fix tests for 4.0

test-compose/idp/container_files/config/shib-idp/conf/access-control.xml

@@ -30,7 +30,7 @@
 
         <entry key="AccessByIPAddress">
             <bean id="AccessByIPAddress" parent="shibboleth.IPRangeAccessControl"
-                p:allowedRanges="#{ {'127.0.0.1/32', '::1/128', '172.17.0.0/24', '172.18.0.0/24', '10.255.0.0/16'} }" />
+                p:allowedRanges="#{ {'127.0.0.1/32', '::1/128'} }" />
         </entry>
 
         <!--

test-compose/idp/container_files/config/shib-idp/conf/admin/general-admin.xml

@@ -36,6 +36,18 @@
             p:loggingId="%{idp.service.logging.resolvertest:ResolverTest}"
             p:policyName="%{idp.resolvertest.accessPolicy:AccessByIPAddress}" />
 
+        <!-- Metadata Query -->
+        <bean parent="shibboleth.AdminFlow"
+            c:id="http://shibboleth.net/ns/profiles/mdquery"
+            p:loggingId="MetadataQuery"
+            p:policyName="AccessByIPAddress" />
+
+        <!-- REST AccountLockoutManager Access -->
+        <bean parent="shibboleth.AdminFlow"
+            c:id="http://shibboleth.net/ns/profiles/lockout-manager"
+            p:loggingId="Lockout"
+            p:policyName="AccessByIPAddress" />
+
         <!-- REST StorageService Access -->
         <bean parent="shibboleth.AdminFlow"
             c:id="http://shibboleth.net/ns/profiles/storage"
@@ -47,6 +59,15 @@
             c:id="http://shibboleth.net/ns/profiles/metrics"
             p:loggingId="Metrics"
             p:policyNameLookupStrategy-ref="shibboleth.metrics.AccessPolicyStrategy" />
+
+        <!-- Attended Startup Unlock -->
+        <!--
+        <bean parent="shibboleth.OneTimeAdminFlow"
+            c:id="http://shibboleth.net/ns/profiles/unlock-keys"
+            p:loggingId="UnlockKeys"
+            p:authenticated="true"
+            p:policyName="AccessByAdminUser" />
+        -->
 
     </util:list>
 

test-compose/idp/container_files/config/shib-idp/conf/admin/metrics.xml

@@ -28,6 +28,8 @@
                 <ref bean="shibboleth.metrics.RelyingPartyGaugeSet" />
                 <ref bean="shibboleth.metrics.AttributeResolverGaugeSet" />
                 <ref bean="shibboleth.metrics.AttributeFilterGaugeSet" />
+                <ref bean="shibboleth.metrics.CASServiceRegistryGaugeSet" />
+                <ref bean="shibboleth.metrics.ManagedBeanGaugeSet" />
 
                 <!--
                 <bean class="com.codahale.metrics.jvm.CachedThreadStatesGaugeSet"
@@ -59,6 +61,8 @@
         <entry key="relyingparty" value-ref="shibboleth.metrics.RelyingPartyGaugeSet" />
         <entry key="resolver" value-ref="shibboleth.metrics.AttributeResolverGaugeSet" />
         <entry key="filter" value-ref="shibboleth.metrics.AttributeFilterGaugeSet" />
+        <entry key="cas" value-ref="shibboleth.metrics.CASServiceRegistryGaugeSet" />
+        <entry key="bean" value-ref="shibboleth.metrics.ManagedBeanGaugeSet" />
     </util:map>
 
     <!-- If you don't specify an alternate access policy, this named policy will be enforced. -->

test-compose/idp/container_files/config/shib-idp/conf/attribute-filter.xml

@@ -4,53 +4,109 @@
     example file is illustrative of some simple cases, it relies on the names of
     non-existent example services and the example attributes demonstrated in the
     default attribute-resolver.xml file.
-    
-    Deployers should refer to the documentation for a complete list of components
-    and their options.
+
+    This example does contain some usable "general purpose" policies that may be
+    useful in conjunction with specific deployment choices, but those policies may
+    not be applicable to your specific needs or constraints.    
 -->
 <AttributeFilterPolicyGroup id="ShibbolethFilterPolicy"
         xmlns="urn:mace:shibboleth:2.0:afp"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="urn:mace:shibboleth:2.0:afp http://shibboleth.net/schema/idp/shibboleth-afp.xsd">
 
