projects
/
shibboleth
/
sp.git
/ blobdiff
commit
grep
author
committer
pickaxe
?
search:
re
summary
|
shortlog
|
log
|
commit
|
commitdiff
|
tree
raw
|
inline
| side by side
https://bugs.internet2.edu/jira/browse/SSPCPP-293
[shibboleth/sp.git]
/
shibsp
/
handler
/
impl
/
SAML2Logout.cpp
diff --git
a/shibsp/handler/impl/SAML2Logout.cpp
b/shibsp/handler/impl/SAML2Logout.cpp
index
919a0b5
..
1ea0ef1
100644
(file)
--- a/
shibsp/handler/impl/SAML2Logout.cpp
+++ b/
shibsp/handler/impl/SAML2Logout.cpp
@@
-32,6
+32,7
@@
#ifndef SHIBSP_LITE
# include "SessionCacheEx.h"
# include "security/SecurityPolicy.h"
#ifndef SHIBSP_LITE
# include "SessionCacheEx.h"
# include "security/SecurityPolicy.h"
+# include "security/SecurityPolicyProvider.h"
# include "metadata/MetadataProviderCriteria.h"
# include "util/TemplateParameters.h"
# include <fstream>
# include "metadata/MetadataProviderCriteria.h"
# include "util/TemplateParameters.h"
# include <fstream>
@@
-334,22
+335,20
@@
pair<bool,long> SAML2Logout::doRequest(const Application& application, const HTT
if (!policyId.first)
policyId = application.getString("policyId"); // unqualified in Application(s) element
if (!policyId.first)
policyId = application.getString("policyId"); // unqualified in Application(s) element
- // Access policy properties.
- const PropertySet* settings = application.getServiceProvider().getPolicySettings(policyId.second);
- pair<bool,bool> validate = settings->getBool("validate");
-
// Lock metadata for use by policy.
Locker metadataLocker(application.getMetadataProvider());
// Create the policy.
// Lock metadata for use by policy.
Locker metadataLocker(application.getMetadataProvider());
// Create the policy.
- shibsp::SecurityPolicy policy(application, &m_role, validate.first && validate.second, policyId.second);
+ auto_ptr<SecurityPolicy> policy(
+ application.getServiceProvider().getSecurityPolicyProvider()->createSecurityPolicy(application, &m_role, policyId.second)
+ );
// Decode the message.
string relayState;
// Decode the message.
string relayState;
- auto_ptr<XMLObject> msg(m_decoder->decode(relayState, request,
policy
));
+ auto_ptr<XMLObject> msg(m_decoder->decode(relayState, request,
*policy.get()
));
const LogoutRequest* logoutRequest = dynamic_cast<LogoutRequest*>(msg.get());
if (logoutRequest) {
const LogoutRequest* logoutRequest = dynamic_cast<LogoutRequest*>(msg.get());
if (logoutRequest) {
- if (!policy
.
isAuthenticated())
+ if (!policy
->
isAuthenticated())
throw SecurityPolicyException("Security of LogoutRequest not established.");
// Message from IdP to logout one or more sessions.
throw SecurityPolicyException("Security of LogoutRequest not established.");
// Message from IdP to logout one or more sessions.
@@
-361,7
+360,7
@@
pair<bool,long> SAML2Logout::doRequest(const Application& application, const HTT
logoutRequest->getID(),
StatusCode::REQUESTER, StatusCode::UNKNOWN_PRINCIPAL, "No active session found in request.",
relayState.c_str(),
logoutRequest->getID(),
StatusCode::REQUESTER, StatusCode::UNKNOWN_PRINCIPAL, "No active session found in request.",
relayState.c_str(),
- policy
.
getIssuerMetadata(),
+ policy
->
getIssuerMetadata(),
application,
response,
true
application,
response,
true
@@
-380,13
+379,16
@@
pair<bool,long> SAML2Logout::doRequest(const Application& application, const HTT
else {
Locker credlocker(cr);
auto_ptr<MetadataCredentialCriteria> mcc(
else {
Locker credlocker(cr);
auto_ptr<MetadataCredentialCriteria> mcc(
- policy
.getIssuerMetadata() ? new MetadataCredentialCriteria(*policy.
getIssuerMetadata()) : nullptr
+ policy
->getIssuerMetadata() ? new MetadataCredentialCriteria(*policy->
getIssuerMetadata()) : nullptr
);
try {
auto_ptr<XMLObject> decryptedID(
encname->decrypt(
*cr,
);
try {
auto_ptr<XMLObject> decryptedID(
encname->decrypt(
*cr,
- application.getRelyingParty(policy.getIssuerMetadata() ? dynamic_cast<EntityDescriptor*>(policy.getIssuerMetadata()->getParent()) : nullptr)->getXMLString("entityID").second,
+ application.getRelyingParty(
+ policy->getIssuerMetadata() ?
