Merge remote-tracking branch 'upstream/master'

.gitignore

@@ -141,6 +141,7 @@
 /xml/member-dates.txt
 /xml/ukfederation-metadata-master.xml
 /xml/ukfederation-export-unsigned.xml
+/xml/ukfederation-export-preview-unsigned.xml
 /xml/ukfederation-test-unsigned.xml
 /xml/ukfederation-export.xml
 /xml/ukfederation-stats.html

build.xml

@@ -107,6 +107,8 @@
     <property name="md.prod.unsigned"   value="ukfederation-metadata-unsigned.xml"/>
     <property name="md.test.unsigned"   value="ukfederation-test-unsigned.xml"/>
     <property name="md.export.unsigned" value="ukfederation-export-unsigned.xml"/>
+    <property name="md.export.preview.unsigned"
+                                        value="ukfederation-export-preview-unsigned.xml"/>
     <property name="md.back.unsigned"   value="ukfederation-back-unsigned.xml"/>
     <property name="md.wayf.unsigned"   value="ukfederation-wayf-unsigned.xml"/>
     <property name="md.cdsall.unsigned" value="ukfederation-cdsall-unsigned.xml"/>
@@ -118,6 +120,8 @@
     <property name="md.prod.signed"     value="ukfederation-metadata.xml"/>
     <property name="md.test.signed"     value="ukfederation-test.xml"/>
     <property name="md.export.signed"   value="ukfederation-export.xml"/>
+    <property name="md.export.preview.signed"
+                                        value="ukfederation-export-preview.xml"/>
     <property name="md.back.signed"     value="ukfederation-back.xml"/>
     <property name="md.wayf.signed"     value="ukfederation-wayf.xml"/>
     <property name="md.cdsall.signed"   value="ukfederation-cdsall.xml"/>
@@ -280,6 +284,7 @@
                 <include name="${md.test.signed}"/>
                 <include name="${md.back.signed}"/>
                 <include name="${md.export.signed}"/>
+                <include name="${md.export.preview.signed}"/>
             </fileset>
         </scp>
     </target>
@@ -349,9 +354,10 @@
         <VFY.remote.both i="${md.prod.signed}"/>
         <VFY.remote.both i="${md.wayf.signed}"/>
         <VFY.remote.both i="${md.cdsall.signed}"/>
-        <VFY.remote i="${md.test.signed}"/>
+        <VFY.remote.both i="${md.test.signed}"/>
         <VFY.remote.both i="${md.back.signed}"/>
-        <VFY.remote i="${md.export.signed}"/>
+        <VFY.remote.both i="${md.export.signed}"/>
+        <VFY.remote.both i="${md.export.preview.signed}"/>
         <echo>Verification completed.</echo>
     </target>
 
@@ -413,6 +419,7 @@
                WAYF/CDS aggregates
                test aggregate
                export aggregate
+               export preview aggregate
                fallback aggregate
                statistics
         -->
@@ -427,6 +434,7 @@
         <MDNORM.noblank i="${xml.dir}/${md.cms.unsigned}"/>
         <MDNORM i="${xml.dir}/${md.test.unsigned}"/>
         <MDNORM i="${xml.dir}/${md.export.unsigned}"/>
+        <MDNORM i="${xml.dir}/${md.export.preview.unsigned}"/>
         <MDNORM i="${xml.dir}/${md.back.unsigned}"/>
         <fixcrlf file="${xml.dir}/ukfederation-stats.html" eol="lf" encoding="UTF-8"/>
 
@@ -601,7 +609,7 @@
         <attribute name="i"/>
         <sequential>
             <MDT i="@{i}" o="${null.device}"
-                keystore="${build.dir}/ukfederation-2012.jks"
+                keystore="${mdx.dir}/uk/ukfederation-2012.jks"
                 alias="${keystore.uk.vfy.alias}"/>
         </sequential>
     </macrodef>
@@ -694,7 +702,7 @@
                 <args>
                     <arg value="--verifySignature"/>
                     <arg value="--certificate"/>
-                    <arg value="${build.dir}/ukfederation-2012.pem"/>
+                    <arg value="${mdx.dir}/uk/ukfederation-2012.pem"/>
                     <!--
                     <arg value="- -quiet"/>
                     -->
@@ -809,6 +817,9 @@
         <echo>Signing UK export metadata.</echo>
         <SIGN.uk i="${md.export.unsigned}" o="${md.export.signed}" digest="SHA-256"/>
 
+        <echo>Signing UK export preview metadata.</echo>
+        <SIGN.uk i="${md.export.preview.unsigned}" o="${md.export.preview.signed}" digest="SHA-256"/>
+
         <echo>Signing UK fallback metadata.</echo>
         <SIGN.uk i="${md.back.unsigned}" o="${md.back.signed}" digest="SHA-256"/>
 
