Completed SAML 1 assertion schema, started test cases.
1 /*
2 *  Copyright 2001-2006 Internet2
3  * 
4 * Licensed under the Apache License, Version 2.0 (the "License");
5  * you may not use this file except in compliance with the License.
6  * You may obtain a copy of the License at
7  *
8  *     http://www.apache.org/licenses/LICENSE-2.0
9  *
10  * Unless required by applicable law or agreed to in writing, software
11  * distributed under the License is distributed on an "AS IS" BASIS,
12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13  * See the License for the specific language governing permissions and
14  * limitations under the License.
15  */
16
17 /**
18  * AssertionsSchemaValidators.cpp
19  * 
20  * Schema-based validators for SAML 1.x Assertions classes
21  */
22
23 #include "internal.h"
24 #include "exceptions.h"
25 #include "saml1/core/Assertions.h"
26
27 using namespace opensaml::saml1;
28 using namespace opensaml;
29 using namespace xmltooling;
30 using namespace std;
31
namespace opensaml {
    namespace saml1 {

        // Schema validators for the SAML 1.x assertion vocabulary. Each one
        // enforces the structural constraints of the matching schema type
        // (required attributes, required or non-empty children, closed
        // enumerations) and throws ValidationException on a violation.
        // Nothing in this file evaluates NotBefore/NotOnOrAfter against a
        // clock, matches Audience values, or checks a signature; those are
        // policy decisions for the consumer of the validated object.

        // Leaf elements handled entirely by XMLOBJECTVALIDATOR_SIMPLE; the
        // checks applied to them live in that macro, not here.
        XMLOBJECTVALIDATOR_SIMPLE(SAML_DLLLOCAL,Action);
        XMLOBJECTVALIDATOR_SIMPLE(SAML_DLLLOCAL,AssertionIDReference);
        XMLOBJECTVALIDATOR_SIMPLE(SAML_DLLLOCAL,Audience);
        XMLOBJECTVALIDATOR_SIMPLE(SAML_DLLLOCAL,ConfirmationMethod);
        XMLOBJECTVALIDATOR_SIMPLE(SAML_DLLLOCAL,NameIdentifier);

        // A restriction that names no Audience would restrict nothing.
        BEGIN_XMLOBJECTVALIDATOR(SAML_DLLLOCAL,AudienceRestrictionCondition);
            XMLOBJECTVALIDATOR_NONEMPTY(AudienceRestrictionCondition,Audience);
        END_XMLOBJECTVALIDATOR;

        // A Conditions element that carries no child condition must at
        // least bound validity with NotBefore or NotOnOrAfter; an entirely
        // empty Conditions element is rejected.
        BEGIN_XMLOBJECTVALIDATOR(SAML_DLLLOCAL,Conditions);
            bool hasChildConditions = ptr->hasChildren();
            if (!hasChildConditions) {
                XMLOBJECTVALIDATOR_ONEOF(Conditions,NotBefore,NotOnOrAfter);
            }
        END_XMLOBJECTVALIDATOR;

        // At least one ConfirmationMethod is required.
        BEGIN_XMLOBJECTVALIDATOR(SAML_DLLLOCAL,SubjectConfirmation);
            XMLOBJECTVALIDATOR_NONEMPTY(SubjectConfirmation,ConfirmationMethod);
        END_XMLOBJECTVALIDATOR;

        // A Subject needs a NameIdentifier, a SubjectConfirmation, or both.
        BEGIN_XMLOBJECTVALIDATOR(SAML_DLLLOCAL,Subject);
            XMLOBJECTVALIDATOR_ONEOF(Subject,NameIdentifier,SubjectConfirmation);
        END_XMLOBJECTVALIDATOR;

        // SubjectLocality must identify the client by IPAddress, DNSAddress, or both.
        BEGIN_XMLOBJECTVALIDATOR(SAML_DLLLOCAL,SubjectLocality);
            XMLOBJECTVALIDATOR_ONEOF(SubjectLocality,IPAddress,DNSAddress);
        END_XMLOBJECTVALIDATOR;

        // All three attributes of an AuthorityBinding are required.
        BEGIN_XMLOBJECTVALIDATOR(SAML_DLLLOCAL,AuthorityBinding);
            XMLOBJECTVALIDATOR_REQUIRE(AuthorityBinding,AuthorityKind);
            XMLOBJECTVALIDATOR_REQUIRE(AuthorityBinding,Location);
            XMLOBJECTVALIDATOR_REQUIRE(AuthorityBinding,Binding);
        END_XMLOBJECTVALIDATOR;

        // An authentication statement must say how and when the subject
        // authenticated, and which subject it is about.
        BEGIN_XMLOBJECTVALIDATOR(SAML_DLLLOCAL,AuthenticationStatement);
            XMLOBJECTVALIDATOR_REQUIRE(AuthenticationStatement,AuthenticationMethod);
            XMLOBJECTVALIDATOR_REQUIRE(AuthenticationStatement,AuthenticationInstant);
            XMLOBJECTVALIDATOR_REQUIRE(AuthenticationStatement,Subject);
        END_XMLOBJECTVALIDATOR;

        // Evidence is only meaningful when it actually contains something.
        BEGIN_XMLOBJECTVALIDATOR(SAML_DLLLOCAL,Evidence);
            if (ptr->hasChildren() == false) {
                throw ValidationException("Evidence must have at least one child element.");
            }
        END_XMLOBJECTVALIDATOR;

        // Decision is a closed enumeration; an unrecognised value is rejected
        // outright rather than being silently interpreted as Deny or Permit.
        BEGIN_XMLOBJECTVALIDATOR(SAML_DLLLOCAL,AuthorizationDecisionStatement);
            XMLOBJECTVALIDATOR_REQUIRE(AuthorizationDecisionStatement,Resource);
            XMLOBJECTVALIDATOR_REQUIRE(AuthorizationDecisionStatement,Decision);
            const XMLCh* decision = ptr->getDecision();
            bool knownDecision =
                XMLString::equals(decision,AuthorizationDecisionStatement::DECISION_PERMIT) ||
                XMLString::equals(decision,AuthorizationDecisionStatement::DECISION_DENY) ||
                XMLString::equals(decision,AuthorizationDecisionStatement::DECISION_INDETERMINATE);
            if (!knownDecision) {
                throw ValidationException("Decision must be one of Deny, Permit, or Indeterminate.");
            }
            XMLOBJECTVALIDATOR_REQUIRE(AuthorizationDecisionStatement,Subject);
            XMLOBJECTVALIDATOR_NONEMPTY(AuthorizationDecisionStatement,Action);
        END_XMLOBJECTVALIDATOR;

        // Attributes are identified by the (AttributeName, AttributeNamespace) pair.
        BEGIN_XMLOBJECTVALIDATOR(SAML_DLLLOCAL,AttributeDesignator);
            XMLOBJECTVALIDATOR_REQUIRE(AttributeDesignator,AttributeName);
            XMLOBJECTVALIDATOR_REQUIRE(AttributeDesignator,AttributeNamespace);
        END_XMLOBJECTVALIDATOR;

        // An Attribute is a designator plus at least one value.
        BEGIN_XMLOBJECTVALIDATOR(SAML_DLLLOCAL,Attribute);
            XMLOBJECTVALIDATOR_REQUIRE(Attribute,AttributeName);
            XMLOBJECTVALIDATOR_REQUIRE(Attribute,AttributeNamespace);
            XMLOBJECTVALIDATOR_NONEMPTY(Attribute,AttributeValue);
        END_XMLOBJECTVALIDATOR;

        // An AttributeStatement with no Attribute asserts nothing.
        BEGIN_XMLOBJECTVALIDATOR(SAML_DLLLOCAL,AttributeStatement);
            XMLOBJECTVALIDATOR_NONEMPTY(AttributeStatement,Attribute);
        END_XMLOBJECTVALIDATOR;

        // An Assertion must be identifiable (AssertionID), attributable
        // (Issuer), datable (IssueInstant) and carry at least one statement
        // of any kind.
        // NOTE(review): the SAML 1.x schema also marks MajorVersion and
        // MinorVersion as required attributes; they are not checked here.
        // Confirm they are enforced elsewhere (e.g. during unmarshalling)
        // or add a check.
        BEGIN_XMLOBJECTVALIDATOR(SAML_DLLLOCAL,Assertion);
            XMLOBJECTVALIDATOR_REQUIRE(Assertion,AssertionID);
            XMLOBJECTVALIDATOR_REQUIRE(Assertion,Issuer);
            XMLOBJECTVALIDATOR_REQUIRE(Assertion,IssueInstant);
            bool hasStatement =
                !ptr->getAuthenticationStatements().empty() ||
                !ptr->getSubjectStatements().empty() ||
                !ptr->getStatements().empty();
            if (!hasStatement) {
                throw ValidationException("Assertion must have at least one statement.");
            }
        END_XMLOBJECTVALIDATOR;

        // Functor applied to each extension child of Advice. The schema
        // wildcard there is ##other, so a child in the SAML 1 namespace or
        // in no namespace at all is rejected; the offending QName is
        // reported in the exception message.
        class SAML_DLLLOCAL checkWildcardNS {
        public:
            void operator()(const XMLObject* xmlObject) const {
                const XMLCh* childNS = xmlObject->getElementQName().getNamespaceURI();
                bool noNamespace = (!childNS || !*childNS);
                if (noNamespace || XMLString::equals(childNS,SAMLConstants::SAML1_NS)) {
                    throw ValidationException(
                        "Object contains an illegal extension child element ($1).",
                        params(1,xmlObject->getElementQName().toString().c_str())
                        );
                }
            }
        };

        // Advice has no required content; only its extension children are
        // checked, via checkWildcardNS above.
        BEGIN_XMLOBJECTVALIDATOR(SAML_DLLLOCAL,Advice);
            const vector<XMLObject*>& extensions = ptr->getOthers();
            checkWildcardNS check;
            for (vector<XMLObject*>::const_iterator i = extensions.begin(); i != extensions.end(); ++i) {
                check(*i);
            }
        END_XMLOBJECTVALIDATOR;

    }
}
136
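// Registration helpers used by registerAssertionClasses(). Each one keys on
// a QName in SAML1_NS -- the element's LOCAL_NAME for *_ELEMENT, the schema
// TYPE_NAME for *_TYPE -- and requires a QName named `q` in the enclosing
// scope. None of the macros ends in a semicolon; the call site supplies it.
#define REGISTER_ELEMENT(cname) \
    q=QName(SAMLConstants::SAML1_NS,cname::LOCAL_NAME); \
    XMLObjectBuilder::registerBuilder(q,new cname##Builder()); \
    Validator::registerValidator(q,new cname##SchemaValidator())

#define REGISTER_TYPE(cname) \
    q=QName(SAMLConstants::SAML1_NS,cname::TYPE_NAME); \
    XMLObjectBuilder::registerBuilder(q,new cname##Builder()); \
    Validator::registerValidator(q,new cname##SchemaValidator())

// The *_NOVAL variants register only a builder. Objects of these classes
// therefore receive no schema validation at all, so any structural
// constraint on them has to be enforced by whoever consumes them.
// (Previously these two carried a trailing semicolon, unlike their
// validating counterparts, producing an empty statement at each call site.)
#define REGISTER_ELEMENT_NOVAL(cname) \
    q=QName(SAMLConstants::SAML1_NS,cname::LOCAL_NAME); \
    XMLObjectBuilder::registerBuilder(q,new cname##Builder())

#define REGISTER_TYPE_NOVAL(cname) \
    q=QName(SAMLConstants::SAML1_NS,cname::TYPE_NAME); \
    XMLObjectBuilder::registerBuilder(q,new cname##Builder())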
154
/**
 * Registers the builder and, where one is defined in this file, the schema
 * validator for each SAML 1.x assertion element and schema type, keyed by
 * QName in SAMLConstants::SAML1_NS.
 *
 * Classes registered through the *_NOVAL macros (AttributeValue,
 * DoNotCacheCondition, SubjectConfirmationData) get a builder only and are
 * never schema-validated; consumers must apply their own checks to them.
 */
void opensaml::saml1::registerAssertionClasses() {
    QName q;    // reused by every REGISTER_* macro as the registration key
    // Element registrations, keyed by each class's LOCAL_NAME.
    REGISTER_ELEMENT(Action);
    REGISTER_ELEMENT(Advice);
    REGISTER_ELEMENT(Assertion);
    REGISTER_ELEMENT(AssertionIDReference);
    REGISTER_ELEMENT(Attribute);
    REGISTER_ELEMENT(AttributeDesignator);
    REGISTER_ELEMENT(AttributeStatement);
    REGISTER_ELEMENT_NOVAL(AttributeValue);     // builder only, no validator
    REGISTER_ELEMENT(Audience);
    REGISTER_ELEMENT(AudienceRestrictionCondition);
    REGISTER_ELEMENT(AuthenticationStatement);
    REGISTER_ELEMENT(AuthorityBinding);
    REGISTER_ELEMENT(AuthorizationDecisionStatement);
    REGISTER_ELEMENT(Conditions);
    REGISTER_ELEMENT(ConfirmationMethod);
    REGISTER_ELEMENT_NOVAL(DoNotCacheCondition);    // builder only, no validator
    REGISTER_ELEMENT(Evidence);
    REGISTER_ELEMENT(NameIdentifier);
    REGISTER_ELEMENT(Subject);
    REGISTER_ELEMENT(SubjectConfirmation);
    REGISTER_ELEMENT_NOVAL(SubjectConfirmationData);    // builder only, no validator
    REGISTER_ELEMENT(SubjectLocality);
    // Type registrations, keyed by each class's TYPE_NAME. Not every element
    // above has a TYPE_NAME registration (e.g. AssertionIDReference,
    // Audience, ConfirmationMethod).
    REGISTER_TYPE(Action);
    REGISTER_TYPE(Advice);
    REGISTER_TYPE(Assertion);
    REGISTER_TYPE(Attribute);
    REGISTER_TYPE(AttributeDesignator);
    REGISTER_TYPE(AttributeStatement);
    REGISTER_TYPE(AudienceRestrictionCondition);
    REGISTER_TYPE(AuthenticationStatement);
    REGISTER_TYPE(AuthorityBinding);
    REGISTER_TYPE(AuthorizationDecisionStatement);
    REGISTER_TYPE(Conditions);
    REGISTER_TYPE_NOVAL(DoNotCacheCondition);   // builder only, no validator
    REGISTER_TYPE(Evidence);
    REGISTER_TYPE(NameIdentifier);
    REGISTER_TYPE(Subject);
    REGISTER_TYPE(SubjectConfirmation);
    REGISTER_TYPE(SubjectLocality);
}