Strict specs enforcement

E14: AllowCreate

Author: tvdijen

src/XML/samlp/NameIDPolicy.php

@@ -6,7 +6,9 @@
 
 use DOMElement;
 use SimpleSAML\SAML2\Assert\Assert;
+use SimpleSAML\SAML2\Constants as C;
 use SimpleSAML\SAML2\Exception\ArrayValidationException;
+use SimpleSAML\SAML2\Exception\ProtocolViolationException;
 use SimpleSAML\SAML2\Type\SAMLAnyURIValue;
 use SimpleSAML\SAML2\Type\SAMLStringValue;
 use SimpleSAML\XML\ArrayizableElementInterface;
@@ -45,6 +47,22 @@ public function __construct(
         protected ?SAMLStringValue $SPNameQualifier = null,
         protected ?BooleanValue $AllowCreate = null,
     ) {
+        if (
+            $AllowCreate !== null
+            && $Format !== null
+            && $AllowCreate->equals(BooleanValue::fromBoolean(true))
+        ) {
+            // Per Errata E14: AllowCreate
+            Assert::notSame(
+                $Format->getValue(),
+                C::NAMEID_TRANSIENT,
+                sprintf(
+                    'AllowCreate=\"true\" MUST NOT be used in conjunction with the %s <NameID> Format.',
+                    C::NAMEID_TRANSIENT,
+                ),
+                ProtocolViolationException::class,
+            );
+        }
     }
 
 

tests/SAML2/Binding/HTTPRedirectTest.php

@@ -69,7 +69,7 @@ public static function tearDownAfterClass(): void
     public function testRequestParsing(): void
     {
         $q = [
-            'SAMLRequest' => 'pVJNjxMxDP0ro9yn88FOtRu1lcpWiEoLVNvCgQtKE6eNlHGG2IHl35OZLmLZQy+crNh+z88vXpDq/SDXic/4CN8TEBdPvUeSU2EpUkQZFDmSqHogyVru1x8eZDur5RADBx28eAG5jlBEENkFFMV2sxTfzO0dmKa11namPuoc39hba+fqpqlbM6/b5mZ+1LWtj6L4ApEycikyUYYTJdgisULOqbrpyqYt67tD28iulV33VRSbvI1DxRPqzDyQrCrAk0OYUYpWB4QnnqGvVN4fkJ2emitnhoocnjyU5E5YjnrXf6TfB6TUQ9xD/OE0fH58+EueHbHOv2Yn1w8eRneqPpiU68M5DxjfdIltqTRNWQNWJc8lDaLYPfv71qHJaq5be7w0kXx/OOzK3af9QawWI7ecrIqr/9HYAyujWL2SuKheDlhcbuljlrbd7IJ3+lfxLsRe8XXlY8aZ0k6tkqNCcvkzsuXeh5/3ERTDUnBMIKrVZeS/F7v6DQ==',
