Skip to content

Commit

Permalink
Check imported metadata to make sure that IdPs aren't going to run in…
Browse files Browse the repository at this point in the history 
…to the SSL renegotiation problem by ensuring that the hosts used for SSO are distinct from the hosts used for SOAP (on which X.509 credentials are presented)
  • Loading branch information
@iay
iay committed Mar 8, 2010
1 parent 8a3b638 commit 51f73d9
Showing 1 changed file with 28 additions and 2 deletions.
30 changes: 28 additions & 2 deletions build/check_imported.xsl
View file
Original file line number Diff line number Diff line change
Expand Up @@ -14,6 +14,7 @@
xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
xmlns:dyn="http://exslt.org/dynamic"
xmlns:set="http://exslt.org/sets"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:idpdisc="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
Expand All @@ -25,7 +26,32 @@
<xsl:import href="check_framework.xsl"/>

<!--
There aren't any rules that apply only in this context.
Look for IdPs which have either attribute authority or artifact resolution locations
on the same host:port combination as any of the SSO locations.
-->

<xsl:template match="md:EntityDescriptor[md:IDPSSODescriptor]">
<!-- XPath expression to evaluate to extract host:port strings from locations -->
<xsl:variable name="extract">substring-before(substring-after(concat(., '/'), 'https://'), '/')</xsl:variable>

<!-- Collect all of the SSO locations -->
<xsl:variable name="ssoLocations" select="descendant::md:SingleSignOnService/@Location"/>
<!-- convert to set of unique host:port strings -->
<xsl:variable name="ssoHosts" select="set:distinct(dyn:map($ssoLocations, $extract))"/>

<!-- Collect all of the attribute authority and artifact resolution locations -->
<xsl:variable name="soapLocations"
select="descendant::md:AttributeService/@Location |
descendant::md:ArtifactResolutionService/@Location"/>
<!-- convert to set of unique host:port strings -->
<xsl:variable name="soapHosts" select="set:distinct(dyn:map($soapLocations, $extract))"/>

<!-- we expect these two sets to be disjoint -->
<xsl:variable name="bothHosts" select="set:distinct($ssoHosts | $soapHosts)"/>
<xsl:if test="count($bothHosts) != count($ssoHosts) + count($soapHosts)">
<xsl:call-template name="fatal">
<xsl:with-param name="m">at least one SOAP location on same vhost as an SSO location</xsl:with-param>
</xsl:call-template>
</xsl:if>
</xsl:template>

</xsl:stylesheet>

0 comments on commit 51f73d9

Please sign in to comment.