Add scoping to Net::SAML2::Protocol::AuthnRequest

waterkip · waterkip · commit 2d815e06a939 · 2023-07-05T17:31:05.000-04:00
Additionally, rewrite to use XML::Generator, which means no more XML::Writer

Signed-off-by: Wesley Schwengle &lt;waterkip@cpan.org&gt;
diff --git a/Makefile.PL b/Makefile.PL
@@ -54,7 +54,6 @@ my %WriteMakefileArgs = (
     "XML::LibXML" => 0,
     "XML::LibXML::XPathContext" => 0,
     "XML::Sig" => "0.64",
-    "XML::Writer" => "0.625",
     "base" => 0,
     "namespace::autoclean" => 0,
     "strict" => 0,
@@ -77,7 +76,7 @@ my %WriteMakefileArgs = (
     "URI::URL" => 0,
     "XML::LibXML::XPathContext" => 0
   },
-  "VERSION" => "0.71",
+  "VERSION" => "0.72",
   "test" => {
     "TESTS" => "t/*.t t/author/*.t"
   }
@@ -136,7 +135,6 @@ my %FallbackPrereqs = (
   "XML::LibXML" => 0,
   "XML::LibXML::XPathContext" => 0,
   "XML::Sig" => "0.64",
-  "XML::Writer" => "0.625",
   "base" => 0,
   "namespace::autoclean" => 0,
   "strict" => 0,
diff --git a/README b/README
@@ -2,7 +2,7 @@ NAME
     Net::SAML2 - SAML2 bindings and protocol implementation
 
 VERSION
-    version 0.71
+    version 0.72
 
 SYNOPSIS
       See TUTORIAL.md for implementation documentation and
diff --git a/cpanfile b/cpanfile
@@ -38,7 +38,6 @@ requires "XML::Generator" => "1.13";
 requires "XML::LibXML" => "0";
 requires "XML::LibXML::XPathContext" => "0";
 requires "XML::Sig" => "0.64";
-requires "XML::Writer" => "0.625";
 requires "base" => "0";
 requires "namespace::autoclean" => "0";
 requires "perl" => "5.012";
diff --git a/dist.ini b/dist.ini
@@ -50,7 +50,6 @@ skip = Saml2Test
 [Prereqs / RuntimeRequires]
 XML::Enc = 0.13
 XML::Sig = 0.64
-XML::Writer = 0.625
 ; Here because otherwise only on test you get to pull in this dependency
 ; which might only be an issue with cpm or if you run --no-test with cpanm
 XML::LibXML::XPathContext = 0
diff --git a/lib/Net/SAML2/Protocol/AuthnRequest.pm b/lib/Net/SAML2/Protocol/AuthnRequest.pm
@@ -1,13 +1,12 @@
-use strict;
-use warnings;
 package Net::SAML2::Protocol::AuthnRequest;
-# VERSION
-
 use Moose;
-use MooseX::Types::URI qw/ Uri /;
+
+# VERSION
+use MooseX::Types::URI            qw/ Uri /;
 use MooseX::Types::Common::String qw/ NonEmptySimpleStr /;
-use XML::Writer 0.625;
-use List::Util qw(any);
+use XML::Generator;
+use List::Util        qw(any);
+use URN::OASIS::SAML2 qw(:urn BINDING_HTTP_POST);
 
 with 'Net::SAML2::Role::ProtocolMessage';
 
@@ -54,7 +53,7 @@ Net::SAML2::Protocol::AuthnRequest - SAML2 AuthnRequest object
 Constructor. Creates an instance of the AuthnRequest object.
 
 Important Note: Best practice is to always do this first.  While it is possible
-to call as_xml() first you do not have to set the id as it will be set for you
+to call C<as_xml()> first you do not have to set the id as it will be set for you
 automatically.
 
 However tracking the id is important for security to ensure that the response
@@ -64,19 +63,25 @@ Arguments:
 
 =over
 
-=item B<nameidpolicy_format>
+=item nameidpolicy_format
 
 Format attribute for NameIDPolicy
 
-=item B<AuthnContextClassRef>, B<AuthnContextDeclRef>
+=item AuthnContextClassRef, <AuthnContextDeclRef
+
+Each one is an arrayref containing values for AuthnContextClassRef and
+AuthnContextDeclRef.  If any is populated, the RequestedAuthnContext will be
+included in the request.
 
-Each one is an arrayref containing values for AuthnContextClassRef and AuthnContextDeclRef.
-If any is populated, the RequestedAuthnContext will be included in the request.
+=item RequestedAuthnContext_Comparison
 
-=item B<RequestedAuthnContext_Comparison>
+Value for the I<Comparison> attribute in case I<RequestedAuthnContext> is
+included (see above). Default value is I<exact>.
 
