Permalink
Name already in use
A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
inc-meta/mdx/uk/beans.xml
Go to fileThis commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Sorting the aggregate used to generate statistics means there's no need to sort by ID within the XSL transform, avoiding a probably JDK bug.
655 lines (526 sloc)
21.6 KB
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <?xml version="1.0" encoding="UTF-8"?> | |
| <!-- | |
| Common beans for this channel. | |
| --> | |
| <beans xmlns="http://www.springframework.org/schema/beans" | |
| default-lazy-init="true" | |
| xmlns:c="http://www.springframework.org/schema/c" | |
| xmlns:p="http://www.springframework.org/schema/p" | |
| xmlns:util="http://www.springframework.org/schema/util" | |
| xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" | |
| xsi:schemaLocation=" | |
| http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd | |
| http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"> | |
| <!-- | |
| ***************************** | |
| *** *** | |
| *** U T I L I T I E S *** | |
| *** *** | |
| ***************************** | |
| --> | |
| <!-- | |
| uk_fix_mailto | |
| Adds "mailto:" to md:EmailAddress elements which don't already have it. | |
| --> | |
| <bean id="uk_fix_mailto" parent="mda.XSLTransformationStage" | |
| p:XSLResource="classpath:uk/fix_mailto.xsl"/> | |
| <!-- | |
| uk_stripAdminContacts | |
| Remove any md:ContactPerson elements with contactType of "administrative". | |
| --> | |
| <bean id="uk_stripAdminContacts" parent="mda.ContactPersonFilterStage"> | |
| <property name="designatedTypes"> | |
| <list> | |
| <value>administrative</value> | |
| </list> | |
| </property> | |
| <property name="keepingTypes" value="false"/> | |
| </bean> | |
| <!-- | |
| Populate UKId values from entities. | |
| --> | |
| <bean id="uk_populateIds" parent="ukf.EntityDescriptorUKIdPopulationStage"/> | |
| <!-- | |
| UK federation named EntitiesDescriptor assembler pipeline stage. | |
| Name attribute is set to the federation URI. UK ordering is applied. | |
| --> | |
| <bean id="uk_assemble" parent="mda.EntitiesDescriptorAssemblerStage"> | |
| <property name="descriptorName" ref="uk_federation_uri"/> | |
| <property name="itemOrderingStrategy"> | |
| <bean parent="ukf.UKEntityOrderingStrategy"/> | |
| </property> | |
| </bean> | |
| <!-- | |
| *********************************************** | |
| *** *** | |
| *** A G G R E G A T E H A N D L I N G *** | |
| *** *** | |
| *********************************************** | |
| --> | |
| <!-- | |
| Location of various resources. | |
| --> | |
| <bean id="uk_productionAggregate_url" parent="String"> | |
| <constructor-arg value="http://metadata.ukfederation.org.uk/ukfederation-metadata.xml"/> | |
| </bean> | |
| <bean id="uk_exportAggregate_url" parent="String"> | |
| <constructor-arg value="http://metadata.ukfederation.org.uk/ukfederation-export.xml"/> | |
| </bean> | |
| <!-- | |
| uk_federation_uri | |
| URI for the UK federation. Used in several contexts: | |
| * as the Name attribute for the main EntitiesDescriptor in UK federation metadata | |
| (not always the document element) | |
| * in mdrpi:PublicationInfo, as the unique identifier for the UK federation publisher | |
| It is the same as the URI used to indicate the UK federation as a registrar, so is made | |
| an alias of that bean. | |
| --> | |
| <alias name="uk_ukf_registrar" alias="uk_federation_uri"/> | |
| <!-- | |
| Fetch the export aggregate. | |
| --> | |
| <bean id="uk_exportAggregate" parent="mda.DOMResourceSourceStage"> | |
| <property name="parserPool" ref="parserPool"/> | |
| <property name="DOMResource"> | |
| <bean parent="mda.HTTPResource"> | |
| <constructor-arg name="client" ref="httpClient"/> | |
| <constructor-arg name="url" ref="uk_exportAggregate_url"/> | |
| </bean> | |
| </property> | |
| </bean> | |
| <!-- | |
| Fetch the production aggregate. | |
| --> | |
