2 * Licensed to the University Corporation for Advanced Internet
3 * Development, Inc. (UCAID) under one or more contributor license
4 * agreements. See the NOTICE file distributed with this work for
5 * additional information regarding copyright ownership.
7 * UCAID licenses this file to you under the Apache License,
8 * Version 2.0 (the "License"); you may not use this file except
9 * in compliance with the License. You may obtain a copy of the
12 * http://www.apache.org/licenses/LICENSE-2.0
14 * Unless required by applicable law or agreed to in writing,
15 * software distributed under the License is distributed on an
16 * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND,
17 * either express or implied. See the License for the specific
18 * language governing permissions and limitations under the License.
22 * AssertionsSchemaValidators.cpp
24 * Schema-based validators for SAML 1.x Assertions classes.
28 #include "exceptions.h"
29 #include "saml1/core/Assertions.h"
31 #include <xmltooling/validation/Validator.h>
32 #include <xmltooling/validation/ValidatorSuite.h>
34 using namespace opensaml::saml1;
35 using namespace opensaml;
36 using namespace xmltooling;
38 using samlconstants::SAML1_NS;
// Element types with no structural rules of their own in this file. Whatever
// checks XMLOBJECTVALIDATOR_SIMPLE itself performs (presumably defined in
// xmltooling/validation/ValidatorSuite.h, included above) are the only
// validation these classes receive.
XMLOBJECTVALIDATOR_SIMPLE(SAML_DLLLOCAL,Action);
XMLOBJECTVALIDATOR_SIMPLE(SAML_DLLLOCAL,AssertionIDReference);
XMLOBJECTVALIDATOR_SIMPLE(SAML_DLLLOCAL,Audience);
XMLOBJECTVALIDATOR_SIMPLE(SAML_DLLLOCAL,ConfirmationMethod);
XMLOBJECTVALIDATOR_SIMPLE(SAML_DLLLOCAL,NameIdentifier);
// AudienceRestrictionCondition: at least one Audience child is required.
// The NONEMPTY macro is expected to throw ValidationException when the
// Audience collection is empty (macro body not visible here).
BEGIN_XMLOBJECTVALIDATOR(SAML_DLLLOCAL,AudienceRestrictionCondition);
    XMLOBJECTVALIDATOR_NONEMPTY(AudienceRestrictionCondition,Audience);
END_XMLOBJECTVALIDATOR;
// Conditions: two mutually exclusive shapes are checked.
//  - With child conditions present, at most one DoNotCacheCondition may appear.
//  - With no children at all, at least one of the NotBefore / NotOnOrAfter
//    validity-window attributes must be set (ONEOF macro; presumably throws
//    ValidationException when both are absent).
BEGIN_XMLOBJECTVALIDATOR(SAML_DLLLOCAL,Conditions);
    if (ptr->hasChildren()) {
        // Duplicate cache-control conditions are rejected outright.
        if (ptr->getDoNotCacheConditions().size() > 1)
            throw ValidationException("Multiple DoNotCacheCondition elements are not permitted.");
    }
    else {
        XMLOBJECTVALIDATOR_ONEOF(Conditions,NotBefore,NotOnOrAfter);
    }
END_XMLOBJECTVALIDATOR;
// SubjectConfirmation: at least one ConfirmationMethod child is required;
// a confirmation that names no method cannot be acted on by a relying party.
BEGIN_XMLOBJECTVALIDATOR(SAML_DLLLOCAL,SubjectConfirmation);
    XMLOBJECTVALIDATOR_NONEMPTY(SubjectConfirmation,ConfirmationMethod);
END_XMLOBJECTVALIDATOR;
// Subject: must carry a NameIdentifier, a SubjectConfirmation, or both.
// The ONEOF macro is expected to throw ValidationException when neither
// getter yields a child (macro body not visible here).
BEGIN_XMLOBJECTVALIDATOR(SAML_DLLLOCAL,Subject);
    XMLOBJECTVALIDATOR_ONEOF(Subject,NameIdentifier,SubjectConfirmation);
END_XMLOBJECTVALIDATOR;
// SubjectLocality: at least one of the IPAddress / DNSAddress attributes must
// be present; an empty locality element conveys nothing.
BEGIN_XMLOBJECTVALIDATOR(SAML_DLLLOCAL,SubjectLocality);
    XMLOBJECTVALIDATOR_ONEOF(SubjectLocality,IPAddress,DNSAddress);
END_XMLOBJECTVALIDATOR;
// AuthorityBinding: AuthorityKind, Location and Binding are all mandatory.
// The REQUIRE macro is expected to throw ValidationException for the first
// missing one, so the order here determines which message a caller sees.
BEGIN_XMLOBJECTVALIDATOR(SAML_DLLLOCAL,AuthorityBinding);
    XMLOBJECTVALIDATOR_REQUIRE(AuthorityBinding,AuthorityKind);
    XMLOBJECTVALIDATOR_REQUIRE(AuthorityBinding,Location);
    XMLOBJECTVALIDATOR_REQUIRE(AuthorityBinding,Binding);
END_XMLOBJECTVALIDATOR;
// AuthenticationStatement: the method and instant attributes and the Subject
// child are mandatory. Without all three the statement cannot say who was
// authenticated, how, or when, so it is rejected before any consumer sees it.
BEGIN_XMLOBJECTVALIDATOR(SAML_DLLLOCAL,AuthenticationStatement);
    XMLOBJECTVALIDATOR_REQUIRE(AuthenticationStatement,AuthenticationMethod);
    XMLOBJECTVALIDATOR_REQUIRE(AuthenticationStatement,AuthenticationInstant);
    XMLOBJECTVALIDATOR_REQUIRE(AuthenticationStatement,Subject);
END_XMLOBJECTVALIDATOR;
// Evidence: the element is only meaningful as a container, so an Evidence
// element with no child elements at all is rejected. Nothing further is
// checked about what kind of children are present.
BEGIN_XMLOBJECTVALIDATOR(SAML_DLLLOCAL,Evidence);
    if (!ptr->hasChildren())
        throw ValidationException("Evidence must have at least one child element.");
END_XMLOBJECTVALIDATOR;
// AuthorizationDecisionStatement: Resource and Decision attributes are required,
// Decision must be exactly one of the three enumerated values, a Subject child
// is required, and at least one Action child must be present. Checks run in this
// order, so the first failing rule determines the exception message.
BEGIN_XMLOBJECTVALIDATOR(SAML_DLLLOCAL,AuthorizationDecisionStatement);
    XMLOBJECTVALIDATOR_REQUIRE(AuthorizationDecisionStatement,Resource);
    XMLOBJECTVALIDATOR_REQUIRE(AuthorizationDecisionStatement,Decision);
    // Any spelling outside the closed enumeration is rejected rather than being
    // left for a policy layer to interpret.
    const XMLCh* decision = ptr->getDecision();
    const bool knownDecision =
        XMLString::equals(decision,AuthorizationDecisionStatement::DECISION_PERMIT) ||
        XMLString::equals(decision,AuthorizationDecisionStatement::DECISION_DENY) ||
        XMLString::equals(decision,AuthorizationDecisionStatement::DECISION_INDETERMINATE);
    if (!knownDecision)
        throw ValidationException("Decision must be one of Deny, Permit, or Indeterminate.");
    XMLOBJECTVALIDATOR_REQUIRE(AuthorizationDecisionStatement,Subject);
    XMLOBJECTVALIDATOR_NONEMPTY(AuthorizationDecisionStatement,Action);
END_XMLOBJECTVALIDATOR;
// AttributeDesignator: both AttributeName and AttributeNamespace are required;
// together they identify the attribute being designated.
BEGIN_XMLOBJECTVALIDATOR(SAML_DLLLOCAL,AttributeDesignator);
    XMLOBJECTVALIDATOR_REQUIRE(AttributeDesignator,AttributeName);
    XMLOBJECTVALIDATOR_REQUIRE(AttributeDesignator,AttributeNamespace);
END_XMLOBJECTVALIDATOR;
// Attribute: same identifying attributes as AttributeDesignator, plus at least
// one AttributeValue child. The value content itself is not inspected here;
// AttributeValue is registered without a validator further down.
BEGIN_XMLOBJECTVALIDATOR(SAML_DLLLOCAL,Attribute);
    XMLOBJECTVALIDATOR_REQUIRE(Attribute,AttributeName);
    XMLOBJECTVALIDATOR_REQUIRE(Attribute,AttributeNamespace);
    XMLOBJECTVALIDATOR_NONEMPTY(Attribute,AttributeValue);
END_XMLOBJECTVALIDATOR;
// AttributeStatement: at least one Attribute child is required.
BEGIN_XMLOBJECTVALIDATOR(SAML_DLLLOCAL,AttributeStatement);
    XMLOBJECTVALIDATOR_NONEMPTY(AttributeStatement,Attribute);
END_XMLOBJECTVALIDATOR;
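// Assertion: the root element must be identifiable (AssertionID, Issuer,
// IssueInstant), must carry at least one statement of some kind, and must
// declare a MinorVersion. A MinorVersion of 0 (SAML 1.0) is additionally not
// allowed to carry DoNotCacheCondition elements, which 1.0 does not define.
//
// Fix: the "must have MinorVersion" throw was unguarded and would fire for
// every assertion; it now fires only when getMinorVersion() reports the
// attribute as absent.
BEGIN_XMLOBJECTVALIDATOR(SAML_DLLLOCAL,Assertion);
    XMLOBJECTVALIDATOR_REQUIRE(Assertion,AssertionID);
    XMLOBJECTVALIDATOR_REQUIRE(Assertion,Issuer);
    XMLOBJECTVALIDATOR_REQUIRE(Assertion,IssueInstant);
    // An assertion that asserts nothing is rejected: every statement
    // collection, including the generic/extension ones, is empty.
    if (ptr->getAuthenticationStatements().empty() &&
        ptr->getAttributeStatements().empty() &&
        ptr->getAuthorizationDecisionStatements().empty() &&
        ptr->getSubjectStatements().empty() &&
        ptr->getStatements().empty())
        throw ValidationException("Assertion must have at least one statement.");
    // getMinorVersion() yields (present, value); the version test below is
    // only meaningful once presence has been established.
    const pair<bool,int> minor=ptr->getMinorVersion();
    if (!minor.first)
        throw ValidationException("Assertion must have MinorVersion");
    if (minor.second==0 && ptr->getConditions() && !ptr->getConditions()->getDoNotCacheConditions().empty())
        throw ValidationException("SAML 1.0 assertions cannot contain DoNotCacheCondition elements.");
END_XMLOBJECTVALIDATOR;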
// Functor applied to each wildcard ("any") child of an Advice element.
// An extension child is only acceptable when it is namespace-qualified and
// that namespace is not the SAML 1 namespace: an unqualified child, or one
// that claims the SAML namespace, is not extension content and is rejected
// so it cannot slip past the schema validators registered for real SAML
// elements. Throws ValidationException naming the offending element.
struct SAML_DLLLOCAL checkWildcardNS {
    void operator()(const XMLObject* xmlObject) const {
        const xmltooling::QName& elementName = xmlObject->getElementQName();
        const XMLCh* ns = elementName.getNamespaceURI();
        const bool unqualified = (!ns || !*ns);
        if (unqualified || XMLString::equals(ns,SAML1_NS)) {
            throw ValidationException(
                "Object contains an illegal extension child element ($1).",
                params(1,elementName.toString().c_str())
                );
        }
    }
};
// Advice: every unknown (wildcard) child is run through checkWildcardNS, which
// throws ValidationException for the first child that is unqualified or lives
// in the SAML 1 namespace. Known SAML children are not examined here.
BEGIN_XMLOBJECTVALIDATOR(SAML_DLLLOCAL,Advice);
    checkWildcardNS rejectNonExtension;
    const vector<XMLObject*>& extensions=ptr->getUnknownXMLObjects();
    for (vector<XMLObject*>::const_iterator child=extensions.begin(); child!=extensions.end(); ++child)
        rejectNonExtension(*child);
END_XMLOBJECTVALIDATOR;
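// Registration helpers used by registerAssertionClasses(). Each expects a
// xmltooling::QName named `q` to be declared at the expansion site. The
// REGISTER_ELEMENT / REGISTER_TYPE forms register both a builder and the
// matching *SchemaValidator for the element's LOCAL_NAME / schema TYPE_NAME in
// the SAML 1 namespace; the *_NOVAL forms register only a builder, so objects
// of those types are constructed but receive no schema validation from this
// file. The registries receive freshly allocated builders/validators;
// ownership is assumed to pass to them (confirm against XMLObjectBuilder and
// the SchemaValidators suite).
//
// Fix: none of the macros now ends in a semicolon. Every use in this file is
// already written as `REGISTER_*(X);`, and the previous trailing `;` inside
// the *_NOVAL variants made those uses expand to a stray empty statement.
#define REGISTER_ELEMENT(cname) \
    q=xmltooling::QName(SAML1_NS,cname::LOCAL_NAME); \
    XMLObjectBuilder::registerBuilder(q,new cname##Builder()); \
    SchemaValidators.registerValidator(q,new cname##SchemaValidator())

#define REGISTER_TYPE(cname) \
    q=xmltooling::QName(SAML1_NS,cname::TYPE_NAME); \
    XMLObjectBuilder::registerBuilder(q,new cname##Builder()); \
    SchemaValidators.registerValidator(q,new cname##SchemaValidator())

#define REGISTER_ELEMENT_NOVAL(cname) \
    q=xmltooling::QName(SAML1_NS,cname::LOCAL_NAME); \
    XMLObjectBuilder::registerBuilder(q,new cname##Builder())

#define REGISTER_TYPE_NOVAL(cname) \
    q=xmltooling::QName(SAML1_NS,cname::TYPE_NAME); \
    XMLObjectBuilder::registerBuilder(q,new cname##Builder())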
173 void opensaml::saml1::registerAssertionClasses() {
175 REGISTER_ELEMENT(Action);
176 REGISTER_ELEMENT(Advice);
177 REGISTER_ELEMENT(Assertion);
178 REGISTER_ELEMENT(AssertionIDReference);
179 REGISTER_ELEMENT(Attribute);
180 REGISTER_ELEMENT(AttributeDesignator);
181 REGISTER_ELEMENT(AttributeStatement);
182 REGISTER_ELEMENT_NOVAL(AttributeValue);
183 REGISTER_ELEMENT(Audience);
184 REGISTER_ELEMENT(AudienceRestrictionCondition);
185 REGISTER_ELEMENT(AuthenticationStatement);
186 REGISTER_ELEMENT(AuthorityBinding);
187 REGISTER_ELEMENT(AuthorizationDecisionStatement);
188 REGISTER_ELEMENT_NOVAL(Condition);
189 REGISTER_ELEMENT(Conditions);
190 REGISTER_ELEMENT(ConfirmationMethod);
191 REGISTER_ELEMENT_NOVAL(DoNotCacheCondition);
192 REGISTER_ELEMENT(Evidence);
193 REGISTER_ELEMENT(NameIdentifier);
194 REGISTER_ELEMENT_NOVAL(Statement);
195 REGISTER_ELEMENT(Subject);
196 REGISTER_ELEMENT(SubjectConfirmation);
197 REGISTER_ELEMENT_NOVAL(SubjectConfirmationData);
198 REGISTER_ELEMENT(SubjectLocality);
199 REGISTER_TYPE(Action);
200 REGISTER_TYPE(Advice);
201 REGISTER_TYPE(Assertion);
202 REGISTER_TYPE(Attribute);
203 REGISTER_TYPE(AttributeDesignator);
204 REGISTER_TYPE(AttributeStatement);
205 REGISTER_TYPE(AudienceRestrictionCondition);
206 REGISTER_TYPE(AuthenticationStatement);
207 REGISTER_TYPE(AuthorityBinding);
208 REGISTER_TYPE(AuthorizationDecisionStatement);
209 REGISTER_TYPE(Conditions);
210 REGISTER_TYPE_NOVAL(DoNotCacheCondition);
211 REGISTER_TYPE(Evidence);
212 REGISTER_TYPE(NameIdentifier);
213 REGISTER_TYPE(Subject);
214 REGISTER_TYPE(SubjectConfirmation);
215 REGISTER_TYPE(SubjectLocality);