2 * Copyright 2001-2006 Internet2
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
8 * http://www.apache.org/licenses/LICENSE-2.0
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
18 * Protocols20SchemaValidators.cpp
20 * Schema-based validators for SAML 2.0 Protocols classes
24 #include "exceptions.h"
25 #include "saml2/core/Protocols.h"
27 #include <xmltooling/validation/ValidatorSuite.h>
29 using namespace opensaml::saml2p;
30 using namespace opensaml::saml2;
31 using namespace opensaml;
32 using namespace xmltooling;
38 XMLOBJECTVALIDATOR_SIMPLE(SAML_DLLLOCAL,Artifact);
39 XMLOBJECTVALIDATOR_SIMPLE(SAML_DLLLOCAL,GetComplete);
40 XMLOBJECTVALIDATOR_SIMPLE(SAML_DLLLOCAL,NewID);
41 XMLOBJECTVALIDATOR_SIMPLE(SAML_DLLLOCAL,RequesterID);
42 XMLOBJECTVALIDATOR_SIMPLE(SAML_DLLLOCAL,SessionIndex);
43 XMLOBJECTVALIDATOR_SIMPLE(SAML_DLLLOCAL,StatusMessage);
45 XMLOBJECTVALIDATOR_SIMPLE(SAML_DLLLOCAL,RespondTo);
47 //TODO wildcard NS ##other - spec says must be a "non-SAML defined" namespace,
48 // not just other than the target namespace
49 class SAML_DLLLOCAL checkWildcardNS {
51 void operator()(const XMLObject* xmlObject) const {
52 const XMLCh* ns=xmlObject->getElementQName().getNamespaceURI();
53 if (XMLString::equals(ns,SAMLConstants::SAML20P_NS) || !ns || !*ns) {
54 throw ValidationException(
55 "Object contains an illegal extension child element ($1).",
56 params(1,xmlObject->getElementQName().toString().c_str())
62 BEGIN_XMLOBJECTVALIDATOR(SAML_DLLLOCAL,RequestAbstractType);
63 XMLOBJECTVALIDATOR_REQUIRE(RequestAbstractType,ID);
64 XMLOBJECTVALIDATOR_REQUIRE(RequestAbstractType,Version);
65 XMLOBJECTVALIDATOR_REQUIRE(RequestAbstractType,IssueInstant);
66 if (!XMLString::equals(SAMLConstants::SAML20_VERSION, ptr->getVersion()))
67 throw ValidationException("Request has wrong SAML Version.");
68 END_XMLOBJECTVALIDATOR;
70 BEGIN_XMLOBJECTVALIDATOR_SUB(SAML_DLLLOCAL,SubjectQuery,RequestAbstractType);
71 RequestAbstractTypeSchemaValidator::validate(xmlObject);
72 XMLOBJECTVALIDATOR_REQUIRE(SubjectQuery,Subject);
73 END_XMLOBJECTVALIDATOR;
75 BEGIN_XMLOBJECTVALIDATOR(SAML_DLLLOCAL,StatusResponseType);
76 XMLOBJECTVALIDATOR_REQUIRE(StatusResponseType,ID);
77 XMLOBJECTVALIDATOR_REQUIRE(StatusResponseType,Version);
78 XMLOBJECTVALIDATOR_REQUIRE(StatusResponseType,IssueInstant);
79 XMLOBJECTVALIDATOR_REQUIRE(StatusResponseType,Status);
80 if (!XMLString::equals(SAMLConstants::SAML20_VERSION, ptr->getVersion()))
81 throw ValidationException("StatusResponse has wrong SAML Version.");
82 END_XMLOBJECTVALIDATOR;
84 BEGIN_XMLOBJECTVALIDATOR(SAML_DLLLOCAL,Extensions);
85 if (!ptr->hasChildren())
86 throw ValidationException("Extensions must have at least one child element.");
87 const list<XMLObject*>& anys=ptr->getXMLObjects();
88 for_each(anys.begin(),anys.end(),checkWildcardNS());
89 END_XMLOBJECTVALIDATOR;
91 BEGIN_XMLOBJECTVALIDATOR(SAML_DLLLOCAL,StatusCode);
92 XMLOBJECTVALIDATOR_REQUIRE(StatusCode,Value);
95 // If this is a top-level StatusCode (ie. parent is a Status),
96 // then there are only 4 valid values per SAML Core.
