2 * Copyright 2009 Internet2
\r
4 * Licensed under the Apache License, Version 2.0 (the "License");
\r
5 * you may not use this file except in compliance with the License.
\r
6 * You may obtain a copy of the License at
\r
8 * http://www.apache.org/licenses/LICENSE-2.0
\r
10 * Unless required by applicable law or agreed to in writing, software
\r
11 * distributed under the License is distributed on an "AS IS" BASIS,
\r
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
\r
13 * See the License for the specific language governing permissions and
\r
14 * limitations under the License.
\r
18 * ChainingAccessControl.cpp
\r
20 * Access control plugin that combines other plugins.
\r
23 #include "internal.h"
\r
24 #include "exceptions.h"
\r
25 #include "AccessControl.h"
\r
26 #include "SessionCache.h"
\r
27 #include "SPRequest.h"
\r
29 #include <xmltooling/util/XMLHelper.h>
\r
30 #include <xercesc/util/XMLUniDefs.hpp>
\r
32 using namespace shibsp;
\r
33 using namespace xmltooling;
\r
34 using namespace std;
\r
38 class ChainingAccessControl : public AccessControl
\r
41 ChainingAccessControl(const DOMElement* e);
\r
43 ~ChainingAccessControl() {
\r
44 for_each(m_ac.begin(), m_ac.end(), xmltooling::cleanup<AccessControl>());
\r
48 for_each(m_ac.begin(), m_ac.end(), mem_fun<Lockable*,AccessControl>(&AccessControl::lock));
\r
52 for_each(m_ac.begin(), m_ac.end(), mem_fun<void,AccessControl>(&AccessControl::unlock));
\r
55 aclresult_t authorized(const SPRequest& request, const Session* session) const;
\r
58 enum operator_t { OP_AND, OP_OR } m_op;
\r
59 vector<AccessControl*> m_ac;
\r
62 AccessControl* SHIBSP_DLLLOCAL ChainingAccessControlFactory(const DOMElement* const & e)
\r
64 return new ChainingAccessControl(e);
\r
67 static const XMLCh _AccessControl[] = UNICODE_LITERAL_13(A,c,c,e,s,s,C,o,n,t,r,o,l);
\r
68 static const XMLCh _operator[] = UNICODE_LITERAL_8(o,p,e,r,a,t,o,r);
\r
69 static const XMLCh _type[] = UNICODE_LITERAL_4(t,y,p,e);
\r
70 static const XMLCh AND[] = UNICODE_LITERAL_3(A,N,D);
\r
71 static const XMLCh OR[] = UNICODE_LITERAL_2(O,R);
\r
73 extern AccessControl* SHIBSP_DLLLOCAL XMLAccessControlFactory(const DOMElement* const & e);
\r
76 void SHIBSP_API shibsp::registerAccessControls()
\r
78 SPConfig& conf=SPConfig::getConfig();
\r
79 conf.AccessControlManager.registerFactory(CHAINING_ACCESS_CONTROL, ChainingAccessControlFactory);
\r
80 conf.AccessControlManager.registerFactory(XML_ACCESS_CONTROL, XMLAccessControlFactory);
\r
81 conf.AccessControlManager.registerFactory("edu.internet2.middleware.shibboleth.sp.provider.XMLAccessControl", XMLAccessControlFactory);
\r
84 ChainingAccessControl::ChainingAccessControl(const DOMElement* e)
\r
86 const XMLCh* op = e ? e->getAttributeNS(NULL, _operator) : NULL;
\r
87 if (XMLString::equals(op, AND))
\r
89 else if (XMLString::equals(op, OR))
\r
92 throw ConfigurationException("Missing or unrecognized operator in Chaining AccessControl configuration.");
\r
95 e = e ? XMLHelper::getFirstChildElement(e, _AccessControl) : NULL;
\r
97 auto_ptr_char type(e->getAttributeNS(NULL, _type));
\r
98 if (type.get() && *type.get()) {
\r
99 Category::getInstance(SHIBSP_LOGCAT".AccessControl.Chaining").info("building AccessControl provider of type (%s)...", type.get());
\r
100 m_ac.push_back(SPConfig::getConfig().AccessControlManager.newPlugin(type.get(), e));
\r
102 e = XMLHelper::getNextSiblingElement(e, _AccessControl);
\r
105 catch (exception&) {
\r
106 for_each(m_ac.begin(), m_ac.end(), xmltooling::cleanup<AccessControl>());
\r
111 AccessControl::aclresult_t ChainingAccessControl::authorized(const SPRequest& request, const Session* session) const
\r
116 for (vector<AccessControl*>::const_iterator i=m_ac.begin(); i!=m_ac.end(); ++i) {
\r
117 if ((*i)->authorized(request, session) != shib_acl_true)
\r
118 return shib_acl_false;
\r
120 return shib_acl_true;
\r
125 for (vector<AccessControl*>::const_iterator i=m_ac.begin(); i!=m_ac.end(); ++i) {
\r
126 if ((*i)->authorized(request,session) == shib_acl_true)
\r
127 return shib_acl_true;
\r
129 return shib_acl_false;
\r
132 request.log(SPRequest::SPWarn, "unknown operation in access control policy, denying access");
\r
133 return shib_acl_false;
\r