@@ -851,10 +862,13 @@
         <VFY.uk.both i="${md.cdsall.signed}"/>
 
         <echo>Verifying signed UK test metadata.</echo>
-        <XMLSECTOOL.VFY.uk i="${md.test.signed}"/>
+        <VFY.uk.both i="${md.test.signed}"/>
 
         <echo>Verifying signed UK export metadata.</echo>
-        <XMLSECTOOL.VFY.uk i="${md.export.signed}"/>
+        <VFY.uk.both i="${md.export.signed}"/>
+
+        <echo>Verifying signed UK export preview metadata.</echo>
+        <VFY.uk.both i="${md.export.preview.signed}"/>
 
         <echo>Verifying signed UK fallback metadata.</echo>
         <VFY.uk.both i="${md.back.signed}"/>

mdx/common-beans.xml

@@ -609,6 +609,7 @@
     -->
     <bean id="md-NameIDFormat"            parent="QName" c:_0-ref="md_namespace" c:_1="NameIDFormat"/>
     <bean id="md-OrganizationDisplayName" parent="QName" c:_0-ref="md_namespace" c:_1="OrganizationDisplayName"/>
+    <bean id="md-OrganizationURL"         parent="QName" c:_0-ref="md_namespace" c:_1="OrganizationURL"/>
 
     <!--
         Basic EntitiesDescriptor disassembler pipeline stage.
@@ -737,6 +738,7 @@
     -->
 
     <bean id="mdui-InformationURL" parent="QName" c:_0-ref="mdui_namespace" c:_1="InformationURL"/>
+    <bean id="mdui-Logo"           parent="QName" c:_0-ref="mdui_namespace" c:_1="Logo"/>
 
     <bean id="stripMDUIDiscoHints" parent="ElementStrippingStage"
         p:id="stripMDUIDiscoHints"
@@ -1022,7 +1024,9 @@
             <set>
                 <ref bean="md-NameIDFormat"/>
                 <ref bean="md-OrganizationDisplayName"/>
+                <ref bean="md-OrganizationURL"/>
                 <ref bean="mdui-InformationURL"/>
+                <ref bean="mdui-Logo"/>
             </set>
         </property>
     </bean>

mdx/int_edugain/beans.xml

@@ -67,7 +67,7 @@
     <bean id="int_edugain_signingCertificate" parent="X509CertificateFactoryBean">
         <property name="certificateFile">
             <bean class="java.io.File">
-                <constructor-arg value="${basedir}/mdx/int_edugain/edugain-signer.crt"/>
+                <constructor-arg value="${basedir}/mdx/int_edugain/mds-2014.cer"/>
             </bean>
         </property>
     </bean>

mdx/int_edugain/mds-2014.cer

@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC1DCCAbwCCQDDDZyGtn6K8TANBgkqhkiG9w0BAQUFADAsMQ4wDAYDVQQKEwVH
+RUFOVDEaMBgGA1UEAxMRZWR1R0FJTiBTaWduZXIgQ0EwHhcNMTQwNzAyMTQzNDQ5
+WhcNMTkwNzAxMTQzNDQ5WjAsMQ4wDAYDVQQKEwVHRUFOVDEaMBgGA1UEAxMRZWR1
+R0FJTiBTaWduZXIgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCR
+fl1zhkaFveJvJtS03bRIO3k77q2s5m+c6sQ83j71rIad+vGCO29S4JHBXHI/U57y
+NbNLgoKzl0MI4WQrs4KT/y+LPMFB9M0lNrALQd/op6PNc7CWKMN1yV8V/L74/vap
+Rlb90gPVJABHmoAfQmjyMXLW38KLwzK1qEpKUIxPBfQMBawmh0gC2T5ndZndcMPp
+gsMXyG2AZ4QGSOt4tgpspjTSRY++X+gi9WUuWzsEHHdFhCR9UYQ6+1glMVheJjVm
+oD0b9V/KQ0BF/1zry2jfWlchFeILlWbWgiWsIBA4BPNHqFW42qGgUr9DI3FzRLHX
+qF2N2f592tzcTeDZ11ejAgMBAAEwDQYJKoZIhvcNAQEFBQADggEBACq0ER17moQB
+/39SstbsWdpGQMIsrHZ+ERF7jYdjnE/63xBfMIVFQo2G1PW0cZ1ckpLIQMyKyTAv
+9RAVxv3WVnQ9IGh715jP/QHH7ycTM7oE5XdpNzNMRDMevrtTa1T/GX6G6+cc73JG
+VoJ9JQNXbLv5bspyG9kkIu9VQqUqlrUWTjzBBysAYj4kR1gorrUmI7l2GBrrcGej
+Q57VXdUxaCKzQita0aSSzbHQ+2BxcvYV1r4QWm6Jv8HTn3c4B1d6QbaSEgGHSCkp
+CxwOq82gt1OM/hOz7wzkIQohaYEo3koNlGsat5Hc24VffcosRmNFYmGU+dCnwHDO
+YuxCFwLHAcg=
+-----END CERTIFICATE-----

