Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Browse files
Browse the repository at this point in the history
Add metadata checks for conformance with Sirtfi version 2.0 specifica…
…tion See ukf/ukf-meta#352 for details
Alex Stuart
committed
Sep 20, 2022
1 parent
8d05662
commit 3ecf61c
Showing
9 changed files
with
215 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,86 @@ | ||
| <?xml version="1.0" encoding="UTF-8"?> | ||
| <!-- | ||
| check_sirtfi2.xsl | ||
| Checking ruleset containing rules associated with the Sirtfi version 2.0 specification, | ||
| as described on the REFEDS page https://refeds.org/sirtfi and with specifcation at: | ||
| https://refeds.org/wp-content/uploads/2022/08/Sirtfi-v2.pdf | ||
| --> | ||
| <xsl:stylesheet version="1.0" | ||
| xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" | ||
| xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute" | ||
| xmlns:remd="http://refeds.org/metadata" | ||
| xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" | ||
|
|
||
| xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" | ||
| xmlns:xsl="http://www.w3.org/1999/XSL/Transform" | ||
| xmlns="urn:oasis:names:tc:SAML:2.0:metadata"> | ||
|
|
||
| <!-- | ||
| Common support functions. | ||
| --> | ||
| <xsl:import href="check_framework.xsl"/> | ||
|
|
||
| <!-- | ||
| Process only entities claiming Sirtfi version 2 compliance. | ||
| --> | ||
| <xsl:template match="md:EntityDescriptor[ | ||
| md:Extensions/mdattr:EntityAttributes/saml:Attribute[@NameFormat='urn:oasis:names:tc:SAML:2.0:attrname-format:uri'] | ||
| [@Name='urn:oasis:names:tc:SAML:attribute:assurance-certification'] | ||
| /saml:AttributeValue[.='https://refeds.org/sirtfi2'] | ||
| ]"> | ||
|
|
||
| <!-- | ||
| Collect the REFEDS security contacts for this entity. | ||
| --> | ||
| <xsl:variable name="securityContacts" | ||
| select="md:ContactPerson | ||
| [@contactType='other'] | ||
| [@remd:contactType='http://refeds.org/metadata/contactType/security']"/> | ||
|
|
||
| <!-- | ||
| There must be at least one REFEDS security contact. | ||
| --> | ||
| <xsl:if test="count($securityContacts) = 0"> | ||
| <xsl:call-template name="error"> | ||
| <xsl:with-param name="m">Sirtfi version 2 requires a REFEDS security contact</xsl:with-param> | ||
| </xsl:call-template> | ||
| </xsl:if> | ||
|
|
||
| <!-- | ||
| REFEDS security contacts used in Sirtfi version 2 compliant entities need to have | ||
| GivenName and EmailAddress attributes. | ||
| --> | ||
| <xsl:for-each select="$securityContacts"> | ||
| <xsl:if test="not(md:GivenName)"> | ||
| <xsl:call-template name="error"> | ||
| <xsl:with-param name="m">Sirtfi version 2 requires a REFEDS security contact to have a GivenName</xsl:with-param> | ||
| </xsl:call-template> | ||
| </xsl:if> | ||
| <xsl:if test="not(md:EmailAddress)"> | ||
| <xsl:call-template name="error"> | ||
| <xsl:with-param name="m">Sirtfi version 2 requires a REFEDS security contact to have an EmailAddress</xsl:with-param> | ||
| </xsl:call-template> | ||
| </xsl:if> | ||
| </xsl:for-each> | ||
|
|
||
| <!-- | ||
| Sirtfi version 2 requires that the entity also asserts the original Sirtfi entity attribute | ||
| --> | ||
| <xsl:if test="not( | ||
| ./md:Extensions/mdattr:EntityAttributes/saml:Attribute | ||
| [@NameFormat='urn:oasis:names:tc:SAML:2.0:attrname-format:uri'] | ||
| [@Name='urn:oasis:names:tc:SAML:attribute:assurance-certification'] | ||
| /saml:AttributeValue[.='https://refeds.org/sirtfi']) | ||
| "> | ||
| <xsl:call-template name="error"> | ||
| <xsl:with-param name="m">Sirtfi version 2 requires the entity to also support the original Sirtfi entity attribute</xsl:with-param> | ||
| </xsl:call-template> | ||
| </xsl:if> | ||
|
|
||
| </xsl:template> | ||
|
|
||
| </xsl:stylesheet> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,8 @@ | ||
