<ClCompile Include="..\..\..\shibsp\attribute\filtering\impl\AttributeRequesterInEntityGroupFunctor.cpp" />\r
<ClCompile Include="..\..\..\shibsp\attribute\filtering\impl\AttributeRequesterRegexFunctor.cpp" />\r
<ClCompile Include="..\..\..\shibsp\attribute\filtering\impl\AttributeRequesterStringFunctor.cpp" />\r
- <ClCompile Include="..\..\..\shibsp\attribute\filtering\impl\AttributeScopeMatchesShibMDScopeFunctor.cpp" />\r
+ <ClCompile Include="..\..\..\shibsp\attribute\filtering\impl\AttributeMatchesShibMDScopeFunctor.cpp" />\r
<ClCompile Include="..\..\..\shibsp\attribute\filtering\impl\AttributeScopeRegexFunctor.cpp" />\r
<ClCompile Include="..\..\..\shibsp\attribute\filtering\impl\AttributeScopeStringFunctor.cpp" />\r
<ClCompile Include="..\..\..\shibsp\attribute\filtering\impl\AttributeValueRegexFunctor.cpp" />\r
<ClCompile Include="..\..\..\shibsp\attribute\filtering\impl\AttributeRequesterStringFunctor.cpp">\r
<Filter>Source Files\attribute\filtering\impl</Filter>\r
</ClCompile>\r
- <ClCompile Include="..\..\..\shibsp\attribute\filtering\impl\AttributeScopeMatchesShibMDScopeFunctor.cpp">\r
- <Filter>Source Files\attribute\filtering\impl</Filter>\r
- </ClCompile>\r
<ClCompile Include="..\..\..\shibsp\attribute\filtering\impl\AttributeScopeRegexFunctor.cpp">\r
<Filter>Source Files\attribute\filtering\impl</Filter>\r
</ClCompile>\r
<ClCompile Include="..\..\..\shibsp\attribute\filtering\impl\RegistrationAuthorityFunctor.cpp">\r
<Filter>Source Files\attribute\filtering\impl</Filter>\r
</ClCompile>\r
+ <ClCompile Include="..\..\..\shibsp\attribute\filtering\impl\AttributeMatchesShibMDScopeFunctor.cpp">\r
+ <Filter>Source Files\attribute\filtering\impl</Filter>\r
+ </ClCompile>\r
</ItemGroup>\r
<ItemGroup>\r
<ClInclude Include="..\..\..\shibsp\GSSRequest.h">\r
-->
<!-- First some useful eduPerson attributes that many sites might use. -->
-
- <Attribute name="urn:mace:dir:attribute-def:eduPersonPrincipalName" id="eppn">
+
+ <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" id="eppn">
<AttributeDecoder xsi:type="ScopedAttributeDecoder"/>
</Attribute>
- <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" id="eppn">
+ <Attribute name="urn:mace:dir:attribute-def:eduPersonPrincipalName" id="eppn">
<AttributeDecoder xsi:type="ScopedAttributeDecoder"/>
</Attribute>
-
- <Attribute name="urn:mace:dir:attribute-def:eduPersonScopedAffiliation" id="affiliation">
+
+ <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9" id="affiliation">
<AttributeDecoder xsi:type="ScopedAttributeDecoder" caseSensitive="false"/>
</Attribute>
- <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9" id="affiliation">
+ <Attribute name="urn:mace:dir:attribute-def:eduPersonScopedAffiliation" id="affiliation">
<AttributeDecoder xsi:type="ScopedAttributeDecoder" caseSensitive="false"/>
</Attribute>
-
- <Attribute name="urn:mace:dir:attribute-def:eduPersonAffiliation" id="unscoped-affiliation">
+
+ <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1" id="unscoped-affiliation">
<AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/>
</Attribute>
- <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1" id="unscoped-affiliation">
+ <Attribute name="urn:mace:dir:attribute-def:eduPersonAffiliation" id="unscoped-affiliation">
<AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/>
</Attribute>
-
- <Attribute name="urn:mace:dir:attribute-def:eduPersonEntitlement" id="entitlement"/>
+
<Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7" id="entitlement"/>
+ <Attribute name="urn:mace:dir:attribute-def:eduPersonEntitlement" id="entitlement"/>
<!-- A persistent id attribute that supports personalized anonymous access. -->
<!-- Some more eduPerson attributes, uncomment these to use them... -->
<!--
- <Attribute name="urn:mace:dir:attribute-def:eduPersonPrimaryAffiliation" id="primary-affiliation">
- <AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/>
- </Attribute>
- <Attribute name="urn:mace:dir:attribute-def:eduPersonNickname" id="nickname"/>
- <Attribute name="urn:mace:dir:attribute-def:eduPersonPrimaryOrgUnitDN" id="primary-orgunit-dn"/>
- <Attribute name="urn:mace:dir:attribute-def:eduPersonOrgUnitDN" id="orgunit-dn"/>
- <Attribute name="urn:mace:dir:attribute-def:eduPersonOrgDN" id="org-dn"/>
+ <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.11" id="assurance"/>
+
+ <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.5.1.1" id="member"/>
+
+ <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.6.1.1" id="eduCourseOffering"/>
+ <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.6.1.2" id="eduCourseMember"/>
<Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.5" id="primary-affiliation">
<AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/>
<Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.4" id="orgunit-dn"/>
<Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.3" id="org-dn"/>
- <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.11" id="assurance"/>
-
- <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.5.1.1" id="member"/>
-
- <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.6.1.1" id="eduCourseOffering"/>
- <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.6.1.2" id="eduCourseMember"/>
+ <Attribute name="urn:mace:dir:attribute-def:eduPersonPrimaryAffiliation" id="primary-affiliation">
+ <AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/>
+ </Attribute>
+ <Attribute name="urn:mace:dir:attribute-def:eduPersonNickname" id="nickname"/>
+ <Attribute name="urn:mace:dir:attribute-def:eduPersonPrimaryOrgUnitDN" id="primary-orgunit-dn"/>
+ <Attribute name="urn:mace:dir:attribute-def:eduPersonOrgUnitDN" id="orgunit-dn"/>
+ <Attribute name="urn:mace:dir:attribute-def:eduPersonOrgDN" id="org-dn"/>
-->
+ <!-- SCHAC attributes, uncomment to use... -->
+ <!--
+ <Attribute name="urn:oid:1.3.6.1.4.1.25178.1.2.9" id="schacHomeOrganization"/>
+ -->
+
<!-- Examples of LDAP-based attributes, uncomment to use these... -->
<!--
- <Attribute name="urn:mace:dir:attribute-def:cn" id="cn"/>
- <Attribute name="urn:mace:dir:attribute-def:sn" id="sn"/>
- <Attribute name="urn:mace:dir:attribute-def:givenName" id="givenName"/>
- <Attribute name="urn:mace:dir:attribute-def:displayName" id="displayName"/>
- <Attribute name="urn:mace:dir:attribute-def:uid" id="uid"/>
- <Attribute name="urn:mace:dir:attribute-def:mail" id="mail"/>
- <Attribute name="urn:mace:dir:attribute-def:telephoneNumber" id="telephoneNumber"/>
- <Attribute name="urn:mace:dir:attribute-def:title" id="title"/>
- <Attribute name="urn:mace:dir:attribute-def:initials" id="initials"/>
- <Attribute name="urn:mace:dir:attribute-def:description" id="description"/>
- <Attribute name="urn:mace:dir:attribute-def:carLicense" id="carLicense"/>
- <Attribute name="urn:mace:dir:attribute-def:departmentNumber" id="departmentNumber"/>
- <Attribute name="urn:mace:dir:attribute-def:employeeNumber" id="employeeNumber"/>
- <Attribute name="urn:mace:dir:attribute-def:employeeType" id="employeeType"/>
- <Attribute name="urn:mace:dir:attribute-def:preferredLanguage" id="preferredLanguage"/>
- <Attribute name="urn:mace:dir:attribute-def:manager" id="manager"/>
- <Attribute name="urn:mace:dir:attribute-def:seeAlso" id="seeAlso"/>
- <Attribute name="urn:mace:dir:attribute-def:facsimileTelephoneNumber" id="facsimileTelephoneNumber"/>
- <Attribute name="urn:mace:dir:attribute-def:street" id="street"/>
- <Attribute name="urn:mace:dir:attribute-def:postOfficeBox" id="postOfficeBox"/>
- <Attribute name="urn:mace:dir:attribute-def:postalCode" id="postalCode"/>
- <Attribute name="urn:mace:dir:attribute-def:st" id="st"/>
- <Attribute name="urn:mace:dir:attribute-def:l" id="l"/>
- <Attribute name="urn:mace:dir:attribute-def:o" id="o"/>
- <Attribute name="urn:mace:dir:attribute-def:ou" id="ou"/>
- <Attribute name="urn:mace:dir:attribute-def:businessCategory" id="businessCategory"/>
- <Attribute name="urn:mace:dir:attribute-def:physicalDeliveryOfficeName" id="physicalDeliveryOfficeName"/>
-
<Attribute name="urn:oid:2.5.4.3" id="cn"/>
<Attribute name="urn:oid:2.5.4.4" id="sn"/>
<Attribute name="urn:oid:2.5.4.42" id="givenName"/>
<Attribute name="urn:oid:2.5.4.11" id="ou"/>
<Attribute name="urn:oid:2.5.4.15" id="businessCategory"/>
<Attribute name="urn:oid:2.5.4.19" id="physicalDeliveryOfficeName"/>
+
+ <Attribute name="urn:mace:dir:attribute-def:cn" id="cn"/>
+ <Attribute name="urn:mace:dir:attribute-def:sn" id="sn"/>
+ <Attribute name="urn:mace:dir:attribute-def:givenName" id="givenName"/>
+ <Attribute name="urn:mace:dir:attribute-def:displayName" id="displayName"/>
+ <Attribute name="urn:mace:dir:attribute-def:uid" id="uid"/>
+ <Attribute name="urn:mace:dir:attribute-def:mail" id="mail"/>
+ <Attribute name="urn:mace:dir:attribute-def:telephoneNumber" id="telephoneNumber"/>
+ <Attribute name="urn:mace:dir:attribute-def:title" id="title"/>
+ <Attribute name="urn:mace:dir:attribute-def:initials" id="initials"/>
+ <Attribute name="urn:mace:dir:attribute-def:description" id="description"/>
+ <Attribute name="urn:mace:dir:attribute-def:carLicense" id="carLicense"/>
+ <Attribute name="urn:mace:dir:attribute-def:departmentNumber" id="departmentNumber"/>
+ <Attribute name="urn:mace:dir:attribute-def:employeeNumber" id="employeeNumber"/>
+ <Attribute name="urn:mace:dir:attribute-def:employeeType" id="employeeType"/>
+ <Attribute name="urn:mace:dir:attribute-def:preferredLanguage" id="preferredLanguage"/>
+ <Attribute name="urn:mace:dir:attribute-def:manager" id="manager"/>
+ <Attribute name="urn:mace:dir:attribute-def:seeAlso" id="seeAlso"/>
+ <Attribute name="urn:mace:dir:attribute-def:facsimileTelephoneNumber" id="facsimileTelephoneNumber"/>
+ <Attribute name="urn:mace:dir:attribute-def:street" id="street"/>
+ <Attribute name="urn:mace:dir:attribute-def:postOfficeBox" id="postOfficeBox"/>
+ <Attribute name="urn:mace:dir:attribute-def:postalCode" id="postalCode"/>
+ <Attribute name="urn:mace:dir:attribute-def:st" id="st"/>
+ <Attribute name="urn:mace:dir:attribute-def:l" id="l"/>
+ <Attribute name="urn:mace:dir:attribute-def:o" id="o"/>
+ <Attribute name="urn:mace:dir:attribute-def:ou" id="ou"/>
+ <Attribute name="urn:mace:dir:attribute-def:businessCategory" id="businessCategory"/>
+ <Attribute name="urn:mace:dir:attribute-def:physicalDeliveryOfficeName" id="physicalDeliveryOfficeName"/>
-->
</Attributes>
<afp:AttributeRule attributeID="persistent-id">
<afp:PermitValueRule xsi:type="saml:NameIDQualifierString"/>
</afp:AttributeRule>
+
+ <!-- Enforce that the values of schacHomeOrganization are a valid Scope. -->
+ <afp:AttributeRule attributeID="schacHomeOrganization">
+ <afp:PermitValueRule xsi:type="saml:AttributeValueMatchesShibMDScope" />
+ </afp:AttributeRule>
<!-- Catch-all that passes everything else through unmolested. -->
<afp:AttributeRule attributeID="*">
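Review bot: The new rule at the `attributeID="schacHomeOrganization"` line only takes effect if an attribute with that id is actually produced, and the only mapping for it in this commit sits inside a commented-out block in attribute-map.xml (the SCHAC block), so the rule is inert until an administrator enables that mapping. The comment above the rule should say so, for example `<!-- Only applies once the schacHomeOrganization mapping in attribute-map.xml is uncommented. -->`. It may also help to state what the check does for the reader of the policy file: values not matching a Scope element in the issuer's metadata are dropped rather than passed through, which is what makes this useful against an IdP asserting someone else's home organization. The catch-all rule that follows continues outside the hunk.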
</complexContent>
</complexType>
+ <complexType name="AttributeValueMatchesShibMDScope">
+ <annotation>
+ <documentation>
+ A match function that ensures that an attribute's value matches a scope given in metadata for the entity or role.
+ </documentation>
+ </annotation>
+ <complexContent>
+ <extension base="afp:MatchFunctorType" />
+ </complexContent>
+ </complexType>
+
<complexType name="AttributeIssuerRegistrationAuthority">
<annotation>
<documentation>
attribute/filtering/impl/AttributeRequesterEntityAttributeFunctor.cpp \\r
attribute/filtering/impl/AttributeIssuerEntityMatcherFunctor.cpp \\r
attribute/filtering/impl/AttributeRequesterEntityMatcherFunctor.cpp \\r
- attribute/filtering/impl/AttributeScopeMatchesShibMDScopeFunctor.cpp \\r
+ attribute/filtering/impl/AttributeMatchesShibMDScopeFunctor.cpp \\r
attribute/filtering/impl/RegistrationAuthorityFunctor.cpp \\r
attribute/resolver/impl/ChainingAttributeResolver.cpp \\r
attribute/resolver/impl/QueryAttributeResolver.cpp \\r
/** Matches based on requester and pluggable criteria. */
extern SHIBSP_API xmltooling::QName AttributeRequesterEntityMatcherType;
- /** Matches based on metadata Scope extensions. */
+ /** Matches scope based on metadata Scope extensions. */
extern SHIBSP_API xmltooling::QName AttributeScopeMatchesShibMDScopeType;
+ /** Matches value based on metadata Scope extensions. */
+ extern SHIBSP_API xmltooling::QName AttributeValueMatchesShibMDScopeType;
+
/** Matches based on NameID NameQualifiers. */
extern SHIBSP_API xmltooling::QName NameIDQualifierStringType;
namespace shibsp {
- static const XMLCh groupID[] = UNICODE_LITERAL_7(g,r,o,u,p,I,D);
-
/**
- * A match function that ensures that an attributes value's scope matches a scope given in metadata for the entity or role.
+ * A match function that ensures that a string matches a scope given in metadata for the entity or role.
*/
- class SHIBSP_DLLLOCAL AttributeScopeMatchesShibMDScopeFunctor : public MatchFunctor
+ class SHIBSP_DLLLOCAL AbstractAttributeMatchesShibMDScopeFunctor : public MatchFunctor
{
public:
bool evaluatePolicyRequirement(const FilteringContext& filterContext) const {
if (!issuer)
return false;
- const char* scope = attribute.getScope(index);
- if (!scope || !*scope)
+ const char* s = getStringToMatch(attribute, index);
+ if (!s || !*s)
return false;
- auto_arrayptr<XMLCh> widescope(fromUTF8(scope));
+ auto_arrayptr<XMLCh> widestr(fromUTF8(s));
const Scope* rule;
const Extensions* ext = issuer->getExtensions();
const vector<XMLObject*>& exts = ext->getUnknownXMLObjects();
for (vector<XMLObject*>::const_iterator e = exts.begin(); e != exts.end(); ++e) {
rule = dynamic_cast<const Scope*>(*e);
- if (rule && matches(*rule, widescope)) {
+ if (rule && matches(*rule, widestr)) {
return true;
}
}
const vector<XMLObject*>& exts = ext->getUnknownXMLObjects();
for (vector<XMLObject*>::const_iterator e = exts.begin(); e != exts.end(); ++e) {
rule = dynamic_cast<const Scope*>(*e);
- if (rule && matches(*rule, widescope)) {
+ if (rule && matches(*rule, widestr)) {
return true;
}
}
return false;
}
+ protected:
+ virtual const char* getStringToMatch(const Attribute& attribute, size_t index) const = 0;
+
private:
bool matches(const Scope& rule, auto_arrayptr<XMLCh>& scope) const {
const XMLCh* val = rule.getValue();
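Review bot: The new pure-virtual `getStringToMatch` under `protected:` has no documentation, although the caller relies on two properties of it that subclass authors need to know: the result may be null or empty (the `if (!s || !*s)` guard handles that), and the pointer is only used for the duration of the call. A comment above the declaration such as `/** Returns the scope or value at index to compare against the issuer's Scope extensions; may return nullptr or an empty string, in which case the value is rejected. */` would pin that contract. Note also that the private `matches()` helper still names its second parameter `scope`, which is now misleading since it also receives plain attribute values; its body continues outside the hunk.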
}
};
+ class AttributeScopeMatchesShibMDScopeFunctor : public AbstractAttributeMatchesShibMDScopeFunctor
+ {
+ protected:
+ const char* getStringToMatch(const Attribute& attribute, size_t index) const {
+ return attribute.getScope(index);
+ }
+ };
+
+ class AttributeValueMatchesShibMDScopeFunctor : public AbstractAttributeMatchesShibMDScopeFunctor
+ {
+ protected:
+ const char* getStringToMatch(const Attribute& attribute, size_t index) const {
+ return attribute.getString(index);
+ }
+ };
+
MatchFunctor* SHIBSP_DLLLOCAL AttributeScopeMatchesShibMDScopeFactory(const pair<const FilterPolicyContext*,const DOMElement*>& p)
{
return new AttributeScopeMatchesShibMDScopeFunctor();
}
+ MatchFunctor* SHIBSP_DLLLOCAL AttributeValueMatchesShibMDScopeFactory(const pair<const FilterPolicyContext*,const DOMElement*>& p)
+ {
+ return new AttributeValueMatchesShibMDScopeFunctor();
+ }
+
};
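Review bot: The two concrete classes `AttributeScopeMatchesShibMDScopeFunctor` and `AttributeValueMatchesShibMDScopeFunctor` omit the `SHIBSP_DLLLOCAL` qualifier that the abstract base (`class SHIBSP_DLLLOCAL AbstractAttributeMatchesShibMDScopeFunctor`) and both factory functions carry, so their symbols are exported where the rest of this file deliberately keeps them local; they should read `class SHIBSP_DLLLOCAL AttributeScopeMatchesShibMDScopeFunctor : public AbstractAttributeMatchesShibMDScopeFunctor` and `class SHIBSP_DLLLOCAL AttributeValueMatchesShibMDScopeFunctor : public AbstractAttributeMatchesShibMDScopeFunctor`. Both also lack the one-line `/** ... */` comment the base class has; a sentence each stating that one compares the attribute's scope and the other the attribute's value against the issuer's metadata Scope extensions would keep the file's documentation style consistent. The enclosing `namespace shibsp` opens at the top of the first hunk and closes at the `};` that ends this one.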
DECL_FACTORY(AttributeIssuerEntityMatcher);
DECL_FACTORY(AttributeRequesterEntityMatcher);
DECL_FACTORY(AttributeScopeMatchesShibMDScope);
+ DECL_FACTORY(AttributeValueMatchesShibMDScope);
DECL_FACTORY(NameIDQualifierString);
DECL_FACTORY(AttributeIssuerRegistrationAuthority);
DECL_FACTORY(RegistrationAuthority);
static const XMLCh AttributeIssuerEntityMatcher[] = UNICODE_LITERAL_28(A,t,t,r,i,b,u,t,e,I,s,s,u,e,r,E,n,t,i,t,y,M,a,t,c,h,e,r);
static const XMLCh AttributeRequesterEntityMatcher[] = UNICODE_LITERAL_31(A,t,t,r,i,b,u,t,e,R,e,q,u,e,s,t,e,r,E,n,t,i,t,y,M,a,t,c,h,e,r);
static const XMLCh AttributeScopeMatchesShibMDScope[] = UNICODE_LITERAL_32(A,t,t,r,i,b,u,t,e,S,c,o,p,e,M,a,t,c,h,e,s,S,h,i,b,M,D,S,c,o,p,e);
+ static const XMLCh AttributeValueMatchesShibMDScope[] = UNICODE_LITERAL_32(A,t,t,r,i,b,u,t,e,V,a,l,u,e,M,a,t,c,h,e,s,S,h,i,b,M,D,S,c,o,p,e);
static const XMLCh NameIDQualifierString[] = UNICODE_LITERAL_21(N,a,m,e,I,D,Q,u,a,l,i,f,i,e,r,S,t,r,i,n,g);
static const XMLCh AttributeIssuerRegistrationAuthority[] = UNICODE_LITERAL_36(A,t,t,r,i,b,u,t,e,I,s,s,u,e,r,R,e,g,i,s,t,r,a,t,i,o,n,A,u,t,h,o,r,i,t,y);
static const XMLCh RegistrationAuthority[] = UNICODE_LITERAL_21(R,e,g,i,s,t,r,a,t,i,o,n,A,u,t,h,o,r,i,t,y);
DECL_SAML_QNAME(AttributeIssuerEntityMatcher, AttributeIssuerEntityMatcher);
DECL_SAML_QNAME(AttributeRequesterEntityMatcher, AttributeRequesterEntityMatcher);
DECL_SAML_QNAME(AttributeScopeMatchesShibMDScope, AttributeScopeMatchesShibMDScope);
+DECL_SAML_QNAME(AttributeValueMatchesShibMDScope, AttributeValueMatchesShibMDScope);
DECL_SAML_QNAME(NameIDQualifierString, NameIDQualifierString);
DECL_SAML_QNAME(AttributeIssuerRegistrationAuthority, AttributeIssuerRegistrationAuthority);
DECL_SAML_QNAME(RegistrationAuthority, RegistrationAuthority);
REGISTER_FACTORY(AttributeIssuerEntityMatcher);
REGISTER_FACTORY(AttributeRequesterEntityMatcher);
REGISTER_FACTORY(AttributeScopeMatchesShibMDScope);
+ REGISTER_FACTORY(AttributeValueMatchesShibMDScope);
REGISTER_FACTORY(NameIDQualifierString);
REGISTER_FACTORY(AttributeIssuerRegistrationAuthority);
REGISTER_FACTORY(RegistrationAuthority);