2 * Licensed to the University Corporation for Advanced Internet
3 * Development, Inc. (UCAID) under one or more contributor license
4 * agreements. See the NOTICE file distributed with this work for
5 * additional information regarding copyright ownership.
7 * UCAID licenses this file to you under the Apache License,
8 * Version 2.0 (the "License"); you may not use this file except
9 * in compliance with the License. You may obtain a copy of the
12 * http://www.apache.org/licenses/LICENSE-2.0
14 * Unless required by applicable law or agreed to in writing,
15 * software distributed under the License is distributed on an
16 * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND,
17 * either express or implied. See the License for the specific
18 * language governing permissions and limitations under the License.
22 * ChainingAccessControl.cpp
24 * Access control plugin that combines other plugins.
28 #include "exceptions.h"
29 #include "AccessControl.h"
30 #include "SessionCache.h"
31 #include "SPRequest.h"
34 #include <boost/ptr_container/ptr_vector.hpp>
35 #include <xmltooling/unicode.h>
36 #include <xmltooling/util/XMLHelper.h>
37 #include <xercesc/util/XMLUniDefs.hpp>
39 using namespace shibsp;
40 using namespace xmltooling;
41 using namespace boost;
46 class ChainingAccessControl : public AccessControl
49 ChainingAccessControl(const DOMElement* e);
51 ~ChainingAccessControl() {}
54 for_each(m_ac.begin(), m_ac.end(), mem_fun_ref<Lockable*,Lockable>(&Lockable::lock));
58 for_each(m_ac.begin(), m_ac.end(), mem_fun_ref<void,Lockable>(&Lockable::unlock));
61 aclresult_t authorized(const SPRequest& request, const Session* session) const;
64 enum operator_t { OP_AND, OP_OR } m_op;
65 ptr_vector<AccessControl> m_ac;
68 AccessControl* SHIBSP_DLLLOCAL ChainingAccessControlFactory(const DOMElement* const & e)
70 return new ChainingAccessControl(e);
73 static const XMLCh _AccessControl[] = UNICODE_LITERAL_13(A,c,c,e,s,s,C,o,n,t,r,o,l);
74 static const XMLCh _operator[] = UNICODE_LITERAL_8(o,p,e,r,a,t,o,r);
75 static const XMLCh _type[] = UNICODE_LITERAL_4(t,y,p,e);
76 static const XMLCh AND[] = UNICODE_LITERAL_3(A,N,D);
77 static const XMLCh OR[] = UNICODE_LITERAL_2(O,R);
79 extern AccessControl* SHIBSP_DLLLOCAL XMLAccessControlFactory(const DOMElement* const & e);
82 void SHIBSP_API shibsp::registerAccessControls()
84 SPConfig& conf=SPConfig::getConfig();
85 conf.AccessControlManager.registerFactory(CHAINING_ACCESS_CONTROL, ChainingAccessControlFactory);
86 conf.AccessControlManager.registerFactory(XML_ACCESS_CONTROL, XMLAccessControlFactory);
87 conf.AccessControlManager.registerFactory("edu.internet2.middleware.shibboleth.sp.provider.XMLAccessControl", XMLAccessControlFactory);
90 AccessControl::AccessControl()
94 AccessControl::~AccessControl()
98 ChainingAccessControl::ChainingAccessControl(const DOMElement* e)
100 const XMLCh* op = e ? e->getAttributeNS(nullptr, _operator) : nullptr;
101 if (XMLString::equals(op, AND))
103 else if (XMLString::equals(op, OR))
106 throw ConfigurationException("Missing or unrecognized operator in Chaining AccessControl configuration.");
108 e = XMLHelper::getFirstChildElement(e, _AccessControl);
110 string t(XMLHelper::getAttrString(e, nullptr, _type));
112 Category::getInstance(SHIBSP_LOGCAT".AccessControl.Chaining").info("building AccessControl provider of type (%s)...", t.c_str());
113 auto_ptr<AccessControl> np(SPConfig::getConfig().AccessControlManager.newPlugin(t.c_str(), e));
114 m_ac.push_back(np.get());
117 e = XMLHelper::getNextSiblingElement(e, _AccessControl);
120 throw ConfigurationException("Chaining AccessControl plugin requires at least one child plugin.");
123 AccessControl::aclresult_t ChainingAccessControl::authorized(const SPRequest& request, const Session* session) const
128 for (ptr_vector<AccessControl>::const_iterator i = m_ac.begin(); i != m_ac.end(); ++i) {
129 if (i->authorized(request, session) != shib_acl_true) {
130 request.log(SPRequest::SPDebug, "embedded AccessControl plugin unsuccessful, denying access");
131 return shib_acl_false;
134 return shib_acl_true;
139 for (ptr_vector<AccessControl>::const_iterator i = m_ac.begin(); i != m_ac.end(); ++i) {
140 if (i->authorized(request,session) == shib_acl_true)
141 return shib_acl_true;
143 request.log(SPRequest::SPDebug, "all embedded AccessControl plugins unsuccessful, denying access");
144 return shib_acl_false;
147 request.log(SPRequest::SPWarn, "unknown operation in access control policy, denying access");
148 return shib_acl_false;