fix: SAML2 Issuer format SPID test 30, issuer MAY be omitted (#128)

* fix: SAML2 Issuer format SPID test 30, issuer MAY be omitted * feat: SPIDA validator cie_mode * fix: SPIDA validator cie_mode - test 72
italia · Feb 21, 2024 · dd3f479 · dd3f479
1 parent 2042c95
commit dd3f479
Show file tree

Hide file tree

Showing 2 changed files with 19 additions and 15 deletions.
diff --git a/example/backends/ciesaml2.py b/example/backends/ciesaml2.py
@@ -472,7 +472,6 @@ def authn_response(self, context, binding):
                 **{"message": _msg, "troubleshoot": _TROUBLESHOOT_MSG}
             )
 
-        list(context.state.keys())[1]
         # deprecated
         # if not context.state.get('Saml2IDP'):
         # _msg = "context.state['Saml2IDP'] KeyError"
@@ -496,6 +495,7 @@ def authn_response(self, context, binding):
             authn_context_class_ref=authn_context_classref,
             return_addrs=authn_response.return_addrs,
             allowed_acrs=self.config["spid_allowed_acrs"],
+            cie_mode = True
         )
         try:
             validator.run()

diff --git a/example/backends/spidsaml2_validator.py b/example/backends/spidsaml2_validator.py
@@ -34,6 +34,7 @@ def __init__(
         authn_context_class_ref="https://www.spid.gov.it/SpidL2",
         return_addrs=[],
         allowed_acrs=[],
+        cie_mode = False
     ):
 
         self.response = samlp.response_from_string(authn_response)
@@ -45,6 +46,7 @@ def __init__(
         self.return_addrs = return_addrs
         self.issuer = issuer
         self.allowed_acrs = allowed_acrs
+        self.cie_mode = cie_mode
 
     # handled adding authn req arguments in the session state (cookie)
     def validate_in_response_to(self):
@@ -77,7 +79,8 @@ def validate_issuer(self):
 
         # 30
         # check that this issuer is in the metadata...
-        if self.response.issuer.format:
+        # L'attributo Format di Issuer della Response deve essere omesso o assumere valore urn:oasis:names:tc:SAML:2.0:nameid-format:entity. In questo test il valore è diverso. Risultato atteso: KO
+        if hasattr(self.response.issuer, "format") and self.response.issuer.format:
             if (
                 self.response.issuer.format
                 != "urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
@@ -87,22 +90,23 @@ def validate_issuer(self):
                     '!= "urn:oasis:names:tc:SAML:2.0:nameid-format:entity"'
                 )
 
-        msg = "Issuer format is not valid: {}. {}"
-        # 70, 71
-        assiss = self.response.assertion[0].issuer
-        if not hasattr(assiss, "format") or not getattr(assiss, "format", None):
-            raise SPIDValidatorException(
-                msg.format(self.response.issuer.format, _ERROR_TROUBLESHOOT)
-            )
-
-        # 72
-        for i in self.response.assertion:
-            if i.issuer.format != "urn:oasis:names:tc:SAML:2.0:nameid-format:entity":
+        if not self.cie_mode:
+            msg = "Issuer format is not valid: {}. {}"
+            # 70, 71
+            assiss = self.response.assertion[0].issuer
+            if not hasattr(assiss, "format") or not getattr(assiss, "format", None):
                 raise SPIDValidatorException(
-                    msg.format(self.response.issuer.format,
-                               _ERROR_TROUBLESHOOT)
+                    msg.format(self.response.issuer.format, _ERROR_TROUBLESHOOT)
                 )
 
+            # 72
+            for i in self.response.assertion:
+                if i.issuer.format != "urn:oasis:names:tc:SAML:2.0:nameid-format:entity":
+                    raise SPIDValidatorException(
+                        msg.format(self.response.issuer.format,
+                                   _ERROR_TROUBLESHOOT)
+                    )
+
     def validate_assertion_version(self):
         """spid saml check 35"""
         for i in self.response.assertion: