[SHIBUI-1059]
jj committed Dec 13, 2018
1 parent bbcaece commit f4a995f
Showing 3 changed files with 50 additions and 7 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -77,7 +77,7 @@ class JPAMetadataResolverServiceImpl implements MetadataResolverService {
List<MetadataFilter> metadataFilters = new ArrayList<>()

// set up namespace protection
if (shibUIConfiguration.protectedAttributeNamespaces && shibUIConfiguration.protectedAttributeNamespaces.size() > 0) {
if (shibUIConfiguration.protectedAttributeNamespaces && shibUIConfiguration.protectedAttributeNamespaces.size() > 0 && targetMetadataResolver && jpaMetadataResolver.type in ['FileBackedMetadataResolver', 'DynamicHttpMetadataResolver']) {
def target = new org.opensaml.saml.metadata.resolver.filter.impl.EntityAttributesFilter()
target.attributeFilter = new ScriptedPredicate(new EvaluableScript(protectedNamespaceScript()))
metadataFilters.add(target)
Expand Down Expand Up @@ -192,17 +192,17 @@ class JPAMetadataResolverServiceImpl implements MetadataResolverService {
constructXmlNodeForResolver(mr, delegate) {
//TODO: enhance
def didNamespaceProtectionFilter = !(shibUIConfiguration.protectedAttributeNamespaces && shibUIConfiguration.protectedAttributeNamespaces.size() > 0)
mr.metadataFilters.each { edu.internet2.tier.shibboleth.admin.ui.domain.filters.MetadataFilter filter ->
if (filter instanceof EntityAttributesFilter && !didNamespaceProtectionFilter) {
def doNamespaceProtectionFilter = { def filter ->
if (mr.type in ['FileBackedMetadataResolver', 'DynamicHttpMetadataResolver'] && (filter == null || filter instanceof EntityAttributesFilter) && !didNamespaceProtectionFilter) {
constructXmlNodeForEntityAttributeNamespaceProtection(delegate)
didNamespaceProtectionFilter = true
}
constructXmlNodeForFilter(filter, delegate)
}
if (!didNamespaceProtectionFilter) {
constructXmlNodeForEntityAttributeNamespaceProtection(delegate)
didNamespaceProtectionFilter = true
mr.metadataFilters.each { edu.internet2.tier.shibboleth.admin.ui.domain.filters.MetadataFilter filter ->
doNamespaceProtectionFilter()
constructXmlNodeForFilter(filter, delegate)
}
doNamespaceProtectionFilter()
}
}
}
Expand Down
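Review bot: In the `-192,17 +192,17` hunk both call sites invoke `doNamespaceProtectionFilter()` with no argument, so the closure's `filter` parameter is always null and the `filter instanceof EntityAttributesFilter` test is dead: the protection node is now emitted before the first filter of any type, whereas the old code emitted it immediately before the first EntityAttributesFilter (or at the end if there was none). If that ordering change is intended, drop the parameter and the instanceof check; otherwise call `doNamespaceProtectionFilter(filter)` inside the `each` so the check actually sees the filter. The resolver-type allow-list `['FileBackedMetadataResolver', 'DynamicHttpMetadataResolver']` is also duplicated between the `-77,7` hunk and this one, and both fail open: any resolver type not in the list (such as the LocalDynamicMetadataResolver the new test covers) silently gets no protected-namespace filtering, so a future resolver type would be unprotected by default. Hoist the list into one named constant with a comment stating why only those two types are filtered (e.g. `// namespace protection is applied only to these (presumably remote-sourced) resolver types; see SHIBUI-1059`) and consider whether the default should fail closed instead. The `if` in the first hunk sits inside a method whose start is outside the hunk.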
Original file line number Diff line number Diff line change
Expand Up @@ -11,6 +11,7 @@ import edu.internet2.tier.shibboleth.admin.ui.domain.filters.EntityAttributesFil
import edu.internet2.tier.shibboleth.admin.ui.domain.filters.RequiredValidUntilFilter
import edu.internet2.tier.shibboleth.admin.ui.domain.resolvers.ClasspathMetadataResource
import edu.internet2.tier.shibboleth.admin.ui.domain.resolvers.DynamicHttpMetadataResolver
import edu.internet2.tier.shibboleth.admin.ui.domain.resolvers.LocalDynamicMetadataResolver
import edu.internet2.tier.shibboleth.admin.ui.domain.resolvers.MetadataQueryProtocolScheme
import edu.internet2.tier.shibboleth.admin.ui.domain.resolvers.RegexScheme
import edu.internet2.tier.shibboleth.admin.ui.domain.resolvers.SvnMetadataResource
Expand Down Expand Up @@ -395,6 +396,31 @@ class JPAMetadataResolverServiceImplTests extends Specification {
['http://shibboleth.net/ns/profiles', 'http://scaldingspoon.com/iam'] | '/conf/984-2.xml'
}

@DirtiesContext(methodMode = DirtiesContext.MethodMode.AFTER_METHOD)
def 'test namespace protection in nonURL resolver'() {
setup:
shibUIConfiguration.protectedAttributeNamespaces = ['http://shibboleth.net/ns/profiles']
def resolver = new LocalDynamicMetadataResolver().with {
it.xmlId = 'LocalDynamic'
it.sourceDirectory = '/tmp'
it
}

when:
metadataResolverRepository.save(resolver)
def x = new StringWriter().with {
TransformerFactory.newInstance().newTransformer().with {
it.setOutputProperty(OutputKeys.INDENT, "yes")
it.setOutputProperty("{http://xml.apache.org/xslt}indent-amount", "2")
it
}.transform(new DOMSource(metadataResolverService.generateConfiguration()), new StreamResult(it))
it
}.toString()

then:
generatedXmlIsTheSameAsExpectedXml('/conf/1059.xml', metadataResolverService.generateConfiguration())
}

@Ignore('there is a bug in org.opensaml.saml.metadata.resolver.filter.impl.EntityAttributesFilter.applyFilter')
def 'test namespace protection internal filtering'() {
setup:
Expand Down
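Review bot: In `'test namespace protection in nonURL resolver'` the `x` built from the StringWriter/Transformer pipeline in the `when:` block is never read; the `then:` block calls `metadataResolverService.generateConfiguration()` a second time and compares that instead, so the serialised string is dead code that hides what the test actually asserts. Either assert on `x` (the pretty-printed form is useful in a failure message) or reduce the `when:` block to `metadataResolverRepository.save(resolver)` and let `generatedXmlIsTheSameAsExpectedXml` do the comparison. A one-line comment above the method stating the intent would also help, e.g. `// SHIBUI-1059: protected-namespace filter must NOT be emitted for non-URL (local dynamic) resolvers`, since nothing in the test body says why an absent filter is the expected outcome.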
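--- /dev/null
+++ b/backend/src/test/resources/conf/1059.xml
@@ -0,0 +1,17 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!-- This file is an EXAMPLE metadata configuration file. -->
+<MetadataProvider id="ShibbolethMetadata" xsi:type="ChainingMetadataProvider"
+xmlns="urn:mace:shibboleth:2.0:metadata"
+xmlns:resource="urn:mace:shibboleth:2.0:resource"
+xmlns:security="urn:mace:shibboleth:2.0:security"
+xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
+xsi:schemaLocation="urn:mace:shibboleth:2.0:metadata http://shibboleth.net/schema/idp/shibboleth-metadata.xsd urn:mace:shibboleth:2.0:resource http://shibboleth.net/schema/idp/shibboleth-resource.xsd urn:mace:shibboleth:2.0:security http://shibboleth.net/schema/idp/shibboleth-security.xsd urn:oasis:names:tc:SAML:2.0:metadata http://docs.oasis-open.org/security/saml/v2.0/saml-schema-metadata-2.0.xsd urn:oasis:names:tc:SAML:2.0:assertion http://docs.oasis-open.org/security/saml/v2.0/saml-schema-assertion-2.0.xsd">
+<MetadataProvider id="LocalDynamic"
+initializeFromPersistentCacheInBackground="true"
+removeIdleEntityData="true"
+sourceDirectory="/tmp"
+xsi:type="DynamicHttpMetadataProvider">
+</MetadataProvider>
+</MetadataProvider>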
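Review bot: The expected fixture pins `xsi:type="DynamicHttpMetadataProvider"` together with a `sourceDirectory="/tmp"` attribute for a resolver the test builds as a `LocalDynamicMetadataResolver`; in the IdP metadata schema `sourceDirectory` belongs to the local-dynamic provider type, so if this is what the generator emits the test is enshrining output the IdP may reject rather than the intended `LocalDynamicMetadataProvider`. Please confirm the generator's type mapping for LocalDynamicMetadataResolver before relying on this fixture, and add a comment at the top of the file noting what it checks, e.g. `<!-- SHIBUI-1059: non-URL resolver must be emitted WITHOUT the protected-namespace EntityAttributesFilter -->`, since the absence of a filter element is the actual assertion and is easy to miss.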