Change license header, remove stale pkg files.
1 /**
2  * Licensed to the University Corporation for Advanced Internet
3  * Development, Inc. (UCAID) under one or more contributor license
4  * agreements. See the NOTICE file distributed with this work for
5  * additional information regarding copyright ownership.
6  *
7  * UCAID licenses this file to you under the Apache License,
8  * Version 2.0 (the "License"); you may not use this file except
9  * in compliance with the License. You may obtain a copy of the
10  * License at
11  *
12  * http://www.apache.org/licenses/LICENSE-2.0
13  *
14  * Unless required by applicable law or agreed to in writing,
15  * software distributed under the License is distributed on an
16  * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND,
17  * either express or implied. See the License for the specific
18  * language governing permissions and limitations under the License.
19  */
20
21 /**
22  * AssertionsSchemaValidators.cpp
23  *
24  * Schema-based validators for SAML 1.x Assertions classes.
25  */
26
27 #include "internal.h"
28 #include "exceptions.h"
29 #include "saml1/core/Assertions.h"
30
31 #include <xmltooling/validation/Validator.h>
32 #include <xmltooling/validation/ValidatorSuite.h>
33
34 using namespace opensaml::saml1;
35 using namespace opensaml;
36 using namespace xmltooling;
37 using namespace std;
38 using samlconstants::SAML1_NS;
39
namespace opensaml {
    namespace saml1 {

        // Schema validators for the SAML 1.x assertion classes. Each
        // BEGIN_XMLOBJECTVALIDATOR/END_XMLOBJECTVALIDATOR pair defines a
        // <cname>SchemaValidator; inside the body `ptr` is the typed object
        // under validation (it is supplied by the macro, as its uses below show).
        // A violation is reported by throwing ValidationException.
        //
        // Scope: these are structural checks on an already-parsed object.
        // Nothing in this file verifies a signature, evaluates
        // NotBefore/NotOnOrAfter against the clock, or matches Audience values;
        // a passing validator only means the object is well-formed per the rules
        // below.

        // Validators with no element-specific checks beyond what
        // XMLOBJECTVALIDATOR_SIMPLE itself performs (presumably the type check).
        XMLOBJECTVALIDATOR_SIMPLE(SAML_DLLLOCAL,Action);
        XMLOBJECTVALIDATOR_SIMPLE(SAML_DLLLOCAL,AssertionIDReference);
        XMLOBJECTVALIDATOR_SIMPLE(SAML_DLLLOCAL,Audience);
        XMLOBJECTVALIDATOR_SIMPLE(SAML_DLLLOCAL,ConfirmationMethod);
        XMLOBJECTVALIDATOR_SIMPLE(SAML_DLLLOCAL,NameIdentifier);

        // AudienceRestrictionCondition: at least one Audience child.
        BEGIN_XMLOBJECTVALIDATOR(SAML_DLLLOCAL,AudienceRestrictionCondition);
            XMLOBJECTVALIDATOR_NONEMPTY(AudienceRestrictionCondition,Audience);
        END_XMLOBJECTVALIDATOR;

        // Conditions: with no child elements, at least one of NotBefore /
        // NotOnOrAfter must be present; with children, more than one
        // DoNotCacheCondition is rejected. The attribute values themselves are
        // not evaluated here.
        BEGIN_XMLOBJECTVALIDATOR(SAML_DLLLOCAL,Conditions);
            if (!ptr->hasChildren()) {
                XMLOBJECTVALIDATOR_ONEOF(Conditions,NotBefore,NotOnOrAfter);
            }
            else if (ptr->getDoNotCacheConditions().size() > 1) {
                throw ValidationException("Multiple DoNotCacheCondition elements are not permitted.");
            }
        END_XMLOBJECTVALIDATOR;

        // SubjectConfirmation: at least one ConfirmationMethod child.
        BEGIN_XMLOBJECTVALIDATOR(SAML_DLLLOCAL,SubjectConfirmation);
            XMLOBJECTVALIDATOR_NONEMPTY(SubjectConfirmation,ConfirmationMethod);
        END_XMLOBJECTVALIDATOR;

