/*
- * Copyright 2001-2006 Internet2
+ * Copyright 2001-2007 Internet2
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
*/
/**
- * @file Assertions.h
+ * @file saml/saml2/core/Assertions.h
*
* XMLObjects representing the SAML 2.0 Assertions schema
*/
#ifndef __saml2_assertions_h__
#define __saml2_assertions_h__
-#include <saml/signature/SignableObject.h>
+#include <saml/Assertion.h>
#include <saml/util/SAMLConstants.h>
-#include <xmltooling/AttributeExtensibleXMLObject.h>
-#include <xmltooling/ElementProxy.h>
-#include <xmltooling/SimpleElement.h>
#include <xmltooling/XMLObjectBuilder.h>
-#include <xmltooling/signature/KeyInfo.h>
+#include <xmltooling/encryption/Encryption.h>
+#include <xmltooling/security/CredentialCriteria.h>
+#include <xmltooling/security/CredentialResolver.h>
#include <xmltooling/signature/Signature.h>
#include <xmltooling/util/DateTime.h>
-#include <xmltooling/validation/ValidatingXMLObject.h>
#define DECL_SAML2OBJECTBUILDER(cname) \
- DECL_XMLOBJECTBUILDER(SAML_API,cname,opensaml::SAMLConstants::SAML20_NS,opensaml::SAMLConstants::SAML20_PREFIX)
+ DECL_XMLOBJECTBUILDER(SAML_API,cname,samlconstants::SAML20_NS,samlconstants::SAML20_PREFIX)
namespace opensaml {
+ namespace saml2md {
+ class SAML_API MetadataProvider;
+ class SAML_API MetadataCredentialCriteria;
+ };
+
/**
- * @namespace saml2
+ * @namespace opensaml::saml2
* SAML 2.0 assertion namespace
*/
namespace saml2 {
// Forward references
class SAML_API Assertion;
+ class SAML_API EncryptedAssertion;
+
+ /**
+ * Marker interface for SAML types that can be encrypted.
+ */
+ class SAML_API EncryptableObject : public virtual xmltooling::XMLObject
+ {
+ protected:
+ EncryptableObject() {}
+ virtual ~EncryptableObject() {}
+ };
DECL_XMLOBJECT_SIMPLE(SAML_API,AssertionIDRef,AssertionID,SAML 2.0 AssertionIDRef element);
DECL_XMLOBJECT_SIMPLE(SAML_API,AssertionURIRef,AssertionURI,SAML 2.0 AssertionURIRef element);
DECL_XMLOBJECT_SIMPLE(SAML_API,AuthnContextDeclRef,Reference,SAML 2.0 AuthnContextDeclRef element);
DECL_XMLOBJECT_SIMPLE(SAML_API,AuthenticatingAuthority,ID,SAML 2.0 AuthenticatingAuthority element);
- BEGIN_XMLOBJECT(SAML_API,BaseID,xmltooling::XMLObject,SAML 2.0 BaseIDAbstractType abstract type);
+ BEGIN_XMLOBJECT(SAML_API,EncryptedElementType,xmltooling::XMLObject,SAML 2.0 EncryptedElementType type);
+ DECL_TYPED_FOREIGN_CHILD(EncryptedData,xmlencryption);
+ DECL_TYPED_FOREIGN_CHILDREN(EncryptedKey,xmlencryption);
+ /** EncryptedElementType local name */
+ static const XMLCh TYPE_NAME[];
+
+ /**
+ * Encrypts an object to a single recipient using this object as a container.
+ *
+ * @param xmlObject object to encrypt
+ * @param metadataProvider a locked MetadataProvider to supply encryption keys
+ * @param criteria metadata-based CredentialCriteria to use
+ * @param compact true iff compact KeyInfo should be used
+ * @param algorithm optionally specifies data encryption algorithm if none can be determined from metadata
+ * @return the encrypted object
+ */
+ virtual void encrypt(
+ const EncryptableObject& xmlObject,
+ const saml2md::MetadataProvider& metadataProvider,
+ saml2md::MetadataCredentialCriteria& criteria,
+ bool compact=false,
+ const XMLCh* algorithm=NULL
+ );
+
+ /**
+ * Encrypts an object to multiple recipients using this object as a container.
