New release 2.1.0. Add ForceAuh and IsPassive support

Author: pitbulk

README.md

@@ -96,6 +96,13 @@ You can install it executing:
 If you want to know how a project can handle python packages review this [guide](https://packaging.python.org/en/latest/tutorial.html) and review this [sampleproject](https://github.com/pypa/sampleproject)
 
 
+Security warning
+----------------
+
+In production, the **strict** parameter MUST be set as **"true"**. Otherwise 
+your environment is not secure and will be exposed to attacks.
+
+
 Getting started
 ---------------
 
@@ -447,6 +454,10 @@ We can set a 'return_to' url parameter to the login function and that will be co
 target_url = 'https://example.com'
 auth.login(return_to=target_url)
 ```
+The login method can recieve 2 more optional parameters:
+
+* force_authn  When true the AuthNReuqest will set the ForceAuthn='true'
+* is_passive   When true the AuthNReuqest will set the Ispassive='true'
 
 #### The SP Endpoints ####
 

docs/saml2/saml2.html

@@ -232,13 +232,18 @@ <h1>OneLogin saml2 Module<a class="headerlink" href="#onelogin-saml2-package" ti
 
 <dl class="method">
 <dt id="saml2.auth.OneLogin_Saml2_Auth.login">
-<tt class="descname">login</tt><big>(</big><em>return_to=None</em><big>)</big><a class="reference internal" href="_modules/saml2/auth.html#OneLogin_Saml2_Auth.login"><span class="viewcode-link">[source]</span></a><a class="headerlink" href="#saml2.auth.OneLogin_Saml2_Auth.login" title="Permalink to this definition">¶</a></dt>
+<tt class="descname">login</tt><big>(</big><em>return_to=None</em>, <em>force_authn=False</em>, <em>is_passive=False</em><big>)</big><a class="reference internal" href="_modules/saml2/auth.html#OneLogin_Saml2_Auth.login"><span class="viewcode-link">[source]</span></a><a class="headerlink" href="#saml2.auth.OneLogin_Saml2_Auth.login" title="Permalink to this definition">¶</a></dt>
 <dd><p>Initiates the SSO process.</p>
 <table class="docutils field-list" frame="void" rules="none">
 <col class="field-name" />
 <col class="field-body" />
 <tbody valign="top">
-<tr class="field-odd field"><th class="field-name">Parameters:</th><td class="field-body"><strong>return_to</strong> (<em>string</em>) &#8211; Optional argument. The target URL the user should be redirected to after login.</td>
+<tr class="field-odd field"><th class="field-name">Parameters:</th><td class="field-body"><ul class="first simple">
+<li><strong>return_to</strong> (<em>string</em>) &#8211; Optional argument. The target URL the user should be redirected to after login.</li>
+<li><strong>force_authn</strong> (<em>bool</em>) &#8211; Optional argument. When true the AuthNReuqest will set the ForceAuthn='true'.</li>
+<li><strong>is_passive</strong> (<em>bool</em>) &#8211; Optional argument. When true the AuthNReuqest will set the Ispassive='true'.</li>
+</ul>
+</td>
 </tr>
 <tr class="field-even field"><th class="field-name">Returns:</th><td class="field-body">Redirection url</td>
 </tr>
@@ -346,7 +351,7 @@ <h1>OneLogin saml2 Module<a class="headerlink" href="#onelogin-saml2-package" ti
 <span id="authn-request-module"></span><h2><tt class="xref py py-mod docutils literal"><span class="pre">authn_request</span></tt> Class<a class="headerlink" href="#module-saml2.authn_request" title="Permalink to this headline">¶</a></h2>
 <dl class="class">
 <dt id="saml2.authn_request.OneLogin_Saml2_Authn_Request">
