#ifndef __saml_decoder_h__
#define __saml_decoder_h__
-#include <saml/base.h>
-
+#include <saml/binding/GenericRequest.h>
+#include <saml/binding/SecurityPolicy.h>
#include <xmltooling/XMLObject.h>
namespace opensaml {
class SAML_API SAMLArtifact;
- class SAML_API X509TrustEngine;
namespace saml1p {
class SAML_API Response;
};
class SAML_API IDPSSODescriptor;
class SAML_API RoleDescriptor;
class SAML_API SSODescriptorType;
- }
+ };
/**
* Interface to SAML protocol binding message decoders.
virtual ~MessageDecoder() {}
/**
- * Interface to caller-supplied shim for accessing HTTP request context.
- *
- * To supply information from the surrounding web server environment,
- * a shim must be supplied in the form of this interface to adapt the
- * library to different proprietary server APIs.
- */
- class SAML_API HTTPRequest {
- MAKE_NONCOPYABLE(HTTPRequest);
- protected:
- HTTPRequest() {}
- public:
- virtual ~HTTPRequest() {}
-
- /**
- * Returns the HTTP method of the request (GET, POST, etc.)
- *
- * @return the HTTP method
- */
- virtual const char* getMethod() const=0;
-
- /**
- * Returns the complete request URL, including scheme, host, port.
- *
- * @return the request URL
- */
- virtual const char* getRequestURL() const=0;
-
- /**
- * Returns the HTTP query string appened to the request. The query
- * string is returned without any decoding applied, everything found
- * after the ? delimiter.
- *
- * @return the query string
- */
- virtual const char* getQueryString() const=0;
-
- /**
- * Returns a decoded named parameter value from the query string or form body.
- * If a parameter has multiple values, only one will be returned.
- *
- * @param name the name of the parameter to return
- * @return a single parameter value or NULL
- */
- virtual const char* getParameter(const char* name) const=0;
-
- /**
- * Returns all of the decoded values of a named parameter from the query string
- * or form body. All values found will be returned.
- *
- * @param name the name of the parameter to return
- * @param values a vector in which to return pointers to the decoded values
- * @return the number of values returned
- */
- virtual std::vector<const char*>::size_type getParameters(
- const char* name, std::vector<const char*>& values
- ) const=0;
- };
-
- /**
* Interface to caller-supplied artifact resolution mechanism.
*
* Resolving artifacts requires internally performing a SOAP-based
/**
* Resolves one or more SAML 1.x artifacts into a response containing a set of
- * resolved Assertions. The caller is responsible for the resulting Response.
+ * resolved Assertions. The caller is responsible for the resulting Response.
+ * The supplied SecurityPolicy is used to access caller-supplied infrastructure
+ * and to pass back the result of authenticating the resolution process.
*
- * @param authenticated output flag set to true iff the resolution channel was authenticated
* @param artifacts one or more SAML 1.x artifacts
* @param idpDescriptor reference to IdP role of artifact issuer
- * @param trustEngine optional pointer to X509TrustEngine supplied to MessageDecoder
+ * @param policy reference to policy containing rules, MetadataProvider, TrustEngine, etc.
* @return the corresponding SAML Assertions wrapped in a Response.
*/
virtual saml1p::Response* resolve(
- bool& authenticated,
const std::vector<SAMLArtifact*>& artifacts,
const saml2md::IDPSSODescriptor& idpDescriptor,
- const X509TrustEngine* trustEngine=NULL
+ SecurityPolicy& policy
) const=0;
/**
* Resolves a SAML 2.0 artifact into the corresponding SAML protocol message.
* The caller is responsible for the resulting ArtifactResponse message.
+ * The supplied SecurityPolicy is used to access caller-supplied infrastructure
+ * and to pass back the result of authenticating the resolution process.
*
- * @param authenticated output flag set to true iff the resolution channel was authenticated
* @param artifact reference to a SAML 2.0 artifact
* @param ssoDescriptor reference to SSO role of artifact issuer (may be SP or IdP)
- * @param trustEngine optional pointer to X509TrustEngine supplied to MessageDecoder
+ * @param policy reference to policy containing rules, MetadataProvider, TrustEngine, etc.
* @return the corresponding SAML protocol message or NULL
*/
virtual saml2p::ArtifactResponse* resolve(
- bool& authenticated,
const saml2p::SAML2Artifact& artifact,
const saml2md::SSODescriptorType& ssoDescriptor,
- const X509TrustEngine* trustEngine=NULL
+ SecurityPolicy& policy
) const=0;
};
}
/**
- * Decodes an HTTP request into a SAML protocol message, and returns related
- * information about the issuer of the message and whether it can be trusted.
- * If the HTTP request does not contain the information necessary to decode
- * the request, a NULL will be returned. Errors during the decoding process
- * will be raised as exceptions.
+ * Decodes a transport request into a SAML protocol message, and evaluates it
+ * against a supplied SecurityPolicy. If the transport request does not contain
+ * the information necessary to decode the request, NULL will be returned.
+ * Errors during the decoding process will be raised as exceptions.
*
* <p>Artifact-based bindings require an ArtifactResolver be set to
* turn an artifact into the corresponding message.
*
- * <p>In some cases, a message may be returned but not authenticated. The caller
- * should examine the issuerTrusted output value to establish this.
- *
- * @param relayState RelayState/TARGET value accompanying message
- * @param issuer role descriptor of issuing party
- * @param issuerTrusted output flag set to true iff the message was authenticated
- * (signed or obtained via secure backchannel)
- * @param httpRequest reference to interface for accessing HTTP message to decode
- * @param metadataProvider optional MetadataProvider instance to authenticate the message
- * @param role optional, identifies the role (generally IdP or SP) of the peer who issued the message
- * @param trustEngine optional TrustEngine to authenticate the message
+ * @param relayState will be set to RelayState/TARGET value accompanying message
+ * @param genericRequest reference to interface for accessing transport request to decode
+ * @param policy reference to policy containing rules, MetadataProvider, TrustEngine, etc.
* @return the decoded message, or NULL if the decoder did not recognize the request content
*/
virtual xmltooling::XMLObject* decode(
std::string& relayState,
- const saml2md::RoleDescriptor*& issuer,
- bool& issuerTrusted,
- const HTTPRequest& httpRequest,
- const saml2md::MetadataProvider* metadataProvider=NULL,
- const xmltooling::QName* role=NULL,
- const TrustEngine* trustEngine=NULL
+ const GenericRequest& genericRequest,
+ SecurityPolicy& policy
) const=0;
protected:
* Registers MessageDecoder plugins into the runtime.
*/
void SAML_API registerMessageDecoders();
-
- /** MessageDecoder for SAML 1.x Browser/Artifact "binding" (really part of profile) */
- #define SAML1_ARTIFACT_DECODER "urn:oasis:names:tc:SAML:1.0:profiles:artifact-01"
-
- /** MessageDecoder for SAML 1.x Browser/POST "binding" (really part of profile) */
- #define SAML1_POST_DECODER "urn:oasis:names:tc:SAML:1.0:profiles:browser-post"
-
- /** MessageDecoder for SAML 2.0 HTTP-Artifact binding */
- #define SAML2_ARTIFACT_DECODER "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
-
- /** MessageDecoder for SAML 2.0 HTTP-POST binding */
- #define SAML2_POST_DECODER "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
-
- /** MessageDecoder for SAML 2.0 HTTP-Redirect binding */
- #define SAML2_REDIRECT_DECODER "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
};
#endif /* __saml_decoder_h__ */
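Review bot: The new decode() doc comment no longer tells callers that a non-NULL return is not by itself evidence the message was authenticated; the removed paragraph about examining `issuerTrusted` has no replacement, while the two resolve() comments do say the policy carries the authentication result. Because a caller can now mistake a decoded message for a verified one, I would add after the ArtifactResolver paragraph: ` * <p>A non-NULL return does not imply the message was authenticated; the caller must consult the supplied SecurityPolicy for the outcome of policy evaluation and the identified issuer before trusting the message.` Separately, dropping `#include <saml/base.h>` leaves `SAML_API` and `MAKE_NONCOPYABLE` in this header relying on the two new binding headers to pull base.h in transitively — worth confirming, or keeping that include explicit since the header uses those macros directly. The MessageDecoder class body is only partly shown, so its remaining members were not reviewed.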