
edugain-discuss - Re: [eduGAIN-discuss] MDS re-publishes schema-invalid metadata


Re: [eduGAIN-discuss] MDS re-publishes schema-invalid metadata


  • From: Peter Schober <peter.schober AT univie.ac.at>
  • To: edugain-discuss AT lists.geant.org
  • Subject: Re: [eduGAIN-discuss] MDS re-publishes schema-invalid metadata
  • Date: Fri, 20 Sep 2019 15:56:15 +0200
  • Organization: ACOnet

* Tomasz Wolniewicz <twoln AT umk.pl> [2019-09-20 15:29]:
>    as you are well aware OT is running schema validation with both MDA
> and pyFF and they did not choke on it.

I didn't know about use of the MDA but either way, I shouldn't have to
remember these things in order to report this. ;)

> In fact Validator2 does report this problem but only as a warning
> which is probably wrong.

Yes, the following is not sufficient (I looked at both the old and new
validator outputs for eduID.hu and managed to miss this), IMO:

https://mdd.pte.hu/saml/module.php/saml/sp/metadata.php/mdd
mdrpi:UIInfo/DisplayName has wrong language tag ''
mdrpi:UIInfo/Description has wrong language tag ''

> Looks like another specific rule to be added.

Not sure schema-validity is so "specific" as a requirement.
At least both xmllint (and xmlstarlet, both using libxml2) and
XmlSecTool report this as fatal error, which is why my tooling stopped
this from being republished to our members:

xmllint (line numbers are specific to the eduID.hu UPSTREAM, not the MDS):

/tmp/hu.xml:5982: element DisplayName: Schemas validity error : Element
'{urn:oasis:names:tc:SAML:metadata:ui}DisplayName', attribute
'{http://www.w3.org/XML/1998/namespace}lang': '' is not a valid value of the
atomic type 'xs:language'.
/tmp/hu.xml:5985: element Description: Schemas validity error : Element
'{urn:oasis:names:tc:SAML:metadata:ui}Description', attribute
'{http://www.w3.org/XML/1998/namespace}lang': '' is not a valid value of the
atomic type 'xs:language'.
/tmp/hu.xml:6006: element ServiceName: Schemas validity error : Element
'{urn:oasis:names:tc:SAML:2.0:metadata}ServiceName', attribute
'{http://www.w3.org/XML/1998/namespace}lang': '' is not a valid value of the
atomic type 'xs:language'.
/tmp/hu.xml:6009: element ServiceDescription: Schemas validity error :
Element '{urn:oasis:names:tc:SAML:2.0:metadata}ServiceDescription', attribute
'{http://www.w3.org/XML/1998/namespace}lang': '' is not a valid value of the
atomic type 'xs:language'.

XmlSecTool:

INFO XMLSecTool - XML document parsed and is well-formed.
ERROR XMLSecTool - XML is not schema valid
org.xml.sax.SAXParseException: cvc-pattern-valid: Value '' is not facet-valid
with respect to pattern '([a-zA-Z]{1,8})(-[a-zA-Z0-9]{1,8})*' for type
'language'.
at java.xml/com.sun.org.apache.xerces.internal.util.ErrorHandlerWrapper.createSAXParseException(ErrorHandlerWrapper.java:204) ~[na:na]
at java.xml/com.sun.org.apache.xerces.internal.util.ErrorHandlerWrapper.error(ErrorHandlerWrapper.java:135) ~[na:na]
at java.xml/com.sun.org.apache.xerces.internal.impl.XMLErrorReporter.reportError(XMLErrorReporter.java:396) ~[na:na]
at java.xml/com.sun.org.apache.xerces.internal.impl.XMLErrorReporter.reportError(XMLErrorReporter.java:327) ~[na:na]
at java.xml/com.sun.org.apache.xerces.internal.impl.XMLErrorReporter.reportError(XMLErrorReporter.java:284) ~[na:na]
at java.xml/com.sun.org.apache.xerces.internal.impl.xs.XMLSchemaValidator$XSIErrorReporter.reportError(XMLSchemaValidator.java:511) ~[na:na]
at java.xml/com.sun.org.apache.xerces.internal.impl.xs.XMLSchemaValidator.reportSchemaError(XMLSchemaValidator.java:3587) ~[na:na]
at java.xml/com.sun.org.apache.xerces.internal.impl.xs.XMLSchemaValidator.processOneAttribute(XMLSchemaValidator.java:3107) ~[na:na]
at java.xml/com.sun.org.apache.xerces.internal.impl.xs.XMLSchemaValidator.processAttributes(XMLSchemaValidator.java:3051) ~[na:na]
at java.xml/com.sun.org.apache.xerces.internal.impl.xs.XMLSchemaValidator.handleStartElement(XMLSchemaValidator.java:2286) ~[na:na]
at java.xml/com.sun.org.apache.xerces.internal.impl.xs.XMLSchemaValidator.startElement(XMLSchemaValidator.java:829) ~[na:na]
at java.xml/com.sun.org.apache.xerces.internal.jaxp.validation.DOMValidatorHelper.beginNode(DOMValidatorHelper.java:276) ~[na:na]
at java.xml/com.sun.org.apache.xerces.internal.jaxp.validation.DOMValidatorHelper.validate(DOMValidatorHelper.java:243) ~[na:na]
at java.xml/com.sun.org.apache.xerces.internal.jaxp.validation.DOMValidatorHelper.validate(DOMValidatorHelper.java:189) ~[na:na]
at java.xml/com.sun.org.apache.xerces.internal.jaxp.validation.ValidatorImpl.validate(ValidatorImpl.java:108) ~[na:na]
at java.xml/javax.xml.validation.Validator.validate(Validator.java:124) ~[na:na]
at net.shibboleth.tool.xmlsectool.SchemaValidator.validate(SchemaValidator.java:146) ~[xmlsectool-2.0.0.jar:na]
at net.shibboleth.tool.xmlsectool.XMLSecTool.schemaValidate(XMLSecTool.java:342) ~[xmlsectool-2.0.0.jar:na]
at net.shibboleth.tool.xmlsectool.XMLSecTool.main(XMLSecTool.java:144) ~[xmlsectool-2.0.0.jar:na]

> And by the way, while this being formally incorrect does this actually
> cause real problems in the IdP/SP side anywhere?

Having stopped local propagation I'm in the unfortunate (?) position
of not having any broken systems to report.

But I suppose it would break most metadata consumers that were
configured (or cannot be configured NOT) to perform schema-validation
(as was part of our own IDP and SP documentation for a long time,
which we changed to avoid the validation problems with the WS-*
extension schemas, back in 2014).

Testing the eduID.hu eduGAIN upstream with a current Shibboleth SP
v3.0.4 this metadata fails to load, even with validate="false":

2019-09-20 13:51:43 ERROR OpenSAML.MetadataProvider.XML : metadata instance
failed manual validation checking: DisplayName must have Lang.
2019-09-20 13:51:43 WARN OpenSAML.MetadataProvider.XML : trying backup file,
exception loading remote resource: Metadata instance failed manual validation
checking.
2019-09-20 13:51:43 ERROR XMLTooling.ParserPool : fatal error on line 0,
column 0, message: unable to open primary document entity
'/var/cache/shibboleth/eduIDhu-metadata.xml'
2019-09-20 13:51:43 ERROR OpenSAML.MetadataProvider.XML : error while loading
resource (/var/cache/shibboleth/eduIDhu-metadata.xml): XML error(s) during
parsing, check log for specifics

For me that's already bad enough but I'll see what else I can get my
hands on to provide more feedback.

-peter

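The check the message argues should be a hard error rather than a warning, as an added example that is not part of the thread and not code from pyFF, the MDA, Validator2 or XmlSecTool. It uses only the Python standard library and the xs:language pattern quoted in the XmlSecTool output above; the selection of elements (mdui:DisplayName, mdui:Description, md:ServiceName, md:ServiceDescription) is limited to the ones named in the message, and the sample aggregate with one clean and one defective SP is constructed here for illustration. Beyond the empty-string case from the thread it also flags a missing xml:lang and an underscore-separated tag, both of which a schema validator rejects for the same reason:

```python
"""Report schema-invalid xml:lang values on localized SAML metadata elements.

Added example, not from the eduGAIN thread or from any tool named in it.
"""
import re
import xml.etree.ElementTree as ET

# xs:language lexical pattern (XML Schema Part 2), as quoted in the Xerces error.
XS_LANGUAGE = re.compile(r"([a-zA-Z]{1,8})(-[a-zA-Z0-9]{1,8})*")

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
MDUI = "urn:oasis:names:tc:SAML:metadata:ui"
XML_LANG = "{http://www.w3.org/XML/1998/namespace}lang"

# Elements whose xml:lang attribute is required by the md/mdui schemas.
# Restricted (assumption) to the element types named in the message.
LANG_REQUIRED = {
    "{%s}ServiceName" % MD: "md:ServiceName",
    "{%s}ServiceDescription" % MD: "md:ServiceDescription",
    "{%s}DisplayName" % MDUI: "mdui:DisplayName",
    "{%s}Description" % MDUI: "mdui:Description",
}


def lang_problem(value):
    """Return None if value is a valid xs:language, otherwise a reason string."""
    if value is None:
        return "missing xml:lang"
    # xs:language derives from xs:token: whitespace is collapsed before the
    # pattern facet is applied, so '' and '  ' are both rejected as ''.
    collapsed = " ".join(value.split())
    if not XS_LANGUAGE.fullmatch(collapsed):
        return "xml:lang %r is not a valid xs:language" % value
    return None


def check_lang_tags(xml_text):
    """Walk every EntityDescriptor and collect schema-invalid xml:lang uses.

    Returns a list of (entityID, element, reason) tuples, in document order;
    an empty list means the aggregate passes this particular check.
    """
    root = ET.fromstring(xml_text)
    findings = []
    for ed in root.iter("{%s}EntityDescriptor" % MD):
        entity_id = ed.get("entityID", "<no entityID>")
        for el in ed.iter():
            name = LANG_REQUIRED.get(el.tag)
            if name is None:
                continue
            reason = lang_problem(el.get(XML_LANG))
            if reason:
                findings.append((entity_id, name, reason))
    return findings


# Constructed sample aggregate: one clean SP and one carrying the defect from the thread.
SAMPLE = """<md:EntitiesDescriptor xmlns:md="%s" xmlns:mdui="%s" Name="example-aggregate">
  <md:EntityDescriptor entityID="https://sp.good.example/shibboleth">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:Extensions>
        <mdui:UIInfo>
          <mdui:DisplayName xml:lang="en">Good SP</mdui:DisplayName>
          <mdui:DisplayName xml:lang="hu">Jo SP</mdui:DisplayName>
          <mdui:Description xml:lang="en-GB">A well-formed description</mdui:Description>
        </mdui:UIInfo>
      </md:Extensions>
      <md:AttributeConsumingService index="1">
        <md:ServiceName xml:lang="en">Good SP</md:ServiceName>
      </md:AttributeConsumingService>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp.broken.example/shibboleth">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:Extensions>
        <mdui:UIInfo>
          <mdui:DisplayName xml:lang="">Broken SP</mdui:DisplayName>
          <mdui:Description xml:lang="">empty language tag</mdui:Description>
        </mdui:UIInfo>
      </md:Extensions>
      <md:AttributeConsumingService index="1">
        <md:ServiceName>no language tag at all</md:ServiceName>
        <md:ServiceDescription xml:lang="en_US">underscore is not allowed</md:ServiceDescription>
      </md:AttributeConsumingService>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
""" % (MD, MDUI)


if __name__ == "__main__":
    for entity_id, element, reason in check_lang_tags(SAMPLE):
        print("ERROR %s: %s: %s" % (entity_id, element, reason))
```

Run against an aggregate, a non-empty result from check_lang_tags() is the point at which a publishing pipeline should refuse to republish, which is the behaviour the message describes for xmllint and XmlSecTool. Note this is only a substitute for the one facet discussed above; full XSD validation of the aggregate (xmllint --schema, or XmlSecTool --schemaValidate) still catches everything else the schema forbids.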

