2 * Copyright 2001-2006 Internet2
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
8 * http://www.apache.org/licenses/LICENSE-2.0
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
18 * AssertionsSchemaValidators.cpp
20 * Schema-based validators for SAML 1.x Assertions classes
24 #include "exceptions.h"
25 #include "saml1/core/Assertions.h"
27 using namespace opensaml::saml1;
28 using namespace opensaml;
29 using namespace xmltooling;
// Validators for the simple (text-content) SAML 1.x elements.
// NOTE(review): the XMLOBJECTVALIDATOR_* macro bodies are defined elsewhere
// and not shown here; presumably XMLOBJECTVALIDATOR_SIMPLE generates a
// validator with no checks beyond the element's existence, REQUIRE throws
// ValidationException when a named attribute/child is absent, NONEMPTY when a
// child collection is empty, and ONEOF when none of the named items is present.
// Confirm against the macro definitions before relying on these comments.
XMLOBJECTVALIDATOR_SIMPLE(SAML_DLLLOCAL,Action);
XMLOBJECTVALIDATOR_SIMPLE(SAML_DLLLOCAL,AssertionIDReference);
XMLOBJECTVALIDATOR_SIMPLE(SAML_DLLLOCAL,Audience);
XMLOBJECTVALIDATOR_SIMPLE(SAML_DLLLOCAL,ConfirmationMethod);
XMLOBJECTVALIDATOR_SIMPLE(SAML_DLLLOCAL,NameIdentifier);
// AudienceRestrictionCondition: at least one Audience child is required.
// A restriction that names no audience would constrain nothing, so it is
// rejected here rather than left for a relying party to interpret.
BEGIN_XMLOBJECTVALIDATOR(SAML_DLLLOCAL,AudienceRestrictionCondition);
    XMLOBJECTVALIDATOR_NONEMPTY(AudienceRestrictionCondition,Audience);
END_XMLOBJECTVALIDATOR;
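// Conditions: when the element carries no child conditions it must at least
// bound its validity in time, so one of NotBefore / NotOnOrAfter is required.
// When child conditions are present the two attributes are optional.
// NOTE(review): the closing brace of the if-block was missing from the source
// as shown (END_XMLOBJECTVALIDATOR followed the ONEOF line directly); it is
// restored here so the validator body is well-formed.
BEGIN_XMLOBJECTVALIDATOR(SAML_DLLLOCAL,Conditions);
    if (!ptr->hasChildren()) {
        XMLOBJECTVALIDATOR_ONEOF(Conditions,NotBefore,NotOnOrAfter);
    }
END_XMLOBJECTVALIDATOR;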
// SubjectConfirmation: at least one ConfirmationMethod child is required;
// a confirmation that names no method cannot be evaluated by the recipient.
BEGIN_XMLOBJECTVALIDATOR(SAML_DLLLOCAL,SubjectConfirmation);
    XMLOBJECTVALIDATOR_NONEMPTY(SubjectConfirmation,ConfirmationMethod);
END_XMLOBJECTVALIDATOR;
// Subject: at least one of NameIdentifier / SubjectConfirmation must be present
// (both together are also allowed); an empty Subject identifies nobody.
BEGIN_XMLOBJECTVALIDATOR(SAML_DLLLOCAL,Subject);
    XMLOBJECTVALIDATOR_ONEOF(Subject,NameIdentifier,SubjectConfirmation);
END_XMLOBJECTVALIDATOR;
// SubjectLocality: at least one of the IPAddress / DNSAddress attributes must
// be present, otherwise the element conveys no locality at all.
BEGIN_XMLOBJECTVALIDATOR(SAML_DLLLOCAL,SubjectLocality);
    XMLOBJECTVALIDATOR_ONEOF(SubjectLocality,IPAddress,DNSAddress);
END_XMLOBJECTVALIDATOR;
// AuthorityBinding: all three attributes (AuthorityKind, Location, Binding)
// are required — without any one of them the binding cannot be resolved.
BEGIN_XMLOBJECTVALIDATOR(SAML_DLLLOCAL,AuthorityBinding);
    XMLOBJECTVALIDATOR_REQUIRE(AuthorityBinding,AuthorityKind);
    XMLOBJECTVALIDATOR_REQUIRE(AuthorityBinding,Location);
    XMLOBJECTVALIDATOR_REQUIRE(AuthorityBinding,Binding);
END_XMLOBJECTVALIDATOR;
// AuthenticationStatement: AuthenticationMethod and AuthenticationInstant are
// required attributes and a Subject child is required. A statement missing
// any of these cannot be tied to a principal, a method or a point in time and
// is rejected before it reaches policy code.
BEGIN_XMLOBJECTVALIDATOR(SAML_DLLLOCAL,AuthenticationStatement);
    XMLOBJECTVALIDATOR_REQUIRE(AuthenticationStatement,AuthenticationMethod);
    XMLOBJECTVALIDATOR_REQUIRE(AuthenticationStatement,AuthenticationInstant);
    XMLOBJECTVALIDATOR_REQUIRE(AuthenticationStatement,Subject);
END_XMLOBJECTVALIDATOR;
// Evidence: the element is a container and must hold at least one child
// (an assertion or an assertion reference); an empty Evidence is rejected.
BEGIN_XMLOBJECTVALIDATOR(SAML_DLLLOCAL,Evidence);
    if (!ptr->hasChildren())
        throw ValidationException("Evidence must have at least one child element.");
END_XMLOBJECTVALIDATOR;
// AuthorizationDecisionStatement: Resource and Decision are required, the
// Decision must be one of the three enumerated values, and the statement must
// carry a Subject and at least one Action. Restricting Decision to the known
// enumeration means policy code downstream never sees an unexpected value.
BEGIN_XMLOBJECTVALIDATOR(SAML_DLLLOCAL,AuthorizationDecisionStatement);
    XMLOBJECTVALIDATOR_REQUIRE(AuthorizationDecisionStatement,Resource);
    XMLOBJECTVALIDATOR_REQUIRE(AuthorizationDecisionStatement,Decision);
    const XMLCh* decision=ptr->getDecision();
    const bool knownDecision=
        XMLString::equals(decision,AuthorizationDecisionStatement::DECISION_PERMIT) ||
        XMLString::equals(decision,AuthorizationDecisionStatement::DECISION_DENY) ||
        XMLString::equals(decision,AuthorizationDecisionStatement::DECISION_INDETERMINATE);
    if (!knownDecision)
        throw ValidationException("Decision must be one of Deny, Permit, or Indeterminate.");
    XMLOBJECTVALIDATOR_REQUIRE(AuthorizationDecisionStatement,Subject);
    XMLOBJECTVALIDATOR_NONEMPTY(AuthorizationDecisionStatement,Action);
END_XMLOBJECTVALIDATOR;
// AttributeDesignator: both AttributeName and AttributeNamespace are required;
// the pair is what identifies the attribute being designated.
BEGIN_XMLOBJECTVALIDATOR(SAML_DLLLOCAL,AttributeDesignator);
    XMLOBJECTVALIDATOR_REQUIRE(AttributeDesignator,AttributeName);
    XMLOBJECTVALIDATOR_REQUIRE(AttributeDesignator,AttributeNamespace);
END_XMLOBJECTVALIDATOR;
// Attribute: same identifying attributes as AttributeDesignator (AttributeName
// and AttributeNamespace required), plus at least one AttributeValue child.
BEGIN_XMLOBJECTVALIDATOR(SAML_DLLLOCAL,Attribute);
    XMLOBJECTVALIDATOR_REQUIRE(Attribute,AttributeName);
    XMLOBJECTVALIDATOR_REQUIRE(Attribute,AttributeNamespace);
    XMLOBJECTVALIDATOR_NONEMPTY(Attribute,AttributeValue);
END_XMLOBJECTVALIDATOR;
// AttributeStatement: at least one Attribute child is required.
BEGIN_XMLOBJECTVALIDATOR(SAML_DLLLOCAL,AttributeStatement);
    XMLOBJECTVALIDATOR_NONEMPTY(AttributeStatement,Attribute);
END_XMLOBJECTVALIDATOR;
// Assertion: AssertionID, Issuer and IssueInstant are required, the assertion
// must contain at least one statement of any kind, and a SAML 1.0 (minor
// version 0) assertion may not carry DoNotCacheCondition elements, which only
// exist from SAML 1.1 on.
BEGIN_XMLOBJECTVALIDATOR(SAML_DLLLOCAL,Assertion);
    XMLOBJECTVALIDATOR_REQUIRE(Assertion,AssertionID);
    XMLOBJECTVALIDATOR_REQUIRE(Assertion,Issuer);
    XMLOBJECTVALIDATOR_REQUIRE(Assertion,IssueInstant);
    // Any one non-empty statement collection satisfies the requirement; the
    // collections are probed in the same order as before so the first hit stops.
    const bool hasStatement=
        !ptr->getAuthenticationStatements().empty() ||
        !ptr->getAttributeStatements().empty() ||
        !ptr->getAuthorizationDecisionStatements().empty() ||
        !ptr->getSubjectStatements().empty() ||
        !ptr->getStatements().empty();
    if (!hasStatement)
        throw ValidationException("Assertion must have at least one statement.");
    if (ptr->getMinorVersion()==0) {
        const Conditions* conds=ptr->getConditions();
        if (conds && !conds->getDoNotCacheConditions().empty())
            throw ValidationException("SAML 1.0 assertions cannot contain DoNotCacheCondition elements.");
    }
END_XMLOBJECTVALIDATOR;
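// Functor applied to the wildcard ("any") extension children of Advice.
// An extension child must come from a foreign namespace: an element with no
// namespace, or one in the SAML 1 namespace itself, is not an extension and is
// rejected, so SAML-namespace content cannot enter through the wildcard slot
// where it would bypass the element-specific validators above.
// NOTE(review): the source as shown was missing the access specifier and the
// closing braces of this class (operator() must be public for for_each to call
// it); they are restored here so the class is well-formed.
class SAML_DLLLOCAL checkWildcardNS {
public:
    // Throws ValidationException for an element whose namespace is absent,
    // empty, or equal to SAML1_NS; accepts anything else.
    void operator()(const XMLObject* xmlObject) const {
        const XMLCh* ns=xmlObject->getElementQName().getNamespaceURI();
        if (XMLString::equals(ns,SAMLConstants::SAML1_NS) || !ns || !*ns) {
            throw ValidationException(
                "Object contains an illegal extension child element ($1).",
                params(1,xmlObject->getElementQName().toString().c_str())
                );
        }
    }
};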
// Advice: every wildcard child must pass the foreign-namespace check in
// checkWildcardNS; the first offending child raises ValidationException.
BEGIN_XMLOBJECTVALIDATOR(SAML_DLLLOCAL,Advice);
    const vector<XMLObject*>& others=ptr->getOthers();
    checkWildcardNS nsCheck;
    for (vector<XMLObject*>::const_iterator i=others.begin(); i!=others.end(); ++i)
        nsCheck(*i);
END_XMLOBJECTVALIDATOR;
// Registration helpers used by registerAssertionClasses(). Each expands to
// statements that assign the local QName `q` (the macros assume a QName named
// q is in scope at the point of use), register the builder for the class, and
// — for the non-NOVAL variants — register its schema validator in
// AssertionSchemaValidators. The builder and validator objects are created with
// `new` and handed to the registries, which are presumed to take ownership.
// *_ELEMENT keys on cname::LOCAL_NAME, *_TYPE on cname::TYPE_NAME.
// The NOVAL variants are for classes that have no schema validator of their own.
#define REGISTER_ELEMENT(cname) \
    q=QName(SAMLConstants::SAML1_NS,cname::LOCAL_NAME); \
    XMLObjectBuilder::registerBuilder(q,new cname##Builder()); \
    AssertionSchemaValidators.registerValidator(q,new cname##SchemaValidator())

#define REGISTER_TYPE(cname) \
    q=QName(SAMLConstants::SAML1_NS,cname::TYPE_NAME); \
    XMLObjectBuilder::registerBuilder(q,new cname##Builder()); \
    AssertionSchemaValidators.registerValidator(q,new cname##SchemaValidator())

// NOTE(review): the NOVAL variants end with a ';' inside the macro body, so a
// use site such as `REGISTER_ELEMENT_NOVAL(X);` yields an empty statement.
// Harmless, but inconsistent with the two macros above.
#define REGISTER_ELEMENT_NOVAL(cname) \
    q=QName(SAMLConstants::SAML1_NS,cname::LOCAL_NAME); \
    XMLObjectBuilder::registerBuilder(q,new cname##Builder());

#define REGISTER_TYPE_NOVAL(cname) \
    q=QName(SAMLConstants::SAML1_NS,cname::TYPE_NAME); \
    XMLObjectBuilder::registerBuilder(q,new cname##Builder());
// The suite that collects every SAML 1.x assertion schema validator registered
// above; declared in the saml1 namespace headers, defined here with its name.
ValidatorSuite opensaml::saml1::AssertionSchemaValidators("AssertionSchemaValidators");
161 void opensaml::saml1::registerAssertionClasses() {
163 REGISTER_ELEMENT(Action);
164 REGISTER_ELEMENT(Advice);
165 REGISTER_ELEMENT(Assertion);
166 REGISTER_ELEMENT(AssertionIDReference);
167 REGISTER_ELEMENT(Attribute);
168 REGISTER_ELEMENT(AttributeDesignator);
169 REGISTER_ELEMENT(AttributeStatement);
170 REGISTER_ELEMENT_NOVAL(AttributeValue);
171 REGISTER_ELEMENT(Audience);
172 REGISTER_ELEMENT(AudienceRestrictionCondition);
173 REGISTER_ELEMENT(AuthenticationStatement);
174 REGISTER_ELEMENT(AuthorityBinding);
175 REGISTER_ELEMENT(AuthorizationDecisionStatement);
176 REGISTER_ELEMENT(Conditions);
177 REGISTER_ELEMENT(ConfirmationMethod);
178 REGISTER_ELEMENT_NOVAL(DoNotCacheCondition);
179 REGISTER_ELEMENT(Evidence);
180 REGISTER_ELEMENT(NameIdentifier);
181 REGISTER_ELEMENT(Subject);
182 REGISTER_ELEMENT(SubjectConfirmation);
183 REGISTER_ELEMENT_NOVAL(SubjectConfirmationData);
184 REGISTER_ELEMENT(SubjectLocality);
185 REGISTER_TYPE(Action);
186 REGISTER_TYPE(Advice);
187 REGISTER_TYPE(Assertion);
188 REGISTER_TYPE(Attribute);
189 REGISTER_TYPE(AttributeDesignator);
190 REGISTER_TYPE(AttributeStatement);
191 REGISTER_TYPE(AudienceRestrictionCondition);
192 REGISTER_TYPE(AuthenticationStatement);
193 REGISTER_TYPE(AuthorityBinding);
194 REGISTER_TYPE(AuthorizationDecisionStatement);
195 REGISTER_TYPE(Conditions);
196 REGISTER_TYPE_NOVAL(DoNotCacheCondition);
197 REGISTER_TYPE(Evidence);
198 REGISTER_TYPE(NameIdentifier);
199 REGISTER_TYPE(Subject);
200 REGISTER_TYPE(SubjectConfirmation);
201 REGISTER_TYPE(SubjectLocality);