2 * Copyright 2001-2010 Internet2
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
8 * http://www.apache.org/licenses/LICENSE-2.0
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
18 * XMLAccessControl.cpp
20 * XML-based access control syntax.
24 #include "exceptions.h"
25 #include "AccessControl.h"
26 #include "SessionCache.h"
27 #include "SPRequest.h"
28 #include "attribute/Attribute.h"
31 #include <xmltooling/unicode.h>
32 #include <xmltooling/util/ReloadableXMLFile.h>
33 #include <xmltooling/util/Threads.h>
34 #include <xmltooling/util/XMLHelper.h>
35 #include <xercesc/util/XMLUniDefs.hpp>
36 #include <xercesc/util/regx/RegularExpression.hpp>
38 #ifndef HAVE_STRCASECMP
39 # define strcasecmp _stricmp
42 using namespace shibsp;
43 using namespace xmltooling;
48 class Rule : public AccessControl
51 Rule(const DOMElement* e);
54 Lockable* lock() {return this;}
57 aclresult_t authorized(const SPRequest& request, const Session* session) const;
61 vector <string> m_vals;
64 class RuleRegex : public AccessControl
67 RuleRegex(const DOMElement* e);
72 Lockable* lock() {return this;}
75 aclresult_t authorized(const SPRequest& request, const Session* session) const;
79 auto_arrayptr<char> m_exp;
80 RegularExpression* m_re;
83 class Operator : public AccessControl
86 Operator(const DOMElement* e);
89 Lockable* lock() {return this;}
92 aclresult_t authorized(const SPRequest& request, const Session* session) const;
95 enum operator_t { OP_NOT, OP_AND, OP_OR } m_op;
96 vector<AccessControl*> m_operands;
99 #if defined (_MSC_VER)
100 #pragma warning( push )
101 #pragma warning( disable : 4250 )
104 class XMLAccessControl : public AccessControl, public ReloadableXMLFile
107 XMLAccessControl(const DOMElement* e)
108 : ReloadableXMLFile(e, Category::getInstance(SHIBSP_LOGCAT".AccessControl.XML")), m_rootAuthz(nullptr) {
109 background_load(); // guarantees an exception or the policy is loaded
112 ~XMLAccessControl() {
117 aclresult_t authorized(const SPRequest& request, const Session* session) const;
120 pair<bool,DOMElement*> background_load();
123 AccessControl* m_rootAuthz;
126 #if defined (_MSC_VER)
127 #pragma warning( pop )
130 AccessControl* SHIBSP_DLLLOCAL XMLAccessControlFactory(const DOMElement* const & e)
132 return new XMLAccessControl(e);
135 static const XMLCh _AccessControl[] = UNICODE_LITERAL_13(A,c,c,e,s,s,C,o,n,t,r,o,l);
136 static const XMLCh ignoreCase[] = UNICODE_LITERAL_10(i,g,n,o,r,e,C,a,s,e);
137 static const XMLCh ignoreOption[] = UNICODE_LITERAL_1(i);
138 static const XMLCh _list[] = UNICODE_LITERAL_4(l,i,s,t);
139 static const XMLCh require[] = UNICODE_LITERAL_7(r,e,q,u,i,r,e);
140 static const XMLCh NOT[] = UNICODE_LITERAL_3(N,O,T);
141 static const XMLCh AND[] = UNICODE_LITERAL_3(A,N,D);
142 static const XMLCh OR[] = UNICODE_LITERAL_2(O,R);
143 static const XMLCh _Rule[] = UNICODE_LITERAL_4(R,u,l,e);
144 static const XMLCh _RuleRegex[] = UNICODE_LITERAL_9(R,u,l,e,R,e,g,e,x);
147 Rule::Rule(const DOMElement* e)
149 auto_ptr_char req(e->getAttributeNS(nullptr,require));
150 if (!req.get() || !*req.get())
151 throw ConfigurationException("Access control rule missing require attribute");
154 auto_arrayptr<char> vals(toUTF8(e->hasChildNodes() ? e->getFirstChild()->getNodeValue() : nullptr));
158 const XMLCh* flag = e->getAttributeNS(nullptr,_list);
159 if (flag && (*flag == chLatin_f || *flag == chDigit_0)) {
161 m_vals.push_back(vals.get());
167 const char* token=strtok_r(const_cast<char*>(vals.get())," ",&pos);
169 const char* token=strtok(const_cast<char*>(vals.get())," ");
172 m_vals.push_back(token);
174 token=strtok_r(nullptr," ",&pos);
176 token=strtok(nullptr," ");
181 AccessControl::aclresult_t Rule::authorized(const SPRequest& request, const Session* session) const
183 // We can make this more complex later using pluggable comparison functions,
184 // but for now, just a straight port to the new Attribute API.
186 // Map alias in rule to the attribute.
