Identity Provider / IDP-1206

Option to strip empty/null values on AttributeDefinition output

    Details

    • Operating System:
      Multiple
    • Java Version:
      Oracle Java 8
    • Servlet Container:
      Apache Tomcat 8

      Description

      When using the SimpleAttributePredicate with a wildcard match, NULL attributes that get mapped as EmptyAttributeValue(s) erroneously return true. Wildcard testing on an attribute of EmptyAttributeValue should return false.

      The following bean was used for testing this condition:

      <!-- Ensure that mail is not already populated -->
      <bean parent="shibboleth.Conditions.NOT">
        <constructor-arg>
          <bean class="net.shibboleth.idp.profile.logic.SimpleAttributePredicate">
            <property name="attributeValueMap">
              <map>
                <entry key="mail">
                  <list>
                    <value>*</value>
                  </list>
                </entry>
              </map>
            </property>
          </bean>
        </constructor-arg>
      </bean>
      

      The following log line demonstrates that the mail attribute (a SQL NULL value in the connected data store for the test individual) is pulled from the connector as an EmptyAttributeValue:

      2017-08-10 10:31:37,439 DEBUG {http-nio-443-exec-21} [,X.X.X.X,3BFD312A96CB6BB87EA8E3B38C6F9C0B] net.shibboleth.idp.attribute.resolver.AbstractDataConnector:143 Data Connector 'myIDW': Attribute 'mail': Values '[EmptyAttributeValue{value=NULL_VALUE}]'
      

      Later, the predicate logs the following:

      2017-08-10 10:31:38,033 DEBUG {http-nio-443-exec-21} [,X.X.X.X,3BFD312A96CB6BB87EA8E3B38C6F9C0B] net.shibboleth.idp.profile.logic.SimpleAttributePredicate:87 Checking for attribute: mail
      2017-08-10 10:31:38,033 DEBUG {http-nio-443-exec-21} [,X.X.X.X,3BFD312A96CB6BB87EA8E3B38C6F9C0B] net.shibboleth.idp.profile.logic.SimpleAttributePredicate:123 Wildcard (*) value rule for attribute mail
      2017-08-10 10:31:38,033 DEBUG {http-nio-443-exec-21} [,X.X.X.X,3BFD312A96CB6BB87EA8E3B38C6F9C0B] net.shibboleth.idp.profile.logic.AbstractAttributePredicate:97 Context satisfied requirements
      

      This seems to be because the hasMatch method of the SimpleAttributePredicate, line 97, loops through all available attributes in the context without checking for EmptyAttributeValues, and calls findMatch.

      Later, in the findMatch method, lines 122 - 124, if the toMatch parameter is the wildcard character ("*"), it returns true without inspecting the attribute value to check for EmptyAttributeValues.

      I've tagged this as AttributeMapper and AttributeResolver, neither of which seems like an exact match (since predicates and activation conditions weren't available), so feel free to re-categorize as is appropriate.
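
The wildcard behaviour described in this report, reduced to a stand-alone Java model. This is an added example, not code from the Shibboleth IdP or from the reporter: the class and method names `WildcardPredicateDemo`, `findMatchReported` and `findMatchExpected` are hypothetical, and a `null` or zero-length string stands in for an `EmptyAttributeValue`.

```java
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.function.BiPredicate;

// Stand-in model, not the Shibboleth classes: a null (or zero-length) entry
// in a value list plays the role of EmptyAttributeValue.
public class WildcardPredicateDemo {

    // Reported behaviour: "*" matches without inspecting the value at all.
    static boolean findMatchReported(String toMatch, String value) {
        if ("*".equals(toMatch)) {
            return true;
        }
        return toMatch.equals(value);
    }

    // Behaviour the report asks for: an empty value never satisfies a rule,
    // so the emptiness check comes before the wildcard shortcut.
    static boolean findMatchExpected(String toMatch, String value) {
        if (value == null || value.isEmpty()) {
            return false;
        }
        return "*".equals(toMatch) || toMatch.equals(value);
    }

    // Models the loop over every resolved value of the named attribute.
    static boolean hasMatch(Map<String, List<String>> resolved, String id,
                            String toMatch, BiPredicate<String, String> matcher) {
        List<String> values = resolved.get(id);
        if (values == null) {
            return false;
        }
        return values.stream().anyMatch(v -> matcher.test(toMatch, v));
    }

    public static void main(String[] args) {
        // Constructed sample: 'mail' resolved from a SQL NULL column.
        Map<String, List<String>> resolved = new HashMap<>();
        resolved.put("mail", Collections.<String>singletonList(null));

        boolean reported = hasMatch(resolved, "mail", "*", WildcardPredicateDemo::findMatchReported);
        boolean expected = hasMatch(resolved, "mail", "*", WildcardPredicateDemo::findMatchExpected);
        // The bean on this page wraps the predicate in shibboleth.Conditions.NOT.
        System.out.println("reported: predicate=" + reported + ", NOT condition=" + !reported);
        System.out.println("expected: predicate=" + expected + ", NOT condition=" + !expected);
    }
}
```

Because the bean on this page negates the predicate, the reported behaviour leaves the "mail is not already populated" condition false for a user whose mail value is NULL.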

              People

              Assignee:
              rdw@iay.org.uk Rod Widdowson
              Reporter:
              mdomingues@uiowa.edu mdomingues@uiowa.edu
              Watchers:
              3

                  Time Tracking

                  Estimated: Not Specified
                  Remaining: 0m
                  Logged: 5h 40m