X-Git-Url: http://www.project-moonshot.org/gitweb/?p=shibboleth%2Fcpp-opensaml.git;a=blobdiff_plain;f=saml%2Fsaml2%2Fmetadata%2Fimpl%2FSignatureMetadataFilter.cpp;h=e87ba5ef72b5c49d104f94a5afc6b414ce4fb0bd;hp=2082e4fe96cf8552d55eb447525648040d9df3ee;hb=1462057b3b9ae7e165d34d988e30b14c213672ca;hpb=16d5976c9821b70d95675983702e0032d8769467 diff --git a/saml/saml2/metadata/impl/SignatureMetadataFilter.cpp b/saml/saml2/metadata/impl/SignatureMetadataFilter.cpp index 2082e4f..e87ba5e 100644 --- a/saml/saml2/metadata/impl/SignatureMetadataFilter.cpp +++ b/saml/saml2/metadata/impl/SignatureMetadataFilter.cpp @@ -1,17 +1,21 @@ -/* - * Copyright 2001-2010 Internet2 +/** + * Licensed to the University Corporation for Advanced Internet + * Development, Inc. (UCAID) under one or more contributor license + * agreements. See the NOTICE file distributed with this work for + * additional information regarding copyright ownership. * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at + * UCAID licenses this file to you under the Apache License, + * Version 2.0 (the "License"); you may not use this file except + * in compliance with the License. You may obtain a copy of the + * License at * - * http://www.apache.org/licenses/LICENSE-2.0 + * http://www.apache.org/licenses/LICENSE-2.0 * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, + * either express or implied. See the License for the specific + * language governing permissions and limitations under the License. */ /** @@ -45,29 +49,11 @@ using namespace std; namespace opensaml { namespace saml2md { - class SAML_DLLLOCAL DummyCredentialResolver : public CredentialResolver - { - public: - DummyCredentialResolver() {} - ~DummyCredentialResolver() {} - - Lockable* lock() {return this;} - void unlock() {} - - const Credential* resolve(const CredentialCriteria* criteria=nullptr) const {return nullptr;} - vector::size_type resolve( - vector& results, const CredentialCriteria* criteria=nullptr - ) const {return 0;} - }; - class SAML_DLLLOCAL SignatureMetadataFilter : public MetadataFilter { public: SignatureMetadataFilter(const DOMElement* e); - ~SignatureMetadataFilter() { - delete m_credResolver; - delete m_trust; - } + ~SignatureMetadataFilter() {} const char* getId() const { return SIGNATURE_METADATA_FILTER; } void doFilter(XMLObject& xmlObject) const; @@ -78,8 +64,8 @@ namespace opensaml { void verifySignature(Signature* sig, const XMLCh* peerName) const; bool m_verifyRoles,m_verifyName; - CredentialResolver* m_credResolver; - SignatureTrustEngine* m_trust; + auto_ptr m_credResolver,m_dummyResolver; + auto_ptr m_trust; SignatureProfileValidator m_profileValidator; Category& m_log; }; @@ -104,12 +90,11 @@ static const XMLCh verifyName[] = UNICODE_LITERAL_10(v,e,r,i,f,y,N,a,m SignatureMetadataFilter::SignatureMetadataFilter(const DOMElement* e) : m_verifyRoles(XMLHelper::getAttrBool(e, false, verifyRoles)), m_verifyName(XMLHelper::getAttrBool(e, true, verifyName)), - m_credResolver(nullptr), m_trust(nullptr), - m_log(Category::getInstance(SAML_LOGCAT".MetadataFilter.Signature")) + m_log(Category::getInstance(SAML_LOGCAT ".MetadataFilter.Signature")) { if (e && e->hasAttributeNS(nullptr,certificate)) { // Use a file-based credential resolver rooted here. - m_credResolver = XMLToolingConfig::getConfig().CredentialResolverManager.newPlugin(FILESYSTEM_CREDENTIAL_RESOLVER, e); + m_credResolver.reset(XMLToolingConfig::getConfig().CredentialResolverManager.newPlugin(FILESYSTEM_CREDENTIAL_RESOLVER, e)); return; } @@ -117,7 +102,7 @@ SignatureMetadataFilter::SignatureMetadataFilter(const DOMElement* e) if (sub) { string t = XMLHelper::getAttrString(sub, nullptr, type); if (!t.empty()) { - m_credResolver = XMLToolingConfig::getConfig().CredentialResolverManager.newPlugin(t.c_str(), sub); + m_credResolver.reset(XMLToolingConfig::getConfig().CredentialResolverManager.newPlugin(t.c_str(), sub)); return; } } @@ -127,10 +112,15 @@ SignatureMetadataFilter::SignatureMetadataFilter(const DOMElement* e) string t = XMLHelper::getAttrString(sub, nullptr, type); if (!t.empty()) { TrustEngine* trust = XMLToolingConfig::getConfig().TrustEngineManager.newPlugin(t.c_str(), sub); - if (!