2 * Copyright 2001-2007 Internet2
\r
4 * Licensed under the Apache License, Version 2.0 (the "License");
\r
5 * you may not use this file except in compliance with the License.
\r
6 * You may obtain a copy of the License at
\r
8 * http://www.apache.org/licenses/LICENSE-2.0
\r
10 * Unless required by applicable law or agreed to in writing, software
\r
11 * distributed under the License is distributed on an "AS IS" BASIS,
\r
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
\r
13 * See the License for the specific language governing permissions and
\r
14 * limitations under the License.
\r
18 * XMLAccessControl.cpp
\r
20 * XML-based access control syntax
\r
23 #include "internal.h"
\r
24 #include "exceptions.h"
\r
25 #include "AccessControl.h"
\r
26 #include "SessionCache.h"
\r
27 #include "SPRequest.h"
\r
28 #include "attribute/Attribute.h"
\r
30 #include <xmltooling/util/ReloadableXMLFile.h>
\r
31 #include <xmltooling/util/XMLHelper.h>
\r
32 #include <xercesc/util/XMLUniDefs.hpp>
\r
33 #include <xercesc/util/regx/RegularExpression.hpp>
\r
35 #ifndef HAVE_STRCASECMP
\r
36 # define strcasecmp _stricmp
\r
39 using namespace shibsp;
\r
40 using namespace xmltooling;
\r
41 using namespace std;
\r
45 class Rule : public AccessControl
\r
48 Rule(const DOMElement* e);
\r
51 Lockable* lock() {return this;}
\r
54 aclresult_t authorized(const SPRequest& request, const Session* session) const;
\r
58 vector <string> m_vals;
\r
61 class RuleRegex : public AccessControl
\r
64 RuleRegex(const DOMElement* e);
\r
69 Lockable* lock() {return this;}
\r
72 aclresult_t authorized(const SPRequest& request, const Session* session) const;
\r
76 auto_arrayptr<char> m_exp;
\r
77 RegularExpression* m_re;
\r
80 class Operator : public AccessControl
\r
83 Operator(const DOMElement* e);
\r
86 Lockable* lock() {return this;}
\r
89 aclresult_t authorized(const SPRequest& request, const Session* session) const;
\r
92 enum operator_t { OP_NOT, OP_AND, OP_OR } m_op;
\r
93 vector<AccessControl*> m_operands;
\r
96 #if defined (_MSC_VER)
\r
97 #pragma warning( push )
\r
98 #pragma warning( disable : 4250 )
\r
101 class XMLAccessControl : public AccessControl, public ReloadableXMLFile
\r
104 XMLAccessControl(const DOMElement* e)
\r
105 : ReloadableXMLFile(e, Category::getInstance(SHIBSP_LOGCAT".AccessControl.XML")), m_rootAuthz(NULL) {
\r
106 load(); // guarantees an exception or the policy is loaded
\r
109 ~XMLAccessControl() {
\r
110 delete m_rootAuthz;
\r
113 aclresult_t authorized(const SPRequest& request, const Session* session) const;
\r
116 pair<bool,DOMElement*> load();
\r
119 AccessControl* m_rootAuthz;
\r
122 #if defined (_MSC_VER)
\r
123 #pragma warning( pop )
\r
126 AccessControl* SHIBSP_DLLLOCAL XMLAccessControlFactory(const DOMElement* const & e)
\r
128 return new XMLAccessControl(e);
\r
131 static const XMLCh _AccessControl[] = UNICODE_LITERAL_13(A,c,c,e,s,s,C,o,n,t,r,o,l);
\r
132 static const XMLCh ignoreCase[] = UNICODE_LITERAL_10(i,g,n,o,r,e,C,a,s,e);
\r
133 static const XMLCh ignoreOption[] = UNICODE_LITERAL_1(i);
\r
134 static const XMLCh _list[] = UNICODE_LITERAL_4(l,i,s,t);
\r
135 static const XMLCh require[] = UNICODE_LITERAL_7(r,e,q,u,i,r,e);
\r
136 static const XMLCh NOT[] = UNICODE_LITERAL_3(N,O,T);
\r
137 static const XMLCh AND[] = UNICODE_LITERAL_3(A,N,D);
\r
138 static const XMLCh OR[] = UNICODE_LITERAL_2(O,R);
\r
139 static const XMLCh _Rule[] = UNICODE_LITERAL_4(R,u,l,e);
