
RE : zxid/Fedora



Romain Ferrari <romain.ferrari@xxxxxxxxx> said:
> Thanks for the answer. I tried what you say about zxidcurl.c and when I
> leave out curl_easy_init() a segmentation fault still occurs.
 
gdb bt, please.
 
The curl_easy_init() is supposed to be necessary only once (per libcurl documentation),
so I want to understand what is going on here. It could be lack of locking in multithreaded
environment (my bug), or in extreme case it could be libcurl not behaving as documented.
 
> I still have some issues with the creation of my XACML request. I end up
> with a request like this
> 
> <e:Envelope xmlns:e="http://schemas.xmlsoap.org/soap/envelope/">
>     <e:Header/>
>     <e:Body>
>         <xasp:XACMLAuthzDecisionQuery
> xmlns:xasp="urn:oasis:xacml:2.0:saml:protocol:schema:os"
> ID="RfIZHlUPQjFj40Ru8igY7I7eN" IssueInstant="2011-07-06T14:21:12Z"
> Version="2.0">
>             <sa:Issuer xmlns:sa="urn:oasis:names:tc:SAML:2.0:assertion">
> http://localhost:8080/AuthzForce/PDPService?o=B</sa:Issuer>
>         <xac:Request
> xmlns:xac="urn:oasis:names:tc:xacml:2.0:context:schema:os">
(snip)
>         </xac:Request>
>         </xasp:XACMLAuthzDecisionQuery>
>     </e:Body>
> </e:Envelope>
> 
> When I want a request like that
> 
> <e:Envelope xmlns:e="http://schemas.xmlsoap.org/soap/envelope/">
>     <e:Header/>
>     <e:Body>
>             <sa:Issuer xmlns:sa="urn:oasis:names:tc:SAML:2.0:assertion">
> http://localhost:8080/AuthzForce/PDPService?o=B</sa:Issuer>
>         <xac:Request
> xmlns:xac="urn:oasis:names:tc:xacml:2.0:context:schema:os">
(snip)
>         </xac:Request>
>     </e:Body>
> </e:Envelope>
> 
> What's your advice about that ? I've tried with zxid_mk* methods but I can't
> get what I want. Maybe it's an initialisation problem in my own code but I
> can't see what's what.
 
First, if you use my integrated HTTP client, then setting configuration option (e.g. in
config string or in /var/zxid/zxid.conf):

XASP_VERS=xac-soap

will accomplish what you want. You can see the code in zxid_az_soap(). This
same code is also used by APIs zxid_pep_az_soap_pepmap(),
zxid_pep_az_base_soap_pepmap(), zxid_pep_az_soap(),
zxid_pep_az_base_soap(), zxid_az_cf_ses(), zxid_az_base_cf_ses(),
zxid_az_cf(), zxid_az_base_cf(), zxid_az(), and zxid_az_base().
 
Second, if you really want to go the low-level API route, the function
you would call is zxid_mk_xac_az(). As you can see, it expects
attribute lists as arguments. These can be extracted from a session
object using zxid_pepmap_extract() or hand crafted using
zxid_mk_xacml_simple_at().

Third, as can be seen, attribute passing is easy if you use my session
concept and tedious if you do not. In some higher level APIs like
zxid_az() it is possible to pass additional attributes using query string.
These attributes are still classified as subject, resource, action, and
environment using the PEPMAP. It would be possible for me to add
an API that allows you to get the string representation of XACML request
in a similar manner, using query string format to pass attributes.
Would you like me to add such an API? Can you specify what you
think the API should look like?
 
Cheers,
--Sampo
 
> Cheers
> 
> Romain Ferrari
> 
> > 2011/7/13 <sampo@xxxxxxxxx>
> > 
> > > Romain Ferrari <romain.ferrari@xxxxxxxxx> said:
> > > > Hi,
> > > >
> > > > I'm wondering if it's possible to create a request simple XACML with zxid
> > > > without the SAML's headers ? To be able to talk to a jboss XACML pdp for
> > > > instance.
> > >
> > > There is no totally easy API, but you can use
> > >
> > > zxid_mk_xac_az()
> > > zxid_mk_az()
> > > zxid_mk_az_cd1()
> > >
> > > to create the requests as internal objects and then serialize them to string
> > > using
> > >
> > > zx_easy_enc_elem_opt()
> > >
> > > Another approach is to use parse and reserialize approach:
> > >
> > > char* req = "<xac:Request>...</xac:Request>";  // Your request goes here
> > > struct zx_root_s* r = zx_dec_zx_root(cf->ctx, strlen(req), req, "add_env");
> > > struct zx_str* s = zx_easy_enc_elem_opt(cf, r->xac_Request);
> > >
> > > In parse and serialize, you formulate the XML first as a string (e.g. with
> > > sprintf(3))
> > > and then use the zxid machinery to parse and reformulate it in formally
> > > correct
> > > XML.
> > >
> > > > Thanks for your answer.
> > >
> > > Thanks for the patch. Please see further comments inline with the patch,
> > > below.
> > >
> > > > Best regards
> > > > Romain Ferrari
> > > >
> > > > 2011/7/7 Romain Ferrari <romain.ferrari@xxxxxxxxx>
> > > >
> > > > > Sampo,
> > > > >
> > > > > I made some modifications because of a segmentation fault while using zxid
> > > with
> > > > > my pam module. Here is the diff -u result on zxidcurl.c
> > > > > Hope you'll find it helpful (of course the syslog message was just for
> > > me
> > > > > ;) )!
> > > > > I also made a deb package for libzxid, I will send it to you as soon as
> > > I
> > > > > can.
> > >
> > > This would be appreciated. As I have moved to 1.0 release series it is
> > > appropriate to start providing binaries for common distributions.
> > >
> > > > > diff -u old_zxidcurl.c /home/t0101841/svn/zxid-1.0/zxidcurl.c
> > > > > --- zxidcurl.c    2011-06-02 06:51:51.000000000 +0200
> > > > > +++ /home/t0101841/svn/zxid-1.0/zxidcurl.c    2011-07-06
> > > 11:50:24.935278059
> > > > > +0200
> > > > > @@ -209,6 +210,9 @@
> > > > >    char* urli;
> > > > >    rc.buf = rc.p = ZX_ALLOC(cf->ctx, ZXID_INIT_SOAP_BUF+1);
> > > > >    rc.lim = rc.buf + ZXID_INIT_SOAP_BUF;
> > > > > +  cf->curl = curl_easy_init();
> > > > > +  curl_easy_reset(cf->curl);
> > > > > +  LOCK_INIT(cf->curl_mx);
> > >
> > > The above three lines are not wrong, but should not have been necessary.
> > > They
> > > are (slightly) wasteful as they initialize  the curl object that should
> > > already
> > > have been initialized anyway when cf object was created, e.g. in
> > > zxid_init_conf_ctx(), zxid_new_conf(), or zxid_conf_to_cf_len().
> > >
> > > Can you try just calling curl_easy_reset()?
> > >
> > > Cheers,
> > > --Sampo
> > >
> > > > >    LOCK(cf->curl_mx, "curl soap");
> > > > >    curl_easy_setopt(cf->curl, CURLOPT_WRITEDATA, &rc);
> > > > >    curl_easy_setopt(cf->curl, CURLOPT_WRITEFUNCTION,
> > > zxid_curl_write_data);
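Review bot: the added LOCK_INIT(cf->curl_mx) sits immediately before LOCK(cf->curl_mx, "curl soap"), so the mutex is re-initialized on every call, and by a thread that does not yet hold it; two threads sharing cf can each reset the lock and then both enter the curl_easy_setopt() section, which defeats the serialization the LOCK is there for. The same applies to cf->curl = curl_easy_init(): it runs outside the lock, overwrites whatever handle cf->curl already held without a curl_easy_cleanup() (one handle leaked per call), and its result is not checked for NULL before the curl_easy_setopt() calls. Suggest keeping handle and mutex creation where cf is built and, if a fallback is wanted at this point, limiting it to a NULL check on cf->curl made after the lock is taken. The curl_easy_reset() directly after curl_easy_init() is redundant on a fresh handle.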
> > > > >
> > > > > Best Regards
> > > > >
> > > > >
> > > > > Romain Ferrari
> > > > > Thales Services
> > > > > ThereSIS Innovation lab, ICT Security Unit
> > > > >
> > > > > [@@THALES GROUP RESTRICTED@@]
> > > > >
> > > > > > Thales Research & Technology
> > > > > Campus Polytechnique
> > > > > 1, avenue Augustin Fresnel
> > > > > 91767 Palaiseau cedex
> > > > > France
> > > > >
> > > > > 2011/1/3 JAKOBI Pascal <pascal.jakobi@xxxxxxxxxxxxxxx>
> > > > >
> > > > >> Sampo
> > > > >>
> > > > >>
> > > > >> First of all, all the best for the new year.
> > > > >>
> > > > >> Then regarding zxid packaging here is another piece : the spec file
> > > that
> > > > >> builds an rpm for the C library. You may extend it or just create
> > > additional
> > > > >> rpms for the other languages....
> > > > >> The spec file calls a specific make file that does the "install" for
> > > > >> RPM's. (the tar file should go in the SOURCES directory). It is in a
> > > > > >> specific makefile in order to avoid touching your files. However, if
> > > you
> > > > >> accept it, it might well go into the main Makefile.
> > > > >>
> > > > >> Let me know !
> > > > >> Cheers
> > > > >>
> > > > >> Pascal Jakobi
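
The pattern described in the reply at the top of this message (create the handle once when the configuration object is built, then only lock around its use) is sketched below as an added example; it is not code from zxid or libcurl. `handle_t`, `conf_t`, `conf_init()`, `conf_call()` and `run_threads()` are hypothetical stand-ins for the curl handle, the cf object and their callers.

```c
#include <pthread.h>
#include <stdlib.h>

/* Hypothetical stand-ins (not zxid or libcurl types): handle_t plays the role
   of the transfer handle, conf_t the configuration object that owns it. */
typedef struct { long uses; } handle_t;
typedef struct {
  handle_t*       h;   /* shared handle, created once */
  pthread_mutex_t mx;  /* serializes every use of h */
} conf_t;

/* Configuration creation: the only place the handle and mutex are set up. */
int conf_init(conf_t* cf) {
  cf->h = calloc(1, sizeof(handle_t));
  if (!cf->h) return -1;
  return pthread_mutex_init(&cf->mx, NULL);
}

/* Request path: lock, use, unlock. Fails cleanly on a missing handle instead
   of dereferencing it, and never re-creates the handle or the mutex. */
int conf_call(conf_t* cf) {
  if (!cf || !cf->h) return -1;
  pthread_mutex_lock(&cf->mx);
  cf->h->uses++;       /* stands in for setting options and performing I/O */
  pthread_mutex_unlock(&cf->mx);
  return 0;
}

static void* worker(void* arg) {
  for (int i = 0; i < 10000; i++) conf_call((conf_t*)arg);
  return NULL;
}

/* Drive n threads (at most 16) through one configuration; return total uses. */
long run_threads(int n) {
  conf_t cf;
  pthread_t t[16];
  long uses;
  int started = 0;
  if (n < 1 || n > 16 || conf_init(&cf) != 0) return -1;
  while (started < n && pthread_create(&t[started], NULL, worker, &cf) == 0)
    started++;
  for (int i = 0; i < started; i++) pthread_join(t[i], NULL);
  uses = cf.h->uses;
  pthread_mutex_destroy(&cf.mx);
  free(cf.h);
  return uses;
}
```

Because the mutex is initialized only in `conf_init()`, every increment is counted; re-initializing it on the request path would let two threads hold it at once.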