X-Git-Url: http://www.project-moonshot.org/gitweb/?p=shibboleth%2Fcpp-opensaml.git;a=blobdiff_plain;f=saml%2Fbinding%2Fimpl%2FSecurityPolicy.cpp;h=02812a4e882a58f434bbb4cd52beb378cbc374f8;hp=882dfacfad10cc184743a2fed047f61042435db2;hb=003e73203da5cdf8c3d001a75a56b9e45ef6465b;hpb=ceba6432d156e82a9016190c06ae4640c651a257 diff --git a/saml/binding/impl/SecurityPolicy.cpp b/saml/binding/impl/SecurityPolicy.cpp index 882dfac..02812a4 100644 --- a/saml/binding/impl/SecurityPolicy.cpp +++ b/saml/binding/impl/SecurityPolicy.cpp @@ -1,6 +1,6 @@ /* - * Copyright 2001-2006 Internet2 - * + * Copyright 2001-2007 Internet2 + * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at @@ -16,13 +16,13 @@ /** * SecurityPolicy.cpp - * - * Overall policy used to verify the security of an incoming message. + * + * Overall policy used to verify the security of an incoming message. */ #include "internal.h" #include "exceptions.h" -#include "binding/SecurityPolicy.h" +#include "binding/SecurityPolicyRule.h" #include "saml2/core/Assertions.h" using namespace opensaml::saml2md; @@ -32,86 +32,106 @@ using namespace xmltooling; using namespace std; namespace opensaml { - SAML_DLLLOCAL PluginManager::Factory MessageFlowRuleFactory; - SAML_DLLLOCAL PluginManager::Factory MessageRoutingRuleFactory; - SAML_DLLLOCAL PluginManager::Factory MessageSigningRuleFactory; - SAML_DLLLOCAL PluginManager::Factory SimpleSigningRuleFactory; + SAML_DLLLOCAL PluginManager::Factory ClientCertAuthRuleFactory; + SAML_DLLLOCAL PluginManager::Factory MessageFlowRuleFactory; + SAML_DLLLOCAL PluginManager::Factory NullSecurityRuleFactory; + SAML_DLLLOCAL PluginManager::Factory SimpleSigningRuleFactory; + SAML_DLLLOCAL PluginManager::Factory XMLSigningRuleFactory; }; void SAML_API opensaml::registerSecurityPolicyRules() { SAMLConfig& conf=SAMLConfig::getConfig(); + conf.SecurityPolicyRuleManager.registerFactory(CLIENTCERTAUTH_POLICY_RULE, ClientCertAuthRuleFactory); conf.SecurityPolicyRuleManager.registerFactory(MESSAGEFLOW_POLICY_RULE, MessageFlowRuleFactory); - conf.SecurityPolicyRuleManager.registerFactory(MESSAGEROUTING_POLICY_RULE, MessageRoutingRuleFactory); - conf.SecurityPolicyRuleManager.registerFactory(MESSAGESIGNING_POLICY_RULE, MessageSigningRuleFactory); + conf.SecurityPolicyRuleManager.registerFactory(NULLSECURITY_POLICY_RULE, NullSecurityRuleFactory); conf.SecurityPolicyRuleManager.registerFactory(SIMPLESIGNING_POLICY_RULE, SimpleSigningRuleFactory); + conf.SecurityPolicyRuleManager.registerFactory(XMLSIGNING_POLICY_RULE, XMLSigningRuleFactory); } +SecurityPolicy::IssuerMatchingPolicy SecurityPolicy::m_defaultMatching; + SecurityPolicy::~SecurityPolicy() { - delete m_issuer; + reset(false); } -void SecurityPolicy::evaluate(const GenericRequest& request, const XMLObject& message) +void SecurityPolicy::reset(bool messageOnly) { - for (vector::const_iterator i=m_rules.begin(); i!=m_rules.end(); ++i) { - - // Run the rule... - pair ident = (*i)->evaluate(request,message,m_metadata,&m_role,m_trust); - - // Make sure returned issuer doesn't conflict. - - if (ident.first) { - if (!issuerMatches(ident.first, m_issuer)) { - delete ident.first; - throw BindingException("Policy rules returned differing Issuers."); - } - delete m_issuer; - m_issuer=ident.first; - } - - if (ident.second) { - if (m_issuerRole && ident.second!=m_issuerRole) - throw BindingException("Policy rules returned differing issuer RoleDescriptors."); - m_issuerRole=ident.second; - } + XMLString::release(&m_messageID); + m_messageID=NULL; + m_issueInstant=0; + delete m_metadataCriteria; + m_metadataCriteria=NULL; + if (!messageOnly) { + delete m_issuer; + m_issuer=NULL; + m_issuerRole=NULL; + m_authenticated=false; } } -void SecurityPolicy::setIssuer(saml2::Issuer* issuer) +MetadataProvider::Criteria& SecurityPolicy::getMetadataProviderCriteria() const +{ + if (!m_metadataCriteria) + m_metadataCriteria=new MetadataProvider::Criteria(); + return *m_metadataCriteria; +} + +void SecurityPolicy::evaluate(const XMLObject& message, const GenericRequest* request) { - if (!issuerMatches(issuer, m_issuer)) { - delete issuer; - throw BindingException("Externally provided Issuer conflicts with policy results."); + for (vector::const_iterator i=m_rules.begin(); i!=m_rules.end(); ++i) + (*i)->evaluate(message,request,*this); +} + +void SecurityPolicy::setIssuer(const Issuer* issuer) +{ + if (!getIssuerMatchingPolicy().issuerMatches(m_issuer, issuer)) + throw SecurityPolicyException("An Issuer was supplied that conflicts with previous results."); + + if (!m_issuer) { + if (m_entityOnly && issuer->getFormat() && !XMLString::equals(issuer->getFormat(), NameIDType::ENTITY)) + throw SecurityPolicyException("A non-entity Issuer was supplied, violating policy."); + m_issuerRole = NULL; + m_issuer=issuer->cloneIssuer(); + } +} + +void SecurityPolicy::setIssuer(const XMLCh* issuer) +{ + if (!getIssuerMatchingPolicy().issuerMatches(m_issuer, issuer)) + throw SecurityPolicyException("An Issuer was supplied that conflicts with previous results."); + + if (!m_issuer && issuer && *issuer) { + m_issuerRole = NULL; + m_issuer = IssuerBuilder::buildIssuer(); + m_issuer->setName(issuer); } - - delete m_issuer; - m_issuer=issuer; } void SecurityPolicy::setIssuerMetadata(const RoleDescriptor* issuerRole) { if (issuerRole && m_issuerRole && issuerRole!=m_issuerRole) - throw BindingException("Externally provided RoleDescriptor conflicts with policy results."); + throw SecurityPolicyException("A rule supplied a RoleDescriptor that conflicts with previous results."); m_issuerRole=issuerRole; } -bool SecurityPolicy::issuerMatches(const Issuer* issuer1, const Issuer* issuer2) const +bool SecurityPolicy::IssuerMatchingPolicy::issuerMatches(const Issuer* issuer1, const Issuer* issuer2) const { // NULL matches anything for the purposes of this interface. if (!issuer1 || !issuer2) return true; - + const XMLCh* op1=issuer1->getName(); const XMLCh* op2=issuer2->getName(); if (!op1 || !op2 || !XMLString::equals(op1,op2)) return false; - + op1=issuer1->getFormat(); op2=issuer2->getFormat(); if (!XMLString::equals(op1 ? op1 : NameIDType::ENTITY, op2 ? op2 : NameIDType::ENTITY)) return false; - + op1=issuer1->getNameQualifier(); op2=issuer2->getNameQualifier(); if (!XMLString::equals(op1 ? op1 : &chNull, op2 ? op2 : &chNull)) @@ -121,6 +141,31 @@ bool SecurityPolicy::issuerMatches(const Issuer* issuer1, const Issuer* issuer2) op2=issuer2->getSPNameQualifier(); if (!XMLString::equals(op1 ? op1 : &chNull, op2 ? op2 : &chNull)) return false; - + + return true; +} + +bool SecurityPolicy::IssuerMatchingPolicy::issuerMatches(const Issuer* issuer1, const XMLCh* issuer2) const +{ + // NULL matches anything for the purposes of this interface. + if (!issuer1 || !issuer2 || !*issuer2) + return true; + + const XMLCh* op1=issuer1->getName(); + if (!op1 || !XMLString::equals(op1,issuer2)) + return false; + + op1=issuer1->getFormat(); + if (op1 && *op1 && !XMLString::equals(op1, NameIDType::ENTITY)) + return false; + + op1=issuer1->getNameQualifier(); + if (op1 && *op1) + return false; + + op1=issuer1->getSPNameQualifier(); + if (op1 && *op1) + return false; + return true; }