Skip to content
Snippets Groups Projects
Unverified Commit ae45cd82 authored by Zenon Mousmoulas's avatar Zenon Mousmoulas Committed by GitHub
Browse files

Fix bug in saml:NameIDAttribute authproc filter (#1325)

Fix several bugs in saml:NameIDAttribute authproc filter & raise coverage
parent 721d73f1
No related branches found
No related tags found
No related merge requests found
...@@ -43,13 +43,13 @@ class NameIDAttribute extends \SimpleSAML\Auth\ProcessingFilter ...@@ -43,13 +43,13 @@ class NameIDAttribute extends \SimpleSAML\Auth\ProcessingFilter
parent::__construct($config, $reserved); parent::__construct($config, $reserved);
if (isset($config['attribute'])) { if (isset($config['attribute'])) {
$this->attribute = (string) $config['attribute']; $this->attribute = strval($config['attribute']);
} else { } else {
$this->attribute = 'nameid'; $this->attribute = 'nameid';
} }
if (isset($config['format'])) { if (isset($config['format'])) {
$format = (string) $config['format']; $format = strval($config['format']);
} else { } else {
$format = '%I!%S!%V'; $format = '%I!%S!%V';
} }
...@@ -119,15 +119,16 @@ class NameIDAttribute extends \SimpleSAML\Auth\ProcessingFilter ...@@ -119,15 +119,16 @@ class NameIDAttribute extends \SimpleSAML\Auth\ProcessingFilter
$rep = $state['saml:sp:NameID']; $rep = $state['saml:sp:NameID'];
Assert::notNull($rep->getValue()); Assert::notNull($rep->getValue());
$rep->{'%'} = '%';
if ($rep->getFormat() !== null) { if ($rep->getFormat() === null) {
$rep->setFormat(Constants::NAMEID_UNSPECIFIED); $rep->setFormat(Constants::NAMEID_UNSPECIFIED);
} }
if ($rep->getNameQualifier() !== null) {
$rep->setNameQualifier($state['Source']['entityid']); if ($rep->getSPNameQualifier() === null) {
$rep->setSPNameQualifier($state['Source']['entityid']);
} }
if ($rep->getSPNameQualifier() !== null) { if ($rep->getNameQualifier() === null) {
$rep->setSPNameQualifier($state['Destination']['entityid']); $rep->setNameQualifier($state['Destination']['entityid']);
} }
$value = ''; $value = '';
...@@ -135,6 +136,8 @@ class NameIDAttribute extends \SimpleSAML\Auth\ProcessingFilter ...@@ -135,6 +136,8 @@ class NameIDAttribute extends \SimpleSAML\Auth\ProcessingFilter
foreach ($this->format as $element) { foreach ($this->format as $element) {
if ($isString) { if ($isString) {
$value .= $element; $value .= $element;
} elseif ($element === '%') {
$value .= '%';
} else { } else {
$value .= call_user_func([$rep, 'get' . $element]); $value .= call_user_func([$rep, 'get' . $element]);
} }
......
