2 * Copyright 2001-2010 Internet2
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
8 * http://www.apache.org/licenses/LICENSE-2.0
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
18 * Protocols20SchemaValidators.cpp
20 * Schema-based validators for SAML 2.0 Protocols classes.
24 #include "exceptions.h"
25 #include "saml2/core/Protocols.h"
27 #include <xmltooling/validation/Validator.h>
28 #include <xmltooling/validation/ValidatorSuite.h>
30 using namespace opensaml::saml2p;
31 using namespace opensaml::saml2;
32 using namespace opensaml;
33 using namespace xmltooling;
35 using samlconstants::SAML20P_NS;
40 XMLOBJECTVALIDATOR_SIMPLE(SAML_DLLLOCAL,Artifact);
41 XMLOBJECTVALIDATOR_SIMPLE(SAML_DLLLOCAL,GetComplete);
42 XMLOBJECTVALIDATOR_SIMPLE(SAML_DLLLOCAL,NewID);
43 XMLOBJECTVALIDATOR_SIMPLE(SAML_DLLLOCAL,RequesterID);
44 XMLOBJECTVALIDATOR_SIMPLE(SAML_DLLLOCAL,SessionIndex);
45 XMLOBJECTVALIDATOR_SIMPLE(SAML_DLLLOCAL,StatusMessage);
47 XMLOBJECTVALIDATOR_SIMPLE(SAML_DLLLOCAL,RespondTo);
49 //TODO wildcard NS ##other - spec says must be a "non-SAML defined" namespace,
50 // not just other than the target namespace
51 class SAML_DLLLOCAL checkWildcardNS {
53 void operator()(const XMLObject* xmlObject) const {
54 const XMLCh* ns=xmlObject->getElementQName().getNamespaceURI();
55 if (XMLString::equals(ns,SAML20P_NS) || !ns || !*ns) {
56 throw ValidationException(
57 "Object contains an illegal extension child element ($1).",
58 params(1,xmlObject->getElementQName().toString().c_str())
64 BEGIN_XMLOBJECTVALIDATOR(SAML_DLLLOCAL,RequestAbstractType);
65 XMLOBJECTVALIDATOR_REQUIRE(RequestAbstractType,ID);
66 XMLOBJECTVALIDATOR_REQUIRE(RequestAbstractType,Version);
67 XMLOBJECTVALIDATOR_REQUIRE(RequestAbstractType,IssueInstant);
68 if (!XMLString::equals(samlconstants::SAML20_VERSION, ptr->getVersion()))
69 throw ValidationException("Request has wrong SAML Version.");
70 END_XMLOBJECTVALIDATOR;
72 BEGIN_XMLOBJECTVALIDATOR_SUB(SAML_DLLLOCAL,SubjectQuery,RequestAbstractType);
73 RequestAbstractTypeSchemaValidator::validate(xmlObject);
74 XMLOBJECTVALIDATOR_REQUIRE(SubjectQuery,Subject);
75 END_XMLOBJECTVALIDATOR;
77 BEGIN_XMLOBJECTVALIDATOR(SAML_DLLLOCAL,StatusResponseType);
78 XMLOBJECTVALIDATOR_REQUIRE(StatusResponseType,ID);
79 XMLOBJECTVALIDATOR_REQUIRE(StatusResponseType,Version);
80 XMLOBJECTVALIDATOR_REQUIRE(StatusResponseType,IssueInstant);
81 XMLOBJECTVALIDATOR_REQUIRE(StatusResponseType,Status);
82 if (!XMLString::equals(samlconstants::SAML20_VERSION, ptr->getVersion()))
83 throw ValidationException("StatusResponse has wrong SAML Version.");
84 END_XMLOBJECTVALIDATOR;
86 BEGIN_XMLOBJECTVALIDATOR(SAML_DLLLOCAL,Extensions);
87 if (!ptr->hasChildren())
88 throw ValidationException("Extensions must have at least one child element.");
89 const vector<XMLObject*>& anys=ptr->getUnknownXMLObjects();
90 for_each(anys.begin(),anys.end(),checkWildcardNS());
91 END_XMLOBJECTVALIDATOR;
93 BEGIN_XMLOBJECTVALIDATOR(SAML_DLLLOCAL,StatusCode);
94 XMLOBJECTVALIDATOR_REQUIRE(StatusCode,Value);
97 // If this is a top-level StatusCode (ie. parent is a Status),
98 // then there are only 4 valid values per SAML Core.
