATE_NONE;
950 g_hash_table_insert(pending,
951 wcd->service_uri, /* borrowed */
952 wcd); /* borrowed */
953 } else {
954 g_free(wcd);
955 }
956 }
957 }
958 }
959
960 return(ret);
961 }
962
963 /*
964 Local Variables:
965 mode: c
966 c-file-style: "bsd"
967 indent-tabs-mode: t
968 tab-width: 8
969 End:
970 */
A third-party Pidgin plugin for Microsoft LCS/OCS