Promote check for SAML 2.0 SPs with KeyName-only KeyDescriptors to pr…

…oduction. Move this and related checks from check_misc into a new check_uk_trust ruleset, which will reflect the Trust Fabric section of the FTS as it develops, and as we perform our 2013 trust fabric evolution. Resolves bugzilla issue 959.
InCommon · Apr 1, 2013 · 17ae922 · 17ae922
1 parent fe208a1
commit 17ae922
Show file tree

Hide file tree

Showing 4 changed files with 108 additions and 54 deletions.
diff --git a/mdx/_rules/check_future_1.xsl b/mdx/_rules/check_future_1.xsl
@@ -29,15 +29,4 @@
 	-->
 	<xsl:import href="check_framework.xsl"/>
 
-	<!--
-		Check for SAML 2.0 SPs with KeyName-only KeyDescriptors.
-	-->
-	<xsl:template match="md:SPSSODescriptor
-		[contains(@protocolSupportEnumeration, 'urn:oasis:names:tc:SAML:2.0:protocol')]
-		[md:KeyDescriptor[not(descendant::ds:X509Data)]]">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">SAML 2.0 SP has KeyDescriptor without embedded key</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-
 </xsl:stylesheet>
diff --git a/mdx/_rules/check_misc.xsl b/mdx/_rules/check_misc.xsl
@@ -22,29 +22,6 @@
 	<xsl:import href="check_framework.xsl"/>
 
 
-	<!--
-		Check for role descriptors with missing KeyDescriptor elements.
-	-->
-
-	<xsl:template match="md:IDPSSODescriptor[not(md:KeyDescriptor)]">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">IdP SSO Descriptor lacking KeyDescriptor</xsl:with-param>
-		</xsl:call-template>    
-	</xsl:template>
-
-	<xsl:template match="md:SPSSODescriptor[not(md:KeyDescriptor)]">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">SP SSO Descriptor lacking KeyDescriptor</xsl:with-param>
-		</xsl:call-template>    
-	</xsl:template>
-
-	<xsl:template match="md:AttributeAuthorityDescriptor[not(md:KeyDescriptor)]">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">IdP AA Descriptor lacking KeyDescriptor</xsl:with-param>
-		</xsl:call-template>    
-	</xsl:template>
-
-
 	<!--
 		Entity IDs should not contain space characters.
 	-->
@@ -152,24 +129,4 @@
 		</xsl:call-template>
 	</xsl:template>
 
