X-Git-Url: http://www.project-moonshot.org/gitweb/?a=blobdiff_plain;f=saml%2Fbinding%2FSecurityPolicy.h;h=8d680d1fe4250565fc3832868e4f793a1701b76e;hb=6b5c75d27994ca1f9d450a81576a1bde4873edf3;hp=81f990e4fd8d954f4d00fb091e3043d0674588b9;hpb=9e5f5fd6b4d0dfd3cb062e98dcb087640bf82414;p=shibboleth%2Fcpp-opensaml.git
diff --git a/saml/binding/SecurityPolicy.h b/saml/binding/SecurityPolicy.h
index 81f990e..8d680d1 100644
--- a/saml/binding/SecurityPolicy.h
+++ b/saml/binding/SecurityPolicy.h
@@ -23,8 +23,12 @@ #ifndef __saml_secpol_h__ #define __saml_secpol_h__ -#include +#include + +#include #include +#include +#include #if defined (_MSC_VER) #pragma warning( push )
@@ -33,10 +37,16 @@ namespace opensaml { + namespace saml2 { + class SAML_API Issuer; + }; namespace saml2md { class SAML_API MetadataProvider; + class SAML_API RoleDescriptor; }; + class SAML_API SecurityPolicyRule; + /** * A policy used to verify the security of an incoming message. *
@@ -53,7 +63,7 @@ namespace opensaml { public: /** * Constructor for policy. - * + * * @param metadataProvider locked MetadataProvider instance * @param role identifies the role (generally IdP or SP) of the policy peer * @param trustEngine TrustEngine to authenticate policy peer
@@ -61,13 +71,16 @@ namespace opensaml { SecurityPolicy( const saml2md::MetadataProvider* metadataProvider=NULL, const xmltooling::QName* role=NULL, - const TrustEngine* trustEngine=NULL - ) : m_issuer(NULL), m_issuerRole(NULL), m_matchingPolicy(NULL), m_metadata(metadataProvider), - m_role(role ? *role : xmltooling::QName()), m_trust(trustEngine) { + const xmltooling::TrustEngine* trustEngine=NULL + ) : m_messageQName(NULL), m_messageID(NULL), m_issueInstant(0), m_issuer(NULL), m_issuerRole(NULL), m_secure(false), + m_matchingPolicy(NULL), m_metadata(metadataProvider), m_role(NULL), m_trust(trustEngine) { + if (role) + m_role = new xmltooling::QName(*role); } /** - * Constructor for policy using existing rules. + * Constructor for policy using existing rules. The lifetime of the policy rules + * must be at least as long as the policy object. * * @param rules reference to array of policy rules to use * @param metadataProvider locked MetadataProvider instance
@@ -78,9 +91,11 @@ namespace opensaml { const std::vector& rules, const saml2md::MetadataProvider* metadataProvider=NULL, const xmltooling::QName* role=NULL, - const TrustEngine* trustEngine=NULL - ) : m_issuer(NULL), m_issuerRole(NULL), m_matchingPolicy(NULL), m_rules(rules), m_metadata(metadataProvider), - m_role(role ? *role : xmltooling::QName()), m_trust(trustEngine) { + const xmltooling::TrustEngine* trustEngine=NULL + ) : m_messageQName(NULL), m_messageID(NULL), m_issueInstant(0), m_issuer(NULL), m_issuerRole(NULL), m_secure(false), + m_matchingPolicy(NULL), m_rules(rules), m_metadata(metadataProvider), m_role(NULL), m_trust(trustEngine) { + if (role) + m_role = new xmltooling::QName(*role); } virtual ~SecurityPolicy();
@@ -100,7 +115,7 @@ namespace opensaml { * @return the peer role element/type, or an empty QName */ const xmltooling::QName* getRole() const { - return &m_role; + return m_role; } /**
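Review bot: Nothing in the patch stops a SecurityPolicy from being copied, although this constructor now gives the object an owned heap pointer through `m_role = new xmltooling::QName(*role);`. The rules-taking constructor in the next hunk does the same, and the member hunk at the end of the patch adds two more owned pointers, `m_messageQName` and `m_messageID`. If copying is not already suppressed in a part of the class outside the diff, the compiler-generated copy would leave two policy objects holding the same pointers and the second destructor would free them again. Declaring `SecurityPolicy(const SecurityPolicy&);` and `SecurityPolicy& operator=(const SecurityPolicy&);` private and undefined next to the data members would turn an accidental copy into a build error. The destructor is defined outside this header, so whether it releases the three new members cannot be checked from here.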
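Review bot: The `@return` text of getRole() still promises "an empty QName", but with `return m_role;` the accessor yields NULL whenever no role was passed to a constructor or to setRole(). A caller written against the old contract that dereferences the result unconditionally would now read through a null pointer. The comment should become `@return the peer role element/type, or NULL if no role was set`, and existing call sites are worth a pass for unchecked use.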
@@ -108,11 +123,21 @@ namespace opensaml { * * @return the supplied TrustEngine or NULL */ - const TrustEngine* getTrustEngine() const { + const xmltooling::TrustEngine* getTrustEngine() const { return m_trust; } /** + * Adds a SecurityPolicyRule to the policy. The lifetime of the policy rule + * must be at least as long as the policy object. + * + * @param rule SecurityPolicyRule to add + */ + void addRule(const SecurityPolicyRule* rule) { + m_rules.push_back(rule); + } + + /** * Sets a locked MetadataProvider for the policy. * * @param metadata a locked MetadataProvider or NULL
@@ -127,7 +152,8 @@ namespace opensaml { * @param role the peer role element/type or NULL */ void setRole(const xmltooling::QName* role) { - m_role = (role ? *role : xmltooling::QName()); + delete m_role; + m_role = role ? new xmltooling::QName(*role) : NULL; } /**
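Review bot: setRole() frees the old value before it reads the new one: `delete m_role;` runs first, so `policy.setRole(policy.getRole())` copies from a QName that has just been freed. If the `new` throws, `m_role` is also left pointing at freed memory for whatever releases it later (the destructor is outside the diff). Building the copy first avoids both: `xmltooling::QName* copy = role ? new xmltooling::QName(*role) : NULL;` followed by `delete m_role; m_role = copy;`. The same order appears in setMessageQName() and setMessageID() in the `@@ -170,7 +227,45 @@` hunk, where `XMLString::release(&m_messageID)` precedes `XMLString::replicate(id)`, and they want the same change.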
@@ -135,21 +161,52 @@ namespace opensaml { * * @param trust a TrustEngine or NULL */ - void setTrustEngine(const TrustEngine* trust) { + void setTrustEngine(const xmltooling::TrustEngine* trust) { m_trust = trust; } /** - * Evaluates the rule against the given request and message, - * possibly populating issuer information in the policy object. + * Evaluates the policy against the given request and message, + * possibly populating message information in the policy object. * - * @param request the protocol request * @param message the incoming message - * @return the identity of the message issuer, in one or more of two forms, or NULL + * @param request the protocol request + * + * @throws BindingException raised if the message/request is invalid according to the supplied rules + */ + void evaluate(const xmltooling::XMLObject& message, const GenericRequest* request=NULL); + + /** + * Resets the policy object and clears any per-message state. + */ + void reset(); + + /** + * Returns the message element/type as determined by the registered policies. + * + * @return message element/type as determined by the registered policies + */ + const xmltooling::QName* getMessageQName() const { + return m_messageQName; + } + + /** + * Returns the message identifier as determined by the registered policies. * - * @throws BindingException thrown if the request/message do not meet the requirements of this rule + * @return message identifier as determined by the registered policies */ - void evaluate(const GenericRequest& request, const xmltooling::XMLObject& message); + const XMLCh* getMessageID() const { + return m_messageID; + } + + /** + * Returns the message timestamp as determined by the registered policies. + * + * @return message timestamp as determined by the registered policies + */ + time_t getIssueInstant() const { + return m_issueInstant; + } /** * Gets the issuer of the message as determined by the registered policies. 
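Review bot: Neither the evaluate() comment nor the reset() comment says whether evaluate() clears the previous message's state before it runs the rules, and both bodies live outside this header. If it does not, a policy object reused for a second message keeps reporting the first message's ID, issue instant and issuer until some rule overwrites them. The same would hold for the authenticated flag that a later hunk adds. I would add to the evaluate() comment `* The caller must call reset() before evaluating another message with the same policy object.`, or state there that evaluate() resets first if that is what the implementation does.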
@@ -170,7 +227,45 @@ namespace opensaml { } /** - * Sets the issuer of the message as determined by external factors. + * Returns the security status as determined by the registered policies. + * + * @return true iff a SecurityPolicyRule has indicated the issuer/message has been authenticated + */ + bool isSecure() const { + return m_secure; + } + + /** + * Sets the message element/type as determined by the registered policies. + * + * @param messageQName message element/type + */ + void setMessageQName(const xmltooling::QName* messageQName) { + delete m_messageQName; + m_messageQName = messageQName ? new xmltooling::QName(*messageQName) : NULL; + } + + /** + * Sets the message identifier as determined by the registered policies. + * + * @param id message identifier + */ + void setMessageID(const XMLCh* id) { + XMLString::release(&m_messageID); + m_messageID = XMLString::replicate(id); + } + + /** + * Sets the message timestamp as determined by the registered policies. + * + * @param issueInstant message timestamp + */ + void setIssueInstant(time_t issueInstant) { + m_issueInstant = issueInstant; + } + + /** + * Sets the issuer of the message as determined by the registered policies. * The policy object takes ownership of the Issuer object. * * @param issuer issuer of the message
@@ -183,6 +278,15 @@ namespace opensaml { * @param issuerRole metadata for the role the issuer is operating in */ void setIssuerMetadata(const saml2md::RoleDescriptor* issuerRole); + + /** + * Sets the security status as determined by the registered policies. + * + * @param secure indicates whether the issuer/message has been authenticated + */ + void setSecure(bool secure) { + m_secure = secure; + } /** Allows override of rules for comparing saml2:Issuer information. */ class SAML_API IssuerMatchingPolicy {
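Review bot: setSecure() is a plain public assignment, so isSecure() reports whatever the last caller passed, and that caller need not be a SecurityPolicyRule. The comment should say who is expected to call it and under what condition, for example `* Only a rule that has itself authenticated the issuer or message should pass true.` It would also help to state whether a later rule is allowed to set the flag back to false, since the setter accepts either value.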
@@ -210,8 +314,8 @@ namespace opensaml { * * @return the effective IssuerMatchingPolicy */ - const IssuerMatchingPolicy* getIssuerMatchingPolicy() const { - return m_matchingPolicy ? m_matchingPolicy : &m_defaultMatching; + const IssuerMatchingPolicy& getIssuerMatchingPolicy() const { + return m_matchingPolicy ? *m_matchingPolicy : m_defaultMatching; } /**
@@ -222,7 +326,7 @@ namespace opensaml { * * @param matchingPolicy the IssuerMatchingPolicy to use */ - void getIssuerMatchingPolicy(IssuerMatchingPolicy* matchingPolicy) { + void setIssuerMatchingPolicy(IssuerMatchingPolicy* matchingPolicy) { delete m_matchingPolicy; m_matchingPolicy = matchingPolicy; }
@@ -232,14 +336,20 @@ namespace opensaml { static IssuerMatchingPolicy m_defaultMatching; private: + // information extracted from message + xmltooling::QName* m_messageQName; + XMLCh* m_messageID; + time_t m_issueInstant; saml2::Issuer* m_issuer; const saml2md::RoleDescriptor* m_issuerRole; + bool m_secure; + // components governing policy rules IssuerMatchingPolicy* m_matchingPolicy; std::vector m_rules; const saml2md::MetadataProvider* m_metadata; - xmltooling::QName m_role; - const TrustEngine* m_trust; + xmltooling::QName* m_role; + const xmltooling::TrustEngine* m_trust; }; };