Closed phavekes closed 1 month ago
Would initially put that in our SURFconext manage-checker script instead since that's more flexible to adapt to our specific business rules. (Thijs Kinkhorst - Nov 12, 2018)
Should be a warning I think, since incoming metadata may be incomplete, I think we still want to be able to save it. (Thijs Kinkhorst - May 22, 2019)
@thijskh then this is a bit more difficult / work. The current validation hook for related fields is done server side and results in errors when saving the metadata. If it needs to be a warning then we need a different mechanism than we use now: either client side validation or a separate endpoint on the server to be called before actually saving the metadata. For now excluded in the 4.0.3 release (Okke Harsta - May 27, 2019)
The proposed solution:
This can just be a hard error. (Thijs Kinkhorst - Jan 31, 2022)
See https://github.com/OpenConext/OpenConext-manage/blob/master/manage-server/src/main/java/manage/hook/RequiredAttributesHook.java. Note that the requiredAttributes format for properties and patternProperties is different:
```json
"coin:stepup:requireloa": {
  "type": "string",
  "format": "url",
  "enum": [
    "http://test.surfconext.nl/assurance/loa2",
    "http://test.surfconext.nl/assurance/loa3"
  ],
  "default": "http://test.surfconext.nl/assurance/loa2",
  "info": "Set to require Stepup Authentication for this SP with the specified minimum Level of Assurance.",
  "requiredAttributes": [
    "coin:stepup:allow_no_token"
  ]
},
"^OrganizationName:(en|nl)$": {
  "type": "string",
  "info": "The formal name of the organization. e.g. Service by University of Harderwijk.",
  "requiredAttributes": {
    "OrganizationName:en": [
      "OrganizationDisplayName:en",
      "OrganizationURL:en"
    ]
  }
},
```
(Okke Harsta - Feb 2, 2022)
All validation errors from the server with the above schema configuration (Okke Harsta - Feb 2, 2022)
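As an added illustration, not code from OpenConext-manage or the hook linked above, here is a small Python check that applies both requiredAttributes shapes from the quoted schema fragment to one metadata entity. The rule that a present, non-empty attribute pulls in its listed dependencies, the `_is_set` helper and the error strings are assumptions made for this example.

```python
import re

# Constructed schema fragment with the two requiredAttributes shapes quoted
# in the issue: a list under "properties", a per-key map under "patternProperties".
SCHEMA = {
    "properties": {
        "coin:stepup:requireloa": {
            "requiredAttributes": ["coin:stepup:allow_no_token"]},
    },
    "patternProperties": {
        "^OrganizationName:(en|nl)$": {
            "requiredAttributes": {
                "OrganizationName:en": ["OrganizationDisplayName:en",
                                        "OrganizationURL:en"]}},
    },
}


def _is_set(metadata, key):
    value = metadata.get(key)
    return value is not None and value != ""


def required_attribute_errors(metadata, schema=SCHEMA):
    """One error per missing dependency. Assumed rule: when an attribute is
    present and non-empty, everything in its requiredAttributes must be too."""
    errors = []
    # "properties": requiredAttributes is a plain list of attribute names
    for key, definition in schema.get("properties", {}).items():
        if _is_set(metadata, key):
            for required in definition.get("requiredAttributes", []):
                if not _is_set(metadata, required):
                    errors.append(f"{key} requires {required}")
    # "patternProperties": requiredAttributes maps a concrete key to its list,
    # so a matched key without an entry (e.g. OrganizationName:nl) has no deps
    for pattern, definition in schema.get("patternProperties", {}).items():
        regex = re.compile(pattern)
        per_key = definition.get("requiredAttributes", {})
        for key in sorted(metadata):
            if regex.search(key) and _is_set(metadata, key):
                for required in per_key.get(key, []):
                    if not _is_set(metadata, required):
                        errors.append(f"{key} requires {required}")
    return errors
```

Feeding a partial Organization block through this yields one error per missing companion field, which is the kind of message the issue asks for instead of silently dropping the block from published metadata.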
This issue is imported from pivotal - Originally created at Nov 7, 2018 by Joost van Dijk
In order to generate valid SAML metadata (not just according to the SAML XSD, but also wrt additional requirements such as edugain profiles) it would be useful to warn about missing metadata fields.
For instance, it is typically required to include an Organization block in IdP metadata containing the elements OrganizationName, OrganizationDisplayName and OrganizationURL.
If one of these is missing, the others cannot be published. An error will prevent confusion as to why certain fields don't show up in metadata.
Additional errors for other fields (open to discussion) may be useful as well.