1 /*************************************************************************
2 * Copyright 2009-2012 Eucalyptus Systems, Inc.
3 *
4 * This program is free software: you can redistribute it and/or modify
5 * it under the terms of the GNU General Public License as published by
6 * the Free Software Foundation; version 3 of the License.
7 *
8 * This program is distributed in the hope that it will be useful,
9 * but WITHOUT ANY WARRANTY; without even the implied warranty of
10 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
11 * GNU General Public License for more details.
12 *
13 * You should have received a copy of the GNU General Public License
14 * along with this program. If not, see http://www.gnu.org/licenses/.
15 *
16 * Please contact Eucalyptus Systems, Inc., 6755 Hollister Ave., Goleta
17 * CA 93117, USA or visit http://www.eucalyptus.com/licenses/ if you need
18 * additional information or have any questions.
19 *
20 * This file may incorporate work covered under the following copyright
21 * and permission notice:
22 *
23 * Software License Agreement (BSD License)
24 *
25 * Copyright (c) 2008, Regents of the University of California
26 * All rights reserved.
27 *
28 * Redistribution and use of this software in source and binary forms,
29 * with or without modification, are permitted provided that the
30 * following conditions are met:
31 *
32 * Redistributions of source code must retain the above copyright
33 * notice, this list of conditions and the following disclaimer.
34 *
35 * Redistributions in binary form must reproduce the above copyright
36 * notice, this list of conditions and the following disclaimer
37 * in the documentation and/or other materials provided with the
38 * distribution.
39 *
40 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
41 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
42 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
43 * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
44 * COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
45 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
46 * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
47 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
48 * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
50 * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
51 * POSSIBILITY OF SUCH DAMAGE. USERS OF THIS SOFTWARE ACKNOWLEDGE
52 * THE POSSIBLE PRESENCE OF OTHER OPEN SOURCE LICENSED MATERIAL,
53 * COPYRIGHTED MATERIAL OR PATENTED MATERIAL IN THIS SOFTWARE,
54 * AND IF ANY SUCH MATERIAL IS DISCOVERED THE PARTY DISCOVERING
55 * IT MAY INFORM DR. RICH WOLSKI AT THE UNIVERSITY OF CALIFORNIA,
56 * SANTA BARBARA WHO WILL THEN ASCERTAIN THE MOST APPROPRIATE REMEDY,
57 * WHICH IN THE REGENTS' DISCRETION MAY INCLUDE, WITHOUT LIMITATION,
58 * REPLACEMENT OF THE CODE SO IDENTIFIED, LICENSING OF THE CODE SO
59 * IDENTIFIED, OR WITHDRAWAL OF THE CODE CAPABILITY TO THE EXTENT
60 * NEEDED TO COMPLY WITH ANY SUCH LICENSES OR RIGHTS.
61 ************************************************************************/
62
63 /* BRIEF EXAMPLE MSG:
64 <soapenv:Envelope>.
65 <soapenv:Header>
66 [..snip..]
67 <wsse:Security>
68 [..snip..]
69 <wsse:BinarySecurityToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
70 EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
71 ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
72 wsu:Id="CertId-469">[..snip..]</wsse:BinarySecurityToken>
73 [..snip..]
74 <ds:Signature>
75 <ds:SignedInfo>
76 <!-- <ref-id> points to a signed element. Body, Timestamp, To, Action, and MessageId elements are expected to be signed -->
77 <ds:Reference URI="#<ref-id>">
78 [..snip..]
79 </ds:Reference>
80 </ds:SignedInfo>
81 <ds:KeyInfo Id="KeyId-374652">
82 <wsse:SecurityTokenReference xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="STRId-22112351">
83 <!-- this thing points to the wsse:BinarySecurityToken above -->
84 <wsse:Reference URI="#CertId-469" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
85 </wsse:SecurityTokenReference>
86 </ds:KeyInfo>
87 </ds:Signature>
88 </wsse:Security>
89 </soapenv:Header>
90 <soapenv:Body>...</soapenv:Body>
91 </soapenv:Envelope>.
92 */
93
94 #include "oxs_axiom.h"
95 #include "oxs_x509_cert.h"
96 #include "oxs_key_mgr.h"
97 #include "rampart_handler_util.h"
98 #include "rampart_sec_processed_result.h"
99 #include "rampart_error.h"
100 #include "axis2_op_ctx.h"
101 #include "rampart_context.h"
102 #include "rampart_constants.h"
103 #include "axis2_addr.h"
104 #include "axiom_util.h"
105 #include "rampart_timestamp_token.h"
106
107 #include <neethi_policy.h>
108 #include <neethi_util.h>
109 #include <axutil_utils.h>
110 #include <axis2_client.h>
111 #include <axis2_stub.h>
112
113 #include "misc.h" /* check_file, logprintf */
114 #include "fault.h" // log_eucafault
115 #include "euca_axis.h"
116
/*
 * Log an authentication failure, set RAMPART_ERROR_FAILED_AUTHENTICATION on
 * the Axis2 error object and return AXIS2_FAILURE from the *calling* function.
 * Requires `env` to be in scope. Note that #x stringizes the argument, so the
 * string-literal arguments used in this file are logged with their quotes.
 */
#define NO_U_FAIL(x) do{ \
    AXIS2_LOG_ERROR(env->log, AXIS2_LOG_SI, "[rampart][eucalyptus-verify] " #x );\
    AXIS2_ERROR_SET(env->error, RAMPART_ERROR_FAILED_AUTHENTICATION, AXIS2_FAILURE);\
    return AXIS2_FAILURE; \
}while(0)
122
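/**
 * Rampart post-processing hook that decides whether the signer of an incoming
 * SOAP message is trusted (presumably rampart has already verified the XML
 * signature itself -- this hook does not re-check it).
 *
 * It follows Security/Signature/KeyInfo/SecurityTokenReference/Reference to the
 * wsse:BinarySecurityToken that signed the message (only a BST direct reference
 * is supported), loads the X.509 certificate carried in it and requires that
 * certificate to be byte-identical to the receiver certificate file named by the
 * rampart policy. It then delegates to verify_references() to check that the
 * security-critical elements are signed and located where expected.
 *
 * @param env          Axis2 environment (log, error, allocator)
 * @param out_msg_ctx  outgoing message context, passed through to the
 *                     timestamp validation in verify_references()
 * @param op_ctx       operation context from which the incoming message
 *                     context is fetched
 * @return AXIS2_SUCCESS when the signing certificate is the configured one and
 *         every required element is signed; AXIS2_FAILURE otherwise (NO_U_FAIL
 *         also raises RAMPART_ERROR_FAILED_AUTHENTICATION on env->error)
 */
axis2_status_t __euca_authenticate(const axutil_env_t *env, axis2_msg_ctx_t *out_msg_ctx, axis2_op_ctx_t *op_ctx)
{
    /* incoming message context: everything below hangs off it */
    axis2_msg_ctx_t *msg_ctx = axis2_op_ctx_get_msg_ctx(op_ctx, env, AXIS2_WSDL_MESSAGE_LABEL_IN);
    if (!msg_ctx) NO_U_FAIL("Incoming message context cannot be found.");

    /* the rampart context carries the policy (receiver certificate file, clock skew) */
    rampart_context_t *rampart_context = NULL;
    axutil_property_t *property = axis2_msg_ctx_get_property(msg_ctx, env, RAMPART_CONTEXT);
    if (property) {
        rampart_context = (rampart_context_t *)axutil_property_get_value(property, env);
        rampart_print_security_processed_results_set(env, msg_ctx);
    }
    /* the receiver certificate file is read off the policy below; without a
     * rampart context that lookup would run on a NULL pointer, so fail here */
    if (!rampart_context) NO_U_FAIL("No rampart context -- required: policy");

    /* wsse:Security header */
    axiom_soap_envelope_t *soap_envelope = axis2_msg_ctx_get_soap_envelope(msg_ctx, env);
    if (!soap_envelope) NO_U_FAIL("SOAP envelope cannot be found.");
    axiom_soap_header_t *soap_header = axiom_soap_envelope_get_header(soap_envelope, env);
    if (!soap_header) NO_U_FAIL("SOAP header cannot be found.");
    axiom_node_t *sec_node = rampart_get_security_header(env, msg_ctx, soap_header);
    if (!sec_node) NO_U_FAIL("No node wsse:Security -- required: ws-security");

    /* Security/Signature/KeyInfo/SecurityTokenReference/Reference.
     * In theory SecurityTokenReference is the branching point for other token
     * kinds; only a BinarySecurityToken direct reference is handled here. */
    axiom_node_t *sig_node = oxs_axiom_get_first_child_node_by_name(env, sec_node, OXS_NODE_SIGNATURE, OXS_DSIG_NS, OXS_DS);
    if (!sig_node) NO_U_FAIL("No node ds:Signature -- required: signature");
    axiom_node_t *key_info_node = oxs_axiom_get_first_child_node_by_name(env, sig_node, OXS_NODE_KEY_INFO, OXS_DSIG_NS, NULL);
    if (!key_info_node) NO_U_FAIL("No node ds:KeyInfo -- required: signature key");
    axiom_node_t *sec_token_ref_node = oxs_axiom_get_first_child_node_by_name(env, key_info_node, OXS_NODE_SECURITY_TOKEN_REFRENCE, OXS_WSSE_XMLNS, NULL);
    if (!sec_token_ref_node) NO_U_FAIL("No node wsse:SecurityTokenReference -- required: signing token");
    axiom_node_t *token_ref_node = oxs_axiom_get_first_child_node_by_name(env, sec_token_ref_node, OXS_NODE_REFERENCE, OXS_WSSE_XMLNS, NULL);
    if (!token_ref_node) NO_U_FAIL("No node wsse:Reference -- required: token reference");

    /* the URI must be "#<wsu:Id of the BST>"; reject anything else instead of
     * blindly dropping the first character (same rule as verify_references()) */
    axis2_char_t *ref = oxs_token_get_reference(env, token_ref_node);
    if (ref == NULL || strlen(ref) == 0 || ref[0] != '#') NO_U_FAIL("Unsupported wsse:Reference URI -- required: #<Id>");
    /* strip the '#' on a private copy; ref_copy keeps the allocation to free */
    axis2_char_t *ref_copy = axutil_strdup(env, ref);
    if (!ref_copy) NO_U_FAIL("Out of memory copying wsse:Reference URI");
    axis2_char_t *ref_id = axutil_string_substring_starting_at(ref_copy, 1);

    /* the wsse:BinarySecurityToken the reference names */
    axiom_node_t *bst_node = ref_id ? oxs_axiom_get_node_by_id(env, sec_node, "Id", ref_id, OXS_WSU_XMLNS) : NULL;
    if (!bst_node) {
        oxs_error(env, OXS_ERROR_LOCATION, OXS_ERROR_ELEMENT_FAILED, "Error retrieving elementwith ID=%s", ref_id ? ref_id : "");
    }
    AXIS2_FREE(env->allocator, ref_copy);   /* ref_id is not needed past this point */
    if (!bst_node) NO_U_FAIL("Cant find the required node");

    /* the certificate carried by the BST.
     * NOTE(review): data, msg_x509_buf and recv_x509_buf are treated as
     * borrowed, as the original did -- confirm against the oxs ownership rules */
    axis2_char_t *data = oxs_axiom_get_node_content(env, bst_node);
    oxs_x509_cert_t *_cert = data ? oxs_key_mgr_load_x509_cert_from_string(env, data) : NULL;
    if (!_cert) {
        oxs_error(env, OXS_ERROR_LOCATION, OXS_ERROR_DEFAULT, "Cannot load certificate from string =%s", data ? data : "");
        NO_U_FAIL("Failed to build certificate from BinarySecurityToken");
    }
    axis2_char_t *msg_x509_buf = oxs_x509_cert_get_data(_cert, env);
    if (!msg_x509_buf) {
        oxs_x509_cert_free(_cert, env);
        NO_U_FAIL("OMG WHAT NOW?!");
    }

    /* the trusted certificate is the receiver certificate file named in the
     * policy (the older path that read an inline ReceiverCertificate value was
     * already disabled) */
    axis2_char_t *file_name = rampart_context_get_receiver_certificate_file(rampart_context, env);
    if (!file_name) {
        oxs_x509_cert_free(_cert, env);
        NO_U_FAIL("Policy for the service is incorrect -- ReceiverCertificate is not set!!");
    }
    if (check_file(file_name)) {
        oxs_x509_cert_free(_cert, env);
        NO_U_FAIL("No cert file ($EUCALYPTUS/var/lib/eucalyptus/keys/cloud-cert.pem) found, failing");
    }
    oxs_x509_cert_t *recv_cert = oxs_key_mgr_load_x509_cert_from_pem_file(env, file_name);
    if (!recv_cert) {
        oxs_x509_cert_free(_cert, env);
        NO_U_FAIL("could not populate receiver cert");
    }
    axis2_char_t *recv_x509_buf = oxs_x509_cert_get_data(recv_cert, env);

    /* the signer is trusted only if its certificate *is* the local one */
    if (!recv_x509_buf || axutil_strcmp(recv_x509_buf, msg_x509_buf) != 0) {
        AXIS2_LOG_CRITICAL(env->log, AXIS2_LOG_SI, " --------- Received x509 certificate value ---------");
        /* the certificate text arrived in the message: pass it as an argument,
         * never as the format string */
        AXIS2_LOG_CRITICAL(env->log, AXIS2_LOG_SI, "%s", msg_x509_buf);
        AXIS2_LOG_CRITICAL(env->log, AXIS2_LOG_SI, " --------- Local x509 certificate value! ---------");
        AXIS2_LOG_CRITICAL(env->log, AXIS2_LOG_SI, "%s", recv_x509_buf ? recv_x509_buf : "(none)");
        AXIS2_LOG_CRITICAL(env->log, AXIS2_LOG_SI, " ---------------------------------------------------");
        init_eucafaults(euca_this_component_name);
        log_eucafault("1009",
                      "sender", euca_client_component_name,
                      "receiver", euca_this_component_name,
                      "keys_dir", "$EUCALYPTUS/var/lib/eucalyptus/keys/",
                      NULL);
        oxs_x509_cert_free(_cert, env);
        oxs_x509_cert_free(recv_cert, env);
        NO_U_FAIL("The certificate specified is invalid!");
    }

    /* required elements (Body, Timestamp, To, Action, MessageId) must be
     * signed and in their expected locations; free the certificates on both
     * outcomes -- the failure path used to leak them */
    axis2_status_t status = verify_references(sig_node, env, out_msg_ctx, soap_envelope, rampart_context);
    oxs_x509_cert_free(_cert, env);
    oxs_x509_cert_free(recv_cert, env);
    return status == AXIS2_FAILURE ? AXIS2_FAILURE : AXIS2_SUCCESS;
}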
259
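/**
 * Verifies that Body, Timestamp, To, Action, and MessageId elements are signed and located
 * where expected by the application logic. Timestamp is checked for expiration regardless
 * of its actual location.
 *
 * Every ds:Reference under ds:SignedInfo is resolved by its wsu:Id inside the envelope and
 * handed to verify_node(), which checks the element's location and ticks the slot of the
 * required element it recognised. The message passes only when all five slots are set, so a
 * signature that covers fewer elements, or elements placed elsewhere, is rejected.
 *
 * @param sig_node         ds:Signature node of the wsse:Security header
 * @param env              Axis2 environment
 * @param msg_ctx          message context handed to the timestamp validation
 * @param envelope         SOAP envelope the references are resolved against
 * @param rampart_context  rampart policy (clock-skew buffer for the timestamp)
 * @return AXIS2_SUCCESS when every required element is signed and well located,
 *         AXIS2_FAILURE otherwise (NO_U_FAIL raises RAMPART_ERROR_FAILED_AUTHENTICATION)
 */
axis2_status_t verify_references(axiom_node_t *sig_node, const axutil_env_t *env, axis2_msg_ctx_t *msg_ctx,
                                 axiom_soap_envelope_t *envelope, rampart_context_t *rampart_context) {
    axiom_node_t *si_node = oxs_axiom_get_first_child_node_by_name(env, sig_node, OXS_NODE_SIGNEDINFO, OXS_DSIG_NS, OXS_DS);
    if (!si_node) {
        axis2_char_t *tmp = axiom_node_to_string(sig_node, env);
        AXIS2_LOG_DEBUG(env->log, AXIS2_LOG_SI, "[euca-rampart]sig = %s", tmp);
        if (tmp) AXIS2_FREE(env->allocator, tmp);   /* axiom_node_to_string() allocates */
        NO_U_FAIL("Couldn't find SignedInfo!");
    }

    axiom_element_t *parent_elem = axiom_node_get_data_element(si_node, env);
    if (!parent_elem) NO_U_FAIL("Could not get Reference elem");

    /* one slot per required element, in the order verify_node() fills them:
     * Body, Timestamp, Action, To, MessageId */
    enum { N_REQUIRED = 5 };
    short signed_elems[N_REQUIRED] = {0};

    axiom_node_t *envelope_node = axiom_soap_envelope_get_base_node(envelope, env);
    axutil_qname_t *qname = axutil_qname_create(env, OXS_NODE_REFERENCE, OXS_DSIG_NS, NULL);
    if (!qname) NO_U_FAIL("Could not create qname for ds:Reference");
    /* the iterator is not freed here, as before -- it appears to be kept by the
     * element; confirm against axiom_element_get_children_with_qname() */
    axiom_children_qname_iterator_t *qname_iter = axiom_element_get_children_with_qname(parent_elem, env, qname, si_node);

    axis2_status_t status = AXIS2_SUCCESS;
    while (qname_iter && axiom_children_qname_iterator_has_next(qname_iter, env)) {
        axiom_node_t *ref_node = axiom_children_qname_iterator_next(qname_iter, env);
        axis2_char_t *txt = axiom_node_to_string(ref_node, env);
        axis2_char_t *ref_copy = NULL;

        /* the reference must be a local "#<Id>" URI */
        axis2_char_t *ref = oxs_token_get_reference(env, ref_node);
        if (ref == NULL || strlen(ref) == 0 || ref[0] != '#') {
            oxs_error(env, OXS_ERROR_LOCATION, OXS_ERROR_ELEMENT_FAILED, "Unsupported reference ID in %s", txt);
            status = AXIS2_FAILURE;
        } else {
            AXIS2_LOG_DEBUG(env->log, AXIS2_LOG_SI, "[euca-rampart] %s, ref = %s", txt, ref);
            /* drop the '#' on a private copy; ref_copy keeps the allocation to free */
            ref_copy = axutil_strdup(env, ref);
            axis2_char_t *ref_id = ref_copy ? axutil_string_substring_starting_at(ref_copy, 1) : NULL;
            axiom_node_t *signed_node = ref_id ? oxs_axiom_get_node_by_id(env, envelope_node, OXS_ATTR_ID, ref_id, OXS_WSU_XMLNS) : NULL;
            if (!signed_node) {
                oxs_error(env, OXS_ERROR_LOCATION, OXS_ERROR_ELEMENT_FAILED, "Error retrieving elementwith ID=%s", ref_id ? ref_id : "");
                status = AXIS2_FAILURE;
            } else if (verify_node(signed_node, env, msg_ctx, ref, signed_elems, rampart_context)) {
                status = AXIS2_FAILURE;
            }
        }

        /* both were leaked on every iteration before */
        if (ref_copy) AXIS2_FREE(env->allocator, ref_copy);
        if (txt) AXIS2_FREE(env->allocator, txt);
        if (status == AXIS2_FAILURE) break;
    }

    axutil_qname_free(qname, env);
    if (status == AXIS2_FAILURE) NO_U_FAIL("Failed to verify location of signed elements!");

    /* all security-critical elements must have been among the signed ones */
    for (int i = 0; i < N_REQUIRED; i++) {
        if (signed_elems[i] == 0) NO_U_FAIL("Not all required elements are signed");
    }

    return status;
}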
346
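/**
 * Verifies XPath location of signed elements.
 *
 * Classifies signed_node by its local name, ticks its slot in signed_elems
 * (0 Body, 1 Timestamp, 2 Action, 3 To, 4 MessageId -- the order
 * verify_references() relies on) and checks that the element sits where the
 * application expects it: Body directly under the root Envelope, the
 * addressing headers under Envelope/Header. A signed Timestamp is additionally
 * validated for expiry using the policy's clock-skew buffer. Elements with any
 * other name are logged and accepted.
 *
 * NOTE(review): only the local name is compared; the element's namespace is
 * not checked, so an element with a matching local name in another namespace
 * would satisfy the check -- confirm whether that is acceptable.
 *
 * @param signed_node      element resolved from a ds:Reference
 * @param env              Axis2 environment
 * @param msg_ctx          message context handed to the timestamp validation
 * @param ref              the ds:Reference URI, used in log and error messages
 * @param signed_elems     five-slot array of flags, see above
 * @param rampart_context  rampart policy (clock-skew buffer)
 * @return 0 when the node is acceptable, 1 on a location or timestamp failure
 */
int verify_node(axiom_node_t *signed_node, const axutil_env_t *env, axis2_msg_ctx_t *msg_ctx, axis2_char_t *ref,
                short *signed_elems, rampart_context_t *rampart_context) {
    /* the three addressing headers share one location rule */
    const struct {
        const axis2_char_t *name;
        int slot;
        const char *label;
    } addr_hdrs[] = {
        { AXIS2_WSA_ACTION,     2, "Action" },
        { AXIS2_WSA_TO,         3, "To" },
        { AXIS2_WSA_MESSAGE_ID, 4, "MessageId" },
    };

    const axis2_char_t *name = axiom_util_get_localname(signed_node, env);

    if (!axutil_strcmp(OXS_NODE_BODY, name)) {
        AXIS2_LOG_DEBUG(env->log, AXIS2_LOG_SI, "[euca-rampart] node %s is Body", ref);
        signed_elems[0] = 1;

        /* Body must be a direct child of Envelope ... */
        axiom_node_t *parent = axiom_node_get_parent(signed_node, env);
        if (!parent || axutil_strcmp(OXS_NODE_ENVELOPE, axiom_util_get_localname(parent, env))) {
            oxs_error(env, OXS_ERROR_LOCATION, OXS_ERROR_ELEMENT_FAILED, "Unexpected parent element for Body with ID = %s", ref);
            return 1;
        }
        /* ... and that Envelope must be the document root */
        parent = axiom_node_get_parent(parent, env);
        if (parent) {
            axis2_char_t *txt = axiom_node_to_string(parent, env);
            AXIS2_LOG_DEBUG(env->log, AXIS2_LOG_SI, "[euca-rampart] parent of Envelope = %s", txt);
            if (txt) AXIS2_FREE(env->allocator, txt);   /* axiom_node_to_string() allocates */
            oxs_error(env, OXS_ERROR_LOCATION, OXS_ERROR_ELEMENT_FAILED, "Unexpected location of signed Body with ID = %s", ref);
            return 1;
        }
        return 0;
    }

    if (!axutil_strcmp(RAMPART_SECURITY_TIMESTAMP, name)) {
        AXIS2_LOG_DEBUG(env->log, AXIS2_LOG_SI, "[euca-rampart] node %s is Timestamp", ref);
        signed_elems[1] = 1;

        /* Regardless of the location of the Timestamp, verify the one that is signed */
        if (AXIS2_FAILURE == rampart_timestamp_token_validate(env, msg_ctx, signed_node,
                                                              rampart_context_get_clock_skew_buffer(rampart_context, env))) {
            oxs_error(env, OXS_ERROR_LOCATION, OXS_ERROR_ELEMENT_FAILED, "Validation failed for Timestamp with ID = %s", ref);
            return 1;
        }
        return 0;
    }

    for (size_t i = 0; i < sizeof addr_hdrs / sizeof addr_hdrs[0]; i++) {
        if (axutil_strcmp(addr_hdrs[i].name, name)) continue;
        AXIS2_LOG_DEBUG(env->log, AXIS2_LOG_SI, "[euca-rampart] node %s is %s", ref, addr_hdrs[i].label);
        signed_elems[addr_hdrs[i].slot] = 1;

        if (verify_addr_hdr_elem_loc(signed_node, env, ref)) {
            oxs_error(env, OXS_ERROR_LOCATION, OXS_ERROR_ELEMENT_FAILED, "Validation failed for %s with ID = %s", addr_hdrs[i].label, ref);
            return 1;
        }
        return 0;
    }

    /* anything else is tolerated: the required set is enforced by the caller */
    AXIS2_LOG_WARNING(env->log, AXIS2_LOG_SI, "[euca-rampart] node %s is UNKNOWN", ref);
    return 0;
}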
415
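/**
 * Verify that an addressing element is located in <Envelope>/<Header>
 *
 * Walks up from signed_node: its parent must be Header, the grandparent
 * Envelope, and that Envelope must have no parent of its own (document root).
 *
 * @param signed_node  the signed addressing header element (Action, To, MessageId)
 * @param env          Axis2 environment
 * @param ref          the ds:Reference URI, used only in error messages
 * @return 0 when the element is at Envelope/Header/<elem>, 1 otherwise
 */
int verify_addr_hdr_elem_loc(axiom_node_t *signed_node, const axutil_env_t *env, axis2_char_t *ref) {
    axiom_node_t *parent = axiom_node_get_parent(signed_node, env);
    if (!parent || axutil_strcmp(OXS_NODE_HEADER, axiom_util_get_localname(parent, env))) {
        axis2_char_t *txt = parent ? axiom_node_to_string(parent, env) : NULL;
        AXIS2_LOG_DEBUG(env->log, AXIS2_LOG_SI, "[euca-rampart] parent of addressing elem is %s", txt ? txt : "(none)");
        if (txt) AXIS2_FREE(env->allocator, txt);   /* axiom_node_to_string() allocates */
        oxs_error(env, OXS_ERROR_LOCATION, OXS_ERROR_ELEMENT_FAILED, "Unexpected location of signed addressing elem with ID = %s", ref);
        return 1;
    }

    parent = axiom_node_get_parent(parent, env);
    if (!parent || axutil_strcmp(OXS_NODE_ENVELOPE, axiom_util_get_localname(parent, env))) {
        axis2_char_t *txt = parent ? axiom_node_to_string(parent, env) : NULL;
        AXIS2_LOG_DEBUG(env->log, AXIS2_LOG_SI, "[euca-rampart] second parent of addressing elem is %s", txt ? txt : "(none)");
        if (txt) AXIS2_FREE(env->allocator, txt);
        oxs_error(env, OXS_ERROR_LOCATION, OXS_ERROR_ELEMENT_FAILED, "Unexpected location of signed addressing elem with ID = %s", ref);
        return 1;
    }

    /* Envelope must be the root: anything above it means this is not the
     * message's own Envelope/Header */
    parent = axiom_node_get_parent(parent, env);
    if (parent) {
        axis2_char_t *txt = axiom_node_to_string(parent, env);
        AXIS2_LOG_DEBUG(env->log, AXIS2_LOG_SI, "[euca-rampart] parent of Envelope = %s", txt);
        if (txt) AXIS2_FREE(env->allocator, txt);
        /* message used to say "signed Body" (copied from verify_node()); this is an addressing element */
        oxs_error(env, OXS_ERROR_LOCATION, OXS_ERROR_ELEMENT_FAILED, "Unexpected location of signed addressing elem with ID = %s", ref);
        return 1;
    }

    return 0;
}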
447
448
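/**
 * Engages the rampart module on the stub's service client and applies the
 * WS-Security policy read from policyFile.
 *
 * @param env         Axis2 environment
 * @param stub        generated client stub whose service client is configured
 * @param policyFile  path of the neethi policy XML file
 * @return 0 on success; 1 when the policy file is missing, the service client
 *         cannot be obtained, the policy cannot be read, or the policy is not
 *         accepted by the service client (each case is logged at EUCAERROR)
 */
int InitWSSEC(axutil_env_t *env, axis2_stub_t *stub, char *policyFile) {
    if (!policyFile) {
        logprintfl(EUCAERROR, "no policy file given for WS-Security\n");
        return (1);
    }

    axis2_svc_client_t *svc_client = axis2_stub_get_svc_client(stub, env);
    if (!svc_client) {
        logprintfl(EUCAERROR, "could not get svc_client from stub\n");
        return (1);
    }

    /* the policy below only takes effect with rampart engaged; the result was
     * never checked before, so only warn rather than change the outcome */
    if (axis2_svc_client_engage_module(svc_client, env, "rampart") != AXIS2_SUCCESS) {
        logprintfl(EUCAWARN, "could not engage rampart module on svc_client\n");
    }

    neethi_policy_t *policy = neethi_util_create_policy_from_file(env, policyFile);
    if (!policy) {
        logprintfl(EUCAERROR, "could not initialize policy file %s\n", policyFile);
        return (1);
    }

    /* the status used to be stored and ignored, so a rejected policy left the
     * client running without WS-Security while reporting success */
    if (axis2_svc_client_set_policy(svc_client, env, policy) != AXIS2_SUCCESS) {
        logprintfl(EUCAERROR, "could not apply policy file %s to svc_client\n", policyFile);
        return (1);
    }

    return (0);
}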