/*
- * Copyright 2001-2007 Internet2
- *
+ * Copyright 2001-2009 Internet2
+ *
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
/**
* @file saml/saml2/core/Assertions.h
- *
- * XMLObjects representing the SAML 2.0 Assertions schema
+ *
+ * XMLObjects representing the SAML 2.0 Assertions schema.
*/
#ifndef __saml2_assertions_h__
#define __saml2_assertions_h__
-#include <saml/RootObject.h>
+#include <saml/Assertion.h>
#include <saml/util/SAMLConstants.h>
-#include <xmltooling/XMLObjectBuilder.h>
-#include <xmltooling/encryption/Encryption.h>
-#include <xmltooling/signature/KeyResolver.h>
-#include <xmltooling/signature/Signature.h>
-#include <xmltooling/util/DateTime.h>
+#include <xmltooling/ConcreteXMLObjectBuilder.h>
+#include <xmltooling/ElementProxy.h>
#define DECL_SAML2OBJECTBUILDER(cname) \
DECL_XMLOBJECTBUILDER(SAML_API,cname,samlconstants::SAML20_NS,samlconstants::SAML20_PREFIX)
+namespace xmltooling {
+ class XMLTOOL_API CredentialCriteria;
+ class XMLTOOL_API CredentialResolver;
+ class XMLTOOL_API DateTime;
+};
+
+namespace xmlencryption {
+ class XMLTOOL_API EncryptedData;
+ class XMLTOOL_API EncryptedKey;
+};
+
+namespace xmlsignature {
+ class XMLTOOL_API KeyInfo;
+ class XMLTOOL_API Signature;
+};
+
namespace opensaml {
+ namespace saml2md {
+ class SAML_API MetadataProvider;
+ class SAML_API MetadataCredentialCriteria;
+ };
+
/**
* @namespace opensaml::saml2
* SAML 2.0 assertion namespace
*/
namespace saml2 {
-
+
// Forward references
class SAML_API Assertion;
class SAML_API EncryptedAssertion;
-
+
+ /**
+ * Marker interface for SAML types that can be encrypted.
+ */
+ class SAML_API EncryptableObject : public virtual xmltooling::XMLObject
+ {
+ protected:
+ EncryptableObject() {}
+ virtual ~EncryptableObject() {}
+ };
+
DECL_XMLOBJECT_SIMPLE(SAML_API,AssertionIDRef,AssertionID,SAML 2.0 AssertionIDRef element);
DECL_XMLOBJECT_SIMPLE(SAML_API,AssertionURIRef,AssertionURI,SAML 2.0 AssertionURIRef element);
DECL_XMLOBJECT_SIMPLE(SAML_API,Audience,AudienceURI,SAML 2.0 Audience element);
DECL_TYPED_FOREIGN_CHILDREN(EncryptedKey,xmlencryption);
/** EncryptedElementType local name */
static const XMLCh TYPE_NAME[];
-
+
+ /**
+ * Encrypts an object to a single recipient using this object as a container.
+ *
+ * @param xmlObject object to encrypt
+ * @param metadataProvider a locked MetadataProvider to supply encryption keys
+ * @param criteria metadata-based CredentialCriteria to use
+ * @param compact true iff compact KeyInfo should be used
+ * @param algorithm optionally specifies data encryption algorithm if none can be determined from metadata
+ * @return the encrypted object
+ */
+ virtual void encrypt(
+ const EncryptableObject& xmlObject,
+ const saml2md::MetadataProvider& metadataProvider,
+ saml2md::MetadataCredentialCriteria& criteria,
+ bool compact=false,
+ const XMLCh* algorithm=NULL
+ );
+
+ /**
+ * Encrypts an object to multiple recipients using this object as a container.
+ *
+ * @param xmlObject object to encrypt
+ * @param recipients pairs containing a locked MetadataProvider to supply encryption keys,
+ * and a metadata-based CredentialCriteria to use
+ * @param compact true iff compact KeyInfo should be used
+ * @param algorithm optionally specifies data encryption algorithm if none can be determined from metadata
+ * @return the encrypted object
+ */
+ virtual void encrypt(
+ const EncryptableObject& xmlObject,
+ const std::vector< std::pair<const saml2md::MetadataProvider*, saml2md::MetadataCredentialCriteria*> >& recipients,
+ bool compact=false,
+ const XMLCh* algorithm=NULL
+ );
+
/**
- * Decrypts the element using a standard approach based on a wrapped decryption key
- * inside the message. The key decryption key should be supplied using the provided
- * resolver. The recipient name may be used when multiple encrypted keys are found.