+            'SAMLRequest' => 'pVJNbxMxEP0rK983+0E3aq0kUmiEiFQgagIHLsixx4kl73jxjKH8e7ybIkoPuXAazcd78+ZpFqR6P8h14jM+wvcExMVT75Hk1FiKFFEGRY4kqh5Ispb79YcH2c5qOcTAQQcvXkCuIxQRRHYBRbHdLMU3c3sHpmmttZ2pjzrHN/bW2rm6aerWzOu2uZkfdW3royi+QKSMXIpMlOFECbZIrJBzqW66smnL+u7QNrJrZdd9FcUmX+NQ8YQ6Mw8kqwrw5BBmlKLVAeGJZ+grle8HZKen4cqZoSKHJw8luROWo971H+n3ASn1EPcQfzgNnx8f/pJnR6zzr9nJ9YOH0Z2qDybl/nDOC8acLrEtlaapasCq5LmkQRS7Z3/fOjRZzXVrj5chku8Ph125+7Q/iNVi5JaTVXH1Pxp7YGUUq1cSF9XLBYvLL33M0rabXfBO/yrehdgrvq58rDhT2mlUJqQBtLMOTDbd+/DzPoJiWAqOCUS1uiz992dXvwE=',
         ];
         $request = new ServerRequest('GET', 'http://tnyholm.se');
         $request = $request->withQueryParams($q);
@@ -109,7 +109,7 @@ public function testResponseParsing(): void
      */
     public function testRequestParsingMoreParams(): void
     {
-        $request = 'SAMLRequest=pVJNb9swDP0rhu6O7XjeGiEJkDYoGqDbgibboZdCkahEgEx5Ir11%2F36y02FdD7n0JPDjPT4%2BcU6q9Z1c9XzCB%2FjRA3H23HokORYWoo8ogyJHElULJFnL3erzvZxOStnFwEEHL15BLiMUEUR2AUW2WS%2FEUw2NrXRp7NWshEPVzJqm%2BTQzVV1DddC21rUy1tq6norsO0RKyIVIRAlO1MMGiRVySpVVk1fTvKr25ZVsGvnh46PI1mkbh4pH1Im5I1kUgEeHMKE%2BWh0QnnmCvlBpf0B2emwunOkKcnj0kJM7Yj7oXf2VfhOQ%2BhbiDuJPp%2BHbw%2F0%2F8uSIdf4tO7m28zC4U7TB9KnendKAIabzO82VpjFrwKrec06dyLYv%2Fl47NEnNZWsP5yaSd%2Fv9Nt9%2B3e3Fcj5wy9GquHyPxhZYGcXqjcR58XrA%2FHxLX5K0zXobvNO%2Fs9sQW8WXlQ8ZZ3I7tkqOCsmlz0iWex9%2B3URQDAvBsQdRLM8j%2F7%2FY5R8%3D&RelayState=https%3A%2F%2Fprofile.surfconext.nl%2F&SAMLEncoding=urn%3Aoasis%3Anames%3Atc%3ASAML%3A2.0%3Abindings%3AURL-Encoding%3ADEFLATE';
+        $request = 'SAMLRequest=pVJNbxMxEP0rK983%2B0E3aq0kUmiEiFQgagIHLsixx4kl73jxjKH8e7ybIkoPuXAazcd78%2BZpFqR6P8h14jM%2BwvcExMVT75Hk1FiKFFEGRY4kqh5Ispb79YcH2c5qOcTAQQcvXkCuIxQRRHYBRbHdLMU3c3sHpmmttZ2pjzrHN%2FbW2rm6aerWzOu2uZkfdW3royi%2BQKSMXIpMlOFECbZIrJBzqW66smnL%2Bu7QNrJrZdd9FcUmX%2BNQ8YQ6Mw8kqwrw5BBmlKLVAeGJZ%2Bgrle8HZKen4cqZoSKHJw8luROWo971H%2Bn3ASn1EPcQfzgNnx8f%2FpJnR6zzr9nJ9YOH0Z2qDybl%2FnDOC8acLrEtlaapasCq5LmkQRS7Z3%2FfOjRZzXVrj5chku8Ph125%2B7Q%2FiNVi5JaTVXH1Pxp7YGUUq1cSF9XLBYvLL33M0rabXfBO%2Fyrehdgrvq58rDhT2mlUJqQBtLMOTDbd%2B%2FDzPoJiWAqOCUS1uiz992dXvwE%3D&RelayState=https%3A%2F%2Fprofile.surfconext.nl%2F&SAMLEncoding=urn%3Aoasis%3Anames%3Atc%3ASAML%3A2.0%3Abindings%3AURL-Encoding%3ADEFLATE';
         $_SERVER['QUERY_STRING'] = $request;
 
