https://issues.shibboleth.net/jira/browse/SSPCPP-132

diff --git a/saml/binding/SecurityPolicy.h b/saml/binding/SecurityPolicy.h
index fed55f7..7f879ec 100644 (file)
--- a/saml/binding/SecurityPolicy.h
+++ b/saml/binding/SecurityPolicy.h
@@ -1,6 +1,6 @@
 /*
  *  Copyright 2001-2007 Internet2
 /*
  *  Copyright 2001-2007 Internet2

- * 
+ *

  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at


@@ -16,18 +16,17 @@
 
 /**
  * @file saml/binding/SecurityPolicy.h
 
 /**
  * @file saml/binding/SecurityPolicy.h

- * 
+ *

  * Overall policy used to verify the security of an incoming message.
  */
 
 #ifndef __saml_secpol_h__
 #define __saml_secpol_h__
 
  * Overall policy used to verify the security of an incoming message.
  */
 
 #ifndef __saml_secpol_h__
 #define __saml_secpol_h__
 

-#include <saml/base.h>
+#include <saml/saml2/metadata/MetadataProvider.h>

 
 #include <ctime>
 #include <vector>
 
 #include <ctime>
 #include <vector>

-#include <xmltooling/XMLObject.h>

 #include <xmltooling/io/GenericRequest.h>
 #include <xmltooling/security/TrustEngine.h>
 
 #include <xmltooling/io/GenericRequest.h>
 #include <xmltooling/security/TrustEngine.h>
 


@@ -41,22 +40,18 @@ namespace opensaml {
     namespace saml2 {
         class SAML_API Issuer;
     };
     namespace saml2 {
         class SAML_API Issuer;
     };

-    namespace saml2md {
-        class SAML_API MetadataProvider;
-        class SAML_API RoleDescriptor;
-    };
-    
+

     class SAML_API SecurityPolicyRule;
     class SAML_API SecurityPolicyRule;

-    
+

     /**
      * A policy used to verify the security of an incoming message.
     /**
      * A policy used to verify the security of an incoming message.

-     * 
+     *

      * <p>Its security mechanisms may be used to examine the transport layer
      * (e.g client certificates and HTTP basic auth passwords) or to check the
      * payload of a request to ensure it meets certain criteria (e.g. valid
      * digital signature, freshness, replay).
      * <p>Its security mechanisms may be used to examine the transport layer
      * (e.g client certificates and HTTP basic auth passwords) or to check the
      * payload of a request to ensure it meets certain criteria (e.g. valid
      * digital signature, freshness, replay).

-     * 
-     * <p>Policy objects can be reused, but are not thread-safe. 
+     *
+     * <p>Policy objects can be reused, but are not thread-safe.

      */
     class SAML_API SecurityPolicy
     {
      */
     class SAML_API SecurityPolicy
     {


@@ -64,9 +59,9 @@ namespace opensaml {
     public:
         /**
          * Constructor for policy.
     public:
         /**
          * Constructor for policy.

-         * 
+         *

          * @param metadataProvider  locked MetadataProvider instance
          * @param metadataProvider  locked MetadataProvider instance

-         * @param role              identifies the role (generally IdP or SP) of the policy peer 
+         * @param role              identifies the role (generally IdP or SP) of the policy peer

          * @param trustEngine       TrustEngine to authenticate policy peer
          * @param validate          true iff XML parsing should be done with validation
          */
          * @param trustEngine       TrustEngine to authenticate policy peer
          * @param validate          true iff XML parsing should be done with validation
          */


@@ -75,7 +70,7 @@ namespace opensaml {
             const xmltooling::QName* role=NULL,
             const xmltooling::TrustEngine* trustEngine=NULL,
             bool validate=true
             const xmltooling::QName* role=NULL,
             const xmltooling::TrustEngine* trustEngine=NULL,
             bool validate=true

-            ) : m_messageID(NULL), m_issueInstant(0), m_issuer(NULL), m_issuerRole(NULL), m_authenticated(false),
+            ) : m_metadataCriteria(NULL), m_messageID(NULL), m_issueInstant(0), m_issuer(NULL), m_issuerRole(NULL), m_authenticated(false),

                 m_matchingPolicy(NULL), m_metadata(metadataProvider), m_role(NULL), m_trust(trustEngine), m_validate(validate), m_entityOnly(true) {
             if (role)
                 m_role = new xmltooling::QName(*role);
                 m_matchingPolicy(NULL), m_metadata(metadataProvider), m_role(NULL), m_trust(trustEngine), m_validate(validate), m_entityOnly(true) {
             if (role)
                 m_role = new xmltooling::QName(*role);


@@ -85,7 +80,7 @@ namespace opensaml {
 
         /**
          * Returns the locked MetadataProvider supplied to the policy.
 
         /**
          * Returns the locked MetadataProvider supplied to the policy.

-         * 
+         *

          * @return the supplied MetadataProvider or NULL
          */
         const saml2md::MetadataProvider* getMetadataProvider() const {
          * @return the supplied MetadataProvider or NULL
          */
         const saml2md::MetadataProvider* getMetadataProvider() const {


@@ -93,8 +88,16 @@ namespace opensaml {
         }
 
         /**
         }
 
         /**

+         * Returns a reference to a MetadataProvider::Criteria instance suitable for use with the
+         * installed MetadataProvider.
+         *
+         * @return reference to a MetadataProvider::Criteria instance
+         */
+        virtual saml2md::MetadataProvider::Criteria& getMetadataProviderCriteria() const;
+
+        /**

          * Returns the peer role element/type supplied to the policy.
          * Returns the peer role element/type supplied to the policy.

-         * 
+         *

          * @return the peer role element/type, or an empty QName
          */
         const xmltooling::QName* getRole() const {
          * @return the peer role element/type, or an empty QName
          */
         const xmltooling::QName* getRole() const {


@@ -103,7 +106,7 @@ namespace opensaml {
 
         /**
          * Returns the TrustEngine supplied to the policy.
 
