Permalink
Name already in use
A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
inc-meta/mdx/incommon/edugain-policy.xml
Go to fileThis commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
502 lines (417 sloc)
22.5 KB
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <?xml version="1.0" encoding="UTF-8"?> | |
| <beans xmlns="http://www.springframework.org/schema/beans" | |
| default-lazy-init="true" | |
| xmlns:c="http://www.springframework.org/schema/c" | |
| xmlns:p="http://www.springframework.org/schema/p" | |
| xmlns:util="http://www.springframework.org/schema/util" | |
| xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" | |
| xsi:schemaLocation=" | |
| http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd | |
| http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"> | |
| <!-- | |
| edugainPolicy | |
| Applies policy to entities sourced from eduGAIN. | |
| Entities may be transformed by policy, or marked as being in error. | |
| Entities with errors are NOT removed here, so that this policy can be | |
| used in contexts where reporting is more appropriate than just removal. | |
| Rule number references are to the Interfederation Technical Policy | |
| pages on the Internet2 wiki. There are two versions: | |
| * Interfederation Technical Policy Development | |
| * at https://spaces.internet2.edu/x/ugDABg | |
| * documents the expected *next* deployment | |
| * updated as changes are made in the master branch | |
| * use this if you want to cross-reference numbers against | |
| the development tooling | |
| * Interfederation Technical Policy | |
| * at https://spaces.internet2.edu/x/TgCNBQ | |
| * documents the *current* deployment | |
| * to cross-reference against this page, check out the specific | |
| release mentioned there | |
| --> | |
| <bean id="edugainPolicy" parent="mda.CompositeStage"> | |
| <property name="stages"> | |
| <list> | |
| <!-- | |
| ************************************* | |
| *** *** | |
| *** P O L I C Y R U L E 1 *** | |
| *** *** | |
| ************************************* | |
| "Silently remove all imported entities with XML attribute | |
| mdrpi:RegistrationInfo[@registrationAuthority='https://incommon.org'] | |
| Entities so marked must come from primary sources only." | |
| Filter out entities that declare themselves as registered | |
| by our federation. We don't want those coming back in | |
| from another registrar or metadata exchange as they may be | |
| old versions of entities we have deregistered, or spoofed. | |
| This rule is executed first as a performance optimisation | |
| so as to reduce the amount of metadata being processed. | |
| --> | |
| <bean id="removeInCommonEntities" parent="mda.EntityRegistrationAuthorityFilterStage"> | |
| <property name="designatedRegistrationAuthorities"> | |
| <list> | |
| <ref bean="us_incommon_registrar"/> | |
| </list> | |
| </property> | |
| <property name="requiringRegistrationInformation" value="true"/> | |
| <property name="keepingRegistrationAuthorities" value="false"/> | |
| </bean> | |
| <!-- | |
| ************************************* | |
| *** *** | |
| *** P O L I C Y R U L E 2 *** | |
| *** *** | |
| ************************************* | |
| "Remove (and log the removal of) the following XML | |
| elements (not entities)" | |
| Removal of elements should in general be performed before | |
| checking, so that errors corrected by a removal are let | |
| through. | |
| --> | |
| <!-- | |
| Sub-rule a. | |
| "mdui:Logo elements with a URL that is not HTTPS-protected" | |
| --> | |
| <ref bean="stripMDUILogoHttp"/> | |
| <!-- | |
| ************************************* | |
| *** *** | |
| *** P O L I C Y R U L E 3 *** | |
| *** *** | |
| ************************************* | |
| "Silently remove the following XML elements | |
| (not entities)" | |
| Removal of elements should in general be performed before | |
| checking, so that errors corrected by a removal are let | |
| through. | |
| --> | |