- * The object returned will be unmarshalled around the decrypted DOM element, but the
- * DOM itself will be released.
- *
- * @param KEKresolver resolver supplying key decryption key
+ * Decrypts the element using the supplied CredentialResolver.
+ *
+ * <p>The object returned will be unmarshalled around the decrypted DOM element in a
+ * new Document owned by the object.
+ *
+ * @param credResolver locked resolver supplying decryption keys
* @param recipient identifier naming the recipient (the entity performing the decryption)
+ * @param criteria optional external criteria to use with resolver
* @return the decrypted and unmarshalled object
*/
- virtual xmltooling::XMLObject* decrypt(xmlsignature::KeyResolver* KEKresolver, const XMLCh* recipient) const=0;
+ virtual xmltooling::XMLObject* decrypt(
+ const xmltooling::CredentialResolver& credResolver, const XMLCh* recipient, xmltooling::CredentialCriteria* criteria=NULL
+ ) const;
END_XMLOBJECT;
BEGIN_XMLOBJECT(SAML_API,EncryptedID,EncryptedElementType,SAML 2.0 EncryptedID element);
END_XMLOBJECT;
- BEGIN_XMLOBJECT(SAML_API,BaseID,xmltooling::XMLObject,SAML 2.0 BaseID abstract element);
+ BEGIN_XMLOBJECT(SAML_API,BaseID,EncryptableObject,SAML 2.0 BaseID abstract element);
DECL_STRING_ATTRIB(NameQualifier,NAMEQUALIFIER);
DECL_STRING_ATTRIB(SPNameQualifier,SPNAMEQUALIFIER);
END_XMLOBJECT;
static const XMLCh TRANSIENT[];
END_XMLOBJECT;
- BEGIN_XMLOBJECT(SAML_API,NameID,NameIDType,SAML 2.0 NameID element);
+ BEGIN_XMLOBJECT2(SAML_API,NameID,NameIDType,EncryptableObject,SAML 2.0 NameID element);
END_XMLOBJECT;
BEGIN_XMLOBJECT(SAML_API,Issuer,NameIDType,SAML 2.0 Issuer element);
BEGIN_XMLOBJECT(SAML_API,Condition,xmltooling::XMLObject,SAML 2.0 Condition element);
END_XMLOBJECT;
-
+
BEGIN_XMLOBJECT(SAML_API,AudienceRestriction,Condition,SAML 2.0 AudienceRestriction element);
DECL_TYPED_CHILDREN(Audience);
/** AudienceRestrictionType local name */
static const XMLCh TYPE_NAME[];
END_XMLOBJECT;
+ BEGIN_XMLOBJECT(SAML_API,Delegate,xmltooling::XMLObject,SAML 2.0 Delegation Restriction Condition Delegate element);
+ DECL_STRING_ATTRIB(ConfirmationMethod,CONFIRMATIONMETHOD);
+ DECL_DATETIME_ATTRIB(DelegationInstant,DELEGATIONINSTANT);
+ DECL_TYPED_CHILD(BaseID);
+ DECL_TYPED_CHILD(NameID);
+ DECL_TYPED_CHILD(EncryptedID);
+ /** DelegateType local name */
+ static const XMLCh TYPE_NAME[];
+ END_XMLOBJECT;
+
+ BEGIN_XMLOBJECT(SAML_API,DelegationRestrictionType,Condition,SAML 2.0 Delegation Restriction Condition type);
+ DECL_TYPED_CHILDREN(Delegate);
+ /** DelegationRestrictionType local name */
+ static const XMLCh TYPE_NAME[];
+ END_XMLOBJECT;
+
BEGIN_XMLOBJECT(SAML_API,Conditions,xmltooling::XMLObject,SAML 2.0 Conditions element);
DECL_DATETIME_ATTRIB(NotBefore,NOTBEFORE);
DECL_DATETIME_ATTRIB(NotOnOrAfter,NOTONORAFTER);
static const XMLCh TYPE_NAME[];
END_XMLOBJECT;
- BEGIN_XMLOBJECT(SAML_API,SubjectConfirmationData,xmltooling::ElementProxy,SAML 2.0 SubjectConfirmationData element);