         /**
          * Returns the TrustEngine supplied to the policy.

-         * 
+         *

          * @return the supplied TrustEngine or NULL
          */
         const xmltooling::TrustEngine* getTrustEngine() const {
          * @return the supplied TrustEngine or NULL
          */
         const xmltooling::TrustEngine* getTrustEngine() const {


@@ -112,16 +115,16 @@ namespace opensaml {
 
         /**
          * Returns XML message validation setting.
 
         /**
          * Returns XML message validation setting.

-         * 
+         *

          * @return validation flag
          */
         bool getValidating() const {
             return m_validate;
         }
          * @return validation flag
          */
         bool getValidating() const {
             return m_validate;
         }

-        
+

         /**
          * Returns flag controlling non-entity issuer support.
         /**
          * Returns flag controlling non-entity issuer support.

-         * 
+         *

          * @return flag controlling non-entity issuer support
          */
         bool requireEntityIssuer() const {
          * @return flag controlling non-entity issuer support
          */
         bool requireEntityIssuer() const {


@@ -132,7 +135,7 @@ namespace opensaml {
          * Gets a mutable array of installed policy rules.
          *
          * <p>If adding rules, their lifetime must be at least as long as the policy object.
          * Gets a mutable array of installed policy rules.
          *
          * <p>If adding rules, their lifetime must be at least as long as the policy object.

-         * 
+         *

          * @return  mutable array of rules
          */
         std::vector<const SecurityPolicyRule*>& getRules() {
          * @return  mutable array of rules
          */
         std::vector<const SecurityPolicyRule*>& getRules() {


@@ -141,7 +144,7 @@ namespace opensaml {
 
         /**
          * Sets a locked MetadataProvider for the policy.
 
         /**
          * Sets a locked MetadataProvider for the policy.

-         * 
+         *

          * @param metadata a locked MetadataProvider or NULL
          */
         void setMetadataProvider(const saml2md::MetadataProvider* metadata) {
          * @param metadata a locked MetadataProvider or NULL
          */
         void setMetadataProvider(const saml2md::MetadataProvider* metadata) {


@@ -150,7 +153,7 @@ namespace opensaml {
 
         /**
          * Sets a peer role element/type for to the policy.
 
         /**
          * Sets a peer role element/type for to the policy.

-         * 
+         *

          * @param role the peer role element/type or NULL
          */
         void setRole(const xmltooling::QName* role) {
          * @param role the peer role element/type or NULL
          */
         void setRole(const xmltooling::QName* role) {


@@ -160,7 +163,7 @@ namespace opensaml {
 
         /**
          * Sets a TrustEngine for the policy.
 
         /**
          * Sets a TrustEngine for the policy.

-         * 
+         *

          * @param trust a TrustEngine or NULL
          */
         void setTrustEngine(const xmltooling::TrustEngine* trust) {
          * @param trust a TrustEngine or NULL
          */
         void setTrustEngine(const xmltooling::TrustEngine* trust) {


@@ -170,8 +173,8 @@ namespace opensaml {
         /**
          * Controls schema validation of incoming XML messages.
          * This is separate from other forms of programmatic validation of objects,
         /**
          * Controls schema validation of incoming XML messages.
          * This is separate from other forms of programmatic validation of objects,

-         * but can detect a much wider range of syntax errors. 
-         * 
+         * but can detect a much wider range of syntax errors.
+         *

          * @param validate  validation setting
          */
         void setValidating(bool validate=true) {
          * @param validate  validation setting
          */
         void setValidating(bool validate=true) {


@@ -180,17 +183,17 @@ namespace opensaml {
 
         /**
          * Sets flag controlling non-entity issuer support.
 
         /**
          * Sets flag controlling non-entity issuer support.

-         * 
-         * @param entityOnly require that Issuer be in entity format 
+         *
+         * @param entityOnly require that Issuer be in entity format

          */
         void requireEntityIssuer(bool entityOnly=true) {
             m_entityOnly = entityOnly;
         }
          */
         void requireEntityIssuer(bool entityOnly=true) {
             m_entityOnly = entityOnly;
         }

-        
+

         /**
          * Evaluates the policy against the given request and message,
          * possibly populating message information in the policy object.
         /**
          * Evaluates the policy against the given request and message,
          * possibly populating message information in the policy object.

-         * 
+         *

          * @param message           the incoming message
          * @param request           the protocol request
          *
          * @param message           the incoming message
          * @param request           the protocol request
          *


@@ -209,10 +212,10 @@ namespace opensaml {
          * @param messageOnly   true iff security and issuer state should be left in place
          */
         void reset(bool messageOnly=false);
          * @param messageOnly   true iff security and issuer state should be left in place
          */
         void reset(bool messageOnly=false);

-        
+

         /**
          * Returns the message identifier as determined by the registered policies.
         /**
          * Returns the message identifier as determined by the registered policies.

-         * 
+         *

          * @return message identifier as determined by the registered policies
          */
         const XMLCh* getMessageID() const {
          * @return message identifier as determined by the registered policies
          */
         const XMLCh* getMessageID() const {


@@ -221,7 +224,7 @@ namespace opensaml {
 
         /**
          * Returns the message timestamp as determined by the registered policies.
 
         /**
          * Returns the message timestamp as determined by the registered policies.

-         * 
+         *

          * @return message timestamp as determined by the registered policies
          */
         time_t getIssueInstant() const {
          * @return message timestamp as determined by the registered policies
          */
         time_t getIssueInstant() const {


@@ -230,7 +233,7 @@ namespace opensaml {
 
         /**
          * Gets the issuer of the message as determined by the registered policies.
 
         /**
          * Gets the issuer of the message as determined by the registered policies.

