From: cantor Date: Wed, 9 May 2007 04:29:56 +0000 (+0000) Subject: Metadata based functors. X-Git-Tag: 2.4~941 X-Git-Url: http://www.project-moonshot.org/gitweb/?p=shibboleth%2Fsp.git;a=commitdiff_plain;h=48483cfaef93a108d2cdc4af4e9e5c60432ba821 Metadata based functors. git-svn-id: https://svn.middleware.georgetown.edu/cpp-sp/trunk@2243 cb58f699-b61c-0410-a6fe-9272a202ed29 --- diff --git a/schemas/shibboleth-2.0-afp-mf-saml.xsd b/schemas/shibboleth-2.0-afp-mf-saml.xsd index 9b98ed2..3203e25 100644 --- a/schemas/shibboleth-2.0-afp-mf-saml.xsd +++ b/schemas/shibboleth-2.0-afp-mf-saml.xsd @@ -35,7 +35,7 @@ - + diff --git a/shibsp/Makefile.am b/shibsp/Makefile.am index 161000c..07ba4a3 100644 --- a/shibsp/Makefile.am +++ b/shibsp/Makefile.am @@ -118,6 +118,9 @@ libshibsp_la_SOURCES = \ attribute/filtering/AttributeValueRegexFunctor.cpp \ attribute/filtering/AuthenticationMethodRegexFunctor.cpp \ attribute/filtering/NumberOfAttributeValuesFunctor.cpp \ + attribute/filtering/AttributeIssuerInEntityGroupFunctor.cpp \ + attribute/filtering/AttributeRequesterInEntityGroupFunctor.cpp \ + attribute/filtering/AttributeScopeMatchesShibMDScopeFunctor.cpp \ attribute/resolver/impl/ChainingAttributeResolver.cpp \ attribute/resolver/impl/QueryAttributeResolver.cpp \ attribute/resolver/impl/XMLAttributeExtractor.cpp \ diff --git a/shibsp/attribute/filtering/MatchFunctor.h b/shibsp/attribute/filtering/MatchFunctor.h index 69c5b9f..6018414 100644 --- a/shibsp/attribute/filtering/MatchFunctor.h +++ b/shibsp/attribute/filtering/MatchFunctor.h @@ -109,6 +109,15 @@ namespace shibsp { /** Matches based on the number of values. */ extern SHIBSP_API xmltooling::QName NumberOfAttributeValuesType; + /** Matches based on metadata groups of issuer. */ + extern SHIBSP_API xmltooling::QName AttributeIssuerInEntityGroupType; + + /** Matches based on metadata groups of requester. */ + extern SHIBSP_API xmltooling::QName AttributeRequesterInEntityGroupType; + + /** Matches based on metadata Scope extensions. */ + extern SHIBSP_API xmltooling::QName AttributeScopeMatchesShibMDScopeType; + /** * Registers MatchFunctor classes into the runtime. */ diff --git a/shibsp/attribute/filtering/impl/AttributeIssuerInEntityGroupFunctor.cpp b/shibsp/attribute/filtering/impl/AttributeIssuerInEntityGroupFunctor.cpp new file mode 100644 index 0000000..6825fe3 --- /dev/null +++ b/shibsp/attribute/filtering/impl/AttributeIssuerInEntityGroupFunctor.cpp @@ -0,0 +1,72 @@ +/* + * Copyright 2001-2007 Internet2 + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +/** + * AttributeIssuerInEntityGroupFunctor.cpp + * + * A match function that evaluates to true if the attribute issuer is found in metadata and is a member + * of the given entity group. + */ + +#include "internal.h" +#include "exceptions.h" +#include "attribute/filtering/FilteringContext.h" +#include "attribute/filtering/FilterPolicyContext.h" + +using namespace opensaml::saml2md; + +namespace shibsp { + + static const XMLCh groupID[] = UNICODE_LITERAL_7(g,r,o,u,p,I,D); + + /** + * A match function that evaluates to true if the attribute issuer is found in metadata and is a member + * of the given entity group. + */ + class SHIBSP_DLLLOCAL AttributeIssuerInEntityGroupFunctor : public MatchFunctor + { + const XMLCh* m_group; + public: + AttributeIssuerInEntityGroupFunctor(const DOMElement* e) { + m_group = e ? e->getAttributeNS(NULL,groupID) : NULL; + if (!m_group || !