2 * Copyright 2001-2009 Internet2
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
8 * http://www.apache.org/licenses/LICENSE-2.0
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
20 * Overall policy used to verify the security of an incoming message.
24 #include "exceptions.h"
25 #include "binding/SecurityPolicy.h"
26 #include "binding/SecurityPolicyRule.h"
27 #include "saml2/core/Assertions.h"
29 using namespace opensaml::saml2md;
30 using namespace opensaml::saml2;
31 using namespace opensaml;
32 using namespace xmltooling;
36 SAML_DLLLOCAL PluginManager<SecurityPolicyRule,string,const DOMElement*>::Factory AudienceRestrictionRuleFactory;
37 SAML_DLLLOCAL PluginManager<SecurityPolicyRule,string,const DOMElement*>::Factory ClientCertAuthRuleFactory;
38 SAML_DLLLOCAL PluginManager<SecurityPolicyRule,string,const DOMElement*>::Factory ConditionsRuleFactory;
39 SAML_DLLLOCAL PluginManager<SecurityPolicyRule,string,const DOMElement*>::Factory IgnoreRuleFactory;
40 SAML_DLLLOCAL PluginManager<SecurityPolicyRule,string,const DOMElement*>::Factory MessageFlowRuleFactory;
41 SAML_DLLLOCAL PluginManager<SecurityPolicyRule,string,const DOMElement*>::Factory NullSecurityRuleFactory;
42 SAML_DLLLOCAL PluginManager<SecurityPolicyRule,string,const DOMElement*>::Factory SimpleSigningRuleFactory;
43 SAML_DLLLOCAL PluginManager<SecurityPolicyRule,string,const DOMElement*>::Factory XMLSigningRuleFactory;
46 SAML_DLLLOCAL PluginManager<SecurityPolicyRule,string,const DOMElement*>::Factory BrowserSSORuleFactory;
50 SAML_DLLLOCAL PluginManager<SecurityPolicyRule,string,const DOMElement*>::Factory BearerConfirmationRuleFactory;
51 SAML_DLLLOCAL PluginManager<SecurityPolicyRule,string,const DOMElement*>::Factory DelegationRestrictionRuleFactory;
55 void SAML_API opensaml::registerSecurityPolicyRules()
57 SAMLConfig& conf=SAMLConfig::getConfig();
58 conf.SecurityPolicyRuleManager.registerFactory(AUDIENCE_POLICY_RULE, AudienceRestrictionRuleFactory);
59 conf.SecurityPolicyRuleManager.registerFactory(CLIENTCERTAUTH_POLICY_RULE, ClientCertAuthRuleFactory);
60 conf.SecurityPolicyRuleManager.registerFactory(CONDITIONS_POLICY_RULE, ConditionsRuleFactory);
61 conf.SecurityPolicyRuleManager.registerFactory(IGNORE_POLICY_RULE, IgnoreRuleFactory);
62 conf.SecurityPolicyRuleManager.registerFactory(MESSAGEFLOW_POLICY_RULE, MessageFlowRuleFactory);
63 conf.SecurityPolicyRuleManager.registerFactory(NULLSECURITY_POLICY_RULE, NullSecurityRuleFactory);
64 conf.SecurityPolicyRuleManager.registerFactory(SIMPLESIGNING_POLICY_RULE, SimpleSigningRuleFactory);
65 conf.SecurityPolicyRuleManager.registerFactory(XMLSIGNING_POLICY_RULE, XMLSigningRuleFactory);
66 conf.SecurityPolicyRuleManager.registerFactory(SAML1BROWSERSSO_POLICY_RULE, saml1::BrowserSSORuleFactory);
67 conf.SecurityPolicyRuleManager.registerFactory(BEARER_POLICY_RULE, saml2::BearerConfirmationRuleFactory);
68 conf.SecurityPolicyRuleManager.registerFactory(DELEGATION_POLICY_RULE, saml2::DelegationRestrictionRuleFactory);
71 SecurityPolicyRule::SecurityPolicyRule()
75 SecurityPolicyRule::~SecurityPolicyRule()
79 SecurityPolicy::SecurityPolicy(
80 const saml2md::MetadataProvider* metadataProvider,
81 const xmltooling::QName* role,
82 const xmltooling::TrustEngine* trustEngine,
84 ) : m_metadataCriteria(NULL),
88 m_authenticated(false),
89 m_matchingPolicy(NULL),
90 m_metadata(metadataProvider),
98 m_role = new xmltooling::QName(*role);
101 SecurityPolicy::~SecurityPolicy()
103 delete m_metadataCriteria;
107 const MetadataProvider* SecurityPolicy::getMetadataProvider() const
112 MetadataProvider::Criteria& SecurityPolicy::getMetadataProviderCriteria() const
114 if (!m_metadataCriteria)
115 m_metadataCriteria=new MetadataProvider::Criteria();
117 m_metadataCriteria->reset();
118 return *m_metadataCriteria;
121 const xmltooling::QName* SecurityPolicy::getRole() const
126 const TrustEngine* SecurityPolicy::getTrustEngine() const
131 bool SecurityPolicy::getValidating() const
136 bool SecurityPolicy::requireEntityIssuer() const
141 const vector<xstring>& SecurityPolicy::getAudiences() const
146 vector<xstring>& SecurityPolicy::getAudiences()
151 time_t SecurityPolicy::getTime() const
154 return m_ts = time(NULL);
158 const XMLCh* SecurityPolicy::getCorrelationID() const
160 return m_correlationID.c_str();
163 vector<const SecurityPolicyRule*>& SecurityPolicy::getRules()
168 void SecurityPolicy::setMetadataProvider(const MetadataProvider* metadata)
170 m_metadata = metadata;
