
Add default exclusion rules to the export preview aggregate.
ExportOptOut always opts an entity out. ExportOptIn always opts an entity in. If an entity has neither label, it is included in the export preview aggregate unless it falls into one of these categories:

* IdPs lacking SAML 2.0 support
* aggregated schools sector IdPs
* IdPs with Scope elements with regexp="true"
iay committed Aug 28, 2014
1 parent 352937d commit 18ffcd5
Showing 2 changed files with 88 additions and 4 deletions.
6 changes: 6 additions & 0 deletions mdx/common-beans.xml
Expand Up @@ -261,6 +261,12 @@

<bean id="PipelineMergeStage.deduplicate" abstract="true" parent="PipelineMergeStage"
p:collectionMergeStrategy-ref="deduplicateMergeStrategy"/>

<bean id="SplitMergeStage" abstract="true" parent="stage_parent"
class="net.shibboleth.metadata.pipeline.SplitMergeStage"/>

<bean id="XPathItemSelectionStrategy" abstract="true"
class="net.shibboleth.metadata.dom.XPathItemSelectionStrategy"/>

<!-- *** Parent beans for ukf-mda. *** -->

86 changes: 82 additions & 4 deletions mdx/uk/generate.xml
Expand Up @@ -361,7 +361,7 @@
***************************************
-->

<bean id="uk_wayfSelector" class="net.shibboleth.metadata.dom.XPathItemSelectionStrategy">
<bean id="uk_wayfSelector" parent="XPathItemSelectionStrategy">
<constructor-arg value="/md:EntityDescriptor[not(md:Extensions/wayf:HideFromWAYF)]"/>
<constructor-arg ref="commonNamespaces"/>
</bean>
Expand Down Expand Up @@ -479,7 +479,7 @@
Entities in the CDSALL aggregate are restricted to those entities registered by the
UK federation plus all identity providers from whatever source.
-->
<bean id="CDSAllSelector" class="net.shibboleth.metadata.dom.XPathItemSelectionStrategy">
<bean id="CDSAllSelector" parent="XPathItemSelectionStrategy">
<constructor-arg value="/md:EntityDescriptor[md:IDPSSODescriptor or
md:Extensions/mdrpi:RegistrationInfo/@registrationAuthority = 'http://ukfederation.org.uk']"/>
<constructor-arg ref="commonNamespaces"/>
Expand Down Expand Up @@ -674,7 +674,7 @@
</property>
</bean>

<bean id="uk_exportSelector" class="net.shibboleth.metadata.dom.XPathItemSelectionStrategy">
<bean id="uk_exportSelector" parent="XPathItemSelectionStrategy">
<constructor-arg value="/md:EntityDescriptor[md:Extensions/ukfedlabel:ExportOptIn]"/>
<constructor-arg ref="commonNamespaces"/>
</bean>
Expand Down Expand Up @@ -731,7 +731,7 @@
***********************************************************
-->

<bean id="uk_exportPreviewSelector" class="net.shibboleth.metadata.dom.XPathItemSelectionStrategy">
<bean id="uk_exportPreviewSelector" parent="XPathItemSelectionStrategy">
<constructor-arg value="/md:EntityDescriptor[not(md:Extensions/ukfedlabel:ExportOptOut)]"/>
<constructor-arg ref="commonNamespaces"/>
</bean>
Expand All @@ -740,6 +740,84 @@
p:id="uk_exportPreviewPipeline">
<property name="stages">
<list>

<!--
Additional rules excluding entities from the aggregate.
The basic rule (expressed in uk_exportPreviewSelector) is that
entities are excluded if they do not have the ExportOptOut label.
Additional rules below are applied to entities which do not
have the ExportOptIn label: in other words, a rule in this section
can always be overridden by an explicit ExportOptIn.
-->
<bean p:id="exclusion" parent="SplitMergeStage">

<!-- select entities with ExportOptIn label -->
<property name="selectionStrategy">
<bean parent="XPathItemSelectionStrategy">
<constructor-arg value="/md:EntityDescriptor[md:Extensions/ukfedlabel:ExportOptIn]"/>
<constructor-arg ref="commonNamespaces"/>
</bean>
</property>

<!--
Pipeline for selected (explicitly opted in) items.
-->
<property name="selectedItemPipeline">
<bean p:id="selectedItemPipeline" parent="SimplePipeline">
<property name="stages">
<list>
<!-- nothing required -->
</list>
</property>
</bean>
</property>

<!--
The pipeline for unselected (not explicitly opted in) items removes entities
matching specific rules.
-->
<property name="nonselectedItemPipeline">
<bean p:id="nonSelectedItemPipeline" parent="SimplePipeline">
<property name="stages">
<list>

<!-- Identity providers lacking support for SAML 2.0 -->
<bean p:id="SAML1onlyIdPs" parent="XPathFilteringStage"
p:XPathExpression="md:IDPSSODescriptor
[not(contains(@protocolSupportEnumeration,'urn:oasis:names:tc:SAML:2.0:protocol'))]">
</bean>

<!-- Aggregated schools sector identity providers -->
<!--
Preferred implementation:
<bean p:id="syntheticScopes" parent="XPathFilteringStage"
p:XPathExpression="shibmd:Scope[ends-with(., '.eng.ukfederation.org.uk']"/>
Unfortunately, the "ends-with" function is an XPath 2 feature, so we settle for
using "contains" instead; in our case it is equivalent.
-->
<bean p:id="syntheticScopes" parent="XPathFilteringStage"
p:XPathExpression="//shibmd:Scope[contains(., '.eng.ukfederation.org.uk')]"/>
<!-- Specific providers not caught by the previous condition -->
<bean p:id="GlowScotland" parent="EntityFilterStage">
<property name="designatedEntities">
<set>
<value>https://idp.glowscotland.org.uk/shibboleth</value>
</set>
</property>
</bean>

<!-- Identity providers with regular expression scopes -->
<bean p:id="regexScopes" parent="XPathFilteringStage"
p:XPathExpression="//shibmd:Scope[@regexp='true']"/>
</list>
</property>
</bean>
</property>
</bean>

<!--
Enforce IdP display name uniqueness before assembling aggregate
-->
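Review bot: The regexScopes rule at the end of the nonselectedItemPipeline matches only `@regexp='true'`, but the shibmd:Scope regexp attribute is an xs:boolean, so a scope declared with `regexp="1"` would escape this exclusion and reach the preview aggregate; `p:XPathExpression="//shibmd:Scope[@regexp='true' or @regexp='1']"` closes that gap. The header comment on the exclusion bean inverts the basic rule: uk_exportPreviewSelector keeps entities that lack ExportOptOut, so the line should read `entities are excluded if they have the ExportOptOut label.` The "Preferred implementation" comment above syntheticScopes is missing the closing parenthesis in `ends-with(., '.eng.ukfederation.org.uk')` and omits the `//` prefix the live expression uses, which will mislead whoever later switches to XPath 2. GlowScotland relies on EntityFilterStage removing the designated entities by default rather than keeping them; stating that with `p:keepingEntities="false"` would make the intent explicit, assuming that property name matches the MDA version in use. The enclosing uk_exportPreviewPipeline bean opens before this hunk and its stages list continues past it.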
