X-Git-Url: http://www.project-moonshot.org/gitweb/?a=blobdiff_plain;f=saml%2Fbinding%2FSecurityPolicy.h;h=81f990e4fd8d954f4d00fb091e3043d0674588b9;hb=c69cbb33a8c6ed07ff80edd5ab2ddb2d8aad6bf2;hp=67259caae04a44e71af6c61d4144d4b6ef5cadcb;hpb=84c0834e26fc15d19f01ab5267f8433c07ee8001;p=shibboleth%2Fopensaml2.git
diff --git a/saml/binding/SecurityPolicy.h b/saml/binding/SecurityPolicy.h
index 67259ca..81f990e 100644
--- a/saml/binding/SecurityPolicy.h
+++ b/saml/binding/SecurityPolicy.h
@@ -54,6 +54,21 @@ namespace opensaml {
 /**
 * Constructor for policy.
 *
+ * @param metadataProvider locked MetadataProvider instance
+ * @param role identifies the role (generally IdP or SP) of the policy peer
+ * @param trustEngine TrustEngine to authenticate policy peer
+ */
+ SecurityPolicy(
+ const saml2md::MetadataProvider* metadataProvider=NULL,
+ const xmltooling::QName* role=NULL,
+ const TrustEngine* trustEngine=NULL
+ ) : m_issuer(NULL), m_issuerRole(NULL), m_matchingPolicy(NULL), m_metadata(metadataProvider),
+ m_role(role ? *role : xmltooling::QName()), m_trust(trustEngine) {
+ }
+
+ /**
+ * Constructor for policy using existing rules.
+ *
+ * @param rules reference to array of policy rules to use
+ * @param metadataProvider locked MetadataProvider instance
+ * @param role identifies the role (generally IdP or SP) of the policy peer
@@ -64,9 +79,10 @@ namespace opensaml {
 const saml2md::MetadataProvider* metadataProvider=NULL,
 const xmltooling::QName* role=NULL,
 const TrustEngine* trustEngine=NULL
- ) : m_issuer(NULL), m_issuerRole(NULL), m_rules(rules), m_metadata(metadataProvider),
+ ) : m_issuer(NULL), m_issuerRole(NULL), m_matchingPolicy(NULL), m_rules(rules), m_metadata(metadataProvider),
 m_role(role ? *role : xmltooling::QName()), m_trust(trustEngine) {
 }
+ virtual ~SecurityPolicy();
 /**
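Review bot: The new no-argument constructor leaves m_rules empty, and with the three NULL defaults the object also has no metadata provider and no trust engine, yet its comment ("Constructor for policy.") does not say that such a policy checks nothing until rules are installed; if evaluate() simply walks m_rules (its body is not in this diff) every message passes such a policy. Nothing in this hunk shows how rules are added after construction, so whether the object can be completed later cannot be told from here. Suggest a comment such as `* Constructor for a policy with no rules; until rules are supplied and a metadata provider and trust engine are set, evaluation applies no checks.` so callers do not mistake the default object for a secured policy. The class body continues outside the hunk.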
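Review bot: `virtual ~SecurityPolicy();` is added to a class that now holds an owning raw pointer (m_matchingPolicy is deleted by the setter further down in this diff), but nothing here disables or defines copying; unless the class head, which lies outside the hunk, already carries MAKE_NONCOPYABLE, the implicit copy constructor and copy assignment would leave two SecurityPolicy objects freeing the same IssuerMatchingPolicy. Add `MAKE_NONCOPYABLE(SecurityPolicy);` beside the destructor, or declare the copy operations private, as the inner IssuerMatchingPolicy class in this same diff does for itself. The constructor whose initializer list this hunk edits begins before the hunk.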
@@ -97,6 +113,33 @@ namespace opensaml {
 }
 /**
+ * Sets a locked MetadataProvider for the policy.
+ *
+ * @param metadata a locked MetadataProvider or NULL
+ */
+ void setMetadataProvider(const saml2md::MetadataProvider* metadata) {
+ m_metadata = metadata;
+ }
+
+ /**
+ * Sets a peer role element/type for to the policy.
+ *
+ * @param role the peer role element/type or NULL
+ */
+ void setRole(const xmltooling::QName* role) {
+ m_role = (role ? *role : xmltooling::QName());
+ }
+
+ /**
+ * Sets a TrustEngine for the policy.
+ *
+ * @param trust a TrustEngine or NULL
+ */
+ void setTrustEngine(const TrustEngine* trust) {
+ m_trust = trust;
+ }
+
+ /**
 * Evaluates the rule against the given request and message,
 * possibly populating issuer information in the policy object.
 *
@@ -140,25 +183,59 @@ namespace opensaml {
 * @param issuerRole metadata for the role the issuer is operating in
 */
 void setIssuerMetadata(const saml2md::RoleDescriptor* issuerRole);
+
+ /** Allows override of rules for comparing saml2:Issuer information. */
+ class SAML_API IssuerMatchingPolicy {
+ MAKE_NONCOPYABLE(IssuerMatchingPolicy);
+ public:
+ IssuerMatchingPolicy() {}
+ virtual ~IssuerMatchingPolicy() {}
+
+ /**
+ * Returns true iff the two operands "match". Applications can override this method to
+ * support non-standard issuer matching for complex policies.
+ *
+ *
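Review bot: The three setters in the @@ -97 hunk store raw pointers the policy does not own, but their comments say nothing about how long the caller must keep the objects alive, nor that the MetadataProvider must stay locked for as long as the policy uses it (the constructor comment only says "locked MetadataProvider instance"); a line such as `* @param metadata a locked MetadataProvider or NULL; not owned, the caller keeps it locked and alive while the policy is in use` on setMetadataProvider, and the equivalent on setTrustEngine, would pin that down. Passing NULL to setTrustEngine or setMetadataProvider presumably disables whatever rules depend on them, which is also worth stating so a configured policy is not silently weakened by a reset. The setRole comment reads "for to the policy"; drop the "for".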

The default implementation does a basic comparison of the XML content, treating
+ * an unsupplied Format as an "entityID".
+ *
+ * @param issuer1 the first Issuer to match
+ * @param issuer2 the second Issuer to match
+ * @return true iff the operands match
+ */
+ virtual bool issuerMatches(const saml2::Issuer* issuer1, const saml2::Issuer* issuer2) const;
+ };
- protected:
 /**
- * Returns true iff the two operands "match". Applications can override this method to
- * support non-standard issuer matching for complex policies.
+ * Returns the IssuerMatchingPolicy in effect.
- *

The default implementation does a basic comparison of the XML content, treating
- * an unsupplied Format as "entityID".
+ * @return the effective IssuerMatchingPolicy
+ */
+ const IssuerMatchingPolicy* getIssuerMatchingPolicy() const {
+ return m_matchingPolicy ? m_matchingPolicy : &m_defaultMatching;
+ }
+
+ /**
+ * Sets the IssuerMatchingPolicy in effect. Setting no policy will
+ * cause the simple, default approach to be used.
- * @param issuer1 the first Issuer to match
- * @param issuer2 the second Issuer to match
- * @return true iff the operands match
+ *

The matching object will be freed by the SecurityPolicy.
+ *
+ * @param matchingPolicy the IssuerMatchingPolicy to use
 */
- virtual bool issuerMatches(const saml2::Issuer* issuer1, const saml2::Issuer* issuer2) const;
+ void getIssuerMatchingPolicy(IssuerMatchingPolicy* matchingPolicy) {
+ delete m_matchingPolicy;
+ m_matchingPolicy = matchingPolicy;
+ }
+
+ protected:
+ /** A shared matching object that just supports the default matching rules. */
+ static IssuerMatchingPolicy m_defaultMatching;
 private:
 saml2::Issuer* m_issuer;
 const saml2md::RoleDescriptor* m_issuerRole;
+ IssuerMatchingPolicy* m_matchingPolicy;
 std::vector m_rules;
 const saml2md::MetadataProvider* m_metadata;
 xmltooling::QName m_role;
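Review bot: The member that takes an `IssuerMatchingPolicy*` is declared as `getIssuerMatchingPolicy`, overloading the const getter just above it, although its comment says it sets the policy and its body assigns m_matchingPolicy; rename it `void setIssuerMatchingPolicy(IssuerMatchingPolicy* matchingPolicy)`. Its body also deletes the current object before storing the argument, so passing the pointer already held frees it and leaves m_matchingPolicy dangling; guard it with `if (matchingPolicy != m_matchingPolicy) { delete m_matchingPolicy; m_matchingPolicy = matchingPolicy; }`. Since the argument is later released with `delete`, the comment should state that it must be heap-allocated and that ownership passes to the policy, beyond the current "will be freed by the SecurityPolicy". The class body continues past the hunk.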