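# SWAMID metadata build: normalise (xsltproc), sign (xmlsec1), schema-check
# (xmllint) and publish the federation aggregates, plus a set of lint-style
# "test*" targets over the per-entity XML under $(SRCDIRS).
#
# NOTE(review): several shell pipelines below read
#   `sed 's;\(/dev/null | grep ...`
# The sed pattern between `\(` and `/dev/null` is missing in this copy of the
# file; those lines are reproduced verbatim and must be restored from the
# repository before the affected test targets are relied upon.

# Signing credentials.  The passphrase is read from a file at parse time; if the
# file is absent PASS is empty and no --pwd flag is passed (see SIGNER).
KEY  := /opt/swamid-credentials/swamid-signer.key
CERT := /opt/swamid-credentials/swamid-signer.crt
PASS := $(shell test -f /opt/swamid-credentials/swamid-signer-pass.txt && cat /opt/swamid-credentials/swamid-signer-pass.txt)

# Where validated, signed aggregates are moved to (see %.pub).
DEST := /opt/published-metadata
# Directories holding the per-entity source XML that the test* targets scan.
SRCDIRS := swamid-2.0

# Validity window and timestamps for the aggregates.  Simple (:=) flavour so
# each perl helper runs once at parse time; with recursive (=) flavour every
# reference to ID would have produced a different identifier.
DAYS := 15
DATE := $(shell perl scripts/expiration_date.pl $(DAYS))
NOW  := $(shell perl scripts/now_date.pl)
ID   := $(shell perl scripts/unique_id.pl)

# XSLT switches; the sub-makes for edugain/kalmar/projects override these on
# the command line.
RPI      := false
CONTACTS := false
TOU      := true
ORG      := true
TRANSFORM := xslt/normalize.xsl

XSLTDEFS := --stringparam org $(ORG) --stringparam ID $(ID) \
            --stringparam tou $(TOU) --stringparam rpi $(RPI) \
            --stringparam defaultContact $(CONTACTS) \
            --stringparam date $(DATE) --stringparam now $(NOW)

# xmlsec1 only accepts the key passphrase as a command-line argument, so it is
# visible in the process list of the signing host while xmlsec1 runs; keep
# signing on a host where that is acceptable.  --pwd is emitted only when a
# passphrase was actually read, otherwise the following option would have been
# consumed as the password.
SIGNER := xmlsec1 --sign --privkey-pem $(KEY),$(CERT) $(if $(PASS),--pwd $(PASS)) --id-attr:ID urn:oasis:names:tc:SAML:2.0:metadata:EntitiesDescriptor

BASEURL := http://md.swamid.se/md
SIGN    := xslt/sign.xsl
SITE    := site/md.swamid.se
# Terms-of-use files published alongside the site.  Kept in a separate
# variable: TOU above is the XSLT boolean that sub-makes override with
# TOU=false, and a command-line override applies to every assignment of the
# same name.
TOU_FILES := swamid-tou-en.txt swamid-tou-sv.txt

# Remove a half-written target (e.g. an extracted .xml or a .sig that failed
# schema validation) when its recipe fails, so a later run does not treat it
# as up to date.
.DELETE_ON_ERROR:

# None of these produce a file of the same name; without .PHONY a stray file
# called e.g. "clean" or "swamid" would make the target silently "up to date".
.PHONY: all sign dependencies upstream kalmar edugain projects \
        swamid-ki-sll swamid-fiv-test aggregate \
        swamid-externals swamid-externals1 swamid-externals2 \
        swamid-interfederations swamid-interfederations1 swamid-interfederations2 \
        swamid web syntaxtest pedantic schematest clean tidy \
        testMetadataUsage testRefedsRnS testGeantCoCo testEduGAINchecks \
        testMDUI testIdPinSP testMDUIreach testOrgData testEntCat \
        testSimpleSign testALlevel testBadStrings testRoleDescriptor \
        testAttributeInIdP

# Optional site-local overrides (path comes from the environment).
-include $(SWAMID_MK_CONFIG)

# NOTE(review): `clean` is listed twice but make builds a target at most once
# per run, so the second clean (before web) never executes.  `test` is not
# defined in this excerpt; it must come from the included config or a later
# part of the file.
all: clean dependencies test sign clean web

# All aggregate definitions in the working directory.
MXML := $(shell echo *.mxml)

sign: swamid upstream projects

# Normalise -> wrap for signing -> sign -> schema-check the signed aggregate.
# The signer line is not echoed so the passphrase does not end up in build or
# CI logs; a redacted form of the command is printed instead.
%.sig: %.mxml
	xsltproc $(XSLTDEFS) --stringparam target "$(BASEURL)/$*.xml" --xinclude $(TRANSFORM) $< > $*.n
	xsltproc $(XSLTDEFS) --xinclude $(SIGN) $*.n > $*.tbs
	@echo "xmlsec1 --sign [credentials redacted] --output $@ $*.tbs"
	@$(SIGNER) --output $@ $*.tbs
	xmllint --xinclude --nowarning --noout --path schema --schema schema.xsd $@
	rm -f $*.tbs $*.n

# Publish: re-validate the signed file and move it into $(DEST) as .xml.
# No file named *.pub is ever created, so publishing always re-runs and the
# consumed .sig is re-signed on the next build.
%.pub: %.sig
	mkdir -p $(DEST) && xmllint --nowarning --noout --path schema --schema schema.xsd $< && mv $< $(DEST)/$*.xml

dependencies: swamid-externals-sp-2.0.xml swamid-interfederations-idp-2.0.xml

# kalmar obsolete
#upstream: edugain kalmar
upstream: edugain

# Interfederation exports are built in sub-makes so the XSLT switches can
# differ per aggregate.
kalmar:
	env SWAMID_MK_CONFIG=$(SWAMID_MK_CONFIG) $(MAKE) RPI=false CONTACTS=false swamid-kalmar-1.0.pub swamid-kalmar-testing-1.0.pub

edugain:
	env SWAMID_MK_CONFIG=$(SWAMID_MK_CONFIG) $(MAKE) RPI=true CONTACTS=true swamid-edugain-testing-1.0.pub swamid-edugain-1.0.pub

projects: swamid-fiv-test swamid-ki-sll

swamid-ki-sll:
	env SWAMID_MK_CONFIG=$(SWAMID_MK_CONFIG) $(MAKE) RPI=false CONTACTS=false TOU=false ORG=false swamid-ki-sll-1.0.pub

swamid-fiv-test:
	env SWAMID_MK_CONFIG=$(SWAMID_MK_CONFIG) $(MAKE) RPI=false CONTACTS=false TOU=false ORG=false swamid-fiv-test.pub

aggregate: swamid-externals swamid-interfederations

swamid-externals: swamid-externals1 swamid-externals2

swamid-externals1:
	scripts/aggregate.sh swamid-externals-1.0

swamid-externals2:
	scripts/aggregate.sh swamid-externals-2.0

# kalmar obsolete
#swamid-interfederations: swamid-interfederations1 swamid-interfederations2
swamid-interfederations: swamid-interfederations2

swamid-interfederations1:
	scripts/aggregate.sh swamid-interfederations-1.0

swamid-interfederations2:
	scripts/aggregate.sh swamid-interfederations-2.0

swamid: swamid-2.0.pub swamid-no-interfederation-combined.pub swamid-discovery.pub swamid-idp.pub swamid-idp-transitive.pub swamid-registered.pub swamid-testing-1.0.pub swamid-testing-idp-1.0.pub

web: $(SITE) $(TOU_FILES)
	rsync -avz $(TOU_FILES) $(SITE)/ $(DEST)

# Derived aggregates extracted from the interfederation/externals definitions.
swamid-interfederations-idp-2.0.xml: swamid-interfederations-2.0.mxml
	@xsltproc --xinclude xslt/extract-idp.xslt swamid-interfederations-2.0.mxml > swamid-interfederations-idp-2.0.xml

swamid-externals-sp-2.0.xml: swamid-externals-2.0.mxml
	@xsltproc --xinclude xslt/extract-non-idp.xslt swamid-externals-2.0.mxml > swamid-externals-sp-2.0.xml

syntaxtest: clean dependencies schematest

pedantic: clean dependencies schematest testRefedsRnS testGeantCoCo testEduGAINchecks

# Schema-validate every aggregate; fail at the end if any one failed.
schematest:
	@fail=false ; for x in $(MXML); do test=`xmllint --xinclude --nowarning --noout --path schema --schema schema.xsd $$x 2>&1`; rc=$$?; echo $$test | sed 's/fails to validate/&/;s/validates/&/'; if [ $$rc -gt 0 ]; then fail=true ; fi; done ; if $$fail ; then exit 1 ; fi

# Only generated files live in the working directory; entity sources are
# under $(SRCDIRS) and are not touched.
clean:
	@rm -f *.xml *.tbs *.n *.sig

tidy:
	@for x in `find $(SRCDIRS) -name \*.xml`; do xsltproc xslt/clean-entitydescriptor.xsl $$x > $$x.c && mv $$x.c $$x; done

testMetadataUsage:
	@echo "Checking for files in swamid-2.0 that isn't used"
	@for file in swamid-2.0/* ; do if ! grep -q $$file *.mxml; then echo " $$file: Doesn't exist in any mxml files"; fi; done | sed 's/.*/&/'

testRefedsRnS:
	@echo "Checking for refeds R&S compatibillity for entities exported to eduGAIN"
	@for x in `cat swamid-edugain-*.mxml | grep -v "\.mxml$$" | grep "xi:include" | awk -F\" '{print $$2}' | xargs grep -l SPSSODescriptor` ; do \
	got_refeds_RnS=`cat $$x | sed 's;\(/dev/null | grep 'http://refeds.org/category/research-and-scholarship'` ; \
	if [ -n "$$got_refeds_RnS" ] ; then \
	http_post=`cat $$x | sed 's;\(/dev/null | grep 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST'` ; \
	if [ -z "$$http_post" ] ; then echo " $$x: Missing HTTP-POST binding." | sed 's/.*/&/' ; fi ; \
	mdui_DisplayName=`cat $$x | sed 's;\(/dev/null | grep 'DisplayName'` ; \
	if [ -z "$$mdui_DisplayName" ] ; then echo " $$x: Missing mdui:DisplayName." | sed 's/.*/&/' ; fi ; \
	mdui_InformationURL=`cat $$x | sed 's;\(/dev/null | grep 'InformationURL'` ; \
	if [ -z "$$mdui_InformationURL" ] ; then echo " $$x: Missing mdui:InformationURL." | sed 's/.*/&/' ; fi ; \
	tech_contact=`cat $$x | sed 's;\(/dev/null | grep 'EmailAddress'` ; \
	if [ -z "$$tech_contact" ] ; then echo " $$x: Missing ContactPerson contactType='technical'." | sed 's/.*/&/' ; fi ; \
	requested_attributes=`cat $$x | sed 's;\(/dev/null | grep 'RequestedAttribute'` ; \
	if [ -z "$$requested_attributes" ] ; then echo " $$x: Missing requested attributes." | sed 's/.*/&/' ; fi ; \
	fi ; \
	done

# NOTE(review): mdui_Descr greps 'DisplayName' although the message reports a
# missing mdui:Description - looks like a copy-paste slip; confirm once the
# sed pattern is restored.  The PrivacyStatementURL check fetches URLs taken
# from the metadata itself (curl -L follows redirects, 5 s timeout), so this
# target makes outbound requests to whatever the entity files point at.
testGeantCoCo:
	@echo "Checking for Geant CoCo compliance for entities exported to eduGAIN"
	@for x in `cat swamid-edugain-*.mxml | grep -v "\.mxml$$" | grep "xi:include" | awk -F\" '{print $$2}' | xargs grep -l SPSSODescriptor` ; do \
	got_geant_CoCo=`cat $$x | sed 's;\(/dev/null | grep 'http://www.geant.net/uri/dataprotection-code-of-conduct/v1'` ; \
	if [ -n "$$got_geant_CoCo" ] ; then \
	mdui_check=`cat $$x | sed 's;\(/dev/null` ; \
	if [ -z "$$mdui_check" ] ; then \
	echo " $$x: Missing MDUI." | sed 's/.*/&/' ; \
	else \
	mdui_DisplayName=`cat $$x | sed 's;\(/dev/null | grep 'DisplayName'` ; \
	if [ -z "$$mdui_DisplayName" ] ; then echo " $$x: Missing mdui:DisplayName." | sed 's/.*/&/' ; fi ; \
	mdui_Descr=`cat $$x | sed 's;\(/dev/null | grep 'DisplayName'` ; \
	if [ -z "$$mdui_Descr" ] ; then echo " $$x: Missing mdui:Description." | sed 's/.*/&/' ; fi ; \
	for y in `cat $$x | sed 's;\(/dev/null | grep $$y | grep 'xml:lang="en"'` ; \
	if [ -z "$$mdui_Test" ] ; then echo " $$x: Missing xml:lang=\"en\" on mdui:$$y." | sed 's/.*/&/' ; fi ; \
	done ; \
	mdui_PrivacyStatementURL=`cat $$x | sed 's;\(/dev/null | grep 'PrivacyStatementURL'` ; \
	if [ -z "$$mdui_PrivacyStatementURL" ] ; then echo " $$x: Missing PrivacyStatementURL." | sed 's/.*/&/' ; \
	else \
	echo $$mdui_PrivacyStatementURL | sed 's/>\n\(.*\)<.*/\1 \2/' | while read lang url ; do curl -s -L -m 5 $$url | grep http://www.geant.net/uri/dataprotection-code-of-conduct/v1 -q || echo " $$x missing link to geant.net in PrivacyStatementURL $$lang" | sed 's/.*/&/' ; done ; \
	fi ; \
	fi ; \
	requestedAttribute=`cat $$x | sed 's;\(/dev/null | grep 'RequestedAttribute'` ; \
	if [ -z "$$requestedAttribute" ] ; then echo " $$x: Missing RequestedAttribute." | sed 's/.*/&/' ; fi ; \
	fi ; \
	done

testEduGAINchecks:
	@echo "Checking for attributes not allowed in entities exported to eduGAIN"
	@for x in `cat swamid-edugain-*.mxml | grep -v "\.mxml$$" | grep "xi:include" | awk -F\" '{print $$2}' | xargs grep -l SPSSODescriptor` ; do \
	if ( grep -q "AssertionConsumerService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" $$x ); then \
	echo " $$x: AssertionConsumerService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect\" not allowed"; \
	fi ; \
	done

# Each check pipes its findings through `grep .` and exits 1 when anything was
# reported; the IPHint/geodata/Logo checks only print and never fail.
testMDUI:
	@echo "Checking for bad lang codes"
	@for x in swamid-2.0/*.xml ; do bad_langs=`cat $$x | sed -n 's/.*xml:lang="\([^"]*\)".*/\1/p' | sort -u | grep -vxE 'cs|da|de|en|fi|fr|it|sv'` ; if [ -n "$$bad_langs" ] ; then echo " $$x: `echo $$bad_langs`" | sed 's/.*/&/' ; fi ; done | grep . && exit 1 || exit 0
	@echo "Check for mismatch between MDUI DisplayName and OrganizationDisplayName"
	@for x in `find $(SRCDIRS) -name \*.xml | xargs grep -l IDPSSODescriptor` ; do for lang in `cat $$x | sed -n 's/.*xml:lang="\(..\)".*/\1/p' | sort -u` ; do mdui_displayname=`cat $$x | sed 's;\(/dev/null | sed 's/^[ ]*//;s/[ ]*$$//' | tr -d '\n' | sed 's;<[^>]*>\([^<]*\)]*>;\1\n;g'` organizationdisplayname=`cat $$x | sed 's;\(/dev/null | sed 's/^[ ]*//;s/[ ]*$$//' | tr -d '\n' | sed 's;<[^>]*>\([^<]*\)]*>;\1\n;g'` ; if [ -n "$$mdui_displayname" -a -n "$$organizationdisplayname" -a "$$mdui_displayname" != "$$organizationdisplayname" ] ; then echo "$$x: $$lang '$$mdui_displayname' vs $$lang '$$organizationdisplayname'" | sed 's/.*/&/'; fi ; done ; done | grep . && exit 1 || true
	@echo "Checking for uniq IdP MDUI DisplayName"
	@for lang in `cat swamid-2.0/*.xml | sed -n 's/.*xml:lang="\([^"]*\)".*/\1/p' | sort -u` ; do for x in `find $(SRCDIRS) -name \*.xml | xargs grep -l IDPSSODescriptor` ; do cat $$x | sed 's;\(/dev/null | sed 's/^[ ]*//;s/[ ]*$$//' | tr -d '\n' | sed 's;<[^>]*>\([^<]*\)]*>;\1\n;g' | sed "s;^; $$x $$lang ;" | sed 's/.*/&/' ; done | sort -k 3 | uniq -d -f 2 ; done | grep . && exit 1 || true
	@echo "Checking for invalid IPHint"
	@for x in `find $(SRCDIRS) -name \*.xml`; do if cat $$x | sed -n 's;.*<[a-z0-9:]*IPHint>\(.*\);\1;p' | grep -q -vE '^$$|^[0-9./a-fA-F:]*$$' ; then echo " $$x" | sed 's/.*/&/' ; fi ; done
	@echo "Checking for invalid geodata (syntax is geo:xx.yy,zz.vv)"
	@for x in `find $(SRCDIRS) -name \*.xml`; do if cat $$x | sed -n 's;.*<[a-z0-9:]*GeolocationHint>\(.*\);\1;p' | grep -q -vE '^$$|^geo:[0-9][0-9][0-9.]*,[0-9][0-9][0-9.]*$$' ; then echo " $$x" | sed 's/.*/&/' ; fi ; done
	@echo "Check for IdP:s with Logos over http"
	@for x in `find $(SRCDIRS) -name \*.xml`; do if cat $$x | sed -n '/IDPSSODescriptor/,/\/IDPSSODescriptor/p' | grep -q 'Logo .*http://' ; then echo " $$x" | sed 's/.*/&/' ; fi ; done

testIdPinSP:
	@echo "Check that SP:s does not define IDPSSODescriptor"
	@for spfile in `cat swamid-sp-2.0.mxml swamid-externals-sp-2.0.xml | grep -v "\.mxml$$" | grep "xi:include" | awk -F\" '{print $$2}'` ; do grep -q IDPSSODescriptor $$spfile && echo " $$spfile" | sed 's/.*/&/' ; done | grep . && exit 1 || exit 0

# Runs the URL checker on every included entity file, 10 in parallel.
testMDUIreach:
	@echo "Check that MDUI URLs are reachable"
	@cat swamid-idp-2.0.mxml swamid-sp-2.0.mxml swamid-externals-sp-2.0.xml | grep -v "\.mxml$$" | grep "xi:include" | awk -F\" '{print $$2}' | \
	xargs -n1 -P 10 scripts/verify-uiinfo-urls.sh

testOrgData:
	@echo "Checking for uniq IdP OrganizationDisplayName"
	@for lang in `cat swamid-2.0/*.xml | sed -n 's/.*xml:lang="\(..\)".*/\1/p' | sort -u` ; do for x in `find $(SRCDIRS) -name \*.xml | xargs grep -l IDPSSODescriptor` ; do cat $$x | sed 's;\(/dev/null | sed 's/^[ ]*//;s/[ ]*$$//' | tr -d '\n' | sed 's;<[^>]*>\([^<]*\)]*>;\1\n;g' | sed "s;^;$$x $$lang ;" | sed 's/.*/\ \ &/' ; done | sort -k 3 | uniq -d -f 2 ; done | grep . && exit 1 || true

# Entity-attribute hygiene: every check fails the target (exit 1) when it
# reports at least one file.
testEntCat:
	@echo "Checking for entity-categories in SPSSODescriptors that should be moved to EntityDescriptor/Extensions"
	@for x in `find $(SRCDIRS) -name \*.xml`; do if cat $$x | sed 's;\(/dev/null | grep -q entity-category ; then echo " $$x" | sed 's/.*/&/' ; fi ; done | grep . && exit 1 || true
	@echo "Checking for entity-categories in IDPSSODescriptor that should be moved to EntityDescriptor/Extensions"
	@for x in `find $(SRCDIRS) -name \*.xml`; do if cat $$x | sed 's;\(/dev/null | grep -q entity-category ; then echo " $$x" | sed 's/.*/&/' ; fi ; done | grep . && exit 1 || true
	@echo "Checking for MDUI in EntityDescriptor/Extensions"
	@for x in `find $(SRCDIRS) -name \*.xml`; do if cat $$x | sed 's;\(/dev/null | grep -q . ; then echo " $$x" | sed 's/.*/&/' ; fi ; done | grep . && exit 1 || true
	@echo "Checking for entitycategories for IdPs that should be entity-category-support"
	@for x in `find $(SRCDIRS) -name \*.xml | xargs grep -l IDPSSODescriptor` ; do if cat $$x | sed 's;\(/dev/null | grep -q http://refeds.org/category/research-and-scholarship ; then echo " $$x" | sed 's/.*/&/' ; fi ; done | grep . && exit 1 || true
	@echo "Checking for wrong Name in EntityAttributes/Attribute"
	@for x in `find $(SRCDIRS) -name \*.xml | xargs grep -l "Attribute "` ; do if cat $$x | sed 's;\(/dev/null | grep "Attribute " | sed 's/.* Name="//' | sed -e 's/ NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"//' -e 's/">//' | egrep -v "http://macedir.org/entity-category|http://macedir.org/entity-category-support|urn:oasis:names:tc:SAML:attribute:assurance-certification|http://www.swamid.se/assurance-requirement" ; then echo " $$x" | sed 's/.*/&/' ; fi ; done | grep . && exit 1 || true
	@echo "Checking for wrong AttributeValue in EntityAttributes/Attribute http://macedir.org/entity-category"
	@for x in `find $(SRCDIRS) -name \*.xml | xargs grep -l "http://macedir.org/entity-category"` ; do if cat $$x | sed 's;\(/dev/null | grep "AttributeValue" | egrep -v ">http://refeds.org/category/research-and-scholarship<|>http://www.geant.net/uri/dataprotection-code-of-conduct/v1<|>http://www.swamid.se/category/research-and-education<|>http://www.swamid.se/category/hei-service<|>http://www.swamid.se/category/nren-service<|>http://www.swamid.se/category/sfs-1993-1153<|>http://www.swamid.se/category/eu-adequate-protection<|>http://refeds.org/category/hide-from-discovery<" ; then echo " $$x" | sed 's/.*/&/' ; fi ; done | grep . && exit 1 || true
	@echo "Checking for wrong AttributeValue in EntityAttributes/Attribute http://macedir.org/entity-category-support"
	@for x in `find $(SRCDIRS) -name \*.xml | xargs grep -l "http://macedir.org/entity-category-support"` ; do if cat $$x | sed 's;\(/dev/null | grep "AttributeValue" | egrep -v ">http://refeds.org/category/research-and-scholarship<|>http://www.geant.net/uri/dataprotection-code-of-conduct/v1<" ; then echo " $$x" | sed 's/.*/&/' ; fi ; done | grep . && exit 1 || true
	@echo "Checking for wrong AttributeValue in EntityAttributes/Attribute http://www.swamid.se/assurance-requirement"
	@for x in `find $(SRCDIRS) -name \*.xml | xargs grep -l "http://www.swamid.se/assurance-requirement"` ; do if cat $$x | sed 's;\(/dev/null | grep "AttributeValue" | egrep -v ">http://www.swamid.se/policy/assurance/al1<|>http://www.swamid.se/policy/assurance/al2<" ; then echo " $$x" | sed 's/.*/&/' ; fi ; done | grep . && exit 1 || true
	@echo "Checking for wrong AttributeValue in EntityAttributes/Attribute urn:oasis:names:tc:SAML:attribute:assurance-certification"
	@for x in `find $(SRCDIRS) -name \*.xml | xargs grep -l "urn:oasis:names:tc:SAML:attribute:assurance-certification"` ; do if cat $$x | sed 's;\(/dev/null | grep "AttributeValue" | egrep -v ">https://refeds.org/sirtfi<|>http://www.swamid.se/policy/assurance/al1<|>http://www.swamid.se/policy/assurance/al2<|>http://www.swamid.se/policy/authentication/swamid-al2-mfa<|>http://www.swamid.se/policy/authentication/swamid-al2-mfa-hi<" ; then echo " $$x" | sed 's/.*/&/' ; fi ; done | grep . && exit 1 || true

# sp-with-simplesign is the allow-list of entity files permitted to use
# HTTP-POST-SimpleSign; first verify every listed file exists, then flag any
# other file that uses the binding.
testSimpleSign:
	@echo "Check for new SP:s with SimpleSign (breaks ADFS IdP:s with Shib SP 2.5+)"
	@for x in `grep -v "#" sp-with-simplesign`; do if [ ! -r swamid-2.0/$$x ] ; then echo $$x saknas; fi ; done | grep . && exit 1 || exit 0
	@for x in `find $(SRCDIRS) -name \*.xml`; do if ! grep -qx `basename $$x` sp-with-simplesign && grep -q HTTP-POST-SimpleSign $$x ; then echo " $$x" | sed 's/.*/&/' ; fi ; done | grep . && exit 1 || exit 0

testALlevel:
	@echo "Check for IdP:s with AL2 without AL1"
	@for x in `find $(SRCDIRS) -name \*.xml`; do if grep -q http://www.swamid.se/policy/assurance/al2 $$x && ! grep -q http://www.swamid.se/policy/assurance/al1 $$x ; then echo " $$x" | sed 's/.*/&/' ; fi ; done

testBadStrings:
	@echo "Check for bad strings in metadata"
	@for x in `find $(SRCDIRS) -name \*.xml`; do grep -E 'ServiceName xml:lang="[^"]*"/>' $$x | sed 's/^/ /' ; done | grep . && exit 1 || exit 0

# Reports only; the target succeeds even when matches are found.
testRoleDescriptor:
	@echo "Check for RoleDescriptor that should be removed"
	@for x in `find $(SRCDIRS) -name \*.xml`; do \
	grep -EH 'RoleDescriptor.*xsi:type="fed:(ApplicationServiceType|SecurityTokenServiceType)"' $$x | \
	sed -e 's/^/ /' -e 's/xmlns.*xsi:type="fed:/xsi:type="fed:/' -e 's/ protocol.*>/>/' -e 's/.*/&/' ; \
	done | grep . && echo "Please remove" || exit 0

# NOTE(review): this rule is cut off at the end of the excerpt; the recipe
# continues in the full file and is reproduced here only as far as visible.
testAttributeInIdP:
	@echo "Check for Attribute inside IDPSSODescriptor"
	@for x in `find $(SRCDIRS) -name \*.xml`; do \
	if cat $$x | sed 's;\(/dev/null | grep -q "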