2 * Copyright 2001-2009 Internet2
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
8 * http://www.apache.org/licenses/LICENSE-2.0
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
18 * AssertionsSchemaValidators.cpp
20 * Schema-based validators for SAML 1.x Assertions classes.
24 #include "exceptions.h"
25 #include "saml1/core/Assertions.h"
27 #include <xmltooling/validation/Validator.h>
28 #include <xmltooling/validation/ValidatorSuite.h>
30 using namespace opensaml::saml1;
31 using namespace opensaml;
32 using namespace xmltooling;
34 using samlconstants::SAML1_NS;
39 XMLOBJECTVALIDATOR_SIMPLE(SAML_DLLLOCAL,Action);
40 XMLOBJECTVALIDATOR_SIMPLE(SAML_DLLLOCAL,AssertionIDReference);
41 XMLOBJECTVALIDATOR_SIMPLE(SAML_DLLLOCAL,Audience);
42 XMLOBJECTVALIDATOR_SIMPLE(SAML_DLLLOCAL,ConfirmationMethod);
43 XMLOBJECTVALIDATOR_SIMPLE(SAML_DLLLOCAL,NameIdentifier);
45 BEGIN_XMLOBJECTVALIDATOR(SAML_DLLLOCAL,AudienceRestrictionCondition);
46 XMLOBJECTVALIDATOR_NONEMPTY(AudienceRestrictionCondition,Audience);
47 END_XMLOBJECTVALIDATOR;
49 BEGIN_XMLOBJECTVALIDATOR(SAML_DLLLOCAL,Conditions);
50 if (!ptr->hasChildren()) {
51 XMLOBJECTVALIDATOR_ONEOF(Conditions,NotBefore,NotOnOrAfter);
53 else if (ptr->getDoNotCacheConditions().size() > 1) {
54 throw ValidationException("Multiple DoNotCacheCondition elements are not permitted.");
56 END_XMLOBJECTVALIDATOR;
58 BEGIN_XMLOBJECTVALIDATOR(SAML_DLLLOCAL,SubjectConfirmation);
59 XMLOBJECTVALIDATOR_NONEMPTY(SubjectConfirmation,ConfirmationMethod);
60 END_XMLOBJECTVALIDATOR;
62 BEGIN_XMLOBJECTVALIDATOR(SAML_DLLLOCAL,Subject);
63 XMLOBJECTVALIDATOR_ONEOF(Subject,NameIdentifier,SubjectConfirmation);
64 END_XMLOBJECTVALIDATOR;
66 BEGIN_XMLOBJECTVALIDATOR(SAML_DLLLOCAL,SubjectLocality);
67 XMLOBJECTVALIDATOR_ONEOF(SubjectLocality,IPAddress,DNSAddress);
68 END_XMLOBJECTVALIDATOR;
70 BEGIN_XMLOBJECTVALIDATOR(SAML_DLLLOCAL,AuthorityBinding);
71 XMLOBJECTVALIDATOR_REQUIRE(AuthorityBinding,AuthorityKind);
72 XMLOBJECTVALIDATOR_REQUIRE(AuthorityBinding,Location);
73 XMLOBJECTVALIDATOR_REQUIRE(AuthorityBinding,Binding);
74 END_XMLOBJECTVALIDATOR;
76 BEGIN_XMLOBJECTVALIDATOR(SAML_DLLLOCAL,AuthenticationStatement);
77 XMLOBJECTVALIDATOR_REQUIRE(AuthenticationStatement,AuthenticationMethod);
78 XMLOBJECTVALIDATOR_REQUIRE(AuthenticationStatement,AuthenticationInstant);
79 XMLOBJECTVALIDATOR_REQUIRE(AuthenticationStatement,Subject);
80 END_XMLOBJECTVALIDATOR;
82 BEGIN_XMLOBJECTVALIDATOR(SAML_DLLLOCAL,Evidence);
83 if (!ptr->hasChildren())
84 throw ValidationException("Evidence must have at least one child element.");
85 END_XMLOBJECTVALIDATOR;
