Merge pull request #39 from its-dirg/samlfrontend-filter

Filter the attributes before forming the authentication response.

Author: RebeckaG

src/satosa/frontends/saml2.py

@@ -225,11 +225,22 @@ def _get_approved_attributes(self, idp, idp_policy, sp_entity_id, state):
         attribute_filter = []
         for aconv in attrconvs:
             if aconv.name_format == name_format:
-                attribute_filter = list(idp_policy.restrict(aconv._to, sp_entity_id, idp.metadata).keys())
+                all_attributes = {v: None for v in aconv._fro.values()}
+                attribute_filter = list(idp_policy.restrict(all_attributes, sp_entity_id, idp.metadata).keys())
+                break
         attribute_filter = self.converter.to_internal_filter(self.attribute_profile, attribute_filter)
         satosa_logging(logger, logging.DEBUG, "Filter: %s" % attribute_filter, state)
         return attribute_filter
 
+    def _filter_attributes(self, idp, internal_response, context,):
+        idp_policy = idp.config.getattr("policy", "idp")
+        if idp_policy:
+            approved_attributes = self._get_approved_attributes(idp, idp_policy, internal_response.requester,
+                                                                context.state)
+            attributes = {k: v for k, v in internal_response.attributes.items() if k in approved_attributes}
+
+        return attributes
+
     def _handle_authn_response(self, context, internal_response, idp):
         """
         See super class satosa.frontends.base.FrontendModule
@@ -246,6 +257,7 @@ def _handle_authn_response(self, context, internal_response, idp):
         request_state = self.load_state(context.state)
 
         resp_args = request_state["resp_args"]
+        internal_response.attributes = self._filter_attributes(idp, internal_response, context)
         ava = self.converter.from_internal(self.attribute_profile, internal_response.attributes)
 
         auth_info = {}

tests/satosa/frontends/test_saml2.py

@@ -199,10 +199,10 @@ def test_get_filter_attributes_with_sp_requested_attributes_without_friendlyname
         base_url = self.construct_base_url_from_entity_id(idp_conf["entityid"])
         conf = {"idp_config": idp_conf, "endpoints": ENDPOINTS}
 
-        internal_attributes = {"attributes": {attr_name: {"saml": [attr_name]} for attr_name in
-                                              ["edupersontargetedid", "edupersonprincipalname",
-                                               "edupersonaffiliation", "mail", "displayname", "sn",
-                                               "givenname"]}}  # no op mapping for saml attribute names
+        internal_attributes = {"attributes": {attr_name.lower(): {"saml": [attr_name]} for attr_name in
+                                              ["eduPersonTargetedID", "eduPersonPrincipalName",
+                                               "eduPersonAffiliation", "mail", "displayName", "sn",
+                                               "givenName"]}}  # no op mapping for saml attribute names
 
         samlfrontend = SAMLFrontend(None, internal_attributes, conf, base_url, "saml_frontend")
         samlfrontend.register_endpoints(["testprovider"])
@@ -271,6 +271,7 @@ def test_respect_sp_entity_categories(self, context, entity_category, entity_cat
 
         user_attributes = {k: "foo" for k in expected_attributes_in_all_entity_categories}
         internal_response.attributes = AttributeMapper(internal_attributes).to_internal("saml", user_attributes)
+        internal_response.requester = sp_conf["entityid"]
 
         resp = self.get_auth_response(samlfrontend, context, internal_response, sp_conf, idp_metadata_str)
         assert Counter(resp.ava.keys()) == Counter(expected_attributes)