Rework approach to non-TLS mdui:Logo elements.

Although these are still rejected as errors for UKf registration, importing an mdui:Logo from an http:// URL causes the Logo element to be removed rather than causing a rejection. The result for the UKf is still that these are not republished to avoid mixed content errors, but an entity which *only* has this mistake is still imported albeit without its logo being available in discovery interfaces.
internet2 · May 10, 2016 · fad2b3f · fad2b3f
1 parent 8d04b20
commit fad2b3f
Show file tree

Hide file tree

Showing 3 changed files with 84 additions and 5 deletions.
diff --git a/mdx/common-beans.xml b/mdx/common-beans.xml
@@ -576,6 +576,22 @@
         </property>
     </bean>
 
+    <!--
+        errorAnnouncer
+        
+        A pipeline stage that logs any errors present,
+        but takes no action on them.
+    -->
+    <bean id="errorAnnouncer" parent="stage_parent"
+        class="net.shibboleth.metadata.pipeline.StatusMetadataLoggingStage">
+        <property name="identificationStrategy" ref="identificationStrategy"/>
+        <property name="selectionRequirements">
+            <list>
+                <value>#{T(net.shibboleth.metadata.ErrorStatus)}</value>
+            </list>
+        </property>
+    </bean>
+
     <!--
         warningAndErrorAnnouncer
         
@@ -627,7 +643,7 @@
         errorAnnouncingFilter
         
         Announce any errors or warnings encountered, then remove
-        any items that had errors.  Items with warnings are retained.
+        any items that had errors.  Items with just warnings are retained.
     -->
     <bean id="errorAnnouncingFilter" parent="CompositeStage">
         <property name="composedStages">
@@ -641,13 +657,14 @@
     <!--
         errorTerminatingFilter
         
-        A pipeline stage that checks for any errors, and then announces
-        and filters any encountered.
+        Announces any errors encountered, and then terminates if any are present.
+        
+        Warnings are not announced, and do not cause termination.
     -->
     <bean id="errorTerminatingFilter" parent="CompositeStage">
         <property name="composedStages">
             <list>
-                <ref bean="warningAndErrorAnnouncer"/>
+                <ref bean="errorAnnouncer"/>
                 <ref bean="errorTerminator"/>
             </list>
         </property>
@@ -813,6 +830,14 @@
     <bean id="stripMDUILogoData" parent="XSLTransformationStage"
         p:XSLResource="classpath:strip-mdui-logo-data.xsl"/>
 
+    <!--
+        stripMDUILogoHttp
+        
+        Remove any mdui:Logo elements containing http:// URLs.
+    -->
+    <bean id="stripMDUILogoHttp" parent="XSLTransformationStage"
+        p:XSLResource="classpath:strip-mdui-logo-http.xsl"/>
+
     <!--
         stripEmptyMDUIUIInfo
         
@@ -1142,6 +1167,7 @@
 
                 <ref bean="cleanImport"/>
                 <ref bean="stripAAMDUI"/>
+                <ref bean="stripMDUILogoHttp"/>
                 <ref bean="trimImportElementWhitespace"/>
                 <ref bean="stripEmptyExtensions"/>
                 <ref bean="checkSchemas"/>

diff --git a/mdx/int_edugain/verbs.xml b/mdx/int_edugain/verbs.xml
@@ -118,14 +118,18 @@
         
         Same as verify, but not making use of the validation
         blacklist. Can be used to check up on blacklisted entities.
+        
+        Output also includes any warnings attached to entities, although
+        these do not result in an error termination.
     -->
     <bean id="verify.all" parent="SimplePipeline">
         <property name="stages">
             <list>
                 <ref bean="int_edugain_productionEntities"/>
 
                 <ref bean="standardImportActions"/>
-                <ref bean="errorTerminatingFilter"/>
+                <ref bean="warningAndErrorAnnouncer"/>
+                <ref bean="errorTerminator"/>
             </list>
         </property>
     </bean>

diff --git a/mdx/strip-mdui-logo-http.xsl b/mdx/strip-mdui-logo-http.xsl
@@ -0,0 +1,49 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+
+	strip-mdui-logo-http.xsl
+
+	Remove mdui:Logo elements whose value starts with http://, as these
+	may cause mixed content errors in browser-based discovery interfaces.
+
+	Author: Ian A. Young <ian@iay.org.uk>
+
+-->
+<xsl:stylesheet version="1.0"
+	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+	xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui"
+	xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
+
+	<!--
+		Common support functions.
+	-->
+	<xsl:import href="_rules/check_framework.xsl"/>
+
+	<!-- Force UTF-8 encoding for the output. -->
+	<xsl:output omit-xml-declaration="no" method="xml" encoding="UTF-8" indent="yes"/>
+
+	<!-- Match the pattern we want to remove. -->
+	<xsl:template match="mdui:Logo[starts-with(., 'http://')]">
+		<xsl:call-template name="warning">
+			<xsl:with-param name="m">
+				<xsl:text>mdui:Logo from non-TLS location removed: '</xsl:text>
+				<xsl:value-of select="."/>
+				<xsl:text>'</xsl:text>
+			</xsl:with-param>
+		</xsl:call-template>
+		<!-- ... and don't copy the element to the output, so that it is removed ... -->
+	</xsl:template>
+
+	<!--By default, copy text blocks, comments and attributes unchanged.-->
+	<xsl:template match="text()|comment()|@*">
+		<xsl:copy/>
+	</xsl:template>
+
+	<!-- Copy all elements from the input to the output, along with their attributes and contents. -->
+	<xsl:template match="*">
+		<xsl:copy>
+			<xsl:apply-templates select="node()|@*"/>
+		</xsl:copy>
+	</xsl:template>
+
+</xsl:stylesheet>