2 * Copyright 2001-2006 Internet2
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
8 * http://www.apache.org/licenses/LICENSE-2.0
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
18 * Assertions20SchemaValidators.cpp
20 * Schema-based validators for SAML 2.0 Assertions classes
24 #include "exceptions.h"
25 #include "saml2/core/Assertions.h"
27 #include <xmltooling/validation/ValidatorSuite.h>
29 using namespace opensaml::saml2;
30 using namespace opensaml;
31 using namespace xmltooling;
33 using samlconstants::SAML20_NS;
38 XMLOBJECTVALIDATOR_SIMPLE(SAML_DLLLOCAL,Action);
39 XMLOBJECTVALIDATOR_SIMPLE(SAML_DLLLOCAL,AssertionIDRef);
40 XMLOBJECTVALIDATOR_SIMPLE(SAML_DLLLOCAL,AssertionURIRef);
41 XMLOBJECTVALIDATOR_SIMPLE(SAML_DLLLOCAL,Audience);
42 XMLOBJECTVALIDATOR_SIMPLE(SAML_DLLLOCAL,AuthnContextClassRef);
43 XMLOBJECTVALIDATOR_SIMPLE(SAML_DLLLOCAL,AuthnContextDeclRef);
44 XMLOBJECTVALIDATOR_SIMPLE(SAML_DLLLOCAL,AuthenticatingAuthority);
45 XMLOBJECTVALIDATOR_SIMPLE(SAML_DLLLOCAL,NameIDType);
46 XMLOBJECTVALIDATOR_SIMPLE(SAML_DLLLOCAL,NameID);
47 XMLOBJECTVALIDATOR_SIMPLE(SAML_DLLLOCAL,Issuer);
49 BEGIN_XMLOBJECTVALIDATOR(SAML_DLLLOCAL,EncryptedElementType);
50 XMLOBJECTVALIDATOR_REQUIRE(EncryptedElementType,EncryptedData);
51 END_XMLOBJECTVALIDATOR;
53 BEGIN_XMLOBJECTVALIDATOR_SUB(SAML_DLLLOCAL,EncryptedID,EncryptedElementType);
54 EncryptedElementTypeSchemaValidator::validate(xmlObject);
55 END_XMLOBJECTVALIDATOR;
57 BEGIN_XMLOBJECTVALIDATOR_SUB(SAML_DLLLOCAL,EncryptedAttribute,EncryptedElementType);
58 EncryptedElementTypeSchemaValidator::validate(xmlObject);
59 END_XMLOBJECTVALIDATOR;
61 BEGIN_XMLOBJECTVALIDATOR_SUB(SAML_DLLLOCAL,EncryptedAssertion,EncryptedElementType);
62 EncryptedElementTypeSchemaValidator::validate(xmlObject);
63 END_XMLOBJECTVALIDATOR;
65 BEGIN_XMLOBJECTVALIDATOR(SAML_DLLLOCAL,AudienceRestriction);
66 XMLOBJECTVALIDATOR_NONEMPTY(AudienceRestriction,Audience);
67 END_XMLOBJECTVALIDATOR;
69 BEGIN_XMLOBJECTVALIDATOR(SAML_DLLLOCAL,ProxyRestriction);
70 if (ptr->getAudiences().empty()) {
71 XMLOBJECTVALIDATOR_REQUIRE_INTEGER(ProxyRestriction,Count);
73 END_XMLOBJECTVALIDATOR;
75 BEGIN_XMLOBJECTVALIDATOR(SAML_DLLLOCAL,Conditions);
76 if (!ptr->hasChildren()) {
77 XMLOBJECTVALIDATOR_ONEOF(Conditions,NotBefore,NotOnOrAfter);
79 END_XMLOBJECTVALIDATOR;
81 BEGIN_XMLOBJECTVALIDATOR(SAML_DLLLOCAL,KeyInfoConfirmationDataType);
82 XMLOBJECTVALIDATOR_NONEMPTY(KeyInfoConfirmationDataType,KeyInfo);
83 END_XMLOBJECTVALIDATOR;
85 BEGIN_XMLOBJECTVALIDATOR(SAML_DLLLOCAL,SubjectConfirmation);
86 XMLOBJECTVALIDATOR_REQUIRE(SubjectConfirmation,Method);
92 if (ptr->getEncryptedID())
95 throw ValidationException("SubjectConfirmation cannot contain multiple identifier elements.");
96 END_XMLOBJECTVALIDATOR;
98 BEGIN_XMLOBJECTVALIDATOR(SAML_DLLLOCAL,Subject);
100 if (ptr->getBaseID())
