From 51f73d974b3c348c21d7186a14cf2a55996b6368 Mon Sep 17 00:00:00 2001
From: Ian Young <ian@iay.org.uk>
Date: Mon, 8 Mar 2010 15:34:45 +0000
Subject: [PATCH] Check imported metadata to make sure that IdPs aren't going
 to run into the SSL renegotiation problem by ensuring that the hosts used for
 SSO are distinct from the hosts used for SOAP (on which X.509 credentials are
 presented)

---
 build/check_imported.xsl | 30 ++++++++++++++++++++++++++++--
 1 file changed, 28 insertions(+), 2 deletions(-)

diff --git a/build/check_imported.xsl b/build/check_imported.xsl
index 6955e945..926c53b3 100644
--- a/build/check_imported.xsl
+++ b/build/check_imported.xsl
@@ -14,6 +14,7 @@
 	xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
 	xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
 	xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
+	xmlns:dyn="http://exslt.org/dynamic"
 	xmlns:set="http://exslt.org/sets"
 	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
 	xmlns:idpdisc="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
@@ -25,7 +26,32 @@
 	<xsl:import href="check_framework.xsl"/>
 
 	<!--
-		There aren't any rules that apply only in this context.
+		Look for IdPs which have either attribute authority or artifact resolution locations
+		on the same host:port combination as any of the SSO locations.
 	-->
-
+	<xsl:template match="md:EntityDescriptor[md:IDPSSODescriptor]">
+		<!-- XPath expression to evaluate to extract host:port strings from locations -->
+		<xsl:variable name="extract">substring-before(substring-after(concat(., '/'), 'https://'), '/')</xsl:variable>
+		
+		<!-- Collect all of the SSO locations -->
+		<xsl:variable name="ssoLocations" select="descendant::md:SingleSignOnService/@Location"/>
+		<!-- convert to set of unique host:port strings -->
+		<xsl:variable name="ssoHosts" select="set:distinct(dyn:map($ssoLocations, $extract))"/>
+		
+		<!-- Collect all of the attribute authority and artifact resolution locations -->
+		<xsl:variable name="soapLocations"
+			select="descendant::md:AttributeService/@Location |
+			descendant::md:ArtifactResolutionService/@Location"/>
+		<!-- convert to set of unique host:port strings -->
+		<xsl:variable name="soapHosts" select="set:distinct(dyn:map($soapLocations, $extract))"/>
+		
+		<!-- we expect these two sets to be disjoint -->
+		<xsl:variable name="bothHosts" select="set:distinct($ssoHosts | $soapHosts)"/>
+		<xsl:if test="count($bothHosts) != count($ssoHosts) + count($soapHosts)">
+			<xsl:call-template name="fatal">
+				<xsl:with-param name="m">at least one SOAP location on same vhost as an SSO location</xsl:with-param>
+			</xsl:call-template>
+		</xsl:if>
+	</xsl:template>
+	
 </xsl:stylesheet>