97 if (ptr->getParent()!=NULL && ptr->getParent()->getElementQName().hasLocalPart())
99 QName pq = ptr->getParent()->getElementQName();
101 if ( XMLString::equals(pq.getNamespaceURI(), SAMLConstants::SAML20P_NS) &&
102 XMLString::equals(pq.getLocalPart(), Status::LOCAL_NAME))
104 const XMLCh* code = ptr->getValue();
106 if (!XMLString::equals(code, StatusCode::SUCCESS) &&
107 !XMLString::equals(code, StatusCode::REQUESTER) &&
108 !XMLString::equals(code, StatusCode::RESPONDER) &&
109 !XMLString::equals(code, StatusCode::VERSION_MISMATCH) )
111 throw ValidationException("Invalid value for top-level StatusCode");
115 END_XMLOBJECTVALIDATOR;
117 BEGIN_XMLOBJECTVALIDATOR(SAML_DLLLOCAL,Status);
118 XMLOBJECTVALIDATOR_REQUIRE(Status,StatusCode);
119 END_XMLOBJECTVALIDATOR;
121 BEGIN_XMLOBJECTVALIDATOR_SUB(SAML_DLLLOCAL,AssertionIDRequest,RequestAbstractType);
122 RequestAbstractTypeSchemaValidator::validate(xmlObject);
123 XMLOBJECTVALIDATOR_NONEMPTY(AssertionIDRequest,AssertionIDRef);
124 END_XMLOBJECTVALIDATOR;
126 BEGIN_XMLOBJECTVALIDATOR(SAML_DLLLOCAL,RequestedAuthnContext);
127 if (ptr->getAuthnContextClassRefs().empty() && ptr->getAuthnContextDeclRefs().empty())
128 throw xmltooling::ValidationException("RequestedAuthnContext must have at least one AuthnContextClassRef or AuthnContextDeclRef");
129 if (!ptr->getAuthnContextClassRefs().empty() && !ptr->getAuthnContextDeclRefs().empty())
130 throw xmltooling::ValidationException("RequestedAuthnContext may not have both AuthnContextClassRef and AuthnContextDeclRef");
131 if (!XMLString::equals(ptr->getComparison(),RequestedAuthnContext::COMPARISON_EXACT) &&
132 !XMLString::equals(ptr->getComparison(),RequestedAuthnContext::COMPARISON_MINIMUM) &&
133 !XMLString::equals(ptr->getComparison(),RequestedAuthnContext::COMPARISON_MAXIMUM) &&
134 !XMLString::equals(ptr->getComparison(),RequestedAuthnContext::COMPARISON_BETTER))
135 throw ValidationException("RequestedAuthnContext Comparison attribute must be one of: 'exact', 'minimum', 'maximum', or 'better'.");
136 END_XMLOBJECTVALIDATOR;
138 BEGIN_XMLOBJECTVALIDATOR_SUB(SAML_DLLLOCAL,AuthnQuery,SubjectQuery);
139 SubjectQuerySchemaValidator::validate(xmlObject);
140 END_XMLOBJECTVALIDATOR;
142 BEGIN_XMLOBJECTVALIDATOR_SUB(SAML_DLLLOCAL,AttributeQuery,SubjectQuery);
143 SubjectQuerySchemaValidator::validate(xmlObject);
144 //TODO Name/NameFormat pairs of child Attributes must be unique
145 // - whether and how to implement efficiently?