|
|
||
| Manual tests for checking Sirtfi version 2 conformance | ||
|
|
||
| Run the following bash command in this directory to see the thrown errors | ||
|
|
||
| ```bash | ||
| for i in *.xml; do echo $i; xsltproc ../../../mdx/_rules/check_sirtfi2.xsl $i; done | ||
| ``` |
15 changes: 15 additions & 0 deletions
15
tests/manual/ukf-meta-352/both-entity-attributes-as-spec.xml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,15 @@ | ||
| <?xml version="1.0" encoding="UTF-8"?> | ||
| <EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" | ||
| xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute" | ||
| xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" | ||
| xmlns:remd="http://refeds.org/metadata" | ||
| entityID="https://example.ac.uk/both-entity-attributes-as-spec"> | ||
| <Extensions> | ||
| <mdattr:EntityAttributes> | ||
| <saml:Attribute Name="urn:oasis:names:tc:SAML:attribute:assurance-certification" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"> | ||
| <saml:AttributeValue>https://refeds.org/sirtfi2</saml:AttributeValue> | ||
| <saml:AttributeValue>https://refeds.org/sirtfi</saml:AttributeValue> | ||
| </saml:Attribute> | ||
| </mdattr:EntityAttributes> | ||
| </Extensions> | ||
| </EntityDescriptor> |
17 changes: 17 additions & 0 deletions
17
tests/manual/ukf-meta-352/both-entity-attributes-separate-attributes.xml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,17 @@ | ||
| <?xml version="1.0" encoding="UTF-8"?> | ||
| <EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" | ||
| xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute" | ||
| xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" | ||
| xmlns:remd="http://refeds.org/metadata" | ||
| entityID="https://example.ac.uk/both-entity-attributes-separate-attributes"> | ||
| <Extensions> | ||
| <mdattr:EntityAttributes> | ||
| <saml:Attribute Name="urn:oasis:names:tc:SAML:attribute:assurance-certification" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"> | ||
| <saml:AttributeValue>https://refeds.org/sirtfi2</saml:AttributeValue> | ||
| </saml:Attribute> | ||
| <saml:Attribute Name="urn:oasis:names:tc:SAML:attribute:assurance-certification" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"> | ||
| <saml:AttributeValue>https://refeds.org/sirtfi</saml:AttributeValue> | ||
| </saml:Attribute> | ||
| </mdattr:EntityAttributes> | ||
| </Extensions> | ||
| </EntityDescriptor> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,20 @@ | ||
| <?xml version="1.0" encoding="UTF-8"?> | ||
| <EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" | ||
| xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute" | ||
| xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" | ||
| xmlns:remd="http://refeds.org/metadata" | ||
| entityID="https://example.ac.uk/correctly-specified"> | ||
| <Extensions> | ||
| <mdattr:EntityAttributes> | ||
| <saml:Attribute Name="urn:oasis:names:tc:SAML:attribute:assurance-certification" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"> | ||
| <saml:AttributeValue>https://refeds.org/sirtfi2</saml:AttributeValue> | ||
| <saml:AttributeValue>https://refeds.org/sirtfi</saml:AttributeValue> | ||
| </saml:Attribute> | ||
| </mdattr:EntityAttributes> | ||
| </Extensions> | ||
| <ContactPerson contactType="other" | ||
| remd:contactType="http://refeds.org/metadata/contactType/security"> | ||
| <GivenName>Name of the security contact</GivenName> | ||
| <EmailAddress>mailto:csirt@example.ac.uk</EmailAddress> | ||
| </ContactPerson> | ||
| </EntityDescriptor> |
18 changes: 18 additions & 0 deletions
18
tests/manual/ukf-meta-352/entity-attribute-contact-with-email.xml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,18 @@ | ||
| <?xml version="1.0" encoding="UTF-8"?> | ||
