Exbed selected inner beans for testability

See ukf/ukf-meta#434.
InCommon · Jul 1, 2024 · 8c0014e · 8c0014e
1 parent 87780af
commit 8c0014e
Show file tree

Hide file tree

Showing 4 changed files with 117 additions and 97 deletions.
diff --git a/mdx/common-beans.xml b/mdx/common-beans.xml
@@ -1276,37 +1276,7 @@
                 <ref bean="CHECK_std"/>
                 <ref bean="check_namespaces"/>
 
-                <bean id="checkCertificates" parent="mda.X509ValidationStage">
-                    <property name="validators">
-                        <list>
-                            <!-- Error on DSA keys. -->
-                            <bean p:id="DSA" parent="ukf.X509DSADetector"/>
-
-                            <!-- Error on RSA key length less than 2048 bits. -->
-                            <bean p:id="RSAKeyLength" parent="mda.X509RSAKeyLengthValidator"
-                                p:warningBoundary="0" p:errorBoundary="2048"/>
-                            <!-- Error on small RSA public exponents. -->
-                            <bean p:id="RSAExponent" parent="mda.X509RSAExponentValidator"/>
-                            <!-- Error on keys vulnerable to ROCA. -->
-                            <bean p:id="ROCA" parent="ukf.X509ROCAValidator"/>
-
-                            <!--
-                                Debian weak key blacklists.
-
-                                Don't need to check for keys below our minimum key size.
-                            -->
-                            <ref bean="debian.2048"/>
-                            <ref bean="debian.4096"/>
-
-                            <!--
-                                Compromised key blacklists.
-
-                                Again, don't need to check for keys below our minimum key size.
-                            -->
-                            <ref bean="compromised.2048"/>
-                        </list>
-                    </property>
-                </bean>
+                <ref bean="check_standard_certificates"/>
 
             </list>
         </property>

diff --git a/mdx/uk/beans.xml b/mdx/uk/beans.xml
@@ -335,6 +335,14 @@
     <bean id="check_uk_rands" parent="mda.XSLValidationStage"
         p:XSLResource="classpath:uk/check_uk_rands.xsl"/>
 
+    <!--
+        check_ukfedlabel
+
+        Check use of elements from the ukfedlabel namespace.
+    -->
+    <bean id="check_ukfedlabel" parent="mda.XSLValidationStage"
+        p:XSLResource="classpath:uk/check_ukfedlabel.xsl"/>
+
     <!--
         ***************************************
         ***                                 ***
@@ -416,8 +424,7 @@
 
                 <ref bean="checkSchemas"/>
                 <ref bean="CHECK_std"/>
-                <bean id="check_ukfedlabel" parent="mda.XSLValidationStage"
-                    p:XSLResource="classpath:uk/check_ukfedlabel.xsl"/>
+                <ref bean="check_ukfedlabel"/>
                 <ref bean="check_ukreg"/>
                 <ref bean="check_uk_email"/>
                 <ref bean="check_owner"/>

diff --git a/mdx/uk/edugain-policy.xml b/mdx/uk/edugain-policy.xml
@@ -67,69 +67,7 @@
 
