2 * Copyright 2001-2006 Internet2
\r
4 * Licensed under the Apache License, Version 2.0 (the "License");
\r
5 * you may not use this file except in compliance with the License.
\r
6 * You may obtain a copy of the License at
\r
8 * http://www.apache.org/licenses/LICENSE-2.0
\r
10 * Unless required by applicable law or agreed to in writing, software
\r
11 * distributed under the License is distributed on an "AS IS" BASIS,
\r
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
\r
13 * See the License for the specific language governing permissions and
\r
14 * limitations under the License.
\r
18 * @file saml/binding/MessageDecoder.h
\r
20 * Interface to SAML protocol binding message decoders.
\r
23 #ifndef __saml_decoder_h__
\r
24 #define __saml_decoder_h__
\r
26 #include <saml/base.h>
\r
28 #include <xmltooling/XMLObject.h>
\r
30 namespace opensaml {
\r
32 class SAML_API SAMLArtifact;
\r
33 class SAML_API X509TrustEngine;
\r
35 class SAML_API Response;
\r
38 class SAML_API SAML2Artifact;
\r
41 class SAML_API MetadataProvider;
\r
42 class SAML_API IDPSSODescriptor;
\r
43 class SAML_API RoleDescriptor;
\r
44 class SAML_API SSODescriptorType;
\r
48 * Interface to SAML protocol binding message decoders.
\r
50 class SAML_API MessageDecoder
\r
52 MAKE_NONCOPYABLE(MessageDecoder);
\r
54 virtual ~MessageDecoder() {}
\r
57 * Interface to caller-supplied shim for accessing HTTP request context.
\r
59 * To supply information from the surrounding web server environment,
\r
60 * a shim must be supplied in the form of this interface to adapt the
\r
61 * library to different proprietary server APIs.
\r
63 class SAML_API HTTPRequest {
\r
64 MAKE_NONCOPYABLE(HTTPRequest);
\r
68 virtual ~HTTPRequest() {}
\r
71 * Returns the HTTP method of the request (GET, POST, etc.)
\r
73 * @return the HTTP method
\r
75 virtual const char* getMethod() const=0;
\r
78 * Returns the complete request URL, including scheme, host, port.
\r
80 * @return the request URL
\r
82 virtual const char* getRequestURL() const=0;
\r
85 * Returns the HTTP query string appened to the request. The query
\r
86 * string is returned without any decoding applied, everything found
\r
87 * after the ? delimiter.
\r
89 * @return the query string
\r
91 virtual const char* getQueryString() const=0;
\r
94 * Returns a decoded named parameter value from the query string or form body.
\r
95 * If a parameter has multiple values, only one will be returned.
\r
97 * @param name the name of the parameter to return
\r
98 * @return a single parameter value or NULL
\r
100 virtual const char* getParameter(const char* name) const=0;
\r
103 * Returns all of the decoded values of a named parameter from the query string
\r
104 * or form body. All values found will be returned.
\r
106 * @param name the name of the parameter to return
\r
107 * @param values a vector in which to return pointers to the decoded values
\r
108 * @return the number of values returned
\r
110 virtual std::vector<const char*>::size_type getParameters(
\r
111 const char* name, std::vector<const char*>& values
\r
116 * Interface to caller-supplied artifact resolution mechanism.
\r
118 * Resolving artifacts requires internally performing a SOAP-based
\r
119 * call to the artifact source, usually in a mutually authenticated fashion.
\r
120 * The potential options vary widely, so the work is encapsulated by this
\r
121 * interface, though of course other library facilities may be used.
\r
123 * <p>A MessageDecoder implementation will invoke the supplied interface
\r
124 * when it requires an artifact be resolved.
\r
126 class SAML_API ArtifactResolver {
\r
127 MAKE_NONCOPYABLE(ArtifactResolver);
\r
129 ArtifactResolver() {}
\r
131 /** Flag controlling schema validation. */
\r
135 virtual ~ArtifactResolver() {}
\r
138 * Controls schema validation of incoming XML messages.
\r
139 * This is separate from other forms of programmatic validation of objects,
\r
140 * but can detect a much wider range of syntax errors.
\r
142 * @param validate true iff the resolver should use a validating XML parser
\r
144 void setValidating(bool validate=true) {
\r
145 m_validate = validate;
\r
149 * Resolves one or more SAML 1.x artifacts into a response containing a set of
\r
150 * resolved Assertions. The caller is responsible for the resulting Response.
\r
152 * @param authenticated output flag set to true iff the resolution channel was authenticated
\r
153 * @param artifacts one or more SAML 1.x artifacts
\r
154 * @param idpDescriptor reference to IdP role of artifact issuer
\r
155 * @param trustEngine optional pointer to X509TrustEngine supplied to MessageDecoder
\r
156 * @return the corresponding SAML Assertions wrapped in a Response.
\r
158 virtual saml1p::Response* resolve(
\r
159 bool& authenticated,
\r
160 const std::vector<SAMLArtifact*>& artifacts,
\r
161 const saml2md::IDPSSODescriptor& idpDescriptor,
\r
162 const X509TrustEngine* trustEngine=NULL
\r
166 * Resolves a SAML 2.0 artifact into the corresponding SAML protocol message.
