2 * Licensed to the University Corporation for Advanced Internet
3 * Development, Inc. (UCAID) under one or more contributor license
4 * agreements. See the NOTICE file distributed with this work for
5 * additional information regarding copyright ownership.
7 * UCAID licenses this file to you under the Apache License,
8 * Version 2.0 (the "License"); you may not use this file except
9 * in compliance with the License. You may obtain a copy of the
12 * http://www.apache.org/licenses/LICENSE-2.0
14 * Unless required by applicable law or agreed to in writing,
15 * software distributed under the License is distributed on an
16 * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND,
17 * either express or implied. See the License for the specific
18 * language governing permissions and limitations under the License.
22 * BearerConfirmationRule.cpp
24 * SAML 2.0 Bearer SubjectConfirmation SecurityPolicyRule.
28 #include "exceptions.h"
29 #include "binding/SecurityPolicyRule.h"
30 #include "saml2/core/Assertions.h"
31 #include "saml2/profile/SAML2AssertionPolicy.h"
33 #include <xercesc/util/XMLUniDefs.hpp>
34 #include <xmltooling/logging.h>
35 #include <xmltooling/XMLToolingConfig.h>
36 #include <xmltooling/io/HTTPRequest.h>
38 using namespace opensaml::saml2;
39 using namespace xmltooling;
45 class SAML_DLLLOCAL BearerConfirmationRule : public opensaml::SecurityPolicyRule
48 BearerConfirmationRule(const DOMElement* e);
50 virtual ~BearerConfirmationRule() {
52 const char* getType() const {
53 return BEARER_POLICY_RULE;
55 bool evaluate(const XMLObject& message, const GenericRequest* request, opensaml::SecurityPolicy& policy) const;
58 bool m_validity, m_recipient, m_correlation, m_fatal;
61 opensaml::SecurityPolicyRule* SAML_DLLLOCAL BearerConfirmationRuleFactory(const DOMElement* const & e)
63 return new BearerConfirmationRule(e);
66 static const XMLCh checkValidity[] = UNICODE_LITERAL_13(c,h,e,c,k,V,a,l,i,d,i,t,y);
67 static const XMLCh checkRecipient[] = UNICODE_LITERAL_14(c,h,e,c,k,R,e,c,i,p,i,e,n,t);
68 static const XMLCh checkCorrelation[] = UNICODE_LITERAL_16(c,h,e,c,k,C,o,r,r,e,l,a,t,i,o,n);
69 static const XMLCh missingFatal[] = UNICODE_LITERAL_12(m,i,s,s,i,n,g,F,a,t,a,l);
73 BearerConfirmationRule::BearerConfirmationRule(const DOMElement* e)
74 : m_validity(XMLHelper::getAttrBool(e, true, checkValidity)),
75 m_recipient(XMLHelper::getAttrBool(e, true, checkRecipient)),
76 m_correlation(XMLHelper::getAttrBool(e, true, checkCorrelation)),
77 m_fatal(XMLHelper::getAttrBool(e, true, missingFatal))
81 bool BearerConfirmationRule::evaluate(const XMLObject& message, const GenericRequest* request, opensaml::SecurityPolicy& policy) const
83 const Assertion* a=dynamic_cast<const Assertion*>(&message);
87 logging::Category& log = logging::Category::getInstance(SAML_LOGCAT".SecurityPolicyRule.BearerConfirmation");
89 const char* msg="assertion is missing bearer SubjectConfirmation";
90 const Subject* subject = a->getSubject();
92 const vector<SubjectConfirmation*>& confs = subject->getSubjectConfirmations();
93 for (vector<SubjectConfirmation*>::const_iterator sc = confs.begin(); sc!=confs.end(); ++sc) {
94 if (XMLString::equals((*sc)->getMethod(), SubjectConfirmation::BEARER)) {
96 const SubjectConfirmationDataType* data = dynamic_cast<const SubjectConfirmationDataType*>((*sc)->getSubjectConfirmationData());
99 const HTTPRequest* httpRequest = dynamic_cast<const HTTPRequest*>(request);
100 if (httpRequest && httpRequest->getRequestURL()) {
101 string dest = httpRequest->getRequestURL();
102 auto_ptr_XMLCh destination(dest.substr(0,dest.find('?')).c_str());
103 if (!XMLString::equals(destination.get(), data ? data->getRecipient() : nullptr)) {
104 msg = "bearer confirmation failed with recipient mismatch";
110 if (m_correlation && policy.getCorrelationID() && *(policy.getCorrelationID())) {
111 if (!XMLString::equals(policy.getCorrelationID(), data ? data->getInResponseTo() : nullptr)) {
112 msg = "bearer confirmation failed with request correlation mismatch";
118 if (!data || !data->getNotOnOrAfter()) {
119 msg = "bearer SubjectConfirmationData missing NotOnOrAfter attribute";
122 else if (data->getNotOnOrAfterEpoch() <= policy.getTime() - XMLToolingConfig::getConfig().clock_skew_secs) {
123 msg = "bearer confirmation has expired";
127 if (data && data->getNotBefore() && policy.getTime() + XMLToolingConfig::getConfig().clock_skew_secs < data->getNotBeforeEpoch()) {
128 msg = "bearer confirmation not yet valid";
133 SAML2AssertionPolicy* saml2policy = dynamic_cast<SAML2AssertionPolicy*>(&policy);
135 saml2policy->setSubjectConfirmation(*sc);
136 log.debug("assertion satisfied bearer confirmation requirements");
142 log.error(msg ? msg : "no error message");
144 throw SecurityPolicyException("Unable to locate satisfiable bearer SubjectConfirmation in assertion.");