Merged trust engines back into a unified version, made metadata roles a "KeyInfoSource".

[shibboleth/cpp-opensaml.git] / saml / binding / impl / ClientCertAuthRule.cpp

diff --git a/saml/binding/impl/ClientCertAuthRule.cpp b/saml/binding/impl/ClientCertAuthRule.cpp
index 63a6bb1..307a1d7 100644 (file)
--- a/saml/binding/impl/ClientCertAuthRule.cpp
+++ b/saml/binding/impl/ClientCertAuthRule.cpp
@@ -25,8 +25,8 @@
 #include "binding/ClientCertAuthRule.h"
 #include "saml2/metadata/Metadata.h"
 #include "saml2/metadata/MetadataProvider.h"
-#include "security/X509TrustEngine.h"
 
+#include <xmltooling/security/X509TrustEngine.h>
 #include <xmltooling/util/NDC.h>
 #include <xmltooling/util/ReplayCache.h>
 #include <log4cpp/Category.hh>
@@ -49,8 +49,7 @@ pair<saml2::Issuer*,const RoleDescriptor*> ClientCertAuthRule::evaluate(
     const XMLObject& message,
     const MetadataProvider* metadataProvider,
     const QName* role,
-    const opensaml::TrustEngine* trustEngine,
-    const MessageExtractor& extractor
+    const TrustEngine* trustEngine
     ) const
 {
     Category& log=Category::getInstance(SAML_LOGCAT".SecurityPolicyRule.ClientCertAuth");
@@ -58,8 +57,8 @@ pair<saml2::Issuer*,const RoleDescriptor*> ClientCertAuthRule::evaluate(
     
     pair<saml2::Issuer*,const RoleDescriptor*> ret = pair<saml2::Issuer*,const RoleDescriptor*>(NULL,NULL);  
     
-    const opensaml::X509TrustEngine* x509trust;
-    if (!metadataProvider || !role || !(x509trust=dynamic_cast<const opensaml::X509TrustEngine*>(trustEngine))) {
+    const X509TrustEngine* x509trust;
+    if (!metadataProvider || !role || !(x509trust=dynamic_cast<const X509TrustEngine*>(trustEngine))) {
         log.debug("ignoring message, no metadata or X509TrustEngine supplied");
         return ret;
     }
@@ -72,7 +71,7 @@ pair<saml2::Issuer*,const RoleDescriptor*> ClientCertAuthRule::evaluate(
     
     try {
         log.debug("extracting issuer from message");
-        pair<saml2::Issuer*,const XMLCh*> issuerInfo = extractor.getIssuerAndProtocol(message);
+        pair<saml2::Issuer*,const XMLCh*> issuerInfo = getIssuerAndProtocol(message);
         
         auto_ptr<saml2::Issuer> issuer(issuerInfo.first);
         if (!issuerInfo.first || !issuerInfo.second ||
@@ -115,3 +114,21 @@ pair<saml2::Issuer*,const RoleDescriptor*> ClientCertAuthRule::evaluate(
     }
     return ret;
 }
+
+pair<saml2::Issuer*,const XMLCh*> ClientCertAuthRule::getIssuerAndProtocol(const XMLObject& message) const
+{
+    // We just let any bad casts throw here.
+
+    // Shortcuts some of the casting.
+    const XMLCh* ns = message.getElementQName().getNamespaceURI();
+    if (ns) {
+        if (XMLString::equals(ns, samlconstants::SAML20P_NS)) {
+            // 2.0 namespace should be castable to a specialized 2.0 root.
+            const saml2::RootObject& root = dynamic_cast<const saml2::RootObject&>(message);
+            saml2::Issuer* issuer = root.getIssuer();
+            if (issuer && issuer->getName())
+                return make_pair(issuer->cloneIssuer(), samlconstants::SAML20P_NS);
+        }
+    }
+    return pair<saml2::Issuer*,const XMLCh*>(NULL,NULL);
+}