From 79b5781e9e0037e6d2f499ada2681055eeea9e23 Mon Sep 17 00:00:00 2001
From: Tom Judge <tomjudge@cisco.com>
Date: Jul 09 2016 08:54:12 +0000
Subject: Fix handling attributes with multiple values (e.g. groups)


When handling attributes with more than one value provide a single
saml:Attribute with multiple saml:AttributeValue's.

I.e.

<saml:Attribute Name="groups"
           NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
       <saml:AttributeValue>group1</saml:AttributeValue>
       <saml:AttributeValue>group2</saml:AttributeValue>
</saml:Attribute>

Not:

<saml:Attribute Name="groups"
           NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
       <saml:AttributeValue>group1</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="groups"
           NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
       <saml:AttributeValue>group2</saml:AttributeValue>
</saml:Attribute>

This fixes handling of attributes with more than one value for pac4j
based clients (Such as the Jenkins SAML plugin).

Merges: #86
Signed-off-by: Tom Judge <tomjudge@cisco.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>

---

diff --git a/ipsilon/providers/saml2/auth.py b/ipsilon/providers/saml2/auth.py
index 84b5a4e..f89c220 100644
--- a/ipsilon/providers/saml2/auth.py
+++ b/ipsilon/providers/saml2/auth.py
@@ -320,17 +320,21 @@ class AuthenticateRequest(ProviderPageBase):
                 continue
             if not isinstance(values, list):
                 values = [values]
+            attr = lasso.Saml2Attribute()
+            attr.name = key
+            attr.nameFormat = lasso.SAML2_ATTRIBUTE_NAME_FORMAT_BASIC
+            attr.attributeValue = []
+            vals = []
             for value in values:
-                attr = lasso.Saml2Attribute()
-                attr.name = key
-                attr.nameFormat = lasso.SAML2_ATTRIBUTE_NAME_FORMAT_BASIC
                 self.debug('value %s' % value)
                 node = lasso.MiscTextNode.newWithString(value)
                 node.textChild = True
                 attrvalue = lasso.Saml2AttributeValue()
                 attrvalue.any = [node]
-                attr.attributeValue = [attrvalue]
-                attrstat.attribute = attrstat.attribute + (attr,)
+                vals.append(attrvalue)
+
+            attr.attributeValue = vals
+            attrstat.attribute = attrstat.attribute + (attr,)
 
         self.debug('Assertion: %s' % login.assertion.dump())