saml/binding/impl/SecurityPolicy.cpp

   1 /*
   2  *  Copyright 2001-2009 Internet2
   3  *
   4  * Licensed under the Apache License, Version 2.0 (the "License");
   5  * you may not use this file except in compliance with the License.
   6  * You may obtain a copy of the License at
   7  *
   8  *     http://www.apache.org/licenses/LICENSE-2.0
   9  *
  10  * Unless required by applicable law or agreed to in writing, software
  11  * distributed under the License is distributed on an "AS IS" BASIS,
  12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  13  * See the License for the specific language governing permissions and
  14  * limitations under the License.
  15  */
  16
  17 /**
  18  * SecurityPolicy.cpp
  19  *
  20  * Overall policy used to verify the security of an incoming message.
  21  */
  22
  23 #include "internal.h"
  24 #include "exceptions.h"
  25 #include "binding/SecurityPolicy.h"
  26 #include "binding/SecurityPolicyRule.h"
  27 #include "saml2/core/Assertions.h"
  28
  29 using namespace opensaml::saml2md;
  30 using namespace opensaml::saml2;
  31 using namespace opensaml;
  32 using namespace xmltooling;
  33 using namespace std;
  34
  35 namespace opensaml {
  36     SAML_DLLLOCAL PluginManager<SecurityPolicyRule,string,const DOMElement*>::Factory AudienceRestrictionRuleFactory;
  37     SAML_DLLLOCAL PluginManager<SecurityPolicyRule,string,const DOMElement*>::Factory ClientCertAuthRuleFactory;
  38     SAML_DLLLOCAL PluginManager<SecurityPolicyRule,string,const DOMElement*>::Factory ConditionsRuleFactory;
  39     SAML_DLLLOCAL PluginManager<SecurityPolicyRule,string,const DOMElement*>::Factory IgnoreRuleFactory;
  40     SAML_DLLLOCAL PluginManager<SecurityPolicyRule,string,const DOMElement*>::Factory MessageFlowRuleFactory;
  41     SAML_DLLLOCAL PluginManager<SecurityPolicyRule,string,const DOMElement*>::Factory NullSecurityRuleFactory;
  42     SAML_DLLLOCAL PluginManager<SecurityPolicyRule,string,const DOMElement*>::Factory SimpleSigningRuleFactory;
  43     SAML_DLLLOCAL PluginManager<SecurityPolicyRule,string,const DOMElement*>::Factory XMLSigningRuleFactory;
  44
  45     namespace saml1 {
  46         SAML_DLLLOCAL PluginManager<SecurityPolicyRule,string,const DOMElement*>::Factory BrowserSSORuleFactory;
  47     }
  48
  49     namespace saml2 {
  50         SAML_DLLLOCAL PluginManager<SecurityPolicyRule,string,const DOMElement*>::Factory BearerConfirmationRuleFactory;
  51         SAML_DLLLOCAL PluginManager<SecurityPolicyRule,string,const DOMElement*>::Factory DelegationRestrictionRuleFactory;
  52     }
  53 };
  54
  55 void SAML_API opensaml::registerSecurityPolicyRules()
  56 {
  57     SAMLConfig& conf=SAMLConfig::getConfig();
  58     conf.SecurityPolicyRuleManager.registerFactory(AUDIENCE_POLICY_RULE, AudienceRestrictionRuleFactory);
  59     conf.SecurityPolicyRuleManager.registerFactory(CLIENTCERTAUTH_POLICY_RULE, ClientCertAuthRuleFactory);
  60     conf.SecurityPolicyRuleManager.registerFactory(CONDITIONS_POLICY_RULE, ConditionsRuleFactory);
  61     conf.SecurityPolicyRuleManager.registerFactory(IGNORE_POLICY_RULE, IgnoreRuleFactory);
  62     conf.SecurityPolicyRuleManager.registerFactory(MESSAGEFLOW_POLICY_RULE, MessageFlowRuleFactory);
  63     conf.SecurityPolicyRuleManager.registerFactory(NULLSECURITY_POLICY_RULE, NullSecurityRuleFactory);
  64     conf.SecurityPolicyRuleManager.registerFactory(SIMPLESIGNING_POLICY_RULE, SimpleSigningRuleFactory);
  65     conf.SecurityPolicyRuleManager.registerFactory(XMLSIGNING_POLICY_RULE, XMLSigningRuleFactory);
  66     conf.SecurityPolicyRuleManager.registerFactory(SAML1BROWSERSSO_POLICY_RULE, saml1::BrowserSSORuleFactory);
  67     conf.SecurityPolicyRuleManager.registerFactory(BEARER_POLICY_RULE, saml2::BearerConfirmationRuleFactory);
  68     conf.SecurityPolicyRuleManager.registerFactory(DELEGATION_POLICY_RULE, saml2::DelegationRestrictionRuleFactory);
  69 }
  70
  71 SecurityPolicy::IssuerMatchingPolicy SecurityPolicy::m_defaultMatching;
  72
  73 SecurityPolicy::SecurityPolicy(
  74     const saml2md::MetadataProvider* metadataProvider,
  75     const xmltooling::QName* role,
  76     const xmltooling::TrustEngine* trustEngine,
  77     bool validate
  78     ) : m_metadataCriteria(NULL),
  79         m_issueInstant(0),
  80         m_issuer(NULL),
  81         m_issuerRole(NULL),
  82         m_authenticated(false),
  83         m_matchingPolicy(NULL),
  84         m_metadata(metadataProvider),
  85         m_role(NULL),
  86         m_trust(trustEngine),
  87         m_validate(validate),
  88         m_entityOnly(true),
