2 * Copyright 2001-2010 Internet2
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
8 * http://www.apache.org/licenses/LICENSE-2.0
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
18 * @file saml/binding/SecurityPolicy.h
20 * Overall policy used to verify the security of an incoming message.
23 #ifndef __saml_secpol_h__
24 #define __saml_secpol_h__
26 #include <saml/saml2/metadata/MetadataProvider.h>
30 #include <xmltooling/unicode.h>
32 #if defined (_MSC_VER)
33 #pragma warning( push )
34 #pragma warning( disable : 4250 4251 )
37 namespace xmltooling {
38 class XMLTOOL_API GenericRequest;
39 class XMLTOOL_API TrustEngine;
45 class SAML_API Issuer;
48 class SAML_API SecurityPolicyRule;
51 * A policy used to verify the security of an incoming message.
53 * <p>Its security mechanisms may be used to examine the transport layer
54 * (e.g client certificates and HTTP basic auth passwords) or to check the
55 * payload of a request to ensure it meets certain criteria (e.g. valid
56 * digital signature, freshness, replay).
58 * <p>Policy objects can be reused, but are not thread-safe.
60 class SAML_API SecurityPolicy
62 MAKE_NONCOPYABLE(SecurityPolicy);
65 * Constructor for policy.
67 * @param metadataProvider locked MetadataProvider instance
68 * @param role identifies the role (generally IdP or SP) of the policy peer
69 * @param trustEngine TrustEngine to authenticate policy peer
70 * @param validate true iff XML parsing should be done with validation
73 const saml2md::MetadataProvider* metadataProvider=nullptr,
74 const xmltooling::QName* role=nullptr,
75 const xmltooling::TrustEngine* trustEngine=nullptr,
79 virtual ~SecurityPolicy();
82 * Returns the locked MetadataProvider supplied to the policy.
84 * @return the supplied MetadataProvider or nullptr
86 const saml2md::MetadataProvider* getMetadataProvider() const;
89 * Returns a reference to a MetadataProvider::Criteria instance suitable for use with the
90 * installed MetadataProvider.
92 * <p>The object will be cleared/reset when returned, so do not mutate it and then
93 * call the method again before using it.
95 * @return reference to a MetadataProvider::Criteria instance
97 virtual saml2md::MetadataProvider::Criteria& getMetadataProviderCriteria() const;
100 * Returns the peer role element/type supplied to the policy.
102 * @return the peer role element/type, or an empty QName
104 const xmltooling::QName* getRole() const;
107 * Returns the TrustEngine supplied to the policy.
109 * @return the supplied TrustEngine or nullptr
111 const xmltooling::TrustEngine* getTrustEngine() const;
114 * Returns XML message validation setting.
116 * @return validation flag
118 bool getValidating() const;
121 * Returns flag controlling non-entity issuer support.
123 * @return flag controlling non-entity issuer support
125 bool requireEntityIssuer() const;
128 * Returns the SAML audiences that represent the receiving peer.
130 * @return audience values of the peer processing the message
132 const std::vector<xmltooling::xstring>& getAudiences() const;
135 * Returns the SAML audiences that represent the receiving peer.
137 * @return audience values of the peer processing the message
139 std::vector<xmltooling::xstring>& getAudiences();
142 * Gets the effective time of message processing.
144 * @return the time at which the message is being processed
146 time_t getTime() const;
149 * Returns the message identifier to which the message being evaluated
152 * @return correlated message identifier
154 const XMLCh* getCorrelationID() const;
157 * Gets a mutable array of installed policy rules.
159 * <p>If adding rules, their lifetime must be at least as long as the policy object.
161 * @return mutable array of rules
163 std::vector<const SecurityPolicyRule*>& getRules();
166 * Sets a locked MetadataProvider for the policy.
168 * @param metadata a locked MetadataProvider or nullptr
170 void setMetadataProvider(const saml2md::MetadataProvider* metadata);
173 * Sets a MetadataProvider::Criteria instance suitable for use with the
174 * installed MetadataProvider.
176 * <p>The policy will take ownership of the criteria object when this
179 * @param criteria a MetadataProvider::Criteria instance, or nullptr
181 void setMetadataProviderCriteria(saml2md::MetadataProvider::Criteria* criteria);
184 * Sets a peer role element/type for to the policy.
186 * @param role the peer role element/type or nullptr
188 void setRole(const xmltooling::QName* role);
191 * Sets a TrustEngine for the policy.
193 * @param trust a TrustEngine or nullptr
195 void setTrustEngine(const xmltooling::TrustEngine* trust);
198 * Controls schema validation of incoming XML messages.
199 * This is separate from other forms of programmatic validation of objects,
200 * but can detect a much wider range of syntax errors.
202 * @param validate validation setting
204 void setValidating(bool validate=true);
207 * Sets flag controlling non-entity issuer support.
209 * @param entityOnly require that Issuer be in entity format
211 void requireEntityIssuer(bool entityOnly=true);
214 * Sets effective time of message processing.
216 * <p>Assumed to be the time of policy instantiation, can be adjusted to pre- or post-date
217 * message processing.
219 * @param ts the time at which the message is being processed
221 void setTime(time_t ts);
224 * Sets the message identifier to which the message being evaluated
227 * @param correlationID correlated message identifier
229 void setCorrelationID(const XMLCh* correlationID);
232 * Evaluates the policy against the given request and message,
233 * possibly populating message information in the policy object.
