saml/saml2/core/impl/Assertions20SchemaValidators.cpp

   1 /*
   2 *  Copyright 2001-2006 Internet2
   3  *
   4 * Licensed under the Apache License, Version 2.0 (the "License");
   5  * you may not use this file except in compliance with the License.
   6  * You may obtain a copy of the License at
   7  *
   8  *     http://www.apache.org/licenses/LICENSE-2.0
   9  *
  10  * Unless required by applicable law or agreed to in writing, software
  11  * distributed under the License is distributed on an "AS IS" BASIS,
  12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  13  * See the License for the specific language governing permissions and
  14  * limitations under the License.
  15  */
  16
  17 /**
  18  * Assertions20SchemaValidators.cpp
  19  *
  20  * Schema-based validators for SAML 2.0 Assertions classes
  21  */
  22
  23 #include "internal.h"
  24 #include "exceptions.h"
  25 #include "saml2/core/Assertions.h"
  26
  27 #include <xmltooling/validation/ValidatorSuite.h>
  28
  29 using namespace opensaml::saml2;
  30 using namespace opensaml;
  31 using namespace xmltooling;
  32 using namespace std;
  33
  34 namespace opensaml {
  35     namespace saml2 {
  36
  37         XMLOBJECTVALIDATOR_SIMPLE(SAML_DLLLOCAL,Action);
  38         XMLOBJECTVALIDATOR_SIMPLE(SAML_DLLLOCAL,AssertionIDRef);
  39         XMLOBJECTVALIDATOR_SIMPLE(SAML_DLLLOCAL,AssertionURIRef);
  40         XMLOBJECTVALIDATOR_SIMPLE(SAML_DLLLOCAL,Audience);
  41         XMLOBJECTVALIDATOR_SIMPLE(SAML_DLLLOCAL,AuthnContextClassRef);
  42         XMLOBJECTVALIDATOR_SIMPLE(SAML_DLLLOCAL,AuthnContextDeclRef);
  43         XMLOBJECTVALIDATOR_SIMPLE(SAML_DLLLOCAL,AuthenticatingAuthority);
  44         XMLOBJECTVALIDATOR_SIMPLE(SAML_DLLLOCAL,NameIDType);
  45         XMLOBJECTVALIDATOR_SIMPLE(SAML_DLLLOCAL,NameID);
  46         XMLOBJECTVALIDATOR_SIMPLE(SAML_DLLLOCAL,Issuer);
  47
  48         BEGIN_XMLOBJECTVALIDATOR(SAML_DLLLOCAL,EncryptedElementType);
  49             XMLOBJECTVALIDATOR_REQUIRE(EncryptedElementType,EncryptedData);
  50         END_XMLOBJECTVALIDATOR;
  51
  52         BEGIN_XMLOBJECTVALIDATOR_SUB(SAML_DLLLOCAL,EncryptedID,EncryptedElementType);
  53             EncryptedElementTypeSchemaValidator::validate(xmlObject);
  54         END_XMLOBJECTVALIDATOR;
  55
  56         BEGIN_XMLOBJECTVALIDATOR_SUB(SAML_DLLLOCAL,EncryptedAttribute,EncryptedElementType);
  57             EncryptedElementTypeSchemaValidator::validate(xmlObject);
  58         END_XMLOBJECTVALIDATOR;
  59
  60         BEGIN_XMLOBJECTVALIDATOR_SUB(SAML_DLLLOCAL,EncryptedAssertion,EncryptedElementType);
  61             EncryptedElementTypeSchemaValidator::validate(xmlObject);
  62         END_XMLOBJECTVALIDATOR;
  63
  64         BEGIN_XMLOBJECTVALIDATOR(SAML_DLLLOCAL,AudienceRestriction);
  65             XMLOBJECTVALIDATOR_NONEMPTY(AudienceRestriction,Audience);
  66         END_XMLOBJECTVALIDATOR;
  67
  68         BEGIN_XMLOBJECTVALIDATOR(SAML_DLLLOCAL,ProxyRestriction);
  69             if (ptr->getAudiences().empty()) {
  70                 XMLOBJECTVALIDATOR_REQUIRE_INTEGER(ProxyRestriction,Count);
  71             }
  72         END_XMLOBJECTVALIDATOR;
  73
  74         BEGIN_XMLOBJECTVALIDATOR(SAML_DLLLOCAL,Conditions);
  75             if (!ptr->hasChildren()) {
  76                 XMLOBJECTVALIDATOR_ONEOF(Conditions,NotBefore,NotOnOrAfter);
  77             }
  78         END_XMLOBJECTVALIDATOR;
  79
  80         BEGIN_XMLOBJECTVALIDATOR(SAML_DLLLOCAL,KeyInfoConfirmationDataType);
  81             XMLOBJECTVALIDATOR_NONEMPTY(KeyInfoConfirmationDataType,KeyInfo);
  82         END_XMLOBJECTVALIDATOR;
  83
  84         BEGIN_XMLOBJECTVALIDATOR(SAML_DLLLOCAL,SubjectConfirmation);
  85             XMLOBJECTVALIDATOR_REQUIRE(SubjectConfirmation,Method);
