/*
* Copyright 2001-2007 Internet2
- *
+ *
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
/**
* MetadataProvider.cpp
- *
+ *
* Registration of factories for built-in providers
*/
SAML_DLLLOCAL PluginManager<MetadataFilter,string,const DOMElement*>::Factory BlacklistMetadataFilterFactory;
SAML_DLLLOCAL PluginManager<MetadataFilter,string,const DOMElement*>::Factory WhitelistMetadataFilterFactory;
SAML_DLLLOCAL PluginManager<MetadataFilter,string,const DOMElement*>::Factory SignatureMetadataFilterFactory;
+ SAML_DLLLOCAL PluginManager<MetadataFilter,string,const DOMElement*>::Factory RequireValidUntilMetadataFilterFactory;
};
};
SAMLConfig::getConfig().MetadataFilterManager.registerFactory(BLACKLIST_METADATA_FILTER, BlacklistMetadataFilterFactory);
SAMLConfig::getConfig().MetadataFilterManager.registerFactory(WHITELIST_METADATA_FILTER, WhitelistMetadataFilterFactory);
SAMLConfig::getConfig().MetadataFilterManager.registerFactory(SIGNATURE_METADATA_FILTER, SignatureMetadataFilterFactory);
+ SAMLConfig::getConfig().MetadataFilterManager.registerFactory(REQUIREVALIDUNTIL_METADATA_FILTER, RequireValidUntilMetadataFilterFactory);
}
static const XMLCh _MetadataFilter[] = UNICODE_LITERAL_14(M,e,t,a,d,a,t,a,F,i,l,t,e,r);
#endif
Category& log = Category::getInstance(SAML_LOGCAT".Metadata");
SAMLConfig& conf=SAMLConfig::getConfig();
-
+
// Locate any default recognized filters and plugins.
try {
DOMElement* child = e ? XMLHelper::getFirstChildElement(e) : NULL;
--- /dev/null
+/*
+ * Copyright 2001-2008 Internet2
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/**
+ * RequireValidUntilMetadataFilter.cpp
+ *
+ * MetadataFilter that enforces expiration requirements.
+ */
+
+#include "internal.h"
+#include "saml2/metadata/Metadata.h"
+#include "saml2/metadata/MetadataFilter.h"
+
+#include <xmltooling/logging.h>
+#include <xmltooling/util/NDC.h>
+
+using namespace opensaml::saml2md;
+using namespace xmltooling::logging;
+using namespace xmltooling;
+using namespace std;
+
+namespace opensaml {
+ namespace saml2md {
+
+ class SAML_DLLLOCAL RequireValidUntilMetadataFilter : public MetadataFilter
+ {
+ public:
+ RequireValidUntilMetadataFilter(const DOMElement* e);
+ ~RequireValidUntilMetadataFilter() {}
+
+ const char* getId() const { return BLACKLIST_METADATA_FILTER; }
+ void doFilter(XMLObject& xmlObject) const;
+
+ private:
+ time_t m_maxValidityInterval;
+ };
+
+ MetadataFilter* SAML_DLLLOCAL RequireValidUntilMetadataFilterFactory(const DOMElement* const & e)
+ {
+ return new RequireValidUntilMetadataFilter(e);
+ }
+
+ };
+};
+
+static const XMLCh maxValidityInterval[] = UNICODE_LITERAL_19(m,a,x,V,a,l,i,d,i,t,y,I,n,t,e,r,v,a,l);
+
+RequireValidUntilMetadataFilter::RequireValidUntilMetadataFilter(const DOMElement* e) : m_maxValidityInterval(60 * 60 * 24 * 7)
+{
+ const XMLCh* mvi = e ? e->getAttributeNS(NULL,maxValidityInterval) : NULL;
+ if (mvi && *mvi) {
+ m_maxValidityInterval = XMLString::parseInt(mvi);
+ if (m_maxValidityInterval == 0)
+ m_maxValidityInterval = 60 * 60 * 24 * 7;
+ }
+}
+
+void RequireValidUntilMetadataFilter::doFilter(XMLObject& xmlObject) const
+{
+ const TimeBoundSAMLObject* tbo = dynamic_cast<const TimeBoundSAMLObject*>(&xmlObject);
+ if (!tbo)
+ throw MetadataFilterException("Metadata root element was invalid.");
+
+ if (!tbo->getValidUntil())
+ throw MetadataFilterException("Metadata did not include a validUntil attribute.");
+
+ if (tbo->getValidUntilEpoch() - time(NULL) > m_maxValidityInterval)
+ throw MetadataFilterException("Metadata validity interval is larger than permitted.");
+}
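Review bot: getId() in the new class returns BLACKLIST_METADATA_FILTER, but the factory is registered under REQUIREVALIDUNTIL_METADATA_FILTER, so anything that distinguishes filters by their id will misattribute this one; the line should read `const char* getId() const { return REQUIREVALIDUNTIL_METADATA_FILTER; }`. In the constructor only a parsed value of exactly 0 falls back to the one-week default; a negative maxValidityInterval is stored unchanged and makes doFilter reject every document (fail-closed, but almost certainly unintended), so the fallback check should be `if (m_maxValidityInterval <= 0)`. doFilter bounds only how far in the future validUntil may lie: a validUntil already in the past gives a negative difference and passes this filter, which is presumably left to the provider's own expiration handling, and a one-line comment above the comparison stating that this filter does not check for expiry would keep it from being mistaken for one.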
namespace opensaml {
namespace saml2md {
- static const XMLCh requireValidUntil[] = UNICODE_LITERAL_17(r,e,q,u,i,r,e,V,a,l,i,d,U,n,t,i,l);
-
class SAML_DLLLOCAL XMLMetadataProvider : public AbstractMetadataProvider, public ReloadableXMLFile
{
public:
XMLMetadataProvider(const DOMElement* e)
: AbstractMetadataProvider(e), ReloadableXMLFile(e, Category::getInstance(SAML_LOGCAT".MetadataProvider.XML")),
- m_object(NULL), m_requireValidUntil(false) {
- const XMLCh* flag = e ? e->getAttributeNS(NULL,requireValidUntil) : NULL;
- m_requireValidUntil = (flag && (*flag == chLatin_t || *flag == chDigit_1));
+ m_object(NULL), m_maxCacheDuration(m_reloadInterval) {
}
virtual ~XMLMetadataProvider() {
delete m_object;
void index();
XMLObject* m_object;
- bool m_requireValidUntil;
+ time_t m_maxCacheDuration;
};
MetadataProvider* SAML_DLLLOCAL XMLMetadataProviderFactory(const DOMElement* const & e)
"Root of metadata instance not recognized: $1", params(1,xmlObject->getElementQName().toString().c_str())
);
- if (m_requireValidUntil) {
- const TimeBoundSAMLObject* tbo = dynamic_cast<const TimeBoundSAMLObject*>(xmlObject.get());
- if (!tbo || tbo->getValidUntil() == NULL)
- throw MetadataException("Root of metadata instance does not have validUntil atttribute.");
- }
-
// Preprocess the metadata.
doFilters(*xmlObject.get());
xmlObject->releaseThisAndChildrenDOM();
index();
if (changed)
emitChangeEvent();
+
+ // If a remote resource, reduce the reload interval if cacheDuration is set.
+ if (!m_local) {
+ const CacheableSAMLObject* cacheable = dynamic_cast<const CacheableSAMLObject*>(m_object);
+ if (cacheable && cacheable->getCacheDuration() && cacheable->getCacheDurationEpoch() < m_maxCacheDuration)
+ m_reloadInterval = cacheable->getCacheDurationEpoch();
+ else
+ m_reloadInterval = m_maxCacheDuration;
+ }
+
return make_pair(false,(DOMElement*)NULL);
}