                     Perform detailed scope checking.
                 -->
-                <bean id="checkScopes" parent="inc.stage_parent"
-                    class="uk.org.iay.incommon.mda.dom.saml.shib.ScopeValidationStage">
-                    <property name="validators">
-                        <list>
-                            <bean p:id="empty" parent="inc.RejectStringRegexValidator"
-                                p:regex="" p:message="scope element must not be empty"/>
-                            <bean p:id="whiteSpace" parent="inc.RejectStringRegexValidator"
-                                p:regex=".*\s.*" p:message="scope '%s' includes white space"/>
-
-                            <!--
-                                Explicitly accept domains which, although they
-                                fall afoul of the public suffic heuristic, are
-                                nevertheless known to be legitimately used as
-                                security domains.
-                            -->
-                            <bean p:id="mil.no" parent="inc.AcceptStringValueValidator"
-                                p:value="mil.no"/>
-
-                            <bean p:id="domainName" parent="inc.AsDomainNameStringValidator"
-                                p:message="scope is not a valid domain name: %s">
-                                <property name="validators">
-                                    <list>
-                                        <!-- DNS name validators -->
-                                        <bean p:id="publicSuffix" parent="inc.RejectDomainNamePublicSuffixValidator"
-                                            p:message="scope is a public suffix: '%s'"/>
-                                        <bean p:id="noPublicSuffix" parent="inc.RejectDomainNameNotUnderPublicSuffixValidator"
-                                            p:message="scope is not under a public suffix: '%s'"/>
-                                    </list>
-                                </property>
-                            </bean>
-                        </list>
-                    </property>
-                    <property name="regexpValidators">
-                        <list>
-                            <bean p:id="empty" parent="inc.RejectStringRegexValidator"
-                                p:regex="" p:message="regex scope element must not be empty"/>
-                            <bean p:id="whiteSpace" parent="inc.RejectStringRegexValidator"
-                                p:regex=".*\s.*" p:message="regex scope '%s' includes white space"/>
-                            <bean p:id="endAnchor" parent="inc.RejectStringRegexValidator"
-                                p:regex=".*[^$]" p:message="regex scope '%s' does not end with an anchor ('$')"/>
-                            <bean p:id="literalTail" parent="inc.AsLiteralTailStringValidator"
-                                p:message="regular expression '%s' does not end with a literal tail">
-                                <property name="validators">
-                                    <!-- validators to apply to the literal tail -->
-                                    <list>
-                                        <bean p:id="domainName" parent="inc.AsDomainNameStringValidator"
-                                            p:message="literal tail is not a valid domain name: %s">
-                                            <property name="validators">
-                                                <list>
-                                                    <!-- DNS name validators for the literal tail -->
-                                                    <bean p:id="publicSuffix" parent="inc.RejectDomainNamePublicSuffixValidator"
-                                                        p:message="literal tail is a public suffix: '%s'"/>
-                                                    <bean p:id="noPublicSuffix" parent="inc.RejectDomainNameNotUnderPublicSuffixValidator"
-                                                        p:message="literal tail is not under a public suffix: '%s'"/>
-                                                </list>
-                                            </property>
-                                        </bean>
-                                    </list>
-                                </property>
-                            </bean>
-                        </list>
-                    </property>
-                </bean>
+                <ref bean="check_edugain_scopes"/>
 
