2 * Licensed to the University Corporation for Advanced Internet
3 * Development, Inc. (UCAID) under one or more contributor license
4 * agreements. See the NOTICE file distributed with this work for
5 * additional information regarding copyright ownership.
7 * UCAID licenses this file to you under the Apache License,
8 * Version 2.0 (the "License"); you may not use this file except
9 * in compliance with the License. You may obtain a copy of the
12 * http://www.apache.org/licenses/LICENSE-2.0
14 * Unless required by applicable law or agreed to in writing,
15 * software distributed under the License is distributed on an
16 * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND,
17 * either express or implied. See the License for the specific
18 * language governing permissions and limitations under the License.
22 * AudienceRestrictionRule.cpp
24 * SAML AudienceRestriction SecurityPolicyRule
28 #include "exceptions.h"
29 #include "binding/SecurityPolicy.h"
30 #include "binding/SecurityPolicyRule.h"
31 #include "saml1/core/Assertions.h"
32 #include "saml2/core/Assertions.h"
34 #include <boost/bind.hpp>
35 #include <xmltooling/logging.h>
37 using namespace opensaml;
38 using namespace xmltooling::logging;
39 using namespace xmltooling;
40 using namespace boost;
44 class SAML_DLLLOCAL AudienceRestrictionRule : public SecurityPolicyRule
47 AudienceRestrictionRule(const DOMElement* e);
49 virtual ~AudienceRestrictionRule() {
51 const char* getType() const {
52 return AUDIENCE_POLICY_RULE;
54 bool evaluate(const XMLObject& message, const GenericRequest* request, SecurityPolicy& policy) const;
57 vector<const XMLCh*> m_audiences;
60 SecurityPolicyRule* SAML_DLLLOCAL AudienceRestrictionRuleFactory(const DOMElement* const & e)
62 return new AudienceRestrictionRule(e);
66 AudienceRestrictionRule::AudienceRestrictionRule(const DOMElement* e)
68 e = e ? XMLHelper::getFirstChildElement(e, saml2::Audience::LOCAL_NAME) : nullptr;
70 if (e->hasChildNodes())
71 m_audiences.push_back(e->getFirstChild()->getNodeValue());
72 e = XMLHelper::getNextSiblingElement(e, saml2::Audience::LOCAL_NAME);
76 bool AudienceRestrictionRule::evaluate(const XMLObject& message, const GenericRequest* request, SecurityPolicy& policy) const
78 static bool (*equals_fn)(const XMLCh*, const XMLCh*) = &XMLString::equals;
80 const saml2::AudienceRestriction* ac2=dynamic_cast<const saml2::AudienceRestriction*>(&message);
82 const vector<saml2::Audience*>& auds2 = ac2->getAudiences();
83 for (vector<saml2::Audience*>::const_iterator a1 = auds2.begin(); a1 != auds2.end(); ++a1) {
84 const XMLCh* a1val = (*a1)->getAudienceURI();
86 vector<xstring>::const_iterator policyMatch = find_if(
87 policy.getAudiences().begin(), policy.getAudiences().end(),
88 boost::bind(equals_fn, a1val, boost::bind(&xstring::c_str, _1))
90 if (policyMatch != policy.getAudiences().end())
93 vector<const XMLCh*>::const_iterator ruleMatch = find_if(
94 m_audiences.begin(), m_audiences.end(),
95 boost::bind(equals_fn, a1val, _1)
97 if (ruleMatch != m_audiences.end())
103 Category::getInstance(SAML_LOGCAT".SecurityPolicyRule.AudienceRestriction").error(
104 "unacceptable AudienceRestriction in assertion (%s)", os.str().c_str()
106 throw SecurityPolicyException("Assertion contains an unacceptable AudienceRestriction.");
109 const saml1::AudienceRestrictionCondition* ac1=dynamic_cast<const saml1::AudienceRestrictionCondition*>(&message);
111 const vector<saml1::Audience*>& auds1 = ac1->getAudiences();
112 for (vector<saml1::Audience*>::const_iterator a1 = auds1.begin(); a1 != auds1.end(); ++a1) {
113 const XMLCh* a1val = (*a1)->getAudienceURI();
115 vector<xstring>::const_iterator policyMatch = find_if(
116 policy.getAudiences().begin(), policy.getAudiences().end(),
117 boost::bind(equals_fn, a1val, boost::bind(&xstring::c_str, _1))
119 if (policyMatch != policy.getAudiences().end())
122 vector<const XMLCh*>::const_iterator ruleMatch = find_if(
123 m_audiences.begin(), m_audiences.end(),
124 boost::bind(equals_fn, a1val, _1)
126 if (ruleMatch != m_audiences.end())
132 Category::getInstance(SAML_LOGCAT".SecurityPolicyRule.AudienceRestriction").error(
133 "unacceptable AudienceRestrictionCondition in assertion (%s)", os.str().c_str()
135 throw SecurityPolicyException("Assertion contains an unacceptable AudienceRestrictionCondition.");