146 END_XMLOBJECTVALIDATOR;
148 BEGIN_XMLOBJECTVALIDATOR_SUB(SAML_DLLLOCAL,AuthzDecisionQuery,SubjectQuery);
149 SubjectQuerySchemaValidator::validate(xmlObject);
150 XMLOBJECTVALIDATOR_REQUIRE(AuthzDecisionQuery,Resource);
151 XMLOBJECTVALIDATOR_NONEMPTY(AuthzDecisionQuery,Action);
152 END_XMLOBJECTVALIDATOR;
154 BEGIN_XMLOBJECTVALIDATOR(SAML_DLLLOCAL,IDPEntry);
155 XMLOBJECTVALIDATOR_REQUIRE(IDPEntry,ProviderID);
156 END_XMLOBJECTVALIDATOR;
158 BEGIN_XMLOBJECTVALIDATOR(SAML_DLLLOCAL,IDPList);
159 XMLOBJECTVALIDATOR_NONEMPTY(IDPList,IDPEntry);
160 END_XMLOBJECTVALIDATOR;
162 BEGIN_XMLOBJECTVALIDATOR(SAML_DLLLOCAL,Scoping);
163 pair<bool,int> pc = ptr->getProxyCount();
164 if (pc.first && pc.second < 0)
165 throw xmltooling::ValidationException("ProxyCount attribute on Scoping element must be non-negative");
166 END_XMLOBJECTVALIDATOR;
168 BEGIN_XMLOBJECTVALIDATOR_SUB(SAML_DLLLOCAL,AuthnRequest,RequestAbstractType);
169 RequestAbstractTypeSchemaValidator::validate(xmlObject);
170 if (ptr->getAssertionConsumerServiceIndex().first
171 && (ptr->getAssertionConsumerServiceURL()!=NULL || ptr->getProtocolBinding()!=NULL))
172 throw xmltooling::ValidationException("On AuthnRequest AssertionConsumerServiceIndex is mutually exclusive with both AssertionConsumerServiceURL and ProtocolBinding");
173 END_XMLOBJECTVALIDATOR;
175 BEGIN_XMLOBJECTVALIDATOR_SUB(SAML_DLLLOCAL,Response,StatusResponseType);
176 StatusResponseTypeSchemaValidator::validate(xmlObject);
177 END_XMLOBJECTVALIDATOR;
179 BEGIN_XMLOBJECTVALIDATOR_SUB(SAML_DLLLOCAL,ArtifactResolve,RequestAbstractType);
180 RequestAbstractTypeSchemaValidator::validate(xmlObject);
181 XMLOBJECTVALIDATOR_REQUIRE(ArtifactResolve,Artifact);
182 END_XMLOBJECTVALIDATOR;
184 BEGIN_XMLOBJECTVALIDATOR_SUB(SAML_DLLLOCAL,ArtifactResponse,StatusResponseType);
185 StatusResponseTypeSchemaValidator::validate(xmlObject);
186 END_XMLOBJECTVALIDATOR;
188 BEGIN_XMLOBJECTVALIDATOR(SAML_DLLLOCAL,NewEncryptedID);
189 XMLOBJECTVALIDATOR_REQUIRE(NewEncryptedID,EncryptedData);
190 END_XMLOBJECTVALIDATOR;
192 BEGIN_XMLOBJECTVALIDATOR_SUB(SAML_DLLLOCAL,ManageNameIDRequest,RequestAbstractType);
193 RequestAbstractTypeSchemaValidator::validate(xmlObject);
194 XMLOBJECTVALIDATOR_ONLYONEOF(ManageNameIDRequest,NameID,EncryptedID);
195 XMLOBJECTVALIDATOR_ONLYONEOF3(ManageNameIDRequest,NewID,NewEncryptedID,Terminate);
196 END_XMLOBJECTVALIDATOR;
198 BEGIN_XMLOBJECTVALIDATOR_SUB(SAML_DLLLOCAL,ManageNameIDResponse,StatusResponseType);
199 StatusResponseTypeSchemaValidator::validate(xmlObject);
200 END_XMLOBJECTVALIDATOR;
202 BEGIN_XMLOBJECTVALIDATOR_SUB(SAML_DLLLOCAL,LogoutRequest,RequestAbstractType);
203 RequestAbstractTypeSchemaValidator::validate(xmlObject);
204 XMLOBJECTVALIDATOR_ONLYONEOF3(LogoutRequest,BaseID,NameID,EncryptedID);
205 END_XMLOBJECTVALIDATOR;
207 BEGIN_XMLOBJECTVALIDATOR_SUB(SAML_DLLLOCAL,LogoutResponse,StatusResponseType);
208 StatusResponseTypeSchemaValidator::validate(xmlObject);
209 END_XMLOBJECTVALIDATOR;
211 BEGIN_XMLOBJECTVALIDATOR_SUB(SAML_DLLLOCAL,NameIDMappingRequest,RequestAbstractType);
212 RequestAbstractTypeSchemaValidator::validate(xmlObject);
213 XMLOBJECTVALIDATOR_ONLYONEOF3(NameIDMappingRequest,BaseID,NameID,EncryptedID);
214 XMLOBJECTVALIDATOR_REQUIRE(NameIDMappingRequest,NameIDPolicy);