+ BEGIN_XMLOBJECT(SAML_API,SubjectConfirmationDataType,xmltooling::XMLObject,SAML 2.0 SubjectConfirmationDataType base type);
DECL_DATETIME_ATTRIB(NotBefore,NOTBEFORE);
DECL_DATETIME_ATTRIB(NotOnOrAfter,NOTONORAFTER);
DECL_STRING_ATTRIB(Recipient,RECIPIENT);
DECL_STRING_ATTRIB(InResponseTo,INRESPONSETO);
DECL_STRING_ATTRIB(Address,ADDRESS);
+ END_XMLOBJECT;
+
+ BEGIN_XMLOBJECT2(SAML_API,SubjectConfirmationData,SubjectConfirmationDataType,xmltooling::ElementProxy,SAML 2.0 SubjectConfirmationData element);
DECL_SIMPLE_CONTENT(Data);
END_XMLOBJECT;
- BEGIN_XMLOBJECT(SAML_API,KeyInfoConfirmationDataType,xmltooling::AttributeExtensibleXMLObject,SAML 2.0 KeyInfoConfirmationDataType type);
- DECL_DATETIME_ATTRIB(NotBefore,NOTBEFORE);
- DECL_DATETIME_ATTRIB(NotOnOrAfter,NOTONORAFTER);
- DECL_STRING_ATTRIB(Recipient,RECIPIENT);
- DECL_STRING_ATTRIB(InResponseTo,INRESPONSETO);
- DECL_STRING_ATTRIB(Address,ADDRESS);
+ BEGIN_XMLOBJECT2(SAML_API,KeyInfoConfirmationDataType,SubjectConfirmationDataType,xmltooling::AttributeExtensibleXMLObject,SAML 2.0 KeyInfoConfirmationDataType type);
DECL_TYPED_FOREIGN_CHILDREN(KeyInfo,xmlsignature);
/** KeyInfoConfirmationDataType local name */
static const XMLCh TYPE_NAME[];
END_XMLOBJECT;
-
+
BEGIN_XMLOBJECT(SAML_API,SubjectConfirmation,xmltooling::XMLObject,SAML 2.0 SubjectConfirmation element);
DECL_STRING_ATTRIB(Method,METHOD);
DECL_TYPED_CHILD(BaseID);
DECL_TYPED_CHILD(NameID);
DECL_TYPED_CHILD(EncryptedID);
DECL_XMLOBJECT_CHILD(SubjectConfirmationData);
- DECL_TYPED_CHILD(KeyInfoConfirmationDataType);
/** SubjectConfirmationType local name */
static const XMLCh TYPE_NAME[];
/** Bearer confirmation method */
BEGIN_XMLOBJECT(SAML_API,AttributeValue,xmltooling::ElementProxy,SAML 2.0 AttributeValue element);
END_XMLOBJECT;
- BEGIN_XMLOBJECT(SAML_API,Attribute,xmltooling::AttributeExtensibleXMLObject,SAML 2.0 Attribute element);
+ BEGIN_XMLOBJECT2(SAML_API,Attribute,xmltooling::AttributeExtensibleXMLObject,EncryptableObject,SAML 2.0 Attribute element);
DECL_STRING_ATTRIB(Name,NAME);
DECL_STRING_ATTRIB(NameFormat,NAMEFORMAT);
DECL_STRING_ATTRIB(FriendlyName,FRIENDLYNAME);
RootObject() {}
public:
virtual ~RootObject() {}
-
+
/** Gets the Version attribute. */
virtual const XMLCh* getVersion() const=0;
-
+
/** Gets the Issuer. */
virtual Issuer* getIssuer() const=0;
};
- BEGIN_XMLOBJECT(SAML_API,Assertion,saml2::RootObject,SAML 2.0 Assertion element);
- bool isAssertion() const {
- return true;
- }
+ BEGIN_XMLOBJECT3(SAML_API,Assertion,saml2::RootObject,opensaml::Assertion,EncryptableObject,SAML 2.0 Assertion element);
DECL_INHERITED_STRING_ATTRIB(Version,VER);
DECL_INHERITED_STRING_ATTRIB(ID,ID);
DECL_INHERITED_DATETIME_ATTRIB(IssueInstant,ISSUEINSTANT);
DECL_SAML2OBJECTBUILDER(SubjectConfirmation);
DECL_SAML2OBJECTBUILDER(SubjectConfirmationData);
DECL_SAML2OBJECTBUILDER(SubjectLocality);
-
+
+ DECL_XMLOBJECTBUILDER(SAML_API,Delegate,samlconstants::SAML20_DELEGATION_CONDITION_NS,samlconstants::SAML20_DELEGATION_CONDITION_PREFIX);
+
/**
* Builder for NameIDType objects.