mdx/ns_norm.xsl

@@ -46,6 +46,7 @@
 	xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
 	xmlns:ukfedlabel="http://ukfederation.org.uk/2006/11/label"
 	xmlns:wayf="http://sdss.ac.uk/2006/06/WAYF"
+	xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
 
 	exclude-result-prefixes="md"
 	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
@@ -184,6 +185,12 @@
 			<xsl:apply-templates select="node()|@*"/>
 		</xsl:element>
 	</xsl:template>
+
+	<xsl:template match="xenc:*">
+		<xsl:element name="xenc:{local-name()}">
+			<xsl:apply-templates select="node()|@*"/>
+		</xsl:element>
+	</xsl:template>
 
 
 	<!--

mdx/uk/beans.xml

@@ -74,7 +74,7 @@
     <bean id="uk_signingCertificate" parent="X509CertificateFactoryBean">
         <property name="certificateFile">
             <bean class="java.io.File">
-                <constructor-arg value="${basedir}/mdx/uk/metadata-signer.crt"/>
+                <constructor-arg value="${basedir}/mdx/uk/ukfederation-2012.pem"/>
             </bean>
         </property>
     </bean>

mdx/uk/generate.xml

@@ -338,7 +338,6 @@
                 <ref bean="errorTerminatingFilter"/>
 
                 <ref bean="uk_assemble"/>
-                <ref bean="stripMdattrNamespace"/>
                 <ref bean="fixup_EncryptionMethod"/>
                 <ref bean="performOtherFixups"/>
                 <ref bean="uk_finaliseProduction"/>
@@ -724,6 +723,61 @@
         </property>
     </bean>
 
+    <!--
+        ***********************************************************
+        ***                                                     ***
+        ***   E X P O R T   P R E V I E W   A G G R E G A T E   ***
+        ***                                                     ***
+        ***********************************************************
+    -->
+
+    <bean id="uk_exportPreviewSelector" class="net.shibboleth.metadata.dom.XPathItemSelectionStrategy">
+        <constructor-arg value="/md:EntityDescriptor[not(md:Extensions/ukfedlabel:ExportOptOut)]"/>
+        <constructor-arg ref="commonNamespaces"/>
+    </bean>
+
+    <bean id="uk_exportPreviewPipeline" parent="SimplePipeline"
+        p:id="uk_exportPreviewPipeline">
+        <property name="stages">
+            <list>
+                <!--
+                    Enforce IdP display name uniqueness before assembling aggregate
+                -->
+                <ref bean="check_dup_display"/>
+                <ref bean="errorTerminatingFilter"/>
+
+                <ref bean="stripUkfedlabelNamespace"/>
+                <ref bean="stripWayfNamespace"/>
+                <ref bean="stripKeyNames"/>
+                <ref bean="uk_assemble"/>
+                <ref bean="stripEntityScopes"/>
+                <ref bean="removeEmptyExtensions"/>
+                <ref bean="uk_finaliseExport"/>
+                <ref bean="uk_normaliseExport"/>
+
+                <!--
+                    Schema validity and other checks MUST pass.
+                    
+                    These are a subset of the publishability tests applied to
+                    aggregates published to federation members.
+                -->
+                <ref bean="checkSchemas"/>
+                <ref bean="check_aggregate"/>
+                <ref bean="check_namespaces"/>
+                <ref bean="errorTerminatingFilter"/>
+
+                <bean parent="SerializationStage" p:id="serializeUnsignedExportPreviewAggregate">
+                    <property name="outputFile">
+                        <bean class="java.io.File">
+                            <constructor-arg value="${basedir}/xml/ukfederation-export-preview-unsigned.xml"/>
+                        </bean>
+                    </property>
+                </bean>
+
+            </list>
+        </property>
+    </bean>
+
     <!--
         *************************************
         ***                               ***
@@ -884,12 +938,12 @@
                 -->
 
                 <!--
-                    Fork a new output pipeline for the export aggregate.
+                    Fork a new output pipeline for the export and export preview aggregates.
                     
-                    The export aggregate only includes UK-registered entities,
+                    These aggregates only include UK-registered entities,
                     so the fork needs to occur before any others are introduced.
                     
