Do not allow for extraneous keys in the ARP

OpenConext · Jun 19, 2024 · caaa971 · caaa971
1 parent e6954d7
commit caaa971
Show file tree

Hide file tree

Showing 4 changed files with 35 additions and 3 deletions.
diff --git a/manage-server/src/main/resources/metadata_configuration/oidc10_rp.schema.json b/manage-server/src/main/resources/metadata_configuration/oidc10_rp.schema.json
@@ -33,7 +33,8 @@
           "use_as_nameid": {
             "type": "boolean"
           }
-        }
+        },
+        "additionalProperties": false
       }
     }
   },

diff --git a/manage-server/src/main/resources/metadata_configuration/saml20_sp.schema.json b/manage-server/src/main/resources/metadata_configuration/saml20_sp.schema.json
@@ -61,7 +61,8 @@
           "use_as_nameid": {
             "type": "boolean"
           }
-        }
+        },
+        "additionalProperties": false
       }
     }
   },

diff --git a/manage-server/src/main/resources/metadata_configuration/single_tenant_template.schema.json b/manage-server/src/main/resources/metadata_configuration/single_tenant_template.schema.json
@@ -47,7 +47,8 @@
           "use_as_nameid": {
             "type": "boolean"
           }
-        }
+        },
+        "additionalProperties": false
       }
     }
   },

diff --git a/manage-server/src/test/java/manage/control/MetaDataControllerTest.java b/manage-server/src/test/java/manage/control/MetaDataControllerTest.java
@@ -1874,4 +1874,33 @@ private void doCreateChangeRequest() {
                 .then()
                 .statusCode(SC_OK);
     }
+
+    @Test
+    public void saveInvalidARPMetaData() {
+        MetaData existingMetaData = given()
+                .when()
+                .pathParam("id", "11")
+                .get("manage/api/client/metadata/saml20_sp/{id}")
+                .as(MetaData.class);
+        Map<String, Object> arp = (Map<String, Object>) existingMetaData.getData().get("arp");
+        Map<String, List<Map<String, Object>>> attributes = (Map<String, List<Map<String, Object>>>) arp.get("attributes");
+        List<Map<String, Object>> givenNameArpAttributes = attributes.get("urn:mace:dir:attribute-def:givenName");
+        Map<String, Object> arpAttribute = givenNameArpAttributes.get(0);
+        arpAttribute.put("useAsNameId", true);
+        arpAttribute.put("use_as_name_id", true);
+        arpAttribute.put("releaseAs", true);
+
+        Map errors = given()
+                .when()
+                .body(existingMetaData)
+                .header("Content-type", "application/json")
+                .put("manage/api/client/metadata")
+                .as(Map.class);
+        String validations = (String) errors.get("validations");
+        assertEquals("#/arp/attributes/urn:mace:dir:attribute-def:givenName/0: extraneous key [use_as_name_id] is not permitted, " +
+                "#/arp/attributes/urn:mace:dir:attribute-def:givenName/0: extraneous key [releaseAs] is not permitted, " +
+                "#/arp/attributes/urn:mace:dir:attribute-def:givenName/0: extraneous key [useAsNameId] is not permitted",
+                validations);
+    }
+
 }
-Original file line number
+Diff line change
@@ Expand Up / @@ -33,7 +33,8 @@ @@
               "use_as_nameid": {
                 "type": "boolean"
               }
-            }
+            },
+            "additionalProperties": false
           }
         }
       },
@@ Expand Down @@