| <bean id="uk_productionAggregate" parent="mda.DOMResourceSourceStage"> | |
| <property name="parserPool" ref="parserPool"/> | |
| <property name="DOMResource"> | |
| <bean parent="mda.HTTPResource"> | |
| <constructor-arg name="client" ref="httpClient"/> | |
| <constructor-arg name="url" ref="uk_productionAggregate_url"/> | |
| </bean> | |
| </property> | |
| </bean> | |
| <!-- | |
| Metadata signing certificate. | |
| --> | |
| <bean id="uk_signingCertificate" parent="mda.X509CertificateFactoryBean" | |
| p:resource="classpath:uk/ukfederation-2014.pem"/> | |
| <!-- | |
| Check the signature on a document. | |
| --> | |
| <bean id="uk_checkSignature" parent="XMLSignatureValidationStage"> | |
| <property name="verificationCertificate" ref="uk_signingCertificate"/> | |
| </bean> | |
| <!-- | |
| uk_check_validUntil | |
| Check that an aggregate has a validUntil instant specified, and that it has not | |
| yet expired. Sets a bound of 30 days on the validity interval; 14 days is the | |
| expected value. | |
| --> | |
| <bean id="uk_check_validUntil" parent="mda.ValidateValidUntilStage"> | |
| <!-- | |
| The validUntil attribute must be present. | |
| --> | |
| <property name="requireValidUntil" value="true"/> | |
| <!-- | |
| Validity interval must not exceed 30 days. | |
| --> | |
| <property name="maxValidityInterval" value="#{ 1000L * 60 * 60 * 24 * 30 }"/> | |
| </bean> | |
| <!-- | |
| ******************************************* | |
| *** *** | |
| *** M E M B E R S D O C U M E N T *** | |
| *** *** | |
| ******************************************* | |
| --> | |
| <!-- | |
| uk_membersDocument | |
| This bean contains the contents of the members.xml file as a DOM Document. | |
| --> | |
| <bean id="uk_membersDocument" parent="mda.DOMDocumentFactoryBean"> | |
| <property name="resource"> | |
| <bean parent="FileSystemResource" c:_="${members.dir}/members.xml"/> | |
| </property> | |
| <property name="parserPool" ref="parserPool"/> | |
| </bean> | |
| <!-- | |
| uk_membersSchemaDocument | |
| This bean loads the schema for the members.xml file as a DOM Document. | |
| --> | |
| <bean id="uk_membersSchemaDocument" parent="mda.DOMDocumentFactoryBean"> | |
| <property name="resource"> | |
| <bean parent="FileSystemResource" c:_="${members.dir}/ukfederation-members.xsd"/> | |
| </property> | |
| <property name="parserPool" ref="parserPool"/> | |
| </bean> | |
| <!-- | |
| uk_members | |
| This bean implements an API for access to the contents of the members.xml document. | |
| --> | |
| <bean id="uk_members" class="uk.org.ukfederation.members.Members" | |
| c:_0-ref="uk_membersDocument" | |
| c:_1-ref="uk_membersSchemaDocument"/> | |
| <!-- | |
| ************************************************* | |
| *** *** | |
| *** U K f - S P E C I F I C C H E C K S *** | |
| *** *** | |
| ************************************************* | |
| --> | |
| <!-- | |
| check_ukreg | |
| Checks specific to the UK registrar function. | |
| --> | |
| <bean id="check_ukreg" parent="mda.XSLValidationStage" | |
| p:XSLResource="classpath:uk/check_ukreg.xsl"/> | |
| <!-- | |
| check_owner | |
| Checks that entities are owned by UK federation members. | |
| --> | |
| <bean id="check_owner" parent="ukf.EntityOwnerCheckingStage" | |
| p:members-ref="uk_members"/> | |
| <!-- | |
| compromised.ukf | |
| Check against UKf-specific list of compromised RSA keys. | |
| --> | |
| <bean id="compromised.ukf" parent="mda.X509RSAOpenSSLKeylistValidator" | |
| p:id="compromised.ukf"> | |
| <property name="keylistResource"> | |
| <bean parent="FileSystemResource" c:_="${blocklists.dir}/compromised-keys.txt"/> | |
| </property> | |
| </bean> | |
| <!-- | |
| check_ukf_compromised | |
| Validation bean which just checks against the UKf-specific list of compromised RSA keys. | |
| --> | |
| <bean id="check_ukf_compromised" parent="mda.X509ValidationStage"> | |
| <property name="validators"> | |
| <list> | |
| <ref bean="compromised.ukf"/> | |
