Bug 6445

Summary: gridshib-saml-issuer --infile creates wrong Advice
Product: GridShib Reporter: Benjamin Henne <henne@rvs.uni-hannover.de>
Component: SAML/Binding ToolsAssignee: Tom Scavo <trscavo@gmail.com>
Status: NEW    
Severity: normal CC: gridshib-dev@globus.org
Priority: P3    
Version: 0.5   
Target Milestone: beta   
Hardware: PC   
OS: Linux   
Bug Depends on:    
Bug Blocks: 6572, 6641    

Description From 2008-10-09 03:05:04 
If one inserts xml into Advice element of generated attribute assertion using
the --infile option of gridshib-saml-issuer, the special characters < > ... are
wrongly replaced with the xml entity references &lt; &gt; .... --infile
specifies a file containing xml to be inserted and hence there must not be any
special character replacement.

Example shown at
http://www.globus.org/mail_archive/gridshib-user/2008/10/msg00005.html

Second, --infile always puts the input of the file into an AssertionIDReference
element. I think this should be omitted, because not only this, but also
Assertion elements or elements from other namespaces with lax schema validation
can be inserted into Advice as described in 2.3.2.2 of [SAMLCore1.0] or later.
Maybe this is the reason for the first issue?

I would propose removing AssertionIDReference and the character replacing.
------- Comment #1 From 2009-02-03 15:20:45 ------- 
(In reply to comment #0)
> 
> Assertion elements or elements from other namespaces with lax schema validation
> can be inserted into Advice as described in 2.3.2.2 of [SAMLCore1.0] or later.
> Maybe this is the reason for the first issue?

Yes, this is precisely the cause of the bug.  OpenSAML 1.1 (on which our
so-called Globus SAML Library is based) parses Advice as follows:

if (advice != null) {
  for (Iterator i = advice.iterator(); i.hasNext(); ) {
    Object obj=i.next();
    if (obj instanceof String && ((String)obj).length() > 0)
      this.advice.add(obj);
    else if (obj instanceof SAMLAssertion)
      this.advice.add(((SAMLAssertion)obj).setParent(this));
    else if (obj instanceof Element && ((Element)obj).getParentNode()==null &&
             !((Element)obj).getNamespaceURI().equals(XML.SAML_NS))
      this.advice.add(obj);
    else
      throw new IllegalArgumentException("SAMLAssertion() can only process
advice Strings, SAMLAssertions, or DOM elements from a non-saml namespace");
  }
}

This implies that the CLI must distinguish between arbitrary strings and DOM
elements, which currently it does not.