2 * Licensed to the University Corporation for Advanced Internet
3 * Development, Inc. (UCAID) under one or more contributor license
4 * agreements. See the NOTICE file distributed with this work for
5 * additional information regarding copyright ownership.
7 * UCAID licenses this file to you under the Apache License,
8 * Version 2.0 (the "License"); you may not use this file except
9 * in compliance with the License. You may obtain a copy of the
12 * http://www.apache.org/licenses/LICENSE-2.0
14 * Unless required by applicable law or agreed to in writing,
15 * software distributed under the License is distributed on an
16 * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND,
17 * either express or implied. See the License for the specific
18 * language governing permissions and limitations under the License.
22 * NameIDQualifierStringFunctor.cpp
24 * A match function that ensures that a NameID-valued attribute's qualifier(s)
25 * match particular values.
29 #include "exceptions.h"
30 #include "attribute/NameIDAttribute.h"
31 #include "attribute/filtering/FilteringContext.h"
32 #include "attribute/filtering/FilterPolicyContext.h"
33 #include "attribute/filtering/MatchFunctor.h"
35 #include <saml/saml2/core/Assertions.h>
36 #include <xmltooling/util/XMLHelper.h>
38 using namespace shibsp;
39 using namespace xmltooling::logging;
40 using namespace xmltooling;
42 using opensaml::saml2::NameID;
46 static const XMLCh attributeID[] = UNICODE_LITERAL_11(a,t,t,r,i,b,u,t,e,I,D);
49 * A match function that ensures that a NameID-valued attribute's qualifier(s)
50 * match particular values.
52 class SHIBSP_DLLLOCAL NameIDQualifierStringFunctor : public MatchFunctor
54 string m_attributeID,m_matchNameQualifier,m_matchSPNameQualifier;
56 bool hasValue(const FilteringContext& filterContext) const;
57 bool matches(const FilteringContext& filterContext, const Attribute& attribute, size_t index) const;
60 NameIDQualifierStringFunctor(const DOMElement* e)
61 : m_attributeID(XMLHelper::getAttrString(e, nullptr, attributeID)),
62 m_matchNameQualifier(XMLHelper::getAttrString(e, nullptr, NameID::NAMEQUALIFIER_ATTRIB_NAME)),
63 m_matchSPNameQualifier(XMLHelper::getAttrString(e, nullptr, NameID::SPNAMEQUALIFIER_ATTRIB_NAME)) {
66 virtual ~NameIDQualifierStringFunctor() {
69 bool evaluatePolicyRequirement(const FilteringContext& filterContext) const {
70 if (m_attributeID.empty())
71 throw AttributeFilteringException("No attributeID specified.");
72 return hasValue(filterContext);
75 bool evaluatePermitValue(const FilteringContext& filterContext, const Attribute& attribute, size_t index) const {
76 if (m_attributeID.empty() || m_attributeID == attribute.getId())
77 return matches(filterContext, attribute, index);
78 return hasValue(filterContext);
82 MatchFunctor* SHIBSP_DLLLOCAL NameIDQualifierStringFactory(const std::pair<const FilterPolicyContext*,const DOMElement*>& p)
84 return new NameIDQualifierStringFunctor(p.second);
89 bool NameIDQualifierStringFunctor::hasValue(const FilteringContext& filterContext) const
92 pair<multimap<string,Attribute*>::const_iterator,multimap<string,Attribute*>::const_iterator> attrs =
93 filterContext.getAttributes().equal_range(m_attributeID);
94 for (; attrs.first != attrs.second; ++attrs.first) {
95 count = attrs.first->second->valueCount();
96 for (size_t index = 0; index < count; ++index) {
97 if (matches(filterContext, *(attrs.first->second), index))
104 bool NameIDQualifierStringFunctor::matches(const FilteringContext& filterContext, const Attribute& attribute, size_t index) const
106 const NameIDAttribute* nameattr = dynamic_cast<const NameIDAttribute*>(&attribute);
108 Category::getInstance(SHIBSP_LOGCAT ".AttributeFilter").warn(
109 "NameIDQualifierString MatchFunctor applied to non-NameID-valued attribute (%s)", attribute.getId()
114 const NameIDAttribute::Value& val = nameattr->getValues()[index];
115 if (!val.m_NameQualifier.empty()) {
116 if (m_matchNameQualifier.empty()) {
117 auto_ptr_char issuer(filterContext.getAttributeIssuer());
118 if (issuer.get() && *issuer.get()) {
119 if (val.m_NameQualifier != issuer.get()) {
120 Category::getInstance(SHIBSP_LOGCAT ".AttributeFilter").warn(
121 "NameIDQualifierString MatchFunctor rejecting NameQualifier (%s), should be (%s)",
122 val.m_NameQualifier.c_str(), issuer.get()
128 Category::getInstance(SHIBSP_LOGCAT ".AttributeFilter").warn(
129 "NameIDQualifierString MatchFunctor rejecting NameQualifier (%s), attribute issuer unknown",
130 val.m_NameQualifier.c_str()
135 else if (m_matchNameQualifier != val.m_NameQualifier) {
136 Category::getInstance(SHIBSP_LOGCAT ".AttributeFilter").warn(
137 "NameIDQualifierString MatchFunctor rejecting NameQualifier (%s), should be (%s)",
138 val.m_NameQualifier.c_str(), m_matchNameQualifier.c_str()
143 if (!val.m_SPNameQualifier.empty()) {
144 if (m_matchSPNameQualifier.empty()) {
145 auto_ptr_char req(filterContext.getAttributeRequester());
146 if (req.get() && *req.get()) {
147 if (val.m_SPNameQualifier != req.get()) {
148 Category::getInstance(SHIBSP_LOGCAT ".AttributeFilter").warn(
149 "NameIDQualifierString MatchFunctor rejecting SPNameQualifier (%s), should be (%s)",
150 val.m_SPNameQualifier.c_str(), req.get()
156 Category::getInstance(SHIBSP_LOGCAT ".AttributeFilter").warn(
157 "NameIDQualifierString MatchFunctor rejecting SPNameQualifier (%s), attribute requester unknown",
158 val.m_SPNameQualifier.c_str()
163 else if (m_matchSPNameQualifier != val.m_SPNameQualifier) {
164 Category::getInstance(SHIBSP_LOGCAT ".AttributeFilter").warn(
165 "NameIDQualifierString MatchFunctor rejecting SPNameQualifier (%s), should be (%s)",
166 val.m_SPNameQualifier.c_str(), m_matchSPNameQualifier.c_str()