-    <!-- EXAMPLES -->
-    <!-- Release some attributes to an SP. -->
     <!--
-    <AttributeFilterPolicy id="example1">
-        <PolicyRequirementRule xsi:type="Requester" value="https://sp.example.org" />
+    Example rule relying on a locally applied tag in metadata to trigger attribute
+    release of some specific attributes. Add additional attributes as desired.
+    -->
+<!--
+	<AttributeFilterPolicy id="Per-Attribute-singleValued">
+	    <PolicyRequirementRule xsi:type="ANY" />
+	 
+	    <AttributeRule attributeID="eduPersonPrincipalName">
+	        <PermitValueRule xsi:type="EntityAttributeExactMatch"
+	            attributeName="http://shibboleth.net/ns/attributes/releaseAllValues"
+	            attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
+	            attributeValue="eduPersonPrincipalName" />
+	    </AttributeRule>
+	 
+	    <AttributeRule attributeID="mail">
+	        <PermitValueRule xsi:type="EntityAttributeExactMatch"
+	            attributeName="http://shibboleth.net/ns/attributes/releaseAllValues"
+	            attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
+	            attributeValue="mail" />
+	    </AttributeRule>
+	</AttributeFilterPolicy>
+-->
 
-        <AttributeRule attributeID="eduPersonPrincipalName">
-            <PermitValueRule xsi:type="ANY" />
-        </AttributeRule>
+    <!--
+    Same as above but more efficient form for an attribute with multiple values.
+    -->
+<!--
+    <AttributeFilterPolicy id="Per-Attribute-Affiliation">
+        <PolicyRequirementRule xsi:type="EntityAttributeExactMatch"
+            attributeName="http://shibboleth.net/ns/attributes/releaseAllValues"
+            attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
+            attributeValue="eduPersonScopedAffiliation" />
+     
+        <AttributeRule attributeID="eduPersonScopedAffiliation" permitAny="true" />
+    </AttributeFilterPolicy>
+-->
 
-        <AttributeRule attributeID="uid">
-            <PermitValueRule xsi:type="ANY" />
+    <!--
+    Example rule for honoring Subject ID requirement tag in metadata.
+    The example supplies pairwise-id if subject-id isn't explicitly required.
+    -->
+<!--
+    <AttributeFilterPolicy id="subject-identifiers">
+        <PolicyRequirementRule xsi:type="ANY" />
+
+        <AttributeRule attributeID="samlPairwiseID">
+            <PermitValueRule xsi:type="OR">
+                <Rule xsi:type="EntityAttributeExactMatch"
+                    attributeName="urn:oasis:names:tc:SAML:profiles:subject-id:req"
+                    attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
+                    attributeValue="pairwise-id" />
+                <Rule xsi:type="EntityAttributeExactMatch"
+                    attributeName="urn:oasis:names:tc:SAML:profiles:subject-id:req"
+                    attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
+                    attributeValue="any" />
+            </PermitValueRule>
         </AttributeRule>
 