        // Subject: a NameIdentifier or a SubjectConfirmation (or both).
        BEGIN_XMLOBJECTVALIDATOR(SAML_DLLLOCAL,Subject);
            XMLOBJECTVALIDATOR_ONEOF(Subject,NameIdentifier,SubjectConfirmation);
        END_XMLOBJECTVALIDATOR;

        // SubjectLocality: an IPAddress or a DNSAddress (or both).
        BEGIN_XMLOBJECTVALIDATOR(SAML_DLLLOCAL,SubjectLocality);
            XMLOBJECTVALIDATOR_ONEOF(SubjectLocality,IPAddress,DNSAddress);
        END_XMLOBJECTVALIDATOR;

        // AuthorityBinding: AuthorityKind, Location and Binding are all required.
        BEGIN_XMLOBJECTVALIDATOR(SAML_DLLLOCAL,AuthorityBinding);
            XMLOBJECTVALIDATOR_REQUIRE(AuthorityBinding,AuthorityKind);
            XMLOBJECTVALIDATOR_REQUIRE(AuthorityBinding,Location);
            XMLOBJECTVALIDATOR_REQUIRE(AuthorityBinding,Binding);
        END_XMLOBJECTVALIDATOR;

        // AuthenticationStatement: method, instant and Subject are all required.
        BEGIN_XMLOBJECTVALIDATOR(SAML_DLLLOCAL,AuthenticationStatement);
            XMLOBJECTVALIDATOR_REQUIRE(AuthenticationStatement,AuthenticationMethod);
            XMLOBJECTVALIDATOR_REQUIRE(AuthenticationStatement,AuthenticationInstant);
            XMLOBJECTVALIDATOR_REQUIRE(AuthenticationStatement,Subject);
        END_XMLOBJECTVALIDATOR;

        // Evidence: an empty Evidence element is rejected.
        BEGIN_XMLOBJECTVALIDATOR(SAML_DLLLOCAL,Evidence);
            if (!ptr->hasChildren())
                throw ValidationException("Evidence must have at least one child element.");
        END_XMLOBJECTVALIDATOR;

        // AuthorizationDecisionStatement: Resource, Decision and Subject are
        // required and at least one Action child must be present.
        BEGIN_XMLOBJECTVALIDATOR(SAML_DLLLOCAL,AuthorizationDecisionStatement);
            XMLOBJECTVALIDATOR_REQUIRE(AuthorizationDecisionStatement,Resource);
            XMLOBJECTVALIDATOR_REQUIRE(AuthorizationDecisionStatement,Decision);
            // Allow-list check on Decision: anything other than Permit, Deny or
            // Indeterminate fails validation (fails closed). getDecision() is
            // known non-null here because of the REQUIRE above.
            if (!XMLString::equals(ptr->getDecision(),AuthorizationDecisionStatement::DECISION_PERMIT) &&
                !XMLString::equals(ptr->getDecision(),AuthorizationDecisionStatement::DECISION_DENY) &&
                !XMLString::equals(ptr->getDecision(),AuthorizationDecisionStatement::DECISION_INDETERMINATE))
                throw ValidationException("Decision must be one of Deny, Permit, or Indeterminate.");
            XMLOBJECTVALIDATOR_REQUIRE(AuthorizationDecisionStatement,Subject);
            XMLOBJECTVALIDATOR_NONEMPTY(AuthorizationDecisionStatement,Action);
        END_XMLOBJECTVALIDATOR;

        // AttributeDesignator: AttributeName and AttributeNamespace are required.
        BEGIN_XMLOBJECTVALIDATOR(SAML_DLLLOCAL,AttributeDesignator);
            XMLOBJECTVALIDATOR_REQUIRE(AttributeDesignator,AttributeName);
            XMLOBJECTVALIDATOR_REQUIRE(AttributeDesignator,AttributeNamespace);
        END_XMLOBJECTVALIDATOR;

        // Attribute: same as AttributeDesignator plus at least one AttributeValue.
        BEGIN_XMLOBJECTVALIDATOR(SAML_DLLLOCAL,Attribute);
            XMLOBJECTVALIDATOR_REQUIRE(Attribute,AttributeName);
            XMLOBJECTVALIDATOR_REQUIRE(Attribute,AttributeNamespace);
            XMLOBJECTVALIDATOR_NONEMPTY(Attribute,AttributeValue);
        END_XMLOBJECTVALIDATOR;