+ *
+ * @param xmlObject object to encrypt
+ * @param recipients pairs containing a locked MetadataProvider to supply encryption keys,
+ * and a metadata-based CredentialCriteria to use
+ * @param compact true iff compact KeyInfo should be used
+ * @param algorithm optionally specifies data encryption algorithm if none can be determined from metadata
+ * @return the encrypted object
+ */
+ virtual void encrypt(
+ const EncryptableObject& xmlObject,
+ const std::vector< std::pair<const saml2md::MetadataProvider*, saml2md::MetadataCredentialCriteria*> >& recipients,
+ bool compact=false,
+ const XMLCh* algorithm=NULL
+ );
+
+ /**
+ * Decrypts the element using the supplied CredentialResolver.
+ *
+ * <p>The object returned will be unmarshalled around the decrypted DOM element in a
+ * new Document owned by the object.
+ *
+ * @param credResolver locked resolver supplying decryption keys
+ * @param recipient identifier naming the recipient (the entity performing the decryption)
+ * @param criteria optional external criteria to use with resolver
+ * @return the decrypted and unmarshalled object
+ */
+ virtual xmltooling::XMLObject* decrypt(
+ const xmltooling::CredentialResolver& credResolver, const XMLCh* recipient, xmltooling::CredentialCriteria* criteria=NULL
+ ) const;
+ END_XMLOBJECT;
+
+ BEGIN_XMLOBJECT(SAML_API,EncryptedID,EncryptedElementType,SAML 2.0 EncryptedID element);
+ END_XMLOBJECT;
+
+ BEGIN_XMLOBJECT(SAML_API,BaseID,EncryptableObject,SAML 2.0 BaseID abstract element);
DECL_STRING_ATTRIB(NameQualifier,NAMEQUALIFIER);
DECL_STRING_ATTRIB(SPNameQualifier,SPNAMEQUALIFIER);
END_XMLOBJECT;
- BEGIN_XMLOBJECT(SAML_API,NameIDType,xmltooling::SimpleElement,SAML 2.0 NameIDType type);
+ BEGIN_XMLOBJECT(SAML_API,NameIDType,xmltooling::XMLObject,SAML 2.0 NameIDType type);
DECL_STRING_ATTRIB(NameQualifier,NAMEQUALIFIER);
DECL_STRING_ATTRIB(SPNameQualifier,SPNAMEQUALIFIER);
DECL_STRING_ATTRIB(Format,FORMAT);
DECL_STRING_ATTRIB(SPProvidedID,SPPROVIDEDID);
- DECL_XMLOBJECT_CONTENT(Name);
+ DECL_SIMPLE_CONTENT(Name);
/** NameIDType local name */
static const XMLCh TYPE_NAME[];
+ /** Unspecified name format ID */
+ static const XMLCh UNSPECIFIED[];
+ /** Email address name format ID */
+ static const XMLCh EMAIL[];
+ /** X.509 subject name format ID */
+ static const XMLCh X509_SUBJECT[];
+ /** Windows domain qualified name format ID */
+ static const XMLCh WIN_DOMAIN_QUALIFIED[];
+ /** Kerberos principal name format ID */
+ static const XMLCh KERBEROS[];
+ /** Entity identifier name format ID */
+ static const XMLCh ENTITY[];
+ /** Persistent identifier name format ID */
+ static const XMLCh PERSISTENT[];
+ /** Transient identifier name format ID */
+ static const XMLCh TRANSIENT[];
END_XMLOBJECT;
