X-Git-Url: http://www.project-moonshot.org/gitweb/?a=blobdiff_plain;f=saml%2Fbinding%2FSecurityPolicy.h;h=96fdffed9d6a2da97c8206623437e39c91acacdf;hb=750aa26530f9e8993eae37cd9e68e25497be66b5;hp=67259caae04a44e71af6c61d4144d4b6ef5cadcb;hpb=1bc8e721db3a50294df852662e1eddcdbdae8f9f;p=shibboleth%2Fcpp-opensaml.git diff --git a/saml/binding/SecurityPolicy.h b/saml/binding/SecurityPolicy.h index 67259ca..96fdffe 100644 --- a/saml/binding/SecurityPolicy.h +++ b/saml/binding/SecurityPolicy.h @@ -54,6 +54,22 @@ namespace opensaml { /** * Constructor for policy. * + * @param metadataProvider locked MetadataProvider instance + * @param role identifies the role (generally IdP or SP) of the policy peer + * @param trustEngine TrustEngine to authenticate policy peer + */ + SecurityPolicy( + const saml2md::MetadataProvider* metadataProvider=NULL, + const xmltooling::QName* role=NULL, + const xmltooling::TrustEngine* trustEngine=NULL + ) : m_issuer(NULL), m_issuerRole(NULL), m_matchingPolicy(NULL), m_metadata(metadataProvider), + m_role(role ? *role : xmltooling::QName()), m_trust(trustEngine) { + } + + /** + * Constructor for policy using existing rules. The lifetime of the policy rules + * must be at least as long as the policy object. + * * @param rules reference to array of policy rules to use * @param metadataProvider locked MetadataProvider instance * @param role identifies the role (generally IdP or SP) of the policy peer @@ -63,10 +79,11 @@ namespace opensaml { const std::vector& rules, const saml2md::MetadataProvider* metadataProvider=NULL, const xmltooling::QName* role=NULL, - const TrustEngine* trustEngine=NULL - ) : m_issuer(NULL), m_issuerRole(NULL), m_rules(rules), m_metadata(metadataProvider), + const xmltooling::TrustEngine* trustEngine=NULL + ) : m_issuer(NULL), m_issuerRole(NULL), m_matchingPolicy(NULL), m_rules(rules), m_metadata(metadataProvider), m_role(role ? *role : xmltooling::QName()), m_trust(trustEngine) { } + virtual ~SecurityPolicy(); /** 
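Review bot: The new rule-less constructor is a converting constructor: every parameter has a default, so a bare `const saml2md::MetadataProvider*` implicitly converts to a SecurityPolicy with no rules at all, i.e. one that presumably enforces nothing; `explicit SecurityPolicy(` closes that off (the existing rules-vector constructor has the same property via its single non-defaulted argument). Both constructors now initialize `m_matchingPolicy(NULL)` and the class frees that pointer later, so the header should also make SecurityPolicy non-copyable unless the class header, which lies outside this hunk, already does; otherwise a copied policy double-deletes the matching object. The lifetime sentence on the second constructor is good; the same "rules are borrowed, not owned" note belongs on the new one too, since `addRule` is how it gets its rules.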
@@ -92,21 +109,57 @@ namespace opensaml { * * @return the supplied TrustEngine or NULL */ - const TrustEngine* getTrustEngine() const { + const xmltooling::TrustEngine* getTrustEngine() const { return m_trust; } /** - * Evaluates the rule against the given request and message, + * Adds a SecurityPolicyRule to the policy. The lifetime of the policy rule + * must be at least as long as the policy object. + * + * @param rule SecurityPolicyRule to add + */ + void addRule(const SecurityPolicyRule* rule) { + m_rules.push_back(rule); + } + + /** + * Sets a locked MetadataProvider for the policy. + * + * @param metadata a locked MetadataProvider or NULL + */ + void setMetadataProvider(const saml2md::MetadataProvider* metadata) { + m_metadata = metadata; + } + + /** + * Sets a peer role element/type for to the policy. + * + * @param role the peer role element/type or NULL + */ + void setRole(const xmltooling::QName* role) { + m_role = (role ? *role : xmltooling::QName()); + } + + /** + * Sets a TrustEngine for the policy. + * + * @param trust a TrustEngine or NULL + */ + void setTrustEngine(const xmltooling::TrustEngine* trust) { + m_trust = trust; + } + + /** + * Evaluates the policy against the given request and message, * possibly populating issuer information in the policy object. * - * @param request the protocol request * @param message the incoming message - * @return the identity of the message issuer, in one or more of two forms, or NULL + * @param request the protocol request * - * @throws BindingException thrown if the request/message do not meet the requirements of this rule + * @throws BindingException thrown if the request/message do not meet the requirements of this policy */ - void evaluate(const GenericRequest& request, const xmltooling::XMLObject& message); + void evaluate(const xmltooling::XMLObject& message, const GenericRequest* request=NULL); /** * Gets the issuer of the message as determined by the registered policies. 
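Review bot: `evaluate` now takes the request as an optional pointer defaulting to NULL, but the updated doc comment does not say what a rule must do when it is absent; a rule that depends on request data (a binding-level signature or a destination check, for instance) would silently pass if it treats NULL as "nothing to verify". I would pin the contract in the header as `@param request the protocol request, or NULL if none is available; rules that require request data must throw rather than skip their check`, and confirm the rule implementations (outside this file) agree. The new `setMetadataProvider` also deserves a caveat: issuer metadata resolved by an earlier `evaluate` (`m_issuerRole`) points into the previous provider and is only valid while that provider stays locked, so swapping providers on a policy that has already been evaluated leaves a dangling pointer unless the issuer state is reset first. The doc typo on the role setter, `for to the policy`, should read `for the policy`.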
@@ -140,29 +193,63 @@ namespace opensaml { * @param issuerRole metadata for the role the issuer is operating in */ void setIssuerMetadata(const saml2md::RoleDescriptor* issuerRole); + + /** Allows override of rules for comparing saml2:Issuer information. */ + class SAML_API IssuerMatchingPolicy { + MAKE_NONCOPYABLE(IssuerMatchingPolicy); + public: + IssuerMatchingPolicy() {} + virtual ~IssuerMatchingPolicy() {} + + /** + * Returns true iff the two operands "match". Applications can override this method to + * support non-standard issuer matching for complex policies. + * + *

The default implementation does a basic comparison of the XML content, treating + * an unsupplied Format as an "entityID". + * + * @param issuer1 the first Issuer to match + * @param issuer2 the second Issuer to match + * @return true iff the operands match + */ + virtual bool issuerMatches(const saml2::Issuer* issuer1, const saml2::Issuer* issuer2) const; + }; - protected: /** - * Returns true iff the two operands "match". Applications can override this method to - * support non-standard issuer matching for complex policies. + * Returns the IssuerMatchingPolicy in effect. * - *

The default implementation does a basic comparison of the XML content, treating - * an unsupplied Format as "entityID". + * @return the effective IssuerMatchingPolicy + */ + const IssuerMatchingPolicy& getIssuerMatchingPolicy() const { + return m_matchingPolicy ? *m_matchingPolicy : m_defaultMatching; + } + + /** + * Sets the IssuerMatchingPolicy in effect. Setting no policy will + * cause the simple, default approach to be used. + * + *

The matching object will be freed by the SecurityPolicy. * - * @param issuer1 the first Issuer to match - * @param issuer2 the second Issuer to match - * @return true iff the operands match + * @param matchingPolicy the IssuerMatchingPolicy to use */ - virtual bool issuerMatches(const saml2::Issuer* issuer1, const saml2::Issuer* issuer2) const; + void setIssuerMatchingPolicy(IssuerMatchingPolicy* matchingPolicy) { + delete m_matchingPolicy; + m_matchingPolicy = matchingPolicy; + } + + protected: + /** A shared matching object that just supports the default matching rules. */ + static IssuerMatchingPolicy m_defaultMatching; private: saml2::Issuer* m_issuer; const saml2md::RoleDescriptor* m_issuerRole; + IssuerMatchingPolicy* m_matchingPolicy; std::vector m_rules; const saml2md::MetadataProvider* m_metadata; xmltooling::QName m_role; - const TrustEngine* m_trust; + const xmltooling::TrustEngine* m_trust; }; };
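Review bot: `setIssuerMatchingPolicy` deletes the current object before storing the new one, so installing the pointer that is already in place (calling it twice with the same object) frees it and then keeps the dangling pointer; guard it with `if (matchingPolicy != m_matchingPolicy) { delete m_matchingPolicy; m_matchingPolicy = matchingPolicy; }`. The comment promises the matching object is freed by the SecurityPolicy, but the destructor is only declared in an earlier hunk and defined elsewhere, so that `delete m_matchingPolicy` should be confirmed there. IssuerMatchingPolicy is MAKE_NONCOPYABLE, yet the owning SecurityPolicy (whose class header lies outside this hunk) is not visibly so; a copied policy would double-delete `m_matchingPolicy`. `m_defaultMatching` is a static data member of an exported class and needs exactly one out-of-line definition in a translation unit of the library.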