2 * Licensed to the University Corporation for Advanced Internet
3 * Development, Inc. (UCAID) under one or more contributor license
4 * agreements. See the NOTICE file distributed with this work for
5 * additional information regarding copyright ownership.
7 * UCAID licenses this file to you under the Apache License,
8 * Version 2.0 (the "License"); you may not use this file except
9 * in compliance with the License. You may obtain a copy of the
12 * http://www.apache.org/licenses/LICENSE-2.0
14 * Unless required by applicable law or agreed to in writing,
15 * software distributed under the License is distributed on an
16 * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND,
17 * either express or implied. See the License for the specific
18 * language governing permissions and limitations under the License.
24 * Overall policy used to verify the security of an incoming message.
28 #include "exceptions.h"
29 #include "binding/SecurityPolicy.h"
30 #include "binding/SecurityPolicyRule.h"
31 #include "saml2/core/Assertions.h"
33 #include <xercesc/util/XMLUniDefs.hpp>
35 using namespace opensaml::saml2md;
36 using namespace opensaml::saml2;
37 using namespace opensaml;
38 using namespace xmltooling;
42 SAML_DLLLOCAL PluginManager<SecurityPolicyRule,string,const DOMElement*>::Factory AudienceRestrictionRuleFactory;
43 SAML_DLLLOCAL PluginManager<SecurityPolicyRule,string,const DOMElement*>::Factory ClientCertAuthRuleFactory;
44 SAML_DLLLOCAL PluginManager<SecurityPolicyRule,string,const DOMElement*>::Factory ConditionsRuleFactory;
45 SAML_DLLLOCAL PluginManager<SecurityPolicyRule,string,const DOMElement*>::Factory IgnoreRuleFactory;
46 SAML_DLLLOCAL PluginManager<SecurityPolicyRule,string,const DOMElement*>::Factory MessageFlowRuleFactory;
47 SAML_DLLLOCAL PluginManager<SecurityPolicyRule,string,const DOMElement*>::Factory NullSecurityRuleFactory;
48 SAML_DLLLOCAL PluginManager<SecurityPolicyRule,string,const DOMElement*>::Factory SimpleSigningRuleFactory;
49 SAML_DLLLOCAL PluginManager<SecurityPolicyRule,string,const DOMElement*>::Factory XMLSigningRuleFactory;
52 SAML_DLLLOCAL PluginManager<SecurityPolicyRule,string,const DOMElement*>::Factory BrowserSSORuleFactory;
56 SAML_DLLLOCAL PluginManager<SecurityPolicyRule,string,const DOMElement*>::Factory BearerConfirmationRuleFactory;
57 SAML_DLLLOCAL PluginManager<SecurityPolicyRule,string,const DOMElement*>::Factory DelegationRestrictionRuleFactory;
61 void SAML_API opensaml::registerSecurityPolicyRules()
63 SAMLConfig& conf=SAMLConfig::getConfig();
64 conf.SecurityPolicyRuleManager.registerFactory(AUDIENCE_POLICY_RULE, AudienceRestrictionRuleFactory);
65 conf.SecurityPolicyRuleManager.registerFactory(CLIENTCERTAUTH_POLICY_RULE, ClientCertAuthRuleFactory);
66 conf.SecurityPolicyRuleManager.registerFactory(CONDITIONS_POLICY_RULE, ConditionsRuleFactory);
67 conf.SecurityPolicyRuleManager.registerFactory(IGNORE_POLICY_RULE, IgnoreRuleFactory);
68 conf.SecurityPolicyRuleManager.registerFactory(MESSAGEFLOW_POLICY_RULE, MessageFlowRuleFactory);
69 conf.SecurityPolicyRuleManager.registerFactory(NULLSECURITY_POLICY_RULE, NullSecurityRuleFactory);
70 conf.SecurityPolicyRuleManager.registerFactory(SIMPLESIGNING_POLICY_RULE, SimpleSigningRuleFactory);
