From f96a6b36f47a4a2fcba7a29ca04856a0089cfe5d Mon Sep 17 00:00:00 2001
From: Scott Cantor
Date: Tue, 22 May 2012 00:36:00 +0000
Subject: [PATCH] Add context API to metadata filters.
---
 saml/profile/impl/ConditionsRule.cpp | 2 +-
 saml/saml2/metadata/MetadataFilter.h | 38 +++++++++++++++++++++------
 saml/saml2/metadata/MetadataProvider.h | 12 +++++++++
 saml/saml2/metadata/impl/MetadataProvider.cpp | 38 ++++++++++++++++++++++-----
 4 files changed, 75 insertions(+), 15 deletions(-)
diff --git a/saml/profile/impl/ConditionsRule.cpp b/saml/profile/impl/ConditionsRule.cpp
index 3c36517..a390c2c 100644
--- a/saml/profile/impl/ConditionsRule.cpp
+++ b/saml/profile/impl/ConditionsRule.cpp
@@ -99,7 +99,7 @@ ConditionsRule::ConditionsRule(const DOMElement* e) : m_doc(nullptr)
 log.info("building SecurityPolicyRule of type %s", t.c_str());
 m_rules.push_back(SAMLConfig::getConfig().SecurityPolicyRuleManager.newPlugin(t.c_str(), e));
 }
- catch (exception& ex) {
+ catch (std::exception& ex) {
 log.crit("error building SecurityPolicyRule: %s", ex.what());
 }
 }
diff --git a/saml/saml2/metadata/MetadataFilter.h b/saml/saml2/metadata/MetadataFilter.h
index ed89cbb..641decb 100644
--- a/saml/saml2/metadata/MetadataFilter.h
+++ b/saml/saml2/metadata/MetadataFilter.h
@@ -33,6 +33,18 @@ namespace opensaml {
 namespace saml2md {
 /**
+ * Marker interface for supplying environmental context to filters.
+ */
+ class SAML_API MetadataFilterContext
+ {
+ MAKE_NONCOPYABLE(MetadataFilterContext);
+ protected:
+ MetadataFilterContext();
+ public:
+ virtual ~MetadataFilterContext();
+ };
+
+ /**
 * A metadata filter is used to process metadata after resolution and unmarshalling.
 *
 * Some filters might remove everything but identity provider roles, decreasing the data a service provider
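Review bot: The changed catch clause still binds the exception by non-const reference although the handler only calls `ex.what()`; `catch (const std::exception& ex) {` is the catch-by-const-reference idiom and documents that the handler does not modify the exception. The enclosing constructor body starts before the hunk.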
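Review bot: The class comment on `MetadataFilterContext` says it is a marker interface but tells a filter implementer nothing about how to use it: the class has no virtual members besides the destructor, so a filter can only reach a deployment's context by downcasting (presumably `dynamic_cast`), and the ownership rule is stated only on `MetadataProvider::setContext` elsewhere in this patch. Suggest expanding the comment to `Marker interface for supplying environmental context to filters. Deployments derive a concrete type and filters recover it by downcast; the object is owned by the MetadataProvider it is set on.`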
@@ -55,12 +67,22 @@ namespace opensaml {
 virtual const char* getId() const=0;
 /**
+ * @deprecated
+ * Filters the given metadata. Exceptions should generally not be thrown to
+ * signal the removal of information, only for systemic processing failure.
+ *
+ * @param xmlObject the metadata to be filtered
+ */
+ virtual void doFilter(xmltooling::XMLObject& xmlObject) const;
+
+ /**
 * Filters the given metadata. Exceptions should generally not be thrown to
 * signal the removal of information, only for systemic processing failure.
 *
- * @param xmlObject the metadata to be filtered.
+ * @param ctx context interface, or nullptr
+ * @param xmlObject the metadata to be filtered
 */
- virtual void doFilter(xmltooling::XMLObject& xmlObject) const=0;
+ virtual void doFilter(MetadataFilterContext* ctx, xmltooling::XMLObject& xmlObject) const;
 };
 /**
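Review bot: Turning both `doFilter` overloads from pure into defaulted virtuals means a filter class that overrides neither now compiles and silently passes all metadata through, where before the missing override was a compile error; for a filter whose job is rejection (signature or validUntil enforcement) that is a fail-open default. Keeping the deprecated one-argument overload pure, or having its empty default in the `@@ -226` hunk of MetadataProvider.cpp throw `MetadataFilterException` instead of returning, would surface an unimplemented filter at first use. The docs on the new overload should also tell implementers that the base version forwards to the deprecated overload, so a subclass overrides exactly one of the two (and hides the other name in its own scope), and that `ctx` belongs to the provider and must not be retained past the call, e.g. `@param ctx context interface owned by the provider, or nullptr; valid only for the duration of the call`.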
@@ -69,22 +91,22 @@ namespace opensaml {
 void SAML_API registerMetadataFilters();
 /** MetadataFilter that deletes blacklisted entities. */
- #define BLACKLIST_METADATA_FILTER "Blacklist"
+ #define BLACKLIST_METADATA_FILTER "Blacklist"
 /** MetadataFilter that deletes all but whitelisted entities. */
- #define WHITELIST_METADATA_FILTER "Whitelist"
+ #define WHITELIST_METADATA_FILTER "Whitelist"
 /** MetadataFilter that verifies signatures and filters out any that don't pass. */
- #define SIGNATURE_METADATA_FILTER "Signature"
+ #define SIGNATURE_METADATA_FILTER "Signature"
 /** MetadataFilter that enforces expiration requirements. */
- #define REQUIREVALIDUNTIL_METADATA_FILTER "RequireValidUntil"
+ #define REQUIREVALIDUNTIL_METADATA_FILTER "RequireValidUntil"
 /** MetadataFilter that removes non-retained roles. */
- #define ENTITYROLE_METADATA_FILTER "EntityRoleWhiteList"
+ #define ENTITYROLE_METADATA_FILTER "EntityRoleWhiteList"
 /** MetadataFilter that adds EntityAttributes extension. */
- #define ENTITYATTR_METADATA_FILTER "EntityAttributes"
+ #define ENTITYATTR_METADATA_FILTER "EntityAttributes"
 DECL_XMLTOOLING_EXCEPTION(MetadataFilterException,SAML_EXCEPTIONAPI(SAML_API),opensaml::saml2md,MetadataException,Exceptions related to metadata filtering);
 };
diff --git a/saml/saml2/metadata/MetadataProvider.h b/saml/saml2/metadata/MetadataProvider.h
index 05d2493..eea4120 100644
--- a/saml/saml2/metadata/MetadataProvider.h
+++ b/saml/saml2/metadata/MetadataProvider.h
@@ -31,6 +31,7 @@
 #include
 #include
+#include
 #include
 #include
 #include
@@ -51,6 +52,7 @@ namespace opensaml {
 class SAML_API RoleDescriptor;
 class SAML_API MetadataCredentialResolver;
 class SAML_API MetadataFilter;
+ class SAML_API MetadataFilterContext;
 #if defined (_MSC_VER)
 #pragma warning( push )
@@ -121,6 +123,15 @@ namespace opensaml {
 virtual MetadataFilter* removeMetadataFilter(MetadataFilter* oldFilter);
 /**
+ * Sets a filtering context object for use by the filtering process.
+ * The MetadataProvider takes ownership of the object. Any existing
+ * object is cleared.
+ *
+ * @param ctx a context object
+ */
+ void setContext(MetadataFilterContext* ctx);
+
+ /**
 * Should be called after instantiating provider and adding filters, but before
 * performing any lookup operations. Allows the provider to defer initialization
 * processes that are likely to result in exceptions until after the provider is
@@ -251,6 +262,7 @@ namespace opensaml {
 void doFilters(xmltooling::XMLObject& xmlObject) const;
 private:
+ boost::shared_ptr m_filterContext;
 boost::ptr_vector m_filters;
 };
diff --git a/saml/saml2/metadata/impl/MetadataProvider.cpp b/saml/saml2/metadata/impl/MetadataProvider.cpp
index f7b98d0..98acde7 100644
--- a/saml/saml2/metadata/impl/MetadataProvider.cpp
+++ b/saml/saml2/metadata/impl/MetadataProvider.cpp
@@ -107,7 +107,12 @@ MetadataProvider::MetadataProvider(const DOMElement* e)
 string t = XMLHelper::getAttrString(child, nullptr, _type);
 if (!t.empty()) {
 log.info("building MetadataFilter of type %s", t.c_str());
- m_filters.push_back(conf.MetadataFilterManager.newPlugin(t.c_str(), child));
+ auto_ptr np(conf.MetadataFilterManager.newPlugin(t.c_str(), child));
+ m_filters.push_back(np.get());
+ np.release();
+ }
+ else {
+ log.error("MetadataFilter element missing type attribute.");
 }
 } else if (XMLString::equals(child->getLocalName(), SigFilter)) {
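Review bot: The `setContext` documentation states ownership but not when the call is permitted; the implementation added in MetadataProvider.cpp is a bare `m_filterContext.reset(ctx)` with no locking, while `doFilters` dereferences the same member during filtering, so a call made after `init()` on a provider that refreshes in the background (as reloading providers presumably do) could race with a filter pass and free the context under it. Add the constraint next to the ownership sentence: `Must be called before init(); the provider does not synchronize later calls with filtering.`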
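Review bot: The new `else` branch only logs when a `MetadataFilter` element lacks a `type` attribute and construction continues, so a misspelled or missing attribute silently drops that filter from the chain; if the dropped filter is the one enforcing signatures or validUntil, the provider then serves metadata with that check absent and the only trace is one error-level log line. A construction failure inside `newPlugin` presumably already propagates as an exception from this constructor, so the consistent choice is to fail the same way, e.g. `throw MetadataFilterException("MetadataFilter element missing type attribute.");` using the exception declared in MetadataFilter.h. The `auto_ptr` hand-off around `push_back` is a good fix for the leak on a throwing insert. The enclosing constructor starts before the hunk.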
@@ -162,15 +167,17 @@ MetadataFilter* MetadataProvider::removeMetadataFilter(MetadataFilter* oldFilter
 return nullptr;
 }
+void MetadataProvider::setContext(MetadataFilterContext* ctx)
+{
+ m_filterContext.reset(ctx);
+}
+
 void MetadataProvider::doFilters(XMLObject& xmlObject) const
 {
-#ifdef _DEBUG
- NDC ndc("doFilters");
-#endif
- Category& log=Category::getInstance(SAML_LOGCAT".Metadata");
+ Category& log = Category::getInstance(SAML_LOGCAT".Metadata");
 for (ptr_vector::const_iterator i = m_filters.begin(); i != m_filters.end(); i++) {
 log.info("applying metadata filter (%s)", i->getId());
- i->doFilter(xmlObject);
+ i->doFilter(m_filterContext.get(), xmlObject);
 }
 }
@@ -226,3 +233,22 @@ MetadataFilter::MetadataFilter()
 MetadataFilter::~MetadataFilter()
 {
 }
+
+void MetadataFilter::doFilter(MetadataFilterContext* ctx, xmltooling::XMLObject& xmlObject) const
+{
+ // Default call into deprecated method.
+ doFilter(xmlObject);
+}
+
+void MetadataFilter::doFilter(xmltooling::XMLObject& xmlObject) const
+{
+ // Empty default for deprecated method.
+}
+
+MetadataFilterContext::MetadataFilterContext()
+{
+}
+
+MetadataFilterContext::~MetadataFilterContext()
+{
+}
-- 
2.1.4
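Review bot: `setContext` resets the member with the raw pointer it is handed without checking for self-assignment; `m_filterContext.reset(ctx)` with `ctx == m_filterContext.get()` creates a second owner of the same object, the old owner deletes it, and the member is left dangling for a later double delete (boost's shared_ptr asserts on this only in debug builds, as far as I recall). Guard it with `if (ctx != m_filterContext.get()) m_filterContext.reset(ctx);`. The `for` loop in `doFilters` still post-increments the iterator; `++i` is the conventional form for iterator types.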
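Review bot: In the default two-argument `doFilter` the `ctx` parameter is never read, which draws an unused-parameter warning under `-Wextra`; leave it unnamed, `void MetadataFilter::doFilter(MetadataFilterContext*, xmltooling::XMLObject& xmlObject) const`. The comment `// Default call into deprecated method.` would help implementers more if it named the consequence, e.g. `// Forwards to the deprecated one-argument overload so legacy filters keep working; new filters override this overload instead.`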