2 * Licensed to the University Corporation for Advanced Internet
3 * Development, Inc. (UCAID) under one or more contributor license
4 * agreements. See the NOTICE file distributed with this work for
5 * additional information regarding copyright ownership.
7 * UCAID licenses this file to you under the Apache License,
8 * Version 2.0 (the "License"); you may not use this file except
9 * in compliance with the License. You may obtain a copy of the
12 * http://www.apache.org/licenses/LICENSE-2.0
14 * Unless required by applicable law or agreed to in writing,
15 * software distributed under the License is distributed on an
16 * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND,
17 * either express or implied. See the License for the specific
18 * language governing permissions and limitations under the License.
22 * WhitelistMetadataFilter.cpp
24 * Removes non-whitelisted entities from a metadata instance
28 #include "saml2/metadata/Metadata.h"
29 #include "saml2/metadata/MetadataFilter.h"
31 #include <boost/lambda/bind.hpp>
32 #include <boost/lambda/casts.hpp>
33 #include <boost/lambda/lambda.hpp>
34 #include <boost/shared_ptr.hpp>
35 #include <boost/iterator/indirect_iterator.hpp>
36 #include <xmltooling/logging.h>
38 using namespace opensaml::saml2;
39 using namespace opensaml::saml2md;
40 using namespace xmltooling::logging;
41 using namespace xmltooling;
42 using namespace boost::lambda;
43 using namespace boost;
48 class SAML_DLLLOCAL WhitelistMetadataFilter : public MetadataFilter
51 WhitelistMetadataFilter(const DOMElement* e);
52 ~WhitelistMetadataFilter() {}
54 const char* getId() const { return WHITELIST_METADATA_FILTER; }
55 void doFilter(XMLObject& xmlObject) const;
58 void filterGroup(EntitiesDescriptor&) const;
59 bool included(const EntityDescriptor&) const;
60 bool matches(const EntityAttributes*, const Attribute*) const;
62 set<xstring> m_entities;
64 vector< boost::shared_ptr<Attribute> > m_tags;
67 MetadataFilter* SAML_DLLLOCAL WhitelistMetadataFilterFactory(const DOMElement* const & e)
69 return new WhitelistMetadataFilter(e);
72 static const XMLCh Include[] = UNICODE_LITERAL_7(I,n,c,l,u,d,e);
73 static const XMLCh trimTags[] = UNICODE_LITERAL_8(t,r,i,m,T,a,g,s);
78 WhitelistMetadataFilter::WhitelistMetadataFilter(const DOMElement* e)
79 : m_trimTags(XMLHelper::getAttrBool(e, false, trimTags))
81 DOMElement* child = XMLHelper::getFirstChildElement(e);
83 if (XMLString::equals(child->getLocalName(), Include) && child->hasChildNodes()) {
84 m_entities.insert(child->getFirstChild()->getTextContent());
86 else if (XMLHelper::isNodeNamed(child, samlconstants::SAML20_NS, Attribute::LOCAL_NAME)) {
87 boost::shared_ptr<XMLObject> obj(AttributeBuilder::buildOneFromElement(child));
88 m_tags.push_back(boost::shared_dynamic_cast<Attribute>(obj));
90 child = XMLHelper::getNextSiblingElement(child);
94 void WhitelistMetadataFilter::doFilter(XMLObject& xmlObject) const
96 EntitiesDescriptor* group = dynamic_cast<EntitiesDescriptor*>(&xmlObject);
101 EntityDescriptor* entity = dynamic_cast<EntityDescriptor*>(&xmlObject);
103 if (!included(*entity))
104 throw MetadataFilterException(WHITELIST_METADATA_FILTER" MetadataFilter instructed to filter the root/only entity in the metadata.");
107 throw MetadataFilterException(WHITELIST_METADATA_FILTER" MetadataFilter was given an improper metadata instance to filter.");
112 void WhitelistMetadataFilter::filterGroup(EntitiesDescriptor& entities) const
114 Category& log=Category::getInstance(SAML_LOGCAT".MetadataFilter."WHITELIST_METADATA_FILTER);
116 VectorOf(EntityDescriptor) v = entities.getEntityDescriptors();
117 for (VectorOf(EntityDescriptor)::size_type i = 0; i < v.size(); ) {
118 if (!included(*v[i])) {
119 auto_ptr_char id(v[i]->getEntityID());
120 log.info("filtering out non-whitelisted entity (%s)", id.get());
121 v.erase(v.begin() + i);
128 const vector<EntitiesDescriptor*>& groups = const_cast<const EntitiesDescriptor&>(entities).getEntitiesDescriptors();
130 make_indirect_iterator(groups.begin()), make_indirect_iterator(groups.end()),
131 lambda::bind(&WhitelistMetadataFilter::filterGroup, this, _1)
135 bool WhitelistMetadataFilter::included(const EntityDescriptor& entity) const
137 // Check for entityID.
