1 /**
2  * Licensed to the University Corporation for Advanced Internet
3  * Development, Inc. (UCAID) under one or more contributor license
4  * agreements. See the NOTICE file distributed with this work for
5  * additional information regarding copyright ownership.
6  *
7  * UCAID licenses this file to you under the Apache License,
8  * Version 2.0 (the "License"); you may not use this file except
9  * in compliance with the License. You may obtain a copy of the
10  * License at
11  *
12  * http://www.apache.org/licenses/LICENSE-2.0
13  *
14  * Unless required by applicable law or agreed to in writing,
15  * software distributed under the License is distributed on an
16  * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND,
17  * either express or implied. See the License for the specific
18  * language governing permissions and limitations under the License.
19  */
20 
21 /**
22  * @file saml/binding/SecurityPolicyRule.h
23  *
24  * Policy rules that secure and authenticate bindings.
25  */
26 
27 #ifndef __saml_secrule_h__
28 #define __saml_secrule_h__
29 
30 #include <saml/base.h>
31 
32 #include <set>
33 #include <string>
34 
35 #if defined (_MSC_VER)
36 #pragma warning( push )
37 #pragma warning( disable : 4251 )
38 #endif
39 
40 namespace xmltooling {
41     class XMLTOOL_API GenericRequest;
42     class XMLTOOL_API XMLObject;
43 };
44 
45 namespace opensaml {
46     class SAML_API SecurityPolicy;
47 
    /**
     * A rule that a protocol request and message must meet in order to be valid and secure.
     *
     * <p>Rules must be stateless and thread-safe across evaluations. Evaluation should not
     * result in an exception if the request/message properties do not apply to the rule
     * (e.g. particular security mechanisms that are not present).</p>
     *
     * <p>Rules are not copyable. Concrete rule types are registered as plugins by
     * registerSecurityPolicyRules(); the *_POLICY_RULE macros below name the known types.</p>
     */
    class SAML_API SecurityPolicyRule
    {
        // Disables copy construction and copy assignment for all rule types.
        MAKE_NONCOPYABLE(SecurityPolicyRule);
    protected:
        /**
         * Constructor.
         *
         * @param e root of configuration, or nullptr (the default) when no XML
         *          configuration element is supplied; derived rules that accept
         *          XML attributes presumably read them from this element — confirm
         *          in the individual rule implementations
         */
        SecurityPolicyRule(const xercesc::DOMElement* e=nullptr);
    public:
        /** Virtual destructor so derived rules can be destroyed through a base pointer. */
        virtual ~SecurityPolicyRule();

        /**
         * Returns the rule's class/type.
         *
         * <p>NOTE(review): this appears to be the plugin type name, i.e. one of the
         * *_POLICY_RULE strings below for the built-in rules — confirm in implementations.</p>
         *
         * @return  the class/type of the object
         */
        virtual const char* getType() const=0;

        /**
         * Evaluates the rule against the given request and message.
         *
         * <p>An exception will be raised if the message is fatally invalid according to
         * a policy rule.</p>
         *
         * <p>The return value is used to indicate whether a message was ignored or
         * successfully processed. A false value signals that the rule wasn't successful
         * because the rule was inapplicable to the message, but allows other rules to
         * return an alternate result. A false return is therefore not a verdict on the
         * message's validity: fatal problems are reported by throwing, never by
         * returning false.</p>
         *
         * <p>The base class version of this method will check for a non-empty profile set
         * and return false iff the active profile from the policy is not in the set.</p>
         *
         * @param message   the incoming message
         * @param request   the protocol request
         * @param policy    SecurityPolicy to provide various components and track message data
         * @return  indicator as to whether a message was understood and processed
         */
        virtual bool evaluate(
            const xmltooling::XMLObject& message,
            const xmltooling::GenericRequest* request,
            SecurityPolicy& policy
            ) const;

