Strip imported namespaces by whitelisting, not blacklisting.

Update ukf-mda to 0.8.8 to acquire NamespacesStrippingStage. Use this to whitelist namespaces acceptable from eduGAIN rather than removing ones we specifically don't want. This makes the system more resilient when new unknown namespaces are added, as they will be silently discarded rather than preventing processing.
InCommon · Dec 3, 2015 · 73acf33 · 73acf33
1 parent fef30af
commit 73acf33
Show file tree

Hide file tree

Showing 10 changed files with 28 additions and 524 deletions.
diff --git a/mdx/common-beans.xml b/mdx/common-beans.xml
@@ -291,6 +291,9 @@
     <bean id="MultiPredicateMatcher" abstract="true"
         class="uk.org.ukfederation.mda.dom.saml.mdattr.MultiPredicateMatcher"/>
 
+    <bean id="NamespacesStrippingStage" abstract="true" parent="stage_parent"
+        class="uk.org.ukfederation.mda.dom.NamespacesStrippingStage"/>
+
     <bean id="RegistrationAuthorityMatcher" abstract="true"
         class="uk.org.ukfederation.mda.dom.saml.mdattr.RegistrationAuthorityMatcher"/>
 
@@ -342,6 +345,7 @@
     <bean id="wayf_namespace"       parent="String" c:_="http://sdss.ac.uk/2006/06/WAYF"/>
     <bean id="xenc_namespace"       parent="String" c:_="http://www.w3.org/2001/04/xmlenc#"/>
     <bean id="xenc11_namespace"     parent="String" c:_="http://www.w3.org/2009/xmlenc11#"/>
+    <bean id="xml_namespace"        parent="String" c:_="http://www.w3.org/XML/1998/namespace"/>
     <bean id="xs_namespace"         parent="String" c:_="http://www.w3.org/2001/XMLSchema"/>
     <bean id="xsi_namespace"        parent="String" c:_="http://www.w3.org/2001/XMLSchema-instance"/>
     <bean id="xsl_namespace"        parent="String" c:_="http://www.w3.org/1999/XSL/Transform"/>
@@ -1163,13 +1167,31 @@
                 <ref bean="populateRegistrationAuthorities"/>
 
                 <!--
-                    The following two namespaces are always stripped because they are
-                    specific to the UK registrar and can't be valid when imported from
-                    some other source.
+                    Strip all elements and attributes that are in namespaces
+                    other than the ones we accept from partners.
                 -->
-                <ref bean="stripUkfedlabelNamespace"/>
-                <ref bean="stripWayfNamespace"/>
-
+                <bean id="whitelistImportedNamespaces" parent="NamespacesStrippingStage"
+                    p:id="whitelistImportedNamespaces" p:whitelisting="true">
+                    <property name="namespaces">
+                        <set>
+                            <ref bean="alg_namespace"/>
+                            <ref bean="ds_namespace"/>
+                            <ref bean="hoksso_namespace"/>
+                            <ref bean="icmd_namespace"/>
+                            <ref bean="idpdisc_namespace"/>
+                            <ref bean="init_namespace"/>
+                            <ref bean="md_namespace"/>
+                            <ref bean="mdattr_namespace"/>
+                            <ref bean="mdrpi_namespace"/>
+                            <ref bean="mdui_namespace"/>
+                            <ref bean="saml_namespace"/>
+                            <ref bean="shibmd_namespace"/>
+                            <ref bean="xenc_namespace"/>
+                            <ref bean="xml_namespace"/>
+                        </set>
+                    </property>
+                </bean>
+
                 <ref bean="cleanImport"/>
                 <ref bean="stripAAMDUI"/>
                 <ref bean="trimImportElementWhitespace"/>

diff --git a/mdx/cz_eduid/beans.xml b/mdx/cz_eduid/beans.xml
diff --git a/mdx/cz_eduid/metadata.eduid.cz.crt.pem b/mdx/cz_eduid/metadata.eduid.cz.crt.pem
diff --git a/mdx/cz_eduid/verbs.xml b/mdx/cz_eduid/verbs.xml