allowRepeatAttributeName settings added in order to support AttributeStatements with Attribute elements with the same name

pitbulk · pitbulk · commit 370a5d9c8432 · 2020-11-25T19:58:50.000+01:00
diff --git a/README.md b/README.md
@@ -520,6 +520,10 @@ $advancedSettings = array (
         // attribute will not be rejected for this fact.
         'relaxDestinationValidation' => false,
 
+        // If true, the toolkit will not raised an error when the Statement Element
+        // contain atribute elements with name duplicated
+        'allowRepeatAttributeName' => false,
+
         // If true, Destination URL should strictly match to the address to
         // which the response has been sent.
         // Notice that if 'relaxDestinationValidation' is true an empty Destintation
diff --git a/advanced_settings_example.php b/advanced_settings_example.php
@@ -85,6 +85,10 @@
         // attribute will not be rejected for this fact.
         'relaxDestinationValidation' => false,
 
+        // If true, the toolkit will not raised an error when the Statement Element
+        // contain atribute elements with name duplicated
+        'allowRepeatAttributeName' => false,
+
         // If true, Destination URL should strictly match to the address to
         // which the response has been sent.
         // Notice that if 'relaxDestinationValidation' is true an empty Destintation
diff --git a/lib/Saml2/Response.php b/lib/Saml2/Response.php
@@ -779,6 +779,9 @@ private function _getAttributesByKeyName($keyName = "Name")
 
         $entries = $this->_queryAssertion('/saml:AttributeStatement/saml:Attribute');
 
+        $security = $this->_settings->getSecurityData();
+        $allowRepeatAttributeName = $security['allowRepeatAttributeName'];
+
         /** @var $entry DOMNode */
         foreach ($entries as $entry) {
             $attributeKeyNode = $entry->attributes->getNamedItem($keyName);
@@ -790,10 +793,12 @@ private function _getAttributesByKeyName($keyName = "Name")
             $attributeKeyName = $attributeKeyNode->nodeValue;
 
             if (in_array($attributeKeyName, array_keys($attributes))) {
-                throw new OneLogin_Saml2_ValidationError(
-                    "Found an Attribute element with duplicated ".$keyName,
-                    OneLogin_Saml2_ValidationError::DUPLICATED_ATTRIBUTE_NAME_FOUND
-                );
+                if (!$allowRepeatAttributeName) {
+                    throw new OneLogin_Saml2_ValidationError(
+                        "Found an Attribute element with duplicated ".$keyName,
+                        OneLogin_Saml2_ValidationError::DUPLICATED_ATTRIBUTE_NAME_FOUND
+                    );
+                }
             }
 
             $attributeValues = array();
@@ -804,7 +809,11 @@ private function _getAttributesByKeyName($keyName = "Name")
                 }
             }
 
-            $attributes[$attributeKeyName] = $attributeValues;
+            if (in_array($attributeKeyName, array_keys($attributes))) {
+                $attributes[$attributeKeyName] = array_merge($attributes[$attributeKeyName], $attributeValues);
+            } else {
+                $attributes[$attributeKeyName] = $attributeValues;
+            }
         }
         return $attributes;
     }
diff --git a/lib/Saml2/Settings.php b/lib/Saml2/Settings.php
@@ -399,6 +399,10 @@ private function _addDefaultValues()
             $this->_security['relaxDestinationValidation'] = false;
         }
 
+        // Allow duplicated Attribute Names
+        if (!isset($this->_security['allowRepeatAttributeName'])) {
+            $this->_security['allowRepeatAttributeName'] = false;
+        }
 
         // Strict Destination match validation
         if (!isset($this->_security['destinationStrictlyMatches'])) {
diff --git a/tests/src/OneLogin/Saml2/ResponseTest.php b/tests/src/OneLogin/Saml2/ResponseTest.php
@@ -622,6 +622,14 @@ public function testGetAttributes()
         } catch (OneLogin_Saml2_ValidationError $e) {
             $this->assertContains('Found an Attribute element with duplicated Name', $e->getMessage());
         }
+
+        $settingsDir = TEST_ROOT .'/settings/';
+        include $settingsDir.'settings1.php';
+        $settingsInfo['security']['allowRepeatAttributeName'] = true;
+        $settings2 = new OneLogin_Saml2_Settings($settingsInfo);
+        $response5 = new OneLogin_Saml2_Response($settings2, $xml4);
+        $attrs = $response5->getAttributes();
+        $this->assertEquals([0 => "test", 1 => "test2"], $attrs['uid']);
     }
 
     /**

Original file line number	Diff line number	Diff line change
`@@ -399,6 +399,10 @@ private function _addDefaultValues()`
`399`	`399`	`$this->_security['relaxDestinationValidation'] = false;`
`400`	`400`	`}`
`401`	`401`
	`402`	`+ // Allow duplicated Attribute Names`
	`403`	`+ if (!isset($this->_security['allowRepeatAttributeName'])) {`
	`404`	`+ $this->_security['allowRepeatAttributeName'] = false;`
	`405`	`+ }`
`402`	`406`
`403`	`407`	`// Strict Destination match validation`
`404`	`408`	`if (!isset($this->_security['destinationStrictlyMatches'])) {`
Original file line number	Diff line number	Diff line change
`@@ -622,6 +622,14 @@ public function testGetAttributes()`
`622`	`622`	`} catch (OneLogin_Saml2_ValidationError $e) {`
`623`	`623`	`$this->assertContains('Found an Attribute element with duplicated Name', $e->getMessage());`
`624`	`624`	`}`
	`625`	`+`
	`626`	`+ $settingsDir = TEST_ROOT .'/settings/';`
	`627`	`+ include $settingsDir.'settings1.php';`
	`628`	`+ $settingsInfo['security']['allowRepeatAttributeName'] = true;`
	`629`	`+ $settings2 = new OneLogin_Saml2_Settings($settingsInfo);`
	`630`	`+ $response5 = new OneLogin_Saml2_Response($settings2, $xml4);`
	`631`	`+ $attrs = $response5->getAttributes();`
	`632`	`+ $this->assertEquals([0 => "test", 1 => "test2"], $attrs['uid']);`
`625`	`633`	`}`
`626`	`634`
`627`	`635`	`/**`