*m_group) + throw ConfigurationException("AttributeIssuerInEntityGroup MatchFunctor requires non-empty groupID attribute."); + } + + bool evaluatePolicyRequirement(const FilteringContext& filterContext) const { + const RoleDescriptor* issuer = filterContext.getAttributeIssuerMetadata(); + if (!issuer) + return false; + const EntitiesDescriptor* group = dynamic_cast(issuer->getParent()->getParent()); + while (group) { + if (XMLString::equals(group->getName(), m_group)) + return true; + group = dynamic_cast(group->getParent()); + } + return false; + } + + bool evaluatePermitValue(const FilteringContext& filterContext, const Attribute& attribute, size_t index) const { + return evaluatePolicyRequirement(filterContext); + } + }; + + MatchFunctor* SHIBSP_DLLLOCAL AttributeIssuerInEntityGroupFactory(const std::pair& p) + { + return new AttributeIssuerInEntityGroupFunctor(p.second); + } + +}; diff --git a/shibsp/attribute/filtering/impl/AttributeIssuerRegexFunctor.cpp b/shibsp/attribute/filtering/impl/AttributeIssuerRegexFunctor.cpp index 7c678ab..f342f61 100644 --- a/shibsp/attribute/filtering/impl/AttributeIssuerRegexFunctor.cpp +++ b/shibsp/attribute/filtering/impl/AttributeIssuerRegexFunctor.cpp @@ -17,7 +17,7 @@ /** * AttributeIssuerRegexFunctor.cpp * - * A match function that evaluates to true if the Attribute issuer matches the provided regular + * A match function that evaluates to true if the Attribute issuer matches the provided regular * expression. */ @@ -34,7 +34,7 @@ namespace shibsp { static const XMLCh regex[] = UNICODE_LITERAL_5(r,e,g,e,x); /** - * A match function that evaluates to true if the Attribute issuer matches the provided regular + * A match function that evaluates to true if the Attribute issuer matches the provided regular * expression. */ class SHIBSP_DLLLOCAL AttributeIssuerRegexFunctor : public MatchFunctor @@ -48,10 +48,10 @@ namespace shibsp { try { m_regex = new RegularExpression(r, e->getAttributeNS(NULL,options)); } - catch (XMLException& ex) { - xmltooling::auto_ptr_char temp(ex.getMessage()); - throw ConfigurationException(temp.get()); - } + catch (XMLException& ex) { + xmltooling::auto_ptr_char temp(ex.getMessage()); + throw ConfigurationException(temp.get()); + } } virtual ~AttributeIssuerRegexFunctor() { diff --git a/shibsp/attribute/filtering/impl/AttributeRequesterInEntityGroupFunctor.cpp b/shibsp/attribute/filtering/impl/AttributeRequesterInEntityGroupFunctor.cpp new file mode 100644 index 0000000..e774a7a --- /dev/null +++ b/shibsp/attribute/filtering/impl/AttributeRequesterInEntityGroupFunctor.cpp @@ -0,0 +1,72 @@ +/* + * Copyright 2001-2007 Internet2 + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +/** + * AttributeRequesterInEntityGroupFunctor.cpp + * + * A match function that evaluates to true if the attribute requester is found in metadata and is a member + * of the given entity group. + */ + +#include "internal.h" +#include "exceptions.h" +#include "attribute/filtering/FilteringContext.h" +#include "attribute/filtering/FilterPolicyContext.h" + +using namespace opensaml::saml2md; + +namespace