X-Git-Url: http://www.project-moonshot.org/gitweb/?a=blobdiff_plain;f=saml%2Fbinding%2Fimpl%2FMessageFlowRule.cpp;h=c6fb740f5a4d648d5611c7cbc9f0671a5f182c8a;hb=f1208cd2f514700244816377443c4951dc22c848;hp=af43c8e61d6d3829c41143b6712d39b3e170c681;hpb=0f6286d0ffd9371c187ecb1775cbd199ed051af5;p=shibboleth%2Fcpp-opensaml.git diff --git a/saml/binding/impl/MessageFlowRule.cpp b/saml/binding/impl/MessageFlowRule.cpp index af43c8e..c6fb740 100644 --- a/saml/binding/impl/MessageFlowRule.cpp +++ b/saml/binding/impl/MessageFlowRule.cpp @@ -1,31 +1,38 @@ -/* - * Copyright 2001-2007 Internet2 - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at +/** + * Licensed to the University Corporation for Advanced Internet + * Development, Inc. (UCAID) under one or more contributor license + * agreements. See the NOTICE file distributed with this work for + * additional information regarding copyright ownership. + * + * UCAID licenses this file to you under the Apache License, + * Version 2.0 (the "License"); you may not use this file except + * in compliance with the License. You may obtain a copy of the + * License at * - * http://www.apache.org/licenses/LICENSE-2.0 + * http://www.apache.org/licenses/LICENSE-2.0 * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, + * either express or implied. See the License for the specific + * language governing permissions and limitations under the License. */ /** * MessageFlowRule.cpp - * - * SAML replay and freshness checking SecurityPolicyRule + * + * SAML replay and freshness checking SecurityPolicyRule. */ #include "internal.h" #include "exceptions.h" +#include "binding/SecurityPolicy.h" #include "binding/SecurityPolicyRule.h" #include +#include #include +#include #include using namespace opensaml; @@ -39,9 +46,12 @@ namespace opensaml { public: MessageFlowRule(const DOMElement* e); virtual ~MessageFlowRule() {} - - void evaluate(const xmltooling::XMLObject& message, const GenericRequest* request, SecurityPolicy& policy) const; - + + const char* getType() const { + return MESSAGEFLOW_POLICY_RULE; + } + bool evaluate(const XMLObject& message, const GenericRequest* request, SecurityPolicy& policy) const; + private: bool m_checkReplay; time_t m_expires; @@ -57,24 +67,17 @@ static const XMLCh checkReplay[] = UNICODE_LITERAL_11(c,h,e,c,k,R,e,p,l,a,y); static const XMLCh expires[] = UNICODE_LITERAL_7(e,x,p,i,r,e,s); MessageFlowRule::MessageFlowRule(const DOMElement* e) - : m_checkReplay(true), m_expires(XMLToolingConfig::getConfig().clock_skew_secs) + : m_checkReplay(XMLHelper::getAttrBool(e, true, checkReplay)), + m_expires(XMLHelper::getAttrInt(e, XMLToolingConfig::getConfig().clock_skew_secs, expires)) { - if (e) { - const XMLCh* attr = e->getAttributeNS(NULL, checkReplay); - if (attr && (*attr==chLatin_f || *attr==chDigit_0)) - m_checkReplay = false; - attr = e->getAttributeNS(NULL, expires); - if (attr) - m_expires = XMLString::parseInt(attr); - } } -void MessageFlowRule::evaluate(const XMLObject& message, const GenericRequest* request, SecurityPolicy& policy) const +bool MessageFlowRule::evaluate(const XMLObject& message, const GenericRequest* request, SecurityPolicy& policy) const { Category& log=Category::getInstance(SAML_LOGCAT".SecurityPolicyRule.MessageFlow"); log.debug("evaluating message flow policy (replay checking %s, expiration %lu)", m_checkReplay ? "on" : "off", m_expires); - time_t now = time(NULL); + time_t now = policy.getTime(); time_t skew = XMLToolingConfig::getConfig().clock_skew_secs; time_t issueInstant = policy.getIssueInstant(); if (issueInstant == 0) { @@ -83,26 +86,26 @@ void MessageFlowRule::evaluate(const XMLObject& message, const GenericRequest* r else { if (issueInstant > now + skew) { log.errorStream() << "rejected not-yet-valid message, timestamp (" << issueInstant << - "), newest allowed (" << now + skew << ")" << CategoryStream::ENDLINE; + "), newest allowed (" << now + skew << ")" << logging::eol; throw SecurityPolicyException("Message rejected, was issued in the future."); } else if (issueInstant < now - skew - m_expires) { log.errorStream() << "rejected expired message, timestamp (" << issueInstant << - "), oldest allowed (" << (now - skew - m_expires) << ")" << CategoryStream::ENDLINE; + "), oldest allowed (" << (now - skew - m_expires) << ")" << logging::eol; throw SecurityPolicyException("Message expired, was issued too long ago."); } } - + // Check replay. if (m_checkReplay) { const XMLCh* id = policy.getMessageID(); if (!id || !*id) - return; + return false; ReplayCache* replayCache = XMLToolingConfig::getConfig().getReplayCache(); if (!replayCache) { log.warn("no ReplayCache available, skipping requested replay check"); - return; + return false; } auto_ptr_char temp(id); @@ -110,5 +113,7 @@ void MessageFlowRule::evaluate(const XMLObject& message, const GenericRequest* r log.error("replay detected of message ID (%s)", temp.get()); throw SecurityPolicyException("Rejecting replayed message ID ($1).", params(1,temp.get())); } + return true; } + return false; }