2 * Licensed to the University Corporation for Advanced Internet
3 * Development, Inc. (UCAID) under one or more contributor license
4 * agreements. See the NOTICE file distributed with this work for
5 * additional information regarding copyright ownership.
7 * UCAID licenses this file to you under the Apache License,
8 * Version 2.0 (the "License"); you may not use this file except
9 * in compliance with the License. You may obtain a copy of the
12 * http://www.apache.org/licenses/LICENSE-2.0
14 * Unless required by applicable law or agreed to in writing,
15 * software distributed under the License is distributed on an
16 * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND,
17 * either express or implied. See the License for the specific
18 * language governing permissions and limitations under the License.
22 * @file saml/binding/SecurityPolicy.h
24 * Overall policy used to verify the security of an incoming message.
27 #ifndef __saml_secpol_h__
28 #define __saml_secpol_h__
30 #include <saml/saml2/metadata/MetadataProvider.h>
35 #include <xmltooling/unicode.h>
37 #if defined (_MSC_VER)
38 #pragma warning( push )
39 #pragma warning( disable : 4250 4251 )
42 namespace xmltooling {
43 class XMLTOOL_API GenericRequest;
44 class XMLTOOL_API TrustEngine;
50 class SAML_API Issuer;
53 class SAML_API SecurityPolicyRule;
56 * A policy used to verify the security of an incoming message.
58 * <p>Its security mechanisms may be used to examine the transport layer
59 * (e.g client certificates and HTTP basic auth passwords) or to check the
60 * payload of a request to ensure it meets certain criteria (e.g. valid
61 * digital signature, freshness, replay).
63 * <p>Policy objects can be reused, but are not thread-safe.
65 class SAML_API SecurityPolicy
67 MAKE_NONCOPYABLE(SecurityPolicy);
70 * Constructor for policy.
72 * @param metadataProvider locked MetadataProvider instance
73 * @param role identifies the role (generally IdP or SP) of the policy peer
74 * @param trustEngine TrustEngine to authenticate policy peer
75 * @param validate true iff XML parsing should be done with validation
78 const saml2md::MetadataProvider* metadataProvider=nullptr,
79 const xmltooling::QName* role=nullptr,
80 const xmltooling::TrustEngine* trustEngine=nullptr,
84 virtual ~SecurityPolicy();
87 * Returns the locked MetadataProvider supplied to the policy.
89 * @return the supplied MetadataProvider or nullptr
91 const saml2md::MetadataProvider* getMetadataProvider() const;
94 * Returns a reference to a MetadataProvider::Criteria instance suitable for use with the
95 * installed MetadataProvider.
97 * <p>The object will be cleared/reset when returned, so do not mutate it and then
98 * call the method again before using it.
100 * @return reference to a MetadataProvider::Criteria instance
102 virtual saml2md::MetadataProvider::Criteria& getMetadataProviderCriteria() const;
105 * Returns the peer role element/type supplied to the policy.
107 * @return the peer role element/type, or an empty QName
109 const xmltooling::QName* getRole() const;
112 * Returns the TrustEngine supplied to the policy.
114 * @return the supplied TrustEngine or nullptr
116 const xmltooling::TrustEngine* getTrustEngine() const;
119 * Returns XML message validation setting.
121 * @return validation flag
123 bool getValidating() const;
126 * Returns flag controlling non-entity issuer support.
128 * @return flag controlling non-entity issuer support
130 bool requireEntityIssuer() const;
133 * Returns the SAML audiences that represent the receiving peer.
135 * @return audience values of the peer processing the message
137 const std::vector<xmltooling::xstring>& getAudiences() const;
140 * Returns the SAML audiences that represent the receiving peer.
142 * @return audience values of the peer processing the message
144 std::vector<xmltooling::xstring>& getAudiences();
147 * Gets the effective time of message processing.
149 * @return the time at which the message is being processed
151 time_t getTime() const;
154 * Returns the message identifier to which the message being evaluated
157 * @return correlated message identifier
159 const XMLCh* getCorrelationID() const;
162 * Gets a mutable array of installed policy rules.
164 * <p>If adding rules, their lifetime must be at least as long as the policy object.
166 * @return mutable array of rules
168 std::vector<const SecurityPolicyRule*>& getRules();
171 * Sets a locked MetadataProvider for the policy.
173 * @param metadata a locked MetadataProvider or nullptr
175 void setMetadataProvider(const saml2md::MetadataProvider* metadata);
178 * Sets a MetadataProvider::Criteria instance suitable for use with the
179 * installed MetadataProvider.
181 * <p>The policy will take ownership of the criteria object when this
184 * @param criteria a MetadataProvider::Criteria instance, or nullptr
186 void setMetadataProviderCriteria(saml2md::MetadataProvider::Criteria* criteria);
189 * Sets a peer role element/type for to the policy.
191 * @param role the peer role element/type or nullptr
193 void setRole(const xmltooling::QName* role);
196 * Sets a TrustEngine for the policy.
198 * @param trust a TrustEngine or nullptr
200 void setTrustEngine(const xmltooling::TrustEngine* trust);
203 * Controls schema validation of incoming XML messages.
204 * This is separate from other forms of programmatic validation of objects,
205 * but can detect a much wider range of syntax errors.
207 * @param validate validation setting
209 void setValidating(bool validate=true);
212 * Sets flag controlling non-entity issuer support.
214 * @param entityOnly require that Issuer be in entity format
216 void requireEntityIssuer(bool entityOnly=true);
219 * Sets effective time of message processing.
221 * <p>Assumed to be the time of policy instantiation, can be adjusted to pre- or post-date
222 * message processing.
