#include <saml/binding/SecurityPolicy.h>
Public Member Functions | |
SecurityPolicy (const saml2md::MetadataProvider *metadataProvider=nullptr, const xmltooling::QName *role=nullptr, const xmltooling::TrustEngine *trustEngine=nullptr, bool validate=true) | |
Constructor for policy. | |
const saml2md::MetadataProvider * | getMetadataProvider () const |
Returns the locked MetadataProvider supplied to the policy. | |
virtual saml2md::MetadataProvider::Criteria & | getMetadataProviderCriteria () const |
Returns a reference to a MetadataProvider::Criteria instance suitable for use with the installed MetadataProvider. | |
const xmltooling::QName * | getRole () const |
Returns the peer role element/type supplied to the policy. | |
const xmltooling::TrustEngine * | getTrustEngine () const |
Returns the TrustEngine supplied to the policy. | |
bool | getValidating () const |
Returns XML message validation setting. | |
bool | requireEntityIssuer () const |
Returns flag controlling non-entity issuer support. | |
const std::vector < xmltooling::xstring > & | getAudiences () const |
Returns the SAML audiences that represent the receiving peer. | |
std::vector < xmltooling::xstring > & | getAudiences () |
Returns the SAML audiences that represent the receiving peer. | |
time_t | getTime () const |
Gets the effective time of message processing. | |
const XMLCh * | getCorrelationID () const |
Returns the message identifier to which the message being evaluated is a response. | |
std::vector< const SecurityPolicyRule * > & | getRules () |
Gets a mutable array of installed policy rules. | |
void | setMetadataProvider (const saml2md::MetadataProvider *metadata) |
Sets a locked MetadataProvider for the policy. | |
void | setMetadataProviderCriteria (saml2md::MetadataProvider::Criteria *criteria) |
Sets a MetadataProvider::Criteria instance suitable for use with the installed MetadataProvider. | |
void | setRole (const xmltooling::QName *role) |
Sets a peer role element/type for to the policy. | |
void | setTrustEngine (const xmltooling::TrustEngine *trust) |
Sets a TrustEngine for the policy. | |
void | setValidating (bool validate=true) |
Controls schema validation of incoming XML messages. | |
void | requireEntityIssuer (bool entityOnly=true) |
Sets flag controlling non-entity issuer support. | |
void | setTime (time_t ts) |
Sets effective time of message processing. | |
void | setCorrelationID (const XMLCh *correlationID) |
Sets the message identifier to which the message being evaluated is a response. | |
void | evaluate (const xmltooling::XMLObject &message, const xmltooling::GenericRequest *request=nullptr) |
Evaluates the policy against the given request and message, possibly populating message information in the policy object. | |
virtual void | reset (bool messageOnly=false) |
Resets the policy object and/or clears any per-message state. | |
void | _reset (bool messageOnly=false) |
Resets the policy object and/or clears any per-message state for only this specific class. | |
const XMLCh * | getMessageID () const |
Returns the message identifier as determined by the registered policies. | |
time_t | getIssueInstant () const |
Returns the message timestamp as determined by the registered policies. | |
const saml2::Issuer * | getIssuer () const |
Gets the issuer of the message as determined by the registered policies. | |
const saml2md::RoleDescriptor * | getIssuerMetadata () const |
Gets the metadata for the role the issuer is operating in. | |
bool | isAuthenticated () const |
Returns the authentication status of the message as determined by the registered policies. | |
void | setMessageID (const XMLCh *id) |
Sets the message identifier as determined by the registered policies. | |
void | setIssueInstant (time_t issueInstant) |
Sets the message timestamp as determined by the registered policies. | |
void | setIssuer (const saml2::Issuer *issuer) |
Sets the issuer of the message as determined by the registered policies. | |
void | setIssuer (const XMLCh *issuer) |
Sets the issuer of the message as determined by the registered policies. | |
void | setIssuerMetadata (const saml2md::RoleDescriptor *issuerRole) |
Sets the metadata for the role the issuer is operating in. | |
void | setAuthenticated (bool auth) |
Sets the authentication status of the message as determined by the registered policies. | |
const IssuerMatchingPolicy & | getIssuerMatchingPolicy () const |
Returns the IssuerMatchingPolicy in effect. | |
void | setIssuerMatchingPolicy (IssuerMatchingPolicy *matchingPolicy) |
Sets the IssuerMatchingPolicy in effect. | |
Protected Attributes | |
saml2md::MetadataProvider::Criteria * | m_metadataCriteria |
Manufactured MetadataProvider::Criteria instance. | |
Static Protected Attributes | |
static IssuerMatchingPolicy | m_defaultMatching |
A shared matching object that just supports the default matching rules. | |
Classes | |
class | IssuerMatchingPolicy |
Allows override of rules for comparing saml2:Issuer information. More... |
Its security mechanisms may be used to examine the transport layer (e.g client certificates and HTTP basic auth passwords) or to check the payload of a request to ensure it meets certain criteria (e.g. valid digital signature, freshness, replay).
