<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
default-lazy-init="true"
xmlns:c="http://www.springframework.org/schema/c"
xmlns:p="http://www.springframework.org/schema/p"
xmlns:util="http://www.springframework.org/schema/util"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="
http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd">
<!--
  edugainPolicy

  Applies policy to entities sourced from eduGAIN.

  Entities may be transformed by policy, or marked as being in error.
  Entities with errors are NOT removed here, so that this policy can be
  used in contexts where reporting is more appropriate than just removal.

  Rule number references are to the Interfederation Technical Policy
  pages on the Internet2 wiki. There are two versions:

  * Interfederation Technical Policy Development
    * at https://spaces.internet2.edu/x/ugDABg
    * documents the expected *next* deployment
    * updated as changes are made in the master branch
    * use this if you want to cross-reference numbers against
      the development tooling

  * Interfederation Technical Policy
    * at https://spaces.internet2.edu/x/TgCNBQ
    * documents the *current* deployment
    * to cross-reference against this page, check out the specific
      release mentioned there
-->
<bean id="edugainPolicy" parent="mda.CompositeStage">
  <!--
    Composite stage: the stages in composedStages run in the order
    listed. Beans referenced with <ref> but not defined in this file
    are expected to be defined elsewhere in the configuration.
  -->
  <property name="composedStages">
    <list>
      <!--
        *************************************
        ***                               ***
        ***   P O L I C Y   R U L E   1   ***
        ***                               ***
        *************************************

        "Silently remove all imported entities with XML attribute
        mdrpi:RegistrationInfo[@registrationAuthority='https://incommon.org']
        Entities so marked must come from primary sources only."

        Filter out entities that declare themselves as registered
        by our federation. We don't want those coming back in
        from another registrar or metadata exchange as they may be
        old versions of entities we have deregistered, or spoofed.

        This rule is executed first as a performance optimisation
        so as to reduce the amount of metadata being processed.

        whitelistingRegistrationAuthorities="false" makes the
        designated list a deny-list: entities registered by any of
        the listed authorities are removed.

        NOTE(review): requiringRegistrationInformation="true" looks
        like it also removes entities carrying no mdrpi:RegistrationInfo
        at all, which goes beyond the quoted policy text; confirm
        against the stage's documentation that this is intended.
      -->
      <bean id="removeInCommonEntities" parent="mda.EntityRegistrationAuthorityFilterStage">
        <property name="designatedRegistrationAuthorities">
          <list>
            <!-- Presumably the https://incommon.org registrar quoted above; defined outside this file. -->
            <ref bean="us_incommon_registrar"/>
          </list>
        </property>
        <property name="requiringRegistrationInformation" value="true"/>
        <property name="whitelistingRegistrationAuthorities" value="false"/>
      </bean>

      <!--
        *************************************
        ***                               ***
        ***   P O L I C Y   R U L E   2   ***
        ***                               ***
        *************************************

        "Remove (and log the removal of) the following XML
        elements (not entities)"

        Removal of elements should in general be performed before
        checking, so that errors corrected by a removal are let
        through.
      -->
      <!--
        Sub-rule a.
        "mdui:Logo elements with a URL that is not HTTPS-protected"
        (stage defined outside this file)
      -->
      <ref bean="stripMDUILogoHttp"/>

      <!--
        *************************************
        ***                               ***
        ***   P O L I C Y   R U L E   3   ***
        ***                               ***
        *************************************

        "Silently remove the following XML elements
        (not entities)"

        Removal of elements should in general be performed before
        checking, so that errors corrected by a removal are let
        through.
      -->
      <!--
        Sub-rule a.
        All MDUI metadata (e.g., mdui:UIInfo elements) within
        AttributeAuthority roles.
      -->
      <ref bean="stripAAMDUI"/>
      <!--
        Sub-rule b.
        All entity attributes on the Entity Attribute Blacklist.

