summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorJohn Dennis <jdennis@redhat.com>2015-03-18 17:14:07 -0400
committerRob Crittenden <rcritten@redhat.com>2015-03-18 17:49:43 -0400
commitb5730c293fc532fffd3f3300a14813027c4242ae (patch)
tree7fb66e300fafb0292b3637e4a401b080caa401f7
parent7f146bcbe3ae20db27e2daf294c19a40ccd419e6 (diff)
downloadipsilon-b5730c293fc532fffd3f3300a14813027c4242ae.zip
ipsilon-b5730c293fc532fffd3f3300a14813027c4242ae.tar.gz
ipsilon-b5730c293fc532fffd3f3300a14813027c4242ae.tar.xz
Assertion AttributeStatements must be non-empty
The saml-core-2.0-os specification section 2.7.3 requires the AttributeStatement element to be non-empty. Shibboleth verifies this and rejects assertions that do not comply. We gather attributes into a local dict first before adding them to the AttributeStatement so the fix is easy. Test if the dict is empty, move the initialization of the assertion AttributeStatement inside the test so it's conditional on whether the dict has members. https://fedorahosted.org/ipsilon/ticket/61 Signed-off-by: John Dennis <jdennis@redhat.com> Reviewed-by: Nathan Kinder <nkinder@redhat.com>
-rw-r--r--ipsilon/providers/saml2/auth.py19
1 files changed, 11 insertions, 8 deletions
diff --git a/ipsilon/providers/saml2/auth.py b/ipsilon/providers/saml2/auth.py
index ddebd8c..f5e8f0f 100644
--- a/ipsilon/providers/saml2/auth.py
+++ b/ipsilon/providers/saml2/auth.py
@@ -202,14 +202,6 @@ class AuthenticateRequest(ProviderPageBase):
raise AuthenticationError("Unavailable Name ID type",
lasso.SAML2_STATUS_CODE_AUTHN_FAILED)
- if not login.assertion.attributeStatement:
- attrstat = lasso.Saml2AttributeStatement()
- login.assertion.attributeStatement = [attrstat]
- else:
- attrstat = login.assertion.attributeStatement[0]
- if not attrstat.attribute:
- attrstat.attribute = ()
-
# Check attribute policy and perform mapping and filtering
policy = Policy(self.cfg.default_attribute_mapping,
self.cfg.default_allowed_attributes)
@@ -222,6 +214,17 @@ class AuthenticateRequest(ProviderPageBase):
self.debug("%s's attributes: %s" % (user.name, attributes))
+ # The saml-core-2.0-os specification section 2.7.3 requires
+ # the AttributeStatement element to be non-empty.
+ if attributes:
+ if not login.assertion.attributeStatement:
+ attrstat = lasso.Saml2AttributeStatement()
+ login.assertion.attributeStatement = [attrstat]
+ else:
+ attrstat = login.assertion.attributeStatement[0]
+ if not attrstat.attribute:
+ attrstat.attribute = ()
+
for key in attributes:
# skip internal info
if key[0] == '_':