1 /**
2 * Licensed to the University Corporation for Advanced Internet
3 * Development, Inc. (UCAID) under one or more contributor license
4 * agreements. See the NOTICE file distributed with this work for
5 * additional information regarding copyright ownership.
6 *
7 * UCAID licenses this file to you under the Apache License,
8 * Version 2.0 (the "License"); you may not use this file except
9 * in compliance with the License. You may obtain a copy of the
10 * License at
11 *
12 * http://www.apache.org/licenses/LICENSE-2.0
13 *
14 * Unless required by applicable law or agreed to in writing,
15 * software distributed under the License is distributed on an
16 * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND,
17 * either express or implied. See the License for the specific
18 * language governing permissions and limitations under the License.
19 */
20
21 /**
22 * EntityRoleMetadataFilter.cpp
23 *
24 * Removes non-included roles from a metadata instance.
25 */
26
27 #include "internal.h"
28 #include "saml2/metadata/Metadata.h"
29 #include "saml2/metadata/MetadataFilter.h"
30
31 #include <xmltooling/logging.h>
32
33 using namespace opensaml::saml2md;
34 using namespace xmltooling::logging;
35 using namespace xmltooling;
36 using namespace std;
37
38 using boost::scoped_ptr;
39
40 namespace opensaml {
41 namespace saml2md {
42
43 class SAML_DLLLOCAL EntityRoleMetadataFilter : public MetadataFilter
44 {
45 public:
46 EntityRoleMetadataFilter(const DOMElement* e);
~EntityRoleMetadataFilter()47 ~EntityRoleMetadataFilter() {}
48
getId() const49 const char* getId() const { return ENTITYROLE_METADATA_FILTER; }
50 void doFilter(const MetadataFilterContext* ctx, XMLObject& xmlObject) const;
51
52 private:
53 void doFilter(EntityDescriptor& entity) const;
54 void doFilter(EntitiesDescriptor& entities) const;
55
56 bool m_removeRolelessEntityDescriptors, m_removeEmptyEntitiesDescriptors;
57 set<xmltooling::QName> m_roles;
58 bool m_idp, m_sp, m_authn, m_attr, m_pdp, m_authnq, m_attrq, m_authzq;
59 };
60
EntityRoleMetadataFilterFactory(const DOMElement * const & e,bool deprecationSupport)61 MetadataFilter* SAML_DLLLOCAL EntityRoleMetadataFilterFactory(const DOMElement* const & e, bool deprecationSupport)
62 {
63 return new EntityRoleMetadataFilter(e);
64 }
65
66 };
67 };
68
69 static const XMLCh RetainedRole[] = UNICODE_LITERAL_12(R,e,t,a,i,n,e,d,R,o,l,e);
70 static const XMLCh removeRolelessEntityDescriptors[] = UNICODE_LITERAL_31(r,e,m,o,v,e,R,o,l,e,l,e,s,s,E,n,t,i,t,y,D,e,s,c,r,i,p,t,o,r,s);
71 static const XMLCh removeEmptyEntitiesDescriptors[] = UNICODE_LITERAL_30(r,e,m,o,v,e,E,m,p,t,y,E,n,t,i,t,i,e,s,D,e,s,c,r,i,p,t,o,r,s);
72
EntityRoleMetadataFilter(const DOMElement * e)73 EntityRoleMetadataFilter::EntityRoleMetadataFilter(const DOMElement* e)
74 : m_removeRolelessEntityDescriptors(XMLHelper::getAttrBool(e, true, removeRolelessEntityDescriptors)),
75 m_removeEmptyEntitiesDescriptors(XMLHelper::getAttrBool(e, true, removeEmptyEntitiesDescriptors)),
76 m_idp(false), m_sp(false), m_authn(false), m_attr(false), m_pdp(false), m_authnq(false), m_attrq(false), m_authzq(false)
77 {
78 e = XMLHelper::getFirstChildElement(e, RetainedRole);
79 while (e) {
80 scoped_ptr<xmltooling::QName> q(XMLHelper::getNodeValueAsQName(e));
81 if (q) {
82 if (*q == IDPSSODescriptor::ELEMENT_QNAME)
83 m_idp = true;
84 else if (*q == SPSSODescriptor::ELEMENT_QNAME)
85 m_sp = true;
86 else if (*q == AuthnAuthorityDescriptor::ELEMENT_QNAME)
87 m_authn = true;
88 else if (*q == AttributeAuthorityDescriptor::ELEMENT_QNAME)
89 m_attr = true;
90 else if (*q == PDPDescriptor::ELEMENT_QNAME)
91 m_pdp = true;
92 else if (*q == AuthnQueryDescriptorType::TYPE_QNAME)
