saml/binding/impl/SecurityPolicy.cpp

   1 /*
   2  *  Copyright 2001-2006 Internet2
   3  *
   4  * Licensed under the Apache License, Version 2.0 (the "License");
   5  * you may not use this file except in compliance with the License.
   6  * You may obtain a copy of the License at
   7  *
   8  *     http://www.apache.org/licenses/LICENSE-2.0
   9  *
  10  * Unless required by applicable law or agreed to in writing, software
  11  * distributed under the License is distributed on an "AS IS" BASIS,
  12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  13  * See the License for the specific language governing permissions and
  14  * limitations under the License.
  15  */
  16
  17 /**
  18  * SecurityPolicy.cpp
  19  *
  20  * Overall policy used to verify the security of an incoming message.
  21  */
  22
  23 #include "internal.h"
  24 #include "exceptions.h"
  25 #include "binding/SecurityPolicy.h"
  26 #include "saml1/core/Assertions.h"
  27 #include "saml1/core/Protocols.h"
  28 #include "saml2/core/Assertions.h"
  29 #include "saml2/core/Protocols.h"
  30
  31 using namespace opensaml::saml2md;
  32 using namespace opensaml::saml2;
  33 using namespace opensaml;
  34 using namespace xmltooling;
  35 using namespace std;
  36
  37 namespace opensaml {
  38     SAML_DLLLOCAL PluginManager<SecurityPolicyRule,const DOMElement*>::Factory ClientCertAuthRuleFactory;
  39     SAML_DLLLOCAL PluginManager<SecurityPolicyRule,const DOMElement*>::Factory MessageFlowRuleFactory;
  40     SAML_DLLLOCAL PluginManager<SecurityPolicyRule,const DOMElement*>::Factory SimpleSigningRuleFactory;
  41     SAML_DLLLOCAL PluginManager<SecurityPolicyRule,const DOMElement*>::Factory XMLSigningRuleFactory;
  42 };
  43
  44 void SAML_API opensaml::registerSecurityPolicyRules()
  45 {
  46     SAMLConfig& conf=SAMLConfig::getConfig();
  47     conf.SecurityPolicyRuleManager.registerFactory(CLIENTCERTAUTH_POLICY_RULE, ClientCertAuthRuleFactory);
  48     conf.SecurityPolicyRuleManager.registerFactory(MESSAGEFLOW_POLICY_RULE, MessageFlowRuleFactory);
  49     conf.SecurityPolicyRuleManager.registerFactory(SIMPLESIGNING_POLICY_RULE, SimpleSigningRuleFactory);
  50     conf.SecurityPolicyRuleManager.registerFactory(XMLSIGNING_POLICY_RULE, XMLSigningRuleFactory);
  51 }
  52
  53 SecurityPolicy::IssuerMatchingPolicy SecurityPolicy::m_defaultMatching;
  54
  55 SecurityPolicy::~SecurityPolicy()
  56 {
  57     delete m_matchingPolicy;
  58     delete m_issuer;
  59 }
  60
  61 void SecurityPolicy::evaluate(const GenericRequest& request, const XMLObject& message)
  62 {
  63     for (vector<const SecurityPolicyRule*>::const_iterator i=m_rules.begin(); i!=m_rules.end(); ++i) {
  64
  65         // Run the rule...
  66         pair<Issuer*,const RoleDescriptor*> ident = (*i)->evaluate(request,message,m_metadata,&m_role,m_trust);
  67
  68         // Make sure returned issuer doesn't conflict.
  69
  70         if (ident.first) {
  71             if (!getIssuerMatchingPolicy().issuerMatches(ident.first, m_issuer)) {
  72                 delete ident.first;
  73                 throw BindingException("Policy rules returned differing Issuers.");
  74             }
  75             delete m_issuer;
  76             m_issuer=ident.first;
  77         }
  78
  79         if (ident.second) {
  80             if (m_issuerRole && ident.second!=m_issuerRole)
  81                 throw BindingException("Policy rules returned differing issuer RoleDescriptors.");
  82             m_issuerRole=ident.second;
  83         }
  84     }
  85 }
  86
  87 void SecurityPolicy::setIssuer(saml2::Issuer* issuer)
  88 {
  89     if (!getIssuerMatchingPolicy().issuerMatches(issuer, m_issuer)) {
  90         delete issuer;
  91         throw BindingException("Externally provided Issuer conflicts with policy results.");
  92     }
  93
  94     delete m_issuer;
  95     m_issuer=issuer;
  96 }
  97
  98 void SecurityPolicy::setIssuerMetadata(const RoleDescriptor* issuerRole)
  99 {
 100     if (issuerRole && m_issuerRole && issuerRole!=m_issuerRole)
 101         throw BindingException("Externally provided RoleDescriptor conflicts with policy results.");
 102     m_issuerRole=issuerRole;
 103 }
 104
 105 bool SecurityPolicy::IssuerMatchingPolicy::issuerMatches(const Issuer* issuer1, const Issuer* issuer2) const
 106 {
 107     // NULL matches anything for the purposes of this interface.
 108     if (!issuer1 || !issuer2)
 109         return true;
 110
 111     const XMLCh* op1=issuer1->getName();
 112     const XMLCh* op2=issuer2->getName();
 113     if (!op1 || !op2 || !XMLString::equals(op1,op2))
 114         return false;
 115
 116     op1=issuer1->getFormat();
 117     op2=issuer2->getFormat();
 118     if (!XMLString::equals(op1 ? op1 : NameIDType::ENTITY, op2 ? op2 : NameIDType::ENTITY))
 119         return false;
 120
 121     op1=issuer1->getNameQualifier();
 122     op2=issuer2->getNameQualifier();
 123     if (!XMLString::equals(op1 ? op1 : &chNull, op2 ? op2 : &chNull))
 124         return false;
 125
 126     op1=issuer1->getSPNameQualifier();
 127     op2=issuer2->getSPNameQualifier();
 128     if (!XMLString::equals(op1 ? op1 : &chNull, op2 ? op2 : &chNull))
 129         return false;
 130
 131     return true;
 132 }