Enable NameQualifier and SPNameQualifier attributes for ePTID

skoranda · skoranda · commit 634644e94c33 · 2019-06-04T12:41:13.000-05:00
The attribute value for eduPersonTargetedID (ePTID) is a NameID
element. The SAML specification allows the NameID element to include
the two optional attributes 'NameQualifier' and 'SPNameQualifier'. This
patch enables specifying a dictionary as the internal or local attribute
value instead of a string. When the local attribute value is a
dictionary with keys 'value', 'NameQualifier', and 'SPNameQualifier'
then the resulting XML NameID element will include the 'NameQualifier'
and 'SPNameQualifier' attributes with values taken from the values
of the dictionary. The value for the NameID element is taken from the
value associated with tthe 'value' key.
diff --git a/src/saml2/attribute_converter.py b/src/saml2/attribute_converter.py
@@ -432,12 +432,7 @@ def to_(self, attrvals):
             if name:
                 if name == "urn:oid:1.3.6.1.4.1.5923.1.1.1.10":
                     # special case for eduPersonTargetedID
-                    attr_value = []
-                    for v in value:
-                        extension_element = ExtensionElement("NameID", NAMESPACE,
-                                                             attributes={'Format': NAMEID_FORMAT_PERSISTENT}, text=v)
-                        attrval = saml.AttributeValue(extension_elements=[extension_element])
-                        attr_value.append(attrval)
+                    attr_value = self.to_eptid_value(value)
                 else:
                     attr_value = do_ava(value)
                 attributes.append(factory(saml.Attribute,
@@ -452,6 +447,41 @@ def to_(self, attrvals):
 
         return attributes
 
+    def to_eptid_value(self, value):
+        """
+        Special handling for the attribute with name
+        urn:oid:1.3.6.1.4.1.5923.1.1.1.10, usually known by the friendly
+        name eduPersonTargetedID. Create the AttributeValue instance(s)
+        for the attribute.
+
+        value is either a string or a dictionary with keys 'value',
+        'NameQualifier', and 'SPNameQualifier'.
+
+        Returns a list of AttributeValue instances.
+        """
+        attribute_values = []
+
+        for v in value:
+            if isinstance(v, dict):
+                element_attributes = {
+                        'Format': NAMEID_FORMAT_PERSISTENT,
+                        'NameQualifier': v['NameQualifier'],
+                        'SPNameQualifier': v['SPNameQualifier']
+                        }
+                text = v['value']
+            else:
+                element_attributes = {'Format': NAMEID_FORMAT_PERSISTENT}
+                text = v
+
+            element = ExtensionElement("NameID", NAMESPACE, element_attributes,
+                                       text=text)
+
+            attrval = saml.AttributeValue(extension_elements=[element])
+
+            attribute_values.append(attrval)
+
+        return attribute_values
+
 
 class AttributeConverterNOOP(AttributeConverter):
     """ Does a NOOP conversion, that is no conversion is made """
diff --git a/tests/test_19_attribute_converter.py b/tests/test_19_attribute_converter.py
@@ -221,6 +221,24 @@ def test_from_local_nest_eduPersonTargetedID_in_NameID(self):
         assert attributes[0].attribute_value[0].extension_elements[0].text == "test value1"
         assert attributes[0].attribute_value[1].extension_elements[0].text == "test value2"
 
+    def test_from_local_eduPersonTargetedID_with_qualifiers(self):
+        IDP_ENTITY_ID = 'https://some.org/idp'
+        SP_ENTITY_ID = 'https://some.org/sp'
+
+        ava = {"edupersontargetedid": [{
+               'value': "test value1",
+               'NameQualifier': IDP_ENTITY_ID,
+               'SPNameQualifier': SP_ENTITY_ID}]}
+        attributes = from_local(self.acs, ava, URI_NF)
+
+        assert len(attributes) == 1
+
+        element = attributes[0].attribute_value[0].extension_elements[0]
+
+        assert element.text == "test value1"
+        assert element.attributes['NameQualifier'] == IDP_ENTITY_ID
+        assert element.attributes['SPNameQualifier'] == SP_ENTITY_ID
+
 
 def test_noop_attribute_conversion():
     ava = {"urn:oid:2.5.4.4": "Roland", "urn:oid:2.5.4.42": "Hedberg"}