102 if (ptr->getNameID())
104 if (ptr->getEncryptedID())
107 throw ValidationException("Subject cannot contain multiple identifier elements.");
108 END_XMLOBJECTVALIDATOR;
110 BEGIN_XMLOBJECTVALIDATOR(SAML_DLLLOCAL,SubjectLocality);
111 XMLOBJECTVALIDATOR_ONEOF(SubjectLocality,Address,DNSName);
112 END_XMLOBJECTVALIDATOR;
114 BEGIN_XMLOBJECTVALIDATOR(SAML_DLLLOCAL,AuthnContext);
115 if (!ptr->getAuthnContextClassRef()) {
116 XMLOBJECTVALIDATOR_ONLYONEOF(AuthnContext,AuthnContextDeclRef,AuthnContextDecl);
118 END_XMLOBJECTVALIDATOR;
120 BEGIN_XMLOBJECTVALIDATOR(SAML_DLLLOCAL,AuthnStatement);
121 XMLOBJECTVALIDATOR_REQUIRE(AuthnStatement,AuthnInstant);
122 XMLOBJECTVALIDATOR_REQUIRE(AuthnStatement,AuthnContext);
123 END_XMLOBJECTVALIDATOR;
125 BEGIN_XMLOBJECTVALIDATOR(SAML_DLLLOCAL,Evidence);
126 if (!ptr->hasChildren())
127 throw ValidationException("Evidence must have at least one child element.");
128 END_XMLOBJECTVALIDATOR;
130 BEGIN_XMLOBJECTVALIDATOR(SAML_DLLLOCAL,AuthzDecisionStatement);
131 XMLOBJECTVALIDATOR_REQUIRE(AuthzDecisionStatement,Resource);
132 XMLOBJECTVALIDATOR_REQUIRE(AuthzDecisionStatement,Decision);
133 if (!XMLString::equals(ptr->getDecision(),AuthzDecisionStatement::DECISION_PERMIT) &&
134 !XMLString::equals(ptr->getDecision(),AuthzDecisionStatement::DECISION_DENY) &&
135 !XMLString::equals(ptr->getDecision(),AuthzDecisionStatement::DECISION_INDETERMINATE))
136 throw ValidationException("Decision must be one of Deny, Permit, or Indeterminate.");
137 XMLOBJECTVALIDATOR_NONEMPTY(AuthzDecisionStatement,Action);
138 END_XMLOBJECTVALIDATOR;
140 BEGIN_XMLOBJECTVALIDATOR(SAML_DLLLOCAL,Attribute);
141 XMLOBJECTVALIDATOR_REQUIRE(Attribute,Name);
142 END_XMLOBJECTVALIDATOR;
144 BEGIN_XMLOBJECTVALIDATOR(SAML_DLLLOCAL,AttributeStatement);
145 XMLOBJECTVALIDATOR_NONEMPTY(AttributeStatement,Attribute);
146 END_XMLOBJECTVALIDATOR;
148 BEGIN_XMLOBJECTVALIDATOR(SAML_DLLLOCAL,Assertion);
149 XMLOBJECTVALIDATOR_REQUIRE(Assertion,Version);
150 if (!XMLString::equals(samlconstants::SAML20_VERSION, ptr->getVersion()))
151 throw ValidationException("Assertion has wrong SAML Version.");
152 XMLOBJECTVALIDATOR_REQUIRE(Assertion,ID);
153 XMLOBJECTVALIDATOR_REQUIRE(Assertion,IssueInstant);
154 XMLOBJECTVALIDATOR_REQUIRE(Assertion,Issuer);
155 if ((!ptr->getAuthnStatements().empty() ||
156 !ptr->getAttributeStatements().empty() ||
157 !ptr->getAuthzDecisionStatements().empty()) && !ptr->getSubject())
158 throw ValidationException("Assertion with standard statements must have a Subject.");
159 END_XMLOBJECTVALIDATOR;
161 class SAML_DLLLOCAL checkWildcardNS {
163 void operator()(const XMLObject* xmlObject) const {
164 const XMLCh* ns=xmlObject->getElementQName().getNamespaceURI();
165 if (XMLString::equals(ns,SAML20_NS) || !ns || !*ns) {
166 throw ValidationException(
