X-Git-Url: http://www.project-moonshot.org/gitweb/?a=blobdiff_plain;f=saml%2Fsaml2%2Fprofile%2Fimpl%2FDelegationRestrictionRule.cpp;h=27274aaab34db768a08fce244cfea84941f53b89;hb=16d5976c9821b70d95675983702e0032d8769467;hp=5bc3bea99d47a55f4b1efccd7497beb37d1af3d9;hpb=7e35c8e03d4e018a5a26cc4c3536ef2166340931;p=shibboleth%2Fcpp-opensaml.git
diff --git a/saml/saml2/profile/impl/DelegationRestrictionRule.cpp b/saml/saml2/profile/impl/DelegationRestrictionRule.cpp
index 5bc3bea..27274aa 100644
--- a/saml/saml2/profile/impl/DelegationRestrictionRule.cpp
+++ b/saml/saml2/profile/impl/DelegationRestrictionRule.cpp
@@ -1,5 +1,5 @@
 /*
- * Copyright 2009 Internet2
+ * Copyright 2009-2010 Internet2
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@@ -17,7 +17,7 @@
 /**
 * DelegationRestrictionRule.cpp
 *
- * SAML DelegationRestriction SecurityPolicyRule
+ * SAML DelegationRestriction SecurityPolicyRule.
 */
 #include "internal.h"
@@ -26,7 +26,10 @@
 #include "saml2/core/Assertions.h"
 #include "util/SAMLConstants.h"
+#include
+#include
 #include
+#include
 using namespace opensaml::saml2;
 using namespace opensaml;
@@ -56,6 +59,7 @@ namespace opensaml {
 MATCH_NEWEST,
 MATCH_OLDEST
 } m_match;
+ time_t m_maxTime;
 };
 SecurityPolicyRule* SAML_DLLLOCAL DelegationRestrictionRuleFactory(const DOMElement* const & e)
@@ -81,7 +85,7 @@ namespace opensaml {
 XMLString::equals(n1->getSPNameQualifier(), n2->getSPNameQualifier()));
 }
 public:
- _isSameDelegate() : m_operand(NULL) {}
+ _isSameDelegate() : m_operand(nullptr) {}
 _isSameDelegate(const Delegate* d) : m_operand(d) {}
 // d1 is the input from the message, d2 is from the policy
@@ -108,14 +112,15 @@ namespace opensaml {
 static XMLCh any[] = UNICODE_LITERAL_8(a,n,y,O,r,d,e,r);
 static XMLCh newest[] = UNICODE_LITERAL_6(n,e,w,e,s,t);
 static XMLCh oldest[] = UNICODE_LITERAL_6(o,l,d,e,s,t);
-
+ static XMLCh maxTimeSinceDelegation[] = UNICODE_LITERAL_22(m,a,x,T,i,m,e,S,i,n,c,e,D,e,l,e,g,a,t,i,o,n);
 }
 };
-DelegationRestrictionRule::DelegationRestrictionRule(const DOMElement* e) : m_match(MATCH_ANY)
+DelegationRestrictionRule::DelegationRestrictionRule(const DOMElement* e)
+ : m_match(MATCH_ANY), m_maxTime(XMLHelper::getAttrInt(e, 0, maxTimeSinceDelegation))
 {
 if (e) {
- const XMLCh* m = e->getAttributeNS(NULL, match);
+ const XMLCh* m = e ? e->getAttributeNS(nullptr, match) : nullptr;
 if (XMLString::equals(m, newest))
 m_match = MATCH_NEWEST;
 else if (XMLString::equals(m, oldest))
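Review bot: The `maxTimeSinceDelegation` value is stored straight from `XMLHelper::getAttrInt(e, 0, maxTimeSinceDelegation)` with no range check, and evaluate() (changed in a later hunk) applies the limit only when `m_maxTime > 0`, so a negative value in the policy configuration switches the age check off without any indication. Consider rejecting a negative value in the constructor so that a misconfigured limit cannot silently disable the restriction; how an unparsable attribute is treated depends on getAttrInt, which is not visible here. Separately, the `e ? ... : nullptr` ternary on the `getAttributeNS` line is redundant because the statement already sits inside `if (e) {`. The constructor body continues past the end of the hunk.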
@@ -147,24 +152,29 @@ bool DelegationRestrictionRule::evaluate(const XMLObject& message, const Generic
 const DelegationRestrictionType* drt=dynamic_cast(&message);
 if (!drt)
 return false;
-
- // If we have no embedded Delegates, the condition evaluates to true.
- if (m_delegates.empty())
- return true;
-
 const vector& dels = drt->getDelegates();
- if (m_match == MATCH_ANY) {
- // Each Delegate in the condition MUST match an embedded Delegate.
- for (vector::const_iterator d1 = dels.begin(); d1 != dels.end(); ++d1) {
- if (find_if(m_delegates.begin(), m_delegates.end(), _isSameDelegate(*d1)) == m_delegates.end())
+
+ if (!m_delegates.empty()) {
+ if (m_match == MATCH_ANY) {
+ // Each Delegate in the condition MUST match an embedded Delegate.
+ for (vector::const_iterator d1 = dels.begin(); d1 != dels.end(); ++d1) {
+ if (find_if(m_delegates.begin(), m_delegates.end(), _isSameDelegate(*d1)) == m_delegates.end())
+ return false;
+ }
+ }
+ else if (m_match == MATCH_OLDEST) {
+ if (search(dels.begin(), dels.end(), m_delegates.begin(), m_delegates.end(), _isSameDelegate()) != dels.begin())
+ return false;
+ }
+ else if (m_match == MATCH_NEWEST) {
+ if (search(dels.rbegin(), dels.rend(), m_delegates.begin(), m_delegates.end(), _isSameDelegate()) != dels.rbegin())
 return false;
 }
 }
- else if (m_match == MATCH_OLDEST) {
- return (search(dels.begin(), dels.end(), m_delegates.begin(), m_delegates.end(), _isSameDelegate()) == dels.begin());
- }
- else if (m_match == MATCH_NEWEST) {
- return (search(dels.rbegin(), dels.rend(), m_delegates.begin(), m_delegates.end(), _isSameDelegate()) == dels.rbegin());
+
+ if (m_maxTime > 0) {
+ return (!dels.empty() && dels.front()->getDelegationInstant() &&
+ (time(nullptr) - dels.front()->getDelegationInstantEpoch() - XMLToolingConfig::getConfig().clock_skew_secs <= m_maxTime));
 }
 return true;
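Review bot: The new `m_maxTime` block at the end of evaluate() bounds only how old the delegation may be, so a DelegationInstant that lies in the future makes `time(nullptr) - getDelegationInstantEpoch() - clock_skew_secs` negative (assuming a signed `time_t`) and the `<= m_maxTime` comparison passes. Keeping the existing `!dels.empty()` and `getDelegationInstant()` guards, the test could also reject instants later than now plus the skew, for example `const time_t now = time(nullptr), skew = XMLToolingConfig::getConfig().clock_skew_secs, inst = dels.front()->getDelegationInstantEpoch();` followed by `return inst <= now + skew && now - inst - skew <= m_maxTime;`. Only `dels.front()` is examined; the MATCH_OLDEST branch suggests that is the oldest delegate, and a short comment stating that the age is measured from the first delegation in the chain would make that intent explicit. The body of evaluate() starts outside the hunk.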