saml/binding/impl/SecurityPolicy.cpp

   1 /**
   2  * Licensed to the University Corporation for Advanced Internet
   3  * Development, Inc. (UCAID) under one or more contributor license
   4  * agreements. See the NOTICE file distributed with this work for
   5  * additional information regarding copyright ownership.
   6  *
   7  * UCAID licenses this file to you under the Apache License,
   8  * Version 2.0 (the "License"); you may not use this file except
   9  * in compliance with the License. You may obtain a copy of the
  10  * License at
  11  *
  12  * http://www.apache.org/licenses/LICENSE-2.0
  13  *
  14  * Unless required by applicable law or agreed to in writing,
  15  * software distributed under the License is distributed on an
  16  * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND,
  17  * either express or implied. See the License for the specific
  18  * language governing permissions and limitations under the License.
  19  */
  20
  21 /**
  22  * SecurityPolicy.cpp
  23  *
  24  * Overall policy used to verify the security of an incoming message.
  25  */
  26
  27 #include "internal.h"
  28 #include "exceptions.h"
  29 #include "binding/SecurityPolicy.h"
  30 #include "binding/SecurityPolicyRule.h"
  31 #include "saml2/core/Assertions.h"
  32
  33 #include <xercesc/util/XMLUniDefs.hpp>
  34
  35 using namespace opensaml::saml2md;
  36 using namespace opensaml::saml2;
  37 using namespace opensaml;
  38 using namespace xmltooling;
  39 using namespace std;
  40
  41 namespace opensaml {
  42     SAML_DLLLOCAL PluginManager<SecurityPolicyRule,string,const DOMElement*>::Factory AudienceRestrictionRuleFactory;
  43     SAML_DLLLOCAL PluginManager<SecurityPolicyRule,string,const DOMElement*>::Factory ClientCertAuthRuleFactory;
  44     SAML_DLLLOCAL PluginManager<SecurityPolicyRule,string,const DOMElement*>::Factory ConditionsRuleFactory;
  45     SAML_DLLLOCAL PluginManager<SecurityPolicyRule,string,const DOMElement*>::Factory IgnoreRuleFactory;
  46     SAML_DLLLOCAL PluginManager<SecurityPolicyRule,string,const DOMElement*>::Factory MessageFlowRuleFactory;
  47     SAML_DLLLOCAL PluginManager<SecurityPolicyRule,string,const DOMElement*>::Factory NullSecurityRuleFactory;
  48     SAML_DLLLOCAL PluginManager<SecurityPolicyRule,string,const DOMElement*>::Factory SimpleSigningRuleFactory;
  49     SAML_DLLLOCAL PluginManager<SecurityPolicyRule,string,const DOMElement*>::Factory XMLSigningRuleFactory;
  50
  51     namespace saml1 {
  52         SAML_DLLLOCAL PluginManager<SecurityPolicyRule,string,const DOMElement*>::Factory BrowserSSORuleFactory;
  53     }
  54
  55     namespace saml2 {
  56         SAML_DLLLOCAL PluginManager<SecurityPolicyRule,string,const DOMElement*>::Factory BearerConfirmationRuleFactory;
  57         SAML_DLLLOCAL PluginManager<SecurityPolicyRule,string,const DOMElement*>::Factory DelegationRestrictionRuleFactory;
  58     }
  59 };
  60
  61 void SAML_API opensaml::registerSecurityPolicyRules()
  62 {
  63     SAMLConfig& conf=SAMLConfig::getConfig();
  64     conf.SecurityPolicyRuleManager.registerFactory(AUDIENCE_POLICY_RULE, AudienceRestrictionRuleFactory);
  65     conf.SecurityPolicyRuleManager.registerFactory(CLIENTCERTAUTH_POLICY_RULE, ClientCertAuthRuleFactory);