\r
167 * The caller is responsible for the resulting XMLObject.
\r
169 * @param authenticated output flag set to true iff the resolution channel was authenticated
\r
170 * @param artifact reference to a SAML 2.0 artifact
\r
171 * @param ssoDescriptor reference to SSO role of artifact issuer (may be SP or IdP)
\r
172 * @param trustEngine optional pointer to X509TrustEngine supplied to MessageDecoder
\r
173 * @return the corresponding SAML protocol message or NULL
\r
175 virtual xmltooling::XMLObject* resolve(
\r
176 bool& authenticated,
\r
177 const saml2p::SAML2Artifact& artifact,
\r
178 const saml2md::SSODescriptorType& ssoDescriptor,
\r
179 const X509TrustEngine* trustEngine=NULL
\r
184 * Provides an ArtifactResolver implementation for the MessageDecoder to use.
\r
185 * The implementation's lifetime must be longer than the lifetime of this object.
\r
186 * This method must be externally synchronized.
\r
188 * @param artifactResolver an ArtifactResolver implementation to use
\r
190 void setArtifactResolver(ArtifactResolver* artifactResolver) {
\r
191 m_artifactResolver = artifactResolver;
\r
192 if (m_artifactResolver)
\r
193 m_artifactResolver->setValidating(m_validate);
\r
197 * Controls schema validation of incoming XML messages.
\r
198 * This is separate from other forms of programmatic validation of objects,
\r
199 * but can detect a much wider range of syntax errors.
\r
201 * @param validate true iff the decoder should use a validating XML parser
\r
203 void setValidating(bool validate=true) {
\r
204 m_validate = validate;
\r
205 if (m_artifactResolver)
\r
206 m_artifactResolver->setValidating(m_validate);
\r
210 * Decodes an HTTP request into a SAML protocol message, and returns related
\r
211 * information about the issuer of the message and whether it can be trusted.
\r
212 * If the HTTP request does not contain the information necessary to decode
\r
213 * the request, a NULL will be returned. Errors during the decoding process
\r
214 * will be raised as exceptions.
\r
216 * <p>Artifact-based bindings require an ArtifactResolver be set to
\r
217 * turn an artifact into the corresponding message.
\r
219 * <p>In some cases, a message may be returned but not authenticated. The caller
\r
220 * should examine the issuerTrusted output value to establish this.
\r
222 * @param relayState RelayState/TARGET value accompanying message
\r
223 * @param issuer role descriptor of issuing party
\r
224 * @param issuerTrusted output flag set to true iff the message was authenticated
\r
225 * (signed or obtained via secure backchannel)
\r
226 * @param httpRequest reference to interface for accessing HTTP message to decode
\r
227 * @param metadataProvider optional MetadataProvider instance to authenticate the message
\r
228 * @param role optional, identifies the role (generally IdP or SP) of the peer who issued the message
\r
229 * @param trustEngine optional TrustEngine to authenticate the message
\r
230 * @return the decoded message, or NULL if the decoder did not recognize the request content
\r
232 virtual xmltooling::XMLObject* decode(
\r
233 std::string& relayState,
\r
234 const saml2md::RoleDescriptor*& issuer,
\r
235 bool& issuerTrusted,
\r
236 const HTTPRequest& httpRequest,
\r
237 const saml2md::MetadataProvider* metadataProvider=NULL,
\r
238 const xmltooling::QName* role=NULL,
\r
239 const TrustEngine* trustEngine=NULL
\r
243 MessageDecoder() : m_artifactResolver(NULL), m_validate(false) {}
\r
245 /** Pointer to an ArtifactResolver implementation. */
\r
246 ArtifactResolver* m_artifactResolver;
\r
248 /** Flag controlling schema validation. */
\r
253 * Registers MessageDecoder plugins into the runtime.
\r
255 void SAML_API registerMessageDecoders();
\r
257 /** MessageDecoder for SAML 1.x Browser/Artifact "binding" (really part of profile) */
\r
258 #define SAML1_ARTIFACT_DECODER "urn:oasis:names:tc:SAML:1.0:profiles:artifact-01"
\r
260 /** MessageDecoder for SAML 1.x Browser/POST "binding" (really part of profile) */
\r
261 #define SAML1_POST_DECODER "urn:oasis:names:tc:SAML:1.0:profiles:browser-post"
\r
263 /** MessageDecoder for SAML 2.0 HTTP-Artifact binding */
\r
264 #define SAML2_ARTIFACT_DECODER "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
\r
266 /** MessageDecoder for SAML 2.0 HTTP-POST binding */
\r
267 #define SAML2_POST_DECODER "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
\r
269 /** MessageDecoder for SAML 2.0 HTTP-Redirect binding */
\r
270 #define SAML2_REDIRECT_DECODER "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
\r
273 #endif /* __saml_decoder_h__ */
\r
projects / shibboleth / cpp-opensaml.git / blob