Enforce a rule that Scope elements must always have a regexp attribute. This helps make signed metadata less brittle, by removing the possibility that a schema-validating signing application will implicitly take the default into account.
iay committed Sep 15, 2009
1 parent d6c4f36 commit cda0b19
Showing 2 changed files with 25 additions and 0 deletions.
13 changes: 13 additions & 0 deletions build/check.xsl
Expand Up @@ -13,6 +13,7 @@
xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
xmlns:set="http://exslt.org/sets"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:idpdisc="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
Expand Down Expand Up @@ -241,6 +242,18 @@
</xsl:call-template>
</xsl:template>


<!--
Check for Shibboleth Scope elements that don't include a regexp attribute.
This has a default in the schema so omitting it can cause signing brittleness.
-->
<xsl:template match="shibmd:Scope[not(@regexp)]">
<xsl:call-template name="fatal">
<xsl:with-param name="m">Scope <xsl:value-of select="."/> lacks @regexp</xsl:with-param>
</xsl:call-template>
</xsl:template>


<!--
Common template to call to report a fatal error on some element within an entity.
-->
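Review bot: the new `shibmd:Scope[not(@regexp)]` template at the end of this hunk enforces only that @regexp is present, not that it carries a value the schema allows, so a Scope written as `<shibmd:Scope regexp="yes">` passes this checker and is left for schema validation (or the signing application) to reject later. Consider a companion template such as `shibmd:Scope[@regexp and not(@regexp='true' or @regexp='false')]` (extended with the `0`/`1` forms if you accept the whole xs:boolean lexical space) that calls the same `fatal` template, so both the missing and the malformed case are reported in one place. The comment above the template would also be clearer if it said what the commit message says: the point of forbidding the omission is that a schema-validating signer takes the schema default into account while a consumer that does not validate will not, and the two then disagree about the signed content.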
12 changes: 12 additions & 0 deletions build/check_imported.xsl
Expand Up @@ -13,6 +13,7 @@
xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
xmlns:set="http://exslt.org/sets"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:idpdisc="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
Expand Down Expand Up @@ -167,6 +168,17 @@
</xsl:template>


<!--
Check for Shibboleth Scope elements that don't include a regexp attribute.
This has a default in the schema so omitting it can cause signing brittleness.
-->
<xsl:template match="shibmd:Scope[not(@regexp)]">
<xsl:call-template name="fatal">
<xsl:with-param name="m">Scope <xsl:value-of select="."/> lacks @regexp</xsl:with-param>
</xsl:call-template>
</xsl:template>


<!--
Common template to call to report a fatal error on some element within an entity.
-->
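Review bot: this template, comment included, is a verbatim copy of the one added to build/check.xsl in the same commit, and both stylesheets already declare the identical set of namespace prefixes. Rather than maintaining the Scope rule twice, consider moving it (and any other checks common to the two files) into a shared stylesheet pulled in with `<xsl:include>` so that check.xsl and check_imported.xsl cannot drift apart the next time a rule is tightened or an error message is reworded.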

0 comments on commit cda0b19