  89         m_ts(0)
  90 {
  91     if (role)
  92         m_role = new xmltooling::QName(*role);
  93 }
  94
  95 SecurityPolicy::~SecurityPolicy()
  96 {
  97     delete m_metadataCriteria;
  98     delete m_issuer;
  99 }
 100
 101 void SecurityPolicy::reset(bool messageOnly)
 102 {
 103     _reset(messageOnly);
 104 }
 105
 106 void SecurityPolicy::_reset(bool messageOnly)
 107 {
 108     m_messageID.erase();
 109     m_issueInstant=0;
 110     if (!messageOnly) {
 111         delete m_issuer;
 112         m_issuer=NULL;
 113         m_issuerRole=NULL;
 114         m_authenticated=false;
 115     }
 116 }
 117
 118 MetadataProvider::Criteria& SecurityPolicy::getMetadataProviderCriteria() const
 119 {
 120     if (!m_metadataCriteria)
 121         m_metadataCriteria=new MetadataProvider::Criteria();
 122     else
 123         m_metadataCriteria->reset();
 124     return *m_metadataCriteria;
 125 }
 126
 127 void SecurityPolicy::setMetadataProviderCriteria(saml2md::MetadataProvider::Criteria* criteria)
 128 {
 129     if (m_metadataCriteria)
 130         delete m_metadataCriteria;
 131     m_metadataCriteria=criteria;
 132 }
 133
 134 void SecurityPolicy::evaluate(const XMLObject& message, const GenericRequest* request)
 135 {
 136     for (vector<const SecurityPolicyRule*>::const_iterator i=m_rules.begin(); i!=m_rules.end(); ++i)
 137         (*i)->evaluate(message,request,*this);
 138 }
 139
 140 void SecurityPolicy::setIssuer(const Issuer* issuer)
 141 {
 142     if (!getIssuerMatchingPolicy().issuerMatches(m_issuer, issuer))
 143         throw SecurityPolicyException("An Issuer was supplied that conflicts with previous results.");
 144
 145     if (!m_issuer) {
 146         if (m_entityOnly && issuer->getFormat() && !XMLString::equals(issuer->getFormat(), NameIDType::ENTITY))
 147             throw SecurityPolicyException("A non-entity Issuer was supplied, violating policy.");
 148         m_issuerRole = NULL;
 149         m_issuer=issuer->cloneIssuer();
 150     }
 151 }
 152
 153 void SecurityPolicy::setIssuer(const XMLCh* issuer)
 154 {
 155     if (!getIssuerMatchingPolicy().issuerMatches(m_issuer, issuer))
 156         throw SecurityPolicyException("An Issuer was supplied that conflicts with previous results.");
 157
 158     if (!m_issuer && issuer && *issuer) {
 159         m_issuerRole = NULL;
 160         m_issuer = IssuerBuilder::buildIssuer();
 161         m_issuer->setName(issuer);
 162     }
 163 }
 164
 165 void SecurityPolicy::setIssuerMetadata(const RoleDescriptor* issuerRole)
 166 {
 167     if (issuerRole && m_issuerRole && issuerRole!=m_issuerRole)
 168         throw SecurityPolicyException("A rule supplied a RoleDescriptor that conflicts with previous results.");
 169     m_issuerRole=issuerRole;
 170 }
 171
 172 bool SecurityPolicy::IssuerMatchingPolicy::issuerMatches(const Issuer* issuer1, const Issuer* issuer2) const
 173 {
 174     // NULL matches anything for the purposes of this interface.
 175     if (!issuer1 || !issuer2)
 176         return true;
 177
 178     const XMLCh* op1=issuer1->getName();
 179     const XMLCh* op2=issuer2->getName();
 180     if (!op1 || !op2 || !XMLString::equals(op1,op2))
 181         return false;
 182
 183     op1=issuer1->getFormat();
 184     op2=issuer2->getFormat();
 185     if (!XMLString::equals(op1 ? op1 : NameIDType::ENTITY, op2 ? op2 : NameIDType::ENTITY))
 186         return false;
 187
 188     op1=issuer1->getNameQualifier();
 189     op2=issuer2->getNameQualifier();
 190     if (!XMLString::equals(op1 ? op1 : &chNull, op2 ? op2 : &chNull))
 191         return false;
 192
 193     op1=issuer1->getSPNameQualifier();
 194     op2=issuer2->getSPNameQualifier();
 195     if (!XMLString::equals(op1 ? op1 : &chNull, op2 ? op2 : &chNull))
 196         return false;
 197
 198     return true;
 199 }
 200
 201 bool SecurityPolicy::IssuerMatchingPolicy::issuerMatches(const Issuer* issuer1, const XMLCh* issuer2) const
 202 {
 203     // NULL matches anything for the purposes of this interface.
 204     if (!issuer1 || !issuer2 || !*issuer2)
 205         return true;
 206
 207     const XMLCh* op1=issuer1->getName();
 208     if (!op1 || !XMLString::equals(op1,issuer2))
 209         return false;
 210
 211     op1=issuer1->getFormat();
 212     if (op1 && *op1 && !XMLString::equals(op1, NameIDType::ENTITY))
 213         return false;
 214
 215     op1=issuer1->getNameQualifier();
 216     if (op1 && *op1)
 217         return false;
 218
 219     op1=issuer1->getSPNameQualifier();
 220     if (op1 && *op1)
 221         return false;
 222
 223     return true;
 224 }