| </list> | |
| </property> | |
| </bean> | |
| <!-- | |
| check_uk_keydesc_key | |
| --> | |
| <bean id="check_uk_keydesc_key" parent="mda.XSLValidationStage" | |
| p:XSLResource="classpath:uk/check_uk_keydesc_key.xsl"/> | |
| <!-- | |
| check_uk_email | |
| Check that md:EmailAddress elements match our format, as | |
| described by the EmailAddressStringValidator. In particular, | |
| this requires the "mailto:" scheme." | |
| --> | |
| <bean id="check_uk_email" parent="mda.StringElementValidationStage" | |
| p:elementName-ref="md-EmailAddress"> | |
| <property name="validators"> | |
| <bean id="format" parent="ukf.EmailAddressStringValidator"/> | |
| </property> | |
| </bean> | |
| <!-- | |
| check_uk_extensions | |
| --> | |
| <bean id="check_uk_extensions" parent="mda.XSLValidationStage" | |
| p:XSLResource="classpath:uk/check_uk_extensions.xsl"/> | |
| <!-- | |
| check_uk_mdattr | |
| --> | |
| <bean id="check_uk_mdattr" parent="mda.XSLValidationStage" | |
| p:XSLResource="classpath:uk/check_uk_mdattr.xsl"/> | |
| <!-- | |
| check_uk_mdrps | |
| --> | |
| <bean id="check_uk_mdrps" parent="mda.XSLValidationStage" | |
| p:XSLResource="classpath:uk/check_uk_mdrps.xsl"/> | |
| <!-- | |
| check_uk_urlenc | |
| --> | |
| <bean id="check_uk_urlenc" parent="mda.XSLValidationStage" | |
| p:XSLResource="classpath:uk/check_uk_urlenc.xsl"/> | |
| <!-- | |
| check_uk_mdui_dn_en_match | |
| If an IdP has both an OrganizationDisplayName in English, and an | |
| mdui:DisplayName in English, they must be identical. | |
| UKFTS 1.4 section 3.3 | |
| --> | |
| <bean id="check_uk_mdui_dn_en_match" parent="mda.XSLValidationStage" | |
| p:XSLResource="classpath:uk/check_uk_mdui_dn_en_match.xsl"/> | |
| <!-- | |
| check_uk_mdui_dn_en_present | |
| If an entity has mdui:UIInfo, then that must include at least an | |
| mdui:DisplayName with an English name. | |
| --> | |
| <bean id="check_uk_mdui_dn_en_present" parent="mda.XSLValidationStage" | |
| p:XSLResource="classpath:uk/check_uk_mdui_dn_en_present.xsl"/> | |
| <!-- | |
| check_uk_rands | |
| If an SP has the R&S entity category, it MUST have an MDRPS | |
| --> | |
| <bean id="check_uk_rands" parent="mda.XSLValidationStage" | |
| p:XSLResource="classpath:uk/check_uk_rands.xsl"/> | |
| <!-- | |
| check_ukfedlabel | |
| Check use of elements from the ukfedlabel namespace. | |
| --> | |
| <bean id="check_ukfedlabel" parent="mda.XSLValidationStage" | |
| p:XSLResource="classpath:uk/check_ukfedlabel.xsl"/> | |
| <!-- | |
| *************************************** | |
| *** *** | |
| *** F R A G M E N T F I L E S *** | |
| *** *** | |
| *************************************** | |
| --> | |
| <!-- | |
| uk_processFragment | |
| This stage performs any standard cleanup required for UK federation fragment files. | |
| --> | |
| <bean id="uk_processFragment" parent="mda.XSLTransformationStage" | |
| p:XSLResource="classpath:uk/fragment.xsl"/> | |
| <!-- | |
| uk_fetchFragmentFiles | |
| Collects all the UK metadata "fragment files" from the /entities directory. | |
| Each fragment file contains a single EntityDescriptor. The name of each | |
| eligible file matches a particular regular expression. | |
| --> | |
| <bean id="uk_fetchFragmentFiles" parent="mda.DOMFilesystemSourceStage"> | |
| <property name="parserPool" ref="parserPool"/> | |
| <property name="source"> | |
| <bean parent="File"> | |
| <constructor-arg value="${entities.dir}"/> | |
| </bean> | |
| </property> | |
| <property name="sourceFileFilter"> | |
| <bean parent="mda.RegexFileFilter"> | |
| <constructor-arg value="uk\d{6}.xml"/> | |
| </bean> | |
| </property> | |
| </bean> | |
| <!-- | |
| Fetch and process the registered entities as a collection. | |
| --> | |
| <bean id="uk_registeredEntities" parent="mda.CompositeStage"> | |
| <property name="stages"> | |
| <list> | |
| <ref bean="uk_fetchFragmentFiles"/> | |
| <ref bean="uk_processFragment"/> | |
| <!-- | |
