author | Simo Sorce <simo@redhat.com> | 2014-04-14 16:27:52 -0400 |
---|---|---|
committer | Simo Sorce <simo@redhat.com> | 2014-04-14 16:28:03 -0400 |
commit | cc160379676d2cdede9339d169b10976613ebbbf (patch) | |
tree | 40bda7b7b1d225c3e3c30fcf29ce89f59894e1d2 | |
parent | 01bfc020dd2135069c7b8560a94ecf8cd7f72df8 (diff) | |
Add nameid values validation
Signed-off-by: Simo Sorce <simo@redhat.com>
-rwxr-xr-x | ipsilon/providers/saml2/admin.py | 7 | ||||
-rwxr-xr-x | ipsilon/providers/saml2/provider.py | 8 |
2 files changed, 15 insertions, 0 deletions
diff --git a/ipsilon/providers/saml2/admin.py b/ipsilon/providers/saml2/admin.py index 2f346ce..0a5a88d 100755 --- a/ipsilon/providers/saml2/admin.py +++ b/ipsilon/providers/saml2/admin.py @@ -172,6 +172,8 @@ class SPAdminPage(Page): self._debug("Replacing %s: %s -> %s" % (key, self.sp.default_nameid, value)) + if not self.sp.is_valid_nameid(value): + raise InvalidValueFormat('Invalid default nameid value') return {'default_nameid': value} else: raise UnauthorizedUser("Unauthorized to set default nameid value") @@ -185,6 +187,11 @@ class SPAdminPage(Page): self._debug("Replacing %s: %s -> %s" % (key, self.sp.allowed_nameids, list(v))) + for x in v: + if not self.sp.is_valid_nameid(x): + l = ', '.join(self.sp.valid_nameids()) + err = 'Invalid nameid [%s]. Available [%s].' % (x, l) + raise InvalidValueFormat(err) return {'allowed_nameids': list(v)} else: raise UnauthorizedUser("Unauthorized to set alowed nameids values") diff --git a/ipsilon/providers/saml2/provider.py b/ipsilon/providers/saml2/provider.py index 7d47363..b6ed4bf 100755 --- a/ipsilon/providers/saml2/provider.py +++ b/ipsilon/providers/saml2/provider.py @@ -144,6 +144,14 @@ class ServiceProvider(object): return username.split('@', 1)[0] return username + def is_valid_nameid(self, value): + if value in SAML2_NAMEID_MAP: + return True + return False + + def valid_nameids(self): + return SAML2_NAMEID_MAP.keys() + class ServiceProviderCreator(object): |
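Review bot: In the default_nameid branch of admin.py, the new `is_valid_nameid` check sits after the `self._debug("Replacing ...")` call, so a value that is then rejected has already been logged as if it replaced the current one. Moving the two added lines above the debug call keeps the log consistent with what was actually stored. The check also only tests membership in the global `SAML2_NAMEID_MAP` (see provider.py in this commit). Whether the default must also be one of this SP's `allowed_nameids` is not enforced in the visible lines and may be worth confirming. The enclosing method starts and ends outside the hunk.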
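Review bot: In the allowed_nameids loop, the rejected value `x` is interpolated verbatim into the `InvalidValueFormat` message. How that message reaches the admin page is not visible in this hunk, so confirm it is escaped on output, or report only the list of valid names. The local name `l` is easy to misread as `1`, and the key order of a dict is not stable on the Python versions this code targets. I would write `valid = ', '.join(sorted(self.sp.valid_nameids()))` and use `valid` in the format string. As in the first hunk, validation runs after the "Replacing" debug line and could be moved above it.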
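Review bot: `is_valid_nameid` and `valid_nameids` in provider.py have no docstrings, and neither reads `self`. A reader cannot tell that "valid" means "known to the module-level `SAML2_NAMEID_MAP`" rather than "allowed for this service provider". I would add one-line docstrings such as `"""Return True if value is a name-id format known to SAML2_NAMEID_MAP."""` and `"""Return the names of all supported name-id formats."""`. The body of `is_valid_nameid` can be reduced to `return value in SAML2_NAMEID_MAP`. If the admin form can ever pass an unhashable value such as a list, the `in` test would raise TypeError instead of returning False, so the caller may need to guard for that.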