215 END_XMLOBJECTVALIDATOR;
217 BEGIN_XMLOBJECTVALIDATOR_SUB(SAML_DLLLOCAL,NameIDMappingResponse,StatusResponseType);
218 StatusResponseTypeSchemaValidator::validate(xmlObject);
219 XMLOBJECTVALIDATOR_ONLYONEOF(NameIDMappingResponse,NameID,EncryptedID);
220 END_XMLOBJECTVALIDATOR;
226 #define REGISTER_ELEMENT(cname) \
227 q=QName(SAMLConstants::SAML20P_NS,cname::LOCAL_NAME); \
228 XMLObjectBuilder::registerBuilder(q,new cname##Builder()); \
229 SchemaValidators.registerValidator(q,new cname##SchemaValidator())
231 #define REGISTER_TYPE(cname) \
232 q=QName(SAMLConstants::SAML20P_NS,cname::TYPE_NAME); \
233 XMLObjectBuilder::registerBuilder(q,new cname##Builder()); \
234 SchemaValidators.registerValidator(q,new cname##SchemaValidator())
236 #define REGISTER_ELEMENT_NOVAL(cname) \
237 q=QName(SAMLConstants::SAML20P_NS,cname::LOCAL_NAME); \
238 XMLObjectBuilder::registerBuilder(q,new cname##Builder());
240 #define REGISTER_TYPE_NOVAL(cname) \
241 q=QName(SAMLConstants::SAML20P_NS,cname::TYPE_NAME); \
242 XMLObjectBuilder::registerBuilder(q,new cname##Builder());
244 void opensaml::saml2p::registerProtocolClasses() {
246 REGISTER_ELEMENT(Artifact);
247 REGISTER_ELEMENT(ArtifactResolve);
248 REGISTER_ELEMENT(ArtifactResponse);
249 REGISTER_ELEMENT(AssertionIDRequest);
250 REGISTER_ELEMENT(AttributeQuery);
251 REGISTER_ELEMENT(AuthnQuery);
252 REGISTER_ELEMENT(AuthnRequest);
253 REGISTER_ELEMENT(AuthzDecisionQuery);
254 REGISTER_ELEMENT(Extensions);
255 REGISTER_ELEMENT(GetComplete);
256 REGISTER_ELEMENT(IDPEntry);
257 REGISTER_ELEMENT(IDPList);
258 REGISTER_ELEMENT(LogoutRequest);
259 REGISTER_ELEMENT(LogoutResponse);
260 REGISTER_ELEMENT(ManageNameIDRequest);
261 REGISTER_ELEMENT(ManageNameIDResponse);
262 REGISTER_ELEMENT(NameIDMappingRequest);
263 REGISTER_ELEMENT(NameIDMappingResponse);
264 REGISTER_ELEMENT_NOVAL(NameIDPolicy);
265 REGISTER_ELEMENT(NewEncryptedID);
266 REGISTER_ELEMENT(NewID);
267 REGISTER_ELEMENT(RequestedAuthnContext);
268 REGISTER_ELEMENT(RequesterID);
269 REGISTER_ELEMENT(Response);
270 REGISTER_ELEMENT(Scoping);
271 REGISTER_ELEMENT(SessionIndex);
272 REGISTER_ELEMENT(Status);
273 REGISTER_ELEMENT(StatusCode);
274 REGISTER_ELEMENT_NOVAL(StatusDetail);
275 REGISTER_ELEMENT(StatusMessage);
276 REGISTER_ELEMENT_NOVAL(Terminate);
277 REGISTER_TYPE(ArtifactResolve);
278 REGISTER_TYPE(ArtifactResponse);
279 REGISTER_TYPE(AssertionIDRequest);
280 REGISTER_TYPE(AttributeQuery);
281 REGISTER_TYPE(AuthnQuery);
282 REGISTER_TYPE(AuthnRequest);
283 REGISTER_TYPE(AuthzDecisionQuery);
284 REGISTER_TYPE(Extensions);
285 REGISTER_TYPE(IDPEntry);
286 REGISTER_TYPE(IDPList);
287 REGISTER_TYPE(LogoutRequest);
288 REGISTER_TYPE(ManageNameIDRequest);
289 REGISTER_TYPE(NameIDMappingRequest);
290 REGISTER_TYPE(NameIDMappingResponse);
291 REGISTER_TYPE_NOVAL(NameIDPolicy);
292 REGISTER_TYPE(RequestedAuthnContext);
293 REGISTER_TYPE(Response);
294 REGISTER_TYPE(Scoping);
295 REGISTER_TYPE(Status);
296 REGISTER_TYPE(StatusCode);
297 REGISTER_TYPE_NOVAL(StatusDetail);
298 REGISTER_TYPE_NOVAL(Terminate);
300 q=QName(SAMLConstants::SAML20P_THIRDPARTY_EXT_NS,RespondTo::LOCAL_NAME);
301 XMLObjectBuilder::registerBuilder(q,new RespondToBuilder());
302 SchemaValidators.registerValidator(q,new RespondToSchemaValidator());