2 * Licensed to the University Corporation for Advanced Internet
3 * Development, Inc. (UCAID) under one or more contributor license
4 * agreements. See the NOTICE file distributed with this work for
5 * additional information regarding copyright ownership.
7 * UCAID licenses this file to you under the Apache License,
8 * Version 2.0 (the "License"); you may not use this file except
9 * in compliance with the License. You may obtain a copy of the
12 * http://www.apache.org/licenses/LICENSE-2.0
14 * Unless required by applicable law or agreed to in writing,
15 * software distributed under the License is distributed on an
16 * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND,
17 * either express or implied. See the License for the specific
18 * language governing permissions and limitations under the License.
22 * Protocols20SchemaValidators.cpp
24 * Schema-based validators for SAML 2.0 Protocols classes.
28 #include "exceptions.h"
29 #include "saml2/core/Protocols.h"
31 #include <xmltooling/validation/Validator.h>
32 #include <xmltooling/validation/ValidatorSuite.h>
34 using namespace opensaml::saml2p;
35 using namespace opensaml::saml2;
36 using namespace opensaml;
37 using namespace xmltooling;
39 using samlconstants::SAML20P_NS;
44 XMLOBJECTVALIDATOR_SIMPLE(SAML_DLLLOCAL,Artifact);
45 XMLOBJECTVALIDATOR_SIMPLE(SAML_DLLLOCAL,GetComplete);
46 XMLOBJECTVALIDATOR_SIMPLE(SAML_DLLLOCAL,NewID);
47 XMLOBJECTVALIDATOR_SIMPLE(SAML_DLLLOCAL,RequesterID);
48 XMLOBJECTVALIDATOR_SIMPLE(SAML_DLLLOCAL,SessionIndex);
49 XMLOBJECTVALIDATOR_SIMPLE(SAML_DLLLOCAL,StatusMessage);
51 XMLOBJECTVALIDATOR_SIMPLE(SAML_DLLLOCAL,RespondTo);
53 //TODO wildcard NS ##other - spec says must be a "non-SAML defined" namespace,
54 // not just other than the target namespace
55 class SAML_DLLLOCAL checkWildcardNS {
57 void operator()(const XMLObject* xmlObject) const {
58 const XMLCh* ns=xmlObject->getElementQName().getNamespaceURI();
59 if (XMLString::equals(ns,SAML20P_NS) || !ns || !*ns) {
60 throw ValidationException(
61 "Object contains an illegal extension child element ($1).",
62 params(1,xmlObject->getElementQName().toString().c_str())
68 BEGIN_XMLOBJECTVALIDATOR(SAML_DLLLOCAL,RequestAbstractType);
69 XMLOBJECTVALIDATOR_REQUIRE(RequestAbstractType,ID);
70 XMLOBJECTVALIDATOR_REQUIRE(RequestAbstractType,Version);
71 XMLOBJECTVALIDATOR_REQUIRE(RequestAbstractType,IssueInstant);
72 if (!XMLString::equals(samlconstants::SAML20_VERSION, ptr->getVersion()))
73 throw ValidationException("Request has wrong SAML Version.");
74 END_XMLOBJECTVALIDATOR;
76 BEGIN_XMLOBJECTVALIDATOR_SUB(SAML_DLLLOCAL,SubjectQuery,RequestAbstractType);
77 RequestAbstractTypeSchemaValidator::validate(xmlObject);
78 XMLOBJECTVALIDATOR_REQUIRE(SubjectQuery,Subject);
79 END_XMLOBJECTVALIDATOR;
81 BEGIN_XMLOBJECTVALIDATOR(SAML_DLLLOCAL,StatusResponseType);
82 XMLOBJECTVALIDATOR_REQUIRE(StatusResponseType,ID);
83 XMLOBJECTVALIDATOR_REQUIRE(StatusResponseType,Version);
84 XMLOBJECTVALIDATOR_REQUIRE(StatusResponseType,IssueInstant);
85 XMLOBJECTVALIDATOR_REQUIRE(StatusResponseType,Status);
86 if (!XMLString::equals(samlconstants::SAML20_VERSION, ptr->getVersion()))
87 throw ValidationException("StatusResponse has wrong SAML Version.");
88 END_XMLOBJECTVALIDATOR;
90 BEGIN_XMLOBJECTVALIDATOR(SAML_DLLLOCAL,Extensions);
91 if (!ptr->hasChildren())
92 throw ValidationException("Extensions must have at least one child element.");
93 const vector<XMLObject*>& anys=ptr->getUnknownXMLObjects();
94 for_each(anys.begin(),anys.end(),checkWildcardNS());
95 END_XMLOBJECTVALIDATOR;
97 BEGIN_XMLOBJECTVALIDATOR(SAML_DLLLOCAL,StatusCode);
98 XMLOBJECTVALIDATOR_REQUIRE(StatusCode,Value);
101 // If this is a top-level StatusCode (ie. parent is a Status),
102 // then there are only 4 valid values per SAML Core.
