</complexContent>
</complexType>
- <complexType name="EntityGroupMatchType">
+ <complexType name="EntityGroupMatchType" abstract="true">
<complexContent>
<extension base="afp:MatchFunctorType">
<attribute name="groupID" type="string" use="required">
attribute/filtering/AttributeValueRegexFunctor.cpp \
attribute/filtering/AuthenticationMethodRegexFunctor.cpp \
attribute/filtering/NumberOfAttributeValuesFunctor.cpp \
+ attribute/filtering/AttributeIssuerInEntityGroupFunctor.cpp \
+ attribute/filtering/AttributeRequesterInEntityGroupFunctor.cpp \
+ attribute/filtering/AttributeScopeMatchesShibMDScopeFunctor.cpp \
attribute/resolver/impl/ChainingAttributeResolver.cpp \
attribute/resolver/impl/QueryAttributeResolver.cpp \
attribute/resolver/impl/XMLAttributeExtractor.cpp \
/** Matches based on the number of values. */
extern SHIBSP_API xmltooling::QName NumberOfAttributeValuesType;
+ /** Matches based on metadata groups of issuer. */
+ extern SHIBSP_API xmltooling::QName AttributeIssuerInEntityGroupType;
+
+ /** Matches based on metadata groups of requester. */
+ extern SHIBSP_API xmltooling::QName AttributeRequesterInEntityGroupType;
+
+ /** Matches based on metadata Scope extensions. */
+ extern SHIBSP_API xmltooling::QName AttributeScopeMatchesShibMDScopeType;
+
/**
* Registers MatchFunctor classes into the runtime.
*/
--- /dev/null
+/*
+ * Copyright 2001-2007 Internet2
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/**
+ * AttributeIssuerInEntityGroupFunctor.cpp
+ *
+ * A match function that evaluates to true if the attribute issuer is found in metadata and is a member
+ * of the given entity group.
+ */
+
+#include "internal.h"
+#include "exceptions.h"
+#include "attribute/filtering/FilteringContext.h"
+#include "attribute/filtering/FilterPolicyContext.h"
+
+using namespace opensaml::saml2md;
+
+namespace shibsp {
+
+ static const XMLCh groupID[] = UNICODE_LITERAL_7(g,r,o,u,p,I,D);
+
+ /**
+ * A match function that evaluates to true if the attribute issuer is found in metadata and is a member
+ * of the given entity group.
+ */
+ class SHIBSP_DLLLOCAL AttributeIssuerInEntityGroupFunctor : public MatchFunctor
+ {
+ const XMLCh* m_group;
+ public:
+ AttributeIssuerInEntityGroupFunctor(const DOMElement* e) {
+ m_group = e ? e->getAttributeNS(NULL,groupID) : NULL;
+ if (!m_group || !*m_group)
+ throw ConfigurationException("AttributeIssuerInEntityGroup MatchFunctor requires non-empty groupID attribute.");
+ }
+
+ bool evaluatePolicyRequirement(const FilteringContext& filterContext) const {
+ const RoleDescriptor* issuer = filterContext.getAttributeIssuerMetadata();
+ if (!issuer)
+ return false;
+ const EntitiesDescriptor* group = dynamic_cast<const EntitiesDescriptor*>(issuer->getParent()->getParent());
+ while (group) {
+ if (XMLString::equals(group->getName(), m_group))
+ return true;
+ group = dynamic_cast<const EntitiesDescriptor*>(group->getParent());
+ }
+ return false;
+ }
+
+ bool evaluatePermitValue(const FilteringContext& filterContext, const Attribute& attribute, size_t index) const {
+ return evaluatePolicyRequirement(filterContext);
+ }
+ };
+
+ MatchFunctor* SHIBSP_DLLLOCAL AttributeIssuerInEntityGroupFactory(const std::pair<const FilterPolicyContext*,const DOMElement*>& p)
+ {
+ return new AttributeIssuerInEntityGroupFunctor(p.second);
+ }
+
+};
/**
* AttributeIssuerRegexFunctor.cpp
*
- * A match function that evaluates to true if the Attribute issuer matches the provided regular\r
+ * A match function that evaluates to true if the Attribute issuer matches the provided regular
* expression.
*/
static const XMLCh regex[] = UNICODE_LITERAL_5(r,e,g,e,x);
/**
- * A match function that evaluates to true if the Attribute issuer matches the provided regular\r
+ * A match function that evaluates to true if the Attribute issuer matches the provided regular
* expression.
