[shibboleth-sp2] 02/05: Added Scoped indicator, avoids reliance on sender.
Ferenc Wágner
wferi-guest at moszumanska.debian.org
Tue Jan 26 21:29:25 UTC 2016
commit 6c4cf07d3dedc47bf169c97d92e81d50bff255cf
Author: Scott Cantor <cantor.2 at osu.edu>
Date: Sun Dec 12 03:46:09 2004 +0000
Added Scoped indicator, avoids reliance on sender.
---
configs/AAP.xml | 4 ++--
schemas/shibboleth.xsd | 1 +
xmlproviders/XML.cpp | 2 ++
xmlproviders/XMLAAP.cpp | 24 ++++++++++++++++++------
xmlproviders/internal.h | 1 +
5 files changed, 24 insertions(+), 8 deletions(-)
diff --git a/configs/AAP.xml b/configs/AAP.xml
index 4e8846b..f01f9db 100644
--- a/configs/AAP.xml
+++ b/configs/AAP.xml
@@ -16,7 +16,7 @@
<!-- First some useful eduPerson attributes that many sites might use. -->
- <AttributeRule Name="urn:mace:dir:attribute-def:eduPersonScopedAffiliation" Header="Shib-EP-Affiliation" Alias="affiliation">
+ <AttributeRule Name="urn:mace:dir:attribute-def:eduPersonScopedAffiliation" Scoped="true" Header="Shib-EP-Affiliation" Alias="affiliation">
<!-- Filtering rule to limit values to eduPerson-defined enumeration. -->
<AnySite>
<Value Type="regexp">^[M|m][E|e][M|m][B|b][E|e][R|r]$</Value>
@@ -47,7 +47,7 @@
</AnySite>
</AttributeRule>
- <AttributeRule Name="urn:mace:dir:attribute-def:eduPersonPrincipalName" Header="REMOTE_USER" Alias="user">
+ <AttributeRule Name="urn:mace:dir:attribute-def:eduPersonPrincipalName" Scoped="true" Header="REMOTE_USER" Alias="user">
<!-- Basic rule to pass through any value. -->
<AnySite>
<Value Type="regexp">^[^@]+$</Value>
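Review bot: The new `Scoped="true"` on the eduPersonPrincipalName rule changes what reaches REMOTE_USER — with the XMLAAP.cpp part of this commit, a value that arrives without a scope is now rejected outright rather than passed through — but nothing in the config says so, and operators copying this rule will not know the attribute is a hard requirement rather than a hint. Add a short comment on the rule, e.g. `<!-- Scoped="true": values that carry no scope are rejected by the SP, regardless of what the origin site supplies. -->`. The same comment belongs on the eduPersonScopedAffiliation rule in the earlier hunk. The AttributeRule element continues past the end of this hunk.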
diff --git a/schemas/shibboleth.xsd b/schemas/shibboleth.xsd
index 392fed4..4189c90 100644
--- a/schemas/shibboleth.xsd
+++ b/schemas/shibboleth.xsd
@@ -104,6 +104,7 @@
<attribute name="Factory" type="string" use="optional"/>
<attribute name="Alias" type="string" use="optional"/>
<attribute name="Header" type="string" use="optional"/>
+ <attribute name="Scoped" type="boolean" use="optional" default="false"/>
<anyAttribute namespace="##other" processContents="lax"/>
</complexType>
diff --git a/xmlproviders/XML.cpp b/xmlproviders/XML.cpp
index b3de64f..9707fd5 100644
--- a/xmlproviders/XML.cpp
+++ b/xmlproviders/XML.cpp
@@ -268,6 +268,8 @@ const XMLCh XML::Literals::Header[]=
const XMLCh XML::Literals::Namespace[]=
{ chLatin_N, chLatin_a, chLatin_m, chLatin_e, chLatin_s, chLatin_p, chLatin_a, chLatin_c, chLatin_e, chNull };
+const XMLCh XML::Literals::Scoped[] = { chLatin_S, chLatin_c, chLatin_o, chLatin_p, chLatin_e, chLatin_d, chNull };
+
const XMLCh XML::Literals::SiteRule[] =
{ chLatin_S, chLatin_i, chLatin_t, chLatin_e, chLatin_R, chLatin_u, chLatin_l, chLatin_e, chNull };
diff --git a/xmlproviders/XMLAAP.cpp b/xmlproviders/XMLAAP.cpp
index 40bd3fa..eddaf10 100644
--- a/xmlproviders/XMLAAP.cpp
+++ b/xmlproviders/XMLAAP.cpp
@@ -88,6 +88,7 @@ namespace {
const char* getFactory() const { return m_factory.get(); }
const char* getAlias() const { return m_alias.get(); }
const char* getHeader() const { return m_header.get(); }
+ const bool getScoped() const { return m_scoped; }
void apply(const IProvider* originSite, SAMLAttribute& attribute) const;
enum value_type { literal, regexp, xpath };
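Review bot: The `const` on the return type of `const bool getScoped() const` is a no-op for a by-value return and reads as if it were meant to qualify something; the sibling accessors on the lines above return plain `const char*` without it. Drop it: `bool getScoped() const { return m_scoped; }`. The enclosing class continues outside this hunk.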
@@ -97,6 +98,7 @@ namespace {
auto_ptr_char m_factory;
auto_ptr_char m_alias;
auto_ptr_char m_header;
+ bool m_scoped;
value_type toValueType(const DOMElement* e);
bool scopeCheck(const IProvider* originSite, const DOMElement* e) const;
@@ -244,7 +246,8 @@ XMLAAPImpl::~XMLAAPImpl()
XMLAAPImpl::AttributeRule::AttributeRule(const DOMElement* e) :
m_factory(e->hasAttributeNS(NULL,SHIB_L(Factory)) ? e->getAttributeNS(NULL,SHIB_L(Factory)) : NULL),
m_alias(e->hasAttributeNS(NULL,SHIB_L(Alias)) ? e->getAttributeNS(NULL,SHIB_L(Alias)) : NULL),
- m_header(e->hasAttributeNS(NULL,SHIB_L(Header)) ? e->getAttributeNS(NULL,SHIB_L(Header)) : NULL)
+ m_header(e->hasAttributeNS(NULL,SHIB_L(Header)) ? e->getAttributeNS(NULL,SHIB_L(Header)) : NULL),
+ m_scoped(false)
{
static const XMLCh wTrue[] = {chLatin_t, chLatin_r, chLatin_u, chLatin_e, chNull};
@@ -254,6 +257,9 @@ XMLAAPImpl::AttributeRule::AttributeRule(const DOMElement* e) :
if (!m_namespace || !*m_namespace)
m_namespace=Constants::SHIB_ATTRIBUTE_NAMESPACE_URI;
+ const XMLCh* scoped=e->getAttributeNS(NULL,SHIB_L(Scoped));
+ m_scoped=(scoped && (*scoped==chDigit_1 || !XMLString::compareString(scoped,wTrue)));
+
// Check for an AnySite rule.
DOMNode* anysite = e->getFirstChild();
while (anysite && anysite->getNodeType()!=DOMNode::ELEMENT_NODE)
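Review bot: The `*scoped==chDigit_1` test on the new line only inspects the first character, so `Scoped="10"` or `Scoped="1x"` enables scoping, while any other spelling that is not exactly `true` (e.g. `Scoped="True"`) silently leaves the rule unscoped — the unsafe direction for a check whose purpose is to stop relying on the sender, unless schema validation is guaranteed to reject such values upstream (not visible here). Compare the whole token, `m_scoped=(scoped && ((*scoped==chDigit_1 && !scoped[1]) || !XMLString::compareString(scoped,wTrue)));`, and consider warning (or treating as true) when a non-empty value matches neither form, so a typo fails closed rather than open. The constructor body continues outside this hunk.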
@@ -417,14 +423,20 @@ namespace {
bool XMLAAPImpl::AttributeRule::scopeCheck(const IProvider* originSite, const DOMElement* e) const
{
- // Are we scoped?
- const XMLCh* scope=e->getAttributeNS(NULL,SHIB_L(Scope));
- if (!scope || !*scope)
- return true;
-
NDC ndc("scopeCheck");
Category& log=Category::getInstance(XMLPROVIDERS_LOGCAT".XMLAAPImpl");
+ // Are we scoped?
+ const XMLCh* scope=e->getAttributeNS(NULL,SHIB_L(Scope));
+ if (!scope || !*scope) {
+ // Are we allowed to be unscoped?
+ if (m_scoped && log.isWarnEnabled()) {
+ auto_ptr_char temp(m_name);
+ log.warn("attribute %s is scoped, no scope supplied, rejecting it",temp.get());
+ }
+ return !m_scoped;
+ }
+
vector<pair<value_type,const XMLCh*> >::const_iterator i;
// Denials take precedence, always.
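Review bot: The new early-return block changes scopeCheck's contract — an unscoped value now fails when the rule is marked Scoped, and passes without any site filtering when it is not — but the only documentation is the question-style comment `// Are we allowed to be unscoped?`; state the rule explicitly above the check, e.g. `// A rule marked Scoped rejects any value lacking a Scope attribute, so the decision no longer depends on the sender; unscoped rules pass unscoped values without consulting the site rules.` The rejection is logged only at warn level and only when warn is enabled, which is adequate for a policy decision but worth noting in that comment so nobody later demotes it to debug. The rest of scopeCheck (the deny/allow scan) lies outside this hunk.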
diff --git a/xmlproviders/internal.h b/xmlproviders/internal.h
index 3686346..ae74ba2 100644
--- a/xmlproviders/internal.h
+++ b/xmlproviders/internal.h
@@ -172,6 +172,7 @@ public:
static const XMLCh Factory[];
static const XMLCh Header[];
static const XMLCh Namespace[];
+ static const XMLCh Scoped[];
static const XMLCh SiteRule[];
static const XMLCh Type[];
static const XMLCh Value[];