\r
140 static const XMLCh _RuleRegex[] = UNICODE_LITERAL_9(R,u,l,e,R,e,g,e,x);
\r
143 Rule::Rule(const DOMElement* e)
\r
145 auto_ptr_char req(e->getAttributeNS(NULL,require));
\r
146 if (!req.get() || !*req.get())
\r
147 throw ConfigurationException("Access control rule missing require attribute");
\r
150 auto_arrayptr<char> vals(toUTF8(e->hasChildNodes() ? e->getFirstChild()->getNodeValue() : NULL));
\r
154 const XMLCh* flag = e->getAttributeNS(NULL,_list);
\r
155 if (flag && (*flag == chLatin_f || *flag == chDigit_0)) {
\r
157 m_vals.push_back(vals.get());
\r
161 #ifdef HAVE_STRTOK_R
\r
163 const char* token=strtok_r(const_cast<char*>(vals.get())," ",&pos);
\r
165 const char* token=strtok(const_cast<char*>(vals.get())," ");
\r
168 m_vals.push_back(token);
\r
169 #ifdef HAVE_STRTOK_R
\r
170 token=strtok_r(NULL," ",&pos);
\r
172 token=strtok(NULL," ");
\r
177 AccessControl::aclresult_t Rule::authorized(const SPRequest& request, const Session* session) const
\r
179 // We can make this more complex later using pluggable comparison functions,
\r
180 // but for now, just a straight port to the new Attribute API.
\r
182 // Map alias in rule to the attribute.
\r
184 request.log(SPRequest::SPWarn, "AccessControl plugin not given a valid session to evaluate, are you using lazy sessions?");
\r
185 return shib_acl_false;
\r
188 if (m_alias == "valid-user") {
\r
190 request.log(SPRequest::SPDebug,"AccessControl plugin accepting valid-user based on active session");
\r
191 return shib_acl_true;
\r
193 return shib_acl_false;
\r
195 if (m_alias == "user") {
\r
196 for (vector<string>::const_iterator i=m_vals.begin(); i!=m_vals.end(); ++i) {
\r
197 if (*i == request.getRemoteUser()) {
\r
198 request.log(SPRequest::SPDebug, string("AccessControl plugin expecting REMOTE_USER (") + *i + "), authz granted");
\r
199 return shib_acl_true;
\r
202 return shib_acl_false;
\r
204 else if (m_alias == "authnContextClassRef") {
\r
205 const char* ref = session->getAuthnContextClassRef();
\r
206 for (vector<string>::const_iterator i=m_vals.begin(); ref && i!=m_vals.end(); ++i) {
\r
207 if (!strcmp(i->c_str(),ref)) {
\r
208 request.log(SPRequest::SPDebug, string("AccessControl plugin expecting authnContextClassRef (") + *i + "), authz granted");
\r
209 return shib_acl_true;
\r
212 return shib_acl_false;
\r
214 else if (m_alias == "authnContextDeclRef") {
\r
215 const char* ref = session->getAuthnContextDeclRef();
\r
216 for (vector<string>::const_iterator i=m_vals.begin(); ref && i!=m_vals.end(); ++i) {
\r
217 if (!strcmp(i->c_str(),ref)) {
\r
218 request.log(SPRequest::SPDebug, string("AccessControl plugin expecting authnContextDeclRef (") + *i + "), authz granted");
\r
219 return shib_acl_true;
\r
222 return shib_acl_false;
\r
225 // Find the attribute(s) matching the require rule.
\r
226 pair<multimap<string,const Attribute*>::const_iterator, multimap<string,const Attribute*>::const_iterator> attrs =
\r
227 session->getIndexedAttributes().equal_range(m_alias);
\r
228 if (attrs.first == attrs.second) {
\r
229 request.log(SPRequest::SPWarn, string("rule requires attribute (") + m_alias + "), not found in session");
\r
230 return shib_acl_false;
\r
233 for (; attrs.first != attrs.second; ++attrs.first) {
\r
234 bool caseSensitive = attrs.first->second->isCaseSensitive();
\r
236 // Now we have to intersect the attribute's values against the rule's list.
