Merge remote-tracking branch 'upstream/master'

build.xml

@@ -83,8 +83,7 @@
     -->
     <property name="tools.dir" value="tools"/>
     <property name="tools.ant" value="${tools.dir}/ant"/>
-    <property name="tools.mda" value="${tools.dir}/aggregator-cli-0.9.0"/>
-    <property name="tools.mda.old" value="${tools.dir}/aggregator-cli-0.8.0"/>
+    <property name="tools.mda" value="${tools.dir}/aggregator-cli-0.9.1"/>
     <property name="tools.mdnorm" value="${tools.dir}/mdnorm"/>
     <property name="tools.metadatatool" value="${tools.dir}/metadatatool"/>
     <property name="tools.xmlsectool" value="${tools.dir}/xmlsectool"/>
@@ -154,7 +153,7 @@
         be more than some invocations require, but there's no harm in having a higher
         limit for all of them.
     -->
-    <property name="java.max.memory" value="768m"/>
+    <property name="java.max.memory" value="1024m"/>
 
     <!--
         Full paths to a couple of temporary file locations.
@@ -462,7 +461,7 @@
         The individual properties listed here can be augmented or overridden
         by properties defined in the external properties files, e.g., build.properties.
     -->
-    <property name="mda.java.endorsed.dirs" value="${tools.mda.old}/lib/endorsed"/>
+    <property name="mda.java.endorsed.dirs" value="${tools.dir}/endorsed"/>
     <property name="mda.basedir" value="${basedir}"/>
 
     <!--

mdx/_rules/check_entityid_prefix.xsl

@@ -0,0 +1,33 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+
+	check_entityid_prefix.xsl
+	
+	Checking that entityID attributes start with one of a whitelist of prefixes.
+	
+	Author: Ian A. Young <ian@iay.org.uk>
+
+-->
+<xsl:stylesheet version="1.0"
+	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+	xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+	xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
+
+	<!--
+		Common support functions.
+	-->
+	<xsl:import href="check_framework.xsl"/>
+
+
+	<!--
+		Entity IDs should start with one of "http://", "https://" or "urn:mace:".
+	-->
+	<xsl:template match="md:EntityDescriptor[not(starts-with(@entityID, 'urn:mace:'))]
+		[not(starts-with(@entityID, 'http://'))]
+		[not(starts-with(@entityID, 'https://'))]">
+		<xsl:call-template name="error">
+			<xsl:with-param name="m">entity ID <xsl:value-of select="@entityID"/> does not start with acceptable prefix</xsl:with-param>
+		</xsl:call-template>
+	</xsl:template>
+
+</xsl:stylesheet>

mdx/_rules/check_idp_tls.xsl

@@ -0,0 +1,36 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+
+	check_idp_tls.xsl
+	
+	Checking that all IdP endpoints are TLS-protected.
+	
+	Author: Ian A. Young <ian@iay.org.uk>
+
+-->
+<xsl:stylesheet version="1.0"
+	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+	xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+	xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
+
+	<!--
+		Common support functions.
+	-->
+	<xsl:import href="check_framework.xsl"/>
+
+
+	<!--
+		Check for IdP endpoints that don't start with https://
+	-->
+    <xsl:template match="md:IDPSSODescriptor//*[@Location and not(starts-with(@Location,'https://'))]">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m"><xsl:value-of select='local-name()'/> Location does not start with https://</xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
+	<xsl:template match="md:AttributeAuthorityDescriptor//*[@Location and not(starts-with(@Location,'https://'))]">
+		<xsl:call-template name="error">
+			<xsl:with-param name="m"><xsl:value-of select='local-name()'/> Location does not start with https://</xsl:with-param>
+		</xsl:call-template>
+	</xsl:template>
+
+</xsl:stylesheet>

mdx/_rules/check_misc.xsl

@@ -32,18 +32,6 @@
 	</xsl:template>
 
 
-	<!--
-		Entity IDs should start with one of "http://", "https://" or "urn:mace:".
-	-->
-	<xsl:template match="md:EntityDescriptor[not(starts-with(@entityID, 'urn:mace:'))]
-		[not(starts-with(@entityID, 'http://'))]
-		[not(starts-with(@entityID, 'https://'))]">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">entity ID <xsl:value-of select="@entityID"/> does not start with acceptable prefix</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-
-
 	<!--
 		Check for OrganizationDisplayName elements containing line breaks.
 	-->
@@ -67,22 +55,6 @@
 	</xsl:template>
 