        // AttributeStatement: at least one Attribute child.
        BEGIN_XMLOBJECTVALIDATOR(SAML_DLLLOCAL,AttributeStatement);
            XMLOBJECTVALIDATOR_NONEMPTY(AttributeStatement,Attribute);
        END_XMLOBJECTVALIDATOR;

        // Assertion: identifier, issuer and issue instant are required, at
        // least one statement of some kind must be present, MinorVersion must
        // be set, and a MinorVersion-0 assertion may not carry
        // DoNotCacheCondition.
        // NOTE(review): MajorVersion is not checked by this validator; confirm
        // it is enforced elsewhere.
        BEGIN_XMLOBJECTVALIDATOR(SAML_DLLLOCAL,Assertion);
            XMLOBJECTVALIDATOR_REQUIRE(Assertion,AssertionID);
            XMLOBJECTVALIDATOR_REQUIRE(Assertion,Issuer);
            XMLOBJECTVALIDATOR_REQUIRE(Assertion,IssueInstant);
            // Every statement collection is consulted, including the generic
            // SubjectStatement and Statement lists.
            if (ptr->getAuthenticationStatements().empty() &&
                ptr->getAttributeStatements().empty() &&
                ptr->getAuthorizationDecisionStatements().empty() &&
                ptr->getSubjectStatements().empty() &&
                ptr->getStatements().empty())
                throw ValidationException("Assertion must have at least one statement.");
            // minor.first is false when the attribute is absent.
            pair<bool,int> minor=ptr->getMinorVersion();
            if (!minor.first)
                throw ValidationException("Assertion must have MinorVersion");
            // getConditions() may be null, hence the null test before the
            // dereference.
            if (minor.second==0 && ptr->getConditions() && !ptr->getConditions()->getDoNotCacheConditions().empty())
                throw ValidationException("SAML 1.0 assertions cannot contain DoNotCacheCondition elements.");
        END_XMLOBJECTVALIDATOR;

        /**
         * Functor applied to each "unknown" (wildcard) child of Advice.
         *
         * Rejects a child whose element namespace is the SAML 1 namespace,
         * null, or empty: extension content must be namespace-qualified and
         * must not reuse the SAML 1 namespace. The offending element QName is
         * substituted for $1 in the exception message.
         */
        class SAML_DLLLOCAL checkWildcardNS {
        public:
            void operator()(const XMLObject* xmlObject) const {
                const XMLCh* ns=xmlObject->getElementQName().getNamespaceURI();
                if (XMLString::equals(ns,SAML1_NS) || !ns || !*ns) {
                    throw ValidationException(
                        "Object contains an illegal extension child element ($1).",
                        params(1,xmlObject->getElementQName().toString().c_str())
                        );
                }
            }
        };

        // Advice: every wildcard child must pass checkWildcardNS.
        BEGIN_XMLOBJECTVALIDATOR(SAML_DLLLOCAL,Advice);
            const vector<XMLObject*>& anys=ptr->getUnknownXMLObjects();
            for_each(anys.begin(),anys.end(),checkWildcardNS());
        END_XMLOBJECTVALIDATOR;

    };
};
154
// Registration helpers used by registerAssertionClasses() below. Each sets
// `q` (a xmltooling::QName local in the calling function) to the SAML 1
// element name (LOCAL_NAME) or type name (TYPE_NAME) of `cname`, registers a
// freshly allocated <cname>Builder with XMLObjectBuilder and, for the
// non-NOVAL variants, a <cname>SchemaValidator with SchemaValidators.
// The registries are assumed to take ownership of the `new`ed objects —
// TODO confirm against XMLObjectBuilder::registerBuilder / registerValidator.
#define REGISTER_ELEMENT(cname) \
    q=xmltooling::QName(SAML1_NS,cname::LOCAL_NAME); \
    XMLObjectBuilder::registerBuilder(q,new cname##Builder()); \
    SchemaValidators.registerValidator(q,new cname##SchemaValidator())