\r
237 const vector<string>& vals = attrs.first->second->getSerializedValues();
\r
238 for (vector<string>::const_iterator i=m_vals.begin(); i!=m_vals.end(); ++i) {
\r
239 for (vector<string>::const_iterator j=vals.begin(); j!=vals.end(); ++j) {
\r
240 if ((caseSensitive && *i == *j) || (!caseSensitive && !strcasecmp(i->c_str(),j->c_str()))) {
\r
241 request.log(SPRequest::SPDebug, string("AccessControl plugin expecting (") + *j + "), authz granted");
\r
242 return shib_acl_true;
\r
248 return shib_acl_false;
\r
251 RuleRegex::RuleRegex(const DOMElement* e) : m_exp(toUTF8(e->hasChildNodes() ? e->getFirstChild()->getNodeValue() : NULL))
\r
253 auto_ptr_char req(e->getAttributeNS(NULL,require));
\r
254 if (!req.get() || !*req.get() || !m_exp.get() || !*m_exp.get())
\r
255 throw ConfigurationException("Access control rule missing require attribute or element content.");
\r
258 const XMLCh* flag = e->getAttributeNS(NULL,ignoreCase);
\r
259 bool ignore = (flag && (*flag == chLatin_t || *flag == chDigit_1));
\r
261 m_re = new RegularExpression(e->getFirstChild()->getNodeValue(), (ignore ? ignoreOption : &chNull));
\r
263 catch (XMLException& ex) {
\r
264 auto_ptr_char tmp(ex.getMessage());
\r
265 throw ConfigurationException("Caught exception while parsing RuleRegex regular expression: $1", params(1,tmp.get()));
\r
269 AccessControl::aclresult_t RuleRegex::authorized(const SPRequest& request, const Session* session) const
\r
271 // Map alias in rule to the attribute.
\r
273 request.log(SPRequest::SPWarn, "AccessControl plugin not given a valid session to evaluate, are you using lazy sessions?");
\r
274 return shib_acl_false;
\r
277 if (m_alias == "valid-user") {
\r
279 request.log(SPRequest::SPDebug,"AccessControl plugin accepting valid-user based on active session");
\r
280 return shib_acl_true;
\r
282 return shib_acl_false;
\r
286 if (m_alias == "user") {
\r
287 if (m_re->matches(request.getRemoteUser().c_str())) {
\r
288 request.log(SPRequest::SPDebug, string("AccessControl plugin expecting REMOTE_USER (") + m_exp.get() + "), authz granted");
\r
289 return shib_acl_true;
\r
291 return shib_acl_false;
\r
293 else if (m_alias == "authnContextClassRef") {
\r
294 if (session->getAuthnContextClassRef() && m_re->matches(session->getAuthnContextClassRef())) {
\r
295 request.log(SPRequest::SPDebug, string("AccessControl plugin expecting authnContextClassRef (") + m_exp.get() + "), authz granted");
\r
296 return shib_acl_true;
\r
298 return shib_acl_false;
\r
300 else if (m_alias == "authnContextDeclRef") {
\r
301 if (session->getAuthnContextDeclRef() && m_re->matches(session->getAuthnContextDeclRef())) {
\r
302 request.log(SPRequest::SPDebug, string("AccessControl plugin expecting authnContextDeclRef (") + m_exp.get() + "), authz granted");
\r
303 return shib_acl_true;
\r
305 return shib_acl_false;
\r
308 // Find the attribute(s) matching the require rule.
\r
309 pair<multimap<string,const Attribute*>::const_iterator, multimap<string,const Attribute*>::const_iterator> attrs =
\r
310 session->getIndexedAttributes().equal_range(m_alias);
\r
311 if (attrs.first == attrs.second) {
\r
312 request.log(SPRequest::SPWarn, string("rule requires attribute (") + m_alias + "), not found in session");
\r
313 return shib_acl_false;
\r
316 for (; attrs.first != attrs.second; ++attrs.first) {
\r
317 // Now we have to intersect the attribute's values against the regular expression.
