projects / shibboleth / cpp-opensaml.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
Register extension element/type.
[shibboleth/cpp-opensaml.git] / saml / saml2 / core / impl / Protocols20SchemaValidators.cpp
1 /**
2  * Licensed to the University Corporation for Advanced Internet
3  * Development, Inc. (UCAID) under one or more contributor license
4  * agreements. See the NOTICE file distributed with this work for
5  * additional information regarding copyright ownership.
6  *
7  * UCAID licenses this file to you under the Apache License,
8  * Version 2.0 (the "License"); you may not use this file except
9  * in compliance with the License. You may obtain a copy of the
10  * License at
11  *
12  * http://www.apache.org/licenses/LICENSE-2.0
13  *
14  * Unless required by applicable law or agreed to in writing,
15  * software distributed under the License is distributed on an
16  * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND,
17  * either express or implied. See the License for the specific
18  * language governing permissions and limitations under the License.
19  */
20
21 /**
22  * Protocols20SchemaValidators.cpp
23  * 
24  * Schema-based validators for SAML 2.0 Protocols classes.
25  */
26
27 #include "internal.h"
28 #include "exceptions.h"
29 #include "saml2/core/Protocols.h"
30
31 #include <xmltooling/validation/Validator.h>
32 #include <xmltooling/validation/ValidatorSuite.h>
33
34 using namespace opensaml::saml2p;
35 using namespace opensaml::saml2;
36 using namespace opensaml;
37 using namespace xmltooling;
38 using namespace std;
39 using samlconstants::SAML20P_NS;
40
41 namespace opensaml {
42     namespace saml2p {
43         
44         XMLOBJECTVALIDATOR_SIMPLE(SAML_DLLLOCAL,Artifact);
45         XMLOBJECTVALIDATOR_SIMPLE(SAML_DLLLOCAL,GetComplete);
46         XMLOBJECTVALIDATOR_SIMPLE(SAML_DLLLOCAL,NewID);
47         XMLOBJECTVALIDATOR_SIMPLE(SAML_DLLLOCAL,RequesterID);
48         XMLOBJECTVALIDATOR_SIMPLE(SAML_DLLLOCAL,SessionIndex);
49         XMLOBJECTVALIDATOR_SIMPLE(SAML_DLLLOCAL,StatusMessage);
50         
51         XMLOBJECTVALIDATOR_SIMPLE(SAML_DLLLOCAL,RespondTo);
52
53         //TODO wildcard NS ##other - spec says must be a "non-SAML defined" namespace,
54         // not just other than the target namespace
55         class SAML_DLLLOCAL checkWildcardNS {
56         public:
57             void operator()(const XMLObject* xmlObject) const {
58                 const XMLCh* ns=xmlObject->getElementQName().getNamespaceURI();
59                 if (XMLString::equals(ns,SAML20P_NS) || !ns || !*ns) {
60                     throw ValidationException(
61                         "Object contains an illegal extension child element ($1).",
62                         params(1,xmlObject->getElementQName().toString().c_str())
63                         );
64                 }
65             }
66         };
67
68         BEGIN_XMLOBJECTVALIDATOR(SAML_DLLLOCAL,RequestAbstractType);
69             XMLOBJECTVALIDATOR_REQUIRE(RequestAbstractType,ID);
70             XMLOBJECTVALIDATOR_REQUIRE(RequestAbstractType,Version);
71             XMLOBJECTVALIDATOR_REQUIRE(RequestAbstractType,IssueInstant);
72             if (!XMLString::equals(samlconstants::SAML20_VERSION, ptr->getVersion()))
73                 throw ValidationException("Request has wrong SAML Version.");
74         END_XMLOBJECTVALIDATOR;
75
76         BEGIN_XMLOBJECTVALIDATOR_SUB(SAML_DLLLOCAL,SubjectQuery,RequestAbstractType);
77             RequestAbstractTypeSchemaValidator::validate(xmlObject);
78             XMLOBJECTVALIDATOR_REQUIRE(SubjectQuery,Subject);
79         END_XMLOBJECTVALIDATOR;
80
81         BEGIN_XMLOBJECTVALIDATOR(SAML_DLLLOCAL,StatusResponseType);
82             XMLOBJECTVALIDATOR_REQUIRE(StatusResponseType,ID);
83             XMLOBJECTVALIDATOR_REQUIRE(StatusResponseType,Version);
84             XMLOBJECTVALIDATOR_REQUIRE(StatusResponseType,IssueInstant);
85             XMLOBJECTVALIDATOR_REQUIRE(StatusResponseType,Status);