         $q = [
@@ -348,7 +348,8 @@ public function testDuplicateQueryParameters(): void
     {
         $q = [
             /** @phpstan-ignore array.duplicateKey */
-            'SAMLRequest' => 'nVLBauMwEP0Vo7sjW7FpKpJA2rBsoNuGOruHXhZFHm8EsuRqxtv27yvbWWgvYelFgjfvzbx5zBJVazu56enkHuG5B6TktbUO5VhYsT446RUalE61gJK0rDY/7qSYZbILnrz2ln2QXFYoRAhkvGPJbrtiv7VoygJEoTJ9LOusXDSFuJ4vdH6cxwoIEGUjsrqoFUt+QcCoXLHYKMoRe9g5JOUoQlleprlI8/yQz6W4ksXiiSXbuI1xikbViahDyfkRSM2wD40DmjnL0bSdhcE6Hx7BTd3xqnqoIPw1GmbdqWPJNx80jCGtGIUeWLL5t8mtd9i3EM78n493/zWr9XVvx+58mj39IlUaR/QmKOPq4Dtkyf4c9E1EjPtzOePjREL5/XDYp/uH6sDWy6G3HDML66+5ayO7VlHx2dySf2y9nM7pPprabffeGv02ZNcquux5QEydNiNVUlAODTiKMVvrX24DKIJz8nw9jfx8tOt3',
+            'SAMLRequest' => 'pVJNbxMxEP0rK983+0E3aq0kUmiEiFQgagIHLsixx4kl73jxjKH8e7ybIkoPuXAazcd78+ZpFqR6P8h14jM+wvcExMVT75Hk1FiKFFEGRY4kqh5Ispb79YcH2c5qOcTAQQcvXkCuIxQRRHYBRbHdLMU3c3sHpmmttZ2pjzrHN/bW2rm6aerWzOu2uZkfdW3royi+QKSMXIpMlOFECbZIrJBzqW66smnL+u7QNrJrZdd9FcUmX+NQ8YQ6Mw8kqwrw5BBmlKLVAeGJZ+grle8HZKen4cqZoSKHJw8luROWo971H+n3ASn1EPcQfzgNnx8f/pJnR6zzr9nJ9YOH0Z2qDybl/nDOC8acLrEtlaapasCq5LmkQRS7Z3/fOjRZzXVrj5chku8Ph125+7Q/iNVi5JaTVXH1Pxp7YGUUq1cSF9XLBYvLL33M0rabXfBO/yrehdgrvq58rDhT2mlUJqQBtLMOTDbd+/DzPoJiWAqOCUS1uiz992dXvwE=',
+//            'SAMLRequest' => 'nVLBauMwEP0Vo7sjW7FpKpJA2rBsoNuGOruHXhZFHm8EsuRqxtv27yvbWWgvYelFgjfvzbx5zBJVazu56enkHuG5B6TktbUO5VhYsT446RUalE61gJK0rDY/7qSYZbILnrz2ln2QXFYoRAhkvGPJbrtiv7VoygJEoTJ9LOusXDSFuJ4vdH6cxwoIEGUjsrqoFUt+QcCoXLHYKMoRe9g5JOUoQlleprlI8/yQz6W4ksXiiSXbuI1xikbViahDyfkRSM2wD40DmjnL0bSdhcE6Hx7BTd3xqnqoIPw1GmbdqWPJNx80jCGtGIUeWLL5t8mtd9i3EM78n493/zWr9XVvx+58mj39IlUaR/QmKOPq4Dtkyf4c9E1EjPtzOePjREL5/XDYp/uH6sDWy6G3HDML66+5ayO7VlHx2dySf2y9nM7pPprabffeGv02ZNcquux5QEydNiNVUlAODTiKMVvrX24DKIJz8nw9jfx8tOt3',
             'SAMLRequest' => 'hVLLbttADPwVYe+ylJXsyAvbgBujqIG0MWK3h1wCVkvFC+xDXVJp+/ddywmS9uCeCJAznOGACwJne7Ue+Ojv8ceAxNkvZz2pcbAUQ/QqABlSHhyS4lbt159vlZyUqo+BQxuseEe5zAAijGyCF9l2sxSPjZ41jW5npZxjpWvsrisoZ9ddV8NU6is5nTczXTfTeS2ybxgpMZciLUp0ogG3nhg8p1Ypq7y8ymV1kJUqa1XJB5Ft0jXGA4+sI3NPqiiM7icuhBxiezTPOPG2cEEPFif9sS9OJ5wgBRn/ZHFvnvyd32N8Ni2KbP1q/yZ4GhzGl8nX+9s3AY0u/E+BzlXm0NLY1djBYDmnXmS7l1g/GK+Ti8uJfj+DSH06HHb57m5/EKvFabcaE4qrV1v/OEoOHDJoYFgU7/GL80d8SUrbzS5Y0/7OPobogC8bOXWMzrsRqjiCJ4OeU2jWhp83EYFxKTgOKIrVWfLvv1v9AQ==',
             'RelayState' => 'https://demo.moo-archive.nl/module.php/admin/test/default-sp',
             'SigAlg' => 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256',
@@ -363,7 +364,8 @@ public function testDuplicateQueryParameters(): void
 
         $q = [
             /** @phpstan-ignore array.duplicateKey */
-            'SAMLRequest' => 'hVLLbttADPwVYe+ylJXsyAvbgBujqIG0MWK3h1wCVkvFC+xDXVJp+/ddywmS9uCeCJAznOGACwJne7Ue+Ojv8ceAxNkvZz2pcbAUQ/QqABlSHhyS4lbt159vlZyUqo+BQxuseEe5zAAijGyCF9l2sxSPjZ41jW5npZxjpWvsrisoZ9ddV8NU6is5nTczXTfTeS2ybxgpMZciLUp0ogG3nhg8p1Ypq7y8ymV1kJUqa1XJB5Ft0jXGA4+sI3NPqiiM7icuhBxiezTPOPG2cEEPFif9sS9OJ5wgBRn/ZHFvnvyd32N8Ni2KbP1q/yZ4GhzGl8nX+9s3AY0u/E+BzlXm0NLY1djBYDmnXmS7l1g/GK+Ti8uJfj+DSH06HHb57m5/EKvFabcaE4qrV1v/OEoOHDJoYFgU7/GL80d8SUrbzS5Y0/7OPobogC8bOXWMzrsRqjiCJ4OeU2jWhp83EYFxKTgOKIrVWfLvv1v9AQ==',
+            'SAMLRequest' => 'pVJNbxMxEP0rK983+0E3aq0kUmiEiFQgagIHLsixx4kl73jxjKH8e7ybIkoPuXAazcd78+ZpFqR6P8h14jM+wvcExMVT75Hk1FiKFFEGRY4kqh5Ispb79YcH2c5qOcTAQQcvXkCuIxQRRHYBRbHdLMU3c3sHpmmttZ2pjzrHN/bW2rm6aerWzOu2uZkfdW3royi+QKSMXIpMlOFECbZIrJBzqW66smnL+u7QNrJrZdd9FcUmX+NQ8YQ6Mw8kqwrw5BBmlKLVAeGJZ+grle8HZKen4cqZoSKHJw8luROWo971H+n3ASn1EPcQfzgNnx8f/pJnR6zzr9nJ9YOH0Z2qDybl/nDOC8acLrEtlaapasCq5LmkQRS7Z3/fOjRZzXVrj5chku8Ph125+7Q/iNVi5JaTVXH1Pxp7YGUUq1cSF9XLBYvLL33M0rabXfBO/yrehdgrvq58rDhT2mlUJqQBtLMOTDbd+/DzPoJiWAqOCUS1uiz992dXvwE=',
+//            'SAMLRequest' => 'hVLLbttADPwVYe+ylJXsyAvbgBujqIG0MWK3h1wCVkvFC+xDXVJp+/ddywmS9uCeCJAznOGACwJne7Ue+Ojv8ceAxNkvZz2pcbAUQ/QqABlSHhyS4lbt159vlZyUqo+BQxuseEe5zAAijGyCF9l2sxSPjZ41jW5npZxjpWvsrisoZ9ddV8NU6is5nTczXTfTeS2ybxgpMZciLUp0ogG3nhg8p1Ypq7y8ymV1kJUqa1XJB5Ft0jXGA4+sI3NPqiiM7icuhBxiezTPOPG2cEEPFif9sS9OJ5wgBRn/ZHFvnvyd32N8Ni2KbP1q/yZ4GhzGl8nX+9s3AY0u/E+BzlXm0NLY1djBYDmnXmS7l1g/GK+Ti8uJfj+DSH06HHb57m5/EKvFabcaE4qrV1v/OEoOHDJoYFgU7/GL80d8SUrbzS5Y0/7OPobogC8bOXWMzrsRqjiCJ4OeU2jWhp83EYFxKTgOKIrVWfLvv1v9AQ==',
             'SAMLRequest' => 'nVLBauMwEP0Vo7sjW7FpKpJA2rBsoNuGOruHXhZFHm8EsuRqxtv27yvbWWgvYelFgjfvzbx5zBJVazu56enkHuG5B6TktbUO5VhYsT446RUalE61gJK0rDY/7qSYZbILnrz2ln2QXFYoRAhkvGPJbrtiv7VoygJEoTJ9LOusXDSFuJ4vdH6cxwoIEGUjsrqoFUt+QcCoXLHYKMoRe9g5JOUoQlleprlI8/yQz6W4ksXiiSXbuI1xikbViahDyfkRSM2wD40DmjnL0bSdhcE6Hx7BTd3xqnqoIPw1GmbdqWPJNx80jCGtGIUeWLL5t8mtd9i3EM78n493/zWr9XVvx+58mj39IlUaR/QmKOPq4Dtkyf4c9E1EjPtzOePjREL5/XDYp/uH6sDWy6G3HDML66+5ayO7VlHx2dySf2y9nM7pPprabffeGv02ZNcquux5QEydNiNVUlAODTiKMVvrX24DKIJz8nw9jfx8tOt3',
             'RelayState' => 'https://demo.moo-archive.nl/module.php/admin/test/default-sp',
             'SigAlg' => 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256',

tests/SAML2/XML/samlp/NameIDPolicyTest.php

@@ -8,6 +8,7 @@
 use PHPUnit\Framework\Attributes\Group;
 use PHPUnit\Framework\TestCase;
 use SimpleSAML\SAML2\Constants as C;
+use SimpleSAML\SAML2\Exception\ProtocolViolationException;
 use SimpleSAML\SAML2\Type\SAMLAnyURIValue;
 use SimpleSAML\SAML2\Type\SAMLStringValue;
 use SimpleSAML\SAML2\XML\samlp\AbstractSamlpElement;
@@ -103,4 +104,19 @@ public function testMarshallingEmptyElement(): void
         );
         $this->assertTrue($nameIdPolicy->isEmptyElement());
     }
+
+
+    /**
+     * Illegal combination of AllowCreate=true and transient NameID format is rejected.
+     */
+    public function testIllegalCombinationThrowsException(): void
+    {
+        $this->expectException(ProtocolViolationException::class);
+
+        new NameIDPolicy(
+            SAMLAnyURIValue::fromString(C::NAMEID_TRANSIENT),
+            SAMLStringValue::fromString('urn:x-simplesamlphp:spnamequalifier'),
+            BooleanValue::fromBoolean(true),
+        );
+    }
 }