#ifndef __saml_secpol_h__
#define __saml_secpol_h__
-#include <saml/binding/GenericRequest.h>
+#include <saml/base.h>
#include <ctime>
#include <vector>
#include <xmltooling/XMLObject.h>
+#include <xmltooling/io/GenericRequest.h>
#include <xmltooling/security/TrustEngine.h>
#if defined (_MSC_VER)
const xmltooling::QName* role=NULL,
const xmltooling::TrustEngine* trustEngine=NULL,
bool validate=true
- ) : m_messageQName(NULL), m_messageID(NULL), m_issueInstant(0),
- m_issuer(NULL), m_issuerRole(NULL), m_secure(false), m_matchingPolicy(NULL),
- m_metadata(metadataProvider), m_role(NULL), m_trust(trustEngine), m_validate(validate) {
- if (role)
- m_role = new xmltooling::QName(*role);
- }
-
- /**
- * Constructor for policy using existing rules. The lifetime of the policy rules
- * must be at least as long as the policy object.
- *
- * @param rules reference to array of policy rules to use
- * @param metadataProvider locked MetadataProvider instance
- * @param role identifies the role (generally IdP or SP) of the policy peer
- * @param trustEngine TrustEngine to authenticate policy peer
- * @param validate true iff XML parsing should be done with validation
- */
- SecurityPolicy(
- const std::vector<const SecurityPolicyRule*>& rules,
- const saml2md::MetadataProvider* metadataProvider=NULL,
- const xmltooling::QName* role=NULL,
- const xmltooling::TrustEngine* trustEngine=NULL,
- bool validate=true
- ) : m_messageQName(NULL), m_messageID(NULL), m_issueInstant(0),
- m_issuer(NULL), m_issuerRole(NULL), m_secure(false), m_matchingPolicy(NULL),
- m_rules(rules), m_metadata(metadataProvider), m_role(NULL), m_trust(trustEngine), m_validate(validate) {
+ ) : m_messageID(NULL), m_issueInstant(0), m_issuer(NULL), m_issuerRole(NULL), m_authenticated(false),
+ m_matchingPolicy(NULL), m_metadata(metadataProvider), m_role(NULL), m_trust(trustEngine), m_validate(validate), m_entityOnly(true) {
if (role)
m_role = new xmltooling::QName(*role);
}
*/
bool getValidating() const {
return m_validate;
- }
+ }
+
+ /**
+ * Returns flag controlling non-entity issuer support.
+ *
+ * @return flag controlling non-entity issuer support
+ */
+ bool requireEntityIssuer() const {
+ return m_entityOnly;
+ }
/**
- * Adds a SecurityPolicyRule to the policy. The lifetime of the policy rule
- * must be at least as long as the policy object.
+ * Gets a mutable array of installed policy rules.
+ *
+ * <p>If adding rules, their lifetime must be at least as long as the policy object.
*
- * @param rule SecurityPolicyRule to add
+ * @return mutable array of rules
*/
- void addRule(const SecurityPolicyRule* rule) {
- m_rules.push_back(rule);
+ std::vector<const SecurityPolicyRule*>& getRules() {
+ return m_rules;
}
/**
void setValidating(bool validate=true) {
m_validate = validate;
}
+
+ /**
+ * Sets flag controlling non-entity issuer support.
+ *
+ * @param entityOnly require that Issuer be in entity format
+ */
+ void requireEntityIssuer(bool entityOnly=true) {
+ m_entityOnly = entityOnly;
+ }
/**
* Evaluates the policy against the given request and message,
*
* @throws BindingException raised if the message/request is invalid according to the supplied rules
*/
- void evaluate(const xmltooling::XMLObject& message, const GenericRequest* request=NULL);
+ void evaluate(
+ const xmltooling::XMLObject& message, const xmltooling::GenericRequest* request=NULL
+ );
/**
- * Resets the policy object and clears any per-message state.
+ * Resets the policy object and/or clears any per-message state.
+ *
+ * <p>Resets can be complete (the default) or merely clear the previous message ID and timestamp
+ * when evaluating multiple layers of a message.
+ *
+ * @param messageOnly true iff security and issuer state should be left in place
*/
- void reset();
+ void reset(bool messageOnly=false);
/**
- * Returns the message element/type as determined by the registered policies.
- *
- * @return message element/type as determined by the registered policies
- */
- const xmltooling::QName* getMessageQName() const {
- return m_messageQName;
- }
-
- /**
* Returns the message identifier as determined by the registered policies.
*
* @return message identifier as determined by the registered policies
}
/**
- * Returns the security status as determined by the registered policies.
+ * Returns the authentication status of the message as determined by the registered policies.
*
* @return true iff a SecurityPolicyRule has indicated the issuer/message has been authenticated
*/
- bool isSecure() const {
- return m_secure;
- }
-
- /**
- * Sets the message element/type as determined by the registered policies.
- *
- * @param messageQName message element/type
- */
- void setMessageQName(const xmltooling::QName* messageQName) {
- delete m_messageQName;
- m_messageQName = messageQName ? new xmltooling::QName(*messageQName) : NULL;
+ bool isAuthenticated() const {
+ return m_authenticated;
}
/**
* @param id message identifier
*/
void setMessageID(const XMLCh* id) {
- XMLString::release(&m_messageID);
- m_messageID = XMLString::replicate(id);
+ xercesc::XMLString::release(&m_messageID);
+ m_messageID = xercesc::XMLString::replicate(id);
}
/**
void setIssuerMetadata(const saml2md::RoleDescriptor* issuerRole);
/**
- * Sets the security status as determined by the registered policies.
+ * Sets the authentication status of the message as determined by the registered policies.
*
- * @param secure indicates whether the issuer/message has been authenticated
+ * @param auth indicates whether the issuer/message has been authenticated
*/
- void setSecure(bool secure) {
- m_secure = secure;
+ void setAuthenticated(bool auth) {
+ m_authenticated = auth;
}
/** Allows override of rules for comparing saml2:Issuer information. */
private:
// information extracted from message
- xmltooling::QName* m_messageQName;
XMLCh* m_messageID;
time_t m_issueInstant;
saml2::Issuer* m_issuer;
const saml2md::RoleDescriptor* m_issuerRole;
- bool m_secure;
+ bool m_authenticated;
// components governing policy rules
IssuerMatchingPolicy* m_matchingPolicy;
xmltooling::QName* m_role;
const xmltooling::TrustEngine* m_trust;
bool m_validate;
+ bool m_entityOnly;
};
};