+RuleRegex::RuleRegex(const DOMElement* e) : m_exp(toUTF8(e->hasChildNodes() ? e->getFirstChild()->getNodeValue() : NULL))\r
+{\r
+ auto_ptr_char req(e->getAttributeNS(NULL,require));\r
+ if (!req.get() || !*req.get() || !m_exp.get() || !*m_exp.get())\r
+ throw ConfigurationException("Access control rule missing require attribute or element content.");\r
+ m_alias=req.get();\r
+ \r
+ const XMLCh* flag = e->getAttributeNS(NULL,ignoreCase);\r
+ bool ignore = (flag && (*flag == chLatin_t || *flag == chDigit_1));\r
+ try {\r
+ m_re = new RegularExpression(e->getFirstChild()->getNodeValue(), (ignore ? ignoreOption : &chNull)); \r
+ }\r
+ catch (XMLException& ex) {\r
+ auto_ptr_char tmp(ex.getMessage());\r
+ throw ConfigurationException("Caught exception while parsing RuleRegex regular expression: $1", params(1,tmp.get()));\r
+ }\r
+}\r
+\r
+AccessControl::aclresult_t RuleRegex::authorized(const SPRequest& request, const Session* session) const\r
+{\r
+ // Map alias in rule to the attribute.\r
+ if (!session) {\r
+ request.log(SPRequest::SPWarn, "AccessControl plugin not given a valid session to evaluate, are you using lazy sessions?");\r
+ return shib_acl_false;\r
+ }\r
+ \r
+ if (m_alias == "valid-user") {\r
+ if (session) {\r
+ request.log(SPRequest::SPDebug,"AccessControl plugin accepting valid-user based on active session");\r
+ return shib_acl_true;\r
+ }\r
+ return shib_acl_false;\r
+ }\r
+\r
+ try {\r
+ if (m_alias == "user") {\r
+ if (m_re->matches(request.getRemoteUser().c_str())) {\r
+ request.log(SPRequest::SPDebug, string("AccessControl plugin expecting REMOTE_USER (") + m_exp.get() + "), authz granted");\r
+ return shib_acl_true;\r
+ }\r
+ return shib_acl_false;\r
+ }\r
+ else if (m_alias == "authnContextClassRef") {\r
+ if (session->getAuthnContextClassRef() && m_re->matches(session->getAuthnContextClassRef())) {\r
+ request.log(SPRequest::SPDebug, string("AccessControl plugin expecting authnContextClassRef (") + m_exp.get() + "), authz granted");\r
+ return shib_acl_true;\r
+ }\r
+ return shib_acl_false;\r
+ }\r
+ else if (m_alias == "authnContextDeclRef") {\r
+ if (session->getAuthnContextDeclRef() && m_re->matches(session->getAuthnContextDeclRef())) {\r
+ request.log(SPRequest::SPDebug, string("AccessControl plugin expecting authnContextDeclRef (") + m_exp.get() + "), authz granted");\r
+ return shib_acl_true;\r
+ }\r
+ return shib_acl_false;\r
+ }\r
+\r
+ // Find the attribute(s) matching the require rule.\r
+ pair<multimap<string,const Attribute*>::const_iterator, multimap<string,const Attribute*>::const_iterator> attrs =\r
+ session->getIndexedAttributes().equal_range(m_alias);\r
+ if (attrs.first == attrs.second) {\r
+ request.log(SPRequest::SPWarn, string("rule requires attribute (") + m_alias + "), not found in session");\r
+ return shib_acl_false;\r
+ }\r
+\r
+ for (; attrs.first != attrs.second; ++attrs.first) {\r
+ // Now we have to intersect the attribute's values against the regular expression.\r
+ const vector<string>& vals = attrs.first->second->getSerializedValues();\r
+ for (vector<string>::const_iterator j=vals.begin(); j!=vals.end(); ++j) {\r
+ if (m_re->matches(j->c_str())) {\r
+ request.log(SPRequest::SPDebug, string("AccessControl plugin expecting (") + m_exp.get() + "), authz granted");\r
+ return shib_acl_true;\r
+ }\r
+ }\r
+ }\r
+ }\r
+ catch (XMLException& ex) {\r
+ auto_ptr_char tmp(ex.getMessage());\r
+ request.log(SPRequest::SPError, string("caught exception while parsing RuleRegex regular expression: ") + tmp.get());\r
+ }\r
+ \r
+ return shib_acl_false;\r
+}\r
+\r