Fixed a problem with filtering assertion by required/optional attributes.

Roland Hedberg · Roland Hedberg · commit eeb4b5d694f4 · 2014-03-27T11:12:41.000+01:00
diff --git a/src/saml2/assertion.py b/src/saml2/assertion.py
@@ -24,7 +24,7 @@
 from saml2 import saml
 
 from saml2.time_util import instant, in_a_while
-from saml2.attribute_converter import from_local
+from saml2.attribute_converter import from_local, get_local_name
 from saml2.s_utils import sid, MissingValue
 from saml2.s_utils import factory
 from saml2.s_utils import assertion_factory
@@ -78,7 +78,7 @@ def _match(attr, ava):
     return None
 
 
-def filter_on_attributes(ava, required=None, optional=None):
+def filter_on_attributes(ava, required=None, optional=None, acs=None):
     """ Filter
     
     :param ava: An attribute value assertion as a dictionary
@@ -98,18 +98,23 @@ def filter_on_attributes(ava, required=None, optional=None):
         nform = ""
         for nform in ["friendly_name", "name"]:
             try:
-                _fn = _match(attr[nform], ava)
+                _name = attr[nform]
             except KeyError:
-                pass
-            else:
-                if _fn:
-                    try:
-                        values = [av["text"] for av in attr["attribute_value"]]
-                    except KeyError:
-                        values = []
-                    res[_fn] = _filter_values(ava[_fn], values, True)
-                    found = True
-                    break
+                if nform == "friendly_name":
+                    _name = get_local_name(acs, attr["name"],
+                                           attr["name_format"])
+                else:
+                    continue
+
+            _fn = _match(_name, ava)
+            if _fn:
+                try:
+                    values = [av["text"] for av in attr["attribute_value"]]
+                except KeyError:
+                    values = []
+                res[_fn] = _filter_values(ava[_fn], values, True)
+                found = True
+                break
 
         if not found:
             raise MissingValue("Required attribute missing: '%s'" % (
@@ -311,7 +316,8 @@ def __init__(self, restrictions=None):
             self.compile(restrictions)
         else:
             self._restrictions = None
-    
+        self.acs = []
+
     def compile(self, restrictions):
         """ This is only for IdPs or AAs, and it's about limiting what
         is returned to the SP.
@@ -484,7 +490,8 @@ def filter(self, ava, sp_entity_id, mdstore, required=None, optional=None):
         ava = filter_attribute_value_assertions(ava, _rest)
         
         if required or optional:
-            ava = filter_on_attributes(ava, required, optional)
+            logger.debug("required: %s, optional: %s" % (required, optional))
+            ava = filter_on_attributes(ava, required, optional, self.acs)
         
         return ava
     
@@ -540,7 +547,8 @@ class Assertion(dict):
     
     def __init__(self, dic=None):
         dict.__init__(self, dic)
-    
+        self.acs = []
+
     @staticmethod
     def _authn_context_decl(decl, authn_auth=None):
         """
@@ -727,6 +735,8 @@ def apply_policy(self, sp_entity_id, policy, metadata=None):
         :param metadata: Metadata to use
         :return: The resulting AVA after the policy is applied
         """
+
+        policy.acs = self.acs
         ava = policy.restrict(self, sp_entity_id, metadata)
         self.update(ava)
         return ava
diff --git a/src/saml2/attribute_converter.py b/src/saml2/attribute_converter.py
@@ -255,6 +255,13 @@ def to_local_name(acs, attr):
     return attr.friendly_name
 
 
+def get_local_name(acs, attr, name_format):
+    for aconv in acs:
+        #print ac.format, name_format
+        if aconv.name_format == name_format:
+            return aconv._fro[attr]
+
+
 def d_to_local_name(acs, attr):
     """
     :param acs: List of AttributeConverter instances
diff --git a/src/saml2/attributemaps/saml_uri.py b/src/saml2/attributemaps/saml_uri.py
@@ -177,6 +177,7 @@
         'edupersonaffiliation': EDUPERSON_OID+'1',
         'eduPersonPrincipalName': EDUPERSON_OID+'6',
         'edupersonprincipalname': EDUPERSON_OID+'6',
+        'eppn': EDUPERSON_OID+'6',
         'localityName': X500ATTR_OID+'7',
         'owner': X500ATTR_OID+'32',
         'norEduOrgUnitUniqueNumber': NOREDUPERSON_OID+'2',
diff --git a/src/saml2/server.py b/src/saml2/server.py
@@ -308,6 +308,7 @@ def _authn_response(self, in_response_to, consumer_url,
         #if identity:
         _issuer = self._issuer(issuer)
         ast = Assertion(identity)
+        ast.acs = self.config.getattr("attribute_converters", "idp")
         if policy is None:
             policy = Policy()
         try:
diff --git a/tools/update_metadata.sh b/tools/update_metadata.sh
@@ -1,2 +1,3 @@
+#!/bin/sh
 curl -O -G http://md.swamid.se/md/swamid-2.0.xml
 mdexport.py -t local -o swamid2.md swamid-2.0.xml

Original file line number	Diff line number	Diff line change
`@@ -1,2 +1,3 @@`
	`1`	`+#!/bin/sh`
`1`	`2`	`curl -O -G http://md.swamid.se/md/swamid-2.0.xml`
`2`	`3`	`mdexport.py -t local -o swamid2.md swamid-2.0.xml`