103 if (ptr->getParent()!=nullptr && ptr->getParent()->getElementQName().hasLocalPart())
105 xmltooling::QName pq = ptr->getParent()->getElementQName();
107 if ( XMLString::equals(pq.getNamespaceURI(), SAML20P_NS) &&
108 XMLString::equals(pq.getLocalPart(), Status::LOCAL_NAME))
110 const XMLCh* code = ptr->getValue();
112 if (!XMLString::equals(code, StatusCode::SUCCESS) &&
113 !XMLString::equals(code, StatusCode::REQUESTER) &&
114 !XMLString::equals(code, StatusCode::RESPONDER) &&
115 !XMLString::equals(code, StatusCode::VERSION_MISMATCH) )
117 throw ValidationException("Invalid value for top-level StatusCode");
121 END_XMLOBJECTVALIDATOR;
123 BEGIN_XMLOBJECTVALIDATOR(SAML_DLLLOCAL,Status);
124 XMLOBJECTVALIDATOR_REQUIRE(Status,StatusCode);
125 END_XMLOBJECTVALIDATOR;
127 BEGIN_XMLOBJECTVALIDATOR_SUB(SAML_DLLLOCAL,AssertionIDRequest,RequestAbstractType);
128 RequestAbstractTypeSchemaValidator::validate(xmlObject);
129 XMLOBJECTVALIDATOR_NONEMPTY(AssertionIDRequest,AssertionIDRef);
130 END_XMLOBJECTVALIDATOR;
132 BEGIN_XMLOBJECTVALIDATOR(SAML_DLLLOCAL,RequestedAuthnContext);
133 if (ptr->getAuthnContextClassRefs().empty() && ptr->getAuthnContextDeclRefs().empty())
134 throw xmltooling::ValidationException("RequestedAuthnContext must have at least one AuthnContextClassRef or AuthnContextDeclRef");
135 if (!ptr->getAuthnContextClassRefs().empty() && !ptr->getAuthnContextDeclRefs().empty())
136 throw xmltooling::ValidationException("RequestedAuthnContext may not have both AuthnContextClassRef and AuthnContextDeclRef");
137 if (!XMLString::equals(ptr->getComparison(),RequestedAuthnContext::COMPARISON_EXACT) &&
138 !XMLString::equals(ptr->getComparison(),RequestedAuthnContext::COMPARISON_MINIMUM) &&
139 !XMLString::equals(ptr->getComparison(),RequestedAuthnContext::COMPARISON_MAXIMUM) &&
140 !XMLString::equals(ptr->getComparison(),RequestedAuthnContext::COMPARISON_BETTER))
141 throw ValidationException("RequestedAuthnContext Comparison attribute must be one of: 'exact', 'minimum', 'maximum', or 'better'.");
142 END_XMLOBJECTVALIDATOR;
144 BEGIN_XMLOBJECTVALIDATOR_SUB(SAML_DLLLOCAL,AuthnQuery,SubjectQuery);
145 SubjectQuerySchemaValidator::validate(xmlObject);
146 END_XMLOBJECTVALIDATOR;
148 BEGIN_XMLOBJECTVALIDATOR_SUB(SAML_DLLLOCAL,AttributeQuery,SubjectQuery);
149 SubjectQuerySchemaValidator::validate(xmlObject);
150 //TODO Name/NameFormat pairs of child Attributes must be unique
151 // - whether and how to implement efficiently?