| Make all three potential scope lists equivalent (on the entity, on | |
| the IDPSSODescriptor and on the AttributeAuthority). | |
| --> | |
| <bean id="scopes_copy" parent="mda.XSLTransformationStage" | |
| p:XSLResource="classpath:uk/scopes_copy.xsl"/> | |
| <!-- | |
| Inject scopes "pushed" to entities from the members.xml file. | |
| --> | |
| <bean id="scopes_inject" parent="ukf.ScopeInjectionStage" | |
| p:members-ref="uk_members"/> | |
| <ref bean="uk_add_cbc_encryption"/> | |
| <!-- | |
| Remove entity-level Scope elements, leaving only the ones associated | |
| with role descriptors. | |
| --> | |
| <bean id="stripEntityScopes" parent="mda.XSLTransformationStage" | |
| p:XSLResource="classpath:uk/entity_scopes.xsl"/> | |
| <ref bean="populateItemIds"/> | |
| <ref bean="uk_populateIds"/> | |
| <bean id="uk_populateFlowConstraints" | |
| parent="ukf.EntityDescriptorFlowConstraintPopulationStage"/> | |
| <ref bean="uk_default_regauth"/> | |
| <ref bean="populateRegistrationAuthorities"/> | |
| <ref bean="checkSchemas"/> | |
| <ref bean="CHECK_std"/> | |
| <ref bean="check_ukfedlabel"/> | |
| <ref bean="check_ukreg"/> | |
| <ref bean="check_uk_email"/> | |
| <ref bean="check_owner"/> | |
| <ref bean="check_uk_keydesc_key"/> | |
| <ref bean="check_uk_mdattr"/> | |
| <ref bean="check_uk_extensions"/> | |
| <ref bean="check_uk_mdrps"/> | |
| <ref bean="check_uk_urlenc"/> | |
| <ref bean="check_uk_mdui_dn_en_present"/> | |
| <ref bean="check_uk_mdui_dn_en_match"/> | |
| <ref bean="check_uk_rands"/> | |
| <ref bean="check_dup_display"/> | |
| <bean id="checkCertificates" parent="mda.X509ValidationStage"> | |
| <property name="validators"> | |
| <list> | |
| <!-- Error on DSA keys. --> | |
| <bean p:id="DSA" parent="mda.X509DSADetector"/> | |
| <!-- Error on RSA key length less than 2048 bits. --> | |
| <bean p:id="RSAKeyLength" parent="mda.X509RSAKeyLengthValidator" | |
| p:warningBoundary="0" p:errorBoundary="2048"/> | |
| <!-- Error on small RSA public exponents. --> | |
| <bean p:id="RSAExponent" parent="mda.X509RSAExponentValidator"/> | |
| <!-- Error on keys vulnerable to ROCA. --> | |
| <bean p:id="ROCA" parent="mda.X509ROCAValidator"/> | |
| <!-- | |
| Debian weak key lists. | |
| Don't need to check for keys below our minimum key size. | |
| --> | |
| <ref bean="debian.2048"/> | |
| <ref bean="debian.4096"/> | |
| <!-- | |
| Compromised key lists. | |
| Again, don't need to check for keys below our minimum key size. | |
| --> | |
| <ref bean="compromised.2048"/> | |
| <!-- | |
| Check against UKf-specific list of compromised RSA keys. | |
| --> | |
| <ref bean="compromised.ukf"/> | |
| </list> | |
| </property> | |
| </bean> | |
| <!-- failure of any check on registered metadata is fatal --> | |
| <ref bean="errorTerminatingFilter"/> | |
| </list> | |
| </property> | |
| </bean> | |
| <!-- | |
| uk_stripExtensions | |
| Strip those UK federation extensions which we never publish. | |
| --> | |
| <bean id="uk_stripExtensions" parent="mda.XSLTransformationStage" | |
| p:XSLResource="classpath:uk/strip_extensions.xsl"/> | |
| <!-- | |
| *********************************************** | |
| *** *** | |
| *** N A M E S P A C E H A N D L I N G *** | |
| *** *** | |
| *********************************************** | |
| --> | |
| <!-- | |
| uk_normaliseNamespaces | |
| A pipeline stage that can be used before serialisation to normalise the namespaces | |
| used in an XML document. This one is UK-specific, as it makes specific choices | |
| in order to limit the number of prefixes used. | |
| --> | |
| <bean id="uk_normaliseNamespaces" parent="mda.XSLTransformationStage" | |
| p:XSLResource="classpath:uk/ns_norm_uk.xsl"/> | |
| <!-- | |
| ************************************************* | |
| *** *** | |
| *** M D R P I S P E C I F I C A T I O N *** | |
| *** *** | |
| ************************************************* | |
| --> | |
| <!-- | |
| uk_check_regauth | |
| Any registrationAuthority already present on an entity in this | |
