X-Git-Url: http://www.project-moonshot.org/gitweb/?a=blobdiff_plain;f=saml%2Fbinding%2FSecurityPolicy.h;h=fed55f7f74b9c01bc14dae49d3a5b3705eb41cfd;hb=80118fcbdf5d121c495f4db3246c150275641f74;hp=96fdffed9d6a2da97c8206623437e39c91acacdf;hpb=b7c9dedddf0c9b1a799d993bf69ee8f130c6b8a9;p=shibboleth%2Fopensaml2.git
diff --git a/saml/binding/SecurityPolicy.h b/saml/binding/SecurityPolicy.h
index 96fdffe..fed55f7 100644
--- a/saml/binding/SecurityPolicy.h
+++ b/saml/binding/SecurityPolicy.h
@@ -1,5 +1,5 @@ /* - * Copyright 2001-2006 Internet2 + * Copyright 2001-2007 Internet2 * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License.
@@ -23,8 +23,13 @@ #ifndef __saml_secpol_h__ #define __saml_secpol_h__ -#include +#include + +#include #include +#include +#include +#include #if defined (_MSC_VER) #pragma warning( push )
@@ -33,10 +38,16 @@ namespace opensaml { + namespace saml2 { + class SAML_API Issuer; + }; namespace saml2md { class SAML_API MetadataProvider; + class SAML_API RoleDescriptor; }; + class SAML_API SecurityPolicyRule; + /** * A policy used to verify the security of an incoming message. * 
@@ -53,35 +64,21 @@ namespace opensaml { public: /** * Constructor for policy. - * - * @param metadataProvider locked MetadataProvider instance - * @param role identifies the role (generally IdP or SP) of the policy peer - * @param trustEngine TrustEngine to authenticate policy peer - */ - SecurityPolicy( - const saml2md::MetadataProvider* metadataProvider=NULL, - const xmltooling::QName* role=NULL, - const xmltooling::TrustEngine* trustEngine=NULL - ) : m_issuer(NULL), m_issuerRole(NULL), m_matchingPolicy(NULL), m_metadata(metadataProvider), - m_role(role ? *role : xmltooling::QName()), m_trust(trustEngine) { - } - - /** - * Constructor for policy using existing rules. The lifetime of the policy rules - * must be at least as long as the policy object. - * - * @param rules reference to array of policy rules to use + * * @param metadataProvider locked MetadataProvider instance * @param role identifies the role (generally IdP or SP) of the policy peer * @param trustEngine TrustEngine to authenticate policy peer + * @param validate true iff XML parsing should be done with validation */ SecurityPolicy( - const std::vector& rules, const saml2md::MetadataProvider* metadataProvider=NULL, const xmltooling::QName* role=NULL, - const xmltooling::TrustEngine* trustEngine=NULL - ) : m_issuer(NULL), m_issuerRole(NULL), m_matchingPolicy(NULL), m_rules(rules), m_metadata(metadataProvider), - m_role(role ? *role : xmltooling::QName()), m_trust(trustEngine) { + const xmltooling::TrustEngine* trustEngine=NULL, + bool validate=true + ) : m_messageID(NULL), m_issueInstant(0), m_issuer(NULL), m_issuerRole(NULL), m_authenticated(false), + m_matchingPolicy(NULL), m_metadata(metadataProvider), m_role(NULL), m_trust(trustEngine), m_validate(validate), m_entityOnly(true) { + if (role) + m_role = new xmltooling::QName(*role); } virtual ~SecurityPolicy(); 
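Review bot: The constructor now gives the policy heap-owned raw pointers (`m_role` via `new xmltooling::QName(*role)` here, and `m_messageID` via XMLString::replicate in hunk @@ -180,12), but nothing in the change disables copying, so the compiler-generated copy constructor and copy assignment would share those pointers and the second destructor would free them twice. The file still uses NULL rather than C++11, so the fitting fix is to declare the two members private and undefined: `SecurityPolicy(const SecurityPolicy&);` and `SecurityPolicy& operator=(const SecurityPolicy&);`. The destructor is only declared in this header, so whether it releases `m_role` and `m_messageID` cannot be confirmed from the hunk; the member declarations in hunk @@ -242,14 carry the same concern. The enclosing class body continues outside the hunk.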
@@ -101,7 +98,7 @@ namespace opensaml { * @return the peer role element/type, or an empty QName */ const xmltooling::QName* getRole() const { - return &m_role; + return m_role; } /**
@@ -114,13 +111,32 @@ namespace opensaml { } /** - * Adds a SecurityPolicyRule to the policy. The lifetime of the policy rule - * must be at least as long as the policy object. + * Returns XML message validation setting. * - * @param rule SecurityPolicyRule to add + * @return validation flag */ - void addRule(const SecurityPolicyRule* rule) { - m_rules.push_back(rule); + bool getValidating() const { + return m_validate; + } + + /** + * Returns flag controlling non-entity issuer support. + * + * @return flag controlling non-entity issuer support + */ + bool requireEntityIssuer() const { + return m_entityOnly; + } + + /** + * Gets a mutable array of installed policy rules. + * + *
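Review bot: The Doxygen above getRole() still promises `or an empty QName`, but after this change the function returns the raw `m_role` pointer, which is NULL whenever no role was supplied to the constructor or to setRole(). Callers that dereferenced the result unconditionally under the old `&m_role` contract now need a null check, and the comment should say so: `* @return the peer role element/type, or NULL if no role is set`. The enclosing class continues outside the hunk.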

If adding rules, their lifetime must be at least as long as the policy object. + * + * @return mutable array of rules + */ + std::vector& getRules() { + return m_rules; } /**
@@ -138,7 +154,8 @@ namespace opensaml { * @param role the peer role element/type or NULL */ void setRole(const xmltooling::QName* role) { - m_role = (role ? *role : xmltooling::QName()); + delete m_role; + m_role = role ? new xmltooling::QName(*role) : NULL; } /**
@@ -151,15 +168,65 @@ namespace opensaml { } /** + * Controls schema validation of incoming XML messages. + * This is separate from other forms of programmatic validation of objects, + * but can detect a much wider range of syntax errors. + * + * @param validate validation setting + */ + void setValidating(bool validate=true) { + m_validate = validate; + } + + /** + * Sets flag controlling non-entity issuer support. + * + * @param entityOnly require that Issuer be in entity format + */ + void requireEntityIssuer(bool entityOnly=true) { + m_entityOnly = entityOnly; + } + + /** * Evaluates the policy against the given request and message, - * possibly populating issuer information in the policy object. + * possibly populating message information in the policy object. * * @param message the incoming message * @param request the protocol request + * + * @throws BindingException raised if the message/request is invalid according to the supplied rules + */ + void evaluate( + const xmltooling::XMLObject& message, const xmltooling::GenericRequest* request=NULL + ); + + /** + * Resets the policy object and/or clears any per-message state. + * + *
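Review bot: The new getter `bool requireEntityIssuer() const` shares its name with the setter `void requireEntityIssuer(bool entityOnly=true)` added in hunk @@ -151,15, and because the setter has a default argument, `policy.requireEntityIssuer()` on a non-const policy resolves to the setter (the non-const implicit object parameter is the better match) and silently switches the flag on instead of reading it; the getter is only reachable through a const reference. Either drop the setter's default argument or give the getter a distinct name, e.g. `bool isEntityIssuerRequired() const { return m_entityOnly; }`, keeping the old spelling only if callers already depend on it. The enclosing class continues outside the hunk.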
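Review bot: setRole() deletes `m_role` before copying from `role`, so `setRole(getRole())`, or any caller still holding the pointer it got from getRole(), copy-constructs from freed memory. Build the copy first and release the old value afterwards: `xmltooling::QName* copy = role ? new xmltooling::QName(*role) : NULL;` `delete m_role;` `m_role = copy;`. setMessageID() in hunk @@ -180,12 has the same ordering, releasing `m_messageID` before replicating `id`, and should replicate into a temporary before the release in the same way.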

Resets can be complete (the default) or merely clear the previous message ID and timestamp + * when evaluating multiple layers of a message. + * + * @param messageOnly true iff security and issuer state should be left in place + */ + void reset(bool messageOnly=false); + + /** + * Returns the message identifier as determined by the registered policies. * - * @throws BindingException thrown if the request/message do not meet the requirements of this policy + * @return message identifier as determined by the registered policies */ - void evaluate(const xmltooling::XMLObject& message, const GenericRequest* request=NULL); + const XMLCh* getMessageID() const { + return m_messageID; + } + + /** + * Returns the message timestamp as determined by the registered policies. + * + * @return message timestamp as determined by the registered policies + */ + time_t getIssueInstant() const { + return m_issueInstant; + } /** * Gets the issuer of the message as determined by the registered policies. 
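Review bot: getMessageID() hands out the policy's internal `m_messageID` buffer, which setMessageID() releases and which reset() is documented to clear, so a caller that keeps the pointer across either call is left dangling and the Doxygen should state the ownership: `* @return message identifier as determined by the registered policies; owned by the policy and invalidated by setMessageID() or reset()`. The same caveat applies to any pointer later obtained from getIssuer() if reset() also drops issuer state, which the declaration alone does not show. The enclosing class continues outside the hunk.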
@@ -180,12 +247,46 @@ namespace opensaml { } /** - * Sets the issuer of the message as determined by external factors. - * The policy object takes ownership of the Issuer object. + * Returns the authentication status of the message as determined by the registered policies. + * + * @return true iff a SecurityPolicyRule has indicated the issuer/message has been authenticated + */ + bool isAuthenticated() const { + return m_authenticated; + } + + /** + * Sets the message identifier as determined by the registered policies. + * + * @param id message identifier + */ + void setMessageID(const XMLCh* id) { + xercesc::XMLString::release(&m_messageID); + m_messageID = xercesc::XMLString::replicate(id); + } + + /** + * Sets the message timestamp as determined by the registered policies. + * + * @param issueInstant message timestamp + */ + void setIssueInstant(time_t issueInstant) { + m_issueInstant = issueInstant; + } + + /** + * Sets the issuer of the message as determined by the registered policies. * * @param issuer issuer of the message */ - void setIssuer(saml2::Issuer* issuer); + void setIssuer(const saml2::Issuer* issuer); + + /** + * Sets the issuer of the message as determined by the registered policies. + * + * @param issuer issuer of the message + */ + void setIssuer(const XMLCh* issuer); /** * Sets the metadata for the role the issuer is operating in.
@@ -193,6 +294,15 @@ namespace opensaml { * @param issuerRole metadata for the role the issuer is operating in */ void setIssuerMetadata(const saml2md::RoleDescriptor* issuerRole); + + /** + * Sets the authentication status of the message as determined by the registered policies. + * + * @param auth indicates whether the issuer/message has been authenticated + */ + void setAuthenticated(bool auth) { + m_authenticated = auth; + } /** Allows override of rules for comparing saml2:Issuer information. */ class SAML_API IssuerMatchingPolicy {
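Review bot: The sentence `The policy object takes ownership of the Issuer object.` was removed from setIssuer() and nothing replaced it, yet the parameter is now `const saml2::Issuer*` while the member `m_issuer` in hunk @@ -242,14 stays a non-const `saml2::Issuer*`, which suggests the implementation now clones the argument. The comment should state the new contract, e.g. `* @param issuer issuer of the message; the policy keeps its own copy, the caller retains ownership`, and the new `const XMLCh*` overload should say whether the string is copied too. The definitions live outside this header, so the cloning behaviour is inferred here and should be confirmed against them. The enclosing class continues outside the hunk.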
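Review bot: setAuthenticated() is the single switch behind isAuthenticated(), which consumers of the policy will treat as proof that the message was verified, yet its Doxygen says only what the flag means and not when a rule is entitled to set it. Add a sentence such as `* Rules should pass true only after they have themselves verified the message (for example a signature or the transport), never on the strength of another rule's result.` so that future rule authors do not set it speculatively. The enclosing class continues outside the hunk.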
@@ -213,6 +323,19 @@ namespace opensaml { * @return true iff the operands match */ virtual bool issuerMatches(const saml2::Issuer* issuer1, const saml2::Issuer* issuer2) const; + + /** + * Returns true iff the two operands "match". Applications can override this method to + * support non-standard issuer matching for complex policies. + * + *

The default implementation does a basic comparison of the XML content, treating + * an unsupplied Format as an "entityID". + * + * @param issuer1 the first Issuer to match + * @param issuer2 the second Issuer to match + * @return true iff the operands match + */ + virtual bool issuerMatches(const saml2::Issuer* issuer1, const XMLCh* issuer2) const; }; /** @@ -242,14 +365,21 @@ namespace opensaml { static IssuerMatchingPolicy m_defaultMatching; private: + // information extracted from message + XMLCh* m_messageID; + time_t m_issueInstant; saml2::Issuer* m_issuer; const saml2md::RoleDescriptor* m_issuerRole; + bool m_authenticated; + // components governing policy rules IssuerMatchingPolicy* m_matchingPolicy; std::vector m_rules; const saml2md::MetadataProvider* m_metadata; - xmltooling::QName m_role; + xmltooling::QName* m_role; const xmltooling::TrustEngine* m_trust; + bool m_validate; + bool m_entityOnly; }; };
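Review bot: The Doxygen on the new `issuerMatches(const saml2::Issuer*, const XMLCh*)` overload is copied from the Issuer/Issuer version and still speaks of treating `an unsupplied Format` as an entityID, but the second operand here is a bare string that carries no Format at all; reword it to say what the string is taken to be, e.g. `* The default implementation compares issuer1's XML content against issuer2, which is presumably interpreted as an entityID` (confirm against the definition). Because both overloads are virtual and share a name, an application that overrides only one of them hides the other in its derived class, so the comment should also tell overriders to add `using IssuerMatchingPolicy::issuerMatches;` or override both. IssuerMatchingPolicy's body continues outside the hunk.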