2 * Copyright 2001-2009 Internet2
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
8 * http://www.apache.org/licenses/LICENSE-2.0
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
18 * AssertionValidator.cpp
20 * SAML 1.x basic assertion validator
24 #include "saml1/core/Assertions.h"
25 #include "saml1/profile/AssertionValidator.h"
27 #include <xmltooling/logging.h>
28 #include <xmltooling/XMLToolingConfig.h>
29 #include <xmltooling/util/NDC.h>
31 using namespace opensaml::saml1;
32 using namespace xmltooling::logging;
33 using namespace xmltooling;
/// Builds a validator for SAML 1.x assertions.
/// @param recipient  URI identifying this recipient; compared against each Audience of an
///                   AudienceRestrictionCondition during validation
/// @param audiences  optional list of additional acceptable audience URIs (may be NULL);
///                   only the pointer is stored, so the caller must keep the vector alive
///                   for as long as the validator is used
/// @param ts         evaluation timestamp for the NotBefore / NotOnOrAfter checks
///                   (presumably "now" as seen by the caller)
AssertionValidator::AssertionValidator(const XMLCh* recipient, const vector<const XMLCh*>* audiences, time_t ts)
    : m_recipient(recipient), m_audiences(audiences), m_ts(ts)
{
}
/// No cleanup to do: the audience list pointer stored by the constructor is not deleted here.
AssertionValidator::~AssertionValidator()
{
}
/// Validator interface entry point: accepts only SAML 1.x Assertion objects and hands the
/// real work to validateAssertion().
/// @param xmlObject  object to validate; anything that is not a saml1::Assertion is rejected
/// @throws ValidationException  if xmlObject is not an Assertion, or if validateAssertion()
///         rejects the assertion
/// NOTE(review): the guard line between the cast and the throw is missing from this listing;
/// rejecting a failed cast is the only reading consistent with the exception message.
void AssertionValidator::validate(const xmltooling::XMLObject* xmlObject) const
{
    const Assertion* assertion = dynamic_cast<const Assertion*>(xmlObject);
    if (!assertion)
        throw ValidationException("Validator only applies to SAML 1.x Assertion objects.");
    validateAssertion(*assertion);
}
/// Validates the Conditions of a SAML 1.x assertion: the validity window (allowing for the
/// configured clock skew), then every Condition element. Each condition goes through
/// validateCondition(), which rejects anything it does not recognize, so unknown or extension
/// conditions fail closed rather than being silently accepted.
/// @param assertion  the assertion whose Conditions are checked
/// @throws ValidationException  if the assertion is outside its validity window or carries a
///         condition that validateCondition() does not accept
/// NOTE(review): this listing omits the function's braces and several single guard lines;
/// each gap is marked below and nothing in those gaps is reconstructed here.
void AssertionValidator::validateAssertion(const Assertion& assertion) const
    // Diagnostic context for the log lines emitted while validating.
    // NOTE(review): the preprocessor lines surrounding this (likely a debug-only guard) are not shown.
    xmltooling::NDC ndc("validate");
    const Conditions* conds = assertion.getConditions();
    // NOTE(review): the handling of a null Conditions element (skip vs. reject) is not shown.
    // That decision matters: if a missing Conditions element is skipped, an assertion without one
    // gets neither the time-window nor the audience checks below. Confirm against the full source.
    // First verify the time conditions, using the specified timestamp, if non-zero.
    // NOTE(review): the check gating this on m_ts being non-zero is not shown; per the comment
    // above, a caller that passes a zero timestamp apparently gets no time-window enforcement here.
    unsigned int skew = XMLToolingConfig::getConfig().clock_skew_secs;
    time_t t=conds->getNotBeforeEpoch();
    // NOTE(review): the comparison of t with m_ts (skew-adjusted) that guards this throw is not shown.
    throw ValidationException("Assertion is not yet valid.");
    t=conds->getNotOnOrAfterEpoch();
    // NOTE(review): the comparison guarding this throw is not shown either.
    throw ValidationException("Assertion is no longer valid.");
    // Now we process conditions, starting with the known types and then extensions.
