/**
* Constructor for policy.
*
+ * @param metadataProvider locked MetadataProvider instance
+ * @param role identifies the role (generally IdP or SP) of the policy peer
+ * @param trustEngine TrustEngine to authenticate policy peer
+ */
+ SecurityPolicy(
+ const saml2md::MetadataProvider* metadataProvider=NULL,
+ const xmltooling::QName* role=NULL,
+ const xmltooling::TrustEngine* trustEngine=NULL
+ ) : m_issuer(NULL), m_issuerRole(NULL), m_matchingPolicy(NULL), m_metadata(metadataProvider),
+ m_role(role ? *role : xmltooling::QName()), m_trust(trustEngine) {
+ }
+
+ /**
+ * Constructor for policy using existing rules. The lifetime of the policy rules
+ * must be at least as long as the policy object.
+ *
* @param rules reference to array of policy rules to use
* @param metadataProvider locked MetadataProvider instance
* @param role identifies the role (generally IdP or SP) of the policy peer
const std::vector<const SecurityPolicyRule*>& rules,
const saml2md::MetadataProvider* metadataProvider=NULL,
const xmltooling::QName* role=NULL,
- const TrustEngine* trustEngine=NULL
- ) : m_issuer(NULL), m_issuerRole(NULL), m_rules(rules), m_metadata(metadataProvider),
+ const xmltooling::TrustEngine* trustEngine=NULL
+ ) : m_issuer(NULL), m_issuerRole(NULL), m_matchingPolicy(NULL), m_rules(rules), m_metadata(metadataProvider),
m_role(role ? *role : xmltooling::QName()), m_trust(trustEngine) {
}
+
virtual ~SecurityPolicy();
/**
*
* @return the supplied TrustEngine or NULL
*/
- const TrustEngine* getTrustEngine() const {
+ const xmltooling::TrustEngine* getTrustEngine() const {
return m_trust;
}
/**
- * Evaluates the rule against the given request and message,
+ * Adds a SecurityPolicyRule to the policy. The lifetime of the policy rule
+ * must be at least as long as the policy object.
+ *
+ * @param rule SecurityPolicyRule to add
+ */
+ void addRule(const SecurityPolicyRule* rule) {
+ m_rules.push_back(rule);
+ }
+
+ /**
+ * Sets a locked MetadataProvider for the policy.
+ *
+ * @param metadata a locked MetadataProvider or NULL
+ */
+ void setMetadataProvider(const saml2md::MetadataProvider* metadata) {
+ m_metadata = metadata;
+ }
+
+ /**
+ * Sets a peer role element/type for to the policy.
+ *
+ * @param role the peer role element/type or NULL
+ */
+ void setRole(const xmltooling::QName* role) {
+ m_role = (role ? *role : xmltooling::QName());
+ }
+
+ /**
+ * Sets a TrustEngine for the policy.
+ *
+ * @param trust a TrustEngine or NULL
+ */
+ void setTrustEngine(const xmltooling::TrustEngine* trust) {
+ m_trust = trust;
+ }
+
+ /**
+ * Evaluates the policy against the given request and message,
* possibly populating issuer information in the policy object.
*
- * @param request the protocol request
* @param message the incoming message
- * @return the identity of the message issuer, in one or more of two forms, or NULL
+ * @param request the protocol request
*
- * @throws BindingException thrown if the request/message do not meet the requirements of this rule
+ * @throws BindingException thrown if the request/message do not meet the requirements of this policy
*/
- void evaluate(const GenericRequest& request, const xmltooling::XMLObject& message);
+ void evaluate(const xmltooling::XMLObject& message, const GenericRequest* request=NULL);
/**
* Gets the issuer of the message as determined by the registered policies.
* @param issuerRole metadata for the role the issuer is operating in
*/
void setIssuerMetadata(const saml2md::RoleDescriptor* issuerRole);
+
+ /** Allows override of rules for comparing saml2:Issuer information. */
+ class SAML_API IssuerMatchingPolicy {
+ MAKE_NONCOPYABLE(IssuerMatchingPolicy);
+ public:
+ IssuerMatchingPolicy() {}
+ virtual ~IssuerMatchingPolicy() {}
+
+ /**
+ * Returns true iff the two operands "match". Applications can override this method to
+ * support non-standard issuer matching for complex policies.
+ *
+ * <p>The default implementation does a basic comparison of the XML content, treating
+ * an unsupplied Format as an "entityID".
+ *
+ * @param issuer1 the first Issuer to match
+ * @param issuer2 the second Issuer to match
+ * @return true iff the operands match
+ */
+ virtual bool issuerMatches(const saml2::Issuer* issuer1, const saml2::Issuer* issuer2) const;
+ };
- protected:
/**
- * Returns true iff the two operands "match". Applications can override this method to
- * support non-standard issuer matching for complex policies.
+ * Returns the IssuerMatchingPolicy in effect.
*
- * <p>The default implementation does a basic comparison of the XML content, treating
- * an unsupplied Format as "entityID".
+ * @return the effective IssuerMatchingPolicy
+ */
+ const IssuerMatchingPolicy& getIssuerMatchingPolicy() const {
+ return m_matchingPolicy ? *m_matchingPolicy : m_defaultMatching;
+ }
+
+ /**
+ * Sets the IssuerMatchingPolicy in effect. Setting no policy will
+ * cause the simple, default approach to be used.
+ *
+ * <p>The matching object will be freed by the SecurityPolicy.
*
- * @param issuer1 the first Issuer to match
- * @param issuer2 the second Issuer to match
- * @return true iff the operands match
+ * @param matchingPolicy the IssuerMatchingPolicy to use
*/
- virtual bool issuerMatches(const saml2::Issuer* issuer1, const saml2::Issuer* issuer2) const;
+ void setIssuerMatchingPolicy(IssuerMatchingPolicy* matchingPolicy) {
+ delete m_matchingPolicy;
+ m_matchingPolicy = matchingPolicy;
+ }
+
+ protected:
+ /** A shared matching object that just supports the default matching rules. */
+ static IssuerMatchingPolicy m_defaultMatching;
private:
saml2::Issuer* m_issuer;
const saml2md::RoleDescriptor* m_issuerRole;
+ IssuerMatchingPolicy* m_matchingPolicy;
std::vector<const SecurityPolicyRule*> m_rules;
const saml2md::MetadataProvider* m_metadata;
xmltooling::QName m_role;
- const TrustEngine* m_trust;
+ const xmltooling::TrustEngine* m_trust;
};
};