| channel must match the known registration authority value. | |
| --> | |
| <bean id="uk_check_regauth" parent="check_regauth_parent"> | |
| <property name="transformParameters"> | |
| <map> | |
| <entry key="expectedAuthority" value-ref="uk_ukf_registrar"/> | |
| </map> | |
| </property> | |
| </bean> | |
| <!-- | |
| uk_default_regauth | |
| Provide a default registrationAuthority appropriate to | |
| this channel. | |
| --> | |
| <bean id="uk_default_regauth" parent="default_regauth_parent"> | |
| <property name="transformParameters"> | |
| <map> | |
| <entry key="defaultAuthority" value-ref="uk_ukf_registrar"/> | |
| </map> | |
| </property> | |
| </bean> | |
| <!-- | |
| ********************************************* | |
| *** *** | |
| *** S T A T I S T I C S O U T P U T *** | |
| *** *** | |
| ********************************************* | |
| --> | |
| <!-- | |
| uk_serializeStatistics | |
| Serialise the (assumed HTML) DomDocumentItem into the UK federation statistics | |
| output file in the production XML directory. | |
| --> | |
| <bean id="uk_serializeStatistics" parent="mda.SerializationStage"> | |
| <property name="serializer" ref="serializer"/> | |
| <property name="outputFile"> | |
| <bean parent="File"> | |
| <constructor-arg value="${output.dir}/ukfederation-stats.html"/> | |
| </bean> | |
| </property> | |
| </bean> | |
| <!-- | |
| uk_generateStatistics | |
| Input is an aggregate of all registered entities, output is the HTML statistics. | |
| --> | |
| <bean id="uk_generateStatistics" parent="mda.XSLTransformationStage" | |
| p:XSLResource="classpath:uk/statistics.xsl"> | |
| <property name="transformParameters"> | |
| <map> | |
| <entry key="memberDocumentLocation" value="${members.dir}/members.xml"/> | |
| <entry key="now_ISO" value-ref="now_ISO"/> | |
| </map> | |
| </property> | |
| </bean> | |
| <!-- | |
| uk_statisticsPipeline | |
| Pipeline to generate the registrar statistics for the UK federation's | |
| registered entities. Input is assumed to be a collection of the entities in question; | |
| resulting HTML output is written into the appropriate file in the production | |
| XML directory. | |
| --> | |
| <bean id="uk_statisticsPipeline" parent="mda.SimplePipeline"> | |
| <property name="stages"> | |
| <list> | |
| <!-- Apply flow constraints for this flow. --> | |
| <bean id="flowConstraints" parent="ukf.FlowConstraintApplyingStage" | |
| p:flowName="statistics"/> | |
| <ref bean="uk_assemble"/> | |
| <ref bean="uk_generateStatistics"/> | |
| <ref bean="uk_serializeStatistics"/> | |
| </list> | |
| </property> | |
| </bean> | |
| <!-- | |
| ################################################# | |
| ### ### | |
| ### U K E X P O R T A S I M P O R T ### | |
| ### ### | |
| ################################################# | |
| --> | |
| <!-- | |
| Fetch the export entities as a collection. | |
| --> | |
| <bean id="uk_exportedEntities" parent="mda.CompositeStage"> | |
| <property name="stages"> | |
| <list> | |
| <ref bean="uk_exportAggregate"/> | |
| <!-- | |
| Check for fatal errors at the aggregate level: | |
| missing or expired validUntil attribute | |
| invalid signature | |
| --> | |
| <ref bean="uk_check_validUntil"/> | |
| <ref bean="uk_checkSignature"/> | |
| <ref bean="errorTerminatingFilter"/> | |
| <ref bean="disassemble"/> | |
| <ref bean="uk_default_regauth"/> | |
| <ref bean="uk_check_regauth"/> | |
| </list> | |
| </property> | |
| </bean> | |
| <!-- | |
| ############################################################# | |
| ### ### | |
| ### A D D E N C R Y P T I O N A L G O R I T H M S ### | |
| ### ### | |
| ############################################################# | |
| --> | |
| <!-- | |
| Add CBC EncryptionMethod where there is no other block algorithm | |
| --> | |
| <bean id="uk_add_cbc_encryption" parent="mda.XSLTransformationStage" | |
| p:XSLResource="classpath:uk/add_cbc_encryption.xsl"/> | |
| </beans> |