Streamline setIssuer call in policy.

[shibboleth/cpp-opensaml.git] / saml / binding / SecurityPolicy.h

diff --git a/saml/binding/SecurityPolicy.h b/saml/binding/SecurityPolicy.h
index 1870595..1c02ab8 100644 (file)
--- a/saml/binding/SecurityPolicy.h
+++ b/saml/binding/SecurityPolicy.h
@@ -67,13 +67,16 @@ namespace opensaml {
          * @param metadataProvider  locked MetadataProvider instance
          * @param role              identifies the role (generally IdP or SP) of the policy peer 
          * @param trustEngine       TrustEngine to authenticate policy peer
+         * @param validate          true iff XML parsing should be done with validation
          */
         SecurityPolicy(
             const saml2md::MetadataProvider* metadataProvider=NULL,
             const xmltooling::QName* role=NULL,
-            const xmltooling::TrustEngine* trustEngine=NULL
-            ) : m_messageQName(NULL), m_messageID(NULL), m_issueInstant(0), m_issuer(NULL), m_issuerRole(NULL), m_secure(false),
-                m_matchingPolicy(NULL), m_metadata(metadataProvider), m_role(NULL), m_trust(trustEngine) {
+            const xmltooling::TrustEngine* trustEngine=NULL,
+            bool validate=true
+            ) : m_messageQName(NULL), m_messageID(NULL), m_issueInstant(0),
+                m_issuer(NULL), m_issuerRole(NULL), m_secure(false), m_matchingPolicy(NULL),
+                m_metadata(metadataProvider), m_role(NULL), m_trust(trustEngine), m_validate(validate) {
             if (role)
                 m_role = new xmltooling::QName(*role);
         }
@@ -86,14 +89,17 @@ namespace opensaml {
          * @param metadataProvider  locked MetadataProvider instance
          * @param role              identifies the role (generally IdP or SP) of the policy peer 
          * @param trustEngine       TrustEngine to authenticate policy peer
+         * @param validate          true iff XML parsing should be done with validation
          */
         SecurityPolicy(
             const std::vector<const SecurityPolicyRule*>& rules,
             const saml2md::MetadataProvider* metadataProvider=NULL,
             const xmltooling::QName* role=NULL,
-            const xmltooling::TrustEngine* trustEngine=NULL
-            ) : m_messageQName(NULL), m_messageID(NULL), m_issueInstant(0), m_issuer(NULL), m_issuerRole(NULL), m_secure(false),
-                m_matchingPolicy(NULL), m_rules(rules), m_metadata(metadataProvider), m_role(NULL), m_trust(trustEngine) {
+            const xmltooling::TrustEngine* trustEngine=NULL,
+            bool validate=true
+            ) : m_messageQName(NULL), m_messageID(NULL), m_issueInstant(0),
+                m_issuer(NULL), m_issuerRole(NULL), m_secure(false), m_matchingPolicy(NULL),
+                m_rules(rules), m_metadata(metadataProvider), m_role(NULL), m_trust(trustEngine), m_validate(validate) {
             if (role)
                 m_role = new xmltooling::QName(*role);
         }
@@ -128,6 +134,15 @@ namespace opensaml {
         }
 
         /**
+         * Returns XML message validation setting.
+         * 
+         * @return validation flag
+         */
+        bool getValidating() const {
+            return m_validate;
+        } 
+
+        /**
          * Adds a SecurityPolicyRule to the policy. The lifetime of the policy rule
          * must be at least as long as the policy object.
          * 
@@ -166,6 +181,17 @@ namespace opensaml {
         }
 
         /**
+         * Controls schema validation of incoming XML messages.
+         * This is separate from other forms of programmatic validation of objects,
+         * but can detect a much wider range of syntax errors. 
+         * 
+         * @param validate  validation setting
+         */
+        void setValidating(bool validate=true) {
+            m_validate = validate;
+        }
+        
+        /**
          * Evaluates the policy against the given request and message,
          * possibly populating message information in the policy object.
          * 
@@ -266,11 +292,17 @@ namespace opensaml {
 
         /**
          * Sets the issuer of the message as determined by the registered policies.
-         * The policy object takes ownership of the Issuer object.
          * 
          * @param issuer issuer of the message
          */
-        void setIssuer(saml2::Issuer* issuer);
+        void setIssuer(const saml2::Issuer* issuer);
+
+        /**
+         * Sets the issuer of the message as determined by the registered policies.
+         * 
+         * @param issuer issuer of the message
+         */
+        void setIssuer(const XMLCh* issuer);
         
         /**
          * Sets the metadata for the role the issuer is operating in.
@@ -307,6 +339,19 @@ namespace opensaml {
              * @return  true iff the operands match
              */
             virtual bool issuerMatches(const saml2::Issuer* issuer1, const saml2::Issuer* issuer2) const;
+
+            /**
+             * Returns true iff the two operands "match". Applications can override this method to
+             * support non-standard issuer matching for complex policies. 
+             * 
+             * <p>The default implementation does a basic comparison of the XML content, treating
+             * an unsupplied Format as an "entityID".
+             * 
+             * @param issuer1   the first Issuer to match
+             * @param issuer2   the second Issuer to match
+             * @return  true iff the operands match
+             */
+            virtual bool issuerMatches(const saml2::Issuer* issuer1, const XMLCh* issuer2) const;
         };
 
         /**
@@ -350,6 +395,7 @@ namespace opensaml {
         const saml2md::MetadataProvider* m_metadata;
         xmltooling::QName* m_role;
         const xmltooling::TrustEngine* m_trust;
+        bool m_validate;
     };
 
 };