86             if (!XMLString::equals(samlconstants::SAML20_VERSION, ptr->getVersion()))
87                 throw ValidationException("StatusResponse has wrong SAML Version.");
88         END_XMLOBJECTVALIDATOR;
89
90         BEGIN_XMLOBJECTVALIDATOR(SAML_DLLLOCAL,Extensions);
91             if (!ptr->hasChildren())
92                 throw ValidationException("Extensions must have at least one child element.");
93             const vector<XMLObject*>& anys=ptr->getUnknownXMLObjects();
94             for_each(anys.begin(),anys.end(),checkWildcardNS());
95         END_XMLOBJECTVALIDATOR;
96
97         BEGIN_XMLOBJECTVALIDATOR(SAML_DLLLOCAL,StatusCode);
98             XMLOBJECTVALIDATOR_REQUIRE(StatusCode,Value);
99
100             //TODO test this !!!
101             // If this is a top-level StatusCode (ie. parent is a Status),
102             // then there are only 4 valid values per SAML Core.
103             if (ptr->getParent()!=nullptr && ptr->getParent()->getElementQName().hasLocalPart())
104             {
105                 xmltooling::QName pq = ptr->getParent()->getElementQName();
106
107                 if ( XMLString::equals(pq.getNamespaceURI(), SAML20P_NS) &&
108                         XMLString::equals(pq.getLocalPart(), Status::LOCAL_NAME))
109                 {
110                     const XMLCh* code = ptr->getValue();
111
112                     if (!XMLString::equals(code, StatusCode::SUCCESS) &&
113                         !XMLString::equals(code, StatusCode::REQUESTER) &&
114                         !XMLString::equals(code, StatusCode::RESPONDER) &&
115                         !XMLString::equals(code, StatusCode::VERSION_MISMATCH) )
116                     {
117                         throw ValidationException("Invalid value for top-level StatusCode");
118                     }
119                 }
120             }
121         END_XMLOBJECTVALIDATOR;
122
123         BEGIN_XMLOBJECTVALIDATOR(SAML_DLLLOCAL,Status);
124             XMLOBJECTVALIDATOR_REQUIRE(Status,StatusCode);
125         END_XMLOBJECTVALIDATOR;
126
127         BEGIN_XMLOBJECTVALIDATOR_SUB(SAML_DLLLOCAL,AssertionIDRequest,RequestAbstractType);
128             RequestAbstractTypeSchemaValidator::validate(xmlObject);
129             XMLOBJECTVALIDATOR_NONEMPTY(AssertionIDRequest,AssertionIDRef);
130         END_XMLOBJECTVALIDATOR;
131
132         BEGIN_XMLOBJECTVALIDATOR(SAML_DLLLOCAL,RequestedAuthnContext);
133             if (ptr->getAuthnContextClassRefs().empty() && ptr->getAuthnContextDeclRefs().empty())
134                 throw xmltooling::ValidationException("RequestedAuthnContext must have at least one AuthnContextClassRef or AuthnContextDeclRef"); 
135             if (!ptr->getAuthnContextClassRefs().empty() && !ptr->getAuthnContextDeclRefs().empty())
136                 throw xmltooling::ValidationException("RequestedAuthnContext may not have both AuthnContextClassRef and AuthnContextDeclRef"); 
137             if (!XMLString::equals(ptr->getComparison(),RequestedAuthnContext::COMPARISON_EXACT) &&
138                 !XMLString::equals(ptr->getComparison(),RequestedAuthnContext::COMPARISON_MINIMUM) &&
139                 !XMLString::equals(ptr->getComparison(),RequestedAuthnContext::COMPARISON_MAXIMUM) &&
140                 !XMLString::equals(ptr->getComparison(),RequestedAuthnContext::COMPARISON_BETTER))
141                 throw ValidationException("RequestedAuthnContext Comparison attribute must be one of: 'exact', 'minimum', 'maximum', or 'better'.");
142         END_XMLOBJECTVALIDATOR;
143
144         BEGIN_XMLOBJECTVALIDATOR_SUB(SAML_DLLLOCAL,AuthnQuery,SubjectQuery);
145             SubjectQuerySchemaValidator::validate(xmlObject);
146         END_XMLOBJECTVALIDATOR;
147
148         BEGIN_XMLOBJECTVALIDATOR_SUB(SAML_DLLLOCAL,AttributeQuery,SubjectQuery);
149             SubjectQuerySchemaValidator::validate(xmlObject);
150             //TODO Name/NameFormat pairs of child Attributes must be unique 
151             //   - whether and how to implement efficiently?
