From 4fad832a2e47ab71059a971bc4d093248dddcbfe Mon Sep 17 00:00:00 2001
From: Ian Young <ian@iay.org.uk>
Date: Wed, 14 Mar 2012 17:21:46 +0000
Subject: [PATCH] Reorganize the handling of "future" validation rulesets. The
 saml2int ruleset is now run everywhere, but the things that we still have
 exceptions to are now commented out. Those failing tests are now included
 within the "future" ruleset, which is all that the "check.uk.future" target
 runs. The "future" rulesets have been broken down into multiple
 non-overlapping XSLT transforms so that we get to see *all* matches, and none
 are hidden. One implicit change is that the import transform will now also
 perform all the saml2int tests (present and future). The intention is that
 each independent failing part of the saml2int ruleset can now be promoted
 independently once we have cleaned our own metadata up.

---
 build/check_future_1.xsl |  70 ++++++++++++++++++++++++++
 build/check_future_2.xsl |  54 ++++++++++++++++++++
 build/check_saml2int.xsl |  10 ++--
 mdx/common-beans.xml     |  24 +++++++++
 mdx/uk/verbs.xml         |   1 -
 mdx/validation-beans.xml | 104 +++++++++++++++++++++++++++++++++------
 6 files changed, 243 insertions(+), 20 deletions(-)
 create mode 100644 build/check_future_1.xsl
 create mode 100644 build/check_future_2.xsl

diff --git a/build/check_future_1.xsl b/build/check_future_1.xsl
new file mode 100644
index 00000000..0a7ba737
--- /dev/null
+++ b/build/check_future_1.xsl
@@ -0,0 +1,70 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+
+	check_future_1.xsl
+	
+	Checking ruleset containing rules that we don't currently implement,
+	but which we may implement in the future.
+	
+	Author: Ian A. Young <ian@iay.org.uk>
+
+-->
+<xsl:stylesheet version="1.0"
+	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+	xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
+	xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+	xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
+	xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
+	xmlns:set="http://exslt.org/sets"
+	xmlns:wayf="http://sdss.ac.uk/2006/06/WAYF"
+	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+	xmlns:idpdisc="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
+
+	xmlns:mdxURL="xalan://uk.ac.sdss.xalan.md.URLchecker"
+
+	xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
+
+	<!--
+		Common support functions.
+	-->
+	<xsl:import href="check_framework.xsl"/>
+
+	
+	<!--
+		***************************
+		***                     ***
+		***   S A M L 2 I N T   ***
+		***                     ***
+		***************************
+	-->
+	
+	<!--
+        Section 6.
+        
+        Check for SAML 2.0 SPs which exclude both transient and persistent SAML 2 name identifier formats.
+    -->
+    <xsl:template match="md:SPSSODescriptor
+        [contains(@protocolSupportEnumeration, 'urn:oasis:names:tc:SAML:2.0:protocol')]
+        [md:NameIDFormat]
+        [not(md:NameIDFormat[.='urn:oasis:names:tc:SAML:2.0:nameid-format:persistent'])]
+        [not(md:NameIDFormat[.='urn:oasis:names:tc:SAML:2.0:nameid-format:transient'])]">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">saml2int: SP excludes both SAML 2 name identifier formats</xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
+	
+	<!--
+        Section 6.
+        
+        Check for SAML 2.0 IdPs which exclude the transient SAML 2 name identifier format.
+    -->
+    <xsl:template match="md:IDPSSODescriptor
+        [contains(@protocolSupportEnumeration, 'urn:oasis:names:tc:SAML:2.0:protocol')]
+        [md:NameIDFormat]
+        [not(md:NameIDFormat[.='urn:oasis:names:tc:SAML:2.0:nameid-format:transient'])]">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">IdP excludes SAML 2 transient name identifier format</xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
+	
+</xsl:stylesheet>
diff --git a/build/check_future_2.xsl b/build/check_future_2.xsl
new file mode 100644
index 00000000..a4689377
--- /dev/null
+++ b/build/check_future_2.xsl
@@ -0,0 +1,54 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+
+	check_future_1.xsl
+	
+	Checking ruleset containing rules that we don't currently implement,
+	but which we may implement in the future.
+	
+	Author: Ian A. Young <ian@iay.org.uk>
+
+-->
+<xsl:stylesheet version="1.0"
+	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+	xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
+	xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+	xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
+	xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
+	xmlns:set="http://exslt.org/sets"
+	xmlns:wayf="http://sdss.ac.uk/2006/06/WAYF"
+	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+	xmlns:idpdisc="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
+
+	xmlns:mdxURL="xalan://uk.ac.sdss.xalan.md.URLchecker"
+
+	xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
+
+	<!--
+		Common support functions.
+	-->
+	<xsl:import href="check_framework.xsl"/>
+
+	
+	<!--
+		***************************
+		***                     ***
+		***   S A M L 2 I N T   ***
+		***                     ***
+		***************************
+	-->
+	
+	<!--
+        Section 9.1
+        
+        Responses MUST use the HTTP-POST binding, so metadata for that MUST be present.
+    -->
+    <xsl:template match="md:SPSSODescriptor
+        [contains(@protocolSupportEnumeration, 'urn:oasis:names:tc:SAML:2.0:protocol')]
+        [not(md:AssertionConsumerService[@Binding = 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST'])]">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">no HTTP-POST support on SAML 2.0 SP</xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
+
+</xsl:stylesheet>
diff --git a/build/check_saml2int.xsl b/build/check_saml2int.xsl
index de54b5fa..83904536 100644
--- a/build/check_saml2int.xsl
+++ b/build/check_saml2int.xsl
@@ -36,7 +36,7 @@
 		