167 "Object contains an illegal extension child element ($1).",
168 params(1,xmlObject->getElementQName().toString().c_str())
174 BEGIN_XMLOBJECTVALIDATOR(SAML_DLLLOCAL,Advice);
175 const vector<XMLObject*>& anys=ptr->getOthers();
176 for_each(anys.begin(),anys.end(),checkWildcardNS());
177 END_XMLOBJECTVALIDATOR;
182 #define REGISTER_ELEMENT(cname) \
183 q=QName(SAML20_NS,cname::LOCAL_NAME); \
184 XMLObjectBuilder::registerBuilder(q,new cname##Builder()); \
185 SchemaValidators.registerValidator(q,new cname##SchemaValidator())
187 #define REGISTER_TYPE(cname) \
188 q=QName(SAML20_NS,cname::TYPE_NAME); \
189 XMLObjectBuilder::registerBuilder(q,new cname##Builder()); \
190 SchemaValidators.registerValidator(q,new cname##SchemaValidator())
192 #define REGISTER_ELEMENT_NOVAL(cname) \
193 q=QName(SAML20_NS,cname::LOCAL_NAME); \
194 XMLObjectBuilder::registerBuilder(q,new cname##Builder());
196 #define REGISTER_TYPE_NOVAL(cname) \
197 q=QName(SAML20_NS,cname::TYPE_NAME); \
198 XMLObjectBuilder::registerBuilder(q,new cname##Builder());
200 void opensaml::saml2::registerAssertionClasses() {
202 REGISTER_ELEMENT(Action);
203 REGISTER_ELEMENT(Advice);
204 REGISTER_ELEMENT(Assertion);
205 REGISTER_ELEMENT(AssertionIDRef);
206 REGISTER_ELEMENT(AssertionURIRef);
207 REGISTER_ELEMENT(Attribute);
208 REGISTER_ELEMENT(AttributeStatement);
209 REGISTER_ELEMENT_NOVAL(AttributeValue);
210 REGISTER_ELEMENT(Audience);
211 REGISTER_ELEMENT(AudienceRestriction);
212 REGISTER_ELEMENT(AuthenticatingAuthority);
213 REGISTER_ELEMENT(AuthnContext);
214 REGISTER_ELEMENT(AuthnContextClassRef);
215 REGISTER_ELEMENT_NOVAL(AuthnContextDecl);
216 REGISTER_ELEMENT(AuthnContextDeclRef);
217 REGISTER_ELEMENT(AuthnStatement);
218 REGISTER_ELEMENT(AuthzDecisionStatement);
219 REGISTER_ELEMENT(Conditions);
220 REGISTER_ELEMENT(EncryptedAssertion);
221 REGISTER_ELEMENT(EncryptedAttribute);
222 REGISTER_ELEMENT(EncryptedID);
223 REGISTER_ELEMENT(Evidence);
224 REGISTER_ELEMENT(Issuer);
225 REGISTER_ELEMENT(NameID);
226 REGISTER_ELEMENT_NOVAL(OneTimeUse);
227 REGISTER_ELEMENT(ProxyRestriction);
228 REGISTER_ELEMENT(Subject);
229 REGISTER_ELEMENT(SubjectConfirmation);
230 REGISTER_ELEMENT_NOVAL(SubjectConfirmationData);
231 REGISTER_ELEMENT(SubjectLocality);
232 REGISTER_TYPE(Action);
233 REGISTER_TYPE(Advice);
234 REGISTER_TYPE(Assertion);
235 REGISTER_TYPE(Attribute);
236 REGISTER_TYPE(AttributeStatement);
237 REGISTER_TYPE(AudienceRestriction);
238 REGISTER_TYPE(AuthnContext);
239 REGISTER_TYPE(AuthnStatement);
240 REGISTER_TYPE(AuthzDecisionStatement);
241 REGISTER_TYPE(Conditions);
242 REGISTER_TYPE(Evidence);
243 REGISTER_TYPE(KeyInfoConfirmationDataType);
244 REGISTER_TYPE(NameIDType);
245 REGISTER_TYPE_NOVAL(OneTimeUse);
246 REGISTER_TYPE(ProxyRestriction);
247 REGISTER_TYPE(Subject);
248 REGISTER_TYPE(SubjectConfirmation);
249 REGISTER_TYPE(SubjectLocality);