Policy objects can be reused, but are not thread-safe.
opensaml::SecurityPolicy::SecurityPolicy | ( | const saml2md::MetadataProvider * | metadataProvider = nullptr , |
|
const xmltooling::QName * | role = nullptr , |
|||
const xmltooling::TrustEngine * | trustEngine = nullptr , |
|||
bool | validate = true | |||
) |
Constructor for policy.
metadataProvider | locked MetadataProvider instance | |
role | identifies the role (generally IdP or SP) of the policy peer | |
trustEngine | TrustEngine to authenticate policy peer | |
validate | true iff XML parsing should be done with validation |
const saml2md::MetadataProvider* opensaml::SecurityPolicy::getMetadataProvider | ( | ) | const |
Returns the locked MetadataProvider supplied to the policy.
virtual saml2md::MetadataProvider::Criteria& opensaml::SecurityPolicy::getMetadataProviderCriteria | ( | ) | const [virtual] |
Returns a reference to a MetadataProvider::Criteria instance suitable for use with the installed MetadataProvider.
The object will be cleared/reset when returned, so do not mutate it and then call the method again before using it.
const xmltooling::QName* opensaml::SecurityPolicy::getRole | ( | ) | const |
Returns the peer role element/type supplied to the policy.
const xmltooling::TrustEngine* opensaml::SecurityPolicy::getTrustEngine | ( | ) | const |
Returns the TrustEngine supplied to the policy.
bool opensaml::SecurityPolicy::getValidating | ( | ) | const |
Returns XML message validation setting.
bool opensaml::SecurityPolicy::requireEntityIssuer | ( | ) | const |
Returns flag controlling non-entity issuer support.
const std::vector<xmltooling::xstring>& opensaml::SecurityPolicy::getAudiences | ( | ) | const |
Returns the SAML audiences that represent the receiving peer.
std::vector<xmltooling::xstring>& opensaml::SecurityPolicy::getAudiences | ( | ) |
Returns the SAML audiences that represent the receiving peer.
time_t opensaml::SecurityPolicy::getTime | ( | ) | const |
Gets the effective time of message processing.
const XMLCh* opensaml::SecurityPolicy::getCorrelationID | ( | ) | const |
Returns the message identifier to which the message being evaluated is a response.
std::vector<const SecurityPolicyRule*>& opensaml::SecurityPolicy::getRules | ( | ) |
Gets a mutable array of installed policy rules.
If adding rules, their lifetime must be at least as long as the policy object.
void opensaml::SecurityPolicy::setMetadataProvider | ( | const saml2md::MetadataProvider * | metadata | ) |
Sets a locked MetadataProvider for the policy.
metadata | a locked MetadataProvider or nullptr |
void opensaml::SecurityPolicy::setMetadataProviderCriteria | ( | saml2md::MetadataProvider::Criteria * | criteria | ) |
Sets a MetadataProvider::Criteria instance suitable for use with the installed MetadataProvider.
The policy will take ownership of the criteria object when this method completes.
criteria | a MetadataProvider::Criteria instance, or nullptr |
void opensaml::SecurityPolicy::setRole | ( | const xmltooling::QName * | role | ) |
Sets a peer role element/type for to the policy.
role | the peer role element/type or nullptr |
void opensaml::SecurityPolicy::setTrustEngine | ( | const xmltooling::TrustEngine * | trust | ) |
Sets a TrustEngine for the policy.
trust | a TrustEngine or nullptr |
void opensaml::SecurityPolicy::setValidating | ( | bool | validate = true |
) |
Controls schema validation of incoming XML messages.
This is separate from other forms of programmatic validation of objects, but can detect a much wider range of syntax errors.
validate | validation setting |
void opensaml::SecurityPolicy::requireEntityIssuer | ( | bool | entityOnly = true |
) |
Sets flag controlling non-entity issuer support.
entityOnly | require that Issuer be in entity format |
void opensaml::SecurityPolicy::setTime | ( | time_t | ts | ) |
Sets effective time of message processing.