173 void SecurityPolicy::setMetadataProviderCriteria(MetadataProvider::Criteria* criteria)
175 if (m_metadataCriteria)
176 delete m_metadataCriteria;
177 m_metadataCriteria=criteria;
180 void SecurityPolicy::setRole(const xmltooling::QName* role)
183 m_role = role ? new xmltooling::QName(*role) : NULL;
186 void SecurityPolicy::setTrustEngine(const TrustEngine* trust)
191 void SecurityPolicy::setValidating(bool validate)
193 m_validate = validate;
196 void SecurityPolicy::requireEntityIssuer(bool entityOnly)
198 m_entityOnly = entityOnly;
201 void SecurityPolicy::setTime(time_t ts)
206 void SecurityPolicy::setCorrelationID(const XMLCh* correlationID)
208 m_correlationID.erase();
210 m_correlationID = correlationID;
213 void SecurityPolicy::evaluate(const XMLObject& message, const GenericRequest* request)
215 for (vector<const SecurityPolicyRule*>::const_iterator i=m_rules.begin(); i!=m_rules.end(); ++i)
216 (*i)->evaluate(message,request,*this);
219 void SecurityPolicy::reset(bool messageOnly)
224 void SecurityPolicy::_reset(bool messageOnly)
232 m_authenticated=false;
236 const XMLCh* SecurityPolicy::getMessageID() const
238 return m_messageID.c_str();
241 time_t SecurityPolicy::getIssueInstant() const
243 return m_issueInstant;
246 const Issuer* SecurityPolicy::getIssuer() const
251 const RoleDescriptor* SecurityPolicy::getIssuerMetadata() const
256 bool SecurityPolicy::isAuthenticated() const
258 return m_authenticated;
261 void SecurityPolicy::setMessageID(const XMLCh* id)
268 void SecurityPolicy::setIssueInstant(time_t issueInstant)
270 m_issueInstant = issueInstant;
273 void SecurityPolicy::setIssuer(const Issuer* issuer)
275 if (!getIssuerMatchingPolicy().issuerMatches(m_issuer, issuer))
276 throw SecurityPolicyException("An Issuer was supplied that conflicts with previous results.");
279 if (m_entityOnly && issuer->getFormat() && !XMLString::equals(issuer->getFormat(), NameIDType::ENTITY))
280 throw SecurityPolicyException("A non-entity Issuer was supplied, violating policy.");
282 m_issuer=issuer->cloneIssuer();
286 void SecurityPolicy::setIssuer(const XMLCh* issuer)
288 if (!getIssuerMatchingPolicy().issuerMatches(m_issuer, issuer))
289 throw SecurityPolicyException("An Issuer was supplied that conflicts with previous results.");
291 if (!m_issuer && issuer && *issuer) {
293 m_issuer = IssuerBuilder::buildIssuer();
294 m_issuer->setName(issuer);
298 void SecurityPolicy::setIssuerMetadata(const RoleDescriptor* issuerRole)
300 if (issuerRole && m_issuerRole && issuerRole!=m_issuerRole)
301 throw SecurityPolicyException("A rule supplied a RoleDescriptor that conflicts with previous results.");
302 m_issuerRole=issuerRole;
305 void SecurityPolicy::setAuthenticated(bool auth)
307 m_authenticated = auth;
310 SecurityPolicy::IssuerMatchingPolicy::IssuerMatchingPolicy()
314 SecurityPolicy::IssuerMatchingPolicy::~IssuerMatchingPolicy()
318 bool SecurityPolicy::IssuerMatchingPolicy::issuerMatches(const Issuer* issuer1, const Issuer* issuer2) const
320 // NULL matches anything for the purposes of this interface.
321 if (!issuer1 || !issuer2)
324 const XMLCh* op1=issuer1->getName();
325 const XMLCh* op2=issuer2->getName();
326 if (!op1 || !op2 || !XMLString::equals(op1,op2))
329 op1=issuer1->getFormat();
330 op2=issuer2->getFormat();
331 if (!XMLString::equals(op1 ? op1 : NameIDType::ENTITY, op2 ? op2 : NameIDType::ENTITY))
334 op1=issuer1->getNameQualifier();
335 op2=issuer2->getNameQualifier();
336 if (!XMLString::equals(op1 ? op1 : &chNull, op2 ? op2 : &chNull))
339 op1=issuer1->getSPNameQualifier();
340 op2=issuer2->getSPNameQualifier();
341 if (!XMLString::equals(op1 ? op1 : &chNull, op2 ? op2 : &chNull))
347 bool SecurityPolicy::IssuerMatchingPolicy::issuerMatches(const Issuer* issuer1, const XMLCh* issuer2) const
349 // NULL matches anything for the purposes of this interface.
350 if (!issuer1 || !issuer2 || !*issuer2)
353 const XMLCh* op1=issuer1->getName();
354 if (!op1 || !XMLString::equals(op1,issuer2))
357 op1=issuer1->getFormat();
358 if (op1 && *op1 && !XMLString::equals(op1, NameIDType::ENTITY))
361 op1=issuer1->getNameQualifier();
365 op1=issuer1->getSPNameQualifier();
372 SecurityPolicy::IssuerMatchingPolicy SecurityPolicy::m_defaultMatching;
374 const SecurityPolicy::IssuerMatchingPolicy& SecurityPolicy::getIssuerMatchingPolicy() const
376 return m_matchingPolicy ? *m_matchingPolicy : m_defaultMatching;
379 void SecurityPolicy::setIssuerMatchingPolicy(IssuerMatchingPolicy* matchingPolicy)
381 delete m_matchingPolicy;
382 m_matchingPolicy = matchingPolicy;