From 3185ab3551b141aa705254f25f656dbcd9b1186b Mon Sep 17 00:00:00 2001 From: cantor Date: Fri, 28 May 2010 19:43:37 +0000 Subject: [PATCH] https://bugs.internet2.edu/jira/browse/SSPCPP-293 git-svn-id: https://svn.middleware.georgetown.edu/cpp-sp/branches/REL_2@3259 cb58f699-b61c-0410-a6fe-9272a202ed29 --- Shibboleth.sln | 1 + configs/Makefile.am | 1 + configs/security-policy.xml | 36 ++++++++++++++ configs/shibboleth2.xml | 26 +--------- .../resolver/impl/QueryAttributeResolver.cpp | 56 +++++++++++----------- .../impl/SimpleAggregationAttributeResolver.cpp | 37 +++++++------- shibsp/handler/impl/SAML2ArtifactResolution.cpp | 19 ++++---- shibsp/handler/impl/SAML2Logout.cpp | 44 +++++++++-------- shibsp/handler/impl/SAML2NameIDMgmt.cpp | 41 ++++++++-------- shibsp/impl/XMLSecurityPolicyProvider.cpp | 2 +- shibsp/security/SecurityPolicyProvider.h | 4 +- 11 files changed, 142 insertions(+), 125 deletions(-) create mode 100644 configs/security-policy.xml diff --git a/Shibboleth.sln b/Shibboleth.sln index 6283aa3..bc0d585 100644 --- a/Shibboleth.sln +++ b/Shibboleth.sln @@ -51,6 +51,7 @@ Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "Config", "Config", "{2543BC configs\native.logger.in = configs\native.logger.in configs\partialLogout.html = configs\partialLogout.html configs\postTemplate.html = configs\postTemplate.html + configs\security-policy.xml = configs\security-policy.xml configs\sessionError.html = configs\sessionError.html configs\shibboleth2.xml = configs\shibboleth2.xml configs\shibd-debian.in = configs\shibd-debian.in diff --git a/configs/Makefile.am b/configs/Makefile.am index 4e83e94..5657d95 100644 --- a/configs/Makefile.am +++ b/configs/Makefile.am @@ -35,6 +35,7 @@ CONFIGFILES = \ shibboleth2.xml \ attribute-map.xml \ attribute-policy.xml \ + security-policy.xml \ example-metadata.xml \ console.logger \ syslog.logger \ diff --git a/configs/security-policy.xml b/configs/security-policy.xml new file mode 100644 index 0000000..c0a5393 --- /dev/null 
+++ b/configs/security-policy.xml @@ -0,0 +1,36 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + http://www.w3.org/2001/04/xmldsig-more#md5 + http://www.w3.org/2001/04/xmldsig-more#rsa-md5 + + + diff --git a/configs/shibboleth2.xml b/configs/shibboleth2.xml index aa1086e..f64d1a4 100644 --- a/configs/shibboleth2.xml +++ b/configs/shibboleth2.xml @@ -233,29 +233,7 @@ - - - - - - - - - - - - - - - - - - http://www.w3.org/2001/04/xmldsig-more#md5 - http://www.w3.org/2001/04/xmldsig-more#rsa-md5 - - + + diff --git a/shibsp/attribute/resolver/impl/QueryAttributeResolver.cpp b/shibsp/attribute/resolver/impl/QueryAttributeResolver.cpp index 5013173..838cec0 100644 --- a/shibsp/attribute/resolver/impl/QueryAttributeResolver.cpp +++ b/shibsp/attribute/resolver/impl/QueryAttributeResolver.cpp @@ -33,6 +33,7 @@ #include "binding/SOAPClient.h" #include "metadata/MetadataProviderCriteria.h" #include "security/SecurityPolicy.h" +#include "security/SecurityPolicyProvider.h" #include "util/SPConstants.h" #include 
@@ -281,14 +282,13 @@ bool QueryResolver::SAML1Query(QueryContext& ctx) const // Locate policy key. const char* policyId = m_policyId.empty() ? application.getString("policyId").second : m_policyId.c_str(); - // Access policy properties. - const PropertySet* settings = application.getServiceProvider().getPolicySettings(policyId); - pair validate = settings->getBool("validate"); - - shibsp::SecurityPolicy policy(application, nullptr, validate.first && validate.second, policyId); - policy.getAudiences().push_back(relyingParty->getXMLString("entityID").second); + // Set up policy and SOAP client. + auto_ptr policy( + application.getServiceProvider().getSecurityPolicyProvider()->createSecurityPolicy(application, nullptr, policyId) + ); + policy->getAudiences().push_back(relyingParty->getXMLString("entityID").second); MetadataCredentialCriteria mcc(*AA); - shibsp::SOAPClient soaper(policy); + shibsp::SOAPClient soaper(*policy.get()); auto_ptr_XMLCh binding(samlconstants::SAML1_BINDING_SOAP); saml1p::Response* response=nullptr; @@ -355,14 +355,14 @@ bool QueryResolver::SAML1Query(QueryContext& ctx) const try { // We're going to insist that the assertion issuer is the same as the peer. // Reset the policy's message bits and extract them from the assertion. - policy.reset(true); - policy.setMessageID(newtoken->getAssertionID()); - policy.setIssueInstant(newtoken->getIssueInstantEpoch()); - policy.setIssuer(newtoken->getIssuer()); - policy.evaluate(*newtoken); + policy->reset(true); + policy->setMessageID(newtoken->getAssertionID()); + policy->setIssueInstant(newtoken->getIssueInstantEpoch()); + policy->setIssuer(newtoken->getIssuer()); + policy->evaluate(*newtoken); // Now we can check the security status of the policy. - if (!policy.isAuthenticated()) + if (!policy->isAuthenticated()) throw SecurityPolicyException("Security of SAML 1.x query result not established."); } catch (exception& ex) { 
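Review bot: The new policy setup dereferences `application.getServiceProvider().getSecurityPolicyProvider()` and then `policy` without checking either pointer; if the provider getter can return null when no provider is configured, or createSecurityPolicy can return null, this becomes a null dereference on a request path that could not fail this way before (the old code built the policy on the stack). The same pattern recurs in the SAML2Query hunk below, in SimpleAggregationResolver::doQuery, SAML2ArtifactResolution::processMessage, SAML2Logout::doRequest and SAML2NameIDMgmt::doRequest. Either document a non-null guarantee for both in SecurityPolicyProvider.h or guard once at the first use, e.g. `if (!policy.get()) throw <PROJECT_CONFIG_EXCEPTION>("Unable to create security policy.");` with the project's configuration-error exception type. Minor style: `*policy.get()` is just `*policy`, so `shibsp::SOAPClient soaper(*policy);`. QueryResolver::SAML1Query begins before and continues past this hunk.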
@@ -430,21 +430,19 @@ bool QueryResolver::SAML2Query(QueryContext& ctx) const const Application& application = ctx.getApplication(); const PropertySet* relyingParty = application.getRelyingParty(ctx.getEntityDescriptor()); + pair signedAssertions = relyingParty->getBool("requireSignedAssertions"); + pair encryption = relyingParty->getString("encryption"); // Locate policy key. const char* policyId = m_policyId.empty() ? application.getString("policyId").second : m_policyId.c_str(); - // Access policy properties. - const PropertySet* settings = application.getServiceProvider().getPolicySettings(policyId); - pair validate = settings->getBool("validate"); - - pair signedAssertions = relyingParty->getBool("requireSignedAssertions"); - pair encryption = relyingParty->getString("encryption"); - - shibsp::SecurityPolicy policy(application, nullptr, validate.first && validate.second, policyId); - policy.getAudiences().push_back(relyingParty->getXMLString("entityID").second); + // Set up policy and SOAP client. + auto_ptr policy( + application.getServiceProvider().getSecurityPolicyProvider()->createSecurityPolicy(application, nullptr, policyId) + ); + policy->getAudiences().push_back(relyingParty->getXMLString("entityID").second); MetadataCredentialCriteria mcc(*AA); - shibsp::SOAPClient soaper(policy); + shibsp::SOAPClient soaper(*policy.get()); auto_ptr_XMLCh binding(samlconstants::SAML20_BINDING_SOAP); saml2p::StatusResponseType* srt=nullptr; 
@@ -566,14 +564,14 @@ bool QueryResolver::SAML2Query(QueryContext& ctx) const try { // We're going to insist that the assertion issuer is the same as the peer. // Reset the policy's message bits and extract them from the assertion. - policy.reset(true); - policy.setMessageID(newtoken->getID()); - policy.setIssueInstant(newtoken->getIssueInstantEpoch()); - policy.setIssuer(newtoken->getIssuer()); - policy.evaluate(*newtoken); + policy->reset(true); + policy->setMessageID(newtoken->getID()); + policy->setIssueInstant(newtoken->getIssueInstantEpoch()); + policy->setIssuer(newtoken->getIssuer()); + policy->evaluate(*newtoken); // Now we can check the security status of the policy. - if (!policy.isAuthenticated()) + if (!policy->isAuthenticated()) throw SecurityPolicyException("Security of SAML 2.0 query result not established."); if (m_subjectMatch) { diff --git a/shibsp/attribute/resolver/impl/SimpleAggregationAttributeResolver.cpp b/shibsp/attribute/resolver/impl/SimpleAggregationAttributeResolver.cpp index 7f8cc26..fe28825 100644 --- a/shibsp/attribute/resolver/impl/SimpleAggregationAttributeResolver.cpp +++ b/shibsp/attribute/resolver/impl/SimpleAggregationAttributeResolver.cpp @@ -34,6 +34,7 @@ #include "binding/SOAPClient.h" #include "metadata/MetadataProviderCriteria.h" #include "security/SecurityPolicy.h" +#include "security/SecurityPolicyProvider.h" #include "util/SPConstants.h" #include 
@@ -333,26 +334,24 @@ bool SimpleAggregationResolver::doQuery(SimpleAggregationContext& ctx, const cha } const PropertySet* relyingParty = application.getRelyingParty(mdresult.first); + pair signedAssertions = relyingParty->getBool("requireSignedAssertions"); + pair encryption = relyingParty->getString("encryption"); // Locate policy key. const char* policyId = m_policyId.empty() ? application.getString("policyId").second : m_policyId.c_str(); - // Access policy properties. - const PropertySet* settings = application.getServiceProvider().getPolicySettings(policyId); - pair validate = settings->getBool("validate"); - - pair signedAssertions = relyingParty->getBool("requireSignedAssertions"); - pair encryption = relyingParty->getString("encryption"); - - shibsp::SecurityPolicy policy(application, nullptr, validate.first && validate.second, policyId); + // Set up policy and SOAP client. + auto_ptr policy( + application.getServiceProvider().getSecurityPolicyProvider()->createSecurityPolicy(application, nullptr, policyId) + ); if (m_metadata) - policy.setMetadataProvider(m_metadata); + policy->setMetadataProvider(m_metadata); if (m_trust) - policy.setTrustEngine(m_trust); - policy.getAudiences().push_back(relyingParty->getXMLString("entityID").second); + policy->setTrustEngine(m_trust); + policy->getAudiences().push_back(relyingParty->getXMLString("entityID").second); MetadataCredentialCriteria mcc(*AA); - shibsp::SOAPClient soaper(policy); + shibsp::SOAPClient soaper(*policy.get()); auto_ptr_XMLCh binding(samlconstants::SAML20_BINDING_SOAP); saml2p::StatusResponseType* srt=nullptr; @@ -369,7 +368,7 @@ bool SimpleAggregationResolver::doQuery(SimpleAggregationContext& ctx, const cha auto_ptr encrypted(EncryptedIDBuilder::buildEncryptedID()); encrypted->encrypt( *name, - *(policy.getMetadataProvider()), + *(policy->getMetadataProvider()), mcc, false, relyingParty->getXMLString("encryptionAlg").second 
@@ -475,14 +474,14 @@ bool SimpleAggregationResolver::doQuery(SimpleAggregationContext& ctx, const cha try { // We're going to insist that the assertion issuer is the same as the peer. // Reset the policy's message bits and extract them from the assertion. - policy.reset(true); - policy.setMessageID(newtoken->getID()); - policy.setIssueInstant(newtoken->getIssueInstantEpoch()); - policy.setIssuer(newtoken->getIssuer()); - policy.evaluate(*newtoken); + policy->reset(true); + policy->setMessageID(newtoken->getID()); + policy->setIssueInstant(newtoken->getIssueInstantEpoch()); + policy->setIssuer(newtoken->getIssuer()); + policy->evaluate(*newtoken); // Now we can check the security status of the policy. - if (!policy.isAuthenticated()) + if (!policy->isAuthenticated()) throw SecurityPolicyException("Security of SAML 2.0 query result not established."); if (m_subjectMatch) { diff --git a/shibsp/handler/impl/SAML2ArtifactResolution.cpp b/shibsp/handler/impl/SAML2ArtifactResolution.cpp index 7d17e83..7857965 100644 --- a/shibsp/handler/impl/SAML2ArtifactResolution.cpp +++ b/shibsp/handler/impl/SAML2ArtifactResolution.cpp @@ -31,6 +31,7 @@ #ifndef SHIBSP_LITE # include "security/SecurityPolicy.h" +# include "security/SecurityPolicyProvider.h" # include # include # include 
@@ -284,32 +285,30 @@ pair SAML2ArtifactResolution::processMessage(const Application& appli if (!policyId.first) policyId = application.getString("policyId"); // unqualified in Application(s) element - // Access policy properties. - const PropertySet* settings = application.getServiceProvider().getPolicySettings(policyId.second); - pair validate = settings->getBool("validate"); - // Lock metadata for use by policy. Locker metadataLocker(application.getMetadataProvider()); // Create the policy. - shibsp::SecurityPolicy policy(application, &m_role, validate.first && validate.second); + auto_ptr policy( + application.getServiceProvider().getSecurityPolicyProvider()->createSecurityPolicy(application, &m_role, policyId.second) + ); // Decode the message and verify that it's a secured ArtifactResolve request. string relayState; - auto_ptr msg(m_decoder->decode(relayState, httpRequest, policy)); + auto_ptr msg(m_decoder->decode(relayState, httpRequest, *policy.get())); if (!msg.get()) throw BindingException("Failed to decode a SAML request."); const ArtifactResolve* req = dynamic_cast(msg.get()); if (!req) throw FatalProfileException("Decoded message was not a samlp::ArtifactResolve request."); - const EntityDescriptor* entity = policy.getIssuerMetadata() ? dynamic_cast(policy.getIssuerMetadata()->getParent()) : nullptr; + const EntityDescriptor* entity = policy->getIssuerMetadata() ? dynamic_cast(policy->getIssuerMetadata()->getParent()) : nullptr; try { auto_ptr_char artifact(req->getArtifact() ? req->getArtifact()->getArtifact() : nullptr); if (!artifact.get() || !*artifact.get()) return emptyResponse(application, *req, httpResponse, entity); - auto_ptr_char issuer(policy.getIssuer() ? policy.getIssuer()->getName() : nullptr); + auto_ptr_char issuer(policy->getIssuer() ? policy->getIssuer()->getName() : nullptr); m_log.info("resolving artifact (%s) for (%s)", artifact.get(), issuer.get() ? issuer.get() : "unknown"); 
@@ -317,7 +316,7 @@ pair SAML2ArtifactResolution::processMessage(const Application& appli auto_ptr artobj(SAMLArtifact::parse(artifact.get())); auto_ptr payload(artmap->retrieveContent(artobj.get(), issuer.get())); - if (!policy.isAuthenticated()) { + if (!policy->isAuthenticated()) { m_log.error("request for artifact was unauthenticated, purging the artifact mapping"); return emptyResponse(application, *req, httpResponse, entity); } @@ -332,7 +331,7 @@ pair SAML2ArtifactResolution::processMessage(const Application& appli resp->setPayload(payload.release()); long ret = sendMessage( - *m_encoder, resp.get(), relayState.c_str(), nullptr, policy.getIssuerMetadata(), application, httpResponse, "signResponses" + *m_encoder, resp.get(), relayState.c_str(), nullptr, policy->getIssuerMetadata(), application, httpResponse, "signResponses" ); resp.release(); // freed by encoder return make_pair(true,ret); diff --git a/shibsp/handler/impl/SAML2Logout.cpp b/shibsp/handler/impl/SAML2Logout.cpp index 919a0b5..1ea0ef1 100644 --- a/shibsp/handler/impl/SAML2Logout.cpp +++ b/shibsp/handler/impl/SAML2Logout.cpp @@ -32,6 +32,7 @@ #ifndef SHIBSP_LITE # include "SessionCacheEx.h" # include "security/SecurityPolicy.h" +# include "security/SecurityPolicyProvider.h" # include "metadata/MetadataProviderCriteria.h" # include "util/TemplateParameters.h" # include 
@@ -334,22 +335,20 @@ pair SAML2Logout::doRequest(const Application& application, const HTT if (!policyId.first) policyId = application.getString("policyId"); // unqualified in Application(s) element - // Access policy properties. - const PropertySet* settings = application.getServiceProvider().getPolicySettings(policyId.second); - pair validate = settings->getBool("validate"); - // Lock metadata for use by policy. Locker metadataLocker(application.getMetadataProvider()); // Create the policy. - shibsp::SecurityPolicy policy(application, &m_role, validate.first && validate.second, policyId.second); + auto_ptr policy( + application.getServiceProvider().getSecurityPolicyProvider()->createSecurityPolicy(application, &m_role, policyId.second) + ); // Decode the message. string relayState; - auto_ptr msg(m_decoder->decode(relayState, request, policy)); + auto_ptr msg(m_decoder->decode(relayState, request, *policy.get())); const LogoutRequest* logoutRequest = dynamic_cast(msg.get()); if (logoutRequest) { - if (!policy.isAuthenticated()) + if (!policy->isAuthenticated()) throw SecurityPolicyException("Security of LogoutRequest not established."); // Message from IdP to logout one or more sessions. @@ -361,7 +360,7 @@ pair SAML2Logout::doRequest(const Application& application, const HTT logoutRequest->getID(), StatusCode::REQUESTER, StatusCode::UNKNOWN_PRINCIPAL, "No active session found in request.", relayState.c_str(), - policy.getIssuerMetadata(), + policy->getIssuerMetadata(), application, response, true 
@@ -380,13 +379,16 @@ pair SAML2Logout::doRequest(const Application& application, const HTT else { Locker credlocker(cr); auto_ptr mcc( - policy.getIssuerMetadata() ? new MetadataCredentialCriteria(*policy.getIssuerMetadata()) : nullptr + policy->getIssuerMetadata() ? new MetadataCredentialCriteria(*policy->getIssuerMetadata()) : nullptr ); try { auto_ptr decryptedID( encname->decrypt( *cr, - application.getRelyingParty(policy.getIssuerMetadata() ? dynamic_cast(policy.getIssuerMetadata()->getParent()) : nullptr)->getXMLString("entityID").second, + application.getRelyingParty( + policy->getIssuerMetadata() ? + dynamic_cast(policy->getIssuerMetadata()->getParent()) : + nullptr)->getXMLString("entityID").second, mcc.get() ) ); @@ -409,7 +411,7 @@ pair SAML2Logout::doRequest(const Application& application, const HTT logoutRequest->getID(), StatusCode::REQUESTER, StatusCode::UNKNOWN_PRINCIPAL, "NameID not found in request.", relayState.c_str(), - policy.getIssuerMetadata(), + policy->getIssuerMetadata(), application, response, m_decoder->isUserAgentPresent() @@ -420,7 +422,7 @@ pair SAML2Logout::doRequest(const Application& application, const HTT // Suck indexes out of the request for next steps. set indexes; - EntityDescriptor* entity = policy.getIssuerMetadata() ? dynamic_cast(policy.getIssuerMetadata()->getParent()) : nullptr; + EntityDescriptor* entity = policy->getIssuerMetadata() ? dynamic_cast(policy->getIssuerMetadata()->getParent()) : nullptr; const vector sindexes = logoutRequest->getSessionIndexs(); for (vector::const_iterator i = sindexes.begin(); i != sindexes.end(); ++i) { auto_ptr_char sindex((*i)->getSessionIndex()); @@ -435,7 +437,7 @@ pair SAML2Logout::doRequest(const Application& application, const HTT logoutRequest->getID(), StatusCode::REQUESTER, StatusCode::REQUEST_DENIED, "Active session did not match logout request.", relayState.c_str(), - policy.getIssuerMetadata(), + policy->getIssuerMetadata(), application, response, true 
@@ -470,7 +472,7 @@ pair SAML2Logout::doRequest(const Application& application, const HTT logoutRequest->getID(), StatusCode::RESPONDER, nullptr, ex.what(), relayState.c_str(), - policy.getIssuerMetadata(), + policy->getIssuerMetadata(), application, response, m_decoder->isUserAgentPresent() @@ -513,7 +515,7 @@ pair SAML2Logout::doRequest(const Application& application, const HTT (worked1 && worked2) ? nullptr : StatusCode::PARTIAL_LOGOUT, nullptr, relayState.c_str(), - policy.getIssuerMetadata(), + policy->getIssuerMetadata(), application, response, m_decoder->isUserAgentPresent() @@ -523,13 +525,13 @@ pair SAML2Logout::doRequest(const Application& application, const HTT // A LogoutResponse completes an SP-initiated logout sequence. const LogoutResponse* logoutResponse = dynamic_cast(msg.get()); if (logoutResponse) { - if (!policy.isAuthenticated()) { + if (!policy->isAuthenticated()) { SecurityPolicyException ex("Security of LogoutResponse not established."); - if (policy.getIssuerMetadata()) - annotateException(&ex, policy.getIssuerMetadata()); // throws it + if (policy->getIssuerMetadata()) + annotateException(&ex, policy->getIssuerMetadata()); // throws it ex.raise(); } - checkError(logoutResponse, policy.getIssuerMetadata()); // throws if Status doesn't look good... + checkError(logoutResponse, policy->getIssuerMetadata()); // throws if Status doesn't look good... // If relay state is set, recover the original return URL. if (!relayState.empty()) @@ -549,8 +551,8 @@ pair SAML2Logout::doRequest(const Application& application, const HTT } FatalProfileException ex("Incoming message was not a samlp:LogoutRequest or samlp:LogoutResponse."); - if (policy.getIssuerMetadata()) - annotateException(&ex, policy.getIssuerMetadata()); // throws it + if (policy->getIssuerMetadata()) + annotateException(&ex, policy->getIssuerMetadata()); // throws it ex.raise(); return make_pair(false,0L); // never happen, satisfies compiler #else 
diff --git a/shibsp/handler/impl/SAML2NameIDMgmt.cpp b/shibsp/handler/impl/SAML2NameIDMgmt.cpp index 61fd3ba..8d0c17d 100644 --- a/shibsp/handler/impl/SAML2NameIDMgmt.cpp +++ b/shibsp/handler/impl/SAML2NameIDMgmt.cpp @@ -32,6 +32,7 @@ #ifndef SHIBSP_LITE # include "SessionCache.h" # include "security/SecurityPolicy.h" +# include "security/SecurityPolicyProvider.h" # include "util/TemplateParameters.h" # include # include @@ -260,22 +261,20 @@ pair SAML2NameIDMgmt::doRequest( if (!policyId.first) policyId = application.getString("policyId"); // unqualified in Application(s) element - // Access policy properties. - const PropertySet* settings = application.getServiceProvider().getPolicySettings(policyId.second); - pair validate = settings->getBool("validate"); - // Lock metadata for use by policy. Locker metadataLocker(application.getMetadataProvider()); // Create the policy. - shibsp::SecurityPolicy policy(application, &m_role, validate.first && validate.second, policyId.second); + auto_ptr policy( + application.getServiceProvider().getSecurityPolicyProvider()->createSecurityPolicy(application, &m_role, policyId.second) + ); // Decode the message. string relayState; - auto_ptr msg(m_decoder->decode(relayState, request, policy)); + auto_ptr msg(m_decoder->decode(relayState, request, *policy.get())); const ManageNameIDRequest* mgmtRequest = dynamic_cast(msg.get()); if (mgmtRequest) { - if (!policy.isAuthenticated()) + if (!policy->isAuthenticated()) throw SecurityPolicyException("Security of ManageNameIDRequest not established."); // Message from IdP to change or terminate a NameID. 
@@ -288,14 +287,14 @@ pair SAML2NameIDMgmt::doRequest( mgmtRequest->getID(), StatusCode::REQUESTER, StatusCode::UNKNOWN_PRINCIPAL, "No active session found in request.", relayState.c_str(), - policy.getIssuerMetadata(), + policy->getIssuerMetadata(), application, response, true ); } - EntityDescriptor* entity = policy.getIssuerMetadata() ? dynamic_cast(policy.getIssuerMetadata()->getParent()) : nullptr; + EntityDescriptor* entity = policy->getIssuerMetadata() ? dynamic_cast(policy->getIssuerMetadata()->getParent()) : nullptr; bool ownedName = false; NameID* nameid = mgmtRequest->getNameID(); @@ -309,10 +308,12 @@ pair SAML2NameIDMgmt::doRequest( else { Locker credlocker(cr); auto_ptr mcc( - policy.getIssuerMetadata() ? new MetadataCredentialCriteria(*policy.getIssuerMetadata()) : nullptr + policy->getIssuerMetadata() ? new MetadataCredentialCriteria(*policy->getIssuerMetadata()) : nullptr ); try { - auto_ptr decryptedID(encname->decrypt(*cr,application.getRelyingParty(entity)->getXMLString("entityID").second,mcc.get())); + auto_ptr decryptedID( + encname->decrypt(*cr,application.getRelyingParty(entity)->getXMLString("entityID").second,mcc.get()) + ); nameid = dynamic_cast(decryptedID.get()); if (nameid) { ownedName = true; @@ -332,7 +333,7 @@ pair SAML2NameIDMgmt::doRequest( mgmtRequest->getID(), StatusCode::REQUESTER, StatusCode::UNKNOWN_PRINCIPAL, "NameID not found in request.", relayState.c_str(), - policy.getIssuerMetadata(), + policy->getIssuerMetadata(), application, response, m_decoder->isUserAgentPresent() @@ -349,7 +350,7 @@ pair SAML2NameIDMgmt::doRequest( mgmtRequest->getID(), StatusCode::REQUESTER, StatusCode::REQUEST_DENIED, "Active session did not match NameID mgmt request.", relayState.c_str(), - policy.getIssuerMetadata(), + policy->getIssuerMetadata(), application, response, true 
@@ -374,10 +375,12 @@ pair SAML2NameIDMgmt::doRequest( else { Locker credlocker(cr); auto_ptr mcc( - policy.getIssuerMetadata() ? new MetadataCredentialCriteria(*policy.getIssuerMetadata()) : nullptr + policy->getIssuerMetadata() ? new MetadataCredentialCriteria(*policy->getIssuerMetadata()) : nullptr ); try { - auto_ptr decryptedID(encnewid->decrypt(*cr,application.getRelyingParty(entity)->getXMLString("entityID").second,mcc.get())); + auto_ptr decryptedID( + encnewid->decrypt(*cr,application.getRelyingParty(entity)->getXMLString("entityID").second,mcc.get()) + ); newid = dynamic_cast(decryptedID.get()); if (newid) { ownedNewID = true; @@ -398,7 +401,7 @@ pair SAML2NameIDMgmt::doRequest( mgmtRequest->getID(), StatusCode::REQUESTER, nullptr, "NewID not found in request.", relayState.c_str(), - policy.getIssuerMetadata(), + policy->getIssuerMetadata(), application, response, m_decoder->isUserAgentPresent() @@ -445,7 +448,7 @@ pair SAML2NameIDMgmt::doRequest( nullptr, nullptr, relayState.c_str(), - policy.getIssuerMetadata(), + policy->getIssuerMetadata(), application, response, m_decoder->isUserAgentPresent() @@ -470,8 +473,8 @@ pair SAML2NameIDMgmt::doRequest( */ FatalProfileException ex("Incoming message was not a samlp:ManageNameIDRequest."); - if (policy.getIssuerMetadata()) - annotateException(&ex, policy.getIssuerMetadata()); // throws it + if (policy->getIssuerMetadata()) + annotateException(&ex, policy->getIssuerMetadata()); // throws it ex.raise(); return make_pair(false,0L); // never happen, satisfies compiler #else diff --git a/shibsp/impl/XMLSecurityPolicyProvider.cpp b/shibsp/impl/XMLSecurityPolicyProvider.cpp index 5f0fdb0..e0eedc9 100644 --- a/shibsp/impl/XMLSecurityPolicyProvider.cpp +++ b/shibsp/impl/XMLSecurityPolicyProvider.cpp 
@@ -164,7 +164,7 @@ SecurityPolicyProvider::~SecurityPolicyProvider() { } -opensaml::SecurityPolicy* SecurityPolicyProvider::createSecurityPolicy( +SecurityPolicy* SecurityPolicyProvider::createSecurityPolicy( const Application& application, const xmltooling::QName* role, const char* policyId ) const { diff --git a/shibsp/security/SecurityPolicyProvider.h b/shibsp/security/SecurityPolicyProvider.h index 32734f9..3d8c41b 100644 --- a/shibsp/security/SecurityPolicyProvider.h +++ b/shibsp/security/SecurityPolicyProvider.h @@ -36,7 +36,6 @@ namespace xmltooling { }; namespace opensaml { - class SAML_API SecurityPolicy; class SAML_API SecurityPolicyRule; }; @@ -44,6 +43,7 @@ namespace shibsp { class SHIBSP_API Application; class SHIBSP_API PropertySet; + class SHIBSP_API SecurityPolicy; /** * Interface to a source of security policy settings and rules. @@ -97,7 +97,7 @@ namespace shibsp { * @param policyId identifies policy, defaults to the application's default * @return a new policy instance, which the caller is responsible for freeing */ - virtual opensaml::SecurityPolicy* createSecurityPolicy( + virtual SecurityPolicy* createSecurityPolicy( const Application& application, const xmltooling::QName* role, const char* policyId=nullptr ) const; }; -- 2.1.4
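Review bot: Changing the virtual createSecurityPolicy return type from `opensaml::SecurityPolicy*` to `shibsp::SecurityPolicy*` in SecurityPolicyProvider.h silently breaks any out-of-tree SecurityPolicyProvider subclass that overrides the old signature: its method becomes a hiding overload rather than an override, so the base implementation runs instead, and there is no compiler diagnostic unless overrides are explicitly marked. That is worth a sentence in the header comment and in the release notes for this change. Every caller in this commit now dereferences the result unconditionally, so the doc comment should also state whether a null return is possible; if the XML provider guarantees it, the @return line could read `@return a new policy instance (never null), which the caller is responsible for freeing`. The XMLSecurityPolicyProvider.cpp hunk shows only the changed signature; the function body is outside the hunk.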