- *
+ *
* This is customized to force the element name to be specified.
*/
class SAML_API NameIDTypeBuilder : public xmltooling::XMLObjectBuilder {
#endif
const XMLCh* nsURI, const XMLCh* localName, const XMLCh* prefix=NULL, const xmltooling::QName* schemaType=NULL
) const;
-
+
/** Singleton builder. */
static NameIDType* buildNameIDType(const XMLCh* nsURI, const XMLCh* localName, const XMLCh* prefix=NULL) {
const NameIDTypeBuilder* b = dynamic_cast<const NameIDTypeBuilder*>(
};
/**
+ * Builder for Condition extension objects.
+ *
+ * This is customized to force the schema type to be specified.
+ */
+ class SAML_API ConditionBuilder : public xmltooling::XMLObjectBuilder {
+ public:
+ virtual ~ConditionBuilder() {}
+ /** Builder that allows element/type override. */
+#ifdef HAVE_COVARIANT_RETURNS
+ virtual Condition* buildObject(
+#else
+ virtual xmltooling::XMLObject* buildObject(
+#endif
+ const XMLCh* nsURI, const XMLCh* localName, const XMLCh* prefix=NULL, const xmltooling::QName* schemaType=NULL
+ ) const;
+
+ /** Singleton builder. */
+ static Condition* buildCondition(const xmltooling::QName& schemaType) {
+ const ConditionBuilder* b = dynamic_cast<const ConditionBuilder*>(
+ XMLObjectBuilder::getBuilder(xmltooling::QName(samlconstants::SAML20_NS,Condition::LOCAL_NAME))
+ );
+ if (b) {
+#ifdef HAVE_COVARIANT_RETURNS
+ return b->buildObject(samlconstants::SAML20_NS, Condition::LOCAL_NAME, samlconstants::SAML20_PREFIX, &schemaType);
+#else
+ return dynamic_cast<Condition*>(b->buildObject(samlconstants::SAML20_NS, Condition::LOCAL_NAME, samlconstants::SAML20_PREFIX, &schemaType));
+#endif
+ }
+ throw xmltooling::XMLObjectException("Unable to obtain typed builder for Condition.");
+ }
+ };
+
+ /**
+ * Builder for DelegationRestrictionType objects.
+ *
+ * This is customized to return a Condition element with an xsi:type of DelegationRestrictionType.