  66     conf.SecurityPolicyRuleManager.registerFactory(CONDITIONS_POLICY_RULE, ConditionsRuleFactory);
  67     conf.SecurityPolicyRuleManager.registerFactory(IGNORE_POLICY_RULE, IgnoreRuleFactory);
  68     conf.SecurityPolicyRuleManager.registerFactory(MESSAGEFLOW_POLICY_RULE, MessageFlowRuleFactory);
  69     conf.SecurityPolicyRuleManager.registerFactory(NULLSECURITY_POLICY_RULE, NullSecurityRuleFactory);
  70     conf.SecurityPolicyRuleManager.registerFactory(SIMPLESIGNING_POLICY_RULE, SimpleSigningRuleFactory);
  71     conf.SecurityPolicyRuleManager.registerFactory(XMLSIGNING_POLICY_RULE, XMLSigningRuleFactory);
  72     conf.SecurityPolicyRuleManager.registerFactory(SAML1BROWSERSSO_POLICY_RULE, saml1::BrowserSSORuleFactory);
  73     conf.SecurityPolicyRuleManager.registerFactory(BEARER_POLICY_RULE, saml2::BearerConfirmationRuleFactory);
  74     conf.SecurityPolicyRuleManager.registerFactory(DELEGATION_POLICY_RULE, saml2::DelegationRestrictionRuleFactory);
  75 }
  76
  77 SecurityPolicyRule::SecurityPolicyRule()
  78 {
  79 }
  80
  81 SecurityPolicyRule::~SecurityPolicyRule()
  82 {
  83 }
  84
  85 SecurityPolicy::SecurityPolicy(
  86     const saml2md::MetadataProvider* metadataProvider,
  87     const xmltooling::QName* role,
  88     const xmltooling::TrustEngine* trustEngine,
  89     bool validate
  90     ) : m_metadataCriteria(nullptr),
  91         m_issueInstant(0),
  92         m_issuer(nullptr),
  93         m_issuerRole(nullptr),
  94         m_authenticated(false),
  95         m_matchingPolicy(nullptr),
  96         m_metadata(metadataProvider),
  97         m_role(nullptr),
  98         m_trust(trustEngine),
  99         m_validate(validate),
 100         m_entityOnly(true),
 101         m_ts(0)
 102 {
 103     if (role)
 104         m_role = new xmltooling::QName(*role);
 105 }
 106
 107 SecurityPolicy::~SecurityPolicy()
 108 {
 109     delete m_metadataCriteria;
 110     delete m_issuer;
 111 }
 112
 113 const MetadataProvider* SecurityPolicy::getMetadataProvider() const
 114 {
 115     return m_metadata;
 116 }
 117
 118 MetadataProvider::Criteria& SecurityPolicy::getMetadataProviderCriteria() const
 119 {
 120     if (!m_metadataCriteria)
 121         m_metadataCriteria=new MetadataProvider::Criteria();
 122     else
 123         m_metadataCriteria->reset();
 124     return *m_metadataCriteria;
 125 }
 126
 127 const xmltooling::QName* SecurityPolicy::getRole() const
 128 {
 129     return m_role;
 130 }
 131
 132 const TrustEngine* SecurityPolicy::getTrustEngine() const
 133 {
 134     return m_trust;
 135 }
 136
 137 bool SecurityPolicy::getValidating() const
 138 {
 139     return m_validate;
 140 }
 141
 142 bool SecurityPolicy::requireEntityIssuer() const
 143 {
 144     return m_entityOnly;
 145 }
 146
 147 const vector<xstring>& SecurityPolicy::getAudiences() const
 148 {
 149     return m_audiences;
 150 }
 151
 152 vector<xstring>& SecurityPolicy::getAudiences()
 153 {
 154     return m_audiences;
 155 }
 156
 157 time_t SecurityPolicy::getTime() const
 158 {
 159     if (m_ts == 0)
 160         return m_ts = time(nullptr);
 161     return m_ts;
 162 }
 163
 164 const XMLCh* SecurityPolicy::getCorrelationID() const
 165 {
 166     return m_correlationID.c_str();
 167 }
 168
 169 vector<const SecurityPolicyRule*>& SecurityPolicy::getRules()