138 if (entity.getEntityID() && !m_entities.empty() && m_entities.count(entity.getEntityID()) == 1)
141 // Check for a tag match in the EntityAttributes extension of the entity and its parent(s).
142 if (!m_tags.empty()) {
143 const Extensions* exts = entity.getExtensions();
145 const vector<XMLObject*>& children = exts->getUnknownXMLObjects();
146 const XMLObject* xo = find_if(children, ll_dynamic_cast<EntityAttributes*>(_1) != ((EntityAttributes*)nullptr));
148 // If we find a matching tag, we win. Each tag is treated in OR fashion.
149 if (find_if(m_tags.begin(), m_tags.end(),
150 lambda::bind(&WhitelistMetadataFilter::matches, this, dynamic_cast<const EntityAttributes*>(xo),
151 lambda::bind(&boost::shared_ptr<Attribute>::get, _1))) != m_tags.end()) {
157 const EntitiesDescriptor* group = dynamic_cast<EntitiesDescriptor*>(entity.getParent());
159 exts = group->getExtensions();
161 const vector<XMLObject*>& children = exts->getUnknownXMLObjects();
162 const XMLObject* xo = find_if(children, ll_dynamic_cast<EntityAttributes*>(_1) != ((EntityAttributes*)nullptr));
164 // If we find a matching tag, we win. Each tag is treated in OR fashion.
165 if (find_if(m_tags.begin(), m_tags.end(),
166 lambda::bind(&WhitelistMetadataFilter::matches, this, dynamic_cast<const EntityAttributes*>(xo),
167 lambda::bind(&boost::shared_ptr<Attribute>::get, _1))) != m_tags.end()) {
172 group = dynamic_cast<EntitiesDescriptor*>(group->getParent());
178 bool WhitelistMetadataFilter::matches(const EntityAttributes* ea, const Attribute* tag) const
180 const vector<Attribute*>& attrs = ea->getAttributes();
181 const vector<XMLObject*>& tagvals = tag->getAttributeValues();
182 if (!attrs.empty() && !tagvals.empty()) {
183 // Track whether we've found every tag value.
184 vector<bool> flags(tagvals.size());
186 // Check each attribute/tag in the candidate.
187 for (indirect_iterator<vector<Attribute*>::const_iterator> a = make_indirect_iterator(attrs.begin());
188 a != make_indirect_iterator(attrs.end()); ++a) {
189 // Compare Name and NameFormat for a matching tag.
190 if (XMLString::equals(a->getName(), tag->getName()) &&
191 (!tag->getNameFormat() || XMLString::equals(tag->getNameFormat(), Attribute::UNSPECIFIED) ||
192 XMLString::equals(tag->getNameFormat(), a->getNameFormat()))) {
193 // Check each tag value's simple content for a match.
194 for (vector<XMLObject*>::size_type tagindex = 0; tagindex < tagvals.size(); ++tagindex) {
195 const XMLObject* tagval = tagvals[tagindex];
196 const XMLCh* tagvalstr = (tagval->getDOM()) ? tagval->getDOM()->getTextContent() : tagval->getTextContent();
197 const vector<XMLObject*>& cvals = const_cast<const Attribute&>(*a).getAttributeValues();
198 for (indirect_iterator<vector<XMLObject*>::const_iterator> cval = make_indirect_iterator(cvals.begin());
199 cval != make_indirect_iterator(cvals.end()); ++cval) {
200 const XMLCh* cvalstr = cval->getDOM() ? cval->getDOM()->getTextContent() : cval->getTextContent();
201 if (tagvalstr && cvalstr) {
202 if (XMLString::equals(tagvalstr, cvalstr)) {
203 flags[tagindex] = true;
206 else if (m_trimTags) {
207 XMLCh* dup = XMLString::replicate(cvalstr);
208 XMLString::trim(dup);
209 if (XMLString::equals(tagvalstr, dup)) {
210 XMLString::release(&dup);
211 flags[tagindex] = true;
214 XMLString::release(&dup);
222 if (find(flags.begin(), flags.end(), false) == flags.end())
projects / shibboleth / cpp-opensaml.git / blob