2 * Copyright 2001-2006 Internet2
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
8 * http://www.apache.org/licenses/LICENSE-2.0
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
18 * AssertionsSchemaValidators.cpp
20 * Schema-based validators for SAML 2.0 Assertions classes
24 #include "exceptions.h"
25 #include "saml2/core/Assertions.h"
27 using namespace opensaml::saml2;
28 using namespace opensaml;
29 using namespace xmltooling;
35 XMLOBJECTVALIDATOR_SIMPLE(SAML_DLLLOCAL,Action);
36 XMLOBJECTVALIDATOR_SIMPLE(SAML_DLLLOCAL,AssertionIDRef);
37 XMLOBJECTVALIDATOR_SIMPLE(SAML_DLLLOCAL,AssertionURIRef);
38 XMLOBJECTVALIDATOR_SIMPLE(SAML_DLLLOCAL,Audience);
39 XMLOBJECTVALIDATOR_SIMPLE(SAML_DLLLOCAL,AuthnContextClassRef);
40 XMLOBJECTVALIDATOR_SIMPLE(SAML_DLLLOCAL,AuthnContextDeclRef);
41 XMLOBJECTVALIDATOR_SIMPLE(SAML_DLLLOCAL,AuthenticatingAuthority);
42 XMLOBJECTVALIDATOR_SIMPLE(SAML_DLLLOCAL,NameIDType);
43 XMLOBJECTVALIDATOR_SIMPLE(SAML_DLLLOCAL,NameID);
44 XMLOBJECTVALIDATOR_SIMPLE(SAML_DLLLOCAL,Issuer);
46 BEGIN_XMLOBJECTVALIDATOR(SAML_DLLLOCAL,EncryptedElementType);
47 XMLOBJECTVALIDATOR_REQUIRE(EncryptedElementType,EncryptedData);
48 END_XMLOBJECTVALIDATOR;
50 BEGIN_XMLOBJECTVALIDATOR_SUB(SAML_DLLLOCAL,EncryptedID,EncryptedElementType);
51 EncryptedElementTypeSchemaValidator::validate(xmlObject);
52 END_XMLOBJECTVALIDATOR;
54 BEGIN_XMLOBJECTVALIDATOR_SUB(SAML_DLLLOCAL,EncryptedAttribute,EncryptedElementType);
55 EncryptedElementTypeSchemaValidator::validate(xmlObject);
56 END_XMLOBJECTVALIDATOR;
58 BEGIN_XMLOBJECTVALIDATOR_SUB(SAML_DLLLOCAL,EncryptedAssertion,EncryptedElementType);
59 EncryptedElementTypeSchemaValidator::validate(xmlObject);
60 END_XMLOBJECTVALIDATOR;
62 BEGIN_XMLOBJECTVALIDATOR(SAML_DLLLOCAL,AudienceRestriction);
63 XMLOBJECTVALIDATOR_NONEMPTY(AudienceRestriction,Audience);
64 END_XMLOBJECTVALIDATOR;
66 BEGIN_XMLOBJECTVALIDATOR(SAML_DLLLOCAL,ProxyRestriction);
67 if (ptr->getAudiences().empty()) {
68 XMLOBJECTVALIDATOR_REQUIRE(ProxyRestriction,Count);
70 END_XMLOBJECTVALIDATOR;
72 BEGIN_XMLOBJECTVALIDATOR(SAML_DLLLOCAL,Conditions);
73 if (!ptr->hasChildren()) {
74 XMLOBJECTVALIDATOR_ONEOF(Conditions,NotBefore,NotOnOrAfter);
76 END_XMLOBJECTVALIDATOR;
78 BEGIN_XMLOBJECTVALIDATOR(SAML_DLLLOCAL,KeyInfoConfirmationDataType);
79 XMLOBJECTVALIDATOR_NONEMPTY(KeyInfoConfirmationDataType,KeyInfo);
80 END_XMLOBJECTVALIDATOR;
82 BEGIN_XMLOBJECTVALIDATOR(SAML_DLLLOCAL,SubjectConfirmation);
83 XMLOBJECTVALIDATOR_REQUIRE(SubjectConfirmation,Method);
89 if (ptr->getEncryptedID())
92 throw ValidationException("SubjectConfirmation cannot contain multiple identifier elements.");
93 END_XMLOBJECTVALIDATOR;
95 BEGIN_XMLOBJECTVALIDATOR(SAML_DLLLOCAL,Subject);
101 if (ptr->getEncryptedID())