 
-	<!--
-		Check for Locations that don't start with https://
-		
-		This may be a little strict, and might be better confined to md:* elements.
-		In addition, we might at some point require more complex rules: whitelisting certain
-		entities, or permitting http:// to Locations associated with certain bindngs.
-		
-		At present, however, this simpler rule produces no false positives.
-	-->
-	<xsl:template match="*[@Location and not(starts-with(@Location,'https://'))]">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m"><xsl:value-of select='local-name()'/> Location does not start with https://</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-
-
 	<!--
 		@Binding attributes should not contain space characters.
 		

mdx/_rules/check_sp_tls.xsl

@@ -0,0 +1,31 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+
+	check_sp_tls.xsl
+	
+	Checking that all SP endpoints are TLS-protected.
+	
+	Author: Ian A. Young <ian@iay.org.uk>
+
+-->
+<xsl:stylesheet version="1.0"
+	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+	xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+	xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
+
+	<!--
+		Common support functions.
+	-->
+	<xsl:import href="check_framework.xsl"/>
+
+
+	<!--
+		Check for SP endpoints that don't start with https://
+	-->
+    <xsl:template match="md:SPSSODescriptor//*[@Location and not(starts-with(@Location,'https://'))]">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m"><xsl:value-of select='local-name()'/> Location does not start with https://</xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
+
+</xsl:stylesheet>

mdx/common-beans.xml

@@ -245,6 +245,9 @@
 
     <!-- *** Parent beans for Shibboleth MDA components. *** -->
 
+    <bean id="CRDetectionStage" abstract="true" parent="stage_parent"
+        class="net.shibboleth.metadata.dom.CRDetectionStage"/>
+
     <bean id="ElementWhitespaceTrimmingStage" abstract="true" parent="stage_parent"
         class="net.shibboleth.metadata.dom.ElementWhitespaceTrimmingStage"/>
 
@@ -576,10 +579,26 @@
     <!--
         errorAnnouncer
         
-        A pipeline stage that logs any errors and warnings present,
+        A pipeline stage that logs any errors present,
         but takes no action on them.
     -->
     <bean id="errorAnnouncer" parent="stage_parent"
+        class="net.shibboleth.metadata.pipeline.StatusMetadataLoggingStage">
+        <property name="identificationStrategy" ref="identificationStrategy"/>
+        <property name="selectionRequirements">
+            <list>
+                <value>#{T(net.shibboleth.metadata.ErrorStatus)}</value>
+            </list>
+        </property>
+    </bean>
+
+    <!--
+        warningAndErrorAnnouncer
+        
+        A pipeline stage that logs any errors and warnings present,
+        but takes no action on them.
+    -->
+    <bean id="warningAndErrorAnnouncer" parent="stage_parent"
         class="net.shibboleth.metadata.pipeline.StatusMetadataLoggingStage">
         <property name="identificationStrategy" ref="identificationStrategy"/>
         <property name="selectionRequirements">
@@ -624,12 +643,12 @@
         errorAnnouncingFilter
         
         Announce any errors or warnings encountered, then remove
-        any items that had errors.  Items with warnings are retained.
+        any items that had errors.  Items with just warnings are retained.
     -->
     <bean id="errorAnnouncingFilter" parent="CompositeStage">
         <property name="composedStages">
             <list>
-                <ref bean="errorAnnouncer"/>
+                <ref bean="warningAndErrorAnnouncer"/>
                 <ref bean="errorRemover"/>
             </list>
         </property>
@@ -638,8 +657,9 @@
     <!--
         errorTerminatingFilter
         
-        A pipeline stage that checks for any errors, and then announces
-        and filters any encountered.
+        Announces any errors encountered, and then terminates if any are present.
+        
+        Warnings are not announced, and do not cause termination.
     -->
     <bean id="errorTerminatingFilter" parent="CompositeStage">
         <property name="composedStages">
@@ -810,6 +830,14 @@
     <bean id="stripMDUILogoData" parent="XSLTransformationStage"
         p:XSLResource="classpath:strip-mdui-logo-data.xsl"/>
 
