Skip to content

Update the SP and IdP URIs to pass the URI regex.#2349

Merged
monkeyiq merged 2 commits intosimplesamlphp:masterfrom
monkeyiq:2024/dec/master-update-nameidattrtest-to-work
Dec 16, 2024
Merged

Update the SP and IdP URIs to pass the URI regex.#2349
monkeyiq merged 2 commits intosimplesamlphp:masterfrom
monkeyiq:2024/dec/master-update-nameidattrtest-to-work

Conversation

@monkeyiq
Copy link
Copy Markdown
Contributor

@monkeyiq monkeyiq commented Dec 11, 2024

These were all failing because of
"eugeneIdP" is not a SAML2-compliant URI

It seems that adding in the colon makes these a compliant test.

The regex that was failing things is
/^([a-z][a-z0-9+-.]+[:])/i

which is not anchored at both ends, so it seems you can have whatever you want after the colon. As long as there is one with a limited prefix.

I discovered this when making the AttributeNameIDTest for pr 2260. It may also cause other tests to fail creating a bunch of smoke around the harder tests to get working.

@monkeyiq
Update the SP and IdP URIs to pass the URI regex.
70836b4 
These were all failing because of
  "eugeneIdP" is not a SAML2-compliant URI

It seems that adding in the colon makes these a compliant test.

The regex that was failing things is
  /^([a-z][a-z0-9\+\-\.]+[:])/i

which is not anchored at both ends, so it seems you can have whatever
you want after the colon. As long as there is one with a limited
prefix.
@monkeyiq
Copy link
Copy Markdown
Contributor Author

monkeyiq commented Dec 11, 2024

If this is merged I might expand things to other tests to try to lower the overall fail count a bit.

tvdijen
tvdijen requested changes Dec 11, 2024
View reviewed changes
Copy link
Copy Markdown
Member

@tvdijen tvdijen left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The test should be replaced with \SimpleSAML\SAML2\Assert\Assert::validEntityID and the tests then have to get real entityID's. I usually use urn:x-simplesamlphp:idp as a test-value.

@monkeyiq
Copy link
Copy Markdown
Contributor Author

monkeyiq commented Dec 12, 2024

Forcing one of these to fail again the backtrace is as follows.

vendor/simplesamlphp/saml2/src/Assert/CustomAssertionTrait.php:70
vendor/simplesamlphp/saml2/src/Assert/CustomAssertionTrait.php:81
vendor/simplesamlphp/saml2/src/Assert/Assert.php:107
vendor/simplesamlphp/saml2/src/Assert/Assert.php:73
vendor/simplesamlphp/saml2/src/XML/saml/NameIDType.php:41
vendor/simplesamlphp/saml2/src/XML/saml/NameID.php:75
tests/modules/saml/src/Auth/Process/NameIDAttributeTest.php:47

NameIDType.php:41 / 42 (depending on if it is an invalid entity on sp or idp)

SAMLAssert::nullOrValidEntityID($NameQualifier);
SAMLAssert::nullOrValidEntityID($SPNameQualifier);

After a bit of digging I see there is an Assert and SimpleSAML\SAML2\Assert\Assert as SAMLAssert; as a second assert class.

@monkeyiq
Copy link
Copy Markdown
Contributor Author

monkeyiq commented Dec 15, 2024

I have updated the entity ids here. I guess the regex used here is to try to catch very vague values being used for entities.

monkeyiq added a commit to kwessel/simplesamlphp that referenced this pull request Dec 15, 2024
@monkeyiq
Update AttributeNameIDTest.php
1ba8403 
These entity ids were copied from the test that I then updated which lead to much better values for test idp and sp entities. I am updating these entities here inline with the comment at simplesamlphp#2349 (review)
monkeyiq added a commit that referenced this pull request Dec 15, 2024
@kwessel @monkeyiq
New 'identifyingAttribute option for SAML Attribute NameID filter (#2260
da02c3c 
)

* New 'identifyingAttribute option for SAML Attribute NameID filter

Allow a new option in place of identifyingAttribute called
identifyingAttributes. This option expects an array of attribute
names. The first one in the list that's available in the attributes being
released to the SP will be used. This is particularly useful in the hosted
IdP configuration. One can specify multiple attribute names in order of
precedence, and the IdP will release the first one from that list to the
SP that's in the SP's 'attributes' array. This avoids having to define
a new authproc filter for each SP that needs a different value than the
single one that was previously specified using 'identifyingAttribute'.

The change still supports identifyingAttribute option which will be used
instead of the new option if both are set.

* Throw error when AttributeNameID filter has both identifyingAttribute and identifyingAttributes set

* identifyingAttributes clean-up per PR comments

* Cleaned up logic for finding a value for the nameID
* Corrected bug when $value was empty at end of loop

* add a test for the AttributeNameID using an array of attributes

* lint

* Update AttributeNameIDTest.php

These entity ids were copied from the test that I then updated which lead to much better values for test idp and sp entities. I am updating these entities here inline with the comment at #2349 (review)

* Update nameid.md

Mention that these are mutex options.

* Update nameid.md

lint

---------

Co-authored-by: Ben Martin <monkeyiq@users.sourceforge.net>
Co-authored-by: monkeyiq <monkeyiq@gmail.com>
monkeyiq added a commit that referenced this pull request Dec 15, 2024
@kwessel @monkeyiq
New 'identifyingAttribute option for SAML Attribute NameID filter (#2260
6b71492 
)

* New 'identifyingAttribute option for SAML Attribute NameID filter

Allow a new option in place of identifyingAttribute called
identifyingAttributes. This option expects an array of attribute
names. The first one in the list that's available in the attributes being
released to the SP will be used. This is particularly useful in the hosted
IdP configuration. One can specify multiple attribute names in order of
precedence, and the IdP will release the first one from that list to the
SP that's in the SP's 'attributes' array. This avoids having to define
a new authproc filter for each SP that needs a different value than the
single one that was previously specified using 'identifyingAttribute'.

The change still supports identifyingAttribute option which will be used
instead of the new option if both are set.

* Throw error when AttributeNameID filter has both identifyingAttribute and identifyingAttributes set

* identifyingAttributes clean-up per PR comments

* Cleaned up logic for finding a value for the nameID
* Corrected bug when $value was empty at end of loop

* add a test for the AttributeNameID using an array of attributes

* lint

* Update AttributeNameIDTest.php

These entity ids were copied from the test that I then updated which lead to much better values for test idp and sp entities. I am updating these entities here inline with the comment at #2349 (review)

* Update nameid.md

Mention that these are mutex options.

* Update nameid.md

lint

---------

Co-authored-by: Ben Martin <monkeyiq@users.sourceforge.net>
Co-authored-by: monkeyiq <monkeyiq@gmail.com>
@tvdijen
Copy link
Copy Markdown
Member

tvdijen commented Dec 16, 2024

Yes, SAML 2.0 entities are defined as URIs and from the top of my head they have to be absolute URIs, which leaves us with URNs and URLs. The test-values were neither of those.

@monkeyiq monkeyiq merged commit 92165bf into simplesamlphp:master Dec 16, 2024
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Mar 17, 2025
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

@tvdijen tvdijen tvdijen approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@monkeyiq @tvdijen