From f4a995f9af920387b13f20fd9787c37018d138fe Mon Sep 17 00:00:00 2001
From: Jj!
Date: Thu, 13 Dec 2018 11:15:36 -0600
Subject: [PATCH 1/3] [SHIBUI-1059]
---
 .../JPAMetadataResolverServiceImpl.groovy | 14 +++++-----
 ...JPAMetadataResolverServiceImplTests.groovy | 26 +++++++++++++++++++
 backend/src/test/resources/conf/1059.xml | 17 ++++++++++++
 3 files changed, 50 insertions(+), 7 deletions(-)
 create mode 100644 backend/src/test/resources/conf/1059.xml
diff --git a/backend/src/main/groovy/edu/internet2/tier/shibboleth/admin/ui/service/JPAMetadataResolverServiceImpl.groovy b/backend/src/main/groovy/edu/internet2/tier/shibboleth/admin/ui/service/JPAMetadataResolverServiceImpl.groovy
index 4b41a9e29..1aa4f758a 100644
--- a/backend/src/main/groovy/edu/internet2/tier/shibboleth/admin/ui/service/JPAMetadataResolverServiceImpl.groovy
+++ b/backend/src/main/groovy/edu/internet2/tier/shibboleth/admin/ui/service/JPAMetadataResolverServiceImpl.groovy
@@ -77,7 +77,7 @@ class JPAMetadataResolverServiceImpl implements MetadataResolverService {
 List metadataFilters = new ArrayList<>()
 
 // set up namespace protection
- if (shibUIConfiguration.protectedAttributeNamespaces && shibUIConfiguration.protectedAttributeNamespaces.size() > 0) {
+ if (shibUIConfiguration.protectedAttributeNamespaces && shibUIConfiguration.protectedAttributeNamespaces.size() > 0 && targetMetadataResolver && jpaMetadataResolver.type in ['FileBackedMetadataResolver', 'DynamicHttpMetadataResolver']) {
 def target = new org.opensaml.saml.metadata.resolver.filter.impl.EntityAttributesFilter()
 target.attributeFilter = new ScriptedPredicate(new EvaluableScript(protectedNamespaceScript()))
 metadataFilters.add(target)
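Review bot: The gate added to the `if` in this hunk hard-codes the resolver-type allowlist `['FileBackedMetadataResolver', 'DynamicHttpMetadataResolver']` inline, and the same literal list appears a second time in the @@ -192 hunk of this file, so the two sites can drift and the in-memory filter and the generated configuration would then disagree about which resolvers are namespace-protected. Hoist it once, e.g. `static final List<String> NAMESPACE_PROTECTED_RESOLVER_TYPES = ['FileBackedMetadataResolver', 'DynamicHttpMetadataResolver']`, and reference it from both places. Note also that an allowlist of remote types fails open: a resolver type added later that also loads metadata from outside the deployment gets no protection until someone remembers to extend the list, whereas excluding the known local types (the test in this series treats LocalDynamicMetadataResolver as the unprotected case) would fail closed. The enclosing method starts before and ends after this hunk.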
@@ -192,17 +192,17 @@ class JPAMetadataResolverServiceImpl implements MetadataResolverService {
 constructXmlNodeForResolver(mr, delegate) {
 //TODO: enhance
 def didNamespaceProtectionFilter = !(shibUIConfiguration.protectedAttributeNamespaces && shibUIConfiguration.protectedAttributeNamespaces.size() > 0)
- mr.metadataFilters.each { edu.internet2.tier.shibboleth.admin.ui.domain.filters.MetadataFilter filter ->
- if (filter instanceof EntityAttributesFilter && !didNamespaceProtectionFilter) {
+ def doNamespaceProtectionFilter = { def filter ->
+ if (mr.type in ['FileBackedMetadataResolver', 'DynamicHttpMetadataResolver'] && (filter == null || filter instanceof EntityAttributesFilter) && !didNamespaceProtectionFilter) {
 constructXmlNodeForEntityAttributeNamespaceProtection(delegate)
 didNamespaceProtectionFilter = true
 }
- constructXmlNodeForFilter(filter, delegate)
 }
- if (!didNamespaceProtectionFilter) {
- constructXmlNodeForEntityAttributeNamespaceProtection(delegate)
- didNamespaceProtectionFilter = true
+ mr.metadataFilters.each { edu.internet2.tier.shibboleth.admin.ui.domain.filters.MetadataFilter filter ->
+ doNamespaceProtectionFilter()
+ constructXmlNodeForFilter(filter, delegate)
 }
+ doNamespaceProtectionFilter()
 }
 }
 }
diff --git a/backend/src/test/groovy/edu/internet2/tier/shibboleth/admin/ui/service/JPAMetadataResolverServiceImplTests.groovy b/backend/src/test/groovy/edu/internet2/tier/shibboleth/admin/ui/service/JPAMetadataResolverServiceImplTests.groovy
index cbeac0960..e248d5af3 100644
--- a/backend/src/test/groovy/edu/internet2/tier/shibboleth/admin/ui/service/JPAMetadataResolverServiceImplTests.groovy
+++ b/backend/src/test/groovy/edu/internet2/tier/shibboleth/admin/ui/service/JPAMetadataResolverServiceImplTests.groovy
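Review bot: `doNamespaceProtectionFilter` declares a `filter` parameter, but both calls (`doNamespaceProtectionFilter()` inside the `each` and the trailing one) pass nothing, so `filter` is always null — Groovy supplies null for a single non-primitive parameter invoked with no arguments — and the `filter instanceof EntityAttributesFilter` branch is dead. The observable effect is that the protection node is now emitted before the first filter of any kind rather than before the first EntityAttributesFilter as the removed loop did; if the relative order of filters in the generated configuration matters to its consumers, that is a behaviour change the commit message does not mention. Either pass the filter through, `doNamespaceProtectionFilter(filter)`, to keep the previous placement, or drop the parameter and the `instanceof` test so the closure states what it actually does.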
@@ -11,6 +11,7 @@ import edu.internet2.tier.shibboleth.admin.ui.domain.filters.EntityAttributesFil
 import edu.internet2.tier.shibboleth.admin.ui.domain.filters.RequiredValidUntilFilter
 import edu.internet2.tier.shibboleth.admin.ui.domain.resolvers.ClasspathMetadataResource
 import edu.internet2.tier.shibboleth.admin.ui.domain.resolvers.DynamicHttpMetadataResolver
+import edu.internet2.tier.shibboleth.admin.ui.domain.resolvers.LocalDynamicMetadataResolver
 import edu.internet2.tier.shibboleth.admin.ui.domain.resolvers.MetadataQueryProtocolScheme
 import edu.internet2.tier.shibboleth.admin.ui.domain.resolvers.RegexScheme
 import edu.internet2.tier.shibboleth.admin.ui.domain.resolvers.SvnMetadataResource
@@ -395,6 +396,31 @@ class JPAMetadataResolverServiceImplTests extends Specification {
 ['http://shibboleth.net/ns/profiles', 'http://scaldingspoon.com/iam'] | '/conf/984-2.xml'
 }
 
+ @DirtiesContext(methodMode = DirtiesContext.MethodMode.AFTER_METHOD)
+ def 'test namespace protection in nonURL resolver'() {
+ setup:
+ shibUIConfiguration.protectedAttributeNamespaces = ['http://shibboleth.net/ns/profiles']
+ def resolver = new LocalDynamicMetadataResolver().with {
+ it.xmlId = 'LocalDynamic'
+ it.sourceDirectory = '/tmp'
+ it
+ }
+
+ when:
+ metadataResolverRepository.save(resolver)
+ def x = new StringWriter().with {
+ TransformerFactory.newInstance().newTransformer().with {
+ it.setOutputProperty(OutputKeys.INDENT, "yes")
+ it.setOutputProperty("{http://xml.apache.org/xslt}indent-amount", "2")
+ it
+ }.transform(new DOMSource(metadataResolverService.generateConfiguration()), new StreamResult(it))
+ it
+ }.toString()
+
+ then:
+ generatedXmlIsTheSameAsExpectedXml('/conf/1059.xml', metadataResolverService.generateConfiguration())
+ }
+
 @Ignore('there is a bug in org.opensaml.saml.metadata.resolver.filter.impl.EntityAttributesFilter.applyFilter')
 def 'test namespace protection internal filtering'() {
 setup:
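Review bot: The new `'test namespace protection in nonURL resolver'` pins only the negative case — a LocalDynamicMetadataResolver yields no protection filter in `/conf/1059.xml` — while nothing visible on this page exercises the FileBacked type named in the main-code allowlist with protectedAttributeNamespaces set; the series later changes that type string without any test turning red, which suggests that branch is uncovered. Add a positive case modelled on this one that saves a resolver of that type and asserts the protection filter element is present in `generateConfiguration()`, so a mismatch between the two allowlist copies in the main code is caught by the suite. If the `where:` table just above already covers that type, this note can be dropped.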
diff --git a/backend/src/test/resources/conf/1059.xml b/backend/src/test/resources/conf/1059.xml
new file mode 100644
index 000000000..7610893be
--- /dev/null
+++ b/backend/src/test/resources/conf/1059.xml
@@ -0,0 +1,17 @@ + + + + + +
\ No newline at end of file
From 545416f9d33a5b7ce4348587353b3c446137f66b Mon Sep 17 00:00:00 2001
From: Jj!
Date: Fri, 14 Dec 2018 12:38:32 -0600
Subject: [PATCH 2/3] [SHIBUI-1059] remove test code
---
 .../ui/service/JPAMetadataResolverServiceImplTests.groovy | 8 --------
 1 file changed, 8 deletions(-)
diff --git a/backend/src/test/groovy/edu/internet2/tier/shibboleth/admin/ui/service/JPAMetadataResolverServiceImplTests.groovy b/backend/src/test/groovy/edu/internet2/tier/shibboleth/admin/ui/service/JPAMetadataResolverServiceImplTests.groovy
index e248d5af3..b46888e14 100644
--- a/backend/src/test/groovy/edu/internet2/tier/shibboleth/admin/ui/service/JPAMetadataResolverServiceImplTests.groovy
+++ b/backend/src/test/groovy/edu/internet2/tier/shibboleth/admin/ui/service/JPAMetadataResolverServiceImplTests.groovy
@@ -408,14 +408,6 @@ class JPAMetadataResolverServiceImplTests extends Specification {
 when:
 metadataResolverRepository.save(resolver)
 
- def x = new StringWriter().with {
- TransformerFactory.newInstance().newTransformer().with {
- it.setOutputProperty(OutputKeys.INDENT, "yes")
- it.setOutputProperty("{http://xml.apache.org/xslt}indent-amount", "2")
- it
- }.transform(new DOMSource(metadataResolverService.generateConfiguration()), new StreamResult(it))
- it
- }.toString()
 
 then:
 generatedXmlIsTheSameAsExpectedXml('/conf/1059.xml', metadataResolverService.generateConfiguration())
From 15a296c4a8f3ef9dd1203bb2cf0646a32cd5f720 Mon Sep 17 00:00:00 2001
From: Jj!
Date: Fri, 14 Dec 2018 12:42:39 -0600
Subject: [PATCH 3/3] [SHIBUI-1059] update type
---
 .../admin/ui/service/JPAMetadataResolverServiceImpl.groovy | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/backend/src/main/groovy/edu/internet2/tier/shibboleth/admin/ui/service/JPAMetadataResolverServiceImpl.groovy b/backend/src/main/groovy/edu/internet2/tier/shibboleth/admin/ui/service/JPAMetadataResolverServiceImpl.groovy
index 1aa4f758a..be89653f4 100644
--- a/backend/src/main/groovy/edu/internet2/tier/shibboleth/admin/ui/service/JPAMetadataResolverServiceImpl.groovy
+++ b/backend/src/main/groovy/edu/internet2/tier/shibboleth/admin/ui/service/JPAMetadataResolverServiceImpl.groovy
@@ -77,7 +77,7 @@ class JPAMetadataResolverServiceImpl implements MetadataResolverService {
 List metadataFilters = new ArrayList<>()
 
 // set up namespace protection
- if (shibUIConfiguration.protectedAttributeNamespaces && shibUIConfiguration.protectedAttributeNamespaces.size() > 0 && targetMetadataResolver && jpaMetadataResolver.type in ['FileBackedMetadataResolver', 'DynamicHttpMetadataResolver']) {
+ if (shibUIConfiguration.protectedAttributeNamespaces && shibUIConfiguration.protectedAttributeNamespaces.size() > 0 && targetMetadataResolver && jpaMetadataResolver.type in ['FileBackedHttpMetadataResolver', 'DynamicHttpMetadataResolver']) {
 def target = new org.opensaml.saml.metadata.resolver.filter.impl.EntityAttributesFilter()
 target.attributeFilter = new ScriptedPredicate(new EvaluableScript(protectedNamespaceScript()))
 metadataFilters.add(target)
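Review bot: The rename to `'FileBackedHttpMetadataResolver'` is applied only to the `if` in this hunk; the second copy of the list in `constructXmlNodeForResolver` (added in patch 1/3 at @@ -192 of this file) still reads `'FileBackedMetadataResolver'`, so whichever string `type` actually reports for that resolver, exactly one of the two paths treats it as remote — either the in-memory EntityAttributesFilter is attached but the generated Shibboleth configuration omits the protection filter, or the reverse. Apply the same change there, `if (mr.type in ['FileBackedHttpMetadataResolver', 'DynamicHttpMetadataResolver'] && (filter == null || filter instanceof EntityAttributesFilter) && !didNamespaceProtectionFilter) {`, or have both sites read one shared constant so the runtime filter and the emitted configuration cannot diverge again. The enclosing method starts before and ends after this hunk.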