From 12e759155a03def510b085e0cef3f31495531202 Mon Sep 17 00:00:00 2001
From: Richard van der Hoff <richard@matrix.org>
Date: Tue, 21 Jan 2020 12:55:26 +0000
Subject: [PATCH] remove saml attribute maps and hardcode attribute names

the maps are hard to maintain and don't add much value.
---
 .../mapping_provider.py                       | 39 +++++++++++++------
 .../saml_maps/nameformat_basic.py             |  5 ---
 .../saml_maps/nameformat_uri.py               | 11 ------
 3 files changed, 27 insertions(+), 28 deletions(-)
 delete mode 100644 matrix_synapse_saml_mozilla/saml_maps/nameformat_basic.py
 delete mode 100644 matrix_synapse_saml_mozilla/saml_maps/nameformat_uri.py

diff --git a/matrix_synapse_saml_mozilla/mapping_provider.py b/matrix_synapse_saml_mozilla/mapping_provider.py
index 0963a50..9f65510 100644
--- a/matrix_synapse_saml_mozilla/mapping_provider.py
+++ b/matrix_synapse_saml_mozilla/mapping_provider.py
@@ -37,6 +37,13 @@ logger = logging.getLogger(__name__)
 
 MAPPING_SESSION_VALIDITY_PERIOD_MS = 15 * 60 * 1000
 
+# names of attributes in the `ava` property we get from pysaml2
+UID_ATTRIBUTE_NAME = (
+    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"
+)
+EMAIL_ATTRIBUTE_NAME = "http://schemas.auth0.com/emails"
+DISPLAYNAME_ATTRIBUTE_NAME = "displayName"
+
 
 @attr.s
 class SamlConfig(object):
@@ -70,10 +77,14 @@ class SamlMappingProvider(object):
             return name_id.text
         else:
             try:
-                return saml_response.ava["uid"][0]
+                return saml_response.ava[UID_ATTRIBUTE_NAME][0]
             except KeyError:
-                logger.warning("SAML2 response lacks a 'uid' attribute")
-                raise CodeMessageException(400, "'uid' not in SAML2 response")
+                logger.warning(
+                    "SAML2 response lacks a '%s' attribute", UID_ATTRIBUTE_NAME
+                )
+                raise CodeMessageException(
+                    400, "'%s' not in SAML2 response" % (UID_ATTRIBUTE_NAME,)
+                )
 
     def saml_response_to_user_attributes(
         self,
@@ -96,16 +107,20 @@ class SamlMappingProvider(object):
                 * displayname (str): The displayname of the user
         """
         remote_user_id = self.get_remote_user_id(saml_response, client_redirect_url)
-        displayname = saml_response.ava.get("displayName", [None])[0]
+        displayname = saml_response.ava.get(DISPLAYNAME_ATTRIBUTE_NAME, [None])[0]
 
         expire_old_sessions()
 
         # check the user's emails against our block list
-        if "emails" not in saml_response.ava:
-            logger.warning("SAML2 response lacks an 'emails' attribute")
-            raise CodeMessageException(400, "'emails' not in SAML2 response")
-
-        for email in saml_response.ava["emails"]:
+        if EMAIL_ATTRIBUTE_NAME not in saml_response.ava:
+            logger.warning(
+                "SAML2 response lacks a '%s' attribute", EMAIL_ATTRIBUTE_NAME,
+            )
+            raise CodeMessageException(
+                400, "'%s' not in SAML2 response" % (EMAIL_ATTRIBUTE_NAME,)
+            )
+
+        for email in saml_response.ava[EMAIL_ATTRIBUTE_NAME]:
             parts = email.rsplit("@", 1)
             if len(parts) != 2:
                 logger.warning(
@@ -187,10 +202,10 @@ class SamlMappingProvider(object):
                 second set consists of those attributes which can be used if
                 available, but are not necessary
         """
-        required = set()
-        optional = {"uid", "emails", "displayName"}
+        required = {EMAIL_ATTRIBUTE_NAME}
+        optional = {UID_ATTRIBUTE_NAME, DISPLAYNAME_ATTRIBUTE_NAME}
 
         if not config.use_name_id_for_remote_uid:
-            required += "uid"
+            required += UID_ATTRIBUTE_NAME
 
         return required, optional
diff --git a/matrix_synapse_saml_mozilla/saml_maps/nameformat_basic.py b/matrix_synapse_saml_mozilla/saml_maps/nameformat_basic.py
deleted file mode 100644
index b2e8734..0000000
--- a/matrix_synapse_saml_mozilla/saml_maps/nameformat_basic.py
+++ /dev/null
@@ -1,5 +0,0 @@
-MAP = {
-    "identifier": "urn:oasis:names:tc:SAML:2.0:attrname-format:basic",
-    "fro": {"displayName": "displayName"},
-    "to": {"displayName": "displayName"},
-}
diff --git a/matrix_synapse_saml_mozilla/saml_maps/nameformat_uri.py b/matrix_synapse_saml_mozilla/saml_maps/nameformat_uri.py
deleted file mode 100644
index a719b24..0000000
--- a/matrix_synapse_saml_mozilla/saml_maps/nameformat_uri.py
+++ /dev/null
@@ -1,11 +0,0 @@
-MAP = {
-    "identifier": "urn:oasis:names:tc:SAML:2.0:attrname-format:uri",
-    "fro": {
-        "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier": "uid",
-        "http://schemas.auth0.com/emails": "emails",
-    },
-    "to": {
-        "emails": "http://schemas.auth0.com/emails",
-        "uid": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
-    },
-}