99 if (ptr->getParent()!=nullptr && ptr->getParent()->getElementQName().hasLocalPart())
101 xmltooling::QName pq = ptr->getParent()->getElementQName();
103 if ( XMLString::equals(pq.getNamespaceURI(), SAML20P_NS) &&
104 XMLString::equals(pq.getLocalPart(), Status::LOCAL_NAME))
106 const XMLCh* code = ptr->getValue();
108 if (!XMLString::equals(code, StatusCode::SUCCESS) &&
109 !XMLString::equals(code, StatusCode::REQUESTER) &&
110 !XMLString::equals(code, StatusCode::RESPONDER) &&
111 !XMLString::equals(code, StatusCode::VERSION_MISMATCH) )
113 throw ValidationException("Invalid value for top-level StatusCode");
117 END_XMLOBJECTVALIDATOR;
119 BEGIN_XMLOBJECTVALIDATOR(SAML_DLLLOCAL,Status);
120 XMLOBJECTVALIDATOR_REQUIRE(Status,StatusCode);
121 END_XMLOBJECTVALIDATOR;
123 BEGIN_XMLOBJECTVALIDATOR_SUB(SAML_DLLLOCAL,AssertionIDRequest,RequestAbstractType);
124 RequestAbstractTypeSchemaValidator::validate(xmlObject);
125 XMLOBJECTVALIDATOR_NONEMPTY(AssertionIDRequest,AssertionIDRef);
126 END_XMLOBJECTVALIDATOR;
128 BEGIN_XMLOBJECTVALIDATOR(SAML_DLLLOCAL,RequestedAuthnContext);
129 if (ptr->getAuthnContextClassRefs().empty() && ptr->getAuthnContextDeclRefs().empty())
130 throw xmltooling::ValidationException("RequestedAuthnContext must have at least one AuthnContextClassRef or AuthnContextDeclRef");
131 if (!ptr->getAuthnContextClassRefs().empty() && !ptr->getAuthnContextDeclRefs().empty())
132 throw xmltooling::ValidationException("RequestedAuthnContext may not have both AuthnContextClassRef and AuthnContextDeclRef");
133 if (!XMLString::equals(ptr->getComparison(),RequestedAuthnContext::COMPARISON_EXACT) &&
134 !XMLString::equals(ptr->getComparison(),RequestedAuthnContext::COMPARISON_MINIMUM) &&
135 !XMLString::equals(ptr->getComparison(),RequestedAuthnContext::COMPARISON_MAXIMUM) &&
136 !XMLString::equals(ptr->getComparison(),RequestedAuthnContext::COMPARISON_BETTER))
137 throw ValidationException("RequestedAuthnContext Comparison attribute must be one of: 'exact', 'minimum', 'maximum', or 'better'.");
138 END_XMLOBJECTVALIDATOR;
140 BEGIN_XMLOBJECTVALIDATOR_SUB(SAML_DLLLOCAL,AuthnQuery,SubjectQuery);
141 SubjectQuerySchemaValidator::validate(xmlObject);
142 END_XMLOBJECTVALIDATOR;
144 BEGIN_XMLOBJECTVALIDATOR_SUB(SAML_DLLLOCAL,AttributeQuery,SubjectQuery);
145 SubjectQuerySchemaValidator::validate(xmlObject);
146 //TODO Name/NameFormat pairs of child Attributes must be unique
147 // - whether and how to implement efficiently?
