2 * Licensed to the University Corporation for Advanced Internet
3 * Development, Inc. (UCAID) under one or more contributor license
4 * agreements. See the NOTICE file distributed with this work for
5 * additional information regarding copyright ownership.
7 * UCAID licenses this file to you under the Apache License,
8 * Version 2.0 (the "License"); you may not use this file except
9 * in compliance with the License. You may obtain a copy of the
12 * http://www.apache.org/licenses/LICENSE-2.0
14 * Unless required by applicable law or agreed to in writing,
15 * software distributed under the License is distributed on an
16 * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND,
17 * either express or implied. See the License for the specific
18 * language governing permissions and limitations under the License.
22 * WhitelistMetadataFilter.cpp
24 * Removes non-whitelisted entities from a metadata instance
28 #include "saml2/metadata/Metadata.h"
29 #include "saml2/metadata/MetadataFilter.h"
31 #include <boost/lambda/bind.hpp>
32 #include <boost/lambda/casts.hpp>
33 #include <boost/lambda/lambda.hpp>
34 #include <boost/shared_ptr.hpp>
35 #include <boost/iterator/indirect_iterator.hpp>
36 #include <xmltooling/logging.h>
38 using namespace opensaml::saml2;
39 using namespace opensaml::saml2md;
40 using namespace xmltooling::logging;
41 using namespace xmltooling;
42 using namespace boost::lambda;
43 using namespace boost;
// Metadata filter that keeps only whitelisted entities. An EntityDescriptor is
// retained when its entityID is listed in m_entities, or when one of the
// configured tag Attributes in m_tags matches an EntityAttributes extension on
// the entity itself or on an enclosing EntitiesDescriptor (see included()).
// NOTE(review): this listing omits source lines (the gutter numbers jump): the
// access specifiers and closing brace are not visible, and the constructor
// initializes an m_trimTags member that does not appear among the members below.
48 class SAML_DLLLOCAL WhitelistMetadataFilter : public MetadataFilter
// Builds the whitelist (entityIDs and tag Attributes) from the configuration element.
51 WhitelistMetadataFilter(const DOMElement* e);
52 ~WhitelistMetadataFilter() {}
// Plugin identifier; the same macro is used in the log category and exception messages.
54 const char* getId() const { return WHITELIST_METADATA_FILTER; }
// Entry point: filters an EntitiesDescriptor tree in place, or throws for a
// lone EntityDescriptor that is not whitelisted (it cannot be removed).
55 void doFilter(XMLObject& xmlObject) const;
// Removes non-whitelisted EntityDescriptors from a group and recurses into nested groups.
58 void filterGroup(EntitiesDescriptor*) const;
// Whitelist decision for one entity: entityID match or tag match.
59 bool included(const EntityDescriptor&) const;
// True when the candidate EntityAttributes satisfy one configured tag.
60 bool matches(const EntityAttributes*, const Attribute*) const;
// entityIDs collected from <Include> child elements; matched exactly.
62 set<xstring> m_entities;
// Tag Attributes parsed from saml:Attribute child elements; any single
// matching tag admits the entity (tags are OR'ed).
64 vector< boost::shared_ptr<Attribute> > m_tags;
// Factory for the whitelist filter plugin: allocates a filter configured from e.
// Ownership of the returned raw pointer passes to the caller — presumably the
// MetadataFilter plugin registry; verify where it is released.
67 MetadataFilter* SAML_DLLLOCAL WhitelistMetadataFilterFactory(const DOMElement* const & e)
69 return new WhitelistMetadataFilter(e);
// XML names from the filter configuration: the <Include> child element whose
// text content is one whitelisted entityID, and the trimTags boolean attribute
// that controls whitespace trimming of candidate attribute values in matches().
72 static const XMLCh Include[] = UNICODE_LITERAL_7(I,n,c,l,u,d,e);
73 static const XMLCh trimTags[] = UNICODE_LITERAL_8(t,r,i,m,T,a,g,s);
// Parses the filter configuration: m_trimTags comes from the trimTags attribute
// (false when absent), each <Include> child's text content becomes a whitelisted
// entityID, and each saml:Attribute child becomes a tag Attribute in m_tags.
// NOTE(review): the loop header that iterates the children is not in this
// listing; the last visible line advances to the next sibling element.
