projects / shibboleth / sp.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
Remove extra lf from decryption logging.
[shibboleth/sp.git] / shibsp / handler / impl / SAML2Consumer.cpp
diff --git a/shibsp/handler/impl/SAML2Consumer.cpp b/shibsp/handler/impl/SAML2Consumer.cpp
index d8fc3ec..0a2ebd8 100644 (file)
--- a/shibsp/handler/impl/SAML2Consumer.cpp
+++ b/shibsp/handler/impl/SAML2Consumer.cpp
@@ -132,17 +132,20 @@ void SAML2Consumer::implementProtocol(
     // And also track "owned" tokens that we decrypt here.
     vector<saml2::Assertion*> ownedtokens;
 
-    // Profile validator.
+    // With this flag on, we ignore any unsigned assertions.
+    const EntityDescriptor* entity = NULL;
+    pair<bool,bool> flag = make_pair(false,false);
+    if (alreadySecured && policy.getIssuerMetadata()) {
+        entity = dynamic_cast<const EntityDescriptor*>(policy.getIssuerMetadata()->getParent());
+        flag = application.getRelyingParty(entity)->getBool("requireSignedAssertions");
+    }
+
     time_t now = time(NULL);
     string dest = httpRequest.getRequestURL();
-    BrowserSSOProfileValidator ssoValidator(application.getAudiences(), now, dest.substr(0,dest.find('?')).c_str());
-
-    // With this flag on, we ignore any unsigned assertions.
-    pair<bool,bool> flag = settings->getBool("signedAssertions");
 
     // authnskew allows rejection of SSO if AuthnInstant is too old.
     const PropertySet* sessionProps = application.getPropertySet("Sessions");
-    pair<bool,unsigned int> authnskew = sessionProps ? sessionProps->getUnsignedInt("authnskew") : pair<bool,unsigned int>(false,0);
+    pair<bool,unsigned int> authnskew = sessionProps ? sessionProps->getUnsignedInt("maxTimeSinceAuthn") : pair<bool,unsigned int>(false,0);
 
     // Saves off error messages potentially helpful for users.
     string contextualError;
@@ -168,7 +171,18 @@ void SAML2Consumer::implementProtocol(
             if (!alreadySecured && !policy.isAuthenticated())
                 throw SecurityPolicyException("Unable to establish security of incoming assertion.");
 
+            // If we hadn't established Issuer yet, redo the signedAssertions check.
+            if (!entity && policy.getIssuerMetadata()) {
+                entity = dynamic_cast<const EntityDescriptor*>(policy.getIssuerMetadata()->getParent());
+                flag = application.getRelyingParty(entity)->getBool("requireSignedAssertions");
+                if (!(*a)->getSignature() && flag.first && flag.second)
+                    throw SecurityPolicyException("The incoming assertion was unsigned, violating local security policy.");
+            }
+
             // Now do profile and core semantic validation to ensure we can use it for SSO.
+            BrowserSSOProfileValidator ssoValidator(
+                application.getRelyingParty(entity)->getXMLString("entityID").second, application.getAudiences(), now, dest.substr(0,dest.find('?')).c_str()
+                );
             ssoValidator.validateAssertion(*(*a));
 
             // Address checking.
@@ -211,11 +225,13 @@ void SAML2Consumer::implementProtocol(
             auto_ptr<MetadataCredentialCriteria> mcc(
                 policy.getIssuerMetadata() ? new MetadataCredentialCriteria(*policy.getIssuerMetadata()) : NULL
                 );
-            auto_ptr<XMLObject> wrapper((*ea)->decrypt(*cr, application.getXMLString("entityID").second, mcc.get()));
+            auto_ptr<XMLObject> wrapper((*ea)->decrypt(*cr, application.getRelyingParty(entity)->getXMLString("entityID").second, mcc.get()));
             decrypted = dynamic_cast<saml2::Assertion*>(wrapper.get());
             if (decrypted) {
                 wrapper.release();
                 ownedtokens.push_back(decrypted);
+                if (m_log.isDebugEnabled())
+                    m_log.debugStream() << "decrypted Assertion: " << *decrypted << logging::eol;
             }
         }
         catch (exception& ex) {
@@ -248,6 +264,9 @@ void SAML2Consumer::implementProtocol(
                 throw SecurityPolicyException("Unable to establish security of incoming assertion.");
 
             // Now do profile and core semantic validation to ensure we can use it for SSO.
+            BrowserSSOProfileValidator ssoValidator(
+                application.getRelyingParty(entity)->getXMLString("entityID").second, application.getAudiences(), now, dest.substr(0,dest.find('?')).c_str()
+                );
             ssoValidator.validateAssertion(*decrypted);
 
             // Address checking.
@@ -298,11 +317,13 @@ void SAML2Consumer::implementProtocol(
                     policy.getIssuerMetadata() ? new MetadataCredentialCriteria(*policy.getIssuerMetadata()) : NULL
                     );
                 try {
-                    auto_ptr<XMLObject> decryptedID(encname->decrypt(*cr,application.getXMLString("entityID").second,mcc.get()));
+                    auto_ptr<XMLObject> decryptedID(encname->decrypt(*cr,application.getRelyingParty(entity)->getXMLString("entityID").second,mcc.get()));
                     ssoName = dynamic_cast<NameID*>(decryptedID.get());
                     if (ssoName) {
                         ownedName = true;
                         decryptedID.release();
+                        if (m_log.isDebugEnabled())
+                            m_log.debugStream() << "decrypted NameID: " << *ssoName << logging::eol;
                     }
                 }
                 catch (exception& ex) {
@@ -359,7 +380,7 @@ void SAML2Consumer::implementProtocol(
             httpRequest,
             httpResponse,
             sessionExp,
-            policy.getIssuerMetadata() ? dynamic_cast<const EntityDescriptor*>(policy.getIssuerMetadata()->getParent()) : NULL,
+            entity,
             samlconstants::SAML20P_NS,
             ssoName,
             ssoStatement->getAuthnInstant() ? ssoStatement->getAuthnInstant()->getRawData() : NULL,
Shibboleth SP