224 * @param ts the time at which the message is being processed
226 void setTime(time_t ts);
229 * Sets the message identifier to which the message being evaluated
232 * @param correlationID correlated message identifier
234 void setCorrelationID(const XMLCh* correlationID);
237 * Evaluates the policy against the given request and message,
238 * possibly populating message information in the policy object.
240 * @param message the incoming message
241 * @param request the protocol request
243 * @throws BindingException raised if the message/request is invalid according to the supplied rules
245 void evaluate(const xmltooling::XMLObject& message, const xmltooling::GenericRequest* request=nullptr);
248 * Resets the policy object and/or clears any per-message state.
250 * <p>Resets can be complete (the default) or merely clear the previous message ID and timestamp
251 * when evaluating multiple layers of a message.
253 * @param messageOnly true iff security and issuer state should be left in place
255 virtual void reset(bool messageOnly=false);
258 * Resets the policy object and/or clears any per-message state for only this specific class.
260 * <p>Resets can be complete (the default) or merely clear the previous message ID and timestamp
261 * when evaluating multiple layers of a message.
263 * @param messageOnly true iff security and issuer state should be left in place
265 void _reset(bool messageOnly=false);
268 * Returns the message identifier as determined by the registered policies.
270 * @return message identifier as determined by the registered policies
272 const XMLCh* getMessageID() const;
275 * Returns the message timestamp as determined by the registered policies.
277 * @return message timestamp as determined by the registered policies
279 time_t getIssueInstant() const;
282 * Gets the issuer of the message as determined by the registered policies.
284 * @return issuer of the message as determined by the registered policies
286 const saml2::Issuer* getIssuer() const;
289 * Gets the metadata for the role the issuer is operating in.
291 * @return metadata for the role the issuer is operating in
293 const saml2md::RoleDescriptor* getIssuerMetadata() const;
296 * Returns the authentication status of the message as determined by the registered policies.
298 * @return true iff a SecurityPolicyRule has indicated the issuer/message has been authenticated
300 bool isAuthenticated() const;
303 * Sets the message identifier as determined by the registered policies.
305 * @param id message identifier
307 void setMessageID(const XMLCh* id);
310 * Sets the message timestamp as determined by the registered policies.
312 * @param issueInstant message timestamp
314 void setIssueInstant(time_t issueInstant);
317 * Sets the issuer of the message as determined by the registered policies.
319 * @param issuer issuer of the message
321 void setIssuer(const saml2::Issuer* issuer);
324 * Sets the issuer of the message as determined by the registered policies.
326 * @param issuer issuer of the message
328 void setIssuer(const XMLCh* issuer);
331 * Sets the metadata for the role the issuer is operating in.
333 * @param issuerRole metadata for the role the issuer is operating in
335 void setIssuerMetadata(const saml2md::RoleDescriptor* issuerRole);
338 * Sets the authentication status of the message as determined by the registered policies.
340 * @param auth indicates whether the issuer/message has been authenticated
342 void setAuthenticated(bool auth);
344 /** Allows override of rules for comparing saml2:Issuer information. */
345 class SAML_API IssuerMatchingPolicy {
346 MAKE_NONCOPYABLE(IssuerMatchingPolicy);
348 IssuerMatchingPolicy();
349 virtual ~IssuerMatchingPolicy();
352 * Returns true iff the two operands "match". Applications can override this method to
353 * support non-standard issuer matching for complex policies.
355 * <p>The default implementation does a basic comparison of the XML content, treating
356 * an unsupplied Format as an "entityID".
358 * @param issuer1 the first Issuer to match
359 * @param issuer2 the second Issuer to match
360 * @return true iff the operands match
362 virtual bool issuerMatches(const saml2::Issuer* issuer1, const saml2::Issuer* issuer2) const;
365 * Returns true iff the two operands "match". Applications can override this method to
366 * support non-standard issuer matching for complex policies.
368 * <p>The default implementation does a basic comparison of the XML content, treating
369 * an unsupplied Format as an "entityID".
371 * @param issuer1 the first Issuer to match
372 * @param issuer2 the second Issuer to match
373 * @return true iff the operands match
375 virtual bool issuerMatches(const saml2::Issuer* issuer1, const XMLCh* issuer2) const;
379 * Returns the IssuerMatchingPolicy in effect.
381 * @return the effective IssuerMatchingPolicy
383 const IssuerMatchingPolicy& getIssuerMatchingPolicy() const;
386 * Sets the IssuerMatchingPolicy in effect. Setting no policy will
387 * cause the simple, default approach to be used.
389 * <p>The matching object will be freed by the SecurityPolicy.
391 * @param matchingPolicy the IssuerMatchingPolicy to use
393 void setIssuerMatchingPolicy(IssuerMatchingPolicy* matchingPolicy);
396 /** A shared matching object that just supports the default matching rules. */
397 static IssuerMatchingPolicy m_defaultMatching;
399 /** Manufactured MetadataProvider::Criteria instance. */
400 mutable saml2md::MetadataProvider::Criteria* m_metadataCriteria;
403 // information extracted from message
404 xmltooling::xstring m_messageID;
405 time_t m_issueInstant;
406 std::auto_ptr<saml2::Issuer> m_issuer;
407 const saml2md::RoleDescriptor* m_issuerRole;
408 bool m_authenticated;
410 // components governing policy rules
411 std::auto_ptr<IssuerMatchingPolicy> m_matchingPolicy;
412 std::vector<const SecurityPolicyRule*> m_rules;
413 const saml2md::MetadataProvider* m_metadata;
414 std::auto_ptr<xmltooling::QName> m_role;
415 const xmltooling::TrustEngine* m_trust;
419 // contextual information
421 xmltooling::xstring m_correlationID;
422 std::vector<xmltooling::xstring> m_audiences;
427 #if defined (_MSC_VER)
428 #pragma warning( pop )
431 #endif /* __saml_secpol_h__ */