 170 {
 171     return m_rules;
 172 }
 173
 174 void SecurityPolicy::setMetadataProvider(const MetadataProvider* metadata)
 175 {
 176     m_metadata = metadata;
 177 }
 178
 179 void SecurityPolicy::setMetadataProviderCriteria(MetadataProvider::Criteria* criteria)
 180 {
 181     if (m_metadataCriteria)
 182         delete m_metadataCriteria;
 183     m_metadataCriteria=criteria;
 184 }
 185
 186 void SecurityPolicy::setRole(const xmltooling::QName* role)
 187 {
 188     delete m_role;
 189     m_role = role ? new xmltooling::QName(*role) : nullptr;
 190 }
 191
 192 void SecurityPolicy::setTrustEngine(const TrustEngine* trust)
 193 {
 194     m_trust = trust;
 195 }
 196
 197 void SecurityPolicy::setValidating(bool validate)
 198 {
 199     m_validate = validate;
 200 }
 201
 202 void SecurityPolicy::requireEntityIssuer(bool entityOnly)
 203 {
 204     m_entityOnly = entityOnly;
 205 }
 206
 207 void SecurityPolicy::setTime(time_t ts)
 208 {
 209     m_ts = ts;
 210 }
 211
 212 void SecurityPolicy::setCorrelationID(const XMLCh* correlationID)
 213 {
 214     m_correlationID.erase();
 215     if (correlationID)
 216         m_correlationID = correlationID;
 217 }
 218
 219 void SecurityPolicy::evaluate(const XMLObject& message, const GenericRequest* request)
 220 {
 221     for (vector<const SecurityPolicyRule*>::const_iterator i=m_rules.begin(); i!=m_rules.end(); ++i)
 222         (*i)->evaluate(message,request,*this);
 223 }
 224
 225 void SecurityPolicy::reset(bool messageOnly)
 226 {
 227     _reset(messageOnly);
 228 }
 229
 230 void SecurityPolicy::_reset(bool messageOnly)
 231 {
 232     m_messageID.erase();
 233     m_issueInstant=0;
 234     if (!messageOnly) {
 235         delete m_issuer;
 236         m_issuer=nullptr;
 237         m_issuerRole=nullptr;
 238         m_authenticated=false;
 239     }
 240 }
 241
 242 const XMLCh* SecurityPolicy::getMessageID() const
 243 {
 244     return m_messageID.c_str();
 245 }
 246
 247 time_t SecurityPolicy::getIssueInstant() const
 248 {
 249     return m_issueInstant;
 250 }
 251
 252 const Issuer* SecurityPolicy::getIssuer() const
 253 {
 254     return m_issuer;
 255 }
 256
 257 const RoleDescriptor* SecurityPolicy::getIssuerMetadata() const
 258 {
 259     return m_issuerRole;
 260 }
 261
 262 bool SecurityPolicy::isAuthenticated() const
 263 {
 264     return m_authenticated;
 265 }
 266
 267 void SecurityPolicy::setMessageID(const XMLCh* id)
 268 {
 269     m_messageID.erase();
 270     if (id)
 271         m_messageID = id;
 272 }
 273
 274 void SecurityPolicy::setIssueInstant(time_t issueInstant)
 275 {
 276     m_issueInstant = issueInstant;
 277 }
 278
 279 void SecurityPolicy::setIssuer(const Issuer* issuer)
 280 {
 281     if (!getIssuerMatchingPolicy().issuerMatches(m_issuer, issuer))
 282         throw SecurityPolicyException("An Issuer was supplied that conflicts with previous results.");
 283
 284     if (!m_issuer) {
 285         if (m_entityOnly && issuer->getFormat() && !XMLString::equals(issuer->getFormat(), NameIDType::ENTITY))
 286             throw SecurityPolicyException("A non-entity Issuer was supplied, violating policy.");
 287         m_issuerRole = nullptr;
 288         m_issuer=issuer->cloneIssuer();
 289     }
 290 }
 291
 292 void SecurityPolicy::setIssuer(const XMLCh* issuer)
