2 * Copyright 2001-2006 Internet2
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
8 * http://www.apache.org/licenses/LICENSE-2.0
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
18 * @file saml/binding/SecurityPolicy.h
20 * Overall policy used to verify the security of an incoming message.
23 #ifndef __saml_secpol_h__
24 #define __saml_secpol_h__
26 #include <saml/binding/SecurityPolicyRule.h>
29 #if defined (_MSC_VER)
30 #pragma warning( push )
31 #pragma warning( disable : 4250 4251 )
37 class SAML_API MetadataProvider;
41 * A policy used to verify the security of an incoming message.
43 * <p>Its security mechanisms may be used to examine the transport layer
44 * (e.g client certificates and HTTP basic auth passwords) or to check the
45 * payload of a request to ensure it meets certain criteria (e.g. valid
46 * digital signature, freshness, replay).
48 * <p>Policy objects can be reused, but are not thread-safe.
50 class SAML_API SecurityPolicy
52 MAKE_NONCOPYABLE(SecurityPolicy);
55 * Constructor for policy.
57 * @param metadataProvider locked MetadataProvider instance
58 * @param role identifies the role (generally IdP or SP) of the policy peer
59 * @param trustEngine TrustEngine to authenticate policy peer
62 const saml2md::MetadataProvider* metadataProvider=NULL,
63 const xmltooling::QName* role=NULL,
64 const xmltooling::TrustEngine* trustEngine=NULL
65 ) : m_issuer(NULL), m_issuerRole(NULL), m_matchingPolicy(NULL), m_metadata(metadataProvider),
66 m_role(role ? *role : xmltooling::QName()), m_trust(trustEngine) {
70 * Constructor for policy using existing rules. The lifetime of the policy rules
71 * must be at least as long as the policy object.
73 * @param rules reference to array of policy rules to use
74 * @param metadataProvider locked MetadataProvider instance
75 * @param role identifies the role (generally IdP or SP) of the policy peer
76 * @param trustEngine TrustEngine to authenticate policy peer
79 const std::vector<const SecurityPolicyRule*>& rules,
80 const saml2md::MetadataProvider* metadataProvider=NULL,
81 const xmltooling::QName* role=NULL,
82 const xmltooling::TrustEngine* trustEngine=NULL
83 ) : m_issuer(NULL), m_issuerRole(NULL), m_matchingPolicy(NULL), m_rules(rules), m_metadata(metadataProvider),
84 m_role(role ? *role : xmltooling::QName()), m_trust(trustEngine) {
87 virtual ~SecurityPolicy();
90 * Returns the locked MetadataProvider supplied to the policy.
92 * @return the supplied MetadataProvider or NULL
94 const saml2md::MetadataProvider* getMetadataProvider() const {
99 * Returns the peer role element/type supplied to the policy.
101 * @return the peer role element/type, or an empty QName
103 const xmltooling::QName* getRole() const {
108 * Returns the TrustEngine supplied to the policy.
110 * @return the supplied TrustEngine or NULL
112 const xmltooling::TrustEngine* getTrustEngine() const {
117 * Adds a SecurityPolicyRule to the policy. The lifetime of the policy rule
118 * must be at least as long as the policy object.
120 * @param rule SecurityPolicyRule to add
122 void addRule(const SecurityPolicyRule* rule) {
123 m_rules.push_back(rule);
127 * Sets a locked MetadataProvider for the policy.
129 * @param metadata a locked MetadataProvider or NULL
131 void setMetadataProvider(const saml2md::MetadataProvider* metadata) {
132 m_metadata = metadata;
136 * Sets a peer role element/type for to the policy.
138 * @param role the peer role element/type or NULL
140 void setRole(const xmltooling::QName* role) {
141 m_role = (role ? *role : xmltooling::QName());
145 * Sets a TrustEngine for the policy.
147 * @param trust a TrustEngine or NULL
149 void setTrustEngine(const xmltooling::TrustEngine* trust) {
154 * Evaluates the policy against the given request and message,
155 * possibly populating issuer information in the policy object.
157 * @param message the incoming message
158 * @param request the protocol request
160 * @throws BindingException thrown if the request/message do not meet the requirements of this policy
162 void evaluate(const xmltooling::XMLObject& message, const GenericRequest* request=NULL);
165 * Gets the issuer of the message as determined by the registered policies.
167 * @return issuer of the message as determined by the registered policies
169 const saml2::Issuer* getIssuer() const {
174 * Gets the metadata for the role the issuer is operating in.
176 * @return metadata for the role the issuer is operating in
178 const saml2md::RoleDescriptor* getIssuerMetadata() const {
183 * Sets the issuer of the message as determined by external factors.
184 * The policy object takes ownership of the Issuer object.
186 * @param issuer issuer of the message
188 void setIssuer(saml2::Issuer* issuer);
191 * Sets the metadata for the role the issuer is operating in.
193 * @param issuerRole metadata for the role the issuer is operating in
195 void setIssuerMetadata(const saml2md::RoleDescriptor* issuerRole);
197 /** Allows override of rules for comparing saml2:Issuer information. */
198 class SAML_API IssuerMatchingPolicy {
199 MAKE_NONCOPYABLE(IssuerMatchingPolicy);
201 IssuerMatchingPolicy() {}
202 virtual ~IssuerMatchingPolicy() {}
205 * Returns true iff the two operands "match". Applications can override this method to
206 * support non-standard issuer matching for complex policies.
208 * <p>The default implementation does a basic comparison of the XML content, treating
209 * an unsupplied Format as an "entityID".
211 * @param issuer1 the first Issuer to match
212 * @param issuer2 the second Issuer to match
213 * @return true iff the operands match
215 virtual bool issuerMatches(const saml2::Issuer* issuer1, const saml2::Issuer* issuer2) const;
219 * Returns the IssuerMatchingPolicy in effect.
221 * @return the effective IssuerMatchingPolicy
223 const IssuerMatchingPolicy& getIssuerMatchingPolicy() const {
224 return m_matchingPolicy ? *m_matchingPolicy : m_defaultMatching;
228 * Sets the IssuerMatchingPolicy in effect. Setting no policy will
229 * cause the simple, default approach to be used.
231 * <p>The matching object will be freed by the SecurityPolicy.
233 * @param matchingPolicy the IssuerMatchingPolicy to use
235 void setIssuerMatchingPolicy(IssuerMatchingPolicy* matchingPolicy) {
236 delete m_matchingPolicy;
237 m_matchingPolicy = matchingPolicy;
241 /** A shared matching object that just supports the default matching rules. */
242 static IssuerMatchingPolicy m_defaultMatching;
245 saml2::Issuer* m_issuer;
246 const saml2md::RoleDescriptor* m_issuerRole;
248 IssuerMatchingPolicy* m_matchingPolicy;
249 std::vector<const SecurityPolicyRule*> m_rules;
250 const saml2md::MetadataProvider* m_metadata;
251 xmltooling::QName m_role;
252 const xmltooling::TrustEngine* m_trust;
257 #if defined (_MSC_VER)
258 #pragma warning( pop )
261 #endif /* __saml_secpol_h__ */