| <!-- | |
| Sub-rule a. | |
| All MDUI metadata (e.g., mdui:UIInfo elements) within | |
| AttributeAuthority roles. | |
| --> | |
| <ref bean="stripAAMDUI"/> | |
| <!-- | |
| Sub-rule b. | |
| All entity attributes on the Entity Attribute Blacklist. | |
| --> | |
| <bean id="entityAttributes" parent="mda.EntityAttributeFilteringStage" | |
| p:keeping="false"> | |
| <property name="rules"> | |
| <list> | |
| <!-- "registered by InCommon" entity category. --> | |
| <bean parent="mda.EntityCategoryMatcher" | |
| c:category="http://id.incommon.org/category/registered-by-incommon"/> | |
| <!-- InCommon Research and Scholarship category. --> | |
| <bean parent="mda.EntityCategoryMatcher" | |
| c:category="http://id.incommon.org/category/research-and-scholarship"/> | |
| <bean parent="mda.EntityCategorySupportMatcher" | |
| c:category="http://id.incommon.org/category/research-and-scholarship"/> | |
| <!-- InCommon Bronze assurance certification. --> | |
| <bean parent="mda.MultiPredicateMatcher"> | |
| <property name="nameFormatPredicate"> | |
| <bean class="com.google.common.base.Predicates" | |
| factory-method="equalTo" | |
| c:_="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" | |
| /> | |
| </property> | |
| <property name="namePredicate"> | |
| <bean class="com.google.common.base.Predicates" | |
| factory-method="equalTo" | |
| c:_="urn:oasis:names:tc:SAML:attribute:assurance-certification" | |
| /> | |
| </property> | |
| <property name="valuePredicate"> | |
| <bean class="com.google.common.base.Predicates" | |
| factory-method="equalTo" | |
| c:_="http://id.incommon.org/assurance/bronze" | |
| /> | |
| </property> | |
| </bean> | |
| <!-- InCommon Silver assurance certification. --> | |
| <bean parent="mda.MultiPredicateMatcher"> | |
| <property name="nameFormatPredicate"> | |
| <bean class="com.google.common.base.Predicates" | |
| factory-method="equalTo" | |
| c:_="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" | |
| /> | |
| </property> | |
| <property name="namePredicate"> | |
| <bean class="com.google.common.base.Predicates" | |
| factory-method="equalTo" | |
| c:_="urn:oasis:names:tc:SAML:attribute:assurance-certification" | |
| /> | |
| </property> | |
| <property name="valuePredicate"> | |
| <bean class="com.google.common.base.Predicates" | |
| factory-method="equalTo" | |
| c:_="http://id.incommon.org/assurance/silver" | |
| /> | |
| </property> | |
| </bean> | |
| </list> | |
| </property> | |
| </bean> | |
| <!-- | |
| Sub-rule c. | |
| All extended XML elements and attributes | |
| defined in namespaces not on the XML Namespace Whitelist. | |
| --> | |
| <bean id="whitelistImportedNamespaces" parent="mda.NamespacesStrippingStage" | |
| p:keeping="true"> | |
| <property name="namespaces"> | |
| <set> | |
| <ref bean="alg_namespace"/> | |
| <ref bean="ds_namespace"/> | |
| <ref bean="hoksso_namespace"/> | |
| <ref bean="idpdisc_namespace"/> | |
| <ref bean="init_namespace"/> | |
| <ref bean="md_namespace"/> | |
| <ref bean="mdattr_namespace"/> | |
| <ref bean="mdrpi_namespace"/> | |
| <ref bean="mdui_namespace"/> | |
| <ref bean="remd_namespace"/> | |
| <ref bean="saml_namespace"/> | |
| <ref bean="shibmd_namespace"/> | |
| <ref bean="xenc_namespace"/> | |
| <ref bean="xml_namespace"/> | |
| </set> | |
| </property> | |
| </bean> | |
| <!-- | |
| The following minor mutations don't rise to the level where | |
| they are explicitly documented in the policy wiki page. | |
| --> | |
| <ref bean="cleanImport"/> | |
| <ref bean="wrapX509Certificates"/> | |
| <ref bean="trimImportElementWhitespace"/> | |
| <!-- | |
| Remove empty md:Extensions elements; these are most | |
| likely to have come about as a result of operations | |
| above. They need to be removed to avoid schema-invalid | |
| resulting XML. | |
| --> | |
| <ref bean="stripEmptyExtensions"/> | |
| <!-- | |
| ************************************* | |
| *** *** | |
| *** P O L I C Y R U L E 4 *** | |
| *** *** | |
