Add draft phase 2 and phase 3 policy files.
iay committed Jun 5, 2015
1 parent 859fbea commit 5014a09
Showing 2 changed files with 317 additions and 0 deletions.
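--- a/mdx/incommon/edugain-phase2.xml
+++ b/mdx/incommon/edugain-phase2.xml
@@ -0,0 +1,170 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<beans xmlns="http://www.springframework.org/schema/beans"
+default-lazy-init="true"
+xmlns:c="http://www.springframework.org/schema/c"
+xmlns:p="http://www.springframework.org/schema/p"
+xmlns:util="http://www.springframework.org/schema/util"
+xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+xsi:schemaLocation="
+http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
+http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd">
+
+<!--
+edugainPolicy
+Applies policy to entities sourced from eduGAIN.
+Entities may be transformed by policy, or marked as being in error.
+Entities with errors are NOT removed here, so that this policy can be
+used in contexts where reporting is more appropriate than just removal.
+-->
+<bean id="edugainPolicy" parent="CompositeStage"
+p:id="edugainPolicy">
+<property name="composedStages">
+<list>
+
+<!--
+removeInCommonEntities
+Filter out entities that declare themselves as registered
+by our federation. We don't want those coming back in
+from another registrar or metadata exchange as they may be
+old versions of entities we have deregistered, or spoofed.
+-->
+<bean p:id="removeInCommonEntities" parent="EntityRegistrationAuthorityFilterStage">
+<property name="designatedRegistrationAuthorities">
+<list>
+<ref bean="us_incommon_registrar"/>
+</list>
+</property>
+<property name="requiringRegistrationInformation" value="true"/>
+<property name="whitelistingRegistrationAuthorities" value="false"/>
+</bean>
+
+<!--
+Remove all but those eduGAIN entities we intend to import in this
+phase of the roadmap.
+Phase 2: import all SPs, plus IdPs that support global R&S.
+-->
+<bean p:id="selectEntities" parent="XPathFilteringStage"
+p:XPathExpression="not(/md:EntityDescriptor
+[md:IDPSSODescriptor]
+[md:Extensions
+/mdattr:EntityAttributes
+/saml:Attribute
+[@NameFormat = 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri']
+[@Name = 'http://macedir.org/entity-category-support']
+/saml:AttributeValue
+[. = 'http://refeds.org/category/research-and-scholarship']
+]
+or
+/md:EntityDescriptor
+[md:SPSSODescriptor]
+)"
+/>
+
+<!-- Filter the entity attributes imported from eduGAIN. -->
+<bean parent="EntityAttributeFilteringStage" p:id="entityAttributes">
+<property name="rules">
+<list>
+<!-- Permit REFEDS R&S category membership -->
+<bean parent="EntityCategoryMatcher"
+c:category="http://refeds.org/category/research-and-scholarship"/>
+
+<!-- Permit REFEDS R&S category support -->
+<bean parent="EntityCategorySupportMatcher"
+c:category="http://refeds.org/category/research-and-scholarship"/>
+
+<!-- Permit REFEDS Hide From Discovery category membership -->
+<bean parent="EntityCategoryMatcher"
+c:category="http://refeds.org/category/hide-from-discovery"/>
+
+</list>
+</property>
+</bean>
+
+<!--
+The following two namespaces are always stripped because they are
+specific to the UK registrar and can't be valid when imported from
+some other source.
+-->
+<ref bean="stripUkfedlabelNamespace"/>
+<ref bean="stripWayfNamespace"/>
+
+<ref bean="cleanImport"/>
+<ref bean="stripAAMDUI"/>
+<ref bean="trimImportElementWhitespace"/>
+<ref bean="removeEmptyExtensions"/>
+<ref bean="checkSchemas"/>
+
+<!--
+We do not currently apply the complete battery of checking rulesets used by
+the UK federation. Originally, this was because of issues porting some rules
+into the MDA 0.9 environment.
+For reference, here is an expanded list of the individual checking beans
+so that we can review and reintroduce those which seem appropriate.
+CHECK_imported:
+CHECK_std:
+<ref bean="check_adfs"/>
+<ref bean="check_algsupport"/>
+<ref bean="check_bindings"/>
+<ref bean="check_hoksso"/>
+<ref bean="check_idpdisc"/>
+<ref bean="check_incmd"/>
+<ref bean="check_init"/>
+<ref bean="check_mdattr"/>
+<ref bean="check_mdiop"/>
+<ref bean="check_mdrpi"/>
+<ref bean="check_mdui"/>
+<ref bean="check_misc"/>
+<ref bean="check_reqattr"/>
+<ref bean="check_saml1"/>
+<ref bean="check_saml2"/>
+<ref bean="check_saml2int"/>
+<ref bean="check_saml2meta"/>
+<ref bean="check_saml_strings"/>
+<ref bean="check_shibboleth"/>
+<ref bean="check_uk_algorithms"/>
+<ref bean="check_uk_trust"/>
+<ref bean="check_uk_wayf"/>
+<ref bean="check_dup_display"/>
+<ref bean="check_regscope"/>
+<ref bean="check_namespaces"/>
+-->
+
+<bean p:id="certificateValidation" parent="X509ValidationStage">
+<property name="validators">
+<list>
+<!-- Error on RSA key length less than 2048 bits. -->
+<bean parent="X509RSAKeyLengthValidator"
+p:warningBoundary="0" p:errorBoundary="2048"/>
+<!-- Error on small RSA public exponents. -->
+<bean parent="X509RSAExponentValidator"/>
+
+<!--
+Debian weak key blacklists.
+Don't need to check for keys below our minimum key size.
+-->
+<ref bean="debian.2048"/>
+<ref bean="debian.4096"/>
+
+<!--
+Compromised key blacklists.
+Again, don't need to check for keys below our minimum key size.
+-->
+<ref bean="compromised.2048"/>
+</list>
+</property>
+</bean>
+
+</list>
+</property>
+</bean>
+
+</beans>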
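Review bot: The `selectEntities` XPath compares the R&S support AttributeValue with a literal `=`, and it runs before `trimImportElementWhitespace` and `checkSchemas` in the composed stage list, so an IdP whose value carries surrounding whitespace in the raw eduGAIN import is silently dropped rather than imported or reported; that is the conservative failure mode, but worth recording so a missing IdP is not misdiagnosed. The expression also depends on the `md`, `mdattr` and `saml` prefixes being bound by the parent `XPathFilteringStage` bean, which is defined outside this file. I'd add above the bean: `<!-- NOTE: exact string match on the raw import; whitespace is only trimmed later by trimImportElementWhitespace. Prefixes md/mdattr/saml are assumed bound by the parent bean's namespace context. -->`.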
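--- a/mdx/incommon/edugain-phase3.xml
+++ b/mdx/incommon/edugain-phase3.xml
@@ -0,0 +1,147 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<beans xmlns="http://www.springframework.org/schema/beans"
+default-lazy-init="true"
+xmlns:c="http://www.springframework.org/schema/c"
+xmlns:p="http://www.springframework.org/schema/p"
+xmlns:util="http://www.springframework.org/schema/util"
+xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+xsi:schemaLocation="
+http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
+http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd">
+
+<!--
+edugainPolicy
+Applies policy to entities sourced from eduGAIN.
+Entities may be transformed by policy, or marked as being in error.
+Entities with errors are NOT removed here, so that this policy can be
+used in contexts where reporting is more appropriate than just removal.
+-->
+<bean id="edugainPolicy" parent="CompositeStage"
+p:id="edugainPolicy">
+<property name="composedStages">
+<list>
+
+<!--
+removeInCommonEntities
+Filter out entities that declare themselves as registered
+by our federation. We don't want those coming back in
+from another registrar or metadata exchange as they may be
+old versions of entities we have deregistered, or spoofed.
+-->
+<bean p:id="removeInCommonEntities" parent="EntityRegistrationAuthorityFilterStage">
+<property name="designatedRegistrationAuthorities">
+<list>
+<ref bean="us_incommon_registrar"/>
+</list>
+</property>
+<property name="requiringRegistrationInformation" value="true"/>
+<property name="whitelistingRegistrationAuthorities" value="false"/>
+</bean>
+
+<!-- Filter the entity attributes imported from eduGAIN. -->
+<bean parent="EntityAttributeFilteringStage" p:id="entityAttributes">
+<property name="rules">
+<list>
+<!-- Permit REFEDS R&S category membership -->
+<bean parent="EntityCategoryMatcher"
+c:category="http://refeds.org/category/research-and-scholarship"/>
+
+<!-- Permit REFEDS R&S category support -->
+<bean parent="EntityCategorySupportMatcher"
+c:category="http://refeds.org/category/research-and-scholarship"/>
+
+<!-- Permit REFEDS Hide From Discovery category membership -->
+<bean parent="EntityCategoryMatcher"
+c:category="http://refeds.org/category/hide-from-discovery"/>
+
+</list>
+</property>
+</bean>
+
+<!--
+The following two namespaces are always stripped because they are
+specific to the UK registrar and can't be valid when imported from
+some other source.
+-->
+<ref bean="stripUkfedlabelNamespace"/>
+<ref bean="stripWayfNamespace"/>
+
+<ref bean="cleanImport"/>
+<ref bean="stripAAMDUI"/>
+<ref bean="trimImportElementWhitespace"/>
+<ref bean="removeEmptyExtensions"/>
+<ref bean="checkSchemas"/>
+
+<!--
+We do not currently apply the complete battery of checking rulesets used by
+the UK federation. Originally, this was because of issues porting some rules
+into the MDA 0.9 environment.
+For reference, here is an expanded list of the individual checking beans
+so that we can review and reintroduce those which seem appropriate.
+CHECK_imported:
+CHECK_std:
+<ref bean="check_adfs"/>
+<ref bean="check_algsupport"/>
+<ref bean="check_bindings"/>
+<ref bean="check_hoksso"/>
+<ref bean="check_idpdisc"/>
+<ref bean="check_incmd"/>
+<ref bean="check_init"/>
+<ref bean="check_mdattr"/>
+<ref bean="check_mdiop"/>
+<ref bean="check_mdrpi"/>
+<ref bean="check_mdui"/>
+<ref bean="check_misc"/>
+<ref bean="check_reqattr"/>
+<ref bean="check_saml1"/>
+<ref bean="check_saml2"/>
+<ref bean="check_saml2int"/>
+<ref bean="check_saml2meta"/>
+<ref bean="check_saml_strings"/>
+<ref bean="check_shibboleth"/>
+<ref bean="check_uk_algorithms"/>
+<ref bean="check_uk_trust"/>
+<ref bean="check_uk_wayf"/>
+<ref bean="check_dup_display"/>
+<ref bean="check_regscope"/>
+<ref bean="check_namespaces"/>
+-->
+
+<bean p:id="certificateValidation" parent="X509ValidationStage">
+<property name="validators">
+<list>
+<!-- Error on RSA key length less than 2048 bits. -->
+<bean parent="X509RSAKeyLengthValidator"
+p:warningBoundary="0" p:errorBoundary="2048"/>
+<!-- Error on small RSA public exponents. -->
+<bean parent="X509RSAExponentValidator"/>
+
+<!--
+Debian weak key blacklists.
+Don't need to check for keys below our minimum key size.
+-->
+<ref bean="debian.2048"/>
+<ref bean="debian.4096"/>
+
+<!--
+Compromised key blacklists.
+Again, don't need to check for keys below our minimum key size.
+-->
+<ref bean="compromised.2048"/>
+</list>
+</property>
+</bean>
+
+</list>
+</property>
+</bean>
+
+</beans>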
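Review bot: With the phase 2 `selectEntities` stage dropped, every non-InCommon eduGAIN entity now reaches `certificateValidation`, yet that stage lists only RSA-specific validators (key length, public exponent, Debian and compromised-key blacklists); what `X509ValidationStage` does with a non-RSA key is not visible in this file, so such a certificate may pass with no key check at all. I'd state the limit next to the stage: `<!-- NOTE: the validators below are RSA-only; confirm how non-RSA keys are treated before relying on this stage as the key policy. -->`. The disabled check list still mixes generic checks with the UK-registrar-specific beans (`check_uk_algorithms`, `check_uk_trust`, `check_uk_wayf`); marking which are candidates for reintroduction and which are out of scope would make the review that comment asks for easier. This file is otherwise a copy of phase 2 minus one stage, so a shared parent definition would keep the two from drifting.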