 		Check for SAML 2.0 SPs which exclude both transient and persistent SAML 2 name identifier formats.
 	-->
-	
+	<!--
 	<xsl:template match="md:SPSSODescriptor
 		[contains(@protocolSupportEnumeration, 'urn:oasis:names:tc:SAML:2.0:protocol')]
 		[md:NameIDFormat]
@@ -46,14 +46,14 @@
 			<xsl:with-param name="m">SP excludes both SAML 2 name identifier formats</xsl:with-param>
 		</xsl:call-template>
 	</xsl:template>
-	
+	-->
 	
 	<!--
 		Section 6.
 		
 		Check for SAML 2.0 IdPs which exclude the transient SAML 2 name identifier format.
 	-->
-	
+	<!--
 	<xsl:template match="md:IDPSSODescriptor
 		[contains(@protocolSupportEnumeration, 'urn:oasis:names:tc:SAML:2.0:protocol')]
 		[md:NameIDFormat]
@@ -62,7 +62,7 @@
 			<xsl:with-param name="m">IdP excludes SAML 2 transient name identifier format</xsl:with-param>
 		</xsl:call-template>
 	</xsl:template>
-	
+	-->
 	
 	<!--
 		Section 7.
@@ -94,6 +94,7 @@
 		
 		Responses MUST use the HTTP-POST binding, so metadata for that MUST be present.
 	-->
+	<!--
 	<xsl:template match="md:SPSSODescriptor
 		[contains(@protocolSupportEnumeration, 'urn:oasis:names:tc:SAML:2.0:protocol')]
 		[not(md:AssertionConsumerService[@Binding = 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST'])]">
@@ -101,5 +102,6 @@
 			<xsl:with-param name="m">no HTTP-POST support on SAML 2.0 SP</xsl:with-param>
 		</xsl:call-template>
 	</xsl:template>
+	-->
 	
 </xsl:stylesheet>
diff --git a/mdx/common-beans.xml b/mdx/common-beans.xml
index 18b87551..06393465 100644
--- a/mdx/common-beans.xml
+++ b/mdx/common-beans.xml
@@ -10,6 +10,30 @@
         http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
         http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util-3.0.xsd">
 
+    <!--
+        ***********************************
+        ***                             ***
+        ***   P A R E N T   B E A N S   ***
+        ***                             ***
+        ***********************************
+    -->
+    
+    <!--
+        stage_parent
+        
+        Parent (template) for all stages.
+    -->
+    <bean id="stage_parent" lazy-init="true" init-method="initialize" abstract="true"/>
+    
+    <!--
+        composite_parent
+        
+        Parent (template) for composite stages.
+    -->
+    <bean id="composite_parent" class="net.shibboleth.metadata.pipeline.CompositeStage"
+        parent="stage_parent" abstract="true"/>
+    
+    
     <!--
         ***********************************************
         ***                                         ***
diff --git a/mdx/uk/verbs.xml b/mdx/uk/verbs.xml
index e21c801b..908532d6 100644
--- a/mdx/uk/verbs.xml
+++ b/mdx/uk/verbs.xml
@@ -140,7 +140,6 @@
                 <ref bean="populateItemIds"/>
                 <ref bean="uk_populateIds"/>
                 
