Audiences from xml

simplesamlphp · Nov 23, 2018 · df18268 · df18268
1 parent 9c3cef6
commit df18268
Show file tree

Hide file tree

Showing 2 changed files with 57 additions and 2 deletions.
diff --git a/src/SAML2/AuthnRequest.php b/src/SAML2/AuthnRequest.php
@@ -175,6 +175,7 @@ public function __construct(\DOMElement $xml = null)
         $this->parseNameIdPolicy($xml);
         $this->parseRequestedAuthnContext($xml);
         $this->parseScoping($xml);
+        $this->parseConditions($xml);
     }
 
     /**
@@ -302,6 +303,30 @@ protected function parseScoping(\DOMElement $xml)
         }
     }
 
+    /**
+     * @param \DOMElement $xml
+     */
+    protected function parseConditions(\DOMElement $xml)
+    {
+        $conditions = Utils::xpQuery($xml, './saml_assertion:Conditions');
+        if (empty($conditions)) {
+            return;
+        }
+        $conditions = $conditions[0];
+
+        $ar = Utils::xpQuery($conditions, './saml_assertion:AudienceRestriction');
+        if (empty($ar)) {
+            return;
+        }
+        $ar = $ar[0];
+
+        $audiences = Utils::xpQuery($ar, './saml_assertion:Audience');
+        $this->audiences = array();
+        foreach ($audiences as $a) {
+            $this->audiences[] = trim($a->textContent);
+        }
+    }
+
     /**
      * Retrieve the NameIdPolicy.
      *
@@ -412,9 +437,9 @@ public function setIsPassive($isPassive)
     }
 
     /**
-     * Retrieve the audiences to send in the request.
+     * Retrieve the audiences from the request.
      *
-     * This may be null, in which case no audience will be sent.
+     * This may be null, in which case no audience is included.
      *
      * @return array|null The audiences.
      */

diff --git a/tests/SAML2/AuthnRequestTest.php b/tests/SAML2/AuthnRequestTest.php
@@ -1019,4 +1019,34 @@ public function testAudiencesAreAddedCorrectly()
 
         $this->assertEqualXMLStructure($expectedStructure, $requestStructure);
     }
+
+    /**
+     * Test reading audiences.
+     */
+    public function testAudiencesAreReadCorrectly()
+    {
+        $expectedAudiences = array('https://sp1.example.org', 'https://sp2.example.org');
+
+        $xmlRequest = <<<AUTHNREQUEST
+<samlp:AuthnRequest
+    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
+    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
+    ID="_1234567890abvdefghijkl"
+    Version="2.0"
+    IssueInstant="2015-05-11T09:02:36Z"
+    Destination="https://tiqr.example.org/idp/profile/saml2/Redirect/SSO">
+    <saml:Issuer>https://gateway.example.org/saml20/sp/metadata</saml:Issuer>
+    <saml:Conditions>
+      <saml:AudienceRestriction>
+        <saml:Audience>https://sp1.example.org</saml:Audience>
+        <saml:Audience>https://sp2.example.org</saml:Audience>
+      </saml:AudienceRestriction>
+    </saml:Conditions>
+</samlp:AuthnRequest>
+AUTHNREQUEST;
+
+        $authnRequest = new AuthnRequest(DOMDocumentFactory::fromString($xmlRequest)->firstChild);
+
+        $this->assertEquals($expectedAudiences, $authnRequest->getAudiences());
+    }
 }