235 * @param message the incoming message
236 * @param request the protocol request
238 * @throws BindingException raised if the message/request is invalid according to the supplied rules
240 void evaluate(const xmltooling::XMLObject& message, const xmltooling::GenericRequest* request=nullptr);
243 * Resets the policy object and/or clears any per-message state.
245 * <p>Resets can be complete (the default) or merely clear the previous message ID and timestamp
246 * when evaluating multiple layers of a message.
248 * @param messageOnly true iff security and issuer state should be left in place
250 virtual void reset(bool messageOnly=false);
253 * Resets the policy object and/or clears any per-message state for only this specific class.
255 * <p>Resets can be complete (the default) or merely clear the previous message ID and timestamp
256 * when evaluating multiple layers of a message.
258 * @param messageOnly true iff security and issuer state should be left in place
260 void _reset(bool messageOnly=false);
263 * Returns the message identifier as determined by the registered policies.
265 * @return message identifier as determined by the registered policies
267 const XMLCh* getMessageID() const;
270 * Returns the message timestamp as determined by the registered policies.
272 * @return message timestamp as determined by the registered policies
274 time_t getIssueInstant() const;
277 * Gets the issuer of the message as determined by the registered policies.
279 * @return issuer of the message as determined by the registered policies
281 const saml2::Issuer* getIssuer() const;
284 * Gets the metadata for the role the issuer is operating in.
286 * @return metadata for the role the issuer is operating in
288 const saml2md::RoleDescriptor* getIssuerMetadata() const;
291 * Returns the authentication status of the message as determined by the registered policies.
293 * @return true iff a SecurityPolicyRule has indicated the issuer/message has been authenticated
295 bool isAuthenticated() const;
298 * Sets the message identifier as determined by the registered policies.
300 * @param id message identifier
302 void setMessageID(const XMLCh* id);
305 * Sets the message timestamp as determined by the registered policies.
307 * @param issueInstant message timestamp
309 void setIssueInstant(time_t issueInstant);
312 * Sets the issuer of the message as determined by the registered policies.
314 * @param issuer issuer of the message
316 void setIssuer(const saml2::Issuer* issuer);
319 * Sets the issuer of the message as determined by the registered policies.
321 * @param issuer issuer of the message
323 void setIssuer(const XMLCh* issuer);
326 * Sets the metadata for the role the issuer is operating in.
328 * @param issuerRole metadata for the role the issuer is operating in
330 void setIssuerMetadata(const saml2md::RoleDescriptor* issuerRole);
333 * Sets the authentication status of the message as determined by the registered policies.
335 * @param auth indicates whether the issuer/message has been authenticated
337 void setAuthenticated(bool auth);
339 /** Allows override of rules for comparing saml2:Issuer information. */
340 class SAML_API IssuerMatchingPolicy {
341 MAKE_NONCOPYABLE(IssuerMatchingPolicy);
343 IssuerMatchingPolicy();
344 virtual ~IssuerMatchingPolicy();
347 * Returns true iff the two operands "match". Applications can override this method to
348 * support non-standard issuer matching for complex policies.
350 * <p>The default implementation does a basic comparison of the XML content, treating
351 * an unsupplied Format as an "entityID".
353 * @param issuer1 the first Issuer to match
354 * @param issuer2 the second Issuer to match
355 * @return true iff the operands match
357 virtual bool issuerMatches(const saml2::Issuer* issuer1, const saml2::Issuer* issuer2) const;
360 * Returns true iff the two operands "match". Applications can override this method to
361 * support non-standard issuer matching for complex policies.
363 * <p>The default implementation does a basic comparison of the XML content, treating
364 * an unsupplied Format as an "entityID".
366 * @param issuer1 the first Issuer to match
367 * @param issuer2 the second Issuer to match
368 * @return true iff the operands match
370 virtual bool issuerMatches(const saml2::Issuer* issuer1, const XMLCh* issuer2) const;
374 * Returns the IssuerMatchingPolicy in effect.
376 * @return the effective IssuerMatchingPolicy
378 const IssuerMatchingPolicy& getIssuerMatchingPolicy() const;
381 * Sets the IssuerMatchingPolicy in effect. Setting no policy will
382 * cause the simple, default approach to be used.
384 * <p>The matching object will be freed by the SecurityPolicy.
386 * @param matchingPolicy the IssuerMatchingPolicy to use
388 void setIssuerMatchingPolicy(IssuerMatchingPolicy* matchingPolicy);
391 /** A shared matching object that just supports the default matching rules. */
392 static IssuerMatchingPolicy m_defaultMatching;
394 /** Manufactured MetadataProvider::Criteria instance. */
395 mutable saml2md::MetadataProvider::Criteria* m_metadataCriteria;
398 // information extracted from message
399 xmltooling::xstring m_messageID;
400 time_t m_issueInstant;
401 saml2::Issuer* m_issuer;
402 const saml2md::RoleDescriptor* m_issuerRole;
403 bool m_authenticated;
405 // components governing policy rules
406 IssuerMatchingPolicy* m_matchingPolicy;
407 std::vector<const SecurityPolicyRule*> m_rules;
408 const saml2md::MetadataProvider* m_metadata;
409 xmltooling::QName* m_role;
410 const xmltooling::TrustEngine* m_trust;
414 // contextual information
416 xmltooling::xstring m_correlationID;
417 std::vector<xmltooling::xstring> m_audiences;
422 #if defined (_MSC_VER)
423 #pragma warning( pop )
426 #endif /* __saml_secpol_h__ */