-Value for the I<Comparison> attribute in case I<RequestedAuthnContext> is included
-(see above). Default value is I<exact>.
+=item identity_providers
+
+An arrayref of Identity providers, if used the Scoping element is added to the
+XML
 
 =back
 
@@ -102,46 +107,46 @@ has 'nameid_allow_create' => (
 );
 
 has 'assertion_url' => (
-    isa    => Uri,
-    is     => 'rw',
-    coerce => 1,
+    isa       => Uri,
+    is        => 'rw',
+    coerce    => 1,
     predicate => 'has_assertion_url',
 );
 
 has 'assertion_index' => (
-    isa => 'Int',
-    is  => 'rw',
+    isa       => 'Int',
+    is        => 'rw',
     predicate => 'has_assertion_index',
 );
 
 has 'attribute_index' => (
-    isa => 'Int',
-    is  => 'rw',
+    isa       => 'Int',
+    is        => 'rw',
     predicate => 'has_attribute_index',
 );
 
 has 'protocol_binding' => (
-    isa    => Uri,
-    is     => 'rw',
-    coerce => 1,
+    isa       => Uri,
+    is        => 'rw',
+    coerce    => 1,
     predicate => 'has_protocol_binding',
 );
 has 'provider_name' => (
-    isa => 'Str',
-    is  => 'rw',
+    isa       => 'Str',
+    is        => 'rw',
     predicate => 'has_provider_name',
 );
 
 has 'AuthnContextClassRef' => (
-    isa => 'ArrayRef[Str]',
-    is => 'rw',
-    default => sub {[]}
+    isa     => 'ArrayRef[Str]',
+    is      => 'rw',
+    default => sub { [] }
 );
 
 has 'AuthnContextDeclRef' => (
-    isa => 'ArrayRef[Str]',
-    is => 'rw',
-    default => sub {[]}
+    isa     => 'ArrayRef[Str]',
+    is      => 'rw',
+    default => sub { [] }
 );
 
 has 'RequestedAuthnContext_Comparison' => (
@@ -151,17 +156,23 @@ has 'RequestedAuthnContext_Comparison' => (
 );
 
 has 'force_authn' => (
-    isa     => 'Bool',
-    is      => 'ro',
+    isa       => 'Bool',
+    is        => 'ro',
     predicate => 'has_force_authn',
 );
 
 has 'is_passive' => (
-    isa     => 'Bool',
-    is      => 'ro',
+    isa       => 'Bool',
+    is        => 'ro',
     predicate => 'has_is_passive',
 );
 
+has identity_providers => (
+    isa       => 'ArrayRef[Str]',
+    is        => 'ro',
+    predicate => 'has_identity_providers',
+);
+
 around BUILDARGS => sub {
     my $orig = shift;
     my $self = shift;
@@ -180,20 +191,13 @@ Returns the AuthnRequest as XML.
 
 =cut
 
-my $saml  = 'urn:oasis:names:tc:SAML:2.0:assertion';
-my $samlp = 'urn:oasis:names:tc:SAML:2.0:protocol';
+my $samlp = ['samlp' => URN_PROTOCOL];
+my $saml  = ['samlp' => URN_ASSERTION];
 
 sub as_xml {
     my ($self) = @_;
-    my $x = XML::Writer->new(
-        OUTPUT => 'self',
-        NAMESPACES => 1,
-        FORCED_NS_DECLS => [$saml, $samlp],
-        PREFIX_MAP => {
-            $saml => 'saml2',
-            $samlp => 'saml2p'
-        }
-    );
+
+    my $x = XML::Generator->new(':std');
 
     my %req_atts = (
         ID           => $self->id,
@@ -203,9 +207,8 @@ sub as_xml {
 
     my %issuer_attrs = ();
 
-    my %protocol_bindings = (
-        'HTTP-POST' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST'
-    );
+    my %protocol_bindings
+        = ('HTTP-POST' => BINDING_HTTP_POST);
 
     my %att_map = (
         'assertion_url'        => 'AssertionConsumerServiceURL',
@@ -235,7 +238,7 @@ sub as_xml {
             $req_atts{ $att_map{$opt} } = $protocol_bindings{$val};
         }
         elsif (any { $opt eq $_ } qw(force_authn is_passive)) {
-            $req_atts{ $att_map{$opt} } = ( $val ? 'true' : 'false' );
+            $req_atts{ $att_map{$opt} } = ($val ? 'true' : 'false');
         }
         else {
             $req_atts{ $att_map{$opt} } = $val;
@@ -250,59 +253,68 @@ sub as_xml {
         $issuer_attrs{ $att_map{$opt} } = $val;
     }
 
-    $x->startTag([$samlp, 'AuthnRequest'], %req_atts);
-    $x->dataElement([$saml, 'Issuer'], $self->issuer, %issuer_attrs);
+    return $x->AuthnRequest($samlp,
+        \%req_atts,
+        $x->Issuer($saml, \%issuer_attrs, $self->issuer),
+        $self->_set_name_id($x),
+        $self->_set_name_policy_format($x),
+        $self->_set_requested_authn_context($x),
+        $self->_set_scoping($x),
+    );
+
+}
 
