From 9bbb7ecc38b52dd318a17378323f2386851e89c5 Mon Sep 17 00:00:00 2001
From: Giuseppe De Marco
Date: Wed, 21 Feb 2024 09:43:26 +0100
Subject: [PATCH 1/5] fix: SAML2 Issuer format SPID test 30, issuer MAY be omitted
---
 example/backends/spidsaml2_validator.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/example/backends/spidsaml2_validator.py b/example/backends/spidsaml2_validator.py
index e740f209..9311e9be 100644
--- a/example/backends/spidsaml2_validator.py
+++ b/example/backends/spidsaml2_validator.py
@@ -77,7 +77,8 @@ def validate_issuer(self):
 # 30
 # check that this issuer is in the metadata...
- if self.response.issuer.format:
+ # L'attributo Format di Issuer della Response deve essere omesso o assumere valore urn:oasis:names:tc:SAML:2.0:nameid-format:entity. In questo test il valore è diverso. Risultato atteso: KO
+ if hasattr(self.response.issuer.format):
 if (
 self.response.issuer.format
 != "urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
From 1b694e709cd5a14c48cdd1aa1313a60cf1b8182f Mon Sep 17 00:00:00 2001
From: Giuseppe De Marco
Date: Wed, 21 Feb 2024 10:03:21 +0100
Subject: [PATCH 2/5] fix: SAML2 Issuer format SPID test 30, issuer MAY be omitted
---
 example/backends/spidsaml2_validator.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/example/backends/spidsaml2_validator.py b/example/backends/spidsaml2_validator.py
index 9311e9be..15e272a3 100644
--- a/example/backends/spidsaml2_validator.py
+++ b/example/backends/spidsaml2_validator.py
@@ -78,7 +78,7 @@ def validate_issuer(self):
 # 30
 # check that this issuer is in the metadata...
 # L'attributo Format di Issuer della Response deve essere omesso o assumere valore urn:oasis:names:tc:SAML:2.0:nameid-format:entity. In questo test il valore è diverso. Risultato atteso: KO
- if hasattr(self.response.issuer.format):
+ if hasattr(self.response.issuer, "format"):
 if (
 self.response.issuer.format
 != "urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
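Review bot: The comment added above the `hasattr` line is the SPID test-suite's Italian description of test 30 ("in this test the value is different, expected result KO"), which documents a test scenario rather than the rule this code enforces, and the file's other comments are in English. Replace it with the rule itself, e.g. `# SPID test 30: Response/Issuer/@Format MUST be omitted or equal to urn:oasis:names:tc:SAML:2.0:nameid-format:entity`. Note also that `hasattr(self.response.issuer.format)` passes a single argument and so raises TypeError on every call that reaches it; PATCH 2/5 of this series corrects the call. validate_issuer starts and ends outside the hunk.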
From 1dac75773eb7398a18d32d4f7e3920c900f37f4b Mon Sep 17 00:00:00 2001
From: Giuseppe De Marco
Date: Wed, 21 Feb 2024 13:00:35 +0100
Subject: [PATCH 3/5] fix: SAML2 Issuer format SPID test 30, issuer MAY be omitted
---
 example/backends/spidsaml2_validator.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/example/backends/spidsaml2_validator.py b/example/backends/spidsaml2_validator.py
index 15e272a3..a83258b3 100644
--- a/example/backends/spidsaml2_validator.py
+++ b/example/backends/spidsaml2_validator.py
@@ -78,7 +78,7 @@ def validate_issuer(self):
 # 30
 # check that this issuer is in the metadata...
 # L'attributo Format di Issuer della Response deve essere omesso o assumere valore urn:oasis:names:tc:SAML:2.0:nameid-format:entity. In questo test il valore è diverso. Risultato atteso: KO
- if hasattr(self.response.issuer, "format"):
+ if hasattr(self.response.issuer, "format") and self.response.issuer.format:
 if (
 self.response.issuer.format
 != "urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
From 8e9f449c5fa5579d8e66904175a3b258c5c813f8 Mon Sep 17 00:00:00 2001
From: Giuseppe De Marco
Date: Wed, 21 Feb 2024 14:21:27 +0100
Subject: [PATCH 4/5] feat: SPIDA validator cie_mode
---
 example/backends/ciesaml2.py | 2 +-
 example/backends/spidsaml2_validator.py | 17 ++++++++++-------
 2 files changed, 11 insertions(+), 8 deletions(-)
diff --git a/example/backends/ciesaml2.py b/example/backends/ciesaml2.py
index f3558d16..92167fb0 100644
--- a/example/backends/ciesaml2.py
+++ b/example/backends/ciesaml2.py
@@ -472,7 +472,6 @@ def authn_response(self, context, binding):
 **{"message": _msg, "troubleshoot": _TROUBLESHOOT_MSG}
 )
- list(context.state.keys())[1] # deprecated
 # if not context.state.get('Saml2IDP'):
 # _msg = "context.state['Saml2IDP'] KeyError"
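Review bot: The guard `hasattr(self.response.issuer, "format") and self.response.issuer.format` is also false when `self.response.issuer` is None (no Issuer element at all), so a Response without an Issuer passes this branch silently, and the existing comment `# check that this issuer is in the metadata...` describes a check that nothing in this hunk performs. Confirm that code outside the hunk rejects a missing Issuer and compares its value with the expected IdP entityID from metadata; if it does not, that check belongs here, since the Format attribute alone says nothing about who issued the Response. The `hasattr` call is redundant with the attribute read that follows it: `fmt = getattr(self.response.issuer, "format", None)` followed by `if fmt and fmt != "urn:oasis:names:tc:SAML:2.0:nameid-format:entity":` expresses the same omitted-or-entity rule as one condition. validate_issuer starts and ends outside the hunk.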
@@ -496,6 +495,7 @@ def authn_response(self, context, binding):
 authn_context_class_ref=authn_context_classref,
 return_addrs=authn_response.return_addrs,
 allowed_acrs=self.config["spid_allowed_acrs"],
+ cie_mode = True
 )
 try:
 validator.run()
diff --git a/example/backends/spidsaml2_validator.py b/example/backends/spidsaml2_validator.py
index a83258b3..1db0af26 100644
--- a/example/backends/spidsaml2_validator.py
+++ b/example/backends/spidsaml2_validator.py
@@ -34,6 +34,7 @@ def __init__(
 authn_context_class_ref="https://www.spid.gov.it/SpidL2",
 return_addrs=[],
 allowed_acrs=[],
+ cie_mode = False
 ):
 self.response = samlp.response_from_string(authn_response)
@@ -45,6 +46,7 @@ def __init__(
 self.return_addrs = return_addrs
 self.issuer = issuer
 self.allowed_acrs = allowed_acrs
+ self.cie_mode = cie_mode
 # handled adding authn req arguments in the session state (cookie)
 def validate_in_response_to(self):
@@ -88,13 +90,14 @@ def validate_issuer(self):
 '!= "urn:oasis:names:tc:SAML:2.0:nameid-format:entity"'
 )
- msg = "Issuer format is not valid: {}. {}"
- # 70, 71
- assiss = self.response.assertion[0].issuer
- if not hasattr(assiss, "format") or not getattr(assiss, "format", None):
- raise SPIDValidatorException(
- msg.format(self.response.issuer.format, _ERROR_TROUBLESHOOT)
- )
+ if not self.cie_mode:
+ msg = "Issuer format is not valid: {}. {}"
+ # 70, 71
+ assiss = self.response.assertion[0].issuer
+ if not hasattr(assiss, "format") or not getattr(assiss, "format", None):
+ raise SPIDValidatorException(
+ msg.format(self.response.issuer.format, _ERROR_TROUBLESHOOT)
+ )
 # 72
 for i in self.response.assertion:
From f4c9501e37b298472c6d4f5df8d77280fdee2504 Mon Sep 17 00:00:00 2001
From: Giuseppe De Marco
Date: Wed, 21 Feb 2024 14:25:20 +0100
Subject: [PATCH 5/5] fix: SPIDA validator cie_mode - test 72
---
 example/backends/spidsaml2_validator.py | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)
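Review bot: `cie_mode = True` puts spaces around `=` in a keyword argument, unlike the neighbouring `return_addrs=...` and `allowed_acrs=...` lines and PEP 8, and it is the only argument in the list without a trailing comma. Write it as `cie_mode=True,` so the call matches the surrounding black-style argument list. The enclosing authn_response starts and ends outside the hunk.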
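Review bot: The new `cie_mode` parameter is undocumented and its name does not say which checks it relaxes; a reader of `__init__` has to find the `if not self.cie_mode:` in validate_issuer, further down this patch, to learn that it skips the assertion Issuer/@Format check (SPID tests 70 and 71). Add a line to the `__init__` or class docstring such as `cie_mode: when True, skip the SPID-only assertion Issuer/@Format checks (tests 70, 71) that CIE IdP responses do not satisfy`, and write the default as `cie_mode=False,` (no spaces, trailing comma) to match the neighbouring parameters. Because it is a boolean switch, consider making it keyword-only (`*, cie_mode=False`) so positional callers cannot set it by accident; the only caller shown, in ciesaml2.py, already passes it by keyword. __init__ starts and ends outside the hunk.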
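Review bot: Inside the new `if not self.cie_mode:` block, `self.response.assertion[0]` raises IndexError when the Response carries no Assertion, turning a malformed Response into an unhandled exception instead of the SPIDValidatorException callers expect; unless a check before this hunk guarantees at least one assertion, guard it first with `if not self.response.assertion: raise SPIDValidatorException(msg.format(None, _ERROR_TROUBLESHOOT))`. The message raised for tests 70/71 also reports `self.response.issuer.format`, the Response Issuer's value, although the value that failed is the assertion's; `msg.format(getattr(assiss, "format", None), _ERROR_TROUBLESHOOT)` reports the right one. With this patch `msg` is bound only inside the `if`, while the `# 72` loop in the trailing context still calls `msg.format(...)`, so in cie_mode a Format mismatch there would surface as NameError; PATCH 5/5 moves that loop under the same guard. validate_issuer starts and ends outside the hunk.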
diff --git a/example/backends/spidsaml2_validator.py b/example/backends/spidsaml2_validator.py
index 1db0af26..a99027f5 100644
--- a/example/backends/spidsaml2_validator.py
+++ b/example/backends/spidsaml2_validator.py
@@ -99,13 +99,13 @@ def validate_issuer(self):
 msg.format(self.response.issuer.format, _ERROR_TROUBLESHOOT)
 )
- # 72
- for i in self.response.assertion:
- if i.issuer.format != "urn:oasis:names:tc:SAML:2.0:nameid-format:entity":
- raise SPIDValidatorException(
- msg.format(self.response.issuer.format,
- _ERROR_TROUBLESHOOT)
- )
+ # 72
+ for i in self.response.assertion:
+ if i.issuer.format != "urn:oasis:names:tc:SAML:2.0:nameid-format:entity":
+ raise SPIDValidatorException(
+ msg.format(self.response.issuer.format,
+ _ERROR_TROUBLESHOOT)
+ )
 def validate_assertion_version(self):
 """spid saml check 35"""
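Review bot: Re-indenting the `# 72` loop under `if not self.cie_mode:` (the guard sits just above the hunk) disables the assertion Issuer/@Format check entirely in CIE mode, whereas test 30 for the Response Issuer earlier in this function was relaxed to omitted-or-entity rather than removed; if the CIE profile likewise only omits the attribute, the loop should keep rejecting a present Format that is not the entity URN. Independently of that, the error reports `self.response.issuer.format`, the Response Issuer's value which already passed test 30, instead of the offending assertion's `i.issuer.format`. The sketch below hoists `msg` above the `if` so it is always bound, applies the relaxed rule per assertion, and reports the assertion's own value; whether CIE permits a non-entity Format needs confirming against the profile before adopting it. validate_issuer starts outside the hunk and ends at the line before `def validate_assertion_version`.
```python
msg = "Issuer format is not valid: {}. {}"
if not self.cie_mode:
    # … unchanged: tests 70, 71 on self.response.assertion[0].issuer …
# 72: in cie_mode the assertion Issuer/@Format MAY be omitted, but when
# present it must still be the entity format
for i in self.response.assertion:
    fmt = getattr(i.issuer, "format", None)
    if fmt != "urn:oasis:names:tc:SAML:2.0:nameid-format:entity" and (
        fmt or not self.cie_mode
    ):
        raise SPIDValidatorException(msg.format(fmt, _ERROR_TROUBLESHOOT))
```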