  86             int count=0;
  87             if (ptr->getBaseID())
  88                 count++;
  89             if (ptr->getNameID())
  90                 count++;
  91             if (ptr->getEncryptedID())
  92                 count++;
  93             if (count > 1)
  94                 throw ValidationException("SubjectConfirmation cannot contain multiple identifier elements.");
  95         END_XMLOBJECTVALIDATOR;
  96
  97         BEGIN_XMLOBJECTVALIDATOR(SAML_DLLLOCAL,Subject);
  98             int count=0;
  99             if (ptr->getBaseID())
 100                 count++;
 101             if (ptr->getNameID())
 102                 count++;
 103             if (ptr->getEncryptedID())
 104                 count++;
 105             if (count > 1)
 106                 throw ValidationException("Subject cannot contain multiple identifier elements.");
 107         END_XMLOBJECTVALIDATOR;
 108
 109         BEGIN_XMLOBJECTVALIDATOR(SAML_DLLLOCAL,SubjectLocality);
 110             XMLOBJECTVALIDATOR_ONEOF(SubjectLocality,Address,DNSName);
 111         END_XMLOBJECTVALIDATOR;
 112
 113         BEGIN_XMLOBJECTVALIDATOR(SAML_DLLLOCAL,AuthnContext);
 114             if (!ptr->getAuthnContextClassRef()) {
 115                 XMLOBJECTVALIDATOR_ONLYONEOF(AuthnContext,AuthnContextDeclRef,AuthnContextDecl);
 116             }
 117         END_XMLOBJECTVALIDATOR;
 118
 119         BEGIN_XMLOBJECTVALIDATOR(SAML_DLLLOCAL,AuthnStatement);
 120             XMLOBJECTVALIDATOR_REQUIRE(AuthnStatement,AuthnInstant);
 121             XMLOBJECTVALIDATOR_REQUIRE(AuthnStatement,AuthnContext);
 122         END_XMLOBJECTVALIDATOR;
 123
 124         BEGIN_XMLOBJECTVALIDATOR(SAML_DLLLOCAL,Evidence);
 125             if (!ptr->hasChildren())
 126                 throw ValidationException("Evidence must have at least one child element.");
 127         END_XMLOBJECTVALIDATOR;
 128
 129         BEGIN_XMLOBJECTVALIDATOR(SAML_DLLLOCAL,AuthzDecisionStatement);
 130             XMLOBJECTVALIDATOR_REQUIRE(AuthzDecisionStatement,Resource);
 131             XMLOBJECTVALIDATOR_REQUIRE(AuthzDecisionStatement,Decision);
 132             if (!XMLString::equals(ptr->getDecision(),AuthzDecisionStatement::DECISION_PERMIT) &&
 133                 !XMLString::equals(ptr->getDecision(),AuthzDecisionStatement::DECISION_DENY) &&
 134                 !XMLString::equals(ptr->getDecision(),AuthzDecisionStatement::DECISION_INDETERMINATE))
 135                 throw ValidationException("Decision must be one of Deny, Permit, or Indeterminate.");
 136             XMLOBJECTVALIDATOR_NONEMPTY(AuthzDecisionStatement,Action);
 137         END_XMLOBJECTVALIDATOR;
 138
 139         BEGIN_XMLOBJECTVALIDATOR(SAML_DLLLOCAL,Attribute);
 140             XMLOBJECTVALIDATOR_REQUIRE(Attribute,Name);
 141         END_XMLOBJECTVALIDATOR;
 142
 143         BEGIN_XMLOBJECTVALIDATOR(SAML_DLLLOCAL,AttributeStatement);
 144             XMLOBJECTVALIDATOR_NONEMPTY(AttributeStatement,Attribute);
 145         END_XMLOBJECTVALIDATOR;
 146
 147         BEGIN_XMLOBJECTVALIDATOR(SAML_DLLLOCAL,Assertion);
 148             XMLOBJECTVALIDATOR_REQUIRE(Assertion,Version);
 149             XMLOBJECTVALIDATOR_REQUIRE(Assertion,ID);
 150             XMLOBJECTVALIDATOR_REQUIRE(Assertion,IssueInstant);
 151             XMLOBJECTVALIDATOR_REQUIRE(Assertion,Issuer);
 152             if ((!ptr->getAuthnStatements().empty() ||
 153                 !ptr->getAttributeStatements().empty() ||
 154                 !ptr->getAuthzDecisionStatements().empty()) && !ptr->getSubject())
 155                 throw ValidationException("Assertion with standard statements must have a Subject.");
 156         END_XMLOBJECTVALIDATOR;
 157
 158         class SAML_DLLLOCAL checkWildcardNS {
 159         public:
