author | Ivan Kanakarakis <ivan.kanak@gmail.com> | 2021-04-18 17:01:45 +0300 |
---|---|---|
committer | Ivan Kanakarakis <ivan.kanak@gmail.com> | 2021-04-18 17:01:45 +0300 |
commit | 8d3fd70924b8b291934bebca936d9255d6e1afe9 (patch) | |
tree | 0e2fb77185fbe7a67599b50fa3b469f17c8028c7 | |
parent | d201dc6802432b29c0362833a538b15281fca247 (diff) | |
Try to get the friendlyName of the required RequestedAttribute, else derive it from the canonical Name
Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
-rw-r--r-- | src/saml2/assertion.py | 16 | ||||
-rw-r--r-- | tests/test_37_entity_categories.py | 25 |
2 files changed, 27 insertions, 14 deletions
diff --git a/src/saml2/assertion.py b/src/saml2/assertion.py
index d8bc12f9..cd01463b 100644
--- a/src/saml2/assertion.py
+++ b/src/saml2/assertion.py
@@ -454,12 +454,16 @@ class Policy(object):
 
         def post_entity_categories(maps, sp_entity_id=None, mds=None, required=None):
             restrictions = {}
-            if required is not None:
-                _req = []
-                for d in required:
-                    local_name = get_local_name(acs=self.acs, attr=d['name'], name_format=d['name_format'])
-                    _req.append(local_name.lower())
-                required = _req
+            required_friendly_names = [
+                d.get('friendly_name') or get_local_name(
+                    acs=self.acs, attr=d['name'], name_format=d['name_format']
+                )
+                for d in (required or [])
+            ]
+            required = [
+                friendly_name.lower()
+                for friendly_name in required_friendly_names
+            ]
 
             if mds:
                 ecs = mds.entity_categories(sp_entity_id)
diff --git a/tests/test_37_entity_categories.py b/tests/test_37_entity_categories.py
index ce6fa295..64b674d1 100644
--- a/tests/test_37_entity_categories.py
+++ b/tests/test_37_entity_categories.py
@@ -10,6 +10,8 @@ from saml2.mdie import to_dict
 from saml2.mdstore import MetadataStore
 from saml2.saml import Attribute, NAME_FORMAT_URI
 from saml2.server import Server
+from saml2.md import RequestedAttribute
+
 
 ATTRCONV = ac_factory(full_path("attributemaps"))
 sec_config = config.Config()
@@ -234,6 +236,7 @@ def test_entity_category_import_from_path():
 
 
 def test_filter_ava_required_attributes_with_no_friendly_name():
+    entity_id = "https://no-friendly-name.example.edu/saml2/metadata/"
     mds = MetadataStore(ATTRCONV, sec_config, disable_ssl_certificate_validation=True)
     mds.imp(
         [
@@ -250,7 +253,6 @@ def test_filter_ava_required_attributes_with_no_friendly_name():
             "entity_categories": ["swamid"]
         }
     }
-
     policy = Policy(policy_conf, mds)
 
     ava = {
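Review bot: The new comprehension gives the SP-supplied `friendly_name` precedence over the local name derived from the canonical `name`, so the `required` list — and any entity-category release gated on it further down in `post_entity_categories`, whose body continues outside the hunk — is now keyed on free text taken from the SP's metadata rather than on the attribute identifier the IdP's own converters recognise; SAML 2.0 Core treats FriendlyName as informational and says it must not be used to formally identify an attribute. I would invert the order: derive from the canonical name first and fall back to `friendly_name` only when no local mapping exists, which still satisfies the no-friendlyName case the new test covers. The `.lower()` in the second comprehension also raises `AttributeError` when neither source yields a string (`get_local_name` presumably returns `None` for an unmapped attribute, and `friendly_name` is optional) — a gap the old code shared — so drop such entries instead of crashing. `d['name_format']` remains a hard lookup on an optional field; `d.get('name_format')` would be safer if `get_local_name` tolerates `None`, which I cannot confirm from here.
```python
            # Key the requirement on the canonical attribute name; the SP-supplied
            # friendlyName is informational and only used when no local mapping exists.
            required_local_names = [
                get_local_name(
                    acs=self.acs, attr=d['name'], name_format=d['name_format']
                ) or d.get('friendly_name')
                for d in (required or [])
            ]
            required = [
                local_name.lower()
                for local_name in required_local_names
                if local_name  # skip entries that map to neither a local name nor a friendlyName
            ]
            # … unchanged: entity-category map handling …
```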
@@ -259,13 +261,20 @@ def test_filter_ava_required_attributes_with_no_friendly_name():
         "mail": ["derek@nyy.mlb.com"],
         "c": ["USA"],
         "eduPersonTargetedID": "foo!bar!xyz",
-        "norEduPersonNIN": "19800101134"
+        "norEduPersonNIN": "19800101134",
     }
 
-    # Require attribute eduPersonTargetedID but leave out friendlyName in attribute creation
-    edu_person_targeted_id_oid = 'urn:oid:1.3.6.1.4.1.5923.1.1.1.10'
-    edu_person_targeted_id = to_dict(
-        Attribute(name=edu_person_targeted_id_oid,
-                  name_format=NAME_FORMAT_URI), onts=[mdattr])
-    ava = policy.filter(ava, "https://no-friendly-name.example.edu/saml2/metadata/", required=[edu_person_targeted_id])
+    attribute_requirements = mds.attribute_requirement(entity_id)
+    required = attribute_requirements.get("required", [])
+    optional = attribute_requirements.get("optional", [])
+
+    # ensure the requirements define the eduPersonTargetedID
+    # without the friendlyName attribute
+    oid_eptid = 'urn:oid:1.3.6.1.4.1.5923.1.1.1.10'
+    requested_attribute_eptid = RequestedAttribute(
+        name=oid_eptid, name_format=NAME_FORMAT_URI, is_required='true'
+    )
+    assert required == [to_dict(requested_attribute_eptid, onts=[mdattr])]
+
+    ava = policy.filter(ava, entity_id, required=required, optional=optional)
     assert _eq(list(ava.keys()), ["eduPersonTargetedID"])
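Review bot: The rewritten test still exercises only the branch where the RequestedAttribute carries no friendlyName (the `assert required == [to_dict(requested_attribute_eptid, onts=[mdattr])]` precondition pins exactly that), so the path this commit actually adds — `friendly_name` present and preferred — has no coverage in this hunk, and neither does a RequestedAttribute whose friendlyName disagrees with its canonical Name, which is the case where the new precedence changes what `policy.filter` releases. Unless another test in this file covers it, I would add a companion test whose metadata declares the `Name` of one attribute with the `FriendlyName` of another and asserts which one ends up in the filtered `ava`. The precondition assert is a good guard; its comment could say so explicitly, e.g. `# sanity-check the fixture: eduPersonTargetedID is required and has no friendlyName`.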