Unbundle the checks for TLS on IdP and SP endpoints.

internet2 · May 6, 2016 · 4b362fd · 4b362fd
1 parent 2d22f7b
commit 4b362fd
Show file tree

Hide file tree

Showing 5 changed files with 83 additions and 16 deletions.
diff --git a/mdx/_rules/check_idp_tls.xsl b/mdx/_rules/check_idp_tls.xsl
@@ -0,0 +1,36 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+
+	check_idp_tls.xsl
+	
+	Checking that all IdP endpoints are TLS-protected.
+	
+	Author: Ian A. Young <ian@iay.org.uk>
+
+-->
+<xsl:stylesheet version="1.0"
+	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+	xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+	xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
+
+	<!--
+		Common support functions.
+	-->
+	<xsl:import href="check_framework.xsl"/>
+
+
+	<!--
+		Check for IdP endpoints that don't start with https://
+	-->
+    <xsl:template match="md:IDPSSODescriptor//*[@Location and not(starts-with(@Location,'https://'))]">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m"><xsl:value-of select='local-name()'/> Location does not start with https://</xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
+	<xsl:template match="md:AttributeAuthorityDescriptor//*[@Location and not(starts-with(@Location,'https://'))]">
+		<xsl:call-template name="error">
+			<xsl:with-param name="m"><xsl:value-of select='local-name()'/> Location does not start with https://</xsl:with-param>
+		</xsl:call-template>
+	</xsl:template>
+
+</xsl:stylesheet>
diff --git a/mdx/_rules/check_misc.xsl b/mdx/_rules/check_misc.xsl
@@ -55,22 +55,6 @@
 	</xsl:template>
 
 
-	<!--
-		Check for Locations that don't start with https://
-		
-		This may be a little strict, and might be better confined to md:* elements.
-		In addition, we might at some point require more complex rules: whitelisting certain
-		entities, or permitting http:// to Locations associated with certain bindngs.
-		
-		At present, however, this simpler rule produces no false positives.
-	-->
-	<xsl:template match="*[@Location and not(starts-with(@Location,'https://'))]">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m"><xsl:value-of select='local-name()'/> Location does not start with https://</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-
-
 	<!--
 		@Binding attributes should not contain space characters.
 		

diff --git a/mdx/_rules/check_sp_tls.xsl b/mdx/_rules/check_sp_tls.xsl
@@ -0,0 +1,31 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+
+	check_sp_tls.xsl
+	
+	Checking that all SP endpoints are TLS-protected.
+	
+	Author: Ian A. Young <ian@iay.org.uk>
+
+-->
+<xsl:stylesheet version="1.0"
+	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+	xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+	xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
+
+	<!--
+		Common support functions.
+	-->
+	<xsl:import href="check_framework.xsl"/>
+
+
+	<!--
+		Check for SP endpoints that don't start with https://
+	-->
+    <xsl:template match="md:SPSSODescriptor//*[@Location and not(starts-with(@Location,'https://'))]">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m"><xsl:value-of select='local-name()'/> Location does not start with https://</xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
+
+</xsl:stylesheet>
diff --git a/mdx/uk/verbs.xml b/mdx/uk/verbs.xml
@@ -256,6 +256,7 @@
                 <ref bean="check_entityid_prefix"/>
                 <ref bean="check_hoksso"/>
                 <ref bean="check_idpdisc"/>
+                <ref bean="check_idp_tls"/>
                 <ref bean="check_incmd"/>
                 <ref bean="check_init"/>
                 <ref bean="check_mdiop"/>
@@ -268,6 +269,7 @@
                 <ref bean="check_saml2int"/>
                 <!-- <ref bean="check_saml2meta"/> -->
                 <ref bean="check_shibboleth"/>
+                <ref bean="check_sp_tls"/>
                 <ref bean="check_uk_trust"/>
 
                 <bean id="checkCertificates" parent="X509ValidationStage">

diff --git a/mdx/validation-beans.xml b/mdx/validation-beans.xml
@@ -337,6 +337,18 @@
     <bean id="check_entityid_prefix" parent="XSLValidationStage"
         p:XSLResource="classpath:_rules/check_entityid_prefix.xsl"/>
 
+    <!--
+        check_idp_tls
+    -->
+    <bean id="check_idp_tls" parent="XSLValidationStage"
+        p:XSLResource="classpath:_rules/check_idp_tls.xsl"/>
+
+    <!--
+        check_sp_tls
+    -->
+    <bean id="check_sp_tls" parent="XSLValidationStage"
+        p:XSLResource="classpath:_rules/check_sp_tls.xsl"/>
+
     <!--
         check_misc
     -->
@@ -581,6 +593,7 @@
                 <ref bean="check_entityid_prefix"/>
                 <ref bean="check_hoksso"/>
                 <ref bean="check_idpdisc"/>
+                <ref bean="check_idp_tls"/>
                 <ref bean="check_incmd"/>
                 <ref bean="check_init"/>
                 <ref bean="check_mdattr"/>
@@ -595,6 +608,7 @@
                 <ref bean="check_saml2meta"/>
                 <ref bean="check_saml_strings"/>
                 <ref bean="check_shibboleth"/>
+                <ref bean="check_sp_tls"/>
                 <ref bean="check_uk_algorithms"/>
                 <ref bean="check_uk_trust"/>
                 <ref bean="check_uk_wayf"/>