78 WhitelistMetadataFilter::WhitelistMetadataFilter(const DOMElement* e)
79 : m_trimTags(XMLHelper::getAttrBool(e, false, trimTags))
81 DOMElement* child = XMLHelper::getFirstChildElement(e);
// Only the local name is compared for <Include> (no namespace check), unlike
// the namespace-qualified test for saml:Attribute below. The text content is
// stored verbatim, and lookups in included() are exact string matches, so any
// surrounding whitespace in the configured entityID would prevent a match.
83 if (XMLString::equals(child->getLocalName(), Include) && child->hasChildNodes()) {
84 m_entities.insert(child->getFirstChild()->getTextContent());
86 else if (XMLHelper::isNodeNamed(child, samlconstants::SAML20_NS, Attribute::LOCAL_NAME)) {
// The builder returns a raw XMLObject*; it is owned via shared_ptr and then
// downcast. The builder is expected to produce an Attribute — a failed cast
// would push a null entry, and matches() dereferences its tag argument
// without a null check.
87 boost::shared_ptr<XMLObject> obj(AttributeBuilder::buildOneFromElement(child));
88 m_tags.push_back(boost::shared_dynamic_cast<Attribute>(obj));
90 child = XMLHelper::getNextSiblingElement(child);
// Filters a metadata instance in place. An EntitiesDescriptor root is handled
// by filterGroup(); a lone EntityDescriptor root is left untouched when it is
// whitelisted and rejected with MetadataFilterException when it is not; any
// other root type is rejected as well.
// NOTE(review): the branch structure and the filterGroup(group) call are among
// the lines this listing omits; the dispatch is inferred from the two casts.
94 void WhitelistMetadataFilter::doFilter(XMLObject& xmlObject) const
96 EntitiesDescriptor* group = dynamic_cast<EntitiesDescriptor*>(&xmlObject);
101 EntityDescriptor* entity = dynamic_cast<EntityDescriptor*>(&xmlObject);
// A single non-whitelisted entity cannot be removed from the document, so the
// filter fails loudly instead of passing it through.
103 if (!included(*entity))
104 throw MetadataFilterException(WHITELIST_METADATA_FILTER" MetadataFilter instructed to filter the root/only entity in the metadata.");
107 throw MetadataFilterException(WHITELIST_METADATA_FILTER" MetadataFilter was given an improper metadata instance to filter.");
// Removes every non-whitelisted EntityDescriptor from entities, logging each
// removal at info level, then applies the same filtering to nested groups.
// NOTE(review): the for header has no increment; the branch that advances i
// for retained entries is not in this listing and cannot be confirmed here.
112 void WhitelistMetadataFilter::filterGroup(EntitiesDescriptor* entities) const
114 Category& log=Category::getInstance(SAML_LOGCAT".MetadataFilter."WHITELIST_METADATA_FILTER);
// Erase in place while iterating by index; after an erase the next element
// shifts into position i, so i must not be advanced on that path.
116 VectorOf(EntityDescriptor) v = entities->getEntityDescriptors();
117 for (VectorOf(EntityDescriptor)::size_type i = 0; i < v.size(); ) {
118 if (!included(*v[i])) {
// auto_ptr_char transcodes the XMLCh entityID to a char string for the log call.
119 auto_ptr_char id(v[i]->getEntityID());
120 log.info("filtering out non-whitelisted entity (%s)", id.get());
121 v.erase(v.begin() + i);
// Recurse into child groups. The const_cast selects the const accessor, which
// returns a const reference to the child vector.
128 const vector<EntitiesDescriptor*>& groups = const_cast<const EntitiesDescriptor*>(entities)->getEntitiesDescriptors();
129 for_each(groups.begin(), groups.end(), lambda::bind(&WhitelistMetadataFilter::filterGroup, this, _1));
// Whitelist decision for one entity: true when its entityID is in m_entities,
// or when some configured tag matches the EntityAttributes extension of the
// entity itself or of any enclosing EntitiesDescriptor (ancestors are walked
// via getParent()). Tags are OR'ed. Because ancestors are consulted, a tag on
// an EntitiesDescriptor admits every entity below it.
// NOTE(review): the return statements and the null/loop guards around the
// extension lookups are among the lines this listing omits.
132 bool WhitelistMetadataFilter::included(const EntityDescriptor& entity) const
134 // Check for entityID.
// Exact match on the full entityID string; an entity without an entityID can
// only be admitted by a tag match.
