X-Git-Url: http://www.project-moonshot.org/gitweb/?a=blobdiff_plain;f=saml%2Fbinding%2Fimpl%2FSecurityPolicy.cpp;h=ed2a8dac3bd2fb43a03e7d1e84572ae0234342a2;hb=e9554c255ad3c91c7c4976e7a1a54905903e66a2;hp=2bae01d4e11bfafddff76643f4758e8712fcd1f2;hpb=96437360be3fa1f0c182bdd13b54e00110e45f11;p=shibboleth%2Fcpp-opensaml.git diff --git a/saml/binding/impl/SecurityPolicy.cpp b/saml/binding/impl/SecurityPolicy.cpp index 2bae01d..ed2a8da 100644 --- a/saml/binding/impl/SecurityPolicy.cpp +++ b/saml/binding/impl/SecurityPolicy.cpp @@ -1,6 +1,6 @@ /* - * Copyright 2001-2007 Internet2 - * + * Copyright 2001-2010 Internet2 + * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at @@ -16,15 +16,18 @@ /** * SecurityPolicy.cpp - * - * Overall policy used to verify the security of an incoming message. + * + * Overall policy used to verify the security of an incoming message. */ #include "internal.h" #include "exceptions.h" +#include "binding/SecurityPolicy.h" #include "binding/SecurityPolicyRule.h" #include "saml2/core/Assertions.h" +#include + using namespace opensaml::saml2md; using namespace opensaml::saml2; using namespace opensaml; @@ -32,56 +35,252 @@ using namespace xmltooling; using namespace std; namespace opensaml { + SAML_DLLLOCAL PluginManager::Factory AudienceRestrictionRuleFactory; SAML_DLLLOCAL PluginManager::Factory ClientCertAuthRuleFactory; + SAML_DLLLOCAL PluginManager::Factory ConditionsRuleFactory; + SAML_DLLLOCAL PluginManager::Factory IgnoreRuleFactory; SAML_DLLLOCAL PluginManager::Factory MessageFlowRuleFactory; SAML_DLLLOCAL PluginManager::Factory NullSecurityRuleFactory; SAML_DLLLOCAL PluginManager::Factory SimpleSigningRuleFactory; SAML_DLLLOCAL PluginManager::Factory XMLSigningRuleFactory; + + namespace saml1 { + SAML_DLLLOCAL PluginManager::Factory BrowserSSORuleFactory; + } + + namespace saml2 { + SAML_DLLLOCAL PluginManager::Factory BearerConfirmationRuleFactory; + SAML_DLLLOCAL PluginManager::Factory DelegationRestrictionRuleFactory; + } }; void SAML_API opensaml::registerSecurityPolicyRules() { SAMLConfig& conf=SAMLConfig::getConfig(); + conf.SecurityPolicyRuleManager.registerFactory(AUDIENCE_POLICY_RULE, AudienceRestrictionRuleFactory); conf.SecurityPolicyRuleManager.registerFactory(CLIENTCERTAUTH_POLICY_RULE, ClientCertAuthRuleFactory); + conf.SecurityPolicyRuleManager.registerFactory(CONDITIONS_POLICY_RULE, ConditionsRuleFactory); + conf.SecurityPolicyRuleManager.registerFactory(IGNORE_POLICY_RULE, IgnoreRuleFactory); conf.SecurityPolicyRuleManager.registerFactory(MESSAGEFLOW_POLICY_RULE, MessageFlowRuleFactory); conf.SecurityPolicyRuleManager.registerFactory(NULLSECURITY_POLICY_RULE, NullSecurityRuleFactory); conf.SecurityPolicyRuleManager.registerFactory(SIMPLESIGNING_POLICY_RULE, SimpleSigningRuleFactory); conf.SecurityPolicyRuleManager.registerFactory(XMLSIGNING_POLICY_RULE, XMLSigningRuleFactory); + conf.SecurityPolicyRuleManager.registerFactory(SAML1BROWSERSSO_POLICY_RULE, saml1::BrowserSSORuleFactory); + conf.SecurityPolicyRuleManager.registerFactory(BEARER_POLICY_RULE, saml2::BearerConfirmationRuleFactory); + conf.SecurityPolicyRuleManager.registerFactory(DELEGATION_POLICY_RULE, saml2::DelegationRestrictionRuleFactory); } -SecurityPolicy::IssuerMatchingPolicy SecurityPolicy::m_defaultMatching; +SecurityPolicyRule::SecurityPolicyRule() +{ +} + +SecurityPolicyRule::~SecurityPolicyRule() +{ +} + +SecurityPolicy::SecurityPolicy( + const saml2md::MetadataProvider* metadataProvider, + const xmltooling::QName* role, + const xmltooling::TrustEngine* trustEngine, + bool validate + ) : m_metadataCriteria(nullptr), + m_issueInstant(0), + m_issuer(nullptr), + m_issuerRole(nullptr), + m_authenticated(false), + m_matchingPolicy(nullptr), + m_metadata(metadataProvider), + m_role(nullptr), + m_trust(trustEngine), + m_validate(validate), + m_entityOnly(true), + m_ts(0) +{ + if (role) + m_role = new xmltooling::QName(*role); +} SecurityPolicy::~SecurityPolicy() { - reset(false); + delete m_metadataCriteria; + delete m_issuer; +} + +const MetadataProvider* SecurityPolicy::getMetadataProvider() const +{ + return m_metadata; +} + +MetadataProvider::Criteria& SecurityPolicy::getMetadataProviderCriteria() const +{ + if (!m_metadataCriteria) + m_metadataCriteria=new MetadataProvider::Criteria(); + else + m_metadataCriteria->reset(); + return *m_metadataCriteria; +} + +const xmltooling::QName* SecurityPolicy::getRole() const +{ + return m_role; +} + +const TrustEngine* SecurityPolicy::getTrustEngine() const +{ + return m_trust; +} + +bool SecurityPolicy::getValidating() const +{ + return m_validate; +} + +bool SecurityPolicy::requireEntityIssuer() const +{ + return m_entityOnly; +} + +const vector& SecurityPolicy::getAudiences() const +{ + return m_audiences; +} + +vector& SecurityPolicy::getAudiences() +{ + return m_audiences; +} + +time_t SecurityPolicy::getTime() const +{ + if (m_ts == 0) + return m_ts = time(nullptr); + return m_ts; +} + +const XMLCh* SecurityPolicy::getCorrelationID() const +{ + return m_correlationID.c_str(); +} + +vector& SecurityPolicy::getRules() +{ + return m_rules; +} + +void SecurityPolicy::setMetadataProvider(const MetadataProvider* metadata) +{ + m_metadata = metadata; +} + +void SecurityPolicy::setMetadataProviderCriteria(MetadataProvider::Criteria* criteria) +{ + if (m_metadataCriteria) + delete m_metadataCriteria; + m_metadataCriteria=criteria; +} + +void SecurityPolicy::setRole(const xmltooling::QName* role) +{ + delete m_role; + m_role = role ? new xmltooling::QName(*role) : nullptr; +} + +void SecurityPolicy::setTrustEngine(const TrustEngine* trust) +{ + m_trust = trust; +} + +void SecurityPolicy::setValidating(bool validate) +{ + m_validate = validate; +} + +void SecurityPolicy::requireEntityIssuer(bool entityOnly) +{ + m_entityOnly = entityOnly; +} + +void SecurityPolicy::setTime(time_t ts) +{ + m_ts = ts; +} + +void SecurityPolicy::setCorrelationID(const XMLCh* correlationID) +{ + m_correlationID.erase(); + if (correlationID) + m_correlationID = correlationID; +} + +void SecurityPolicy::evaluate(const XMLObject& message, const GenericRequest* request) +{ + for (vector::const_iterator i=m_rules.begin(); i!=m_rules.end(); ++i) + (*i)->evaluate(message,request,*this); } void SecurityPolicy::reset(bool messageOnly) { - XMLString::release(&m_messageID); - m_messageID=NULL; + _reset(messageOnly); +} + +void SecurityPolicy::_reset(bool messageOnly) +{ + m_messageID.erase(); m_issueInstant=0; if (!messageOnly) { delete m_issuer; - m_issuer=NULL; - m_issuerRole=NULL; + m_issuer=nullptr; + m_issuerRole=nullptr; m_authenticated=false; } } -void SecurityPolicy::evaluate(const XMLObject& message, const GenericRequest* request) +const XMLCh* SecurityPolicy::getMessageID() const { - for (vector::const_iterator i=m_rules.begin(); i!=m_rules.end(); ++i) - (*i)->evaluate(message,request,*this); + return m_messageID.c_str(); +} + +time_t SecurityPolicy::getIssueInstant() const +{ + return m_issueInstant; +} + +const Issuer* SecurityPolicy::getIssuer() const +{ + return m_issuer; +} + +const RoleDescriptor* SecurityPolicy::getIssuerMetadata() const +{ + return m_issuerRole; +} + +bool SecurityPolicy::isAuthenticated() const +{ + return m_authenticated; +} + +void SecurityPolicy::setMessageID(const XMLCh* id) +{ + m_messageID.erase(); + if (id) + m_messageID = id; +} + +void SecurityPolicy::setIssueInstant(time_t