-<em class="property">class </em><tt class="descclassname">onelogin.saml2.authn_request.</tt><tt class="descname">OneLogin_Saml2_Authn_Request</tt><big>(</big><em>settings</em><big>)</big><a class="reference internal" href="_modules/saml2/authn_request.html#OneLogin_Saml2_Authn_Request"><span class="viewcode-link">[source]</span></a><a class="headerlink" href="#saml2.authn_request.OneLogin_Saml2_Authn_Request" title="Permalink to this definition">¶</a></dt>
+<em class="property">class </em><tt class="descclassname">onelogin.saml2.authn_request.</tt><tt class="descname">OneLogin_Saml2_Authn_Request</tt><big>(</big><em>settings</em>, <em>force_authn=False</em>, <em>is_passive=False</em><big>)</big><a class="reference internal" href="_modules/saml2/authn_request.html#OneLogin_Saml2_Authn_Request"><span class="viewcode-link">[source]</span></a><a class="headerlink" href="#saml2.authn_request.OneLogin_Saml2_Authn_Request" title="Permalink to this definition">¶</a></dt>
 <dd><dl class="method">
 <dt id="saml2.authn_request.OneLogin_Saml2_Authn_Request.get_request">
 <tt class="descname">get_request</tt><big>(</big><big>)</big><a class="reference internal" href="_modules/saml2/authn_request.html#OneLogin_Saml2_Authn_Request.get_request"><span class="viewcode-link">[source]</span></a><a class="headerlink" href="#saml2.authn_request.OneLogin_Saml2_Authn_Request.get_request" title="Permalink to this definition">¶</a></dt>

setup.py

@@ -9,7 +9,7 @@
 
 setup(
     name='python-saml',
-    version='2.0.2',
+    version='2.1.0',
     description='Onelogin Python Toolkit. Add SAML support to your Python software using this library',
     classifiers=[
         'Development Status :: 4 - Beta',

src/onelogin/saml2/auth.py

@@ -247,16 +247,22 @@ def get_attribute(self, name):
             value = self.__attributes[name]
         return value
 
-    def login(self, return_to=None):
+    def login(self, return_to=None, force_authn=False, is_passive=False):
         """
         Initiates the SSO process.
 
         :param return_to: Optional argument. The target URL the user should be redirected to after login.
         :type return_to: string
 
+        :param force_authn: Optional argument. When true the AuthNReuqest will set the ForceAuthn='true'.
+        :type force_authn: string
+
+        :param is_passive: Optional argument. When true the AuthNReuqest will set the Ispassive='true'.
+        :type is_passive: string
+
         :returns: Redirection url
         """
-        authn_request = OneLogin_Saml2_Authn_Request(self.__settings)
+        authn_request = OneLogin_Saml2_Authn_Request(self.__settings, force_authn, is_passive)
 
         saml_request = authn_request.get_request()
         parameters = {'SAMLRequest': saml_request}

src/onelogin/saml2/authn_request.py

@@ -24,12 +24,18 @@ class OneLogin_Saml2_Authn_Request(object):
 
     """
 
-    def __init__(self, settings):
+    def __init__(self, settings, force_authn=False, is_passive=False):
         """
         Constructs the AuthnRequest object.
 
-        Arguments are:
-            * (OneLogin_Saml2_Settings)   settings. Setting data
+        :param settings: OSetting data
+        :type return_to: OneLogin_Saml2_Settings
+
+        :param force_authn: Optional argument. When true the AuthNReuqest will set the ForceAuthn='true'.
+        :type force_authn: bool
+
+        :param is_passive: Optional argument. When true the AuthNReuqest will set the Ispassive='true'.
