Deny auth if requested attribute is missing

If a requested attribute is missing the authorization should fail

Author: theseal

src/satosa/micro_services/attribute_authorization.py

@@ -53,6 +53,9 @@ def _check_authz(self, context, attributes, requester, provider):
             if attribute_name in attributes:
                 if not any([any(filter(re.compile(af).search, attributes[attribute_name])) for af in attribute_filters]):
                     raise SATOSAAuthenticationError(context.state, "Permission denied")
+            else:
+                raise SATOSAAuthenticationError(context.state, "Permission denied")
+
 
         for attribute_name, attribute_filters in get_dict_defaults(self.attribute_deny, requester, provider).items():
             if attribute_name in attributes:

tests/satosa/micro_services/test_attribute_authorization.py

@@ -44,6 +44,20 @@ def test_authz_allow_fail(self):
            ctx.state = dict()
            authz_service.process(ctx, resp)
 
+    def test_authz_allow_missing(self):
+        attribute_allow = {
+           "": { "default": {"a0": ['foo1','foo2']} }
+        }
+        attribute_deny = {}
+        authz_service = self.create_authz_service(attribute_allow, attribute_deny)
+        resp = InternalData(auth_info=AuthenticationInformation())
+        resp.attributes = {
+        }
+        with pytest.raises(SATOSAAuthenticationError):
+           ctx = Context()
+           ctx.state = dict()
+           authz_service.process(ctx, resp)
+
     def test_authz_allow_second(self):
         attribute_allow = {
            "": { "default": {"a0": ['foo1','foo2']} }