Merge pull request #155 from waterkip/GL-no-name_id_ADFS

Allow assertion without a NameID

Author: waterkip

lib/Net/SAML2/Protocol/Assertion.pm

@@ -41,8 +41,9 @@ has 'xpath' => (isa => 'XML::LibXML::XPathContext', is => 'ro', required => 1);
 has 'nameid_object' => (
     isa      => 'XML::LibXML::Element',
     is       => 'ro',
-    required => 1,
-    init_arg => 'nameid'
+    required => 0,
+    init_arg => 'nameid',
+    predicate => 'has_nameid',
 );
 
 =head1 METHODS
@@ -166,12 +167,20 @@ sub new_from_xml {
         $not_after = DateTime->from_epoch(epoch => time() + 1000);
     }
 
+    my $nameid;
+    if (my $node = $xpath->findnodes('//samlp:Response/saml:Assertion/saml:Subject/    saml:NameID')) {
+        $nameid = $node->get_node(1);
+    }
+    elsif (my $global = $xpath->findnodes('//saml:Subject/saml:NameID')) {
+        $nameid = $global->get_node(1);
+    }
+
     my $self = $class->new(
         issuer         => $xpath->findvalue('//saml:Assertion/saml:Issuer'),
         destination    => $xpath->findvalue('/samlp:Response/@Destination'),
         attributes     => $attributes,
         session        => $xpath->findvalue('//saml:AuthnStatement/@SessionIndex'),
-        nameid         => $xpath->findnodes('//saml:Subject/saml:NameID')->get_node(1),
+        $nameid ? (nameid => $nameid) : (),
         audience       => $xpath->findvalue('//saml:Conditions/saml:AudienceRestriction/saml:Audience'),
         not_before     => $not_before,
         not_after      => $not_after,
@@ -202,6 +211,7 @@ Returns the NameID
 
 sub nameid {
     my $self = shift;
+    return unless $self->has_nameid;
     return $self->nameid_object->textContent;
 }
 
@@ -213,6 +223,7 @@ Returns the NameID Format
 
 sub nameid_format {
     my $self = shift;
+    return unless $self->has_nameid;
     return $self->nameid_object->getAttribute('Format');
 }
 
@@ -224,6 +235,7 @@ Returns the NameID NameQualifier
 
 sub nameid_name_qualifier {
     my $self = shift;
+    return unless $self->has_nameid;
     return $self->nameid_object->getAttribute('NameQualifier');
 }
 
@@ -235,6 +247,7 @@ Returns the NameID SPNameQualifier
 
 sub nameid_sp_name_qualifier {
     my $self = shift;
+    return unless $self->has_nameid;
     return $self->nameid_object->getAttribute('SPNameQualifier');
 }
 
@@ -246,6 +259,7 @@ Returns the NameID SPProvidedID
 
 sub nameid_sp_provided_id {
     my $self = shift;
+    return unless $self->has_nameid;
     return $self->nameid_object->getAttribute('SPProvidedID');
 }
 

t/03-assertions.t

@@ -128,8 +128,6 @@ is($assertion->nameid_sp_provided_id,
     undef,
     "nameid_sp_provided_id undefined as expected");
 
-
-
 lives_ok(
     sub {
        my  $xml = path('t/data/eherkenning-assertion.xml')->slurp;
@@ -145,4 +143,12 @@ isa_ok($assertion->not_after, "DateTime", "... and so it not after");
 is($assertion->not_before, "2020-06-02T11:48:07", "... and the correct not_before");
 is($assertion->not_after, "2020-06-02T11:53:07", "... and the correct not_after");
 
+lives_ok(
+    sub {
+       my  $xml = path('t/data/saml-adfs-plain.xml')->slurp;
+       $assertion = Net::SAML2::Protocol::Assertion->new_from_xml(xml => $xml);
+    },
+    "Correct parsing of plain ADFS"
+);
+
 done_testing;

t/data/saml-adfs-plain.xml

@@ -0,0 +1,75 @@
+<?xml version="1.0"?>
+<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_f0b0652f-1382-43af-a70e-97254820f180" Version="2.0" IssueInstant="2018-07-25T08:02:24.342Z" Destination="https://testsuite.zaaksysteem.nl/auth/saml/consumer-post" Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified" InResponseTo="_c217d2c8502884bf418552907827f430d745fa6c">
+  <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://adfs.dev.mintlab.nl/adfs/services/trust</Issuer>
+  <samlp:Status>
+    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
+  </samlp:Status>
+  <Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" ID="_0024c3a6-3b4e-4920-8c59-0602ae4a3c5d" IssueInstant="2018-07-25T08:02:24.341Z" Version="2.0">
+    <Issuer>http://adfs.dev.mintlab.nl/adfs/services/trust</Issuer>
+    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
+      <ds:SignedInfo>
+        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
+        <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
+        <ds:Reference URI="#_0024c3a6-3b4e-4920-8c59-0602ae4a3c5d">
+          <ds:Transforms>
+            <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
+            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
+          </ds:Transforms>
+          <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
+          <ds:DigestValue>/UGIkccgX9xPwusXApqxm7KDyLpgx7W/tp6gANTvNsw=</ds:DigestValue>
+        </ds:Reference>
+      </ds:SignedInfo>
+      <ds:SignatureValue></ds:SignatureValue>
+      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
+        <ds:X509Data>
+          <ds:X509Certificate></ds:X509Certificate>
+        </ds:X509Data>
+      </KeyInfo>
+    </ds:Signature>
+    <Subject>
+      <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
+        <SubjectConfirmationData InResponseTo="_c217d2c8502884bf418552907827f430d745fa6c" NotOnOrAfter="2018-07-25T08:07:24.342Z" Recipient="https://testsuite.zaaksysteem.nl/auth/saml/consumer-post"/>
+      </SubjectConfirmation>
+    </Subject>
+    <Conditions NotBefore="2018-07-25T08:02:24.338Z" NotOnOrAfter="2018-07-25T09:02:24.338Z">
+      <AudienceRestriction>
+        <Audience>TestUPN</Audience>
+      </AudienceRestriction>
+    </Conditions>
+    <AttributeStatement>
+      <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/initials">
+        <AttributeValue>G.B.</AttributeValue>
+      </Attribute>
+      <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
+        <AttributeValue>G&#xC3;&#xA9; G.B.. Ruiker</AttributeValue>
+      </Attribute>
+      <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname">
+        <AttributeValue>G&#xC3;&#xA9;</AttributeValue>
+      </Attribute>
+      <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
+        <AttributeValue>gebruiker@testsuite.zaaksysteem.nl</AttributeValue>
+      </Attribute>
+      <Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname">
+        <AttributeValue>gebruiker</AttributeValue>
+      </Attribute>
+      <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/otherphone">
+        <AttributeValue>0123123123</AttributeValue>
+      </Attribute>
+      <Attribute Name="http://schemas.xmlsoap.org/claims/Group">
+        <AttributeValue>Domain Users</AttributeValue>
+        <AttributeValue>Zaaksysteemgebruikers</AttributeValue>
+      </Attribute>
+      <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn">
+        <AttributeValue>gebruiker@testsuite.dev.zaaksysteem.nl</AttributeValue>
+      </Attribute>
+      <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname">
+        <AttributeValue>Ruiker</AttributeValue>
+      </Attribute>
+    </AttributeStatement>
+    <AuthnStatement AuthnInstant="2018-07-25T07:54:35.599Z">
+      <AuthnContext>
+        <AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</AuthnContextClassRef>
+      </AuthnContext>
+    </AuthnStatement>
+  </Assertion>
+</samlp:Response>