2 * Copyright 2009-2010 Internet2
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
8 * http://www.apache.org/licenses/LICENSE-2.0
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
18 * EntityRoleMetadataFilter.cpp
20 * Removes non-whitelisted roles from a metadata instance.
24 #include "saml2/metadata/Metadata.h"
25 #include "saml2/metadata/MetadataFilter.h"
27 #include <xmltooling/logging.h>
28 #include <xmltooling/util/NDC.h>
30 using namespace opensaml::saml2md;
31 using namespace xmltooling::logging;
32 using namespace xmltooling;
38 class SAML_DLLLOCAL EntityRoleMetadataFilter : public MetadataFilter
41 EntityRoleMetadataFilter(const DOMElement* e);
42 ~EntityRoleMetadataFilter() {}
44 const char* getId() const { return ENTITYROLE_METADATA_FILTER; }
45 void doFilter(XMLObject& xmlObject) const;
48 void doFilter(EntityDescriptor& entity) const;
49 void doFilter(EntitiesDescriptor& entities) const;
51 bool m_removeRolelessEntityDescriptors, m_removeEmptyEntitiesDescriptors;
52 set<xmltooling::QName> m_roles;
53 bool m_idp, m_sp, m_authn, m_attr, m_pdp, m_authnq, m_attrq, m_authzq;
56 MetadataFilter* SAML_DLLLOCAL EntityRoleMetadataFilterFactory(const DOMElement* const & e)
58 return new EntityRoleMetadataFilter(e);
64 static const XMLCh RetainedRole[] = UNICODE_LITERAL_12(R,e,t,a,i,n,e,d,R,o,l,e);
65 static const XMLCh removeRolelessEntityDescriptors[] = UNICODE_LITERAL_31(r,e,m,o,v,e,R,o,l,e,l,e,s,s,E,n,t,i,t,y,D,e,s,c,r,i,p,t,o,r,s);
66 static const XMLCh removeEmptyEntitiesDescriptors[] = UNICODE_LITERAL_30(r,e,m,o,v,e,E,m,p,t,y,E,n,t,i,t,i,e,s,D,e,s,c,r,i,p,t,o,r,s);
68 EntityRoleMetadataFilter::EntityRoleMetadataFilter(const DOMElement* e)
69 : m_removeRolelessEntityDescriptors(true), m_removeEmptyEntitiesDescriptors(true),
70 m_idp(false), m_sp(false), m_authn(false), m_attr(false), m_pdp(false), m_authnq(false), m_attrq(false), m_authzq(false)
72 const XMLCh* flag = e ? e->getAttributeNS(nullptr, removeRolelessEntityDescriptors) : nullptr;
73 if (flag && (*flag == chLatin_f || *flag == chDigit_0))
74 m_removeRolelessEntityDescriptors = false;
75 flag = e ? e->getAttributeNS(nullptr, removeEmptyEntitiesDescriptors) : nullptr;
76 if (flag && (*flag == chLatin_f || *flag == chDigit_0))
77 m_removeEmptyEntitiesDescriptors = false;
79 e = XMLHelper::getFirstChildElement(e, RetainedRole);
81 auto_ptr<xmltooling::QName> q(XMLHelper::getNodeValueAsQName(e));
83 if (*q == IDPSSODescriptor::ELEMENT_QNAME)
85 else if (*q == SPSSODescriptor::ELEMENT_QNAME)
87 else if (*q == AuthnAuthorityDescriptor::ELEMENT_QNAME)
89 else if (*q == AttributeAuthorityDescriptor::ELEMENT_QNAME)
91 else if (*q == PDPDescriptor::ELEMENT_QNAME)
93 else if (*q == AuthnQueryDescriptorType::TYPE_QNAME)
95 else if (*q == AttributeQueryDescriptorType::TYPE_QNAME)
97 else if (*q == AuthzDecisionQueryDescriptorType::TYPE_QNAME)
100 m_roles.insert(*q.get());
102 e = XMLHelper::getNextSiblingElement(e, RetainedRole);
106 void EntityRoleMetadataFilter::doFilter(XMLObject& xmlObject) const
113 doFilter(dynamic_cast<EntitiesDescriptor&>(xmlObject));
120 doFilter(dynamic_cast<EntityDescriptor&>(xmlObject));
126 throw MetadataFilterException("EntityRoleWhiteList MetadataFilter was given an improper metadata instance to filter.");
129 void EntityRoleMetadataFilter::doFilter(EntitiesDescriptor& entities) const
131 Category& log=Category::getInstance(SAML_LOGCAT".MetadataFilter.EntityRoleWhiteList");
133 VectorOf(EntityDescriptor) v=entities.getEntityDescriptors();
134 for (VectorOf(EntityDescriptor)::size_type i=0; i<v.size(); ) {
136 if (m_removeRolelessEntityDescriptors) {
137 const EntityDescriptor& e = const_cast<const EntityDescriptor&>(*v[i]);
138 if (e.getIDPSSODescriptors().empty() &&
139 e.getSPSSODescriptors().empty() &&
140 e.getAuthnAuthorityDescriptors().empty() &&
141 e.getAttributeAuthorityDescriptors().empty() &&
142 e.getPDPDescriptors().empty() &&
143 e.getAuthnQueryDescriptorTypes().empty() &&
144 e.getAttributeQueryDescriptorTypes().empty() &&
145 e.getAuthzDecisionQueryDescriptorTypes().empty() &&
146 e.getRoleDescriptors().empty()) {
147 auto_ptr_char temp(e.getEntityID());
148 log.debug("filtering out role-less entity (%s)", temp.get());
149 v.erase(v.begin() + i);
156 VectorOf(EntitiesDescriptor) groups=entities.getEntitiesDescriptors();
157 for (VectorOf(EntitiesDescriptor)::size_type j=0; j<groups.size(); ) {
158 EntitiesDescriptor* group = groups[j];
160 if (m_removeEmptyEntitiesDescriptors && group->getEntitiesDescriptors().empty() && group->getEntityDescriptors().empty()) {
161 auto_ptr_char temp(entities.getName());
162 auto_ptr_char temp2(group->getName());
164 "filtering out empty EntitiesDescriptor (%s) from EntitiesDescriptor (%s)",
165 temp2.get() ? temp2.get() : "unnamed",
166 temp.get() ? temp.get() : "unnamed"
168 groups.erase(groups.begin() + j);
176 void EntityRoleMetadataFilter::doFilter(EntityDescriptor& entity) const
179 entity.getIDPSSODescriptors().clear();
181 entity.getSPSSODescriptors().clear();
183 entity.getAuthnAuthorityDescriptors().clear();
185 entity.getAttributeAuthorityDescriptors().clear();
187 entity.getPDPDescriptors().clear();
189 entity.getAuthnQueryDescriptorTypes().clear();
191 entity.getAttributeQueryDescriptorTypes().clear();
193 entity.getAuthzDecisionQueryDescriptorTypes().clear();
195 VectorOf(RoleDescriptor) v = entity.getRoleDescriptors();
196 for (VectorOf(RoleDescriptor)::size_type i=0; i<v.size(); ) {
197 const xmltooling::QName* type = v[i]->getSchemaType();
198 if (!type || m_roles.find(*type) != m_roles.end())
199 v.erase(v.begin() + i);