
Make a basic test pipeline
iay committed May 14, 2018
1 parent 522a196 commit 12dad4b
Showing 8 changed files with 397 additions and 0 deletions.
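--- a/src/main/resources/_rules/check_bindings.xsl
+++ b/src/main/resources/_rules/check_bindings.xsl
@@ -0,0 +1,178 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+check_bindings.xsl
+Checking ruleset that checks SAML 2.0 metadata Binding values.
+Author: Ian A. Young <ian@iay.org.uk>
+-->
+<xsl:stylesheet version="1.0"
+xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
+
+<!--
+Common support functions.
+-->
+<xsl:import href="check_framework.xsl"/>
+
+<xsl:template match="md:ArtifactResolutionService
+[@Binding != 'urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding']
+[@Binding != 'urn:oasis:names:tc:SAML:2.0:bindings:SOAP']
+">
+<xsl:call-template name="error">
+<xsl:with-param name="m">
+<xsl:text>invalid binding '</xsl:text>
+<xsl:value-of select="@Binding"/>
+<xsl:text>' on </xsl:text>
+<xsl:value-of select="name()"/>
+</xsl:with-param>
+</xsl:call-template>
+</xsl:template>
+
+<xsl:template match="md:AssertionConsumerService
+[@Binding != 'http://schemas.xmlsoap.org/ws/2003/07/secext']
+[@Binding != 'urn:oasis:names:tc:SAML:1.0:profiles:artifact-01']
+[@Binding != 'urn:oasis:names:tc:SAML:1.0:profiles:browser-post']
+[@Binding != 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact']
+[@Binding != 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST']
+[@Binding != 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign']
+[@Binding != 'urn:oasis:names:tc:SAML:2.0:bindings:PAOS']
+[@Binding != 'urn:oasis:names:tc:SAML:2.0:profiles:holder-of-key:SSO:browser']
+">
+<xsl:call-template name="error">
+<xsl:with-param name="m">
+<xsl:text>invalid binding '</xsl:text>
+<xsl:value-of select="@Binding"/>
+<xsl:text>' on </xsl:text>
+<xsl:value-of select="name()"/>
+</xsl:with-param>
+</xsl:call-template>
+</xsl:template>
+
+<xsl:template match="md:AssertionIDRequestService
+[@Binding != 'urn:oasis:names:tc:SAML:2.0:bindings:SOAP']
+[@Binding != 'urn:oasis:names:tc:SAML:2.0:bindings:URI']
+">
+<xsl:call-template name="error">
+<xsl:with-param name="m">
+<xsl:text>invalid binding '</xsl:text>
+<xsl:value-of select="@Binding"/>
+<xsl:text>' on </xsl:text>
+<xsl:value-of select="name()"/>
+</xsl:with-param>
+</xsl:call-template>
+</xsl:template>
+
+<xsl:template match="md:AttributeService
+[@Binding != 'urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding']
+[@Binding != 'urn:oasis:names:tc:SAML:2.0:bindings:SOAP']
+">
+<xsl:call-template name="error">
+<xsl:with-param name="m">
+<xsl:text>invalid binding '</xsl:text>
+<xsl:value-of select="@Binding"/>
+<xsl:text>' on </xsl:text>
+<xsl:value-of select="name()"/>
+</xsl:with-param>
+</xsl:call-template>
+</xsl:template>
+
+<xsl:template match="md:ManageNameIDService
+[@Binding != 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact']
+[@Binding != 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST']
+[@Binding != 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign']
+[@Binding != 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect']
+[@Binding != 'urn:oasis:names:tc:SAML:2.0:bindings:SOAP']
+">
+<xsl:call-template name="error">
+<xsl:with-param name="m">
+<xsl:text>invalid binding '</xsl:text>
+<xsl:value-of select="@Binding"/>
+<xsl:text>' on </xsl:text>
+<xsl:value-of select="name()"/>
+</xsl:with-param>
+</xsl:call-template>
+</xsl:template>
+
+<xsl:template match="md:NameIDMappingService
+[@Binding != 'urn:oasis:names:tc:SAML:2.0:bindings:SOAP']
+">
+<xsl:call-template name="error">
+<xsl:with-param name="m">
+<xsl:text>invalid binding '</xsl:text>
+<xsl:value-of select="@Binding"/>
+<xsl:text>' on </xsl:text>
+<xsl:value-of select="name()"/>
+</xsl:with-param>
+</xsl:call-template>
+</xsl:template>
+
+<xsl:template match="md:SingleLogoutService
+[@Binding != 'http://schemas.xmlsoap.org/ws/2003/07/secext']
+[@Binding != 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact']
+[@Binding != 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST']
+[@Binding != 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign']
+[@Binding != 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect']
+[@Binding != 'urn:oasis:names:tc:SAML:2.0:bindings:SOAP']
+">
+<xsl:call-template name="error">
+<xsl:with-param name="m">
+<xsl:text>invalid binding '</xsl:text>
+<xsl:value-of select="@Binding"/>
+<xsl:text>' on </xsl:text>
+<xsl:value-of select="name()"/>
+</xsl:with-param>
+</xsl:call-template>
+</xsl:template>
+
+<xsl:template match="md:SingleSignOnService
+[@Binding != 'urn:mace:shibboleth:1.0:profiles:AuthnRequest']
+[@Binding != 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact']
+[@Binding != 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST']
+[@Binding != 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign']
+[@Binding != 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect']
+[@Binding != 'urn:oasis:names:tc:SAML:2.0:bindings:SOAP']
+[@Binding != 'urn:oasis:names:tc:SAML:2.0:profiles:holder-of-key:SSO:browser']
+[@Binding != 'http://schemas.xmlsoap.org/ws/2003/07/secext']
+">
+<xsl:call-template name="error">
+<xsl:with-param name="m">
+<xsl:text>invalid binding '</xsl:text>
+<xsl:value-of select="@Binding"/>
+<xsl:text>' on </xsl:text>
+<xsl:value-of select="name()"/>
+</xsl:with-param>
+</xsl:call-template>
+</xsl:template>
+
+<!--
+Issue warnings for all Bindings on elements other than the ones
+called out above, as they may well be accurate but need additional
+checks researched.
+-->
+<xsl:template match="md:*
+[@Binding]
+[local-name() != 'ArtifactResolutionService']
+[local-name() != 'AssertionConsumerService']
+[local-name() != 'AssertionIDRequestService']
+[local-name() != 'AttributeService']
+[local-name() != 'ManageNameIDService']
+[local-name() != 'NameIDMappingService']
+[local-name() != 'SingleLogoutService']
+[local-name() != 'SingleSignOnService']
+">
+<xsl:call-template name="warning">
+<xsl:with-param name="m">
+<xsl:text>unknown binding '</xsl:text>
+<xsl:value-of select="@Binding"/>
+<xsl:text>' on </xsl:text>
+<xsl:value-of select="name()"/>
+</xsl:with-param>
+</xsl:call-template>
+</xsl:template>
+
+</xsl:stylesheet>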
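Review bot: An endpoint element that carries no Binding attribute at all is never reported by any of these templates, because in XPath 1.0 `@Binding != '…'` is false when the attribute is absent, so such an element falls through to the default `match="*"` recursion in check_framework.xsl and passes silently; schema validation elsewhere in the pipeline may catch it, but this ruleset does not. The catch-all at the end is also limited to `md:*`, so endpoints in extension namespaces that carry a Binding (the IdP-discovery DiscoveryResponse and request-initiator endpoints, for example) get neither a check nor the "unknown binding" warning; `match="*[@Binding]…"` with the same local-name() exclusions would cover them. A one-line comment on each template naming the specification section the permitted URI list was taken from, e.g. `<!-- Permitted per SAML 2.0 Bindings / Shibboleth 1.x profiles; extend here when a new binding is adopted. -->`, would make the lists reviewable when a new binding appears.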
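--- a/src/main/resources/_rules/check_framework.xsl
+++ b/src/main/resources/_rules/check_framework.xsl
@@ -0,0 +1,128 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+check_framework.xsl
+XSL stylesheet providing a framework for use by rule checking files.
+Author: Ian A. Young <ian@iay.org.uk>
+-->
+<xsl:stylesheet version="1.0"
+xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
+
+<!--
+The stylesheet output will be a text file, which will probably be thrown
+away in any case. The real output from the check is sent using the
+xsl:message element.
+-->
+<xsl:output method="text"/>
+
+
+<!--
+Common template to call to report an error on some element within an entity.
+-->
+<xsl:template name="error">
+<xsl:param name="m"/>
+<xsl:variable name="entity" select="ancestor-or-self::md:EntityDescriptor"/>
+<xsl:message terminate='no'>
+<xsl:text>[ERROR] </xsl:text>
+<!--
+If we're processing an aggregate, we need to indicate which
+individual entity we're dealing with.
+-->
+<xsl:if test="ancestor-or-self::md:EntitiesDescriptor">
+<!--
+Use an ID if available, otherwise the entityID.
+-->
+<xsl:choose>
+<xsl:when test="$entity/@ID">
+<xsl:value-of select="$entity/@ID"/>
+</xsl:when>
+<xsl:otherwise>
+<xsl:value-of select="$entity/@entityID"/>
+</xsl:otherwise>
+</xsl:choose>
+<xsl:text>: </xsl:text>
+</xsl:if>
+<xsl:value-of select="$m"/>
+</xsl:message>
+</xsl:template>
+
+
+<!--
+Common template to call to report a warning on some element within an entity.
+-->
+<xsl:template name="warning">
+<xsl:param name="m"/>
+<xsl:variable name="entity" select="ancestor-or-self::md:EntityDescriptor"/>
+<xsl:message terminate='no'>
+<xsl:text>[WARN] </xsl:text>
+<!--
+If we're processing an aggregate, we need to indicate which
+individual entity we're dealing with.
+-->
+<xsl:if test="ancestor-or-self::md:EntitiesDescriptor">
+<!--
+Use an ID if available, otherwise the entityID.
+-->
+<xsl:choose>
+<xsl:when test="$entity/@ID">
+<xsl:value-of select="$entity/@ID"/>
+</xsl:when>
+<xsl:otherwise>
+<xsl:value-of select="$entity/@entityID"/>
+</xsl:otherwise>
+</xsl:choose>
+<xsl:text>: </xsl:text>
+</xsl:if>
+<xsl:value-of select="$m"/>
+</xsl:message>
+</xsl:template>
+
+
+<!--
+Common template to call to report an informational message on some element within an entity.
+-->
+<xsl:template name="info">
+<xsl:param name="m"/>
+<xsl:variable name="entity" select="ancestor-or-self::md:EntityDescriptor"/>
+<xsl:message terminate='no'>
+<xsl:text>[INFO] </xsl:text>
+<!--
+If we're processing an aggregate, we need to indicate which
+individual entity we're dealing with.
+-->
+<xsl:if test="ancestor-or-self::md:EntitiesDescriptor">
+<!--
+Use an ID if available, otherwise the entityID.
+-->
+<xsl:choose>
+<xsl:when test="$entity/@ID">
+<xsl:value-of select="$entity/@ID"/>
+</xsl:when>
+<xsl:otherwise>
+<xsl:value-of select="$entity/@entityID"/>
+</xsl:otherwise>
+</xsl:choose>
+<xsl:text>: </xsl:text>
+</xsl:if>
+<xsl:value-of select="$m"/>
+</xsl:message>
+</xsl:template>
+
+
+<!-- Recurse down through all elements by default. -->
+<xsl:template match="*">
+<xsl:apply-templates select="node()|@*"/>
+</xsl:template>
+
+
+<!-- Discard text blocks, comments and attributes by default. -->
+<xsl:template match="text()|comment()|@*">
+<!-- do nothing -->
+</xsl:template>
+
+</xsl:stylesheet>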
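Review bot: The `error`, `warning` and `info` templates are three verbatim copies of the same message-building logic differing only in the `[ERROR] `/`[WARN] `/`[INFO] ` prefix, and since that prefix is presumably what the calling stage keys severity on (the header comment says the message text is the real output), any later drift between the copies would silently change how a finding is classified. A single named `report` template taking the level as a parameter, with the three public templates delegating to it, keeps the prefix-plus-identifier format in one place. Note also that when the reporting element sits under an EntitiesDescriptor but outside any EntityDescriptor (an aggregate-level Extensions element, say), `$entity` is empty and the line prints as `[ERROR] : …` with a blank identifier; the shared template is the natural place to fall back to the EntitiesDescriptor's Name there. The fence shows the shared template and the `error` wrapper; `warning` and `info` delegate the same way with their own prefix.
```xml
<!--
Shared reporter used by error, warning and info. $level is the severity
prefix (e.g. "[ERROR] "); $m is the message text. Inside an aggregate the
enclosing entity's ID (or entityID, or failing that the aggregate's Name)
is prepended so the finding can be attributed.
-->
<xsl:template name="report">
    <xsl:param name="level"/>
    <xsl:param name="m"/>
    <xsl:variable name="entity" select="ancestor-or-self::md:EntityDescriptor"/>
    <xsl:message terminate='no'>
        <xsl:value-of select="$level"/>
        <xsl:if test="ancestor-or-self::md:EntitiesDescriptor">
            <xsl:choose>
                <xsl:when test="$entity/@ID">
                    <xsl:value-of select="$entity/@ID"/>
                </xsl:when>
                <xsl:when test="$entity/@entityID">
                    <xsl:value-of select="$entity/@entityID"/>
                </xsl:when>
                <xsl:otherwise>
                    <!-- not inside any EntityDescriptor: attribute to the aggregate -->
                    <xsl:value-of select="ancestor-or-self::md:EntitiesDescriptor[1]/@Name"/>
                </xsl:otherwise>
            </xsl:choose>
            <xsl:text>: </xsl:text>
        </xsl:if>
        <xsl:value-of select="$m"/>
    </xsl:message>
</xsl:template>

<!-- Report an error on some element within an entity. -->
<xsl:template name="error">
    <xsl:param name="m"/>
    <xsl:call-template name="report">
        <xsl:with-param name="level" select="'[ERROR] '"/>
        <xsl:with-param name="m" select="$m"/>
    </xsl:call-template>
</xsl:template>
<!-- … unchanged in shape: warning and info delegate identically with '[WARN] ' and '[INFO] ' … -->
```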
14 changes: 14 additions & 0 deletions src/main/resources/common-beans.xml
@@ -37,4 +37,18 @@
<bean id="String" abstract="true" class="java.lang.String"/>
<bean id="QName" abstract="true" class="javax.xml.namespace.QName"/>

<!--
*******************************************
*** ***
*** V A L I D A T I O N B E A N S ***
*** ***
*******************************************
-->

<!--
check_bindings
-->
<bean id="check_bindings" parent="mda.XSLValidationStage"
p:XSLResource="classpath:_rules/check_bindings.xsl"/>

</beans>
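Review bot: The comment introducing the new bean only repeats its id, `check_bindings`, and says nothing about what the stage checks or at what severity it reports, so anyone reading a validator pipeline has to open the stylesheet to learn that. Suggest `<!-- check_bindings: reports an ERROR for any endpoint whose Binding is not one of the URIs permitted for that element, and a WARN for a Binding on an element the rule does not yet know. -->` in place of the bare name. The `mda.XSLValidationStage` parent bean is defined outside this hunk, so I cannot confirm from here what resource loaders it accepts beyond the `classpath:` form used.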
5 changes: 5 additions & 0 deletions src/main/resources/default-validator.xml
@@ -16,6 +16,11 @@
<bean id="description" parent="String" c:_="Default validator."/>

<bean id="pipeline" parent="mda.SimplePipeline">
<property name="stages">
<list>
<!-- nothing here -->
</list>
</property>
</bean>

</beans>
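Review bot: The new `stages` list is empty, so this validator now explicitly accepts any metadata handed to it, and the `<!-- nothing here -->` marker does not say whether that is a placeholder or the intended behaviour of the default profile. A consumer selecting the "Default validator" would reasonably expect some checking, so a comment stating the intent, e.g. `<!-- Placeholder: no validation stages yet, so every input passes. Populate before relying on this profile. -->`, stops the empty list being mistaken for a finished configuration. The same applies to the identical change in second-validator.xml in this commit.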
5 changes: 5 additions & 0 deletions src/main/resources/second-validator.xml
@@ -16,6 +16,11 @@
<bean id="description" parent="String" c:_="Second validator."/>

<bean id="pipeline" parent="mda.SimplePipeline">
<property name="stages">
<list>
<!-- nothing here -->
</list>
</property>
</bean>

</beans>
11 changes: 11 additions & 0 deletions src/main/resources/test-validator.xml
@@ -16,6 +16,17 @@
<bean id="description" parent="String" c:_="Test validator."/>

<bean id="pipeline" parent="mda.SimplePipeline">
<property name="stages">
<list>
<ref bean="check_bindings"/>
<bean id="fake_warn" parent="mda.XSLValidationStage"
p:XSLResource="classpath:test/test_warn.xsl"/>
<bean id="fake_info" parent="mda.XSLValidationStage"
p:XSLResource="classpath:test/test_info.xsl"/>
<bean id="fake_warn_2" parent="mda.XSLValidationStage"
p:XSLResource="classpath:test/test_warn.xsl"/>
</list>
</property>
</bean>

</beans>
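Review bot: This pipeline wires in fixture stylesheets from `classpath:test/test_warn.xsl` and `classpath:test/test_info.xsl`, yet the file lives under src/main/resources, so the fake WARN/INFO stages ship in the main artifact next to the real `check_bindings` rule; if the test validator only exists for the test suite, moving it and the test/ stylesheets to src/test/resources keeps fixtures out of the deployable. Only test_info.xsl appears among the sections visible here, so I cannot confirm that test_warn.xsl is added by this commit (the diffstat's eighth file is not shown on this page). A short comment on the pipeline naming it as a fixture, e.g. `<!-- Test pipeline: one real rule plus stages that inject fixed WARN and INFO results. -->`, would also make its purpose clear to whoever later lists the available validators.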
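--- a/src/main/resources/test/test_info.xsl
+++ b/src/main/resources/test/test_info.xsl
@@ -0,0 +1,28 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+Inject an "info" status.
+-->
+<xsl:stylesheet version="1.0"
+xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
+
+<!--
+Common support functions.
+-->
+<xsl:import href="../_rules/check_framework.xsl"/>
+
+<xsl:template match="md:EntityDescriptor">
+<xsl:call-template name="info">
+<xsl:with-param name="m">
+<xsl:text>informational message for entity '</xsl:text>
+<xsl:value-of select="@entityID"/>
+<xsl:text>'</xsl:text>
+</xsl:with-param>
+</xsl:call-template>
+</xsl:template>
+
+</xsl:stylesheet>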
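Review bot: The message built here embeds `@entityID`, but the `info` template in check_framework.xsl already prefixes every message with the entity's ID or entityID whenever the input is an aggregate, so in that case the entityID is printed twice on one line. If the aim is a stable fixture message for the test pipeline, dropping it from the text (`<xsl:text>informational message</xsl:text>`) leaves the framework's prefix as the single source of the identifier. The relative `href="../_rules/check_framework.xsl"` relies on the stage's resource resolver handling parent-relative classpath URIs, which cannot be confirmed from this hunk.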
