From 21342e539d044a7fcbd0583ab7604635867c982f Mon Sep 17 00:00:00 2001
From: Ian Young <ian@iay.org.uk>
Date: Mon, 2 May 2011 18:27:22 +0000
Subject: [PATCH] Remove the fixup code for @use-less KeyDescriptor elements
 out of the (registrar) import transform and add it instead to each of the
 four publication flow transforms. Similarly, remove the check for this case
 out of the check_shibboleth ruleset into its own check_fixups ruleset, and
 impose that on all of the publication flows through a new CHECK.publishable
 macro. There is no net effect of this for currently registered metadata.  New
 registration may have @use-less KeyDescriptors, however, which will now be
 retainin their entity fragment files but still fixed up in the publication
 flows.  Metadata imported from other sources may also now have @use-less
 KeyDescriptor elements without that being flagged as an issue as long as the
 fixup is applied at some time before publication.

---
 build.xml                    | 30 ++++++++++++++++++++--
 build/check_fixups.xsl       | 49 ++++++++++++++++++++++++++++++++++++
 build/check_shibboleth.xsl   | 22 ----------------
 build/import.xsl             | 13 ----------
 build/uk_master_back.xsl     | 12 +++++++++
 build/uk_master_export.xsl   | 12 +++++++++
 build/uk_master_test.xsl     | 12 +++++++++
 build/uk_master_unsigned.xsl | 12 +++++++++
 8 files changed, 125 insertions(+), 37 deletions(-)
 create mode 100644 build/check_fixups.xsl

diff --git a/build.xml b/build.xml
index db39db1b..7235eee4 100644
--- a/build.xml
+++ b/build.xml
@@ -415,26 +415,51 @@
         </CHECK.base>
 	</target>
 	
+    <!--
+        Check a metadata document for publishability.  This is applied during all
+        publication flows prior to any signature step.
+        
+        At the moment, this is a single test which is no longer being performed elsewhere
+        but should pass by construction.  In the longer term it may make sense to
+        expand this to the fullest battery possible, with the exception of those
+        tests which are registrar-specific.
+        
+        Parameter 'i' is the file to be checked; no assumption is made
+        about its location so this must contain a full path.
+    -->
+    <macrodef name="CHECK.publishable">
+        <attribute name="i"/>
+        <sequential>
+            <CHECK.base i="@{i}">
+                <arg value="${build.dir}/check_fixups.xsl"/>
+            </CHECK.base>
+        </sequential>
+    </macrodef>
+
 	<target name="gen.uk.unsigned" depends="gen.uk.master">
 		<echo>Generating unsigned UK metadata files.</echo>
 		<!-- [19] -->
 		<XALAN x="uk_master_unsigned.xsl" i="${uk.master.file}"
-			o="${md.prod.unsigned}" />
+			o="${md.prod.unsigned}" />
 		<MDNORM i="${md.prod.unsigned}"/>
+        <CHECK.publishable i="${xml.dir}/${md.prod.unsigned}"/>
 		
 		<!-- [27] -->
 		<XALAN x="uk_master_test.xsl" i="${uk.master.file}"
 			o="${md.test.unsigned}" />
 		<MDNORM i="${md.test.unsigned}"/>
+        <CHECK.publishable i="${xml.dir}/${md.test.unsigned}"/>
 		
 		<!-- [29] -->
 		<XALAN x="uk_master_export.xsl" i="${uk.master.file}"
 			o="${md.export.unsigned}" />
 		<MDNORM i="${md.export.unsigned}"/>
+        <CHECK.publishable i="${xml.dir}/${md.export.unsigned}"/>
 		
 		<!-- [31] -->
 		<XALAN x="uk_master_back.xsl" i="${uk.master.file}"
 			o="${md.back.unsigned}" />
+        <CHECK.publishable i="${xml.dir}/${md.back.unsigned}"/>
 	</target>
 	
 	<target name="gen.uk.wayf" depends="gen.uk.unsigned">
@@ -442,6 +467,7 @@
 		<!-- [25] -->
 		<XALAN x="master_to_wayf.xsl" i="${md.prod.unsigned}"
 			o="${md.wayf.unsigned}"/>
+        <CHECK.publishable i="${xml.dir}/${md.wayf.unsigned}"/>
 	</target>
 
     <!--
@@ -900,7 +926,7 @@
         Parameter 'i' is the file to be checked; no assumption is made
         about its location so this must contain a full path.
         
