projects / shibboleth / cpp-opensaml.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
Reducing header overuse, non-inlining selected methods (CPPOST-35).
[shibboleth/cpp-opensaml.git] / saml / saml2 / core / impl / Protocols20SchemaValidators.cpp
1 /*
2 *  Copyright 2001-2009 Internet2
3  * 
4 * Licensed under the Apache License, Version 2.0 (the "License");
5  * you may not use this file except in compliance with the License.
6  * You may obtain a copy of the License at
7  *
8  *     http://www.apache.org/licenses/LICENSE-2.0
9  *
10  * Unless required by applicable law or agreed to in writing, software
11  * distributed under the License is distributed on an "AS IS" BASIS,
12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13  * See the License for the specific language governing permissions and
14  * limitations under the License.
15  */
16
17 /**
18  * Protocols20SchemaValidators.cpp
19  * 
20  * Schema-based validators for SAML 2.0 Protocols classes.
21  */
22
23 #include "internal.h"
24 #include "exceptions.h"
25 #include "saml2/core/Protocols.h"
26
27 #include <xmltooling/validation/Validator.h>
28 #include <xmltooling/validation/ValidatorSuite.h>
29
30 using namespace opensaml::saml2p;
31 using namespace opensaml::saml2;
32 using namespace opensaml;
33 using namespace xmltooling;
34 using namespace std;
35 using samlconstants::SAML20P_NS;
36
37 namespace opensaml {
38     namespace saml2p {
39         
40         XMLOBJECTVALIDATOR_SIMPLE(SAML_DLLLOCAL,Artifact);
41         XMLOBJECTVALIDATOR_SIMPLE(SAML_DLLLOCAL,GetComplete);
42         XMLOBJECTVALIDATOR_SIMPLE(SAML_DLLLOCAL,NewID);
43         XMLOBJECTVALIDATOR_SIMPLE(SAML_DLLLOCAL,RequesterID);
44         XMLOBJECTVALIDATOR_SIMPLE(SAML_DLLLOCAL,SessionIndex);
45         XMLOBJECTVALIDATOR_SIMPLE(SAML_DLLLOCAL,StatusMessage);
46         
47         XMLOBJECTVALIDATOR_SIMPLE(SAML_DLLLOCAL,RespondTo);
48
49         //TODO wildcard NS ##other - spec says must be a "non-SAML defined" namespace,
50         // not just other than the target namespace
51         class SAML_DLLLOCAL checkWildcardNS {
52         public:
53             void operator()(const XMLObject* xmlObject) const {
54                 const XMLCh* ns=xmlObject->getElementQName().getNamespaceURI();
55                 if (XMLString::equals(ns,SAML20P_NS) || !ns || !*ns) {
56                     throw ValidationException(
57                         "Object contains an illegal extension child element ($1).",
58                         params(1,xmlObject->getElementQName().toString().c_str())
59                         );
60                 }
61             }
62         };
63
64         BEGIN_XMLOBJECTVALIDATOR(SAML_DLLLOCAL,RequestAbstractType);
65             XMLOBJECTVALIDATOR_REQUIRE(RequestAbstractType,ID);
66             XMLOBJECTVALIDATOR_REQUIRE(RequestAbstractType,Version);
67             XMLOBJECTVALIDATOR_REQUIRE(RequestAbstractType,IssueInstant);
68             if (!XMLString::equals(samlconstants::SAML20_VERSION, ptr->getVersion()))
69                 throw ValidationException("Request has wrong SAML Version.");
70         END_XMLOBJECTVALIDATOR;
71
72         BEGIN_XMLOBJECTVALIDATOR_SUB(SAML_DLLLOCAL,SubjectQuery,RequestAbstractType);
73             RequestAbstractTypeSchemaValidator::validate(xmlObject);
74             XMLOBJECTVALIDATOR_REQUIRE(SubjectQuery,Subject);
75         END_XMLOBJECTVALIDATOR;
76
77         BEGIN_XMLOBJECTVALIDATOR(SAML_DLLLOCAL,StatusResponseType);
78             XMLOBJECTVALIDATOR_REQUIRE(StatusResponseType,ID);
79             XMLOBJECTVALIDATOR_REQUIRE(StatusResponseType,Version);
80             XMLOBJECTVALIDATOR_REQUIRE(StatusResponseType,IssueInstant);
81             XMLOBJECTVALIDATOR_REQUIRE(StatusResponseType,Status);
82             if (!XMLString::equals(samlconstants::SAML20_VERSION, ptr->getVersion()))
83                 throw ValidationException("StatusResponse has wrong SAML Version.");