-         * 
+         *

          * @return issuer of the message as determined by the registered policies
          */
         const saml2::Issuer* getIssuer() const {
          * @return issuer of the message as determined by the registered policies
          */
         const saml2::Issuer* getIssuer() const {


@@ -239,7 +242,7 @@ namespace opensaml {
 
         /**
          * Gets the metadata for the role the issuer is operating in.
 
         /**
          * Gets the metadata for the role the issuer is operating in.

-         * 
+         *

          * @return metadata for the role the issuer is operating in
          */
         const saml2md::RoleDescriptor* getIssuerMetadata() const {
          * @return metadata for the role the issuer is operating in
          */
         const saml2md::RoleDescriptor* getIssuerMetadata() const {


@@ -248,8 +251,8 @@ namespace opensaml {
 
         /**
          * Returns the authentication status of the message as determined by the registered policies.
 
         /**
          * Returns the authentication status of the message as determined by the registered policies.

-         * 
-         * @return true iff a SecurityPolicyRule has indicated the issuer/message has been authenticated 
+         *
+         * @return true iff a SecurityPolicyRule has indicated the issuer/message has been authenticated

          */
         bool isAuthenticated() const {
             return m_authenticated;
          */
         bool isAuthenticated() const {
             return m_authenticated;


@@ -257,7 +260,7 @@ namespace opensaml {
 
         /**
          * Sets the message identifier as determined by the registered policies.
 
         /**
          * Sets the message identifier as determined by the registered policies.

-         * 
+         *

          * @param id message identifier
          */
         void setMessageID(const XMLCh* id) {
          * @param id message identifier
          */
         void setMessageID(const XMLCh* id) {


@@ -267,7 +270,7 @@ namespace opensaml {
 
         /**
          * Sets the message timestamp as determined by the registered policies.
 
         /**
          * Sets the message timestamp as determined by the registered policies.

-         * 
+         *

          * @param issueInstant message timestamp
          */
         void setIssueInstant(time_t issueInstant) {
          * @param issueInstant message timestamp
          */
         void setIssueInstant(time_t issueInstant) {


@@ -276,48 +279,48 @@ namespace opensaml {
 
         /**
          * Sets the issuer of the message as determined by the registered policies.
 
         /**
          * Sets the issuer of the message as determined by the registered policies.

-         * 
+         *

          * @param issuer issuer of the message
          */
         void setIssuer(const saml2::Issuer* issuer);
 
         /**
          * Sets the issuer of the message as determined by the registered policies.
          * @param issuer issuer of the message
          */
         void setIssuer(const saml2::Issuer* issuer);
 
         /**
          * Sets the issuer of the message as determined by the registered policies.

-         * 
+         *

          * @param issuer issuer of the message
          */
         void setIssuer(const XMLCh* issuer);
          * @param issuer issuer of the message
          */
         void setIssuer(const XMLCh* issuer);

-        
+

         /**
          * Sets the metadata for the role the issuer is operating in.
         /**
          * Sets the metadata for the role the issuer is operating in.

-         * 
+         *

          * @param issuerRole metadata for the role the issuer is operating in
          */
         void setIssuerMetadata(const saml2md::RoleDescriptor* issuerRole);
 
         /**
          * Sets the authentication status of the message as determined by the registered policies.
          * @param issuerRole metadata for the role the issuer is operating in
          */
         void setIssuerMetadata(const saml2md::RoleDescriptor* issuerRole);
 
         /**
          * Sets the authentication status of the message as determined by the registered policies.

-         * 
+         *

          * @param auth indicates whether the issuer/message has been authenticated
          */
         void setAuthenticated(bool auth) {
             m_authenticated = auth;
         }
          * @param auth indicates whether the issuer/message has been authenticated
          */
         void setAuthenticated(bool auth) {
             m_authenticated = auth;
         }

-        
+

         /** Allows override of rules for comparing saml2:Issuer information. */
         class SAML_API IssuerMatchingPolicy {
             MAKE_NONCOPYABLE(IssuerMatchingPolicy);
         public:
             IssuerMatchingPolicy() {}
             virtual ~IssuerMatchingPolicy() {}
         /** Allows override of rules for comparing saml2:Issuer information. */
         class SAML_API IssuerMatchingPolicy {
             MAKE_NONCOPYABLE(IssuerMatchingPolicy);
         public:
             IssuerMatchingPolicy() {}
             virtual ~IssuerMatchingPolicy() {}

-            
+

             /**
              * Returns true iff the two operands "match". Applications can override this method to
             /**
              * Returns true iff the two operands "match". Applications can override this method to

-             * support non-standard issuer matching for complex policies. 
-             * 
+             * support non-standard issuer matching for complex policies.
+             *

              * <p>The default implementation does a basic comparison of the XML content, treating
              * an unsupplied Format as an "entityID".
              * <p>The default implementation does a basic comparison of the XML content, treating
              * an unsupplied Format as an "entityID".

-             * 
+             *

              * @param issuer1   the first Issuer to match
              * @param issuer2   the second Issuer to match
              * @return  true iff the operands match
              * @param issuer1   the first Issuer to match
              * @param issuer2   the second Issuer to match
              * @return  true iff the operands match


@@ -326,11 +329,11 @@ namespace opensaml {
 
             /**
              * Returns true iff the two operands "match". Applications can override this method to
 
             /**
              * Returns true iff the two operands "match". Applications can override this method to

-             * support non-standard issuer matching for complex policies. 
-             * 
+             * support non-standard issuer matching for complex policies.
+             *

              * <p>The default implementation does a basic comparison of the XML content, treating
              * an unsupplied Format as an "entityID".
              * <p>The default implementation does a basic comparison of the XML content, treating
              * an unsupplied Format as an "entityID".