152         END_XMLOBJECTVALIDATOR;
153
154         BEGIN_XMLOBJECTVALIDATOR_SUB(SAML_DLLLOCAL,AuthzDecisionQuery,SubjectQuery);
155             SubjectQuerySchemaValidator::validate(xmlObject);
156             XMLOBJECTVALIDATOR_REQUIRE(AuthzDecisionQuery,Resource);
157             XMLOBJECTVALIDATOR_NONEMPTY(AuthzDecisionQuery,Action);
158         END_XMLOBJECTVALIDATOR;
159
160         BEGIN_XMLOBJECTVALIDATOR(SAML_DLLLOCAL,IDPEntry);
161             XMLOBJECTVALIDATOR_REQUIRE(IDPEntry,ProviderID);
162         END_XMLOBJECTVALIDATOR;
163
164         BEGIN_XMLOBJECTVALIDATOR(SAML_DLLLOCAL,IDPList);
165             XMLOBJECTVALIDATOR_NONEMPTY(IDPList,IDPEntry);
166         END_XMLOBJECTVALIDATOR;
167
168         BEGIN_XMLOBJECTVALIDATOR(SAML_DLLLOCAL,Scoping);
169             pair<bool,int> pc = ptr->getProxyCount();
170             if (pc.first && pc.second < 0) 
171                 throw xmltooling::ValidationException("ProxyCount attribute on Scoping element must be non-negative"); 
172         END_XMLOBJECTVALIDATOR;
173
174         BEGIN_XMLOBJECTVALIDATOR_SUB(SAML_DLLLOCAL,AuthnRequest,RequestAbstractType);
175             RequestAbstractTypeSchemaValidator::validate(xmlObject);
176             if (ptr->getAssertionConsumerServiceIndex().first 
177                     && (ptr->getAssertionConsumerServiceURL()!=nullptr || ptr->getProtocolBinding()!=nullptr))
178                 throw xmltooling::ValidationException("On AuthnRequest AssertionConsumerServiceIndex is mutually exclusive with both AssertionConsumerServiceURL and ProtocolBinding");
179         END_XMLOBJECTVALIDATOR;
180
181         BEGIN_XMLOBJECTVALIDATOR_SUB(SAML_DLLLOCAL,Response,StatusResponseType);
182             StatusResponseTypeSchemaValidator::validate(xmlObject);
183         END_XMLOBJECTVALIDATOR;
184
185         BEGIN_XMLOBJECTVALIDATOR_SUB(SAML_DLLLOCAL,ArtifactResolve,RequestAbstractType);
186             RequestAbstractTypeSchemaValidator::validate(xmlObject);
187             XMLOBJECTVALIDATOR_REQUIRE(ArtifactResolve,Artifact);
188         END_XMLOBJECTVALIDATOR;
189
190         BEGIN_XMLOBJECTVALIDATOR_SUB(SAML_DLLLOCAL,ArtifactResponse,StatusResponseType);
191             StatusResponseTypeSchemaValidator::validate(xmlObject);
192         END_XMLOBJECTVALIDATOR;
193
194         BEGIN_XMLOBJECTVALIDATOR(SAML_DLLLOCAL,NewEncryptedID);
195             XMLOBJECTVALIDATOR_REQUIRE(NewEncryptedID,EncryptedData);
196         END_XMLOBJECTVALIDATOR;
197
198         BEGIN_XMLOBJECTVALIDATOR_SUB(SAML_DLLLOCAL,ManageNameIDRequest,RequestAbstractType);
199             RequestAbstractTypeSchemaValidator::validate(xmlObject);
