From 7d897f427b1ca756046d85dea5dc533bf2df784d Mon Sep 17 00:00:00 2001
From: Scott Cantor
Date: Fri, 17 Aug 2007 22:02:02 +0000
Subject: [PATCH] Fix condition validation
---
 saml/saml1/profile/AssertionValidator.cpp | 33 +++++++++++++++++------------
 saml/saml1/profile/AssertionValidator.h | 7 +++---
 saml/saml2/profile/Assertion20Validator.cpp | 33 +++++++++++++++++------------
 saml/saml2/profile/AssertionValidator.h | 7 +++---
 4 files changed, 46 insertions(+), 34 deletions(-)
diff --git a/saml/saml1/profile/AssertionValidator.cpp b/saml/saml1/profile/AssertionValidator.cpp
index 82c94e1..69cdf25 100644
--- a/saml/saml1/profile/AssertionValidator.cpp
+++ b/saml/saml1/profile/AssertionValidator.cpp
@@ -58,22 +58,29 @@ void AssertionValidator::validateAssertion(const Assertion& assertion) const
 throw ValidationException("Assertion is no longer valid.");
 }
- // Now we process conditions. Only audience restrictions at the moment.
+ // Now we process conditions, starting with the known types and then extensions.
+
+ const vector& acvec = conds->getAudienceRestrictionConditions();
+ for (vector::const_iterator ac = acvec.begin(); ac!=acvec.end(); ++ac)
+ validateCondition(*ac);
+
+ const vector& dncvec = conds->getDoNotCacheConditions();
+ for (vector::const_iterator dnc = dncvec.begin(); dnc!=dncvec.end(); ++dnc)
+ validateCondition(*dnc);
+
 const vector& convec = conds->getConditions();
- for (vector::const_iterator c = convec.begin(); c!=convec.end(); ++c) {
- if (!validateCondition(*c)) {
- Category::getInstance(SAML_LOGCAT".AssertionValidator").error("unrecognized Condition in assertion (%s)",
- (*c)->getSchemaType() ? (*c)->getSchemaType()->toString().c_str() : (*c)->getElementQName().toString().c_str());
- throw ValidationException("Assertion contains an unrecognized condition.");
- }
- }
+ for (vector::const_iterator c = convec.begin(); c!=convec.end(); ++c)
+ validateCondition(*c);
 }
-bool AssertionValidator::validateCondition(const Condition* condition) const
+void AssertionValidator::validateCondition(const Condition* c) const
 {
- const AudienceRestrictionCondition* ac=dynamic_cast(condition);
- if (!ac)
- return false;
+ const AudienceRestrictionCondition* ac=dynamic_cast(c);
+ if (!ac) {
+ Category::getInstance(SAML_LOGCAT".AssertionValidator").error("unrecognized Condition in assertion (%s)",
+ c->getSchemaType() ? c->getSchemaType()->toString().c_str() : c->getElementQName().toString().c_str());
+ throw ValidationException("Assertion contains an unrecognized condition.");
+ }
 bool found = false;
 const vector& auds1 = ac->getAudiences();
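Review bot: The new loop over `getDoNotCacheConditions()` hands every DoNotCacheCondition to the base `validateCondition`, whose only accepted type is AudienceRestrictionCondition, so unless a subclass overrides it, any assertion carrying a DoNotCacheCondition now fails with "unrecognized condition" instead of being ignored as before. Failing closed on a condition the validator cannot honor is the right default for SAML, but nothing in the hunk records that this is deliberate, and the symmetry of the three loops invites a later "fix" that quietly skips it; a comment above that loop such as `// The base class cannot honor DoNotCache and rejects it in validateCondition; a subclass that can honor it must override.` would pin the intent. The body of validateAssertion begins before this hunk, so I cannot see where `conds` is established before `conds->getAudienceRestrictionConditions()` dereferences it here; the removed code dereferenced it the same way, so this is presumably checked earlier.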
@@ -91,6 +98,4 @@ bool AssertionValidator::validateCondition(const Condition* condition) const
 );
 throw ValidationException("Assertion contains an unacceptable AudienceRestrictionCondition.");
 }
-
- return found;
 }
diff --git a/saml/saml1/profile/AssertionValidator.h b/saml/saml1/profile/AssertionValidator.h
index 72477ad..650ddfb 100644
--- a/saml/saml1/profile/AssertionValidator.h
+++ b/saml/saml1/profile/AssertionValidator.h
@@ -60,12 +60,13 @@ namespace opensaml {
 /**
 * Condition validation.
 *
- *

Base class version only understands AudienceRestrictionConditions. + *

The base class version only understands AudienceRestrictionConditions.
+ * All other condition types will be rejected and require subclassing to
+ * prevent validation failure.
 *
 * @param condition condition to validate
- * @return true iff condition was understood
 */
- virtual bool validateCondition(const Condition* condition) const;
+ virtual void validateCondition(const Condition* condition) const;
 protected:
 /** Set of audience values representing recipient. */
diff --git a/saml/saml2/profile/Assertion20Validator.cpp b/saml/saml2/profile/Assertion20Validator.cpp
index 3109ec7..373df27 100644
--- a/saml/saml2/profile/Assertion20Validator.cpp
+++ b/saml/saml2/profile/Assertion20Validator.cpp
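Review bot: The rewritten doc comment on `validateCondition` removes `@return` but never says how a rejected condition is now signalled, even though the corresponding .cpp hunk in this patch throws on both an unrecognized type and an unacceptable audience; add `@throws ValidationException if the condition is of an unrecognized type or is not satisfied` after the `@param` line. It would also help subclass authors to state that an override which accepts additional condition types should delegate to the base implementation for AudienceRestrictionCondition rather than re-implementing the audience check, since that is the only type the base handles. The hunk's doc block starts on an earlier physical line of this diff, so the leading sentence is only partly visible here.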
@@ -58,22 +58,29 @@ void AssertionValidator::validateAssertion(const Assertion& assertion) const
 throw ValidationException("Assertion is no longer valid.");
 }
- // Now we process conditions. Only audience restrictions at the moment.
+ // Now we process conditions, starting with the known types and then extensions.
+
+ const vector& acvec = conds->getAudienceRestrictions();
+ for (vector::const_iterator ac = acvec.begin(); ac!=acvec.end(); ++ac)
+ validateCondition(*ac);
+
+ const vector& dncvec = conds->getOneTimeUses();
+ for (vector::const_iterator dnc = dncvec.begin(); dnc!=dncvec.end(); ++dnc)
+ validateCondition(*dnc);
+
 const vector& convec = conds->getConditions();
- for (vector::const_iterator c = convec.begin(); c!=convec.end(); ++c) {
- if (!validateCondition(*c)) {
- Category::getInstance(SAML_LOGCAT".AssertionValidator").error("unrecognized Condition in assertion (%s)",
- (*c)->getSchemaType() ? (*c)->getSchemaType()->toString().c_str() : (*c)->getElementQName().toString().c_str());
- throw ValidationException("Assertion contains an unrecognized condition.");
- }
- }
+ for (vector::const_iterator c = convec.begin(); c!=convec.end(); ++c)
+ validateCondition(*c);
 }
-bool AssertionValidator::validateCondition(const Condition* condition) const
+void AssertionValidator::validateCondition(const Condition* c) const
 {
- const AudienceRestriction* ac=dynamic_cast(condition);
- if (!ac)
- return false;
+ const AudienceRestriction* ac=dynamic_cast(c);
+ if (!ac) {
+ Category::getInstance(SAML_LOGCAT".AssertionValidator").error("unrecognized Condition in assertion (%s)",
+ c->getSchemaType() ? c->getSchemaType()->toString().c_str() : c->getElementQName().toString().c_str());
+ throw ValidationException("Assertion contains an unrecognized condition.");
+ }
 bool found = false;
 const vector& auds1 = ac->getAudiences();
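Review bot: The SAML 2.0 Conditions element defines a third schema-typed condition, ProxyRestriction, and the new code walks only `getAudienceRestrictions()`, `getOneTimeUses()` and the extension list `getConditions()`; if the Conditions class exposes ProxyRestriction through its own typed accessor the way it does for the other two (I cannot see that header here), those conditions are neither validated nor rejected, which is the opposite of the fail-closed handling this same hunk applies to unknown types via `validateCondition`. If that accessor exists, a third loop over it before the extension loop, `for (...) validateCondition(*pr);`, closes the gap and lets subclasses decide whether to honor it. Separately, `dncvec`/`dnc` are names carried over from the SAML 1 DoNotCache loop but hold OneTimeUse conditions here; `otuvec`/`otu` would describe the contents. validateAssertion begins before this hunk, so where `conds` is established is not visible.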
@@ -89,6 +96,4 @@ bool AssertionValidator::validateCondition(const Condition* condition) const
 Category::getInstance(SAML_LOGCAT".AssertionValidator").error("unacceptable AudienceRestriction in assertion (%s)", os.str().c_str());
 throw ValidationException("Assertion contains an unacceptable AudienceRestriction.");
 }
-
- return found;
 }
diff --git a/saml/saml2/profile/AssertionValidator.h b/saml/saml2/profile/AssertionValidator.h
index f1276bd..f427bce 100644
--- a/saml/saml2/profile/AssertionValidator.h
+++ b/saml/saml2/profile/AssertionValidator.h
@@ -60,12 +60,13 @@ namespace opensaml {
 /**
 * Condition validation.
 *
- *

Base class version only understands AudienceRestrictions. + *

The base class version only understands AudienceRestriction conditions.
+ * All other condition types will be rejected and require subclassing to
+ * prevent validation failure.
 *
 * @param condition condition to validate
- * @return true iff condition was understood
 */
- virtual bool validateCondition(const Condition* condition) const;
+ virtual void validateCondition(const Condition* condition) const;
 protected:
 /** Set of audience values representing recipient. */
-- 
2.1.4
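Review bot: As in the SAML 1 header, the new doc comment on `validateCondition` drops `@return` without documenting the replacement failure signal, although the Assertion20Validator.cpp hunk in this patch throws for both an unrecognized type and an unacceptable audience; add `@throws ValidationException if the condition is of an unrecognized type or is not satisfied` after `@param condition`. Stating that an override accepting other condition types should delegate AudienceRestriction to the base implementation would also keep subclasses from duplicating the audience check. The doc block's first sentence begins on an earlier physical line of this diff and is only partly visible here.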