saml/binding/impl/SecurityPolicy.cpp

   1 /*
   2  *  Copyright 2001-2009 Internet2
   3  *
   4  * Licensed under the Apache License, Version 2.0 (the "License");
   5  * you may not use this file except in compliance with the License.
   6  * You may obtain a copy of the License at
   7  *
   8  *     http://www.apache.org/licenses/LICENSE-2.0
   9  *
  10  * Unless required by applicable law or agreed to in writing, software
  11  * distributed under the License is distributed on an "AS IS" BASIS,
  12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  13  * See the License for the specific language governing permissions and
  14  * limitations under the License.
  15  */
  16
  17 /**
  18  * SecurityPolicy.cpp
  19  *
  20  * Overall policy used to verify the security of an incoming message.
  21  */
  22
  23 #include "internal.h"
  24 #include "exceptions.h"
  25 #include "binding/SecurityPolicy.h"
  26 #include "binding/SecurityPolicyRule.h"
  27 #include "saml2/core/Assertions.h"
  28
  29 using namespace opensaml::saml2md;
  30 using namespace opensaml::saml2;
  31 using namespace opensaml;
  32 using namespace xmltooling;
  33 using namespace std;
  34
  35 namespace opensaml {
  36     SAML_DLLLOCAL PluginManager<SecurityPolicyRule,string,const DOMElement*>::Factory AudienceRestrictionRuleFactory;
  37     SAML_DLLLOCAL PluginManager<SecurityPolicyRule,string,const DOMElement*>::Factory ClientCertAuthRuleFactory;
  38     SAML_DLLLOCAL PluginManager<SecurityPolicyRule,string,const DOMElement*>::Factory ConditionsRuleFactory;
  39     SAML_DLLLOCAL PluginManager<SecurityPolicyRule,string,const DOMElement*>::Factory IgnoreRuleFactory;
  40     SAML_DLLLOCAL PluginManager<SecurityPolicyRule,string,const DOMElement*>::Factory MessageFlowRuleFactory;
  41     SAML_DLLLOCAL PluginManager<SecurityPolicyRule,string,const DOMElement*>::Factory NullSecurityRuleFactory;
  42     SAML_DLLLOCAL PluginManager<SecurityPolicyRule,string,const DOMElement*>::Factory SimpleSigningRuleFactory;
  43     SAML_DLLLOCAL PluginManager<SecurityPolicyRule,string,const DOMElement*>::Factory XMLSigningRuleFactory;
  44
  45     namespace saml1 {
  46         SAML_DLLLOCAL PluginManager<SecurityPolicyRule,string,const DOMElement*>::Factory BrowserSSORuleFactory;
  47     }
  48
  49     namespace saml2 {
  50         SAML_DLLLOCAL PluginManager<SecurityPolicyRule,string,const DOMElement*>::Factory BearerConfirmationRuleFactory;
  51         SAML_DLLLOCAL PluginManager<SecurityPolicyRule,string,const DOMElement*>::Factory DelegationRestrictionRuleFactory;
  52     }
  53 };
  54
  55 void SAML_API opensaml::registerSecurityPolicyRules()
  56 {
  57     SAMLConfig& conf=SAMLConfig::getConfig();
  58     conf.SecurityPolicyRuleManager.registerFactory(AUDIENCE_POLICY_RULE, AudienceRestrictionRuleFactory);
  59     conf.SecurityPolicyRuleManager.registerFactory(CLIENTCERTAUTH_POLICY_RULE, ClientCertAuthRuleFactory);
  60     conf.SecurityPolicyRuleManager.registerFactory(CONDITIONS_POLICY_RULE, ConditionsRuleFactory);
  61     conf.SecurityPolicyRuleManager.registerFactory(IGNORE_POLICY_RULE, IgnoreRuleFactory);
  62     conf.SecurityPolicyRuleManager.registerFactory(MESSAGEFLOW_POLICY_RULE, MessageFlowRuleFactory);
  63     conf.SecurityPolicyRuleManager.registerFactory(NULLSECURITY_POLICY_RULE, NullSecurityRuleFactory);
  64     conf.SecurityPolicyRuleManager.registerFactory(SIMPLESIGNING_POLICY_RULE, SimpleSigningRuleFactory);
  65     conf.SecurityPolicyRuleManager.registerFactory(XMLSIGNING_POLICY_RULE, XMLSigningRuleFactory);
  66     conf.SecurityPolicyRuleManager.registerFactory(SAML1BROWSERSSO_POLICY_RULE, saml1::BrowserSSORuleFactory);
  67     conf.SecurityPolicyRuleManager.registerFactory(BEARER_POLICY_RULE, saml2::BearerConfirmationRuleFactory);
  68     conf.SecurityPolicyRuleManager.registerFactory(DELEGATION_POLICY_RULE, saml2::DelegationRestrictionRuleFactory);
  69 }
  70
  71 SecurityPolicy::IssuerMatchingPolicy SecurityPolicy::m_defaultMatching;
  72
  73 SecurityPolicy::SecurityPolicy(
  74     const saml2md::MetadataProvider* metadataProvider,
  75     const xmltooling::QName* role,
  76     const xmltooling::TrustEngine* trustEngine,
  77     bool validate
  78     ) : m_metadataCriteria(NULL),
  79         m_issueInstant(0),
  80         m_issuer(NULL),
  81         m_issuerRole(NULL),
  82         m_authenticated(false),
  83         m_matchingPolicy(NULL),
  84         m_metadata(metadataProvider),
  85         m_role(NULL),
  86         m_trust(trustEngine),
  87         m_validate(validate),
  88         m_entityOnly(true),
  89         m_ts(0)
  90 {
  91     if (role)
  92         m_role = new xmltooling::QName(*role);