...@@ -5,6 +5,7 @@ declare(strict_types=1); ...@@ -5,6 +5,7 @@ declare(strict_types=1);
namespace SimpleSAML\Test\Module\saml\Auth\Process; namespace SimpleSAML\Test\Module\saml\Auth\Process;
use PHPUnit\Framework\TestCase; use PHPUnit\Framework\TestCase;
use SimpleSAML\Error;
use SimpleSAML\Module\saml\Auth\Process\NameIDAttribute; use SimpleSAML\Module\saml\Auth\Process\NameIDAttribute;
use SAML2\XML\saml\NameID; use SAML2\XML\saml\NameID;
use SAML2\Constants; use SAML2\Constants;
...@@ -59,7 +60,7 @@ class NameIDAttributeTest extends TestCase ...@@ -59,7 +60,7 @@ class NameIDAttributeTest extends TestCase
'saml:sp:NameID' => $nameId, 'saml:sp:NameID' => $nameId,
]; ];
$result = $this->processFilter($config, $request); $result = $this->processFilter($config, $request);
$this->assertEquals("{$spId}!{$idpId}!{$nameId->getValue()}", $result['Attributes']['nameid'][0]); $this->assertEquals("{$idpId}!{$spId}!{$nameId->getValue()}", $result['Attributes']['nameid'][0]);
} }
...@@ -91,7 +92,7 @@ class NameIDAttributeTest extends TestCase ...@@ -91,7 +92,7 @@ class NameIDAttributeTest extends TestCase
]; ];
$result = $this->processFilter($config, $request); $result = $this->processFilter($config, $request);
$this->assertTrue(isset($result['Attributes'][$attributeName])); $this->assertTrue(isset($result['Attributes'][$attributeName]));
$this->assertEquals("{$spId}!{$idpId}!{$nameId->getValue()}", $result['Attributes'][$attributeName][0]); $this->assertEquals("{$idpId}!{$spId}!{$nameId->getValue()}", $result['Attributes'][$attributeName][0]);
} }
...@@ -101,7 +102,7 @@ class NameIDAttributeTest extends TestCase ...@@ -101,7 +102,7 @@ class NameIDAttributeTest extends TestCase
*/ */
public function testFormat(): void public function testFormat(): void
{ {
$config = ['format' => '%V']; $config = ['format' => '%V!%%'];
$spId = 'eugeneSP'; $spId = 'eugeneSP';
$idpId = 'eugeneIdP'; $idpId = 'eugeneIdP';
...@@ -121,7 +122,62 @@ class NameIDAttributeTest extends TestCase ...@@ -121,7 +122,62 @@ class NameIDAttributeTest extends TestCase
'saml:sp:NameID' => $nameId, 'saml:sp:NameID' => $nameId,
]; ];
$result = $this->processFilter($config, $request); $result = $this->processFilter($config, $request);
$this->assertEquals("{$nameId->getValue()}", $result['Attributes']['nameid'][0]); $this->assertEquals("{$nameId->getValue()}!%", $result['Attributes']['nameid'][0]);
}
/**
* Test invalid format throws an exception.
* @return void
*/
public function testInvalidFormatThrowsException(): void
{
$config = ['format' => '%X'];
$spId = 'eugeneSP';
$idpId = 'eugeneIdP';
$nameId = new NameID();
$nameId->setValue('eugene@oombaas');
$request = [
'Source' => [
'entityid' => $spId,
],
'Destination' => [
'entityid' => $idpId,
],
'saml:sp:NameID' => $nameId,
];
$this->expectException(Error\Exception::class);
$this->expectExceptionMessage('NameIDAttribute: Invalid replacement: "%X"');
$this->processFilter($config, $request);
}
/**
* Test invalid request silently continues, leaving the state untouched
* @return void
*/
public function testInvalidRequestLeavesStateUntouched(): void
{
$config = ['format' => '%V!%F'];
$spId = 'eugeneSP';
$idpId = 'eugeneIdP';
$request = [
'Source' => [
'entityid' => $spId,
],
'Destination' => [
'entityid' => $idpId,
],
];
$pre = $request;
$this->processFilter($config, $request);
$this->assertEquals($pre, $request);
} }
...@@ -155,4 +211,32 @@ class NameIDAttributeTest extends TestCase ...@@ -155,4 +211,32 @@ class NameIDAttributeTest extends TestCase
$this->assertTrue(isset($result['Attributes'][$attributeName])); $this->assertTrue(isset($result['Attributes'][$attributeName]));
$this->assertEquals("{$nameId->getValue()}", $result['Attributes'][$attributeName][0]); $this->assertEquals("{$nameId->getValue()}", $result['Attributes'][$attributeName][0]);
} }
/**
* Test overriding NameID Format/NameQualifier/SPNameQualifier with defaults.
* @return void
*/
public function testOverrideNameID(): void
{
$spId = 'eugeneSP';
$idpId = 'eugeneIdP';
$nameId = new NameID();
$nameId->setValue('eugene@oombaas');
$request = [
'Source' => [
'entityid' => $spId,
],
'Destination' => [
'entityid' => $idpId,
],
'saml:sp:NameID' => $nameId,
];
$this->processFilter(array(), $request);
$this->assertEquals("{$nameId->getFormat()}", Constants::NAMEID_UNSPECIFIED);
$this->assertEquals("{$nameId->getNameQualifier()}", $idpId);
$this->assertEquals("{$nameId->getSPNameQualifier()}", $spId);
}
} }
0% Loading or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment