Split out the check for Scope elements entirely lacking regexp attrib…

…utes.
internet2 · May 23, 2016 · 24d59de · 24d59de
1 parent 6011b24
commit 24d59de
Show file tree

Hide file tree

Showing 4 changed files with 47 additions and 18 deletions.
diff --git a/mdx/_rules/check_shib_noregscope.xsl b/mdx/_rules/check_shib_noregscope.xsl
@@ -0,0 +1,29 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+
+	check_shib_noregscope.xsl
+
+    Check for Shibboleth Scope elements lacking a regexp attribute, which can cause
+    problems with signature generation and validation because the schema includes
+    a default value.
+
+-->
+<xsl:stylesheet version="1.0"
+	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+	xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+	xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
+	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+	xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
+
+	<!--
+		Common support functions.
+	-->
+	<xsl:import href="check_framework.xsl"/>
+
+	<xsl:template match="shibmd:Scope[not(@regexp)]">
+		<xsl:call-template name="error">
+			<xsl:with-param name="m">Scope <xsl:value-of select="."/> lacks @regexp</xsl:with-param>
+		</xsl:call-template>
+	</xsl:template>
+
+</xsl:stylesheet>
diff --git a/mdx/_rules/check_shibboleth.xsl b/mdx/_rules/check_shibboleth.xsl
@@ -148,18 +148,6 @@
 			<xsl:with-param name="m">SIDPO-34: Attribute lacking NameFormat in IDPSSODescriptor</xsl:with-param>
 		</xsl:call-template>
 	</xsl:template>
-
-
-	<!--
-		Check for Shibboleth Scope elements that don't include a regexp attribute.
-		This has a default in the schema so omitting it can cause signing brittleness.
-	-->
-	<xsl:template match="shibmd:Scope[not(@regexp)]">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">Scope <xsl:value-of select="."/> lacks @regexp</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-
 
 	<!--
 		Scope elements should not contain space characters.

diff --git a/mdx/uk/verbs.xml b/mdx/uk/verbs.xml
@@ -268,6 +268,7 @@
                 <ref bean="check_saml2"/>
                 <ref bean="check_saml2int"/>
                 <!-- <ref bean="check_saml2meta"/> -->
+                <ref bean="check_shib_noregscope"/>
                 <ref bean="check_shibboleth"/>
                 <ref bean="check_sp_tls"/>
                 <ref bean="check_uk_trust"/>

diff --git a/mdx/validation-beans.xml b/mdx/validation-beans.xml
@@ -294,6 +294,22 @@
     <bean id="check_shib_regscope" parent="XSLValidationStage"
         p:XSLResource="classpath:_rules/check_shib_regscope.xsl"/>
 
+    <!--
+        check_shib_noregscope
+        
+        Check for Shibboleth Scope elements lacking a regexp attribute, which can cause
+        problems with signature generation and validation because the schema includes
+        a default value.
+    -->
+    <bean id="check_shib_noregscope" parent="XSLValidationStage"
+        p:XSLResource="classpath:_rules/check_shib_noregscope.xsl"/>
+
+    <!--
+        check_shibboleth
+    -->
+    <bean id="check_shibboleth" parent="XSLValidationStage"
+        p:XSLResource="classpath:_rules/check_shibboleth.xsl"/>
+
 
     <!--
         *******************************************************************
@@ -550,12 +566,6 @@
         </property>
     </bean>
 
-    <!--
-        check_shibboleth
-    -->
-    <bean id="check_shibboleth" parent="XSLValidationStage"
-        p:XSLResource="classpath:_rules/check_shibboleth.xsl"/>
-
     <!--
         check_validUntil
         
@@ -617,6 +627,7 @@
                 <ref bean="check_saml2int"/>
                 <ref bean="check_saml2meta"/>
                 <ref bean="check_saml_strings"/>
+                <ref bean="check_shib_noregscope"/>
                 <ref bean="check_shibboleth"/>
                 <ref bean="check_sp_tls"/>
                 <ref bean="check_uk_algorithms"/>