Update configuration for MDA 0.10.0
iay committed Dec 2, 2024
1 parent 87e595c commit 61b93fc
Showing 10 changed files with 42 additions and 81 deletions.
2 changes: 1 addition & 1 deletion mdx/incommon/beans.xml
@@ -47,7 +47,7 @@
-->
<bean id="remove_blacklisted_incommon_entities"
parent="mda.EntityFilterStage"
p:whitelistingEntities="false"
p:keepingEntities="false"
p:designatedEntities-ref="incommon_entity_blacklist"/>

</beans>
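Review bot: The bean id `remove_blacklisted_incommon_entities` still describes this filter in blacklist terms while its property is now `keepingEntities="false"`, so a reader has to know that "not keeping the designated entities" is the blacklist case; the same vocabulary gap appears in export.xml (`applyEntityWhitelist` with `keepingEntities="true"`) and in the comments of edugain-policy.xml ("Entity Attribute Blacklist", "XML Namespace Whitelist"). Bean ids may be referenced from other files, so they are best left alone, but a one-line comment on each filter stage would make the polarity explicit, e.g. `<!-- keepingEntities="false": every entity listed in incommon_entity_blacklist is removed, all others pass through. -->`. The comment block that precedes this bean starts outside the hunk.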
37 changes: 18 additions & 19 deletions mdx/incommon/edugain-policy.xml
@@ -37,7 +37,7 @@
-->
<bean id="edugainPolicy" parent="mda.CompositeStage">
<property name="composedStages">
<property name="stages">
<list>

<!--
@@ -67,7 +67,7 @@
</list>
</property>
<property name="requiringRegistrationInformation" value="true"/>
<property name="whitelistingRegistrationAuthorities" value="false"/>
<property name="keepingRegistrationAuthorities" value="false"/>
</bean>

<!--
@@ -121,7 +121,7 @@
All entity attributes on the Entity Attribute Blacklist.
-->
<bean id="entityAttributes" parent="mda.EntityAttributeFilteringStage"
p:whitelisting="false">
p:keeping="false">
<property name="rules">
<list>
<!-- "registered by InCommon" entity category. -->
@@ -188,7 +188,7 @@
defined in namespaces not on the XML Namespace Whitelist.
-->
<bean id="whitelistImportedNamespaces" parent="mda.NamespacesStrippingStage"
p:whitelisting="true">
p:keeping="true">
<property name="namespaces">
<set>
<ref bean="alg_namespace"/>
@@ -293,13 +293,12 @@
Perform detailed scope checking.
-->
<bean id="checkScopes" parent="inc.stage_parent"
class="uk.org.iay.incommon.mda.dom.saml.shib.ScopeValidationStage">
<bean id="checkScopes" parent="mda.ScopeValidationStage">
<property name="validators">
<list>
<bean p:id="empty" parent="inc.RejectStringRegexValidator"
<bean p:id="empty" parent="mda.RejectStringRegexValidator"
p:regex="" p:message="scope element must not be empty"/>
<bean p:id="whiteSpace" parent="inc.RejectStringRegexValidator"
<bean p:id="whiteSpace" parent="mda.RejectStringRegexValidator"
p:regex=".*\s.*" p:message="scope '%s' includes white space"/>

<!--
@@ -308,17 +307,17 @@
nevertheless known to be legitimately used as
security domains.
-->
<bean p:id="mil.no" parent="inc.AcceptStringValueValidator"
<bean p:id="mil.no" parent="mda.AcceptStringValueValidator"
p:value="mil.no"/>

<bean p:id="domainName" parent="inc.AsDomainNameStringValidator"
<bean p:id="domainName" parent="mda.AsDomainNameStringValidator"
p:message="scope is not a valid domain name: %s">
<property name="validators">
<list>
<!-- DNS name validators -->
<bean p:id="publicSuffix" parent="inc.RejectDomainNamePublicSuffixValidator"
<bean p:id="publicSuffix" parent="mda.RejectDomainNamePublicSuffixValidator"
p:message="scope is a public suffix: '%s'"/>
<bean p:id="noPublicSuffix" parent="inc.RejectDomainNameNotUnderPublicSuffixValidator"
<bean p:id="noPublicSuffix" parent="mda.RejectDomainNameNotUnderPublicSuffixValidator"
p:message="scope is not under a public suffix: '%s'"/>
</list>
</property>
@@ -327,25 +326,25 @@
</property>
<property name="regexpValidators">
<list>
<bean p:id="empty" parent="inc.RejectStringRegexValidator"
<bean p:id="empty" parent="mda.RejectStringRegexValidator"
p:regex="" p:message="regex scope element must not be empty"/>
<bean p:id="whiteSpace" parent="inc.RejectStringRegexValidator"
<bean p:id="whiteSpace" parent="mda.RejectStringRegexValidator"
p:regex=".*\s.*" p:message="regex scope '%s' includes white space"/>
<bean p:id="endAnchor" parent="inc.RejectStringRegexValidator"
<bean p:id="endAnchor" parent="mda.RejectStringRegexValidator"
p:regex=".*[^$]" p:message="regex scope '%s' does not end with an anchor ('$')"/>
<bean p:id="literalTail" parent="inc.AsLiteralTailStringValidator"
<bean p:id="literalTail" parent="mda.AsLiteralTailStringValidator"
p:message="regular expression '%s' does not end with a literal tail">
<property name="validators">
<!-- validators to apply to the literal tail -->
<list>
<bean p:id="domainName" parent="inc.AsDomainNameStringValidator"
<bean p:id="domainName" parent="mda.AsDomainNameStringValidator"
p:message="literal tail is not a valid domain name: %s">
<property name="validators">
<list>
<!-- DNS name validators for the literal tail -->
<bean p:id="publicSuffix" parent="inc.RejectDomainNamePublicSuffixValidator"
<bean p:id="publicSuffix" parent="mda.RejectDomainNamePublicSuffixValidator"
p:message="literal tail is a public suffix: '%s'"/>
<bean p:id="noPublicSuffix" parent="inc.RejectDomainNameNotUnderPublicSuffixValidator"
<bean p:id="noPublicSuffix" parent="mda.RejectDomainNameNotUnderPublicSuffixValidator"
p:message="literal tail is not under a public suffix: '%s'"/>
</list>
</property>
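Review bot: `checkScopes` now derives from `mda.ScopeValidationStage` instead of the local `uk.org.iay.incommon.mda.dom.saml.shib.ScopeValidationStage`, and every validator's parent moves from `inc.*` to `mda.*`; if the `inc.stage_parent` and `inc.*Validator` bean definitions and the local stage class still exist elsewhere in the repository they are no longer referenced from this file and should be retired in the same change, otherwise two scope validators with potentially different behaviour stay available. The validator ids, regexes and messages are carried over unchanged, but whether the MDA stage dispatches `validators` and `regexpValidators` to plain and regexp scopes exactly as the local class did is not visible here; a fixture with an empty scope, a scope containing white space and a regexp scope lacking the `$` anchor would confirm each rejection still fires. The `checkScopes` bean continues past the end of the last hunk.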
2 changes: 1 addition & 1 deletion mdx/incommon/export.xml
@@ -56,7 +56,7 @@

<!-- Remove all but the entities we want to export. -->
<bean id="applyEntityWhitelist" parent="mda.EntityFilterStage"
p:whitelistingEntities="true"
p:keepingEntities="true"
p:designatedEntities-ref="incommon_edugain_export_whitelist"/>

<!-- Include a default registrationAuthority for each entity. -->
8 changes: 4 additions & 4 deletions mdx/incommon/import.xml
@@ -42,7 +42,7 @@
-->

<bean id="common.output" parent="mda.CompositeStage">
<property name="composedStages">
<property name="stages">
<list>
<!-- Construct a new aggregate from the collection of entities. -->
<bean id="inc.assemble" parent="mda.EntitiesDescriptorAssemblerStage">
@@ -245,7 +245,7 @@
</list>
</property>
<property name="requiringRegistrationInformation" value="true"/>
<property name="whitelistingRegistrationAuthorities" value="true"/>
<property name="keepingRegistrationAuthorities" value="true"/>
</bean>

<!-- Include a default registrationAuthority for each entity. -->
@@ -275,10 +275,10 @@

<!-- Fork new pipelines to generate special aggregates. -->
<bean id="demux" parent="mda.PipelineDemultiplexerStage">
<property name="pipelineAndSelectionStrategies">
<property name="pipelinesAndStrategies">
<list>
<!-- IdP-only aggregate. -->
<bean class="net.shibboleth.utilities.java.support.collection.Pair">
<bean parent="mda.PipelineAndStrategy">
<constructor-arg ref="idp.pipeline"/>
<constructor-arg ref="idp.selector"/>
</bean>
10 changes: 5 additions & 5 deletions mdx/incommon/import_sign.xml
@@ -42,7 +42,7 @@
-->

<bean id="common.output" parent="mda.CompositeStage">
<property name="composedStages">
<property name="stages">
<list>
<!-- Construct a new aggregate from the collection of entities. -->
<bean id="inc.assemble" parent="mda.EntitiesDescriptorAssemblerStage">
@@ -218,7 +218,7 @@
</property>
<property name="certificates">
<list>
<bean id="us_incommon_signingCertificate" parent="X509CertificateFactoryBean"
<bean id="us_incommon_signingCertificate" parent="mda.X509CertificateFactoryBean"
p:resource="classpath:us_incommon/inc-md-cert.pem"/>
</list>
</property>
@@ -270,7 +270,7 @@
</list>
</property>
<property name="requiringRegistrationInformation" value="true"/>
<property name="whitelistingRegistrationAuthorities" value="true"/>
<property name="keepingRegistrationAuthorities" value="true"/>
</bean>

<!-- Include a default registrationAuthority for each entity. -->
@@ -300,10 +300,10 @@

<!-- Fork new pipelines to generate special aggregates. -->
<bean id="demux" parent="mda.PipelineDemultiplexerStage">
<property name="pipelineAndSelectionStrategies">
<property name="pipelinesAndStrategies">
<list>
<!-- IdP-only aggregate. -->
<bean class="net.shibboleth.utilities.java.support.collection.Pair">
<bean parent="mda.PipelineAndStrategy">
<constructor-arg ref="idp.pipeline"/>
<constructor-arg ref="idp.selector"/>
</bean>
3 changes: 2 additions & 1 deletion mdx/incommon/mdq-all-localkey.xml
@@ -12,7 +12,8 @@
<import resource="classpath:incommon/mdq-all.xml" />

<!-- Define a private key factory (based on a local key) to be used by the generateAll stage -->
<bean id="privateKeyFactory" parent="PrivateKeyFactoryBean" p:resource="${sign.keyResource}"
<bean id="privateKeyFactory" parent="mda.PrivateKeyFactoryBean"
p:resource="${sign.keyResource}"
p:privateKeyPassword="${sign.keyPassword}" />

<!-- Generate all signed metadata required by the InCommon MDQ service -->
29 changes: 8 additions & 21 deletions mdx/incommon/mdq-all.xml
@@ -17,25 +17,12 @@
<!-- Import channel-specific beans -->
<import resource="classpath:incommon/beans.xml" />

<!-- This bean MUST be called "conversionService" to work properly -->
<bean id="conversionService" class="org.springframework.context.support.ConversionServiceFactoryBean">
<property name="converters">
<set>
<bean class="net.shibboleth.ext.spring.config.DurationToLongConverter" />
<bean class="net.shibboleth.ext.spring.config.StringToIPRangeConverter" />
<bean class="net.shibboleth.ext.spring.config.BooleanToPredicateConverter" />
<bean class="net.shibboleth.ext.spring.config.StringBooleanToPredicateConverter" />
<bean class="net.shibboleth.ext.spring.config.StringToResourceConverter" />
</set>
</property>
</bean>

<!-- Predicate for matching everything -->
<bean id="matchEverything" class="com.google.common.base.Predicates" factory-method="alwaysTrue" />

<!-- Generate all required metadata for the InCommon MDQ service -->
<bean id="generateAll" parent="mda.CompositeStage">
<property name="composedStages">
<property name="stages">
<list>

<!-- Begin with the published aggregate -->
@@ -44,17 +31,17 @@
<!-- Fork pipelines for creating signed aggregates -->
<bean id="demux" parent="mda.PipelineDemultiplexerStage">

<property name="pipelineAndSelectionStrategies">
<property name="pipelinesAndStrategies">
<list>

<!-- Create the signed aggregate -->
<bean class="net.shibboleth.utilities.java.support.collection.Pair">
<bean parent="mda.PipelineAndStrategy">
<constructor-arg ref="aggregatePipeline" />
<constructor-arg ref="matchEverything" />
</bean>

<!-- Create the signed IdP-only aggregate -->
<bean class="net.shibboleth.utilities.java.support.collection.Pair">
<bean parent="mda.PipelineAndStrategy">
<constructor-arg ref="idpPipeline" />
<constructor-arg ref="idpSelectionStrategy" />
</bean>
@@ -84,7 +71,7 @@

<!-- Stage that produces the signed aggregate from a collection of entities -->
<bean id="aggregateStage" parent="mda.CompositeStage">
<property name="composedStages">
<property name="stages">
<list>

<!-- Perform common steps in constructing an output aggregate -->
@@ -109,7 +96,7 @@

<!-- Output stage used by all MDQ aggregate pipelines -->
<bean id="commonOutputStage" parent="mda.CompositeStage">
<property name="composedStages">
<property name="stages">
<list>
<!-- Construct a new aggregate from the collection of entities -->
<bean id="inc.assemble" parent="mda.EntitiesDescriptorAssemblerStage">
@@ -141,7 +128,7 @@

<!-- Source stage used by all MDQ pipelines -->
<bean id="commonSourceStage" parent="mda.CompositeStage">
<property name="composedStages">
<property name="stages">
<list>

<!-- Start with the signed production aggregate -->
@@ -203,7 +190,7 @@

<!-- Stage to produce signed per-entity metadata -->
<bean id="perEntityStage" parent="mda.CompositeStage">
<property name="composedStages">
<property name="stages">
<list>

<!-- Set ID, cacheDuration and validUntil attributes. -->
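Review bot: Dropping the `conversionService` bean in the first hunk also removes `DurationToLongConverter` and `StringToResourceConverter`, which until now converted duration strings and resource strings on bean properties; the stages later in this file (the trailing comment mentions cacheDuration and validUntil) lie outside the hunks, so it is worth confirming that any duration-valued property there now binds under MDA 0.10.0's own property types rather than through the removed converters. The same bean is removed in mdq-multisign-cloudhsm.xml and mdq-multisign-localkey.xml, which need the same check. The comment `<!-- This bean MUST be called "conversionService" to work properly -->` disappears with it; if MDA 0.10.0 now supplies the conversion service itself, a one-line comment after the beans.xml import saying so, e.g. `<!-- Type conversion is supplied by the MDA 0.10.0 bean definitions; do not re-add a local conversionService. -->`, would keep the next maintainer from reintroducing it.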
13 changes: 0 additions & 13 deletions mdx/incommon/mdq-multisign-cloudhsm.xml
@@ -22,19 +22,6 @@
-->
<import resource="classpath:incommon/beans.xml"/>

<!-- This bean MUST be called "conversionService" to work properly. -->
<bean id="conversionService" class="org.springframework.context.support.ConversionServiceFactoryBean">
<property name="converters">
<set>
<bean class="net.shibboleth.ext.spring.config.DurationToLongConverter" />
<bean class="net.shibboleth.ext.spring.config.StringToIPRangeConverter" />
<bean class="net.shibboleth.ext.spring.config.BooleanToPredicateConverter" />
<bean class="net.shibboleth.ext.spring.config.StringBooleanToPredicateConverter" />
<bean class="net.shibboleth.ext.spring.config.StringToResourceConverter" />
</set>
</property>
</bean>

<!--
Generate per-entity metadata.
-->
15 changes: 1 addition & 14 deletions mdx/incommon/mdq-multisign-localkey.xml
@@ -22,19 +22,6 @@
-->
<import resource="classpath:incommon/beans.xml"/>

<!-- This bean MUST be called "conversionService" to work properly. -->
<bean id="conversionService" class="org.springframework.context.support.ConversionServiceFactoryBean">
<property name="converters">
<set>
<bean class="net.shibboleth.ext.spring.config.DurationToLongConverter" />
<bean class="net.shibboleth.ext.spring.config.StringToIPRangeConverter" />
<bean class="net.shibboleth.ext.spring.config.BooleanToPredicateConverter" />
<bean class="net.shibboleth.ext.spring.config.StringBooleanToPredicateConverter" />
<bean class="net.shibboleth.ext.spring.config.StringToResourceConverter" />
</set>
</property>
</bean>

<!--
Generate per-entity metadata.
-->
@@ -71,7 +58,7 @@
<!-- Sign each item. -->
<bean id="perform.signature" parent="mda.XMLSignatureSigningStage">
<property name="privateKey">
<bean parent="PrivateKeyFactoryBean"
<bean parent="mda.PrivateKeyFactoryBean"
p:resource="${sign.keyResource}"
p:privateKeyPassword="${sign.keyPassword}"
/>
4 changes: 2 additions & 2 deletions mdx/incommon/sign.xml
@@ -42,7 +42,7 @@
-->

<bean id="common.output" parent="mda.CompositeStage">
<property name="composedStages">
<property name="stages">
<list>
<!-- Construct a new aggregate from the collection of entities. -->
<bean id="inc.assemble" parent="mda.EntitiesDescriptorAssemblerStage">
@@ -218,7 +218,7 @@
</property>
<property name="certificates">
<list>
<bean id="us_incommon_signingCertificate" parent="X509CertificateFactoryBean"
<bean id="us_incommon_signingCertificate" parent="mda.X509CertificateFactoryBean"
p:resource="classpath:us_incommon/inc-md-cert.pem"/>
</list>
</property>
