SSPCPP-616 - clean up concatenated string literals

[shibboleth/cpp-sp.git] / shibsp / handler / impl / SAML2Consumer.cpp

diff --git a/shibsp/handler/impl/SAML2Consumer.cpp b/shibsp/handler/impl/SAML2Consumer.cpp
index f90f7ca..d7d8fa9 100644 (file)
--- a/shibsp/handler/impl/SAML2Consumer.cpp
+++ b/shibsp/handler/impl/SAML2Consumer.cpp
@@ -44,6 +44,7 @@
 # include <xmltooling/XMLToolingConfig.h>
 # include <xmltooling/io/HTTPRequest.h>
 # include <xmltooling/util/DateTime.h>
+# include <xmltooling/validation/ValidatorSuite.h>
 using namespace opensaml::saml2;
 using namespace opensaml::saml2p;
 using namespace opensaml::saml2md;
@@ -71,7 +72,7 @@ namespace shibsp {
     {
     public:
         SAML2Consumer(const DOMElement* e, const char* appId)
-            : AssertionConsumerService(e, appId, Category::getInstance(SHIBSP_LOGCAT".SSO.SAML2")) {
+            : AssertionConsumerService(e, appId, Category::getInstance(SHIBSP_LOGCAT ".SSO.SAML2")) {
 #ifndef SHIBSP_LITE
             if (SPConfig::getConfig().isEnabled(SPConfig::OutOfProcess))
                 m_ssoRule.reset(SAMLConfig::getConfig().SecurityPolicyRuleManager.newPlugin(BEARER_POLICY_RULE, e));
@@ -170,9 +171,9 @@ void SAML2Consumer::implementProtocol(
 
     // With this flag on, we block unauthenticated ciphertext when decrypting,
     // unless the protocol was authenticated.
-    pair<bool,bool> requireAuthenticatedCipher = application.getBool("requireAuthenticatedCipher");
+    pair<bool,bool> requireAuthenticatedEncryption = application.getBool("requireAuthenticatedEncryption");
     if (alreadySecured)
-        requireAuthenticatedCipher.second = false;
+        requireAuthenticatedEncryption.second = false;
 
     // With this flag on, we ignore any unsigned assertions.
     const EntityDescriptor* entity = nullptr;
@@ -291,7 +292,7 @@ void SAML2Consumer::implementProtocol(
                     *cr,
                     application.getRelyingParty(entity)->getXMLString("entityID").second,
                     mcc.get(),
-                    requireAuthenticatedCipher.first && requireAuthenticatedCipher.second
+                    requireAuthenticatedEncryption.first && requireAuthenticatedEncryption.second
                     )
                 );
             decrypted = dynamic_pointer_cast<saml2::Assertion>(wrapper);
@@ -312,6 +313,9 @@ void SAML2Consumer::implementProtocol(
             if (!decrypted->getSignature() && requireSignedAssertions.first && requireSignedAssertions.second)
                 throw SecurityPolicyException("The incoming assertion was unsigned, violating local security policy.");
 
+            // Run the schema validators against the assertion, since it was hidden by encryption.
+            SchemaValidators.validate(decrypted.get());
+
             // We clear the security flag, so we can tell whether the token was secured on its own.
             policy.setAuthenticated(false);
             policy.reset(true);