2 * Copyright 2001-2006 Internet2
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
8 * http://www.apache.org/licenses/LICENSE-2.0
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
18 * AssertionsSchemaValidators.cpp
20 * Schema-based validators for SAML 2.0 Assertions classes
24 #include "exceptions.h"
25 #include "saml2/core/Assertions.h"
27 using namespace opensaml::saml2;
28 using namespace opensaml;
29 using namespace xmltooling;
35 XMLOBJECTVALIDATOR_SIMPLE(SAML_DLLLOCAL,Action);
36 XMLOBJECTVALIDATOR_SIMPLE(SAML_DLLLOCAL,AssertionIDRef);
37 XMLOBJECTVALIDATOR_SIMPLE(SAML_DLLLOCAL,AssertionURIRef);
38 XMLOBJECTVALIDATOR_SIMPLE(SAML_DLLLOCAL,Audience);
39 XMLOBJECTVALIDATOR_SIMPLE(SAML_DLLLOCAL,AuthnContextClassRef);
40 XMLOBJECTVALIDATOR_SIMPLE(SAML_DLLLOCAL,AuthnContextDeclRef);
41 XMLOBJECTVALIDATOR_SIMPLE(SAML_DLLLOCAL,AuthenticatingAuthority);
42 XMLOBJECTVALIDATOR_SIMPLE(SAML_DLLLOCAL,NameIDType);
43 XMLOBJECTVALIDATOR_SIMPLE(SAML_DLLLOCAL,NameID);
44 XMLOBJECTVALIDATOR_SIMPLE(SAML_DLLLOCAL,Issuer);
46 BEGIN_XMLOBJECTVALIDATOR(SAML_DLLLOCAL,AudienceRestriction);
47 XMLOBJECTVALIDATOR_NONEMPTY(AudienceRestriction,Audience);
48 END_XMLOBJECTVALIDATOR;
50 BEGIN_XMLOBJECTVALIDATOR(SAML_DLLLOCAL,ProxyRestriction);
51 if (ptr->getAudiences().empty()) {
52 XMLOBJECTVALIDATOR_REQUIRE(ProxyRestriction,Count);
54 END_XMLOBJECTVALIDATOR;
56 BEGIN_XMLOBJECTVALIDATOR(SAML_DLLLOCAL,Conditions);
57 if (!ptr->hasChildren()) {
58 XMLOBJECTVALIDATOR_ONEOF(Conditions,NotBefore,NotOnOrAfter);
60 END_XMLOBJECTVALIDATOR;
62 BEGIN_XMLOBJECTVALIDATOR(SAML_DLLLOCAL,KeyInfoConfirmationDataType);
63 XMLOBJECTVALIDATOR_NONEMPTY(KeyInfoConfirmationDataType,KeyInfo);
64 END_XMLOBJECTVALIDATOR;
66 BEGIN_XMLOBJECTVALIDATOR(SAML_DLLLOCAL,SubjectConfirmation);
67 XMLOBJECTVALIDATOR_REQUIRE(SubjectConfirmation,Method);
73 //if (ptr->getEncryptedID())
76 throw ValidationException("SubjectConfirmation cannot contain multiple identifier elements.");
77 END_XMLOBJECTVALIDATOR;
79 BEGIN_XMLOBJECTVALIDATOR(SAML_DLLLOCAL,Subject);
85 //if (ptr->getEncryptedID())
88 throw ValidationException("Subject cannot contain multiple identifier elements.");
89 END_XMLOBJECTVALIDATOR;
91 BEGIN_XMLOBJECTVALIDATOR(SAML_DLLLOCAL,SubjectLocality);
92 XMLOBJECTVALIDATOR_ONEOF(SubjectLocality,Address,DNSName);
93 END_XMLOBJECTVALIDATOR;
95 BEGIN_XMLOBJECTVALIDATOR(SAML_DLLLOCAL,AuthnContext);
96 if (!ptr->getAuthnContextClassRef()) {
97 XMLOBJECTVALIDATOR_ONLYONEOF(AuthnContext,AuthnContextDeclRef,AuthnContextDecl);
99 END_XMLOBJECTVALIDATOR;
101 BEGIN_XMLOBJECTVALIDATOR(SAML_DLLLOCAL,AuthnStatement);
102 XMLOBJECTVALIDATOR_REQUIRE(AuthnStatement,AuthnInstant);
103 XMLOBJECTVALIDATOR_REQUIRE(AuthnStatement,AuthnContext);
104 END_XMLOBJECTVALIDATOR;
106 BEGIN_XMLOBJECTVALIDATOR(SAML_DLLLOCAL,Evidence);
107 if (!ptr->hasChildren())
108 throw ValidationException("Evidence must have at least one child element.");
109 END_XMLOBJECTVALIDATOR;
111 BEGIN_XMLOBJECTVALIDATOR(SAML_DLLLOCAL,AuthzDecisionStatement);
112 XMLOBJECTVALIDATOR_REQUIRE(AuthzDecisionStatement,Resource);
113 XMLOBJECTVALIDATOR_REQUIRE(AuthzDecisionStatement,Decision);
114 if (!XMLString::equals(ptr->getDecision(),AuthzDecisionStatement::DECISION_PERMIT) &&
115 !XMLString::equals(ptr->getDecision(),AuthzDecisionStatement::DECISION_DENY) &&
116 !XMLString::equals(ptr->getDecision(),AuthzDecisionStatement::DECISION_INDETERMINATE))
117 throw ValidationException("Decision must be one of Deny, Permit, or Indeterminate.");
118 XMLOBJECTVALIDATOR_NONEMPTY(AuthzDecisionStatement,Action);
119 END_XMLOBJECTVALIDATOR;
121 BEGIN_XMLOBJECTVALIDATOR(SAML_DLLLOCAL,Attribute);
122 XMLOBJECTVALIDATOR_REQUIRE(Attribute,Name);
123 END_XMLOBJECTVALIDATOR;
