1 /*************************************************************************
2 * Copyright 2009-2012 Eucalyptus Systems, Inc.
3 *
4 * This program is free software: you can redistribute it and/or modify
5 * it under the terms of the GNU General Public License as published by
6 * the Free Software Foundation; version 3 of the License.
7 *
8 * This program is distributed in the hope that it will be useful,
9 * but WITHOUT ANY WARRANTY; without even the implied warranty of
10 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
11 * GNU General Public License for more details.
12 *
13 * You should have received a copy of the GNU General Public License
14 * along with this program. If not, see http://www.gnu.org/licenses/.
15 *
16 * Please contact Eucalyptus Systems, Inc., 6755 Hollister Ave., Goleta
17 * CA 93117, USA or visit http://www.eucalyptus.com/licenses/ if you need
18 * additional information or have any questions.
19 *
20 * This file may incorporate work covered under the following copyright
21 * and permission notice:
22 *
23 * Software License Agreement (BSD License)
24 *
25 * Copyright (c) 2008, Regents of the University of California
26 * All rights reserved.
27 *
28 * Redistribution and use of this software in source and binary forms,
29 * with or without modification, are permitted provided that the
30 * following conditions are met:
31 *
32 * Redistributions of source code must retain the above copyright
33 * notice, this list of conditions and the following disclaimer.
34 *
35 * Redistributions in binary form must reproduce the above copyright
36 * notice, this list of conditions and the following disclaimer
37 * in the documentation and/or other materials provided with the
38 * distribution.
39 *
40 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
41 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
42 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
43 * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
44 * COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
45 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
46 * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
47 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
48 * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
50 * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
51 * POSSIBILITY OF SUCH DAMAGE. USERS OF THIS SOFTWARE ACKNOWLEDGE
52 * THE POSSIBLE PRESENCE OF OTHER OPEN SOURCE LICENSED MATERIAL,
53 * COPYRIGHTED MATERIAL OR PATENTED MATERIAL IN THIS SOFTWARE,
54 * AND IF ANY SUCH MATERIAL IS DISCOVERED THE PARTY DISCOVERING
55 * IT MAY INFORM DR. RICH WOLSKI AT THE UNIVERSITY OF CALIFORNIA,
56 * SANTA BARBARA WHO WILL THEN ASCERTAIN THE MOST APPROPRIATE REMEDY,
57 * WHICH IN THE REGENTS' DISCRETION MAY INCLUDE, WITHOUT LIMITATION,
58 * REPLACEMENT OF THE CODE SO IDENTIFIED, LICENSING OF THE CODE SO
59 * IDENTIFIED, OR WITHDRAWAL OF THE CODE CAPABILITY TO THE EXTENT
60 * NEEDED TO COMPLY WITH ANY SUCH LICENSES OR RIGHTS.
61 ************************************************************************/
62
63 /* BRIEF EXAMPLE MSG:
64 <soapenv:Envelope>.
65 <soapenv:Header>
66 [..snip..]
67 <wsse:Security>
68 [..snip..]
69 <wsse:BinarySecurityToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
70 EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
71 ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
72 wsu:Id="CertId-469">[..snip..]</wsse:BinarySecurityToken>
73 [..snip..]
74 <ds:Signature>
75 <ds:SignedInfo>
76 <!-- <ref-id> points to a signed element. Body, Timestamp, To, Action, and MessageId element are expected to be signed-->
<ds:Reference URI="#<ref-id>">
78 [..snip..]
79 </ds:Reference>
80 </ds:SignedInfo>
81 <ds:KeyInfo Id="KeyId-374652">
82 <wsse:SecurityTokenReference xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="STRId-22112351">
83 <!-- this thing points to the wsse:BinarySecurityToken above -->
84 <wsse:Reference URI="#CertId-469" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
85 </wsse:SecurityTokenReference>
86 </ds:KeyInfo>
87 </ds:Signature>
88 </wsse:Security>
89 </soapenv:Header>
90 <soapenv:Body>...</soapenv:Body>
91 </soapenv:Envelope>.
92 */
93
94 #include "oxs_axiom.h"
95 #include "oxs_x509_cert.h"
96 #include "oxs_key_mgr.h"
97 #include "rampart_handler_util.h"
98 #include "rampart_sec_processed_result.h"
99 #include "rampart_error.h"
100 #include "axis2_op_ctx.h"
101 #include "rampart_context.h"
102 #include "rampart_constants.h"
103 #include "axis2_addr.h"
104 #include "axiom_util.h"
105 #include "rampart_timestamp_token.h"
106
107 #include <neethi_policy.h>
108 #include <neethi_util.h>
109 #include <axutil_utils.h>
110 #include <axis2_client.h>
111 #include <axis2_stub.h>
112
113 #include "misc.h" /* check_file, logprintf */
114 #include "fault.h" // log_eucafault
115 #include "euca_axis.h"
116
/*
 * Fail the current authentication step: log `x` under the eucalyptus-verify
 * tag, record RAMPART_ERROR_FAILED_AUTHENTICATION on env->error and return
 * AXIS2_FAILURE from the *enclosing* function.
 *
 * Relies on a `const axutil_env_t *env` being in scope and on the enclosing
 * function returning axis2_status_t. `x` is stringised with #x, so a string
 * literal argument is logged with its quotes included. Because the macro
 * returns immediately, any resource the caller already holds (loaded
 * certificates, duplicated strings) must be released before invoking it.
 */
#define NO_U_FAIL(x) do{ \
AXIS2_LOG_ERROR(env->log, AXIS2_LOG_SI, "[rampart][eucalyptus-verify] " #x );\
AXIS2_ERROR_SET(env->error, RAMPART_ERROR_FAILED_AUTHENTICATION, AXIS2_FAILURE);\
return AXIS2_FAILURE; \
}while(0)
122
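/* Defined later in this file. */
axis2_status_t verify_references(axiom_node_t *sig_node, const axutil_env_t *env, axis2_msg_ctx_t *msg_ctx,
                                 axiom_soap_envelope_t *envelope, rampart_context_t *rampart_context);

/**
 * Authenticates an incoming, Rampart-processed SOAP request by pinning the
 * signing certificate.
 *
 * Walks wsse:Security/ds:Signature/ds:KeyInfo/wsse:SecurityTokenReference/
 * wsse:Reference to the wsse:BinarySecurityToken (BST) that carries the
 * signer's X.509 certificate and requires that certificate to be
 * byte-identical to the one in the ReceiverCertificate file named by the
 * service's Rampart policy. It then calls verify_references() to check that
 * Body, Timestamp, To, Action and MessageId are signed and located where the
 * application expects them (defence against XML signature wrapping).
 *
 * Only the "BST direct reference" token style is supported, and the BST is
 * looked up inside this wsse:Security header only.
 *
 * NOTE(review): this function does not itself verify the XML signature; it
 * assumes the Rampart in-flow handler has already done so using the same
 * ds:Signature element walked here -- confirm against the handler chain.
 *
 * @param env          Axis2 environment (logging, error, allocator).
 * @param out_msg_ctx  Message context handed to verify_references() (and from
 *                     there to the timestamp validator); presumably intended,
 *                     confirm against the caller.
 * @param op_ctx       Operation context; the IN message context is read from it.
 * @return AXIS2_SUCCESS if the signer is the pinned certificate and all
 *         required elements are correctly signed; AXIS2_FAILURE otherwise,
 *         with RAMPART_ERROR_FAILED_AUTHENTICATION set on env->error.
 */
axis2_status_t __euca_authenticate(const axutil_env_t *env, axis2_msg_ctx_t *out_msg_ctx, axis2_op_ctx_t *op_ctx)
{
    axis2_msg_ctx_t *msg_ctx = NULL;
    rampart_context_t *rampart_context = NULL;
    axutil_property_t *property = NULL;
    axiom_soap_envelope_t *soap_envelope = NULL;
    axiom_soap_header_t *soap_header = NULL;
    axiom_node_t *sec_node = NULL;
    axiom_node_t *sig_node = NULL;
    axiom_node_t *key_info_node = NULL;
    axiom_node_t *sec_token_ref_node = NULL;
    axiom_node_t *token_ref_node = NULL;
    axiom_node_t *bst_node = NULL;
    axis2_char_t *ref = NULL;
    axis2_char_t *ref_id = NULL;          /* allocated copy of the URI without '#' */
    axis2_char_t *data = NULL;
    axis2_char_t *file_name = NULL;
    axis2_char_t *msg_x509_buf = NULL;
    axis2_char_t *recv_x509_buf = NULL;
    oxs_x509_cert_t *msg_cert = NULL;     /* certificate carried in the request */
    oxs_x509_cert_t *recv_cert = NULL;    /* pinned certificate from the policy file */
    axis2_status_t status = AXIS2_FAILURE;

    /* Same logging/error semantics as NO_U_FAIL, but jumps to `cleanup` so
     * ref_id and both certificates are released on every failure path. */
#define AUTH_FAIL(x) do { \
    AXIS2_LOG_ERROR(env->log, AXIS2_LOG_SI, "[rampart][eucalyptus-verify] " #x ); \
    AXIS2_ERROR_SET(env->error, RAMPART_ERROR_FAILED_AUTHENTICATION, AXIS2_FAILURE); \
    status = AXIS2_FAILURE; \
    goto cleanup; \
} while (0)

    /* The incoming message context; everything below is read from it. */
    msg_ctx = axis2_op_ctx_get_msg_ctx(op_ctx, env, AXIS2_WSDL_MESSAGE_LABEL_IN);
    if (!msg_ctx) AUTH_FAIL("Incoming message context cannot be found.");

    property = axis2_msg_ctx_get_property(msg_ctx, env, RAMPART_CONTEXT);
    if (property) {
        rampart_context = (rampart_context_t *)axutil_property_get_value(property, env);
        rampart_print_security_processed_results_set(env, msg_ctx);
    }
    /* The receiver certificate path and the clock-skew buffer both come from
     * the Rampart context; without it there is nothing to pin against. */
    if (!rampart_context) AUTH_FAIL("No Rampart context on the message -- required: ws-security policy");

    /* Locate the wsse:Security header. */
    soap_envelope = axis2_msg_ctx_get_soap_envelope(msg_ctx, env);
    if (!soap_envelope) AUTH_FAIL("SOAP envelope cannot be found.");
    soap_header = axiom_soap_envelope_get_header(soap_envelope, env);
    if (!soap_header) AUTH_FAIL("SOAP header cannot be found.");
    sec_node = rampart_get_security_header(env, msg_ctx, soap_header);
    if (!sec_node) AUTH_FAIL("No node wsse:Security -- required: ws-security");

    /* Security/Signature/KeyInfo/SecurityTokenReference/Reference */
    sig_node = oxs_axiom_get_first_child_node_by_name(env, sec_node, OXS_NODE_SIGNATURE, OXS_DSIG_NS, OXS_DS);
    if (!sig_node) AUTH_FAIL("No node ds:Signature -- required: signature");
    key_info_node = oxs_axiom_get_first_child_node_by_name(env, sig_node, OXS_NODE_KEY_INFO, OXS_DSIG_NS, NULL);
    if (!key_info_node) AUTH_FAIL("No node ds:KeyInfo -- required: signature key");
    sec_token_ref_node = oxs_axiom_get_first_child_node_by_name(env, key_info_node, OXS_NODE_SECURITY_TOKEN_REFRENCE, OXS_WSSE_XMLNS, NULL);
    if (!sec_token_ref_node) AUTH_FAIL("No node wsse:SecurityTokenReference -- required: signing token");
    token_ref_node = oxs_axiom_get_first_child_node_by_name(env, sec_token_ref_node, OXS_NODE_REFERENCE, OXS_WSSE_XMLNS, NULL);
    if (!token_ref_node) AUTH_FAIL("No node wsse:Reference -- required: BST direct reference");

    /* Only same-document references ("#id") are meaningful here; anything
     * else would otherwise have its first character silently chopped off. */
    ref = oxs_token_get_reference(env, token_ref_node);
    if (!ref || ref[0] != '#' || ref[1] == '\0') AUTH_FAIL("Unsupported wsse:Reference URI -- required: #<wsu:Id>");
    ref_id = axutil_strdup(env, ref + 1);
    if (!ref_id) AUTH_FAIL("Out of memory copying wsse:Reference URI");

    /* The BST must live inside this wsse:Security header, not anywhere in the envelope. */
    bst_node = oxs_axiom_get_node_by_id(env, sec_node, "Id", ref_id, OXS_WSU_XMLNS);
    if (!bst_node) {
        oxs_error(env, OXS_ERROR_LOCATION, OXS_ERROR_ELEMENT_FAILED, "Error retrieving elementwith ID=%s", ref_id);
        AUTH_FAIL("Cant find the required node");
    }

    /* Turn the BST content into a certificate object. */
    data = oxs_axiom_get_node_content(env, bst_node);
    if (!data) AUTH_FAIL("BinarySecurityToken is empty");
    msg_cert = oxs_key_mgr_load_x509_cert_from_string(env, data);
    if (!msg_cert) {
        oxs_error(env, OXS_ERROR_LOCATION, OXS_ERROR_DEFAULT, "Cannot load certificate from string =%s", data);
        AUTH_FAIL("Failed to build certificate from BinarySecurityToken");
    }
    msg_x509_buf = oxs_x509_cert_get_data(msg_cert, env);
    if (!msg_x509_buf) AUTH_FAIL("OMG WHAT NOW?!");

    /* Load the pinned certificate named by the policy's ReceiverCertificate. */
    file_name = rampart_context_get_receiver_certificate_file(rampart_context, env);
    if (!file_name) AUTH_FAIL("Policy for the service is incorrect -- ReceiverCertificate is not set!!");
    if (check_file(file_name)) AUTH_FAIL("No cert file ($EUCALYPTUS/var/lib/eucalyptus/keys/cloud-cert.pem) found, failing");
    recv_cert = oxs_key_mgr_load_x509_cert_from_pem_file(env, file_name);
    if (!recv_cert) AUTH_FAIL("could not populate receiver cert");
    recv_x509_buf = oxs_x509_cert_get_data(recv_cert, env);
    if (!recv_x509_buf) AUTH_FAIL("could not read receiver cert data");

    /* Pinning: the signer must present exactly the configured certificate. */
    if (axutil_strcmp(recv_x509_buf, msg_x509_buf) != 0) {
        /* Both buffers are passed as %s arguments. msg_x509_buf is derived
         * from the request and must never be used as the format string. */
        AXIS2_LOG_CRITICAL(env->log, AXIS2_LOG_SI, " --------- Received x509 certificate value ---------");
        AXIS2_LOG_CRITICAL(env->log, AXIS2_LOG_SI, "%s", msg_x509_buf);
        AXIS2_LOG_CRITICAL(env->log, AXIS2_LOG_SI, " --------- Local x509 certificate value! ---------");
        AXIS2_LOG_CRITICAL(env->log, AXIS2_LOG_SI, "%s", recv_x509_buf);
        AXIS2_LOG_CRITICAL(env->log, AXIS2_LOG_SI, " ---------------------------------------------------");
        init_eucafaults(euca_this_component_name);
        log_eucafault("1009",
                      "sender", euca_client_component_name,
                      "receiver", euca_this_component_name,
                      "keys_dir", "$EUCALYPTUS/var/lib/eucalyptus/keys/",
                      NULL);
        AUTH_FAIL("The certificate specified is invalid!");
    }

    /* The signature must cover the right elements in the right places.
     * verify_references() has already logged and set the error on failure. */
    if (verify_references(sig_node, env, out_msg_ctx, soap_envelope, rampart_context) == AXIS2_FAILURE) {
        status = AXIS2_FAILURE;
        goto cleanup;
    }

    status = AXIS2_SUCCESS;

cleanup:
    /* oxs_x509_cert_free() is not known to be NULL-safe, hence the guards. */
    if (msg_cert) oxs_x509_cert_free(msg_cert, env);
    if (recv_cert) oxs_x509_cert_free(recv_cert, env);
    if (ref_id) AXIS2_FREE(env->allocator, ref_id);
    return status;
#undef AUTH_FAIL
}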
259
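/* Defined later in this file. */
int verify_node(axiom_node_t *signed_node, const axutil_env_t *env, axis2_msg_ctx_t *msg_ctx, axis2_char_t *ref,
                short *signed_elems, rampart_context_t *rampart_context);

/**
 * Verifies that Body, Timestamp, To, Action and MessageId are all covered by
 * the signature and sit where the application logic expects them. Each
 * ds:Reference under ds:SignedInfo is resolved by wsu:Id from the envelope
 * root and handed to verify_node(), which records which required element it
 * is and checks its position. The signed Timestamp is validated for freshness
 * regardless of where it sits.
 *
 * Fails closed: a malformed or unresolvable reference, a misplaced element,
 * or any of the five required elements missing from the signature is a
 * failure.
 *
 * NOTE(review): references are resolved with oxs_axiom_get_node_by_id() over
 * the envelope root, which returns the first match. This assumes Rampart's
 * signature verification resolved the same URIs the same way, so duplicate
 * wsu:Id values cannot make the two disagree -- confirm; rejecting duplicate
 * Ids outright would be stricter.
 *
 * @param sig_node         the ds:Signature element
 * @param env              Axis2 environment
 * @param msg_ctx          message context handed to the timestamp validator
 * @param envelope         the SOAP envelope the references are resolved in
 * @param rampart_context  source of the clock-skew buffer for Timestamp checks
 * @return AXIS2_SUCCESS if every required element is signed and well placed,
 *         AXIS2_FAILURE otherwise (error set via NO_U_FAIL).
 */
axis2_status_t verify_references(axiom_node_t *sig_node, const axutil_env_t *env, axis2_msg_ctx_t *msg_ctx,
                                 axiom_soap_envelope_t *envelope, rampart_context_t *rampart_context) {
    axiom_node_t *si_node = NULL;
    axiom_node_t *ref_node = NULL;
    axiom_element_t *si_elem = NULL;
    axiom_node_t *envelope_node = NULL;
    axutil_qname_t *qname = NULL;
    axiom_children_qname_iterator_t *qname_iter = NULL;
    axis2_status_t status = AXIS2_SUCCESS;
    /* [0]=Body [1]=Timestamp [2]=Action [3]=To [4]=MessageId, as set by verify_node() */
    short signed_elems[5] = {0, 0, 0, 0, 0};

    si_node = oxs_axiom_get_first_child_node_by_name(env, sig_node, OXS_NODE_SIGNEDINFO, OXS_DSIG_NS, OXS_DS);
    if (!si_node) {
        axis2_char_t *tmp = axiom_node_to_string(sig_node, env);
        AXIS2_LOG_DEBUG(env->log, AXIS2_LOG_SI, "[euca-rampart]sig = %s", tmp);
        if (tmp) AXIS2_FREE(env->allocator, tmp);
        NO_U_FAIL("Couldn't find SignedInfo!");
    }

    si_elem = axiom_node_get_data_element(si_node, env);
    if (!si_elem) NO_U_FAIL("Could not get Reference elem");

    envelope_node = axiom_soap_envelope_get_base_node(envelope, env);
    if (!envelope_node) NO_U_FAIL("SOAP envelope has no base node");

    /* Walk every ds:Reference child of ds:SignedInfo. */
    qname = axutil_qname_create(env, OXS_NODE_REFERENCE, OXS_DSIG_NS, NULL);
    qname_iter = axiom_element_get_children_with_qname(si_elem, env, qname, si_node);
    while (qname_iter && axiom_children_qname_iterator_has_next(qname_iter, env)) {
        axis2_char_t *txt = NULL;      /* serialised reference, for diagnostics */
        axis2_char_t *ref = NULL;
        axis2_char_t *ref_id = NULL;   /* allocated copy of the URI without '#' */
        axiom_node_t *signed_node = NULL;

        ref_node = axiom_children_qname_iterator_next(qname_iter, env);
        txt = axiom_node_to_string(ref_node, env);

        /* Only same-document references are supported. */
        ref = oxs_token_get_reference(env, ref_node);
        if (ref == NULL || ref[0] != '#') {
            oxs_error(env, OXS_ERROR_LOCATION, OXS_ERROR_ELEMENT_FAILED, "Unsupported reference ID in %s", txt ? txt : "");
            status = AXIS2_FAILURE;
        } else {
            AXIS2_LOG_DEBUG(env->log, AXIS2_LOG_SI, "[euca-rampart] %s, ref = %s", txt, ref);
            ref_id = axutil_strdup(env, ref + 1);
            signed_node = oxs_axiom_get_node_by_id(env, envelope_node, OXS_ATTR_ID, ref_id, OXS_WSU_XMLNS);
            if (!signed_node) {
                oxs_error(env, OXS_ERROR_LOCATION, OXS_ERROR_ELEMENT_FAILED, "Error retrieving elementwith ID=%s", ref_id);
                status = AXIS2_FAILURE;
            } else if (verify_node(signed_node, env, msg_ctx, ref, signed_elems, rampart_context)) {
                status = AXIS2_FAILURE;
            }
        }

        /* Both strings are allocated per iteration; release them before the next one. */
        if (txt) AXIS2_FREE(env->allocator, txt);
        if (ref_id) AXIS2_FREE(env->allocator, ref_id);
        if (status == AXIS2_FAILURE) break;
    }

    axutil_qname_free(qname, env);
    qname = NULL;

    if (status == AXIS2_FAILURE) {
        NO_U_FAIL("Failed to verify location of signed elements!");
    }

    /* Fail closed: every security-critical element must have been seen. */
    for (int i = 0; i < 5; i++) {
        if (signed_elems[i] == 0) {
            NO_U_FAIL("Not all required elements are signed");
        }
    }

    return status;
}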
346
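/* Defined later in this file. */
int verify_addr_hdr_elem_loc(axiom_node_t *signed_node, const axutil_env_t *env, axis2_char_t *ref);

/**
 * Checks one signed element: records which of the five required elements it
 * is (in signed_elems) and verifies that it sits where the application will
 * read it, so that a validly signed copy cannot be moved elsewhere while an
 * unsigned substitute takes its place (XML signature wrapping).
 *
 * Expected locations, compared by local name only:
 *   Body                  -> /Envelope/Body, with Envelope the document root
 *   Timestamp             -> anywhere; the signed copy itself is validated
 *                            for freshness against the policy's clock-skew buffer
 *   Action, To, MessageId -> /Envelope/Header/<elem> (verify_addr_hdr_elem_loc)
 * Any other signed element is logged as UNKNOWN and accepted.
 *
 * NOTE(review): namespaces are not compared; this relies on the SOAP builder
 * having already rejected foreign elements in the Envelope/Header positions
 * -- confirm, or compare namespaces as well.
 *
 * @param signed_node      element resolved from a ds:Reference URI
 * @param env              Axis2 environment
 * @param msg_ctx          message context handed to the timestamp validator
 * @param ref              the reference URI, used only in log/error text
 * @param signed_elems     five flags: [0]=Body [1]=Timestamp [2]=Action [3]=To [4]=MessageId
 * @param rampart_context  source of the clock-skew buffer for Timestamp checks
 * @return 0 if the element is acceptable, 1 on any violation (reported via oxs_error)
 */
int verify_node(axiom_node_t *signed_node, const axutil_env_t *env, axis2_msg_ctx_t *msg_ctx, axis2_char_t *ref,
                short *signed_elems, rampart_context_t *rampart_context) {
    axis2_char_t *localname = axiom_util_get_localname(signed_node, env);

    if (!axutil_strcmp(OXS_NODE_BODY, localname)) {
        axiom_node_t *parent = NULL;

        AXIS2_LOG_DEBUG(env->log, AXIS2_LOG_SI, "[euca-rampart] node %s is Body", ref);
        signed_elems[0] = 1;

        /* Body must be a direct child of Envelope ... */
        parent = axiom_node_get_parent(signed_node, env);
        if (!parent || axutil_strcmp(OXS_NODE_ENVELOPE, axiom_util_get_localname(parent, env))) {
            oxs_error(env, OXS_ERROR_LOCATION, OXS_ERROR_ELEMENT_FAILED, "Unexpected parent element for Body with ID = %s", ref);
            return 1;
        }
        /* ... and that Envelope must be the document root; anything deeper is a wrapped copy. */
        parent = axiom_node_get_parent(parent, env);
        if (parent) {
            axis2_char_t *txt = axiom_node_to_string(parent, env);
            AXIS2_LOG_DEBUG(env->log, AXIS2_LOG_SI, "[euca-rampart] parent of Envelope = %s", txt);
            if (txt) AXIS2_FREE(env->allocator, txt);
            oxs_error(env, OXS_ERROR_LOCATION, OXS_ERROR_ELEMENT_FAILED, "Unexpected location of signed Body with ID = %s", ref);
            return 1;
        }
        return 0;
    }

    if (!axutil_strcmp(RAMPART_SECURITY_TIMESTAMP, localname)) {
        AXIS2_LOG_DEBUG(env->log, AXIS2_LOG_SI, "[euca-rampart] node %s is Timestamp", ref);
        signed_elems[1] = 1;

        /* Location is irrelevant: whichever Timestamp is signed is the one checked for expiry. */
        if (AXIS2_FAILURE == rampart_timestamp_token_validate(env, msg_ctx, signed_node,
                                                             rampart_context_get_clock_skew_buffer(rampart_context, env))) {
            oxs_error(env, OXS_ERROR_LOCATION, OXS_ERROR_ELEMENT_FAILED, "Validation failed for Timestamp with ID = %s", ref);
            return 1;
        }
        return 0;
    }

    if (!axutil_strcmp(AXIS2_WSA_ACTION, localname)) {
        AXIS2_LOG_DEBUG(env->log, AXIS2_LOG_SI, "[euca-rampart] node %s is Action", ref);
        signed_elems[2] = 1;
        if (verify_addr_hdr_elem_loc(signed_node, env, ref)) {
            oxs_error(env, OXS_ERROR_LOCATION, OXS_ERROR_ELEMENT_FAILED, "Validation failed for Action with ID = %s", ref);
            return 1;
        }
        return 0;
    }

    if (!axutil_strcmp(AXIS2_WSA_TO, localname)) {
        AXIS2_LOG_DEBUG(env->log, AXIS2_LOG_SI, "[euca-rampart] node %s is To", ref);
        signed_elems[3] = 1;
        if (verify_addr_hdr_elem_loc(signed_node, env, ref)) {
            oxs_error(env, OXS_ERROR_LOCATION, OXS_ERROR_ELEMENT_FAILED, "Validation failed for To with ID = %s", ref);
            return 1;
        }
        return 0;
    }

    if (!axutil_strcmp(AXIS2_WSA_MESSAGE_ID, localname)) {
        AXIS2_LOG_DEBUG(env->log, AXIS2_LOG_SI, "[euca-rampart] node %s is MessageId", ref);
        signed_elems[4] = 1;
        if (verify_addr_hdr_elem_loc(signed_node, env, ref)) {
            oxs_error(env, OXS_ERROR_LOCATION, OXS_ERROR_ELEMENT_FAILED, "Validation failed for MessageId with ID = %s", ref);
            return 1;
        }
        return 0;
    }

    /* Extra signed elements are tolerated; the required set is enforced by the caller. */
    AXIS2_LOG_WARNING(env->log, AXIS2_LOG_SI, "[euca-rampart] node %s is UNKNOWN", ref);
    return 0;
}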
415
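/**
 * Verifies that a signed WS-Addressing header element (Action, To or
 * MessageId) is located exactly at /Envelope/Header/<elem>, with Envelope as
 * the document root. A signed copy anywhere else indicates signature
 * wrapping and is rejected.
 *
 * Only local names are compared (see the note on verify_node()).
 *
 * @param signed_node  the element resolved from the ds:Reference
 * @param env          Axis2 environment
 * @param ref          the reference URI, used in diagnostics only
 * @return 0 if the element is where expected, 1 otherwise (reported via oxs_error)
 */
int verify_addr_hdr_elem_loc(axiom_node_t *signed_node, const axutil_env_t *env, axis2_char_t *ref) {
    axiom_node_t *parent = axiom_node_get_parent(signed_node, env);
    axis2_char_t *txt = NULL;

    /* Level 1: the element must be a child of Header. */
    if (!parent || axutil_strcmp(OXS_NODE_HEADER, axiom_util_get_localname(parent, env))) {
        if (parent) {
            txt = axiom_node_to_string(parent, env);
            AXIS2_LOG_DEBUG(env->log, AXIS2_LOG_SI, "[euca-rampart] parent of addressing elem is %s", txt);
            if (txt) AXIS2_FREE(env->allocator, txt);
        }
        oxs_error(env, OXS_ERROR_LOCATION, OXS_ERROR_ELEMENT_FAILED, "Unexpected location of signed addressing elem with ID = %s", ref);
        return 1;
    }

    /* Level 2: that Header must be a child of Envelope. */
    parent = axiom_node_get_parent(parent, env);
    if (!parent || axutil_strcmp(OXS_NODE_ENVELOPE, axiom_util_get_localname(parent, env))) {
        if (parent) {
            txt = axiom_node_to_string(parent, env);
            AXIS2_LOG_DEBUG(env->log, AXIS2_LOG_SI, "[euca-rampart] second parent of addressing elem is %s", txt);
            if (txt) AXIS2_FREE(env->allocator, txt);
        }
        oxs_error(env, OXS_ERROR_LOCATION, OXS_ERROR_ELEMENT_FAILED, "Unexpected location of signed addressing elem with ID = %s", ref);
        return 1;
    }

    /* Level 3: that Envelope must be the document root. */
    parent = axiom_node_get_parent(parent, env);
    if (parent) {
        txt = axiom_node_to_string(parent, env);
        AXIS2_LOG_DEBUG(env->log, AXIS2_LOG_SI, "[euca-rampart] parent of Envelope = %s", txt);
        if (txt) AXIS2_FREE(env->allocator, txt);
        /* This path concerns an addressing element, not Body (the earlier message was mislabelled). */
        oxs_error(env, OXS_ERROR_LOCATION, OXS_ERROR_ELEMENT_FAILED, "Unexpected location of signed addressing elem with ID = %s", ref);
        return 1;
    }

    return 0;
}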
447
448
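/**
 * Enables WS-Security on a client stub: engages the rampart module on the
 * stub's service client and applies the policy read from policyFile.
 *
 * Every step is checked; a client whose policy could not be applied would
 * otherwise send unsigned requests while this function reported success.
 *
 * @param env         Axis2 environment
 * @param stub        generated client stub to secure
 * @param policyFile  path to the Rampart/Neethi policy XML
 * @return 0 on success, 1 on any failure (logged via logprintfl)
 */
int InitWSSEC(axutil_env_t *env, axis2_stub_t *stub, char *policyFile) {
    axis2_svc_client_t *svc_client = NULL;
    neethi_policy_t *policy = NULL;

    svc_client = axis2_stub_get_svc_client(stub, env);
    if (!svc_client) {
        logprintfl(EUCAERROR, "could not get svc_client from stub\n");
        return 1;
    }

    /* Without rampart engaged the policy set below is never enforced. */
    if (axis2_svc_client_engage_module(svc_client, env, "rampart") != AXIS2_SUCCESS) {
        logprintfl(EUCAERROR, "could not engage rampart module for policy file %s\n", policyFile);
        return 1;
    }

    policy = neethi_util_create_policy_from_file(env, policyFile);
    if (!policy) {
        logprintfl(EUCAERROR, "could not initialize policy file %s\n", policyFile);
        return 1;
    }

    /* Previously ignored: a failed set_policy left the client unsecured but returned 0. */
    if (axis2_svc_client_set_policy(svc_client, env, policy) != AXIS2_SUCCESS) {
        logprintfl(EUCAERROR, "could not apply policy file %s to svc_client\n", policyFile);
        return 1;
    }

    return 0;
}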