Improve NameIdFormat support. Be able to provide a NameIDFormat to LogoutRequest

pitbulk · pitbulk · commit c45c0f8ae029 · 2017-03-12T12:57:19.000+01:00
diff --git a/demo-flask/saml/advanced_settings.json b/demo-flask/saml/advanced_settings.json
@@ -10,7 +10,8 @@
         "wantNameId" : true,
         "wantNameIdEncrypted": false,
         "wantAssertionsEncrypted": false,
-        "signatureAlgorithm": "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
+        "signatureAlgorithm": "http://www.w3.org/2000/09/xmldsig#rsa-sha1",
+        "digestAlgorithm": "http://www.w3.org/2000/09/xmldsig#sha1"
     },
     "contactPerson": {
         "technical": {
diff --git a/src/onelogin/saml2/auth.py b/src/onelogin/saml2/auth.py
@@ -54,6 +54,7 @@ def __init__(self, request_data, old_settings=None, custom_base_path=None):
             self.__settings = OneLogin_Saml2_Settings(old_settings, custom_base_path)
         self.__attributes = dict()
         self.__nameid = None
+        self.__nameid_format = None
         self.__session_index = None
         self.__session_expiration = None
         self.__authenticated = False
@@ -100,6 +101,7 @@ def process_response(self, request_id=None):
             if response.is_valid(self.__request_data, request_id):
                 self.__attributes = response.get_attributes()
                 self.__nameid = response.get_nameid()
+                self.__nameid_format = response.get_nameid_format()
                 self.__session_index = response.get_session_index()
                 self.__session_expiration = response.get_session_not_on_or_after()
                 self.__authenticated = True
@@ -221,6 +223,15 @@ def get_nameid(self):
         """
         return self.__nameid
 
+    def get_nameid_format(self):
+        """
+        Returns the nameID Format.
+
+        :returns: NameID Format
+        :rtype: string|None
+        """
+        return self.__nameid_format
+
     def get_session_index(self):
         """
         Returns the SessionIndex from the AuthnStatement.
@@ -311,7 +322,7 @@ def login(self, return_to=None, force_authn=False, is_passive=False, set_nameid_
             self.add_request_signature(parameters, security['signatureAlgorithm'])
         return self.redirect_to(self.get_sso_url(), parameters)
 
-    def logout(self, return_to=None, name_id=None, session_index=None, nq=None):
+    def logout(self, return_to=None, name_id=None, session_index=None, nq=None, name_id_format=None):
         """
         Initiates the SLO process.
 
@@ -327,6 +338,9 @@ def logout(self, return_to=None, name_id=None, session_index=None, nq=None):
         :param nq: IDP Name Qualifier
         :type: string
 
+        :param name_id_format: The NameID Format that will be set in the LogoutRequest.
+        :type: string
+
         :returns: Redirection URL
         """
         slo_url = self.get_slo_url()
@@ -339,11 +353,15 @@ def logout(self, return_to=None, name_id=None, session_index=None, nq=None):
         if name_id is None and self.__nameid is not None:
             name_id = self.__nameid
 
+        if name_id_format is None and self.__nameid_format is not None:
+            name_id_format = self.__nameid_format
+
         logout_request = OneLogin_Saml2_Logout_Request(
             self.__settings,
             name_id=name_id,
             session_index=session_index,
-            nq=nq
+            nq=nq,
+            name_id_format=name_id_format
         )
         self.__last_request = logout_request.get_xml()
         self.__last_request_id = logout_request.id
diff --git a/src/onelogin/saml2/logout_request.py b/src/onelogin/saml2/logout_request.py
@@ -25,7 +25,7 @@ class OneLogin_Saml2_Logout_Request(object):
 
     """
 
-    def __init__(self, settings, request=None, name_id=None, session_index=None, nq=None):
+    def __init__(self, settings, request=None, name_id=None, session_index=None, nq=None, name_id_format=None):
         """
         Constructs the Logout Request object.
 
@@ -43,6 +43,9 @@ def __init__(self, settings, request=None, name_id=None, session_index=None, nq=
 
         :param nq: IDP Name Qualifier
         :type: string
+
+        :param name_id_format: The NameID Format that will be set in the LogoutRequest.
+        :type: string
         """
         self.__settings = settings
         self.__error = None
@@ -63,7 +66,8 @@ def __init__(self, settings, request=None, name_id=None, session_index=None, nq=
                 cert = idp_data['x509cert']
 
             if name_id is not None:
-                name_id_format = sp_data['NameIDFormat']
+                if name_id_format is None:
+                    name_id_format = sp_data['NameIDFormat']
                 sp_name_qualifier = None
             else:
                 name_id = idp_data['entityId']
@@ -75,7 +79,8 @@ def __init__(self, settings, request=None, name_id=None, session_index=None, nq=
                 sp_name_qualifier,
                 name_id_format,
                 cert,
-                nq=nq,
+                False,
+                nq
             )
 
             if session_index:
@@ -194,6 +199,23 @@ def get_nameid(request, key=None):
         name_id = OneLogin_Saml2_Logout_Request.get_nameid_data(request, key)
         return name_id['Value']
 
