Single Log Out Fix, Add nameID & sessionIndex support Related to #38

Author: pitbulk

src/onelogin/saml2/auth.py

@@ -272,7 +272,7 @@ def login(self, return_to=None):
             parameters['Signature'] = self.build_request_signature(saml_request, parameters['RelayState'])
         return self.redirect_to(self.get_sso_url(), parameters)
 
-    def logout(self, return_to=None):
+    def logout(self, return_to=None, name_id=None, session_index=None):
         """
         Initiates the SLO process.
 
@@ -288,7 +288,10 @@ def logout(self, return_to=None):
                 OneLogin_Saml2_Error.SAML_SINGLE_LOGOUT_NOT_SUPPORTED
             )
 
-        logout_request = OneLogin_Saml2_Logout_Request(self.__settings)
+        if name_id is None and self.__nameid is not None:
+            name_id = self.__nameid
+
+        logout_request = OneLogin_Saml2_Logout_Request(self.__settings, name_id=name_id, session_index=session_index)
 
         saml_request = logout_request.get_request()
 

src/onelogin/saml2/logout_request.py

@@ -29,7 +29,7 @@ class OneLogin_Saml2_Logout_Request(object):
 
     """
 
-    def __init__(self, settings, request=None):
+    def __init__(self, settings, request=None, name_id=None, session_index=None):
         """
         Constructs the Logout Request object.
 
@@ -45,20 +45,30 @@ def __init__(self, settings, request=None):
             security = self.__settings.get_security_data()
 
             uid = OneLogin_Saml2_Utils.generate_unique_id()
-            name_id_value = OneLogin_Saml2_Utils.generate_unique_id()
             issue_instant = OneLogin_Saml2_Utils.parse_time_to_SAML(OneLogin_Saml2_Utils.now())
 
             cert = None
             if 'nameIdEncrypted' in security and security['nameIdEncrypted']:
                 cert = idp_data['x509cert']
 
-            name_id = OneLogin_Saml2_Utils.generate_name_id(
-                name_id_value,
+            if name_id is not None:
+                nameIdFormat = sp_data['NameIDFormat']
+            else:
+                name_id = idp_data['entityId']
+                nameIdFormat = OneLogin_Saml2_Constants.NAMEID_ENTITY
+
+            name_id_obj = OneLogin_Saml2_Utils.generate_name_id(
+                name_id,
                 sp_data['entityId'],
-                sp_data['NameIDFormat'],
+                nameIdFormat,
                 cert
             )
 
+            if session_index:
+                session_index_str = '<samlp:SessionIndex>%s</samlp:SessionIndex>' % session_index
+            else:
+                session_index_str = ''
+
             logout_request = """<samlp:LogoutRequest
         xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
         xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
@@ -68,13 +78,15 @@ def __init__(self, settings, request=None):
         Destination="%(single_logout_url)s">
         <saml:Issuer>%(entity_id)s</saml:Issuer>
         %(name_id)s
+        %(session_index)s
     </samlp:LogoutRequest>""" % \
                 {
                     'id': uid,
                     'issue_instant': issue_instant,
                     'single_logout_url': idp_data['singleLogoutService']['url'],
                     'entity_id': sp_data['entityId'],
-                    'name_id': name_id,
+                    'name_id': name_id_obj,
+                    'session_index': session_index_str,
                 }
         else:
             decoded = b64decode(request)

tests/src/OneLogin/saml2_tests/auth_test.py

@@ -13,6 +13,7 @@
 from onelogin.saml2.constants import OneLogin_Saml2_Constants
 from onelogin.saml2.settings import OneLogin_Saml2_Settings
 from onelogin.saml2.utils import OneLogin_Saml2_Utils
+from onelogin.saml2.logout_request import OneLogin_Saml2_Logout_Request
 
 
 class OneLogin_Saml2_Auth_Test(unittest.TestCase):
@@ -95,9 +96,25 @@ def testGetSessionIndex(self):
         auth2.process_response()
         self.assertEqual('_6273d77b8cde0c333ec79d22a9fa0003b9fe2d75cb', auth2.get_session_index())
 
+    def testGetLastErrorReason(self):
+        """
+        Tests the get_last_error_reason method of the OneLogin_Saml2_Auth class
+        Case Invalid Response
+        """
+        request_data = self.get_request()
+        message = self.file_contents(join(self.data_path, 'responses', 'response1.xml.base64'))
+        del request_data['get_data']
+        request_data['post_data'] = {
+            'SAMLResponse': message
+        }
+        auth = OneLogin_Saml2_Auth(request_data, old_settings=self.loadSettingsJSON())
+        auth.process_response()
+
+        self.assertEqual(auth.get_last_error_reason(), 'Signature validation failed. SAML Response rejected')
+
     def testProcessNoResponse(self):
         """
-        Tests the processResponse method of the OneLogin_Saml2_Auth class
+        Tests the process_response method of the OneLogin_Saml2_Auth class
         Case No Response, An exception is throw
         """
         auth = OneLogin_Saml2_Auth(self.get_request(), old_settings=self.loadSettingsJSON())
@@ -645,6 +662,53 @@ def testLogoutNoSLO(self):
         except Exception as e:
             self.assertIn('The IdP does not support Single Log Out', e.message)
 
+    def testLogoutNameIDandSessionIndex(self):
+        """
+        Tests the logout method of the OneLogin_Saml2_Auth class
+        Case nameID and sessionIndex as parameters.
+        """
+        settings_info = self.loadSettingsJSON()
+        request_data = self.get_request()
+        auth = OneLogin_Saml2_Auth(request_data, old_settings=settings_info)
+
+        name_id = 'name_id_example'
+        session_index = 'session_index_example'
+        target_url = auth.logout(name_id=name_id, session_index=session_index)
+        parsed_query = parse_qs(urlparse(target_url)[4])
+        slo_url = settings_info['idp']['singleLogoutService']['url']
+        self.assertIn(slo_url, target_url)
+        self.assertIn('SAMLRequest', parsed_query)
+
+        logout_request = OneLogin_Saml2_Utils.decode_base64_and_inflate(parsed_query['SAMLRequest'][0])
+        name_id_from_request =  OneLogin_Saml2_Logout_Request.get_nameid(logout_request)
+        sessions_index_in_request = OneLogin_Saml2_Logout_Request.get_session_indexes(logout_request)
+        self.assertIn(session_index, sessions_index_in_request)
+        self.assertEqual(name_id, name_id_from_request)
+
+    def testLogoutNameID(self):
+        """
+        Tests the logout method of the OneLogin_Saml2_Auth class
+        Case nameID loaded after process SAML Response
+        """
+        request_data = self.get_request()
+        message = self.file_contents(join(self.data_path, 'responses', 'valid_response.xml.base64'))
+        del request_data['get_data']
+        request_data['post_data'] = {
+            'SAMLResponse': message
+        }
+        auth = OneLogin_Saml2_Auth(request_data, old_settings=self.loadSettingsJSON())
+        auth.process_response()
+
+        name_id_from_response = auth.get_nameid()
+
+        target_url = auth.logout()
+        parsed_query = parse_qs(urlparse(target_url)[4])
+        self.assertIn('SAMLRequest', parsed_query)
+        logout_request = OneLogin_Saml2_Utils.decode_base64_and_inflate(parsed_query['SAMLRequest'][0])
+
+        name_id_from_request =  OneLogin_Saml2_Logout_Request.get_nameid(logout_request)
+        self.assertEqual(name_id_from_response, name_id_from_request)
+
     def testSetStrict(self):
         """
         Tests the set_strict method of the OneLogin_Saml2_Auth