71 conf.SecurityPolicyRuleManager.registerFactory(XMLSIGNING_POLICY_RULE, XMLSigningRuleFactory);
72 conf.SecurityPolicyRuleManager.registerFactory(SAML1BROWSERSSO_POLICY_RULE, saml1::BrowserSSORuleFactory);
73 conf.SecurityPolicyRuleManager.registerFactory(BEARER_POLICY_RULE, saml2::BearerConfirmationRuleFactory);
74 conf.SecurityPolicyRuleManager.registerFactory(DELEGATION_POLICY_RULE, saml2::DelegationRestrictionRuleFactory);
77 SecurityPolicyRule::SecurityPolicyRule()
81 SecurityPolicyRule::~SecurityPolicyRule()
85 SecurityPolicy::SecurityPolicy(
86 const saml2md::MetadataProvider* metadataProvider,
87 const xmltooling::QName* role,
88 const xmltooling::TrustEngine* trustEngine,
90 ) : m_metadataCriteria(nullptr),
93 m_issuerRole(nullptr),
94 m_authenticated(false),
95 m_matchingPolicy(nullptr),
96 m_metadata(metadataProvider),
104 m_role = new xmltooling::QName(*role);
107 SecurityPolicy::~SecurityPolicy()
109 delete m_metadataCriteria;
113 const MetadataProvider* SecurityPolicy::getMetadataProvider() const
118 MetadataProvider::Criteria& SecurityPolicy::getMetadataProviderCriteria() const
120 if (!m_metadataCriteria)
121 m_metadataCriteria=new MetadataProvider::Criteria();
123 m_metadataCriteria->reset();
124 return *m_metadataCriteria;
127 const xmltooling::QName* SecurityPolicy::getRole() const
132 const TrustEngine* SecurityPolicy::getTrustEngine() const
137 bool SecurityPolicy::getValidating() const
142 bool SecurityPolicy::requireEntityIssuer() const
147 const vector<xstring>& SecurityPolicy::getAudiences() const
152 vector<xstring>& SecurityPolicy::getAudiences()
157 time_t SecurityPolicy::getTime() const
160 return m_ts = time(nullptr);
164 const XMLCh* SecurityPolicy::getCorrelationID() const
166 return m_correlationID.c_str();
169 vector<const SecurityPolicyRule*>& SecurityPolicy::getRules()
174 void SecurityPolicy::setMetadataProvider(const MetadataProvider* metadata)
176 m_metadata = metadata;
179 void SecurityPolicy::setMetadataProviderCriteria(MetadataProvider::Criteria* criteria)
181 if (m_metadataCriteria)
182 delete m_metadataCriteria;
183 m_metadataCriteria=criteria;
186 void SecurityPolicy::setRole(const xmltooling::QName* role)
189 m_role = role ? new xmltooling::QName(*role) : nullptr;
192 void SecurityPolicy::setTrustEngine(const TrustEngine* trust)
197 void SecurityPolicy::setValidating(bool validate)
199 m_validate = validate;
202 void SecurityPolicy::requireEntityIssuer(bool entityOnly)
204 m_entityOnly = entityOnly;
207 void SecurityPolicy::setTime(time_t ts)
212 void SecurityPolicy::setCorrelationID(const XMLCh* correlationID)
214 m_correlationID.erase();
216 m_correlationID = correlationID;
219 void SecurityPolicy::evaluate(const XMLObject& message, const GenericRequest* request)
221 for (vector<const SecurityPolicyRule*>::const_iterator i=m_rules.begin(); i!=m_rules.end(); ++i)
222 (*i)->evaluate(message,request,*this);
225 void SecurityPolicy::reset(bool messageOnly)
230 void SecurityPolicy::_reset(bool messageOnly)
237 m_issuerRole=nullptr;
238 m_authenticated=false;
242 const XMLCh* SecurityPolicy::getMessageID() const
244 return m_messageID.c_str();
247 time_t SecurityPolicy::getIssueInstant() const
249 return m_issueInstant;
252 const Issuer* SecurityPolicy::getIssuer() const
257 const RoleDescriptor* SecurityPolicy::getIssuerMetadata() const
