/**
 * Licensed to the University Corporation for Advanced Internet
 * Development, Inc. (UCAID) under one or more contributor license
 * agreements. See the NOTICE file distributed with this work for
 * additional information regarding copyright ownership.
 *
 * UCAID licenses this file to you under the Apache License,
 * Version 2.0 (the "License"); you may not use this file except
 * in compliance with the License. You may obtain a copy of the
 * License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing,
 * software distributed under the License is distributed on an
 * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND,
 * either express or implied. See the License for the specific
 * language governing permissions and limitations under the License.
 */

/**
 * @file saml/binding/SecurityPolicyRule.h
 *
 * Policy rules that secure and authenticate bindings.
 *
 * <p>This header declares the abstract rule interface plus the string
 * identifiers under which the built-in rules are registered with the
 * runtime (see registerSecurityPolicyRules()).
 */

#ifndef __saml_secrule_h__
#define __saml_secrule_h__

#include <saml/base.h>

#include <set>
#include <string>

#if defined (_MSC_VER)
// C4251: std::set member of an exported class needs a DLL interface; harmless here.
#pragma warning( push )
#pragma warning( disable : 4251 )
#endif

namespace xmltooling {
    class XMLTOOL_API GenericRequest;
    class XMLTOOL_API XMLObject;
};

namespace opensaml {
    class SAML_API SecurityPolicy;

    /**
     * A rule that a protocol request and message must meet in order to be valid and secure.
     *
     * <p>Rules must be stateless and thread-safe across evaluations. Evaluation should not
     * result in an exception if the request/message properties do not apply to the rule
     * (e.g. particular security mechanisms that are not present).
     *
     * <p>A rule therefore has three outcomes: an exception (message is fatally invalid),
     * a true return (rule applied and succeeded), or a false return (rule did not apply,
     * leaving the decision to other rules in the policy).
     */
    class SAML_API SecurityPolicyRule
    {
        // Rules are shared across evaluations; copying is disabled
        // (presumably deletes the copy constructor/assignment — see saml/base.h).
        MAKE_NONCOPYABLE(SecurityPolicyRule);
    protected:
        /**
         * Constructor.
         *
         * <p>Protected because the class is abstract; only derived rules construct it.
         *
         * @param e root of configuration (may be null)
         *
         * NOTE(review): m_profiles is presumably populated from the configuration
         * element here — confirm against the implementation file.
         */
        SecurityPolicyRule(const xercesc::DOMElement* e=nullptr);
    public:
        /** Virtual destructor; rules are deleted through this base type. */
        virtual ~SecurityPolicyRule();

        /**
         * Returns the rule's class/type.
         *
         * @return the class/type of the object
         */
        virtual const char* getType() const=0;

        /**
         * Evaluates the rule against the given request and message.
         *
         * <p>An exception will be raised if the message is fatally invalid according to
         * a policy rule.</p>
         *
         * <p>The return value is used to indicate whether a message was ignored or
         * successfully processed. A false value signals that the rule wasn't successful
         * because the rule was inapplicable to the message, but allows other rules to
         * return an alternate result.</p>
         *
         * <p>The base class version of this method will check for a non-empty profile set
         * and return false iff the active profile from the policy is not in the set.</p>
         *
         * @param message the incoming message
         * @param request the protocol request
         * @param policy SecurityPolicy to provide various components and track message data
         * @return indicator as to whether a message was understood and processed
         */
        virtual bool evaluate(
            const xmltooling::XMLObject& message,
            const xmltooling::GenericRequest* request,
            SecurityPolicy& policy
            ) const;

    protected:
        // Profile identifiers this rule is restricted to. When non-empty, the base
        // evaluate() returns false for any active policy profile not in the set.
        std::set<std::string> m_profiles;
    };

    /**
     * Registers SecurityPolicyRule plugins into the runtime.
     *
     * <p>The identifiers below are the names under which the built-in rules
     * are registered.
     */
    void SAML_API registerSecurityPolicyRules();

    /**
     * SecurityPolicyRule for evaluation of SAML AudienceRestriction Conditions.
     */
    #define AUDIENCE_POLICY_RULE "Audience"

    /**
     * SecurityPolicyRule for evaluation of SAML DelegationRestriction Conditions.
     */
    #define DELEGATION_POLICY_RULE "Delegation"

    /**
     * SecurityPolicyRule for TLS client certificate authentication.
     *
     * Evaluates client certificates against the issuer's metadata.
     */
    #define CLIENTCERTAUTH_POLICY_RULE "ClientCertAuth"

    /**
     * SecurityPolicyRule for evaluation of SAML Conditions.
     */
    #define CONDITIONS_POLICY_RULE "Conditions"

    /**
     * SecurityPolicyRule for ignoring a SAML Condition.
     */
    #define IGNORE_POLICY_RULE "Ignore"

    /**
     * SecurityPolicyRule for replay detection and freshness checking.
     *
     * <p>A ReplayCache instance must be available from the runtime, unless
     * a "checkReplay" XML attribute is set to "0" or "false" when instantiating
     * the policy rule.
     *
     * <p>Messages must have been issued in the past, but no more than 60 seconds ago,
     * or up to a number of seconds set by an "expires" XML attribute when
     * instantiating the policy rule.
     *
     * <p>With replay checking disabled, only the freshness window limits how long
     * a captured message remains acceptable; widening "expires" extends that window.
     */
    #define MESSAGEFLOW_POLICY_RULE "MessageFlow"

    /**
     * SecurityPolicyRule for disabling security.
     *
     * Allows the message issuer to be authenticated regardless of the message or
     * transport. Used mainly for debugging or in situations that I wouldn't care to
     * comment on.
     *
     * <p>Because the issuer is accepted without any verification, a policy containing
     * this rule provides no authentication of the message at all.
     */
    #define NULLSECURITY_POLICY_RULE "NullSecurity"

    /**
     * SecurityPolicyRule for protocol message "blob" signing.
     *
     * Allows the message issuer to be authenticated using a non-XML digital signature
     * over the message body. The transport layer is not considered.
     */
    #define SIMPLESIGNING_POLICY_RULE "SimpleSigning"

    /**
     * SecurityPolicyRule for protocol message XML signing.
     *
     * Allows the message issuer to be authenticated using an XML digital signature
     * over the message. The transport layer is not considered.
     */
    #define XMLSIGNING_POLICY_RULE "XMLSigning"

    /**
     * SecurityPolicyRule for SAML 1.x Browser SSO profile validation.
     *
     * Enforces presence of time conditions and proper subject confirmation.
     */
    #define SAML1BROWSERSSO_POLICY_RULE "SAML1BrowserSSO"

    /**
     * SecurityPolicyRule for SAML 2.0 bearer SubjectConfirmation.
     *
     * <p>Optionally enforces message delivery requirements based on SubjectConfirmationData.
     *
     * <p>The XML attributes "checkValidity", "checkRecipient", and "checkCorrelation" can be set
     * "false" to disable checks of NotBefore/NotOnOrAfter, Recipient, and InResponseTo confirmation
     * data respectively.
     *
     * <p>Each disabled check removes the corresponding bearer-confirmation guarantee
     * (validity window, intended recipient, request/response correlation).
     */
    #define BEARER_POLICY_RULE "Bearer"
};

#if defined (_MSC_VER)
#pragma warning( pop )
#endif

#endif /* __saml_secrule_h__ */