87 BEGIN_XMLOBJECTVALIDATOR(SAML_DLLLOCAL,AuthorizationDecisionStatement);
88 XMLOBJECTVALIDATOR_REQUIRE(AuthorizationDecisionStatement,Resource);
89 XMLOBJECTVALIDATOR_REQUIRE(AuthorizationDecisionStatement,Decision);
90 if (!XMLString::equals(ptr->getDecision(),AuthorizationDecisionStatement::DECISION_PERMIT) &&
91 !XMLString::equals(ptr->getDecision(),AuthorizationDecisionStatement::DECISION_DENY) &&
92 !XMLString::equals(ptr->getDecision(),AuthorizationDecisionStatement::DECISION_INDETERMINATE))
93 throw ValidationException("Decision must be one of Deny, Permit, or Indeterminate.");
94 XMLOBJECTVALIDATOR_REQUIRE(AuthorizationDecisionStatement,Subject);
95 XMLOBJECTVALIDATOR_NONEMPTY(AuthorizationDecisionStatement,Action);
96 END_XMLOBJECTVALIDATOR;
98 BEGIN_XMLOBJECTVALIDATOR(SAML_DLLLOCAL,AttributeDesignator);
99 XMLOBJECTVALIDATOR_REQUIRE(AttributeDesignator,AttributeName);
100 XMLOBJECTVALIDATOR_REQUIRE(AttributeDesignator,AttributeNamespace);
101 END_XMLOBJECTVALIDATOR;
103 BEGIN_XMLOBJECTVALIDATOR(SAML_DLLLOCAL,Attribute);
104 XMLOBJECTVALIDATOR_REQUIRE(Attribute,AttributeName);
105 XMLOBJECTVALIDATOR_REQUIRE(Attribute,AttributeNamespace);
106 XMLOBJECTVALIDATOR_NONEMPTY(Attribute,AttributeValue);
107 END_XMLOBJECTVALIDATOR;
109 BEGIN_XMLOBJECTVALIDATOR(SAML_DLLLOCAL,AttributeStatement);
110 XMLOBJECTVALIDATOR_NONEMPTY(AttributeStatement,Attribute);
111 END_XMLOBJECTVALIDATOR;
113 BEGIN_XMLOBJECTVALIDATOR(SAML_DLLLOCAL,Assertion);
114 XMLOBJECTVALIDATOR_REQUIRE(Assertion,AssertionID);
115 XMLOBJECTVALIDATOR_REQUIRE(Assertion,Issuer);
116 XMLOBJECTVALIDATOR_REQUIRE(Assertion,IssueInstant);
117 if (ptr->getAuthenticationStatements().empty() &&
118 ptr->getAttributeStatements().empty() &&
119 ptr->getAuthorizationDecisionStatements().empty() &&
120 ptr->getSubjectStatements().empty() &&
121 ptr->getStatements().empty())
122 throw ValidationException("Assertion must have at least one statement.");
123 pair<bool,int> minor=ptr->getMinorVersion();
125 throw ValidationException("Assertion must have MinorVersion");
126 if (minor.second==0 && ptr->getConditions() && !ptr->getConditions()->getDoNotCacheConditions().empty())
127 throw ValidationException("SAML 1.0 assertions cannot contain DoNotCacheCondition elements.");
128 END_XMLOBJECTVALIDATOR;
130 class SAML_DLLLOCAL checkWildcardNS {
132 void operator()(const XMLObject* xmlObject) const {
133 const XMLCh* ns=xmlObject->getElementQName().getNamespaceURI();
134 if (XMLString::equals(ns,SAML1_NS) || !ns || !*ns) {
135 throw ValidationException(
136 "Object contains an illegal extension child element ($1).",
137 params(1,xmlObject->getElementQName().toString().c_str())