262 bool SecurityPolicy::isAuthenticated() const
264 return m_authenticated;
267 void SecurityPolicy::setMessageID(const XMLCh* id)
274 void SecurityPolicy::setIssueInstant(time_t issueInstant)
276 m_issueInstant = issueInstant;
279 void SecurityPolicy::setIssuer(const Issuer* issuer)
281 if (!getIssuerMatchingPolicy().issuerMatches(m_issuer, issuer))
282 throw SecurityPolicyException("An Issuer was supplied that conflicts with previous results.");
285 if (m_entityOnly && issuer->getFormat() && !XMLString::equals(issuer->getFormat(), NameIDType::ENTITY))
286 throw SecurityPolicyException("A non-entity Issuer was supplied, violating policy.");
287 m_issuerRole = nullptr;
288 m_issuer=issuer->cloneIssuer();
292 void SecurityPolicy::setIssuer(const XMLCh* issuer)
294 if (!getIssuerMatchingPolicy().issuerMatches(m_issuer, issuer))
295 throw SecurityPolicyException("An Issuer was supplied that conflicts with previous results.");
297 if (!m_issuer && issuer && *issuer) {
298 m_issuerRole = nullptr;
299 m_issuer = IssuerBuilder::buildIssuer();
300 m_issuer->setName(issuer);
304 void SecurityPolicy::setIssuerMetadata(const RoleDescriptor* issuerRole)
306 if (issuerRole && m_issuerRole && issuerRole!=m_issuerRole)
307 throw SecurityPolicyException("A rule supplied a RoleDescriptor that conflicts with previous results.");
308 m_issuerRole=issuerRole;
311 void SecurityPolicy::setAuthenticated(bool auth)
313 m_authenticated = auth;
316 SecurityPolicy::IssuerMatchingPolicy::IssuerMatchingPolicy()
320 SecurityPolicy::IssuerMatchingPolicy::~IssuerMatchingPolicy()
324 bool SecurityPolicy::IssuerMatchingPolicy::issuerMatches(const Issuer* issuer1, const Issuer* issuer2) const
326 // nullptr matches anything for the purposes of this interface.
327 if (!issuer1 || !issuer2)
330 const XMLCh* op1=issuer1->getName();
331 const XMLCh* op2=issuer2->getName();
332 if (!op1 || !op2 || !XMLString::equals(op1,op2))
335 op1=issuer1->getFormat();
336 op2=issuer2->getFormat();
337 if (!XMLString::equals(op1 ? op1 : NameIDType::ENTITY, op2 ? op2 : NameIDType::ENTITY))
340 op1=issuer1->getNameQualifier();
341 op2=issuer2->getNameQualifier();
342 if (!XMLString::equals(op1 ? op1 : &chNull, op2 ? op2 : &chNull))
345 op1=issuer1->getSPNameQualifier();
346 op2=issuer2->getSPNameQualifier();
347 if (!XMLString::equals(op1 ? op1 : &chNull, op2 ? op2 : &chNull))
353 bool SecurityPolicy::IssuerMatchingPolicy::issuerMatches(const Issuer* issuer1, const XMLCh* issuer2) const
355 // nullptr matches anything for the purposes of this interface.
356 if (!issuer1 || !issuer2 || !*issuer2)
359 const XMLCh* op1=issuer1->getName();
360 if (!op1 || !XMLString::equals(op1,issuer2))
363 op1=issuer1->getFormat();
364 if (op1 && *op1 && !XMLString::equals(op1, NameIDType::ENTITY))
367 op1=issuer1->getNameQualifier();
371 op1=issuer1->getSPNameQualifier();
378 SecurityPolicy::IssuerMatchingPolicy SecurityPolicy::m_defaultMatching;
380 const SecurityPolicy::IssuerMatchingPolicy& SecurityPolicy::getIssuerMatchingPolicy() const
382 return m_matchingPolicy ? *m_matchingPolicy : m_defaultMatching;
385 void SecurityPolicy::setIssuerMatchingPolicy(IssuerMatchingPolicy* matchingPolicy)
387 delete m_matchingPolicy;
388 m_matchingPolicy = matchingPolicy;