-    $self->_set_name_id($x);
-    $self->_set_name_policy_format($x);
-    $self->_set_requested_authn_context($x);
+sub _set_scoping {
+    my $self = shift;
+    return unless $self->has_identity_providers;
+    my $x = shift;
 
-    $x->endTag();
-    $x->end();
+    my @providers = map { $x->IDPEntry($samlp, { ProviderID => $_ }) }
+        @{ $self->identity_providers };
+    return $x->Scoping($samlp, $x->IDPList($samlp, @providers));
 }
 
 sub _set_name_id {
-    my ($self, $x) = @_;
-    return if !$self->has_nameid;
-    $x->startTag([$saml, 'Subject']);
-    $x->dataElement([$saml, 'NameID'], undef, NameQualifier => $self->nameid);
-    $x->endTag();
-    return;
+    my $self = shift;
+    return unless $self->has_nameid;
+    my $x = shift;
+    return $x->Subject($saml, $x->NameID($saml, {NameQualifier => $self->nameid}));
 }
 
 sub _set_name_policy_format {
-    my ($self, $x) = @_;
-    return if !$self->has_nameidpolicy_format;
-
-    $x->dataElement([$samlp, 'NameIDPolicy'],
-        undef,
-        Format => $self->nameidpolicy_format,
-        $self->has_nameid_allow_create
+    my $self = shift;
+    return unless $self->has_nameidpolicy_format;
+    my $x = shift;
+    return $x->NameIDPolicy(
+        $samlp,
+        {
+            Format => $self->nameidpolicy_format,
+            $self->has_nameid_allow_create
             ? (AllowCreate => $self->nameid_allow_create)
             : (),
+        }
     );
-    return;
+
 }
 
 sub _set_requested_authn_context {
-    my  ($self, $x) = @_;
+    my ($self, $x) = @_;
 
-    if (!@{ $self->AuthnContextClassRef } && !@{ $self->AuthnContextDeclRef })
-    {
-        return;
-    }
+    return
+        if !@{ $self->AuthnContextClassRef }
+        && !@{ $self->AuthnContextDeclRef };
 
-    $x->startTag([$samlp, 'RequestedAuthnContext'],
-        Comparison => $self->RequestedAuthnContext_Comparison);
+    my @class = map { $x->AuthnContextClassRef($saml, undef, $_) }
+        @{ $self->AuthnContextClassRef };
 
-    foreach my $ref (@{ $self->AuthnContextClassRef }) {
-        $x->dataElement([$saml, 'AuthnContextClassRef'], $ref);
-    }
-    foreach my $ref (@{ $self->AuthnContextDeclRef }) {
-        $x->dataElement([$saml, 'AuthnContextDeclRef'], $ref);
-    }
+    my @decl = map { $x->AuthnContextDeclRef($saml, undef, $_) }
+        @{ $self->AuthnContextDeclRef };
 
-    $x->endTag();
+    return $x->RequestedAuthnContext(
+        $samlp,
+        { Comparison => $self->RequestedAuthnContext_Comparison },
+        @class, @decl
+    );
 }
 
 __PACKAGE__->meta->make_immutable;
diff --git a/t/06-redirect-binding.t b/t/06-redirect-binding.t
@@ -29,7 +29,11 @@ my $authnreq = $sp->authn_request(
     $idp->format('persistent')
 )->as_xml;
 
-my $xp = get_xpath($authnreq);
+my $xp = get_xpath(
+    $authnreq,
+    saml2p => 'urn:oasis:names:tc:SAML:2.0:protocol',
+    saml  => 'urn:oasis:names:tc:SAML:2.0:assertion',
+);
 
 my $redirect = $sp->sso_redirect_binding($idp, 'SAMLRequest');
 isa_ok($redirect, 'Net::SAML2::Binding::Redirect');
diff --git a/t/09-authn-request.t b/t/09-authn-request.t
@@ -183,5 +183,19 @@ $override->override('Net::SAML2::Protocol::AuthnRequest::_build_id' =>
     );
 }
 
+{
+
+    my ($ar, $xp) = net_saml2_authnreq(
+        identity_providers => [qw(one two three)]
+    );
+
+    my $nodes = $xp->findnodes(
+        '/samlp:AuthnRequest/samlp:Scoping/samlp:IDPList/samlp:IDPEntry');
+    is($nodes->size, 3, "Found three IDP entries");
+
+    cmp_deeply([$nodes->map(sub { return $_->getAttribute('ProviderID') })],
+        [qw(one two three)], "... and the correct provider IDs found");
+
+}
 
 done_testing;
diff --git a/t/23-post-binding.t b/t/23-post-binding.t