+        :type is_passive: bool
         """
         self.__settings = settings
 
@@ -58,6 +64,14 @@ def __init__(self, settings):
             if 'displayname' in organization_data[lang] and organization_data[lang]['displayname'] is not None:
                 provider_name_str = 'ProviderName="%s"' % organization_data[lang]['displayname']
 
+        force_authn_str = ''
+        if force_authn is True:
+            force_authn_str = 'ForceAuthn="true"'
+
+        is_passive_str = ''
+        if is_passive is True:
+            is_passive_str = 'IsPassive="true"'
+
         requested_authn_context_str = ''
         if 'requestedAuthnContext' in security.keys() and security['requestedAuthnContext'] is not False:
             if security['requestedAuthnContext'] is True:
@@ -76,6 +90,8 @@ def __init__(self, settings):
     ID="%(id)s"
     Version="2.0"
     %(provider_name)s
+    %(force_authn_str)s
+    %(is_passive_str)s
     IssueInstant="%(issue_instant)s"
     Destination="%(destination)s"
     ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
@@ -89,6 +105,8 @@ def __init__(self, settings):
             {
                 'id': uid,
                 'provider_name': provider_name_str,
+                'force_authn_str': force_authn_str,
+                'is_passive_str': is_passive_str,
                 'issue_instant': issue_instant,
                 'destination': destination,
                 'assertion_url': sp_data['assertionConsumerService']['url'],

tests/src/OneLogin/saml2_tests/auth_test.py

@@ -582,6 +582,74 @@ def testLoginSigned(self):
         self.assertIn(return_to, parsed_query['RelayState'])
         self.assertIn(OneLogin_Saml2_Constants.RSA_SHA1, parsed_query['SigAlg'])
 
+    def testLoginForceAuthN(self):
+        """
+        Tests the login method of the OneLogin_Saml2_Auth class
+        Case Logout with no parameters. A AuthN Request is built with ForceAuthn and redirect executed
+        """
+        settings_info = self.loadSettingsJSON()
+        return_to = u'http://example.com/returnto'
+        sso_url = settings_info['idp']['singleSignOnService']['url']
+
+        auth = OneLogin_Saml2_Auth(self.get_request(), old_settings=settings_info)
+        target_url = auth.login(return_to)
+        parsed_query = parse_qs(urlparse(target_url)[4])
+        sso_url = settings_info['idp']['singleSignOnService']['url']
+        self.assertIn(sso_url, target_url)
+        self.assertIn('SAMLRequest', parsed_query)
+        request = OneLogin_Saml2_Utils.decode_base64_and_inflate(parsed_query['SAMLRequest'][0])
+        self.assertNotIn('ForceAuthn="true"', request)
+
+        auth_2 = OneLogin_Saml2_Auth(self.get_request(), old_settings=settings_info)
+        target_url_2 = auth_2.login(return_to, False, False)
+        parsed_query_2 = parse_qs(urlparse(target_url_2)[4])
+        self.assertIn(sso_url, target_url_2)
+        self.assertIn('SAMLRequest', parsed_query_2)
+        request_2 = OneLogin_Saml2_Utils.decode_base64_and_inflate(parsed_query_2['SAMLRequest'][0])
+        self.assertNotIn('ForceAuthn="true"', request_2)
+
+        auth_3 = OneLogin_Saml2_Auth(self.get_request(), old_settings=settings_info)
+        target_url_3 = auth_3.login(return_to, True, False)
+        parsed_query_3 = parse_qs(urlparse(target_url_3)[4])
+        self.assertIn(sso_url, target_url_3)
+        self.assertIn('SAMLRequest', parsed_query_3)
+        request_3 = OneLogin_Saml2_Utils.decode_base64_and_inflate(parsed_query_3['SAMLRequest'][0])
+        self.assertIn('ForceAuthn="true"', request_3)
+
+    def testLoginIsPassive(self):
+        """
+        Tests the login method of the OneLogin_Saml2_Auth class
+        Case Logout with no parameters. A AuthN Request is built with IsPassive and redirect executed
+        """
+        settings_info = self.loadSettingsJSON()
+        return_to = u'http://example.com/returnto'
+        sso_url = settings_info['idp']['singleSignOnService']['url']
+
+        auth = OneLogin_Saml2_Auth(self.get_request(), old_settings=settings_info)
+        target_url = auth.login(return_to)
+        parsed_query = parse_qs(urlparse(target_url)[4])
+        sso_url = settings_info['idp']['singleSignOnService']['url']
+        self.assertIn(sso_url, target_url)
+        self.assertIn('SAMLRequest', parsed_query)
+        request = OneLogin_Saml2_Utils.decode_base64_and_inflate(parsed_query['SAMLRequest'][0])
+        self.assertNotIn('IsPassive="true"', request)
+
+        auth_2 = OneLogin_Saml2_Auth(self.get_request(), old_settings=settings_info)
+        target_url_2 = auth_2.login(return_to, False, False)
+        parsed_query_2 = parse_qs(urlparse(target_url_2)[4])
+        self.assertIn(sso_url, target_url_2)
+        self.assertIn('SAMLRequest', parsed_query_2)
+        request_2 = OneLogin_Saml2_Utils.decode_base64_and_inflate(parsed_query_2['SAMLRequest'][0])
+        self.assertNotIn('IsPassive="true"', request_2)
+
+        auth_3 = OneLogin_Saml2_Auth(self.get_request(), old_settings=settings_info)
+        target_url_3 = auth_3.login(return_to, False, True)
+        parsed_query_3 = parse_qs(urlparse(target_url_3)[4])
+        self.assertIn(sso_url, target_url_3)
+        self.assertIn('SAMLRequest', parsed_query_3)
+        request_3 = OneLogin_Saml2_Utils.decode_base64_and_inflate(parsed_query_3['SAMLRequest'][0])
+        self.assertIn('IsPassive="true"', request_3)
+
     def testLogout(self):
         """
         Tests the logout method of the OneLogin_Saml2_Auth class

tests/src/OneLogin/saml2_tests/authn_request_test.py

@@ -117,6 +117,62 @@ def testCreateRequestAuthContext(self):
         self.assertIn(OneLogin_Saml2_Constants.AC_PASSWORD_PROTECTED, inflated)
         self.assertIn(OneLogin_Saml2_Constants.AC_X509, inflated)
 
+    def testCreateRequestForceAuthN(self):
+        """
+        Tests the OneLogin_Saml2_Authn_Request Constructor.
