2 * Copyright 2001-2009 Internet2
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
8 * http://www.apache.org/licenses/LICENSE-2.0
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
20 * Overall policy used to verify the security of an incoming message.
24 #include "exceptions.h"
25 #include "binding/SecurityPolicy.h"
26 #include "binding/SecurityPolicyRule.h"
27 #include "saml2/core/Assertions.h"
29 #include <xercesc/util/XMLUniDefs.hpp>
31 using namespace opensaml::saml2md;
32 using namespace opensaml::saml2;
33 using namespace opensaml;
34 using namespace xmltooling;
38 SAML_DLLLOCAL PluginManager<SecurityPolicyRule,string,const DOMElement*>::Factory AudienceRestrictionRuleFactory;
39 SAML_DLLLOCAL PluginManager<SecurityPolicyRule,string,const DOMElement*>::Factory ClientCertAuthRuleFactory;
40 SAML_DLLLOCAL PluginManager<SecurityPolicyRule,string,const DOMElement*>::Factory ConditionsRuleFactory;
41 SAML_DLLLOCAL PluginManager<SecurityPolicyRule,string,const DOMElement*>::Factory IgnoreRuleFactory;
42 SAML_DLLLOCAL PluginManager<SecurityPolicyRule,string,const DOMElement*>::Factory MessageFlowRuleFactory;
43 SAML_DLLLOCAL PluginManager<SecurityPolicyRule,string,const DOMElement*>::Factory NullSecurityRuleFactory;
44 SAML_DLLLOCAL PluginManager<SecurityPolicyRule,string,const DOMElement*>::Factory SimpleSigningRuleFactory;
45 SAML_DLLLOCAL PluginManager<SecurityPolicyRule,string,const DOMElement*>::Factory XMLSigningRuleFactory;
48 SAML_DLLLOCAL PluginManager<SecurityPolicyRule,string,const DOMElement*>::Factory BrowserSSORuleFactory;
52 SAML_DLLLOCAL PluginManager<SecurityPolicyRule,string,const DOMElement*>::Factory BearerConfirmationRuleFactory;
53 SAML_DLLLOCAL PluginManager<SecurityPolicyRule,string,const DOMElement*>::Factory DelegationRestrictionRuleFactory;
57 void SAML_API opensaml::registerSecurityPolicyRules()
59 SAMLConfig& conf=SAMLConfig::getConfig();
60 conf.SecurityPolicyRuleManager.registerFactory(AUDIENCE_POLICY_RULE, AudienceRestrictionRuleFactory);
61 conf.SecurityPolicyRuleManager.registerFactory(CLIENTCERTAUTH_POLICY_RULE, ClientCertAuthRuleFactory);
62 conf.SecurityPolicyRuleManager.registerFactory(CONDITIONS_POLICY_RULE, ConditionsRuleFactory);
63 conf.SecurityPolicyRuleManager.registerFactory(IGNORE_POLICY_RULE, IgnoreRuleFactory);
64 conf.SecurityPolicyRuleManager.registerFactory(MESSAGEFLOW_POLICY_RULE, MessageFlowRuleFactory);
65 conf.SecurityPolicyRuleManager.registerFactory(NULLSECURITY_POLICY_RULE, NullSecurityRuleFactory);
66 conf.SecurityPolicyRuleManager.registerFactory(SIMPLESIGNING_POLICY_RULE, SimpleSigningRuleFactory);
67 conf.SecurityPolicyRuleManager.registerFactory(XMLSIGNING_POLICY_RULE, XMLSigningRuleFactory);
68 conf.SecurityPolicyRuleManager.registerFactory(SAML1BROWSERSSO_POLICY_RULE, saml1::BrowserSSORuleFactory);
69 conf.SecurityPolicyRuleManager.registerFactory(BEARER_POLICY_RULE, saml2::BearerConfirmationRuleFactory);
70 conf.SecurityPolicyRuleManager.registerFactory(DELEGATION_POLICY_RULE, saml2::DelegationRestrictionRuleFactory);
73 SecurityPolicyRule::SecurityPolicyRule()
77 SecurityPolicyRule::~SecurityPolicyRule()
81 SecurityPolicy::SecurityPolicy(
82 const saml2md::MetadataProvider* metadataProvider,
83 const xmltooling::QName* role,
84 const xmltooling::TrustEngine* trustEngine,
86 ) : m_metadataCriteria(NULL),
90 m_authenticated(false),
91 m_matchingPolicy(NULL),
92 m_metadata(metadataProvider),
100 m_role = new xmltooling::QName(*role);
103 SecurityPolicy::~SecurityPolicy()
105 delete m_metadataCriteria;
109 const MetadataProvider* SecurityPolicy::getMetadataProvider() const
114 MetadataProvider::Criteria& SecurityPolicy::getMetadataProviderCriteria() const
116 if (!m_metadataCriteria)
117 m_metadataCriteria=new MetadataProvider::Criteria();
119 m_metadataCriteria->reset();
120 return *m_metadataCriteria;
123 const xmltooling::QName* SecurityPolicy::getRole() const
128 const TrustEngine* SecurityPolicy::getTrustEngine() const
133 bool SecurityPolicy::getValidating() const
138 bool SecurityPolicy::requireEntityIssuer() const
143 const vector<xstring>& SecurityPolicy::getAudiences() const
148 vector<xstring>& SecurityPolicy::getAudiences()
153 time_t SecurityPolicy::getTime() const
156 return m_ts = time(NULL);
160 const XMLCh* SecurityPolicy::getCorrelationID() const
162 return m_correlationID.c_str();
165 vector<const SecurityPolicyRule*>& SecurityPolicy::getRules()
170 void SecurityPolicy::setMetadataProvider(const MetadataProvider* metadata)
172 m_metadata = metadata;
