X-Git-Url: http://www.project-moonshot.org/gitweb/?p=shibboleth%2Fcpp-opensaml.git;a=blobdiff_plain;f=saml%2Fsaml1%2Fprofile%2FAssertionValidator.cpp;h=a7b2ada103bc025704450558796f07e9653b628b;hp=4d3b875d445119efee6a898e4660763c4a6a85b1;hb=df39928338a40f7a2980406e9737893289673611;hpb=daf3f79d9624614fb13ca7f618c9fe5742392a3e
diff --git a/saml/saml1/profile/AssertionValidator.cpp b/saml/saml1/profile/AssertionValidator.cpp
index 4d3b875..a7b2ada 100644
--- a/saml/saml1/profile/AssertionValidator.cpp
+++ b/saml/saml1/profile/AssertionValidator.cpp
@@ -24,12 +24,12 @@
 #include "saml1/core/Assertions.h"
 #include "saml1/profile/AssertionValidator.h"
-#include
+#include
 #include
 using namespace opensaml::saml1;
+using namespace xmltooling::logging;
 using namespace xmltooling;
-using namespace log4cpp;
 using namespace std;
 void AssertionValidator::validate(const xmltooling::XMLObject* xmlObject) const
@@ -47,8 +47,11 @@ void AssertionValidator::validateAssertion(const Assertion& assertion) const
 #endif
 const Conditions* conds = assertion.getConditions();
+ if (!conds)
+ return;
+
 // First verify the time conditions, using the specified timestamp, if non-zero.
- if (m_ts>0 && conds) {
+ if (m_ts>0) {
 unsigned int skew = XMLToolingConfig::getConfig().clock_skew_secs;
 time_t t=conds->getNotBeforeEpoch();
 if (m_ts+skew < t)
@@ -58,28 +61,40 @@ void AssertionValidator::validateAssertion(const Assertion& assertion) const
 throw ValidationException("Assertion is no longer valid.");
 }
- // Now we process conditions. Only audience restrictions at the moment.
+ // Now we process conditions, starting with the known types and then extensions.
+
+ const vector& acvec = conds->getAudienceRestrictionConditions();
+ for (vector::const_iterator ac = acvec.begin(); ac!=acvec.end(); ++ac)
+ validateCondition(*ac);
+
+ const vector& dncvec = conds->getDoNotCacheConditions();
+ for (vector::const_iterator dnc = dncvec.begin(); dnc!=dncvec.end(); ++dnc)
+ validateCondition(*dnc);
+
 const vector& convec = conds->getConditions();
- for (vector::const_iterator c = convec.begin(); c!=convec.end(); ++c) {
- if (!validateCondition(*c)) {
- Category::getInstance(SAML_LOGCAT".AssertionValidator").error("unrecognized Condition in assertion (%s)",
- (*c)->getSchemaType() ? (*c)->getSchemaType()->toString().c_str() : (*c)->getElementQName().toString().c_str());
- throw ValidationException("Assertion contains an unrecognized condition.");
- }
- }
+ for (vector::const_iterator c = convec.begin(); c!=convec.end(); ++c)
+ validateCondition(*c);
 }
-bool AssertionValidator::validateCondition(const Condition* condition) const
+void AssertionValidator::validateCondition(const Condition* c) const
 {
- const AudienceRestrictionCondition* ac=dynamic_cast(condition);
- if (!ac)
- return false;
+ const AudienceRestrictionCondition* ac=dynamic_cast(c);
+ if (!ac) {
+ Category::getInstance(SAML_LOGCAT".AssertionValidator").error("unrecognized Condition in assertion (%s)",
+ c->getSchemaType() ? c->getSchemaType()->toString().c_str() : c->getElementQName().toString().c_str());
+ throw ValidationException("Assertion contains an unrecognized condition.");
+ }
 bool found = false;
 const vector& auds1 = ac->getAudiences();
 for (vector::const_iterator a = auds1.begin(); !found && a!=auds1.end(); ++a) {
- for (vector::const_iterator a2 = m_audiences.begin(); !found && a2!=m_audiences.end(); ++a2) {
- found = XMLString::equals((*a)->getAudienceURI(), *a2);
+ if (XMLString::equals(m_recipient, (*a)->getAudienceURI())) {
+ found = true;
+ }
+ else if (m_audiences) {
+ for (vector::const_iterator a2 = m_audiences->begin(); !found && a2!=m_audiences->end(); ++a2) {
+ found = XMLString::equals((*a)->getAudienceURI(), *a2);
+ }
 }
 }
@@ -91,6 +106,4 @@ bool AssertionValidator::validateCondition(const Condition* condition) const
 );
 throw ValidationException("Assertion contains an unacceptable AudienceRestrictionCondition.");
 }
-
- return found;
 }
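Review bot: The added `if (!conds) return;` makes an assertion that carries no Conditions element pass validateAssertion with no time, audience or recipient check at all, where the old code would have reached the null `conds` further down; that is a policy decision worth stating next to the return, e.g. `// No Conditions element: SAML 1.x leaves it optional, so there is nothing to enforce here; a caller that requires an audience restriction must check for it itself.` If the intent is instead that an assertion must name this recipient or one of the configured audiences whenever `m_recipient` or `m_audiences` is set, the early return should throw a ValidationException rather than accept silently. validateAssertion starts before the hunk and its time-window check continues past it.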
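Review bot: The new loop over `conds->getDoNotCacheConditions()` passes every DoNotCacheCondition to validateCondition, but validateCondition recognizes only AudienceRestrictionCondition through its dynamic_cast and throws "Assertion contains an unrecognized condition." for anything else, so an otherwise valid assertion carrying a DoNotCache condition is rejected (unless validateCondition is virtual and a subclass handles it, which the header is not here to show). Either accept that type explicitly before the cast, `if (dynamic_cast<const DoNotCacheCondition*>(c)) return;`, or drop the loop and let the DoNotCache handling live where it is actually enforced. Separately, Xerces' XMLString::equals reports two null or empty strings as equal, so if `m_recipient` can be left unset an `<Audience>` element with no URI text would satisfy the restriction; guarding it as `if (m_recipient && XMLString::equals(m_recipient, (*a)->getAudienceURI()))` closes that. validateCondition continues past the hunk.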