Merged trust engines back into a unified version, made metadata roles a "KeyInfoSource".

[shibboleth/cpp-opensaml.git] / saml / binding / SecurityPolicyRule.h

diff --git a/saml/binding/SecurityPolicyRule.h b/saml/binding/SecurityPolicyRule.h
index 668d097..517d4b4 100644 (file)
--- a/saml/binding/SecurityPolicyRule.h
+++ b/saml/binding/SecurityPolicyRule.h
@@ -25,10 +25,9 @@
 
 #include <saml/binding/GenericRequest.h>
 #include <xmltooling/XMLObject.h>
+#include <xmltooling/security/TrustEngine.h>
 
 namespace opensaml {
-    class SAML_API TrustEngine;
-    
     namespace saml2 {
         class SAML_API Issuer;
     };
@@ -61,6 +60,7 @@ namespace opensaml {
          * @param metadataProvider  locked MetadataProvider instance to authenticate the message
          * @param role              identifies the role (generally IdP or SP) of the peer who issued the message 
          * @param trustEngine       TrustEngine to authenticate the message
+         * @param extractor         MessageExtractor to use in examining message
          * @return the identity of the message issuer, in two forms, or NULL
          * 
          * @throws BindingException thrown if the request/message do not meet the requirements of this rule
@@ -70,7 +70,7 @@ namespace opensaml {
             const xmltooling::XMLObject& message,
             const saml2md::MetadataProvider* metadataProvider,
             const xmltooling::QName* role,
-            const TrustEngine* trustEngine
+            const xmltooling::TrustEngine* trustEngine
             ) const=0;
     };
 
@@ -80,6 +80,14 @@ namespace opensaml {
     void SAML_API registerSecurityPolicyRules();
 
     /**
+     * SecurityPolicyRule for TLS client certificate authentication.
+     * 
+     * Requires that messages carry information about the issuer, and then
+     * evaluates the claimed certificates against the issuer's metadata.
+     */
+    #define CLIENTCERTAUTH_POLICY_RULE  "org.opensaml.binding.ClientCertAuthRule"
+
+    /**
      * SecurityPolicyRule for replay detection and freshness checking.
      * 
      * <p>A ReplayCache instance must be available from the runtime, unless
@@ -93,13 +101,12 @@ namespace opensaml {
     #define MESSAGEFLOW_POLICY_RULE  "org.opensaml.binding.MessageFlowRule"
 
     /**
-     * SecurityPolicyRule for ensuring messages are delivered to the right place.
+     * SecurityPolicyRule for protocol message "blob" signing.
      * 
-     * <p>Enforcement is mandatory and the message must be explicitly addressed,
-     * unless a "mandatory" XML attribute is set to "0" or "false" when instantiating
-     * the policy rule.
+     * Allows the message issuer to be authenticated using a non-XML digital signature
+     * over the message body. The transport layer is not considered.
      */
-    #define MESSAGEROUTING_POLICY_RULE  "org.opensaml.binding.MessageRoutingRule"
+    #define SIMPLESIGNING_POLICY_RULE  "org.opensaml.binding.SimpleSigningRule"
 
     /**
      * SecurityPolicyRule for protocol message XML signing.
@@ -107,15 +114,7 @@ namespace opensaml {
      * Allows the message issuer to be authenticated using an XML digital signature
      * over the message. The transport layer is not considered.
      */
-    #define MESSAGESIGNING_POLICY_RULE  "org.opensaml.binding.MessageSigningRule"
-
-    /**
-     * SecurityPolicyRule for protocol message "blob" signing.
-     * 
-     * Allows the message issuer to be authenticated using a non-XML digital signature
-     * over the message body. The transport layer is not considered.
-     */
-    #define SIMPLESIGNING_POLICY_RULE  "org.opensaml.binding.SimpleSigningRule"
+    #define XMLSIGNING_POLICY_RULE  "org.opensaml.binding.XMLSigningRule"
 };
 
 #endif /* __saml_secrule_h__ */