135 if (entity.getEntityID() && !m_entities.empty() && m_entities.count(entity.getEntityID()) == 1)
138 // Check for a tag match in the EntityAttributes extension of the entity and its parent(s).
139 if (!m_tags.empty()) {
140 const Extensions* exts = entity.getExtensions();
// Locate the first EntityAttributes object among the extension's unknown children.
142 const vector<XMLObject*>& children = exts->getUnknownXMLObjects();
143 const XMLObject* xo = find_if(children, ll_dynamic_cast<EntityAttributes*>(_1) != ((EntityAttributes*)nullptr));
145 // If we find a matching tag, we win. Each tag is treated in OR fashion.
// xo is presumably null when no EntityAttributes is present; matches()
// dereferences its EntityAttributes argument without a null check, so a
// guard is needed before this call — expected among the omitted lines.
146 if (find_if(m_tags.begin(), m_tags.end(),
147 lambda::bind(&WhitelistMetadataFilter::matches, this, dynamic_cast<const EntityAttributes*>(xo),
148 lambda::bind(&boost::shared_ptr<Attribute>::get, _1))) != m_tags.end()) {
// Repeat the same lookup for each ancestor EntitiesDescriptor.
154 const EntitiesDescriptor* group = dynamic_cast<EntitiesDescriptor*>(entity.getParent());
156 exts = group->getExtensions();
158 const vector<XMLObject*>& children = exts->getUnknownXMLObjects();
159 const XMLObject* xo = find_if(children, ll_dynamic_cast<EntityAttributes*>(_1) != ((EntityAttributes*)nullptr));
161 // If we find a matching tag, we win. Each tag is treated in OR fashion.
162 if (find_if(m_tags.begin(), m_tags.end(),
163 lambda::bind(&WhitelistMetadataFilter::matches, this, dynamic_cast<const EntityAttributes*>(xo),
164 lambda::bind(&boost::shared_ptr<Attribute>::get, _1))) != m_tags.end()) {
// Move up one level; the walk ends when the parent is not an EntitiesDescriptor.
169 group = dynamic_cast<EntitiesDescriptor*>(group->getParent());
175 bool WhitelistMetadataFilter::matches(const EntityAttributes* ea, const Attribute* tag) const
177 const vector<Attribute*>& attrs = ea->getAttributes();
178 const vector<XMLObject*>& tagvals = tag->getAttributeValues();
179 if (!attrs.empty() && !tagvals.empty()) {
180 // Track whether we've found every tag value.
181 vector<bool> flags(tagvals.size());
183 // Check each attribute/tag in the candidate.
184 for (indirect_iterator<vector<Attribute*>::const_iterator> a = make_indirect_iterator(attrs.begin());
185 a != make_indirect_iterator(attrs.end()); ++a) {
186 // Compare Name and NameFormat for a matching tag.
187 if (XMLString::equals(a->getName(), tag->getName()) &&
188 (!tag->getNameFormat() || XMLString::equals(tag->getNameFormat(), Attribute::UNSPECIFIED) ||
189 XMLString::equals(tag->getNameFormat(), a->getNameFormat()))) {
190 // Check each tag value's simple content for a match.
191 for (vector<XMLObject*>::size_type tagindex = 0; tagindex < tagvals.size(); ++tagindex) {
192 const XMLObject* tagval = tagvals[tagindex];
193 const XMLCh* tagvalstr = (tagval->getDOM()) ? tagval->getDOM()->getTextContent() : tagval->getTextContent();
194 const vector<XMLObject*>& cvals = const_cast<const Attribute&>(*a).getAttributeValues();
195 for (indirect_iterator<vector<XMLObject*>::const_iterator> cval = make_indirect_iterator(cvals.begin());
196 cval != make_indirect_iterator(cvals.end()); ++cval) {
197 const XMLCh* cvalstr = cval->getDOM() ? cval->getDOM()->getTextContent() : cval->getTextContent();
198 if (tagvalstr && cvalstr) {
199 if (XMLString::equals(tagvalstr, cvalstr)) {
200 flags[tagindex] = true;
203 else if (m_trimTags) {
204 XMLCh* dup = XMLString::replicate(cvalstr);
205 XMLString::trim(dup);
206 if (XMLString::equals(tagvalstr, dup)) {
207 XMLString::release(&dup);
208 flags[tagindex] = true;
211 XMLString::release(&dup);
219 if (find(flags.begin(), flags.end(), false) == flags.end())