- BEGIN_XMLOBJECT(SAML_API,NameID,NameIDType,SAML 2.0 NameID element);
+ BEGIN_XMLOBJECT2(SAML_API,NameID,NameIDType,EncryptableObject,SAML 2.0 NameID element);
END_XMLOBJECT;
BEGIN_XMLOBJECT(SAML_API,Issuer,NameIDType,SAML 2.0 Issuer element);
static const XMLCh TYPE_NAME[];
END_XMLOBJECT;
- BEGIN_XMLOBJECT2(SAML_API,SubjectConfirmationData,xmltooling::ElementProxy,xmltooling::AttributeExtensibleXMLObject,SAML 2.0 SubjectConfirmationData element);
+ BEGIN_XMLOBJECT(SAML_API,SubjectConfirmationDataType,xmltooling::XMLObject,SAML 2.0 SubjectConfirmationDataType base type);
DECL_DATETIME_ATTRIB(NotBefore,NOTBEFORE);
DECL_DATETIME_ATTRIB(NotOnOrAfter,NOTONORAFTER);
DECL_STRING_ATTRIB(Recipient,RECIPIENT);
DECL_STRING_ATTRIB(InResponseTo,INRESPONSETO);
DECL_STRING_ATTRIB(Address,ADDRESS);
- DECL_XMLOBJECT_CONTENT(Data);
END_XMLOBJECT;
- BEGIN_XMLOBJECT(SAML_API,KeyInfoConfirmationDataType,xmltooling::AttributeExtensibleXMLObject,SAML 2.0 KeyInfoConfirmationDataType type);
- DECL_DATETIME_ATTRIB(NotBefore,NOTBEFORE);
- DECL_DATETIME_ATTRIB(NotOnOrAfter,NOTONORAFTER);
- DECL_STRING_ATTRIB(Recipient,RECIPIENT);
- DECL_STRING_ATTRIB(InResponseTo,INRESPONSETO);
- DECL_STRING_ATTRIB(Address,ADDRESS);
+ BEGIN_XMLOBJECT2(SAML_API,SubjectConfirmationData,SubjectConfirmationDataType,xmltooling::ElementProxy,SAML 2.0 SubjectConfirmationData element);
+ DECL_SIMPLE_CONTENT(Data);
+ END_XMLOBJECT;
+
+ BEGIN_XMLOBJECT2(SAML_API,KeyInfoConfirmationDataType,SubjectConfirmationDataType,xmltooling::AttributeExtensibleXMLObject,SAML 2.0 KeyInfoConfirmationDataType type);
DECL_TYPED_FOREIGN_CHILDREN(KeyInfo,xmlsignature);
/** KeyInfoConfirmationDataType local name */
static const XMLCh TYPE_NAME[];
DECL_STRING_ATTRIB(Method,METHOD);
DECL_TYPED_CHILD(BaseID);
DECL_TYPED_CHILD(NameID);
- //DECL_TYPED_CHILD(EncryptedID);
+ DECL_TYPED_CHILD(EncryptedID);
DECL_XMLOBJECT_CHILD(SubjectConfirmationData);
- DECL_TYPED_CHILD(KeyInfoConfirmationDataType);
/** SubjectConfirmationType local name */
static const XMLCh TYPE_NAME[];
+ /** Bearer confirmation method */
+ static const XMLCh BEARER[];
+ /** Holder of key confirmation method */
+ static const XMLCh HOLDER_KEY[];
+ /** Sender vouches confirmation method */
+ static const XMLCh SENDER_VOUCHES[];
END_XMLOBJECT;
BEGIN_XMLOBJECT(SAML_API,Subject,xmltooling::XMLObject,SAML 2.0 Subject element);
DECL_TYPED_CHILD(BaseID);
DECL_TYPED_CHILD(NameID);
- //DECL_TYPED_CHILD(EncryptedID);
+ DECL_TYPED_CHILD(EncryptedID);
DECL_TYPED_CHILDREN(SubjectConfirmation);
/** SubjectType local name */
static const XMLCh TYPE_NAME[];
static const XMLCh TYPE_NAME[];
END_XMLOBJECT;
- BEGIN_XMLOBJECT2(SAML_API,AuthnContextDecl,xmltooling::ElementProxy,xmltooling::AttributeExtensibleXMLObject,SAML 2.0 AuthnContextDecl element);
