From 6056cca67278d65c4343928e4ceaebd1d6f04920 Mon Sep 17 00:00:00 2001 From: Scott Cantor Date: Fri, 2 Mar 2007 21:46:57 +0000 Subject: [PATCH] Add XML validation flag to policy. --- saml/binding/MessageDecoder.h | 38 ++--------------------- saml/binding/SOAPClient.h | 4 +-- saml/binding/SecurityPolicy.h | 39 ++++++++++++++++++++---- saml/saml1/binding/impl/SAML1POSTDecoder.cpp | 4 +-- saml/saml1/binding/impl/SAML1SOAPDecoder.cpp | 4 +-- saml/saml2/binding/impl/SAML2POSTDecoder.cpp | 4 +-- saml/saml2/binding/impl/SAML2RedirectDecoder.cpp | 4 +-- saml/saml2/binding/impl/SAML2SOAPDecoder.cpp | 4 +-- 8 files changed, 48 insertions(+), 53 deletions(-) diff --git a/saml/binding/MessageDecoder.h b/saml/binding/MessageDecoder.h index 9d1c8e5..d797f83 100644 --- a/saml/binding/MessageDecoder.h +++ b/saml/binding/MessageDecoder.h @@ -68,25 +68,11 @@ namespace opensaml { MAKE_NONCOPYABLE(ArtifactResolver); protected: ArtifactResolver() {} - - /** Flag controlling schema validation. */ - bool m_validate; public: virtual ~ArtifactResolver() {} /** - * Controls schema validation of incoming XML messages. - * This is separate from other forms of programmatic validation of objects, - * but can detect a much wider range of syntax errors. - * - * @param validate true iff the resolver should use a validating XML parser - */ - void setValidating(bool validate=true) { - m_validate = validate; - } - - /** * Resolves one or more SAML 1.x artifacts into a response containing a set of * resolved Assertions. The caller is responsible for the resulting Response. * The supplied SecurityPolicy is used to access caller-supplied infrastructure 
@@ -128,26 +114,11 @@ namespace opensaml { * * @param artifactResolver an ArtifactResolver implementation to use */ - void setArtifactResolver(ArtifactResolver* artifactResolver) { + void setArtifactResolver(const ArtifactResolver* artifactResolver) { m_artifactResolver = artifactResolver; - if (m_artifactResolver) - m_artifactResolver->setValidating(m_validate); } /** - * Controls schema validation of incoming XML messages. - * This is separate from other forms of programmatic validation of objects, - * but can detect a much wider range of syntax errors. - * - * @param validate true iff the decoder should use a validating XML parser - */ - void setValidating(bool validate=true) { - m_validate = validate; - if (m_artifactResolver) - m_artifactResolver->setValidating(m_validate); - } - - /** * Decodes a transport request into a SAML protocol message, and evaluates it * against a supplied SecurityPolicy. If the transport request does not contain * the information necessary to decode the request, NULL will be returned. @@ -168,13 +139,10 @@ namespace opensaml { ) const=0; protected: - MessageDecoder() : m_artifactResolver(NULL), m_validate(false) {} + MessageDecoder() : m_artifactResolver(NULL) {} /** Pointer to an ArtifactResolver implementation. */ - ArtifactResolver* m_artifactResolver; - - /** Flag controlling schema validation. */ - bool m_validate; + const ArtifactResolver* m_artifactResolver; }; /** diff --git a/saml/binding/SOAPClient.h b/saml/binding/SOAPClient.h index e26be48..433e44a 100644 --- a/saml/binding/SOAPClient.h +++ b/saml/binding/SOAPClient.h 
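Review bot: The doc comment on `setArtifactResolver` should now say where a resolver gets its validation setting, because this hunk removes the `m_artifactResolver->setValidating(m_validate)` propagation and the resolver no longer carries a flag of its own. Presumably implementations are meant to read it from the SecurityPolicy handed to their resolve methods; if so, add a line such as `The resolver takes its XML validation setting from the SecurityPolicy passed to its resolve methods.` Without that, an implementation that parses the artifact response itself could end up on the non-validating parser unnoticed. The class body continues outside the hunk.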
@@ -40,8 +40,8 @@ namespace opensaml { * @param policy reference to SecurityPolicy to apply * @param validating controls schema validation */ - SOAPClient(SecurityPolicy& policy, bool validating=false) - : soap11::SOAPClient(validating), m_policy(policy), m_force(true), m_peer(NULL) {} + SOAPClient(SecurityPolicy& policy) + : soap11::SOAPClient(policy.getValidating()), m_policy(policy), m_force(true), m_peer(NULL) {} virtual ~SOAPClient() {} diff --git a/saml/binding/SecurityPolicy.h b/saml/binding/SecurityPolicy.h index 1870595..2fcdbb7 100644 --- a/saml/binding/SecurityPolicy.h +++ b/saml/binding/SecurityPolicy.h @@ -67,13 +67,16 @@ namespace opensaml { * @param metadataProvider locked MetadataProvider instance * @param role identifies the role (generally IdP or SP) of the policy peer * @param trustEngine TrustEngine to authenticate policy peer + * @param validate true iff XML parsing should be done with validation */ SecurityPolicy( const saml2md::MetadataProvider* metadataProvider=NULL, const xmltooling::QName* role=NULL, - const xmltooling::TrustEngine* trustEngine=NULL - ) : m_messageQName(NULL), m_messageID(NULL), m_issueInstant(0), m_issuer(NULL), m_issuerRole(NULL), m_secure(false), - m_matchingPolicy(NULL), m_metadata(metadataProvider), m_role(NULL), m_trust(trustEngine) { + const xmltooling::TrustEngine* trustEngine=NULL, + bool validate=true + ) : m_messageQName(NULL), m_messageID(NULL), m_issueInstant(0), + m_issuer(NULL), m_issuerRole(NULL), m_secure(false), m_matchingPolicy(NULL), + m_metadata(metadataProvider), m_role(NULL), m_trust(trustEngine), m_validate(validate) { if (role) m_role = new xmltooling::QName(*role); } 
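Review bot: The context line `@param validating controls schema validation` is left in the constructor's doc comment although the parameter is gone. It should be dropped, and the `policy` line can carry the new behaviour, e.g. `@param policy reference to SecurityPolicy to apply; also supplies the schema validation setting`. The constructor is now callable with a single argument, so marking it `explicit` would keep a SecurityPolicy from converting to a SOAPClient implicitly. The class body continues outside the hunk.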
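Review bot: The new `@param validate` line does not say that validation is now on by default, while the defaults this patch removes (`m_validate(false)` in MessageDecoder, `validating=false` in SOAPClient) were off; the same applies to the second constructor in the `-86,14` hunk. Going by the decoder hunks later in the patch, a true value selects the validating parser and skips `SchemaValidators.validate(...)`, and false does the reverse. I would spell that out: `@param validate true (the default) parses with the validating parser; false uses the plain parser and the programmatic SchemaValidators instead`. Deployments that relied on the old default will presumably need schemas available to the validating parser, which is worth a line in the release notes.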
@@ -86,14 +89,17 @@ namespace opensaml { * @param metadataProvider locked MetadataProvider instance * @param role identifies the role (generally IdP or SP) of the policy peer * @param trustEngine TrustEngine to authenticate policy peer + * @param validate true iff XML parsing should be done with validation */ SecurityPolicy( const std::vector& rules, const saml2md::MetadataProvider* metadataProvider=NULL, const xmltooling::QName* role=NULL, - const xmltooling::TrustEngine* trustEngine=NULL - ) : m_messageQName(NULL), m_messageID(NULL), m_issueInstant(0), m_issuer(NULL), m_issuerRole(NULL), m_secure(false), - m_matchingPolicy(NULL), m_rules(rules), m_metadata(metadataProvider), m_role(NULL), m_trust(trustEngine) { + const xmltooling::TrustEngine* trustEngine=NULL, + bool validate=true + ) : m_messageQName(NULL), m_messageID(NULL), m_issueInstant(0), + m_issuer(NULL), m_issuerRole(NULL), m_secure(false), m_matchingPolicy(NULL), + m_rules(rules), m_metadata(metadataProvider), m_role(NULL), m_trust(trustEngine), m_validate(validate) { if (role) m_role = new xmltooling::QName(*role); } @@ -128,6 +134,15 @@ namespace opensaml { } /** + * Returns XML message validation setting. + * + * @return validation flag + */ + bool getValidating() const { + return m_validate; + } + + /** * Adds a SecurityPolicyRule to the policy. The lifetime of the policy rule * must be at least as long as the policy object. * @@ -166,6 +181,17 @@ namespace opensaml { } /** + * Controls schema validation of incoming XML messages. + * This is separate from other forms of programmatic validation of objects, + * but can detect a much wider range of syntax errors. + * + * @param validate validation setting + */ + void setValidating(bool validate=true) { + m_validate = validate; + } + + /** * Evaluates the policy against the given request and message, * possibly populating message information in the policy object. * 
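Review bot: `setValidating` is documented as controlling validation of incoming messages, but the SOAPClient constructor changed in this patch passes `policy.getValidating()` to `soap11::SOAPClient` at construction, so a later call on the policy would not reach a client that already exists (assuming the base class stores the value, which is not visible here). The decoders, by contrast, read the flag inside each `decode()`. The comment should state this, e.g. `Takes effect on the next decode; a SOAPClient built from this policy keeps the setting it was constructed with.` The class body continues outside the hunk.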
@@ -350,6 +376,7 @@ namespace opensaml { const saml2md::MetadataProvider* m_metadata; xmltooling::QName* m_role; const xmltooling::TrustEngine* m_trust; + bool m_validate; }; }; diff --git a/saml/saml1/binding/impl/SAML1POSTDecoder.cpp b/saml/saml1/binding/impl/SAML1POSTDecoder.cpp index 7815c19..2c823ae 100644 --- a/saml/saml1/binding/impl/SAML1POSTDecoder.cpp +++ b/saml/saml1/binding/impl/SAML1POSTDecoder.cpp @@ -87,7 +87,7 @@ XMLObject* SAML1POSTDecoder::decode( XMLString::release(&decoded); // Parse and bind the document into an XMLObject. - DOMDocument* doc = (m_validate ? XMLToolingConfig::getConfig().getValidatingParser() + DOMDocument* doc = (policy.getValidating() ? XMLToolingConfig::getConfig().getValidatingParser() : XMLToolingConfig::getConfig().getParser()).parse(is); XercesJanitor janitor(doc); auto_ptr xmlObject(XMLObjectBuilder::buildOneFromElement(doc->getDocumentElement(), true)); @@ -97,7 +97,7 @@ XMLObject* SAML1POSTDecoder::decode( if (!response) throw BindingException("Decoded message was not a SAML 1.x Response."); - if (!m_validate) + if (!policy.getValidating()) SchemaValidators.validate(xmlObject.get()); // Run through the policy. diff --git a/saml/saml1/binding/impl/SAML1SOAPDecoder.cpp b/saml/saml1/binding/impl/SAML1SOAPDecoder.cpp index 3ebdc0c..a6e51f3 100644 --- a/saml/saml1/binding/impl/SAML1SOAPDecoder.cpp +++ b/saml/saml1/binding/impl/SAML1SOAPDecoder.cpp @@ -73,7 +73,7 @@ XMLObject* SAML1SOAPDecoder::decode( istringstream is(data); // Parse and bind the document into an XMLObject. - DOMDocument* doc = (m_validate ? XMLToolingConfig::getConfig().getValidatingParser() + DOMDocument* doc = (policy.getValidating() ? XMLToolingConfig::getConfig().getValidatingParser() : XMLToolingConfig::getConfig().getParser()).parse(is); XercesJanitor janitor(doc); auto_ptr xmlObject(XMLObjectBuilder::buildOneFromElement(doc->getDocumentElement(), true)); 
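Review bot: `policy.getValidating()` is evaluated twice in `SAML1POSTDecoder::decode`, once to choose the parser and again in the `-97,7` hunk to decide whether `SchemaValidators.validate` runs, and the message is only checked if the two reads agree. With the flag now on a mutable policy object rather than on the decoder, reading it once keeps the pair consistent: add `const bool validating = policy.getValidating();` before the parse and test `validating` in both places. The same pattern appears in the SAML1SOAPDecoder, SAML2POSTDecoder, SAML2RedirectDecoder and SAML2SOAPDecoder hunks. Each `decode` body starts and ends outside its hunks.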
@@ -83,7 +83,7 @@ XMLObject* SAML1SOAPDecoder::decode( if (!env) throw BindingException("Decoded message was not a SOAP 1.1 Envelope."); - if (!m_validate) + if (!policy.getValidating()) SchemaValidators.validate(env); Body* body = env->getBody(); diff --git a/saml/saml2/binding/impl/SAML2POSTDecoder.cpp b/saml/saml2/binding/impl/SAML2POSTDecoder.cpp index 5f763f5..90d0b63 100644 --- a/saml/saml2/binding/impl/SAML2POSTDecoder.cpp +++ b/saml/saml2/binding/impl/SAML2POSTDecoder.cpp @@ -92,7 +92,7 @@ XMLObject* SAML2POSTDecoder::decode( XMLString::release(&decoded); // Parse and bind the document into an XMLObject. - DOMDocument* doc = (m_validate ? XMLToolingConfig::getConfig().getValidatingParser() + DOMDocument* doc = (policy.getValidating() ? XMLToolingConfig::getConfig().getValidatingParser() : XMLToolingConfig::getConfig().getParser()).parse(is); XercesJanitor janitor(doc); auto_ptr xmlObject(XMLObjectBuilder::buildOneFromElement(doc->getDocumentElement(), true)); @@ -111,7 +111,7 @@ XMLObject* SAML2POSTDecoder::decode( root = static_cast(request); } - if (!m_validate) + if (!policy.getValidating()) SchemaValidators.validate(xmlObject.get()); // Run through the policy. diff --git a/saml/saml2/binding/impl/SAML2RedirectDecoder.cpp b/saml/saml2/binding/impl/SAML2RedirectDecoder.cpp index 489f709..63a324a 100644 --- a/saml/saml2/binding/impl/SAML2RedirectDecoder.cpp +++ b/saml/saml2/binding/impl/SAML2RedirectDecoder.cpp @@ -106,7 +106,7 @@ XMLObject* SAML2RedirectDecoder::decode( XMLString::release(&decoded); // Parse and bind the document into an XMLObject. - DOMDocument* doc = (m_validate ? XMLToolingConfig::getConfig().getValidatingParser() + DOMDocument* doc = (policy.getValidating() ? XMLToolingConfig::getConfig().getValidatingParser() : XMLToolingConfig::getConfig().getParser()).parse(s); XercesJanitor janitor(doc); auto_ptr xmlObject(XMLObjectBuilder::buildOneFromElement(doc->getDocumentElement(), true)); 
@@ -125,7 +125,7 @@ XMLObject* SAML2RedirectDecoder::decode( root = static_cast(request); } - if (!m_validate) + if (!policy.getValidating()) SchemaValidators.validate(xmlObject.get()); // Run through the policy. diff --git a/saml/saml2/binding/impl/SAML2SOAPDecoder.cpp b/saml/saml2/binding/impl/SAML2SOAPDecoder.cpp index 2ac83b9..f2fb1a9 100644 --- a/saml/saml2/binding/impl/SAML2SOAPDecoder.cpp +++ b/saml/saml2/binding/impl/SAML2SOAPDecoder.cpp @@ -73,7 +73,7 @@ XMLObject* SAML2SOAPDecoder::decode( istringstream is(data); // Parse and bind the document into an XMLObject. - DOMDocument* doc = (m_validate ? XMLToolingConfig::getConfig().getValidatingParser() + DOMDocument* doc = (policy.getValidating() ? XMLToolingConfig::getConfig().getValidatingParser() : XMLToolingConfig::getConfig().getParser()).parse(is); XercesJanitor janitor(doc); auto_ptr xmlObject(XMLObjectBuilder::buildOneFromElement(doc->getDocumentElement(), true)); @@ -83,7 +83,7 @@ XMLObject* SAML2SOAPDecoder::decode( if (!env) throw BindingException("Decoded message was not a SOAP 1.1 Envelope."); - if (!m_validate) + if (!policy.getValidating()) SchemaValidators.validate(env); Body* body = env->getBody(); -- 2.1.4