X-Git-Url: http://www.project-moonshot.org/gitweb/?a=blobdiff_plain;f=saml%2Fbinding%2Fimpl%2FMessageFlowRule.cpp;h=c6fb740f5a4d648d5611c7cbc9f0671a5f182c8a;hb=f1208cd2f514700244816377443c4951dc22c848;hp=93a2649198f4d02f2002e3d54022350e74cbc061;hpb=0e738d39ba71958fe55692498c91fc6e6d402604;p=shibboleth%2Fcpp-opensaml.git diff --git a/saml/binding/impl/MessageFlowRule.cpp b/saml/binding/impl/MessageFlowRule.cpp index 93a2649..c6fb740 100644 --- a/saml/binding/impl/MessageFlowRule.cpp +++ b/saml/binding/impl/MessageFlowRule.cpp @@ -1,36 +1,43 @@ -/* - * Copyright 2001-2007 Internet2 - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at +/** + * Licensed to the University Corporation for Advanced Internet + * Development, Inc. (UCAID) under one or more contributor license + * agreements. See the NOTICE file distributed with this work for + * additional information regarding copyright ownership. + * + * UCAID licenses this file to you under the Apache License, + * Version 2.0 (the "License"); you may not use this file except + * in compliance with the License. You may obtain a copy of the + * License at * - * http://www.apache.org/licenses/LICENSE-2.0 + * http://www.apache.org/licenses/LICENSE-2.0 * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, + * either express or implied. See the License for the specific + * language governing permissions and limitations under the License. */ /** * MessageFlowRule.cpp - * - * SAML replay and freshness checking SecurityPolicyRule + * + * SAML replay and freshness checking SecurityPolicyRule. */ #include "internal.h" #include "exceptions.h" +#include "binding/SecurityPolicy.h" #include "binding/SecurityPolicyRule.h" -#include +#include +#include #include +#include #include using namespace opensaml; +using namespace xmltooling::logging; using namespace xmltooling; -using namespace log4cpp; using namespace std; namespace opensaml { @@ -39,9 +46,12 @@ namespace opensaml { public: MessageFlowRule(const DOMElement* e); virtual ~MessageFlowRule() {} - - void evaluate(const xmltooling::XMLObject& message, const GenericRequest* request, SecurityPolicy& policy) const; - + + const char* getType() const { + return MESSAGEFLOW_POLICY_RULE; + } + bool evaluate(const XMLObject& message, const GenericRequest* request, SecurityPolicy& policy) const; + private: bool m_checkReplay; time_t m_expires; @@ -57,59 +67,53 @@ static const XMLCh checkReplay[] = UNICODE_LITERAL_11(c,h,e,c,k,R,e,p,l,a,y); static const XMLCh expires[] = UNICODE_LITERAL_7(e,x,p,i,r,e,s); MessageFlowRule::MessageFlowRule(const DOMElement* e) - : m_checkReplay(true), m_expires(XMLToolingConfig::getConfig().clock_skew_secs) + : m_checkReplay(XMLHelper::getAttrBool(e, true, checkReplay)), + m_expires(XMLHelper::getAttrInt(e, XMLToolingConfig::getConfig().clock_skew_secs, expires)) { - if (e) { - const XMLCh* attr = e->getAttributeNS(NULL, checkReplay); - if (attr && (*attr==chLatin_f || *attr==chDigit_0)) - m_checkReplay = false; - attr = e->getAttributeNS(NULL, expires); - if (attr) - m_expires = XMLString::parseInt(attr); - } } -void MessageFlowRule::evaluate(const XMLObject& message, const GenericRequest* request, SecurityPolicy& policy) const +bool MessageFlowRule::evaluate(const XMLObject& message, const GenericRequest* request, SecurityPolicy& policy) const { Category& log=Category::getInstance(SAML_LOGCAT".SecurityPolicyRule.MessageFlow"); log.debug("evaluating message flow policy (replay checking %s, expiration %lu)", m_checkReplay ? "on" : "off", m_expires); - time_t now = time(NULL); + time_t now = policy.getTime(); time_t skew = XMLToolingConfig::getConfig().clock_skew_secs; time_t issueInstant = policy.getIssueInstant(); if (issueInstant == 0) { - log.debug("unknown message timestamp, assuming current time for replay checking"); issueInstant = now; } else { if (issueInstant > now + skew) { log.errorStream() << "rejected not-yet-valid message, timestamp (" << issueInstant << - "), newest allowed (" << now + skew << ")" << CategoryStream::ENDLINE; - throw BindingException("Message rejected, was issued in the future."); + "), newest allowed (" << now + skew << ")" << logging::eol; + throw SecurityPolicyException("Message rejected, was issued in the future."); } else if (issueInstant < now - skew - m_expires) { log.errorStream() << "rejected expired message, timestamp (" << issueInstant << - "), oldest allowed (" << (now - skew - m_expires) << ")" << CategoryStream::ENDLINE; - throw BindingException("Message expired, was issued too long ago."); + "), oldest allowed (" << (now - skew - m_expires) << ")" << logging::eol; + throw SecurityPolicyException("Message expired, was issued too long ago."); } } - + // Check replay. if (m_checkReplay) { + const XMLCh* id = policy.getMessageID(); + if (!id || !*id) + return false; + ReplayCache* replayCache = XMLToolingConfig::getConfig().getReplayCache(); if (!replayCache) { log.warn("no ReplayCache available, skipping requested replay check"); - return; - } - const XMLCh* id = policy.getMessageID(); - if (!id || !*id) { - log.debug("unknown message ID, no replay check possible"); - return; + return false; } + auto_ptr_char temp(id); if (!replayCache->check("MessageFlow", temp.get(), issueInstant + skew + m_expires)) { log.error("replay detected of message ID (%s)", temp.get()); - throw BindingException("Rejecting replayed message ID ($1).", params(1,temp.get())); + throw SecurityPolicyException("Rejecting replayed message ID ($1).", params(1,temp.get())); } + return true; } + return false; }