From ae855414a090f3bdbefda2ed5afeaffb9c9a6dff Mon Sep 17 00:00:00 2001 From: Robert Bradley Date: Wed, 26 Apr 2017 20:56:37 +0100 Subject: [PATCH 01/18] Add support for attribute name mapping and value filtering At present, the php-saml library reports the attribute names as specified by the IdP to the caller. In some cases, it is necessary or useful to rename, or "map", these names to a more friendly form. For example, an IdP may use OIDs in place of "mail" or "eduPersonPrincipalName". It can also be useful to filter out known-bad or unwanted values from the returned attribute values. This patch adds two new parameters to the SP configuration block: "attributeMap" and "attributePolicy". These perform the same basic roles as the similarly named XML files in the Shibboleth SP software. The attributeMap parameter is an associative array of 'source'=>'destination' attribute name mappings. This supports the merging of many source attributes into a single destination attribute. If an attribute name is not present as a key, the attribute is passed through as-is. The attributePolicy parameter is an associative array of filtering functions where the keys are the 'destination' attribute names defined in attributeMap. These take a sole argument of an array of values and return a filtered array of values. If an attribute name is not present, the values are passed through unfiltered. --- lib/Saml2/Response.php | 49 ++++++++++++++++++++++++++++++++++++++++++ lib/Saml2/Settings.php | 6 ++++++ 2 files changed, 55 insertions(+) diff --git a/lib/Saml2/Response.php b/lib/Saml2/Response.php index 6c43068e..95960baa 100644 --- a/lib/Saml2/Response.php +++ b/lib/Saml2/Response.php 
@@ -722,9 +722,58 @@ public function getAttributes() $attributes[$attributeName] = $attributeValues; } + + $spData = $this->_settings->getSPData(); + $attributeMap = $spData['attributeMap']; + $attributePolicy = $spData['attributePolicy']; + $attributes = applyAttributeMapping($attributeMap, $attributes); + $attributes = applyAttributePolicy($attributePolicy, $attributes); return $attributes; } + private function applyAttributeMapping($attributeMap, $attributes) { + $mappedAttributes = array(); + + foreach ($attributes as $attributeName => $attributeValues) { + # Generate hash of new values + + # Default value: identity function + $newAttrName = $attributeName; + if (array_key_exists($attributeName, $attributeMap)) { + # Apply mapping function + $newAttrName = $attributeMap[$attributeName]; + } + + # Merge into already-mapped attribute assoc array + # (allows for multiple source attributes to be merged) + foreach ($attributeValues as $newAttrValue) { + if (!array_key_exists( $newAttrName, $mappedAttributes)) { + $mappedAttributes[$newAttrName] = array(); + } + array_push($mappedAttributes[$newAttrName], $newAttrValue); + } + } + return $mappedAttributes; + } + + private function applyAttributePolicy($attributePolicy, $attributes) { + $filteredAttributes = array(); + + foreach ($attributes as $attributeName => $attributeValues) { + # Generate hash of new values + + # Default value: identity function + $newAttrValues = $attributeValues; + if (array_key_exists($attributeName, $attributePolicy)) { + # Apply mapping function + $newAttrValues = $attributePolicy[$attributeName]($attributeValues); + } + + $filteredAttributes[$attributeName] = $newAttrValues; + } + return $filteredAttributes; + } + /** * Verifies that the document only contains a single Assertion (encrypted or not). * diff --git a/lib/Saml2/Settings.php b/lib/Saml2/Settings.php index 74defa72..24d02527 100644 --- a/lib/Saml2/Settings.php +++ b/lib/Saml2/Settings.php 
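Review bot: `$newAttrValues = $attributePolicy[$attributeName]($attributeValues);` in applyAttributePolicy passes whatever the configured callback returns straight through to callers of getAttributes(), so a policy that returns null or a scalar produces a non-array "value list" instead of a rejection; a filter meant to drop values should fail closed, e.g. `if (!is_array($newAttrValues)) { throw new UnexpectedValueException('attributePolicy for ' . $attributeName . ' must return an array'); }`. Separately, `$attributes = applyAttributeMapping($attributeMap, $attributes);` and the policy call under it are bare function calls to methods declared private in the same hunk, so getAttributes() fails with an undefined-function error as committed (PATCH 07 in this series adds the `$this->` prefix). The surrounding getAttributes() body starts outside the hunk.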
@@ -420,6 +420,12 @@ private function _addDefaultValues() if (!isset($this->_sp['privateKey'])) { $this->_sp['privateKey'] = ''; } + if (!isset($this->_sp['attributeMap'])) { + $this->_sp['attributeMap'] = array(); + } + if (!isset($this->_sp['attributePolicy'])) { + $this->_sp['attributePolicy'] = array(); + } } /** From 2ad298b79ec435b82bc2a87b93e5146ff6bf5e3d Mon Sep 17 00:00:00 2001 From: Robert Bradley Date: Wed, 26 Apr 2017 21:40:26 +0100 Subject: [PATCH 02/18] Add tests for new attribute mapping and filtering functionality --- tests/src/OneLogin/Saml2/ResponseTest.php | 50 +++++++++++++++++++++++ 1 file changed, 50 insertions(+) diff --git a/tests/src/OneLogin/Saml2/ResponseTest.php b/tests/src/OneLogin/Saml2/ResponseTest.php index df8e14d2..49168556 100644 --- a/tests/src/OneLogin/Saml2/ResponseTest.php +++ b/tests/src/OneLogin/Saml2/ResponseTest.php 
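Review bot: _addDefaultValues only substitutes empty arrays for a missing `attributeMap` and `attributePolicy`; nothing checks that a supplied policy entry is callable or that a map value is a string, so a misconfiguration only surfaces as a runtime error while a live assertion is being consumed. Rejecting entries where `!is_callable($fn)` (policy) or `!is_string($name)` (map) at settings construction time turns that into a startup failure, which is the safer place for it. The settings validation routine this class presumably has is outside the hunk, so where exactly the check belongs is inferred.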
@@ -1514,4 +1514,54 @@ public function testIsValidSignWithEmptyReferenceURI() $this->assertTrue(!empty($attributes)); $this->assertEquals('saml@user.com', $attributes['http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress'][0]); } + + public function testAttributeMapping() + { + $settingsDir = TEST_ROOT .'/settings/'; + include $settingsDir.'settings1.php'; + $settingsInfo['sp']['attributeMap'] = array( + 'mail' => 'urn:oid:1.3.6.1.7', + ); + + $xml = file_get_contents(TEST_ROOT . '/data/responses/valid_response.xml.base64'); + + $settings = new OneLogin_Saml2_Settings($settingsInfo); + $response = new OneLogin_Saml2_Response($settings, $xml); + $this->assertTrue($response->isValid()); + $attributes = $response->getAttributes(); + $this->assertTrue(!empty($attributes)); + $this->assertEquals('smartin@yaco.es', $attributes['urn:oid:1.3.6.1.7'][0]); + # Test should fail as-is + $this->asserTrue(array_key_exists('mail', $attributes)); + } + + public function testAttributePolicy() + { + $settingsDir = TEST_ROOT .'/settings/'; + include $settingsDir.'settings1.php'; + $settingsInfo['sp']['attributePolicy'] = array( + 'eduPersonAffiliation' => function($values) + { + $valid_values = array('user'); + $new_values = array(); + foreach ($values as $value) { + if (in_array($value, $valid_values, true)) { + array_push($new_values, $value); + } + } + return $new_values; + }, + ); + + $xml = file_get_contents(TEST_ROOT . '/data/responses/valid_response.xml.base64'); + + $settings = new OneLogin_Saml2_Settings($settingsInfo); + $response = new OneLogin_Saml2_Response($settings, $xml); + $this->assertTrue($response->isValid()); + $attributes = $response->getAttributes(); + $this->assertTrue(!empty($attributes)); + $this->assertTrue(in_array('user', $attributes['eduPersonAffiliation']); + # Should break tests... + $this->assertTrue(in_array('admin', $attributes['eduPersonAffiliation']); + } } From 9a6e9edbf7a1c5595bebfdf4c65eeb744f11abc4 Mon Sep 17 00:00:00 2001 
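Review bot: The assertions `$this->assertTrue(in_array('user', $attributes['eduPersonAffiliation']));` and the matching `'admin'` one use loose in_array, unlike the policy closure a few lines above that passes `true` as the third argument; with loose comparison a value of `0` or `true` in the list would satisfy either assertion, so they should read `in_array('user', $attributes['eduPersonAffiliation'], true)` and likewise for `'admin'`. The checks tagged `# Test should fail as-is` and `# Should break tests...` are intentionally inverted, leaving the suite red on this commit; the corrected expectations belong in the commit that adds the tests. The enclosing test class continues past the hunk.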
From: Robert Bradley Date: Wed, 26 Apr 2017 21:52:56 +0100 Subject: [PATCH 03/18] Fix code formatting issues found by Travis tests --- lib/Saml2/Response.php | 8 +++++--- tests/src/OneLogin/Saml2/ResponseTest.php | 8 ++++---- 2 files changed, 9 insertions(+), 7 deletions(-) diff --git a/lib/Saml2/Response.php b/lib/Saml2/Response.php index 95960baa..2a050985 100644 --- a/lib/Saml2/Response.php +++ b/lib/Saml2/Response.php @@ -731,7 +731,8 @@ public function getAttributes() return $attributes; } - private function applyAttributeMapping($attributeMap, $attributes) { + private function applyAttributeMapping($attributeMap, $attributes) + { $mappedAttributes = array(); foreach ($attributes as $attributeName => $attributeValues) { @@ -747,7 +748,7 @@ private function applyAttributeMapping($attributeMap, $attributes) { # Merge into already-mapped attribute assoc array # (allows for multiple source attributes to be merged) foreach ($attributeValues as $newAttrValue) { - if (!array_key_exists( $newAttrName, $mappedAttributes)) { + if (!array_key_exists($newAttrName, $mappedAttributes)) { $mappedAttributes[$newAttrName] = array(); } array_push($mappedAttributes[$newAttrName], $newAttrValue); @@ -756,7 +757,8 @@ private function applyAttributeMapping($attributeMap, $attributes) { return $mappedAttributes; } - private function applyAttributePolicy($attributePolicy, $attributes) { + private function applyAttributePolicy($attributePolicy, $attributes) + { $filteredAttributes = array(); foreach ($attributes as $attributeName => $attributeValues) { diff --git a/tests/src/OneLogin/Saml2/ResponseTest.php b/tests/src/OneLogin/Saml2/ResponseTest.php index 49168556..270d82ec 100644 --- a/tests/src/OneLogin/Saml2/ResponseTest.php +++ b/tests/src/OneLogin/Saml2/ResponseTest.php 
@@ -1542,11 +1542,11 @@ public function testAttributePolicy() $settingsInfo['sp']['attributePolicy'] = array( 'eduPersonAffiliation' => function($values) { - $valid_values = array('user'); - $new_values = array(); + $validValues = array('user'); + $newValues = array(); foreach ($values as $value) { - if (in_array($value, $valid_values, true)) { - array_push($new_values, $value); + if (in_array($value, $validValues, true)) { + array_push($newValues, $value); } } return $new_values; From ab96e63db0c9a1925b09d3d58fcf11ed02587f88 Mon Sep 17 00:00:00 2001 From: Robert Bradley Date: Wed, 26 Apr 2017 22:03:45 +0100 Subject: [PATCH 04/18] Fix coveralls configuration --- .coveralls.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/.coveralls.yml b/.coveralls.yml index 173ff356..d43702dd 100644 --- a/.coveralls.yml +++ b/.coveralls.yml @@ -1,7 +1,5 @@ service_name: travis-ci -src_dir: lib - coverage_clover: tests/build/logs/clover.xml json_path: tests/build/logs/coveralls-upload.json From cd631640407b2a69b0ca3cff6fb33fe4c9d51631 Mon Sep 17 00:00:00 2001 From: Robert Bradley Date: Wed, 26 Apr 2017 22:04:10 +0100 Subject: [PATCH 05/18] Fix typo caused by previous Travis fixes --- tests/src/OneLogin/Saml2/ResponseTest.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/src/OneLogin/Saml2/ResponseTest.php b/tests/src/OneLogin/Saml2/ResponseTest.php index 270d82ec..380d1647 100644 --- a/tests/src/OneLogin/Saml2/ResponseTest.php +++ b/tests/src/OneLogin/Saml2/ResponseTest.php @@ -1549,7 +1549,7 @@ public function testAttributePolicy() array_push($newValues, $value); } } - return $new_values; + return $newValues; }, ); From 9f020ca467e24bc1bfdac667850b869de81b89ea Mon Sep 17 00:00:00 2001 From: Robert Bradley Date: Wed, 26 Apr 2017 22:08:15 +0100 Subject: [PATCH 06/18] Fix more typos found by Travis --- tests/src/OneLogin/Saml2/ResponseTest.php | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
diff --git a/tests/src/OneLogin/Saml2/ResponseTest.php b/tests/src/OneLogin/Saml2/ResponseTest.php index 380d1647..49f19916 100644 --- a/tests/src/OneLogin/Saml2/ResponseTest.php +++ b/tests/src/OneLogin/Saml2/ResponseTest.php @@ -1532,7 +1532,7 @@ public function testAttributeMapping() $this->assertTrue(!empty($attributes)); $this->assertEquals('smartin@yaco.es', $attributes['urn:oid:1.3.6.1.7'][0]); # Test should fail as-is - $this->asserTrue(array_key_exists('mail', $attributes)); + $this->assertTrue(array_key_exists('mail', $attributes)); } public function testAttributePolicy() @@ -1560,8 +1560,8 @@ public function testAttributePolicy() $this->assertTrue($response->isValid()); $attributes = $response->getAttributes(); $this->assertTrue(!empty($attributes)); - $this->assertTrue(in_array('user', $attributes['eduPersonAffiliation']); + $this->assertTrue(in_array('user', $attributes['eduPersonAffiliation'])); # Should break tests... - $this->assertTrue(in_array('admin', $attributes['eduPersonAffiliation']); + $this->assertTrue(in_array('admin', $attributes['eduPersonAffiliation'])); } } From 6939a7b5464db41c57a8502894ef930847db3ad9 Mon Sep 17 00:00:00 2001 From: Robert Bradley Date: Wed, 26 Apr 2017 22:15:02 +0100 Subject: [PATCH 07/18] Saml2/Response: Move applyAttribute* functions higher up the file and mark as protected --- lib/Saml2/Response.php | 94 +++++++++++++++++++++--------------------- 1 file changed, 47 insertions(+), 47 deletions(-) diff --git a/lib/Saml2/Response.php b/lib/Saml2/Response.php index 2a050985..7f88c309 100644 --- a/lib/Saml2/Response.php +++ b/lib/Saml2/Response.php 
@@ -726,56 +726,11 @@ public function getAttributes() $spData = $this->_settings->getSPData(); $attributeMap = $spData['attributeMap']; $attributePolicy = $spData['attributePolicy']; - $attributes = applyAttributeMapping($attributeMap, $attributes); - $attributes = applyAttributePolicy($attributePolicy, $attributes); + $attributes = $this->_applyAttributeMapping($attributeMap, $attributes); + $attributes = $this->_applyAttributePolicy($attributePolicy, $attributes); return $attributes; } - private function applyAttributeMapping($attributeMap, $attributes) - { - $mappedAttributes = array(); - - foreach ($attributes as $attributeName => $attributeValues) { - # Generate hash of new values - - # Default value: identity function - $newAttrName = $attributeName; - if (array_key_exists($attributeName, $attributeMap)) { - # Apply mapping function - $newAttrName = $attributeMap[$attributeName]; - } - - # Merge into already-mapped attribute assoc array - # (allows for multiple source attributes to be merged) - foreach ($attributeValues as $newAttrValue) { - if (!array_key_exists($newAttrName, $mappedAttributes)) { - $mappedAttributes[$newAttrName] = array(); - } - array_push($mappedAttributes[$newAttrName], $newAttrValue); - } - } - return $mappedAttributes; - } - - private function applyAttributePolicy($attributePolicy, $attributes) - { - $filteredAttributes = array(); - - foreach ($attributes as $attributeName => $attributeValues) { - # Generate hash of new values - - # Default value: identity function - $newAttrValues = $attributeValues; - if (array_key_exists($attributeName, $attributePolicy)) { - # Apply mapping function - $newAttrValues = $attributePolicy[$attributeName]($attributeValues); - } - - $filteredAttributes[$attributeName] = $newAttrValues; - } - return $filteredAttributes; - } - /** * Verifies that the document only contains a single Assertion (encrypted or not). * 
@@ -1122,6 +1077,51 @@ protected function _decryptAssertion($dom) } } + protected function _applyAttributeMapping($attributeMap, $attributes) + { + $mappedAttributes = array(); + + foreach ($attributes as $attributeName => $attributeValues) { + # Generate hash of new values + + # Default value: identity function + $newAttrName = $attributeName; + if (array_key_exists($attributeName, $attributeMap)) { + # Apply mapping function + $newAttrName = $attributeMap[$attributeName]; + } + + # Merge into already-mapped attribute assoc array + # (allows for multiple source attributes to be merged) + foreach ($attributeValues as $newAttrValue) { + if (!array_key_exists($newAttrName, $mappedAttributes)) { + $mappedAttributes[$newAttrName] = array(); + } + array_push($mappedAttributes[$newAttrName], $newAttrValue); + } + } + return $mappedAttributes; + } + + protected function _applyAttributePolicy($attributePolicy, $attributes) + { + $filteredAttributes = array(); + + foreach ($attributes as $attributeName => $attributeValues) { + # Generate hash of new values + + # Default value: identity function + $newAttrValues = $attributeValues; + if (array_key_exists($attributeName, $attributePolicy)) { + # Apply mapping function + $newAttrValues = $attributePolicy[$attributeName]($attributeValues); + } + + $filteredAttributes[$attributeName] = $newAttrValues; + } + return $filteredAttributes; + } + /* After execute a validation process, if fails this method returns the cause * * @return string Cause From cac9f47e05ecbcda6400166a82993cf12185996c Mon Sep 17 00:00:00 2001 From: Robert Bradley Date: Wed, 26 Apr 2017 22:20:07 +0100 Subject: [PATCH 08/18] Saml2/ResponseTest: Fix deliberate breakage of the testAttributeMapping and testAttributePolicy tests --- tests/src/OneLogin/Saml2/ResponseTest.php | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/tests/src/OneLogin/Saml2/ResponseTest.php b/tests/src/OneLogin/Saml2/ResponseTest.php index 49f19916..755250be 100644 
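Review bot: The inline comment `# Generate hash of new values` in both relocated helpers has no statement under it, and `# Apply mapping function` inside _applyAttributePolicy describes a filter, not a mapping, so both should be dropped or replaced with `// Apply the configured filter to this attribute's values`. On style, `array_push($mappedAttributes[$newAttrName], $newAttrValue);` is the manual form of `$mappedAttributes[$newAttrName][] = $newAttrValue;`, which also makes the preceding `array_key_exists` initialisation of the empty array unnecessary, and `//` rather than `#` matches the comment style used elsewhere in the file. Both helpers are complete within the hunk.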
--- a/tests/src/OneLogin/Saml2/ResponseTest.php +++ b/tests/src/OneLogin/Saml2/ResponseTest.php @@ -1531,8 +1531,7 @@ public function testAttributeMapping() $attributes = $response->getAttributes(); $this->assertTrue(!empty($attributes)); $this->assertEquals('smartin@yaco.es', $attributes['urn:oid:1.3.6.1.7'][0]); - # Test should fail as-is - $this->assertTrue(array_key_exists('mail', $attributes)); + $this->assertFalse(array_key_exists('mail', $attributes)); } public function testAttributePolicy() @@ -1561,7 +1560,6 @@ public function testAttributePolicy() $attributes = $response->getAttributes(); $this->assertTrue(!empty($attributes)); $this->assertTrue(in_array('user', $attributes['eduPersonAffiliation'])); - # Should break tests... - $this->assertTrue(in_array('admin', $attributes['eduPersonAffiliation'])); + $this->assertFalse(in_array('admin', $attributes['eduPersonAffiliation'])); } } From 9807749a9119da53320f2c987b04e146a111151e Mon Sep 17 00:00:00 2001 From: Robert Bradley Date: Wed, 26 Apr 2017 22:53:32 +0100 Subject: [PATCH 09/18] lib/Saml2/Response: Add documentation to _applyAttribute*() functions --- lib/Saml2/Response.php | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/lib/Saml2/Response.php b/lib/Saml2/Response.php index 7f88c309..65985ee1 100644 --- a/lib/Saml2/Response.php +++ b/lib/Saml2/Response.php @@ -1077,6 +1077,14 @@ protected function _decryptAssertion($dom) } } + /** + * Apply attribute name mapping to extracted attributes + * + * @param array $attributeMap Associative array mapping IdP attribute names to local names + * @param array $attributes Associative array of attribute names => values + * + * @return array Attribute list containing renamed/merged attributes + */ protected function _applyAttributeMapping($attributeMap, $attributes) { $mappedAttributes = array(); 
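Review bot: The new docblock on _applyAttributeMapping does not state the merge rule the body implements: several source names mapping to one local name have their values concatenated in attribute order, and an attribute the IdP already sends under a local name is merged with the mapped one as well, since the map is only consulted for the source name. Suggest adding to the description `Several source names may map to one local name; their values are appended in attribute order, and an attribute already named like a target is merged with it.` so consumers know a value list may contain entries from more than one source attribute. The method body continues past the hunk.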
@@ -1103,6 +1111,14 @@ protected function _applyAttributeMapping($attributeMap, $attributes) return $mappedAttributes; } + /** + * Filter attribute values + * + * @param array $attributePolicy Associative array of filter functions per-attribute-name + * @param array $attributes Associative array of attribute names => values + * + * @return array Attribute list containing filtered attribute values + */ protected function _applyAttributePolicy($attributePolicy, $attributes) { $filteredAttributes = array(); From 177c3f6f73ebec00e1604090ecdbc08fcd5cfaa2 Mon Sep 17 00:00:00 2001 From: Robert Bradley Date: Wed, 26 Apr 2017 22:54:28 +0100 Subject: [PATCH 10/18] lib/Saml2/Response: Filter out attributes with no valid values entirely --- lib/Saml2/Response.php | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/lib/Saml2/Response.php b/lib/Saml2/Response.php index 65985ee1..ad763d7c 100644 --- a/lib/Saml2/Response.php +++ b/lib/Saml2/Response.php @@ -1132,8 +1132,9 @@ protected function _applyAttributePolicy($attributePolicy, $attributes) # Apply mapping function $newAttrValues = $attributePolicy[$attributeName]($attributeValues); } - - $filteredAttributes[$attributeName] = $newAttrValues; + if (count($newAttrValues) > 0) { + $filteredAttributes[$attributeName] = $newAttrValues; + } } return $filteredAttributes; } From 6c5278c113c920626fc099db12628caff0c64d40 Mon Sep 17 00:00:00 2001 From: Robert Bradley Date: Wed, 26 Apr 2017 22:55:18 +0100 Subject: [PATCH 11/18] ResponseTest: Add combined attribute mapping/filtering test --- lib/Saml2/AttributePolicyHelpers.php | 29 +++++++++++++++++ tests/src/OneLogin/Saml2/ResponseTest.php | 39 +++++++++++++++++++++++ 2 files changed, 68 insertions(+) create mode 100644 lib/Saml2/AttributePolicyHelpers.php diff --git a/lib/Saml2/AttributePolicyHelpers.php b/lib/Saml2/AttributePolicyHelpers.php new file mode 100644 index 00000000..59f256ce --- /dev/null +++ b/lib/Saml2/AttributePolicyHelpers.php 
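Review bot: `if (count($newAttrValues) > 0)` drops every attribute that ends up with no values, not only those a policy emptied, so an attribute the IdP asserted without values (presumably returned as an empty array before this change) now disappears and callers that tested its presence with array_key_exists see a contract change that neither the commit message nor the docblock added in the preceding hunk mentions. It also calls count() on whatever the policy callback returned, which errors on PHP 8 (and warns on 7.2+) when that is not an array. Guard the return type, `if (!is_array($newAttrValues)) { throw new UnexpectedValueException('attributePolicy for ' . $attributeName . ' must return an array'); }`, and either limit the drop to the policy branch or document the new rule in the docblock with `Attributes left with no values are omitted from the result.` The docblock of _applyAttributePolicy is outside this hunk.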
@@ -0,0 +1,29 @@ +assertTrue(in_array('user', $attributes['eduPersonAffiliation'])); $this->assertFalse(in_array('admin', $attributes['eduPersonAffiliation'])); } + + public function testAttributeMappingAndPolicy() + { + $settingsDir = TEST_ROOT .'/settings/'; + include $settingsDir.'settings1.php'; + + $attrHelpers = new OneLogin_Saml2_Settings_AttributePolicyHelpers; + + $settingsInfo['sp']['attributeMap'] = array( + 'mail' => 'urn:oid:1.3.6.1.7', + ); + $settingsInfo['sp']['attributePolicy'] = array( + 'eduPersonAffiliation' => $attrHelpers->retrictValuesTo(array('user')), + 'urn:oid:1.3.6.1.7' => $attrHelpers->requireScope('yaco.es'), + ); + + $xml = file_get_contents(TEST_ROOT . '/data/responses/valid_response.xml.base64'); + + $settings = new OneLogin_Saml2_Settings($settingsInfo); + $response = new OneLogin_Saml2_Response($settings, $xml); + $this->assertTrue($response->isValid()); + $attributes = $response->getAttributes(); + $this->assertTrue(!empty($attributes)); + $this->assertEquals('smartin@yaco.es', $attributes['urn:oid:1.3.6.1.7'][0]); + $this->assertFalse(array_key_exists('mail', $attributes)); + $this->assertTrue(in_array('user', $attributes['eduPersonAffiliation'])); + $this->assertFalse(in_array('admin', $attributes['eduPersonAffiliation'])); + + $settingsInfo2 = $settingsInfo + $settingsInfo2['sp']['attributePolicy'] = array( + 'eduPersonAffiliation' => $attrHelpers->retrictValuesTo(array('user')), + 'urn:oid:1.3.6.1.7' => $attrHelpers->requireScope('yaco.com'), + ); + $settings2 = new OneLogin_Saml2_Settings($settingsInfo2); + $response2 = new OneLogin_Saml2_Response($settings2, $xml); + $this->assertTrue(!empty($attributes)); + $this->assertFalse(array_key_exists('urn:oid:1.3.6.1.7', $attributes)); + + } } From e8cb2b0e476174c494dad9b19b398423acccc940 Mon Sep 17 00:00:00 2001 
From: Robert Bradley Date: Wed, 26 Apr 2017 22:58:44 +0100 Subject: [PATCH 12/18] Travis: Attempt to cache composer cache directory across tests --- .travis.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.travis.yml b/.travis.yml index 648e8cc0..c8ddc1d7 100644 --- a/.travis.yml +++ b/.travis.yml @@ -1,5 +1,9 @@ language: php +cache: + directories: + - $HOME/.composer/cache + php: - 5.6 - 5.5 From bdc0e801712af40579c32eceb666c0b88f691436 Mon Sep 17 00:00:00 2001 From: Robert Bradley Date: Wed, 26 Apr 2017 23:00:11 +0100 Subject: [PATCH 13/18] lib/Saml2/AttributePolicyHelpers: Remove stray semi-colon --- lib/Saml2/AttributePolicyHelpers.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/Saml2/AttributePolicyHelpers.php b/lib/Saml2/AttributePolicyHelpers.php index 59f256ce..d14d81f5 100644 --- a/lib/Saml2/AttributePolicyHelpers.php +++ b/lib/Saml2/AttributePolicyHelpers.php @@ -17,7 +17,7 @@ static function restrictValuesTo($validValues) { } return $newValues; }; - }; + } static function requireScope($scope) { $scope = str_replace('.', '\.', $scope); From 0c329813820501e7ef409a864639a2b25d6a6462 Mon Sep 17 00:00:00 2001 From: Robert Bradley Date: Wed, 26 Apr 2017 23:04:28 +0100 Subject: [PATCH 14/18] ResponseTest: Add missing semicolon to testAttributeMappingAndPolicy() --- tests/src/OneLogin/Saml2/ResponseTest.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/src/OneLogin/Saml2/ResponseTest.php b/tests/src/OneLogin/Saml2/ResponseTest.php index c17942b1..8abd09d6 100644 --- a/tests/src/OneLogin/Saml2/ResponseTest.php +++ b/tests/src/OneLogin/Saml2/ResponseTest.php 
@@ -1590,7 +1590,7 @@ public function testAttributeMappingAndPolicy() $this->assertTrue(in_array('user', $attributes['eduPersonAffiliation'])); $this->assertFalse(in_array('admin', $attributes['eduPersonAffiliation'])); - $settingsInfo2 = $settingsInfo + $settingsInfo2 = $settingsInfo; $settingsInfo2['sp']['attributePolicy'] = array( 'eduPersonAffiliation' => $attrHelpers->retrictValuesTo(array('user')), 'urn:oid:1.3.6.1.7' => $attrHelpers->requireScope('yaco.com'), From d2b405163c67f5a73176227ae99388c9769c6ed4 Mon Sep 17 00:00:00 2001 From: Robert Bradley Date: Wed, 26 Apr 2017 23:07:09 +0100 Subject: [PATCH 15/18] ResponseTest: Fix typo in testAttributeMappingAndPolicy() --- tests/src/OneLogin/Saml2/ResponseTest.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/src/OneLogin/Saml2/ResponseTest.php b/tests/src/OneLogin/Saml2/ResponseTest.php index 8abd09d6..5bd04e8c 100644 --- a/tests/src/OneLogin/Saml2/ResponseTest.php +++ b/tests/src/OneLogin/Saml2/ResponseTest.php @@ -1574,7 +1574,7 @@ public function testAttributeMappingAndPolicy() 'mail' => 'urn:oid:1.3.6.1.7', ); $settingsInfo['sp']['attributePolicy'] = array( - 'eduPersonAffiliation' => $attrHelpers->retrictValuesTo(array('user')), + 'eduPersonAffiliation' => $attrHelpers->restrictValuesTo(array('user')), 'urn:oid:1.3.6.1.7' => $attrHelpers->requireScope('yaco.es'), ); From 16142a6ea33a610ad00aa47645966455a366ab65 Mon Sep 17 00:00:00 2001 From: Robert Bradley Date: Wed, 26 Apr 2017 23:08:27 +0100 Subject: [PATCH 16/18] lib/Saml2/AttributePolicyHelpers: Fix code formatting --- lib/Saml2/AttributePolicyHelpers.php | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/lib/Saml2/AttributePolicyHelpers.php b/lib/Saml2/AttributePolicyHelpers.php index d14d81f5..74b4ad9d 100644 --- a/lib/Saml2/AttributePolicyHelpers.php +++ b/lib/Saml2/AttributePolicyHelpers.php 
@@ -7,7 +7,8 @@ class OneLogin_Saml2_Settings_AttributePolicyHelpers { - static function restrictValuesTo($validValues) { + static function restrictValuesTo($validValues) + { return function($values) use ($validValues) { $newValues = array(); foreach ($values as $value) { @@ -19,7 +20,8 @@ static function restrictValuesTo($validValues) { }; } - static function requireScope($scope) { + static function requireScope($scope) + { $scope = str_replace('.', '\.', $scope); return function ($values) use ($scope) { $newValues = preg_grep('/^[^@]+@' . $scope . '$/', $values); From a8506c6d4f9d9e62eb07ac738afc7512565232ac Mon Sep 17 00:00:00 2001 From: Robert Bradley Date: Wed, 26 Apr 2017 23:10:15 +0100 Subject: [PATCH 17/18] ResponseTest: Fix previous typo in testAttributeMappingAndPolicy() --- tests/src/OneLogin/Saml2/ResponseTest.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/src/OneLogin/Saml2/ResponseTest.php b/tests/src/OneLogin/Saml2/ResponseTest.php index 5bd04e8c..26f3daa5 100644 --- a/tests/src/OneLogin/Saml2/ResponseTest.php +++ b/tests/src/OneLogin/Saml2/ResponseTest.php @@ -1592,7 +1592,7 @@ public function testAttributeMappingAndPolicy() $settingsInfo2 = $settingsInfo; $settingsInfo2['sp']['attributePolicy'] = array( - 'eduPersonAffiliation' => $attrHelpers->retrictValuesTo(array('user')), + 'eduPersonAffiliation' => $attrHelpers->restrictValuesTo(array('user')), 'urn:oid:1.3.6.1.7' => $attrHelpers->requireScope('yaco.com'), ); $settings2 = new OneLogin_Saml2_Settings($settingsInfo2); From e5f63e0587fce08419c49c3c999341a7c30d3d42 Mon Sep 17 00:00:00 2001 From: Robert Bradley Date: Wed, 26 Apr 2017 23:17:09 +0100 Subject: [PATCH 18/18] ResponseTest: Fix test so that second set of filtered attributes are used --- tests/src/OneLogin/Saml2/ResponseTest.php | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) 
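Review bot: `$newValues = preg_grep('/^[^@]+@' . $scope . '$/', $values);` in requireScope is a scope check with two gaps: in PCRE `$` also matches before a trailing newline, so a value ending in `\n` after the scope still passes (use `\z` or the `D` modifier), and `$scope = str_replace('.', '\.', $scope);` escapes only the dot where `preg_quote($scope, '/')` escapes every metacharacter. preg_grep also preserves the input keys, so once a value is removed the result is no longer a list and `[0]` lookups like the ones in the tests can be undefined; wrap the result in array_values(). Suggested: `$pattern = '/^[^@]+@' . preg_quote($scope, '/') . '\z/';` and `$newValues = array_values(preg_grep($pattern, $values));`, adding the `i` modifier if scopes should compare case-insensitively as DNS names do. The closure body continues outside the hunk.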
diff --git a/tests/src/OneLogin/Saml2/ResponseTest.php b/tests/src/OneLogin/Saml2/ResponseTest.php index 26f3daa5..35caa128 100644 --- a/tests/src/OneLogin/Saml2/ResponseTest.php +++ b/tests/src/OneLogin/Saml2/ResponseTest.php @@ -1597,8 +1597,10 @@ public function testAttributeMappingAndPolicy() ); $settings2 = new OneLogin_Saml2_Settings($settingsInfo2); $response2 = new OneLogin_Saml2_Response($settings2, $xml); - $this->assertTrue(!empty($attributes)); - $this->assertFalse(array_key_exists('urn:oid:1.3.6.1.7', $attributes)); + $this->assertTrue($response2->isValid()); + $attributes2 = $response2->getAttributes(); + $this->assertTrue(!empty($attributes2)); + $this->assertFalse(array_key_exists('urn:oid:1.3.6.1.7', $attributes2)); } }