From 17ae922d30a185c1fdd397b0652af3537413fd6f Mon Sep 17 00:00:00 2001
From: Ian Young <ian@iay.org.uk>
Date: Mon, 1 Apr 2013 17:12:05 +0000
Subject: [PATCH] Promote check for SAML 2.0 SPs with KeyName-only
 KeyDescriptors to production. Move this and related checks from check_misc
 into a new check_uk_trust ruleset, which will reflect the Trust Fabric
 section of the FTS as it develops, and as we perform our 2013 trust fabric
 evolution. Resolves bugzilla issue 959.

---
 mdx/_rules/check_future_1.xsl | 11 -----
 mdx/_rules/check_misc.xsl     | 43 -------------------
 mdx/_rules/check_uk_trust.xsl | 79 +++++++++++++++++++++++++++++++++++
 mdx/validation-beans.xml      | 29 +++++++++++++
 4 files changed, 108 insertions(+), 54 deletions(-)
 create mode 100644 mdx/_rules/check_uk_trust.xsl

diff --git a/mdx/_rules/check_future_1.xsl b/mdx/_rules/check_future_1.xsl
index 256c9247..676f3626 100644
--- a/mdx/_rules/check_future_1.xsl
+++ b/mdx/_rules/check_future_1.xsl
@@ -29,15 +29,4 @@
 	-->
 	<xsl:import href="check_framework.xsl"/>
 
-	<!--
-		Check for SAML 2.0 SPs with KeyName-only KeyDescriptors.
-	-->
-	<xsl:template match="md:SPSSODescriptor
-		[contains(@protocolSupportEnumeration, 'urn:oasis:names:tc:SAML:2.0:protocol')]
-		[md:KeyDescriptor[not(descendant::ds:X509Data)]]">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">SAML 2.0 SP has KeyDescriptor without embedded key</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-
 </xsl:stylesheet>
diff --git a/mdx/_rules/check_misc.xsl b/mdx/_rules/check_misc.xsl
index 0e7ee4aa..80ec2836 100644
--- a/mdx/_rules/check_misc.xsl
+++ b/mdx/_rules/check_misc.xsl
@@ -22,29 +22,6 @@
 	<xsl:import href="check_framework.xsl"/>
 
 	
-	<!--
-		Check for role descriptors with missing KeyDescriptor elements.
-	-->
-	
-	<xsl:template match="md:IDPSSODescriptor[not(md:KeyDescriptor)]">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">IdP SSO Descriptor lacking KeyDescriptor</xsl:with-param>
-		</xsl:call-template>    
-	</xsl:template>
-	
-	<xsl:template match="md:SPSSODescriptor[not(md:KeyDescriptor)]">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">SP SSO Descriptor lacking KeyDescriptor</xsl:with-param>
-		</xsl:call-template>    
-	</xsl:template>
-	
-	<xsl:template match="md:AttributeAuthorityDescriptor[not(md:KeyDescriptor)]">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">IdP AA Descriptor lacking KeyDescriptor</xsl:with-param>
-		</xsl:call-template>    
-	</xsl:template>
-	
-	
 	<!--
 		Entity IDs should not contain space characters.
 	-->
@@ -152,24 +129,4 @@
 		</xsl:call-template>
 	</xsl:template>
 
-	<!--
-        Look for SAML 2.0 IdPs whose metadata includes pure PKIX KeyDescriptor elements.
-        
-        This causes problems for some OpenAthens SP products.
-    -->
-	<xsl:template match="md:IDPSSODescriptor
-		[contains(@protocolSupportEnumeration, 'urn:oasis:names:tc:SAML:2.0:protocol')]
-		[md:KeyDescriptor[not(descendant::ds:X509Data)]]">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">SAML 2.0 IdP has KeyDescriptor without embedded key</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-	<xsl:template match="md:AttributeAuthorityDescriptor
-		[contains(@protocolSupportEnumeration, 'urn:oasis:names:tc:SAML:2.0:protocol')]
-		[md:KeyDescriptor[not(descendant::ds:X509Data)]]">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">SAML 2.0 AttributeAuthority has KeyDescriptor without embedded key</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-	
 </xsl:stylesheet>
diff --git a/mdx/_rules/check_uk_trust.xsl b/mdx/_rules/check_uk_trust.xsl
new file mode 100644
index 00000000..f1a223b9
--- /dev/null
+++ b/mdx/_rules/check_uk_trust.xsl
@@ -0,0 +1,79 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+	
+    check_uk_trust.xsl
+    
+    Checking ruleset for the UK federation trust fabric, as documented in the
+    Federation Technical Specifications.  Checks are labelled with a section
+    number and FTS version, as the section number may change between editions.
+    
+    Author: Ian A. Young <ian@iay.org.uk>
+    
+-->
+<xsl:stylesheet version="1.0"
+	xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
+	xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+	xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
+	
+	<!--
+        Common support functions.
+    -->
+	<xsl:import href="check_framework.xsl"/>
+	
+	
+	<!--
+        Check for role descriptors with missing KeyDescriptor elements.
+    -->
+	
+	<xsl:template match="md:IDPSSODescriptor[not(md:KeyDescriptor)]">
+		<xsl:call-template name="error">
+			<xsl:with-param name="m">IdP SSO Descriptor lacking KeyDescriptor</xsl:with-param>
+		</xsl:call-template>    
+	</xsl:template>
+	
+	<xsl:template match="md:SPSSODescriptor[not(md:KeyDescriptor)]">
+		<xsl:call-template name="error">
+			<xsl:with-param name="m">SP SSO Descriptor lacking KeyDescriptor</xsl:with-param>
+		</xsl:call-template>    
+	</xsl:template>
+	
+	<xsl:template match="md:AttributeAuthorityDescriptor[not(md:KeyDescriptor)]">
+		<xsl:call-template name="error">
+			<xsl:with-param name="m">IdP AA Descriptor lacking KeyDescriptor</xsl:with-param>
+		</xsl:call-template>    
+	</xsl:template>
+	
+	
+	<!--
+        Look for SAML 2.0 IdPs whose metadata includes pure PKIX KeyDescriptor elements.
+        
+        This causes problems for some OpenAthens SP products.
+    -->
+	<xsl:template match="md:IDPSSODescriptor
+		[contains(@protocolSupportEnumeration, 'urn:oasis:names:tc:SAML:2.0:protocol')]
+		[md:KeyDescriptor[not(descendant::ds:X509Data)]]">
+		<xsl:call-template name="error">
+			<xsl:with-param name="m">SAML 2.0 IdP has KeyDescriptor without embedded key</xsl:with-param>
+		</xsl:call-template>
+	</xsl:template>
+	<xsl:template match="md:AttributeAuthorityDescriptor
+		[contains(@protocolSupportEnumeration, 'urn:oasis:names:tc:SAML:2.0:protocol')]
+		[md:KeyDescriptor[not(descendant::ds:X509Data)]]">
+		<xsl:call-template name="error">
+			<xsl:with-param name="m">SAML 2.0 AttributeAuthority has KeyDescriptor without embedded key</xsl:with-param>
+		</xsl:call-template>
+	</xsl:template>
+	
+	<!--
+        Check for SAML 2.0 SPs with KeyName-only KeyDescriptors.
+    -->
+	<xsl:template match="md:SPSSODescriptor
+		[contains(@protocolSupportEnumeration, 'urn:oasis:names:tc:SAML:2.0:protocol')]
+		[md:KeyDescriptor[not(descendant::ds:X509Data)]]">
+		<xsl:call-template name="error">
+			<xsl:with-param name="m">SAML 2.0 SP has KeyDescriptor without embedded key</xsl:with-param>
+		</xsl:call-template>
+	</xsl:template>
+	
+</xsl:stylesheet>
diff --git a/mdx/validation-beans.xml b/mdx/validation-beans.xml
index fb2907ce..5644fecd 100644
--- a/mdx/validation-beans.xml
+++ b/mdx/validation-beans.xml
@@ -587,6 +587,34 @@
         </property>
     </bean>
     
+    <!--
+        *******************************************************************
+        ***                                                             ***
+        ***   U K   F E D E R A T I O N   S P E C I F I C A T I O N S   ***
+        ***                                                             ***
+        *******************************************************************
+    -->
+    
+    <!--
+        check_uk_trust
+    -->
+    <bean id="check_uk_trust" parent="check_xslt_parent"
+        p:id="check_uk_trust">
+        <property name="xslResource">
+            <bean parent="file_parent">
+                <constructor-arg value="#{ systemProperties['rulesdir'] }/check_uk_trust.xsl"/>
+            </bean>
+        </property>
+    </bean>
+    
+    <!--
+        *********************************************
+        ***                                       ***
+        ***   A G G R E G A T E D   C H E C K S   ***
+        ***                                       ***
+        *********************************************
+    -->
+    
     <!--
         CHECK_std
     -->
@@ -611,6 +639,7 @@
                 <ref bean="check_saml2int"/>
                 <ref bean="check_saml2meta"/>
                 <ref bean="check_shibboleth"/>
+                <ref bean="check_uk_trust"/>
             </list>
         </property>
     </bean>