
I am troubleshooting a problem related to the perl module AuthCASSaml. We have a piece of software which we would like to use our CAS server to authenticate. Authentication is working. However, when AuthCASSaml processes the returned output, it ends up returning HASH references instead of the actual value of the ldap attributes being returned by the CAS server. I have pinpointed it to this section of the AuthCASSaml.pm code:

    my $user = $responseBase->{'saml1:Assertion'}{'saml1:AuthenticationStatement'}{'saml1:Subject'}{'saml1:NameIdentifier'};
    my %casAttrs;
    my $attrs = $responseBase->{'saml1:Assertion'}{'saml1:AttributeStatement'}{'saml1:Attribute'};
    if($attrs) {
        for(my $i=0;$i<@$attrs;$i++) {
            my $attr = $$attrs[$i];
            my $name = $attr->{'AttributeName'};
            my $value = $attr->{'saml1:AttributeValue'};
            $casAttrs{$name} = $value;
        }
    }

"AttributeName" returns as expected. The problem is with "AttributeValue". The code seems to be expecting a string, but the xml code returned from the CAS server for "AttributeValue" is more than a simple string.

    <saml1:Attribute AttributeName="UDC_IDENTIFIER" AttributeNamespace="http://www.ja-sig.org/products/cas/">
        <saml1:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">useriden</saml1:AttributeValue>
    </saml1:Attribute>

What is getting returned is "Attributes : uid=>HASH(0x331ecb0), UDC_IDENTIFIER=>HASH(0x331ee90)".

I should also note, all of the code we are running is vendor provided. I am not a perl programmer. I'm just trying to get everything to play nice together. It's a long story, but I'll just say the vendor is of no help in this situation.

I can provide the code in the cgi script for testing, but the main software code also experiences this problem, which is why I'm pretty sure AuthCASSaml.pm is the place to attempt to fix this.

Any help is greatly appreciated.

  • 1
    It seems like the data that falls out of your XML parser is not what the code expects. That could have many reasons. If you can't change that code, then you are likely out of luck. You'll have to provide a proper error report to the vendor I'm afraid. – simbabque Dec 11 '19 at 17:18
  • 4
    It seems [the module](https://github.com/Unicon/cas-perl-client/blob/master/AuthCASSaml.pm#L5) uses [XML::Simple](http://p3rl.org/XML::Simple). This is one of the reasons why XML::Simple shouldn't be used. – choroba Dec 11 '19 at 17:22
  • Yes, it does use XML::Simple I'm afraid. The code for this software is ridiculously old. The last time any real update was done was 2014. I'd toss the software if it were up to me. Unfortunately, it's not my call. I do appreciate the responses, as they have confirmed several of my suspicions about this code as a whole. – Phrygian Moon Dec 11 '19 at 18:05

1 Answer


A relevant snippet from my answer to Why is XML::Simple Discouraged?:

> This means that you have to perform all kinds of checks to see what you actually got. But the sheer complexity of this encourages developers to make very bad assumptions instead.

It appears exactly that is happening here. That said, the data you want is accessible using the following:

    my $av_node = $attr->{'saml1:AttributeValue'};
    $casAttrs{$name} = ref($av_node) ? $av_node->{content} : $av_node;

Note that still makes some of the aforementioned assumptions.

ikegami
  • This sounds very useful, but I'm afraid I don't know enough perl to know how to apply it in my case. Can you please explain how I would modify the code that I have to do this? Would I be modifying this line: `my $value = $attr->{'saml1:AttributeValue'};` ? – Phrygian Moon Dec 12 '19 at 19:58
  • Thanks for the clarification. That really helps a lot. – Phrygian Moon Dec 13 '19 at 14:48
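
Added example, not part of the original post or of AuthCASSaml.pm: a stricter normalizer for the shapes discussed above, which rejects unexpected structures instead of letting a `HASH(0x...)` string reach code that makes decisions on attribute values. The helper names `attr_values` and `collect_attrs`, the `memberOf` attribute and the sample data are hypothetical; the data is constructed in the shapes XML::Simple is assumed to return with its default options.

```perl
use strict;
use warnings;

# Normalize one parsed saml1:AttributeValue node to a list of plain strings.
# Shapes assumed (XML::Simple defaults, no ForceArray):
#   plain scalar          - element had text only
#   { content => '...' }  - element had text plus XML attributes (xmlns:*, xsi:type)
#   [ node, node, ... ]   - the attribute carried several values
sub attr_values {
    my ($node) = @_;
    return () unless defined $node;
    return ($node) unless ref $node;
    return map { attr_values($_) } @$node if ref $node eq 'ARRAY';
    if (ref $node eq 'HASH') {
        return () unless exists $node->{content};          # empty element
        die "nested AttributeValue content\n" if ref $node->{content};
        return ($node->{content});
    }
    die "unexpected AttributeValue shape: " . ref($node) . "\n";
}

# Build { name => [values] } from the parsed saml1:Attribute node(s).
sub collect_attrs {
    my ($attrs) = @_;
    return {} unless $attrs;
    # A single <saml1:Attribute> arrives as a hash ref, several as an array ref.
    my @list = ref $attrs eq 'ARRAY' ? @$attrs : ($attrs);
    my %out;
    for my $attr (@list) {
        my $name = $attr->{'AttributeName'};
        next unless defined $name && !ref $name;
        push @{ $out{$name} }, attr_values($attr->{'saml1:AttributeValue'});
    }
    return \%out;
}

# Constructed sample data (not captured from a real CAS response).
my $attrs = [
    { AttributeName => 'UDC_IDENTIFIER',
      'saml1:AttributeValue' => { 'xsi:type' => 'xs:string', content => 'useriden' } },
    { AttributeName => 'uid', 'saml1:AttributeValue' => 'useriden' },
    { AttributeName => 'memberOf',
      'saml1:AttributeValue' => [ { content => 'staff' }, { content => 'admins' } ] },
];
my $cas = collect_attrs($attrs);
print "$_ => ", join(',', @{ $cas->{$_} }), "\n" for sort keys %$cas;
```

Unlike the `%casAttrs` hash in the question, this returns an array reference per attribute name, so callers that expect a single string need to take the first element.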