
Re: RE : RE : zxid/Fedora



Romain Ferrari <romain.ferrari@xxxxxxxxx> said:
> Hi,
> 
> I'm wondering if it's possible to create a request simple XACML with zxid
> without the SAML's headers ? To be able to talk to a jboss XACML pdp for
> instance.

There is no totally easy API, but you can use

zxid_mk_xac_az()
zxid_mk_az()
zxid_mk_az_cd1()

to create the requests as internal objects and then serialize them to string using

zx_easy_enc_elem_opt()

Another approach is to use the parse and reserialize approach:

char* req = "<xac:Request>...</xac:Request>";  // Your request goes here
struct zx_root_s* r = zx_dec_zx_root(cf->ctx, strlen(req), req, "add_env");
struct zx_str* s = zx_easy_enc_elem_opt(cf, r->xac_Request);

In parse and serialize, you formulate the XML first as a string (e.g. with sprintf(3))
and then use the zxid machinery to parse and reformulate it in formally correct
XML.

> Thanks for your answer.

Thanks for the patch. Please see further comments inline with the patch, below.

> Best regards
> Romain Ferrari
> 
> 2011/7/7 Romain Ferrari <romain.ferrari@xxxxxxxxx>
> 
> > Sampo,
> >
> > I made some modifications because of a segmentation fault while using zxid with
> > my pam module. Here is the diff -u result on zxidcurl.c
> > Hope you'll find it helpful (of course the syslog message was just for me
> > ;) )!
> > I also made a deb package for libzxid, I will send it to you as soon as I
> > can.

This would be appreciated. As I have moved to 1.0 release series it is
appropriate to start providing binaries for common distributions.

> > diff -u old_zxidcurl.c /home/t0101841/svn/zxid-1.0/zxidcurl.c
> > --- zxidcurl.c    2011-06-02 06:51:51.000000000 +0200
> > +++ /home/t0101841/svn/zxid-1.0/zxidcurl.c    2011-07-06 11:50:24.935278059
> > +0200
> > @@ -209,6 +210,9 @@
> >    char* urli;
> >    rc.buf = rc.p = ZX_ALLOC(cf->ctx, ZXID_INIT_SOAP_BUF+1);
> >    rc.lim = rc.buf + ZXID_INIT_SOAP_BUF;
> > +  cf->curl = curl_easy_init();
> > +  curl_easy_reset(cf->curl);
> > +  LOCK_INIT(cf->curl_mx);

The above three lines are not wrong, but should not have been necessary. They
are (slightly) wasteful as they initialize  the curl object that should already
have been initialized anyway when cf object was created, e.g. in
zxid_init_conf_ctx(), zxid_new_conf(), or zxid_conf_to_cf_len().

Can you try just calling curl_easy_reset()?

Cheers,
--Sampo

> >    LOCK(cf->curl_mx, "curl soap");
> >    curl_easy_setopt(cf->curl, CURLOPT_WRITEDATA, &rc);
> >    curl_easy_setopt(cf->curl, CURLOPT_WRITEFUNCTION, zxid_curl_write_data);
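
Review bot: The three added lines ahead of LOCK(cf->curl_mx, "curl soap") overwrite cf->curl and re-initialize cf->curl_mx on every call, and none of the three is guarded. The return value of curl_easy_init() is not checked, so a NULL handle would still reach the curl_easy_setopt() calls that follow; any handle already stored in cf->curl is overwritten without curl_easy_cleanup() and leaks; and calling LOCK_INIT(cf->curl_mx) immediately before LOCK() resets a mutex that another thread may be holding, so the lock no longer serializes use of the shared handle. curl_easy_reset() directly after curl_easy_init() is redundant, since a fresh handle already carries default options. If the segfault came from an uninitialized cf->curl, the fix belongs where cf is created; here, at most guard with if (!cf->curl) and fail cleanly when curl_easy_init() returns NULL. The hunk header (-209,6 +210,9) also implies one extra line added earlier in the file, which should be dropped before merging if it is the private syslog call mentioned in the message.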
> >
> > Best Regards
> >
> >
> > Romain Ferrari
> > Thales Services
> > ThereSIS Innovation lab, ICT Security Unit
> >
> > [@@THALES GROUP RESTRICTED@@]
> >
> > Thales Research & Technology
> > Campus Polytechnique
> > 1, avenue Augustin Fresnel
> > 91767 Palaiseau cedex
> > France
> >
> > 2011/1/3 JAKOBI Pascal <pascal.jakobi@xxxxxxxxxxxxxxx>
> >
> >> Sampo
> >>
> >>
> >> First of all, all the best for the new year.
> >>
> >> Then regarding zxid packaging here is another piece : the spec file that
> >> builds an rpm for the C library. You may extend it or just create additional
> >> rpms for the other languages....
> >> The spec file calls a specific make file that does the "install" for
> >> RPM's. (the tar file should go in the SOURCES directory). It is in a
> >> specific makefile in order to avoid touching your files. However, if you
> >> accept it, it might well go into the main Makefile.
> >>
> >> Let me know !
> >> Cheers
> >>
> >> Pascal Jakobi
> >> Systems Architect
> >> Thales
> >> 1  av. A. Fresnel
> >> 91767 Palaiseau, France
> >> Tel : +33 1 69 41 60 51 / + 33 6 87 47 58 19
> >>
> >>
> >> ________________________________________
> >> From: sampo@xxxxxxxxx [sampo@xxxxxxxxx]
> >> Sent: Wednesday, 22 December 2010 03:28
> >> To: FERRARI Romain
> >> Cc: sampo@xxxxxxxxx; JAKOBI Pascal; GUIGNARD Romain
> >> Subject: Re: RE : zxid/Fedora
> >>
> >> FERRARI Romain <romain.ferrari@xxxxxxxxxxxxxxx> said:
> >> > Sampo,
> >> >
> >> > I'm working with Pascal Jakobi on this project. You can find within
> >> this mail some diff -u you asked for. I will try to find other
> >> modifications in your code but it's kind of tricky because I did those while
> >> working on another project.
> >> >
> >>
> >> Re: tricky and time passes causing version skew: good reason to send in
> >> your patches
> >> rather sooner than later.
> >>
> >> I have merged your pep and Makefile patches. As far as I can tell, the pep
> >> patch does not
> >> fix any bug (or security vulnerability), it merely makes the debugging
> >> output more developer
> >> friendly. That, of course, is nice so I merged it.
> >>
> >> The Makefile patch may fix some build problem, but personally I have not
> >> had any .so
> >> build problems. Care to elaborate why the patch was needed?
> >>
> >> Your patches are in git now and will be in 0.74 release, hopefully coming
> >> by end of year. Since
> >> your patches do not seem bug/security critical I do not see any need for
> >> an urgent release.
> >>
> >> If at all possible, please submit any further patches against the recently
> >> released 0.73 version.
> >>
> >> Cheers,
> >> --Sampo
> >>
> >> > I will get back to you soon.
> >> >
> >> > Thanks
> >> > --
> >> > Romain Ferrari
> >> > Thales Services
> >> > ThereSIS Innovation lab, ICT Security Unit
> >> >
> >> > [@@THALES GROUP RESTRICTED@@]
> >> >
> >> > Thales Research & Technology
> >> > Campus Polytechnique
> >> > 1, avenue Augustin Fresnel
> >> > 91767 Palaiseau cedex
> >> > France
> >> >
> >> >
> >> > -----Original Message-----
> >> > From: sampo@xxxxxxxxx [mailto:sampo@xxxxxxxxx]
> >> > Sent: Wednesday, 15 December 2010 19:08
> >> > To: JAKOBI Pascal
> >> > Cc: sampo@xxxxxxxxx; sampo@xxxxxxxxx; sampo@xxxxxx; sampo@xxxxxx;
> >> FERRARI Romain; GUIGNARD Romain
> >> > Subject: Re: RE : zxid/Fedora
> >> >
> >> > JAKOBI Pascal <pascal.jakobi@xxxxxxxxxxxxxxx> said:
> >> > > Please find already the Makefile & pkcs12.c. A "DISTRO" variable has
> >> been set in the Makefile && used in pkcs12.c
> >> > >
> >> >
> >> > I see you forked off on 0.64 and I am now 0.72, so the makefile has
> >> changed a lot since. I'll
> >> > do manual merge.
> >> >
> >> > I see the pkcs12.c fixes involving STACK. This whole stuff needs
> >> overhaul for openssl-1.0.0.
> >> >
> >> > Thanks.
> >> > --Sampo
> >> >
> >> > > Pascal Jakobi
> >> > > Systems Architect
> >> > > Thales
> >> > > 1  av. A. Fresnel
> >> > > 91767 Palaiseau, France
> >> > > Tel : +33 1 69 41 60 51 / + 33 6 87 47 58 19
> >> > >
> >> > >
> >> > > ________________________________________
> >> > > From: sampo@xxxxxxxxx [sampo@xxxxxxxxx]
> >> > > Sent: Wednesday, 15 December 2010 12:55
> >> > > To: JAKOBI Pascal
> >> > > Cc: sampo@xxxxxx; FERRARI Romain; GUIGNARD Romain
> >> > > Subject: Re: zxid/Fedora
> >> > >
> >> > > JAKOBI Pascal <pascal.jakobi@xxxxxxxxxxxxxxx> said:
> >> > > > Sampo
> >> > > >
> >> > > > I am working in a team at Thales that uses zxid for the purpose of
> >> building a PAM XACML module that works against PERMIS. Results are OK,
> >> however, we had a few issues with the software.
> >> > > >
> >> > >
> >> > > I am curious to know which ZXID API functions you used. zxid_az()?
> >> How do you feed the
> >> > > attributes to it?
> >> > >
> >> > > > 1/ During our work, we encountered a few bugs that we fixed. Should
> >> we send them back to you ?
> >> > >
> >> > > Of course. diff -u
> >> > >
> >> > > > 2/ We have also created packages for Debian/Fedora instead of using
> >> your "make install". Would you consider integrating those into your stuff ?
> >> (C XACML libs only)
> >> > >
> >> > > I will.
> >> > >
> >> > > As ZXID approaches 1.0 release, I want to start supporting
> >> distributions. I'll create
> >> > > a special binaries download page and your fedora packages can be part
> >> of it.
> >> > >
> >> > > > 3/ At last, I work on Fedora. It turns out that your Makefile does
> >> not compile against it (pkcs12.c). This made me create an env. variable in
> >> the Makefile and use it in pkcs12.c. Again, would you consider to get those
> >> back in your source tree ?
> >> > >
> >> > > Yes. In future, if you will be making significant contributions, you
> >> should consider git access.
> >> > > For now diff -u is fine.
> >> > >
> >> > > Cheers,
> >> > > --Sampo
> >> > >
> >> > > > Thanks for letting me know. We'll see where we go based on your
> >> answer.
> >> > > >
> >> > > > Best rgds
> >> > > >
> >> > > >
> >> > > > Pascal Jakobi
> >> > > > Systems Architect
> >> > > > Thales
> >> > > > 1  av. A. Fresnel
> >> > > > 91767 Palaiseau, France
> >> > > > Tel : +33 1 69 41 60 51 / + 33 6 87 47 58 19