-        <AttributeRule attributeID="mail">
-            <PermitValueRule xsi:type="ANY" />
+        <AttributeRule attributeID="samlSubjectID">
+            <PermitValueRule xsi:type="EntityAttributeExactMatch"
+                attributeName="urn:oasis:names:tc:SAML:profiles:subject-id:req"
+                attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
+                attributeValue="subject-id" />
         </AttributeRule>
     </AttributeFilterPolicy>
-	-->
-    <!-- Release eduPersonAffiliation to two specific SPs. -->
-    <!--
+-->
+
+    <!-- Release an additional attribute to an SP. -->
+<!--
+    <AttributeFilterPolicy id="example1">
+        <PolicyRequirementRule xsi:type="Requester" value="https://sp.example.org" />
+
+        <AttributeRule attributeID="uid" permitAny="true" />
+    </AttributeFilterPolicy>
+-->
+
+    <!-- Release eduPersonScopedAffiliation to two specific SPs. -->
+<!--
     <AttributeFilterPolicy id="example2">
         <PolicyRequirementRule xsi:type="OR">
             <Rule xsi:type="Requester" value="https://sp.example.org" />
             <Rule xsi:type="Requester" value="https://another.example.org/shibboleth" />
         </PolicyRequirementRule>
-
-        <AttributeRule attributeID="eduPersonScopedAffiliation">
-            <PermitValueRule xsi:type="ANY" />
-        </AttributeRule>
+        <AttributeRule attributeID="eduPersonScopedAffiliation" permitAny="true" />
     </AttributeFilterPolicy>
-	-->
-	
+-->
+
     <!-- Attribute release for all SPs (global) tagged as 'Research and Scholarship' -->
     <AttributeFilterPolicy id="releaseRandSAttributeBundle">
         <PolicyRequirementRule xsi:type="EntityAttributeExactMatch"
-			attributeName="http://macedir.org/entity-category"
-			attributeValue="http://refeds.org/category/research-and-scholarship"/>
+                        attributeName="http://macedir.org/entity-category"
+                        attributeValue="http://refeds.org/category/research-and-scholarship"/>
         <AttributeRule attributeID="eduPersonPrincipalName">
             <PermitValueRule xsi:type="ANY" />
         </AttributeRule>
@@ -70,13 +126,12 @@
             <PermitValueRule xsi:type="ANY" />
         </AttributeRule>
     </AttributeFilterPolicy>
-
-
+
     <!-- Attribute release for all InCommon SPs -->
-    <AttributeFilterPolicy id="releaseToInCommon">	
+    <AttributeFilterPolicy id="releaseToInCommon">
         <PolicyRequirementRule xsi:type="EntityAttributeExactMatch"
-			attributeName="http://macedir.org/entity-category"
-			attributeValue="http://id.incommon.org/category/registered-by-incommon"/>
+                        attributeName="http://macedir.org/entity-category"
+                        attributeValue="http://id.incommon.org/category/registered-by-incommon"/>
         <AttributeRule attributeID="eduPersonPrincipalName">
             <PermitValueRule xsi:type="ANY" />
         </AttributeRule>

test-compose/idp/container_files/config/shib-idp/conf/mvc-beans.xml → test-compose/idp/container_files/config/shib-idp/conf/attribute-registry.xml

@@ -1,23 +1,26 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <beans xmlns="http://www.springframework.org/schema/beans"
-       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xmlns:context="http://www.springframework.org/schema/context"
        xmlns:util="http://www.springframework.org/schema/util"
        xmlns:p="http://www.springframework.org/schema/p"
        xmlns:c="http://www.springframework.org/schema/c"
-       xmlns:mvc="http://www.springframework.org/schema/mvc"
+       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
-                           http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc.xsd
                            http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
                            http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
 
        default-init-method="initialize"
        default-destroy-method="destroy">
 
     <!--
-    Use this file to define any custom MVC beans needed. Its contents are imported
-    by system/conf/mvc-beans.xml, which configures a lot of the low-level Spring Web
-    behavior of the IdP. You can ignore this file otherwise.
-    -->
+    The system comes preconfigured to load rules directly from resource files
+    configured in services.xml so they're monitored for changes.
     
+    You can add mappings here, add more XML resource files,
+    or drop property files into the directory noted below.
+    -->
+
+    <!-- Default directory for custom mappings. -->
+    <bean parent="shibboleth.TranscodingRuleLoader" c:_0="%{idp.home}/conf/attributes/custom" />
+
 </beans>