    protected:
        // Profiles this rule applies to. When non-empty, the base evaluate() returns
        // false for any policy whose active profile is not in this set; an empty set
        // imposes no profile restriction.
        std::set<std::string> m_profiles;
    };
103 
    /**
     * Registers SecurityPolicyRule plugins into the runtime.
     *
     * <p>Makes the built-in rule types (named by the *_POLICY_RULE macros below)
     * available for instantiation. Presumably called once during library
     * initialization — confirm against the caller.</p>
     */
    void SAML_API registerSecurityPolicyRules();
108 
109     /**
110      * SecurityPolicyRule for evaluation of SAML AudienceRestriction Conditions.
111      */
112     #define AUDIENCE_POLICY_RULE        "Audience"
113 
114     /**
115      * SecurityPolicyRule for evaluation of SAML DelegationRestriction Conditions.
116      */
117     #define DELEGATION_POLICY_RULE        "Delegation"
118 
119     /**
120      * SecurityPolicyRule for TLS client certificate authentication.
121      *
122      * Evaluates client certificates against the issuer's metadata.
123      */
124     #define CLIENTCERTAUTH_POLICY_RULE  "ClientCertAuth"
125 
126     /**
127      * SecurityPolicyRule for evaluation of SAML Conditions.
128      */
129     #define CONDITIONS_POLICY_RULE      "Conditions"
130 
131     /**
132      * SecurityPolicyRule for ignoring a SAML Condition.
133      */
134     #define IGNORE_POLICY_RULE          "Ignore"
135 
136     /**
137      * SecurityPolicyRule for replay detection and freshness checking.
138      *
139      * <p>A ReplayCache instance must be available from the runtime, unless
140      * a "checkReplay" XML attribute is set to "0" or "false" when instantiating
141      * the policy rule.
142      *
     * <p>Messages must have been issued in the past, but no more than 60 seconds ago by
     * default, or within the number of seconds set by an "expires" XML attribute when
     * instantiating the policy rule.
146      */
147     #define MESSAGEFLOW_POLICY_RULE     "MessageFlow"
148 
149     /**
150      * SecurityPolicyRule for disabling security.
151      *
     * Treats the message issuer as authenticated regardless of the message or
     * transport. Used mainly for debugging or in situations that I wouldn't care to
     * comment on.
155      */
156     #define NULLSECURITY_POLICY_RULE    "NullSecurity"
157 
158     /**
159      * SecurityPolicyRule for protocol message "blob" signing.
160      *
161      * Allows the message issuer to be authenticated using a non-XML digital signature
162      * over the message body. The transport layer is not considered.
163      */
164     #define SIMPLESIGNING_POLICY_RULE   "SimpleSigning"
165 
166     /**
167      * SecurityPolicyRule for protocol message XML signing.
168      *
169      * Allows the message issuer to be authenticated using an XML digital signature
170      * over the message. The transport layer is not considered.
171      */
172     #define XMLSIGNING_POLICY_RULE      "XMLSigning"
173 
174     /**
175      * SecurityPolicyRule for SAML 1.x Browser SSO profile validation.
176      *
177      * Enforces presence of time conditions and proper subject confirmation.
178      */
179     #define SAML1BROWSERSSO_POLICY_RULE "SAML1BrowserSSO"
180 
181     /**
182      * SecurityPolicyRule for SAML 2.0 bearer SubjectConfirmation.
183      *
184      * <p>Optionally enforces message delivery requirements based on SubjectConfirmationData.
185      *
186      * <p>The XML attributes "checkValidity", "checkRecipient", and "checkCorrelation" can be set
187      * "false" to disable checks of NotBefore/NotOnOrAfter, Recipient, and InResponseTo confirmation
188      * data respectively.
189      */
190     #define BEARER_POLICY_RULE "Bearer"
191 };
192 
193 #if defined (_MSC_VER)
194 #pragma warning( pop )
195 #endif
196 
197 #endif /* __saml_secrule_h__ */
198