X-Git-Url: http://www.project-moonshot.org/gitweb/?a=blobdiff_plain;f=saml%2Fbinding%2FMessageDecoder.h;h=80254ba837c7af4370d92bcd610c4a3829861e45;hb=a30857e2c0f4bcd1817aa2939ffdc0856e93a533;hp=364d6a5c2739bb66c5916ab2484838d9b9409966;hpb=1ffcb743f90aeb3da11054316f3d005ff7edbf7b;p=shibboleth%2Fcpp-opensaml.git diff --git a/saml/binding/MessageDecoder.h b/saml/binding/MessageDecoder.h index 364d6a5..80254ba 100644 --- a/saml/binding/MessageDecoder.h +++ b/saml/binding/MessageDecoder.h @@ -23,14 +23,13 @@ #ifndef __saml_decoder_h__ #define __saml_decoder_h__ -#include - +#include +#include #include namespace opensaml { class SAML_API SAMLArtifact; - class SAML_API X509TrustEngine; namespace saml1p { class SAML_API Response; }; @@ -43,7 +42,7 @@ namespace opensaml { class SAML_API IDPSSODescriptor; class SAML_API RoleDescriptor; class SAML_API SSODescriptorType; - } + }; /** * Interface to SAML protocol binding message decoders. @@ -55,65 +54,6 @@ namespace opensaml { virtual ~MessageDecoder() {} /** - * Interface to caller-supplied shim for accessing HTTP request context. - * - * To supply information from the surrounding web server environment, - * a shim must be supplied in the form of this interface to adapt the - * library to different proprietary server APIs. - */ - class SAML_API HTTPRequest { - MAKE_NONCOPYABLE(HTTPRequest); - protected: - HTTPRequest() {} - public: - virtual ~HTTPRequest() {} - - /** - * Returns the HTTP method of the request (GET, POST, etc.) - * - * @return the HTTP method - */ - virtual const char* getMethod() const=0; - - /** - * Returns the complete request URL, including scheme, host, port. - * - * @return the request URL - */ - virtual const char* getRequestURL() const=0; - - /** - * Returns the HTTP query string appened to the request. The query - * string is returned without any decoding applied, everything found - * after the ? delimiter. - * - * @return the query string - */ - virtual const char* getQueryString() const=0; - - /** - * Returns a decoded named parameter value from the query string or form body. - * If a parameter has multiple values, only one will be returned. - * - * @param name the name of the parameter to return - * @return a single parameter value or NULL - */ - virtual const char* getParameter(const char* name) const=0; - - /** - * Returns all of the decoded values of a named parameter from the query string - * or form body. All values found will be returned. - * - * @param name the name of the parameter to return - * @param values a vector in which to return pointers to the decoded values - * @return the number of values returned - */ - virtual std::vector::size_type getParameters( - const char* name, std::vector& values - ) const=0; - }; - - /** * Interface to caller-supplied artifact resolution mechanism. * * Resolving artifacts requires internally performing a SOAP-based @@ -148,36 +88,36 @@ namespace opensaml { /** * Resolves one or more SAML 1.x artifacts into a response containing a set of - * resolved Assertions. The caller is responsible for the resulting Response. + * resolved Assertions. The caller is responsible for the resulting Response. + * The supplied SecurityPolicy is used to access caller-supplied infrastructure + * and to pass back the result of authenticating the resolution process. * - * @param authenticated output flag set to true iff the resolution channel was authenticated * @param artifacts one or more SAML 1.x artifacts * @param idpDescriptor reference to IdP role of artifact issuer - * @param trustEngine optional pointer to X509TrustEngine supplied to MessageDecoder + * @param policy reference to policy containing rules, MetadataProvider, TrustEngine, etc. * @return the corresponding SAML Assertions wrapped in a Response. */ virtual saml1p::Response* resolve( - bool& authenticated, const std::vector& artifacts, const saml2md::IDPSSODescriptor& idpDescriptor, - const X509TrustEngine* trustEngine=NULL + SecurityPolicy& policy ) const=0; /** * Resolves a SAML 2.0 artifact into the corresponding SAML protocol message. * The caller is responsible for the resulting ArtifactResponse