104 throw ValidationException("Subject cannot contain multiple identifier elements.");
105 END_XMLOBJECTVALIDATOR;
107 BEGIN_XMLOBJECTVALIDATOR(SAML_DLLLOCAL,SubjectLocality);
108 XMLOBJECTVALIDATOR_ONEOF(SubjectLocality,Address,DNSName);
109 END_XMLOBJECTVALIDATOR;
111 BEGIN_XMLOBJECTVALIDATOR(SAML_DLLLOCAL,AuthnContext);
112 if (!ptr->getAuthnContextClassRef()) {
113 XMLOBJECTVALIDATOR_ONLYONEOF(AuthnContext,AuthnContextDeclRef,AuthnContextDecl);
115 END_XMLOBJECTVALIDATOR;
117 BEGIN_XMLOBJECTVALIDATOR(SAML_DLLLOCAL,AuthnStatement);
118 XMLOBJECTVALIDATOR_REQUIRE(AuthnStatement,AuthnInstant);
119 XMLOBJECTVALIDATOR_REQUIRE(AuthnStatement,AuthnContext);
120 END_XMLOBJECTVALIDATOR;
122 BEGIN_XMLOBJECTVALIDATOR(SAML_DLLLOCAL,Evidence);
123 if (!ptr->hasChildren())
124 throw ValidationException("Evidence must have at least one child element.");
125 END_XMLOBJECTVALIDATOR;
127 BEGIN_XMLOBJECTVALIDATOR(SAML_DLLLOCAL,AuthzDecisionStatement);
128 XMLOBJECTVALIDATOR_REQUIRE(AuthzDecisionStatement,Resource);
129 XMLOBJECTVALIDATOR_REQUIRE(AuthzDecisionStatement,Decision);
130 if (!XMLString::equals(ptr->getDecision(),AuthzDecisionStatement::DECISION_PERMIT) &&
131 !XMLString::equals(ptr->getDecision(),AuthzDecisionStatement::DECISION_DENY) &&
132 !XMLString::equals(ptr->getDecision(),AuthzDecisionStatement::DECISION_INDETERMINATE))
133 throw ValidationException("Decision must be one of Deny, Permit, or Indeterminate.");
134 XMLOBJECTVALIDATOR_NONEMPTY(AuthzDecisionStatement,Action);
135 END_XMLOBJECTVALIDATOR;
137 BEGIN_XMLOBJECTVALIDATOR(SAML_DLLLOCAL,Attribute);
138 XMLOBJECTVALIDATOR_REQUIRE(Attribute,Name);
139 END_XMLOBJECTVALIDATOR;
141 BEGIN_XMLOBJECTVALIDATOR(SAML_DLLLOCAL,AttributeStatement);
142 XMLOBJECTVALIDATOR_NONEMPTY(AttributeStatement,Attribute);
143 END_XMLOBJECTVALIDATOR;
145 BEGIN_XMLOBJECTVALIDATOR(SAML_DLLLOCAL,Assertion);
146 XMLOBJECTVALIDATOR_REQUIRE(Assertion,Version);
147 XMLOBJECTVALIDATOR_REQUIRE(Assertion,ID);
148 XMLOBJECTVALIDATOR_REQUIRE(Assertion,IssueInstant);
149 XMLOBJECTVALIDATOR_REQUIRE(Assertion,Issuer);
150 if ((!ptr->getAuthnStatements().empty() ||
151 !ptr->getAttributeStatements().empty() ||
152 !ptr->getAuthzDecisionStatements().empty()) && !ptr->getSubject())
153 throw ValidationException("Assertion with standard statements must have a Subject.");
154 END_XMLOBJECTVALIDATOR;
156 class SAML_DLLLOCAL checkWildcardNS {
158 void operator()(const XMLObject* xmlObject) const {
159 const XMLCh* ns=xmlObject->getElementQName().getNamespaceURI();
160 if (XMLString::equals(ns,SAMLConstants::SAML20_NS) || !ns || !*ns) {
161 throw ValidationException(
162 "Object contains an illegal extension child element ($1).",
163 params(1,xmlObject->getElementQName().toString().c_str())
169 BEGIN_XMLOBJECTVALIDATOR(SAML_DLLLOCAL,Advice);
170 const vector<XMLObject*>& anys=ptr->getOthers();
171 for_each(anys.begin(),anys.end(),checkWildcardNS());
172 END_XMLOBJECTVALIDATOR;
177 #define REGISTER_ELEMENT(cname) \
178 q=QName(SAMLConstants::SAML20_NS,cname::LOCAL_NAME); \
179 XMLObjectBuilder::registerBuilder(q,new cname##Builder()); \
180 Validator::registerValidator(q,new cname##SchemaValidator())
182 #define REGISTER_TYPE(cname) \
183 q=QName(SAMLConstants::SAML20_NS,cname::TYPE_NAME); \
184 XMLObjectBuilder::registerBuilder(q,new cname##Builder()); \
185 Validator::registerValidator(q,new cname##SchemaValidator())
187 #define REGISTER_ELEMENT_NOVAL(cname) \
188 q=QName(SAMLConstants::SAML20_NS,cname::LOCAL_NAME); \
189 XMLObjectBuilder::registerBuilder(q,new cname##Builder());
191 #define REGISTER_TYPE_NOVAL(cname) \
192 q=QName(SAMLConstants::SAML20_NS,cname::TYPE_NAME); \
193 XMLObjectBuilder::registerBuilder(q,new cname##Builder());
195 void opensaml::saml2::registerAssertionClasses() {
197 REGISTER_ELEMENT(Action);
198 REGISTER_ELEMENT(Advice);
199 REGISTER_ELEMENT(Assertion);
200 REGISTER_ELEMENT(AssertionIDRef);
201 REGISTER_ELEMENT(AssertionURIRef);
202 REGISTER_ELEMENT(Attribute);
203 REGISTER_ELEMENT(AttributeStatement);
204 REGISTER_ELEMENT_NOVAL(AttributeValue);
205 REGISTER_ELEMENT(Audience);
206 REGISTER_ELEMENT(AudienceRestriction);
207 REGISTER_ELEMENT(AuthenticatingAuthority);
208 REGISTER_ELEMENT(AuthnContext);
209 REGISTER_ELEMENT(AuthnContextClassRef);
210 REGISTER_ELEMENT_NOVAL(AuthnContextDecl);
211 REGISTER_ELEMENT(AuthnContextDeclRef);
212 REGISTER_ELEMENT(AuthnStatement);
213 REGISTER_ELEMENT(AuthzDecisionStatement);
214 REGISTER_ELEMENT(Conditions);
215 REGISTER_ELEMENT(EncryptedAssertion);
216 REGISTER_ELEMENT(EncryptedAttribute);
217 REGISTER_ELEMENT(EncryptedID);
218 REGISTER_ELEMENT(Evidence);
219 REGISTER_ELEMENT(Issuer);
220 REGISTER_ELEMENT(NameID);
221 REGISTER_ELEMENT_NOVAL(OneTimeUse);
222 REGISTER_ELEMENT(ProxyRestriction);
223 REGISTER_ELEMENT(Subject);
224 REGISTER_ELEMENT(SubjectConfirmation);
225 REGISTER_ELEMENT_NOVAL(SubjectConfirmationData);
226 REGISTER_ELEMENT(SubjectLocality);
227 REGISTER_TYPE(Action);
228 REGISTER_TYPE(Advice);
229 REGISTER_TYPE(Assertion);
230 REGISTER_TYPE(Attribute);
231 REGISTER_TYPE(AttributeStatement);
232 REGISTER_TYPE(AudienceRestriction);
233 REGISTER_TYPE(AuthnContext);
234 REGISTER_TYPE(AuthnStatement);
235 REGISTER_TYPE(AuthzDecisionStatement);
236 REGISTER_TYPE(Conditions);
237 REGISTER_TYPE(Evidence);
238 REGISTER_TYPE(KeyInfoConfirmationDataType);
239 REGISTER_TYPE(NameIDType);
240 REGISTER_TYPE_NOVAL(OneTimeUse);
241 REGISTER_TYPE(ProxyRestriction);
242 REGISTER_TYPE(Subject);
243 REGISTER_TYPE(SubjectConfirmation);
244 REGISTER_TYPE(SubjectLocality);