From: Scott Cantor Date: Fri, 14 Dec 2007 18:35:59 +0000 (+0000) Subject: Add flag to block non-entity issuers. X-Git-Tag: 2.0-rc1~9 X-Git-Url: http://www.project-moonshot.org/gitweb/?p=shibboleth%2Fcpp-opensaml.git;a=commitdiff_plain;h=0542de711d105e1cdfd2d9273764e01ccf2fa92a Add flag to block non-entity issuers.
---
diff --git a/saml/binding/SecurityPolicy.h b/saml/binding/SecurityPolicy.h
index 5f696a9..fed55f7 100644
--- a/saml/binding/SecurityPolicy.h
+++ b/saml/binding/SecurityPolicy.h
@@ -76,7 +76,7 @@ namespace opensaml {
 const xmltooling::TrustEngine* trustEngine=NULL,
 bool validate=true
 ) : m_messageID(NULL), m_issueInstant(0), m_issuer(NULL), m_issuerRole(NULL), m_authenticated(false),
- m_matchingPolicy(NULL), m_metadata(metadataProvider), m_role(NULL), m_trust(trustEngine), m_validate(validate) {
+ m_matchingPolicy(NULL), m_metadata(metadataProvider), m_role(NULL), m_trust(trustEngine), m_validate(validate), m_entityOnly(true) {
 if (role)
 m_role = new xmltooling::QName(*role);
 }
@@ -117,7 +117,16 @@ namespace opensaml {
 */
 bool getValidating() const {
 return m_validate;
- }
+ }
+
+ /**
+ * Returns flag controlling non-entity issuer support.
+ *
+ * @return flag controlling non-entity issuer support
+ */
+ bool requireEntityIssuer() const {
+ return m_entityOnly;
+ }

 /**
 * Gets a mutable array of installed policy rules.
@@ -168,6 +177,15 @@ namespace opensaml {
 void setValidating(bool validate=true) {
 m_validate = validate;
 }
+
+ /**
+ * Sets flag controlling non-entity issuer support.
+ *
+ * @param entityOnly require that Issuer be in entity format
+ */
+ void requireEntityIssuer(bool entityOnly=true) {
+ m_entityOnly = entityOnly;
+ }

 /**
 * Evaluates the policy against the given request and message,
@@ -361,6 +379,7 @@ namespace opensaml {
 xmltooling::QName* m_role;
 const xmltooling::TrustEngine* m_trust;
 bool m_validate;
+ bool m_entityOnly;
 };
 };
 
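Review bot: The new member is initialized only in the constructor visible in this hunk, so if SecurityPolicy declares any other constructor outside it, `m_entityOnly` is left indeterminate there and the format check that reads it in SecurityPolicy.cpp becomes unpredictable; every constructor should carry `m_entityOnly(true)`. Defaulting to true is the right fail-closed choice, and it is worth stating that default in the class documentation so callers know they must opt out explicitly with `requireEntityIssuer(false)`. The constructor's parameter list begins before the hunk.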
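Review bot: The comments on `requireEntityIssuer()` here and on `requireEntityIssuer(bool)` in the following hunk describe the flag only as "controlling non-entity issuer support" and never say what the policy enforces, which is the detail a caller needs; the companion change in SecurityPolicy.cpp rejects an Issuer whose Format is present and not NameIDType::ENTITY. Suggest `@return true if a supplied Issuer must either omit Format or use NameIDType::ENTITY (default true)` for the getter and `@param entityOnly when true, an Issuer with any Format other than NameIDType::ENTITY is rejected with a SecurityPolicyException` for the setter. Using the same name for getter and setter, distinguished only by the bool parameter, also departs from the `getValidating`/`setValidating` pairing used directly above each of them; a `setRequireEntityIssuer(bool)` would read more consistently if the API is still open to change.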
diff --git a/saml/binding/impl/SecurityPolicy.cpp b/saml/binding/impl/SecurityPolicy.cpp
index 2bae01d..371410e 100644
--- a/saml/binding/impl/SecurityPolicy.cpp
+++ b/saml/binding/impl/SecurityPolicy.cpp
@@ -78,9 +78,11 @@ void SecurityPolicy::evaluate(const XMLObject& message, const GenericRequest* re
 void SecurityPolicy::setIssuer(const Issuer* issuer)
 {
 if (!getIssuerMatchingPolicy().issuerMatches(m_issuer, issuer))
- throw SecurityPolicyException("A rule supplied an Issuer that conflicts with previous results.");
+ throw SecurityPolicyException("An Issuer was supplied that conflicts with previous results.");
 if (!m_issuer) {
+ if (m_entityOnly && issuer->getFormat() && !XMLString::equals(issuer->getFormat(), NameIDType::ENTITY))
+ throw SecurityPolicyException("A non-entity Issuer was supplied, violating policy.");
 m_issuerRole = NULL;
 m_issuer=issuer->cloneIssuer();
 }
@@ -89,7 +91,7 @@ void SecurityPolicy::setIssuer(const Issuer* issuer)
 void SecurityPolicy::setIssuer(const XMLCh* issuer)
 {
 if (!getIssuerMatchingPolicy().issuerMatches(m_issuer, issuer))
- throw SecurityPolicyException("A rule supplied an Issuer that conflicts with previous results.");
+ throw SecurityPolicyException("An Issuer was supplied that conflicts with previous results.");
 if (!m_issuer && issuer && *issuer) {
 m_issuerRole = NULL;
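Review bot: The new format check is nested inside `if (!m_issuer)`, so it screens only the first Issuer the policy records; a later call supplying an Issuer whose value satisfies `issuerMatches` but whose Format is not NameIDType::ENTITY is accepted without error, assuming the matching policy compares values rather than formats (its implementation is not visible here). Placing the check before `if (!m_issuer)` makes every supplied Issuer subject to the policy regardless of the order in which rules run. `issuer->getFormat()` is also evaluated twice in the same condition; a local `const XMLCh* format = issuer->getFormat();` would read more clearly, and the new line dereferences `issuer` without a null check in the same way the existing `cloneIssuer()` call already does, so the precondition that `issuer` is non-null deserves a comment. The enclosing function starts inside the hunk but its closing brace lies outside it.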