-             * 
+             *

              * @param issuer1   the first Issuer to match
              * @param issuer2   the second Issuer to match
              * @return  true iff the operands match
              * @param issuer1   the first Issuer to match
              * @param issuer2   the second Issuer to match
              * @return  true iff the operands match


@@ -340,7 +343,7 @@ namespace opensaml {
 
         /**
          * Returns the IssuerMatchingPolicy in effect.
 
         /**
          * Returns the IssuerMatchingPolicy in effect.

-         * 
+         *

          * @return the effective IssuerMatchingPolicy
          */
         const IssuerMatchingPolicy& getIssuerMatchingPolicy() const {
          * @return the effective IssuerMatchingPolicy
          */
         const IssuerMatchingPolicy& getIssuerMatchingPolicy() const {


@@ -350,9 +353,9 @@ namespace opensaml {
         /**
          * Sets the IssuerMatchingPolicy in effect. Setting no policy will
          * cause the simple, default approach to be used.
         /**
          * Sets the IssuerMatchingPolicy in effect. Setting no policy will
          * cause the simple, default approach to be used.

-         * 
+         *

          * <p>The matching object will be freed by the SecurityPolicy.
          * <p>The matching object will be freed by the SecurityPolicy.

-         * 
+         *

          * @param matchingPolicy the IssuerMatchingPolicy to use
          */
         void setIssuerMatchingPolicy(IssuerMatchingPolicy* matchingPolicy) {
          * @param matchingPolicy the IssuerMatchingPolicy to use
          */
         void setIssuerMatchingPolicy(IssuerMatchingPolicy* matchingPolicy) {


@@ -364,14 +367,17 @@ namespace opensaml {
         /** A shared matching object that just supports the default matching rules. */
         static IssuerMatchingPolicy m_defaultMatching;
 
         /** A shared matching object that just supports the default matching rules. */
         static IssuerMatchingPolicy m_defaultMatching;
 

+        /** Manufactured MetadataProvider::Criteria instance. */
+        mutable saml2md::MetadataProvider::Criteria* m_metadataCriteria;
+

     private:
     private:

-        // information extracted from message 
+        // information extracted from message

         XMLCh* m_messageID;
         time_t m_issueInstant;
         saml2::Issuer* m_issuer;
         const saml2md::RoleDescriptor* m_issuerRole;
         bool m_authenticated;
         XMLCh* m_messageID;
         time_t m_issueInstant;
         saml2::Issuer* m_issuer;
         const saml2md::RoleDescriptor* m_issuerRole;
         bool m_authenticated;

-        
+

         // components governing policy rules
         IssuerMatchingPolicy* m_matchingPolicy;
         std::vector<const SecurityPolicyRule*> m_rules;
         // components governing policy rules
         IssuerMatchingPolicy* m_matchingPolicy;
         std::vector<const SecurityPolicyRule*> m_rules;

diff --git a/saml/binding/impl/SecurityPolicy.cpp b/saml/binding/impl/SecurityPolicy.cpp
index 371410e..02812a4 100644 (file)
--- a/saml/binding/impl/SecurityPolicy.cpp
+++ b/saml/binding/impl/SecurityPolicy.cpp
@@ -1,6 +1,6 @@
 /*
  *  Copyright 2001-2007 Internet2
 /*
  *  Copyright 2001-2007 Internet2

- * 
+ *

  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at


@@ -16,8 +16,8 @@
 
 /**
  * SecurityPolicy.cpp
 
 /**
  * SecurityPolicy.cpp

- * 
- * Overall policy used to verify the security of an incoming message. 
+ *
+ * Overall policy used to verify the security of an incoming message.

  */
 
 #include "internal.h"
  */
 
 #include "internal.h"


@@ -61,6 +61,8 @@ void SecurityPolicy::reset(bool messageOnly)
     XMLString::release(&m_messageID);
     m_messageID=NULL;
     m_issueInstant=0;
     XMLString::release(&m_messageID);
     m_messageID=NULL;
     m_issueInstant=0;

+    delete m_metadataCriteria;
+    m_metadataCriteria=NULL;

     if (!messageOnly) {
         delete m_issuer;
         m_issuer=NULL;
     if (!messageOnly) {
         delete m_issuer;
         m_issuer=NULL;


@@ -69,6 +71,13 @@ void SecurityPolicy::reset(bool messageOnly)
     }
 }
 
     }
 }
 

+MetadataProvider::Criteria& SecurityPolicy::getMetadataProviderCriteria() const
+{
+    if (!m_metadataCriteria)
+        m_metadataCriteria=new MetadataProvider::Criteria();
+    return *m_metadataCriteria;
+}
+

 void SecurityPolicy::evaluate(const XMLObject& message, const GenericRequest* request)
 {
     for (vector<const SecurityPolicyRule*>::const_iterator i=m_rules.begin(); i!=m_rules.end(); ++i)
 void SecurityPolicy::evaluate(const XMLObject& message, const GenericRequest* request)
 {
     for (vector<const SecurityPolicyRule*>::const_iterator i=m_rules.begin(); i!=m_rules.end(); ++i)


@@ -79,7 +88,7 @@ void SecurityPolicy::setIssuer(const Issuer* issuer)
 {
     if (!getIssuerMatchingPolicy().issuerMatches(m_issuer, issuer))
         throw SecurityPolicyException("An Issuer was supplied that conflicts with previous results.");
 {
     if (!getIssuerMatchingPolicy().issuerMatches(m_issuer, issuer))
         throw SecurityPolicyException("An Issuer was supplied that conflicts with previous results.");

-    
+

     if (!m_issuer) {
         if (m_entityOnly && issuer->getFormat() && !XMLString::equals(issuer->getFormat(), NameIDType::ENTITY))
             throw SecurityPolicyException("A non-entity Issuer was supplied, violating policy.");
     if (!m_issuer) {
         if (m_entityOnly && issuer->getFormat() && !XMLString::equals(issuer->getFormat(), NameIDType::ENTITY))
             throw SecurityPolicyException("A non-entity Issuer was supplied, violating policy.");