        p:whitelisting="false" makes the rules below a deny-list: any
        entity attribute matched by one of them is removed from the
        imported entity. Every listed value is an InCommon category or
        certification, which presumably only our own registrar should
        be asserting about an entity.
      -->
      <bean id="entityAttributes" parent="mda.EntityAttributeFilteringStage"
          p:whitelisting="false">
        <property name="rules">
          <list>
            <!-- "registered by InCommon" entity category. -->
            <bean parent="mda.EntityCategoryMatcher"
                c:category="http://id.incommon.org/category/registered-by-incommon"/>
            <!--
              InCommon Research and Scholarship category: both the
              category assertion and the category-support assertion.
            -->
            <bean parent="mda.EntityCategoryMatcher"
                c:category="http://id.incommon.org/category/research-and-scholarship"/>
            <bean parent="mda.EntityCategorySupportMatcher"
                c:category="http://id.incommon.org/category/research-and-scholarship"/>
            <!--
              InCommon Bronze assurance certification.
              Matched on all three of NameFormat, Name and Value: the
              assurance-certification attribute in the URI name format
              whose value is the Bronze URI.
            -->
            <bean parent="mda.MultiPredicateMatcher">
              <property name="nameFormatPredicate">
                <bean class="com.google.common.base.Predicates"
                    factory-method="equalTo"
                    c:_="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/>
              </property>
              <property name="namePredicate">
                <bean class="com.google.common.base.Predicates"
                    factory-method="equalTo"
                    c:_="urn:oasis:names:tc:SAML:attribute:assurance-certification"/>
              </property>
              <property name="valuePredicate">
                <bean class="com.google.common.base.Predicates"
                    factory-method="equalTo"
                    c:_="http://id.incommon.org/assurance/bronze"/>
              </property>
            </bean>
            <!--
              InCommon Silver assurance certification.
              Same three-way match as for Bronze, with the Silver URI
              as the value.
            -->
            <bean parent="mda.MultiPredicateMatcher">
              <property name="nameFormatPredicate">
                <bean class="com.google.common.base.Predicates"
                    factory-method="equalTo"
                    c:_="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/>
              </property>
              <property name="namePredicate">
                <bean class="com.google.common.base.Predicates"
                    factory-method="equalTo"
                    c:_="urn:oasis:names:tc:SAML:attribute:assurance-certification"/>
              </property>
              <property name="valuePredicate">
                <bean class="com.google.common.base.Predicates"
                    factory-method="equalTo"
                    c:_="http://id.incommon.org/assurance/silver"/>
              </property>
            </bean>
          </list>
        </property>
      </bean>
      <!--
        Sub-rule c.
        All extended XML elements and attributes
        defined in namespaces not on the XML Namespace Whitelist.

        p:whitelisting="true": only extension content in the namespaces
        listed below is kept; extension elements and attributes in any
        other namespace are stripped. The namespace beans are defined
        outside this file.
      -->
      <bean id="whitelistImportedNamespaces" parent="mda.NamespacesStrippingStage"
          p:whitelisting="true">
        <property name="namespaces">
          <set>
            <ref bean="alg_namespace"/>
            <ref bean="ds_namespace"/>
            <ref bean="hoksso_namespace"/>
            <ref bean="idpdisc_namespace"/>
            <ref bean="init_namespace"/>
            <ref bean="md_namespace"/>
            <ref bean="mdattr_namespace"/>
            <ref bean="mdrpi_namespace"/>
            <ref bean="mdui_namespace"/>
            <ref bean="remd_namespace"/>
            <ref bean="saml_namespace"/>
            <ref bean="shibmd_namespace"/>
            <ref bean="xenc_namespace"/>
            <ref bean="xml_namespace"/>
          </set>
        </property>
      </bean>

      <!--
        The following minor mutations don't rise to the level where
        they are explicitly documented in the policy wiki page.
        (stages defined outside this file)
      -->
      <ref bean="cleanImport"/>
      <ref bean="wrapX509Certificates"/>
      <ref bean="trimImportElementWhitespace"/>
      <!--
        Remove empty md:Extensions elements; these are most
        likely to have come about as a result of operations
        above. They need to be removed to avoid schema-invalid
        resulting XML.
      -->
      <ref bean="stripEmptyExtensions"/>

      <!--
        *************************************
        ***                               ***
        ***   P O L I C Y   R U L E   4   ***
        ***                               ***
        *************************************

        "Remove (and log the removal of) all imported
        entities matching one or more of the following conditions:"

        This rule is performed by the error-detecting beans below
        in combination with the caller of this CompositeStage
        taking action on any resulting ErrorStatus objects in
        item metadata.
      -->
      <!--
        Sub-rule a.
        Mark entities with an entityID that does not begin with one of the
        following prefixes: urn:mace:, http://, https://.
      -->
      <ref bean="check_entityid_prefix"/>
      <!--
        Sub-rule b.
        Mark entities with weak keys.