| ************************************* | |
| "Remove (and log the removal of) all imported | |
| entities matching one or more of the following conditions:" | |
| This rule is performed by the error-detecting beans below | |
| in combination with the caller of this CompositeStage | |
| taking action on any resulting ErrorStatus objects in | |
| item metadata. | |
| --> | |
| <!-- | |
| Sub-rule a. | |
| Mark entities with an entityID that does not begin with one of the | |
| following prefixes: urn:mace:, http://, https://. | |
| --> | |
| <ref bean="check_entityid_prefix"/> | |
| <!-- | |
| Sub-rule b. | |
| Mark entities with weak keys. | |
| --> | |
| <bean p:id="certificateValidation" parent="mda.X509ValidationStage"> | |
| <property name="validators"> | |
| <list> | |
| <!-- Error on RSA key length less than 2048 bits. --> | |
| <bean parent="mda.X509RSAKeyLengthValidator" | |
| p:warningBoundary="0" p:errorBoundary="2048"/> | |
| <!-- Error on small RSA public exponents. --> | |
| <bean parent="mda.X509RSAExponentValidator"/> | |
| <!-- | |
| Debian weak key blacklists. | |
| Don't need to check for keys below our minimum key size. | |
| --> | |
| <ref bean="debian.2048"/> | |
| <ref bean="debian.4096"/> | |
| <!-- | |
| Compromised key blacklists. | |
| Again, don't need to check for keys below our minimum key size. | |
| --> | |
| <ref bean="compromised.2048"/> | |
| </list> | |
| </property> | |
| </bean> | |
| <!-- | |
| Sub-rule c.i. | |
| Require regexp attribute on shibmd:Scope. | |
| --> | |
| <ref bean="check_shib_noregscope"/> | |
| <!-- | |
| Sub-rule c.ii. | |
| Perform detailed scope checking. | |
| --> | |
| <bean id="checkScopes" parent="mda.ScopeValidationStage"> | |
| <property name="validators"> | |
| <list> | |
| <bean p:id="empty" parent="mda.RejectStringRegexValidator" | |
| p:regex="" p:message="scope element must not be empty"/> | |
| <bean p:id="whiteSpace" parent="mda.RejectStringRegexValidator" | |
| p:regex=".*\s.*" p:message="scope '%s' includes white space"/> | |
| <!-- | |
| Explicitly accept domains which, although they | |
| fall afoul of the public suffic heuristic, are | |
| nevertheless known to be legitimately used as | |
| security domains. | |
| --> | |
| <bean p:id="mil.no" parent="mda.AcceptStringValueValidator" | |
| p:value="mil.no"/> | |
| <bean p:id="domainName" parent="mda.AsDomainNameStringValidator" | |
| p:message="scope is not a valid domain name: %s"> | |
| <property name="validators"> | |
| <list> | |
| <!-- DNS name validators --> | |
| <bean p:id="publicSuffix" parent="mda.RejectDomainNamePublicSuffixValidator" | |
| p:message="scope is a public suffix: '%s'"/> | |
| <bean p:id="noPublicSuffix" parent="mda.RejectDomainNameNotUnderPublicSuffixValidator" | |
| p:message="scope is not under a public suffix: '%s'"/> | |
| </list> | |
| </property> | |
| </bean> | |
| </list> | |
| </property> | |
| <property name="regexpValidators"> | |
| <list> | |
| <bean p:id="empty" parent="mda.RejectStringRegexValidator" | |
| p:regex="" p:message="regex scope element must not be empty"/> | |
| <bean p:id="whiteSpace" parent="mda.RejectStringRegexValidator" | |
| p:regex=".*\s.*" p:message="regex scope '%s' includes white space"/> | |
| <bean p:id="endAnchor" parent="mda.RejectStringRegexValidator" | |
| p:regex=".*[^$]" p:message="regex scope '%s' does not end with an anchor ('$')"/> | |
| <bean p:id="literalTail" parent="mda.AsLiteralTailStringValidator" | |
| p:message="regular expression '%s' does not end with a literal tail"> | |
| <property name="validators"> | |
| <!-- validators to apply to the literal tail --> | |
| <list> | |
| <bean p:id="domainName" parent="mda.AsDomainNameStringValidator" | |
| p:message="literal tail is not a valid domain name: %s"> | |
| <property name="validators"> | |
| <list> | |
| <!-- DNS name validators for the literal tail --> | |
| <bean p:id="publicSuffix" parent="mda.RejectDomainNamePublicSuffixValidator" | |
| p:message="literal tail is a public suffix: '%s'"/> | |
