X-Git-Url: http://www.project-moonshot.org/gitweb/?p=shibboleth%2Fcpp-opensaml.git;a=blobdiff_plain;f=saml%2Fbinding%2FMessageDecoder.h;h=9f3905df64816105e84651034939d876452e5bdf;hp=535dfc456d2653742d4dd63133eaed6079094e59;hb=7748ee29f760b74bca03c744deacba466a333c43;hpb=b66d32ed939fcf6db7bc52c8626b6ac06a2e97f9 diff --git a/saml/binding/MessageDecoder.h b/saml/binding/MessageDecoder.h index 535dfc4..9f3905d 100644 --- a/saml/binding/MessageDecoder.h +++ b/saml/binding/MessageDecoder.h @@ -1,5 +1,5 @@ /* - * Copyright 2001-2006 Internet2 + * Copyright 2001-2007 Internet2 * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -23,14 +23,13 @@ #ifndef __saml_decoder_h__ #define __saml_decoder_h__ -#include - +#include #include +#include namespace opensaml { class SAML_API SAMLArtifact; - class SAML_API X509TrustEngine; namespace saml1p { class SAML_API Response; }; @@ -43,7 +42,7 @@ namespace opensaml { class SAML_API IDPSSODescriptor; class SAML_API RoleDescriptor; class SAML_API SSODescriptorType; - } + }; /** * Interface to SAML protocol binding message decoders. @@ -55,63 +54,13 @@ namespace opensaml { virtual ~MessageDecoder() {} /** - * Interface to caller-supplied shim for accessing HTTP request context. - * - * To supply information from the surrounding web server environment, - * a shim must be supplied in the form of this interface to adapt the - * library to different proprietary server APIs. + * Indicates whether a web browser or similar user agent delivered the message. + * + * @return true iff the message was delivered by a user agent */ - class SAML_API HTTPRequest { - MAKE_NONCOPYABLE(HTTPRequest); - protected: - HTTPRequest() {} - public: - virtual ~HTTPRequest() {} - - /** - * Returns the HTTP method of the request (GET, POST, etc.) - * - * @return the HTTP method - */ - virtual const char* getMethod() const=0; - - /** - * Returns the complete request URL, including scheme, host, port. - * - * @return the request URL - */ - virtual const char* getRequestURL() const=0; - - /** - * Returns the HTTP query string appened to the request. The query - * string is returned without any decoding applied, everything found - * after the ? delimiter. - * - * @return the query string - */ - virtual const char* getQueryString() const=0; - - /** - * Returns a decoded named parameter value from the query string or form body. - * If a parameter has multiple values, only one will be returned. - * - * @param name the name of the parameter to return - * @return a single parameter value or NULL - */ - virtual const char* getParameter(const char* name) const=0; - - /** - * Returns all of the decoded values of a named parameter from the query string - * or form body. All values found will be returned. - * - * @param name the name of the parameter to return - * @param values a vector in which to return pointers to the decoded values - * @return the number of values returned - */ - virtual std::vector::size_type getParameters( - const char* name, std::vector& values - ) const=0; - }; + virtual bool isUserAgentPresent() const { + return true; + } /** * Interface to caller-supplied artifact resolution mechanism. @@ -128,56 +77,42 @@ namespace opensaml { MAKE_NONCOPYABLE(ArtifactResolver); protected: ArtifactResolver() {} - - /** Flag controlling schema validation. */ - bool m_validate; public: virtual ~ArtifactResolver() {} /** - * Controls schema validation of incoming XML messages. - * This is separate from other forms of programmatic validation of objects, - * but can detect a much wider range of syntax errors. - * - * @param validate true iff the resolver should use a validating XML parser - */ - void setValidating(bool validate=true) { - m_validate = validate; - } - - /** * Resolves one or more SAML 1.x artifacts into a response containing a set of - * resolved Assertions. The caller is responsible for the resulting Response. + * resolved Assertions. The caller is responsible for the resulting Response. + * The supplied SecurityPolicy is used to access caller-supplied infrastructure + * and to pass back the result of authenticating the resolution process. * - * @param authenticated output flag set to true iff the resolution channel was authenticated * @param artifacts one or more SAML 1.x artifacts * @param idpDescriptor reference to IdP role of artifact issuer - * @param trustEngine optional pointer to X509TrustEngine supplied to MessageDecoder + * @param policy reference to policy containing rules, MetadataProvider, TrustEngine, etc. * @return the corresponding SAML Assertions wrapped in a Response. */ virtual saml1p::Response* resolve( - bool& authenticated, const std::vector& artifacts, const saml2md::IDPSSODescriptor& idpDescriptor, - const X509TrustEngine* trustEngine=NULL + SecurityPolicy& policy ) const=0; /** * Resolves a SAML 2.0 artifact into the corresponding SAML protocol message. * The caller is responsible for the resulting ArtifactResponse message. + * The supplied SecurityPolicy is used to access caller-supplied infrastructure + * and to pass back the result of authenticating the resolution process. * - * @param authenticated output flag set to true iff the resolution channel was authenticated * @param artifact reference to a SAML 2.0 artifact * @param ssoDescriptor reference to SSO role of artifact issuer (may be SP or IdP) - * @param trustEngine optional pointer to X509TrustEngine supplied to MessageDecoder + * @param policy reference to policy containing rules, MetadataProvider, TrustEngine, etc. * @return the corresponding SAML protocol message or NULL */ virtual saml2p::ArtifactResponse* resolve( - bool& authenticated, const saml2p::SAML2Artifact& artifact, const saml2md::SSODescriptorType& ssoDescriptor, - const X509TrustEngine* trustEngine=NULL + SecurityPolicy& policy ) const=0; }; @@ -188,66 +123,50 @@ namespace opensaml { * * @param artifactResolver an ArtifactResolver implementation to use */ - void setArtifactResolver(ArtifactResolver* artifactResolver) { + void setArtifactResolver(const ArtifactResolver* artifactResolver) { m_artifactResolver = artifactResolver; - if (m_artifactResolver) - m_artifactResolver->setValidating(m_validate); } /** - * Controls schema validation of incoming XML messages. - * This is separate from other forms of programmatic validation of objects, - * but can detect a much wider range of syntax errors. - * - * @param validate true iff the decoder should use a validating XML parser - */ - void setValidating(bool validate=true) { - m_validate = validate; - if (m_artifactResolver) - m_artifactResolver->setValidating(m_validate); - } - - /** - * Decodes an HTTP request into a SAML protocol message, and returns related - * information about the issuer of the message and whether it can be trusted. - * If the HTTP request does not contain the information necessary to decode - * the request, a NULL will be returned. Errors during the decoding process - * will be raised as exceptions. + * Decodes a transport request into a SAML protocol message, and evaluates it + * against a supplied SecurityPolicy. If the transport request does not contain + * the information necessary to decode the request, NULL will be returned. + * Errors during the decoding process will be raised as exceptions. * *

Artifact-based bindings require an ArtifactResolver be set to * turn an artifact into the corresponding message. * - *

In some cases, a message may be returned but not authenticated. The caller - * should examine the issuerTrusted output value to establish this. - * - * @param relayState RelayState/TARGET value accompanying message - * @param issuer role descriptor of issuing party - * @param issuerTrusted output flag set to true iff the message was authenticated - * (signed or obtained via secure backchannel) - * @param httpRequest reference to interface for accessing HTTP message to decode - * @param metadataProvider optional MetadataProvider instance to authenticate the message - * @param role optional, identifies the role (generally IdP or SP) of the peer who issued the message - * @param trustEngine optional TrustEngine to authenticate the message + * @param relayState will be set to RelayState/TARGET value accompanying message + * @param genericRequest reference to interface for accessing transport request to decode + * @param policy reference to policy containing rules, MetadataProvider, TrustEngine, etc. * @return the decoded message, or NULL if the decoder did not recognize the request content */ virtual xmltooling::XMLObject* decode( std::string& relayState, - const saml2md::RoleDescriptor*& issuer, - bool& issuerTrusted, - const HTTPRequest& httpRequest, - const saml2md::MetadataProvider* metadataProvider=NULL, - const xmltooling::QName* role=NULL, - const TrustEngine* trustEngine=NULL + const xmltooling::GenericRequest& genericRequest, + SecurityPolicy& policy ) const=0; protected: - MessageDecoder() : m_artifactResolver(NULL), m_validate(false) {} + MessageDecoder() : m_artifactResolver(NULL) {} /** Pointer to an ArtifactResolver implementation. */ - ArtifactResolver* m_artifactResolver; - - /** Flag controlling schema validation. */ - bool m_validate; + const ArtifactResolver* m_artifactResolver; + + /** + * Extracts policy-relevant message details. + * + * @param message the incoming message + * @param request the protocol request + * @param protocol the protocol family in use + * @param policy SecurityPolicy to provide various components and track message data + */ + virtual void extractMessageDetails ( + const xmltooling::XMLObject& message, + const xmltooling::GenericRequest& request, + const XMLCh* protocol, + SecurityPolicy& policy + ) const=0; }; /**