+        The creation of a deflated SAML Request with ForceAuthn="true"
+        """
+        saml_settings = self.loadSettingsJSON()
+        settings = OneLogin_Saml2_Settings(saml_settings)
+        authn_request = OneLogin_Saml2_Authn_Request(settings)
+        authn_request_encoded = authn_request.get_request()
+        decoded = b64decode(authn_request_encoded)
+        inflated = decompress(decoded, -15)
+        self.assertRegexpMatches(inflated, '^<samlp:AuthnRequest')
+        self.assertNotIn('ForceAuthn="true"', inflated)
+
+        authn_request_2 = OneLogin_Saml2_Authn_Request(settings, False, False)
+        authn_request_encoded_2 = authn_request_2.get_request()
+        decoded_2 = b64decode(authn_request_encoded_2)
+        inflated_2 = decompress(decoded_2, -15)
+        self.assertRegexpMatches(inflated_2, '^<samlp:AuthnRequest')
+        self.assertNotIn('ForceAuthn="true"', inflated_2)
+
+        authn_request_3 = OneLogin_Saml2_Authn_Request(settings, True, False)
+        authn_request_encoded_3 = authn_request_3.get_request()
+        decoded_3 = b64decode(authn_request_encoded_3)
+        inflated_3 = decompress(decoded_3, -15)
+        self.assertRegexpMatches(inflated_3, '^<samlp:AuthnRequest')
+        self.assertIn('ForceAuthn="true"', inflated_3)
+
+    def testCreateRequestIsPassive(self):
+        """
+        Tests the OneLogin_Saml2_Authn_Request Constructor.
+        The creation of a deflated SAML Request with IsPassive="true"
+        """
+        saml_settings = self.loadSettingsJSON()
+        settings = OneLogin_Saml2_Settings(saml_settings)
+        authn_request = OneLogin_Saml2_Authn_Request(settings)
+        authn_request_encoded = authn_request.get_request()
+        decoded = b64decode(authn_request_encoded)
+        inflated = decompress(decoded, -15)
+        self.assertRegexpMatches(inflated, '^<samlp:AuthnRequest')
+        self.assertNotIn('IsPassive="true"', inflated)
+
+        authn_request_2 = OneLogin_Saml2_Authn_Request(settings, False, False)
+        authn_request_encoded_2 = authn_request_2.get_request()
+        decoded_2 = b64decode(authn_request_encoded_2)
+        inflated_2 = decompress(decoded_2, -15)
+        self.assertRegexpMatches(inflated_2, '^<samlp:AuthnRequest')
+        self.assertNotIn('IsPassive="true"', inflated_2)
+
+        authn_request_3 = OneLogin_Saml2_Authn_Request(settings, False, True)
+        authn_request_encoded_3 = authn_request_3.get_request()
+        decoded_3 = b64decode(authn_request_encoded_3)
+        inflated_3 = decompress(decoded_3, -15)
+        self.assertRegexpMatches(inflated_3, '^<samlp:AuthnRequest')
+        self.assertIn('IsPassive="true"', inflated_3)
+
     def testCreateDeflatedSAMLRequestURLParameter(self):
         """
         Tests the OneLogin_Saml2_Authn_Request Constructor.