Imported Upstream version 2.2.1+dfsg

[shibboleth/sp.git] / shibsp / impl / ChainingAccessControl.cpp
diff --git a/shibsp/impl/ChainingAccessControl.cpp b/shibsp/impl/ChainingAccessControl.cpp

new file mode 100644 (file)

index 0000000..8b73906
--- /dev/null
+++ b/shibsp/impl/ChainingAccessControl.cpp
@@ -0,0 +1,136 @@
+/*\r
+ *  Copyright 2009 Internet2\r
+ *\r
+ * Licensed under the Apache License, Version 2.0 (the "License");\r
+ * you may not use this file except in compliance with the License.\r
+ * You may obtain a copy of the License at\r
+ *\r
+ *     http://www.apache.org/licenses/LICENSE-2.0\r
+ *\r
+ * Unless required by applicable law or agreed to in writing, software\r
+ * distributed under the License is distributed on an "AS IS" BASIS,\r
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\r
+ * See the License for the specific language governing permissions and\r
+ * limitations under the License.\r
+ */\r
+\r
+/**\r
+ * ChainingAccessControl.cpp\r
+ *\r
+ * Access control plugin that combines other plugins.\r
+ */\r
+\r
+#include "internal.h"\r
+#include "exceptions.h"\r
+#include "AccessControl.h"\r
+#include "SessionCache.h"\r
+#include "SPRequest.h"\r
+\r
+#include <xmltooling/util/XMLHelper.h>\r
+#include <xercesc/util/XMLUniDefs.hpp>\r
+\r
+using namespace shibsp;\r
+using namespace xmltooling;\r
+using namespace std;\r
+\r
+namespace shibsp {\r
+\r
+    class ChainingAccessControl : public AccessControl\r
+    {\r
+    public:\r
+        ChainingAccessControl(const DOMElement* e);\r
+\r
+        ~ChainingAccessControl() {\r
+            for_each(m_ac.begin(), m_ac.end(), xmltooling::cleanup<AccessControl>());\r
+        }\r
+\r
+        Lockable* lock() {\r
+            for_each(m_ac.begin(), m_ac.end(), mem_fun<Lockable*,Lockable>(&Lockable::lock));\r
+            return this;\r
+        }\r
+        void unlock() {\r
+            for_each(m_ac.begin(), m_ac.end(), mem_fun<void,Lockable>(&Lockable::unlock));\r
+        }\r
+\r
+        aclresult_t authorized(const SPRequest& request, const Session* session) const;\r
+\r
+    private:\r
+        enum operator_t { OP_AND, OP_OR } m_op;\r
+        vector<AccessControl*> m_ac;\r
+    };\r
+\r
+    AccessControl* SHIBSP_DLLLOCAL ChainingAccessControlFactory(const DOMElement* const & e)\r
+    {\r
+        return new ChainingAccessControl(e);\r
+    }\r
+\r
+    static const XMLCh _AccessControl[] =   UNICODE_LITERAL_13(A,c,c,e,s,s,C,o,n,t,r,o,l);\r
+    static const XMLCh _operator[] =        UNICODE_LITERAL_8(o,p,e,r,a,t,o,r);\r
+    static const XMLCh _type[] =            UNICODE_LITERAL_4(t,y,p,e);\r
+    static const XMLCh AND[] =              UNICODE_LITERAL_3(A,N,D);\r
+    static const XMLCh OR[] =               UNICODE_LITERAL_2(O,R);\r
+\r
+    extern AccessControl* SHIBSP_DLLLOCAL XMLAccessControlFactory(const DOMElement* const & e);\r
+}\r
+\r
+void SHIBSP_API shibsp::registerAccessControls()\r
+{\r
+    SPConfig& conf=SPConfig::getConfig();\r
+    conf.AccessControlManager.registerFactory(CHAINING_ACCESS_CONTROL, ChainingAccessControlFactory);\r
+    conf.AccessControlManager.registerFactory(XML_ACCESS_CONTROL, XMLAccessControlFactory);\r
+    conf.AccessControlManager.registerFactory("edu.internet2.middleware.shibboleth.sp.provider.XMLAccessControl", XMLAccessControlFactory);\r
+}\r
+\r
+ChainingAccessControl::ChainingAccessControl(const DOMElement* e)\r
+{\r
+    const XMLCh* op = e ? e->getAttributeNS(NULL, _operator) : NULL;\r
+    if (XMLString::equals(op, AND))\r
+        m_op=OP_AND;\r
+    else if (XMLString::equals(op, OR))\r
+        m_op=OP_OR;\r
+    else\r
+        throw ConfigurationException("Missing or unrecognized operator in Chaining AccessControl configuration.");\r
+\r
+    try {\r
+        e = e ? XMLHelper::getFirstChildElement(e, _AccessControl) : NULL;\r
+        while (e) {\r
+            auto_ptr_char type(e->getAttributeNS(NULL, _type));\r
+            if (type.get() && *type.get()) {\r
+                Category::getInstance(SHIBSP_LOGCAT".AccessControl.Chaining").info("building AccessControl provider of type (%s)...", type.get());\r
+                m_ac.push_back(SPConfig::getConfig().AccessControlManager.newPlugin(type.get(), e));\r
+            }\r
+            e = XMLHelper::getNextSiblingElement(e, _AccessControl);\r
+        }\r
+    }\r
+    catch (exception&) {\r
+        for_each(m_ac.begin(), m_ac.end(), xmltooling::cleanup<AccessControl>());\r
+        throw;\r
+    }\r
+    if (m_ac.empty())\r
+        throw ConfigurationException("Chaining AccessControl plugin requires at least one child plugin.");\r
+}\r
+\r
+AccessControl::aclresult_t ChainingAccessControl::authorized(const SPRequest& request, const Session* session) const\r
+{\r
+    switch (m_op) {\r
+        case OP_AND:\r
+        {\r
+            for (vector<AccessControl*>::const_iterator i=m_ac.begin(); i!=m_ac.end(); ++i) {\r
+                if ((*i)->authorized(request, session) != shib_acl_true)\r
+                    return shib_acl_false;\r
+            }\r
+            return shib_acl_true;\r
+        }\r
+\r
+        case OP_OR:\r
+        {\r
+            for (vector<AccessControl*>::const_iterator i=m_ac.begin(); i!=m_ac.end(); ++i) {\r
+                if ((*i)->authorized(request,session) == shib_acl_true)\r
+                    return shib_acl_true;\r
+            }\r
+            return shib_acl_false;\r
+        }\r
+    }\r
+    request.log(SPRequest::SPWarn, "unknown operation in access control policy, denying access");\r
+    return shib_acl_false;\r
+}\r