-        Parameter 's' is the primary checking stylesheet to use; assumed to be
+        Parameter 's' is the checking stylesheet to use; assumed to be
         present in the build.dir.
     -->
 	<macrodef name="CHECK.one">
diff --git a/build/check_fixups.xsl b/build/check_fixups.xsl
new file mode 100644
index 00000000..bdd1395c
--- /dev/null
+++ b/build/check_fixups.xsl
@@ -0,0 +1,49 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+
+	check_fixups.xsl
+
+	This checking ruleset verifies that certain fixups have been performed on the
+	metadata before it is published.
+	
+	Author: Ian A. Young <ian@iay.org.uk>
+
+-->
+<xsl:stylesheet version="1.0"
+	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+	xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
+	xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+	xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
+	xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
+	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+	xmlns:idpdisc="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
+	xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
+
+	<!--
+		Common support functions.
+	-->
+	<xsl:import href="check_framework.xsl"/>
+
+	
+	<!--
+		Checks for an IdP whose KeyDescriptor elements do not include a @use attribute.
+		This causes problems with the Shibboleth 1.3 SP prior to V1.3.1, which
+		interprets this as "no use permitted" rather than "either signing or encryption use
+		permitted".
+		
+		Two checks are required, one for each of the IdP role descriptors.
+	-->
+	
+	<xsl:template match="md:IDPSSODescriptor/md:KeyDescriptor[not(@use)]">
+		<xsl:call-template name="fatal">
+			<xsl:with-param name="m">IdP SSO KeyDescriptor lacking @use</xsl:with-param>
+		</xsl:call-template>
+	</xsl:template>
+	
+	<xsl:template match="md:AttributeAuthorityDescriptor/md:KeyDescriptor[not(@use)]">
+		<xsl:call-template name="fatal">
+			<xsl:with-param name="m">IdP AA KeyDescriptor lacking @use</xsl:with-param>
+		</xsl:call-template>
+	</xsl:template>
+	
+</xsl:stylesheet>
diff --git a/build/check_shibboleth.xsl b/build/check_shibboleth.xsl
index 8b563f3c..4430eb0a 100644
--- a/build/check_shibboleth.xsl
+++ b/build/check_shibboleth.xsl
@@ -87,28 +87,6 @@
 	</xsl:template>
 	
 	
-	<!--
-		Checks for an IdP whose KeyDescriptor elements do not include a @use attribute.
-		This causes problems with the Shibboleth 1.3 SP prior to V1.3.1, which
-		interprets this as "no use permitted" rather than "either signing or encryption use
-		permitted".
-		
-		Two checks are required, one for each of the IdP role descriptors.
-	-->
-	
-	<xsl:template match="md:IDPSSODescriptor/md:KeyDescriptor[not(@use)]">
-		<xsl:call-template name="fatal">
-			<xsl:with-param name="m">IdP SSO KeyDescriptor lacking @use</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-	
-	<xsl:template match="md:AttributeAuthorityDescriptor/md:KeyDescriptor[not(@use)]">
-		<xsl:call-template name="fatal">
-			<xsl:with-param name="m">IdP AA KeyDescriptor lacking @use</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-	
-
 	<!--
 		Check for SAML 1.1 SPs which exclude the Shibboleth transient name identifier format.
 		
diff --git a/build/import.xsl b/build/import.xsl
index c63b16cc..b0fa912d 100644
--- a/build/import.xsl
+++ b/build/import.xsl
@@ -204,19 +204,6 @@
 	</xsl:template>
 
