
Commit ba8c62e

committed
Strict specs enforcement
E14: AllowCreate
1 parent 489e704 commit ba8c62e


2 files changed

+30
-0
lines changed

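--- a/src/XML/samlp/NameIDPolicy.php
+++ b/src/XML/samlp/NameIDPolicy.php
@@ -6,7 +6,9 @@
 
 use DOMElement;
 use SimpleSAML\SAML2\Assert\Assert;
+use SimpleSAML\SAML2\Constants as C;
 use SimpleSAML\SAML2\Exception\ArrayValidationException;
+use SimpleSAML\SAML2\Exception\ProtocolViolationException;
 use SimpleSAML\SAML2\Type\SAMLAnyURIValue;
 use SimpleSAML\SAML2\Type\SAMLStringValue;
 use SimpleSAML\XML\ArrayizableElementInterface;
@@ -45,6 +47,18 @@ public function __construct(
         protected ?SAMLStringValue $SPNameQualifier = null,
         protected ?BooleanValue $AllowCreate = null,
     ) {
+        if ($AllowCreate->equals(BooleanValue::fromBoolean(true)) {
+            // Per Errata E14: AllowCreate
+            Assert::notSame(
+                $Format->getValue(),
+                C::NAMEID_TRANSIENT,
+                ProtocolViolationException::class,
+                sprintf(
+                    'AllowCreate=\"true\" MUST NOT be used in conjunction with the %s <NameID> Format.',
+                    C::NAMEID_TRANSIENT,
+                ),
+            );
+        }
     }
 
 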
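Review bot: `$AllowCreate` is declared `?BooleanValue $AllowCreate = null` two lines above the new guard, so `$AllowCreate->equals(...)` raises an Error ("call to a member function on null") whenever AllowCreate is omitted, which is the default and therefore the common construction path. The guard should read `if ($AllowCreate !== null && $AllowCreate->equals(BooleanValue::fromBoolean(true))) {` — this form also supplies the closing parenthesis the rendered line appears to lack (possibly a display artifact; verify in the file). If `$Format`, declared above the hunk, is nullable too, use `$Format?->getValue()` in the `Assert::notSame` call so the check does not crash on an absent Format. Separately, `\"` is not an escape inside a single-quoted PHP string, so the message is emitted with literal backslashes; write it as `'AllowCreate="true" MUST NOT be used in conjunction with the %s <NameID> Format.'`. The constructor's parameter list begins outside the hunk.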
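--- a/tests/SAML2/XML/samlp/NameIDPolicyTest.php
+++ b/tests/SAML2/XML/samlp/NameIDPolicyTest.php
@@ -8,6 +8,7 @@
 use PHPUnit\Framework\Attributes\Group;
 use PHPUnit\Framework\TestCase;
 use SimpleSAML\SAML2\Constants as C;
+use SimpleSAML\SAML2\Exception\ProtocolViolationException;
 use SimpleSAML\SAML2\Type\SAMLAnyURIValue;
 use SimpleSAML\SAML2\Type\SAMLStringValue;
 use SimpleSAML\SAML2\XML\samlp\AbstractSamlpElement;
@@ -103,4 +104,19 @@ public function testMarshallingEmptyElement(): void
         );
         $this->assertTrue($nameIdPolicy->isEmptyElement());
     }
+
+
+    /**
+     * Illegal combination of AllowCreate=true and transient NameID format is rejected.
+     */
+    public function testIllegalCombinationThrowsException(): void
+    {
+        $this->expectException(ProtocolViolationException::class);
+
+        new NameIDPolicy(
+            SAMLAnyURIValue::fromString(C::NAMEID_TRANSIENT),
+            SAMLStringValue::fromString('urn:x-simplesamlphp:spnamequalifier'),
+            BooleanValue::fromBoolean(true),
+        );
+    }
 }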
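Review bot: The new test pins only the rejecting path; nothing asserts that a transient Format with AllowCreate omitted (the default, null) or explicitly false still constructs, and with the guard as written in NameIDPolicy.php (`$AllowCreate->equals(...)` on a nullable parameter) that path appears to fail with an Error rather than succeed. Add a companion test along the lines of `$this->expectNotToPerformAssertions(); new NameIDPolicy(SAMLAnyURIValue::fromString(C::NAMEID_TRANSIENT));` and a second one passing `BooleanValue::fromBoolean(false)`, so the E14 rule is pinned from both sides. The hunk uses `BooleanValue` without a visible `use` line; presumably it is already imported for the earlier tests — confirm.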
