Add check for duplicated entityIDs and duplicated IdP display names t…

…o publishability check for aggregates. This code was moved from check_misc where it was never being invoked as that was not run at the aggregate level. Add publishability check to the uk collect flow, and add the corresponding fixup step so that this will be viable.
InCommon · Aug 5, 2011 · f141189 · f141189
1 parent 7e9a476
commit f141189
Show file tree

Hide file tree

Showing 5 changed files with 88 additions and 75 deletions.
diff --git a/build.xml b/build.xml
@@ -342,30 +342,6 @@
         <CHANNEL.do channel="uk" verb="collect"/>
     </target>
 
-    <!--
-        Check a metadata document for publishability.  This is applied during all
-        UK publication flows prior to any signature step.  It is not applied to
-        export flows, for which we desire the closest possible correspondence to
-        the registered metadata.
-        
-        At the moment, this consists of a few tests which are no longer being performed elsewhere
-        but should pass by construction.  In the longer term it may make sense to
-        expand this to the fullest battery possible, with the exception of those
-        tests which are registrar-specific.
-        
-        Parameter 'i' is the file to be checked; no assumption is made
-        about its location so this must contain a full path.
-    -->
-    <macrodef name="CHECK.publishable">
-        <attribute name="i"/>
-        <sequential>
-            <CHECK.base i="@{i}">
-            	<arg value="${build.dir}/check_filtered.xsl"/>
-                <arg value="${build.dir}/check_fixups.xsl"/>
-            </CHECK.base>
-        </sequential>
-    </macrodef>
-
     <!--
         Unsigned metadata generation for the UK Federation.
     -->

diff --git a/build/check_aggregate.xsl b/build/check_aggregate.xsl
@@ -0,0 +1,66 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+
+	check_aggregate.xsl
+	
+	Checking ruleset containing aggregate-level checks.
+	
+	Author: Ian A. Young <ian@iay.org.uk>
+
+-->
+<xsl:stylesheet version="1.0"
+	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+	xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+	xmlns:set="http://exslt.org/sets"
+	xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
+
+	<!--
+		Common support functions.
+	-->
+	<xsl:import href="check_framework.xsl"/>
+
+	<xsl:variable name="entities" select="//md:EntityDescriptor"/>
+	<xsl:variable name="idps" select="$entities[md:IDPSSODescriptor]"/>
+
+	<!--
+		Checks across the whole of the document are defined here.
+		
+		The match expression here works with version 0.6 of the metadata aggregator.
+		Once MDA-45 is fixed, it should be replaced with "/":
+		
+		https://issues.shibboleth.net/jira/browse/MDA-45
+		
+		This will make the transform more robust in the presence of nested
+		EntitiesDescriptor elements.
+	-->
+	<xsl:template match="md:EntitiesDescriptor">
+
+		<!-- check for duplicate entityID values -->
+		<xsl:variable name="distinct.entityIDs" select="set:distinct($entities/@entityID)"/>
+		<xsl:variable name="dup.entityIDs"
+			select="set:distinct(set:difference($entities/@entityID, $distinct.entityIDs))"/>
+		<xsl:for-each select="$dup.entityIDs">
+			<xsl:variable name="dup.entityID" select="."/>
+			<xsl:for-each select="$entities[@entityID = $dup.entityID]">
+				<xsl:call-template name="error">
+					<xsl:with-param name="m">duplicate entityID: <xsl:value-of select='$dup.entityID'/></xsl:with-param>
+				</xsl:call-template>
+			</xsl:for-each>
+		</xsl:for-each>
+
+		<!-- check for duplicate OrganisationDisplayName values -->
+		<xsl:variable name="distinct.ODNs"
+			select="set:distinct($idps/md:Organization/md:OrganizationDisplayName)"/>
+		<xsl:variable name="dup.ODNs"
+			select="set:distinct(set:difference($idps/md:Organization/md:OrganizationDisplayName, $distinct.ODNs))"/>
+		<xsl:for-each select="$dup.ODNs">
+			<xsl:variable name="dup.ODN" select="."/>
+			<xsl:for-each select="$idps[md:Organization/md:OrganizationDisplayName = $dup.ODN]">
+				<xsl:call-template name="error">
+					<xsl:with-param name="m">duplicate OrganisationDisplayName: <xsl:value-of select='$dup.ODN'/></xsl:with-param>
+				</xsl:call-template>
+			</xsl:for-each>
+		</xsl:for-each>
+	</xsl:template>
+
+</xsl:stylesheet>
diff --git a/build/check_misc.xsl b/build/check_misc.xsl
@@ -11,16 +11,8 @@
 -->
 <xsl:stylesheet version="1.0"
 	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
-	xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
 	xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
-	xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
 	xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
-	xmlns:set="http://exslt.org/sets"
-	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-	xmlns:idpdisc="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
-
-	xmlns:mdxURL="xalan://uk.ac.sdss.xalan.md.URLchecker"
-
 	xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
 
