projects / shibboleth / cpp-opensaml.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
New policy rules for handling conditions.
[shibboleth/cpp-opensaml.git] / saml / profile / impl / ConditionsRule.cpp
1 /*
2  *  Copyright 2009 Internet2
3  *
4  * Licensed under the Apache License, Version 2.0 (the "License");
5  * you may not use this file except in compliance with the License.
6  * You may obtain a copy of the License at
7  *
8  *     http://www.apache.org/licenses/LICENSE-2.0
9  *
10  * Unless required by applicable law or agreed to in writing, software
11  * distributed under the License is distributed on an "AS IS" BASIS,
12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13  * See the License for the specific language governing permissions and
14  * limitations under the License.
15  */
16
17 /**
18  * ConditionsRule.cpp
19  *
20  * SAML Conditions SecurityPolicyRule
21  */
22
23 #include "internal.h"
24 #include "exceptions.h"
25 #include "binding/SecurityPolicyRule.h"
26 #include "saml1/core/Assertions.h"
27 #include "saml2/core/Assertions.h"
28
29 #include <xmltooling/logging.h>
30
31 using namespace opensaml;
32 using namespace xmltooling::logging;
33 using namespace xmltooling;
34 using namespace std;
35
36 namespace opensaml {
37     class SAML_DLLLOCAL ConditionsRule : public SecurityPolicyRule
38     {
39     public:
40         ConditionsRule(const DOMElement* e);
41
42         virtual ~ConditionsRule() {
43             for_each(m_rules.begin(), m_rules.end(), xmltooling::cleanup<SecurityPolicyRule>());
44             if (m_doc)
45                 m_doc->release();
46         }
47         const char* getType() const {
48             return CONDITIONS_POLICY_RULE;
49         }
50         bool evaluate(const XMLObject& message, const GenericRequest* request, SecurityPolicy& policy) const;
51
52     private:
53         DOMDocument* m_doc;
54         vector<SecurityPolicyRule*> m_rules;
55     };
56
57     SecurityPolicyRule* SAML_DLLLOCAL ConditionsRuleFactory(const DOMElement* const & e)
58     {
59         return new ConditionsRule(e);
60     }
61
62     static const XMLCh Rule[] =     UNICODE_LITERAL_4(R,u,l,e);
63     static const XMLCh type[] =     UNICODE_LITERAL_4(t,y,p,e);
64
65     const char config[] =
66         "<Rule type=\"Conditions\" xmlns:saml2=\"urn:oasis:names:tc:SAML:2.0:assertion\" xmlns:saml=\"urn:oasis:names:tc:SAML:1.0:assertion\">"\r
67             "<Rule type=\"Audience\"/>"\r
68             "<Rule type=\"Ignore\">saml:DoNotCacheCondition</Rule>"\r
69             "<Rule type=\"Ignore\">saml2:OneTimeUse</Rule>"\r
70             "<Rule type=\"Ignore\">saml2:ProxyRestriction</Rule>"\r
71         "</Rule>";\r
72 };
73
74 ConditionsRule::ConditionsRule(const DOMElement* e) : m_doc(NULL)
75 {
76     Category& log=Category::getInstance(SAML_LOGCAT".SecurityPolicyRule.Conditions");
77
78     if (!e || !e->hasChildNodes()) {
79         // Default the configuration.
80         istringstream in(config);
81         m_doc = XMLToolingConfig::getConfig().getParser().parse(in);
82         e = m_doc->getDocumentElement();
83     }
84
85     e = XMLHelper::getFirstChildElement(e, Rule);
86     while (e) {
87         auto_ptr_char temp(e->getAttributeNS(NULL, type));
88         if (temp.get() && *temp.get()) {
89             try {
90                 log.info("building SecurityPolicyRule of type %s", temp.get());
91                 m_rules.push_back(SAMLConfig::getConfig().SecurityPolicyRuleManager.newPlugin(temp.get(),e));
92             }
93             catch (exception& ex) {
94                 log.crit("error building SecurityPolicyRule: %s", ex.what());
95             }
96         }
97         e = XMLHelper::getNextSiblingElement(e, Rule);
98     }
99 }
100
101 bool ConditionsRule::evaluate(const XMLObject& message, const GenericRequest* request, SecurityPolicy& policy) const
102 {
103     const saml2::Assertion* a2=dynamic_cast<const saml2::Assertion*>(&message);
104     if (a2) {
105         const saml2::Conditions* conds = a2->getConditions();
106         if (!conds)
107             return true;
108
109         // First verify the time conditions, using the specified timestamp.
110         time_t now = policy.getTime();
111         unsigned int skew = XMLToolingConfig::getConfig().clock_skew_secs;
112         time_t t = conds->getNotBeforeEpoch();
113         if (now + skew < t)
114             throw SecurityPolicyException("Assertion is not yet valid.");
115         t = conds->getNotOnOrAfterEpoch();
116         if (t <= now - skew)
117             throw SecurityPolicyException("Assertion is no longer valid.");
118
119         // Now we process conditions, starting with the known types and then extensions.