148 END_XMLOBJECTVALIDATOR;
150 BEGIN_XMLOBJECTVALIDATOR_SUB(SAML_DLLLOCAL,AuthzDecisionQuery,SubjectQuery);
151 SubjectQuerySchemaValidator::validate(xmlObject);
152 XMLOBJECTVALIDATOR_REQUIRE(AuthzDecisionQuery,Resource);
153 XMLOBJECTVALIDATOR_NONEMPTY(AuthzDecisionQuery,Action);
154 END_XMLOBJECTVALIDATOR;
156 BEGIN_XMLOBJECTVALIDATOR(SAML_DLLLOCAL,IDPEntry);
157 XMLOBJECTVALIDATOR_REQUIRE(IDPEntry,ProviderID);
158 END_XMLOBJECTVALIDATOR;
160 BEGIN_XMLOBJECTVALIDATOR(SAML_DLLLOCAL,IDPList);
161 XMLOBJECTVALIDATOR_NONEMPTY(IDPList,IDPEntry);
162 END_XMLOBJECTVALIDATOR;
164 BEGIN_XMLOBJECTVALIDATOR(SAML_DLLLOCAL,Scoping);
165 pair<bool,int> pc = ptr->getProxyCount();
166 if (pc.first && pc.second < 0)
167 throw xmltooling::ValidationException("ProxyCount attribute on Scoping element must be non-negative");
168 END_XMLOBJECTVALIDATOR;
170 BEGIN_XMLOBJECTVALIDATOR_SUB(SAML_DLLLOCAL,AuthnRequest,RequestAbstractType);
171 RequestAbstractTypeSchemaValidator::validate(xmlObject);
172 if (ptr->getAssertionConsumerServiceIndex().first
173 && (ptr->getAssertionConsumerServiceURL()!=nullptr || ptr->getProtocolBinding()!=nullptr))
174 throw xmltooling::ValidationException("On AuthnRequest AssertionConsumerServiceIndex is mutually exclusive with both AssertionConsumerServiceURL and ProtocolBinding");
175 END_XMLOBJECTVALIDATOR;
177 BEGIN_XMLOBJECTVALIDATOR_SUB(SAML_DLLLOCAL,Response,StatusResponseType);
178 StatusResponseTypeSchemaValidator::validate(xmlObject);
179 END_XMLOBJECTVALIDATOR;
181 BEGIN_XMLOBJECTVALIDATOR_SUB(SAML_DLLLOCAL,ArtifactResolve,RequestAbstractType);
182 RequestAbstractTypeSchemaValidator::validate(xmlObject);
183 XMLOBJECTVALIDATOR_REQUIRE(ArtifactResolve,Artifact);
184 END_XMLOBJECTVALIDATOR;
186 BEGIN_XMLOBJECTVALIDATOR_SUB(SAML_DLLLOCAL,ArtifactResponse,StatusResponseType);
187 StatusResponseTypeSchemaValidator::validate(xmlObject);
188 END_XMLOBJECTVALIDATOR;
190 BEGIN_XMLOBJECTVALIDATOR(SAML_DLLLOCAL,NewEncryptedID);
191 XMLOBJECTVALIDATOR_REQUIRE(NewEncryptedID,EncryptedData);
192 END_XMLOBJECTVALIDATOR;
194 BEGIN_XMLOBJECTVALIDATOR_SUB(SAML_DLLLOCAL,ManageNameIDRequest,RequestAbstractType);
195 RequestAbstractTypeSchemaValidator::validate(xmlObject);
196 XMLOBJECTVALIDATOR_ONLYONEOF(ManageNameIDRequest,NameID,EncryptedID);
197 XMLOBJECTVALIDATOR_ONLYONEOF3(ManageNameIDRequest,NewID,NewEncryptedID,Terminate);
198 END_XMLOBJECTVALIDATOR;
200 BEGIN_XMLOBJECTVALIDATOR_SUB(SAML_DLLLOCAL,ManageNameIDResponse,StatusResponseType);
201 StatusResponseTypeSchemaValidator::validate(xmlObject);
202 END_XMLOBJECTVALIDATOR;
204 BEGIN_XMLOBJECTVALIDATOR_SUB(SAML_DLLLOCAL,LogoutRequest,RequestAbstractType);
205 RequestAbstractTypeSchemaValidator::validate(xmlObject);
206 XMLOBJECTVALIDATOR_ONLYONEOF3(LogoutRequest,BaseID,NameID,EncryptedID);
207 END_XMLOBJECTVALIDATOR;
209 BEGIN_XMLOBJECTVALIDATOR_SUB(SAML_DLLLOCAL,LogoutResponse,StatusResponseType);
210 StatusResponseTypeSchemaValidator::validate(xmlObject);
211 END_XMLOBJECTVALIDATOR;
213 BEGIN_XMLOBJECTVALIDATOR_SUB(SAML_DLLLOCAL,NameIDMappingRequest,RequestAbstractType);
214 RequestAbstractTypeSchemaValidator::validate(xmlObject);
215 XMLOBJECTVALIDATOR_ONLYONEOF3(NameIDMappingRequest,BaseID,NameID,EncryptedID);
216 XMLOBJECTVALIDATOR_REQUIRE(NameIDMappingRequest,NameIDPolicy);
