From 86373e8a5fad71d68caae7d3af554a00099dc9a8 Mon Sep 17 00:00:00 2001
From: Mikhail Katasonov
Date: Fri, 10 Jun 2016 13:55:17 +0200
Subject: [PATCH] Add the support for multiple Audiences within one AudienceRestriction
---
 lib/Net/SAML2/Protocol/Assertion.pm | 14 ++++++++++----
 t/03-assertions.t | 6 +++++-
 2 files changed, 15 insertions(+), 5 deletions(-)
diff --git a/lib/Net/SAML2/Protocol/Assertion.pm b/lib/Net/SAML2/Protocol/Assertion.pm
index fb2d9e4..18ec4a5 100644
--- a/lib/Net/SAML2/Protocol/Assertion.pm
+++ b/lib/Net/SAML2/Protocol/Assertion.pm
@@ -25,7 +25,7 @@ has 'session' => (isa => Str, is => 'ro', required => 1);
 has 'nameid' => (isa => Str, is => 'ro', required => 1);
 has 'not_before' => (isa => DateTime, is => 'ro', required => 1);
 has 'not_after' => (isa => DateTime, is => 'ro', required => 1);
-has 'audience' => (isa => NonEmptySimpleStr, is => 'ro', required => 1);
+has 'audience' => (isa => HashRef[NonEmptySimpleStr], is => 'ro', required => 1);
 =head1 METHODS
@@ -51,7 +51,13 @@ sub new_from_xml {
 map { $_->string_value } @values ]; }
-
+
+ my %audiences = ();
+ for my $audience_restriction ($xpath->findnodes('//saml:Conditions/saml:AudienceRestriction')) {
+ my @values = $audience_restriction->findnodes('saml:Audience');
+ %audiences = map { $_->string_value => 1 } @values;
+ }
+
 my $not_before = DateTime::Format::XSD->parse_datetime( $xpath->findvalue('//saml:Conditions/@NotBefore')->value );
@@ -63,7 +69,7 @@ sub new_from_xml {
 attributes => $attributes,
 session => $xpath->findvalue('//saml:AuthnStatement/@SessionIndex')->value,
 nameid => $xpath->findvalue('//saml:Subject/saml:NameID')->value,
- audience => $xpath->findvalue('//saml:Conditions/saml:AudienceRestriction/saml:Audience')->value,
+ audience => \%audiences,
 not_before => $not_before,
 not_after => $not_after,
 );
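Review bot: The `HashRef[NonEmptySimpleStr]` constraint on `audience` in the `@@ -25,7 +25,7 @@` hunk applies to the hash values, which `new_from_xml` always sets to `1`, so the audience URIs themselves (the keys) are no longer checked for being non-empty as the old `NonEmptySimpleStr` constraint did. An empty `Audience` element would therefore produce a `''` key, and `valid('')` passes the `defined` guard and the hash lookup. I would drop empty values when the set is built, e.g. `my @uris = grep { length } map { $_->string_value } @values;`, and state in the POD that `audience` is now a hashref keyed by the permitted Audience URIs, since callers that compared the old string with `eq` will stop matching.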
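Review bot: `%audiences = map { $_->string_value => 1 } @values;` inside the `for` loop of the `@@ -51,7 +51,13 @@` hunk replaces the whole set on every iteration, so when an assertion carries more than one `AudienceRestriction` only the last one is kept. SAML 2.0 core treats the audiences inside one restriction as alternatives but requires every restriction to be satisfied, so `valid()` would accept an audience that an earlier restriction excludes. Keeping the intersection across restrictions enforces all of them and leaves the `audience` hashref interface as the patch defines it. `new_from_xml` starts and ends outside this hunk.

```perl
    my %audiences;
    my $seen_restriction = 0;
    for my $audience_restriction ($xpath->findnodes('//saml:Conditions/saml:AudienceRestriction')) {
        my %allowed = map { $_->string_value => 1 } $audience_restriction->findnodes('saml:Audience');
        if ($seen_restriction++) {
            # Later restrictions narrow the set: keep only audiences named in every one.
            delete @audiences{ grep { !$allowed{$_} } keys %audiences };
        }
        else {
            %audiences = %allowed;
        }
    }
    # … unchanged: NotBefore / NotOnOrAfter parsing …
```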
@@ -95,7 +101,7 @@ sub valid {
 my ($self, $audience) = @_;
 return 0 unless defined $audience;
- return 0 unless ($audience eq $self->audience);
+ return 0 unless ($self->audience->{$audience});
 my $now = DateTime::->now;
diff --git a/t/03-assertions.t b/t/03-assertions.t
index 9c7cb18..6f74bcd 100644
--- a/t/03-assertions.t
+++ b/t/03-assertions.t
@@ -39,6 +39,7 @@ my $xml = < http://ct.local
+ http://ct2.local
@@ -79,7 +80,8 @@ is($assertion->attributes->{Phone2}->[2], '345678');
 isa_ok($assertion->not_before, 'DateTime');
 isa_ok($assertion->not_after, 'DateTime');
-is($assertion->audience, 'http://ct.local');
+is($assertion->audience->{'http://ct.local'}, 1);
+is($assertion->audience->{'http://ct2.local'}, 1);
 is($assertion->valid('foo'), 0);
 is($assertion->valid('http://ct.local'), 0);
@@ -87,8 +89,10 @@ is($assertion->valid('http://ct.local'), 0);
 $assertion->{not_before} = DateTime->now;
 $assertion->{not_after} = DateTime->now->add( minutes => 15);
 is($assertion->valid('http://ct.local'), 1);
+is($assertion->valid('http://ct2.local'), 1);
 $assertion->{not_before} = DateTime->now->add( minutes => 5 );
 is($assertion->valid('http://ct.local'), 0);
+is($assertion->valid('http://ct2.local'), 0);
 done_testing;
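Review bot: The fixture change in the `@@ -39,6 +39,7 @@` hunk of `t/03-assertions.t` only adds a second `Audience` inside the existing restriction, so no test covers an assertion with two `AudienceRestriction` elements or with none. Those are the inputs where the new loop in `new_from_xml` decides which audiences survive, and the later hunks assert only the single-restriction case. I would add a second fixture with two restrictions and assert that an audience listed in only one of them is rejected, e.g. `is($assertion2->valid('http://ct.local'), 0);` (with `$assertion2` built from that fixture), plus a fixture without any restriction asserting that `valid` returns 0.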