Merge pull request #537 from sheilatron/multi-attr-statements

Allow for multiple AttributeStatement tags per Assertion

Author: c00kiemon5ter

src/saml2/response.py

@@ -649,7 +649,7 @@ def read_attribute_statement(self, attr_statem):
                         self.allow_unknown_attributes)
 
     def get_identity(self):
-        """ The assertion can contain zero or one attributeStatements
+        """ The assertion can contain zero or more attributeStatements
 
         """
         ava = {}
@@ -662,9 +662,11 @@ def get_identity(self):
                             ava.update(self.read_attribute_statement(
                                 tmp_assertion.attribute_statement[0]))
             if _assertion.attribute_statement:
-                assert len(_assertion.attribute_statement) == 1
-                _attr_statem = _assertion.attribute_statement[0]
-                ava.update(self.read_attribute_statement(_attr_statem))
+                logger.debug("Assertion contains %s attribute statement(s)",
+                             (len(self.assertion.attribute_statement)))
+                for _attr_statem in _assertion.attribute_statement:
+                    logger.debug("Attribute Statement: %s" % (_attr_statem,))
+                    ava.update(self.read_attribute_statement(_attr_statem))
             if not ava:
                 logger.debug("Assertion contains no attribute statements")
         return ava

tests/test_44_authnresp.py

@@ -62,31 +62,31 @@ def setup_class(self):
             self.conf = config_factory("sp", dotname("server_conf"))
             self.conf.only_use_keys_in_metadata = False
             self.ar = authn_response(self.conf, "http://lingon.catalogix.se:8087/")
-    
+
     def test_verify_1(self):
         xml_response = "%s" % (self._resp_,)
         print(xml_response)
         self.ar.outstanding_queries = {"id12": "http://localhost:8088/sso"}
         self.ar.timeslack = 10000
         self.ar.loads(xml_response, decode=False)
         self.ar.verify()
-        
+
         print(self.ar.__dict__)
         assert self.ar.came_from == 'http://localhost:8088/sso'
         assert self.ar.session_id() == "id12"
         assert self.ar.ava["givenName"] == IDENTITY["givenName"]
         assert self.ar.name_id
         assert self.ar.issuer() == 'urn:mace:example.com:saml:roland:idp'
-    
+
     def test_verify_signed_1(self):
         xml_response = self._sign_resp_
         print(xml_response)
-        
+
         self.ar.outstanding_queries = {"id12": "http://localhost:8088/sso"}
         self.ar.timeslack = 10000
         self.ar.loads(xml_response, decode=False)
         self.ar.verify()
-        
+
         print(self.ar.__dict__)
         assert self.ar.came_from == 'http://localhost:8088/sso'
         assert self.ar.session_id() == "id12"
@@ -98,14 +98,14 @@ def test_parse_2(self):
         with open(XML_RESPONSE_FILE) as fp:
             xml_response = fp.read()
         ID = "bahigehogffohiphlfmplepdpcohkhhmheppcdie"
-        self.ar.outstanding_queries = {ID: "http://localhost:8088/foo"}    
+        self.ar.outstanding_queries = {ID: "http://localhost:8088/foo"}
         self.ar.return_addr = "http://xenosmilus.umdc.umu.se:8087/login"
         self.ar.entity_id = "xenosmilus.umdc.umu.se"
         # roughly a year, should create the response on the fly
         self.ar.timeslack = 315360000 # indecent long time
         self.ar.loads(xml_response, decode=False)
         self.ar.verify()
-        
+
         print(self.ar.__dict__)
         assert self.ar.came_from == 'http://localhost:8088/foo'
         assert self.ar.session_id() == ID
@@ -189,8 +189,78 @@ def test_unpack_nested_eptid(self):
         resp.loads(authn_response_xml, False)
         resp.parse_assertion()
         ava = resp.get_identity()
+        assert len(ava) == 1
         assert ava["eduPersonTargetedID"] == ["b8e734571d9adb0e6444a5b49a22f4206df24d88"]
 
+    def test_multiple_attribute_statement(self):
+        authn_response_xml = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
+                xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
+                ID="CORTO54673f841c5297dd3614527d38e217332f9e3000"
+                Version="2.0"
+                IssueInstant="2016-09-23T14:00:45Z"
+                Destination="https://sp.example.com/acs/post"
+                InResponseTo="id-Wnv7CMQO1pFJoRWgi"
+                >
+            <saml:Issuer>https://idp.example.com</saml:Issuer>
+            <samlp:Status>
+                <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
+            </samlp:Status>
+            <saml:Assertion xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+                            xmlns:xs="http://www.w3.org/2001/XMLSchema"
+                            ID="CORTOadad7cb5e1237cf30fa7ab49544c15eec582854e"
+                            Version="2.0"
+                            IssueInstant="2016-09-23T14:00:45Z"
+                            >
+                <saml:Issuer>https://idp.example.com</saml:Issuer>
+                <saml:Subject>
+                    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">b8e734571d9adb0e6444a5b49a22f4206df24d88</saml:NameID>
+                    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
+                        <saml:SubjectConfirmationData Recipient="https://sp.example.com/acs/post"
+                                                      InResponseTo="id-Wnv7CMQO1pFJoRWgi"
+                                                      />
+                    </saml:SubjectConfirmation>
+                </saml:Subject>
+                <saml:Conditions NotBefore="2016-09-23T14:00:44Z">
+                    <saml:AudienceRestriction>
+                        <saml:Audience>https://sp.example.com</saml:Audience>
+                    </saml:AudienceRestriction>
+                </saml:Conditions>
+                <saml:AuthnStatement AuthnInstant="2016-09-23T13:55:40Z"
+                                     SessionIndex="_9f1148918f12525c6cad9aea29bc557afab2cb8c33"
+                                     >
+                    <saml:AuthnContext>
+                        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
+                        <saml:AuthenticatingAuthority>https://idp.example.com</saml:AuthenticatingAuthority>
+                    </saml:AuthnContext>
+                </saml:AuthnStatement>
+                <saml:AttributeStatement>
+                    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10"
+                                    NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
+                                    >
+                        <saml:AttributeValue>
+                            <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">b8e734571d9adb0e6444a5b49a22f4206df24d88</saml:NameID>
+                        </saml:AttributeValue>
+                    </saml:Attribute>
+                </saml:AttributeStatement>
+                <saml:AttributeStatement>
+                    <saml:Attribute Name="name"
+                                    NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
+                                    >
+                        <saml:AttributeValue xsi:type="xs:string">John Doe</saml:AttributeValue>
+                    </saml:Attribute>
+                </saml:AttributeStatement>
+            </saml:Assertion>
+        </samlp:Response>"""
+
+        resp = authn_response(self.conf, "https://sp.example.com/acs/post", asynchop=False, allow_unsolicited=True)
+        resp.loads(authn_response_xml, False)
+        resp.parse_assertion()
+        ava = resp.get_identity()
+        assert len(ava) == 2
+        assert ava["eduPersonTargetedID"] == ["b8e734571d9adb0e6444a5b49a22f4206df24d88"]
+        assert ava["name"] == ["John Doe"]
+
+
 if __name__ == "__main__":
     t = TestAuthnResponse()
     t.setup_class()