From c0b92549e28e1fca5e7c4a8d09dc06fd09f65292 Mon Sep 17 00:00:00 2001 From: Scott Cantor Date: Mon, 23 Oct 2006 03:10:48 +0000 Subject: [PATCH] Replace "trusted" output flag with security mech ID. --- saml/binding/MessageDecoder.h | 17 ++++---- saml/saml1/binding/SAML1ArtifactDecoder.h | 2 +- saml/saml1/binding/SAML1POSTDecoder.h | 2 +- saml/saml1/binding/impl/SAML1ArtifactDecoder.cpp | 16 ++++---- saml/saml1/binding/impl/SAML1POSTDecoder.cpp | 16 ++++---- saml/saml2/binding/SAML2ArtifactDecoder.h | 2 +- saml/saml2/binding/SAML2POSTDecoder.h | 2 +- saml/saml2/binding/impl/SAML2ArtifactDecoder.cpp | 22 ++++++----- saml/saml2/binding/impl/SAML2POSTDecoder.cpp | 14 ++++--- samltest/saml1/binding/SAML1ArtifactTest.h | 49 ++++++++++++++++++++---- samltest/saml1/binding/SAML1POSTTest.h | 14 +++---- samltest/saml2/binding/SAML2ArtifactTest.h | 14 +++---- samltest/saml2/binding/SAML2POSTTest.h | 14 +++---- 13 files changed, 112 insertions(+), 72 deletions(-) diff --git a/saml/binding/MessageDecoder.h b/saml/binding/MessageDecoder.h index a55f0a7..70a4768 100644 --- a/saml/binding/MessageDecoder.h +++ b/saml/binding/MessageDecoder.h 
@@ -175,14 +175,14 @@ namespace opensaml { * Resolves one or more SAML 1.x artifacts into a response containing a set of * resolved Assertions. The caller is responsible for the resulting Response. * - * @param authenticated output flag set to true iff the resolution channel was authenticated + * @param securityMech will be set to identifier of security mechanism that authenticated the resolution * @param artifacts one or more SAML 1.x artifacts * @param idpDescriptor reference to IdP role of artifact issuer * @param trustEngine optional pointer to X509TrustEngine supplied to MessageDecoder * @return the corresponding SAML Assertions wrapped in a Response. */ virtual saml1p::Response* resolve( - bool& authenticated, + const XMLCh*& securityMech, const std::vector& artifacts, const saml2md::IDPSSODescriptor& idpDescriptor, const X509TrustEngine* trustEngine=NULL @@ -192,14 +192,14 @@ namespace opensaml { * Resolves a SAML 2.0 artifact into the corresponding SAML protocol message. * The caller is responsible for the resulting ArtifactResponse message. * - * @param authenticated output flag set to true iff the resolution channel was authenticated + * @param securityMech will be set to identifier of security mechanism that authenticated the resolution * @param artifact reference to a SAML 2.0 artifact * @param ssoDescriptor reference to SSO role of artifact issuer (may be SP or IdP) * @param trustEngine optional pointer to X509TrustEngine supplied to MessageDecoder * @return the corresponding SAML protocol message or NULL */ virtual saml2p::ArtifactResponse* resolve( - bool& authenticated, + const XMLCh*& securityMech, const saml2p::SAML2Artifact& artifact, const saml2md::SSODescriptorType& ssoDescriptor, const X509TrustEngine* trustEngine=NULL @@ -245,10 +245,9 @@ namespace opensaml { *
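Review bot: The new `@param securityMech` text on both `resolve` overloads (hunks @@ -175 and @@ -192) does not say what the value is when the resolution channel was not authenticated, which is the case every caller in this commit tests for by checking the pointer against NULL. I would extend it to `@param securityMech will be set to identifier of security mechanism that authenticated the resolution, or left NULL if the channel was not authenticated`. Stating the NULL contract in the interface header is what lets the decoder implementations rely on it when they decide whether to log the "leaving untrusted" warning.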

In some cases, a message may be returned but not authenticated. The caller * should examine the issuerTrusted output value to establish this. * - * @param relayState RelayState/TARGET value accompanying message - * @param issuer role descriptor of issuing party - * @param issuerTrusted output flag set to true iff the message was authenticated - * (signed or obtained via secure backchannel) + * @param relayState will be set to RelayState/TARGET value accompanying message + * @param issuer will be set to role descriptor of issuing party, if known + * @param securityMech will be set to identifier of security mechanism that authenticates the message * @param httpRequest reference to interface for accessing HTTP message to decode * @param metadataProvider optional MetadataProvider instance to authenticate the message * @param role optional, identifies the role (generally IdP or SP) of the peer who issued the message @@ -258,7 +257,7 @@ namespace opensaml { virtual xmltooling::XMLObject* decode( std::string& relayState, const saml2md::RoleDescriptor*& issuer, - bool& issuerTrusted, + const XMLCh*& securityMech, const HTTPRequest& httpRequest, const saml2md::MetadataProvider* metadataProvider=NULL, const xmltooling::QName* role=NULL, diff --git a/saml/saml1/binding/SAML1ArtifactDecoder.h b/saml/saml1/binding/SAML1ArtifactDecoder.h index 7e2da54..141a83e 100644 --- a/saml/saml1/binding/SAML1ArtifactDecoder.h +++ b/saml/saml1/binding/SAML1ArtifactDecoder.h @@ -39,7 +39,7 @@ namespace opensaml { Response* decode( std::string& relayState, const saml2md::RoleDescriptor*& issuer, - bool& issuerTrusted, + const XMLCh*& securityMech, const HTTPRequest& httpRequest, const saml2md::MetadataProvider* metadataProvider=NULL, const xmltooling::QName* role=NULL, diff --git a/saml/saml1/binding/SAML1POSTDecoder.h b/saml/saml1/binding/SAML1POSTDecoder.h index 0ce6524..2236239 100644 --- a/saml/saml1/binding/SAML1POSTDecoder.h +++ b/saml/saml1/binding/SAML1POSTDecoder.h 
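Review bot: The context line ` * should examine the issuerTrusted output value to establish this.` in the `decode` doc comment still names the parameter this hunk removes, so the class documentation now points a caller at something that no longer exists; change it to ` * should examine the securityMech output value to establish this.` The new `@param securityMech` line should also state that the value is NULL when the message was not authenticated, since that is the condition the sentence above is telling callers to check. The @@ -258 hunk that changes the signature itself ends before the `decode` declaration is complete.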
@@ -39,7 +39,7 @@ namespace opensaml { Response* decode( std::string& relayState, const saml2md::RoleDescriptor*& issuer, - bool& issuerTrusted, + const XMLCh*& securityMech, const HTTPRequest& httpRequest, const saml2md::MetadataProvider* metadataProvider=NULL, const xmltooling::QName* role=NULL, diff --git a/saml/saml1/binding/impl/SAML1ArtifactDecoder.cpp b/saml/saml1/binding/impl/SAML1ArtifactDecoder.cpp index 5e679f5..72ce569 100644 --- a/saml/saml1/binding/impl/SAML1ArtifactDecoder.cpp +++ b/saml/saml1/binding/impl/SAML1ArtifactDecoder.cpp @@ -57,7 +57,7 @@ SAML1ArtifactDecoder::~SAML1ArtifactDecoder() {} Response* SAML1ArtifactDecoder::decode( string& relayState, const RoleDescriptor*& issuer, - bool& issuerTrusted, + const XMLCh*& securityMech, const HTTPRequest& httpRequest, const MetadataProvider* metadataProvider, const QName* role, @@ -112,7 +112,7 @@ Response* SAML1ArtifactDecoder::decode( } issuer = NULL; - issuerTrusted = false; + securityMech = false; log.debug("attempting to determine source of artifact(s)..."); const EntityDescriptor* provider=metadataProvider->getEntityDescriptor(artifacts.front()); if (!provider) { @@ -143,7 +143,7 @@ Response* SAML1ArtifactDecoder::decode( try { auto_ptr response( m_artifactResolver->resolve( - issuerTrusted, + securityMech, artifacts, dynamic_cast(*issuer), dynamic_cast(trustEngine) 
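Review bot: `securityMech = false;` in the @@ -112 hunk of SAML1ArtifactDecoder.cpp stores a bool into a `const XMLCh*&`; C++03 accepts `false` as a null pointer constant, but C++14 narrowed that definition to a literal 0, so newer compilers warn on or reject the line, and it is inconsistent with the `securityMech = NULL;` that SAML1POSTDecoder.cpp and SAML2ArtifactDecoder.cpp use in this same commit. Change it to `securityMech = NULL;`. The identical line appears in the @@ -162 hunk of SAML2POSTDecoder.cpp and should get the same fix. `decode` begins and ends outside this hunk.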
@@ -151,14 +151,16 @@ Response* SAML1ArtifactDecoder::decode( ); if (trustEngine && response->getSignature()) { - issuerTrusted = trustEngine->validate(*(response->getSignature()), *issuer, metadataProvider->getKeyResolver()); - if (!issuerTrusted) { + if (!trustEngine->validate(*(response->getSignature()), *issuer, metadataProvider->getKeyResolver())) { log.error("unable to verify signature on message with supplied trust engine"); throw BindingException("Message signature failed verification."); } + else if (!securityMech) { + securityMech = samlconstants::SAML1P_NS; + } } - else if (!issuerTrusted) { - log.warn("unable to verify integrity of the message, leaving untrusted"); + else if (!securityMech) { + log.warn("unable to authenticate the message, leaving untrusted"); } for_each(artifacts.begin(), artifacts.end(), xmltooling::cleanup()); diff --git a/saml/saml1/binding/impl/SAML1POSTDecoder.cpp b/saml/saml1/binding/impl/SAML1POSTDecoder.cpp index 52c3d0e..ebdb2a4 100644 --- a/saml/saml1/binding/impl/SAML1POSTDecoder.cpp +++ b/saml/saml1/binding/impl/SAML1POSTDecoder.cpp @@ -59,7 +59,7 @@ SAML1POSTDecoder::~SAML1POSTDecoder() {} Response* SAML1POSTDecoder::decode( string& relayState, const RoleDescriptor*& issuer, - bool& issuerTrusted, + const XMLCh*& securityMech, const HTTPRequest& httpRequest, const MetadataProvider* metadataProvider, const QName* role, @@ -140,7 +140,7 @@ Response* SAML1POSTDecoder::decode( * applied. */ issuer = NULL; - issuerTrusted = false; + securityMech = NULL; log.debug("attempting to establish issuer and integrity of message..."); const vector& assertions=const_cast(response)->getAssertions(); if (!assertions.empty()) { 
@@ -155,16 +155,16 @@ Response* SAML1POSTDecoder::decode( ); if (issuer) { if (trustEngine && response->getSignature()) { - issuerTrusted = trustEngine->validate( - *(response->getSignature()), *issuer, metadataProvider->getKeyResolver() - ); - if (!issuerTrusted) { + if (trustEngine->validate(*(response->getSignature()), *issuer, metadataProvider->getKeyResolver())) { + securityMech = samlconstants::SAML1P_NS; + } + else { log.error("unable to verify signature on message with supplied trust engine"); throw BindingException("Message signature failed verification."); } } else { - log.warn("unable to verify integrity of the message, leaving untrusted"); + log.warn("unable to authenticate the message, leaving untrusted"); } } else { @@ -176,7 +176,7 @@ Response* SAML1POSTDecoder::decode( } if (log.isDebugEnabled()) { auto_ptr_char iname(assertions.front()->getIssuer()); - log.debug("message from (%s), integrity %sverified", iname.get(), issuerTrusted ? "" : "NOT "); + log.debug("message from (%s), integrity %sverified", iname.get(), securityMech ? "" : "NOT "); } } else { diff --git a/saml/saml2/binding/SAML2ArtifactDecoder.h b/saml/saml2/binding/SAML2ArtifactDecoder.h index fc681eb..9c3cd96 100644 --- a/saml/saml2/binding/SAML2ArtifactDecoder.h +++ b/saml/saml2/binding/SAML2ArtifactDecoder.h @@ -42,7 +42,7 @@ namespace opensaml { xmltooling::XMLObject* decode( std::string& relayState, const saml2md::RoleDescriptor*& issuer, - bool& issuerTrusted, + const XMLCh*& securityMech, const HTTPRequest& httpRequest, const saml2md::MetadataProvider* metadataProvider=NULL, const xmltooling::QName* role=NULL, diff --git a/saml/saml2/binding/SAML2POSTDecoder.h b/saml/saml2/binding/SAML2POSTDecoder.h index 19cc520..31c2f6a 100644 --- a/saml/saml2/binding/SAML2POSTDecoder.h +++ b/saml/saml2/binding/SAML2POSTDecoder.h 
@@ -37,7 +37,7 @@ namespace opensaml { xmltooling::XMLObject* decode( std::string& relayState, const saml2md::RoleDescriptor*& issuer, - bool& issuerTrusted, + const XMLCh*& securityMech, const HTTPRequest& httpRequest, const saml2md::MetadataProvider* metadataProvider=NULL, const xmltooling::QName* role=NULL, diff --git a/saml/saml2/binding/impl/SAML2ArtifactDecoder.cpp b/saml/saml2/binding/impl/SAML2ArtifactDecoder.cpp index 5ba166e..846254a 100644 --- a/saml/saml2/binding/impl/SAML2ArtifactDecoder.cpp +++ b/saml/saml2/binding/impl/SAML2ArtifactDecoder.cpp @@ -59,7 +59,7 @@ SAML2ArtifactDecoder::~SAML2ArtifactDecoder() {} XMLObject* SAML2ArtifactDecoder::decode( string& relayState, const RoleDescriptor*& issuer, - bool& issuerTrusted, + const XMLCh*& securityMech, const HTTPRequest& httpRequest, const MetadataProvider* metadataProvider, const QName* role, @@ -113,7 +113,7 @@ XMLObject* SAML2ArtifactDecoder::decode( } issuer = NULL; - issuerTrusted = false; + securityMech = NULL; log.debug("attempting to determine source of artifact..."); const EntityDescriptor* provider=metadataProvider->getEntityDescriptor(artifact); if (!provider) { @@ -140,7 +140,7 @@ XMLObject* SAML2ArtifactDecoder::decode( try { auto_ptr response( m_artifactResolver->resolve( - issuerTrusted, + securityMech, *(artifact2.get()), dynamic_cast(*issuer), dynamic_cast(trustEngine) 
@@ -184,24 +184,28 @@ XMLObject* SAML2ArtifactDecoder::decode( // Check signatures. if (trustEngine) { if (response->getSignature()) { - issuerTrusted = trustEngine->validate(*(response->getSignature()), *issuer, metadataProvider->getKeyResolver()); - if (!issuerTrusted) { + if (!trustEngine->validate(*(response->getSignature()), *issuer, metadataProvider->getKeyResolver())) { log.error("unable to verify signature on ArtifactResponse message with supplied trust engine"); throw BindingException("Message signature failed verification."); } + else if (!securityMech) { + securityMech = samlconstants::SAML20P_NS; + } } Signature* sig = (res ? res->getSignature() : req->getSignature()); if (sig) { - issuerTrusted = trustEngine->validate(*sig, *issuer, metadataProvider->getKeyResolver()); - if (!issuerTrusted) { + if (!trustEngine->validate(*sig, *issuer, metadataProvider->getKeyResolver())) { log.error("unable to verify signature on ArtifactResponse payload with supplied trust engine"); throw BindingException("Message signature failed verification."); } + else if (!securityMech) { + securityMech = samlconstants::SAML20P_NS; + } } } - if (!issuerTrusted) { - log.warn("unable to verify integrity of ArtifactResponse message or payload, leaving untrusted"); + if (!securityMech) { + log.warn("unable to authenticate ArtifactResponse message or payload, leaving untrusted"); } // Return the payload only. diff --git a/saml/saml2/binding/impl/SAML2POSTDecoder.cpp b/saml/saml2/binding/impl/SAML2POSTDecoder.cpp index 5f659a5..2258304 100644 --- a/saml/saml2/binding/impl/SAML2POSTDecoder.cpp +++ b/saml/saml2/binding/impl/SAML2POSTDecoder.cpp @@ -59,7 +59,7 @@ SAML2POSTDecoder::~SAML2POSTDecoder() {} XMLObject* SAML2POSTDecoder::decode( string& relayState, const RoleDescriptor*& issuer, - bool& issuerTrusted, + const XMLCh*& securityMech, const HTTPRequest& httpRequest, const MetadataProvider* metadataProvider, const QName* role, 
@@ -162,7 +162,7 @@ XMLObject* SAML2POSTDecoder::decode( log.warn("replay cache was not provided, this is a serious security risk!"); issuer = NULL; - issuerTrusted = false; + securityMech = false; log.debug("attempting to establish issuer and integrity of message..."); // If we can't identify the issuer, we're done, since we can't lookup or verify anything. @@ -183,14 +183,16 @@ XMLObject* SAML2POSTDecoder::decode( issuer=provider->getRoleDescriptor(*role, samlconstants::SAML20P_NS); if (issuer) { if (trustEngine && signature) { - issuerTrusted = trustEngine->validate(*signature, *issuer, metadataProvider->getKeyResolver()); - if (!issuerTrusted) { + if (!trustEngine->validate(*signature, *issuer, metadataProvider->getKeyResolver())) { log.error("unable to verify signature on message with supplied trust engine"); throw BindingException("Message signature failed verification."); } + else { + securityMech = samlconstants::SAML20P_NS; + } } else { - log.warn("unable to verify integrity of the message, leaving untrusted"); + log.warn("unable to authenticate the message, leaving untrusted"); } } else { @@ -198,7 +200,7 @@ XMLObject* SAML2POSTDecoder::decode( } if (log.isDebugEnabled()) { auto_ptr_char iname(provider->getEntityID()); - log.debug("message from (%s), integrity %sverified", iname.get(), issuerTrusted ? "" : "NOT "); + log.debug("message from (%s), integrity %sverified", iname.get(), securityMech ? "" : "NOT "); } } else { diff --git a/samltest/saml1/binding/SAML1ArtifactTest.h b/samltest/saml1/binding/SAML1ArtifactTest.h index e3628aa..cfa8a2c 100644 --- a/samltest/saml1/binding/SAML1ArtifactTest.h +++ b/samltest/saml1/binding/SAML1ArtifactTest.h 
@@ -25,6 +25,18 @@ using namespace opensaml::saml1p; using namespace opensaml::saml1; +namespace { + class SAML_DLLLOCAL _addcert : public binary_function { + public: + void operator()(X509Data* bag, XSECCryptoX509* cert) const { + safeBuffer& buf=cert->getDEREncodingSB(); + X509Certificate* x=X509CertificateBuilder::buildX509Certificate(); + x->setValue(buf.sbStrToXMLCh()); + bag->getX509Certificates().push_back(x); + } + }; +}; + class SAML1ArtifactTest : public CxxTest::TestSuite, public SAMLBindingBaseTestCase, public MessageEncoder::ArtifactGenerator, public MessageDecoder::ArtifactResolver { public: @@ -59,7 +71,7 @@ public: // Decode message. string relayState; const RoleDescriptor* issuer=NULL; - bool trusted=false; + const XMLCh* securityMech=NULL; QName idprole(samlconstants::SAML20MD_NS, IDPSSODescriptor::LOCAL_NAME); auto_ptr decoder( SAMLConfig::getConfig().MessageDecoderManager.newPlugin(samlconstants::SAML1_PROFILE_BROWSER_ARTIFACT, NULL) 
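Review bot: The anonymous namespace added in the @@ -25 hunk is closed with `};`, which leaves a stray semicolon at namespace scope that pedantic builds report as an empty declaration; close it with `}` alone. `SAML_DLLLOCAL` on `_addcert` is redundant inside an anonymous namespace, because the class already has internal linkage. A one-line comment above the class such as `// Appends each resolver certificate to the X509Data of the signature's KeyInfo.` would explain why a functor rather than a loop is used here, since it exists only to feed the `bind1st` call in the later hunk.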
@@ -68,21 +80,21 @@ public: Locker locker(m_metadata); auto_ptr response( dynamic_cast( - decoder->decode(relayState,issuer,trusted,*this,m_metadata,&idprole,m_trust) + decoder->decode(relayState,issuer,securityMech,*this,m_metadata,&idprole,m_trust) ) ); // Test the results. TSM_ASSERT_EQUALS("TARGET was not the expected result.", relayState, "state"); TSM_ASSERT("SAML Response not decoded successfully.", response.get()); - TSM_ASSERT("Message was not verified.", issuer && trusted); + TSM_ASSERT("Message was not verified.", issuer && securityMech && securityMech==samlconstants::SAML1P_NS); auto_ptr_char entityID(dynamic_cast(issuer->getParent())->getEntityID()); TSM_ASSERT("Issuer was not expected.", !strcmp(entityID.get(),"https://idp.example.org/")); TSM_ASSERT_EQUALS("Assertion count was not correct.", response->getAssertions().size(), 1); // Trigger a replay. TSM_ASSERT_THROWS("Did not catch the replay.", - decoder->decode(relayState,issuer,trusted,*this,m_metadata,&idprole,m_trust), + decoder->decode(relayState,issuer,securityMech,*this,m_metadata,&idprole,m_trust), BindingException); } catch (XMLToolingException& ex) { @@ -99,8 +111,27 @@ public: throw BindingException("Not implemented."); } + Signature* buildSignature(const CredentialResolver* credResolver) const + { + // Build a Signature. + Signature* sig = SignatureBuilder::buildSignature(); + sig->setSigningKey(credResolver->getKey()); + + // Build KeyInfo. + const vector& certs = credResolver->getCertificates(); + if (!certs.empty()) { + KeyInfo* keyInfo=KeyInfoBuilder::buildKeyInfo(); + X509Data* x509Data=X509DataBuilder::buildX509Data(); + keyInfo->getX509Datas().push_back(x509Data); + for_each(certs.begin(),certs.end(),bind1st(_addcert(),x509Data)); + sig->setKeyInfo(keyInfo); + } + + return sig; + } + Response* resolve( - bool& authenticated, + const XMLCh*& securityMech, const vector& artifacts, const IDPSSODescriptor& idpDescriptor, const X509TrustEngine* trustEngine=NULL 
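Review bot: The assertion `issuer && securityMech && securityMech==samlconstants::SAML1P_NS` compares the identifier by pointer, which passes only because the decoder happens to assign that exact constant; the header documents the value as an identifier, so a consumer should compare its contents, e.g. `TSM_ASSERT("Message was not verified.", issuer && XMLString::equals(securityMech, samlconstants::SAML1P_NS));`, which also makes the separate `securityMech &&` test redundant because `XMLString::equals` handles a NULL argument. A pointer comparison would silently fail for a decoder that returns an equal string from a different translation unit or DLL. The same pointer comparison is used in the SAML1POSTTest.h, SAML2ArtifactTest.h and SAML2POSTTest.h hunks of this commit.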
@@ -117,14 +148,16 @@ public: StatusCode* sc = StatusCodeBuilder::buildStatusCode(); status->setStatusCode(sc); sc->setValue(&StatusCode::SUCCESS); - response->marshall(); + response->setSignature(buildSignature(m_creds)); + vector sigs(1,response->getSignature()); + response->marshall((DOMDocument*)NULL,&sigs); SchemaValidators.validate(response.get()); - authenticated = true; + securityMech = NULL; return response.release(); } saml2p::ArtifactResponse* resolve( - bool& authenticated, + const XMLCh*& securityMech, const saml2p::SAML2Artifact& artifact, const SSODescriptorType& ssoDescriptor, const X509TrustEngine* trustEngine=NULL diff --git a/samltest/saml1/binding/SAML1POSTTest.h b/samltest/saml1/binding/SAML1POSTTest.h index 23593a0..f84bf8a 100644 --- a/samltest/saml1/binding/SAML1POSTTest.h +++ b/samltest/saml1/binding/SAML1POSTTest.h @@ -66,7 +66,7 @@ public: // Decode message. string relayState; const RoleDescriptor* issuer=NULL; - bool trusted=false; + const XMLCh* securityMech=NULL; QName idprole(samlconstants::SAML20MD_NS, IDPSSODescriptor::LOCAL_NAME); auto_ptr decoder( SAMLConfig::getConfig().MessageDecoderManager.newPlugin(samlconstants::SAML1_PROFILE_BROWSER_POST, NULL) 
@@ -74,14 +74,14 @@ public: Locker locker(m_metadata); auto_ptr response( dynamic_cast( - decoder->decode(relayState,issuer,trusted,*this,m_metadata,&idprole,m_trust) + decoder->decode(relayState,issuer,securityMech,*this,m_metadata,&idprole,m_trust) ) ); // Test the results. TSM_ASSERT_EQUALS("TARGET was not the expected result.", relayState, "state"); TSM_ASSERT("SAML Response not decoded successfully.", response.get()); - TSM_ASSERT("Message was not verified.", issuer && trusted); + TSM_ASSERT("Message was not verified.", issuer && securityMech && securityMech==samlconstants::SAML1P_NS); auto_ptr_char entityID(dynamic_cast(issuer->getParent())->getEntityID()); TSM_ASSERT("Issuer was not expected.", !strcmp(entityID.get(),"https://idp.example.org/")); TSM_ASSERT_EQUALS("Assertion count was not correct.", response->getAssertions().size(), 1); @@ -128,7 +128,7 @@ public: // Decode message. string relayState; const RoleDescriptor* issuer=NULL; - bool trusted=false; + const XMLCh* securityMech=NULL; QName idprole(samlconstants::SAML20MD_NS, IDPSSODescriptor::LOCAL_NAME); auto_ptr decoder( SAMLConfig::getConfig().MessageDecoderManager.newPlugin(samlconstants::SAML1_PROFILE_BROWSER_POST, NULL) 
@@ -136,21 +136,21 @@ public: Locker locker(m_metadata); auto_ptr response( dynamic_cast( - decoder->decode(relayState,issuer,trusted,*this,m_metadata,&idprole) + decoder->decode(relayState,issuer,securityMech,*this,m_metadata,&idprole) ) ); // Test the results. TSM_ASSERT_EQUALS("TARGET was not the expected result.", relayState, "state"); TSM_ASSERT("SAML Response not decoded successfully.", response.get()); - TSM_ASSERT("Message was verified.", issuer && !trusted); + TSM_ASSERT("Message was verified.", issuer && !securityMech); auto_ptr_char entityID(dynamic_cast(issuer->getParent())->getEntityID()); TSM_ASSERT("Issuer was not expected.", !strcmp(entityID.get(),"https://idp.example.org/")); TSM_ASSERT_EQUALS("Assertion count was not correct.", response->getAssertions().size(), 1); // Trigger a replay. TSM_ASSERT_THROWS("Did not catch the replay.", - decoder->decode(relayState,issuer,trusted,*this,m_metadata,&idprole,m_trust), + decoder->decode(relayState,issuer,securityMech,*this,m_metadata,&idprole,m_trust), BindingException); } catch (XMLToolingException& ex) { diff --git a/samltest/saml2/binding/SAML2ArtifactTest.h b/samltest/saml2/binding/SAML2ArtifactTest.h index d0189e5..958e5ed 100644 --- a/samltest/saml2/binding/SAML2ArtifactTest.h +++ b/samltest/saml2/binding/SAML2ArtifactTest.h @@ -61,7 +61,7 @@ public: // Decode message. string relayState; const RoleDescriptor* issuer=NULL; - bool trusted=false; + const XMLCh* securityMech=NULL; QName idprole(samlconstants::SAML20MD_NS, IDPSSODescriptor::LOCAL_NAME); auto_ptr decoder( SAMLConfig::getConfig().MessageDecoderManager.newPlugin(samlconstants::SAML20_BINDING_HTTP_ARTIFACT, NULL) 
@@ -70,21 +70,21 @@ public: Locker locker(m_metadata); auto_ptr response( dynamic_cast( - decoder->decode(relayState,issuer,trusted,*this,m_metadata,&idprole,m_trust) + decoder->decode(relayState,issuer,securityMech,*this,m_metadata,&idprole,m_trust) ) ); // Test the results. TSM_ASSERT_EQUALS("RelayState was not the expected result.", relayState, "state"); TSM_ASSERT("SAML Response not decoded successfully.", response.get()); - TSM_ASSERT("Message was not verified.", issuer && trusted); + TSM_ASSERT("Message was not verified.", issuer && securityMech && securityMech==samlconstants::SAML20P_NS); auto_ptr_char entityID(dynamic_cast(issuer->getParent())->getEntityID()); TSM_ASSERT("Issuer was not expected.", !strcmp(entityID.get(),"https://idp.example.org/")); TSM_ASSERT_EQUALS("Assertion count was not correct.", response->getAssertions().size(), 1); // Trigger a replay. TSM_ASSERT_THROWS("Did not catch the replay.", - decoder->decode(relayState,issuer,trusted,*this,m_metadata,&idprole,m_trust), + decoder->decode(relayState,issuer,securityMech,*this,m_metadata,&idprole,m_trust), BindingException); } catch (XMLToolingException& ex) { @@ -102,7 +102,7 @@ public: } saml1p::Response* resolve( - bool& authenticated, + const XMLCh*& securityMech, const vector& artifacts, const IDPSSODescriptor& idpDescriptor, const X509TrustEngine* trustEngine=NULL @@ -111,7 +111,7 @@ public: } ArtifactResponse* resolve( - bool& authenticated, + const XMLCh*& securityMech, const SAML2Artifact& artifact, const SSODescriptorType& ssoDescriptor, const X509TrustEngine* trustEngine=NULL @@ -129,7 +129,7 @@ public: sc->setValue(StatusCode::SUCCESS); response->marshall(); SchemaValidators.validate(response.get()); - authenticated = true; + securityMech = NULL; return response.release(); } }; diff --git a/samltest/saml2/binding/SAML2POSTTest.h b/samltest/saml2/binding/SAML2POSTTest.h index 6b6018b..6245b6e 100644 --- a/samltest/saml2/binding/SAML2POSTTest.h 
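Review bot: The test resolver in the @@ -129 hunk of SAML2ArtifactTest.h marshalls the ArtifactResponse without a signature and then sets `securityMech = NULL;`, yet the @@ -70 hunk in the same file asserts `securityMech==samlconstants::SAML20P_NS`. SAML2ArtifactDecoder only assigns that identifier after a signature on the response envelope or on its payload validates, so the assertion can pass only if the payload is signed somewhere above this hunk, which is not visible here; if it is not, sign the response the way SAML1ArtifactTest.h now does with `buildSignature`, or relax the assertion to match what the resolver actually provides. The enclosing `resolve` starts outside the hunk.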
+++ b/samltest/saml2/binding/SAML2POSTTest.h @@ -66,7 +66,7 @@ public: // Decode message. string relayState; const RoleDescriptor* issuer=NULL; - bool trusted=false; + const XMLCh* securityMech=NULL; QName idprole(samlconstants::SAML20MD_NS, IDPSSODescriptor::LOCAL_NAME); auto_ptr decoder( SAMLConfig::getConfig().MessageDecoderManager.newPlugin(samlconstants::SAML20_BINDING_HTTP_POST, NULL) @@ -74,14 +74,14 @@ public: Locker locker(m_metadata); auto_ptr response( dynamic_cast( - decoder->decode(relayState,issuer,trusted,*this,m_metadata,&idprole,m_trust) + decoder->decode(relayState,issuer,securityMech,*this,m_metadata,&idprole,m_trust) ) ); // Test the results. TSM_ASSERT_EQUALS("RelayState was not the expected result.", relayState, "state"); TSM_ASSERT("SAML Response not decoded successfully.", response.get()); - TSM_ASSERT("Message was not verified.", issuer && trusted); + TSM_ASSERT("Message was not verified.", issuer && securityMech && securityMech==samlconstants::SAML20P_NS); auto_ptr_char entityID(dynamic_cast(issuer->getParent())->getEntityID()); TSM_ASSERT("Issuer was not expected.", !strcmp(entityID.get(),"https://idp.example.org/")); TSM_ASSERT_EQUALS("Assertion count was not correct.", response->getAssertions().size(), 1); @@ -128,7 +128,7 @@ public: // Decode message. string relayState; const RoleDescriptor* issuer=NULL; - bool trusted=false; + const XMLCh* securityMech=NULL; QName idprole(samlconstants::SAML20MD_NS, IDPSSODescriptor::LOCAL_NAME); auto_ptr decoder( SAMLConfig::getConfig().MessageDecoderManager.newPlugin(samlconstants::SAML20_BINDING_HTTP_POST, NULL) 
@@ -136,21 +136,21 @@ public: Locker locker(m_metadata); auto_ptr response( dynamic_cast( - decoder->decode(relayState,issuer,trusted,*this,m_metadata,&idprole) + decoder->decode(relayState,issuer,securityMech,*this,m_metadata,&idprole) ) ); // Test the results. TSM_ASSERT_EQUALS("RelayState was not the expected result.", relayState, "state"); TSM_ASSERT("SAML Response not decoded successfully.", response.get()); - TSM_ASSERT("Message was verified.", issuer && !trusted); + TSM_ASSERT("Message was verified.", issuer && !securityMech); auto_ptr_char entityID(dynamic_cast(issuer->getParent())->getEntityID()); TSM_ASSERT("Issuer was not expected.", !strcmp(entityID.get(),"https://idp.example.org/")); TSM_ASSERT_EQUALS("Assertion count was not correct.", response->getAssertions().size(), 1); // Trigger a replay. TSM_ASSERT_THROWS("Did not catch the replay.", - decoder->decode(relayState,issuer,trusted,*this,m_metadata,&idprole,m_trust), + decoder->decode(relayState,issuer,securityMech,*this,m_metadata,&idprole,m_trust), BindingException); } catch (XMLToolingException& ex) { -- 2.1.4