private:
bool SAML1Query(QueryContext& ctx) const;
bool SAML2Query(QueryContext& ctx) const;
- void signMessage(const Application& app, const RoleDescriptor& role, SignableObject& msg) const;
Category& m_log;
vector<AttributeDesignator*> m_SAML1Designators;
}
}
-void QueryResolver::signMessage(const Application& application, const RoleDescriptor& role, SignableObject& msg) const
-{
- const PropertySet* relyingParty = application.getRelyingParty(dynamic_cast<const EntityDescriptor*>(role.getParent()));
- pair<bool,const char*> prop = relyingParty->getString("signing");
- if (prop.first && (!strcmp(prop.second, "true") || !strcmp(prop.second, "back"))) {
- CredentialResolver* credResolver=application.getCredentialResolver();
- if (credResolver) {
- Locker credLocker(credResolver);
- // Fill in criteria to use.
- MetadataCredentialCriteria mcc(role);
- mcc.setUsage(CredentialCriteria::SIGNING_CREDENTIAL);
- prop = relyingParty->getString("keyName");
- if (prop.first)
- mcc.getKeyNames().insert(prop.second);
- pair<bool,const XMLCh*> sigalg = relyingParty->getXMLString("signingAlg");
- if (sigalg.first)
- mcc.setXMLAlgorithm(sigalg.second);
- const Credential* cred = credResolver->resolve(&mcc);
- if (cred) {
- xmlsignature::Signature* sig = xmlsignature::SignatureBuilder::buildSignature();
- msg.setSignature(sig);
- if (sigalg.first)
- sig->setSignatureAlgorithm(sigalg.second);
- sigalg = relyingParty->getXMLString("digestAlg");
- if (sigalg.first) {
- ContentReference* cr = dynamic_cast<ContentReference*>(sig->getContentReference());
- if (cr)
- cr->setDigestAlgorithm(sigalg.second);
- }
-
- // Sign response while marshalling.
- vector<xmlsignature::Signature*> sigs(1,sig);
- msg.marshall((DOMDocument*)NULL,&sigs,cred);
- }
- else {
- m_log.warn("no signing credential resolved, leaving query unsigned");
- }
- }
- else {
- m_log.warn("no credential resolver installed, leaving query unsigned");
- }
- }
-}
-
bool QueryResolver::SAML1Query(QueryContext& ctx) const
{
#ifdef _DEBUG
#endif
int version = XMLString::equals(ctx.getProtocol(), samlconstants::SAML11_PROTOCOL_ENUM) ? 1 : 0;
- const AttributeAuthorityDescriptor* AA = ctx.getEntityDescriptor()->getAttributeAuthorityDescriptor(ctx.getProtocol());
+ const AttributeAuthorityDescriptor* AA =
+ find_if(ctx.getEntityDescriptor()->getAttributeAuthorityDescriptors(), isValidForProtocol(ctx.getProtocol()));
if (!AA) {
m_log.warn("no SAML 1.%d AttributeAuthority role found in metadata", version);
return false;
}
- shibsp::SecurityPolicy policy(ctx.getApplication());
+ const Application& application = ctx.getApplication();
+ shibsp::SecurityPolicy policy(application);
MetadataCredentialCriteria mcc(*AA);
shibsp::SOAPClient soaper(policy);
const PropertySet* policySettings =
- ctx.getApplication().getServiceProvider().getPolicySettings(ctx.getApplication().getString("policyId").second);
+ application.getServiceProvider().getPolicySettings(application.getString("policyId").second);
pair<bool,bool> signedAssertions = policySettings->getBool("signedAssertions");
auto_ptr_XMLCh binding(samlconstants::SAML1_BINDING_SOAP);
if (!XMLString::equals((*ep)->getBinding(),binding.get()))
continue;
auto_ptr_char loc((*ep)->getLocation());
- auto_ptr_XMLCh issuer(ctx.getApplication().getString("entityID").second);
+ auto_ptr_XMLCh issuer(application.getString("entityID").second);
NameIdentifier* nameid = NameIdentifierBuilder::buildNameIdentifier();
nameid->setName(ctx.getNameID()->getName());
nameid->setFormat(ctx.getNameID()->getFormat());
Request* request = RequestBuilder::buildRequest();
request->setAttributeQuery(query);
request->setMinorVersion(version);
- signMessage(ctx.getApplication(), *AA, *request);
SAML1SOAPClient client(soaper, false);
- client.sendSAML(request, mcc, loc.get());
+ client.sendSAML(request, application.getId(), mcc, loc.get());
response = client.receiveSAML();
}
catch (exception& ex) {
}
try {
+ // We're going to insist that the assertion issuer is the same as the peer.
+ // Reset the policy's message bits and extract them from the assertion.
+ policy.reset(true);
+ policy.setMessageID(newtoken->getAssertionID());
+ policy.setIssueInstant(newtoken->getIssueInstantEpoch());
+ policy.setIssuer(newtoken->getIssuer());
policy.evaluate(*newtoken);
- if (!policy.isSecure())
+
+ // Now we can check the security status of the policy.
+ if (!policy.isAuthenticated())
throw SecurityPolicyException("Security of SAML 1.x query result not established.");
- saml1::AssertionValidator tokval(ctx.getApplication().getAudiences(), time(NULL));
+
+ // Lastly, check it over.