125 BEGIN_XMLOBJECTVALIDATOR(SAML_DLLLOCAL,AttributeStatement);
126 XMLOBJECTVALIDATOR_NONEMPTY(AttributeStatement,Attribute);
127 END_XMLOBJECTVALIDATOR;
129 BEGIN_XMLOBJECTVALIDATOR(SAML_DLLLOCAL,Assertion);
130 XMLOBJECTVALIDATOR_REQUIRE(Assertion,Version);
131 XMLOBJECTVALIDATOR_REQUIRE(Assertion,ID);
132 XMLOBJECTVALIDATOR_REQUIRE(Assertion,IssueInstant);
133 XMLOBJECTVALIDATOR_REQUIRE(Assertion,Issuer);
134 if ((!ptr->getAuthnStatements().empty() ||
135 !ptr->getAttributeStatements().empty() ||
136 !ptr->getAuthzDecisionStatements().empty()) && !ptr->getSubject())
137 throw ValidationException("Assertion with standard statements must have a Subject.");
138 END_XMLOBJECTVALIDATOR;
140 class SAML_DLLLOCAL checkWildcardNS {
142 void operator()(const XMLObject* xmlObject) const {
143 const XMLCh* ns=xmlObject->getElementQName().getNamespaceURI();
144 if (XMLString::equals(ns,SAMLConstants::SAML20_NS) || !ns || !*ns) {
145 throw ValidationException(
146 "Object contains an illegal extension child element ($1).",
147 params(1,xmlObject->getElementQName().toString().c_str())
153 BEGIN_XMLOBJECTVALIDATOR(SAML_DLLLOCAL,Advice);
154 const vector<XMLObject*>& anys=ptr->getOthers();
155 for_each(anys.begin(),anys.end(),checkWildcardNS());
156 END_XMLOBJECTVALIDATOR;
161 #define REGISTER_ELEMENT(cname) \
162 q=QName(SAMLConstants::SAML20_NS,cname::LOCAL_NAME); \
163 XMLObjectBuilder::registerBuilder(q,new cname##Builder()); \
164 Validator::registerValidator(q,new cname##SchemaValidator())
166 #define REGISTER_TYPE(cname) \
167 q=QName(SAMLConstants::SAML20_NS,cname::TYPE_NAME); \
168 XMLObjectBuilder::registerBuilder(q,new cname##Builder()); \
169 Validator::registerValidator(q,new cname##SchemaValidator())
171 #define REGISTER_ELEMENT_NOVAL(cname) \
172 q=QName(SAMLConstants::SAML20_NS,cname::LOCAL_NAME); \
173 XMLObjectBuilder::registerBuilder(q,new cname##Builder());
175 #define REGISTER_TYPE_NOVAL(cname) \
176 q=QName(SAMLConstants::SAML20_NS,cname::TYPE_NAME); \
177 XMLObjectBuilder::registerBuilder(q,new cname##Builder());
179 void opensaml::saml2::registerAssertionClasses() {
181 REGISTER_ELEMENT(Action);
182 REGISTER_ELEMENT(Advice);
183 REGISTER_ELEMENT(Assertion);
184 REGISTER_ELEMENT(AssertionIDRef);
185 REGISTER_ELEMENT(AssertionURIRef);
186 REGISTER_ELEMENT(Attribute);
187 REGISTER_ELEMENT(AttributeStatement);
188 REGISTER_ELEMENT_NOVAL(AttributeValue);
189 REGISTER_ELEMENT(Audience);
190 REGISTER_ELEMENT(AudienceRestriction);
191 REGISTER_ELEMENT(AuthenticatingAuthority);
192 REGISTER_ELEMENT(AuthnContext);
193 REGISTER_ELEMENT(AuthnContextClassRef);
194 REGISTER_ELEMENT_NOVAL(AuthnContextDecl);
195 REGISTER_ELEMENT(AuthnContextDeclRef);
196 REGISTER_ELEMENT(AuthnStatement);
197 REGISTER_ELEMENT(AuthzDecisionStatement);
198 REGISTER_ELEMENT(Conditions);
199 REGISTER_ELEMENT(Evidence);
200 REGISTER_ELEMENT(Issuer);
201 REGISTER_ELEMENT(NameID);
202 REGISTER_ELEMENT_NOVAL(OneTimeUse);
203 REGISTER_ELEMENT(ProxyRestriction);
204 REGISTER_ELEMENT(Subject);
205 REGISTER_ELEMENT(SubjectConfirmation);
206 REGISTER_ELEMENT_NOVAL(SubjectConfirmationData);
207 REGISTER_ELEMENT(SubjectLocality);
208 REGISTER_TYPE(Action);
209 REGISTER_TYPE(Advice);
210 REGISTER_TYPE(Assertion);
211 REGISTER_TYPE(Attribute);
212 REGISTER_TYPE(AttributeStatement);
213 REGISTER_TYPE(AudienceRestriction);
214 REGISTER_TYPE(AuthnContext);
215 REGISTER_TYPE(AuthnStatement);
216 REGISTER_TYPE(AuthzDecisionStatement);
217 REGISTER_TYPE(Conditions);
218 REGISTER_TYPE(Evidence);
219 REGISTER_TYPE(KeyInfoConfirmationDataType);
220 REGISTER_TYPE(NameIDType);
221 REGISTER_TYPE_NOVAL(OneTimeUse);
222 REGISTER_TYPE(ProxyRestriction);
223 REGISTER_TYPE(Subject);
224 REGISTER_TYPE(SubjectConfirmation);
225 REGISTER_TYPE(SubjectLocality);