152 END_XMLOBJECTVALIDATOR;
154 BEGIN_XMLOBJECTVALIDATOR_SUB(SAML_DLLLOCAL,AuthzDecisionQuery,SubjectQuery);
155 SubjectQuerySchemaValidator::validate(xmlObject);
156 XMLOBJECTVALIDATOR_REQUIRE(AuthzDecisionQuery,Resource);
157 XMLOBJECTVALIDATOR_NONEMPTY(AuthzDecisionQuery,Action);
158 END_XMLOBJECTVALIDATOR;
160 BEGIN_XMLOBJECTVALIDATOR(SAML_DLLLOCAL,IDPEntry);
161 XMLOBJECTVALIDATOR_REQUIRE(IDPEntry,ProviderID);
162 END_XMLOBJECTVALIDATOR;
164 BEGIN_XMLOBJECTVALIDATOR(SAML_DLLLOCAL,IDPList);
165 XMLOBJECTVALIDATOR_NONEMPTY(IDPList,IDPEntry);
166 END_XMLOBJECTVALIDATOR;
168 BEGIN_XMLOBJECTVALIDATOR(SAML_DLLLOCAL,Scoping);
169 pair<bool,int> pc = ptr->getProxyCount();
170 if (pc.first && pc.second < 0)
171 throw xmltooling::ValidationException("ProxyCount attribute on Scoping element must be non-negative");
172 END_XMLOBJECTVALIDATOR;
174 BEGIN_XMLOBJECTVALIDATOR_SUB(SAML_DLLLOCAL,AuthnRequest,RequestAbstractType);
175 RequestAbstractTypeSchemaValidator::validate(xmlObject);
176 if (ptr->getAssertionConsumerServiceIndex().first
177 && (ptr->getAssertionConsumerServiceURL()!=nullptr || ptr->getProtocolBinding()!=nullptr))
178 throw xmltooling::ValidationException("On AuthnRequest AssertionConsumerServiceIndex is mutually exclusive with both AssertionConsumerServiceURL and ProtocolBinding");
179 END_XMLOBJECTVALIDATOR;
181 BEGIN_XMLOBJECTVALIDATOR_SUB(SAML_DLLLOCAL,Response,StatusResponseType);
182 StatusResponseTypeSchemaValidator::validate(xmlObject);
183 END_XMLOBJECTVALIDATOR;
185 BEGIN_XMLOBJECTVALIDATOR_SUB(SAML_DLLLOCAL,ArtifactResolve,RequestAbstractType);
186 RequestAbstractTypeSchemaValidator::validate(xmlObject);
187 XMLOBJECTVALIDATOR_REQUIRE(ArtifactResolve,Artifact);
188 END_XMLOBJECTVALIDATOR;
190 BEGIN_XMLOBJECTVALIDATOR_SUB(SAML_DLLLOCAL,ArtifactResponse,StatusResponseType);
191 StatusResponseTypeSchemaValidator::validate(xmlObject);
192 END_XMLOBJECTVALIDATOR;
194 BEGIN_XMLOBJECTVALIDATOR(SAML_DLLLOCAL,NewEncryptedID);
195 XMLOBJECTVALIDATOR_REQUIRE(NewEncryptedID,EncryptedData);
196 END_XMLOBJECTVALIDATOR;
198 BEGIN_XMLOBJECTVALIDATOR_SUB(SAML_DLLLOCAL,ManageNameIDRequest,RequestAbstractType);
199 RequestAbstractTypeSchemaValidator::validate(xmlObject);
200 XMLOBJECTVALIDATOR_ONLYONEOF(ManageNameIDRequest,NameID,EncryptedID);
201 XMLOBJECTVALIDATOR_ONLYONEOF3(ManageNameIDRequest,NewID,NewEncryptedID,Terminate);
202 END_XMLOBJECTVALIDATOR;
204 BEGIN_XMLOBJECTVALIDATOR_SUB(SAML_DLLLOCAL,ManageNameIDResponse,StatusResponseType);
205 StatusResponseTypeSchemaValidator::validate(xmlObject);
206 END_XMLOBJECTVALIDATOR;
208 BEGIN_XMLOBJECTVALIDATOR_SUB(SAML_DLLLOCAL,LogoutRequest,RequestAbstractType);
209 RequestAbstractTypeSchemaValidator::validate(xmlObject);
210 XMLOBJECTVALIDATOR_ONLYONEOF3(LogoutRequest,BaseID,NameID,EncryptedID);
211 END_XMLOBJECTVALIDATOR;
213 BEGIN_XMLOBJECTVALIDATOR_SUB(SAML_DLLLOCAL,LogoutResponse,StatusResponseType);
214 StatusResponseTypeSchemaValidator::validate(xmlObject);
215 END_XMLOBJECTVALIDATOR;
217 BEGIN_XMLOBJECTVALIDATOR_SUB(SAML_DLLLOCAL,NameIDMappingRequest,RequestAbstractType);
218 RequestAbstractTypeSchemaValidator::validate(xmlObject);
219 XMLOBJECTVALIDATOR_ONLYONEOF3(NameIDMappingRequest,BaseID,NameID,EncryptedID);
220 XMLOBJECTVALIDATOR_REQUIRE(NameIDMappingRequest,NameIDPolicy);
221 END_XMLOBJECTVALIDATOR;
223 BEGIN_XMLOBJECTVALIDATOR_SUB(SAML_DLLLOCAL,NameIDMappingResponse,StatusResponseType);