+ saml1::AssertionValidator tokval(application.getAudiences(), time(NULL));
tokval.validateAssertion(*newtoken);
}
catch (exception& ex) {
// Finally, extract and filter the result.
try {
- AttributeExtractor* extractor = ctx.getApplication().getAttributeExtractor();
+ AttributeExtractor* extractor = application.getAttributeExtractor();
if (extractor) {
Locker extlocker(extractor);
- extractor->extractAttributes(ctx.getApplication(), AA, *newtoken, ctx.getResolvedAttributes());
+ extractor->extractAttributes(application, AA, *newtoken, ctx.getResolvedAttributes());
}
- AttributeFilter* filter = ctx.getApplication().getAttributeFilter();
+ AttributeFilter* filter = application.getAttributeFilter();
if (filter) {
- BasicFilteringContext fc(ctx.getApplication(), ctx.getResolvedAttributes(), AA, ctx.getClassRef(), ctx.getDeclRef());
+ BasicFilteringContext fc(application, ctx.getResolvedAttributes(), AA, ctx.getClassRef(), ctx.getDeclRef());
Locker filtlocker(filter);
filter->filterAttributes(fc, ctx.getResolvedAttributes());
}
xmltooling::NDC ndc("query");
#endif
- const AttributeAuthorityDescriptor* AA = ctx.getEntityDescriptor()->getAttributeAuthorityDescriptor(samlconstants::SAML20P_NS);
+ const AttributeAuthorityDescriptor* AA =
+ find_if(ctx.getEntityDescriptor()->getAttributeAuthorityDescriptors(), isValidForProtocol(samlconstants::SAML20P_NS));
if (!AA) {
m_log.warn("no SAML 2 AttributeAuthority role found in metadata");
return false;
}
- shibsp::SecurityPolicy policy(ctx.getApplication());
+ const Application& application = ctx.getApplication();
+ shibsp::SecurityPolicy policy(application);
MetadataCredentialCriteria mcc(*AA);
shibsp::SOAPClient soaper(policy);
- const PropertySet* policySettings =
- ctx.getApplication().getServiceProvider().getPolicySettings(ctx.getApplication().getString("policyId").second);
+ const PropertySet* policySettings = application.getServiceProvider().getPolicySettings(application.getString("policyId").second);
pair<bool,bool> signedAssertions = policySettings->getBool("signedAssertions");
- const PropertySet* relyingParty = ctx.getApplication().getRelyingParty(ctx.getEntityDescriptor());
+ const PropertySet* relyingParty = application.getRelyingParty(ctx.getEntityDescriptor());
pair<bool,const char*> encryption = relyingParty->getString("encryption");
auto_ptr_XMLCh binding(samlconstants::SAML20_BINDING_SOAP);
if (!XMLString::equals((*ep)->getBinding(),binding.get()))
continue;
auto_ptr_char loc((*ep)->getLocation());
- auto_ptr_XMLCh issuer(ctx.getApplication().getString("entityID").second);
+ auto_ptr_XMLCh issuer(application.getString("entityID").second);
auto_ptr<saml2::Subject> subject(saml2::SubjectBuilder::buildSubject());
MetadataCredentialCriteria mcc(*AA);
encrypted->encrypt(
*ctx.getNameID(),
- *(ctx.getApplication().getMetadataProvider()),
+ *(application.getMetadataProvider()),
mcc,
false,
relyingParty->getXMLString("encryptionAlg").second
query->setIssuer(iss);
for (vector<saml2::Attribute*>::const_iterator ad = m_SAML2Designators.begin(); ad!=m_SAML2Designators.end(); ++ad)
query->getAttributes().push_back((*ad)->cloneAttribute());
- signMessage(ctx.getApplication(), *AA, *query);
SAML2SOAPClient client(soaper, false);
- client.sendSAML(query, mcc, loc.get());
+ client.sendSAML(query, application.getId(), mcc, loc.get());
srt = client.receiveSAML();
}
catch (exception& ex) {
}
try {
+ // We're going to insist that the assertion issuer is the same as the peer.
+ // Reset the policy's message bits and extract them from the assertion.
+ policy.reset(true);
+ policy.setMessageID(newtoken->getID());
+ policy.setIssueInstant(newtoken->getIssueInstantEpoch());
+ policy.setIssuer(newtoken->getIssuer());
policy.evaluate(*newtoken);
- if (!policy.isSecure())
+
+ // Now we can check the security status of the policy.
+ if (!policy.isAuthenticated())
throw SecurityPolicyException("Security of SAML 2.0 query result not established.");
- saml2::AssertionValidator tokval(ctx.getApplication().getAudiences(), time(NULL));
+
+ // Lastly, check it over.
+ saml2::AssertionValidator tokval(application.getAudiences(), time(NULL));
tokval.validateAssertion(*newtoken);
}
catch (exception& ex) {
// Finally, extract and filter the result.
try {
- AttributeExtractor* extractor = ctx.getApplication().getAttributeExtractor();
+ AttributeExtractor* extractor = application.getAttributeExtractor();
if (extractor) {
Locker extlocker(extractor);
- extractor->extractAttributes(ctx.getApplication(), AA, *newtoken, ctx.getResolvedAttributes());
+ extractor->extractAttributes(application, AA, *newtoken, ctx.getResolvedAttributes());
}
- AttributeFilter* filter = ctx.getApplication().getAttributeFilter();
+ AttributeFilter* filter = application.getAttributeFilter();
if (filter) {
- BasicFilteringContext fc(ctx.getApplication(), ctx.getResolvedAttributes(), AA, ctx.getClassRef(), ctx.getDeclRef());
+ BasicFilteringContext fc(application, ctx.getResolvedAttributes(), AA, ctx.getClassRef(), ctx.getDeclRef());
Locker filtlocker(filter);
filter->filterAttributes(fc, ctx.getResolvedAttributes());
}