-                <ref bean="check_saml2int"/>
                 <ref bean="check_future"/>
                 <ref bean="errorAnnouncingFilter"/>
             </list>
diff --git a/mdx/validation-beans.xml b/mdx/validation-beans.xml
index 70987037..376e9a90 100644
--- a/mdx/validation-beans.xml
+++ b/mdx/validation-beans.xml
@@ -10,14 +10,101 @@
         http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
         http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util-3.0.xsd">
 
+    <!--
+        ***********************************
+        ***                             ***
+        ***   P A R E N T   B E A N S   ***
+        ***                             ***
+        ***********************************
+    -->
+    
     <!--
         check_xslt_parent
         
         Parent (template) for XSLT-based checking stages.
     -->
     <bean id="check_xslt_parent" class="net.shibboleth.metadata.dom.XSLValidationStage"
-        lazy-init="true" init-method="initialize" abstract="true"/>
+        parent="stage_parent" abstract="true"/>
+    
+    
+    <!--
+        ***********************************
+        ***                             ***
+        ***   F U T U R E   T E S T S   ***
+        ***                             ***
+        ***********************************
+        
+        The tests in this section are not applied to the UK federation metadata at the moment,
+        but will be in the future.  Usually, the delay is due to the presence of the specific
+        case in the current metadata, and the test will be moved into production once that
+        has been cleaned up.  In some cases, this can be a lengthy process.
+        
+        The main check_future test is broken down into a number of sub-tests rather than
+        just writing it as one long XSLT ruleset so that overlapping failures can all be
+        seen at the same time.  This isn't so important in production, where any failure
+        is definitive.  It's much more important while cleaning up existing metadata, where
+        it's less productive to clear up one problem only to have another one emerge from
+        hiding.
+    -->
+    
+    <!--
+        check_future_0
+    -->
+    <bean id="check_future_0" p:id="check_future_0" parent="check_xslt_parent">
+        <property name="xslResource">
+            <bean class="org.opensaml.util.resource.FilesystemResource">
+                <constructor-arg value="#{ systemProperties['basedir'] }/build/check_future.xsl"/>
+            </bean>
+        </property>
+    </bean>
+    
+    <!--
+        check_future_1
+    -->
+    <bean id="check_future_1" p:id="check_future_1" parent="check_xslt_parent">
+        <property name="xslResource">
+            <bean class="org.opensaml.util.resource.FilesystemResource">
+                <constructor-arg value="#{ systemProperties['basedir'] }/build/check_future_1.xsl"/>
+            </bean>
+        </property>
+    </bean>
+    
+    <!--
+        check_future_2
+    -->
+    <bean id="check_future_2" p:id="check_future_2" parent="check_xslt_parent">
+        <property name="xslResource">
+            <bean class="org.opensaml.util.resource.FilesystemResource">
+                <constructor-arg value="#{ systemProperties['basedir'] }/build/check_future_2.xsl"/>
+            </bean>
+        </property>
+    </bean>
     
+    <!--
+        check_future
+        
+        Combines all check_future_N stages.
+    -->
+    <bean id="check_future" p:id="check_future" parent="composite_parent">
+        <property name="composedStages">
+            <list>
+                <ref bean="check_future_0"/>
+                <ref bean="check_future_1"/>
+                <ref bean="check_future_2"/>
+            </list>
+        </property>
+    </bean>
+    
+
+    <!--
+        *********************
+        ***               ***
+        ***   ( E N D )   ***
+        ***               ***
+        *********************
+    -->
+    
+
     <!--
         check_adfs
     -->
@@ -70,19 +157,6 @@
         </property>
     </bean>
     
-    <!--
-        check_future
-    -->
-    <bean id="check_future" class="net.shibboleth.metadata.dom.XSLValidationStage"
-        init-method="initialize" lazy-init="true">
-        <property name="id" value="check_future"/>
-        <property name="xslResource">
-            <bean class="org.opensaml.util.resource.FilesystemResource">
-                <constructor-arg value="#{ systemProperties['basedir'] }/build/check_future.xsl"/>
-            </bean>
-        </property>
-    </bean>
-    
     <!--
         check_idpdisc
     -->
@@ -430,6 +504,7 @@
                 <ref bean="check_reqattr"/>
                 <ref bean="check_saml1"/>
                 <ref bean="check_saml2"/>
+                <ref bean="check_saml2int"/>
                 <ref bean="check_saml2meta"/>
                 <ref bean="check_shibboleth"/>
             </list>
@@ -446,7 +521,6 @@
             <list>
                 <ref bean="CHECK_std"/>
                 <ref bean="check_future"/>
-                <ref bean="check_saml2int"/>
                 <ref bean="check_regscope"/>
             </list>
         </property>