Include check_mdattr in eduGAIN policy

While the MDA-168 bug is in effect, this protects against unwanted entity attributes being accepted and republished because they appear in (invalid per the specification) multiple EntityAttributes containers.
internet2 · Sep 12, 2016 · 375405c · 375405c
1 parent cb67cee
commit 375405c
Showing 1 changed file with 16 additions and 1 deletion.
diff --git a/mdx/incommon/edugain-policy.xml b/mdx/incommon/edugain-policy.xml
@@ -30,6 +30,21 @@
         <property name="composedStages">
             <list>
 
+                <!--
+                    Check entities against the MDATTR specification.
+
+                    This is not called out in the technical policy, so would
+                    normally be placed at the end of the policy. We need to
+                    perform this check at the start so that any entity attribute
+                    filtering we perform below does not accidentally bring the
+                    entity into apparent compliance.
+
+                    See https://issues.shibboleth.net/jira/browse/MDA-168
+
+                    (EntityAttributeFilteringStage mishandles multiple containers)
+                -->
+                <ref bean="check_mdattr"/>
+
                 <!--
                     Technical Policy rule 1.
 
@@ -281,7 +296,7 @@
                             (check_idp_tls included)
                             <ref bean="check_incmd"/>
                             <ref bean="check_init"/>
-                            <ref bean="check_mdattr"/>
+                            (check_mdattr included)
                             <ref bean="check_mdiop"/>
                             <ref bean="check_mdrpi"/>
                             <ref bean="check_mdui"/>