    // Every condition, whatever its type, is routed through the same checker.
    const vector<AudienceRestrictionCondition*>& acvec = conds->getAudienceRestrictionConditions();
    for (vector<AudienceRestrictionCondition*>::const_iterator ac = acvec.begin(); ac!=acvec.end(); ++ac)
        validateCondition(*ac);
    // NOTE(review): validateCondition(), as listed, only accepts AudienceRestrictionCondition;
    // confirm how DoNotCacheCondition objects passed here are meant to be handled.
    const vector<DoNotCacheCondition*>& dncvec = conds->getDoNotCacheConditions();
    for (vector<DoNotCacheCondition*>::const_iterator dnc = dncvec.begin(); dnc!=dncvec.end(); ++dnc)
        validateCondition(*dnc);
    // Generic / extension conditions last.
    const vector<Condition*>& convec = conds->getConditions();
    for (vector<Condition*>::const_iterator c = convec.begin(); c!=convec.end(); ++c)
        validateCondition(*c);
    // NOTE(review): closing brace not shown.
/// Validates a single Condition. Only AudienceRestrictionCondition is accepted as listed: any
/// other Condition type is logged and rejected, so unrecognized conditions fail closed. An
/// AudienceRestrictionCondition is acceptable when at least one of its Audience URIs equals the
/// recipient URI, or one of the explicitly configured audience URIs (exact XMLCh string
/// comparison; no URI normalization is applied).
/// @param c  the condition to check; a null c would be dereferenced in the error path
/// @throws ValidationException  if the condition type is unrecognized, or no Audience matches
/// NOTE(review): this listing omits the function's braces and a few single lines; each gap is
/// marked below and nothing in those gaps is reconstructed here.
void AssertionValidator::validateCondition(const Condition* c) const
    const AudienceRestrictionCondition* ac=dynamic_cast<const AudienceRestrictionCondition*>(c);
    // NOTE(review): the null check on ac that opens this rejection branch is not shown.
    // NOTE(review): validateAssertion() also routes DoNotCacheCondition objects here; as listed
    // they would fail this cast and be rejected as unrecognized unless a branch not visible in
    // this listing handles them. Confirm against the full source.
    Category::getInstance(SAML_LOGCAT".AssertionValidator").error("unrecognized Condition in assertion (%s)",
        c->getSchemaType() ? c->getSchemaType()->toString().c_str() : c->getElementQName().toString().c_str());
    throw ValidationException("Assertion contains an unrecognized condition.");
    // Match any Audience first against the recipient, then against each configured audience;
    // both loops stop as soon as a match is found.
    // NOTE(review): the declaration of `found` (presumably initialized to false) is not shown.
    const vector<Audience*>& auds1 = ac->getAudiences();
    for (vector<Audience*>::const_iterator a = auds1.begin(); !found && a!=auds1.end(); ++a) {
        if (XMLString::equals(m_recipient, (*a)->getAudienceURI())) {
            // NOTE(review): the line recording the match (found set to true) is not shown.
        else if (m_audiences) {
            for (vector<const XMLCh*>::const_iterator a2 = m_audiences->begin(); !found && a2!=m_audiences->end(); ++a2) {
                found = XMLString::equals((*a)->getAudienceURI(), *a2);
    // NOTE(review): the closing braces, the `if (!found)` guard on the rejection below, and the
    // construction of `os` (presumably the serialized condition) are not shown. Whatever `os`
    // holds comes from the incoming assertion, so the logged text is attacker-influenced content.
    Category::getInstance(SAML_LOGCAT".AssertionValidator").error(
        "unacceptable AudienceRestrictionCondition in assertion (%s)", os.str().c_str()
    throw ValidationException("Assertion contains an unacceptable AudienceRestrictionCondition.");
    // NOTE(review): closing braces not shown.