  93 }
  94
  95 SecurityPolicy::~SecurityPolicy()
  96 {
  97     delete m_metadataCriteria;
  98     delete m_issuer;
  99 }
 100
 101 void SecurityPolicy::reset(bool messageOnly)
 102 {
 103     _reset(messageOnly);
 104 }
 105
 106 void SecurityPolicy::_reset(bool messageOnly)
 107 {
 108     m_messageID.erase();
 109     m_issueInstant=0;
 110     if (!messageOnly) {
 111         delete m_issuer;
 112         m_issuer=NULL;
 113         m_issuerRole=NULL;
 114         m_authenticated=false;
 115     }
 116 }
 117
 118 void SecurityPolicy::setRole(const xmltooling::QName* role)
 119 {
 120     delete m_role;
 121     m_role = role ? new xmltooling::QName(*role) : NULL;
 122 }
 123
 124 MetadataProvider::Criteria& SecurityPolicy::getMetadataProviderCriteria() const
 125 {
 126     if (!m_metadataCriteria)
 127         m_metadataCriteria=new MetadataProvider::Criteria();
 128     else
 129         m_metadataCriteria->reset();
 130     return *m_metadataCriteria;
 131 }
 132
 133 void SecurityPolicy::setMetadataProviderCriteria(saml2md::MetadataProvider::Criteria* criteria)
 134 {
 135     if (m_metadataCriteria)
 136         delete m_metadataCriteria;
 137     m_metadataCriteria=criteria;
 138 }
 139
 140 void SecurityPolicy::evaluate(const XMLObject& message, const GenericRequest* request)
 141 {
 142     for (vector<const SecurityPolicyRule*>::const_iterator i=m_rules.begin(); i!=m_rules.end(); ++i)
 143         (*i)->evaluate(message,request,*this);
 144 }
 145
 146 void SecurityPolicy::setIssuer(const Issuer* issuer)
 147 {
 148     if (!getIssuerMatchingPolicy().issuerMatches(m_issuer, issuer))
 149         throw SecurityPolicyException("An Issuer was supplied that conflicts with previous results.");
 150
 151     if (!m_issuer) {
 152         if (m_entityOnly && issuer->getFormat() && !XMLString::equals(issuer->getFormat(), NameIDType::ENTITY))
 153             throw SecurityPolicyException("A non-entity Issuer was supplied, violating policy.");
 154         m_issuerRole = NULL;
 155         m_issuer=issuer->cloneIssuer();
 156     }
 157 }
 158
 159 void SecurityPolicy::setIssuer(const XMLCh* issuer)
 160 {
 161     if (!getIssuerMatchingPolicy().issuerMatches(m_issuer, issuer))
 162         throw SecurityPolicyException("An Issuer was supplied that conflicts with previous results.");
 163
 164     if (!m_issuer && issuer && *issuer) {
 165         m_issuerRole = NULL;
 166         m_issuer = IssuerBuilder::buildIssuer();
 167         m_issuer->setName(issuer);
 168     }
 169 }
 170
 171 void SecurityPolicy::setIssuerMetadata(const RoleDescriptor* issuerRole)
 172 {
 173     if (issuerRole && m_issuerRole && issuerRole!=m_issuerRole)
 174         throw SecurityPolicyException("A rule supplied a RoleDescriptor that conflicts with previous results.");
 175     m_issuerRole=issuerRole;
 176 }
 177
 178 bool SecurityPolicy::IssuerMatchingPolicy::issuerMatches(const Issuer* issuer1, const Issuer* issuer2) const
 179 {
 180     // NULL matches anything for the purposes of this interface.
 181     if (!issuer1 || !issuer2)
 182         return true;
 183
 184     const XMLCh* op1=issuer1->getName();
 185     const XMLCh* op2=issuer2->getName();
 186     if (!op1 || !op2 || !XMLString::equals(op1,op2))
 187         return false;
 188
 189     op1=issuer1->getFormat();
 190     op2=issuer2->getFormat();
 191     if (!XMLString::equals(op1 ? op1 : NameIDType::ENTITY, op2 ? op2 : NameIDType::ENTITY))
 192         return false;
 193
 194     op1=issuer1->getNameQualifier();
 195     op2=issuer2->getNameQualifier();
 196     if (!XMLString::equals(op1 ? op1 : &chNull, op2 ? op2 : &chNull))
 197         return false;
 198
 199     op1=issuer1->getSPNameQualifier();
 200     op2=issuer2->getSPNameQualifier();
 201     if (!XMLString::equals(op1 ? op1 : &chNull, op2 ? op2 : &chNull))
 202         return false;
 203
 204     return true;
 205 }
 206
 207 bool SecurityPolicy::IssuerMatchingPolicy::issuerMatches(const Issuer* issuer1, const XMLCh* issuer2) const
 208 {
 209     // NULL matches anything for the purposes of this interface.
 210     if (!issuer1 || !issuer2 || !*issuer2)
 211         return true;
 212
 213     const XMLCh* op1=issuer1->getName();
 214     if (!op1 || !XMLString::equals(op1,issuer2))
 215         return false;
 216
 217     op1=issuer1->getFormat();
 218     if (op1 && *op1 && !XMLString::equals(op1, NameIDType::ENTITY))
 219         return false;
 220
 221     op1=issuer1->getNameQualifier();
 222     if (op1 && *op1)
 223         return false;
 224
 225     op1=issuer1->getSPNameQualifier();
 226     if (op1 && *op1)
 227         return false;
 228
 229     return true;
 230 }