2 * Copyright 2009 Internet2
\r
4 * Licensed under the Apache License, Version 2.0 (the "License");
\r
5 * you may not use this file except in compliance with the License.
\r
6 * You may obtain a copy of the License at
\r
8 * http://www.apache.org/licenses/LICENSE-2.0
\r
10 * Unless required by applicable law or agreed to in writing, software
\r
11 * distributed under the License is distributed on an "AS IS" BASIS,
\r
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
\r
13 * See the License for the specific language governing permissions and
\r
14 * limitations under the License.
\r
18 * ChainingAccessControl.cpp
\r
20 * Access control plugin that combines other plugins.
\r
23 #include "internal.h"
\r
24 #include "exceptions.h"
\r
25 #include "AccessControl.h"
\r
26 #include "SessionCache.h"
\r
27 #include "SPRequest.h"
\r
29 #include <algorithm>
\r
30 #include <xmltooling/unicode.h>
\r
31 #include <xmltooling/util/XMLHelper.h>
\r
32 #include <xercesc/util/XMLUniDefs.hpp>
\r
34 using namespace shibsp;
\r
35 using namespace xmltooling;
\r
36 using namespace std;
\r
40 class ChainingAccessControl : public AccessControl
\r
43 ChainingAccessControl(const DOMElement* e);
\r
45 ~ChainingAccessControl() {
\r
46 for_each(m_ac.begin(), m_ac.end(), xmltooling::cleanup<AccessControl>());
\r
50 for_each(m_ac.begin(), m_ac.end(), mem_fun<Lockable*,Lockable>(&Lockable::lock));
\r
54 for_each(m_ac.begin(), m_ac.end(), mem_fun<void,Lockable>(&Lockable::unlock));
\r
57 aclresult_t authorized(const SPRequest& request, const Session* session) const;
\r
60 enum operator_t { OP_AND, OP_OR } m_op;
\r
61 vector<AccessControl*> m_ac;
\r
64 AccessControl* SHIBSP_DLLLOCAL ChainingAccessControlFactory(const DOMElement* const & e)
\r
66 return new ChainingAccessControl(e);
\r
69 static const XMLCh _AccessControl[] = UNICODE_LITERAL_13(A,c,c,e,s,s,C,o,n,t,r,o,l);
\r
70 static const XMLCh _operator[] = UNICODE_LITERAL_8(o,p,e,r,a,t,o,r);
\r
71 static const XMLCh _type[] = UNICODE_LITERAL_4(t,y,p,e);
\r
72 static const XMLCh AND[] = UNICODE_LITERAL_3(A,N,D);
\r
73 static const XMLCh OR[] = UNICODE_LITERAL_2(O,R);
\r
75 extern AccessControl* SHIBSP_DLLLOCAL XMLAccessControlFactory(const DOMElement* const & e);
\r
78 void SHIBSP_API shibsp::registerAccessControls()
\r
80 SPConfig& conf=SPConfig::getConfig();
\r
81 conf.AccessControlManager.registerFactory(CHAINING_ACCESS_CONTROL, ChainingAccessControlFactory);
\r
82 conf.AccessControlManager.registerFactory(XML_ACCESS_CONTROL, XMLAccessControlFactory);
\r
83 conf.AccessControlManager.registerFactory("edu.internet2.middleware.shibboleth.sp.provider.XMLAccessControl", XMLAccessControlFactory);
\r
86 AccessControl::AccessControl()
\r
90 AccessControl::~AccessControl()
\r
94 ChainingAccessControl::ChainingAccessControl(const DOMElement* e)
\r
96 const XMLCh* op = e ? e->getAttributeNS(NULL, _operator) : NULL;
\r
97 if (XMLString::equals(op, AND))
\r
99 else if (XMLString::equals(op, OR))
\r
102 throw ConfigurationException("Missing or unrecognized operator in Chaining AccessControl configuration.");
\r
105 e = e ? XMLHelper::getFirstChildElement(e, _AccessControl) : NULL;
\r
107 auto_ptr_char type(e->getAttributeNS(NULL, _type));
\r
108 if (type.get() && *type.get()) {
\r
109 Category::getInstance(SHIBSP_LOGCAT".AccessControl.Chaining").info("building AccessControl provider of type (%s)...", type.get());
\r
110 m_ac.push_back(SPConfig::getConfig().AccessControlManager.newPlugin(type.get(), e));
\r
112 e = XMLHelper::getNextSiblingElement(e, _AccessControl);
\r
115 catch (exception&) {
\r
116 for_each(m_ac.begin(), m_ac.end(), xmltooling::cleanup<AccessControl>());
\r
120 throw ConfigurationException("Chaining AccessControl plugin requires at least one child plugin.");
\r
123 AccessControl::aclresult_t ChainingAccessControl::authorized(const SPRequest& request, const Session* session) const
\r
128 for (vector<AccessControl*>::const_iterator i=m_ac.begin(); i!=m_ac.end(); ++i) {
\r
129 if ((*i)->authorized(request, session) != shib_acl_true)
\r
130 return shib_acl_false;
\r
132 return shib_acl_true;
\r
137 for (vector<AccessControl*>::const_iterator i=m_ac.begin(); i!=m_ac.end(); ++i) {
\r
138 if ((*i)->authorized(request,session) == shib_acl_true)
\r
139 return shib_acl_true;
\r
141 return shib_acl_false;
\r
144 request.log(SPRequest::SPWarn, "unknown operation in access control policy, denying access");
\r
145 return shib_acl_false;
\r