

Split scope processing into a copy phase and an injection phase.
This isolates the use of the Xalan extension in the injection phase so that it can
be replaced by an MDA stage.
iay committed Jul 8, 2016
1 parent e75e3d5 commit 939e7ea
Showing 3 changed files with 121 additions and 84 deletions.
45 changes: 20 additions & 25 deletions mdx/uk/beans.xml
Expand Up @@ -124,30 +124,6 @@
</bean>


<!--
uk_processScopes
This stage normalises scope handling in two ways particular to the UK
federation:
* we make all three potential scope lists equivalent (on the entity, on
the IDPSSODescriptor and on the AttributeAuthority)
* we inject scopes "pushed" to entities from the members.xml file
This transform can be run on individual EntityDescriptors or on an
aggregate EntitiesDescriptor.
-->
<bean id="uk_processScopes" parent="XSLTransformationStage"
p:XSLResource="classpath:uk/scopes.xsl">
<property name="transformParameters">
<map>
<entry key="members" value-ref="uk_members"/>
</map>
</property>
</bean>


<!--
uk_membersResource
Expand Down Expand Up @@ -304,7 +280,26 @@
<list>
<ref bean="uk_fetchFragmentFiles"/>
<ref bean="uk_processFragment"/>
<ref bean="uk_processScopes"/>

<!--
Make all three potential scope lists equivalent (on the entity, on
the IDPSSODescriptor and on the AttributeAuthority).
-->
<bean id="scopes_copy" parent="XSLTransformationStage"
p:XSLResource="classpath:uk/scopes_copy.xsl"/>

<!--
Inject scopes "pushed" to entities from the members.xml file.
-->
<bean id="scopes_inject" parent="XSLTransformationStage"
p:XSLResource="classpath:uk/scopes_inject.xsl">
<property name="transformParameters">
<map>
<entry key="members" value-ref="uk_members"/>
</map>
</property>
</bean>

<ref bean="populateItemIds"/>
<ref bean="uk_populateIds"/>
<ref bean="uk_default_regauth"/>
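Review bot: The two inline beans are order-dependent and nothing in the comments says so: scopes_inject only extends `md:Extensions` elements that already exist on the roles (its templates match `md:IDPSSODescriptor/md:Extensions` and `md:AttributeAuthorityDescriptor/md:Extensions`), while it is scopes_copy that manufactures a missing Extensions element, so swapping the two or reusing scopes_inject on its own would silently drop pushed scopes from any role that lacked one. I'd state it in the comment above the second bean: `<!-- Inject scopes "pushed" to entities from the members.xml file. Must run after scopes_copy: it only extends Extensions elements that already exist on the roles. -->`. The new ids also drop the `uk_` prefix every sibling bean in this list carries (`uk_processFragment`, `uk_populateIds`); `uk_scopes_copy` and `uk_scopes_inject` would keep the file's convention and make them easier to find if they are ever referenced from elsewhere. The enclosing pipeline list starts and ends outside this hunk.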
66 changes: 7 additions & 59 deletions mdx/uk/scopes.xsl → mdx/uk/scopes_copy.xsl
@@ -1,63 +1,30 @@
<?xml version="1.0" encoding="UTF-8"?>
<!--
scopes.xsl
scopes_copy.xsl
XSL stylesheet that handles the UK federation's approach to Shibboleth
scope extensions.
Make all three potential scope lists equivalent (on the entity, on
the IDPSSODescriptor and on the AttributeAuthority).
-->
<xsl:stylesheet version="1.0"
xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
xmlns:members="http://ukfederation.org.uk/2007/01/members"
xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"

xmlns:ukfxMembers="xalan://uk.org.ukfederation.members.Members"
extension-element-prefixes="ukfxMembers"

xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
exclude-result-prefixes="members">
xmlns:xsl="http://www.w3.org/1999/XSL/Transform">

<!--Force UTF-8 encoding for the output.-->
<xsl:output omit-xml-declaration="no" method="xml" encoding="UTF-8" indent="yes"/>

<!--
Parameters.
-->
<xsl:param name="members"/>

<!--
Extend the scope list contained within an IdP's entity-level Extensions element
with any outsourced scopes provided by the member list.
-->
<xsl:template match="md:EntityDescriptor[md:IDPSSODescriptor]/md:Extensions">
<xsl:copy>
<!-- copy everything from within the original element -->
<xsl:apply-templates select="node()"/>
<!-- copy scopes from member outsource records -->
<xsl:variable name="entityID" select="ancestor::md:EntityDescriptor/@entityID"/>
<xsl:for-each select="ukfxMembers:scopesForEntity($members, $entityID)/shibmd:Scope">
<xsl:text> </xsl:text>
<xsl:element name="shibmd:Scope">
<xsl:attribute name="regexp">false</xsl:attribute>
<xsl:value-of select="."/>
</xsl:element>
<xsl:text>&#10; </xsl:text>
</xsl:for-each>
</xsl:copy>
</xsl:template>

<!--
If an IdP's SSO or AA roles are missing Extensions (and Scope extensions in
particular) then manufacture them as a combination of the EntityDescriptor's
overall scope extensions and any outsourced scopes provided by the member list.
particular) then copy down the EntityDescriptor's overall scope extensions.
-->
<xsl:template match="md:IDPSSODescriptor[not(md:Extensions)] |
md:AttributeAuthorityDescriptor[not(md:Extensions)]">
<xsl:copy>
<xsl:variable name="entityID" select="ancestor::md:EntityDescriptor/@entityID"/>
<xsl:apply-templates select="@*"/>
<xsl:text>&#10; </xsl:text>
<xsl:element name="Extensions" namespace="urn:oasis:names:tc:SAML:2.0:metadata">
Expand All @@ -66,15 +33,7 @@
<xsl:text>&#10; </xsl:text>
<xsl:copy-of select="."/>
</xsl:for-each>
<!-- copy scopes from member outsource records -->
<xsl:for-each select="ukfxMembers:scopesForEntity($members, $entityID)/shibmd:Scope">
<xsl:text>&#10; </xsl:text>
<xsl:element name="shibmd:Scope">
<xsl:attribute name="regexp">false</xsl:attribute>
<xsl:value-of select="."/>
</xsl:element>
</xsl:for-each>
<xsl:text>&#10; </xsl:text>
<xsl:text>&#10; </xsl:text>
</xsl:element>
<xsl:apply-templates select="node()"/>
</xsl:copy>
Expand All @@ -84,13 +43,11 @@
If an IdP's SSO or AA roles already includes an Extensions element, this may
already contain extensions other than scopes. We need to make sure that
if it does not also contain scopes, then any scopes declared at the entity
level are copied down, and any outsourced scopes provided by the member
list are imported.
level are copied down.
-->
<xsl:template match="md:IDPSSODescriptor/md:Extensions |
md:AttributeAuthorityDescriptor/md:Extensions">
<xsl:copy>
<xsl:variable name="entityID" select="ancestor::md:EntityDescriptor/@entityID"/>
<xsl:apply-templates select="node()"/>
<xsl:if test="not(shibmd:Scope)">
<!-- copy scopes from EntityDescriptor extensions -->
Expand All @@ -100,15 +57,6 @@
<xsl:text>&#10; </xsl:text>
</xsl:for-each>
</xsl:if>
<!-- copy scopes from member outsource records -->
<xsl:for-each select="ukfxMembers:scopesForEntity($members, $entityID)/shibmd:Scope">
<xsl:text> </xsl:text>
<xsl:element name="shibmd:Scope">
<xsl:attribute name="regexp">false</xsl:attribute>
<xsl:value-of select="."/>
</xsl:element>
<xsl:text>&#10; </xsl:text>
</xsl:for-each>
</xsl:copy>
</xsl:template>

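Review bot: The `xmlns:members` and `xmlns:xsi` declarations on the stylesheet element survive the split although no template still visible here references either prefix, and `exclude-result-prefixes="members"` was dropped at the same time; in XSLT 1.0 a retained but unexcluded namespace is copied onto any literal result element, so the first literal element someone adds to this stylesheet will carry a stray `members` declaration into the aggregate. Dropping the two lines `xmlns:members="http://ukfederation.org.uk/2007/01/members"` and `xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"` (or restoring `exclude-result-prefixes` for whatever is kept) keeps the output clean. The rest of the stylesheet, including its default templates, lies beyond this section's last hunk, so if a later template does use one of these prefixes that declaration should stay.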
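--- /dev/null
+++ b/mdx/uk/scopes_inject.xsl
@@ -0,0 +1,94 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+scopes_inject.xsl
+Inject scopes "pushed" to entities from the members.xml file.
+-->
+<xsl:stylesheet version="1.0"
+xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+xmlns:members="http://ukfederation.org.uk/2007/01/members"
+xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
+
+xmlns:ukfxMembers="xalan://uk.org.ukfederation.members.Members"
+extension-element-prefixes="ukfxMembers"
+
+xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
+xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+exclude-result-prefixes="members">
+
+<!--Force UTF-8 encoding for the output.-->
+<xsl:output omit-xml-declaration="no" method="xml" encoding="UTF-8" indent="yes"/>
+
+<!--
+Parameters.
+-->
+<xsl:param name="members"/>
+
+<!--
+Extend the scope list contained within an IdP's entity-level Extensions element
+with any outsourced scopes provided by the member list.
+-->
+<xsl:template match="md:EntityDescriptor[md:IDPSSODescriptor]/md:Extensions">
+<xsl:copy>
+<!-- copy everything from within the original element -->
+<xsl:apply-templates select="node()"/>
+<!-- copy scopes from member outsource records -->
+<xsl:variable name="entityID" select="ancestor::md:EntityDescriptor/@entityID"/>
+<xsl:for-each select="ukfxMembers:scopesForEntity($members, $entityID)/shibmd:Scope">
+<xsl:text> </xsl:text>
+<xsl:element name="shibmd:Scope">
+<xsl:attribute name="regexp">false</xsl:attribute>
+<xsl:value-of select="."/>
+</xsl:element>
+<xsl:text>&#10; </xsl:text>
+</xsl:for-each>
+</xsl:copy>
+</xsl:template>
+
+<!--
+If an IdP's SSO or AA roles includes an Extensions element, add in
+and any outsourced scopes provided by the member list.
+-->
+<xsl:template match="md:IDPSSODescriptor/md:Extensions |
+md:AttributeAuthorityDescriptor/md:Extensions">
+<xsl:copy>
+<!-- copy everything from within the original element -->
+<xsl:apply-templates select="node()"/>
+<!-- copy scopes from member outsource records -->
+<xsl:variable name="entityID" select="ancestor::md:EntityDescriptor/@entityID"/>
+<xsl:for-each select="ukfxMembers:scopesForEntity($members, $entityID)/shibmd:Scope">
+<xsl:text> </xsl:text>
+<xsl:element name="shibmd:Scope">
+<xsl:attribute name="regexp">false</xsl:attribute>
+<xsl:value-of select="."/>
+</xsl:element>
+<xsl:text>&#10; </xsl:text>
+</xsl:for-each>
+</xsl:copy>
+</xsl:template>
+
+<!--
+*********************************************
+*** ***
+*** D E F A U L T T E M P L A T E S ***
+*** ***
+*********************************************
+-->
+
+
+<!--By default, copy text blocks, comments and attributes unchanged.-->
+<xsl:template match="text()|comment()|@*">
+<xsl:copy/>
+</xsl:template>
+
+<!--By default, copy all elements from the input to the output, along with their attributes and contents.-->
+<xsl:template match="*">
+<xsl:copy>
+<xsl:apply-templates select="node()|@*"/>
+</xsl:copy>
+</xsl:template>
+
+</xsl:stylesheet>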
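Review bot: The file header comment omits the one thing a maintainer reusing this stylesheet needs to know: both templates only extend an `md:Extensions` element that already exists, so on an IdP role that has none the pushed scopes are silently dropped, and the stage only produces the intended three equivalent lists after scopes_copy.xsl has manufactured those elements. I'd extend the header to `Inject scopes "pushed" to entities from the members.xml file. Assumes scopes_copy.xsl has already run, so every IdP role carries an md:Extensions element; a role without one receives no pushed scopes.` The comment above the second template reads `add in and any outsourced scopes provided by the member list`; `add in any outsourced scopes provided by the member list` is what was meant. The `ukfxMembers:scopesForEntity` call binds this stylesheet to a Java class through Xalan's `xalan://` extension mechanism, which is the dependency the commit message says is to be replaced by an MDA stage; until then it is worth a comment that the stylesheet must only ever be loaded from the classpath (as beans.xml does), since an extension-enabled transformer applied to a stylesheet from an operator-editable location would expose that Java binding.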
