Add UK-specific check for SPs asserting REFEDS R&S entity category

This check ensures that entities asserting the entity category have a RegistrationPolicy element. Other checks ensure that this entity is an SP, and that the value in the RegistrationPolicy element is valid. The check is integrated as part of uk_registeredEntities See ukf/ukf-meta#226 for details
InCommon · Nov 11, 2020 · 6efc0a4 · 6efc0a4
1 parent b1f468a
commit 6efc0a4
Showing 8 changed files with 132 additions and 0 deletions.
diff --git a/mdx/uk/beans.xml b/mdx/uk/beans.xml
@@ -302,6 +302,13 @@
     <bean id="check_uk_mdui_dn_en_present" parent="mda.XSLValidationStage"
         p:XSLResource="classpath:uk/check_uk_mdui_dn_en_present.xsl"/>
 
+    <!--
+        check_uk_rands
+
+        If an SP has the R&S entity category, it MUST have an MDRPS
+    -->
+    <bean id="check_uk_rands" parent="mda.XSLValidationStage"
+        p:XSLResource="classpath:uk/check_uk_rands.xsl"/>
 
     <!--
         ***************************************
@@ -387,6 +394,7 @@
                 <ref bean="check_uk_urlenc"/>
                 <ref bean="check_uk_mdui_dn_en_present"/>
                 <ref bean="check_uk_mdui_dn_en_match"/>
+                <ref bean="check_uk_rands"/>
                 <ref bean="check_dup_display"/>
 
                 <bean id="checkCertificates" parent="mda.X509ValidationStage">

diff --git a/mdx/uk/check_uk_rands.xsl b/mdx/uk/check_uk_rands.xsl
@@ -0,0 +1,45 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+
+    check_uk_rands.xsl
+
+    UKf-specific check for SPs asserting R&S entity category
+
+-->
+<xsl:stylesheet version="1.0"
+    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+    xmlns:mdrpi="urn:oasis:names:tc:SAML:metadata:rpi"
+    xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
+    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
+    xmlns:ukfedlabel="http://ukfederation.org.uk/2006/11/label"
+    xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
+
+    <!--
+        Common support functions.
+    -->
+    <xsl:import href="../_rules/check_framework.xsl"/>
+
+
+    <!--
+	SPs which assert the R&S entity category must include an explicit RegistrationPolicy.
+
+	Note that there is a different UK-specific check to ensure that RegistrationPolicy
+	contains valid values, so we don't need to repeat ourselves here.
+
+	Note also that check_rands_member ensures that entities asserting the entity category
+	are SPs.
+    -->
+    <xsl:template match="md:EntityDescriptor
+			[md:Extensions/mdattr:EntityAttributes/saml:Attribute[@Name='http://macedir.org/entity-category']
+				/saml:AttributeValue='http://refeds.org/category/research-and-scholarship']
+			[not(md:Extensions/mdrpi:RegistrationInfo/mdrpi:RegistrationPolicy)]">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">
+                <xsl:text>SP asserts R&amp;S entity category but has no RegistrationPolicy element.</xsl:text>
+            </xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
+
+
+</xsl:stylesheet>
diff --git a/tests/manual/ukf-meta-226/README.md b/tests/manual/ukf-meta-226/README.md
@@ -0,0 +1,9 @@
+# Tests for UK-specific check for R and S
+
+If the entity asserts R&S, it must have a RegistrationPolicy
+
+Other checks ensure that the RegistrationPolicy is valid
+
+Run tests like this:
+
+`for i in *.xml; do echo "Test: $i ==="; xsltproc ../../../mdx/uk/check_uk_rands.xsl $i; done`
diff --git a/tests/manual/ukf-meta-226/has-ec-has-policy.xml b/tests/manual/ukf-meta-226/has-ec-has-policy.xml
@@ -0,0 +1,18 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
+    xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
+    xmlns:mdrpi="urn:oasis:names:tc:SAML:metadata:rpi"
+    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
+    <Extensions>
+        <mdrpi:RegistrationInfo registrationAuthority="http://ukfederation.org.uk"
+            registrationInstant="2012-07-13T11:19:55Z">
+            <mdrpi:RegistrationPolicy xml:lang="en"
+                >http://ukfederation.org.uk/doc/mdrps-20130902</mdrpi:RegistrationPolicy>
+        </mdrpi:RegistrationInfo>
+        <mdattr:EntityAttributes>
+            <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" Name="http://macedir.org/entity-category">
+                <saml:AttributeValue>http://refeds.org/category/research-and-scholarship</saml:AttributeValue>
+            </saml:Attribute>
+        </mdattr:EntityAttributes>
+    </Extensions>
+</EntityDescriptor>
diff --git a/tests/manual/ukf-meta-226/has-ec-no-policy.xml b/tests/manual/ukf-meta-226/has-ec-no-policy.xml
@@ -0,0 +1,16 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
+    xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
+    xmlns:mdrpi="urn:oasis:names:tc:SAML:metadata:rpi"
+    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
+    <Extensions>
+        <mdrpi:RegistrationInfo registrationAuthority="http://ukfederation.org.uk"
+            registrationInstant="2012-07-13T11:19:55Z">
+        </mdrpi:RegistrationInfo>
+        <mdattr:EntityAttributes>
+            <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" Name="http://macedir.org/entity-category">
+                <saml:AttributeValue>http://refeds.org/category/research-and-scholarship</saml:AttributeValue>
+            </saml:Attribute>
+        </mdattr:EntityAttributes>
+    </Extensions>
+</EntityDescriptor>
diff --git a/tests/manual/ukf-meta-226/no-ec-has-policy.xml b/tests/manual/ukf-meta-226/no-ec-has-policy.xml
@@ -0,0 +1,13 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
+    xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
+    xmlns:mdrpi="urn:oasis:names:tc:SAML:metadata:rpi"
+    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
+    <Extensions>
+        <mdrpi:RegistrationInfo registrationAuthority="http://ukfederation.org.uk"
+            registrationInstant="2012-07-13T11:19:55Z">
+            <mdrpi:RegistrationPolicy xml:lang="en"
+                >http://ukfederation.org.uk/doc/mdrps-20130902</mdrpi:RegistrationPolicy>
+        </mdrpi:RegistrationInfo>
+    </Extensions>
+</EntityDescriptor>
diff --git a/tests/manual/ukf-meta-226/no-ec-no-policy.xml b/tests/manual/ukf-meta-226/no-ec-no-policy.xml
@@ -0,0 +1,5 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
+    xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
+    xmlns:mdrpi="urn:oasis:names:tc:SAML:metadata:rpi"
+    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" />
diff --git a/tests/manual/ukf-meta-226/sirtfi-ec-no-policy.xml b/tests/manual/ukf-meta-226/sirtfi-ec-no-policy.xml
@@ -0,0 +1,18 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
+    xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
+    xmlns:mdrpi="urn:oasis:names:tc:SAML:metadata:rpi"
+    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
+    <Extensions>
+        <mdrpi:RegistrationInfo registrationAuthority="http://ukfederation.org.uk"
+            registrationInstant="2012-07-13T11:19:55Z">
+            <mdrpi:RegistrationPolicy xml:lang="en"
+                >http://ukfederation.org.uk/doc/mdrps-20130902</mdrpi:RegistrationPolicy>
+        </mdrpi:RegistrationInfo>
+        <mdattr:EntityAttributes>
+            <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" Name="http://macedir.org/entity-category">
+                <saml:AttributeValue>https://refeds.org/sirtfi</saml:AttributeValue>
+            </saml:Attribute>
+        </mdattr:EntityAttributes>
+    </Extensions>
+</EntityDescriptor>