+ dynamic_cast<EntityDescriptor*>(policy->getIssuerMetadata()->getParent()) :
+ nullptr)->getXMLString("entityID").second,
mcc.get()
)
);
mcc.get()
)
);
@@
-409,7
+411,7
@@
pair<bool,long> SAML2Logout::doRequest(const Application& application, const HTT
logoutRequest->getID(),
StatusCode::REQUESTER, StatusCode::UNKNOWN_PRINCIPAL, "NameID not found in request.",
relayState.c_str(),
logoutRequest->getID(),
StatusCode::REQUESTER, StatusCode::UNKNOWN_PRINCIPAL, "NameID not found in request.",
relayState.c_str(),
- policy
.
getIssuerMetadata(),
+ policy
->
getIssuerMetadata(),
application,
response,
m_decoder->isUserAgentPresent()
application,
response,
m_decoder->isUserAgentPresent()
@@
-420,7
+422,7
@@
pair<bool,long> SAML2Logout::doRequest(const Application& application, const HTT
// Suck indexes out of the request for next steps.
set<string> indexes;
// Suck indexes out of the request for next steps.
set<string> indexes;
- EntityDescriptor* entity = policy
.getIssuerMetadata() ? dynamic_cast<EntityDescriptor*>(policy.
getIssuerMetadata()->getParent()) : nullptr;
+ EntityDescriptor* entity = policy
->getIssuerMetadata() ? dynamic_cast<EntityDescriptor*>(policy->
getIssuerMetadata()->getParent()) : nullptr;
const vector<SessionIndex*> sindexes = logoutRequest->getSessionIndexs();
for (vector<SessionIndex*>::const_iterator i = sindexes.begin(); i != sindexes.end(); ++i) {
auto_ptr_char sindex((*i)->getSessionIndex());
const vector<SessionIndex*> sindexes = logoutRequest->getSessionIndexs();
for (vector<SessionIndex*>::const_iterator i = sindexes.begin(); i != sindexes.end(); ++i) {
auto_ptr_char sindex((*i)->getSessionIndex());
@@
-435,7
+437,7
@@
pair<bool,long> SAML2Logout::doRequest(const Application& application, const HTT
logoutRequest->getID(),
StatusCode::REQUESTER, StatusCode::REQUEST_DENIED, "Active session did not match logout request.",
relayState.c_str(),
logoutRequest->getID(),
StatusCode::REQUESTER, StatusCode::REQUEST_DENIED, "Active session did not match logout request.",
relayState.c_str(),
- policy
.
getIssuerMetadata(),
+ policy
->
getIssuerMetadata(),
application,
response,
true
application,
response,
true
@@
-470,7
+472,7
@@
pair<bool,long> SAML2Logout::doRequest(const Application& application, const HTT
logoutRequest->getID(),
StatusCode::RESPONDER, nullptr, ex.what(),
relayState.c_str(),
logoutRequest->getID(),
StatusCode::RESPONDER, nullptr, ex.what(),
relayState.c_str(),
- policy
.
getIssuerMetadata(),
+ policy
->
getIssuerMetadata(),
application,
response,
m_decoder->isUserAgentPresent()
application,
response,
m_decoder->isUserAgentPresent()
@@
-513,7
+515,7
@@
pair<bool,long> SAML2Logout::doRequest(const Application& application, const HTT
(worked1 && worked2) ? nullptr : StatusCode::PARTIAL_LOGOUT,
nullptr,
relayState.c_str(),
(worked1 && worked2) ? nullptr : StatusCode::PARTIAL_LOGOUT,
nullptr,
relayState.c_str(),
- policy
.
getIssuerMetadata(),
+ policy
->
getIssuerMetadata(),
application,
response,
m_decoder->isUserAgentPresent()
application,
response,
m_decoder->isUserAgentPresent()
@@
-523,13
+525,13
@@
pair<bool,long> SAML2Logout::doRequest(const Application& application, const HTT
// A LogoutResponse completes an SP-initiated logout sequence.
const LogoutResponse* logoutResponse = dynamic_cast<LogoutResponse*>(msg.get());
if (logoutResponse) {
// A LogoutResponse completes an SP-initiated logout sequence.
const LogoutResponse* logoutResponse = dynamic_cast<LogoutResponse*>(msg.get());
if (logoutResponse) {
- if (!policy
.
isAuthenticated()) {
+ if (!policy
->
isAuthenticated()) {
SecurityPolicyException ex("Security of LogoutResponse not established.");
SecurityPolicyException ex("Security of LogoutResponse not established.");
- if (policy
.
getIssuerMetadata())
- annotateException(&ex, policy
.
getIssuerMetadata()); // throws it
+ if (policy
->
getIssuerMetadata())
+ annotateException(&ex, policy
->
getIssuerMetadata()); // throws it
ex.raise();
}
ex.raise();
}
- checkError(logoutResponse, policy
.
getIssuerMetadata()); // throws if Status doesn't look good...
+ checkError(logoutResponse, policy
->
getIssuerMetadata()); // throws if Status doesn't look good...
// If relay state is set, recover the original return URL.
if (!relayState.empty())
// If relay state is set, recover the original return URL.
if (!relayState.empty())
@@
-549,8
+551,8
@@
pair<bool,long> SAML2Logout::doRequest(const Application& application, const HTT
}
FatalProfileException ex("Incoming message was not a samlp:LogoutRequest or samlp:LogoutResponse.");
}
FatalProfileException ex("Incoming message was not a samlp:LogoutRequest or samlp:LogoutResponse.");
- if (policy
.
getIssuerMetadata())
- annotateException(&ex, policy
.
getIssuerMetadata()); // throws it
+ if (policy
->
getIssuerMetadata())
+ annotateException(&ex, policy
->
getIssuerMetadata()); // throws it
ex.raise();
return make_pair(false,0L); // never happen, satisfies compiler
#else
ex.raise();
return make_pair(false,0L); // never happen, satisfies compiler
#else