93 m_authnq = true;
94 else if (*q == AttributeQueryDescriptorType::TYPE_QNAME)
95 m_attrq = true;
96 else if (*q == AuthzDecisionQueryDescriptorType::TYPE_QNAME)
97 m_authzq = true;
98 else
99 m_roles.insert(*q);
100 }
101 e = XMLHelper::getNextSiblingElement(e, RetainedRole);
102 }
103 }
104
doFilter(const MetadataFilterContext * ctx,XMLObject & xmlObject) const105 void EntityRoleMetadataFilter::doFilter(const MetadataFilterContext* ctx, XMLObject& xmlObject) const
106 {
107 EntitiesDescriptor* group = dynamic_cast<EntitiesDescriptor*>(&xmlObject);
108 if (group) {
109 doFilter(*group);
110 }
111 else {
112 EntityDescriptor* entity = dynamic_cast<EntityDescriptor*>(&xmlObject);
113 if (entity) {
114 doFilter(*entity);
115 }
116 else {
117 throw MetadataFilterException(ENTITYROLE_METADATA_FILTER " MetadataFilter was given an improper metadata instance to filter.");
118 }
119 }
120 }
121
doFilter(EntitiesDescriptor & entities) const122 void EntityRoleMetadataFilter::doFilter(EntitiesDescriptor& entities) const
123 {
124 Category& log=Category::getInstance(SAML_LOGCAT ".MetadataFilter." ENTITYROLE_METADATA_FILTER);
125
126 VectorOf(EntityDescriptor) v = entities.getEntityDescriptors();
127 for (VectorOf(EntityDescriptor)::size_type i = 0; i < v.size(); ) {
128 doFilter(*v[i]);
129 if (m_removeRolelessEntityDescriptors) {
130 const EntityDescriptor& e = const_cast<const EntityDescriptor&>(*v[i]);
131 if (e.getIDPSSODescriptors().empty() &&
132 e.getSPSSODescriptors().empty() &&
133 e.getAuthnAuthorityDescriptors().empty() &&
134 e.getAttributeAuthorityDescriptors().empty() &&
135 e.getPDPDescriptors().empty() &&
136 e.getAuthnQueryDescriptorTypes().empty() &&
137 e.getAttributeQueryDescriptorTypes().empty() &&
138 e.getAuthzDecisionQueryDescriptorTypes().empty() &&
139 e.getRoleDescriptors().empty()) {
140 auto_ptr_char temp(e.getEntityID());
141 log.debug("filtering out role-less entity (%s)", temp.get());
142 v.erase(v.begin() + i);
143 continue;
144 }
145 }
146 i++;
147 }
148
149 VectorOf(EntitiesDescriptor) groups = entities.getEntitiesDescriptors();
150 for (VectorOf(EntitiesDescriptor)::size_type j = 0; j < groups.size(); ) {
151 EntitiesDescriptor* group = groups[j];
152 doFilter(*group);
153 if (m_removeEmptyEntitiesDescriptors && group->getEntitiesDescriptors().empty() && group->getEntityDescriptors().empty()) {
154 auto_ptr_char temp(entities.getName());
155 auto_ptr_char temp2(group->getName());
156 log.debug(
157 "filtering out empty EntitiesDescriptor (%s) from EntitiesDescriptor (%s)",
158 temp2.get() ? temp2.get() : "unnamed",
159 temp.get() ? temp.get() : "unnamed"
160 );
161 groups.erase(groups.begin() + j);
162 }
163 else {
164 j++;
165 }
166 }
167 }
168
doFilter(EntityDescriptor & entity) const169 void EntityRoleMetadataFilter::doFilter(EntityDescriptor& entity) const
170 {
171 if (!m_idp)
172 entity.getIDPSSODescriptors().clear();
173 if (!m_sp)
174 entity.getSPSSODescriptors().clear();
175 if (!m_authn)
176 entity.getAuthnAuthorityDescriptors().clear();
177 if (!m_attr)
178 entity.getAttributeAuthorityDescriptors().clear();
179 if (!m_pdp)
180 entity.getPDPDescriptors().clear();
181 if (!m_authnq)
182 entity.getAuthnQueryDescriptorTypes().clear();
183 if (!m_attrq)
184 entity.getAttributeQueryDescriptorTypes().clear();
185 if (!m_authzq)
186 entity.getAuthzDecisionQueryDescriptorTypes().clear();
187
188 VectorOf(RoleDescriptor) v = entity.getRoleDescriptors();
189 for (VectorOf(RoleDescriptor)::size_type i = 0; i < v.size(); ) {
190 const xmltooling::QName* type = v[i]->getSchemaType();
191 if (!type || m_roles.find(*type) != m_roles.end())
192 v.erase(v.begin() + i);
193 else
194 i++;
195 }
196 }
197