224 StatusResponseTypeSchemaValidator::validate(xmlObject);
225 XMLOBJECTVALIDATOR_ONLYONEOF(NameIDMappingResponse,NameID,EncryptedID);
226 END_XMLOBJECTVALIDATOR;
232 #define REGISTER_ELEMENT(cname) \
233 q=xmltooling::QName(SAML20P_NS,cname::LOCAL_NAME); \
234 XMLObjectBuilder::registerBuilder(q,new cname##Builder()); \
235 SchemaValidators.registerValidator(q,new cname##SchemaValidator())
237 #define REGISTER_TYPE(cname) \
238 q=xmltooling::QName(SAML20P_NS,cname::TYPE_NAME); \
239 XMLObjectBuilder::registerBuilder(q,new cname##Builder()); \
240 SchemaValidators.registerValidator(q,new cname##SchemaValidator())
242 #define REGISTER_ELEMENT_NOVAL(cname) \
243 q=xmltooling::QName(SAML20P_NS,cname::LOCAL_NAME); \
244 XMLObjectBuilder::registerBuilder(q,new cname##Builder());
246 #define REGISTER_TYPE_NOVAL(cname) \
247 q=xmltooling::QName(SAML20P_NS,cname::TYPE_NAME); \
248 XMLObjectBuilder::registerBuilder(q,new cname##Builder());
250 void opensaml::saml2p::registerProtocolClasses() {
252 REGISTER_ELEMENT(Artifact);
253 REGISTER_ELEMENT(ArtifactResolve);
254 REGISTER_ELEMENT(ArtifactResponse);
255 REGISTER_ELEMENT(AssertionIDRequest);
256 REGISTER_ELEMENT(AttributeQuery);
257 REGISTER_ELEMENT(AuthnQuery);
258 REGISTER_ELEMENT(AuthnRequest);
259 REGISTER_ELEMENT(AuthzDecisionQuery);
260 REGISTER_ELEMENT(Extensions);
261 REGISTER_ELEMENT(GetComplete);
262 REGISTER_ELEMENT(IDPEntry);
263 REGISTER_ELEMENT(IDPList);
264 REGISTER_ELEMENT(LogoutRequest);
265 REGISTER_ELEMENT(LogoutResponse);
266 REGISTER_ELEMENT(ManageNameIDRequest);
267 REGISTER_ELEMENT(ManageNameIDResponse);
268 REGISTER_ELEMENT(NameIDMappingRequest);
269 REGISTER_ELEMENT(NameIDMappingResponse);
270 REGISTER_ELEMENT_NOVAL(NameIDPolicy);
271 REGISTER_ELEMENT(NewEncryptedID);
272 REGISTER_ELEMENT(NewID);
273 REGISTER_ELEMENT(RequestedAuthnContext);
274 REGISTER_ELEMENT(RequesterID);
275 REGISTER_ELEMENT(Response);
276 REGISTER_ELEMENT(Scoping);
277 REGISTER_ELEMENT(SessionIndex);
278 REGISTER_ELEMENT(Status);
279 REGISTER_ELEMENT(StatusCode);
280 REGISTER_ELEMENT_NOVAL(StatusDetail);
281 REGISTER_ELEMENT(StatusMessage);
282 REGISTER_ELEMENT_NOVAL(Terminate);
283 REGISTER_TYPE(ArtifactResolve);
284 REGISTER_TYPE(ArtifactResponse);
285 REGISTER_TYPE(AssertionIDRequest);
286 REGISTER_TYPE(AttributeQuery);
287 REGISTER_TYPE(AuthnQuery);
288 REGISTER_TYPE(AuthnRequest);
289 REGISTER_TYPE(AuthzDecisionQuery);
290 REGISTER_TYPE(Extensions);
291 REGISTER_TYPE(IDPEntry);
292 REGISTER_TYPE(IDPList);
293 REGISTER_TYPE(LogoutRequest);
294 REGISTER_TYPE(ManageNameIDRequest);
295 REGISTER_TYPE(NameIDMappingRequest);
296 REGISTER_TYPE(NameIDMappingResponse);
297 REGISTER_TYPE_NOVAL(NameIDPolicy);
298 REGISTER_TYPE(RequestedAuthnContext);
299 REGISTER_TYPE(Response);
300 REGISTER_TYPE(Scoping);
301 REGISTER_TYPE(Status);
302 REGISTER_TYPE(StatusCode);
303 REGISTER_TYPE_NOVAL(StatusDetail);
304 REGISTER_TYPE_NOVAL(Terminate);
306 q=xmltooling::QName(samlconstants::SAML20P_THIRDPARTY_EXT_NS,RespondTo::LOCAL_NAME);
307 XMLObjectBuilder::registerBuilder(q,new RespondToBuilder());
308 SchemaValidators.registerValidator(q,new RespondToSchemaValidator());
310 q=xmltooling::QName(samlconstants::SAML20P_ASYNCSLO_EXT_NS,Asynchronous::LOCAL_NAME);
311 XMLObjectBuilder::registerBuilder(q,new AsynchronousBuilder());
312 q=xmltooling::QName(samlconstants::SAML20P_ASYNCSLO_EXT_NS,Asynchronous::TYPE_NAME);
313 XMLObjectBuilder::registerBuilder(q,new AsynchronousBuilder());