Added filter on assertions for condition checking.
authorcantor <cantor@cb58f699-b61c-0410-a6fe-9272a202ed29>
Thu, 13 Feb 2003 06:30:11 +0000 (06:30 +0000)
committercantor <cantor@cb58f699-b61c-0410-a6fe-9272a202ed29>
Thu, 13 Feb 2003 06:30:11 +0000 (06:30 +0000)
git-svn-id: https://svn.middleware.georgetown.edu/cpp-sp/trunk@280 cb58f699-b61c-0410-a6fe-9272a202ed29

shib-target/shib-rm.cpp

index 2cb2541..f64ae16 100644 (file)
@@ -135,7 +135,23 @@ RPCError* RM::getAssertions(const char* cookie, const char* ip,
       }
 
       if (as)
-       assertions.push_back(as);
+      {
+        // XXX: Should move this audience check up to the RPC server side, and cache each assertion one
+        // by one instead of the whole response.
+        bool ok=true;
+        Iteration<SAMLCondition*> conds=as->getConditions();
+        while (conds.hasNext())
+        {
+            SAMLAudienceRestrictionCondition* cond=dynaptr(SAMLAudienceRestrictionCondition,conds.next());
+            if (!cond->eval(ShibTargetConfig::getConfig().getPolicies()))
+            {
+                m_priv->log->warning("Assertion failed AudienceRestrictionCondition check, skipping it...");
+                ok=false;
+            }
+        }
+        if (ok)
+               assertions.push_back(as);
+      }
     }
 
     if (!retval)
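Review bot: In the added `while (conds.hasNext())` loop, `cond` is dereferenced without a null check. If `dynaptr` is a dynamic_cast-style helper (its definition is not in this hunk), any condition that is not a SAMLAudienceRestrictionCondition yields a null pointer, and `cond->eval(...)` then crashes on content taken from the assertion. Treating an unrecognised condition as a failure avoids the crash and also rejects assertions whose conditions this code cannot evaluate: `if (!cond || !cond->eval(ShibTargetConfig::getConfig().getPolicies()))`. A `break;` after `ok=false;` would stop the same assertion from logging the warning more than once. The hunk does not show who owns `as` when it is skipped, so confirm it is released on the `!ok` path; getAssertions starts and ends outside the hunk.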