120
121         bool valid;
122
123         const vector<saml2::AudienceRestriction*>& acvec = conds->getAudienceRestrictions();
124         for (vector<saml2::AudienceRestriction*>::const_iterator ac = acvec.begin(); ac!=acvec.end(); ++ac) {
125             valid = false;
126             for (vector<SecurityPolicyRule*>::const_iterator r = m_rules.begin(); r != m_rules.end(); ++r) {
127                 if ((*r)->evaluate(*(*ac), request, policy))
128                     valid = true;
129             }
130             if (!valid)
131                 throw SecurityPolicyException("AudienceRestriction was not understood by policy.");
132         }
133
134         const vector<saml2::OneTimeUse*>& otvec = conds->getOneTimeUses();
135         for (vector<saml2::OneTimeUse*>::const_iterator ot = otvec.begin(); ot!=otvec.end(); ++ot) {
136             valid = false;
137             for (vector<SecurityPolicyRule*>::const_iterator r = m_rules.begin(); r != m_rules.end(); ++r) {
138                 if ((*r)->evaluate(*(*ot), request, policy))
139                     valid = true;
140             }
141             if (!valid)
142                 throw SecurityPolicyException("OneTimeUse was not understood by policy.");
143         }
144
145         const vector<saml2::ProxyRestriction*> pvec = conds->getProxyRestrictions();
146         for (vector<saml2::ProxyRestriction*>::const_iterator p = pvec.begin(); p!=pvec.end(); ++p) {
147             valid = false;
148             for (vector<SecurityPolicyRule*>::const_iterator r = m_rules.begin(); r != m_rules.end(); ++r) {
149                 if ((*r)->evaluate(*(*p), request, policy))
150                     valid = true;
151             }
152             if (!valid)
153                 throw SecurityPolicyException("ProxyRestriction was not understood by policy.");
154         }
155
156         const vector<saml2::Condition*>& convec = conds->getConditions();
157         for (vector<saml2::Condition*>::const_iterator c = convec.begin(); c!=convec.end(); ++c) {
158             valid = false;
159             for (vector<SecurityPolicyRule*>::const_iterator r = m_rules.begin(); r != m_rules.end(); ++r) {
160                 if ((*r)->evaluate(*(*c), request, policy))
161                     valid = true;
162             }
163             if (!valid)
164                 throw SecurityPolicyException("Condition ($1) was not understood by policy.", params(1,(*c)->getElementQName().toString().c_str()));
165         }
166
167         return true;
168     }
169
170     const saml1::Assertion* a1=dynamic_cast<const saml1::Assertion*>(&message);
171     if (a1) {
172         const saml1::Conditions* conds = a1->getConditions();
173         if (!conds)
174             return true;
175
176         // First verify the time conditions, using the specified timestamp.
177         time_t now = policy.getTime();
178         unsigned int skew = XMLToolingConfig::getConfig().clock_skew_secs;
179         time_t t = conds->getNotBeforeEpoch();
180         if (now + skew < t)
181             throw SecurityPolicyException("Assertion is not yet valid.");
182         t = conds->getNotOnOrAfterEpoch();
183         if (t <= now - skew)
184             throw SecurityPolicyException("Assertion is no longer valid.");
185
186         // Now we process conditions, starting with the known types and then extensions.
187
188         bool valid;
189
190         const vector<saml1::AudienceRestrictionCondition*>& acvec = conds->getAudienceRestrictionConditions();
191         for (vector<saml1::AudienceRestrictionCondition*>::const_iterator ac = acvec.begin(); ac!=acvec.end(); ++ac) {
192             valid = false;
193             for (vector<SecurityPolicyRule*>::const_iterator r = m_rules.begin(); r != m_rules.end(); ++r) {
194                 if ((*r)->evaluate(*(*ac), request, policy))
195                     valid = true;
196             }
197             if (!valid)
198                 throw SecurityPolicyException("AudienceRestrictionCondition was not understood by policy.");
199         }
200
201         const vector<saml1::DoNotCacheCondition*>& dncvec = conds->getDoNotCacheConditions();
202         for (vector<saml1::DoNotCacheCondition*>::const_iterator dnc = dncvec.begin(); dnc!=dncvec.end(); ++dnc) {
203             valid = false;
204             for (vector<SecurityPolicyRule*>::const_iterator r = m_rules.begin(); r != m_rules.end(); ++r) {
205                 if ((*r)->evaluate(*(*dnc), request, policy))
206                     valid = true;
207             }
208             if (!valid)
209                 throw SecurityPolicyException("DoNotCacheCondition was not understood by policy.");
210         }
211
212         const vector<saml1::Condition*>& convec = conds->getConditions();
213         for (vector<saml1::Condition*>::const_iterator c = convec.begin(); c!=convec.end(); ++c) {
214             valid = false;
215             for (vector<SecurityPolicyRule*>::const_iterator r = m_rules.begin(); r != m_rules.end(); ++r) {
216                 if ((*r)->evaluate(*(*c), request, policy))
217                     valid = true;
218             }
219             if (!valid)
220                 throw SecurityPolicyException("Condition ($1) was not understood by policy.", params(1,(*c)->getElementQName().toString().c_str()));
221         }
222
223         return true;
224     }
225
226     return false;
227 }
Unnamed repository; edit this file 'description' to name the repository.