Expose audience collection on security policy.
[shibboleth/cpp-opensaml.git] / saml / saml2 / profile / impl / BrowserSSOProfile20Validator.cpp
1 /*
2  *  Copyright 2001-2007 Internet2
3  *
4  * Licensed under the Apache License, Version 2.0 (the "License");
5  * you may not use this file except in compliance with the License.
6  * You may obtain a copy of the License at
7  *
8  *     http://www.apache.org/licenses/LICENSE-2.0
9  *
10  * Unless required by applicable law or agreed to in writing, software
11  * distributed under the License is distributed on an "AS IS" BASIS,
12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13  * See the License for the specific language governing permissions and
14  * limitations under the License.
15  */
16
17 /**
18  * BrowserSSOProfile20Validator.cpp
19  *
20  * SAML 2.0 Browser SSO Profile Assertion Validator
21  */
22
23 #include "internal.h"
24 #include "saml2/core/Assertions.h"
25 #include "saml2/profile/BrowserSSOProfileValidator.h"
26
27 #include <xmltooling/logging.h>
28 #include <xmltooling/util/NDC.h>
29
30 using namespace opensaml::saml2;
31 using namespace xmltooling::logging;
32 using namespace xmltooling;
33 using namespace std;
34
35 void BrowserSSOProfileValidator::validateAssertion(const Assertion& assertion) const
36 {
37 #ifdef _DEBUG
38     xmltooling::NDC ndc("validate");
39 #endif
40     Category& log = Category::getInstance(SAML_LOGCAT".AssertionValidator");
41
42     // The assertion MUST have proper confirmation requirements.
43     const char* msg=NULL;
44     const Subject* subject = assertion.getSubject();
45     if (subject) {
46         const vector<SubjectConfirmation*>& confs = subject->getSubjectConfirmations();
47         for (vector<SubjectConfirmation*>::const_iterator sc = confs.begin(); sc!=confs.end(); ++sc) {
48             if (XMLString::equals((*sc)->getMethod(), SubjectConfirmation::BEARER)) {
49                 const SubjectConfirmationDataType* data = dynamic_cast<const SubjectConfirmationDataType*>((*sc)->getSubjectConfirmationData());
50
51                 if (m_destination.get()) {
52                     if (!XMLString::equals(m_destination.get(), data ? data->getRecipient() : NULL)) {
53                         msg = "bearer confirmation failed with recipient mismatch";
54                         continue;
55                     }
56                 }
57
58                 if (m_requestID.get()) {
59                     if (!XMLString::equals(m_requestID.get(), data ? data->getInResponseTo() : NULL)) {
60                         msg = "bearer confirmation failed with request correlation mismatch";
61                         continue;
62                     }
63                 }
64
65                 if (m_ts) {
66                     if (!data || !data->getNotOnOrAfter()) {
67                         msg = "bearer confirmation missing NotOnOrAfter attribute";
68                         continue;
69                     }
70                     else if (data->getNotOnOrAfterEpoch() <= m_ts - XMLToolingConfig::getConfig().clock_skew_secs) {
71                         msg = "bearer confirmation has expired";
72                         continue;
73                     }
74                 }
75
76                 // Save off client address.
77                 if (data) {
78                     auto_ptr_char ip(data->getAddress());
79                     if (ip.get())
80                         m_address = ip.get();
81                 }
82
83                 // Pass up for additional checking.
84                 return AssertionValidator::validateAssertion(assertion);
85             }
86         }
87     }
88
89     log.error(msg);
90     throw ValidationException("Unable to locate satisfiable bearer SubjectConfirmation in assertion.");
91 }