From 42780648201c0ef5d4c63ba7d79cea4af91eade9 Mon Sep 17 00:00:00 2001 From: cantor Date: Wed, 26 Dec 2007 04:46:54 +0000 Subject: [PATCH] Fix handling of errorFatal flag in rules. git-svn-id: https://svn.middleware.georgetown.edu/cpp-opensaml2/trunk@358 fb386ef7-a10c-0410-8ebf-fd3f8e989ab0 --- saml/binding/impl/ClientCertAuthRule.cpp | 17 ++++++++++++++++- saml/binding/impl/SimpleSigningRule.cpp | 14 +++++++------- saml/binding/impl/XMLSigningRule.cpp | 16 ++++++++-------- 3 files changed, 31 insertions(+), 16 deletions(-) diff --git a/saml/binding/impl/ClientCertAuthRule.cpp b/saml/binding/impl/ClientCertAuthRule.cpp index 8c30310..a083baf 100644 --- a/saml/binding/impl/ClientCertAuthRule.cpp +++ b/saml/binding/impl/ClientCertAuthRule.cpp @@ -41,21 +41,34 @@ namespace opensaml { class SAML_DLLLOCAL ClientCertAuthRule : public SecurityPolicyRule { public: - ClientCertAuthRule(const DOMElement* e) {} + ClientCertAuthRule(const DOMElement* e); virtual ~ClientCertAuthRule() {} const char* getType() const { return CLIENTCERTAUTH_POLICY_RULE; } void evaluate(const XMLObject& message, const GenericRequest* request, SecurityPolicy& policy) const; + + private: + bool m_errorFatal; }; SecurityPolicyRule* SAML_DLLLOCAL ClientCertAuthRuleFactory(const DOMElement* const & e) { return new ClientCertAuthRule(e); } + + static const XMLCh errorFatal[] = UNICODE_LITERAL_10(e,r,r,o,r,F,a,t,a,l); }; +ClientCertAuthRule::ClientCertAuthRule(const DOMElement* e) : m_errorFatal(false) +{ + if (e) { + const XMLCh* flag = e->getAttributeNS(NULL, errorFatal); + m_errorFatal = (flag && (*flag==chLatin_t || *flag==chDigit_1)); + } +} + void ClientCertAuthRule::evaluate(const XMLObject& message, const GenericRequest* request, SecurityPolicy& policy) const { Category& log=Category::getInstance(SAML_LOGCAT".SecurityPolicyRule.ClientCertAuth"); @@ -85,6 +98,8 @@ void ClientCertAuthRule::evaluate(const XMLObject& message, const GenericRequest cc.setUsage(Credential::TLS_CREDENTIAL); if (!x509trust->validate(chain.front(), chain, *(policy.getMetadataProvider()), &cc)) { + if (m_errorFatal) + throw SecurityPolicyException("Client certificate supplied, but could not be verified."); log.error("unable to verify certificate chain with supplied trust engine"); return; } diff --git a/saml/binding/impl/SimpleSigningRule.cpp b/saml/binding/impl/SimpleSigningRule.cpp index c8cbf5f..0fc1a1d 100644 --- a/saml/binding/impl/SimpleSigningRule.cpp +++ b/saml/binding/impl/SimpleSigningRule.cpp @@ -58,7 +58,7 @@ namespace opensaml { // Appends a raw parameter=value pair to the string. static bool appendParameter(string& s, const char* data, const char* name); - bool m_errorsFatal; + bool m_errorFatal; }; SecurityPolicyRule* SAML_DLLLOCAL SimpleSigningRuleFactory(const DOMElement* const & e) @@ -66,7 +66,7 @@ namespace opensaml { return new SimpleSigningRule(e); } - static const XMLCh errorsFatal[] = UNICODE_LITERAL_11(e,r,r,o,r,s,F,a,t,a,l); + static const XMLCh errorFatal[] = UNICODE_LITERAL_10(e,r,r,o,r,F,a,t,a,l); }; bool SimpleSigningRule::appendParameter(string& s, const char* data, const char* name) @@ -84,11 +84,11 @@ bool SimpleSigningRule::appendParameter(string& s, const char* data, const char* return true; } -SimpleSigningRule::SimpleSigningRule(const DOMElement* e) : m_errorsFatal(false) +SimpleSigningRule::SimpleSigningRule(const DOMElement* e) : m_errorFatal(false) { if (e) { - const XMLCh* flag = e->getAttributeNS(NULL, errorsFatal); - m_errorsFatal = (flag && (*flag==chLatin_t || *flag==chDigit_1)); + const XMLCh* flag = e->getAttributeNS(NULL, errorFatal); + m_errorFatal = (flag && (*flag==chLatin_t || *flag==chDigit_1)); } } @@ -208,8 +208,8 @@ void SimpleSigningRule::evaluate(const XMLObject& message, const GenericRequest* if (!sigtrust->validate(alg.get(), signature, keyInfo, input.c_str(), input.length(), *(policy.getMetadataProvider()), &cc)) { log.error("unable to verify message signature with supplied trust engine"); - if (m_errorsFatal) - throw SignatureException("Message was signed, but signature could not be verified."); + if (m_errorFatal) + throw SecurityPolicyException("Message was signed, but signature could not be verified."); return; } diff --git a/saml/binding/impl/XMLSigningRule.cpp b/saml/binding/impl/XMLSigningRule.cpp index b76e2b6..047de86 100644 --- a/saml/binding/impl/XMLSigningRule.cpp +++ b/saml/binding/impl/XMLSigningRule.cpp @@ -53,7 +53,7 @@ namespace opensaml { void evaluate(const XMLObject& message, const GenericRequest* request, SecurityPolicy& policy) const; private: - bool m_errorsFatal; + bool m_errorFatal; }; SecurityPolicyRule* SAML_DLLLOCAL XMLSigningRuleFactory(const DOMElement* const & e) @@ -61,14 +61,14 @@ namespace opensaml { return new XMLSigningRule(e); } - static const XMLCh errorsFatal[] = UNICODE_LITERAL_11(e,r,r,o,r,s,F,a,t,a,l); + static const XMLCh errorFatal[] = UNICODE_LITERAL_10(e,r,r,o,r,F,a,t,a,l); }; -XMLSigningRule::XMLSigningRule(const DOMElement* e) : m_errorsFatal(false) +XMLSigningRule::XMLSigningRule(const DOMElement* e) : m_errorFatal(false) { if (e) { - const XMLCh* flag = e->getAttributeNS(NULL, errorsFatal); - m_errorsFatal = (flag && (*flag==chLatin_t || *flag==chDigit_1)); + const XMLCh* flag = e->getAttributeNS(NULL, errorFatal); + m_errorFatal = (flag && (*flag==chLatin_t || *flag==chDigit_1)); } } @@ -98,7 +98,7 @@ void XMLSigningRule::evaluate(const XMLObject& message, const GenericRequest* re } catch (ValidationException& ve) { log.error("signature profile failed to validate: %s", ve.what()); - if (m_errorsFatal) + if (m_errorFatal) throw; return; } @@ -108,8 +108,8 @@ void XMLSigningRule::evaluate(const XMLObject& message, const GenericRequest* re if (!sigtrust->validate(*(signable->getSignature()), *(policy.getMetadataProvider()), &cc)) { log.error("unable to verify message signature with supplied trust engine"); - if (m_errorsFatal) - throw SignatureException("Message was signed, but signature could not be verified."); + if (m_errorFatal) + throw SecurityPolicyException("Message was signed, but signature could not be verified."); return; } -- 2.1.4