--- /dev/null
+/*\r
+ * Copyright 2009 Internet2\r
+ *\r
+ * Licensed under the Apache License, Version 2.0 (the "License");\r
+ * you may not use this file except in compliance with the License.\r
+ * You may obtain a copy of the License at\r
+ *\r
+ * http://www.apache.org/licenses/LICENSE-2.0\r
+ *\r
+ * Unless required by applicable law or agreed to in writing, software\r
+ * distributed under the License is distributed on an "AS IS" BASIS,\r
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\r
+ * See the License for the specific language governing permissions and\r
+ * limitations under the License.\r
+ */\r
+\r
+/**\r
+ * ChainingAccessControl.cpp\r
+ *\r
+ * Access control plugin that combines other plugins.\r
+ */\r
+\r
+#include "internal.h"\r
+#include "exceptions.h"\r
+#include "AccessControl.h"\r
+#include "SessionCache.h"\r
+#include "SPRequest.h"\r
+\r
+#include <xmltooling/util/XMLHelper.h>\r
+#include <xercesc/util/XMLUniDefs.hpp>\r
+\r
+using namespace shibsp;\r
+using namespace xmltooling;\r
+using namespace std;\r
+\r
+namespace shibsp {\r
+\r
+ class ChainingAccessControl : public AccessControl\r
+ {\r
+ public:\r
+ ChainingAccessControl(const DOMElement* e);\r
+\r
+ ~ChainingAccessControl() {\r
+ for_each(m_ac.begin(), m_ac.end(), xmltooling::cleanup<AccessControl>());\r
+ }\r
+\r
+ Lockable* lock() {\r
+ for_each(m_ac.begin(), m_ac.end(), mem_fun<Lockable*,Lockable>(&Lockable::lock));\r
+ return this;\r
+ }\r
+ void unlock() {\r
+ for_each(m_ac.begin(), m_ac.end(), mem_fun<void,Lockable>(&Lockable::unlock));\r
+ }\r
+\r
+ aclresult_t authorized(const SPRequest& request, const Session* session) const;\r
+\r
+ private:\r
+ enum operator_t { OP_AND, OP_OR } m_op;\r
+ vector<AccessControl*> m_ac;\r
+ };\r
+\r
+ AccessControl* SHIBSP_DLLLOCAL ChainingAccessControlFactory(const DOMElement* const & e)\r
+ {\r
+ return new ChainingAccessControl(e);\r
+ }\r
+\r
+ static const XMLCh _AccessControl[] = UNICODE_LITERAL_13(A,c,c,e,s,s,C,o,n,t,r,o,l);\r
+ static const XMLCh _operator[] = UNICODE_LITERAL_8(o,p,e,r,a,t,o,r);\r
+ static const XMLCh _type[] = UNICODE_LITERAL_4(t,y,p,e);\r
+ static const XMLCh AND[] = UNICODE_LITERAL_3(A,N,D);\r
+ static const XMLCh OR[] = UNICODE_LITERAL_2(O,R);\r
+\r
+ extern AccessControl* SHIBSP_DLLLOCAL XMLAccessControlFactory(const DOMElement* const & e);\r
+}\r
+\r
+void SHIBSP_API shibsp::registerAccessControls()\r
+{\r
+ SPConfig& conf=SPConfig::getConfig();\r
+ conf.AccessControlManager.registerFactory(CHAINING_ACCESS_CONTROL, ChainingAccessControlFactory);\r
+ conf.AccessControlManager.registerFactory(XML_ACCESS_CONTROL, XMLAccessControlFactory);\r
+ conf.AccessControlManager.registerFactory("edu.internet2.middleware.shibboleth.sp.provider.XMLAccessControl", XMLAccessControlFactory);\r
+}\r
+\r
+ChainingAccessControl::ChainingAccessControl(const DOMElement* e)\r
+{\r
+ const XMLCh* op = e ? e->getAttributeNS(NULL, _operator) : NULL;\r
+ if (XMLString::equals(op, AND))\r
+ m_op=OP_AND;\r
+ else if (XMLString::equals(op, OR))\r
+ m_op=OP_OR;\r
+ else\r
+ throw ConfigurationException("Missing or unrecognized operator in Chaining AccessControl configuration.");\r
+\r
+ try {\r
+ e = e ? XMLHelper::getFirstChildElement(e, _AccessControl) : NULL;\r
+ while (e) {\r
+ auto_ptr_char type(e->getAttributeNS(NULL, _type));\r
+ if (type.get() && *type.get()) {\r
+ Category::getInstance(SHIBSP_LOGCAT".AccessControl.Chaining").info("building AccessControl provider of type (%s)...", type.get());\r
+ m_ac.push_back(SPConfig::getConfig().AccessControlManager.newPlugin(type.get(), e));\r
+ }\r
+ e = XMLHelper::getNextSiblingElement(e, _AccessControl);\r
+ }\r
+ }\r
+ catch (exception&) {\r
+ for_each(m_ac.begin(), m_ac.end(), xmltooling::cleanup<AccessControl>());\r
+ throw;\r
+ }\r
+ if (m_ac.empty())\r
+ throw ConfigurationException("Chaining AccessControl plugin requires at least one child plugin.");\r
+}\r
+\r
+AccessControl::aclresult_t ChainingAccessControl::authorized(const SPRequest& request, const Session* session) const\r
+{\r
+ switch (m_op) {\r
+ case OP_AND:\r
+ {\r
+ for (vector<AccessControl*>::const_iterator i=m_ac.begin(); i!=m_ac.end(); ++i) {\r
+ if ((*i)->authorized(request, session) != shib_acl_true)\r
+ return shib_acl_false;\r
+ }\r
+ return shib_acl_true;\r
+ }\r
+\r
+ case OP_OR:\r
+ {\r
+ for (vector<AccessControl*>::const_iterator i=m_ac.begin(); i!=m_ac.end(); ++i) {\r
+ if ((*i)->authorized(request,session) == shib_acl_true)\r
+ return shib_acl_true;\r
+ }\r
+ return shib_acl_false;\r
+ }\r
+ }\r
+ request.log(SPRequest::SPWarn, "unknown operation in access control policy, denying access");\r
+ return shib_acl_false;\r
+}\r