
Reorder policy rules to correspond with new policy page
See #2.
iay committed Feb 16, 2017
1 parent 0d1a021 commit 8633b93
Showing 1 changed file with 89 additions and 94 deletions.
183 changes: 89 additions & 94 deletions mdx/incommon/edugain-policy.xml
https://spaces.internet2.edu/display/InCFederation/Interfederation+Technical+Policy
The numbers given here are up to date as of 2016-08-12.
The numbers given here are up to date as of 2017-02-16.
-->
<bean id="edugainPolicy" parent="CompositeStage">
<property name="composedStages">
<list>

<!--
Check entities against the MDATTR specification.
This is not called out in the technical policy, so would
normally be placed at the end of the policy. We need to
perform this check at the start so that any entity attribute
filtering we perform below does not accidentally bring the
entity into apparent compliance.
See https://issues.shibboleth.net/jira/browse/MDA-168
(EntityAttributeFilteringStage mishandles multiple containers)
-->
<ref bean="check_mdattr"/>

<!--
Technical Policy rule 1.
<!--
Technical Policy rule 2.
"Silently remove all entity attributes not on the Entity Attribute
Whitelist."
-->
<bean id="entityAttributes" parent="EntityAttributeFilteringStage">
<property name="rules">
<list>
<!-- Permit REFEDS R&S category membership -->
<bean parent="EntityCategoryMatcher"
c:category="http://refeds.org/category/research-and-scholarship"/>

<!-- Permit REFEDS R&S category support -->
<bean parent="EntityCategorySupportMatcher"
c:category="http://refeds.org/category/research-and-scholarship"/>

<!-- Permit REFEDS Hide From Discovery category membership -->
<bean parent="EntityCategoryMatcher"
c:category="http://refeds.org/category/hide-from-discovery"/>

<!-- Permit SIRTFI entity attribute -->
<bean parent="MultiPredicateMatcher">
<property name="nameFormatPredicate">
<bean class="com.google.common.base.Predicates"
factory-method="equalTo"
c:_="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
/>
</property>
<property name="namePredicate">
<bean class="com.google.common.base.Predicates"
factory-method="equalTo"
c:_="urn:oasis:names:tc:SAML:attribute:assurance-certification"
/>
</property>
<property name="valuePredicate">
<bean class="com.google.common.base.Predicates"
factory-method="equalTo"
c:_="https://refeds.org/sirtfi"
/>
</property>
</bean>

</list>
</property>
</bean>

<!--
Technical Policy rule 3.
"Remove and log the removal of all imported mdui:Logo elements
(not entities) with a URL that is not HTTPS-protected."
-->
<ref bean="stripMDUILogoHttp"/>

<!--
Technical Policy rule 4.
"Fiter out (remove and log the removal of) all imported
"Remove and log the removal of all imported
entities matching one or more of the following conditions:"
This rule is performed by the error-detecting beans below
-->

<!--
Technical Policy rule 4.a.
Technical Policy rule 2.a.
Mark entities with an entityID that does not begin with one of the
following prefixes: urn:mace:, http://, https://.
-->
<ref bean="check_entityid_prefix"/>

<!--
Technical Policy rule 4.b.
Technical Policy rule 2.b.
Mark entities with weak keys.
-->
</bean>

<!--
Technical Policy rule 4.c.i.
Technical Policy rule 2.c.i.
Filter entities without regexp attributes.
Require regexp attribute on shibmd:Scope.
-->
<ref bean="check_shib_noregscope"/>

<!--
Technical Policy rule 4.c.ii.
Technical Policy rule 2.c.ii.
Disallow regexp="true".
-->
<ref bean="check_shib_regscope"/>

<!--
Technical Policy rule 4.d.
Technical Policy rule 2.d.
Mark IdP entities with an endpoint location that
is not HTTPS-protected.
-->
<ref bean="check_idp_tls"/>

<!--
Technical Policy rule 4.e.
Technical Policy rule 2.e.
Mark IdP entities that do not have a SAML2 SingleSignOnService endpoint
that supports the HTTP-Redirect binding.
p:XSLResource="classpath:incommon/check_idp_no_saml2.xsl"/>

<!--
Technical Policy rule 4.f.
Technical Policy rule 2.f.
Mark SP entities that do not have at least one SAML2 AssertionConsumerService
endpoint that supports the HTTP-POST binding.
p:XSLResource="classpath:incommon/check_sp_no_saml2.xsl"/>

<!--
Technical Policy rule 4.g.
Technical Policy rule 2.g.
Mark entities containing literal CR characters.
-->
<ref bean="check_cr"/>

<!--
Technical Policy rule 5.
"Silently remove all imported entities that have the same entityID as an existing
entity in the InCommon aggregate."
Technical Policy rule 2.h.
This policy rule is implemented by the merge strategy used when these
entities are merged in with the ones from InCommon.
Mark entities containing misplaced or duplicated
EntityAttributes elements.
-->
<ref bean="check_mdattr"/>

<!--
The following technical policy rules do not yet appear in the
published wiki page.
Technical Policy rule 3.
"Silently remove all entity attributes not on the Entity Attribute
Whitelist."
-->
<bean id="entityAttributes" parent="EntityAttributeFilteringStage">
<property name="rules">
<list>
<!-- Permit REFEDS R&S category membership -->
<bean parent="EntityCategoryMatcher"
c:category="http://refeds.org/category/research-and-scholarship"/>

<!-- none -->
<!-- Permit REFEDS R&S category support -->
<bean parent="EntityCategorySupportMatcher"
c:category="http://refeds.org/category/research-and-scholarship"/>

<!-- Permit REFEDS Hide From Discovery category membership -->
<bean parent="EntityCategoryMatcher"
c:category="http://refeds.org/category/hide-from-discovery"/>

<!-- Permit SIRTFI entity attribute -->
<bean parent="MultiPredicateMatcher">
<property name="nameFormatPredicate">
<bean class="com.google.common.base.Predicates"
factory-method="equalTo"
c:_="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
/>
</property>
<property name="namePredicate">
<bean class="com.google.common.base.Predicates"
factory-method="equalTo"
c:_="urn:oasis:names:tc:SAML:attribute:assurance-certification"
/>
</property>
<property name="valuePredicate">
<bean class="com.google.common.base.Predicates"
factory-method="equalTo"
c:_="https://refeds.org/sirtfi"
/>
</property>
</bean>

</list>
</property>
</bean>

<!--
Policy rules below this point are not called out explicitly in the
published policy wiki page.
Technical Policy rule 4.
"Remove (and log the removal of) all imported mdui:Logo elements
(not entities) with a URL that is not HTTPS-protected."
-->
<ref bean="stripMDUILogoHttp"/>

<!--
Strip all elements and attributes that are in namespaces
other than the ones we accept from partners.
Technical Policy rule 5.
Silently remove all extended XML elements and attributes
defined in namespaces not on the XML Namespace Whitelist.
-->
<bean id="whitelistImportedNamespaces" parent="NamespacesStrippingStage"
p:whitelisting="true">
</property>
</bean>

<!--
Technical Policy rule 6.
"Silently remove all imported entities that have the same entityID as an existing
entity in the InCommon aggregate."
This policy rule is implemented by the merge strategy used when these
entities are merged in with the ones from InCommon.
-->

<!--
The following technical policy rules do not yet appear in the
published wiki page.
-->

<!-- none -->

<!--
Policy rules below this point are not called out explicitly in the
published policy wiki page.
-->

<ref bean="cleanImport"/>
<ref bean="stripAAMDUI"/>
<ref bean="trimImportElementWhitespace"/>
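Review bot: Moving `check_mdattr` from the head of the composed stage list to the rule 2.h position drops the comment that explained why it must run before the `entityAttributes` filtering bean: the removed MDA-168 note said EntityAttributeFilteringStage mishandles multiple EntityAttributes containers, so filtering first could bring a non-compliant entity into apparent compliance. The new order still places `<ref bean="check_mdattr"/>` ahead of the rule-3 EntityAttributeFilteringStage, so behaviour appears preserved, but nothing in the file now records that ordering constraint and a later reorder could silently invert it. I would restore the rationale inside the 2.h comment, e.g. `NOTE: must precede the rule-3 EntityAttributeFilteringStage; that stage mishandles multiple containers (MDA-168) and could otherwise mask a misplaced or duplicated EntityAttributes element.` The composedStages list continues past the hunk, so I cannot confirm where the entities marked by the rule-2 checks are actually removed.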
