Initial work on a framework for pattern-based checking of metadata.

InCommon · May 8, 2009 · 4b56dfe · 4b56dfe
1 parent 57ead4c
commit 4b56dfe
Show file tree

Hide file tree

Showing 2 changed files with 110 additions and 0 deletions.
diff --git a/build.xml b/build.xml
@@ -361,6 +361,14 @@
 			o="ukfederation-wayf-unsigned.xml"/>
 	</target>
 
+	<!--
+		*******************************************
+		***                                     ***
+		***   M E T A D A T A   S I G N I N G   ***
+		***                                     ***
+		*******************************************
+	-->
+
 	<!--
 		Acquire the keystore password.
 	-->
@@ -489,6 +497,35 @@
 		<echo>Verification completed.</echo>
 	</target>
 
+	<!--
+		*****************************************
+		***                                   ***
+		***   M E T A D A T A   C H E C K S   ***
+		***                                   ***
+		*****************************************
+	-->
+
+	<macrodef name="CHECK">
+		<attribute name="i"/>
+		<sequential>
+			<XALAN i="@{i}" o="temp.tmp" x="check.xsl"/>
+		</sequential>
+	</macrodef>
+
+	<target name="err.test" depends="gen.uk.unsigned">
+		<echo>testing UK federation metadata</echo>
+		<CHECK i="${uk.metadata.unsigned}"/>
+		<echo>tested UK federation metadata</echo>
+	</target>
+
+	<!--
+		*******************************
+		***                         ***
+		***   M I S C E L L A N Y   ***
+		***                         ***
+		*******************************
+	-->
+
 	<!--
 		Statistics generation
 		

diff --git a/build/check.xsl b/build/check.xsl
@@ -0,0 +1,73 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+
+	check.xsl
+	
+	XSL stylesheet that takes a file full of metadata for the UK federation
+	and checks it against local conventions.
+	
+	Author: Ian A. Young <ian@iay.org.uk>
+
+-->
+<xsl:stylesheet version="1.0"
+	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+	xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
+	xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+	xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
+
+	<!--
+		The stylesheet output will be a text file, which will probably be thrown
+		away in any case.  The real output from the check is sent using the
+		xsl:message element.
+	-->
+	<xsl:output method="text"/>
+
+
+	<!--
+		Checks for an IdP whose KeyDescriptor elements do not include a @use attribute.
+		This causes problems with certain versions of the Shibboleth 1.3 SP, which
+		interpret this as "no use permitted" rather than "either signing or encryption use
+		permitted".
+		
+		Two checks are required, one for each of the IdP role descriptors.
+	-->
+
+	<xsl:template match="md:IDPSSODescriptor/md:KeyDescriptor[not(@use)]">
+		<xsl:call-template name="fatal">
+			<xsl:with-param name="m">IdP SSO KeyDescriptor lacking @use</xsl:with-param>
+		</xsl:call-template>
+	</xsl:template>
+
+	<xsl:template match="md:AttributeAuthorityDescriptor/md:KeyDescriptor[not(@use)]">
+		<xsl:call-template name="fatal">
+			<xsl:with-param name="m">IdP AA KeyDescriptor lacking @use</xsl:with-param>
+		</xsl:call-template>
+	</xsl:template>
+
+
+	<!--
+		Common template to call to report a fatal error on some element within an entity.
+	-->
+	<xsl:template name="fatal">
+		<xsl:param name="m"/>
+		<xsl:message terminate='no'>
+			<xsl:text>*** </xsl:text>
+			<xsl:value-of select="ancestor::md:EntityDescriptor/@ID"/>
+			<xsl:text>: </xsl:text>
+			<xsl:value-of select="$m"/>
+		</xsl:message>
+	</xsl:template>
+
+
+	<!-- Recurse down through all elements by default. -->
+	<xsl:template match="*">
+		<xsl:apply-templates select="node()|@*"/>
+	</xsl:template>
+
+	<!-- Discard text blocks, comments and attributes by default. -->
+	<xsl:template match="text()|comment()|@*">
+		<!-- do nothing -->
+	</xsl:template>
+
+</xsl:stylesheet>