143 BEGIN_XMLOBJECTVALIDATOR(SAML_DLLLOCAL,Advice);
144 const vector<XMLObject*>& anys=ptr->getUnknownXMLObjects();
145 for_each(anys.begin(),anys.end(),checkWildcardNS());
146 END_XMLOBJECTVALIDATOR;
151 #define REGISTER_ELEMENT(cname) \
152 q=xmltooling::QName(SAML1_NS,cname::LOCAL_NAME); \
153 XMLObjectBuilder::registerBuilder(q,new cname##Builder()); \
154 SchemaValidators.registerValidator(q,new cname##SchemaValidator())
156 #define REGISTER_TYPE(cname) \
157 q=xmltooling::QName(SAML1_NS,cname::TYPE_NAME); \
158 XMLObjectBuilder::registerBuilder(q,new cname##Builder()); \
159 SchemaValidators.registerValidator(q,new cname##SchemaValidator())
161 #define REGISTER_ELEMENT_NOVAL(cname) \
162 q=xmltooling::QName(SAML1_NS,cname::LOCAL_NAME); \
163 XMLObjectBuilder::registerBuilder(q,new cname##Builder());
165 #define REGISTER_TYPE_NOVAL(cname) \
166 q=xmltooling::QName(SAML1_NS,cname::TYPE_NAME); \
167 XMLObjectBuilder::registerBuilder(q,new cname##Builder());
169 void opensaml::saml1::registerAssertionClasses() {
171 REGISTER_ELEMENT(Action);
172 REGISTER_ELEMENT(Advice);
173 REGISTER_ELEMENT(Assertion);
174 REGISTER_ELEMENT(AssertionIDReference);
175 REGISTER_ELEMENT(Attribute);
176 REGISTER_ELEMENT(AttributeDesignator);
177 REGISTER_ELEMENT(AttributeStatement);
178 REGISTER_ELEMENT_NOVAL(AttributeValue);
179 REGISTER_ELEMENT(Audience);
180 REGISTER_ELEMENT(AudienceRestrictionCondition);
181 REGISTER_ELEMENT(AuthenticationStatement);
182 REGISTER_ELEMENT(AuthorityBinding);
183 REGISTER_ELEMENT(AuthorizationDecisionStatement);
184 REGISTER_ELEMENT_NOVAL(Condition);
185 REGISTER_ELEMENT(Conditions);
186 REGISTER_ELEMENT(ConfirmationMethod);
187 REGISTER_ELEMENT_NOVAL(DoNotCacheCondition);
188 REGISTER_ELEMENT(Evidence);
189 REGISTER_ELEMENT(NameIdentifier);
190 REGISTER_ELEMENT_NOVAL(Statement);
191 REGISTER_ELEMENT(Subject);
192 REGISTER_ELEMENT(SubjectConfirmation);
193 REGISTER_ELEMENT_NOVAL(SubjectConfirmationData);
194 REGISTER_ELEMENT(SubjectLocality);
195 REGISTER_TYPE(Action);
196 REGISTER_TYPE(Advice);
197 REGISTER_TYPE(Assertion);
198 REGISTER_TYPE(Attribute);
199 REGISTER_TYPE(AttributeDesignator);
200 REGISTER_TYPE(AttributeStatement);
201 REGISTER_TYPE(AudienceRestrictionCondition);
202 REGISTER_TYPE(AuthenticationStatement);
203 REGISTER_TYPE(AuthorityBinding);
204 REGISTER_TYPE(AuthorizationDecisionStatement);
205 REGISTER_TYPE(Conditions);
206 REGISTER_TYPE_NOVAL(DoNotCacheCondition);
207 REGISTER_TYPE(Evidence);
208 REGISTER_TYPE(NameIdentifier);
209 REGISTER_TYPE(Subject);
210 REGISTER_TYPE(SubjectConfirmation);
211 REGISTER_TYPE(SubjectLocality);