217 END_XMLOBJECTVALIDATOR;
219 BEGIN_XMLOBJECTVALIDATOR_SUB(SAML_DLLLOCAL,NameIDMappingResponse,StatusResponseType);
220 StatusResponseTypeSchemaValidator::validate(xmlObject);
221 XMLOBJECTVALIDATOR_ONLYONEOF(NameIDMappingResponse,NameID,EncryptedID);
222 END_XMLOBJECTVALIDATOR;
228 #define REGISTER_ELEMENT(cname) \
229 q=xmltooling::QName(SAML20P_NS,cname::LOCAL_NAME); \
230 XMLObjectBuilder::registerBuilder(q,new cname##Builder()); \
231 SchemaValidators.registerValidator(q,new cname##SchemaValidator())
233 #define REGISTER_TYPE(cname) \
234 q=xmltooling::QName(SAML20P_NS,cname::TYPE_NAME); \
235 XMLObjectBuilder::registerBuilder(q,new cname##Builder()); \
236 SchemaValidators.registerValidator(q,new cname##SchemaValidator())
238 #define REGISTER_ELEMENT_NOVAL(cname) \
239 q=xmltooling::QName(SAML20P_NS,cname::LOCAL_NAME); \
240 XMLObjectBuilder::registerBuilder(q,new cname##Builder());
242 #define REGISTER_TYPE_NOVAL(cname) \
243 q=xmltooling::QName(SAML20P_NS,cname::TYPE_NAME); \
244 XMLObjectBuilder::registerBuilder(q,new cname##Builder());
246 void opensaml::saml2p::registerProtocolClasses() {
248 REGISTER_ELEMENT(Artifact);
249 REGISTER_ELEMENT(ArtifactResolve);
250 REGISTER_ELEMENT(ArtifactResponse);
251 REGISTER_ELEMENT(AssertionIDRequest);
252 REGISTER_ELEMENT(AttributeQuery);
253 REGISTER_ELEMENT(AuthnQuery);
254 REGISTER_ELEMENT(AuthnRequest);
255 REGISTER_ELEMENT(AuthzDecisionQuery);
256 REGISTER_ELEMENT(Extensions);
257 REGISTER_ELEMENT(GetComplete);
258 REGISTER_ELEMENT(IDPEntry);
259 REGISTER_ELEMENT(IDPList);
260 REGISTER_ELEMENT(LogoutRequest);
261 REGISTER_ELEMENT(LogoutResponse);
262 REGISTER_ELEMENT(ManageNameIDRequest);
263 REGISTER_ELEMENT(ManageNameIDResponse);
264 REGISTER_ELEMENT(NameIDMappingRequest);
265 REGISTER_ELEMENT(NameIDMappingResponse);
266 REGISTER_ELEMENT_NOVAL(NameIDPolicy);
267 REGISTER_ELEMENT(NewEncryptedID);
268 REGISTER_ELEMENT(NewID);
269 REGISTER_ELEMENT(RequestedAuthnContext);
270 REGISTER_ELEMENT(RequesterID);
271 REGISTER_ELEMENT(Response);
272 REGISTER_ELEMENT(Scoping);
273 REGISTER_ELEMENT(SessionIndex);
274 REGISTER_ELEMENT(Status);
275 REGISTER_ELEMENT(StatusCode);
276 REGISTER_ELEMENT_NOVAL(StatusDetail);
277 REGISTER_ELEMENT(StatusMessage);
278 REGISTER_ELEMENT_NOVAL(Terminate);
279 REGISTER_TYPE(ArtifactResolve);
280 REGISTER_TYPE(ArtifactResponse);
281 REGISTER_TYPE(AssertionIDRequest);
282 REGISTER_TYPE(AttributeQuery);
283 REGISTER_TYPE(AuthnQuery);
284 REGISTER_TYPE(AuthnRequest);
285 REGISTER_TYPE(AuthzDecisionQuery);
286 REGISTER_TYPE(Extensions);
287 REGISTER_TYPE(IDPEntry);
288 REGISTER_TYPE(IDPList);
289 REGISTER_TYPE(LogoutRequest);
290 REGISTER_TYPE(ManageNameIDRequest);
291 REGISTER_TYPE(NameIDMappingRequest);
292 REGISTER_TYPE(NameIDMappingResponse);
293 REGISTER_TYPE_NOVAL(NameIDPolicy);
294 REGISTER_TYPE(RequestedAuthnContext);
295 REGISTER_TYPE(Response);
296 REGISTER_TYPE(Scoping);
297 REGISTER_TYPE(Status);
298 REGISTER_TYPE(StatusCode);
299 REGISTER_TYPE_NOVAL(StatusDetail);
300 REGISTER_TYPE_NOVAL(Terminate);
302 q=xmltooling::QName(samlconstants::SAML20P_THIRDPARTY_EXT_NS,RespondTo::LOCAL_NAME);
303 XMLObjectBuilder::registerBuilder(q,new RespondToBuilder());
304 SchemaValidators.registerValidator(q,new RespondToSchemaValidator());