\r
318 const vector<string>& vals = attrs.first->second->getSerializedValues();
\r
319 for (vector<string>::const_iterator j=vals.begin(); j!=vals.end(); ++j) {
\r
320 if (m_re->matches(j->c_str())) {
\r
321 request.log(SPRequest::SPDebug, string("AccessControl plugin expecting (") + m_exp.get() + "), authz granted");
\r
322 return shib_acl_true;
\r
327 catch (XMLException& ex) {
\r
328 auto_ptr_char tmp(ex.getMessage());
\r
329 request.log(SPRequest::SPError, string("caught exception while parsing RuleRegex regular expression: ") + tmp.get());
\r
332 return shib_acl_false;
\r
335 Operator::Operator(const DOMElement* e)
\r
337 if (XMLString::equals(e->getLocalName(),NOT))
\r
339 else if (XMLString::equals(e->getLocalName(),AND))
\r
341 else if (XMLString::equals(e->getLocalName(),OR))
\r
344 throw ConfigurationException("Unrecognized operator in access control rule");
\r
347 e=XMLHelper::getFirstChildElement(e);
\r
348 if (XMLString::equals(e->getLocalName(),_Rule))
\r
349 m_operands.push_back(new Rule(e));
\r
350 else if (XMLString::equals(e->getLocalName(),_RuleRegex))
\r
351 m_operands.push_back(new RuleRegex(e));
\r
353 m_operands.push_back(new Operator(e));
\r
358 e=XMLHelper::getNextSiblingElement(e);
\r
360 if (XMLString::equals(e->getLocalName(),_Rule))
\r
361 m_operands.push_back(new Rule(e));
\r
362 else if (XMLString::equals(e->getLocalName(),_RuleRegex))
\r
363 m_operands.push_back(new RuleRegex(e));
\r
365 m_operands.push_back(new Operator(e));
\r
366 e=XMLHelper::getNextSiblingElement(e);
\r
369 catch (exception&) {
\r
370 for_each(m_operands.begin(),m_operands.end(),xmltooling::cleanup<AccessControl>());
\r
375 Operator::~Operator()
\r
377 for_each(m_operands.begin(),m_operands.end(),xmltooling::cleanup<AccessControl>());
\r
380 AccessControl::aclresult_t Operator::authorized(const SPRequest& request, const Session* session) const
\r
384 switch (m_operands.front()->authorized(request,session)) {
\r
385 case shib_acl_true:
\r
386 return shib_acl_false;
\r
387 case shib_acl_false:
\r
388 return shib_acl_true;
\r
390 return shib_acl_indeterminate;
\r
395 for (vector<AccessControl*>::const_iterator i=m_operands.begin(); i!=m_operands.end(); i++) {
\r
396 if ((*i)->authorized(request,session) != shib_acl_true)
\r
397 return shib_acl_false;
\r
399 return shib_acl_true;
\r
404 for (vector<AccessControl*>::const_iterator i=m_operands.begin(); i!=m_operands.end(); i++) {
\r
405 if ((*i)->authorized(request,session) == shib_acl_true)
\r
406 return shib_acl_true;
\r
408 return shib_acl_false;
\r
411 request.log(SPRequest::SPWarn,"unknown operation in access control policy, denying access");
\r
412 return shib_acl_false;
\r
415 pair<bool,DOMElement*> XMLAccessControl::load()
\r
417 // Load from source using base class.
\r
418 pair<bool,DOMElement*> raw = ReloadableXMLFile::load();
\r
420 // If we own it, wrap it.
\r
421 XercesJanitor<DOMDocument> docjanitor(raw.first ? raw.second->getOwnerDocument() : NULL);
\r
423 // Check for AccessControl wrapper and drop a level.
\r
424 if (XMLString::equals(raw.second->getLocalName(),_AccessControl))
\r
425 raw.second = XMLHelper::getFirstChildElement(raw.second);
\r
427 AccessControl* authz;
\r
428 if (XMLString::equals(raw.second->getLocalName(),_Rule))
\r
429 authz=new Rule(raw.second);
\r
430 else if (XMLString::equals(raw.second->getLocalName(),_RuleRegex))
\r
431 authz=new RuleRegex(raw.second);
\r
433 authz=new Operator(raw.second);
\r
435 delete m_rootAuthz;
\r
436 m_rootAuthz = authz;
\r
437 return make_pair(false,(DOMElement*)NULL);
\r
440 AccessControl::aclresult_t XMLAccessControl::authorized(const SPRequest& request, const Session* session) const
\r
442 return m_rootAuthz ? m_rootAuthz->authorized(request,session) : shib_acl_false;
\r