
Commit 78c7281

committed
Assert that assertions containing an AttributeStatement also contain a subject
1 parent c412ae5 commit 78c7281


2 files changed

+24
-2
lines changed


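--- a/src/XML/saml/Assertion.php
+++ b/src/XML/saml/Assertion.php
@@ -94,10 +94,14 @@ public function __construct(
 return $statement instanceof AuthnStatement;
 }));
 
-if (count($authnStatements) > 0) {
+$attributeStatements = array_values(array_filter($statements, function ($statement) {
+return $statement instanceof AttributeStatement;
+}));
+
+if (count($attributeStatements) > 0) {
 Assert::notNull(
 $subject,
-"Assertions containing an <AuthnStatement> element MUST contain a <Subject> element.",
+"Assertions containing an <AttributeStatement> element MUST contain a <Subject> element.",
 ProtocolViolationException::class,
 );
 }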
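Review bot: The new guard at `if (count($attributeStatements) > 0) {` replaces the removed `if (count($authnStatements) > 0) {` check instead of sitting beside it, so within this hunk `$authnStatements` is still computed but no longer asserted on, and an assertion carrying an <AuthnStatement> without a <Subject> would now be accepted — unless that check survives further down the constructor, which starts and ends outside the hunk. SAML 2.0 Core requires a <Subject> for assertions containing either statement type (and for <AuthzDecisionStatement>, which neither the old nor the new code appears to cover here), so the pre-existing rule should be kept, not swapped out. The smallest repair is to widen the condition and its message: `if (count($authnStatements) > 0 || count($attributeStatements) > 0) {` with `"Assertions containing an <AuthnStatement> or <AttributeStatement> element MUST contain a <Subject> element."`, or alternatively restore the removed block ahead of the new filter so each violation keeps its own message. The two filter closures do not use `$this` and could be written as `static fn ($statement) => $statement instanceof AttributeStatement` for consistency with the rest of the file if that style is already in use.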

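--- a/tests/SAML2/XML/saml/AssertionTest.php
+++ b/tests/SAML2/XML/saml/AssertionTest.php
@@ -554,6 +554,12 @@ public function testEptiAttributeValuesAreParsedCorrectly(): void
 ID="_93af655219464fb403b34436cfb0c5cb1d9a5502"
 IssueInstant="1970-01-01T01:33:31Z">
 <saml:Issuer>urn:x-simplesamlphp:issuer</saml:Issuer>
+<saml:Subject>
+<saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">s00000000:123456789</saml:NameID>
+<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
+<saml:SubjectConfirmationData NotOnOrAfter="2011-08-31T08:51:05Z" Recipient="https://sp.example.com/assertion_consumer" InResponseTo="_13603a6565a69297e9809175b052d115965121c8" />
+</saml:SubjectConfirmation>
+</saml:Subject>
 <saml:Conditions/>
 <saml:AttributeStatement>
 <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
@@ -609,6 +615,12 @@ public function testEptiLegacyAttributeValuesCanBeString(): void
 ID="_93af655219464fb403b34436cfb0c5cb1d9a5502"
 IssueInstant="1970-01-01T01:33:31Z">
 <saml:Issuer>urn:x-simplesamlphp:issuer</saml:Issuer>
+<saml:Subject>
+<saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">s00000000:123456789</saml:NameID>
+<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
+<saml:SubjectConfirmationData NotOnOrAfter="2011-08-31T08:51:05Z" Recipient="https://sp.example.com/assertion_consumer" InResponseTo="_13603a6565a69297e9809175b052d115965121c8" />
+</saml:SubjectConfirmation>
+</saml:Subject>
 <saml:Conditions/>
 <saml:AttributeStatement>
 <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
@@ -648,6 +660,12 @@ public function testEptiAttributeParsingSupportsMultipleValues(): void
 ID="_93af655219464fb403b34436cfb0c5cb1d9a5502"
 IssueInstant="1970-01-01T01:33:31Z">
 <saml:Issuer>urn:x-simplesamlphp:issuer</saml:Issuer>
+<saml:Subject>
+<saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">s00000000:123456789</saml:NameID>
+<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
+<saml:SubjectConfirmationData NotOnOrAfter="2011-08-31T08:51:05Z" Recipient="https://sp.example.com/assertion_consumer" InResponseTo="_13603a6565a69297e9809175b052d115965121c8" />
+</saml:SubjectConfirmation>
+</saml:Subject>
 <saml:Conditions/>
 <saml:AttributeStatement>
 <saml:Attribute Name="urn:mace:dir:attribute-def:eduPersonTargetedID" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">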
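Review bot: None of the three hunks exercises the new check itself — they only add a <Subject> to existing fixtures so that `testEptiAttributeValuesAreParsedCorrectly`, `testEptiLegacyAttributeValuesCanBeString` and `testEptiAttributeParsingSupportsMultipleValues` keep passing. A dedicated test should feed an assertion that contains an <AttributeStatement> but no <Subject> and declare `$this->expectException(ProtocolViolationException::class);` before the parse call, so a future refactor cannot silently drop the rule; a sibling case with an <AuthnStatement> and no <Subject> would pin the pre-existing requirement the same way. Each of the three fixture methods starts and ends outside its hunk.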
