X-Git-Url: http://www.project-moonshot.org/gitweb/?p=shibboleth%2Fcpp-opensaml.git;a=blobdiff_plain;f=saml%2Fbinding%2Fimpl%2FSecurityPolicy.cpp;h=98875f729f6fe1b0009efc222ac6a225056ea355;hp=d2b3bc360d67968441731a6ebbd2d194f12943c7;hb=f624e114cdd538215fa5d98ad4b4aedb9dfe4b07;hpb=cffbba976931b6e032c7014cb59593aba17005be diff --git a/saml/binding/impl/SecurityPolicy.cpp b/saml/binding/impl/SecurityPolicy.cpp index d2b3bc3..98875f7 100644 --- a/saml/binding/impl/SecurityPolicy.cpp +++ b/saml/binding/impl/SecurityPolicy.cpp @@ -1,6 +1,6 @@ /* - * Copyright 2001-2007 Internet2 - * + * Copyright 2001-2009 Internet2 + * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at @@ -16,8 +16,8 @@ /** * SecurityPolicy.cpp - * - * Overall policy used to verify the security of an incoming message. + * + * Overall policy used to verify the security of an incoming message. */ #include "internal.h" @@ -32,45 +32,100 @@ using namespace xmltooling; using namespace std; namespace opensaml { + SAML_DLLLOCAL PluginManager::Factory AudienceRestrictionRuleFactory; SAML_DLLLOCAL PluginManager::Factory ClientCertAuthRuleFactory; + SAML_DLLLOCAL PluginManager::Factory ConditionsRuleFactory; + SAML_DLLLOCAL PluginManager::Factory IgnoreRuleFactory; SAML_DLLLOCAL PluginManager::Factory MessageFlowRuleFactory; SAML_DLLLOCAL PluginManager::Factory NullSecurityRuleFactory; - SAML_DLLLOCAL PluginManager::Factory SAML1MessageRuleFactory; - SAML_DLLLOCAL PluginManager::Factory SAML2MessageRuleFactory; SAML_DLLLOCAL PluginManager::Factory SimpleSigningRuleFactory; SAML_DLLLOCAL PluginManager::Factory XMLSigningRuleFactory; + + namespace saml1 { + SAML_DLLLOCAL PluginManager::Factory BrowserSSORuleFactory; + } + + namespace saml2 { + SAML_DLLLOCAL PluginManager::Factory BearerConfirmationRuleFactory; + } }; void SAML_API opensaml::registerSecurityPolicyRules() { SAMLConfig& conf=SAMLConfig::getConfig(); + conf.SecurityPolicyRuleManager.registerFactory(AUDIENCE_POLICY_RULE, AudienceRestrictionRuleFactory); conf.SecurityPolicyRuleManager.registerFactory(CLIENTCERTAUTH_POLICY_RULE, ClientCertAuthRuleFactory); + conf.SecurityPolicyRuleManager.registerFactory(CONDITIONS_POLICY_RULE, ConditionsRuleFactory); + conf.SecurityPolicyRuleManager.registerFactory(IGNORE_POLICY_RULE, IgnoreRuleFactory); conf.SecurityPolicyRuleManager.registerFactory(MESSAGEFLOW_POLICY_RULE, MessageFlowRuleFactory); conf.SecurityPolicyRuleManager.registerFactory(NULLSECURITY_POLICY_RULE, NullSecurityRuleFactory); - conf.SecurityPolicyRuleManager.registerFactory(SAML1MESSAGE_POLICY_RULE, SAML1MessageRuleFactory); - conf.SecurityPolicyRuleManager.registerFactory(SAML2MESSAGE_POLICY_RULE, SAML2MessageRuleFactory); conf.SecurityPolicyRuleManager.registerFactory(SIMPLESIGNING_POLICY_RULE, SimpleSigningRuleFactory); conf.SecurityPolicyRuleManager.registerFactory(XMLSIGNING_POLICY_RULE, XMLSigningRuleFactory); + conf.SecurityPolicyRuleManager.registerFactory(SAML1BROWSERSSO_POLICY_RULE, saml1::BrowserSSORuleFactory); + conf.SecurityPolicyRuleManager.registerFactory(BEARER_POLICY_RULE, saml2::BearerConfirmationRuleFactory); } SecurityPolicy::IssuerMatchingPolicy SecurityPolicy::m_defaultMatching; -SecurityPolicy::~SecurityPolicy() +SecurityPolicy::SecurityPolicy( + const saml2md::MetadataProvider* metadataProvider, + const xmltooling::QName* role, + const xmltooling::TrustEngine* trustEngine, + bool validate + ) : m_metadataCriteria(NULL), + m_issueInstant(0), + m_issuer(NULL), + m_issuerRole(NULL), + m_authenticated(false), + m_matchingPolicy(NULL), + m_metadata(metadataProvider), + m_role(NULL), + m_trust(trustEngine), + m_validate(validate), + m_entityOnly(true), + m_ts(0) { - reset(); + if (role) + m_role = new xmltooling::QName(*role); } -void