shibsp { + + static const XMLCh groupID[] = UNICODE_LITERAL_7(g,r,o,u,p,I,D); + + /** + * A match function that evaluates to true if the attribute requester is found in metadata and is a member + * of the given entity group. + */ + class SHIBSP_DLLLOCAL AttributeRequesterInEntityGroupFunctor : public MatchFunctor + { + const XMLCh* m_group; + public: + AttributeRequesterInEntityGroupFunctor(const DOMElement* e) { + m_group = e ? e->getAttributeNS(NULL,groupID) : NULL; + if (!m_group || !*m_group) + throw ConfigurationException("AttributeRequesterInEntityGroup MatchFunctor requires non-empty groupID attribute."); + } + + bool evaluatePolicyRequirement(const FilteringContext& filterContext) const { + const RoleDescriptor* req = filterContext.getAttributeRequesterMetadata(); + if (!req) + return false; + const EntitiesDescriptor* group = dynamic_cast(req->getParent()->getParent()); + while (group) { + if (XMLString::equals(group->getName(), m_group)) + return true; + group = dynamic_cast(group->getParent()); + } + return false; + } + + bool evaluatePermitValue(const FilteringContext& filterContext, const Attribute& attribute, size_t index) const { + return evaluatePolicyRequirement(filterContext); + } + }; + + MatchFunctor* SHIBSP_DLLLOCAL AttributeRequesterInEntityGroupFactory(const std::pair& p) + { + return new AttributeRequesterInEntityGroupFunctor(p.second); + } + +}; diff --git a/shibsp/attribute/filtering/impl/AttributeRequesterRegexFunctor.cpp b/shibsp/attribute/filtering/impl/AttributeRequesterRegexFunctor.cpp index d4d1bd0..1bbdc23 100644 --- a/shibsp/attribute/filtering/impl/AttributeRequesterRegexFunctor.cpp +++ b/shibsp/attribute/filtering/impl/AttributeRequesterRegexFunctor.cpp @@ -17,7 +17,7 @@ /** * AttributeRequesterRegexFunctor.cpp * - * A match function that evaluates to true if the Attribute requester matches the provided regular + * A match function that evaluates to true if the Attribute requester matches the provided regular * expression. */ @@ -34,7 +34,7 @@ namespace shibsp { static const XMLCh regex[] = UNICODE_LITERAL_5(r,e,g,e,x); /** - * A match function that evaluates to true if the Attribute requester matches the provided regular + * A match function that evaluates to true if the Attribute requester matches the provided regular * expression. */ class SHIBSP_DLLLOCAL AttributeRequesterRegexFunctor : public MatchFunctor @@ -48,10 +48,10 @@ namespace shibsp { try { m_regex = new RegularExpression(r, e->getAttributeNS(NULL,options)); } - catch (XMLException& ex) { - xmltooling::auto_ptr_char temp(ex.getMessage()); - throw ConfigurationException(temp.get()); - } + catch (XMLException& ex) { + xmltooling::auto_ptr_char temp(ex.getMessage()); + throw ConfigurationException(temp.get()); + } } virtual ~AttributeRequesterRegexFunctor() { diff --git a/shibsp/attribute/filtering/impl/AttributeScopeMatchesShibMDScopeFunctor.cpp b/shibsp/attribute/filtering/impl/AttributeScopeMatchesShibMDScopeFunctor.cpp new file mode 100644 index 0000000..5b7b26c --- /dev/null +++ b/shibsp/attribute/filtering/impl/AttributeScopeMatchesShibMDScopeFunctor.cpp @@ -0,0 +1,118 @@ +/* + * Copyright 2001-2007 Internet2 + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +/** + * AttributeScopeMatchesShibMDScopeFunctor.cpp + * + * A match function that ensures that an attributes value's scope matches a scope given in metadata for the entity or role. + */ + +#include "internal.h" +#include "exceptions.h" +#include "attribute/Attribute.h" +#include "attribute/filtering/FilteringContext.h" +#include "attribute/filtering/FilterPolicyContext.h" +#include "metadata/MetadataExt.h" + +#include + +using namespace opensaml::saml2md; +using namespace xmltooling; +using namespace std; + +namespace shibsp { + + static const XMLCh groupID[] = UNICODE_LITERAL_7(g,r,o,u,p,I,D); + + /** + * A match function that ensures that an attributes value's scope matches a scope given in metadata for the entity or role. + */ + class SHIBSP_DLLLOCAL AttributeScopeMatchesShibMDScopeFunctor : public MatchFunctor + { + public: + bool evaluatePolicyRequirement(const FilteringContext& filterContext) const { + return false; + } + + bool evaluatePermitValue(const FilteringContext& filterContext, const Attribute& attribute, size_t index) const { + const RoleDescriptor* issuer = filterContext.getAttributeIssuerMetadata(); + if (!issuer) + return false; + + const char* scope = attribute.getScope(index); + if (!scope || !*scope) + return false; + + const Scope* rule; + const XMLCh* widescope=NULL; + const Extensions* ext = issuer->getExtensions(); + if (ext) { + const vector& exts = ext->getUnknownXMLObjects(); + for (vector::const_iterator e = exts.begin(); e!=exts.end(); ++e) { + rule = dynamic_cast(*e); + if (rule) { + if (!widescope) + widescope = fromUTF8(scope); + if (matches(*rule, widescope)) { + delete[] widescope; + return true; + } + } + } + } + + ext = dynamic_cast(issuer->getParent())->getExtensions(); + if (ext) { + const vector& exts = ext->getUnknownXMLObjects(); + for (vector::const_iterator e = exts.begin(); e!=exts.end(); ++e) { + rule = dynamic_cast(*e); + if (rule) { + if (!widescope) + widescope = fromUTF8(scope); + if (matches(*rule, widescope)) { + delete[] widescope; + return true; + } + } + } + } + + delete[] widescope; + return false; + } + + private: + bool matches(const Scope& rule, const XMLCh* scope) const { + const XMLCh* val = rule.getValue(); + if (val && *val) { + if (rule.Regexp()) { + RegularExpression re(val); + return re.matches(scope); + } + else { + return XMLString::equals(val, scope); + } + } + return false; + } + }; + + MatchFunctor* SHIBSP_DLLLOCAL AttributeScopeMatchesShibMDScopeFactory(const std::pair& p) + { + return new AttributeScopeMatchesShibMDScopeFunctor(); + } + +}; diff --git a/shibsp/attribute/filtering/impl/MatchFunctor.cpp b/shibsp/attribute/filtering/impl/MatchFunctor.cpp index edb4f1a..06fd7b2 100644 --- a/shibsp/attribute/filtering/impl/MatchFunctor.cpp +++ b/shibsp/attribute/filtering/impl/MatchFunctor.cpp @@ -36,6 +36,9 @@ using namespace std; #define DECL_BASIC_QNAME(name,lit) \ QName shibsp::name##Type(shibspconstants::SHIB2ATTRIBUTEFILTER_MF_BASIC_NS, lit) +#define DECL_SAML_QNAME(name,lit) \ + QName shibsp::name##Type(shibspconstants::SHIB2ATTRIBUTEFILTER_MF_SAML_NS, lit) + #define REGISTER_FACTORY(name) \ mgr.registerFactory(name##Type, name##Factory) @@ -55,6 +58,10 @@ namespace shibsp { DECL_FACTORY(AttributeValueRegex); DECL_FACTORY(AttributeScopeRegex); DECL_FACTORY(NumberOfAttributeValues); + DECL_FACTORY(AttributeIssuerInEntityGroup); + DECL_FACTORY(AttributeRequesterInEntityGroup); + DECL_FACTORY(AttributeScopeMatchesShibMDScope); + static const XMLCh ANY[] = UNICODE_LITERAL_3(A,N,Y); static const XMLCh AND[] = UNICODE_LITERAL_3(A,N,D); @@ -71,6 +78,9 @@ namespace shibsp { static const XMLCh AttributeValueRegex[] = UNICODE_LITERAL_19(A,t,t,r,i,b,u,t,e,V,a,l,u,e,R,e,g,e,x); static const XMLCh AttributeScopeRegex[] = UNICODE_LITERAL_19(A,t,t,r,i,b,u,t,e,S,c,o,p,e,R,e,g,e,x); static const XMLCh NumberOfAttributeValues[] = UNICODE_LITERAL_23(N,u,m,b,e,r,O,f,A,t,t,r,i,b,u,t,e,V,a,l,u,e,s); + static const XMLCh AttributeIssuerInEntityGroup[] = UNICODE_LITERAL_28(A,t,t,r,i,b,u,t,e,I,s,s,u,e,r,I,n,E,n,t,i,t,y,G,r,o,u,p); + static const XMLCh AttributeRequesterInEntityGroup[] = UNICODE_LITERAL_31(A,t,t,r,i,b,u,t,e,R,e,q,u,e,s,t,e,r,I,n,E,n,t,i,t,y,G,r,o,u,p); + static const XMLCh AttributeScopeMatchesShibMDScope[] = UNICODE_LITERAL_32(A,t,t,r,i,b,u,t,e,S,c,o,p,e,M,a,t,c,h,e,s,S,h,i,b,M,D,S,c,o,p,e); }; DECL_BASIC_QNAME(AnyMatchFunctor, ANY); @@ -88,6 +98,9 @@ DECL_BASIC_QNAME(AuthenticationMethodRegex, AuthenticationMethodRegex); DECL_BASIC_QNAME(AttributeValueRegex, AttributeValueRegex); DECL_BASIC_QNAME(AttributeScopeRegex, AttributeScopeRegex); DECL_BASIC_QNAME(NumberOfAttributeValues, NumberOfAttributeValues); +DECL_SAML_QNAME(AttributeIssuerInEntityGroup, AttributeIssuerInEntityGroup); +DECL_SAML_QNAME(AttributeRequesterInEntityGroup, AttributeRequesterInEntityGroup); +DECL_SAML_QNAME(AttributeScopeMatchesShibMDScope, AttributeScopeMatchesShibMDScope); void SHIBSP_API shibsp::registerMatchFunctors() { @@ -108,4 +121,7 @@ void SHIBSP_API shibsp::registerMatchFunctors() REGISTER_FACTORY(AttributeValueRegex); REGISTER_FACTORY(AttributeScopeRegex); REGISTER_FACTORY(NumberOfAttributeValues); + REGISTER_FACTORY(AttributeIssuerInEntityGroup); + REGISTER_FACTORY(AttributeRequesterInEntityGroup); + REGISTER_FACTORY(AttributeScopeMatchesShibMDScope); } diff --git a/shibsp/attribute/filtering/impl/NumberOfAttributeValuesFunctor.cpp b/shibsp/attribute/filtering/impl/NumberOfAttributeValuesFunctor.cpp index b5e3dec..91d1106 100644 --- a/shibsp/attribute/filtering/impl/NumberOfAttributeValuesFunctor.cpp +++ b/shibsp/attribute/filtering/impl/NumberOfAttributeValuesFunctor.cpp @@ -17,7 +17,7 @@ /** * NumberOfAttributeValuesFunctor.cpp * - * A match function that evaluates to true if the given attribute has as a number + * A match function that evaluates to true if the given attribute has as a number * of values that falls between the minimum and maximum. */ @@ -37,7 +37,8 @@ namespace shibsp { static const XMLCh minimum[] = UNICODE_LITERAL_7(m,i,n,i,m,u,m); /** - * A match function that matches the scope of an attribute value against the specified value. + * A match function that evaluates to true if the given attribute has as a number + * of values that falls between the minimum and maximum. */ class SHIBSP_DLLLOCAL NumberOfAttributeValuesFunctor : public MatchFunctor { diff --git a/shibsp/shibsp.vcproj b/shibsp/shibsp.vcproj index 3a1cc0d..fc9857e 100644 --- a/shibsp/shibsp.vcproj +++ b/shibsp/shibsp.vcproj @@ -203,6 +203,10 @@ > + + @@ -211,6 +215,10 @@ > + + @@ -219,6 +227,10 @@ > + +