84         END_XMLOBJECTVALIDATOR;
85
86         BEGIN_XMLOBJECTVALIDATOR(SAML_DLLLOCAL,Extensions);
87             if (!ptr->hasChildren())
88                 throw ValidationException("Extensions must have at least one child element.");
89             const vector<XMLObject*>& anys=ptr->getUnknownXMLObjects();
90             for_each(anys.begin(),anys.end(),checkWildcardNS());
91         END_XMLOBJECTVALIDATOR;
92
93         BEGIN_XMLOBJECTVALIDATOR(SAML_DLLLOCAL,StatusCode);
94             XMLOBJECTVALIDATOR_REQUIRE(StatusCode,Value);
95
96             //TODO test this !!!
97             // If this is a top-level StatusCode (ie. parent is a Status),
98             // then there are only 4 valid values per SAML Core.
99             if (ptr->getParent()!=NULL && ptr->getParent()->getElementQName().hasLocalPart())
100             {
101                 xmltooling::QName pq = ptr->getParent()->getElementQName();
102
103                 if ( XMLString::equals(pq.getNamespaceURI(), SAML20P_NS) &&
104                         XMLString::equals(pq.getLocalPart(), Status::LOCAL_NAME))
105                 {
106                     const XMLCh* code = ptr->getValue();
107
108                     if (!XMLString::equals(code, StatusCode::SUCCESS) &&
109                         !XMLString::equals(code, StatusCode::REQUESTER) &&
110                         !XMLString::equals(code, StatusCode::RESPONDER) &&
111                         !XMLString::equals(code, StatusCode::VERSION_MISMATCH) )
112                     {
113                         throw ValidationException("Invalid value for top-level StatusCode");
114                     }
115                 }
116             }
117         END_XMLOBJECTVALIDATOR;
118
119         BEGIN_XMLOBJECTVALIDATOR(SAML_DLLLOCAL,Status);
120             XMLOBJECTVALIDATOR_REQUIRE(Status,StatusCode);
121         END_XMLOBJECTVALIDATOR;
122
123         BEGIN_XMLOBJECTVALIDATOR_SUB(SAML_DLLLOCAL,AssertionIDRequest,RequestAbstractType);
124             RequestAbstractTypeSchemaValidator::validate(xmlObject);
125             XMLOBJECTVALIDATOR_NONEMPTY(AssertionIDRequest,AssertionIDRef);
126         END_XMLOBJECTVALIDATOR;
127
128         BEGIN_XMLOBJECTVALIDATOR(SAML_DLLLOCAL,RequestedAuthnContext);
129             if (ptr->getAuthnContextClassRefs().empty() && ptr->getAuthnContextDeclRefs().empty())
130                 throw xmltooling::ValidationException("RequestedAuthnContext must have at least one AuthnContextClassRef or AuthnContextDeclRef"); 
131             if (!ptr->getAuthnContextClassRefs().empty() && !ptr->getAuthnContextDeclRefs().empty())
132                 throw xmltooling::ValidationException("RequestedAuthnContext may not have both AuthnContextClassRef and AuthnContextDeclRef"); 
133             if (!XMLString::equals(ptr->getComparison(),RequestedAuthnContext::COMPARISON_EXACT) &&
134                 !XMLString::equals(ptr->getComparison(),RequestedAuthnContext::COMPARISON_MINIMUM) &&
135                 !XMLString::equals(ptr->getComparison(),RequestedAuthnContext::COMPARISON_MAXIMUM) &&
136                 !XMLString::equals(ptr->getComparison(),RequestedAuthnContext::COMPARISON_BETTER))
137                 throw ValidationException("RequestedAuthnContext Comparison attribute must be one of: 'exact', 'minimum', 'maximum', or 'better'.");
138         END_XMLOBJECTVALIDATOR;
139
140         BEGIN_XMLOBJECTVALIDATOR_SUB(SAML_DLLLOCAL,AuthnQuery,SubjectQuery);
141             SubjectQuerySchemaValidator::validate(xmlObject);
142         END_XMLOBJECTVALIDATOR;
143
144         BEGIN_XMLOBJECTVALIDATOR_SUB(SAML_DLLLOCAL,AttributeQuery,SubjectQuery);
145             SubjectQuerySchemaValidator::validate(xmlObject);
146             //TODO Name/NameFormat pairs of child Attributes must be unique 
147             //   - whether and how to implement efficiently?
