<!-- First some useful eduPerson attributes that many sites might use. -->
- <AttributeRule Name="urn:mace:dir:attribute-def:eduPersonScopedAffiliation" Header="Shib-EP-Affiliation" Alias="affiliation">
+ <AttributeRule Name="urn:mace:dir:attribute-def:eduPersonScopedAffiliation" Scoped="true" Header="Shib-EP-Affiliation" Alias="affiliation">
<!-- Filtering rule to limit values to eduPerson-defined enumeration. -->
<AnySite>
<Value Type="regexp">^[M|m][E|e][M|m][B|b][E|e][R|r]$</Value>
</AnySite>
</AttributeRule>
- <AttributeRule Name="urn:mace:dir:attribute-def:eduPersonPrincipalName" Header="REMOTE_USER" Alias="user">
+ <AttributeRule Name="urn:mace:dir:attribute-def:eduPersonPrincipalName" Scoped="true" Header="REMOTE_USER" Alias="user">
<!-- Basic rule to pass through any value. -->
<AnySite>
<Value Type="regexp">^[^@]+$</Value>
const XMLCh XML::Literals::Namespace[]=
{ chLatin_N, chLatin_a, chLatin_m, chLatin_e, chLatin_s, chLatin_p, chLatin_a, chLatin_c, chLatin_e, chNull };
+const XMLCh XML::Literals::Scoped[] = { chLatin_S, chLatin_c, chLatin_o, chLatin_p, chLatin_e, chLatin_d, chNull };
+
const XMLCh XML::Literals::SiteRule[] =
{ chLatin_S, chLatin_i, chLatin_t, chLatin_e, chLatin_R, chLatin_u, chLatin_l, chLatin_e, chNull };
const char* getFactory() const { return m_factory.get(); }
const char* getAlias() const { return m_alias.get(); }
const char* getHeader() const { return m_header.get(); }
+ const bool getScoped() const { return m_scoped; }
void apply(const IProvider* originSite, SAMLAttribute& attribute) const;
enum value_type { literal, regexp, xpath };
auto_ptr_char m_factory;
auto_ptr_char m_alias;
auto_ptr_char m_header;
+ bool m_scoped;
value_type toValueType(const DOMElement* e);
bool scopeCheck(const IProvider* originSite, const DOMElement* e) const;
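Review bot: The added getter `const bool getScoped() const { return m_scoped; }` puts a top-level `const` on a by-value return type, which has no effect and breaks the pattern of the three sibling getters directly above it; write it as `bool getScoped() const { return m_scoped; }`. The new `m_scoped` member is declared after `m_header`, which agrees with the order of the constructor's initializer list, so no member-order warning should follow. The enclosing class declaration begins and ends outside the hunk.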
XMLAAPImpl::AttributeRule::AttributeRule(const DOMElement* e) :
m_factory(e->hasAttributeNS(NULL,SHIB_L(Factory)) ? e->getAttributeNS(NULL,SHIB_L(Factory)) : NULL),
m_alias(e->hasAttributeNS(NULL,SHIB_L(Alias)) ? e->getAttributeNS(NULL,SHIB_L(Alias)) : NULL),
- m_header(e->hasAttributeNS(NULL,SHIB_L(Header)) ? e->getAttributeNS(NULL,SHIB_L(Header)) : NULL)
+ m_header(e->hasAttributeNS(NULL,SHIB_L(Header)) ? e->getAttributeNS(NULL,SHIB_L(Header)) : NULL),
+ m_scoped(false)
{
static const XMLCh wTrue[] = {chLatin_t, chLatin_r, chLatin_u, chLatin_e, chNull};
if (!m_namespace || !*m_namespace)
m_namespace=Constants::SHIB_ATTRIBUTE_NAMESPACE_URI;
+ const XMLCh* scoped=e->getAttributeNS(NULL,SHIB_L(Scoped));
+ m_scoped=(scoped && (*scoped==chDigit_1 || !XMLString::compareString(scoped,wTrue)));
+
// Check for an AnySite rule.
DOMNode* anysite = e->getFirstChild();
while (anysite && anysite->getNodeType()!=DOMNode::ELEMENT_NODE)
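Review bot: The parse on the added line `m_scoped=(scoped && (*scoped==chDigit_1 || !XMLString::compareString(scoped,wTrue)));` fails open: any present value other than exactly `1` or `true` (a misspelling such as `True` or `yes`) leaves `m_scoped` false and silently disables the scope requirement the administrator intended to enable. Unless the policy file is schema-validated before it reaches this constructor (not visible here), a present-but-unrecognised value should be treated as a configuration error and rejected, or at least logged, so the rule fails closed. A one-line comment above the assignment, such as `// Scoped="true" or "1" requires every value to carry a scope; anything else means unscoped.`, would make the accepted lexical forms explicit. The constructor body continues outside the hunk.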
bool XMLAAPImpl::AttributeRule::scopeCheck(const IProvider* originSite, const DOMElement* e) const
{
- // Are we scoped?
- const XMLCh* scope=e->getAttributeNS(NULL,SHIB_L(Scope));
- if (!scope || !*scope)
- return true;
-
NDC ndc("scopeCheck");
Category& log=Category::getInstance(XMLPROVIDERS_LOGCAT".XMLAAPImpl");
+ // Are we scoped?
+ const XMLCh* scope=e->getAttributeNS(NULL,SHIB_L(Scope));
+ if (!scope || !*scope) {
+ // Are we allowed to be unscoped?
+ if (m_scoped && log.isWarnEnabled()) {
+ auto_ptr_char temp(m_name);
+ log.warn("attribute %s is scoped, no scope supplied, rejecting it",temp.get());
+ }
+ return !m_scoped;
+ }
+
vector<pair<value_type,const XMLCh*> >::const_iterator i;
// Denials take precedence, always.
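Review bot: The rejection branch ending in `return !m_scoped;` is the security-relevant part of this change, but the warning just above it names only the attribute, so an operator cannot tell which origin site sent an unscoped value for a scoped rule; if `IProvider` exposes an identifier for `originSite`, include it in the message. A short comment on the return, `// Scoped rules must carry a scope; unscoped rules may omit it.`, would state the policy the two-way result encodes. Moving the missing-scope check below `NDC ndc("scopeCheck")` and `Category::getInstance(...)` also means both are now constructed on every call, including the common unscoped-rule path the old early return skipped; presumably acceptable, but worth knowing. The body of scopeCheck continues outside the hunk.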