2 * Copyright 2001-2006 Internet2
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
8 * http://www.apache.org/licenses/LICENSE-2.0
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
18 * Assertions20SchemaValidators.cpp
20 * Schema-based validators for SAML 2.0 Assertions classes
24 #include "exceptions.h"
25 #include "saml2/core/Assertions.h"
27 #include <xmltooling/validation/ValidatorSuite.h>
29 using namespace opensaml::saml2;
30 using namespace opensaml;
31 using namespace xmltooling;
37 XMLOBJECTVALIDATOR_SIMPLE(SAML_DLLLOCAL,Action);
38 XMLOBJECTVALIDATOR_SIMPLE(SAML_DLLLOCAL,AssertionIDRef);
39 XMLOBJECTVALIDATOR_SIMPLE(SAML_DLLLOCAL,AssertionURIRef);
40 XMLOBJECTVALIDATOR_SIMPLE(SAML_DLLLOCAL,Audience);
41 XMLOBJECTVALIDATOR_SIMPLE(SAML_DLLLOCAL,AuthnContextClassRef);
42 XMLOBJECTVALIDATOR_SIMPLE(SAML_DLLLOCAL,AuthnContextDeclRef);
43 XMLOBJECTVALIDATOR_SIMPLE(SAML_DLLLOCAL,AuthenticatingAuthority);
44 XMLOBJECTVALIDATOR_SIMPLE(SAML_DLLLOCAL,NameIDType);
45 XMLOBJECTVALIDATOR_SIMPLE(SAML_DLLLOCAL,NameID);
46 XMLOBJECTVALIDATOR_SIMPLE(SAML_DLLLOCAL,Issuer);
48 BEGIN_XMLOBJECTVALIDATOR(SAML_DLLLOCAL,EncryptedElementType);
49 XMLOBJECTVALIDATOR_REQUIRE(EncryptedElementType,EncryptedData);
50 END_XMLOBJECTVALIDATOR;
52 BEGIN_XMLOBJECTVALIDATOR_SUB(SAML_DLLLOCAL,EncryptedID,EncryptedElementType);
53 EncryptedElementTypeSchemaValidator::validate(xmlObject);
54 END_XMLOBJECTVALIDATOR;
56 BEGIN_XMLOBJECTVALIDATOR_SUB(SAML_DLLLOCAL,EncryptedAttribute,EncryptedElementType);
57 EncryptedElementTypeSchemaValidator::validate(xmlObject);
58 END_XMLOBJECTVALIDATOR;
60 BEGIN_XMLOBJECTVALIDATOR_SUB(SAML_DLLLOCAL,EncryptedAssertion,EncryptedElementType);
61 EncryptedElementTypeSchemaValidator::validate(xmlObject);
62 END_XMLOBJECTVALIDATOR;
64 BEGIN_XMLOBJECTVALIDATOR(SAML_DLLLOCAL,AudienceRestriction);
65 XMLOBJECTVALIDATOR_NONEMPTY(AudienceRestriction,Audience);
66 END_XMLOBJECTVALIDATOR;
68 BEGIN_XMLOBJECTVALIDATOR(SAML_DLLLOCAL,ProxyRestriction);
69 if (ptr->getAudiences().empty()) {
70 XMLOBJECTVALIDATOR_REQUIRE_INTEGER(ProxyRestriction,Count);
72 END_XMLOBJECTVALIDATOR;
74 BEGIN_XMLOBJECTVALIDATOR(SAML_DLLLOCAL,Conditions);
75 if (!ptr->hasChildren()) {
76 XMLOBJECTVALIDATOR_ONEOF(Conditions,NotBefore,NotOnOrAfter);
78 END_XMLOBJECTVALIDATOR;
80 BEGIN_XMLOBJECTVALIDATOR(SAML_DLLLOCAL,KeyInfoConfirmationDataType);
81 XMLOBJECTVALIDATOR_NONEMPTY(KeyInfoConfirmationDataType,KeyInfo);
82 END_XMLOBJECTVALIDATOR;
84 BEGIN_XMLOBJECTVALIDATOR(SAML_DLLLOCAL,SubjectConfirmation);
85 XMLOBJECTVALIDATOR_REQUIRE(SubjectConfirmation,Method);
91 if (ptr->getEncryptedID())
94 throw ValidationException("SubjectConfirmation cannot contain multiple identifier elements.");
95 END_XMLOBJECTVALIDATOR;
97 BEGIN_XMLOBJECTVALIDATOR(SAML_DLLLOCAL,Subject);
101 if (ptr->getNameID())