@@ -92,7 +101,7 @@ void SecurityPolicy::setIssuer(const XMLCh* issuer)
 {
     if (!getIssuerMatchingPolicy().issuerMatches(m_issuer, issuer))
         throw SecurityPolicyException("An Issuer was supplied that conflicts with previous results.");
 {
     if (!getIssuerMatchingPolicy().issuerMatches(m_issuer, issuer))
         throw SecurityPolicyException("An Issuer was supplied that conflicts with previous results.");

-    
+

     if (!m_issuer && issuer && *issuer) {
         m_issuerRole = NULL;
         m_issuer = IssuerBuilder::buildIssuer();
     if (!m_issuer && issuer && *issuer) {
         m_issuerRole = NULL;
         m_issuer = IssuerBuilder::buildIssuer();


@@ -112,17 +121,17 @@ bool SecurityPolicy::IssuerMatchingPolicy::issuerMatches(const Issuer* issuer1,
     // NULL matches anything for the purposes of this interface.
     if (!issuer1 || !issuer2)
         return true;
     // NULL matches anything for the purposes of this interface.
     if (!issuer1 || !issuer2)
         return true;

-    
+

     const XMLCh* op1=issuer1->getName();
     const XMLCh* op2=issuer2->getName();
     if (!op1 || !op2 || !XMLString::equals(op1,op2))
         return false;
     const XMLCh* op1=issuer1->getName();
     const XMLCh* op2=issuer2->getName();
     if (!op1 || !op2 || !XMLString::equals(op1,op2))
         return false;

-    
+

     op1=issuer1->getFormat();
     op2=issuer2->getFormat();
     if (!XMLString::equals(op1 ? op1 : NameIDType::ENTITY, op2 ? op2 : NameIDType::ENTITY))
         return false;
     op1=issuer1->getFormat();
     op2=issuer2->getFormat();
     if (!XMLString::equals(op1 ? op1 : NameIDType::ENTITY, op2 ? op2 : NameIDType::ENTITY))
         return false;

-        
+

     op1=issuer1->getNameQualifier();
     op2=issuer2->getNameQualifier();
     if (!XMLString::equals(op1 ? op1 : &chNull, op2 ? op2 : &chNull))
     op1=issuer1->getNameQualifier();
     op2=issuer2->getNameQualifier();
     if (!XMLString::equals(op1 ? op1 : &chNull, op2 ? op2 : &chNull))


@@ -132,7 +141,7 @@ bool SecurityPolicy::IssuerMatchingPolicy::issuerMatches(const Issuer* issuer1,
     op2=issuer2->getSPNameQualifier();
     if (!XMLString::equals(op1 ? op1 : &chNull, op2 ? op2 : &chNull))
         return false;
     op2=issuer2->getSPNameQualifier();
     if (!XMLString::equals(op1 ? op1 : &chNull, op2 ? op2 : &chNull))
         return false;

-    
+

     return true;
 }
 
     return true;
 }
 


@@ -141,15 +150,15 @@ bool SecurityPolicy::IssuerMatchingPolicy::issuerMatches(const Issuer* issuer1,
     // NULL matches anything for the purposes of this interface.
     if (!issuer1 || !issuer2 || !*issuer2)
         return true;
     // NULL matches anything for the purposes of this interface.
     if (!issuer1 || !issuer2 || !*issuer2)
         return true;

-    
+

     const XMLCh* op1=issuer1->getName();
     if (!op1 || !XMLString::equals(op1,issuer2))
         return false;
     const XMLCh* op1=issuer1->getName();
     if (!op1 || !XMLString::equals(op1,issuer2))
         return false;

-    
+

     op1=issuer1->getFormat();
     if (op1 && *op1 && !XMLString::equals(op1, NameIDType::ENTITY))
         return false;
     op1=issuer1->getFormat();
     if (op1 && *op1 && !XMLString::equals(op1, NameIDType::ENTITY))
         return false;

-        
+

     op1=issuer1->getNameQualifier();
     if (op1 && *op1)
         return false;
     op1=issuer1->getNameQualifier();
     if (op1 && *op1)
         return false;


@@ -157,6 +166,6 @@ bool SecurityPolicy::IssuerMatchingPolicy::issuerMatches(const Issuer* issuer1,
     op1=issuer1->getSPNameQualifier();
     if (op1 && *op1)
         return false;
     op1=issuer1->getSPNameQualifier();
     if (op1 && *op1)
         return false;

-    
+

     return true;
 }
     return true;
 }

diff --git a/saml/saml1/binding/impl/SAML1ArtifactDecoder.cpp b/saml/saml1/binding/impl/SAML1ArtifactDecoder.cpp
index e24dda1..4c56f2e 100644 (file)
--- a/saml/saml1/binding/impl/SAML1ArtifactDecoder.cpp
+++ b/saml/saml1/binding/impl/SAML1ArtifactDecoder.cpp
@@ -1,6 +1,6 @@
 /*
  *  Copyright 2001-2007 Internet2
 /*
  *  Copyright 2001-2007 Internet2

- * 
+ *

  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at


@@ -16,7 +16,7 @@
 
 /**
  * SAML1ArtifactDecoder.cpp
 
 /**
  * SAML1ArtifactDecoder.cpp

- * 
+ *

  * SAML 1.x Artifact binding/profile message decoder
  */
 
  * SAML 1.x Artifact binding/profile message decoder
  */
 


@@ -41,19 +41,19 @@ using namespace xmltooling;
 using namespace std;
 
 namespace opensaml {
 using namespace std;
 
 namespace opensaml {

-    namespace saml1p {              
+    namespace saml1p {

         class SAML_DLLLOCAL SAML1ArtifactDecoder : public SAML1MessageDecoder
         {
         public:
             SAML1ArtifactDecoder() {}
             virtual ~SAML1ArtifactDecoder() {}
         class SAML_DLLLOCAL SAML1ArtifactDecoder : public SAML1MessageDecoder
         {
         public:
             SAML1ArtifactDecoder() {}
             virtual ~SAML1ArtifactDecoder() {}

