Test the ues_as_nameid feature
MKodde committed Aug 15, 2024
1 parent da3ea77 commit 12257be
Showing 3 changed files with 78 additions and 3 deletions.
Expand Up @@ -19,6 +19,8 @@ Feature:
And a Service Provider named "Stepup Gateway"
And a Service Provider named "Stepup SelfService"
And a Service Provider named "Release As"
And a Service Provider named "Use as NameID"
And a Service Provider named "Use as NameID and Release As"
And SP "Empty ARP" allows no attributes
And SP "Wildcard ARP" allows an attribute named "urn:mace:dir:attribute-def:uid"
And SP "Wrong Value ARP" allows an attribute named "urn:mace:terena.org:attribute-def:schacHomeOrganization" with value "example.edu"
Expand All @@ -31,6 +33,10 @@ Feature:
And SP "Stepup Gateway" allows an attribute named "urn:mace:terena.org:attribute-def:eduPersonAffiliation"
And SP "Stepup SelfService" allows an attribute named "urn:mace:dir:attribute-def:uid"
And SP "Release As" allows an attribute named "urn:mace:dir:attribute-def:uid" released as "Kustom-UiD"
And SP "Use as NameID" allows an attribute named "urn:mace:terena.org:attribute-def:schacHomeOrganization"
And SP "Use as NameID" uses the value of attribute "urn:mace:terena.org:attribute-def:schacHomeOrganization" as the NameId
And SP "Use as NameID and Release As" allows an attribute named "urn:mace:terena.org:attribute-def:schacHomeOrganization" released as "Kustom-schacHomeOrganization"
And SP "Use as NameID and Release As" uses the value of attribute "urn:mace:terena.org:attribute-def:schacHomeOrganization" as the NameId
And feature "eb.run_all_manipulations_prior_to_consent" is disabled

Scenario: As a user for an Idp SP without ARPs I get all attributes
Expand Down Expand Up @@ -89,6 +95,32 @@ Feature:
Then the response should not contain "urn:mace:dir:attribute-def:uid"
And the response should contain "Kustom-UiD"

Scenario: As a user for an SP the ARP can overwrite the NameId with a given attribute value
When I log in at "Use as NameID"
And I pass through EngineBlock
And I pass through the IdP
Then the response should contain "urn:mace:terena.org:attribute-def:schacHomeOrganization"
When I give my consent
And I pass through EngineBlock
# The NameID is overwritten with the value of the schacHomeOrganization
# The IdP always releases the value: engine-test-stand.openconext.org for this schacHomeOrganization
# See: MockIdentityProviderFactory::generateDefaultResponse
Then the response should contain "urn:mace:terena.org:attribute-def:schacHomeOrganization"
# The name id always becomes unspecified after substitution
And the response should match xpath '/samlp:Response/saml:Assertion/saml:Subject/saml:NameID[@Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" and text()="engine-test-stand.openconext.org"]'

Scenario: As a user for an SP the ARP can overwrite the NameId with a given attribute value and rename the attribute at the same time
When I log in at "Use as NameID and Release As"
And I pass through EngineBlock
And I pass through the IdP
Then the response should contain "urn:mace:terena.org:attribute-def:schacHomeOrganization"
And the response should not contain "Kustom-schacHomeOrganization"
When I give my consent
And I pass through EngineBlock
Then the response should not contain "urn:mace:terena.org:attribute-def:schacHomeOrganization"
And the response should contain "Kustom-schacHomeOrganization"
And the response should match xpath '/samlp:Response/saml:Assertion/saml:Subject/saml:NameID[@Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" and text()="engine-test-stand.openconext.org"]'

Scenario: As a user for an SP with a specific value ARP I do see the attribute if it has the right value
When I log in at "Right Value ARP"
And I pass through EngineBlock
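Review bot: Neither of the two new scenarios covers the case where the IdP does not release the attribute chosen for the NameID, so what `use_as_nameid` does when the value is absent (keep the original NameID, or fail) is left unasserted. The comment on the first new scenario says the mock IdP always releases schacHomeOrganization, so covering that path would need an SP whose ARP points at an attribute the IdP omits, with an assertion that the NameID is unchanged. The second new scenario also has no pre-consent check on the NameID, so it does not show that substitution only happens once the ARP is applied; if a negative xpath step exists, a line like `And the response should not match xpath '/samlp:Response/saml:Assertion/saml:Subject/saml:NameID[text()="engine-test-stand.openconext.org"]'` before "When I give my consent" would pin that down. The explanatory comments on the first scenario (why the value is engine-test-stand.openconext.org and why the Format becomes unspecified) would help the second scenario as well, which asserts the same xpath without them.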
Expand Up @@ -461,6 +461,19 @@ public function spAllowsAnAttributeNamedReleasedAs($spName, $arpAttribute, $rele
->save();
}

/**
* @Given /^SP "([^"]*)" uses the value of attribute "([^"]*)" as the NameId$/
**/
public function spOverridesNameId($spName, $attributeName)
{
/** @var MockServiceProvider $sp */
$sp = $this->mockSpRegistry->get($spName);

$this->serviceRegistryFixture
->substituteNameIdWithAttributeValue($sp->entityId(), $attributeName)
->save();
}

/**
* @Given /^SP "([^"]*)" allows an attribute named "([^"]*)" and configures it for aggregation from "([^"]*)"$/
*/
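Review bot: The docblock on `spOverridesNameId` closes with `**/`, while the neighbouring docblocks in this file close with `*/` (the one directly after it does); the trailing `**/` still parses but reads as a typo and should be `*/`. The new step also leaves `$spName` and `$attributeName` untyped and declares no return type, even though the fixture method it calls declares `string $entityId`; `public function spOverridesNameId(string $spName, string $attributeName): void` would match that contract, though the surrounding step definitions are untyped too, so this may be a deliberate file-wide convention rather than an oversight.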
Expand Up @@ -41,6 +41,7 @@
use OpenConext\EngineBlock\Metadata\X509\X509CertificateLazyProxy;
use ReflectionClass;
use SAML2\Constants;
use function array_key_exists;

/**
* @SuppressWarnings("PMD")
Expand Down Expand Up @@ -401,11 +402,9 @@ public function allowAttributeReleasedAsForSp($entityId, $arpAttribute, $release
$rules = $arp->getAttributeRules();
}

$attributeSource = 'idp';

$arpRule = [
'value' => "*",
'source' => $attributeSource,
'source' => 'idp',
'release_as' => $releasedAs,
];

Expand All @@ -416,6 +415,37 @@ public function allowAttributeReleasedAsForSp($entityId, $arpAttribute, $release
return $this;
}


public function substituteNameIdWithAttributeValue(string $entityId, $attributeName)
{
/** @var AttributeReleasePolicy $arp */
$arp = $this->getServiceProvider($entityId)->attributeReleasePolicy;

$rules = [];

if (!empty($arp)) {
$rules = $arp->getAttributeRules();
}

$arpRule = [
'value' => "*",
'source' => 'idp',
'use_as_nameid' => true,
];
// It could be the rule was already added (for example to set the release_as directive)
// in that case, load the existing rule and add the 'use_as_nameid'
if (array_key_exists($attributeName, $rules)) {
$arpRule = $rules[$attributeName];
$arpRule[0]['use_as_nameid'] = true;
}

$rules[$attributeName] = [$arpRule];

$this->getServiceProvider($entityId)->attributeReleasePolicy = new AttributeReleasePolicy($rules);

return $this;
}

public function setSpWorkflowState($entityId, $workflowState)
{
$this->getServiceProvider($entityId)->workflowState = $workflowState;
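Review bot: In `substituteNameIdWithAttributeValue`, the branch for an already-present rule copies `$rules[$attributeName]` (a list of rules, as the `[0]` index on the following line shows) into `$arpRule`, and the assignment after the branch then wraps it again with `[$arpRule]`, so the existing rule ends up nested one level deeper than a freshly created one. Unless `AttributeReleasePolicy` flattens or tolerates that extra level, the release_as-then-nameid combination produces a malformed rule; the "Use as NameID and Release As" scenario exercises exactly this path, so it is worth checking what the ARP object actually receives. Writing the flag into `$rules[$attributeName][0]` in place and only wrapping in the fresh-rule case avoids the double nesting. Separately, `$attributeName` is untyped while `$entityId` is `string`, and the method returns `$this` without a declared return type; `public function substituteNameIdWithAttributeValue(string $entityId, string $attributeName): self` would align it with the parameter already typed, and the extra blank line inserted before the method leaves two blank lines between methods where the rest of the file uses one.
```php
// … unchanged: load $arp and $rules from the service provider …
if (array_key_exists($attributeName, $rules)) {
    // Rule already present (e.g. added for release_as): flag it in place, no extra nesting
    $rules[$attributeName][0]['use_as_nameid'] = true;
} else {
    $rules[$attributeName] = [[
        'value' => "*",
        'source' => 'idp',
        'use_as_nameid' => true,
    ]];
}
// … unchanged: rebuild AttributeReleasePolicy and return $this …
```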