 160             void operator()(const XMLObject* xmlObject) const {
 161                 const XMLCh* ns=xmlObject->getElementQName().getNamespaceURI();
 162                 if (XMLString::equals(ns,SAMLConstants::SAML20_NS) || !ns || !*ns) {
 163                     throw ValidationException(
 164                         "Object contains an illegal extension child element ($1).",
 165                         params(1,xmlObject->getElementQName().toString().c_str())
 166                         );
 167                 }
 168             }
 169         };
 170
 171         BEGIN_XMLOBJECTVALIDATOR(SAML_DLLLOCAL,Advice);
 172             const vector<XMLObject*>& anys=ptr->getOthers();
 173             for_each(anys.begin(),anys.end(),checkWildcardNS());
 174         END_XMLOBJECTVALIDATOR;
 175
 176     };
 177 };
 178
 179 #define REGISTER_ELEMENT(cname) \
 180     q=QName(SAMLConstants::SAML20_NS,cname::LOCAL_NAME); \
 181     XMLObjectBuilder::registerBuilder(q,new cname##Builder()); \
 182     SchemaValidators.registerValidator(q,new cname##SchemaValidator())
 183
 184 #define REGISTER_TYPE(cname) \
 185     q=QName(SAMLConstants::SAML20_NS,cname::TYPE_NAME); \
 186     XMLObjectBuilder::registerBuilder(q,new cname##Builder()); \
 187     SchemaValidators.registerValidator(q,new cname##SchemaValidator())
 188
 189 #define REGISTER_ELEMENT_NOVAL(cname) \
 190     q=QName(SAMLConstants::SAML20_NS,cname::LOCAL_NAME); \
 191     XMLObjectBuilder::registerBuilder(q,new cname##Builder());
 192
 193 #define REGISTER_TYPE_NOVAL(cname) \
 194     q=QName(SAMLConstants::SAML20_NS,cname::TYPE_NAME); \
 195     XMLObjectBuilder::registerBuilder(q,new cname##Builder());
 196
 197 void opensaml::saml2::registerAssertionClasses() {
 198     QName q;
 199     REGISTER_ELEMENT(Action);
 200     REGISTER_ELEMENT(Advice);
 201     REGISTER_ELEMENT(Assertion);
 202     REGISTER_ELEMENT(AssertionIDRef);
 203     REGISTER_ELEMENT(AssertionURIRef);
 204     REGISTER_ELEMENT(Attribute);
 205     REGISTER_ELEMENT(AttributeStatement);
 206     REGISTER_ELEMENT_NOVAL(AttributeValue);
 207     REGISTER_ELEMENT(Audience);
 208     REGISTER_ELEMENT(AudienceRestriction);
 209     REGISTER_ELEMENT(AuthenticatingAuthority);
 210     REGISTER_ELEMENT(AuthnContext);
 211     REGISTER_ELEMENT(AuthnContextClassRef);
 212     REGISTER_ELEMENT_NOVAL(AuthnContextDecl);
 213     REGISTER_ELEMENT(AuthnContextDeclRef);
 214     REGISTER_ELEMENT(AuthnStatement);
 215     REGISTER_ELEMENT(AuthzDecisionStatement);
 216     REGISTER_ELEMENT(Conditions);
 217     REGISTER_ELEMENT(EncryptedAssertion);
 218     REGISTER_ELEMENT(EncryptedAttribute);
 219     REGISTER_ELEMENT(EncryptedID);
 220     REGISTER_ELEMENT(Evidence);
 221     REGISTER_ELEMENT(Issuer);
 222     REGISTER_ELEMENT(NameID);
 223     REGISTER_ELEMENT_NOVAL(OneTimeUse);
 224     REGISTER_ELEMENT(ProxyRestriction);
 225     REGISTER_ELEMENT(Subject);
 226     REGISTER_ELEMENT(SubjectConfirmation);
 227     REGISTER_ELEMENT_NOVAL(SubjectConfirmationData);
 228     REGISTER_ELEMENT(SubjectLocality);
 229     REGISTER_TYPE(Action);
 230     REGISTER_TYPE(Advice);
 231     REGISTER_TYPE(Assertion);
 232     REGISTER_TYPE(Attribute);
 233     REGISTER_TYPE(AttributeStatement);
 234     REGISTER_TYPE(AudienceRestriction);
 235     REGISTER_TYPE(AuthnContext);
 236     REGISTER_TYPE(AuthnStatement);
 237     REGISTER_TYPE(AuthzDecisionStatement);
 238     REGISTER_TYPE(Conditions);
 239     REGISTER_TYPE(Evidence);
 240     REGISTER_TYPE(KeyInfoConfirmationDataType);
 241     REGISTER_TYPE(NameIDType);
 242     REGISTER_TYPE_NOVAL(OneTimeUse);
 243     REGISTER_TYPE(ProxyRestriction);
 244     REGISTER_TYPE(Subject);
 245     REGISTER_TYPE(SubjectConfirmation);
 246     REGISTER_TYPE(SubjectLocality);
 247 }