issueInstant) +{ + m_issueInstant = issueInstant; } void SecurityPolicy::setIssuer(const Issuer* issuer) { if (!getIssuerMatchingPolicy().issuerMatches(m_issuer, issuer)) - throw SecurityPolicyException("A rule supplied an Issuer that conflicts with previous results."); - + throw SecurityPolicyException("An Issuer was supplied that conflicts with previous results."); + if (!m_issuer) { - m_issuerRole = NULL; + if (m_entityOnly && issuer->getFormat() && !XMLString::equals(issuer->getFormat(), NameIDType::ENTITY)) + throw SecurityPolicyException("A non-entity Issuer was supplied, violating policy."); + m_issuerRole = nullptr; m_issuer=issuer->cloneIssuer(); } } @@ -89,10 +288,10 @@ void SecurityPolicy::setIssuer(const Issuer* issuer) void SecurityPolicy::setIssuer(const XMLCh* issuer) { if (!getIssuerMatchingPolicy().issuerMatches(m_issuer, issuer)) - throw SecurityPolicyException("A rule supplied an Issuer that conflicts with previous results."); - + throw SecurityPolicyException("An Issuer was supplied that conflicts with previous results."); + if (!m_issuer && issuer && *issuer) { - m_issuerRole = NULL; + m_issuerRole = nullptr; m_issuer = IssuerBuilder::buildIssuer(); m_issuer->setName(issuer); } @@ -105,22 +304,35 @@ void SecurityPolicy::setIssuerMetadata(const RoleDescriptor* issuerRole) m_issuerRole=issuerRole; } +void SecurityPolicy::setAuthenticated(bool auth) +{ + m_authenticated = auth; +} + +SecurityPolicy::IssuerMatchingPolicy::IssuerMatchingPolicy() +{ +} + +SecurityPolicy::IssuerMatchingPolicy::~IssuerMatchingPolicy() +{ +} + bool SecurityPolicy::IssuerMatchingPolicy::issuerMatches(const Issuer* issuer1, const Issuer* issuer2) const { - // NULL matches anything for the purposes of this interface. + // nullptr matches anything for the purposes of this interface. if (!issuer1 || !issuer2) return true; - + const XMLCh* op1=issuer1->getName(); const XMLCh* op2=issuer2->getName(); if (!op1 || !op2 || !XMLString::equals(op1,op2)) return false; - + op1=issuer1->getFormat(); op2=issuer2->getFormat(); if (!XMLString::equals(op1 ? op1 : NameIDType::ENTITY, op2 ? op2 : NameIDType::ENTITY)) return false; - + op1=issuer1->getNameQualifier(); op2=issuer2->getNameQualifier(); if (!XMLString::equals(op1 ? op1 : &chNull, op2 ? op2 : &chNull)) @@ -130,24 +342,24 @@ bool SecurityPolicy::IssuerMatchingPolicy::issuerMatches(const Issuer* issuer1, op2=issuer2->getSPNameQualifier(); if (!XMLString::equals(op1 ? op1 : &chNull, op2 ? op2 : &chNull)) return false; - + return true; } bool SecurityPolicy::IssuerMatchingPolicy::issuerMatches(const Issuer* issuer1, const XMLCh* issuer2) const { - // NULL matches anything for the purposes of this interface. + // nullptr matches anything for the purposes of this interface. if (!issuer1 || !issuer2 || !*issuer2) return true; - + const XMLCh* op1=issuer1->getName(); if (!op1 || !XMLString::equals(op1,issuer2)) return false; - + op1=issuer1->getFormat(); if (op1 && *op1 && !XMLString::equals(op1, NameIDType::ENTITY)) return false; - + op1=issuer1->getNameQualifier(); if (op1 && *op1) return false; @@ -155,6 +367,19 @@ bool SecurityPolicy::IssuerMatchingPolicy::issuerMatches(const Issuer* issuer1, op1=issuer1->getSPNameQualifier(); if (op1 && *op1) return false; - + return true; } + +SecurityPolicy::IssuerMatchingPolicy SecurityPolicy::m_defaultMatching; + +const SecurityPolicy::IssuerMatchingPolicy& SecurityPolicy::getIssuerMatchingPolicy() const +{ + return m_matchingPolicy ? *m_matchingPolicy : m_defaultMatching; +} + +void SecurityPolicy::setIssuerMatchingPolicy(IssuerMatchingPolicy* matchingPolicy) +{ + delete m_matchingPolicy; + m_matchingPolicy = matchingPolicy; +}