fix: attrValueMapper fails to parse complex AttributeValue tags (#245) #427
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
dfdeagle47
force-pushed
the
fix/complex-attribute-value-mapping
branch
3 times, most recently
from
45664c6
to
9bb8257
Compare
|
Edit: should be fixed now. I had an incorrect change in this PR because I'm trying to make it compatible for 0.35.x, but I added up making a separate commit on another branch starting from 0.35.0. |
dfdeagle47
force-pushed
the
fix/complex-attribute-value-mapping
branch
from
9bb8257
to
96a0edd
Compare
…-saml#245) This fixes an issue where the `attrValueMapper` would fail to properly map the value for complex `AttributeValue` tags. This handles the case where the `AttributeValue` contains a nested `NameID` tag. One such example is the `eduPersonTargetedID` that is used as an identifier in [eduGAIN][1] which can return an Attribute of the form ```xml <saml2:Attribute FriendlyName="eduPersonTargetedID" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"> <saml2:AttributeValue> <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" NameQualifier="https://idp.example-university.fr/idp/shibboleth" SPNameQualifier="https://www.service-provider.com/shibboleth">a6c2c4d4-08b9-4ca7-8ff9-43d83e6e1d35</saml2:NameID> </saml2:AttributeValue> </saml2:Attribute> ``` Note that in reality, the `AttributeValue` tags can be much more complex. [The Assertions and Protocols for the OASIS Security Assertion Markup Language (SAML) V2.0][2] uses the following schema for the `Attribute` tag: ```xml <element name="Attribute" type="saml:AttributeType"/> <complexType name="AttributeType"> <sequence> <element ref="saml:AttributeValue" minOccurs="0" maxOccurs="unbounded"/> </sequence> <attribute name="Name" type="string" use="required"/> <attribute name="NameFormat" type="anyURI" use="optional"/> <attribute name="FriendlyName" type="string" use="optional"/> <anyAttribute namespace="##other" processContents="lax"/> </complexType> ``` and the following schema for the `AttributeValue`: ```xml <element name="AttributeValue" type="anyType" nillable="true"/> ``` which means it can take any type. As pointed in [3], it is customary to use `NameQualifier` and the `SPNameQualifier` in addition to the actual value to create a unique identifier for the platform. That is why the `AttributeValue` is mapped to an object containing the attribute of the `NameID` tag as well as the string value for `eduPersonTargetedID` that is stored in the `Value` property. [1]: https://wiki.geant.org/display/eduGAIN/Identifier+Attributes [2]: https://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf [3]: node-saml#245 (comment)
dfdeagle47
force-pushed
the
fix/complex-attribute-value-mapping
branch
from
96a0edd
to
c1801a4
Compare
|
Since #245 is closed, should this be closed too @dfdeagle47 ? |
Looks like it does, thanks for the update. You might want to look at those PRs as well: because they seem to be fixing the same issue. |
This was referenced Dec 15, 2020
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Context
This fixes an issue where the
attrValueMapperwould fail to properly map the value for complexAttributeValuetags. This handles the case where theAttributeValuecontains a nestedNameIDtag.One such example is the
eduPersonTargetedIDthat is used as an identifier in eduGAIN which can return an Attribute of the formLimitations
Note that in reality, the
AttributeValuetags can be much more complex. The Assertions and Protocols for the OASIS Security Assertion Markup Language (SAML) V2.0 uses the following schema for theAttributetag:and the following schema for the
AttributeValue:which means it can take any type.
As pointed out in this issue, it is customary to use
NameQualifierand theSPNameQualifierin addition to the actual value to create a unique identifier for the platform. That is why theAttributeValueis mapped to an object containing the attribute of theNameIDtag as well as the string value foreduPersonTargetedIDthat is stored in theValueproperty.Additional information regarding the fix
attrValueMapperis extracted to the SAML prototype to make it easier to test and it is renamed toattributeValueMapperto make it more explicit.attrValueMapperwould returnundefinedfor this use case. Now, it returns an object whereValueis the nested string value and the tag attributes are properties of that object.Related PRs and issues
This should close the following PRs (although the mapping is different):
This should close the following issue: