X-Git-Url: http://www.project-moonshot.org/gitweb/?a=blobdiff_plain;f=saml%2Fbinding%2FSecurityPolicy.h;h=1c02ab83eb16e785dea8b054c88ff4dcc9c76b95;hb=a66789863e59746d4215de44d9758c40d2b477c6;hp=a9ab6e0653121465e314a565a50409fc2d48a955;hpb=3e40c0e62375c069e7860a87ca4f65fb2003f018;p=shibboleth%2Fcpp-opensaml.git
diff --git a/saml/binding/SecurityPolicy.h b/saml/binding/SecurityPolicy.h
index a9ab6e0..1c02ab8 100644
--- a/saml/binding/SecurityPolicy.h
+++ b/saml/binding/SecurityPolicy.h
@@ -1,5 +1,5 @@
 /*
- * Copyright 2001-2006 Internet2
+ * Copyright 2001-2007 Internet2
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@@ -67,13 +67,16 @@ namespace opensaml {
 * @param metadataProvider locked MetadataProvider instance
 * @param role identifies the role (generally IdP or SP) of the policy peer
 * @param trustEngine TrustEngine to authenticate policy peer
+ * @param validate true iff XML parsing should be done with validation
 */
 SecurityPolicy(
 const saml2md::MetadataProvider* metadataProvider=NULL,
 const xmltooling::QName* role=NULL,
- const xmltooling::TrustEngine* trustEngine=NULL
- ) : m_messageQName(NULL), m_messageID(NULL), m_issueInstant(0), m_issuer(NULL), m_issuerRole(NULL),
- m_matchingPolicy(NULL), m_metadata(metadataProvider), m_role(NULL), m_trust(trustEngine) {
+ const xmltooling::TrustEngine* trustEngine=NULL,
+ bool validate=true
+ ) : m_messageQName(NULL), m_messageID(NULL), m_issueInstant(0),
+ m_issuer(NULL), m_issuerRole(NULL), m_secure(false), m_matchingPolicy(NULL),
+ m_metadata(metadataProvider), m_role(NULL), m_trust(trustEngine), m_validate(validate) {
 if (role)
 m_role = new xmltooling::QName(*role);
 }
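Review bot: The `@param validate` text added to both constructors (here and in the -86,14 hunk) does not say what a caller gives up by passing `false`, so a reader cannot tell from the header that turning it off removes a layer of checking on incoming messages. I would extend it to `@param validate true iff XML parsing should be done with schema validation; when false, malformed messages are caught only by the programmatic checks in the rules`. The `setValidating` comment in the -166,13 hunk should carry the same sentence and should state whether changing the flag after a message has been decoded has any effect, which cannot be determined from this header.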
@@ -86,14 +89,17 @@ namespace opensaml {
 * @param metadataProvider locked MetadataProvider instance
 * @param role identifies the role (generally IdP or SP) of the policy peer
 * @param trustEngine TrustEngine to authenticate policy peer
+ * @param validate true iff XML parsing should be done with validation
 */
 SecurityPolicy(
 const std::vector& rules,
 const saml2md::MetadataProvider* metadataProvider=NULL,
 const xmltooling::QName* role=NULL,
- const xmltooling::TrustEngine* trustEngine=NULL
- ) : m_messageQName(NULL), m_messageID(NULL), m_issueInstant(0), m_issuer(NULL), m_issuerRole(NULL),
- m_matchingPolicy(NULL), m_rules(rules), m_metadata(metadataProvider), m_role(NULL), m_trust(trustEngine) {
+ const xmltooling::TrustEngine* trustEngine=NULL,
+ bool validate=true
+ ) : m_messageQName(NULL), m_messageID(NULL), m_issueInstant(0),
+ m_issuer(NULL), m_issuerRole(NULL), m_secure(false), m_matchingPolicy(NULL),
+ m_rules(rules), m_metadata(metadataProvider), m_role(NULL), m_trust(trustEngine), m_validate(validate) {
 if (role)
 m_role = new xmltooling::QName(*role);
 }
@@ -128,6 +134,15 @@ namespace opensaml {
 }
 /**
+ * Returns XML message validation setting.
+ *
+ * @return validation flag
+ */
+ bool getValidating() const {
+ return m_validate;
+ }
+
+ /**
 * Adds a SecurityPolicyRule to the policy. The lifetime of the policy rule
 * must be at least as long as the policy object.
 *
@@ -166,13 +181,24 @@ namespace opensaml {
 }
 /**
+ * Controls schema validation of incoming XML messages.
+ * This is separate from other forms of programmatic validation of objects,
+ * but can detect a much wider range of syntax errors.
+ *
+ * @param validate validation setting
+ */
+ void setValidating(bool validate=true) {
+ m_validate = validate;
+ }
+
+ /**
 * Evaluates the policy against the given request and message,
 * possibly populating message information in the policy object.
 *
 * @param message the incoming message
 * @param request the protocol request
- *
- * @throws BindingException thrown if the request/message do not meet the requirements of this policy
+ *
+ * @throws BindingException raised if the message/request is invalid according to the supplied rules
 */
 void evaluate(const xmltooling::XMLObject& message, const GenericRequest* request=NULL);
@@ -227,6 +253,15 @@ namespace opensaml {
 }
 /**
+ * Returns the security status as determined by the registered policies.
+ *
+ * @return true iff a SecurityPolicyRule has indicated the issuer/message has been authenticated
+ */
+ bool isSecure() const {
+ return m_secure;
+ }
+
+ /**
 * Sets the message element/type as determined by the registered policies.
 *
 * @param messageQName message element/type
@@ -257,11 +292,17 @@ namespace opensaml {
 /**
 * Sets the issuer of the message as determined by the registered policies.
- * The policy object takes ownership of the Issuer object.
 *
 * @param issuer issuer of the message
 */
- void setIssuer(saml2::Issuer* issuer);
+ void setIssuer(const saml2::Issuer* issuer);
+
+ /**
+ * Sets the issuer of the message as determined by the registered policies.
+ *
+ * @param issuer issuer of the message
+ */
+ void setIssuer(const XMLCh* issuer);
 /**
 * Sets the metadata for the role the issuer is operating in.
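Review bot: Within this diff `m_secure` is assigned false only in the two constructor initializer lists, so in the -227,6 hunk `isSecure()` could still report true for a later message if one policy object is evaluated more than once. If the class has a per-message reset path outside these hunks, it should include `m_secure = false;` next to the other message fields; if it does not, the comment on `isSecure()` should say `valid only for the most recently evaluated message; use a fresh SecurityPolicy per message`. The same concern covers `setSecure` in the -269,6 hunk, which lets any caller overwrite the flag in either direction and does not document whether a rule may lower it once another rule has raised it.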
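Review bot: With both `setIssuer(const saml2::Issuer*)` and `setIssuer(const XMLCh*)` declared in the -257,11 hunk, a call such as `setIssuer(NULL)` is ambiguous and will no longer compile, so any caller that clears the issuer that way needs a cast or a dedicated clearing method. Dropping the sentence about ownership also leaves the contract unstated: the member is still a non-const `saml2::Issuer* m_issuer`, so presumably the policy now copies the argument, and the comment should say so, for example `The policy object makes its own copy of the issuer; the caller retains ownership.` The definitions are outside this diff, so the wording should be confirmed against the implementation file.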
@@ -269,6 +310,15 @@ namespace opensaml {
 * @param issuerRole metadata for the role the issuer is operating in
 */
 void setIssuerMetadata(const saml2md::RoleDescriptor* issuerRole);
+
+ /**
+ * Sets the security status as determined by the registered policies.
+ *
+ * @param secure indicates whether the issuer/message has been authenticated
+ */
+ void setSecure(bool secure) {
+ m_secure = secure;
+ }
 /** Allows override of rules for comparing saml2:Issuer information. */
 class SAML_API IssuerMatchingPolicy {
@@ -289,6 +339,19 @@ namespace opensaml {
 * @return true iff the operands match
 */
 virtual bool issuerMatches(const saml2::Issuer* issuer1, const saml2::Issuer* issuer2) const;
+
+ /**
+ * Returns true iff the two operands "match". Applications can override this method to
+ * support non-standard issuer matching for complex policies.
+ *
+ *

The default implementation does a basic comparison of the XML content, treating
+ * an unsupplied Format as an "entityID".
+ *
+ * @param issuer1 the first Issuer to match
+ * @param issuer2 the second Issuer to match
+ * @return true iff the operands match
+ */
+ virtual bool issuerMatches(const saml2::Issuer* issuer1, const XMLCh* issuer2) const;
 };
 /**
@@ -324,6 +387,7 @@ namespace opensaml {
 time_t m_issueInstant;
 saml2::Issuer* m_issuer;
 const saml2md::RoleDescriptor* m_issuerRole;
+ bool m_secure;
 // components governing policy rules
 IssuerMatchingPolicy* m_matchingPolicy;
@@ -331,6 +395,7 @@ namespace opensaml {
 const saml2md::MetadataProvider* m_metadata;
 xmltooling::QName* m_role;
 const xmltooling::TrustEngine* m_trust;
+ bool m_validate;
 };
 };
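Review bot: A subclass of `IssuerMatchingPolicy` that overrides only the existing two-`Issuer` `issuerMatches` will inherit the default implementation of the `const XMLCh*` overload added in the -289,6 hunk, so an application's custom matching policy would apply to one comparison path and not the other; the new overload also becomes hidden by name in such a subclass. The doc comment is copied from the first overload and should be adjusted: `@param issuer2` is a string here, not an Issuer, and the text does not say how a Format or qualifiers on `issuer1` are treated when compared with a bare name. I would write `@param issuer2 the second issuer, as a name/entityID string` and add one sentence stating the result when either operand is NULL. The implementation is not part of this diff, so the stated default behaviour should be checked against it.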