This repository has been archived by the owner. It is now read-only.
Reorder and reword rules to correspond to published technical policy.
iay committed Aug 12, 2016
1 parent a1e7872 commit 74e4be7
110 changes: 71 additions & 39 deletions mdx/incommon/edugain-policy.xml
Expand Up @@ -24,7 +24,7 @@
https://spaces.internet2.edu/display/InCFederation/Interfederation+Technical+Policy
The numbers given here are up to date as of 2016-05-10.
The numbers given here are up to date as of 2016-08-12.
-->
<bean id="edugainPolicy" parent="CompositeStage">
<property name="composedStages">
Expand All @@ -33,6 +33,11 @@
<!--
Technical Policy rule 1.
"Silently remove all imported entities with XML attribute
mdrpi:RegistrationInfo[@registrationAuthority='https://incommon.org']
Entities so marked must come from primary sources only."
Filter out entities that declare themselves as registered
by our federation. We don't want those coming back in
from another registrar or metadata exchange as they may be
Expand All @@ -51,7 +56,8 @@
<!--
Technical Policy rule 2.
Filter all entity attributes not on the entity attribute whitelist.
"Silently remove all entity attributes not on the Entity Attribute
Whitelist."
-->
<bean id="entityAttributes" parent="EntityAttributeFilteringStage">
<property name="rules">
Expand All @@ -75,7 +81,35 @@
<!--
Technical Policy rule 3.
Filter all imported entities with weak keys.
"Remove and log the removal of all imported mdui:Logo elements
(not entities) with a URL that is not HTTPS-protected."
-->
<ref bean="stripMDUILogoHttp"/>

<!--
Technical Policy rule 4.
"Fiter out (remove and log the removal of) all imported
entities matching one or more of the following conditions:"
This rule is performed by the error-detecting beans below
in combination with the caller of this CompositeStage
taking action on any resulting ErrorStatus objects in
item metadata.
-->

<!--
Technical Policy rule 4.a.
Mark entities with an entityID that does not begin with one of the
following prefixes: urn:mace:, http://, https://.
-->
<ref bean="check_entityid_prefix"/>

<!--
Technical Policy rule 4.b.
Mark entities with weak keys.
-->
<bean p:id="certificateValidation" parent="X509ValidationStage">
<property name="validators">
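Review bot: the quoted policy text under "Technical Policy rule 4." has a typo, "Fiter out" should read "Filter out"; since the comment quotes the published wiki page, either correct it or mark it [sic] so a later reader does not think the policy source itself is being paraphrased. On the same hunk, rules 1, 2 and 3 quote the published wording but 4.a ("Mark entities with an entityID that does not begin with ...") and 4.b ("Mark entities with weak keys.") do not; quoting the published text for the sub-rules too would make the comment-to-policy correspondence this commit is aiming for easier to verify.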
Expand Down Expand Up @@ -105,70 +139,68 @@
</bean>

<!--
Technical Policy rule 4.
Technical Policy rule 4.c.i.
Filter all imported IdP entities that do not have a SAML2 SingleSignOnService endpoint
that supports the HTTP-Redirect binding.
Filter entities without regexp attributes.
-->
<bean id="check_idp_non_saml2" parent="XSLValidationStage"
p:XSLResource="classpath:incommon/check_idp_no_saml2.xsl"/>
<ref bean="check_shib_noregscope"/>

<!--
Technical Policy rule 5.
Technical Policy rule 4.c.ii.
Filter all imported SP entities that do not have at least one SAML2 AssertionConsumerService
endpoint that supports the HTTP-POST binding.
Disallow regexp="true".
-->
<bean id="check_sp_non_saml2" parent="XSLValidationStage"
p:XSLResource="classpath:incommon/check_sp_no_saml2.xsl"/>
<ref bean="check_shib_regscope"/>

<!--
Technical Policy rule 6.
Technical Policy rule 4.d.
Filter all imported entities that have the same entityID as an existing
entity in the InCommon aggregate.
This policy rule is implemented by the merge strategy used when these
entities are merged in with the ones from InCommon.
Mark IdP entities with an endpoint location that
is not HTTPS-protected.
-->
<ref bean="check_idp_tls"/>

<!--
The following technical policy rules do not yet appear in the
published wiki page.
-->
Technical Policy rule 4.e.
<!--
Filter entities whose entityID does not start with one of the
following prefixes: urn:mace:, http://, https://.
Mark IdP entities that do not have a SAML2 SingleSignOnService endpoint
that supports the HTTP-Redirect binding.
-->
<ref bean="check_entityid_prefix"/>
<bean id="check_idp_non_saml2" parent="XSLValidationStage"
p:XSLResource="classpath:incommon/check_idp_no_saml2.xsl"/>

<!--
Filter all imported IdP entities with an endpoint location that
is not HTTPS-protected.
-->
<ref bean="check_idp_tls"/>
Technical Policy rule 4.f.
<!--
Filter all imported mdui:Logo elements (not entities) with a URL
that is not HTTPS-protected.
Mark SP entities that do not have at least one SAML2 AssertionConsumerService
endpoint that supports the HTTP-POST binding.
-->
<ref bean="stripMDUILogoHttp"/>
<bean id="check_sp_non_saml2" parent="XSLValidationStage"
p:XSLResource="classpath:incommon/check_sp_no_saml2.xsl"/>

<!--
Filter entities containing literal CR characters.
Technical Policy rule 4.g.
Mark entities containing literal CR characters.
-->
<ref bean="check_cr"/>

<!--
Filter entities with regular expression scopes.
Technical Policy rule 5.
"Silently remove all imported entities that have the same entityID as an existing
entity in the InCommon aggregate."
This policy rule is implemented by the merge strategy used when these
entities are merged in with the ones from InCommon.
-->
<ref bean="check_shib_regscope"/>

<!--
Filter entities without regexp attributes.
The following technical policy rules do not yet appear in the
published wiki page.
-->
<ref bean="check_shib_noregscope"/>

<!-- none -->

<!--
Policy rules below this point are not called out explicitly in the
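Review bot: the 4.c.i and 4.c.ii comments ("Filter entities without regexp attributes." and "Disallow regexp="true".") use "Filter"/"Disallow" while every other rule 4 sub-rule in this hunk says "Mark ..." and the rule 4 introduction states that these beans only attach ErrorStatus objects and rely on the caller of this CompositeStage to drop the entity; reword both to "Mark entities ..." and, as for the other rules, quote the published text so the mapping to the wiki page is explicit. Minor: the "do not yet appear in the published wiki page" section now holds only `<!-- none -->`; either drop the empty section or say in the comment that it is kept deliberately as a placeholder.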