Add flag to block non-entity issuers.

[shibboleth/opensaml2.git] / saml / binding / impl / SecurityPolicy.cpp

diff --git a/saml/binding/impl/SecurityPolicy.cpp b/saml/binding/impl/SecurityPolicy.cpp
index 5fd35fa..371410e 100644 (file)
--- a/saml/binding/impl/SecurityPolicy.cpp
+++ b/saml/binding/impl/SecurityPolicy.cpp
@@ -34,8 +34,7 @@ using namespace std;
 namespace opensaml {
     SAML_DLLLOCAL PluginManager<SecurityPolicyRule,string,const DOMElement*>::Factory ClientCertAuthRuleFactory;
     SAML_DLLLOCAL PluginManager<SecurityPolicyRule,string,const DOMElement*>::Factory MessageFlowRuleFactory;
-    SAML_DLLLOCAL PluginManager<SecurityPolicyRule,string,const DOMElement*>::Factory SAML1MessageRuleFactory;
-    SAML_DLLLOCAL PluginManager<SecurityPolicyRule,string,const DOMElement*>::Factory SAML2MessageRuleFactory;
+    SAML_DLLLOCAL PluginManager<SecurityPolicyRule,string,const DOMElement*>::Factory NullSecurityRuleFactory;
     SAML_DLLLOCAL PluginManager<SecurityPolicyRule,string,const DOMElement*>::Factory SimpleSigningRuleFactory;
     SAML_DLLLOCAL PluginManager<SecurityPolicyRule,string,const DOMElement*>::Factory XMLSigningRuleFactory;
 };
@@ -45,8 +44,7 @@ void SAML_API opensaml::registerSecurityPolicyRules()
     SAMLConfig& conf=SAMLConfig::getConfig();
     conf.SecurityPolicyRuleManager.registerFactory(CLIENTCERTAUTH_POLICY_RULE, ClientCertAuthRuleFactory);
     conf.SecurityPolicyRuleManager.registerFactory(MESSAGEFLOW_POLICY_RULE, MessageFlowRuleFactory);
-    conf.SecurityPolicyRuleManager.registerFactory(SAML1MESSAGE_POLICY_RULE, SAML1MessageRuleFactory);
-    conf.SecurityPolicyRuleManager.registerFactory(SAML2MESSAGE_POLICY_RULE, SAML2MessageRuleFactory);
+    conf.SecurityPolicyRuleManager.registerFactory(NULLSECURITY_POLICY_RULE, NullSecurityRuleFactory);
     conf.SecurityPolicyRuleManager.registerFactory(SIMPLESIGNING_POLICY_RULE, SimpleSigningRuleFactory);
     conf.SecurityPolicyRuleManager.registerFactory(XMLSIGNING_POLICY_RULE, XMLSigningRuleFactory);
 }
@@ -55,20 +53,20 @@ SecurityPolicy::IssuerMatchingPolicy SecurityPolicy::m_defaultMatching;
 
 SecurityPolicy::~SecurityPolicy()
 {
-    reset();
+    reset(false);
 }
 
-void SecurityPolicy::reset()
+void SecurityPolicy::reset(bool messageOnly)
 {
-    delete m_messageQName;
     XMLString::release(&m_messageID);
-    delete m_issuer;
-    m_messageQName=NULL;
     m_messageID=NULL;
     m_issueInstant=0;
-    m_issuer=NULL;
-    m_issuerRole=NULL;
-    m_secure=false;
+    if (!messageOnly) {
+        delete m_issuer;
+        m_issuer=NULL;
+        m_issuerRole=NULL;
+        m_authenticated=false;
+    }
 }
 
 void SecurityPolicy::evaluate(const XMLObject& message, const GenericRequest* request)
@@ -80,9 +78,11 @@ void SecurityPolicy::evaluate(const XMLObject& message, const GenericRequest* re
 void SecurityPolicy::setIssuer(const Issuer* issuer)
 {
     if (!getIssuerMatchingPolicy().issuerMatches(m_issuer, issuer))
-        throw SecurityPolicyException("A rule supplied an Issuer that conflicts with previous results.");
+        throw SecurityPolicyException("An Issuer was supplied that conflicts with previous results.");
     
     if (!m_issuer) {
+        if (m_entityOnly && issuer->getFormat() && !XMLString::equals(issuer->getFormat(), NameIDType::ENTITY))
+            throw SecurityPolicyException("A non-entity Issuer was supplied, violating policy.");
         m_issuerRole = NULL;
         m_issuer=issuer->cloneIssuer();
     }
@@ -91,7 +91,7 @@ void SecurityPolicy::setIssuer(const Issuer* issuer)
 void SecurityPolicy::setIssuer(const XMLCh* issuer)
 {
     if (!getIssuerMatchingPolicy().issuerMatches(m_issuer, issuer))
-        throw SecurityPolicyException("A rule supplied an Issuer that conflicts with previous results.");
+        throw SecurityPolicyException("An Issuer was supplied that conflicts with previous results.");
     
     if (!m_issuer && issuer && *issuer) {
         m_issuerRole = NULL;