Remove the fixup code for @use-less KeyDescriptor elements out of the…

… (registrar) import transform and add it instead to each of the four publication flow transforms. Similarly, remove the check for this case out of the check_shibboleth ruleset into its own check_fixups ruleset, and impose that on all of the publication flows through a new CHECK.publishable macro. There is no net effect of this for currently registered metadata. New registration may have @use-less KeyDescriptors, however, which will now be retainin their entity fragment files but still fixed up in the publication flows. Metadata imported from other sources may also now have @use-less KeyDescriptor elements without that being flagged as an issue as long as the fixup is applied at some time before publication.
InCommon · May 2, 2011 · 21342e5 · 21342e5
1 parent 7b87209
commit 21342e5
Show file tree

Hide file tree

Showing 8 changed files with 125 additions and 37 deletions.
diff --git a/build.xml b/build.xml
@@ -415,33 +415,59 @@
         </CHECK.base>
 	</target>
 
+    <!--
+        Check a metadata document for publishability.  This is applied during all
+        publication flows prior to any signature step.
+        
+        At the moment, this is a single test which is no longer being performed elsewhere
+        but should pass by construction.  In the longer term it may make sense to
+        expand this to the fullest battery possible, with the exception of those
+        tests which are registrar-specific.
+        
+        Parameter 'i' is the file to be checked; no assumption is made
+        about its location so this must contain a full path.
+    -->
+    <macrodef name="CHECK.publishable">
+        <attribute name="i"/>
+        <sequential>
+            <CHECK.base i="@{i}">
+                <arg value="${build.dir}/check_fixups.xsl"/>
+            </CHECK.base>
+        </sequential>
+    </macrodef>
+
 	<target name="gen.uk.unsigned" depends="gen.uk.master">
 		<echo>Generating unsigned UK metadata files.</echo>
 		<!-- [19] -->
 		<XALAN x="uk_master_unsigned.xsl" i="${uk.master.file}"
-			o="${md.prod.unsigned}" />
+			o="${md.prod.unsigned}" />
 		<MDNORM i="${md.prod.unsigned}"/>
+        <CHECK.publishable i="${xml.dir}/${md.prod.unsigned}"/>
 
 		<!-- [27] -->
 		<XALAN x="uk_master_test.xsl" i="${uk.master.file}"
 			o="${md.test.unsigned}" />
 		<MDNORM i="${md.test.unsigned}"/>
+        <CHECK.publishable i="${xml.dir}/${md.test.unsigned}"/>
 
 		<!-- [29] -->
 		<XALAN x="uk_master_export.xsl" i="${uk.master.file}"
 			o="${md.export.unsigned}" />
 		<MDNORM i="${md.export.unsigned}"/>
+        <CHECK.publishable i="${xml.dir}/${md.export.unsigned}"/>
 
 		<!-- [31] -->
 		<XALAN x="uk_master_back.xsl" i="${uk.master.file}"
 			o="${md.back.unsigned}" />
+        <CHECK.publishable i="${xml.dir}/${md.back.unsigned}"/>
 	</target>
 
 	<target name="gen.uk.wayf" depends="gen.uk.unsigned">
 		<echo>Generating unsigned UK WAYF metadata.</echo>
 		<!-- [25] -->
 		<XALAN x="master_to_wayf.xsl" i="${md.prod.unsigned}"
 			o="${md.wayf.unsigned}"/>
+        <CHECK.publishable i="${xml.dir}/${md.wayf.unsigned}"/>
 	</target>
 
     <!--
@@ -900,7 +926,7 @@
         Parameter 'i' is the file to be checked; no assumption is made
         about its location so this must contain a full path.
         
-        Parameter 's' is the primary checking stylesheet to use; assumed to be
+        Parameter 's' is the checking stylesheet to use; assumed to be
         present in the build.dir.
     -->
 	<macrodef name="CHECK.one">

diff --git a/build/check_fixups.xsl b/build/check_fixups.xsl
@@ -0,0 +1,49 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+
+	check_fixups.xsl
+
+	This checking ruleset verifies that certain fixups have been performed on the
+	metadata before it is published.
+	
+	Author: Ian A. Young <ian@iay.org.uk>
+
+-->
+<xsl:stylesheet version="1.0"
+	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+	xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
+	xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+	xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
+	xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
+	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+	xmlns:idpdisc="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
+	xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
+
+	<!--
+		Common support functions.
+	-->
+	<xsl:import href="check_framework.xsl"/>
+
+
+	<!--
+		Checks for an IdP whose KeyDescriptor elements do not include a @use attribute.
+		This causes problems with the Shibboleth 1.3 SP prior to V1.3.1, which
+		interprets this as "no use permitted" rather than "either signing or encryption use
+		permitted".
+		
+		Two checks are required, one for each of the IdP role descriptors.
+	-->
+
+	<xsl:template match="md:IDPSSODescriptor/md:KeyDescriptor[not(@use)]">
+		<xsl:call-template name="fatal">
+			<xsl:with-param name="m">IdP SSO KeyDescriptor lacking @use</xsl:with-param>
+		</xsl:call-template>
+	</xsl:template>
+
+	<xsl:template match="md:AttributeAuthorityDescriptor/md:KeyDescriptor[not(@use)]">
+		<xsl:call-template name="fatal">
+			<xsl:with-param name="m">IdP AA KeyDescriptor lacking @use</xsl:with-param>
+		</xsl:call-template>
+	</xsl:template>
+
+</xsl:stylesheet>
diff --git a/build/check_shibboleth.xsl b/build/check_shibboleth.xsl
@@ -87,28 +87,6 @@
 	</xsl:template>
 
