Added Scoped indicator, avoids reliance on sender.

diff --git a/configs/AAP.xml b/configs/AAP.xml
index 4e8846b..f01f9db 100644 (file)
--- a/configs/AAP.xml
+++ b/configs/AAP.xml
@@ -16,7 +16,7 @@
        
        <!-- First some useful eduPerson attributes that many sites might use. -->
        
-       <AttributeRule Name="urn:mace:dir:attribute-def:eduPersonScopedAffiliation" Header="Shib-EP-Affiliation" Alias="affiliation">
+       <AttributeRule Name="urn:mace:dir:attribute-def:eduPersonScopedAffiliation" Scoped="true" Header="Shib-EP-Affiliation" Alias="affiliation">
                <!-- Filtering rule to limit values to eduPerson-defined enumeration. -->
         <AnySite>
             <Value Type="regexp">^[M|m][E|e][M|m][B|b][E|e][R|r]$</Value>
@@ -47,7 +47,7 @@
         </AnySite>
        </AttributeRule>
        
-    <AttributeRule Name="urn:mace:dir:attribute-def:eduPersonPrincipalName" Header="REMOTE_USER" Alias="user">
+    <AttributeRule Name="urn:mace:dir:attribute-def:eduPersonPrincipalName" Scoped="true" Header="REMOTE_USER" Alias="user">
                <!-- Basic rule to pass through any value. -->
         <AnySite>
             <Value Type="regexp">^[^@]+$</Value>

diff --git a/schemas/shibboleth.xsd b/schemas/shibboleth.xsd
index 392fed4..4189c90 100644 (file)
--- a/schemas/shibboleth.xsd
+++ b/schemas/shibboleth.xsd
@@ -104,6 +104,7 @@
         <attribute name="Factory" type="string" use="optional"/>
         <attribute name="Alias" type="string" use="optional"/>
                <attribute name="Header" type="string" use="optional"/>
+               <attribute name="Scoped" type="boolean" use="optional" default="false"/>
                <anyAttribute namespace="##other" processContents="lax"/>
     </complexType>
 

diff --git a/xmlproviders/XML.cpp b/xmlproviders/XML.cpp
index b3de64f..9707fd5 100644 (file)
--- a/xmlproviders/XML.cpp
+++ b/xmlproviders/XML.cpp
@@ -268,6 +268,8 @@ const XMLCh XML::Literals::Header[]=
 const XMLCh XML::Literals::Namespace[]=
 { chLatin_N, chLatin_a, chLatin_m, chLatin_e, chLatin_s, chLatin_p, chLatin_a, chLatin_c, chLatin_e, chNull };
 
+const XMLCh XML::Literals::Scoped[] = { chLatin_S, chLatin_c, chLatin_o, chLatin_p, chLatin_e, chLatin_d, chNull };
+
 const XMLCh XML::Literals::SiteRule[] =
 { chLatin_S, chLatin_i, chLatin_t, chLatin_e, chLatin_R, chLatin_u, chLatin_l, chLatin_e, chNull };
 

diff --git a/xmlproviders/XMLAAP.cpp b/xmlproviders/XMLAAP.cpp
index 40bd3fa..eddaf10 100644 (file)
--- a/xmlproviders/XMLAAP.cpp
+++ b/xmlproviders/XMLAAP.cpp
@@ -88,6 +88,7 @@ namespace {
             const char* getFactory() const { return m_factory.get(); }
             const char* getAlias() const { return m_alias.get(); }
             const char* getHeader() const { return m_header.get(); }
+            const bool getScoped() const { return m_scoped; }
             void apply(const IProvider* originSite, SAMLAttribute& attribute) const;
     
             enum value_type { literal, regexp, xpath };
@@ -97,6 +98,7 @@ namespace {
             auto_ptr_char m_factory;
             auto_ptr_char m_alias;
             auto_ptr_char m_header;
+            bool m_scoped;
             
             value_type toValueType(const DOMElement* e);
             bool scopeCheck(const IProvider* originSite, const DOMElement* e) const;
@@ -244,7 +246,8 @@ XMLAAPImpl::~XMLAAPImpl()
 XMLAAPImpl::AttributeRule::AttributeRule(const DOMElement* e) :
     m_factory(e->hasAttributeNS(NULL,SHIB_L(Factory)) ? e->getAttributeNS(NULL,SHIB_L(Factory)) : NULL),
     m_alias(e->hasAttributeNS(NULL,SHIB_L(Alias)) ? e->getAttributeNS(NULL,SHIB_L(Alias)) : NULL),
-    m_header(e->hasAttributeNS(NULL,SHIB_L(Header)) ? e->getAttributeNS(NULL,SHIB_L(Header)) : NULL)
+    m_header(e->hasAttributeNS(NULL,SHIB_L(Header)) ? e->getAttributeNS(NULL,SHIB_L(Header)) : NULL),
+    m_scoped(false)
     
 {
     static const XMLCh wTrue[] = {chLatin_t, chLatin_r, chLatin_u, chLatin_e, chNull};
@@ -254,6 +257,9 @@ XMLAAPImpl::AttributeRule::AttributeRule(const DOMElement* e) :
     if (!m_namespace || !*m_namespace)
         m_namespace=Constants::SHIB_ATTRIBUTE_NAMESPACE_URI;
     
+    const XMLCh* scoped=e->getAttributeNS(NULL,SHIB_L(Scoped));
+    m_scoped=(scoped && (*scoped==chDigit_1 || !XMLString::compareString(scoped,wTrue)));
+    
     // Check for an AnySite rule.
     DOMNode* anysite = e->getFirstChild();
     while (anysite && anysite->getNodeType()!=DOMNode::ELEMENT_NODE)
@@ -417,14 +423,20 @@ namespace {
 
 bool XMLAAPImpl::AttributeRule::scopeCheck(const IProvider* originSite, const DOMElement* e) const
 {
-    // Are we scoped?
-    const XMLCh* scope=e->getAttributeNS(NULL,SHIB_L(Scope));
-    if (!scope || !*scope)
-        return true;
-
     NDC ndc("scopeCheck");
     Category& log=Category::getInstance(XMLPROVIDERS_LOGCAT".XMLAAPImpl");
 
+    // Are we scoped?
+    const XMLCh* scope=e->getAttributeNS(NULL,SHIB_L(Scope));
+    if (!scope || !*scope) {
+        // Are we allowed to be unscoped?
+        if (m_scoped && log.isWarnEnabled()) {
+                auto_ptr_char temp(m_name);
+                log.warn("attribute %s is scoped, no scope supplied, rejecting it",temp.get());
+        }
+        return !m_scoped;
+    }
+
     vector<pair<value_type,const XMLCh*> >::const_iterator i;
 
     // Denials take precedence, always.

diff --git a/xmlproviders/internal.h b/xmlproviders/internal.h
index 3686346..ae74ba2 100644 (file)
--- a/xmlproviders/internal.h
+++ b/xmlproviders/internal.h
@@ -172,6 +172,7 @@ public:
         static const XMLCh Factory[];
         static const XMLCh Header[];
         static const XMLCh Namespace[];
+        static const XMLCh Scoped[];
         static const XMLCh SiteRule[];
         static const XMLCh Type[];
         static const XMLCh Value[];