-            
+

             xmltooling::XMLObject* decode(
                 std::string& relayState,
                 const GenericRequest& genericRequest,
                 SecurityPolicy& policy
                 ) const;
             xmltooling::XMLObject* decode(
                 std::string& relayState,
                 const GenericRequest& genericRequest,
                 SecurityPolicy& policy
                 ) const;

-        };                
+        };

 
         MessageDecoder* SAML_DLLLOCAL SAML1ArtifactDecoderFactory(const pair<const DOMElement*,const XMLCh*>& p)
         {
 
         MessageDecoder* SAML_DLLLOCAL SAML1ArtifactDecoderFactory(const pair<const DOMElement*,const XMLCh*>& p)
         {


@@ -93,7 +93,7 @@ XMLObject* SAML1ArtifactDecoder::decode(
     for (vector<const char*>::const_iterator raw=SAMLart.begin(); raw!=SAMLart.end(); ++raw) {
         try {
             log.debug("processing encoded artifact (%s)", *raw);
     for (vector<const char*>::const_iterator raw=SAMLart.begin(); raw!=SAMLart.end(); ++raw) {
         try {
             log.debug("processing encoded artifact (%s)", *raw);

-            
+

             // Check replay.
             ReplayCache* replayCache = XMLToolingConfig::getConfig().getReplayCache();
             if (replayCache) {
             // Check replay.
             ReplayCache* replayCache = XMLToolingConfig::getConfig().getReplayCache();
             if (replayCache) {


@@ -117,9 +117,12 @@ XMLObject* SAML1ArtifactDecoder::decode(
             throw;
         }
     }
             throw;
         }
     }

-    
+

     log.debug("attempting to determine source of artifact(s)...");
     log.debug("attempting to determine source of artifact(s)...");

-    MetadataProvider::Criteria mc(artifacts.front(), policy.getRole(), samlconstants::SAML11_PROTOCOL_ENUM);
+    MetadataProvider::Criteria& mc = policy.getMetadataProviderCriteria();
+    mc.artifact = artifacts.front();
+    mc.role = policy.getRole();
+    mc.protocol = samlconstants::SAML11_PROTOCOL_ENUM;

     mc.protocol2 = samlconstants::SAML10_PROTOCOL_ENUM;
     pair<const EntityDescriptor*,const RoleDescriptor*> provider=policy.getMetadataProvider()->getEntityDescriptor(mc);
     if (!provider.first) {
     mc.protocol2 = samlconstants::SAML10_PROTOCOL_ENUM;
     pair<const EntityDescriptor*,const RoleDescriptor*> provider=policy.getMetadataProvider()->getEntityDescriptor(mc);
     if (!provider.first) {


@@ -130,7 +133,7 @@ XMLObject* SAML1ArtifactDecoder::decode(
         for_each(artifacts.begin(), artifacts.end(), xmltooling::cleanup<SAMLArtifact>());
         throw BindingException("Metadata lookup failed, unable to determine artifact issuer");
     }
         for_each(artifacts.begin(), artifacts.end(), xmltooling::cleanup<SAMLArtifact>());
         throw BindingException("Metadata lookup failed, unable to determine artifact issuer");
     }

-    
+

     if (log.isDebugEnabled()) {
         auto_ptr_char issuer(provider.first->getEntityID());
         log.debug("artifact issued by (%s)", issuer.get());
     if (log.isDebugEnabled()) {
         auto_ptr_char issuer(provider.first->getEntityID());
         log.debug("artifact issued by (%s)", issuer.get());


@@ -144,15 +147,15 @@ XMLObject* SAML1ArtifactDecoder::decode(
     // Set Issuer for the policy.
     policy.setIssuer(provider.first->getEntityID());
     policy.setIssuerMetadata(provider.second);
     // Set Issuer for the policy.
     policy.setIssuer(provider.first->getEntityID());
     policy.setIssuerMetadata(provider.second);

-    
+

     try {
         log.debug("calling ArtifactResolver...");
         auto_ptr<Response> response(
             m_artifactResolver->resolve(artifacts, dynamic_cast<const IDPSSODescriptor&>(*provider.second), policy)
             );
     try {
         log.debug("calling ArtifactResolver...");
         auto_ptr<Response> response(
             m_artifactResolver->resolve(artifacts, dynamic_cast<const IDPSSODescriptor&>(*provider.second), policy)
             );

-        
+

         // The policy should be enforced against the Response by the resolve step.
         // The policy should be enforced against the Response by the resolve step.

-        
+

         for_each(artifacts.begin(), artifacts.end(), xmltooling::cleanup<SAMLArtifact>());
         return response.release();
     }
         for_each(artifacts.begin(), artifacts.end(), xmltooling::cleanup<SAMLArtifact>());
         return response.release();
     }

diff --git a/saml/saml1/binding/impl/SAML1MessageDecoder.cpp b/saml/saml1/binding/impl/SAML1MessageDecoder.cpp
index 8fe02a1..b0079ac 100644 (file)
--- a/saml/saml1/binding/impl/SAML1MessageDecoder.cpp
+++ b/saml/saml1/binding/impl/SAML1MessageDecoder.cpp
@@ -1,6 +1,6 @@
 /*
  *  Copyright 2001-2007 Internet2
 /*
  *  Copyright 2001-2007 Internet2