Assumed to be the time of policy instantiation, can be adjusted to pre- or post-date message processing.
ts | the time at which the message is being processed |
void opensaml::SecurityPolicy::setCorrelationID | ( | const XMLCh * | correlationID | ) |
Sets the message identifier to which the message being evaluated is a response.
correlationID | correlated message identifier |
void opensaml::SecurityPolicy::evaluate | ( | const xmltooling::XMLObject & | message, | |
const xmltooling::GenericRequest * | request = nullptr | |||
) |
Evaluates the policy against the given request and message, possibly populating message information in the policy object.
message | the incoming message | |
request | the protocol request |
BindingException | raised if the message/request is invalid according to the supplied rules |
virtual void opensaml::SecurityPolicy::reset | ( | bool | messageOnly = false |
) | [virtual] |
Resets the policy object and/or clears any per-message state.
Resets can be complete (the default) or merely clear the previous message ID and timestamp when evaluating multiple layers of a message.
messageOnly | true iff security and issuer state should be left in place |
Reimplemented in opensaml::saml2::SAML2AssertionPolicy.
void opensaml::SecurityPolicy::_reset | ( | bool | messageOnly = false |
) |
Resets the policy object and/or clears any per-message state for only this specific class.
Resets can be complete (the default) or merely clear the previous message ID and timestamp when evaluating multiple layers of a message.
messageOnly | true iff security and issuer state should be left in place |
Reimplemented in opensaml::saml2::SAML2AssertionPolicy.
const XMLCh* opensaml::SecurityPolicy::getMessageID | ( | ) | const |
Returns the message identifier as determined by the registered policies.
time_t opensaml::SecurityPolicy::getIssueInstant | ( | ) | const |
Returns the message timestamp as determined by the registered policies.
const saml2::Issuer* opensaml::SecurityPolicy::getIssuer | ( | ) | const |
Gets the issuer of the message as determined by the registered policies.
const saml2md::RoleDescriptor* opensaml::SecurityPolicy::getIssuerMetadata | ( | ) | const |
Gets the metadata for the role the issuer is operating in.
bool opensaml::SecurityPolicy::isAuthenticated | ( | ) | const |
Returns the authentication status of the message as determined by the registered policies.
void opensaml::SecurityPolicy::setMessageID | ( | const XMLCh * | id | ) |
Sets the message identifier as determined by the registered policies.
id | message identifier |
void opensaml::SecurityPolicy::setIssueInstant | ( | time_t | issueInstant | ) |
Sets the message timestamp as determined by the registered policies.
issueInstant | message timestamp |
void opensaml::SecurityPolicy::setIssuer | ( | const saml2::Issuer * | issuer | ) |
Sets the issuer of the message as determined by the registered policies.
issuer | issuer of the message |
void opensaml::SecurityPolicy::setIssuer | ( | const XMLCh * | issuer | ) |
Sets the issuer of the message as determined by the registered policies.
issuer | issuer of the message |
void opensaml::SecurityPolicy::setIssuerMetadata | ( | const saml2md::RoleDescriptor * | issuerRole | ) |
Sets the metadata for the role the issuer is operating in.
issuerRole | metadata for the role the issuer is operating in |
void opensaml::SecurityPolicy::setAuthenticated | ( | bool | auth | ) |
Sets the authentication status of the message as determined by the registered policies.
auth | indicates whether the issuer/message has been authenticated |
const IssuerMatchingPolicy& opensaml::SecurityPolicy::getIssuerMatchingPolicy | ( | ) | const |
void opensaml::SecurityPolicy::setIssuerMatchingPolicy | ( | IssuerMatchingPolicy * | matchingPolicy | ) |
Sets the IssuerMatchingPolicy in effect.
Setting no policy will cause the simple, default approach to be used.
The matching object will be freed by the SecurityPolicy.
matchingPolicy | the IssuerMatchingPolicy to use |
IssuerMatchingPolicy opensaml::SecurityPolicy::m_defaultMatching [static, protected] |
A shared matching object that just supports the default matching rules.
saml2md::MetadataProvider::Criteria* opensaml::SecurityPolicy::m_metadataCriteria [mutable, protected] |
Manufactured MetadataProvider::Criteria instance.