*/
class SHIBSP_DLLLOCAL AttributeIssuerRegexFunctor : public MatchFunctor
try {
m_regex = new RegularExpression(r, e->getAttributeNS(NULL,options));
}
- catch (XMLException& ex) {\r
- xmltooling::auto_ptr_char temp(ex.getMessage());\r
- throw ConfigurationException(temp.get());\r
- }\r
+ catch (XMLException& ex) {
+ xmltooling::auto_ptr_char temp(ex.getMessage());
+ throw ConfigurationException(temp.get());
+ }
}
virtual ~AttributeIssuerRegexFunctor() {
--- /dev/null
+/*
+ * Copyright 2001-2007 Internet2
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/**
+ * AttributeRequesterInEntityGroupFunctor.cpp
+ *
+ * A match function that evaluates to true if the attribute requester is found in metadata and is a member\r
+ * of the given entity group.
+ */
+
+#include "internal.h"
+#include "exceptions.h"
+#include "attribute/filtering/FilteringContext.h"
+#include "attribute/filtering/FilterPolicyContext.h"
+
+using namespace opensaml::saml2md;
+
+namespace shibsp {
+
+ static const XMLCh groupID[] = UNICODE_LITERAL_7(g,r,o,u,p,I,D);
+
+ /**
+ * A match function that evaluates to true if the attribute requester is found in metadata and is a member\r
+ * of the given entity group.
+ */
+ class SHIBSP_DLLLOCAL AttributeRequesterInEntityGroupFunctor : public MatchFunctor
+ {
+ const XMLCh* m_group;
+ public:
+ AttributeRequesterInEntityGroupFunctor(const DOMElement* e) {
+ m_group = e ? e->getAttributeNS(NULL,groupID) : NULL;
+ if (!m_group || !*m_group)
+ throw ConfigurationException("AttributeRequesterInEntityGroup MatchFunctor requires non-empty groupID attribute.");
+ }
+
+ bool evaluatePolicyRequirement(const FilteringContext& filterContext) const {
+ const RoleDescriptor* req = filterContext.getAttributeRequesterMetadata();
+ if (!req)
+ return false;
+ const EntitiesDescriptor* group = dynamic_cast<const EntitiesDescriptor*>(req->getParent()->getParent());
+ while (group) {
+ if (XMLString::equals(group->getName(), m_group))
+ return true;
+ group = dynamic_cast<const EntitiesDescriptor*>(group->getParent());
+ }
+ return false;
+ }
+
+ bool evaluatePermitValue(const FilteringContext& filterContext, const Attribute& attribute, size_t index) const {
+ return evaluatePolicyRequirement(filterContext);
+ }
+ };
+
+ MatchFunctor* SHIBSP_DLLLOCAL AttributeRequesterInEntityGroupFactory(const std::pair<const FilterPolicyContext*,const DOMElement*>& p)
+ {
+ return new AttributeRequesterInEntityGroupFunctor(p.second);
+ }
+
+};
/**
* AttributeRequesterRegexFunctor.cpp
*
- * A match function that evaluates to true if the Attribute requester matches the provided regular\r
+ * A match function that evaluates to true if the Attribute requester matches the provided regular
* expression.
*/
static const XMLCh regex[] = UNICODE_LITERAL_5(r,e,g,e,x);
/**
- * A match function that evaluates to true if the Attribute requester matches the provided regular\r
+ * A match function that evaluates to true if the Attribute requester matches the provided regular
* expression.
*/
class SHIBSP_DLLLOCAL AttributeRequesterRegexFunctor : public MatchFunctor
try {
m_regex = new RegularExpression(r, e->getAttributeNS(NULL,options));
}
- catch (XMLException& ex) {\r
- xmltooling::auto_ptr_char temp(ex.getMessage());\r
- throw ConfigurationException(temp.get());\r
- }\r
+ catch (XMLException& ex) {
+ xmltooling::auto_ptr_char temp(ex.getMessage());
+ throw ConfigurationException(temp.get());
+ }
}
virtual ~AttributeRequesterRegexFunctor() {
--- /dev/null
+/*
+ * Copyright 2001-2007 Internet2
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/**
+ * AttributeScopeMatchesShibMDScopeFunctor.cpp
+ *
+ * A match function that ensures that an attributes value's scope matches a scope given in metadata for the entity or role.