- * 
+ *

  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at


@@ -16,7 +16,7 @@
 
 /**
  * SAML1MessageDecoder.cpp
 
 /**
  * SAML1MessageDecoder.cpp

- * 
+ *

  * Base class for SAML 1.x MessageDecoders.
  */
 
  * Base class for SAML 1.x MessageDecoders.
  */
 


@@ -93,8 +93,10 @@ void SAML1MessageDecoder::extractMessageDetails(
 
     if (policy.getMetadataProvider() && policy.getRole()) {
         log.debug("searching metadata for response issuer...");
 
     if (policy.getMetadataProvider() && policy.getRole()) {
         log.debug("searching metadata for response issuer...");

-
-        MetadataProvider::Criteria mc(issuer, policy.getRole(), protocol);
+        MetadataProvider::Criteria& mc = policy.getMetadataProviderCriteria();
+        mc.entityID_unicode = issuer;
+        mc.role = policy.getRole();
+        mc.protocol = protocol;

         pair<const EntityDescriptor*,const RoleDescriptor*> entity = policy.getMetadataProvider()->getEntityDescriptor(mc);
 
         if (!entity.first) {
         pair<const EntityDescriptor*,const RoleDescriptor*> entity = policy.getMetadataProvider()->getEntityDescriptor(mc);
 
         if (!entity.first) {

diff --git a/saml/saml2/binding/impl/SAML2ArtifactDecoder.cpp b/saml/saml2/binding/impl/SAML2ArtifactDecoder.cpp
index 47fc608..081787f 100644 (file)
--- a/saml/saml2/binding/impl/SAML2ArtifactDecoder.cpp
+++ b/saml/saml2/binding/impl/SAML2ArtifactDecoder.cpp
@@ -1,6 +1,6 @@
 /*
  *  Copyright 2001-2007 Internet2
 /*
  *  Copyright 2001-2007 Internet2

- * 
+ *

  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at


@@ -16,7 +16,7 @@
 
 /**
  * SAML2ArtifactDecoder.cpp
 
 /**
  * SAML2ArtifactDecoder.cpp

- * 
+ *

  * SAML 2.0 Artifact binding message decoder
  */
 
  * SAML 2.0 Artifact binding message decoder
  */
 


@@ -42,19 +42,19 @@ using namespace xmltooling;
 using namespace std;
 
 namespace opensaml {
 using namespace std;
 
 namespace opensaml {

-    namespace saml2p {              
+    namespace saml2p {

         class SAML_DLLLOCAL SAML2ArtifactDecoder : public SAML2MessageDecoder
         {
         public:
             SAML2ArtifactDecoder() {}
             virtual ~SAML2ArtifactDecoder() {}
         class SAML_DLLLOCAL SAML2ArtifactDecoder : public SAML2MessageDecoder
         {
         public:
             SAML2ArtifactDecoder() {}
             virtual ~SAML2ArtifactDecoder() {}

-            
+

             xmltooling::XMLObject* decode(
                 std::string& relayState,
                 const GenericRequest& genericRequest,
                 SecurityPolicy& policy
                 ) const;
             xmltooling::XMLObject* decode(
                 std::string& relayState,
                 const GenericRequest& genericRequest,
                 SecurityPolicy& policy
                 ) const;

-        };                
+        };

 
         MessageDecoder* SAML_DLLLOCAL SAML2ArtifactDecoderFactory(const pair<const DOMElement*,const XMLCh*>& p)
         {
 
         MessageDecoder* SAML_DLLLOCAL SAML2ArtifactDecoderFactory(const pair<const DOMElement*,const XMLCh*>& p)
         {


@@ -92,7 +92,7 @@ XMLObject* SAML2ArtifactDecoder::decode(
     SAMLArtifact* artifact=NULL;
     try {
         log.debug("processing encoded artifact (%s)", SAMLart);
     SAMLArtifact* artifact=NULL;
     try {
         log.debug("processing encoded artifact (%s)", SAMLart);

-        
+

         // Check replay.
         ReplayCache* replayCache = XMLToolingConfig::getConfig().getReplayCache();
         if (replayCache) {
         // Check replay.
         ReplayCache* replayCache = XMLToolingConfig::getConfig().getReplayCache();
         if (replayCache) {


@@ -110,16 +110,19 @@ XMLObject* SAML2ArtifactDecoder::decode(
         log.error("error parsing artifact (%s)", SAMLart);
         throw;
     }
         log.error("error parsing artifact (%s)", SAMLart);
         throw;
     }

-    
+

     // Check the type.
     auto_ptr<SAML2Artifact> artifact2(dynamic_cast<SAML2Artifact*>(artifact));
     if (!artifact2.get()) {
         throw BindingException("Artifact binding requires SAML 2.0 artifact.");
         delete artifact;
     }
     // Check the type.
     auto_ptr<SAML2Artifact> artifact2(dynamic_cast<SAML2Artifact*>(artifact));
     if (!artifact2.get()) {
         throw BindingException("Artifact binding requires SAML 2.0 artifact.");
         delete artifact;
     }

-    
+

     log.debug("attempting to determine source of artifact...");
     log.debug("attempting to determine source of artifact...");

-    MetadataProvider::Criteria mc(artifact, policy.getRole(), samlconstants::SAML20P_NS);
+    MetadataProvider::Criteria& mc = policy.getMetadataProviderCriteria();
+    mc.artifact = artifact;
+    mc.role = policy.getRole();
+    mc.protocol = samlconstants::SAML20P_NS;

     pair<const EntityDescriptor*,const RoleDescriptor*> provider=policy.getMetadataProvider()->getEntityDescriptor(mc);
     if (!provider.first) {
         log.error(
     pair<const EntityDescriptor*,const RoleDescriptor*> provider=policy.getMetadataProvider()->getEntityDescriptor(mc);
     if (!provider.first) {
         log.error(