        NOTE(review): p:id sets the stage's "id" property through the
        p-namespace rather than the Spring bean name, which the other
        stages in this file set with id="..."; confirm which is intended.
      -->
      <bean p:id="certificateValidation" parent="mda.X509ValidationStage">
        <property name="validators">
          <list>
            <!--
              Error on RSA key length less than 2048 bits.
              warningBoundary="0" presumably leaves no separate warning
              threshold in effect; only the error boundary is used.
            -->
            <bean parent="mda.X509RSAKeyLengthValidator"
                p:warningBoundary="0" p:errorBoundary="2048"/>
            <!-- Error on small RSA public exponents (validator defaults; nothing overridden here). -->
            <bean parent="mda.X509RSAExponentValidator"/>
            <!--
              Debian weak key blacklists.
              Don't need to check for keys below our minimum key size.
              Only the 2048-bit and 4096-bit lists are referenced, so
              keys of any other size at or above the minimum are not
              checked against a Debian blacklist here; confirm whether
              lists for other sizes exist.
            -->
            <ref bean="debian.2048"/>
            <ref bean="debian.4096"/>
            <!--
              Compromised key blacklists.
              Again, don't need to check for keys below our minimum key size.
              Only the 2048-bit list is referenced here.
            -->
            <ref bean="compromised.2048"/>
          </list>
        </property>
      </bean>
      <!--
        Sub-rule c.i.
        Require regexp attribute on shibmd:Scope.
      -->
      <ref bean="check_shib_noregscope"/>
      <!--
        Sub-rule c.ii.
        Perform detailed scope checking.

        "validators" presumably apply to literal scope values and
        "regexpValidators" to scopes marked as regular expressions.
        Each validator's message is a format string; where it contains
        %s it receives the offending value.
      -->
      <bean id="checkScopes" parent="inc.stage_parent"
          class="uk.org.iay.incommon.mda.dom.saml.shib.ScopeValidationStage">
        <property name="validators">
          <list>
            <!-- Reject an empty scope value. -->
            <bean p:id="empty" parent="inc.RejectStringRegexValidator"
                p:regex="" p:message="scope element must not be empty"/>
            <!-- Reject a scope containing any white space. -->
            <bean p:id="whiteSpace" parent="inc.RejectStringRegexValidator"
                p:regex=".*\s.*" p:message="scope '%s' includes white space"/>
            <!--
              Explicitly accept domains which, although they
              fall afoul of the public suffix heuristic, are
              nevertheless known to be legitimately used as
              security domains.