| <bean p:id="noPublicSuffix" parent="mda.RejectDomainNameNotUnderPublicSuffixValidator" | |
| p:message="literal tail is not under a public suffix: '%s'"/> | |
| </list> | |
| </property> | |
| </bean> | |
| </list> | |
| </property> | |
| </bean> | |
| </list> | |
| </property> | |
| </bean> | |
| <!-- | |
| Sub-rule d. | |
| Mark IdP entities with an endpoint location that | |
| is not HTTPS-protected. | |
| --> | |
| <ref bean="check_idp_tls"/> | |
| <!-- | |
| Sub-rule e. | |
| Mark IdP entities that do not have a SAML2 SingleSignOnService endpoint | |
| that supports the HTTP-Redirect binding. | |
| --> | |
| <bean id="check_idp_non_saml2" parent="mda.XSLValidationStage" | |
| p:XSLResource="classpath:incommon/check_idp_no_saml2.xsl"/> | |
| <!-- | |
| Sub-rule f. | |
| Mark SP entities that do not have at least one SAML2 AssertionConsumerService | |
| endpoint that supports the HTTP-POST binding. | |
| --> | |
| <bean id="check_sp_non_saml2" parent="mda.XSLValidationStage" | |
| p:XSLResource="classpath:incommon/check_sp_no_saml2.xsl"/> | |
| <!-- | |
| Sub-rule g. | |
| Mark entities containing literal CR characters. | |
| --> | |
| <ref bean="check_cr"/> | |
| <!-- | |
| Sub-rule h. | |
| Mark entities containing misplaced or duplicated | |
| EntityAttributes elements. | |
| --> | |
| <ref bean="check_mdattr"/> | |
| <!-- | |
| Sub-rule i. | |
| Entities containing XML failing schema validation. | |
| --> | |
| <ref bean="checkSchemas"/> | |
| <!-- Sub-rule j. --> | |
| <ref bean="check_algsupport"/> | |
| <!-- Sub-rule k. --> | |
| <ref bean="check_bindings"/> | |
| <!-- Sub-rule l. --> | |
| <ref bean="check_hoksso"/> | |
| <!-- Sub-rule m. --> | |
| <ref bean="check_idpdisc"/> | |
| <!-- Sub-rule n. --> | |
| <ref bean="check_init"/> | |
| <!-- Sub-rule o. --> | |
| <ref bean="check_mdiop"/> | |
| <!-- Sub-rule p. --> | |
| <ref bean="check_mdrpi"/> | |
| <!-- Sub-rule q. --> | |
| <ref bean="check_mdui_xslt"/> | |
| <ref bean="check_mdui_logo_url"/> | |
| <ref bean="check_mdui_urls"/> | |
| <!-- Sub-rule r. --> | |
| <ref bean="check_rands"/> | |
| <!-- Sub-rule s. --> | |
| <ref bean="check_sirtfi"/> | |
| <!-- Sub-rule t. --> | |
| <ref bean="check_saml2meta"/> | |
| <ref bean="check_saml2meta_urlattrs"/> | |
| <ref bean="check_saml2meta_urls"/> | |
| <ref bean="check_saml_strings"/> | |
| <ref bean="check_misc"/> | |
| <!-- | |
| Sub-rule u. | |
| Mark SP entities with an endpoint location that | |
| is not HTTPS-protected. | |
| --> | |
| <ref bean="check_sp_tls"/> | |
| <!-- Sub-rule v. --> | |
| <ref bean="check_adfs"/> | |
| <!-- Sub-rule w. --> | |
| <ref bean="check_saml1"/> | |
| <!-- Sub-rule x. --> | |
| <ref bean="check_reqattr"/> | |
| <!-- | |
| ************************************* | |
| *** *** | |
| *** P O L I C Y R U L E 7 *** | |
| *** *** | |
| ************************************* | |
| "Silently remove all imported entities that have the same entityID as an existing | |
| entity in the InCommon aggregate." | |
| This policy rule is implemented by the merge strategy used when these | |
| entities are merged in with the ones from InCommon. | |
| --> | |
| <!-- | |
| We do not currently apply the complete battery of checking rulesets used by | |
| the UK federation. Originally, this was because of issues porting some rules | |
| into the MDA 0.9 environment. | |
| The following is an expanded list of such individual checking beans | |
| not currently included here. Discussion of these takes place in GitLab. | |
| CHECK_std: | |
| <ref bean="check_incmd"/> | |
| <ref bean="check_mdui_iphint"/> (part of check_mdui) | |
| <ref bean="check_saml2"/> | |
| <ref bean="check_saml2int"/> | |
| <ref bean="check_shibboleth"/> | |
| <ref bean="check_uk_algorithms"/> | |
| <ref bean="check_uk_trust"/> | |
| <ref bean="check_uk_wayf"/> | |
| <ref bean="check_dup_display"/> | |
| <ref bean="check_namespaces"/> | |
| --> | |
| </list> | |
| </property> | |
| </bean> | |
| </beans> |