+ */
+ class SAML_API DelegationRestrictionTypeBuilder : public xmltooling::ConcreteXMLObjectBuilder {
+ public:
+ virtual ~DelegationRestrictionTypeBuilder() {}
+ /** Default builder. */
+#ifdef HAVE_COVARIANT_RETURNS
+ virtual DelegationRestrictionType* buildObject() const {
+#else
+ virtual xmltooling::XMLObject* buildObject() const {
+#endif
+ xmltooling::QName schemaType(
+ samlconstants::SAML20_DELEGATION_CONDITION_NS,
+ DelegationRestrictionType::TYPE_NAME,
+ samlconstants::SAML20_DELEGATION_CONDITION_PREFIX
+ );
+ return buildObject(
+ samlconstants::SAML20_DELEGATION_CONDITION_NS,
+ DelegationRestrictionType::LOCAL_NAME,
+ samlconstants::SAML20_DELEGATION_CONDITION_PREFIX,
+ &schemaType
+ );
+ }
+ /** Builder that allows element/type override. */
+#ifdef HAVE_COVARIANT_RETURNS
+ virtual DelegationRestrictionType* buildObject(
+#else
+ virtual xmltooling::XMLObject* buildObject(
+#endif
+ const XMLCh* nsURI, const XMLCh* localName, const XMLCh* prefix=NULL, const xmltooling::QName* schemaType=NULL
+ ) const;
+
+ /** Singleton builder. */
+ static DelegationRestrictionType* buildDelegationRestrictionType() {
+ const DelegationRestrictionTypeBuilder* b = dynamic_cast<const DelegationRestrictionTypeBuilder*>(
+ XMLObjectBuilder::getBuilder(xmltooling::QName(samlconstants::SAML20_DELEGATION_CONDITION_NS,DelegationRestrictionType::TYPE_NAME))
+ );
+ if (b)
+#ifdef HAVE_COVARIANT_RETURNS
+ return b->buildObject();
+#else
+ return dynamic_cast<DelegationRestrictionType*>(b->buildObject());
+#endif
+ throw xmltooling::XMLObjectException("Unable to obtain typed builder for DelegationRestrictionType.");
+ }
+ };
+
+ /**
* Builder for KeyInfoConfirmationDataType objects.
- *
+ *
* This is customized to return a SubjectConfirmationData element with an
* xsi:type of KeyInfoConfirmationDataType.
*/
- class SAML_API KeyInfoConfirmationDataTypeBuilder : public xmltooling::XMLObjectBuilder {
+ class SAML_API KeyInfoConfirmationDataTypeBuilder : public xmltooling::ConcreteXMLObjectBuilder {
public:
virtual ~KeyInfoConfirmationDataTypeBuilder() {}
/** Default builder. */
#endif
const XMLCh* nsURI, const XMLCh* localName, const XMLCh* prefix=NULL, const xmltooling::QName* schemaType=NULL
) const;
-
+
/** Singleton builder. */
static KeyInfoConfirmationDataType* buildKeyInfoConfirmationDataType() {
const KeyInfoConfirmationDataTypeBuilder* b = dynamic_cast<const KeyInfoConfirmationDataTypeBuilder*>(
throw xmltooling::XMLObjectException("Unable to obtain typed builder for KeyInfoConfirmationDataType.");
}
};
-
+
+ /**
+ * Builder for Statement extension objects.
+ *
+ * This is customized to force the schema type to be specified.
+ */
+ class SAML_API StatementBuilder : public xmltooling::XMLObjectBuilder {
+ public:
+ virtual ~StatementBuilder() {}
+ /** Builder that allows element/type override. */
+#ifdef HAVE_COVARIANT_RETURNS
+ virtual Statement* buildObject(
+#else
+ virtual xmltooling::XMLObject* buildObject(
+#endif
+ const XMLCh* nsURI, const XMLCh* localName, const XMLCh* prefix=NULL, const xmltooling::QName* schemaType=NULL
+ ) const;
+
+ /** Singleton builder. */
+ static Statement* buildStatement(const xmltooling::QName& schemaType) {
+ const StatementBuilder* b = dynamic_cast<const StatementBuilder*>(
+ XMLObjectBuilder::getBuilder(xmltooling::QName(samlconstants::SAML20_NS,Statement::LOCAL_NAME))
+ );
+ if (b) {
+#ifdef HAVE_COVARIANT_RETURNS
+ return b->buildObject(samlconstants::SAML20_NS, Statement::LOCAL_NAME, samlconstants::SAML20_PREFIX, &schemaType);
+#else
+ return dynamic_cast<Statement*>(b->buildObject(samlconstants::SAML20_NS, Statement::LOCAL_NAME, samlconstants::SAML20_PREFIX, &schemaType));
+#endif
+ }
+ throw xmltooling::XMLObjectException("Unable to obtain typed builder for Statement.");
+ }
+ };
+
/**
* Registers builders and validators for SAML 2.0 Assertion classes into the runtime.
*/