Add assertion to ensure binding matches idpdisco-specs

simplesamlphp · Oct 18, 2023 · ace246e · ace246e
1 parent 8e5fb9b
commit ace246e
Show file tree

Hide file tree

Showing 5 changed files with 18 additions and 4 deletions.
diff --git a/src/SAML2/Constants.php b/src/SAML2/Constants.php
@@ -61,6 +61,11 @@ class Constants extends \SimpleSAML\XMLSecurity\Constants
      */
     public const BINDING_HTTP_REDIRECT_DEFLATE = 'urn:oasis:names:tc:SAML:2.0:bindings:URL-Encoding:DEFLATE';
 
+    /*
+     * The URN for the IdP Discovery Protocol binding
+     */
+    public const BINDING_IDPDISC = 'urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol';
+
     /**
      * The URN for the PAOS binding.
      */

diff --git a/src/SAML2/XML/idpdisc/DiscoveryResponse.php b/src/SAML2/XML/idpdisc/DiscoveryResponse.php
@@ -6,6 +6,7 @@
 
 use SimpleSAML\Assert\Assert;
 use SimpleSAML\SAML2\Constants as C;
+use SimpleSAML\SAML2\Exception\ProtocolViolationException;
 use SimpleSAML\SAML2\XML\md\AbstractIndexedEndpointType;
 
 /**
@@ -48,10 +49,11 @@ public function __construct(
         array $attributes = [],
         array $children = [],
     ) {
+        Assert::same($binding, C::BINDING_IDPDISC, ProtocolViolationException::class);
         Assert::null(
             $unused,
             'The \'ResponseLocation\' attribute must be omitted for idpdisc:DiscoveryResponse.',
         );
-        parent::__construct($index, $binding, $location, $isDefault, null, $attributes, $children);
+        parent::__construct($index, C::BINDING_IDPDISC, $location, $isDefault, null, $attributes, $children);
     }
 }
diff --git a/tests/SAML2/XML/idpdisc/DiscoveryResponseTest.php b/tests/SAML2/XML/idpdisc/DiscoveryResponseTest.php
@@ -106,7 +106,13 @@ public function testMarshallingWithResponseLocation(): void
         $this->expectExceptionMessage(
             'The \'ResponseLocation\' attribute must be omitted for idpdisc:DiscoveryResponse.',
         );
-        new DiscoveryResponse(42, C::BINDING_HTTP_ARTIFACT, C::LOCATION_A, false, 'https://response.location/');
+        new DiscoveryResponse(
+            42,
+            C::BINDING_IDPDISC,
+            C::LOCATION_A,
+            false,
+            'https://response.location/',
+        );
     }
 
 

diff --git a/tests/SAML2/XML/md/IndexedEndpointTypeTest.php b/tests/SAML2/XML/md/IndexedEndpointTypeTest.php
@@ -51,7 +51,8 @@ public static function setUpBeforeClass(): void
      */
     public function testMarshallingWithoutIsDefault(string $class): void
     {
-        $idxep = new $class(42, C::BINDING_HTTP_POST, C::LOCATION_A);
+        $binding = ($class === DiscoveryResponse::class) ? C::BINDING_IDPDISCO : C::BINDING_HTTP_POST;
+        $idxep = new $class(42, $binding, C::LOCATION_A);
         $this->assertNull($idxep->getIsDefault());
     }
 

diff --git a/tests/resources/xml/idpdisc_DiscoveryResponse.xml b/tests/resources/xml/idpdisc_DiscoveryResponse.xml
@@ -1,3 +1,3 @@
-<idpdisc:DiscoveryResponse xmlns:idpdisc="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol" xmlns:ssp="urn:x-simplesamlphp:namespace" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://simplesamlphp.org/some/endpoint" index="43" isDefault="false" ssp:attr1="testval1">
+<idpdisc:DiscoveryResponse xmlns:idpdisc="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol" xmlns:ssp="urn:x-simplesamlphp:namespace" Binding="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol" Location="https://simplesamlphp.org/some/endpoint" index="43" isDefault="false" ssp:attr1="testval1">
   <some:Ext xmlns:some="urn:mace:some:metadata:1.0">SomeExtension</some:Ext>
 </idpdisc:DiscoveryResponse>