Custom attribute release should be per IdP per SP.

Rebecka Gulliksson · Rebecka Gulliksson · commit d534683b6c7e · 2016-08-29T15:28:30.000+02:00
Include custom attribute release under IdP entity id to be able to have
custom release rules per IdP per SP.
diff --git a/doc/README.md b/doc/README.md
@@ -242,14 +242,16 @@ restrict the attribute release with the `custom_attribute_release` configuration
 
 To exclude any attribute, just include its friendly name in the exclude list per SP.
 
-In the following example the given name is never released to the SP with entity id `"sp-entity-id1"`:
+In the following example the given name is never released from the IdP with entity id `"idp-entity-id1"` to the SP
+with entity id `"sp-entity-id1"`:
 
 ```yaml
 config:
     config: [...]
     custom_attribute_release:
-        sp-entity-id1:
-            exclude: ["givenName"]
+        idp-entity-id1
+            sp-entity-id1:
+                exclude: ["givenName"]
             
 
 #### Backend
diff --git a/src/satosa/frontends/saml2.py b/src/satosa/frontends/saml2.py
@@ -68,7 +68,7 @@ def __init__(self, auth_req_callback_func, internal_attributes, conf, base_url,
         self.config = conf
         self.endpoints = conf["endpoints"]
         self.acr_mapping = conf.get("acr_mapping")
-        self.custom_attributes = conf.get("custom_attribute_release")
+        self.custom_attribute_release = conf.get("custom_attribute_release")
         self.attribute_profile = conf.get("attribute_profile", "saml")
         self.idp = None
 
@@ -254,9 +254,10 @@ def _handle_authn_response(self, context, internal_response, idp):
         else:
             auth_info["class_ref"] = internal_response.auth_info.auth_class_ref
 
-        if self.custom_attributes:
-            custom_attributes = self.custom_attributes.get(resp_args["sp_entity_id"], {})
-            attributes_to_remove = custom_attributes.get("exclude", [])
+        if self.custom_attribute_release:
+            custom_release_per_idp = self.custom_attribute_release.get(internal_response.auth_info.issuer, {})
+            custom_release = custom_release_per_idp.get(resp_args["sp_entity_id"], {})
+            attributes_to_remove = custom_release.get("exclude", [])
             for k in attributes_to_remove:
                 ava.pop(k, None)
 
diff --git a/tests/satosa/frontends/test_saml2.py b/tests/satosa/frontends/test_saml2.py
@@ -314,7 +314,7 @@ def test_custom_attribute_release_with_less_attributes_than_entity_category(self
         user_attributes = {k: "foo" for k in expected_attributes}
         internal_response.attributes = AttributeMapper(internal_attributes).to_internal("saml", user_attributes)
 
-        custom_attributes = {sp_conf["entityid"]: {"exclude": ["norEduPersonNIN"]}}
+        custom_attributes = {idp_conf["entityid"]: {sp_conf["entityid"]: {"exclude": ["norEduPersonNIN"]}}}
         samlfrontend = self.setup_for_authn_req(context, idp_conf, sp_conf, internal_attributes=internal_attributes,
                                                 extra_config=dict(custom_attribute_release=custom_attributes))
 
