Add as many checks from eduGAIN profile as possible in one PR

alexstuart commented 10 months ago

If two or more people are independently adding new checks and associated tests, there can be a bottleneck landing PRs. This happens because the checks are added to the list in default-validator-stages.xml and two PRs would add different checks to the same file. Consequently the PRs cannot be merged as a fast-forward.

This issue is to bring forward all the additions to the default-validator-stages.xml file so that we can parallelise adding tests.

Some things that @philsmart, @iay and I agreed on:

The default validator is the eduGAIN profile
Some of the checks may throw errors with the existing tests. There may not be many because our existing tests are contstructed from metadata which passes the production pipeline and are tweaked for the existing checks. But if we do get errors, then we won't add that particular check to this PR.
We referred to this as the "kitchen sink" PR. Adding it here so it'll get picked up by the search engine.

philsmart commented 10 months ago

Trying to figure out what profiles are running. Running samlmd.aggregates.generate executes the pipelines:

 uk_statisticsPipeline 
 uk_exportPipeline 
 nonSelectedItemPipeline 
 uk_exportPreviewPipeline 
 nonSelectedItemPipeline#1 
 uk_int_edugain_importPipeline 
 uk_productionPipeline 
 uk_fallbackPipeline 
 uk_wayfPipeline 
 CDSAllPipeline 
 WugenPipeline

alexstuart commented 10 months ago

I think the "eduGAIN profile" that we're working towards can be defined as the checks that we do on import from eduGAIN, and then to the uk_productionPipeline.

philsmart commented 10 months ago

I think this is the set of checks related to an eduGain Entity. These are just what I see as the checks by name—possible I've missed something:

<!-- 
    Checks for uk_int_edugain_importPipeline 
-->
<bean id="uk_int_edugain_importPipeline" parent="mda.SimplePipeline">
    <property name="stages">
        <list>
            <ref bean="int_edugain_productionEntities"/>
            <ref bean="standardImportActions"/>
            <ref bean="edugainPolicy"/>
        </list>
    </property>
</bean>

<bean id="int_edugain_productionEntities" parent="mda.CompositeStage">
    <property name="composedStages">
        <list>
            <ref bean="check_validUntil"/>
        </list>
    </property>
</bean>

<bean id="standardImportActions" parent="mda.CompositeStage">
    <property name="composedStages">
        <list>
            <ref bean="checkSchemas"/>
            <ref bean="CHECK_std"/>
            <ref bean="check_namespaces"/>
            <bean id="checkCertificates" parent="mda.X509ValidationStage">
            </bean>
        </list>
    </property>
</bean>

<bean id="edugainPolicy" parent="mda.CompositeStage">
    <property name="composedStages">
        <list>
            <bean id="checkScopes" parent="inc.stage_parent" class="uk.org.iay.incommon.mda.dom.saml.shib.ScopeValidationStage">
            </bean>
            <ref bean="check_hasreginfo"/>
            <ref bean="check_ukf_compromised"/>
        </list>
    </property>
</bean>

<!-- 
    Checks for uk_productionPipeline 
-->
<bean id="uk_productionPipeline" parent="mda.SimplePipeline">
    <property name="stages">
        <list>
            <ref bean="checkPublishable"/>
        </list>
    </property>
</bean>

<bean id="checkPublishable" parent="mda.CompositeStage">
    <property name="composedStages">
        <list>
            <ref bean="checkSchemas"/>
            <ref bean="check_aggregate"/>
            <ref bean="check_filtered"/>
            <ref bean="check_namespaces"/>
        </list>
    </property>
</bean>

<bean id="CHECK_std" parent="mda.CompositeStage">
    <property name="composedStages">
        <list>
            <ref bean="check_adfs"/>
            <ref bean="check_algsupport"/>
            <ref bean="check_bindings"/>
            <ref bean="check_cr"/>
            <ref bean="check_entityid_prefix"/>
            <ref bean="check_hoksso"/>
            <ref bean="check_idpdisc"/>
            <ref bean="check_idp_tls"/>
            <ref bean="check_incmd"/>
            <ref bean="check_init"/>
            <ref bean="check_mdattr"/>
            <ref bean="check_mdiop"/>
            <ref bean="check_mdrpi"/>
            <ref bean="check_mdui"/>
            <ref bean="check_misc"/>
            <ref bean="check_rands"/>
            <ref bean="check_coco_v2"/>
            <ref bean="check_reqattr"/>
            <ref bean="check_saml1"/>
            <ref bean="check_saml2"/>
            <ref bean="check_saml2_lang"/>
            <ref bean="check_saml2int"/>
            <ref bean="check_saml2meta"/>
            <ref bean="check_saml_strings"/>
            <ref bean="check_shib_noregscope"/>
            <ref bean="check_shibboleth"/>
            <ref bean="check_sirtfi"/>
            <ref bean="check_sp_tls"/>
            <ref bean="check_uk_algorithms"/>
            <ref bean="check_uk_trust"/>
        </list>
    </property>
</bean>

philsmart commented 10 months ago

flattened:

check_validUntil
checkSchemas
check_adfs
check_algsupport
check_bindings
check_cr
check_entityid_prefix
check_hoksso
check_idpdisc
check_idp_tls
check_incmd
check_init
check_mdattr
check_mdiop
check_mdrpi
check_mdui
check_misc
check_rands
check_coco_v2
check_reqattr
check_saml1
check_saml2
check_saml2_lang
check_saml2int
check_saml2meta
check_saml_strings
check_shib_noregscope
check_shibboleth
check_sirtfi
check_sp_tls
check_uk_algorithms
check_uk_trust
check_namespaces
checkCertificates
checkScopes
check_hasreginfo
check_ukf_compromised
checkSchemas
check_aggregate
check_filtered
check_namespaces

ukf / ukf-testbed

Add as many checks from eduGAIN profile as possible in one PR #19