@@ -128,7 +131,7 @@ XMLObject* SAML2ArtifactDecoder::decode(
             );
         throw BindingException("Metadata lookup failed, unable to determine artifact issuer.");
     }
             );
         throw BindingException("Metadata lookup failed, unable to determine artifact issuer.");
     }

-    
+

     if (log.isDebugEnabled()) {
         auto_ptr_char issuer(provider.first->getEntityID());
         log.debug("lookup succeeded, artifact issued by (%s)", issuer.get());
     if (log.isDebugEnabled()) {
         auto_ptr_char issuer(provider.first->getEntityID());
         log.debug("lookup succeeded, artifact issued by (%s)", issuer.get());


@@ -141,12 +144,12 @@ XMLObject* SAML2ArtifactDecoder::decode(
     // Set issuer into policy.
     policy.setIssuer(provider.first->getEntityID());
     policy.setIssuerMetadata(provider.second);
     // Set issuer into policy.
     policy.setIssuer(provider.first->getEntityID());
     policy.setIssuerMetadata(provider.second);

-    
+

     log.debug("calling ArtifactResolver...");
     auto_ptr<ArtifactResponse> response(
         m_artifactResolver->resolve(*(artifact2.get()), dynamic_cast<const SSODescriptorType&>(*provider.second), policy)
         );
     log.debug("calling ArtifactResolver...");
     auto_ptr<ArtifactResponse> response(
         m_artifactResolver->resolve(*(artifact2.get()), dynamic_cast<const SSODescriptorType&>(*provider.second), policy)
         );

-    
+

     // The policy should be enforced against the ArtifactResponse by the resolve step.
     // Reset only the message state.
     policy.reset(true);
     // The policy should be enforced against the ArtifactResponse by the resolve step.
     // Reset only the message state.
     policy.reset(true);


@@ -160,6 +163,6 @@ XMLObject* SAML2ArtifactDecoder::decode(
 
     // Return the payload only.
     response.release();
 
     // Return the payload only.
     response.release();

-    payload->detach(); 
+    payload->detach();

     return payload;
 }
     return payload;
 }

diff --git a/saml/saml2/binding/impl/SAML2MessageDecoder.cpp b/saml/saml2/binding/impl/SAML2MessageDecoder.cpp
index 97a38ac..9e24de4 100644 (file)
--- a/saml/saml2/binding/impl/SAML2MessageDecoder.cpp
+++ b/saml/saml2/binding/impl/SAML2MessageDecoder.cpp
@@ -1,6 +1,6 @@
 /*
  *  Copyright 2001-2007 Internet2
 /*
  *  Copyright 2001-2007 Internet2

- * 
+ *

  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at


@@ -16,7 +16,7 @@
 
 /**
  * SAML2MessageDecoder.cpp
 
 /**
  * SAML2MessageDecoder.cpp

- * 
+ *

  * Base class for SAML 2.0 MessageDecoders.
  */
 
  * Base class for SAML 2.0 MessageDecoders.
  */
 


@@ -60,7 +60,7 @@ void SAML2MessageDecoder::extractMessageDetails(
             policy.setIssuer(issuer);
         }
         else if (XMLString::equals(q.getLocalPart(), Response::LOCAL_NAME)) {
             policy.setIssuer(issuer);
         }
         else if (XMLString::equals(q.getLocalPart(), Response::LOCAL_NAME)) {

-            // No issuer in the message, so we have to try the Response approach. 
+            // No issuer in the message, so we have to try the Response approach.

             const vector<saml2::Assertion*>& assertions = dynamic_cast<const Response&>(samlRoot).getAssertions();
             if (!assertions.empty()) {
                 issuer = assertions.front()->getIssuer();
             const vector<saml2::Assertion*>& assertions = dynamic_cast<const Response&>(samlRoot).getAssertions();
             if (!assertions.empty()) {
                 issuer = assertions.front()->getIssuer();


@@ -89,10 +89,12 @@ void SAML2MessageDecoder::extractMessageDetails(
                 log.warn("non-system entity issuer, skipping metadata lookup");
                 return;
             }
                 log.warn("non-system entity issuer, skipping metadata lookup");
                 return;
             }

-            
-            log.debug("searching metadata for message issuer...");

 
 

-            MetadataProvider::Criteria mc(issuer->getName(), policy.getRole(), protocol);
+            log.debug("searching metadata for message issuer...");
+            MetadataProvider::Criteria& mc = policy.getMetadataProviderCriteria();
+            mc.entityID_unicode = issuer->getName();
+            mc.role = policy.getRole();
+            mc.protocol = protocol;

             pair<const EntityDescriptor*,const RoleDescriptor*> entity = policy.getMetadataProvider()->getEntityDescriptor(mc);
             if (!entity.first) {
                 auto_ptr_char temp(issuer->getName());
             pair<const EntityDescriptor*,const RoleDescriptor*> entity = policy.getMetadataProvider()->getEntityDescriptor(mc);
             if (!entity.first) {
                 auto_ptr_char temp(issuer->getName());

diff --git a/saml/saml2/metadata/MetadataProvider.h b/saml/saml2/metadata/MetadataProvider.h
index 834e8ae..beced6e 100644 (file)
--- a/saml/saml2/metadata/MetadataProvider.h
+++ b/saml/saml2/metadata/MetadataProvider.h
@@ -157,6 +157,12 @@ namespace opensaml {
              */
             struct SAML_API Criteria {
                 /**
              */
             struct SAML_API Criteria {
                 /**

+                 * Default constructor.
+                 */
+                Criteria() : entityID_unicode(NULL), entityID_ascii(NULL), artifact(NULL), role(NULL), protocol(NULL), protocol2(NULL), validOnly(true) {
+                }
+            
+                /**

                  * Constructor.
                  * 
                  * @param id    entityID to lookup
                  * Constructor.
                  * 
                  * @param id    entityID to lookup