+ BEGIN_XMLOBJECT(SAML_API,AuthnContextDecl,xmltooling::ElementProxy,SAML 2.0 AuthnContextDecl element);
END_XMLOBJECT;
BEGIN_XMLOBJECT(SAML_API,AuthnContext,xmltooling::XMLObject,SAML 2.0 AuthnContext element);
static const XMLCh TYPE_NAME[];
END_XMLOBJECT;
- BEGIN_XMLOBJECT(SAML_API,Action,xmltooling::SimpleElement,SAML 2.0 Action element);
+ BEGIN_XMLOBJECT(SAML_API,Action,xmltooling::XMLObject,SAML 2.0 Action element);
DECL_STRING_ATTRIB(Namespace,NAMESPACE);
- DECL_XMLOBJECT_CONTENT(Action);
+ DECL_SIMPLE_CONTENT(Action);
/** ActionType local name */
static const XMLCh TYPE_NAME[];
+ /** Read/Write/Execute/Delete/Control Action Namespace */
+ static const XMLCh RWEDC_NEG_ACTION_NAMESPACE[];
+ /** Read/Write/Execute/Delete/Control with Negation Action Namespace */
+ static const XMLCh RWEDC_ACTION_NAMESPACE[];
+ /** Get/Head/Put/Post Action Namespace */
+ static const XMLCh GHPP_ACTION_NAMESPACE[];
+ /** UNIX File Permissions Action Namespace */
+ static const XMLCh UNIX_ACTION_NAMESPACE[];
END_XMLOBJECT;
BEGIN_XMLOBJECT(SAML_API,Evidence,xmltooling::XMLObject,SAML 2.0 Evidence element);
DECL_TYPED_CHILDREN(AssertionIDRef);
DECL_TYPED_CHILDREN(AssertionURIRef);
DECL_TYPED_CHILDREN(Assertion);
- //DECL_TYPED_CHILDREN(EncryptedAssertion);
+ DECL_TYPED_CHILDREN(EncryptedAssertion);
/** EvidenceType local name */
static const XMLCh TYPE_NAME[];
END_XMLOBJECT;
static const XMLCh DECISION_INDETERMINATE[];
END_XMLOBJECT;
- BEGIN_XMLOBJECT2(SAML_API,AttributeValue,xmltooling::ElementProxy,xmltooling::AttributeExtensibleXMLObject,SAML 2.0 AttributeValue element);
+ BEGIN_XMLOBJECT(SAML_API,AttributeValue,xmltooling::ElementProxy,SAML 2.0 AttributeValue element);
END_XMLOBJECT;
- BEGIN_XMLOBJECT(SAML_API,Attribute,xmltooling::AttributeExtensibleXMLObject,SAML 2.0 Attribute element);
+ BEGIN_XMLOBJECT2(SAML_API,Attribute,xmltooling::AttributeExtensibleXMLObject,EncryptableObject,SAML 2.0 Attribute element);
DECL_STRING_ATTRIB(Name,NAME);
DECL_STRING_ATTRIB(NameFormat,NAMEFORMAT);
DECL_STRING_ATTRIB(FriendlyName,FRIENDLYNAME);
DECL_XMLOBJECT_CHILDREN(AttributeValue);
/** AttributeType local name */
static const XMLCh TYPE_NAME[];
+ /** Unspecified attribute name format ID */
+ static const XMLCh UNSPECIFIED[];
+ /** URI reference attribute name format ID */
+ static const XMLCh URI_REFERENCE[];
+ /** Basic attribute name format ID */
+ static const XMLCh BASIC[];
+ END_XMLOBJECT;
+
+ BEGIN_XMLOBJECT(SAML_API,EncryptedAttribute,EncryptedElementType,SAML 2.0 EncryptedAttribute element);
END_XMLOBJECT;
BEGIN_XMLOBJECT(SAML_API,AttributeStatement,Statement,SAML 2.0 AttributeStatement element);
DECL_TYPED_CHILDREN(Attribute);
- //DECL_TYPED_CHILDREN(EncryptedAttribute);
+ DECL_TYPED_CHILDREN(EncryptedAttribute);
/** AttributeStatementType local name */
static const XMLCh TYPE_NAME[];
END_XMLOBJECT;
- BEGIN_XMLOBJECT(SAML_API,Advice,xmltooling::XMLObject,SAML 2.0 Advice element);
+ BEGIN_XMLOBJECT(SAML_API,EncryptedAssertion,EncryptedElementType,SAML 2.0 EncryptedAssertion element);
+ END_XMLOBJECT;
+
+ BEGIN_XMLOBJECT(SAML_API,Advice,xmltooling::ElementExtensibleXMLObject,SAML 2.0 Advice element);
DECL_TYPED_CHILDREN(AssertionIDRef);
DECL_TYPED_CHILDREN(AssertionURIRef);
DECL_TYPED_CHILDREN(Assertion);
- //DECL_TYPED_CHILDREN(EncryptedAssertion);
- DECL_XMLOBJECT_CHILDREN(Other);
+ DECL_TYPED_CHILDREN(EncryptedAssertion);
/** AdviceType local name */
static const XMLCh TYPE_NAME[];
END_XMLOBJECT;
- BEGIN_XMLOBJECT(SAML_API,Assertion,SignableObject,SAML 2.0 Assertion element);
- DECL_STRING_ATTRIB(Version,VER);
- DECL_STRING_ATTRIB(ID,ID);
- DECL_DATETIME_ATTRIB(IssueInstant,ISSUEINSTANT);
- DECL_TYPED_CHILD(Issuer);
- DECL_TYPED_FOREIGN_CHILD(Signature,xmlsignature);
+ /**
+ * SAML 2.0 assertion or protocol message.
+ */
+ class SAML_API RootObject : virtual public opensaml::RootObject
+ {
+ protected:
+ RootObject() {}
+ public:
+ virtual ~RootObject() {}
+
+ /** Gets the Version attribute. */
+ virtual const XMLCh* getVersion() const=0;
+
+ /** Gets the Issuer. */
+ virtual Issuer* getIssuer() const=0;
+ };
+
+ BEGIN_XMLOBJECT3(SAML_API,Assertion,saml2::RootObject,opensaml::Assertion,EncryptableObject,SAML 2.0 Assertion element);
+ DECL_INHERITED_STRING_ATTRIB(Version,VER);
+ DECL_INHERITED_STRING_ATTRIB(ID,ID);
+ DECL_INHERITED_DATETIME_ATTRIB(IssueInstant,ISSUEINSTANT);
+ DECL_INHERITED_TYPED_CHILD(Issuer);
DECL_TYPED_CHILD(Subject);
DECL_TYPED_CHILD(Conditions);
DECL_TYPED_CHILD(Advice);
DECL_SAML2OBJECTBUILDER(AuthnStatement);
DECL_SAML2OBJECTBUILDER(AuthzDecisionStatement);
DECL_SAML2OBJECTBUILDER(Conditions);
+ DECL_SAML2OBJECTBUILDER(EncryptedAssertion);
+ DECL_SAML2OBJECTBUILDER(EncryptedAttribute);
+ DECL_SAML2OBJECTBUILDER(EncryptedID);
DECL_SAML2OBJECTBUILDER(Evidence);
DECL_SAML2OBJECTBUILDER(Issuer);
DECL_SAML2OBJECTBUILDER(NameID);
public:
virtual ~NameIDTypeBuilder() {}
/** Builder that allows element/type override. */
+#ifdef HAVE_COVARIANT_RETURNS
virtual NameIDType* buildObject(
+#else
+ virtual xmltooling::XMLObject* buildObject(
+#endif
const XMLCh* nsURI, const XMLCh* localName, const XMLCh* prefix=NULL, const xmltooling::QName* schemaType=NULL
) const;
/** Singleton builder. */
static NameIDType* buildNameIDType(const XMLCh* nsURI, const XMLCh* localName, const XMLCh* prefix=NULL) {
const NameIDTypeBuilder* b = dynamic_cast<const NameIDTypeBuilder*>(
- XMLObjectBuilder::getBuilder(xmltooling::QName(SAMLConstants::SAML20_NS,NameIDType::TYPE_NAME))
+ XMLObjectBuilder::getBuilder(xmltooling::QName(samlconstants::SAML20_NS,NameIDType::TYPE_NAME))
);
if (b) {
- xmltooling::QName schemaType(SAMLConstants::SAML20_NS,NameIDType::TYPE_NAME,SAMLConstants::SAML20_PREFIX);
+ xmltooling::QName schemaType(samlconstants::SAML20_NS,NameIDType::TYPE_NAME,samlconstants::SAML20_PREFIX);
+#ifdef HAVE_COVARIANT_RETURNS
return b->buildObject(nsURI, localName, prefix, &schemaType);
+#else
+ return dynamic_cast<NameIDType*>(b->buildObject(nsURI, localName, prefix, &schemaType));
+#endif
}
throw xmltooling::XMLObjectException("Unable to obtain typed builder for NameIDType.");
}
* This is customized to return a SubjectConfirmationData element with an
* xsi:type of KeyInfoConfirmationDataType.
*/
- class SAML_API KeyInfoConfirmationDataTypeBuilder : public xmltooling::XMLObjectBuilder {
+ class SAML_API KeyInfoConfirmationDataTypeBuilder : public xmltooling::ConcreteXMLObjectBuilder {
public:
virtual ~KeyInfoConfirmationDataTypeBuilder() {}
/** Default builder. */
+#ifdef HAVE_COVARIANT_RETURNS
virtual KeyInfoConfirmationDataType* buildObject() const {
+#else
+ virtual xmltooling::XMLObject* buildObject() const {
+#endif
xmltooling::QName schemaType(
- SAMLConstants::SAML20_NS,KeyInfoConfirmationDataType::TYPE_NAME,SAMLConstants::SAML20_PREFIX
+ samlconstants::SAML20_NS,KeyInfoConfirmationDataType::TYPE_NAME,samlconstants::SAML20_PREFIX
);
return buildObject(
- SAMLConstants::SAML20_NS,KeyInfoConfirmationDataType::LOCAL_NAME,SAMLConstants::SAML20_PREFIX,&schemaType
+ samlconstants::SAML20_NS,KeyInfoConfirmationDataType::LOCAL_NAME,samlconstants::SAML20_PREFIX,&schemaType
);
}
/** Builder that allows element/type override. */
+#ifdef HAVE_COVARIANT_RETURNS
virtual KeyInfoConfirmationDataType* buildObject(
+#else
+ virtual xmltooling::XMLObject* buildObject(
+#endif
const XMLCh* nsURI, const XMLCh* localName, const XMLCh* prefix=NULL, const xmltooling::QName* schemaType=NULL
) const;
/** Singleton builder. */
static KeyInfoConfirmationDataType* buildKeyInfoConfirmationDataType() {
const KeyInfoConfirmationDataTypeBuilder* b = dynamic_cast<const KeyInfoConfirmationDataTypeBuilder*>(
- XMLObjectBuilder::getBuilder(xmltooling::QName(SAMLConstants::SAML20_NS,KeyInfoConfirmationDataType::TYPE_NAME))
+ XMLObjectBuilder::getBuilder(xmltooling::QName(samlconstants::SAML20_NS,KeyInfoConfirmationDataType::TYPE_NAME))
);
if (b)
+#ifdef HAVE_COVARIANT_RETURNS
return b->buildObject();
+#else
+ return dynamic_cast<KeyInfoConfirmationDataType*>(b->buildObject());
+#endif
throw xmltooling::XMLObjectException("Unable to obtain typed builder for KeyInfoConfirmationDataType.");
}
};
-
+
/**
- * Registers builders and validators for Assertion classes into the runtime.
+ * Registers builders and validators for SAML 2.0 Assertion classes into the runtime.
*/
void SAML_API registerAssertionClasses();
};