Handle the affiliation attribute from SAML being an array

eclipse-pass · Apr 24, 2024 · f060790 · f060790
1 parent dccc09c
commit f060790
Show file tree

Hide file tree

Showing 3 changed files with 36 additions and 12 deletions.
diff --git a/pass-core-main/src/main/java/org/eclipse/pass/main/security/PassAuthenticationFilter.java b/pass-core-main/src/main/java/org/eclipse/pass/main/security/PassAuthenticationFilter.java
@@ -16,6 +16,7 @@
 package org.eclipse.pass.main.security;
 
 import java.io.IOException;
+import java.util.ArrayList;
 import java.util.List;
 import java.util.Map;
 import java.util.Objects;
@@ -241,7 +242,7 @@ private User parse_user(Map<String, List<Object>> attributes) {
         String eppn = get(attributes, Attribute.EPPN, true);
         String employee_id = get(attributes, Attribute.EMPLOYEE_ID, false);
         String unique_id = get(attributes, Attribute.UNIQUE_ID, true);
-        String affiliation = get(attributes, Attribute.SCOPED_AFFILIATION, false);
+        List<String> affiliation = get_list(attributes, Attribute.SCOPED_AFFILIATION, false);
 
         String[] eppn_parts = eppn.split("@");
 
@@ -271,10 +272,8 @@ private User parse_user(Map<String, List<Object>> attributes) {
 
         user.getAffiliation().add(domain);
 
-        if (affiliation != null) {
-            for (String s : affiliation.split(";")) {
-                user.getAffiliation().add(s);
-            }
+        for (String s : affiliation) {
+            user.getAffiliation().add(s);
         }
 
         user.setDisplayName(display_name);
@@ -287,6 +286,7 @@ private User parse_user(Map<String, List<Object>> attributes) {
         return user;
     }
 
+    // Return the first attribute
     private String get(Map<String, List<Object>> attributes, Attribute attr, boolean required)
             throws AuthenticationException {
         String key = config.getAttributeMap().get(attr);
@@ -297,10 +297,6 @@ private String get(Map<String, List<Object>> attributes, Attribute attr, boolean
             throw new BadCredentialsException("Missing attribute: " + attr + "[" + key + "]");
         }
 
-        if (values.size() > 1) {
-            throw new BadCredentialsException("Too many attributes: " + attr + "[" + key + "]");
-        }
-
         String value = null;
 
         if (values.get(0) != null) {
@@ -318,6 +314,33 @@ private String get(Map<String, List<Object>> attributes, Attribute attr, boolean
         return value;
     }
 
+    private List<String> get_list(Map<String, List<Object>> attributes, Attribute attr, boolean required)
+            throws AuthenticationException {
+        String key = config.getAttributeMap().get(attr);
+
+        List<Object> values = attributes.get(key);
+
+        if (values == null) {
+            values = List.of();
+        }
+
+        List<String> result = new ArrayList<String>();
+
+        for (Object v: values) {
+            String s = v == null ? null : v.toString().trim();
+
+            if (s != null && !s.isEmpty()) {
+                result.add(s);
+            }
+        }
+
+        if (values.size() == 0 && required) {
+            throw new BadCredentialsException("Missing attribute: " + attr + "[" + key + "]");
+        }
+
+        return result;
+    }
+
     @Override
     protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain chain)
             throws ServletException, IOException {

diff --git a/pass-core-main/src/main/resources/saml2/authsources.php b/pass-core-main/src/main/resources/saml2/authsources.php
@@ -19,7 +19,7 @@
         'exampleauth:UserPass',
         'user1:password' => array_merge($test_user_base, array(
             'urn:oid:2.16.840.1.113730.3.1.241' => 'Sally M. Submitter',
-            'urn:oid:1.3.6.1.4.1.5923.1.1.1.9' => '[email protected]',
+            'urn:oid:1.3.6.1.4.1.5923.1.1.1.9' => array('[email protected]', '[email protected]'),
             'urn:oid:0.9.2342.19200300.100.1.3' => '[email protected]',
             'urn:oid:1.3.6.1.4.1.5923.1.1.1.6' => '[email protected]',
             'urn:oid:2.5.4.42' => 'Sally',
@@ -29,7 +29,7 @@
         )),
         'user2:password' => array_merge($test_user_base, array(
             'urn:oid:2.16.840.1.113730.3.1.241' => 'Thomas L. Submitter',
-            'urn:oid:1.3.6.1.4.1.5923.1.1.1.9' => '[email protected]',
+            'urn:oid:1.3.6.1.4.1.5923.1.1.1.9' => array('[email protected]'),
             'urn:oid:0.9.2342.19200300.100.1.3' => '[email protected]',
             'urn:oid:1.3.6.1.4.1.5923.1.1.1.6' => '[email protected]',
             'urn:oid:2.5.4.42' => 'Tom',

diff --git a/...-core-main/src/test/java/org/eclipse/pass/main/security/PassAuthenticationFilterTest.java b/...-core-main/src/test/java/org/eclipse/pass/main/security/PassAuthenticationFilterTest.java
@@ -23,7 +23,8 @@ public void testLoggedInUser() throws IOException {
 
         expected.setDisplayName("Sally M. Submitter");
         expected.setEmail("[email protected]");
-        expected.setAffiliation(new HashSet<>(List.of("[email protected]", "johnshopkins.edu")));
+        expected.setAffiliation(new HashSet<>(List.of("[email protected]",
+                "[email protected]", "johnshopkins.edu")));
         expected.setFirstName("Sally");
         expected.setLastName("Submitter");
         expected.setLocatorIds(List.of("johnshopkins.edu:unique-id:sms123456789",