175 void SecurityPolicy::setMetadataProviderCriteria(MetadataProvider::Criteria* criteria)
177 if (m_metadataCriteria)
178 delete m_metadataCriteria;
179 m_metadataCriteria=criteria;
182 void SecurityPolicy::setRole(const xmltooling::QName* role)
185 m_role = role ? new xmltooling::QName(*role) : NULL;
188 void SecurityPolicy::setTrustEngine(const TrustEngine* trust)
193 void SecurityPolicy::setValidating(bool validate)
195 m_validate = validate;
198 void SecurityPolicy::requireEntityIssuer(bool entityOnly)
200 m_entityOnly = entityOnly;
203 void SecurityPolicy::setTime(time_t ts)
208 void SecurityPolicy::setCorrelationID(const XMLCh* correlationID)
210 m_correlationID.erase();
212 m_correlationID = correlationID;
215 void SecurityPolicy::evaluate(const XMLObject& message, const GenericRequest* request)
217 for (vector<const SecurityPolicyRule*>::const_iterator i=m_rules.begin(); i!=m_rules.end(); ++i)
218 (*i)->evaluate(message,request,*this);
221 void SecurityPolicy::reset(bool messageOnly)
226 void SecurityPolicy::_reset(bool messageOnly)
234 m_authenticated=false;
238 const XMLCh* SecurityPolicy::getMessageID() const
240 return m_messageID.c_str();
243 time_t SecurityPolicy::getIssueInstant() const
245 return m_issueInstant;
248 const Issuer* SecurityPolicy::getIssuer() const
253 const RoleDescriptor* SecurityPolicy::getIssuerMetadata() const
258 bool SecurityPolicy::isAuthenticated() const
260 return m_authenticated;
263 void SecurityPolicy::setMessageID(const XMLCh* id)
270 void SecurityPolicy::setIssueInstant(time_t issueInstant)
272 m_issueInstant = issueInstant;
275 void SecurityPolicy::setIssuer(const Issuer* issuer)
277 if (!getIssuerMatchingPolicy().issuerMatches(m_issuer, issuer))
278 throw SecurityPolicyException("An Issuer was supplied that conflicts with previous results.");
281 if (m_entityOnly && issuer->getFormat() && !XMLString::equals(issuer->getFormat(), NameIDType::ENTITY))
282 throw SecurityPolicyException("A non-entity Issuer was supplied, violating policy.");
284 m_issuer=issuer->cloneIssuer();
288 void SecurityPolicy::setIssuer(const XMLCh* issuer)
290 if (!getIssuerMatchingPolicy().issuerMatches(m_issuer, issuer))
291 throw SecurityPolicyException("An Issuer was supplied that conflicts with previous results.");
293 if (!m_issuer && issuer && *issuer) {
295 m_issuer = IssuerBuilder::buildIssuer();
296 m_issuer->setName(issuer);
300 void SecurityPolicy::setIssuerMetadata(const RoleDescriptor* issuerRole)
302 if (issuerRole && m_issuerRole && issuerRole!=m_issuerRole)
303 throw SecurityPolicyException("A rule supplied a RoleDescriptor that conflicts with previous results.");
304 m_issuerRole=issuerRole;
307 void SecurityPolicy::setAuthenticated(bool auth)
309 m_authenticated = auth;
312 SecurityPolicy::IssuerMatchingPolicy::IssuerMatchingPolicy()
316 SecurityPolicy::IssuerMatchingPolicy::~IssuerMatchingPolicy()
320 bool SecurityPolicy::IssuerMatchingPolicy::issuerMatches(const Issuer* issuer1, const Issuer* issuer2) const
322 // NULL matches anything for the purposes of this interface.
323 if (!issuer1 || !issuer2)
326 const XMLCh* op1=issuer1->getName();
327 const XMLCh* op2=issuer2->getName();
328 if (!op1 || !op2 || !XMLString::equals(op1,op2))
331 op1=issuer1->getFormat();
332 op2=issuer2->getFormat();
333 if (!XMLString::equals(op1 ? op1 : NameIDType::ENTITY, op2 ? op2 : NameIDType::ENTITY))
336 op1=issuer1->getNameQualifier();
337 op2=issuer2->getNameQualifier();
338 if (!XMLString::equals(op1 ? op1 : &chNull, op2 ? op2 : &chNull))
341 op1=issuer1->getSPNameQualifier();
342 op2=issuer2->getSPNameQualifier();
343 if (!XMLString::equals(op1 ? op1 : &chNull, op2 ? op2 : &chNull))
349 bool SecurityPolicy::IssuerMatchingPolicy::issuerMatches(const Issuer* issuer1, const XMLCh* issuer2) const
351 // NULL matches anything for the purposes of this interface.
352 if (!issuer1 || !issuer2 || !*issuer2)
355 const XMLCh* op1=issuer1->getName();
356 if (!op1 || !XMLString::equals(op1,issuer2))
359 op1=issuer1->getFormat();
360 if (op1 && *op1 && !XMLString::equals(op1, NameIDType::ENTITY))
363 op1=issuer1->getNameQualifier();
367 op1=issuer1->getSPNameQualifier();
374 SecurityPolicy::IssuerMatchingPolicy SecurityPolicy::m_defaultMatching;
376 const SecurityPolicy::IssuerMatchingPolicy& SecurityPolicy::getIssuerMatchingPolicy() const
378 return m_matchingPolicy ? *m_matchingPolicy : m_defaultMatching;
381 void SecurityPolicy::setIssuerMatchingPolicy(IssuerMatchingPolicy* matchingPolicy)
383 delete m_matchingPolicy;
384 m_matchingPolicy = matchingPolicy;