200             XMLOBJECTVALIDATOR_ONLYONEOF(ManageNameIDRequest,NameID,EncryptedID);
201             XMLOBJECTVALIDATOR_ONLYONEOF3(ManageNameIDRequest,NewID,NewEncryptedID,Terminate);
202         END_XMLOBJECTVALIDATOR;
203
204         BEGIN_XMLOBJECTVALIDATOR_SUB(SAML_DLLLOCAL,ManageNameIDResponse,StatusResponseType);
205             StatusResponseTypeSchemaValidator::validate(xmlObject);
206         END_XMLOBJECTVALIDATOR;
207
208         BEGIN_XMLOBJECTVALIDATOR_SUB(SAML_DLLLOCAL,LogoutRequest,RequestAbstractType);
209             RequestAbstractTypeSchemaValidator::validate(xmlObject);
210             XMLOBJECTVALIDATOR_ONLYONEOF3(LogoutRequest,BaseID,NameID,EncryptedID);
211         END_XMLOBJECTVALIDATOR;
212
213         BEGIN_XMLOBJECTVALIDATOR_SUB(SAML_DLLLOCAL,LogoutResponse,StatusResponseType);
214             StatusResponseTypeSchemaValidator::validate(xmlObject);
215         END_XMLOBJECTVALIDATOR;
216
217         BEGIN_XMLOBJECTVALIDATOR_SUB(SAML_DLLLOCAL,NameIDMappingRequest,RequestAbstractType);
218             RequestAbstractTypeSchemaValidator::validate(xmlObject);
219             XMLOBJECTVALIDATOR_ONLYONEOF3(NameIDMappingRequest,BaseID,NameID,EncryptedID);
220             XMLOBJECTVALIDATOR_REQUIRE(NameIDMappingRequest,NameIDPolicy);
221         END_XMLOBJECTVALIDATOR;
222
223         BEGIN_XMLOBJECTVALIDATOR_SUB(SAML_DLLLOCAL,NameIDMappingResponse,StatusResponseType);
224             StatusResponseTypeSchemaValidator::validate(xmlObject);
225             XMLOBJECTVALIDATOR_ONLYONEOF(NameIDMappingResponse,NameID,EncryptedID);
226         END_XMLOBJECTVALIDATOR;
227
228
229     };
230 };
231
232 #define REGISTER_ELEMENT(cname) \
233     q=xmltooling::QName(SAML20P_NS,cname::LOCAL_NAME); \
234     XMLObjectBuilder::registerBuilder(q,new cname##Builder()); \
235     SchemaValidators.registerValidator(q,new cname##SchemaValidator())
236     
237 #define REGISTER_TYPE(cname) \
238     q=xmltooling::QName(SAML20P_NS,cname::TYPE_NAME); \
239     XMLObjectBuilder::registerBuilder(q,new cname##Builder()); \
240     SchemaValidators.registerValidator(q,new cname##SchemaValidator())
241
242 #define REGISTER_ELEMENT_NOVAL(cname) \
243     q=xmltooling::QName(SAML20P_NS,cname::LOCAL_NAME); \
244     XMLObjectBuilder::registerBuilder(q,new cname##Builder());
245     
246 #define REGISTER_TYPE_NOVAL(cname) \
247     q=xmltooling::QName(SAML20P_NS,cname::TYPE_NAME); \
248     XMLObjectBuilder::registerBuilder(q,new cname##Builder());
249
250 void opensaml::saml2p::registerProtocolClasses() {
251     xmltooling::QName q;
252     REGISTER_ELEMENT(Artifact);
253     REGISTER_ELEMENT(ArtifactResolve);
254     REGISTER_ELEMENT(ArtifactResponse);