(m_trust = dynamic_cast(trust))) { + SignatureTrustEngine* sigTrust = dynamic_cast(trust); + if (!sigTrust) { delete trust; throw MetadataFilterException("TrustEngine-based SignatureMetadataFilter requires a SignatureTrustEngine plugin."); } + m_trust.reset(sigTrust); + m_dummyResolver.reset(XMLToolingConfig::getConfig().CredentialResolverManager.newPlugin(DUMMY_CREDENTIAL_RESOLVER, nullptr)); + if (!m_dummyResolver.get()) + throw MetadataFilterException("Error creating dummy CredentialResolver."); return; } } @@ -149,7 +139,7 @@ void SignatureMetadataFilter::doFilter(XMLObject& xmlObject) const doFilter(entities, true); return; } - catch (bad_cast) { + catch (bad_cast&) { } catch (exception& ex) { m_log.warn("filtering out group at root of instance after failed signature check: %s", ex.what()); @@ -161,7 +151,7 @@ void SignatureMetadataFilter::doFilter(XMLObject& xmlObject) const doFilter(entity, true); return; } - catch (bad_cast) { + catch (bad_cast&) { } catch (exception& ex) { m_log.warn("filtering out entity at root of instance after failed signature check: %s", ex.what()); @@ -178,8 +168,8 @@ void SignatureMetadataFilter::doFilter(EntitiesDescriptor& entities, bool rootOb throw MetadataFilterException("Root metadata element was unsigned."); verifySignature(sig, entities.getName()); - VectorOf(EntityDescriptor) v=entities.getEntityDescriptors(); - for (VectorOf(EntityDescriptor)::size_type i=0; igetSignature(), entity.getEntityID()); i++; @@ -230,8 +220,8 @@ void SignatureMetadataFilter::doFilter(EntityDescriptor& entity, bool rootObject } } - VectorOf(SPSSODescriptor) sp=entity.getSPSSODescriptors(); - for (VectorOf(SPSSODescriptor)::size_type i=0; igetSignature(), entity.getEntityID()); i++; @@ -245,8 +235,8 @@ void SignatureMetadataFilter::doFilter(EntityDescriptor& entity, bool rootObject } } - VectorOf(AuthnAuthorityDescriptor) authn=entity.getAuthnAuthorityDescriptors(); - for (VectorOf(AuthnAuthorityDescriptor)::size_type i=0; igetSignature(), entity.getEntityID()); i++; @@ -260,8 +250,8 @@ void SignatureMetadataFilter::doFilter(EntityDescriptor& entity, bool rootObject } } - VectorOf(AttributeAuthorityDescriptor) aa=entity.getAttributeAuthorityDescriptors(); - for (VectorOf(AttributeAuthorityDescriptor)::size_type i=0; igetSignature(), entity.getEntityID()); i++; @@ -275,8 +265,8 @@ void SignatureMetadataFilter::doFilter(EntityDescriptor& entity, bool rootObject } } - VectorOf(PDPDescriptor) pdp=entity.getPDPDescriptors(); - for (VectorOf(AuthnAuthorityDescriptor)::size_type i=0; igetSignature(), entity.getEntityID()); i++; @@ -290,8 +280,8 @@ void SignatureMetadataFilter::doFilter(EntityDescriptor& entity, bool rootObject } } - VectorOf(AuthnQueryDescriptorType) authnq=entity.getAuthnQueryDescriptorTypes(); - for (VectorOf(AuthnQueryDescriptorType)::size_type i=0; igetSignature(), entity.getEntityID()); i++; @@ -305,8 +295,8 @@ void SignatureMetadataFilter::doFilter(EntityDescriptor& entity, bool rootObject } } - VectorOf(AttributeQueryDescriptorType) attrq=entity.getAttributeQueryDescriptorTypes(); - for (VectorOf(AttributeQueryDescriptorType)::size_type i=0; igetSignature(), entity.getEntityID()); i++; @@ -320,8 +310,8 @@ void SignatureMetadataFilter::doFilter(EntityDescriptor& entity, bool rootObject } } - VectorOf(AuthzDecisionQueryDescriptorType) authzq=entity.getAuthzDecisionQueryDescriptorTypes(); - for (VectorOf(AuthzDecisionQueryDescriptorType)::size_type i=0; igetSignature(), entity.getEntityID()); i++; @@ -335,8 +325,8 @@ void SignatureMetadataFilter::doFilter(EntityDescriptor& entity, bool rootObject } } - VectorOf(RoleDescriptor) v=entity.getRoleDescriptors(); - for (VectorOf(RoleDescriptor)::size_type i=0; igetSignature(), entity.getEntityID()); i++; @@ -375,12 +365,12 @@ void SignatureMetadataFilter::verifySignature(Signature* sig, const XMLCh* peerN cc.setUsage(Credential::SIGNING_CREDENTIAL); cc.setSignature(*sig, CredentialCriteria::KEYINFO_EXTRACTION_KEY); - if (m_credResolver) { + if (m_credResolver.get()) { if (peerName) { auto_ptr_char pname(peerName); cc.setPeerName(pname.get()); } - Locker locker(m_credResolver); + Locker locker(m_credResolver.get()); vector creds; if (m_credResolver->resolve(creds,&cc)) { SignatureValidator sigValidator; @@ -399,13 +389,12 @@ void SignatureMetadataFilter::verifySignature(Signature* sig, const XMLCh* peerN throw MetadataFilterException("CredentialResolver did not supply any candidate keys."); } } - else if (m_trust) { + else if (m_trust.get()) { if (m_verifyName && peerName) { auto_ptr_char pname(peerName); cc.setPeerName(pname.get()); } - DummyCredentialResolver dummy; - if (m_trust->validate(*sig, dummy, &cc)) + if (m_trust->validate(*sig, *m_dummyResolver, &cc)) return; throw MetadataFilterException("TrustEngine unable to verify signature."); }