 
-	<!--
-		Patch any @use-less KeyName descriptors in IdP roles
-		for the benefit of Shib SPs pre-1.3.1.
-	-->
-	<xsl:template match="md:IDPSSODescriptor/md:KeyDescriptor[not(@use)] |
-		md:AttributeAuthorityDescriptor/md:KeyDescriptor[not(@use)]">
-		<xsl:copy>
-			<xsl:attribute name="use">signing</xsl:attribute>
-			<xsl:apply-templates/>
-		</xsl:copy>
-	</xsl:template>
-	
-	
 	<!--
 		md:AttributeConsumingService
 		
diff --git a/build/uk_master_back.xsl b/build/uk_master_back.xsl
index 4f03d769..a9fcbe39 100644
--- a/build/uk_master_back.xsl
+++ b/build/uk_master_back.xsl
@@ -109,6 +109,18 @@
 		</xsl:if>
 	</xsl:template>
 	
+	<!--
+		Patch any @use-less KeyName descriptors in IdP roles
+		for the benefit of Shib SPs pre-1.3.1.
+	-->
+	<xsl:template match="md:IDPSSODescriptor/md:KeyDescriptor[not(@use)] |
+		md:AttributeAuthorityDescriptor/md:KeyDescriptor[not(@use)]">
+		<xsl:copy>
+			<xsl:attribute name="use">signing</xsl:attribute>
+			<xsl:apply-templates/>
+		</xsl:copy>
+	</xsl:template>
+	
 	<!--
 		Pass through certain ukfedlabel namespace elements.
 	-->
diff --git a/build/uk_master_export.xsl b/build/uk_master_export.xsl
index 689f01a9..4a893f96 100644
--- a/build/uk_master_export.xsl
+++ b/build/uk_master_export.xsl
@@ -129,6 +129,18 @@
 		</xsl:if>
 	</xsl:template>
 	
+	<!--
+		Patch any @use-less KeyName descriptors in IdP roles
+		for the benefit of Shib SPs pre-1.3.1.
+	-->
+	<xsl:template match="md:IDPSSODescriptor/md:KeyDescriptor[not(@use)] |
+		md:AttributeAuthorityDescriptor/md:KeyDescriptor[not(@use)]">
+		<xsl:copy>
+			<xsl:attribute name="use">signing</xsl:attribute>
+			<xsl:apply-templates/>
+		</xsl:copy>
+	</xsl:template>
+	
 	<!--
 		Drop text nodes inside the document element.  There's one of these for each
 		EntityDescriptor in the original document, so without this most of the output
diff --git a/build/uk_master_test.xsl b/build/uk_master_test.xsl
index eb90f15c..f2ba4721 100644
--- a/build/uk_master_test.xsl
+++ b/build/uk_master_test.xsl
@@ -131,6 +131,18 @@
 		</xsl:if>
 	</xsl:template>
 	
+	<!--
+		Patch any @use-less KeyName descriptors in IdP roles
+		for the benefit of Shib SPs pre-1.3.1.
+	-->
+	<xsl:template match="md:IDPSSODescriptor/md:KeyDescriptor[not(@use)] |
+		md:AttributeAuthorityDescriptor/md:KeyDescriptor[not(@use)]">
+		<xsl:copy>
+			<xsl:attribute name="use">signing</xsl:attribute>
+			<xsl:apply-templates/>
+		</xsl:copy>
+	</xsl:template>
+	
 	<!--
 		Normalise and pass through certain ukfedlabel namespace elements.
 	-->
diff --git a/build/uk_master_unsigned.xsl b/build/uk_master_unsigned.xsl
index 33e27838..032ab432 100644
--- a/build/uk_master_unsigned.xsl
+++ b/build/uk_master_unsigned.xsl
@@ -126,6 +126,18 @@
 		</xsl:if>
 	</xsl:template>
 	
+	<!--
+		Patch any @use-less KeyName descriptors in IdP roles
+		for the benefit of Shib SPs pre-1.3.1.
+	-->
+	<xsl:template match="md:IDPSSODescriptor/md:KeyDescriptor[not(@use)] |
+		md:AttributeAuthorityDescriptor/md:KeyDescriptor[not(@use)]">
+		<xsl:copy>
+			<xsl:attribute name="use">signing</xsl:attribute>
+			<xsl:apply-templates/>
+		</xsl:copy>
+	</xsl:template>
+	
 	<!--
 		Normalise and pass through certain ukfedlabel namespace elements.
 	-->