103 if (ptr->getEncryptedID())
106 throw ValidationException("Subject cannot contain multiple identifier elements.");
107 END_XMLOBJECTVALIDATOR;
109 BEGIN_XMLOBJECTVALIDATOR(SAML_DLLLOCAL,SubjectLocality);
110 XMLOBJECTVALIDATOR_ONEOF(SubjectLocality,Address,DNSName);
111 END_XMLOBJECTVALIDATOR;
113 BEGIN_XMLOBJECTVALIDATOR(SAML_DLLLOCAL,AuthnContext);
114 if (!ptr->getAuthnContextClassRef()) {
115 XMLOBJECTVALIDATOR_ONLYONEOF(AuthnContext,AuthnContextDeclRef,AuthnContextDecl);
117 END_XMLOBJECTVALIDATOR;
119 BEGIN_XMLOBJECTVALIDATOR(SAML_DLLLOCAL,AuthnStatement);
120 XMLOBJECTVALIDATOR_REQUIRE(AuthnStatement,AuthnInstant);
121 XMLOBJECTVALIDATOR_REQUIRE(AuthnStatement,AuthnContext);
122 END_XMLOBJECTVALIDATOR;
124 BEGIN_XMLOBJECTVALIDATOR(SAML_DLLLOCAL,Evidence);
125 if (!ptr->hasChildren())
126 throw ValidationException("Evidence must have at least one child element.");
127 END_XMLOBJECTVALIDATOR;
129 BEGIN_XMLOBJECTVALIDATOR(SAML_DLLLOCAL,AuthzDecisionStatement);
130 XMLOBJECTVALIDATOR_REQUIRE(AuthzDecisionStatement,Resource);
131 XMLOBJECTVALIDATOR_REQUIRE(AuthzDecisionStatement,Decision);
132 if (!XMLString::equals(ptr->getDecision(),AuthzDecisionStatement::DECISION_PERMIT) &&
133 !XMLString::equals(ptr->getDecision(),AuthzDecisionStatement::DECISION_DENY) &&
134 !XMLString::equals(ptr->getDecision(),AuthzDecisionStatement::DECISION_INDETERMINATE))
135 throw ValidationException("Decision must be one of Deny, Permit, or Indeterminate.");
136 XMLOBJECTVALIDATOR_NONEMPTY(AuthzDecisionStatement,Action);
137 END_XMLOBJECTVALIDATOR;
139 BEGIN_XMLOBJECTVALIDATOR(SAML_DLLLOCAL,Attribute);
140 XMLOBJECTVALIDATOR_REQUIRE(Attribute,Name);
141 END_XMLOBJECTVALIDATOR;
143 BEGIN_XMLOBJECTVALIDATOR(SAML_DLLLOCAL,AttributeStatement);
144 XMLOBJECTVALIDATOR_NONEMPTY(AttributeStatement,Attribute);
145 END_XMLOBJECTVALIDATOR;
147 BEGIN_XMLOBJECTVALIDATOR(SAML_DLLLOCAL,Assertion);
148 XMLOBJECTVALIDATOR_REQUIRE(Assertion,Version);
149 XMLOBJECTVALIDATOR_REQUIRE(Assertion,ID);
150 XMLOBJECTVALIDATOR_REQUIRE(Assertion,IssueInstant);
151 XMLOBJECTVALIDATOR_REQUIRE(Assertion,Issuer);
152 if ((!ptr->getAuthnStatements().empty() ||
153 !ptr->getAttributeStatements().empty() ||
154 !ptr->getAuthzDecisionStatements().empty()) && !ptr->getSubject())
155 throw ValidationException("Assertion with standard statements must have a Subject.");
156 END_XMLOBJECTVALIDATOR;
158 class SAML_DLLLOCAL checkWildcardNS {
160 void operator()(const XMLObject* xmlObject) const {
161 const XMLCh* ns=xmlObject->getElementQName().getNamespaceURI();
162 if (XMLString::equals(ns,SAMLConstants::SAML20_NS) || !ns || !*ns) {
163 throw ValidationException(
164 "Object contains an illegal extension child element ($1).",
165 params(1,xmlObject->getElementQName().toString().c_str())