// Same as REGISTER_ELEMENT but keyed by the schema type name.
#define REGISTER_TYPE(cname) \
    q=xmltooling::QName(SAML1_NS,cname::TYPE_NAME); \
    XMLObjectBuilder::registerBuilder(q,new cname##Builder()); \
    SchemaValidators.registerValidator(q,new cname##SchemaValidator())

// Builder-only registration (no schema validator) keyed by element name.
// Note the trailing semicolon inside the macro: `REGISTER_ELEMENT_NOVAL(X);`
// expands to an extra empty statement, unlike the validated variants above.
#define REGISTER_ELEMENT_NOVAL(cname) \
    q=xmltooling::QName(SAML1_NS,cname::LOCAL_NAME); \
    XMLObjectBuilder::registerBuilder(q,new cname##Builder());

// Builder-only registration (no schema validator) keyed by type name.
#define REGISTER_TYPE_NOVAL(cname) \
    q=xmltooling::QName(SAML1_NS,cname::TYPE_NAME); \
    XMLObjectBuilder::registerBuilder(q,new cname##Builder());
172
/**
 * Registers the builders and schema validators for the SAML 1.x assertion
 * classes, keyed first by element (LOCAL_NAME) and then by schema type
 * (TYPE_NAME) in the SAML 1 namespace.
 *
 * The *_NOVAL registrations (AttributeValue, Condition, DoNotCacheCondition,
 * Statement, SubjectConfirmationData) install a builder only; no schema
 * validator is registered for those names, so none of the structural checks
 * in this file apply to them.
 *
 * `q` is the scratch QName that every REGISTER_* macro assigns before use.
 */
void opensaml::saml1::registerAssertionClasses() {
    xmltooling::QName q;
    // Element-name registrations.
    REGISTER_ELEMENT(Action);
    REGISTER_ELEMENT(Advice);
    REGISTER_ELEMENT(Assertion);
    REGISTER_ELEMENT(AssertionIDReference);
    REGISTER_ELEMENT(Attribute);
    REGISTER_ELEMENT(AttributeDesignator);
    REGISTER_ELEMENT(AttributeStatement);
    REGISTER_ELEMENT_NOVAL(AttributeValue);
    REGISTER_ELEMENT(Audience);
    REGISTER_ELEMENT(AudienceRestrictionCondition);
    REGISTER_ELEMENT(AuthenticationStatement);
    REGISTER_ELEMENT(AuthorityBinding);
    REGISTER_ELEMENT(AuthorizationDecisionStatement);
    REGISTER_ELEMENT_NOVAL(Condition);
    REGISTER_ELEMENT(Conditions);
    REGISTER_ELEMENT(ConfirmationMethod);
    REGISTER_ELEMENT_NOVAL(DoNotCacheCondition);
    REGISTER_ELEMENT(Evidence);
    REGISTER_ELEMENT(NameIdentifier);
    REGISTER_ELEMENT_NOVAL(Statement);
    REGISTER_ELEMENT(Subject);
    REGISTER_ELEMENT(SubjectConfirmation);
    REGISTER_ELEMENT_NOVAL(SubjectConfirmationData);
    REGISTER_ELEMENT(SubjectLocality);
    // Type-name registrations (xsi:type lookups).
    REGISTER_TYPE(Action);
    REGISTER_TYPE(Advice);
    REGISTER_TYPE(Assertion);
    REGISTER_TYPE(Attribute);
    REGISTER_TYPE(AttributeDesignator);
    REGISTER_TYPE(AttributeStatement);
    REGISTER_TYPE(AudienceRestrictionCondition);
    REGISTER_TYPE(AuthenticationStatement);
    REGISTER_TYPE(AuthorityBinding);
    REGISTER_TYPE(AuthorizationDecisionStatement);
    REGISTER_TYPE(Conditions);
    REGISTER_TYPE_NOVAL(DoNotCacheCondition);
    REGISTER_TYPE(Evidence);
    REGISTER_TYPE(NameIdentifier);
    REGISTER_TYPE(Subject);
    REGISTER_TYPE(SubjectConfirmation);
    REGISTER_TYPE(SubjectLocality);
}