Merge Same-named Attribute Elements

jzheaux · jzheaux · commit 56a6133b20a2 · 2022-07-20T18:43:25.000-06:00
Closes gh-11042
diff --git a/saml2/saml2-service-provider/src/opensaml3Test/java/org/springframework/security/saml2/provider/service/authentication/OpenSamlAuthenticationProviderTests.java b/saml2/saml2-service-provider/src/opensaml3Test/java/org/springframework/security/saml2/provider/service/authentication/OpenSamlAuthenticationProviderTests.java
@@ -244,6 +244,7 @@ public void authenticateWhenAssertionContainsAttributesThenItSucceeds() {
 		expected.put("age", Collections.singletonList(21));
 		expected.put("website", Collections.singletonList("https://johndoe.com/"));
 		expected.put("registered", Collections.singletonList(true));
+		expected.put("role", Arrays.asList("RoleTwo"));
 		Instant registeredDate = Instant.ofEpochMilli(DateTime.parse("1970-01-01T00:00:00Z").getMillis());
 		expected.put("registeredDate", Collections.singletonList(registeredDate));
 		assertThat((String) principal.getFirstAttribute("name")).isEqualTo("John Doe");
diff --git a/saml2/saml2-service-provider/src/opensaml4Main/java/org/springframework/security/saml2/provider/service/authentication/OpenSaml4AuthenticationProvider.java b/saml2/saml2-service-provider/src/opensaml4Main/java/org/springframework/security/saml2/provider/service/authentication/OpenSaml4AuthenticationProvider.java
@@ -23,7 +23,6 @@
 import java.util.Collection;
 import java.util.Collections;
 import java.util.HashMap;
-import java.util.LinkedHashMap;
 import java.util.List;
 import java.util.Map;
 import java.util.function.Consumer;
@@ -86,6 +85,8 @@
 import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration;
 import org.springframework.util.Assert;
 import org.springframework.util.CollectionUtils;
+import org.springframework.util.LinkedMultiValueMap;
+import org.springframework.util.MultiValueMap;
 import org.springframework.util.StringUtils;
 
 /**
@@ -601,7 +602,7 @@ private boolean hasName(Assertion assertion) {
 	}
 
 	private static Map<String, List<Object>> getAssertionAttributes(Assertion assertion) {
-		Map<String, List<Object>> attributeMap = new LinkedHashMap<>();
+		MultiValueMap<String, Object> attributeMap = new LinkedMultiValueMap<>();
 		for (AttributeStatement attributeStatement : assertion.getAttributeStatements()) {
 			for (Attribute attribute : attributeStatement.getAttributes()) {
 				List<Object> attributeValues = new ArrayList<>();
@@ -611,7 +612,7 @@ private static Map<String, List<Object>> getAssertionAttributes(Assertion assert
 						attributeValues.add(attributeValue);
 					}
 				}
-				attributeMap.put(attribute.getName(), attributeValues);
+				attributeMap.addAll(attribute.getName(), attributeValues);
 			}
 		}
 		return attributeMap;
diff --git a/saml2/saml2-service-provider/src/opensaml4Test/java/org/springframework/security/saml2/provider/service/authentication/OpenSaml4AuthenticationProviderTests.java b/saml2/saml2-service-provider/src/opensaml4Test/java/org/springframework/security/saml2/provider/service/authentication/OpenSaml4AuthenticationProviderTests.java
@@ -245,6 +245,7 @@ public void authenticateWhenAssertionContainsAttributesThenItSucceeds() {
 		expected.put("registered", Collections.singletonList(true));
 		Instant registeredDate = Instant.parse("1970-01-01T00:00:00Z");
 		expected.put("registeredDate", Collections.singletonList(registeredDate));
+		expected.put("role", Arrays.asList("RoleOne", "RoleTwo")); // gh-11042
 		assertThat((String) principal.getFirstAttribute("name")).isEqualTo("John Doe");
 		assertThat(principal.getAttributes()).isEqualTo(expected);
 	}
diff --git a/saml2/saml2-service-provider/src/test/java/org/springframework/security/saml2/provider/service/authentication/TestOpenSamlObjects.java b/saml2/saml2-service-provider/src/test/java/org/springframework/security/saml2/provider/service/authentication/TestOpenSamlObjects.java
@@ -312,6 +312,18 @@ static List<AttributeStatement> attributeStatements() {
 		name.setValue("John Doe");
 		nameAttr.getAttributeValues().add(name);
 		attrStmt1.getAttributes().add(nameAttr);
+		Attribute roleOneAttr = attributeBuilder.buildObject(); // gh-11042
+		roleOneAttr.setName("role");
+		XSString roleOne = new XSStringBuilder().buildObject(AttributeValue.DEFAULT_ELEMENT_NAME, XSString.TYPE_NAME);
+		roleOne.setValue("RoleOne");
+		roleOneAttr.getAttributeValues().add(roleOne);
+		attrStmt1.getAttributes().add(roleOneAttr);
+		Attribute roleTwoAttr = attributeBuilder.buildObject(); // gh-11042
+		roleTwoAttr.setName("role");
+		XSString roleTwo = new XSStringBuilder().buildObject(AttributeValue.DEFAULT_ELEMENT_NAME, XSString.TYPE_NAME);
+		roleTwo.setValue("RoleTwo");
+		roleTwoAttr.getAttributeValues().add(roleTwo);
+		attrStmt1.getAttributes().add(roleTwoAttr);
 		Attribute ageAttr = attributeBuilder.buildObject();
 		ageAttr.setName("age");
 		XSInteger age = new XSIntegerBuilder().buildObject(AttributeValue.DEFAULT_ELEMENT_NAME, XSInteger.TYPE_NAME);

Original file line number	Diff line number	Diff line change
`@@ -245,6 +245,7 @@ public void authenticateWhenAssertionContainsAttributesThenItSucceeds() {`
`245`	`245`	`expected.put("registered", Collections.singletonList(true));`
`246`	`246`	`Instant registeredDate = Instant.parse("1970-01-01T00:00:00Z");`
`247`	`247`	`expected.put("registeredDate", Collections.singletonList(registeredDate));`
	`248`	`+ expected.put("role", Arrays.asList("RoleOne", "RoleTwo")); // gh-11042`
`248`	`249`	`assertThat((String) principal.getFirstAttribute("name")).isEqualTo("John Doe");`
`249`	`250`	`assertThat(principal.getAttributes()).isEqualTo(expected);`
`250`	`251`	`}`