171 BEGIN_XMLOBJECTVALIDATOR(SAML_DLLLOCAL,Advice);
172 const vector<XMLObject*>& anys=ptr->getOthers();
173 for_each(anys.begin(),anys.end(),checkWildcardNS());
174 END_XMLOBJECTVALIDATOR;
179 #define REGISTER_ELEMENT(cname) \
180 q=QName(SAMLConstants::SAML20_NS,cname::LOCAL_NAME); \
181 XMLObjectBuilder::registerBuilder(q,new cname##Builder()); \
182 SchemaValidators.registerValidator(q,new cname##SchemaValidator())
184 #define REGISTER_TYPE(cname) \
185 q=QName(SAMLConstants::SAML20_NS,cname::TYPE_NAME); \
186 XMLObjectBuilder::registerBuilder(q,new cname##Builder()); \
187 SchemaValidators.registerValidator(q,new cname##SchemaValidator())
189 #define REGISTER_ELEMENT_NOVAL(cname) \
190 q=QName(SAMLConstants::SAML20_NS,cname::LOCAL_NAME); \
191 XMLObjectBuilder::registerBuilder(q,new cname##Builder());
193 #define REGISTER_TYPE_NOVAL(cname) \
194 q=QName(SAMLConstants::SAML20_NS,cname::TYPE_NAME); \
195 XMLObjectBuilder::registerBuilder(q,new cname##Builder());
197 void opensaml::saml2::registerAssertionClasses() {
199 REGISTER_ELEMENT(Action);
200 REGISTER_ELEMENT(Advice);
201 REGISTER_ELEMENT(Assertion);
202 REGISTER_ELEMENT(AssertionIDRef);
203 REGISTER_ELEMENT(AssertionURIRef);
204 REGISTER_ELEMENT(Attribute);
205 REGISTER_ELEMENT(AttributeStatement);
206 REGISTER_ELEMENT_NOVAL(AttributeValue);
207 REGISTER_ELEMENT(Audience);
208 REGISTER_ELEMENT(AudienceRestriction);
209 REGISTER_ELEMENT(AuthenticatingAuthority);
210 REGISTER_ELEMENT(AuthnContext);
211 REGISTER_ELEMENT(AuthnContextClassRef);
212 REGISTER_ELEMENT_NOVAL(AuthnContextDecl);
213 REGISTER_ELEMENT(AuthnContextDeclRef);
214 REGISTER_ELEMENT(AuthnStatement);
215 REGISTER_ELEMENT(AuthzDecisionStatement);
216 REGISTER_ELEMENT(Conditions);
217 REGISTER_ELEMENT(EncryptedAssertion);
218 REGISTER_ELEMENT(EncryptedAttribute);
219 REGISTER_ELEMENT(EncryptedID);
220 REGISTER_ELEMENT(Evidence);
221 REGISTER_ELEMENT(Issuer);
222 REGISTER_ELEMENT(NameID);
223 REGISTER_ELEMENT_NOVAL(OneTimeUse);
224 REGISTER_ELEMENT(ProxyRestriction);
225 REGISTER_ELEMENT(Subject);
226 REGISTER_ELEMENT(SubjectConfirmation);
227 REGISTER_ELEMENT_NOVAL(SubjectConfirmationData);
228 REGISTER_ELEMENT(SubjectLocality);
229 REGISTER_TYPE(Action);
230 REGISTER_TYPE(Advice);
231 REGISTER_TYPE(Assertion);
232 REGISTER_TYPE(Attribute);
233 REGISTER_TYPE(AttributeStatement);
234 REGISTER_TYPE(AudienceRestriction);
235 REGISTER_TYPE(AuthnContext);
236 REGISTER_TYPE(AuthnStatement);
237 REGISTER_TYPE(AuthzDecisionStatement);
238 REGISTER_TYPE(Conditions);
239 REGISTER_TYPE(Evidence);
240 REGISTER_TYPE(KeyInfoConfirmationDataType);
241 REGISTER_TYPE(NameIDType);
242 REGISTER_TYPE_NOVAL(OneTimeUse);
243 REGISTER_TYPE(ProxyRestriction);
244 REGISTER_TYPE(Subject);
245 REGISTER_TYPE(SubjectConfirmation);
246 REGISTER_TYPE(SubjectLocality);