From: Scott Cantor Date: Tue, 12 Dec 2006 17:28:41 +0000 (+0000) Subject: Revert to exception-based policy errors, add "secure" flag to policy to track authn. X-Git-Tag: 2.0-alpha1~125 X-Git-Url: http://www.project-moonshot.org/gitweb/?p=shibboleth%2Fcpp-opensaml.git;a=commitdiff_plain;h=6b5c75d27994ca1f9d450a81576a1bde4873edf3 Revert to exception-based policy errors, add "secure" flag to policy to track authn. --- diff --git a/saml/binding/ClientCertAuthRule.h b/saml/binding/ClientCertAuthRule.h index 6d94823..b9a39d2 100644 --- a/saml/binding/ClientCertAuthRule.h +++ b/saml/binding/ClientCertAuthRule.h @@ -20,6 +20,9 @@ * TLS client authentication SecurityPolicyRule */ +#ifndef __saml_certrule_h__ +#define __saml_certrule_h__ + #include @@ -33,6 +36,8 @@ namespace opensaml { ClientCertAuthRule(const DOMElement* e) {} virtual ~ClientCertAuthRule() {} - bool evaluate(const xmltooling::XMLObject& message, const GenericRequest* request, SecurityPolicy& policy) const; + void evaluate(const xmltooling::XMLObject& message, const GenericRequest* request, SecurityPolicy& policy) const; }; }; + +#endif /* __saml_certrule_h__ */ diff --git a/saml/binding/MessageFlowRule.h b/saml/binding/MessageFlowRule.h index fc3e816..0dfc97d 100644 --- a/saml/binding/MessageFlowRule.h +++ b/saml/binding/MessageFlowRule.h @@ -20,6 +20,9 @@ * SAML replay and freshness checking SecurityPolicyRule */ +#ifndef __saml_flowrule_h__ +#define __saml_flowrule_h__ + #include @@ -36,7 +39,7 @@ namespace opensaml { MessageFlowRule(const DOMElement* e); virtual ~MessageFlowRule() {} - bool evaluate(const xmltooling::XMLObject& message, const GenericRequest* request, SecurityPolicy& policy) const; + void evaluate(const xmltooling::XMLObject& message, const GenericRequest* request, SecurityPolicy& policy) const; /** * Controls whether rule executes replay checking. @@ -62,3 +65,5 @@ namespace opensaml { }; }; + +#endif /* __saml_flowrule_h__ */ 
diff --git a/saml/binding/SecurityPolicy.h b/saml/binding/SecurityPolicy.h index a9ab6e0..8d680d1 100644 --- a/saml/binding/SecurityPolicy.h +++ b/saml/binding/SecurityPolicy.h @@ -72,7 +72,7 @@ namespace opensaml { const saml2md::MetadataProvider* metadataProvider=NULL, const xmltooling::QName* role=NULL, const xmltooling::TrustEngine* trustEngine=NULL - ) : m_messageQName(NULL), m_messageID(NULL), m_issueInstant(0), m_issuer(NULL), m_issuerRole(NULL), + ) : m_messageQName(NULL), m_messageID(NULL), m_issueInstant(0), m_issuer(NULL), m_issuerRole(NULL), m_secure(false), m_matchingPolicy(NULL), m_metadata(metadataProvider), m_role(NULL), m_trust(trustEngine) { if (role) m_role = new xmltooling::QName(*role); @@ -92,7 +92,7 @@ namespace opensaml { const saml2md::MetadataProvider* metadataProvider=NULL, const xmltooling::QName* role=NULL, const xmltooling::TrustEngine* trustEngine=NULL - ) : m_messageQName(NULL), m_messageID(NULL), m_issueInstant(0), m_issuer(NULL), m_issuerRole(NULL), + ) : m_messageQName(NULL), m_messageID(NULL), m_issueInstant(0), m_issuer(NULL), m_issuerRole(NULL), m_secure(false), m_matchingPolicy(NULL), m_rules(rules), m_metadata(metadataProvider), m_role(NULL), m_trust(trustEngine) { if (role) m_role = new xmltooling::QName(*role); @@ -171,8 +171,8 @@ namespace opensaml { * * @param message the incoming message * @param request the protocol request - * - * @throws BindingException thrown if the request/message do not meet the requirements of this policy + * + * @throws BindingException raised if the message/request is invalid according to the supplied rules */ void evaluate(const xmltooling::XMLObject& message, const GenericRequest* request=NULL); 
@@ -227,6 +227,15 @@ namespace opensaml { } /** + * Returns the security status as determined by the registered policies. + * + * @return true iff a SecurityPolicyRule has indicated the issuer/message has been authenticated + */ + bool isSecure() const { + return m_secure; + } + + /** * Sets the message element/type as determined by the registered policies. * * @param messageQName message element/type @@ -269,6 +278,15 @@ namespace opensaml { * @param issuerRole metadata for the role the issuer is operating in */ void setIssuerMetadata(const saml2md::RoleDescriptor* issuerRole); + + /** + * Sets the security status as determined by the registered policies. + * + * @param secure indicates whether the issuer/message has been authenticated + */ + void setSecure(bool secure) { + m_secure = secure; + } /** Allows override of rules for comparing saml2:Issuer information. */ class SAML_API IssuerMatchingPolicy { @@ -324,6 +342,7 @@ namespace opensaml { time_t m_issueInstant; saml2::Issuer* m_issuer; const saml2md::RoleDescriptor* m_issuerRole; + bool m_secure; // components governing policy rules IssuerMatchingPolicy* m_matchingPolicy; diff --git a/saml/binding/SecurityPolicyRule.h b/saml/binding/SecurityPolicyRule.h index 68760f7..9a324bb 100644 --- a/saml/binding/SecurityPolicyRule.h +++ b/saml/binding/SecurityPolicyRule.h @@ -45,18 +45,13 @@ namespace opensaml { /** * Evaluates the rule against the given request and message. * - *
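Review bot: The new `m_secure` flag is write-once in practice — rules only ever call `setSecure(true)`, and the only visible path that clears it is `reset()` (in the SecurityPolicy.cpp hunk further down) — but neither `isSecure()` nor `setSecure()` documents this, and `setSecure()` is public, so a caller can assert authentication without any rule having run. I would state the contract on `isSecure()`: `@return true iff a rule (or the caller via setSecure) has authenticated the issuer of the message evaluated since the last reset(); the flag is an OR across rules and is never cleared by a failing rule`, and on `setSecure()`: `@param secure must only be set true once the issuer/message has actually been authenticated (signature or TLS); passing false would erase another rule's result`. Whether `evaluate()` itself calls `reset()` is not visible here; if it does not, the docs should also say a policy reused for a second message must be reset first, which is what the tests in this commit do explicitly.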

Exceptions should be reserved for fatal request processing errors; - * otherwise rules should return false to indicate they were not applicable - * or unsuccessful. - * * @param message the incoming message * @param request the protocol request * @param policy SecurityPolicy to provide various components and track message data - * @return true iff the rule ran successfully, false otherwise - * - * @throws BindingException thrown if the request/message is invalid in some way + * + * @throws BindingException raised if the message/request is not acceptable to the policy rule */ - virtual bool evaluate( + virtual void evaluate( const xmltooling::XMLObject& message, const GenericRequest* request, SecurityPolicy& policy ) const=0; }; diff --git a/saml/binding/SimpleSigningRule.h b/saml/binding/SimpleSigningRule.h index b8a42a4..dbe5f2f 100644 --- a/saml/binding/SimpleSigningRule.h +++ b/saml/binding/SimpleSigningRule.h @@ -20,6 +20,9 @@ * Blob-oriented signature checking SecurityPolicyRule */ +#ifndef __saml_simplesignrule_h__ +#define __saml_simplesignrule_h__ + #include @@ -34,7 +37,9 @@ namespace opensaml { SimpleSigningRule(const DOMElement* e) {} virtual ~SimpleSigningRule() {} - bool evaluate(const xmltooling::XMLObject& message, const GenericRequest* request, SecurityPolicy& policy) const; + void evaluate(const xmltooling::XMLObject& message, const GenericRequest* request, SecurityPolicy& policy) const; }; }; + +#endif /* __saml_simplesignrule_h__ */ diff --git a/saml/binding/XMLSigningRule.h b/saml/binding/XMLSigningRule.h index 0b65c62..4806282 100644 --- a/saml/binding/XMLSigningRule.h +++ b/saml/binding/XMLSigningRule.h @@ -20,6 +20,9 @@ * XML Signature checking SecurityPolicyRule */ +#ifndef __saml_xmlsignrule_h__ +#define __saml_xmlsignrule_h__ + #include 
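Review bot: The rewritten contract for `evaluate()` now says only what makes a rule throw; it no longer says how a rule reports success or inapplicability, which under the new design is done through the policy object rather than the return value. I would add to the doc comment: `A rule that authenticates the message issuer must call policy.setSecure(true). A rule that cannot run (no request, issuer metadata or trust engine available) returns without touching the policy; it must never call setSecure(false), since the flag is shared by all rules.` Without this, a future rule author has no guidance that a silent return means "not applicable" rather than "rejected", which is exactly the distinction the signing rules below rely on.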
@@ -33,7 +36,9 @@ namespace opensaml { XMLSigningRule(const DOMElement* e) {} virtual ~XMLSigningRule() {} - bool evaluate(const xmltooling::XMLObject& message, const GenericRequest* request, SecurityPolicy& policy) const; + void evaluate(const xmltooling::XMLObject& message, const GenericRequest* request, SecurityPolicy& policy) const; }; }; + +#endif /* __saml_xmlsignrule_h__ */ diff --git a/saml/binding/impl/ClientCertAuthRule.cpp b/saml/binding/impl/ClientCertAuthRule.cpp index aaa3c8c..c1c3f7d 100644 --- a/saml/binding/impl/ClientCertAuthRule.cpp +++ b/saml/binding/impl/ClientCertAuthRule.cpp @@ -17,7 +17,7 @@ /** * ClientCertAuthRule.cpp * - * XML Signature checking SecurityPolicyRule + * TLS client authentication SecurityPolicyRule */ #include "internal.h" 
@@ -43,38 +43,38 @@ namespace opensaml { } }; -bool ClientCertAuthRule::evaluate(const XMLObject& message, const GenericRequest* request, SecurityPolicy& policy) const +void ClientCertAuthRule::evaluate(const XMLObject& message, const GenericRequest* request, SecurityPolicy& policy) const { Category& log=Category::getInstance(SAML_LOGCAT".SecurityPolicyRule.ClientCertAuth"); log.debug("evaluating client certificate authentication policy"); if (!request) { log.debug("ignoring message, no protocol request available"); - return false; + return; } else if (!policy.getIssuerMetadata()) { log.debug("ignoring message, no issuer metadata supplied"); - return false; + return; } const X509TrustEngine* x509trust; if (!(x509trust=dynamic_cast(policy.getTrustEngine()))) { log.debug("ignoring message, no X509TrustEngine supplied"); - return false; + return; } const std::vector& chain = request->getClientCertificates(); if (chain.empty()) { log.debug("ignoring message, no client certificates in request"); - return false; + return; } if (!x509trust->validate(chain.front(), chain, *(policy.getIssuerMetadata()), true, policy.getMetadataProvider()->getKeyResolver())) { log.error("unable to verify certificate chain with supplied trust engine"); - return false; + return; } log.debug("client certificate verified against message issuer"); - return true; + policy.setSecure(true); } diff --git a/saml/binding/impl/MessageFlowRule.cpp b/saml/binding/impl/MessageFlowRule.cpp index b5e0882..ce04682 100644 --- a/saml/binding/impl/MessageFlowRule.cpp +++ b/saml/binding/impl/MessageFlowRule.cpp 
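Review bot: `policy.getMetadataProvider()->getKeyResolver()` in the `validate` call is the one dereference in this rule without a guard, while `request`, the issuer metadata, the trust engine and the certificate chain are each checked first. Issuer metadata can be installed directly through `setIssuerMetadata()` (the SOAPClient hunk in this commit does so), so a policy with issuer metadata but no metadata provider appears reachable; if it is, this is a null dereference on an attacker-influenced path rather than a policy failure. I would add a guard next to the existing ones: `else if (!policy.getMetadataProvider()) { log.debug("ignoring message, no metadata provider supplied"); return; }`. Note also that a presented certificate chain that fails trust validation is now indistinguishable from no certificate at all from the caller's side (both leave `isSecure()` false, differing only in log level), which is acceptable only if every caller gates on `isSecure()`.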
@@ -56,7 +56,7 @@ MessageFlowRule::MessageFlowRule(const DOMElement* e) } } -bool MessageFlowRule::evaluate(const XMLObject& message, const GenericRequest* request, SecurityPolicy& policy) const +void MessageFlowRule::evaluate(const XMLObject& message, const GenericRequest* request, SecurityPolicy& policy) const { Category& log=Category::getInstance(SAML_LOGCAT".SecurityPolicyRule.MessageFlow"); log.debug("evaluating message flow policy (replay checking %s, expiration %lu)", m_checkReplay ? "on" : "off", m_expires); @@ -94,6 +94,4 @@ bool MessageFlowRule::evaluate(const XMLObject& message, const GenericRequest* r throw BindingException("Rejecting replayed message ID ($1).", params(1,temp.get())); } } - - return true; } diff --git a/saml/binding/impl/SOAPClient.cpp b/saml/binding/impl/SOAPClient.cpp index 15aaa82..d71d59c 100644 --- a/saml/binding/impl/SOAPClient.cpp +++ b/saml/binding/impl/SOAPClient.cpp @@ -78,6 +78,7 @@ soap11::Envelope* SOAPClient::receive() issuer->setName(parent->getEntityID()); m_policy.setIssuer(issuer); m_policy.setIssuerMetadata(m_peer); + m_policy.setSecure(true); } } m_policy.evaluate(*(env.get())); diff --git a/saml/binding/impl/SecurityPolicy.cpp b/saml/binding/impl/SecurityPolicy.cpp index 4091df7..116bf44 100644 --- a/saml/binding/impl/SecurityPolicy.cpp +++ b/saml/binding/impl/SecurityPolicy.cpp @@ -68,6 +68,7 @@ void SecurityPolicy::reset() m_issueInstant=0; m_issuer=NULL; m_issuerRole=NULL; + m_secure=false; } void SecurityPolicy::evaluate(const XMLObject& message, const GenericRequest* request) diff --git a/saml/binding/impl/SimpleSigningRule.cpp b/saml/binding/impl/SimpleSigningRule.cpp index 1079e88..8acc34b 100644 --- a/saml/binding/impl/SimpleSigningRule.cpp +++ b/saml/binding/impl/SimpleSigningRule.cpp 
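Review bot: In the SOAPClient hunk, `m_policy.setSecure(true)` is called before `m_policy.evaluate(*(env.get()))` runs, and nothing in this commit ever sets the flag back to false, so any rule that fails to verify the envelope (a bad XML signature, say) cannot downgrade the result; the response is secure regardless of what the rules find. The condition guarding this block is outside the hunk, so I cannot tell whether it establishes transport-level authentication of `m_peer`; if it does, a comment should say so: `// Peer authenticated at the transport layer: mark the policy secure up front; rules can only confirm, never revoke this.` If it does not, the call should move after `evaluate()` or be dropped in favour of the rules' own verdict.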
@@ -62,36 +62,36 @@ namespace opensaml { }; -bool SimpleSigningRule::evaluate(const XMLObject& message, const GenericRequest* request, SecurityPolicy& policy) const +void SimpleSigningRule::evaluate(const XMLObject& message, const GenericRequest* request, SecurityPolicy& policy) const { Category& log=Category::getInstance(SAML_LOGCAT".SecurityPolicyRule.SimpleSigning"); log.debug("evaluating simple signing policy"); if (!policy.getIssuerMetadata()) { log.debug("ignoring message, no issuer metadata supplied"); - return false; + return; } else if (!policy.getTrustEngine()) { log.debug("ignoring message, no TrustEngine supplied"); - return false; + return; } const HTTPRequest* httpRequest = dynamic_cast(request); if (!request || !httpRequest) { log.debug("ignoring message, no HTTP protocol request available"); - return false; + return; } const char* signature = request->getParameter("Signature"); if (!signature) { log.debug("ignoring unsigned message"); - return false; + return; } const char* sigAlgorithm = request->getParameter("SigAlg"); if (!sigAlgorithm) { log.error("SigAlg parameter not found, no way to verify the signature"); - return false; + return; } string input; @@ -148,9 +148,9 @@ bool SimpleSigningRule::evaluate(const XMLObject& message, const GenericRequest* *(policy.getIssuerMetadata()), policy.getMetadataProvider()->getKeyResolver() )) { log.error("unable to verify message signature with supplied trust engine"); - return false; + return; } log.debug("signature verified against message issuer"); - return true; + policy.setSecure(true); } diff --git a/saml/binding/impl/XMLSigningRule.cpp b/saml/binding/impl/XMLSigningRule.cpp index 8675fc6..2bd4c11 100644 --- a/saml/binding/impl/XMLSigningRule.cpp +++ b/saml/binding/impl/XMLSigningRule.cpp 
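Review bot: A message that carries a `Signature` parameter but whose signature fails the trust engine (last hunk), or that has no `SigAlg` (first hunk), now logs an error and returns, leaving the policy in exactly the same state as an unsigned message. Because `m_secure` is OR-ed across rules, such a message can still end up with `isSecure()` true if a later rule authenticates the transport, so a tampered signed message would not be rejected. Given this commit reverts to exception-based policy errors, I would treat a present-but-unverifiable signature as fatal: replace the `return;` after the failed `validate()` with `throw BindingException("Message was signed, but signature could not be verified.");` and the `return;` after the missing `SigAlg` with `throw BindingException("Message was signed, but SigAlg parameter is missing.");`. The genuinely unsigned case and the missing-metadata cases can keep their silent return.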
@@ -43,24 +43,24 @@ namespace opensaml { } }; -bool XMLSigningRule::evaluate(const XMLObject& message, const GenericRequest* request, SecurityPolicy& policy) const +void XMLSigningRule::evaluate(const XMLObject& message, const GenericRequest* request, SecurityPolicy& policy) const { Category& log=Category::getInstance(SAML_LOGCAT".SecurityPolicyRule.XMLSigning"); log.debug("evaluating message signing policy"); if (!policy.getIssuerMetadata()) { log.debug("ignoring message, no issuer metadata supplied"); - return false; + return; } else if (!policy.getTrustEngine()) { log.debug("ignoring message, no TrustEngine supplied"); - return false; + return; } const SignableObject* signable = dynamic_cast(&message); if (!signable || !signable->getSignature()) { log.debug("ignoring unsigned or unrecognized message"); - return false; + return; } log.debug("validating signature profile"); @@ -70,16 +70,16 @@ bool XMLSigningRule::evaluate(const XMLObject& message, const GenericRequest* re } catch (ValidationException& ve) { log.error("signature profile failed to validate: %s", ve.what()); - return false; + return; } if (!policy.getTrustEngine()->validate( *(signable->getSignature()), *(policy.getIssuerMetadata()), policy.getMetadataProvider()->getKeyResolver() )) { log.error("unable to verify message signature with supplied trust engine"); - return false; + return; } log.debug("signature verified against message issuer"); - return true; + policy.setSecure(true); } diff --git a/saml/saml1/binding/SAML1MessageRule.h b/saml/saml1/binding/SAML1MessageRule.h index ad3f685..03a61c4 100644 --- a/saml/saml1/binding/SAML1MessageRule.h +++ b/saml/saml1/binding/SAML1MessageRule.h @@ -20,6 +20,9 @@ * SAML 1.x message extraction rule */ +#ifndef __saml_1msgrule_h__ +#define __saml_1msgrule_h__ + #include 
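Review bot: Same concern as in SimpleSigningRule: when a `ds:Signature` is present but fails profile validation (the `ValidationException` catch) or trust-engine validation (second hunk), the rule logs at error and returns, which leaves the policy indistinguishable from an unsigned message; with the flag being sticky across rules, another rule could still mark the message secure. I would make both failures fatal under the new exception-based design: in the catch block, `throw BindingException("Message signature failed profile validation.");` and after the failed `validate()`, `throw BindingException("Message was signed, but signature could not be verified.");`. The "ignoring unsigned or unrecognized message" and missing-metadata/trust-engine returns are legitimately non-fatal and should stay as they are.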
@@ -34,7 +37,9 @@ namespace opensaml { SAML1MessageRule(const DOMElement* e) {} virtual ~SAML1MessageRule() {} - bool evaluate(const xmltooling::XMLObject& message, const GenericRequest* request, SecurityPolicy& policy) const; + void evaluate(const xmltooling::XMLObject& message, const GenericRequest* request, SecurityPolicy& policy) const; }; }; }; + +#endif /* __saml_1msgrule_h__ */ diff --git a/saml/saml1/binding/impl/SAML1MessageRule.cpp b/saml/saml1/binding/impl/SAML1MessageRule.cpp index c821225..3d70d87 100644 --- a/saml/saml1/binding/impl/SAML1MessageRule.cpp +++ b/saml/saml1/binding/impl/SAML1MessageRule.cpp @@ -47,7 +47,7 @@ namespace opensaml { } }; -bool SAML1MessageRule::evaluate(const XMLObject& message, const GenericRequest* request, SecurityPolicy& policy) const +void SAML1MessageRule::evaluate(const XMLObject& message, const GenericRequest* request, SecurityPolicy& policy) const { Category& log=Category::getInstance(SAML_LOGCAT".SecurityPolicyRule.SAML1Message"); @@ -87,7 +87,7 @@ bool SAML1MessageRule::evaluate(const XMLObject& message, const GenericRequest* if (!protocol) { log.warn("issuer identity not extracted"); - return false; + return; } if (log.isDebugEnabled()) { @@ -101,23 +101,20 @@ bool SAML1MessageRule::evaluate(const XMLObject& message, const GenericRequest* if (!entity) { auto_ptr_char temp(policy.getIssuer()->getName()); log.warn("no metadata found, can't establish identity of issuer (%s)", temp.get()); - return false; + return; } log.debug("matched message issuer against metadata, searching for applicable role..."); const RoleDescriptor* roledesc=entity->getRoleDescriptor(*policy.getRole(), protocol); if (!roledesc) { log.warn("unable to find compatible role (%s) in metadata", policy.getRole()->toString().c_str()); - return false; + return; } policy.setIssuerMetadata(roledesc); - return true; } } catch (bad_cast&) { // Just trap it. log.warn("caught a bad_cast while examining message"); } - - return false; } 
diff --git a/saml/saml2/binding/SAML2MessageRule.h b/saml/saml2/binding/SAML2MessageRule.h index 1d5a6ba..1c20e2f 100644 --- a/saml/saml2/binding/SAML2MessageRule.h +++ b/saml/saml2/binding/SAML2MessageRule.h @@ -20,6 +20,9 @@ * SAML 2.0 message extraction rule */ +#ifndef __saml_2msgrule_h__ +#define __saml_2msgrule_h__ + #include @@ -34,7 +37,9 @@ namespace opensaml { SAML2MessageRule(const DOMElement* e) {} virtual ~SAML2MessageRule() {} - bool evaluate(const xmltooling::XMLObject& message, const GenericRequest* request, SecurityPolicy& policy) const; + void evaluate(const xmltooling::XMLObject& message, const GenericRequest* request, SecurityPolicy& policy) const; }; }; }; + +#endif /* __saml_2msgrule_h__ */ diff --git a/saml/saml2/binding/impl/SAML2MessageRule.cpp b/saml/saml2/binding/impl/SAML2MessageRule.cpp index fc297cf..fe604c2 100644 --- a/saml/saml2/binding/impl/SAML2MessageRule.cpp +++ b/saml/saml2/binding/impl/SAML2MessageRule.cpp @@ -45,7 +45,7 @@ namespace opensaml { } }; -bool SAML2MessageRule::evaluate(const XMLObject& message, const GenericRequest* request, SecurityPolicy& policy) const +void SAML2MessageRule::evaluate(const XMLObject& message, const GenericRequest* request, SecurityPolicy& policy) const { Category& log=Category::getInstance(SAML_LOGCAT".SecurityPolicyRule.SAML2Message"); @@ -85,7 +85,7 @@ bool SAML2MessageRule::evaluate(const XMLObject& message, const GenericRequest* if (!policy.getIssuer()) { log.warn("issuer identity not extracted"); - return false; + return; } if (log.isDebugEnabled()) { @@ -96,7 +96,7 @@ bool SAML2MessageRule::evaluate(const XMLObject& message, const GenericRequest* if (policy.getMetadataProvider() && policy.getRole()) { if (policy.getIssuer()->getFormat() && !XMLString::equals(policy.getIssuer()->getFormat(), saml2::NameIDType::ENTITY)) { log.warn("non-system entity issuer, skipping metadata lookup"); - return false; + return; } log.debug("searching metadata for message issuer..."); 
@@ -104,23 +104,20 @@ bool SAML2MessageRule::evaluate(const XMLObject& message, const GenericRequest* if (!entity) { auto_ptr_char temp(policy.getIssuer()->getName()); log.warn("no metadata found, can't establish identity of issuer (%s)", temp.get()); - return false; + return; } log.debug("matched message issuer against metadata, searching for applicable role..."); const RoleDescriptor* roledesc=entity->getRoleDescriptor(*policy.getRole(), samlconstants::SAML20P_NS); if (!roledesc) { log.warn("unable to find compatible role (%s) in metadata", policy.getRole()->toString().c_str()); - return false; + return; } policy.setIssuerMetadata(roledesc); - return true; } } catch (bad_cast&) { // Just trap it. log.warn("caught a bad_cast while examining message"); } - - return false; } diff --git a/samltest/saml1/binding/SAML1ArtifactTest.h b/samltest/saml1/binding/SAML1ArtifactTest.h index 38a95fe..7ce89e2 100644 --- a/samltest/saml1/binding/SAML1ArtifactTest.h +++ b/samltest/saml1/binding/SAML1ArtifactTest.h @@ -83,7 +83,7 @@ public: // Test the results. TSM_ASSERT_EQUALS("TARGET was not the expected result.", relayState, "state"); TSM_ASSERT("SAML Response not decoded successfully.", response.get()); - TSM_ASSERT("Message was not verified.", policy.getIssuer()!=NULL); + TSM_ASSERT("Message was not verified.", policy.isSecure()); auto_ptr_char entityID(policy.getIssuer()->getName()); TSM_ASSERT("Issuer was not expected.", !strcmp(entityID.get(),"https://idp.example.org/")); TSM_ASSERT_EQUALS("Assertion count was not correct.", response->getAssertions().size(), 1); diff --git a/samltest/saml1/binding/SAML1POSTTest.h b/samltest/saml1/binding/SAML1POSTTest.h index 5808169..8fdd35e 100644 --- a/samltest/saml1/binding/SAML1POSTTest.h +++ b/samltest/saml1/binding/SAML1POSTTest.h 
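Review bot: In the SAML1ArtifactTest hunk, replacing the `policy.getIssuer()!=NULL` assertion with `policy.isSecure()` removes the only guard before `policy.getIssuer()->getName()` on the next line; a CxxTest `TSM_ASSERT` normally records the failure and continues, so a regression that leaves the issuer unset would turn a clear assertion message into a null dereference. I would keep both checks: `TSM_ASSERT("Issuer was not extracted.", policy.getIssuer()!=NULL);` immediately before the `isSecure()` assertion. The same substitution is made in the SAML1POST, SAML2Artifact, SAML2POST and SAML2Redirect tests below and would benefit from the same guard.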
@@ -78,13 +78,13 @@ public: // Test the results. TSM_ASSERT_EQUALS("TARGET was not the expected result.", relayState, "state"); TSM_ASSERT("SAML Response not decoded successfully.", response.get()); - TSM_ASSERT("Message was not verified.", policy.getIssuer()!=NULL); + TSM_ASSERT("Message was not verified.", policy.isSecure()); auto_ptr_char entityID(policy.getIssuer()->getName()); TSM_ASSERT("Issuer was not expected.", !strcmp(entityID.get(),"https://idp.example.org/")); TSM_ASSERT_EQUALS("Assertion count was not correct.", response->getAssertions().size(), 1); // Trigger a replay. - policy.reset(); + policy.reset(); TSM_ASSERT_THROWS("Did not catch the replay.", decoder->decode(relayState,*this,policy), BindingException); } catch (XMLToolingException& ex) { diff --git a/samltest/saml2/binding/SAML2ArtifactTest.h b/samltest/saml2/binding/SAML2ArtifactTest.h index dc968ef..593df73 100644 --- a/samltest/saml2/binding/SAML2ArtifactTest.h +++ b/samltest/saml2/binding/SAML2ArtifactTest.h @@ -73,7 +73,7 @@ public: // Test the results. TSM_ASSERT_EQUALS("RelayState was not the expected result.", relayState, "state"); TSM_ASSERT("SAML Response not decoded successfully.", response.get()); - TSM_ASSERT("Message was not verified.", policy.getIssuer()!=NULL); + TSM_ASSERT("Message was not verified.", policy.isSecure()); auto_ptr_char entityID(policy.getIssuer()->getName()); TSM_ASSERT("Issuer was not expected.", !strcmp(entityID.get(),"https://idp.example.org/")); TSM_ASSERT_EQUALS("Assertion count was not correct.", response->getAssertions().size(), 1); diff --git a/samltest/saml2/binding/SAML2POSTTest.h b/samltest/saml2/binding/SAML2POSTTest.h index ec94a04..4737679 100644 --- a/samltest/saml2/binding/SAML2POSTTest.h +++ b/samltest/saml2/binding/SAML2POSTTest.h 
@@ -78,13 +78,13 @@ public: // Test the results. TSM_ASSERT_EQUALS("RelayState was not the expected result.", relayState, "state"); TSM_ASSERT("SAML Response not decoded successfully.", response.get()); - TSM_ASSERT("Message was not verified.", policy.getIssuer()!=NULL); + TSM_ASSERT("Message was not verified.", policy.isSecure()); auto_ptr_char entityID(policy.getIssuer()->getName()); TSM_ASSERT("Issuer was not expected.", !strcmp(entityID.get(),"https://idp.example.org/")); TSM_ASSERT_EQUALS("Assertion count was not correct.", response->getAssertions().size(), 1); // Trigger a replay. - policy.reset(); + policy.reset(); TSM_ASSERT_THROWS("Did not catch the replay.", decoder->decode(relayState,*this,policy), BindingException); } catch (XMLToolingException& ex) { @@ -140,13 +140,13 @@ public: // Test the results. TSM_ASSERT_EQUALS("RelayState was not the expected result.", relayState, "state"); TSM_ASSERT("SAML Response not decoded successfully.", response.get()); - TSM_ASSERT("Message was not verified.", policy.getIssuer()!=NULL); + TSM_ASSERT("Message was not verified.", policy.isSecure()); auto_ptr_char entityID(policy.getIssuer()->getName()); TSM_ASSERT("Issuer was not expected.", !strcmp(entityID.get(),"https://idp.example.org/")); TSM_ASSERT_EQUALS("Assertion count was not correct.", response->getAssertions().size(), 1); // Trigger a replay. - policy.reset(); + policy.reset(); TSM_ASSERT_THROWS("Did not catch the replay.", decoder->decode(relayState,*this,policy), BindingException); } catch (XMLToolingException& ex) { diff --git a/samltest/saml2/binding/SAML2RedirectTest.h b/samltest/saml2/binding/SAML2RedirectTest.h index 96c0504..f0891f5 100644 --- a/samltest/saml2/binding/SAML2RedirectTest.h +++ b/samltest/saml2/binding/SAML2RedirectTest.h 
@@ -68,13 +68,13 @@ public: // Test the results. TSM_ASSERT_EQUALS("RelayState was not the expected result.", relayState, "state"); TSM_ASSERT("SAML Response not decoded successfully.", response.get()); - TSM_ASSERT("Message was not verified.", policy.getIssuer()!=NULL); + TSM_ASSERT("Message was not verified.", policy.isSecure()); auto_ptr_char entityID(policy.getIssuer()->getName()); TSM_ASSERT("Issuer was not expected.", !strcmp(entityID.get(),"https://idp.example.org/")); TSM_ASSERT_EQUALS("Assertion count was not correct.", response->getAssertions().size(), 1); // Trigger a replay. - policy.reset(); + policy.reset(); TSM_ASSERT_THROWS("Did not catch the replay.", decoder->decode(relayState,*this,policy), BindingException); } catch (XMLToolingException& ex) {