 
-	<!--
-		Checks for an IdP whose KeyDescriptor elements do not include a @use attribute.
-		This causes problems with the Shibboleth 1.3 SP prior to V1.3.1, which
-		interprets this as "no use permitted" rather than "either signing or encryption use
-		permitted".
-		
-		Two checks are required, one for each of the IdP role descriptors.
-	-->
-
-	<xsl:template match="md:IDPSSODescriptor/md:KeyDescriptor[not(@use)]">
-		<xsl:call-template name="fatal">
-			<xsl:with-param name="m">IdP SSO KeyDescriptor lacking @use</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-
-	<xsl:template match="md:AttributeAuthorityDescriptor/md:KeyDescriptor[not(@use)]">
-		<xsl:call-template name="fatal">
-			<xsl:with-param name="m">IdP AA KeyDescriptor lacking @use</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-
-
 	<!--
 		Check for SAML 1.1 SPs which exclude the Shibboleth transient name identifier format.
 		

diff --git a/build/import.xsl b/build/import.xsl
@@ -204,19 +204,6 @@
 	</xsl:template>
 
 
-	<!--
-		Patch any @use-less KeyName descriptors in IdP roles
-		for the benefit of Shib SPs pre-1.3.1.
-	-->
-	<xsl:template match="md:IDPSSODescriptor/md:KeyDescriptor[not(@use)] |
-		md:AttributeAuthorityDescriptor/md:KeyDescriptor[not(@use)]">
-		<xsl:copy>
-			<xsl:attribute name="use">signing</xsl:attribute>
-			<xsl:apply-templates/>
-		</xsl:copy>
-	</xsl:template>
-
-
 	<!--
 		md:AttributeConsumingService
 		

diff --git a/build/uk_master_back.xsl b/build/uk_master_back.xsl
@@ -109,6 +109,18 @@
 		</xsl:if>
 	</xsl:template>
 
+	<!--
+		Patch any @use-less KeyName descriptors in IdP roles
+		for the benefit of Shib SPs pre-1.3.1.
+	-->
+	<xsl:template match="md:IDPSSODescriptor/md:KeyDescriptor[not(@use)] |
+		md:AttributeAuthorityDescriptor/md:KeyDescriptor[not(@use)]">
+		<xsl:copy>
+			<xsl:attribute name="use">signing</xsl:attribute>
+			<xsl:apply-templates/>
+		</xsl:copy>
+	</xsl:template>
+
 	<!--
 		Pass through certain ukfedlabel namespace elements.
 	-->

diff --git a/build/uk_master_export.xsl b/build/uk_master_export.xsl
@@ -129,6 +129,18 @@
 		</xsl:if>
 	</xsl:template>
 
+	<!--
+		Patch any @use-less KeyName descriptors in IdP roles
+		for the benefit of Shib SPs pre-1.3.1.
+	-->
+	<xsl:template match="md:IDPSSODescriptor/md:KeyDescriptor[not(@use)] |
+		md:AttributeAuthorityDescriptor/md:KeyDescriptor[not(@use)]">
+		<xsl:copy>
+			<xsl:attribute name="use">signing</xsl:attribute>
+			<xsl:apply-templates/>
+		</xsl:copy>
+	</xsl:template>
+
 	<!--
 		Drop text nodes inside the document element.  There's one of these for each
 		EntityDescriptor in the original document, so without this most of the output

diff --git a/build/uk_master_test.xsl b/build/uk_master_test.xsl
@@ -131,6 +131,18 @@
 		</xsl:if>
 	</xsl:template>
 
+	<!--
+		Patch any @use-less KeyName descriptors in IdP roles
+		for the benefit of Shib SPs pre-1.3.1.
+	-->
+	<xsl:template match="md:IDPSSODescriptor/md:KeyDescriptor[not(@use)] |
+		md:AttributeAuthorityDescriptor/md:KeyDescriptor[not(@use)]">
+		<xsl:copy>
+			<xsl:attribute name="use">signing</xsl:attribute>
+			<xsl:apply-templates/>
+		</xsl:copy>
+	</xsl:template>
+
 	<!--
 		Normalise and pass through certain ukfedlabel namespace elements.
 	-->

diff --git a/build/uk_master_unsigned.xsl b/build/uk_master_unsigned.xsl
@@ -126,6 +126,18 @@
 		</xsl:if>
 	</xsl:template>
 
+	<!--
+		Patch any @use-less KeyName descriptors in IdP roles
+		for the benefit of Shib SPs pre-1.3.1.
+	-->
+	<xsl:template match="md:IDPSSODescriptor/md:KeyDescriptor[not(@use)] |
+		md:AttributeAuthorityDescriptor/md:KeyDescriptor[not(@use)]">
+		<xsl:copy>
+			<xsl:attribute name="use">signing</xsl:attribute>
+			<xsl:apply-templates/>
+		</xsl:copy>
+	</xsl:template>
+
 	<!--
 		Normalise and pass through certain ukfedlabel namespace elements.
 	-->