+    <!--
+        stripMDUILogoHttp
+        
+        Remove any mdui:Logo elements containing http:// URLs.
+    -->
+    <bean id="stripMDUILogoHttp" parent="XSLTransformationStage"
+        p:XSLResource="classpath:strip-mdui-logo-http.xsl"/>
+
     <!--
         stripEmptyMDUIUIInfo
         
@@ -1139,6 +1167,7 @@
 
                 <ref bean="cleanImport"/>
                 <ref bean="stripAAMDUI"/>
+                <ref bean="stripMDUILogoHttp"/>
                 <ref bean="trimImportElementWhitespace"/>
                 <ref bean="stripEmptyExtensions"/>
                 <ref bean="checkSchemas"/>

mdx/int_edugain/verbs.xml

@@ -118,14 +118,18 @@
         
         Same as verify, but not making use of the validation
         blacklist. Can be used to check up on blacklisted entities.
+        
+        Output also includes any warnings attached to entities, although
+        these do not result in an error termination.
     -->
     <bean id="verify.all" parent="SimplePipeline">
         <property name="stages">
             <list>
                 <ref bean="int_edugain_productionEntities"/>
 
                 <ref bean="standardImportActions"/>
-                <ref bean="errorTerminatingFilter"/>
+                <ref bean="warningAndErrorAnnouncer"/>
+                <ref bean="errorTerminator"/>
             </list>
         </property>
     </bean>

mdx/strip-mdui-logo-http.xsl

@@ -0,0 +1,49 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+
+	strip-mdui-logo-http.xsl
+
+	Remove mdui:Logo elements whose value starts with http://, as these
+	may cause mixed content errors in browser-based discovery interfaces.
+
+	Author: Ian A. Young <ian@iay.org.uk>
+
+-->
+<xsl:stylesheet version="1.0"
+	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+	xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui"
+	xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
+
+	<!--
+		Common support functions.
+	-->
+	<xsl:import href="_rules/check_framework.xsl"/>
+
+	<!-- Force UTF-8 encoding for the output. -->
+	<xsl:output omit-xml-declaration="no" method="xml" encoding="UTF-8" indent="yes"/>
+
+	<!-- Match the pattern we want to remove. -->
+	<xsl:template match="mdui:Logo[starts-with(., 'http://')]">
+		<xsl:call-template name="warning">
+			<xsl:with-param name="m">
+				<xsl:text>mdui:Logo from non-TLS location removed: '</xsl:text>
+				<xsl:value-of select="."/>
+				<xsl:text>'</xsl:text>
+			</xsl:with-param>
+		</xsl:call-template>
+		<!-- ... and don't copy the element to the output, so that it is removed ... -->
+	</xsl:template>
+
+	<!--By default, copy text blocks, comments and attributes unchanged.-->
+	<xsl:template match="text()|comment()|@*">
+		<xsl:copy/>
+	</xsl:template>
+
+	<!-- Copy all elements from the input to the output, along with their attributes and contents. -->
+	<xsl:template match="*">
+		<xsl:copy>
+			<xsl:apply-templates select="node()|@*"/>
+		</xsl:copy>
+	</xsl:template>
+
+</xsl:stylesheet>

mdx/uk/verbs.xml

@@ -253,8 +253,10 @@
                 <ref bean="check_adfs"/>
                 <ref bean="check_algsupport"/>
                 <ref bean="check_bindings"/>
+                <ref bean="check_entityid_prefix"/>
                 <ref bean="check_hoksso"/>
                 <ref bean="check_idpdisc"/>
+                <ref bean="check_idp_tls"/>
                 <ref bean="check_incmd"/>
                 <ref bean="check_init"/>
                 <ref bean="check_mdiop"/>
@@ -267,6 +269,7 @@
                 <ref bean="check_saml2int"/>
                 <!-- <ref bean="check_saml2meta"/> -->
                 <ref bean="check_shibboleth"/>
+                <ref bean="check_sp_tls"/>
                 <ref bean="check_uk_trust"/>
 
                 <bean id="checkCertificates" parent="X509ValidationStage">