 293 {
 294     if (!getIssuerMatchingPolicy().issuerMatches(m_issuer, issuer))
 295         throw SecurityPolicyException("An Issuer was supplied that conflicts with previous results.");
 296
 297     if (!m_issuer && issuer && *issuer) {
 298         m_issuerRole = nullptr;
 299         m_issuer = IssuerBuilder::buildIssuer();
 300         m_issuer->setName(issuer);
 301     }
 302 }
 303
 304 void SecurityPolicy::setIssuerMetadata(const RoleDescriptor* issuerRole)
 305 {
 306     if (issuerRole && m_issuerRole && issuerRole!=m_issuerRole)
 307         throw SecurityPolicyException("A rule supplied a RoleDescriptor that conflicts with previous results.");
 308     m_issuerRole=issuerRole;
 309 }
 310
 311 void SecurityPolicy::setAuthenticated(bool auth)
 312 {
 313     m_authenticated = auth;
 314 }
 315
 316 SecurityPolicy::IssuerMatchingPolicy::IssuerMatchingPolicy()
 317 {
 318 }
 319
 320 SecurityPolicy::IssuerMatchingPolicy::~IssuerMatchingPolicy()
 321 {
 322 }
 323
 324 bool SecurityPolicy::IssuerMatchingPolicy::issuerMatches(const Issuer* issuer1, const Issuer* issuer2) const
 325 {
 326     // nullptr matches anything for the purposes of this interface.
 327     if (!issuer1 || !issuer2)
 328         return true;
 329
 330     const XMLCh* op1=issuer1->getName();
 331     const XMLCh* op2=issuer2->getName();
 332     if (!op1 || !op2 || !XMLString::equals(op1,op2))
 333         return false;
 334
 335     op1=issuer1->getFormat();
 336     op2=issuer2->getFormat();
 337     if (!XMLString::equals(op1 ? op1 : NameIDType::ENTITY, op2 ? op2 : NameIDType::ENTITY))
 338         return false;
 339
 340     op1=issuer1->getNameQualifier();
 341     op2=issuer2->getNameQualifier();
 342     if (!XMLString::equals(op1 ? op1 : &chNull, op2 ? op2 : &chNull))
 343         return false;
 344
 345     op1=issuer1->getSPNameQualifier();
 346     op2=issuer2->getSPNameQualifier();
 347     if (!XMLString::equals(op1 ? op1 : &chNull, op2 ? op2 : &chNull))
 348         return false;
 349
 350     return true;
 351 }
 352
 353 bool SecurityPolicy::IssuerMatchingPolicy::issuerMatches(const Issuer* issuer1, const XMLCh* issuer2) const
 354 {
 355     // nullptr matches anything for the purposes of this interface.
 356     if (!issuer1 || !issuer2 || !*issuer2)
 357         return true;
 358
 359     const XMLCh* op1=issuer1->getName();
 360     if (!op1 || !XMLString::equals(op1,issuer2))
 361         return false;
 362
 363     op1=issuer1->getFormat();
 364     if (op1 && *op1 && !XMLString::equals(op1, NameIDType::ENTITY))
 365         return false;
 366
 367     op1=issuer1->getNameQualifier();
 368     if (op1 && *op1)
 369         return false;
 370
 371     op1=issuer1->getSPNameQualifier();
 372     if (op1 && *op1)
 373         return false;
 374
 375     return true;
 376 }
 377
 378 SecurityPolicy::IssuerMatchingPolicy SecurityPolicy::m_defaultMatching;
 379
 380 const SecurityPolicy::IssuerMatchingPolicy& SecurityPolicy::getIssuerMatchingPolicy() const
 381 {
 382     return m_matchingPolicy ? *m_matchingPolicy : m_defaultMatching;
 383 }
 384
 385 void SecurityPolicy::setIssuerMatchingPolicy(IssuerMatchingPolicy* matchingPolicy)
 386 {
 387     delete m_matchingPolicy;
 388     m_matchingPolicy = matchingPolicy;
 389 }