
Produce the IdP-only aggregate #1

60 changes: 60 additions & 0 deletions build.xml
Expand Up @@ -2655,6 +2655,66 @@
<echo>Generation complete.</echo>
</target>

<!--
inc.mdq-combined.localkey
Generate all required metadata for the InCommon MDQ service
using the localkey configuration:
* Per-entity metadata
* InCommon IdP-only aggregate
Properties:
Set sign.uk.keyPassword (note the slightly anomalous "uk" in that
identifier) to set the password to access the key resource. If not set,
this will be prompted for.
-->
<target name="inc.mdq.combined.localkey" depends="get.sign.uk.keyPassword">
<property name="mda.mdq.input" value="${mda.inc.imported.xml}"/>
<property name="mda.sign.keyPassword" value="${sign.uk.keyPassword}"/>
<echo>Generating per-entity metadata in ${mda.mdq.output}</echo>
<echo> (IdP-only aggregate in ${mda.mdq.output}/idps.xml)</echo>
<echo> from unsigned aggregate in ${mda.mdq.input}</echo>
<delete dir="${mdq.output.dir}" quiet="true"/>
<mkdir dir="${mdq.output.dir}"/>
<mkdir dir="${mdq.output.dir}/idps"/>
<CHANNEL.do channel="incommon" verb="mdq-combined-localkey"/>
<echo>Generation complete.</echo>
</target>

<!--
inc.mdq.combined.cloudhsm
Generate all required metadata for the InCommon MDQ service
using the cloudhsm configuration:
* Per-entity metadata
* InCommon IdP-only aggregate
Properties:
Set sign.uk.keyPassword (note the slightly anomalous "uk" in that
identifier) to set the password to access the key resource. If not set,
this will be prompted for.
-->
<target name="inc.mdq.combined.cloudhsm" depends="get.sign.uk.keyPassword">
<property name="mda.mdq.input" value="${mda.inc.imported.xml}"/>
<property name="mda.sign.keyHandle" value="${sign.keyHandle}"/>
<property name="mda.sign.keyUser" value="${sign.keyUser}"/>
<property name="mda.sign.keyPassword" value="${sign.keyPassword}"/>
<property name="mda.classpath.extra" value="inc-mda-cloudhsm"/>
<property name="mda.jni.path" value="/opt/cloudhsm/lib"/>
<echo>Generating per-entity metadata in ${mda.mdq.output}</echo>
<echo> (IdP-only aggregate in ${mda.mdq.output}/idps.xml)</echo>
<echo> from unsigned aggregate in ${mda.mdq.input}</echo>
<delete dir="${mdq.output.dir}" quiet="true"/>
<mkdir dir="${mdq.output.dir}"/>
<mkdir dir="${mdq.output.dir}/idps"/>
<CHANNEL.do channel="incommon" verb="mdq-combined-cloudhsm"/>
<echo>Generation complete.</echo>
</target>

<!--
inc.mdq.generate.localkey
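Review bot: The `inc.mdq.combined.cloudhsm` target depends on `get.sign.uk.keyPassword` and its header comment documents `sign.uk.keyPassword`, but the target never reads that property; what it actually consumes is `sign.keyHandle`, `sign.keyUser` and `sign.keyPassword` (copied into `mda.sign.keyHandle`, `mda.sign.keyUser`, `mda.sign.keyPassword`), none of which the comment mentions, so the prompted password is discarded while the credentials really used can be silently empty. Dropping the `depends` attribute and replacing the Properties paragraph with a sentence naming the three properties, what each identifies (the HSM key handle, the HSM user, and that user's password) and that the password should come from the environment or a prompt rather than a committed properties file would make the contract visible. Both new targets echo `(IdP-only aggregate in ${mda.mdq.output}/idps.xml)`, yet the cloudhsm pipeline in this PR serialises that aggregate to `${mdq.output}/idps/all.xml` and the targets create `${mdq.output.dir}/idps`, so the message should read `(IdP-only aggregate in ${mda.mdq.output}/idps/all.xml)` unless the localkey pipeline, which is not in this view, writes elsewhere. The comment naming the first target reads `inc.mdq-combined.localkey` whereas the target is `inc.mdq.combined.localkey`. build.xml continues outside the hunk on both sides.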
224 changes: 224 additions & 0 deletions mdx/incommon/mdq-combined-cloudhsm.xml
@@ -0,0 +1,224 @@
<?xml version="1.0" encoding="UTF-8"?>
<!--
Generate and sign per-entity metadata using a local private key resource.
-->
<beans xmlns="http://www.springframework.org/schema/beans"
default-lazy-init="true"
xmlns:c="http://www.springframework.org/schema/c"
xmlns:p="http://www.springframework.org/schema/p"
xmlns:util="http://www.springframework.org/schema/util"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="
http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd">

<!--
Import commonly used beans.
-->
<import resource="classpath:common-beans.xml"/>

<!--
Import inc-mda beans. (from import.xml)
-->
<import resource="classpath:uk/org/iay/incommon/mda/beans.xml"/>

<!--
Import channel-specific beans.
-->
<import resource="classpath:incommon/beans.xml"/>

<!-- This bean MUST be called "conversionService" to work properly. -->
<bean id="conversionService" class="org.springframework.context.support.ConversionServiceFactoryBean">
<property name="converters">
<set>
<bean class="net.shibboleth.ext.spring.config.DurationToLongConverter" />
<bean class="net.shibboleth.ext.spring.config.StringToIPRangeConverter" />
<bean class="net.shibboleth.ext.spring.config.BooleanToPredicateConverter" />
<bean class="net.shibboleth.ext.spring.config.StringBooleanToPredicateConverter" />
<bean class="net.shibboleth.ext.spring.config.StringToResourceConverter" />
</set>
</property>
</bean>

<!--
***********************************************************
*** ***
*** C O M M O N O U T P U T P R O C E S S I N G ***
*** ***
***********************************************************
-->

<bean id="common.output" parent="mda.CompositeStage">
<property name="composedStages">
<list>
<!-- Construct a new aggregate from the collection of entities. -->
<bean id="inc.assemble" parent="mda.EntitiesDescriptorAssemblerStage">
<property name="itemOrderingStrategy">
<bean parent="inc.InCommonEntityOrderingStrategy"
c:_-ref="us_incommon_registrar"/>
</property>
</bean>

<!-- Apply final tweaks to the aggregate. -->
<bean id="finalise" parent="incommon_finalise_parent">
<property name="transformParameters">
<map>
<entry key="extraText" value="Contains InCommon and eduGAIN metadata"/>
<entry key="publisher" value-ref="us_incommon_registrar"/>
</map>
</property>
</bean>

<!-- Normalise the use of namespace prefixes in the resulting XML document. -->
<bean id="normalise" parent="mda.XSLTransformationStage"
p:XSLResource="classpath:incommon/ns_norm_import.xsl"/>
</list>
</property>
</bean>

<!--
*****************************************
*** ***
*** I D P - O N L Y O U T P U T ***
*** ***
*****************************************
-->

<!--
idp.serialize
Writes the IdP-only aggregate out to a file.
-->
<bean id="idp.serialize" parent="mda.SerializationStage">
<property name="serializer" ref="serializer"/>
<property name="outputFile">
<bean parent="File">
<constructor-arg value="${mdq.output}/idps/all.xml"/>
</bean>
</property>
</bean>

<!--
idp.selector
Entities in the IdP-only aggregate are restricted to identity providers.
-->
<bean id="idp.selector" parent="mda.XPathItemSelectionStrategy">
<constructor-arg value="/md:EntityDescriptor[md:IDPSSODescriptor]"/>
<constructor-arg ref="commonNamespaces"/>
</bean>

<!--
idp.pipeline
Generates the IdP-only aggregate. The selector has already taken care
of removing non-IdP entities.
-->
<bean id="idp.pipeline" parent="mda.SimplePipeline">
<property name="stages">
<list>
<!-- Perform common steps in constructing an output aggregate. -->
<ref bean="common.output"/>

<!-- Write the resulting aggregate out to a file. -->
<ref bean="idp.serialize"/>
</list>
</property>
</bean>

<!--
Generate all required metadata for the InCommon MDQ service
using the localkey configuration:
* Per-entity metadata
* InCommon aggregate
* InCommon IdP-only aggregate
Properties:
Set sign.uk.keyPassword (note the slightly anomalous "uk" in that
identifier) to set the password to access the key resource. If not set,
this will be prompted for.
-->
<bean id="mdq-combined-cloudhsm" parent="mda.SimplePipeline">
<property name="stages">
<list>
<!--
Start with the unsigned production aggregate.
TODO: (MDQ-177) For now, we're actually starting with a signed aggregate;
this pipeline isn't configured to check the signature
-->
<bean id="production_aggregate" parent="mda.DOMResourceSourceStage">
<property name="parserPool" ref="parserPool"/>
<property name="DOMResource">
<bean parent="FileSystemResource" c:_0="${mdq.input}"/>
</property>
</bean>

<!-- Break down into individual entities. -->
<ref bean="disassemble"/>

<!-- Include a default registrationAuthority for each entity. -->
<ref bean="us_incommon_default_regauth"/>

<!-- Populate identifiers for future actions. -->
<ref bean="populateItemIds"/>
<ref bean="populateRegistrationAuthorities"/>

<!-- Discard entities in the InCommon entity blacklist. -->
<ref bean="remove_blacklisted_incommon_entities"/>

<!-- Fork new pipelines to generate special aggregates. -->
<bean id="demux" parent="mda.PipelineDemultiplexerStage">
<property name="pipelineAndSelectionStrategies">
<list>
<!-- IdP-only aggregate. -->
<bean class="net.shibboleth.utilities.java.support.collection.Pair">
<constructor-arg ref="idp.pipeline"/>
<constructor-arg ref="idp.selector"/>
</bean>
</list>
</property>
<property name="waitingForPipelines" value="true"/>
</bean>

<!-- Set ID, cacheDuration and validUntil attributes. -->
<bean parent="mda.GenerateIdStage"/>
<bean parent="mda.SetValidUntilStage" p:validityDuration="P14D"/>

<!-- Identity transform fixes signing issues. -->
<bean parent="mda.XSLTransformationStage"
p:XSLResource="classpath:identity.xsl"/>

<!-- Sign each item. -->
<bean id="perform.signature" parent="mda.XMLSignatureSigningStage">
<property name="privateKey">
<bean class="uk.org.iay.incommon.mda.cloudhsm.CaviumPrivateKeyFactoryBean"
p:username="${sign.keyUser}"
p:password="${sign.keyPassword}"
p:keyHandle="${sign.keyHandle}"
/>
</property>
</bean>

<!-- Write individual entity documents to files. -->
<bean id="write.perentity" parent="mda.MultiOutputSerializationStage">
<property name="serializer" ref="serializer"/>
<property name="outputStrategy">
<bean parent="mda.FilesInDirectoryMultiOutputStrategy" p:nameSuffix=".xml">
<property name="directory">
<bean parent="File" c:_="${mdq.output}"/>
</property>
<property name="nameTransformer">
<bean parent="mda.PathSegmentStringTransformer"/>
</property>
</bean>
</property>
</bean>

</list>
</property>

</bean>

</beans>
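Review bot: The IdP-only aggregate produced by `idp.pipeline` is forked by `demux` before `mda.GenerateIdStage`, `mda.SetValidUntilStage` and `perform.signature` run, and `common.output` holds only the assemble/finalise/normalise stages, so unless `incommon_finalise_parent` (defined outside this file) adds them, `${mdq.output}/idps/all.xml` is written with no ID, no validUntil and no XML signature even though every per-entity document is signed. If that is unintended, `idp.pipeline` needs its own ID/validUntil stages and a reference to the signing stage, which must then be hoisted out of the main pipeline's list to a top-level bean (an `id` on a nested bean is not resolvable by `ref`) as sketched below; if it is intended, the `idp.serialize` comment should state that the aggregate is deliberately unsigned so nobody publishes it as trusted metadata. The file header comment (`Generate and sign per-entity metadata using a local private key resource.`) and the comment above `mdq-combined-cloudhsm` still describe the localkey variant, list a plain InCommon aggregate this pipeline does not produce and name `sign.uk.keyPassword`, whereas the signing bean uses `CaviumPrivateKeyFactoryBean` with `sign.keyUser`, `sign.keyPassword` and `sign.keyHandle`; both comments should be rewritten for the CloudHSM case. The MDQ-177 TODO already records that the input signature is not verified, so until that lands the integrity of everything this pipeline signs rests on the filesystem protection of `${mdq.input}`, which is worth saying in that comment.
```xml
<!-- perform.signature moved here from the mdq-combined-cloudhsm stage list, unchanged, so both pipelines can reference it -->

<bean id="idp.pipeline" parent="mda.SimplePipeline">
    <property name="stages">
        <list>
            <!-- Perform common steps in constructing an output aggregate. -->
            <ref bean="common.output"/>

            <!-- Give the aggregate an ID and validity period and sign it, as the per-entity documents are. -->
            <bean parent="mda.GenerateIdStage"/>
            <bean parent="mda.SetValidUntilStage" p:validityDuration="P14D"/>
            <ref bean="perform.signature"/>

            <!-- Write the resulting aggregate out to a file. -->
            <ref bean="idp.serialize"/>
        </list>
    </property>
</bean>

<!-- … unchanged: mdq-combined-cloudhsm pipeline, with the inline signing bean replaced by <ref bean="perform.signature"/> … -->
```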