
Add MDQ generation for AWS CloudHSM
Excludes the inc-mda-cloudhsm assembly.
See incommon/inc-meta#92.
iay committed Jul 24, 2018
1 parent a6326cf commit 02c6c76
Showing 2 changed files with 132 additions and 0 deletions.
34 changes: 34 additions & 0 deletions build.xml
Expand Up @@ -2653,6 +2653,12 @@
Generate per-entity metadata for the InCommon federation
using the localkey configuration.
Properties:
Set sign.uk.keyPassword (note the slightly anomalous "uk" in that
identifier) to set the password to access the key resource. If not set,
this will be prompted for.
-->
<target name="inc.mdq.generate.localkey" depends="get.sign.uk.keyPassword">
<property name="mda.mdq.input" value="${mda.inc.imported.xml}"/>
Expand All @@ -2674,6 +2680,34 @@
<!-- temporary alias for inc.mdq.generate.localkey -->
</target>

<!--
inc.mdq.generate.cloudhsm
Generate per-entity metadata for the InCommon federation
using AWS CloudHSM.
Properties:
Set sign.keyHandle to indicate the key to be used for signing.
Set sign.keyUser and sign.keyPassword with credentials for the HSM user
accessing the key.
-->
<target name="inc.mdq.generate.cloudhsm">
<property name="mda.mdq.input" value="${mda.inc.imported.xml}"/>
<property name="mda.sign.keyHandle" value="${sign.keyHandle}"/>
<property name="mda.sign.keyUser" value="${sign.keyUser}"/>
<property name="mda.sign.keyPassword" value="${sign.keyPassword}"/>
<property name="mda.classpath.extra" value="inc-mda-cloudhsm"/>
<property name="mda.jni.path" value="/opt/cloudhsm/lib"/>
<echo>Generating per-entity metadata in ${mda.mdq.output}</echo>
<echo> from unsigned aggregate in ${mda.mdq.input}</echo>
<delete dir="${mdq.output.dir}" quiet="true"/>
<mkdir dir="${mdq.output.dir}"/>
<CHANNEL.do channel="incommon" verb="mdq-multisign-cloudhsm"/>
<echo>Generation complete.</echo>
</target>

<!--
inc.edugain.report
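Review bot: The new `inc.mdq.generate.cloudhsm` target forwards `${sign.keyHandle}`, `${sign.keyUser}` and `${sign.keyPassword}` without any guard, unlike the sibling `inc.mdq.generate.localkey` target, whose `depends="get.sign.uk.keyPassword"` prompts for a missing password. In Ant an unset property is not an error: the literal text `${sign.keyPassword}` is passed through unexpanded and will reach the HSM as the credential, producing a confusing login failure rather than a clear message. Consider failing early with `<fail unless="sign.keyHandle" message="sign.keyHandle must be set"/>`, `<fail unless="sign.keyUser" message="sign.keyUser must be set"/>`, `<fail unless="sign.keyPassword" message="sign.keyPassword must be set"/>` at the top of the target, or a prompting dependency mirroring the localkey variant. The header comment's "Properties:" list could also state that all three are required. The hard-coded `/opt/cloudhsm/lib` in `mda.jni.path` might be worth a property with that value as its default, though I cannot see from here whether the path is already overridable elsewhere.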
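--- a/mdx/incommon/mdq-multisign-cloudhsm.xml
+++ b/mdx/incommon/mdq-multisign-cloudhsm.xml
@@ -0,0 +1,98 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+Generate and sign per-entity metadata using AWS CloudHSM.
+-->
+<beans xmlns="http://www.springframework.org/schema/beans"
+default-lazy-init="true"
+xmlns:c="http://www.springframework.org/schema/c"
+xmlns:p="http://www.springframework.org/schema/p"
+xmlns:util="http://www.springframework.org/schema/util"
+xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+xsi:schemaLocation="
+http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
+http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd">
+
+<!--
+Import commonly used beans.
+-->
+<import resource="classpath:common-beans.xml"/>
+
+<!--
+Import channel-specific beans.
+-->
+<import resource="classpath:incommon/beans.xml"/>
+
+<!-- This bean MUST be called "conversionService" to work properly. -->
+<bean id="conversionService" class="org.springframework.context.support.ConversionServiceFactoryBean">
+<property name="converters">
+<set>
+<bean class="net.shibboleth.ext.spring.config.DurationToLongConverter" />
+<bean class="net.shibboleth.ext.spring.config.StringToIPRangeConverter" />
+<bean class="net.shibboleth.ext.spring.config.BooleanToPredicateConverter" />
+<bean class="net.shibboleth.ext.spring.config.StringBooleanToPredicateConverter" />
+<bean class="net.shibboleth.ext.spring.config.StringToResourceConverter" />
+</set>
+</property>
+</bean>
+
+<!--
+Generate per-entity metadata.
+-->
+<bean id="mdq-multisign-cloudhsm" parent="mda.SimplePipeline">
+<property name="stages">
+<list>
+<!--
+Start with the unsigned production aggregate.
+-->
+<bean id="production_aggregate" parent="mda.DOMResourceSourceStage">
+<property name="parserPool" ref="parserPool"/>
+<property name="DOMResource">
+<bean parent="FileSystemResource" c:_0="${mdq.input}"/>
+</property>
+</bean>
+
+<!-- Break down into individual entities. -->
+<ref bean="disassemble"/>
+
+<!-- Populate ItemId with the entityID. -->
+<ref bean="populateItemIds"/>
+
+<!-- Set ID, cacheDuration and validUntil attributes. -->
+<bean parent="mda.GenerateIdStage"/>
+<bean parent="mda.SetValidUntilStage" p:validityDuration="P14D"/>
+
+<!-- Identity transform fixes signing issues. -->
+<bean parent="mda.XSLTransformationStage"
+p:XSLResource="classpath:identity.xsl"/>
+
+<!-- Sign each item. -->
+<bean id="perform.signature" parent="mda.XMLSignatureSigningStage">
+<property name="privateKey">
+<bean class="uk.org.iay.incommon.mda.cloudhsm.CaviumPrivateKeyFactoryBean"
+p:username="${sign.keyUser}"
+p:password="${sign.keyPassword}"
+p:keyHandle="${sign.keyHandle}"
+/>
+</property>
+</bean>
+
+<!-- Write individual entity documents to files. -->
+<bean id="write.perentity" parent="mda.MultiOutputSerializationStage">
+<property name="serializer" ref="serializer"/>
+<property name="outputStrategy">
+<bean parent="mda.FilesInDirectoryMultiOutputStrategy" p:nameSuffix=".xml">
+<property name="directory">
+<bean parent="File" c:_="${mdq.output}"/>
+</property>
+<property name="nameTransformer">
+<bean parent="mda.PathSegmentStringTransformer"/>
+</property>
+</bean>
+</property>
+</bean>
+
+</list>
+</property>
+</bean>
+
+</beans>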
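Review bot: The comment `<!-- Set ID, cacheDuration and validUntil attributes. -->` above the `mda.GenerateIdStage` / `mda.SetValidUntilStage` pair promises a cacheDuration that no stage in the list sets, so either a cache-duration stage is missing from the pipeline or the comment should be narrowed to `<!-- Set ID and validUntil attributes. -->`; since the output is served as per-entity metadata, a reader will otherwise assume consumers get a cacheDuration they do not. The comment `<!-- Identity transform fixes signing issues. -->` would help a future maintainer more if it named the issue the `identity.xsl` pass works around, as nothing else on the page explains why a no-op transform precedes the signature. As a point of style, the two constructor-argument shorthands differ, `c:_0="${mdq.input}"` on the `FileSystemResource` bean versus `c:_="${mdq.output}"` on the `File` bean; both are valid but picking one form keeps the file consistent. The `util` namespace is declared and listed in `xsi:schemaLocation` but not used anywhere in the document and could be dropped.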