-	<!--
-        Look for SAML 2.0 IdPs whose metadata includes pure PKIX KeyDescriptor elements.
-        
-        This causes problems for some OpenAthens SP products.
-    -->
-	<xsl:template match="md:IDPSSODescriptor
-		[contains(@protocolSupportEnumeration, 'urn:oasis:names:tc:SAML:2.0:protocol')]
-		[md:KeyDescriptor[not(descendant::ds:X509Data)]]">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">SAML 2.0 IdP has KeyDescriptor without embedded key</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-	<xsl:template match="md:AttributeAuthorityDescriptor
-		[contains(@protocolSupportEnumeration, 'urn:oasis:names:tc:SAML:2.0:protocol')]
-		[md:KeyDescriptor[not(descendant::ds:X509Data)]]">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">SAML 2.0 AttributeAuthority has KeyDescriptor without embedded key</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-
 </xsl:stylesheet>
diff --git a/mdx/_rules/check_uk_trust.xsl b/mdx/_rules/check_uk_trust.xsl
@@ -0,0 +1,79 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+	
+    check_uk_trust.xsl
+    
+    Checking ruleset for the UK federation trust fabric, as documented in the
+    Federation Technical Specifications.  Checks are labelled with a section
+    number and FTS version, as the section number may change between editions.
+    
+    Author: Ian A. Young <ian@iay.org.uk>
+    
+-->
+<xsl:stylesheet version="1.0"
+	xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
+	xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+	xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
+
+	<!--
+        Common support functions.
+    -->
+	<xsl:import href="check_framework.xsl"/>
+
+
+	<!--
+        Check for role descriptors with missing KeyDescriptor elements.
+    -->
+
+	<xsl:template match="md:IDPSSODescriptor[not(md:KeyDescriptor)]">
+		<xsl:call-template name="error">
+			<xsl:with-param name="m">IdP SSO Descriptor lacking KeyDescriptor</xsl:with-param>
+		</xsl:call-template>    
+	</xsl:template>
+
+	<xsl:template match="md:SPSSODescriptor[not(md:KeyDescriptor)]">
+		<xsl:call-template name="error">
+			<xsl:with-param name="m">SP SSO Descriptor lacking KeyDescriptor</xsl:with-param>
+		</xsl:call-template>    
+	</xsl:template>
+
+	<xsl:template match="md:AttributeAuthorityDescriptor[not(md:KeyDescriptor)]">
+		<xsl:call-template name="error">
+			<xsl:with-param name="m">IdP AA Descriptor lacking KeyDescriptor</xsl:with-param>
+		</xsl:call-template>    
+	</xsl:template>
+
+
+	<!--
+        Look for SAML 2.0 IdPs whose metadata includes pure PKIX KeyDescriptor elements.
+        
+        This causes problems for some OpenAthens SP products.
+    -->
+	<xsl:template match="md:IDPSSODescriptor
+		[contains(@protocolSupportEnumeration, 'urn:oasis:names:tc:SAML:2.0:protocol')]
+		[md:KeyDescriptor[not(descendant::ds:X509Data)]]">
+		<xsl:call-template name="error">
+			<xsl:with-param name="m">SAML 2.0 IdP has KeyDescriptor without embedded key</xsl:with-param>
+		</xsl:call-template>
+	</xsl:template>
+	<xsl:template match="md:AttributeAuthorityDescriptor
+		[contains(@protocolSupportEnumeration, 'urn:oasis:names:tc:SAML:2.0:protocol')]
+		[md:KeyDescriptor[not(descendant::ds:X509Data)]]">
+		<xsl:call-template name="error">
+			<xsl:with-param name="m">SAML 2.0 AttributeAuthority has KeyDescriptor without embedded key</xsl:with-param>
+		</xsl:call-template>
+	</xsl:template>
+
+	<!--
+        Check for SAML 2.0 SPs with KeyName-only KeyDescriptors.
+    -->
+	<xsl:template match="md:SPSSODescriptor
+		[contains(@protocolSupportEnumeration, 'urn:oasis:names:tc:SAML:2.0:protocol')]
+		[md:KeyDescriptor[not(descendant::ds:X509Data)]]">
+		<xsl:call-template name="error">
+			<xsl:with-param name="m">SAML 2.0 SP has KeyDescriptor without embedded key</xsl:with-param>
+		</xsl:call-template>
+	</xsl:template>
+
+</xsl:stylesheet>
diff --git a/mdx/validation-beans.xml b/mdx/validation-beans.xml
@@ -587,6 +587,34 @@
         </property>
     </bean>
 
+    <!--
+        *******************************************************************
+        ***                                                             ***
+        ***   U K   F E D E R A T I O N   S P E C I F I C A T I O N S   ***
+        ***                                                             ***
+        *******************************************************************
+    -->
+
+    <!--
+        check_uk_trust
+    -->
+    <bean id="check_uk_trust" parent="check_xslt_parent"
+        p:id="check_uk_trust">
+        <property name="xslResource">
+            <bean parent="file_parent">
+                <constructor-arg value="#{ systemProperties['rulesdir'] }/check_uk_trust.xsl"/>
+            </bean>
+        </property>
+    </bean>
+
+    <!--
+        *********************************************
+        ***                                       ***
+        ***   A G G R E G A T E D   C H E C K S   ***
+        ***                                       ***
+        *********************************************
+    -->
+
     <!--
         CHECK_std
     -->
@@ -611,6 +639,7 @@
                 <ref bean="check_saml2int"/>
                 <ref bean="check_saml2meta"/>
                 <ref bean="check_shibboleth"/>
+                <ref bean="check_uk_trust"/>
             </list>
         </property>
     </bean>