 	<!--
@@ -29,49 +21,6 @@
 	<xsl:import href="check_framework.xsl"/>
 
 
-	<!--
-		Checks across the whole of the document are defined here.
-		
-		Only bother with these when the document element is an EntitiesDescriptor.
-	-->
-	<xsl:template match="/md:EntitiesDescriptor">
-		<xsl:variable name="entities" select="//md:EntityDescriptor"/>
-		<xsl:variable name="idps" select="$entities[md:IDPSSODescriptor]"/>
-
-		<!-- check for duplicate entityID values -->
-		<xsl:variable name="distinct.entityIDs" select="set:distinct($entities/@entityID)"/>
-		<xsl:variable name="dup.entityIDs"
-			select="set:distinct(set:difference($entities/@entityID, $distinct.entityIDs))"/>
-		<xsl:for-each select="$dup.entityIDs">
-			<xsl:variable name="dup.entityID" select="."/>
-			<xsl:for-each select="$entities[@entityID = $dup.entityID]">
-				<xsl:call-template name="error">
-					<xsl:with-param name="m">duplicate entityID: <xsl:value-of select='$dup.entityID'/></xsl:with-param>
-				</xsl:call-template>
-			</xsl:for-each>
-		</xsl:for-each>
-
-		<!-- check for duplicate OrganisationDisplayName values -->
-		<xsl:variable name="distinct.ODNs"
-			select="set:distinct($idps/md:Organization/md:OrganizationDisplayName)"/>
-		<xsl:variable name="dup.ODNs"
-			select="set:distinct(set:difference($idps/md:Organization/md:OrganizationDisplayName, $distinct.ODNs))"/>
-		<xsl:for-each select="$dup.ODNs">
-			<xsl:variable name="dup.ODN" select="."/>
-			<xsl:for-each select="$idps[md:Organization/md:OrganizationDisplayName = $dup.ODN]">
-				<xsl:call-template name="error">
-					<xsl:with-param name="m">duplicate OrganisationDisplayName: <xsl:value-of select='$dup.ODN'/></xsl:with-param>
-				</xsl:call-template>
-			</xsl:for-each>
-		</xsl:for-each>
-
-		<!--
-			Perform checks on child elements.
-		-->
-		<xsl:apply-templates/>
-	</xsl:template>
-
-
 	<!--
 		Check for role descriptors with missing KeyDescriptor elements.
 	-->

diff --git a/mdx/uk/collect.xml b/mdx/uk/collect.xml
@@ -36,9 +36,12 @@
         <property name="stages">
             <list>
                 <ref bean="uk_registeredEntities"/>
+                <ref bean="uk_performFixups"/>
                 <ref bean="uk_assemble"/>
                 <ref bean="uk_addTrustRoots"/>
                 <ref bean="normaliseNamespaces"/>
+                <ref bean="CHECK_publishable"/>
+                <ref bean="errorTerminatingFilter"/>
                 <ref bean="serializeCollected"/>
             </list>
         </property>

diff --git a/mdx/validation-beans.xml b/mdx/validation-beans.xml
@@ -22,6 +22,19 @@
         </property>
     </bean>
 
+    <!--
+        check_aggregate
+    -->
+    <bean id="check_aggregate" class="net.shibboleth.metadata.dom.XSLValidationStage"
+        lazy-init="true" init-method="initialize">
+        <property name="id" value="check_aggregate"/>
+        <property name="xslResource">
+            <bean class="org.opensaml.util.resource.FilesystemResource">
+                <constructor-arg value="#{ systemProperties['basedir'] }/build/check_aggregate.xsl"/>
+            </bean>
+        </property>
+    </bean>
+
     <!--
         check_filtered
     -->
@@ -289,12 +302,18 @@
 
     <!--
         CHECK_publishable
+
+        Check an aggregate metadata document for publishability.  This is applied during
+        all UK publication flows prior to any signature step.  It is not applied to
+        export flows, for which we desire the closest possible correspondence to
+        the registered metadata.
     -->
     <bean id="CHECK_publishable" class="net.shibboleth.metadata.pipeline.CompositeStage"
         init-method="initialize" lazy-init="true">
         <property name="id" value="CHECK_publishable"/>
         <property name="composedStages">
             <list>
+                <ref bean="check_aggregate"/>
                 <ref bean="check_filtered"/>
                 <ref bean="check_fixups"/>
             </list>