148         END_XMLOBJECTVALIDATOR;
149
150         BEGIN_XMLOBJECTVALIDATOR_SUB(SAML_DLLLOCAL,AuthzDecisionQuery,SubjectQuery);
151             SubjectQuerySchemaValidator::validate(xmlObject);
152             XMLOBJECTVALIDATOR_REQUIRE(AuthzDecisionQuery,Resource);
153             XMLOBJECTVALIDATOR_NONEMPTY(AuthzDecisionQuery,Action);
154         END_XMLOBJECTVALIDATOR;
155
156         BEGIN_XMLOBJECTVALIDATOR(SAML_DLLLOCAL,IDPEntry);
157             XMLOBJECTVALIDATOR_REQUIRE(IDPEntry,ProviderID);
158         END_XMLOBJECTVALIDATOR;
159
160         BEGIN_XMLOBJECTVALIDATOR(SAML_DLLLOCAL,IDPList);
161             XMLOBJECTVALIDATOR_NONEMPTY(IDPList,IDPEntry);
162         END_XMLOBJECTVALIDATOR;
163
164         BEGIN_XMLOBJECTVALIDATOR(SAML_DLLLOCAL,Scoping);
165             pair<bool,int> pc = ptr->getProxyCount();
166             if (pc.first && pc.second < 0) 
167                 throw xmltooling::ValidationException("ProxyCount attribute on Scoping element must be non-negative"); 
168         END_XMLOBJECTVALIDATOR;
169
170         BEGIN_XMLOBJECTVALIDATOR_SUB(SAML_DLLLOCAL,AuthnRequest,RequestAbstractType);
171             RequestAbstractTypeSchemaValidator::validate(xmlObject);
172             if (ptr->getAssertionConsumerServiceIndex().first 
173                     && (ptr->getAssertionConsumerServiceURL()!=NULL || ptr->getProtocolBinding()!=NULL))
174                 throw xmltooling::ValidationException("On AuthnRequest AssertionConsumerServiceIndex is mutually exclusive with both AssertionConsumerServiceURL and ProtocolBinding");
175         END_XMLOBJECTVALIDATOR;
176
177         BEGIN_XMLOBJECTVALIDATOR_SUB(SAML_DLLLOCAL,Response,StatusResponseType);
178             StatusResponseTypeSchemaValidator::validate(xmlObject);
179         END_XMLOBJECTVALIDATOR;
180
181         BEGIN_XMLOBJECTVALIDATOR_SUB(SAML_DLLLOCAL,ArtifactResolve,RequestAbstractType);
182             RequestAbstractTypeSchemaValidator::validate(xmlObject);
183             XMLOBJECTVALIDATOR_REQUIRE(ArtifactResolve,Artifact);
184         END_XMLOBJECTVALIDATOR;
185
186         BEGIN_XMLOBJECTVALIDATOR_SUB(SAML_DLLLOCAL,ArtifactResponse,StatusResponseType);
187             StatusResponseTypeSchemaValidator::validate(xmlObject);
188         END_XMLOBJECTVALIDATOR;
189
190         BEGIN_XMLOBJECTVALIDATOR(SAML_DLLLOCAL,NewEncryptedID);
191             XMLOBJECTVALIDATOR_REQUIRE(NewEncryptedID,EncryptedData);
192         END_XMLOBJECTVALIDATOR;
193
194         BEGIN_XMLOBJECTVALIDATOR_SUB(SAML_DLLLOCAL,ManageNameIDRequest,RequestAbstractType);
