From bf32f9265ac717ee1537ec442e5a2d54e169d486 Mon Sep 17 00:00:00 2001 From: Scott Cantor Date: Sun, 11 Mar 2007 04:58:33 +0000 Subject: [PATCH] Scale back logging.
---
 saml/binding/impl/ClientCertAuthRule.cpp | 12 ++++-------- saml/binding/impl/MessageFlowRule.cpp | 17 ++++++++--------- saml/binding/impl/SimpleSigningRule.cpp | 9 ++------- saml/binding/impl/XMLSigningRule.cpp | 5 +---- saml/saml.vcproj | 8 ++++---- saml/saml1/binding/impl/SAML1MessageRule.cpp | 2 -- saml/saml2/binding/impl/SAML2MessageRule.cpp | 1 - 7 files changed, 19 insertions(+), 35 deletions(-)
diff --git a/saml/binding/impl/ClientCertAuthRule.cpp b/saml/binding/impl/ClientCertAuthRule.cpp
index 4662392..f185090 100644
--- a/saml/binding/impl/ClientCertAuthRule.cpp
+++ b/saml/binding/impl/ClientCertAuthRule.cpp
@@ -55,13 +55,11 @@ namespace opensaml {
 void ClientCertAuthRule::evaluate(const XMLObject& message, const GenericRequest* request, SecurityPolicy& policy) const
 {
 Category& log=Category::getInstance(SAML_LOGCAT".SecurityPolicyRule.ClientCertAuth");
- log.debug("evaluating client certificate authentication policy");
- if (!request) {
- log.debug("ignoring message, no protocol request available");
+ if (!request)
 return;
- }
- else if (!policy.getIssuerMetadata()) {
+
+ if (!policy.getIssuerMetadata()) {
 log.debug("ignoring message, no issuer metadata supplied");
 return;
 }
@@ -73,10 +71,8 @@ void ClientCertAuthRule::evaluate(const XMLObject& message, const GenericRequest
 }
 const std::vector& chain = request->getClientCertificates();
- if (chain.empty()) {
- log.debug("ignoring message, no client certificates in request");
+ if (chain.empty())
 return;
- }
 if (!x509trust->validate(chain.front(), chain, *(policy.getIssuerMetadata()), true, policy.getMetadataProvider()->getKeyResolver())) {
diff --git a/saml/binding/impl/MessageFlowRule.cpp b/saml/binding/impl/MessageFlowRule.cpp
index 93a2649..1b19ae1 100644
--- a/saml/binding/impl/MessageFlowRule.cpp
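Review bot: The rule's abstain paths are now logged inconsistently: `if (!request) return;` and `if (chain.empty()) return;` are silent, while the `!policy.getIssuerMetadata()` branch between them keeps `log.debug("ignoring message, no issuer metadata supplied")`, although all three mean the same thing, that the rule made no determination about the issuer. If the goal is to silence rule skips, that debug line should go as well; if not, the `chain.empty()` case is the one worth keeping at debug, because it is the path where a peer that could have authenticated with a TLS client certificate presented none and the message proceeds unauthenticated by this rule. Either way a comment on the silent return would help, e.g. `// No client certificate presented: this rule abstains rather than fails; whether an unauthenticated issuer is acceptable is presumably decided by the caller — confirm`. The body of the `if (!x509trust->validate(...))` branch on the hunk's last line, and the lines between the two hunks, are outside the hunk.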
+++ b/saml/binding/impl/MessageFlowRule.cpp
@@ -78,38 +78,37 @@ void MessageFlowRule::evaluate(const XMLObject& message, const GenericRequest* r
 time_t skew = XMLToolingConfig::getConfig().clock_skew_secs;
 time_t issueInstant = policy.getIssueInstant();
 if (issueInstant == 0) {
- log.debug("unknown message timestamp, assuming current time for replay checking");
 issueInstant = now;
 }
 else {
 if (issueInstant > now + skew) {
 log.errorStream() << "rejected not-yet-valid message, timestamp (" << issueInstant << "), newest allowed (" << now + skew << ")" << CategoryStream::ENDLINE;
- throw BindingException("Message rejected, was issued in the future.");
+ throw SecurityPolicyException("Message rejected, was issued in the future.");
 }
 else if (issueInstant < now - skew - m_expires) {
 log.errorStream() << "rejected expired message, timestamp (" << issueInstant << "), oldest allowed (" << (now - skew - m_expires) << ")" << CategoryStream::ENDLINE;
- throw BindingException("Message expired, was issued too long ago.");
+ throw SecurityPolicyException("Message expired, was issued too long ago.");
 }
 }
 // Check replay.
 if (m_checkReplay) {
+ const XMLCh* id = policy.getMessageID();
+ if (!id || !*id)
+ return;
+
 ReplayCache* replayCache = XMLToolingConfig::getConfig().getReplayCache();
 if (!replayCache) {
 log.warn("no ReplayCache available, skipping requested replay check");
 return;
 }
- const XMLCh* id = policy.getMessageID();
- if (!id || !*id) {
- log.debug("unknown message ID, no replay check possible");
- return;
- }
+
 auto_ptr_char temp(id);
 if (!replayCache->check("MessageFlow", temp.get(), issueInstant + skew + m_expires)) {
 log.error("replay detected of message ID (%s)", temp.get());
- throw BindingException("Rejecting replayed message ID ($1).", params(1,temp.get()));
+ throw SecurityPolicyException("Rejecting replayed message ID ($1).", params(1,temp.get()));
 }
 }
 }
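Review bot: With replay checking requested, the new `if (!id || !*id) return;` skips the check silently, while the very next condition, no ReplayCache, still records the skip with `log.warn("no ReplayCache available, skipping requested replay check")`. Both are cases where a configured replay check did not happen, so the missing-ID path deserves the same severity rather than nothing, e.g. `if (!id || !*id) { log.warn("no message ID available, skipping requested replay check"); return; }` — a message that omits its ID would otherwise bypass replay detection without leaving any trace. Separately, the switch from `BindingException` to `SecurityPolicyException` on the three throws is not covered by the commit message ("Scale back logging"); unless `SecurityPolicyException` derives from `BindingException`, any caller catching the latter around this rule changes behaviour, so it is worth a mention in the description. The start of `evaluate` (where `now` and `log` are set) is above the hunk.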
diff --git a/saml/binding/impl/SimpleSigningRule.cpp b/saml/binding/impl/SimpleSigningRule.cpp
index c27f7c2..82f98d9 100644
--- a/saml/binding/impl/SimpleSigningRule.cpp
+++ b/saml/binding/impl/SimpleSigningRule.cpp
@@ -90,7 +90,6 @@ SimpleSigningRule::SimpleSigningRule(const DOMElement* e) : m_errorsFatal(false)
 void SimpleSigningRule::evaluate(const XMLObject& message, const GenericRequest* request, SecurityPolicy& policy) const
 {
 Category& log=Category::getInstance(SAML_LOGCAT".SecurityPolicyRule.SimpleSigning");
- log.debug("evaluating simple signing policy");
 if (!policy.getIssuerMetadata()) {
 log.debug("ignoring message, no issuer metadata supplied");
@@ -102,16 +101,12 @@ void SimpleSigningRule::evaluate(const XMLObject& message, const GenericRequest*
 }
 const HTTPRequest* httpRequest = dynamic_cast(request);
- if (!request || !httpRequest) {
- log.debug("ignoring message, no HTTP protocol request available");
+ if (!request || !httpRequest)
 return;
- }
 const char* signature = request->getParameter("Signature");
- if (!signature) {
- log.debug("ignoring unsigned message");
+ if (!signature)
 return;
- }
 const char* sigAlgorithm = request->getParameter("SigAlg");
 if (!sigAlgorithm) {
diff --git a/saml/binding/impl/XMLSigningRule.cpp b/saml/binding/impl/XMLSigningRule.cpp
index fab79bc..bd2c5e6 100644
--- a/saml/binding/impl/XMLSigningRule.cpp
+++ b/saml/binding/impl/XMLSigningRule.cpp
@@ -70,7 +70,6 @@ XMLSigningRule::XMLSigningRule(const DOMElement* e) : m_errorsFatal(false)
 void XMLSigningRule::evaluate(const XMLObject& message, const GenericRequest* request, SecurityPolicy& policy) const
 {
 Category& log=Category::getInstance(SAML_LOGCAT".SecurityPolicyRule.XMLSigning");
- log.debug("evaluating message signing policy");
 if (!policy.getIssuerMetadata()) {
 log.debug("ignoring message, no issuer metadata supplied");
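Review bot: `!request ||` in the new `if (!request || !httpRequest) return;` is redundant: `httpRequest` is the `dynamic_cast` of `request`, and a `dynamic_cast` of a null pointer yields a null pointer, so `if (!httpRequest) return;` covers both cases and reads as the single condition it is. The more consequential effect of the hunk is that an unsigned message now leaves no trace at all at `if (!signature) return;`, while the `!policy.getIssuerMetadata()` skip above it keeps its debug line; for a signing rule the unsigned case is the abstention an operator most needs when asking why a message was accepted, so either keep that one debug line or annotate the return, e.g. `// Unsigned message: this rule abstains; whether an unsigned message is acceptable is presumably decided by the caller or other rules — confirm`. The same applies to XMLSigningRule's `if (!signable || !signable->getSignature()) return;` in that file's second hunk. The remainder of `evaluate` (the SigAlg handling after `if (!sigAlgorithm) {`) is outside the hunk.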
@@ -82,10 +81,8 @@ void XMLSigningRule::evaluate(const XMLObject& message, const GenericRequest* re } const SignableObject* signable = dynamic_cast(&message); - if (!signable || !signable->getSignature()) { - log.debug("ignoring unsigned or unrecognized message"); + if (!signable || !signable->getSignature()) return; - } log.debug("validating signature profile"); try { diff --git a/saml/saml.vcproj b/saml/saml.vcproj index 8681d6a..200de7a 100644 --- a/saml/saml.vcproj +++ b/saml/saml.vcproj @@ -283,6 +283,10 @@ RelativePath=".\saml1\profile\AssertionValidator.cpp" > + + - - (message); diff --git a/saml/saml2/binding/impl/SAML2MessageRule.cpp b/saml/saml2/binding/impl/SAML2MessageRule.cpp index c1e632a..26a2ba4 100644 --- a/saml/saml2/binding/impl/SAML2MessageRule.cpp +++ b/saml/saml2/binding/impl/SAML2MessageRule.cpp @@ -63,7 +63,6 @@ void SAML2MessageRule::evaluate(const XMLObject& message, const GenericRequest* if (!XMLString::equals(q.getNamespaceURI(), samlconstants::SAML20P_NS)&& !XMLString::equals(q.getNamespaceURI(), samlconstants::SAML20_NS)) { - log.debug("not a SAML 2.0 protocol message or assertion"); return; } -- 2.1.4