| <EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" | ||
| xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute" | ||
| xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" | ||
| xmlns:remd="http://refeds.org/metadata" | ||
| entityID="https://example.ac.uk/entity-attribute-contact-with-email"> | ||
| <Extensions> | ||
| <mdattr:EntityAttributes> | ||
| <saml:Attribute Name="urn:oasis:names:tc:SAML:attribute:assurance-certification" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"> | ||
| <saml:AttributeValue>https://refeds.org/sirtfi2</saml:AttributeValue> | ||
| </saml:Attribute> | ||
| </mdattr:EntityAttributes> | ||
| </Extensions> | ||
| <ContactPerson contactType="other" | ||
| remd:contactType="http://refeds.org/metadata/contactType/security"> | ||
| <EmailAddress>mailto:csirt@example.ac.uk</EmailAddress> | ||
| </ContactPerson> | ||
| </EntityDescriptor> |
18 changes: 18 additions & 0 deletions
18
tests/manual/ukf-meta-352/entity-attribute-contact-with-givenname.xml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,18 @@ | ||
| <?xml version="1.0" encoding="UTF-8"?> | ||
| <EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" | ||
| xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute" | ||
| xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" | ||
| xmlns:remd="http://refeds.org/metadata" | ||
| entityID="https://example.ac.uk/entity-attribute-contact-with-givenname"> | ||
| <Extensions> | ||
| <mdattr:EntityAttributes> | ||
| <saml:Attribute Name="urn:oasis:names:tc:SAML:attribute:assurance-certification" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"> | ||
| <saml:AttributeValue>https://refeds.org/sirtfi2</saml:AttributeValue> | ||
| </saml:Attribute> | ||
| </mdattr:EntityAttributes> | ||
| </Extensions> | ||
| <ContactPerson contactType="other" | ||
| remd:contactType="http://refeds.org/metadata/contactType/security"> | ||
| <GivenName>Name of the security contact</GivenName> | ||
| </ContactPerson> | ||
| </EntityDescriptor> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,19 @@ | ||
| <?xml version="1.0" encoding="UTF-8"?> | ||
| <EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" | ||
| xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute" | ||
| xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" | ||
| xmlns:remd="http://refeds.org/metadata" | ||
| entityID="https://example.ac.uk/no-sirtfi-v1"> | ||
| <Extensions> | ||
| <mdattr:EntityAttributes> | ||
| <saml:Attribute Name="urn:oasis:names:tc:SAML:attribute:assurance-certification" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"> | ||
| <saml:AttributeValue>https://refeds.org/sirtfi2</saml:AttributeValue> | ||
| </saml:Attribute> | ||
| </mdattr:EntityAttributes> | ||
| </Extensions> | ||
| <ContactPerson contactType="other" | ||
| remd:contactType="http://refeds.org/metadata/contactType/security"> | ||
| <GivenName>Name of the security contact</GivenName> | ||
| <EmailAddress>mailto:csirt@example.ac.uk</EmailAddress> | ||
| </ContactPerson> | ||
| </EntityDescriptor> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,14 @@ | ||
| <?xml version="1.0" encoding="UTF-8"?> | ||
| <EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" | ||
| xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute" | ||
| xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" | ||
| xmlns:remd="http://refeds.org/metadata" | ||
| entityID="https://example.ac.uk/only-entity-attribute"> | ||
| <Extensions> | ||
| <mdattr:EntityAttributes> | ||
| <saml:Attribute Name="urn:oasis:names:tc:SAML:attribute:assurance-certification" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"> | ||
| <saml:AttributeValue>https://refeds.org/sirtfi2</saml:AttributeValue> | ||
| </saml:Attribute> | ||
| </mdattr:EntityAttributes> | ||
| </Extensions> | ||
| </EntityDescriptor> |