

Reorganize the handling of "future" validation rulesets.
The saml2int ruleset is now run everywhere, but the things that we still have exceptions to are now commented out.
Those failing tests are now included within the "future" ruleset, which is all that the "check.uk.future" target runs.
The "future" rulesets have been broken down into multiple non-overlapping XSLT transforms so that we get to see *all* matches, and none are hidden.
One implicit change is that the import transform will now also perform all the saml2int tests (present and future).
The intention is that each independent failing part of the saml2int ruleset can now be promoted independently once we have cleaned our own metadata up.
iay committed Mar 14, 2012
1 parent d4dbb24 commit 4fad832
Showing 6 changed files with 243 additions and 20 deletions.
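--- a/build/check_future_1.xsl
+++ b/build/check_future_1.xsl
@@ -0,0 +1,70 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+check_future_1.xsl
+Checking ruleset containing rules that we don't currently implement,
+but which we may implement in the future.
+Author: Ian A. Young <ian@iay.org.uk>
+-->
+<xsl:stylesheet version="1.0"
+xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
+xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
+xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
+xmlns:set="http://exslt.org/sets"
+xmlns:wayf="http://sdss.ac.uk/2006/06/WAYF"
+xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+xmlns:idpdisc="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
+
+xmlns:mdxURL="xalan://uk.ac.sdss.xalan.md.URLchecker"
+
+xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
+
+<!--
+Common support functions.
+-->
+<xsl:import href="check_framework.xsl"/>
+
+
+<!--
+***************************
+*** ***
+*** S A M L 2 I N T ***
+*** ***
+***************************
+-->
+
+<!--
+Section 6.
+Check for SAML 2.0 SPs which exclude both transient and persistent SAML 2 name identifier formats.
+-->
+<xsl:template match="md:SPSSODescriptor
+[contains(@protocolSupportEnumeration, 'urn:oasis:names:tc:SAML:2.0:protocol')]
+[md:NameIDFormat]
+[not(md:NameIDFormat[.='urn:oasis:names:tc:SAML:2.0:nameid-format:persistent'])]
+[not(md:NameIDFormat[.='urn:oasis:names:tc:SAML:2.0:nameid-format:transient'])]">
+<xsl:call-template name="error">
+<xsl:with-param name="m">saml2int: SP excludes both SAML 2 name identifier formats</xsl:with-param>
+</xsl:call-template>
+</xsl:template>
+
+<!--
+Section 6.
+Check for SAML 2.0 IdPs which exclude the transient SAML 2 name identifier format.
+-->
+<xsl:template match="md:IDPSSODescriptor
+[contains(@protocolSupportEnumeration, 'urn:oasis:names:tc:SAML:2.0:protocol')]
+[md:NameIDFormat]
+[not(md:NameIDFormat[.='urn:oasis:names:tc:SAML:2.0:nameid-format:transient'])]">
+<xsl:call-template name="error">
+<xsl:with-param name="m">IdP excludes SAML 2 transient name identifier format</xsl:with-param>
+</xsl:call-template>
+</xsl:template>
+
+</xsl:stylesheet>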
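Review bot: The two error messages in this ruleset are formatted inconsistently: the SP template reports `saml2int: SP excludes both SAML 2 name identifier formats` while the IdP template reports `IdP excludes SAML 2 transient name identifier format` with no prefix, and the now-commented originals in build/check_saml2int.xsl carry no prefix either. Since these templates are meant to be promoted back into check_saml2int.xsl verbatim once the metadata is cleaned up, either drop the prefix here (`<xsl:with-param name="m">SP excludes both SAML 2 name identifier formats</xsl:with-param>`) or apply it to both messages so the output of the two rulesets lines up. The stylesheet also declares the ds, saml, shibmd, set, wayf, xsi, idpdisc and mdxURL prefixes although no template in it uses them; they look copied from a sibling stylesheet and could be trimmed to xsl and md.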
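--- a/build/check_future_2.xsl
+++ b/build/check_future_2.xsl
@@ -0,0 +1,54 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+check_future_1.xsl
+Checking ruleset containing rules that we don't currently implement,
+but which we may implement in the future.
+Author: Ian A. Young <ian@iay.org.uk>
+-->
+<xsl:stylesheet version="1.0"
+xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
+xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
+xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
+xmlns:set="http://exslt.org/sets"
+xmlns:wayf="http://sdss.ac.uk/2006/06/WAYF"
+xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+xmlns:idpdisc="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
+
+xmlns:mdxURL="xalan://uk.ac.sdss.xalan.md.URLchecker"
+
+xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
+
+<!--
+Common support functions.
+-->
+<xsl:import href="check_framework.xsl"/>
+
+
+<!--
+***************************
+*** ***
+*** S A M L 2 I N T ***
+*** ***
+***************************
+-->
+
+<!--
+Section 9.1
+Responses MUST use the HTTP-POST binding, so metadata for that MUST be present.
+-->
+<xsl:template match="md:SPSSODescriptor
+[contains(@protocolSupportEnumeration, 'urn:oasis:names:tc:SAML:2.0:protocol')]
+[not(md:AssertionConsumerService[@Binding = 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST'])]">
+<xsl:call-template name="error">
+<xsl:with-param name="m">no HTTP-POST support on SAML 2.0 SP</xsl:with-param>
+</xsl:call-template>
+</xsl:template>
+
+</xsl:stylesheet>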
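Review bot: The header comment names this file `check_future_1.xsl` although it is build/check_future_2.xsl, a copy-paste slip that will mislead anyone locating a ruleset from its header; change it to `check_future_2.xsl`. It would also help to state what distinguishes this sub-ruleset from its siblings, e.g. extend the header with `Holds the saml2int Section 9.1 HTTP-POST binding test.`, since the split into numbered files exists precisely so that each failure surfaces independently. As in check_future_1.xsl, most of the declared namespace prefixes are unused by the single template here.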
10 changes: 6 additions & 4 deletions build/check_saml2int.xsl
Expand Up @@ -36,7 +36,7 @@
Check for SAML 2.0 SPs which exclude both transient and persistent SAML 2 name identifier formats.
-->

<!--
<xsl:template match="md:SPSSODescriptor
[contains(@protocolSupportEnumeration, 'urn:oasis:names:tc:SAML:2.0:protocol')]
[md:NameIDFormat]
Expand All @@ -46,14 +46,14 @@
<xsl:with-param name="m">SP excludes both SAML 2 name identifier formats</xsl:with-param>
</xsl:call-template>
</xsl:template>

-->

<!--
Section 6.
Check for SAML 2.0 IdPs which exclude the transient SAML 2 name identifier format.
-->

<!--
<xsl:template match="md:IDPSSODescriptor
[contains(@protocolSupportEnumeration, 'urn:oasis:names:tc:SAML:2.0:protocol')]
[md:NameIDFormat]
Expand All @@ -62,7 +62,7 @@
<xsl:with-param name="m">IdP excludes SAML 2 transient name identifier format</xsl:with-param>
</xsl:call-template>
</xsl:template>

-->

<!--
Section 7.
Expand Down Expand Up @@ -94,12 +94,14 @@
Responses MUST use the HTTP-POST binding, so metadata for that MUST be present.
-->
<!--
<xsl:template match="md:SPSSODescriptor
[contains(@protocolSupportEnumeration, 'urn:oasis:names:tc:SAML:2.0:protocol')]
[not(md:AssertionConsumerService[@Binding = 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST'])]">
<xsl:call-template name="error">
<xsl:with-param name="m">no HTTP-POST support on SAML 2.0 SP</xsl:with-param>
</xsl:call-template>
</xsl:template>
-->

</xsl:stylesheet>
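Review bot: Commenting out whole templates here leaves two copies of each rule, the commented text in this file and the live copy in build/check_future_1.xsl and build/check_future_2.xsl, and they have already diverged: the future copy of the Section 6 SP message reads `saml2int: SP excludes both SAML 2 name identifier formats` while the one preserved here has no prefix. Since promotion is intended to be a move back, replacing each commented-out body with a one-line pointer such as `<!-- Section 6 SP test: currently lives in check_future_1.xsl pending metadata cleanup. -->` keeps a single source of truth and avoids the drift. The same applies to the IdP template in the second hunk and the HTTP-POST template in the third; the SP template in the first hunk continues outside the hunk.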
24 changes: 24 additions & 0 deletions mdx/common-beans.xml
Expand Up @@ -10,6 +10,30 @@
http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util-3.0.xsd">

<!--
***********************************
*** ***
*** P A R E N T B E A N S ***
*** ***
***********************************
-->

<!--
stage_parent
Parent (template) for all stages.
-->
<bean id="stage_parent" lazy-init="true" init-method="initialize" abstract="true"/>

<!--
composite_parent
Parent (template) for composite stages.
-->
<bean id="composite_parent" class="net.shibboleth.metadata.pipeline.CompositeStage"
parent="stage_parent" abstract="true"/>


<!--
***********************************************
*** ***
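Review bot: The `stage_parent` bean is abstract and carries `lazy-init="true" init-method="initialize"`, both of which Spring bean inheritance passes down to every child declared with `parent="stage_parent"`, so the one-line comment understates what a child commits to: each concrete stage class must expose an `initialize()` method or context startup fails for that bean. Suggest expanding the comment to `Parent (template) for all stages. Children inherit lazy-init="true" and init-method="initialize", so every concrete stage class must provide an initialize() method.`. Since check_xslt_parent in mdx/validation-beans.xml now depends on this bean from another file, a short cross-reference to that consumer here would also help a reader who only has this file open.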
1 change: 0 additions & 1 deletion mdx/uk/verbs.xml
Expand Up @@ -140,7 +140,6 @@
<ref bean="populateItemIds"/>
<ref bean="uk_populateIds"/>

<ref bean="check_saml2int"/>
<ref bean="check_future"/>
<ref bean="errorAnnouncingFilter"/>
</list>
104 changes: 89 additions & 15 deletions mdx/validation-beans.xml
Expand Up @@ -10,14 +10,101 @@
http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util-3.0.xsd">

<!--
***********************************
*** ***
*** P A R E N T B E A N S ***
*** ***
***********************************
-->

<!--
check_xslt_parent
Parent (template) for XSLT-based checking stages.
-->
<bean id="check_xslt_parent" class="net.shibboleth.metadata.dom.XSLValidationStage"
lazy-init="true" init-method="initialize" abstract="true"/>
parent="stage_parent" abstract="true"/>


<!--
***********************************
*** ***
*** F U T U R E T E S T S ***
*** ***
***********************************
The tests in this section are not applied to the UK federation metadata at the moment,
but will be in the future. Usually, the delay is due to the presence of the specific
case in the current metadata, and the test will be moved into production once that
has been cleaned up. In some cases, this can be a lengthy process.
The main check_future test is broken down into a number of sub-tests rather than
just writing it as one long XSLT ruleset so that overlapping failures can all be
seen at the same time. This isn't so important in production, where any failure
is definitive. It's much more important while cleaning up existing metadata, where
it's less productive to clear up one problem only to have another one emerge from
hiding.
-->

<!--
check_future_0
-->
<bean id="check_future_0" p:id="check_future_0" parent="check_xslt_parent">
<property name="xslResource">
<bean class="org.opensaml.util.resource.FilesystemResource">
<constructor-arg value="#{ systemProperties['basedir'] }/build/check_future.xsl"/>
</bean>
</property>
</bean>

<!--
check_future_1
-->
<bean id="check_future_1" p:id="check_future_1" parent="check_xslt_parent">
<property name="xslResource">
<bean class="org.opensaml.util.resource.FilesystemResource">
<constructor-arg value="#{ systemProperties['basedir'] }/build/check_future_1.xsl"/>
</bean>
</property>
</bean>

<!--
check_future_2
-->
<bean id="check_future_2" p:id="check_future_2" parent="check_xslt_parent">
<property name="xslResource">
<bean class="org.opensaml.util.resource.FilesystemResource">
<constructor-arg value="#{ systemProperties['basedir'] }/build/check_future_2.xsl"/>
</bean>
</property>
</bean>

<!--
check_future
Combines all check_future_N stages.
-->
<bean id="check_future" p:id="check_future" parent="composite_parent">
<property name="composedStages">
<list>
<ref bean="check_future_0"/>
<ref bean="check_future_1"/>
<ref bean="check_future_2"/>
</list>
</property>
</bean>


<!--
*********************
*** ***
*** ( E N D ) ***
*** ***
*********************
-->


<!--
check_adfs
-->
Expand Down Expand Up @@ -70,19 +157,6 @@
</property>
</bean>

<!--
check_future
-->
<bean id="check_future" class="net.shibboleth.metadata.dom.XSLValidationStage"
init-method="initialize" lazy-init="true">
<property name="id" value="check_future"/>
<property name="xslResource">
<bean class="org.opensaml.util.resource.FilesystemResource">
<constructor-arg value="#{ systemProperties['basedir'] }/build/check_future.xsl"/>
</bean>
</property>
</bean>

<!--
check_idpdisc
-->
Expand Down Expand Up @@ -430,6 +504,7 @@
<ref bean="check_reqattr"/>
<ref bean="check_saml1"/>
<ref bean="check_saml2"/>
<ref bean="check_saml2int"/>
<ref bean="check_saml2meta"/>
<ref bean="check_shibboleth"/>
</list>
Expand All @@ -446,7 +521,6 @@
<list>
<ref bean="CHECK_std"/>
<ref bean="check_future"/>
<ref bean="check_saml2int"/>
<ref bean="check_regscope"/>
</list>
</property>
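Review bot: `check_xslt_parent` now inherits from `stage_parent`, but that bean is not defined in this file (this commit adds it to mdx/common-beans.xml), so the header comment should record the dependency: `Parent (template) for XSLT-based checking stages; inherits lazy-init and init-method from stage_parent (mdx/common-beans.xml).`. The comments on check_future_0, check_future_1 and check_future_2 repeat the bean name but say nothing about what each sub-ruleset contains; a one-line summary per bean naming the saml2int section its XSLT covers would let a reader pick the right file without opening all three. The new beans also switch from `<property name="id" .../>` to the `p:id` shorthand, which presumes the Spring `p` namespace is declared on the root element; that element is outside this hunk, so confirm the declaration is present.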
