Implement per-entity metadata generation

InCommon · Oct 20, 2016 · 54bbee8 · 54bbee8
1 parent 3ae2f24
commit 54bbee8
Show file tree

Hide file tree

Showing 2 changed files with 132 additions and 0 deletions.
diff --git a/build.xml b/build.xml
@@ -210,6 +210,7 @@
     <property name="entities.dir" value="${shared.ws.dir}/${git.repo.project.data}/entities"/>
     <property name="members.dir" value="${shared.ws.dir}/${git.repo.project.data}/members"/>
     <property name="output.dir" value="${shared.ws.dir}/build"/>
+    <property name="mdq.output.dir" value="${shared.ws.dir}/build/mdq"/>
     <property name="temp.dir" value="${shared.ws.dir}/build"/>
 
     <!--
@@ -1374,6 +1375,9 @@
     <property name="mda.mdx.dir" value="${mdx.dir}"/>
     <property name="mda.members.dir" value="${members.dir}"/>
     <property name="mda.output.dir" value="${output.dir}"/>
+    <property name="mda.sign.keyAlias" value="${sign.uk.keyAlias}"/>
+    <property name="mda.sign.pkcs11Config" value="${sign.uk.pkcs11Config}"/>
+    <property name="mda.mdq.output" value="${mdq.output.dir}"/>
 
     <!--
         Build a property set of all the properties to be passed through, with
@@ -1708,6 +1712,7 @@
         <input addproperty="sign.uk.keyPassword">
             Please enter the password for the keystores:
         </input>
+        <property name="mda.sign.keyPassword" value="${sign.uk.keyPassword}"/>
     </target>
 
     <!--
@@ -1779,6 +1784,36 @@
         <echo>Verification completed.</echo>
     </target>
 
+    <!--
+        Break the production aggregate into per-entity metadata, sign the
+        individual documents and write them as individual files into a
+        destination directory.
+    -->
+    <target name="samlmd.mdq.sign" depends="get.sign.uk.keyPassword">
+        <property name="mda.mdq.input" value="${output.dir}/${mdaggr.prod.unsigned}"/>
+        <echo>Generating per-entity metadata in ${mda.mdq.output}</echo>
+        <echo>    from production aggregate in ${mda.mdq.input}</echo>
+        <delete dir="${mdq.output.dir}" quiet="true"/>
+        <mkdir dir="${mdq.output.dir}"/>
+        <CHANNEL.do channel="uk" verb="mdq-multisign"/>
+        <echo>Generation complete.</echo>
+    </target>
+
+    <!--
+        Simple local test of per-entity metadata generation, based on a single
+        entity rather than the whole production aggregate, because dev environment
+        PKCS#11 tokens are not fast enough to sign everything.
+    -->
+    <target name="samlmd.mdq.sign.test" depends="get.sign.uk.keyPassword">
+        <property name="mda.mdq.input" value="${entities.dir}/uk000006.xml"/>
+        <echo>Generating per-entity metadata in ${mda.mdq.output}</echo>
+        <echo>    from test metadata in ${mda.mdq.input}</echo>
+        <delete dir="${mdq.output.dir}" quiet="true"/>
+        <mkdir dir="${mdq.output.dir}"/>
+        <CHANNEL.do channel="uk" verb="mdq-multisign"/>
+        <echo>Generation complete.</echo>
+    </target>
+
 
     <!--
         *******************************************************

diff --git a/mdx/uk/mdq-multisign.xml b/mdx/uk/mdq-multisign.xml
@@ -0,0 +1,97 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+    Generate and sign per-entity metadata.
+-->
+<beans xmlns="http://www.springframework.org/schema/beans"
+    default-lazy-init="true"
+    xmlns:c="http://www.springframework.org/schema/c"
+    xmlns:p="http://www.springframework.org/schema/p"
+    xmlns:util="http://www.springframework.org/schema/util"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:schemaLocation="
+        http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
+        http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd">
+
+    <!--
+        Import commonly used beans.
+    -->
+    <import resource="classpath:common-beans.xml"/>
+
+    <!--
+        Import channel-specific beans.
+    -->
+    <import resource="classpath:uk/beans.xml"/>
+
+    <!-- This bean MUST be called "conversionService" to work properly. -->
+    <bean id="conversionService" class="org.springframework.context.support.ConversionServiceFactoryBean">
+        <property name="converters">
+            <set>
+                <bean class="net.shibboleth.ext.spring.config.DurationToLongConverter" />
+                <bean class="net.shibboleth.ext.spring.config.StringToIPRangeConverter" />
+                <bean class="net.shibboleth.ext.spring.config.BooleanToPredicateConverter" />
+                <bean class="net.shibboleth.ext.spring.config.StringBooleanToPredicateConverter" />
+                <bean class="net.shibboleth.ext.spring.config.StringToResourceConverter" />
+            </set>
+        </property>
+    </bean>
+
+    <!--
+        Generate per-entity metadata.
+    -->
+    <bean id="mdq-multisign" parent="SimplePipeline">
+        <property name="stages">
+            <list>
+                <!--
+                    Start with the unsigned production aggregate.
+                -->
+                <bean id="production_aggregate" parent="DOMResourceSourceStage">
+                    <property name="DOMResource">
+                        <bean parent="FileSystemResource" c:_0="${mdq.input}"/>
+                    </property>
+                </bean>
+
+                <!-- Break down into individual entities. -->
+                <ref bean="disassemble"/>
+
+                <!-- Populate ItemId with the entityID. -->
+                <ref bean="populateItemIds"/>
+
+                <!-- Set ID, cacheDuration and validUntil attributes. -->
+                <bean parent="GenerateIdStage"/>
+                <bean parent="SetCacheDurationStage" p:cacheDuration="PT6H"/>
+                <bean parent="SetValidUntilStage" p:validityDuration="P14D"/>
+
+                <!-- Identity transform fixes signing issues. -->
+                <bean parent="XSLTransformationStage"
+                    p:XSLResource="classpath:identity.xsl"/>
+
+                <!-- Sign each item. -->
+                <bean id="perform.signature" parent="XMLSignatureSigningStage">
+                    <property name="privateKey">
+                        <bean parent="PKCS11PrivateKeyFactoryBean"
+                            p:pkcs11Config="${sign.pkcs11Config}"
+                            p:keyPassword="${sign.keyPassword}"
+                            p:keyAlias="${sign.keyAlias}"
+                        />
+                    </property>
+                </bean>
+
+                <!-- Write individual entity documents to files. -->
+                <bean id="write.perentity" parent="MultiOutputSerializationStage">
+                    <property name="outputStrategy">
+                        <bean parent="FilesInDirectoryMultiOutputStrategy" p:nameSuffix=".xml">
+                            <property name="directory">
+                                <bean class="java.io.File" c:_="${mdq.output}"/>
+                            </property>
+                            <property name="nameTransformer">
+                                <bean parent="PathSegmentStringTransformer"/>
+                            </property>
+                        </bean>
+                    </property>
+                </bean>
+
+            </list>
+        </property>
+    </bean>
+
+</beans>