message. + * The supplied SecurityPolicy is used to access caller-supplied infrastructure + * and to pass back the result of authenticating the resolution process. * - * @param authenticated output flag set to true iff the resolution channel was authenticated * @param artifact reference to a SAML 2.0 artifact * @param ssoDescriptor reference to SSO role of artifact issuer (may be SP or IdP) - * @param trustEngine optional pointer to X509TrustEngine supplied to MessageDecoder + * @param policy reference to policy containing rules, MetadataProvider, TrustEngine, etc. * @return the corresponding SAML protocol message or NULL */ virtual saml2p::ArtifactResponse* resolve( - bool& authenticated, const saml2p::SAML2Artifact& artifact, const saml2md::SSODescriptorType& ssoDescriptor, - const X509TrustEngine* trustEngine=NULL + SecurityPolicy& policy ) const=0; }; @@ -208,36 +148,23 @@ namespace opensaml { } /** - * Decodes an HTTP request into a SAML protocol message, and returns related - * information about the issuer of the message and whether it can be trusted. - * If the HTTP request does not contain the information necessary to decode - * the request, a NULL will be returned. Errors during the decoding process - * will be raised as exceptions. + * Decodes a transport request into a SAML protocol message, and evaluates it + * against a supplied SecurityPolicy. If the transport request does not contain + * the information necessary to decode the request, NULL will be returned. + * Errors during the decoding process will be raised as exceptions. * *

Artifact-based bindings require an ArtifactResolver be set to * turn an artifact into the corresponding message. * - *

In some cases, a message may be returned but not authenticated. The caller - * should examine the issuerTrusted output value to establish this. - * - * @param relayState RelayState/TARGET value accompanying message - * @param issuer role descriptor of issuing party - * @param issuerTrusted output flag set to true iff the message was authenticated - * (signed or obtained via secure backchannel) - * @param httpRequest reference to interface for accessing HTTP message to decode - * @param metadataProvider optional MetadataProvider instance to authenticate the message - * @param role optional, identifies the role (generally IdP or SP) of the peer who issued the message - * @param trustEngine optional TrustEngine to authenticate the message + * @param relayState will be set to RelayState/TARGET value accompanying message + * @param genericRequest reference to interface for accessing transport request to decode + * @param policy reference to policy containing rules, MetadataProvider, TrustEngine, etc. * @return the decoded message, or NULL if the decoder did not recognize the request content */ virtual xmltooling::XMLObject* decode( std::string& relayState, - const saml2md::RoleDescriptor*& issuer, - bool& issuerTrusted, - const HTTPRequest& httpRequest, - const saml2md::MetadataProvider* metadataProvider=NULL, - const xmltooling::QName* role=NULL, - const TrustEngine* trustEngine=NULL + const GenericRequest& genericRequest, + SecurityPolicy& policy ) const=0; protected: @@ -254,21 +181,6 @@ namespace opensaml { * Registers MessageDecoder plugins into the runtime. */ void SAML_API registerMessageDecoders(); - - /** MessageDecoder for SAML 1.x Browser/Artifact "binding" (really part of profile) */ - #define SAML1_ARTIFACT_DECODER "urn:oasis:names:tc:SAML:1.0:profiles:artifact-01" - - /** MessageDecoder for SAML 1.x Browser/POST "binding" (really part of profile) */ - #define SAML1_POST_DECODER "urn:oasis:names:tc:SAML:1.0:profiles:browser-post" - - /** MessageDecoder for SAML 2.0 HTTP-Artifact binding */ - #define SAML2_ARTIFACT_DECODER "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" - - /** MessageDecoder for SAML 2.0 HTTP-POST binding */ - #define SAML2_POST_DECODER "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" - - /** MessageDecoder for SAML 2.0 HTTP-Redirect binding */ - #define SAML2_REDIRECT_DECODER "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" }; #endif /* __saml_decoder_h__ */