188 request.log(SPRequest::SPWarn, "AccessControl plugin not given a valid session to evaluate, are you using lazy sessions?");
189 return shib_acl_false;
192 if (m_alias == "valid-user") {
194 request.log(SPRequest::SPDebug,"AccessControl plugin accepting valid-user based on active session");
195 return shib_acl_true;
197 return shib_acl_false;
199 if (m_alias == "user") {
200 for (vector<string>::const_iterator i=m_vals.begin(); i!=m_vals.end(); ++i) {
201 if (*i == request.getRemoteUser()) {
202 request.log(SPRequest::SPDebug, string("AccessControl plugin expecting REMOTE_USER (") + *i + "), authz granted");
203 return shib_acl_true;
206 return shib_acl_false;
208 else if (m_alias == "authnContextClassRef") {
209 const char* ref = session->getAuthnContextClassRef();
210 for (vector<string>::const_iterator i=m_vals.begin(); ref && i!=m_vals.end(); ++i) {
211 if (!strcmp(i->c_str(),ref)) {
212 request.log(SPRequest::SPDebug, string("AccessControl plugin expecting authnContextClassRef (") + *i + "), authz granted");
213 return shib_acl_true;
216 return shib_acl_false;
218 else if (m_alias == "authnContextDeclRef") {
219 const char* ref = session->getAuthnContextDeclRef();
220 for (vector<string>::const_iterator i=m_vals.begin(); ref && i!=m_vals.end(); ++i) {
221 if (!strcmp(i->c_str(),ref)) {
222 request.log(SPRequest::SPDebug, string("AccessControl plugin expecting authnContextDeclRef (") + *i + "), authz granted");
223 return shib_acl_true;
226 return shib_acl_false;
229 // Find the attribute(s) matching the require rule.
230 pair<multimap<string,const Attribute*>::const_iterator, multimap<string,const Attribute*>::const_iterator> attrs =
231 session->getIndexedAttributes().equal_range(m_alias);
232 if (attrs.first == attrs.second) {
233 request.log(SPRequest::SPWarn, string("rule requires attribute (") + m_alias + "), not found in session");
234 return shib_acl_false;
237 for (; attrs.first != attrs.second; ++attrs.first) {
238 bool caseSensitive = attrs.first->second->isCaseSensitive();
240 // Now we have to intersect the attribute's values against the rule's list.
241 const vector<string>& vals = attrs.first->second->getSerializedValues();
242 for (vector<string>::const_iterator i=m_vals.begin(); i!=m_vals.end(); ++i) {
243 for (vector<string>::const_iterator j=vals.begin(); j!=vals.end(); ++j) {
244 if ((caseSensitive && *i == *j) || (!caseSensitive && !strcasecmp(i->c_str(),j->c_str()))) {
245 request.log(SPRequest::SPDebug, string("AccessControl plugin expecting (") + *j + "), authz granted");
246 return shib_acl_true;
252 return shib_acl_false;
255 RuleRegex::RuleRegex(const DOMElement* e) : m_exp(toUTF8(e->hasChildNodes() ? e->getFirstChild()->getNodeValue() : nullptr))
257 auto_ptr_char req(e->getAttributeNS(nullptr,require));
258 if (!req.get() || !*req.get() || !m_exp.get() || !*m_exp.get())
259 throw ConfigurationException("Access control rule missing require attribute or element content.");
262 const XMLCh* flag = e->getAttributeNS(nullptr,ignoreCase);
263 bool ignore = (flag && (*flag == chLatin_t || *flag == chDigit_1));
265 m_re = new RegularExpression(e->getFirstChild()->getNodeValue(), (ignore ? ignoreOption : &chNull));
267 catch (XMLException& ex) {
268 auto_ptr_char tmp(ex.getMessage());
269 throw ConfigurationException("Caught exception while parsing RuleRegex regular expression: $1", params(1,tmp.get()));
273 AccessControl::aclresult_t RuleRegex::authorized(const SPRequest& request, const Session* session) const
275 // Map alias in rule to the attribute.
277 request.log(SPRequest::SPWarn, "AccessControl plugin not given a valid session to evaluate, are you using lazy sessions?");
278 return shib_acl_false;
281 if (m_alias == "valid-user") {
283 request.log(SPRequest::SPDebug,"AccessControl plugin accepting valid-user based on active session");
284 return shib_acl_true;
286 return shib_acl_false;
290 if (m_alias == "user") {
291 if (m_re->matches(request.getRemoteUser().c_str())) {
292 request.log(SPRequest::SPDebug, string("AccessControl plugin expecting REMOTE_USER (") + m_exp.get() + "), authz granted");
293 return shib_acl_true;
295 return shib_acl_false;
297 else if (m_alias == "authnContextClassRef") {
298 if (session->getAuthnContextClassRef() && m_re->matches(session->getAuthnContextClassRef())) {
299 request.log(SPRequest::SPDebug, string("AccessControl plugin expecting authnContextClassRef (") + m_exp.get() + "), authz granted");
300 return shib_acl_true;
302 return shib_acl_false;
304 else if (m_alias == "authnContextDeclRef") {
305 if (session->getAuthnContextDeclRef() && m_re->matches(session->getAuthnContextDeclRef())) {
306 request.log(SPRequest::SPDebug, string("AccessControl plugin expecting authnContextDeclRef (") + m_exp.get() + "), authz granted");
307 return shib_acl_true;
309 return shib_acl_false;
312 // Find the attribute(s) matching the require rule.
