From ccc61fff1e667ee0b0ec0a8826677111cbdac67a Mon Sep 17 00:00:00 2001 From: chasegawa Date: Mon, 8 Aug 2022 13:23:58 -0700 Subject: [PATCH] SHIBUI-2268 Adding remaining needed pieces for Algorithm filter --- backend/build.gradle | 2 +- .../JPAMetadataResolverServiceImpl.groovy | 17 +++++++-- .../filters/algorithm/ConditionRef.java | 38 +++++++++++++++++++ .../filters/algorithm/ConditionScript.java | 38 +++++++++++++++++++ .../ui/domain/filters/algorithm/Entity.java | 3 ++ .../JPAXMLObjectProviderInitializer.java | 13 +++---- ...JPAMetadataResolverServiceImplTests.groovy | 36 ++++++++++++++++++ .../src/test/resources/conf/2268-actual.xml | 29 ++++++++++++++ 8 files changed, 164 insertions(+), 12 deletions(-) create mode 100644 backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/domain/filters/algorithm/ConditionRef.java create mode 100644 backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/domain/filters/algorithm/ConditionScript.java create mode 100644 backend/src/test/resources/conf/2268-actual.xml diff --git a/backend/build.gradle b/backend/build.gradle index cfd16a65a..83d2c8dd8 100644 --- a/backend/build.gradle +++ b/backend/build.gradle @@ -332,7 +332,7 @@ task generateSources { } } - new XmlSlurper().parse(file('src/main/resources/jpa-saml2-metadata-ds-config.xml')).with { builders -> + new XmlSlurper().parse(file('src/main/resources/jpa-signature-config.xml')).with { builders -> builders.ObjectProviders.ObjectProvider.BuilderClass.each { processLine(it['@className'].toString(), 'src/main/templates/SignatureBuilderTemplate.java') } diff --git a/backend/src/main/groovy/edu/internet2/tier/shibboleth/admin/ui/service/JPAMetadataResolverServiceImpl.groovy b/backend/src/main/groovy/edu/internet2/tier/shibboleth/admin/ui/service/JPAMetadataResolverServiceImpl.groovy index 6497608a0..78ca12254 100644 --- a/backend/src/main/groovy/edu/internet2/tier/shibboleth/admin/ui/service/JPAMetadataResolverServiceImpl.groovy 
+++ b/backend/src/main/groovy/edu/internet2/tier/shibboleth/admin/ui/service/JPAMetadataResolverServiceImpl.groovy @@ -10,6 +10,8 @@ import edu.internet2.tier.shibboleth.admin.ui.domain.filters.NameIdFormatFilter import edu.internet2.tier.shibboleth.admin.ui.domain.filters.RequiredValidUntilFilter import edu.internet2.tier.shibboleth.admin.ui.domain.filters.SignatureValidationFilter import edu.internet2.tier.shibboleth.admin.ui.domain.filters.algorithm.AlgorithmFilter +import edu.internet2.tier.shibboleth.admin.ui.domain.filters.algorithm.ConditionRef +import edu.internet2.tier.shibboleth.admin.ui.domain.filters.algorithm.ConditionScript import edu.internet2.tier.shibboleth.admin.ui.domain.filters.algorithm.Entity import edu.internet2.tier.shibboleth.admin.ui.domain.filters.opensaml.OpenSamlNameIdFormatFilter import edu.internet2.tier.shibboleth.admin.ui.domain.resolvers.DynamicHttpMetadataResolver @@ -111,6 +113,15 @@ class JPAMetadataResolverServiceImpl implements MetadataResolverService { { if (xmlObject instanceof Entity) { Entity(xmlObject.getValue()) + } else if (xmlObject instanceof ConditionRef) { + ConditionRef(xmlObject.getValue()) + } else if (xmlObject instanceof ConditionScript) { + ConditionScript() { + Script() { + def script = xmlObject.getValue() + mkp.yieldUnescaped("\n\n") + } + } } else { mkp.yieldUnescaped(openSamlObjects.marshalToXmlString(xmlObject, false)) } @@ -133,10 +144,8 @@ class JPAMetadataResolverServiceImpl implements MetadataResolverService { Entity(it) } break - case EntityAttributesFilterTarget - .EntityAttributesFilterTargetType.CONDITION_SCRIPT: - case EntityAttributesFilterTarget - .EntityAttributesFilterTargetType.REGEX: + case EntityAttributesFilterTarget.EntityAttributesFilterTargetType.CONDITION_SCRIPT: + case EntityAttributesFilterTarget.EntityAttributesFilterTargetType.REGEX: ConditionScript() { Script() { def script 
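Review bot: In the new `instanceof ConditionScript` branch the stored value is read with `def script = xmlObject.getValue()`, but the `mkp.yieldUnescaped("\n\n")` call as it appears on this page never references `script`. Part of the string literal may have been lost in rendering, so please confirm what is actually written. If the script text is emitted through `yieldUnescaped` (for instance wrapped in a CDATA section), it reaches the generated resolver XML with no escaping, and a persisted value containing `]]>` or markup would alter the document structure instead of staying inside `Script`. The writer should reject or split that sequence first, and the new test in JPAMetadataResolverServiceImplTests.groovy should add such a value next to the `"use strict"` one. The same `ConditionScript() { Script() { ... } }` construction already sits in the `CONDITION_SCRIPT`/`REGEX` case of the following hunk, so a shared private helper would keep the two paths consistent. The enclosing method begins and ends outside these hunks.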
diff --git a/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/domain/filters/algorithm/ConditionRef.java b/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/domain/filters/algorithm/ConditionRef.java
new file mode 100644
index 000000000..b35cd0762
--- /dev/null
+++ b/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/domain/filters/algorithm/ConditionRef.java
@@ -0,0 +1,38 @@
+package edu.internet2.tier.shibboleth.admin.ui.domain.filters.algorithm;
+
+import edu.internet2.tier.shibboleth.admin.ui.domain.AbstractXMLObject;
+import lombok.EqualsAndHashCode;
+import lombok.Getter;
+import lombok.Setter;
+import lombok.ToString;
+import org.hibernate.envers.Audited;
+
+import javax.annotation.Nullable;
+
+@javax.persistence.Entity
+@Audited
+@Getter
+@Setter
+@ToString
+@EqualsAndHashCode(callSuper = true)
+/**
+ * The textual content (the value/uri) is the Bean ID of type Predicate
+ */
+public class ConditionRef extends AbstractXMLObject implements org.opensaml.core.xml.schema.XSString {
+ private String uri;
+
+ public ConditionRef() {
+ setElementLocalName("ConditionRef");
+ }
+
+ @Nullable
+ @Override
+ public String getValue() {
+ return this.uri;
+ }
+
+ @Override
+ public void setValue(@Nullable String newValue) {
+ this.uri = newValue;
+ }
+}
\ No newline at end of file
diff --git a/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/domain/filters/algorithm/ConditionScript.java b/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/domain/filters/algorithm/ConditionScript.java
new file mode 100644
index 000000000..a2d58382a
--- /dev/null
+++ b/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/domain/filters/algorithm/ConditionScript.java
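Review bot: The `/** ... */` block in ConditionRef.java is placed between `@EqualsAndHashCode(callSuper = true)` and `public class ConditionRef`, where it is not treated as the class's documentation comment; it should move above the first annotation, `@javax.persistence.Entity`. ConditionScript.java and the comment added to Entity.java in this commit use the same placement. The backing field is also named `uri` although the comment says it holds a bean ID, and with class-level `@Getter`/`@Setter` this presumably exposes `getUri`/`setUri` alongside `getValue`/`setValue`. A field comment such as `// holds the Predicate bean ID; named uri only to mirror Entity` would at least record the intent.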
@@ -0,0 +1,38 @@ +package edu.internet2.tier.shibboleth.admin.ui.domain.filters.algorithm; + +import edu.internet2.tier.shibboleth.admin.ui.domain.AbstractXMLObject; +import lombok.EqualsAndHashCode; +import lombok.Getter; +import lombok.Setter; +import lombok.ToString; +import org.hibernate.envers.Audited; + +import javax.annotation.Nullable; + +@javax.persistence.Entity +@Audited +@Getter +@Setter +@ToString +@EqualsAndHashCode(callSuper = true) +/** + * The textual content is the JS script (the export of the XML will wrap it appropriately) + */ +public class ConditionScript extends AbstractXMLObject implements org.opensaml.core.xml.schema.XSString { + private String uri; + + public ConditionScript() { + setElementLocalName("ConditionScript"); + } + + @Nullable + @Override + public String getValue() { + return this.uri; + } + + @Override + public void setValue(@Nullable String newValue) { + this.uri = newValue; + } +} \ No newline at end of file diff --git a/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/domain/filters/algorithm/Entity.java b/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/domain/filters/algorithm/Entity.java index b15ec2ca1..18dfcbe8e 100644 --- a/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/domain/filters/algorithm/Entity.java +++ b/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/domain/filters/algorithm/Entity.java @@ -15,6 +15,9 @@ @Setter @ToString @EqualsAndHashCode(callSuper = true) +/** + * The textual content (value/uri) is an entityID. + */ public class Entity extends AbstractXMLObject implements org.opensaml.core.xml.schema.XSString { private String uri; diff --git a/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/opensaml/config/JPAXMLObjectProviderInitializer.java b/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/opensaml/config/JPAXMLObjectProviderInitializer.java index d1413b87f..24757d560 100644 
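Review bot: `private String uri;` in ConditionScript.java stores an entire JavaScript source text but has no column mapping. Unless AbstractXMLObject or a mapping outside this hunk overrides it, the JPA provider will create a default-length string column (commonly 255 characters), so a longer script would fail to persist or be cut short, depending on the database. I would add `@Lob` or an explicit `@Column(length = ...)` on the field and name it for what it holds. Because the class is `@Audited` and `@ToString`, the full script also lands in the audit tables and in any log line that prints the object. That should be a deliberate choice, since this text is presumably evaluated by whatever consumes the exported XML.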
--- a/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/opensaml/config/JPAXMLObjectProviderInitializer.java +++ b/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/opensaml/config/JPAXMLObjectProviderInitializer.java @@ -8,16 +8,15 @@ public class JPAXMLObjectProviderInitializer extends AbstractXMLObjectProviderIn protected String[] getConfigResources() { return new String[]{ "/jpa-default-config.xml", - "/jpa-saml2-metadata-config.xml", - "/jpa-saml2-metadata-attr-config.xml", + "/encryption-config.xml", "/jpa-saml2-assertion-config.xml", - "/jpa-schema-config.xml", - "/jpa-saml2-metadata-ui-config.xml", - "/jpa-signature-config.xml", "/jpa-saml2-metadata-algorithm-config.xml", - "/jpa-saml2-metadata-ds-config.xml", - "/encryption-config.xml", + "/jpa-saml2-metadata-attr-config.xml", + "/jpa-saml2-metadata-config.xml", "/jpa-saml2-metadata-reqinit-config.xml", + "/jpa-saml2-metadata-ui-config.xml", + "/jpa-schema-config.xml", + "/jpa-signature-config.xml", "/saml2-protocol-config.xml", "/modified-saml2-assertion-config.xml" }; diff --git a/backend/src/test/groovy/edu/internet2/tier/shibboleth/admin/ui/service/JPAMetadataResolverServiceImplTests.groovy b/backend/src/test/groovy/edu/internet2/tier/shibboleth/admin/ui/service/JPAMetadataResolverServiceImplTests.groovy index 1bdf0f791..505d1507a 100644 --- a/backend/src/test/groovy/edu/internet2/tier/shibboleth/admin/ui/service/JPAMetadataResolverServiceImplTests.groovy +++ b/backend/src/test/groovy/edu/internet2/tier/shibboleth/admin/ui/service/JPAMetadataResolverServiceImplTests.groovy 
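Review bot: The array in `getConfigResources()` is re-sorted alphabetically and `"/jpa-saml2-metadata-ds-config.xml"` is dropped in the same hunk, so the removal is easy to overlook and the load order changes as well. `"/encryption-config.xml"` now loads right after `"/jpa-default-config.xml"` instead of after the JPA metadata and signature configs. If the provider registry lets a later resource replace an earlier registration for the same element (not visible here), this changes which builder and marshaller are used for encryption and signature elements. A comment above the array would settle it, for example `// load order matters: later files override earlier registrations` or `// order is not significant; kept alphabetical`, and the ds-config removal should be called out next to the build.gradle change that switches to `jpa-signature-config.xml`. The class's closing brace lies outside the hunk.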
@@ -13,6 +13,8 @@ import edu.internet2.tier.shibboleth.admin.ui.domain.filters.EntityAttributesFil
 import edu.internet2.tier.shibboleth.admin.ui.domain.filters.EntityAttributesFilterTarget
 import edu.internet2.tier.shibboleth.admin.ui.domain.filters.MetadataFilter
 import edu.internet2.tier.shibboleth.admin.ui.domain.filters.RequiredValidUntilFilter
+import edu.internet2.tier.shibboleth.admin.ui.domain.filters.algorithm.ConditionRef
+import edu.internet2.tier.shibboleth.admin.ui.domain.filters.algorithm.ConditionScript
 import edu.internet2.tier.shibboleth.admin.ui.domain.filters.algorithm.Entity
 import edu.internet2.tier.shibboleth.admin.ui.domain.filters.algorithm.MGF
 import edu.internet2.tier.shibboleth.admin.ui.domain.filters.algorithm.PRF
@@ -217,6 +219,40 @@ class JPAMetadataResolverServiceImplTests extends AbstractBaseDataJpaTest { generatedXmlIsTheSameAsExpectedXml('/conf/2268-simple.xml', domBuilder.parseText(writer.toString())) } + def 'test generating AlgorithmFilter shibui-2268 actual'() { + given: + def filter = TestObjectGenerator.algorithmFilter() + EncryptionMethod encryptionMethod = new EncryptionMethod() + encryptionMethod.setElementLocalName(EncryptionMethod.DEFAULT_ELEMENT_LOCAL_NAME) + encryptionMethod.setNamespacePrefix(SAMLConstants.SAML20MD_PREFIX) + encryptionMethod.setNamespaceURI(SAMLConstants.SAML20MD_NS) + encryptionMethod.setSchemaLocation(SAMLConstants.SAML20MD_SCHEMA_LOCATION) + encryptionMethod.setAlgorithm("http://www.w3.org/2001/04/xmlenc#aes128-cbc") + filter.addUnknownXMLObject(encryptionMethod) + + Entity entity = new Entity() + entity.setValue("https://broken.example.org/sp") + filter.addUnknownXMLObject(entity) + + ConditionRef cr = new ConditionRef() + cr.setValue("shibboleth.Conditions.TRUE") + filter.addUnknownXMLObject(cr) + + ConditionScript cs = new ConditionScript() + cs.setValue("\"use strict\";\nfalse;") + filter.addUnknownXMLObject(cs) + + when: + genXmlSnippet(markupBuilder) { JPAMetadataResolverServiceImpl.cast(metadataResolverService).constructXmlNodeForFilter(filter, it) } + + then: + generatedXmlIsTheSameAsExpectedXml('/conf/2268-actual.xml', domBuilder.parseText(writer.toString())) + } + + /** + * This test was written before we simplified the concept of what we'd allow the users to build in the UI. Because the test was + * already done and working, it was left here for completeness. + */ def 'test generating complex AlgorithmFilter xml snippet'() { given: def filter = TestObjectGenerator.algorithmFilter() diff --git a/backend/src/test/resources/conf/2268-actual.xml b/backend/src/test/resources/conf/2268-actual.xml new file mode 100644 index 000000000..961079197 --- /dev/null +++ b/backend/src/test/resources/conf/2268-actual.xml 
@@ -0,0 +1,29 @@ + + + + + + https://broken.example.org/sp + shibboleth.Conditions.TRUE + + + + + + \ No newline at end of file