255     REGISTER_ELEMENT(AssertionIDRequest);
256     REGISTER_ELEMENT(AttributeQuery);
257     REGISTER_ELEMENT(AuthnQuery);
258     REGISTER_ELEMENT(AuthnRequest);
259     REGISTER_ELEMENT(AuthzDecisionQuery);
260     REGISTER_ELEMENT(Extensions);
261     REGISTER_ELEMENT(GetComplete);
262     REGISTER_ELEMENT(IDPEntry);
263     REGISTER_ELEMENT(IDPList);
264     REGISTER_ELEMENT(LogoutRequest);
265     REGISTER_ELEMENT(LogoutResponse);
266     REGISTER_ELEMENT(ManageNameIDRequest);
267     REGISTER_ELEMENT(ManageNameIDResponse);
268     REGISTER_ELEMENT(NameIDMappingRequest);
269     REGISTER_ELEMENT(NameIDMappingResponse);
270     REGISTER_ELEMENT_NOVAL(NameIDPolicy);
271     REGISTER_ELEMENT(NewEncryptedID);
272     REGISTER_ELEMENT(NewID);
273     REGISTER_ELEMENT(RequestedAuthnContext);
274     REGISTER_ELEMENT(RequesterID);
275     REGISTER_ELEMENT(Response);
276     REGISTER_ELEMENT(Scoping);
277     REGISTER_ELEMENT(SessionIndex);
278     REGISTER_ELEMENT(Status);
279     REGISTER_ELEMENT(StatusCode);
280     REGISTER_ELEMENT_NOVAL(StatusDetail);
281     REGISTER_ELEMENT(StatusMessage);
282     REGISTER_ELEMENT_NOVAL(Terminate);
283     REGISTER_TYPE(ArtifactResolve);
284     REGISTER_TYPE(ArtifactResponse);
285     REGISTER_TYPE(AssertionIDRequest);
286     REGISTER_TYPE(AttributeQuery);
287     REGISTER_TYPE(AuthnQuery);
288     REGISTER_TYPE(AuthnRequest);
289     REGISTER_TYPE(AuthzDecisionQuery);
290     REGISTER_TYPE(Extensions);
291     REGISTER_TYPE(IDPEntry);
292     REGISTER_TYPE(IDPList);
293     REGISTER_TYPE(LogoutRequest);
294     REGISTER_TYPE(ManageNameIDRequest);
295     REGISTER_TYPE(NameIDMappingRequest);
296     REGISTER_TYPE(NameIDMappingResponse);
297     REGISTER_TYPE_NOVAL(NameIDPolicy);
298     REGISTER_TYPE(RequestedAuthnContext);
299     REGISTER_TYPE(Response);
300     REGISTER_TYPE(Scoping);
301     REGISTER_TYPE(Status);
302     REGISTER_TYPE(StatusCode);
303     REGISTER_TYPE_NOVAL(StatusDetail);
304     REGISTER_TYPE_NOVAL(Terminate);
305
306     q=xmltooling::QName(samlconstants::SAML20P_THIRDPARTY_EXT_NS,RespondTo::LOCAL_NAME);
307     XMLObjectBuilder::registerBuilder(q,new RespondToBuilder());
308     SchemaValidators.registerValidator(q,new RespondToSchemaValidator());
309
310     q=xmltooling::QName(samlconstants::SAML20P_ASYNCSLO_EXT_NS,Asynchronous::LOCAL_NAME);
311     XMLObjectBuilder::registerBuilder(q,new AsynchronousBuilder());
312     q=xmltooling::QName(samlconstants::SAML20P_ASYNCSLO_EXT_NS,Asynchronous::TYPE_NAME);
313     XMLObjectBuilder::registerBuilder(q,new AsynchronousBuilder());
314 }
Unnamed repository; edit this file 'description' to name the repository.