#include "security/SecurityPolicyProvider.h"
#include "util/SPConstants.h"
-#include <boost/scoped_ptr.hpp>
#include <boost/iterator/indirect_iterator.hpp>
#include <boost/ptr_container/ptr_vector.hpp>
#include <saml/exceptions.h>
{
public:
QueryContext(const Application& application, const Session& session)
- : m_query(true), m_app(application), m_session(&session), m_metadata(nullptr), m_entity(nullptr), m_nameid(nullptr) {
+ : m_query(true), m_app(application), m_request(nullptr), m_session(&session), m_metadata(nullptr), m_entity(nullptr), m_nameid(nullptr) {
m_protocol = XMLString::transcode(session.getProtocol());
m_class = XMLString::transcode(session.getAuthnContextClassRef());
m_decl = XMLString::transcode(session.getAuthnContextDeclRef());
QueryContext(
const Application& application,
+ const GenericRequest* request,
const EntityDescriptor* issuer,
const XMLCh* protocol,
const NameID* nameid=nullptr,
const XMLCh* authncontext_class=nullptr,
const XMLCh* authncontext_decl=nullptr,
const vector<const opensaml::Assertion*>* tokens=nullptr
- ) : m_query(true), m_app(application), m_session(nullptr), m_metadata(nullptr), m_entity(issuer),
+ ) : m_query(true), m_app(application), m_request(request), m_session(nullptr), m_metadata(nullptr), m_entity(issuer),
m_protocol(protocol), m_nameid(nameid), m_class(authncontext_class), m_decl(authncontext_decl) {
if (tokens) {
const Application& getApplication() const {
return m_app;
}
+ const GenericRequest* getRequest() const {
+ return m_request;
+ }
const EntityDescriptor* getEntityDescriptor() const {
if (m_entity)
return m_entity;
private:
bool m_query;
const Application& m_app;
+ const GenericRequest* m_request;
const Session* m_session;
mutable MetadataProvider* m_metadata;
mutable const EntityDescriptor* m_entity;
Lockable* lock() {return this;}
void unlock() {}
+ // deprecated method
+ ResolutionContext* createResolutionContext(
+ const Application& application,
+ const EntityDescriptor* issuer,
+ const XMLCh* protocol,
+ const NameID* nameid=nullptr,
+ const XMLCh* authncontext_class=nullptr,
+ const XMLCh* authncontext_decl=nullptr,
+ const vector<const opensaml::Assertion*>* tokens=nullptr,
+ const vector<shibsp::Attribute*>* attributes=nullptr
+ ) const {
+ return createResolutionContext(application, nullptr, issuer, protocol, nameid, authncontext_class, authncontext_decl, tokens);
+ }
+
ResolutionContext* createResolutionContext(
const Application& application,
+ const GenericRequest* request,
const EntityDescriptor* issuer,
const XMLCh* protocol,
const NameID* nameid=nullptr,
const vector<const opensaml::Assertion*>* tokens=nullptr,
const vector<shibsp::Attribute*>* attributes=nullptr
) const {
- return new QueryContext(application,issuer,protocol,nameid,authncontext_class,authncontext_decl,tokens);
+ return new QueryContext(application, request, issuer, protocol, nameid, authncontext_class, authncontext_decl, tokens);
}
ResolutionContext* createResolutionContext(const Application& application, const Session& session) const {
};
QueryResolver::QueryResolver(const DOMElement* e)
- : m_log(Category::getInstance(SHIBSP_LOGCAT".AttributeResolver.Query")),
+ : m_log(Category::getInstance(SHIBSP_LOGCAT ".AttributeResolver.Query")),
m_policyId(XMLHelper::getAttrString(e, nullptr, policyId)),
m_subjectMatch(XMLHelper::getAttrBool(e, false, subjectMatch))
{
continue;
}
}
- extractor->extractAttributes(application, AA, *s, ctx.getResolvedAttributes());
+ extractor->extractAttributes(application, ctx.getRequest(), AA, *s, ctx.getResolvedAttributes());
}
}
m_log.warn("simple resolver only supports one assertion in the query response");
}
- CredentialResolver* cr=application.getCredentialResolver();
+ CredentialResolver* cr = application.getCredentialResolver();
if (!cr) {
m_log.warn("found encrypted assertion, but no CredentialResolver was available");
throw FatalProfileException("Assertion was encrypted, but no decryption credentials are available.");
}
+ // With this flag on, we block unauthenticated ciphertext when decrypting,
+ // unless the protocol was authenticated.
+ pair<bool,bool> authenticatedCipher = application.getBool("requireAuthenticatedEncryption");
+ if (policy->isAuthenticated())
+ authenticatedCipher.second = false;
+
// Attempt to decrypt it.
try {
Locker credlocker(cr);
- auto_ptr<XMLObject> tokenwrapper(encassertions.front()->decrypt(*cr, relyingParty->getXMLString("entityID").second, &mcc));
+ auto_ptr<XMLObject> tokenwrapper(
+ encassertions.front()->decrypt(
+ *cr, relyingParty->getXMLString("entityID").second, &mcc, authenticatedCipher.first && authenticatedCipher.second
+ )
+ );
newtoken = dynamic_cast<saml2::Assertion*>(tokenwrapper.get());
if (newtoken) {
tokenwrapper.release();
newtokenwrapper.reset(newtoken);
if (m_log.isDebugEnabled())
- m_log.debugStream() << "decrypted Assertion: " << *newtoken << logging::eol;
+ m_log.debugStream() << "decrypted assertion: " << *newtoken << logging::eol;
}
}
catch (exception& ex) {
- m_log.error(ex.what());
+ m_log.error("failed to decrypt assertion: %s", ex.what());
throw;
}
}
AttributeExtractor* extractor = application.getAttributeExtractor();
if (extractor) {
Locker extlocker(extractor);
- extractor->extractAttributes(application, AA, *newtoken, ctx.getResolvedAttributes());
+ extractor->extractAttributes(application, ctx.getRequest(), AA, *newtoken, ctx.getResolvedAttributes());
}
AttributeFilter* filter = application.getAttributeFilter();