/*\r
* Copyright 2001-2007 Internet2\r
- * \r
+ *\r
* Licensed under the Apache License, Version 2.0 (the "License");\r
* you may not use this file except in compliance with the License.\r
* You may obtain a copy of the License at\r
using namespace xmltooling;\r
using namespace std;\r
\r
-namespace {\r
- \r
+namespace shibsp {\r
+\r
class Rule : public AccessControl\r
{\r
public:\r
void unlock() {}\r
\r
aclresult_t authorized(const SPRequest& request, const Session* session) const;\r
- \r
+\r
private:\r
string m_alias;\r
vector <string> m_vals;\r
};\r
- \r
+\r
class RuleRegex : public AccessControl\r
{\r
public:\r
~RuleRegex() {\r
delete m_re;\r
}\r
- \r
+\r
Lockable* lock() {return this;}\r
void unlock() {}\r
\r
aclresult_t authorized(const SPRequest& request, const Session* session) const;\r
- \r
+\r
private:\r
string m_alias;\r
auto_arrayptr<char> m_exp;\r
RegularExpression* m_re;\r
};\r
- \r
+\r
class Operator : public AccessControl\r
{\r
public:\r
void unlock() {}\r
\r
aclresult_t authorized(const SPRequest& request, const Session* session) const;\r
- \r
+\r
private:\r
enum operator_t { OP_NOT, OP_AND, OP_OR } m_op;\r
vector<AccessControl*> m_operands;\r
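Review bot: Replacing the anonymous namespace with `namespace shibsp {` at the top of this hunk gives `Rule`, `RuleRegex`, `Operator` and, further down, `XMLAccessControl` external linkage, so any other translation unit in the library that defines a `shibsp::Rule` or `shibsp::Operator` with a different layout becomes an ODR violation the linker will not report, and the wrong `authorized()` body could end up behind an access-control decision. If the goal is only to make `XMLAccessControlFactory` reachable from outside this file (the removal of `registerAccessControls` below suggests registration is moving to a central place; that is inferred), keep the implementation classes file-local by nesting them, `namespace shibsp { namespace { class Rule : public AccessControl ... } }`, and expose just the factory in `shibsp`. Wherever that registration now lives, both names the deleted function registered, `XML_ACCESS_CONTROL` and the `edu.internet2.middleware.shibboleth.sp.provider.XMLAccessControl` alias, need to be registered again or existing configurations using the long name silently stop resolving. The namespace and the class definitions continue past the end of this hunk.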
{\r
public:\r
XMLAccessControl(const DOMElement* e)\r
- : ReloadableXMLFile(e, Category::getInstance(SHIBSP_LOGCAT".AccessControl")), m_rootAuthz(NULL) {\r
+ : ReloadableXMLFile(e, Category::getInstance(SHIBSP_LOGCAT".AccessControl.XML")), m_rootAuthz(NULL) {\r
load(); // guarantees an exception or the policy is loaded\r
}\r
- \r
+\r
~XMLAccessControl() {\r
delete m_rootAuthz;\r
}\r
static const XMLCh _RuleRegex[] = UNICODE_LITERAL_9(R,u,l,e,R,e,g,e,x);\r
}\r
\r
-void SHIBSP_API shibsp::registerAccessControls()\r
-{\r
- SPConfig& conf=SPConfig::getConfig();\r
- conf.AccessControlManager.registerFactory(XML_ACCESS_CONTROL, XMLAccessControlFactory);\r
- conf.AccessControlManager.registerFactory("edu.internet2.middleware.shibboleth.sp.provider.XMLAccessControl", XMLAccessControlFactory);\r
-}\r
-\r
Rule::Rule(const DOMElement* e)\r
{\r
auto_ptr_char req(e->getAttributeNS(NULL,require));\r
auto_arrayptr<char> vals(toUTF8(e->hasChildNodes() ? e->getFirstChild()->getNodeValue() : NULL));\r
if (!vals.get())\r
return;\r
- \r
+\r
const XMLCh* flag = e->getAttributeNS(NULL,_list);\r
if (flag && (*flag == chLatin_f || *flag == chDigit_0)) {\r
if (*vals.get())\r
m_vals.push_back(vals.get());\r
return;\r
}\r
- \r
+\r
#ifdef HAVE_STRTOK_R\r
char* pos=NULL;\r
const char* token=strtok_r(const_cast<char*>(vals.get())," ",&pos);\r
request.log(SPRequest::SPWarn, "AccessControl plugin not given a valid session to evaluate, are you using lazy sessions?");\r
return shib_acl_false;\r
}\r
- \r
+\r
if (m_alias == "valid-user") {\r
if (session) {\r
request.log(SPRequest::SPDebug,"AccessControl plugin accepting valid-user based on active session");\r
if (!req.get() || !*req.get() || !m_exp.get() || !*m_exp.get())\r
throw ConfigurationException("Access control rule missing require attribute or element content.");\r
m_alias=req.get();\r
- \r
+\r
const XMLCh* flag = e->getAttributeNS(NULL,ignoreCase);\r
bool ignore = (flag && (*flag == chLatin_t || *flag == chDigit_1));\r
try {\r
- m_re = new RegularExpression(e->getFirstChild()->getNodeValue(), (ignore ? ignoreOption : &chNull)); \r
+ m_re = new RegularExpression(e->getFirstChild()->getNodeValue(), (ignore ? ignoreOption : &chNull));\r
}\r
catch (XMLException& ex) {\r
auto_ptr_char tmp(ex.getMessage());\r
request.log(SPRequest::SPWarn, "AccessControl plugin not given a valid session to evaluate, are you using lazy sessions?");\r
return shib_acl_false;\r
}\r
- \r
+\r
if (m_alias == "valid-user") {\r
if (session) {\r
request.log(SPRequest::SPDebug,"AccessControl plugin accepting valid-user based on active session");\r
auto_ptr_char tmp(ex.getMessage());\r
request.log(SPRequest::SPError, string("caught exception while parsing RuleRegex regular expression: ") + tmp.get());\r
}\r
- \r
+\r
return shib_acl_false;\r
}\r
\r
m_op=OP_OR;\r
else\r
throw ConfigurationException("Unrecognized operator in access control rule");\r
- \r
+\r
try {\r
e=XMLHelper::getFirstChildElement(e);\r
if (XMLString::equals(e->getLocalName(),_Rule))\r
m_operands.push_back(new RuleRegex(e));\r
else\r
m_operands.push_back(new Operator(e));\r
- \r
+\r
if (m_op==OP_NOT)\r
return;\r
- \r
+\r
e=XMLHelper::getNextSiblingElement(e);\r
while (e) {\r
if (XMLString::equals(e->getLocalName(),_Rule))\r
default:\r
return shib_acl_indeterminate;\r
}\r
- \r
+\r
case OP_AND:\r
{\r
for (vector<AccessControl*>::const_iterator i=m_operands.begin(); i!=m_operands.end(); i++) {\r
}\r
return shib_acl_true;\r
}\r
- \r
+\r
case OP_OR:\r
{\r
for (vector<AccessControl*>::const_iterator i=m_operands.begin(); i!=m_operands.end(); i++) {\r
{\r
// Load from source using base class.\r
pair<bool,DOMElement*> raw = ReloadableXMLFile::load();\r
- \r
+\r
// If we own it, wrap it.\r
XercesJanitor<DOMDocument> docjanitor(raw.first ? raw.second->getOwnerDocument() : NULL);\r
\r
// Check for AccessControl wrapper and drop a level.\r
if (XMLString::equals(raw.second->getLocalName(),_AccessControl))\r
raw.second = XMLHelper::getFirstChildElement(raw.second);\r
- \r
+\r
AccessControl* authz;\r
if (XMLString::equals(raw.second->getLocalName(),_Rule))\r
authz=new Rule(raw.second);\r