              This entry is listed ahead of the domain-name validator;
              presumably an exact match here ends checking of that
              value, so it bypasses the public-suffix checks below.
              Confirm against the validator semantics before adding
              further entries.
            -->
            <bean p:id="mil.no" parent="inc.AcceptStringValueValidator"
                p:value="mil.no"/>
            <!--
              Parse the scope as a DNS domain name and apply the nested
              validators to it: the scope must be neither a public
              suffix itself nor outside every public suffix.
            -->
            <bean p:id="domainName" parent="inc.AsDomainNameStringValidator"
                p:message="scope is not a valid domain name: %s">
              <property name="validators">
                <list>
                  <!-- DNS name validators -->
                  <bean p:id="publicSuffix" parent="inc.RejectDomainNamePublicSuffixValidator"
                      p:message="scope is a public suffix: '%s'"/>
                  <bean p:id="noPublicSuffix" parent="inc.RejectDomainNameNotUnderPublicSuffixValidator"
                      p:message="scope is not under a public suffix: '%s'"/>
                </list>
              </property>
            </bean>
          </list>
        </property>
        <property name="regexpValidators">
          <list>
            <!-- Reject an empty regexp scope. -->
            <bean p:id="empty" parent="inc.RejectStringRegexValidator"
                p:regex="" p:message="regex scope element must not be empty"/>
            <!-- Reject a regexp scope containing any white space. -->
            <bean p:id="whiteSpace" parent="inc.RejectStringRegexValidator"
                p:regex=".*\s.*" p:message="regex scope '%s' includes white space"/>
            <!--
              Reject a regexp scope whose last character is not '$'.
              Presumably this is so that the literal tail checked below
              actually bounds what the expression can match.
            -->
            <bean p:id="endAnchor" parent="inc.RejectStringRegexValidator"
                p:regex=".*[^$]" p:message="regex scope '%s' does not end with an anchor ('$')"/>
            <!--
              Extract the literal tail of the regular expression and
              require it to be a valid domain name under a public
              suffix, using the same DNS checks as for literal scopes.
            -->
            <bean p:id="literalTail" parent="inc.AsLiteralTailStringValidator"
                p:message="regular expression '%s' does not end with a literal tail">
              <property name="validators">
                <!-- validators to apply to the literal tail -->
                <list>
                  <bean p:id="domainName" parent="inc.AsDomainNameStringValidator"
                      p:message="literal tail is not a valid domain name: %s">
                    <property name="validators">
                      <list>
                        <!-- DNS name validators for the literal tail -->
                        <bean p:id="publicSuffix" parent="inc.RejectDomainNamePublicSuffixValidator"
                            p:message="literal tail is a public suffix: '%s'"/>
                        <bean p:id="noPublicSuffix" parent="inc.RejectDomainNameNotUnderPublicSuffixValidator"
                            p:message="literal tail is not under a public suffix: '%s'"/>
                      </list>
                    </property>
                  </bean>
                </list>
              </property>
            </bean>
          </list>
        </property>
      </bean>
      <!--
        Sub-rule d.
        Mark IdP entities with an endpoint location that
        is not HTTPS-protected.
      -->
      <ref bean="check_idp_tls"/>
      <!--
        Sub-rule e.
        Mark IdP entities that do not have a SAML2 SingleSignOnService endpoint
        that supports the HTTP-Redirect binding.
        (The bean id says "non_saml2" while the stylesheet is named
        "check_idp_no_saml2.xsl"; cosmetic, but easy to mis-grep.)
      -->
      <bean id="check_idp_non_saml2" parent="mda.XSLValidationStage"
          p:XSLResource="classpath:incommon/check_idp_no_saml2.xsl"/>
      <!--
        Sub-rule f.
        Mark SP entities that do not have at least one SAML2 AssertionConsumerService
        endpoint that supports the HTTP-POST binding.
        (Same "non_saml2" / "no_saml2" naming mismatch as sub-rule e.)
      -->
      <bean id="check_sp_non_saml2" parent="mda.XSLValidationStage"
          p:XSLResource="classpath:incommon/check_sp_no_saml2.xsl"/>
      <!--
        Sub-rule g.
        Mark entities containing literal CR characters.
      -->
      <ref bean="check_cr"/>
      <!--
        Sub-rule h.
        Mark entities containing misplaced or duplicated
        EntityAttributes elements.
      -->
      <ref bean="check_mdattr"/>
      <!--
        Sub-rule i.
        Entities containing XML failing schema validation.
      -->
      <ref bean="checkSchemas"/>
      <!--
        Sub-rules j. to x. below are individual checking stages
        defined outside this file; see the policy wiki page for the
        text of each sub-rule.
      -->
      <!-- Sub-rule j. -->
      <ref bean="check_algsupport"/>
      <!-- Sub-rule k. -->
      <ref bean="check_bindings"/>
      <!-- Sub-rule l. -->
      <ref bean="check_hoksso"/>
      <!-- Sub-rule m. -->
      <ref bean="check_idpdisc"/>
      <!-- Sub-rule n. -->
      <ref bean="check_init"/>
      <!-- Sub-rule o. -->
      <ref bean="check_mdiop"/>
      <!-- Sub-rule p. -->
      <ref bean="check_mdrpi"/>
      <!-- Sub-rule q. -->
      <ref bean="check_mdui_xslt"/>
      <!-- Sub-rule r. -->
      <ref bean="check_rands"/>
      <!-- Sub-rule s. -->
      <ref bean="check_sirtfi"/>
      <!-- Sub-rule t. -->
      <ref bean="check_saml2meta"/>
      <ref bean="check_saml_strings"/>
      <ref bean="check_misc"/>
      <!--
        Sub-rule u.
        Mark SP entities with an endpoint location that
        is not HTTPS-protected.
      -->
      <ref bean="check_sp_tls"/>
      <!-- Sub-rule v. -->
      <ref bean="check_adfs"/>
      <!-- Sub-rule w. -->
      <ref bean="check_saml1"/>
      <!-- Sub-rule x. -->
      <ref bean="check_reqattr"/>

      <!--
        *************************************
        ***                               ***
        ***   P O L I C Y   R U L E   7   ***
        ***                               ***
        *************************************

        "Silently remove all imported entities that have the same entityID as an existing
        entity in the InCommon aggregate."

        This policy rule is implemented by the merge strategy used when these
        entities are merged in with the ones from InCommon.
      -->

      <!--
        We do not currently apply the complete battery of checking rulesets used by
        the UK federation. Originally, this was because of issues porting some rules
        into the MDA 0.9 environment.

        The following is an expanded list of such individual checking beans
        not currently included here. Discussion of these takes place in GitLab.

        CHECK_std:
          <ref bean="check_incmd"/>
          <ref bean="check_mdui_iphint"/> (part of check_mdui)
          <ref bean="check_saml2"/>
          <ref bean="check_saml2int"/>
          <ref bean="check_shibboleth"/>
          <ref bean="check_uk_algorithms"/>
          <ref bean="check_uk_trust"/>
          <ref bean="check_uk_wayf"/>
          <ref bean="check_dup_display"/>
          <ref bean="check_namespaces"/>
      -->
    </list>
  </property>
</bean>
</beans>