-                    The export aggregate is also intended to reflect the registered
+                    The export aggregates are also intended to reflect the registered
                     metadata as closely as possible, so the fork must happen before
                     too many UK-specific transformations are performed.
                 -->
@@ -901,6 +955,10 @@
                                 <constructor-arg ref="uk_exportPipeline"/>
                                 <constructor-arg ref="uk_exportSelector"/>
                             </bean>
+                            <bean class="net.shibboleth.utilities.java.support.collection.Pair">
+                                <constructor-arg ref="uk_exportPreviewPipeline"/>
+                                <constructor-arg ref="uk_exportPreviewSelector"/>
+                            </bean>
                         </list>
                     </property>
                     <property name="waitingForPipelines" value="true"/>

mdx/uk/metadata-signer.crt → mdx/uk/ukfederation-2014.pem

@@ -1,9 +1,9 @@
 -----BEGIN CERTIFICATE-----
-MIIDxzCCAq+gAwIBAgIJANixLkdCTNtvMA0GCSqGSIb3DQEBBQUAMHoxCzAJBgNV
+MIIDxzCCAq+gAwIBAgIJAOwuoY8tsvYGMA0GCSqGSIb3DQEBCwUAMHoxCzAJBgNV
 BAYTAkdCMUMwQQYDVQQKDDpVSyBBY2Nlc3MgTWFuYWdlbWVudCBGZWRlcmF0aW9u
 IGZvciBFZHVjYXRpb24gYW5kIFJlc2VhcmNoMSYwJAYDVQQDDB1VSyBGZWRlcmF0
-aW9uIE1ldGFkYXRhIFNpZ25lcjAeFw0xMjEwMTEwNzA4MThaFw0xNDExMTYwNzA4
-MThaMHoxCzAJBgNVBAYTAkdCMUMwQQYDVQQKDDpVSyBBY2Nlc3MgTWFuYWdlbWVu
+aW9uIE1ldGFkYXRhIFNpZ25lcjAeFw0xNDA4MjYxMjIwMjhaFw0zNzEyMzExMjIw
+MjhaMHoxCzAJBgNVBAYTAkdCMUMwQQYDVQQKDDpVSyBBY2Nlc3MgTWFuYWdlbWVu
 dCBGZWRlcmF0aW9uIGZvciBFZHVjYXRpb24gYW5kIFJlc2VhcmNoMSYwJAYDVQQD
 DB1VSyBGZWRlcmF0aW9uIE1ldGFkYXRhIFNpZ25lcjCCASIwDQYJKoZIhvcNAQEB
 BQADggEPADCCAQoCggEBAOqtfMvCmBuQudC4/jZFPYkHDNHFyp1FA3KJihIUXppF
@@ -13,11 +13,11 @@ ks0NqIaZmtgc7e8435nMhqLHV95UK2oCLcT4gZrTaXa2vt9kukTOijB0KqDIfEG5
 PA2JYEpovmnr13sTnGssai5Db/FkrE2NJ4Q4drbPYcwincUo/UXzrtuPclr+l3JE
 gjtvDzPrBxxvK0S/gARrbKz5tk4LDLkYsj4PKlwVS+UCAwEAAaNQME4wHQYDVR0O
 BBYEFE9HhBuMxrzBYOj1Kj/3gtzAgtUEMB8GA1UdIwQYMBaAFE9HhBuMxrzBYOj1
-Kj/3gtzAgtUEMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADggEBAByZ5haR
-hr8QqCo8DWO1qgVkUpPR1e/EFl+zV633esn5GJxIkD95va1Lxv84BmLBTD+EtX3T
-OkrXccIL1PCUkGmP3xVsh99mzsVEGmfTC0wu8PYDz1UvUwQLcjg6YQDN3GmA1EUW
-gt2cL8F4Q4/saowkkYjt0wWGQ/SNhwnGWwpo4ViTnoh3sNgr5gPHlozDGkL1NPG1
-bxdmyxmkr778yExS9xoEC4+Bnm7ApJyv3R2L9fpxCfEjE4tf3rWiSQL0Ss5etZNH
-9qmw7sGZ7xX0g6rcki/r5Y9u0v/rRKvIOw8/YGW5B2P3Ij/paJWzasZsdsgj0pDJ
-buk20xhyzBW6D/I=
+Kj/3gtzAgtUEMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBALJkjT3K
+QL3w3xNfVe27nEOY44K2AZiu4IhqmRSslcyMnhnxrovEhLL3ieKFXQ+QFIkzVdR5
+BcO3NrSIz5V6b+mHtr5IjqLFHzOzzjw/3i8LddGOsApJiav+JrU1CGJXCU4cwYDN
+hAyfuAlrrEEL2lWMU1L1ZTzHsG1yWTfukfuvTftY5BwZ/dgANgIWwLDhvL6CAQZ3
+g5XteFPyChU0Z7b3XAHdVNHDa2VzWSsSUDtSQZ9DyTuqSjZH1q2/qtdMcrbJpdMB
+cndOf1pZRLzb6a+akIYi//1qO48HpB4wouH9gS3ZER+rNBhVWu301UYxoVI7o8mG
+Yq7dENJce7lO9yE=
 -----END CERTIFICATE-----