313 pair<multimap<string,const Attribute*>::const_iterator, multimap<string,const Attribute*>::const_iterator> attrs =
314 session->getIndexedAttributes().equal_range(m_alias);
315 if (attrs.first == attrs.second) {
316 request.log(SPRequest::SPWarn, string("rule requires attribute (") + m_alias + "), not found in session");
317 return shib_acl_false;
320 for (; attrs.first != attrs.second; ++attrs.first) {
321 // Now we have to intersect the attribute's values against the regular expression.
322 const vector<string>& vals = attrs.first->second->getSerializedValues();
323 for (vector<string>::const_iterator j=vals.begin(); j!=vals.end(); ++j) {
324 if (m_re->matches(j->c_str())) {
325 request.log(SPRequest::SPDebug, string("AccessControl plugin expecting (") + m_exp.get() + "), authz granted");
326 return shib_acl_true;
331 catch (XMLException& ex) {
332 auto_ptr_char tmp(ex.getMessage());
333 request.log(SPRequest::SPError, string("caught exception while parsing RuleRegex regular expression: ") + tmp.get());
336 return shib_acl_false;
339 Operator::Operator(const DOMElement* e)
341 if (XMLString::equals(e->getLocalName(),NOT))
343 else if (XMLString::equals(e->getLocalName(),AND))
345 else if (XMLString::equals(e->getLocalName(),OR))
348 throw ConfigurationException("Unrecognized operator in access control rule");
351 e=XMLHelper::getFirstChildElement(e);
352 if (XMLString::equals(e->getLocalName(),_Rule))
353 m_operands.push_back(new Rule(e));
354 else if (XMLString::equals(e->getLocalName(),_RuleRegex))
355 m_operands.push_back(new RuleRegex(e));
357 m_operands.push_back(new Operator(e));
362 e=XMLHelper::getNextSiblingElement(e);
364 if (XMLString::equals(e->getLocalName(),_Rule))
365 m_operands.push_back(new Rule(e));
366 else if (XMLString::equals(e->getLocalName(),_RuleRegex))
367 m_operands.push_back(new RuleRegex(e));
369 m_operands.push_back(new Operator(e));
370 e=XMLHelper::getNextSiblingElement(e);
374 for_each(m_operands.begin(),m_operands.end(),xmltooling::cleanup<AccessControl>());
379 Operator::~Operator()
381 for_each(m_operands.begin(),m_operands.end(),xmltooling::cleanup<AccessControl>());
384 AccessControl::aclresult_t Operator::authorized(const SPRequest& request, const Session* session) const
388 switch (m_operands.front()->authorized(request,session)) {
390 return shib_acl_false;
392 return shib_acl_true;
394 return shib_acl_indeterminate;
399 for (vector<AccessControl*>::const_iterator i=m_operands.begin(); i!=m_operands.end(); i++) {
400 if ((*i)->authorized(request,session) != shib_acl_true)
401 return shib_acl_false;
403 return shib_acl_true;
408 for (vector<AccessControl*>::const_iterator i=m_operands.begin(); i!=m_operands.end(); i++) {
409 if ((*i)->authorized(request,session) == shib_acl_true)
410 return shib_acl_true;
412 return shib_acl_false;
415 request.log(SPRequest::SPWarn,"unknown operation in access control policy, denying access");
416 return shib_acl_false;
419 pair<bool,DOMElement*> XMLAccessControl::background_load()
421 // Load from source using base class.
422 pair<bool,DOMElement*> raw = ReloadableXMLFile::load();
424 // If we own it, wrap it.
425 XercesJanitor<DOMDocument> docjanitor(raw.first ? raw.second->getOwnerDocument() : nullptr);
427 // Check for AccessControl wrapper and drop a level.
428 if (XMLString::equals(raw.second->getLocalName(),_AccessControl))
429 raw.second = XMLHelper::getFirstChildElement(raw.second);
431 AccessControl* authz;
432 if (XMLString::equals(raw.second->getLocalName(),_Rule))
433 authz=new Rule(raw.second);
434 else if (XMLString::equals(raw.second->getLocalName(),_RuleRegex))
435 authz=new RuleRegex(raw.second);
437 authz=new Operator(raw.second);
439 // Perform the swap inside a lock.
442 SharedLock locker(m_lock, false);
446 return make_pair(false,(DOMElement*)nullptr);
449 AccessControl::aclresult_t XMLAccessControl::authorized(const SPRequest& request, const Session* session) const
451 return m_rootAuthz ? m_rootAuthz->authorized(request,session) : shib_acl_false;