2 * Licensed to the University Corporation for Advanced Internet
3 * Development, Inc. (UCAID) under one or more contributor license
4 * agreements. See the NOTICE file distributed with this work for
5 * additional information regarding copyright ownership.
7 * UCAID licenses this file to you under the Apache License,
8 * Version 2.0 (the "License"); you may not use this file except
9 * in compliance with the License. You may obtain a copy of the
12 * http://www.apache.org/licenses/LICENSE-2.0
14 * Unless required by applicable law or agreed to in writing,
15 * software distributed under the License is distributed on an
16 * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND,
17 * either express or implied. See the License for the specific
18 * language governing permissions and limitations under the License.
22 * AudienceRestrictionRule.cpp
24 * SAML AudienceRestriction SecurityPolicyRule
28 #include "exceptions.h"
29 #include "binding/SecurityPolicy.h"
30 #include "binding/SecurityPolicyRule.h"
31 #include "saml1/core/Assertions.h"
32 #include "saml2/core/Assertions.h"
34 #include <xmltooling/logging.h>
36 using namespace opensaml;
37 using namespace xmltooling::logging;
38 using namespace xmltooling;
42 class SAML_DLLLOCAL AudienceRestrictionRule : public SecurityPolicyRule
45 AudienceRestrictionRule(const DOMElement* e);
47 virtual ~AudienceRestrictionRule() {
49 const char* getType() const {
50 return AUDIENCE_POLICY_RULE;
52 bool evaluate(const XMLObject& message, const GenericRequest* request, SecurityPolicy& policy) const;
55 vector<const XMLCh*> m_audiences;
58 SecurityPolicyRule* SAML_DLLLOCAL AudienceRestrictionRuleFactory(const DOMElement* const & e)
60 return new AudienceRestrictionRule(e);
64 AudienceRestrictionRule::AudienceRestrictionRule(const DOMElement* e)
66 e = e ? XMLHelper::getFirstChildElement(e, saml2::Audience::LOCAL_NAME) : nullptr;
68 if (e->hasChildNodes())
69 m_audiences.push_back(e->getFirstChild()->getNodeValue());
70 e = XMLHelper::getNextSiblingElement(e, saml2::Audience::LOCAL_NAME);
74 bool AudienceRestrictionRule::evaluate(const XMLObject& message, const GenericRequest* request, SecurityPolicy& policy) const
76 const saml2::AudienceRestriction* ac2=dynamic_cast<const saml2::AudienceRestriction*>(&message);
78 const vector<saml2::Audience*>& auds2 = ac2->getAudiences();
79 for (vector<saml2::Audience*>::const_iterator a1 = auds2.begin(); a1!=auds2.end(); ++a1) {
80 for (vector<xstring>::const_iterator a2 = policy.getAudiences().begin(); a2!=policy.getAudiences().end(); ++a2) {
81 if (XMLString::equals((*a1)->getAudienceURI(), a2->c_str()))
84 for (vector<const XMLCh*>::const_iterator a2 = m_audiences.begin(); a2!=m_audiences.end(); ++a2) {
85 if (XMLString::equals((*a1)->getAudienceURI(), *a2))
92 Category::getInstance(SAML_LOGCAT".SecurityPolicyRule.AudienceRestriction").error(
93 "unacceptable AudienceRestriction in assertion (%s)", os.str().c_str()
95 throw SecurityPolicyException("Assertion contains an unacceptable AudienceRestriction.");
98 const saml1::AudienceRestrictionCondition* ac1=dynamic_cast<const saml1::AudienceRestrictionCondition*>(&message);
100 const vector<saml1::Audience*>& auds1 = ac1->getAudiences();
101 for (vector<saml1::Audience*>::const_iterator a1 = auds1.begin(); a1!=auds1.end(); ++a1) {
102 for (vector<xstring>::const_iterator a2 = policy.getAudiences().begin(); a2!=policy.getAudiences().end(); ++a2) {
103 if (XMLString::equals((*a1)->getAudienceURI(), a2->c_str()))
106 for (vector<const XMLCh*>::const_iterator a2 = m_audiences.begin(); a2!=m_audiences.end(); ++a2) {
107 if (XMLString::equals((*a1)->getAudienceURI(), *a2))
114 Category::getInstance(SAML_LOGCAT".SecurityPolicyRule.AudienceRestriction").error(
115 "unacceptable AudienceRestrictionCondition in assertion (%s)", os.str().c_str()
117 throw SecurityPolicyException("Assertion contains an unacceptable AudienceRestrictionCondition.");