SecurityPolicy::reset() +SecurityPolicy::~SecurityPolicy() { - delete m_messageQName; - XMLString::release(&m_messageID); + delete m_metadataCriteria; delete m_issuer; - m_messageQName=NULL; - m_messageID=NULL; +} + +void SecurityPolicy::reset(bool messageOnly) +{ + _reset(messageOnly); +} + +void SecurityPolicy::_reset(bool messageOnly) +{ + m_messageID.erase(); m_issueInstant=0; - m_issuer=NULL; - m_issuerRole=NULL; - m_secure=false; + if (!messageOnly) { + delete m_issuer; + m_issuer=NULL; + m_issuerRole=NULL; + m_authenticated=false; + } +} + +MetadataProvider::Criteria& SecurityPolicy::getMetadataProviderCriteria() const +{ + if (!m_metadataCriteria) + m_metadataCriteria=new MetadataProvider::Criteria(); + else + m_metadataCriteria->reset(); + return *m_metadataCriteria; +} + +void SecurityPolicy::setMetadataProviderCriteria(saml2md::MetadataProvider::Criteria* criteria) +{ + if (m_metadataCriteria) + delete m_metadataCriteria; + m_metadataCriteria=criteria; } void SecurityPolicy::evaluate(const XMLObject& message, const GenericRequest* request) @@ -82,9 +137,11 @@ void SecurityPolicy::evaluate(const XMLObject& message, const GenericRequest* re void SecurityPolicy::setIssuer(const Issuer* issuer) { if (!getIssuerMatchingPolicy().issuerMatches(m_issuer, issuer)) - throw SecurityPolicyException("A rule supplied an Issuer that conflicts with previous results."); - + throw SecurityPolicyException("An Issuer was supplied that conflicts with previous results."); + if (!m_issuer) { + if (m_entityOnly && issuer->getFormat() && !XMLString::equals(issuer->getFormat(), NameIDType::ENTITY)) + throw SecurityPolicyException("A non-entity Issuer was supplied, violating policy."); m_issuerRole = NULL; m_issuer=issuer->cloneIssuer(); } @@ -93,8 +150,8 @@ void SecurityPolicy::setIssuer(const Issuer* issuer) void SecurityPolicy::setIssuer(const XMLCh* issuer) { if (!getIssuerMatchingPolicy().issuerMatches(m_issuer, issuer)) - throw SecurityPolicyException("A rule supplied an Issuer that conflicts with previous results."); - + throw SecurityPolicyException("An Issuer was supplied that conflicts with previous results."); + if (!m_issuer && issuer && *issuer) { m_issuerRole = NULL; m_issuer = IssuerBuilder::buildIssuer(); @@ -114,17 +171,17 @@ bool SecurityPolicy::IssuerMatchingPolicy::issuerMatches(const Issuer* issuer1, // NULL matches anything for the purposes of this interface. if (!issuer1 || !issuer2) return true; - + const XMLCh* op1=issuer1->getName(); const XMLCh* op2=issuer2->getName(); if (!op1 || !op2 || !XMLString::equals(op1,op2)) return false; - + op1=issuer1->getFormat(); op2=issuer2->getFormat(); if (!XMLString::equals(op1 ? op1 : NameIDType::ENTITY, op2 ? op2 : NameIDType::ENTITY)) return false; - + op1=issuer1->getNameQualifier(); op2=issuer2->getNameQualifier(); if (!XMLString::equals(op1 ? op1 : &chNull, op2 ? op2 : &chNull)) @@ -134,7 +191,7 @@ bool SecurityPolicy::IssuerMatchingPolicy::issuerMatches(const Issuer* issuer1, op2=issuer2->getSPNameQualifier(); if (!XMLString::equals(op1 ? op1 : &chNull, op2 ? op2 : &chNull)) return false; - + return true; } @@ -143,15 +200,15 @@ bool SecurityPolicy::IssuerMatchingPolicy::issuerMatches(const Issuer* issuer1, // NULL matches anything for the purposes of this interface. if (!issuer1 || !issuer2 || !*issuer2) return true; - + const XMLCh* op1=issuer1->getName(); if (!op1 || !XMLString::equals(op1,issuer2)) return false; - + op1=issuer1->getFormat(); if (op1 && *op1 && !XMLString::equals(op1, NameIDType::ENTITY)) return false; - + op1=issuer1->getNameQualifier(); if (op1 && *op1) return false; @@ -159,6 +216,6 @@ bool SecurityPolicy::IssuerMatchingPolicy::issuerMatches(const Issuer* issuer1, op1=issuer1->getSPNameQualifier(); if (op1 && *op1) return false; - + return true; }