                 <!--
                     ***************************************************
@@ -154,7 +92,76 @@
                     Checks against the UKf-specific list of compromised RSA keys.
                 -->
                 <ref bean="check_ukf_compromised"/>
-
+
+            </list>
+        </property>
+    </bean>
+
+    <!--
+        check_edugain_scopes
+
+        eduGAIN-specific rules for Scope elements.
+    -->
+    <bean id="check_edugain_scopes" p:id="checkScopes" parent="inc.stage_parent"
+        class="uk.org.iay.incommon.mda.dom.saml.shib.ScopeValidationStage">
+        <property name="validators">
+            <list>
+                <bean p:id="empty" parent="inc.RejectStringRegexValidator"
+                    p:regex="" p:message="scope element must not be empty"/>
+                <bean p:id="whiteSpace" parent="inc.RejectStringRegexValidator"
+                    p:regex=".*\s.*" p:message="scope '%s' includes white space"/>
+
+                <!--
+                    Explicitly accept domains which, although they
+                    fall afoul of the public suffic heuristic, are
+                    nevertheless known to be legitimately used as
+                    security domains.
+                -->
+                <bean p:id="mil.no" parent="inc.AcceptStringValueValidator"
+                    p:value="mil.no"/>
+
+                <bean p:id="domainName" parent="inc.AsDomainNameStringValidator"
+                    p:message="scope is not a valid domain name: %s">
+                    <property name="validators">
+                        <list>
+                            <!-- DNS name validators -->
+                            <bean p:id="publicSuffix" parent="inc.RejectDomainNamePublicSuffixValidator"
+                                p:message="scope is a public suffix: '%s'"/>
+                            <bean p:id="noPublicSuffix" parent="inc.RejectDomainNameNotUnderPublicSuffixValidator"
+                                p:message="scope is not under a public suffix: '%s'"/>
+                        </list>
+                    </property>
+                </bean>
+            </list>
+        </property>
+        <property name="regexpValidators">
+            <list>
+                <bean p:id="empty" parent="inc.RejectStringRegexValidator"
+                    p:regex="" p:message="regex scope element must not be empty"/>
+                <bean p:id="whiteSpace" parent="inc.RejectStringRegexValidator"
+                    p:regex=".*\s.*" p:message="regex scope '%s' includes white space"/>
+                <bean p:id="endAnchor" parent="inc.RejectStringRegexValidator"
+                    p:regex=".*[^$]" p:message="regex scope '%s' does not end with an anchor ('$')"/>
+                <bean p:id="literalTail" parent="inc.AsLiteralTailStringValidator"
+                    p:message="regular expression '%s' does not end with a literal tail">
+                    <property name="validators">
+                        <!-- validators to apply to the literal tail -->
+                        <list>
+                            <bean p:id="domainName" parent="inc.AsDomainNameStringValidator"
+                                p:message="literal tail is not a valid domain name: %s">
+                                <property name="validators">
+                                    <list>
+                                        <!-- DNS name validators for the literal tail -->
+                                        <bean p:id="publicSuffix" parent="inc.RejectDomainNamePublicSuffixValidator"
+                                            p:message="literal tail is a public suffix: '%s'"/>
+                                        <bean p:id="noPublicSuffix" parent="inc.RejectDomainNameNotUnderPublicSuffixValidator"
+                                            p:message="literal tail is not under a public suffix: '%s'"/>
+                                    </list>
+                                </property>
+                            </bean>
+                        </list>
+                    </property>
+                </bean>
             </list>
         </property>
     </bean>

diff --git a/mdx/validation-beans.xml b/mdx/validation-beans.xml
@@ -454,6 +454,42 @@
         p:keySize="2048"
         p:blacklistResource="classpath:net/shibboleth/metadata/validate/x509/compromised-2048.txt"/>
 
+    <!--
+        check_standard_certificates
+
+        Perform a group of standard checks on X.509 certificates.
+    -->
+    <bean id="check_standard_certificates" parent="mda.X509ValidationStage">
+        <property name="validators">
+            <list>
+                <!-- Error on DSA keys. -->
+                <bean p:id="DSA" parent="ukf.X509DSADetector"/>
+
+                <!-- Error on RSA key length less than 2048 bits. -->
+                <bean p:id="RSAKeyLength" parent="mda.X509RSAKeyLengthValidator"
+                    p:warningBoundary="0" p:errorBoundary="2048"/>
+                <!-- Error on small RSA public exponents. -->
+                <bean p:id="RSAExponent" parent="mda.X509RSAExponentValidator"/>
+                <!-- Error on keys vulnerable to ROCA. -->
+                <bean p:id="ROCA" parent="ukf.X509ROCAValidator"/>
+
+                <!--
+                    Debian weak key blacklists.
+
+                    Don't need to check for keys below our minimum key size.
+                -->
+                <ref bean="debian.2048"/>
+                <ref bean="debian.4096"/>
+
+                <!--
+                    Compromised key blacklists.
+
+                    Again, don't need to check for keys below our minimum key size.
+                -->
+                <ref bean="compromised.2048"/>
+            </list>
+        </property>
+    </bean>
 
     <!--
         ****************************************************