Correct Attribute Value Parsing #60
This commit adds complex type attribute value support as well as ensures that basic simple typed attributes (string or integer) are supported as well. This was already the case when generating XML, however this was not yet supported when parsing XML.
@thijskh @jaimeperez Thoughts, ideas, comments? This stems from an issue where attribute values were not copied correctly by a SAML proxy when the attributes contained complex types (in this case, a NameID) as attribute value. In the current situation, the
if ($type === 'xs:integer') {
    $this->attributes[$name][] = (int) $value->textContent;
} else {
    $this->attributes[$name][] = trim($value->textContent);
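Review bot: in the xs:integer branch, `(int) $value->textContent` silently yields 0 for anything that is not a number (an empty or whitespace-only AttributeValue, or text such as "abc"), so a malformed value becomes indistinguishable from a legitimate zero. Consider checking the text with `is_numeric()` or `filter_var(..., FILTER_VALIDATE_INT)` before casting, and rejecting or logging the value otherwise; the `else` branch could likewise be limited to xs:string (or an absent type) rather than catching every unknown xsi:type.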
Why would you trim the value?
BC 😉
Doh, I see it now. Alright, we'll have to live with that.
👍
@jaimeperez would this be ok from a simpleSAMLphp pov?
The I'm not very familiar with encrypted attributes, but seeing as these contain
Wouldn't the correct type for With respect to decrypting encrypted attributes, I agree, will add that.
Oops, I do mean
:+2:
Thanks a lot for this @DRvanR, and so sorry for the delay offering a response. I've taken a look into the code and it looks perfectly good, and something we definitely need to fix as the way it is today should be considered a bug. I was a bit confused as part of the PR is actually fixing a different problem, that being some code parsing documents without using the Regarding SSP, I don't know if this will have any direct impact (though it definitely shouldn't), but it will take a while anyway until we migrate to the current library, so that's something we can sort out if it causes trouble. 👍 from me.
Hi all! Six months later, here I am again to take my last statement back and confirm that this change has an impact on SimpleSAMLphp, and actually broke all SSP service providers trying to use eduPersonTargetedID encoded as a NameID (which I suspect is how Shibboleth encodes it by default). The problem is that returning objects instead of strings or integers as the attribute values is dangerous, as those objects might not be serializable, as is the case with the The consequence: when we receive an eduPersonTargetedID encoded as a SAML NameID, the new code returns its value as a I've tried to reproduce the problem with a simple class, and the In any case, I've managed to resolve the issue by iterating over the attribute values and dumping back to XML those that are not plain strings or integers (i.e. I thought it was a good idea to avoid modifying the SAML2 library again, but we need then to make people aware of the issue. @DRvanR, could you please add a comment about this in the code at least? If you already noticed this problem and have some mitigation in place, you can just disregard my message 😉
Here's the bug report, by the way. |
A recent change in simplesamlphp/saml2#60 made the library return a DOMNodeList object when the contents of the AttributeValue element are not text. This led to a bug, since the returned value is not serializable, and when storing it in the session it will go away as soon as we serialize the session to store it in the backend (whatever that is). This is always, as the SP will always redirect to the URL originating authentication. The result was an empty DOMNodeList object where there should be some value. This commit makes SimpleSAML_Session implement the Serializable interface. When obtaining the attributes during login (doLogin() method), the code will now look for DOMNodeList objects, and dump them as a string with the XML representation of their contents in the 'RawAttributes' array inside $this->authData[$authority]. This allows us to parse the XML back when unserializing, and restore the original DOMNodeList object as the value of the attribute. The issue was reported originally in the mailing list by Enrico Cavalli, affecting eduPersonTargetedID. This resolves #424.
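The failure and workaround described in that commit, as an added example that is neither the saml2 library's nor SimpleSAMLphp's own code: a constructed AttributeValue wrapping a NameID is parsed into a DOMNodeList, serialize() refuses it, and two hypothetical helpers (dumpAttributeValue, restoreAttributeValue) convert such values to an XML string for storage and back again.

```php
<?php
// Added example (not the saml2 library's or SimpleSAMLphp's own code): why a DOMNodeList
// attribute value cannot live in a serialized session, and the workaround described in
// the commit above: dump complex values to XML before storing, parse them back afterwards.

// Constructed AttributeValue carrying a NameID, the eduPersonTargetedID case from the thread.
$xml = '<saml:AttributeValue xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
     . '<saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">'
     . 'abc123</saml:NameID></saml:AttributeValue>';
$doc = new DOMDocument();
$doc->loadXML($xml);
$value = $doc->documentElement->childNodes; // a DOMNodeList, as the parser now returns

// serialize() refuses DOM objects outright, so a session backend would lose this value.
try {
    serialize($value);
} catch (Exception $e) {
    echo 'serialize() failed: ' . $e->getMessage() . "\n";
}

// Hypothetical helper: turn a parsed attribute value into something serializable.
function dumpAttributeValue($value)
{
    if (is_string($value) || is_int($value)) {
        return $value; // simple types pass through unchanged
    }
    if ($value instanceof DOMNodeList) {
        $raw = '';
        foreach ($value as $node) {
            // C14N() keeps the in-scope namespace declarations the fragment needs (saml: here);
            // text nodes are escaped so mixed content still parses back.
            $raw .= ($node instanceof DOMElement)
                ? $node->C14N()
                : htmlspecialchars($node->textContent, ENT_XML1);
        }
        return $raw;
    }
    throw new UnexpectedValueException('unsupported attribute value type: ' . gettype($value));
}

// Hypothetical helper: parse the stored XML string back into a DOMNodeList.
function restoreAttributeValue($raw)
{
    $doc = new DOMDocument();
    $doc->loadXML('<root>' . $raw . '</root>'); // wrapper allows several sibling nodes
    return $doc->documentElement->childNodes;
}
$restored = restoreAttributeValue(unserialize(serialize(dumpAttributeValue($value))));
echo $restored->item(0)->localName . ' = ' . $restored->item(0)->textContent . "\n";
```

The SimpleSAMLphp commit keeps dumped values in a separate 'RawAttributes' array so that a plain string value is never mistaken for XML on restore; the helpers above leave that bookkeeping to the caller.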
Hi Jaime, that is indeed a quite nasty issue. The contents are however listed in the docblock, what additional documentation would you suggest? As an aside, we've encountered this problem not once but twice ourselves. What we've been thinking about is to allow nested attribute detection and parsing. I've not yet been able to actually play around with that idea (busy eh 😉), but it would solve not only this, but other possible cases as well. It however will remain an issue that a nested attribute will always be the odd one out and that it will always be needed to be handled intelligently somehow.
Hi Daan! I was thinking basically about a big comment in the docblock warning about the returned value not being serializable —or put differently, that you can't store it in any way—, in case a I love the idea of having some logic in place to detect what's inside the attribute value, and parse it automatically for you. It would be great if we could return a Did you discuss how to approach such an implementation?