2 * Copyright 2010 Internet2
\r
4 * Licensed under the Apache License, Version 2.0 (the "License");
\r
5 * you may not use this file except in compliance with the License.
\r
6 * You may obtain a copy of the License at
\r
8 * http://www.apache.org/licenses/LICENSE-2.0
\r
10 * Unless required by applicable law or agreed to in writing, software
\r
11 * distributed under the License is distributed on an "AS IS" BASIS,
\r
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
\r
13 * See the License for the specific language governing permissions and
\r
14 * limitations under the License.
\r
18 * NameIDQualifierStringFunctor.cpp
\r
20 * A match function that ensures that a NameID-valued attribute's qualifier(s)
\r
21 * match particular values.
\r
24 #include "internal.h"
\r
25 #include "exceptions.h"
\r
26 #include "attribute/NameIDAttribute.h"
\r
27 #include "attribute/filtering/FilteringContext.h"
\r
28 #include "attribute/filtering/FilterPolicyContext.h"
\r
29 #include "attribute/filtering/MatchFunctor.h"
\r
31 #include <saml/saml2/core/Assertions.h>
\r
32 #include <xmltooling/util/XMLHelper.h>
\r
34 using namespace shibsp;
\r
35 using namespace xmltooling::logging;
\r
36 using namespace xmltooling;
\r
37 using namespace std;
\r
38 using opensaml::saml2::NameID;
\r
// Local name ("attributeID") of the XML attribute on the rule element that the
// functor's constructor reads to learn which attribute it should examine.
static const XMLCh attributeID[] = UNICODE_LITERAL_11(a,t,t,r,i,b,u,t,e,I,D);
\r
/**
 * A match function that ensures that a NameID-valued attribute's qualifier(s)
 * match particular values.
 *
 * Configuration is read from the rule's DOM element: the ID of the attribute to
 * examine, plus optional expected NameQualifier and SPNameQualifier strings.
 * When an expected string is not configured, matches() compares against the
 * filtering context's attribute issuer (NameQualifier) or attribute requester
 * (SPNameQualifier) instead.
 *
 * Policy authors should note that matches() only tests a qualifier that is
 * non-empty on the value: a NameID value that carries no qualifier at all is
 * never compared against anything by this functor.
 */
class SHIBSP_DLLLOCAL NameIDQualifierStringFunctor : public MatchFunctor
{
    // Declaration order matters: the constructor's initializer list fills
    // these three strings in exactly this sequence.
    string m_attributeID,m_matchNameQualifier,m_matchSPNameQualifier;

    // True when some value of the attribute(s) named m_attributeID passes matches().
    bool hasValue(const FilteringContext& filterContext) const;

    // Tests the qualifiers of a single value (at position index) of attribute.
    bool matches(const FilteringContext& filterContext, const Attribute& attribute, size_t index) const;

public:
    /**
     * Reads the functor's settings from the rule element.
     *
     * @param e  DOM element of the rule; no validation happens here, an
     *           unusable attributeID is only reported by evaluatePolicyRequirement()
     */
    NameIDQualifierStringFunctor(const DOMElement* e)
        : m_attributeID(XMLHelper::getAttrString(e, nullptr, attributeID)),
          m_matchNameQualifier(XMLHelper::getAttrString(e, nullptr, NameID::NAMEQUALIFIER_ATTRIB_NAME)),
          m_matchSPNameQualifier(XMLHelper::getAttrString(e, nullptr, NameID::SPNAMEQUALIFIER_ATTRIB_NAME)) {
    }

    virtual ~NameIDQualifierStringFunctor() {
    }

    /**
     * Policy-level test: does the configured attribute hold a matching value?
     *
     * @throws AttributeFilteringException if no attributeID was configured,
     *         because a policy requirement has no implicit attribute to test
     */
    bool evaluatePolicyRequirement(const FilteringContext& filterContext) const {
        if (m_attributeID.empty())
            throw AttributeFilteringException("No attributeID specified.");
        return hasValue(filterContext);
    }

    /**
     * Value-level test used when deciding whether to release one value.
     *
     * With no attributeID configured, or when it names the attribute being
     * filtered, the value at index is tested directly. When the rule names a
     * different attribute, the answer does not depend on index at all: it is
     * whether that other attribute has at least one matching value.
     */
    bool evaluatePermitValue(const FilteringContext& filterContext, const Attribute& attribute, size_t index) const {
        if (m_attributeID.empty() || m_attributeID == attribute.getId())
            return matches(filterContext, attribute, index);
        return hasValue(filterContext);
    }
};
\r
/**
 * Factory entry point that builds a NameIDQualifierStringFunctor from a rule.
 *
 * @param p  pair of (policy context, rule DOM element); only the element is used
 * @return   a functor allocated with new; presumably the caller takes ownership
 *           and must delete it (confirm against the code that invokes factories)
 */
MatchFunctor* SHIBSP_DLLLOCAL NameIDQualifierStringFactory(const std::pair<const FilterPolicyContext*,const DOMElement*>& p)
{
    const DOMElement* const ruleElement = p.second;
    return new NameIDQualifierStringFunctor(ruleElement);
}
\r
/**
 * Reports whether any value of any attribute stored under m_attributeID in the
 * filtering context passes matches().
 *
 * NOTE(review): the listing this definition was recovered from had lost its
 * brace-only and return lines (and the declaration of the value count). The
 * "true on first match, false otherwise" results are inferred from how
 * evaluatePolicyRequirement() uses the function; confirm against upstream.
 */
bool NameIDQualifierStringFunctor::hasValue(const FilteringContext& filterContext) const
{
    typedef multimap<string,Attribute*>::const_iterator attr_iter;

    // Several attributes may share one ID, so walk the whole equal_range.
    const pair<attr_iter,attr_iter> range = filterContext.getAttributes().equal_range(m_attributeID);
    for (attr_iter cur = range.first; cur != range.second; ++cur) {
        // Read the count once per attribute, before the value loop starts.
        const size_t count = cur->second->valueCount();
        for (size_t index = 0; index < count; ++index) {
            if (matches(filterContext, *(cur->second), index))
                return true;
        }
    }
    return false;
}
\r
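/**
 * Tests the NameQualifier and SPNameQualifier of one NameID value.
 *
 * For each of the two qualifiers that is non-empty on the value:
 *  - if the rule configured an expected string, the qualifier must equal it;
 *  - otherwise it must equal the filtering context's attribute issuer
 *    (NameQualifier) or attribute requester (SPNameQualifier), and the value
 *    is rejected when that issuer/requester is unknown.
 * A qualifier that is empty on the value is not tested at all, so a value
 * without qualifiers is accepted by this functor.
 *
 * Every rejection is logged at warn level. The qualifier strings are written
 * to the log verbatim (presumably as received in the NameID — confirm), so
 * log consumers should treat them as untrusted text.
 *
 * NOTE(review): the listing this definition was recovered from had lost its
 * brace-only, condition-only and return lines. The "return false" after each
 * "rejecting ..." message and the final "return true" are inferred from those
 * messages; confirm against upstream.
 *
 * @param filterContext  supplies the attribute issuer and requester
 * @param attribute      attribute to test; must be a NameIDAttribute
 * @param index          position of the value within the attribute
 * @return true when the value's qualifiers are acceptable, false otherwise
 */
bool NameIDQualifierStringFunctor::matches(const FilteringContext& filterContext, const Attribute& attribute, size_t index) const
{
    const NameIDAttribute* nameattr = dynamic_cast<const NameIDAttribute*>(&attribute);
    if (!nameattr) {
        Category::getInstance(SHIBSP_LOGCAT".AttributeFilter").warn(
            "NameIDQualifierString MatchFunctor applied to non-NameID-valued attribute (%s)", attribute.getId()
            );
        return false;
    }

    // getValues()[index] below is an unchecked subscript. hasValue() keeps
    // index under valueCount(), but evaluatePermitValue() forwards whatever
    // index its caller supplies, so reject out-of-range positions here
    // instead of reading past the end of the value list.
    if (index >= nameattr->valueCount()) {
        Category::getInstance(SHIBSP_LOGCAT".AttributeFilter").warn(
            "NameIDQualifierString MatchFunctor given out-of-range value index for attribute (%s)", attribute.getId()
            );
        return false;
    }

    const NameIDAttribute::Value& val = nameattr->getValues()[index];

    if (!val.m_NameQualifier.empty()) {
        if (!m_matchNameQualifier.empty()) {
            // An explicitly configured NameQualifier takes precedence.
            if (m_matchNameQualifier != val.m_NameQualifier) {
                Category::getInstance(SHIBSP_LOGCAT".AttributeFilter").warn(
                    "NameIDQualifierString MatchFunctor rejecting NameQualifier (%s), should be (%s)",
                    val.m_NameQualifier.c_str(), m_matchNameQualifier.c_str()
                    );
                return false;
            }
        }
        else {
            // Default: the qualifier has to name the attribute issuer.
            auto_ptr_char issuer(filterContext.getAttributeIssuer());
            if (!issuer.get() || !*issuer.get()) {
                // No issuer to compare with: reject rather than accept unverified.
                Category::getInstance(SHIBSP_LOGCAT".AttributeFilter").warn(
                    "NameIDQualifierString MatchFunctor rejecting NameQualifier (%s), attribute issuer unknown",
                    val.m_NameQualifier.c_str()
                    );
                return false;
            }
            if (val.m_NameQualifier != issuer.get()) {
                Category::getInstance(SHIBSP_LOGCAT".AttributeFilter").warn(
                    "NameIDQualifierString MatchFunctor rejecting NameQualifier (%s), should be (%s)",
                    val.m_NameQualifier.c_str(), issuer.get()
                    );
                return false;
            }
        }
    }

    if (!val.m_SPNameQualifier.empty()) {
        if (!m_matchSPNameQualifier.empty()) {
            // An explicitly configured SPNameQualifier takes precedence.
            if (m_matchSPNameQualifier != val.m_SPNameQualifier) {
                Category::getInstance(SHIBSP_LOGCAT".AttributeFilter").warn(
                    "NameIDQualifierString MatchFunctor rejecting SPNameQualifier (%s), should be (%s)",
                    val.m_SPNameQualifier.c_str(), m_matchSPNameQualifier.c_str()
                    );
                return false;
            }
        }
        else {
            // Default: the qualifier has to name the attribute requester.
            auto_ptr_char req(filterContext.getAttributeRequester());
            if (!req.get() || !*req.get()) {
                // No requester to compare with: reject rather than accept unverified.
                Category::getInstance(SHIBSP_LOGCAT".AttributeFilter").warn(
                    "NameIDQualifierString MatchFunctor rejecting SPNameQualifier (%s), attribute requester unknown",
                    val.m_SPNameQualifier.c_str()
                    );
                return false;
            }
            if (val.m_SPNameQualifier != req.get()) {
                Category::getInstance(SHIBSP_LOGCAT".AttributeFilter").warn(
                    "NameIDQualifierString MatchFunctor rejecting SPNameQualifier (%s), should be (%s)",
                    val.m_SPNameQualifier.c_str(), req.get()
                    );
                return false;
            }
        }
    }

    return true;
}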
\r