Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix attribute filtering #423

Merged
merged 5 commits into from Jul 11, 2017
Merged

Fix attribute filtering #423

merged 5 commits into from Jul 11, 2017

Conversation

jkakavas
Copy link
Member

Use the internal representation names instead of metadata FriendlyNames for attributes in order to do name filtering. Solves #422

@jkakavas
Add failing test for filtering attributes
9d0cc9c 
Added a test that fails when the friendlyName of the requested attribute
is not the same with the name of the internal attribute (even though the
OIDs and the internal representation names of the attribute are the same)
@jkakavas
Base attribute filtering on internal representation names
c24b47c 
Instead on relying on the FriendlyName from metadatata, use the name
of the internal representation of an attribute in order to perform
filtering. Resolves IdentityPython#422
@jkakavas
Copy link
Member Author

I thought only the tests in tests/test_20_assertion.py where applicable so I didn't run the whole suite. I will check the failures and resolve the problems

@jkakavas
Copy link
Member Author

After looking at this, I believe that the tests fail because of the tests themselves and not because of the changes introduced in the PR.
For example in test_50_server.py :

def setup_class(self):
      self.server = Server("idp_conf")
      conf = config.SPConfig()
      conf.load_file("server_conf")
      self.client = client.Saml2Client(conf)
      self.name_id = self.server.ident.transient_nameid(
          "urn:mace:example.com:saml:roland:sp", "id12")
      self.ava = {"givenName": ["Derek"], "surName": ["Jeter"],
             "mail": ["derek@nyy.mlb.com"], "title": "The man"}

However, if we see how ava is populated, then there is no way to get a "surName" key in there. In read_attribute_statement , to_local is used to convert the attribute names from the Attribute Statement to the internal representation names using the attributemaps so the key in the ava should be sn and not surName.
The only way for a key surName to make it to the ava is if a SAML Identity Provider releases a SAML Response that contains an attribute statement that has an attribute with Name="surName" which, to my understanding, violates SAML V2.0 X.500/LDAP Attribute Profile

@jkakavas
Updated test cases
695e2f0 
As explained in
IdentityPython#423 (comment) , ava
cannot contain an 'surName' key, it should be named 'sn'
@jkakavas
Copy link
Member Author

@rohe or anyone else interested, can I get a review or some feedback on the changes proposed above ?

@lhaemmerle
Copy link

It really would be great if this issue could be fixed by accepting Ioanni's pull request.

jkakavas
jkakavas commented Jul 5, 2017
View reviewed changes
src/saml2/assertion.py Outdated
friendly_name = attr["friendly_name"]
except KeyError:
friendly_name = get_local_name(acs, attr["name"],
friendly_name = get_local_name(acs, attr["name"],
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

change friendly_name to local_name

jkakavas
jkakavas commented Jul 5, 2017
View reviewed changes
src/saml2/assertion.py Outdated
@@ -79,10 +79,15 @@ def filter_on_attributes(ava, required=None, optional=None, acs=None,

def _match_attr_name(attr, ava):
try:
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

remove try catch clause

@jkakavas
Copy link
Member Author

jkakavas commented Jul 5, 2017

get_local_name raises an exception when acs is None, hence the failures above. I will revisit the change

@jkakavas
Modified test cases to include acs in the args
f00e0dd 
Since acs can't be None ( it get's a value in __init__()
https://github.com/rohe/pysaml2/blob/master/src/saml2/assertion.py#L319)
there is no reason to test for it. So we add a default value to acs
using ac_factory() before passing it to filter_on_attributes
@skoranda skoranda merged commit 63023d2 into IdentityPython:master Jul 11, 2017
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@jkakavas @lhaemmerle @skoranda