+ */
+
+#include "internal.h"
+#include "exceptions.h"
+#include "attribute/Attribute.h"
+#include "attribute/filtering/FilteringContext.h"
+#include "attribute/filtering/FilterPolicyContext.h"
+#include "metadata/MetadataExt.h"
+
+#include <xercesc/util/regx/RegularExpression.hpp>
+
+using namespace opensaml::saml2md;
+using namespace xmltooling;
+using namespace std;
+
+namespace shibsp {
+
+ static const XMLCh groupID[] = UNICODE_LITERAL_7(g,r,o,u,p,I,D);
+
+ /**
+ * A match function that ensures that an attributes value's scope matches a scope given in metadata for the entity or role.
+ */
+ class SHIBSP_DLLLOCAL AttributeScopeMatchesShibMDScopeFunctor : public MatchFunctor
+ {
+ public:
+ bool evaluatePolicyRequirement(const FilteringContext& filterContext) const {
+ return false;
+ }
+
+ bool evaluatePermitValue(const FilteringContext& filterContext, const Attribute& attribute, size_t index) const {
+ const RoleDescriptor* issuer = filterContext.getAttributeIssuerMetadata();
+ if (!issuer)
+ return false;
+
+ const char* scope = attribute.getScope(index);
+ if (!scope || !*scope)
+ return false;
+
+ const Scope* rule;
+ const XMLCh* widescope=NULL;
+ const Extensions* ext = issuer->getExtensions();
+ if (ext) {
+ const vector<XMLObject*>& exts = ext->getUnknownXMLObjects();
+ for (vector<XMLObject*>::const_iterator e = exts.begin(); e!=exts.end(); ++e) {
+ rule = dynamic_cast<const Scope*>(*e);
+ if (rule) {
+ if (!widescope)
+ widescope = fromUTF8(scope);
+ if (matches(*rule, widescope)) {
+ delete[] widescope;
+ return true;
+ }
+ }
+ }
+ }
+
+ ext = dynamic_cast<const EntityDescriptor*>(issuer->getParent())->getExtensions();
+ if (ext) {
+ const vector<XMLObject*>& exts = ext->getUnknownXMLObjects();
+ for (vector<XMLObject*>::const_iterator e = exts.begin(); e!=exts.end(); ++e) {
+ rule = dynamic_cast<const Scope*>(*e);
+ if (rule) {
+ if (!widescope)
+ widescope = fromUTF8(scope);
+ if (matches(*rule, widescope)) {
+ delete[] widescope;
+ return true;
+ }
+ }
+ }
+ }
+
+ delete[] widescope;
+ return false;
+ }
+
+ private:
+ bool matches(const Scope& rule, const XMLCh* scope) const {
+ const XMLCh* val = rule.getValue();
+ if (val && *val) {
+ if (rule.Regexp()) {
+ RegularExpression re(val);
+ return re.matches(scope);
+ }
+ else {
+ return XMLString::equals(val, scope);
+ }
+ }
+ return false;
+ }
+ };
+
+ MatchFunctor* SHIBSP_DLLLOCAL AttributeScopeMatchesShibMDScopeFactory(const std::pair<const FilterPolicyContext*,const DOMElement*>& p)
+ {
+ return new AttributeScopeMatchesShibMDScopeFunctor();
+ }
+
+};
#define DECL_BASIC_QNAME(name,lit) \
QName shibsp::name##Type(shibspconstants::SHIB2ATTRIBUTEFILTER_MF_BASIC_NS, lit)
+#define DECL_SAML_QNAME(name,lit) \
+ QName shibsp::name##Type(shibspconstants::SHIB2ATTRIBUTEFILTER_MF_SAML_NS, lit)
+
#define REGISTER_FACTORY(name) \
mgr.registerFactory(name##Type, name##Factory)
DECL_FACTORY(AttributeValueRegex);
DECL_FACTORY(AttributeScopeRegex);
DECL_FACTORY(NumberOfAttributeValues);
+ DECL_FACTORY(AttributeIssuerInEntityGroup);
+ DECL_FACTORY(AttributeRequesterInEntityGroup);
+ DECL_FACTORY(AttributeScopeMatchesShibMDScope);
+
static const XMLCh ANY[] = UNICODE_LITERAL_3(A,N,Y);
static const XMLCh AND[] = UNICODE_LITERAL_3(A,N,D);
static const XMLCh AttributeValueRegex[] = UNICODE_LITERAL_19(A,t,t,r,i,b,u,t,e,V,a,l,u,e,R,e,g,e,x);
static const XMLCh AttributeScopeRegex[] = UNICODE_LITERAL_19(A,t,t,r,i,b,u,t,e,S,c,o,p,e,R,e,g,e,x);
static const XMLCh NumberOfAttributeValues[] = UNICODE_LITERAL_23(N,u,m,b,e,r,O,f,A,t,t,r,i,b,u,t,e,V,a,l,u,e,s);
+ static const XMLCh AttributeIssuerInEntityGroup[] = UNICODE_LITERAL_28(A,t,t,r,i,b,u,t,e,I,s,s,u,e,r,I,n,E,n,t,i,t,y,G,r,o,u,p);
+ static const XMLCh AttributeRequesterInEntityGroup[] = UNICODE_LITERAL_31(A,t,t,r,i,b,u,t,e,R,e,q,u,e,s,t,e,r,I,n,E,n,t,i,t,y,G,r,o,u,p);
+ static const XMLCh AttributeScopeMatchesShibMDScope[] = UNICODE_LITERAL_32(A,t,t,r,i,b,u,t,e,S,c,o,p,e,M,a,t,c,h,e,s,S,h,i,b,M,D,S,c,o,p,e);
};
DECL_BASIC_QNAME(AnyMatchFunctor, ANY);
DECL_BASIC_QNAME(AttributeValueRegex, AttributeValueRegex);
DECL_BASIC_QNAME(AttributeScopeRegex, AttributeScopeRegex);
DECL_BASIC_QNAME(NumberOfAttributeValues, NumberOfAttributeValues);
+DECL_SAML_QNAME(AttributeIssuerInEntityGroup, AttributeIssuerInEntityGroup);
+DECL_SAML_QNAME(AttributeRequesterInEntityGroup, AttributeRequesterInEntityGroup);
+DECL_SAML_QNAME(AttributeScopeMatchesShibMDScope, AttributeScopeMatchesShibMDScope);
void SHIBSP_API shibsp::registerMatchFunctors()
{
REGISTER_FACTORY(AttributeValueRegex);
REGISTER_FACTORY(AttributeScopeRegex);
REGISTER_FACTORY(NumberOfAttributeValues);
+ REGISTER_FACTORY(AttributeIssuerInEntityGroup);
+ REGISTER_FACTORY(AttributeRequesterInEntityGroup);
+ REGISTER_FACTORY(AttributeScopeMatchesShibMDScope);
}
/**
* NumberOfAttributeValuesFunctor.cpp
*
- * A match function that evaluates to true if the given attribute has as a number\r
+ * A match function that evaluates to true if the given attribute has as a number
* of values that falls between the minimum and maximum.
*/
static const XMLCh minimum[] = UNICODE_LITERAL_7(m,i,n,i,m,u,m);
/**
- * A match function that matches the scope of an attribute value against the specified value.
+ * A match function that evaluates to true if the given attribute has as a number
+ * of values that falls between the minimum and maximum.
*/
class SHIBSP_DLLLOCAL NumberOfAttributeValuesFunctor : public MatchFunctor
{
>\r
</File>\r
<File\r
+ RelativePath=".\attribute\filtering\impl\AttributeIssuerInEntityGroupFunctor.cpp"\r
+ >\r
+ </File>\r
+ <File\r
RelativePath=".\attribute\filtering\impl\AttributeIssuerRegexFunctor.cpp"\r
>\r
</File>\r
>\r
</File>\r
<File\r
+ RelativePath=".\attribute\filtering\impl\AttributeRequesterInEntityGroupFunctor.cpp"\r
+ >\r
+ </File>\r
+ <File\r
RelativePath=".\attribute\filtering\impl\AttributeRequesterRegexFunctor.cpp"\r
>\r
</File>\r
>\r
</File>\r
<File\r
+ RelativePath=".\attribute\filtering\impl\AttributeScopeMatchesShibMDScopeFunctor.cpp"\r
+ >\r
+ </File>\r
+ <File\r
RelativePath=".\attribute\filtering\impl\AttributeScopeRegexFunctor.cpp"\r
>\r
</File>\r