195             RequestAbstractTypeSchemaValidator::validate(xmlObject);
196             XMLOBJECTVALIDATOR_ONLYONEOF(ManageNameIDRequest,NameID,EncryptedID);
197             XMLOBJECTVALIDATOR_ONLYONEOF3(ManageNameIDRequest,NewID,NewEncryptedID,Terminate);
198         END_XMLOBJECTVALIDATOR;
199
200         BEGIN_XMLOBJECTVALIDATOR_SUB(SAML_DLLLOCAL,ManageNameIDResponse,StatusResponseType);
201             StatusResponseTypeSchemaValidator::validate(xmlObject);
202         END_XMLOBJECTVALIDATOR;
203
204         BEGIN_XMLOBJECTVALIDATOR_SUB(SAML_DLLLOCAL,LogoutRequest,RequestAbstractType);
205             RequestAbstractTypeSchemaValidator::validate(xmlObject);
206             XMLOBJECTVALIDATOR_ONLYONEOF3(LogoutRequest,BaseID,NameID,EncryptedID);
207         END_XMLOBJECTVALIDATOR;
208
209         BEGIN_XMLOBJECTVALIDATOR_SUB(SAML_DLLLOCAL,LogoutResponse,StatusResponseType);
210             StatusResponseTypeSchemaValidator::validate(xmlObject);
211         END_XMLOBJECTVALIDATOR;
212
213         BEGIN_XMLOBJECTVALIDATOR_SUB(SAML_DLLLOCAL,NameIDMappingRequest,RequestAbstractType);
214             RequestAbstractTypeSchemaValidator::validate(xmlObject);
215             XMLOBJECTVALIDATOR_ONLYONEOF3(NameIDMappingRequest,BaseID,NameID,EncryptedID);
216             XMLOBJECTVALIDATOR_REQUIRE(NameIDMappingRequest,NameIDPolicy);
217         END_XMLOBJECTVALIDATOR;
218
219         BEGIN_XMLOBJECTVALIDATOR_SUB(SAML_DLLLOCAL,NameIDMappingResponse,StatusResponseType);
220             StatusResponseTypeSchemaValidator::validate(xmlObject);
221             XMLOBJECTVALIDATOR_ONLYONEOF(NameIDMappingResponse,NameID,EncryptedID);
222         END_XMLOBJECTVALIDATOR;
223
224
225     };
226 };
227
228 #define REGISTER_ELEMENT(cname) \
229     q=xmltooling::QName(SAML20P_NS,cname::LOCAL_NAME); \
230     XMLObjectBuilder::registerBuilder(q,new cname##Builder()); \
231     SchemaValidators.registerValidator(q,new cname##SchemaValidator())
232     
233 #define REGISTER_TYPE(cname) \
234     q=xmltooling::QName(SAML20P_NS,cname::TYPE_NAME); \
235     XMLObjectBuilder::registerBuilder(q,new cname##Builder()); \
236     SchemaValidators.registerValidator(q,new cname##SchemaValidator())
237
238 #define REGISTER_ELEMENT_NOVAL(cname) \
239     q=xmltooling::QName(SAML20P_NS,cname::LOCAL_NAME); \
240     XMLObjectBuilder::registerBuilder(q,new cname##Builder());
241     
242 #define REGISTER_TYPE_NOVAL(cname) \
243     q=xmltooling::QName(SAML20P_NS,cname::TYPE_NAME); \
244     XMLObjectBuilder::registerBuilder(q,new cname##Builder());
245
246 void opensaml::saml2p::registerProtocolClasses() {
247     xmltooling::QName q;
248     REGISTER_ELEMENT(Artifact);
249     REGISTER_ELEMENT(ArtifactResolve);
250     REGISTER_ELEMENT(ArtifactResponse);
251     REGISTER_ELEMENT(AssertionIDRequest);
252     REGISTER_ELEMENT(AttributeQuery);
253     REGISTER_ELEMENT(AuthnQuery);
254     REGISTER_ELEMENT(AuthnRequest);
255     REGISTER_ELEMENT(AuthzDecisionQuery);
256     REGISTER_ELEMENT(Extensions);
257     REGISTER_ELEMENT(GetComplete);
258     REGISTER_ELEMENT(IDPEntry);
259     REGISTER_ELEMENT(IDPList);
260     REGISTER_ELEMENT(LogoutRequest);
261     REGISTER_ELEMENT(LogoutResponse);
262     REGISTER_ELEMENT(ManageNameIDRequest);
263     REGISTER_ELEMENT(ManageNameIDResponse);
264     REGISTER_ELEMENT(NameIDMappingRequest);
265     REGISTER_ELEMENT(NameIDMappingResponse);
266     REGISTER_ELEMENT_NOVAL(NameIDPolicy);
267     REGISTER_ELEMENT(NewEncryptedID);
268     REGISTER_ELEMENT(NewID);
269     REGISTER_ELEMENT(RequestedAuthnContext);
270     REGISTER_ELEMENT(RequesterID);
271     REGISTER_ELEMENT(Response);
272     REGISTER_ELEMENT(Scoping);
273     REGISTER_ELEMENT(SessionIndex);
274     REGISTER_ELEMENT(Status);
275     REGISTER_ELEMENT(StatusCode);
276     REGISTER_ELEMENT_NOVAL(StatusDetail);
277     REGISTER_ELEMENT(StatusMessage);
278     REGISTER_ELEMENT_NOVAL(Terminate);
279     REGISTER_TYPE(ArtifactResolve);
280     REGISTER_TYPE(ArtifactResponse);
281     REGISTER_TYPE(AssertionIDRequest);
282     REGISTER_TYPE(AttributeQuery);
283     REGISTER_TYPE(AuthnQuery);
284     REGISTER_TYPE(AuthnRequest);
285     REGISTER_TYPE(AuthzDecisionQuery);
286     REGISTER_TYPE(Extensions);
287     REGISTER_TYPE(IDPEntry);
288     REGISTER_TYPE(IDPList);
289     REGISTER_TYPE(LogoutRequest);
290     REGISTER_TYPE(ManageNameIDRequest);
291     REGISTER_TYPE(NameIDMappingRequest);
292     REGISTER_TYPE(NameIDMappingResponse);
293     REGISTER_TYPE_NOVAL(NameIDPolicy);
294     REGISTER_TYPE(RequestedAuthnContext);
295     REGISTER_TYPE(Response);
296     REGISTER_TYPE(Scoping);
297     REGISTER_TYPE(Status);
298     REGISTER_TYPE(StatusCode);
299     REGISTER_TYPE_NOVAL(StatusDetail);
300     REGISTER_TYPE_NOVAL(Terminate);
301
302     q=xmltooling::QName(samlconstants::SAML20P_THIRDPARTY_EXT_NS,RespondTo::LOCAL_NAME);
303     XMLObjectBuilder::registerBuilder(q,new RespondToBuilder());
304     SchemaValidators.registerValidator(q,new RespondToSchemaValidator());
305 }
Unnamed repository; edit this file 'description' to name the repository.