+    @staticmethod
+    def get_nameid_format(request, key=None):
+        """
+        Gets the NameID Format of the Logout Request Message
+        :param request: Logout Request Message
+        :type request: string|DOMDocument
+        :param key: The SP key
+        :type key: string
+        :return: Name ID Format
+        :rtype: string
+        """
+        name_id_format = None
+        name_id_data = OneLogin_Saml2_Logout_Request.get_nameid_data(request, key)
+        if name_id_data and 'Format' in name_id_data.keys():
+            name_id_format = name_id_data['Format']
+        return name_id_format
+
     @staticmethod
     def get_issuer(request):
         """
diff --git a/src/onelogin/saml2/response.py b/src/onelogin/saml2/response.py
@@ -444,6 +444,19 @@ def get_nameid(self):
             nameid_value = nameid_data['Value']
         return nameid_value
 
+    def get_nameid_format(self):
+        """
+        Gets the NameID Format provided by the SAML Response from the IdP
+
+        :returns: NameID Format
+        :rtype: string|None
+        """
+        nameid_format = None
+        nameid_data = self.get_nameid_data()
+        if nameid_data and 'Format' in nameid_data.keys():
+            nameid_format = nameid_data['Format']
+        return nameid_format
+
     def get_session_not_on_or_after(self):
         """
         Gets the SessionNotOnOrAfter from the AuthnStatement
diff --git a/src/onelogin/saml2/utils.py b/src/onelogin/saml2/utils.py
@@ -584,7 +584,8 @@ def generate_name_id(value, sp_nq, sp_format, cert=None, debug=False, nq=None):
         name_id = OneLogin_Saml2_XML.make_child(root, '{%s}NameID' % OneLogin_Saml2_Constants.NS_SAML)
         if sp_nq is not None:
             name_id.set('SPNameQualifier', sp_nq)
-        name_id.set('Format', sp_format)
+        if sp_format is not None:
+            name_id.set('Format', sp_format)
         if nq is not None:
             name_id.set('NameQualifier', nq)
         name_id.text = value
diff --git a/tests/src/OneLogin/saml2_tests/auth_test.py b/tests/src/OneLogin/saml2_tests/auth_test.py
@@ -24,15 +24,16 @@
 class OneLogin_Saml2_Auth_Test(unittest.TestCase):
     data_path = join(dirname(__file__), '..', '..', '..', 'data')
 
-    def loadSettingsJSON(self):
-        filename = join(dirname(__file__), '..', '..', '..', 'settings', 'settings1.json')
+    def loadSettingsJSON(self, filename=None):
+        if filename:
+            filename = join(dirname(__file__), '..', '..', '..', 'settings', filename)
+        else:
+            filename = join(dirname(__file__), '..', '..', '..', 'settings', 'settings1.json')
         if exists(filename):
             stream = open(filename, 'r')
             settings = json.load(stream)
             stream.close()
             return settings
-        else:
-            raise Exception('Settings json file does not exist')
 
     def file_contents(self, filename):
         f = open(filename, 'r')
@@ -810,14 +811,29 @@ def testLogoutNameID(self):
         auth.process_response()
 
         name_id_from_response = auth.get_nameid()
+        name_id_format_from_response = auth.get_nameid_format()
 
         target_url = auth.logout()
         parsed_query = parse_qs(urlparse(target_url)[4])
         self.assertIn('SAMLRequest', parsed_query)
         logout_request = OneLogin_Saml2_Utils.decode_base64_and_inflate(parsed_query['SAMLRequest'][0])
 
         name_id_from_request = OneLogin_Saml2_Logout_Request.get_nameid(logout_request)
+        name_id_format_from_request = OneLogin_Saml2_Logout_Request.get_nameid_format(logout_request)
         self.assertEqual(name_id_from_response, name_id_from_request)
+        self.assertEqual(name_id_format_from_response, name_id_format_from_request)
+
+        new_name_id = "new_name_id"
+        new_name_id_format = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
+        target_url_2 = auth.logout(name_id=new_name_id, name_id_format=new_name_id_format)
+        parsed_query = parse_qs(urlparse(target_url_2)[4])
+        self.assertIn('SAMLRequest', parsed_query)
+        logout_request = OneLogin_Saml2_Utils.decode_base64_and_inflate(parsed_query['SAMLRequest'][0])
+
+        name_id_from_request = OneLogin_Saml2_Logout_Request.get_nameid(logout_request)
+        name_id_format_from_request = OneLogin_Saml2_Logout_Request.get_nameid_format(logout_request)
+        self.assertEqual(new_name_id, name_id_from_request)
+        self.assertEqual(new_name_id_format, name_id_format_from_request)
 
     def testSetStrict(self):
         """
@@ -840,6 +856,98 @@ def testSetStrict(self):
 
         self.assertRaises(AssertionError, auth.set_strict, '42')
 
+    def testIsAuthenticated(self):
+        """
+        Tests the is_authenticated method of the OneLogin_Saml2_Auth
+        """
+        request_data = self.get_request()
+        del request_data['get_data']
+        message = self.file_contents(join(self.data_path, 'responses', 'response1.xml.base64'))
+        request_data['post_data'] = {
+            'SAMLResponse': message
+        }
+        auth = OneLogin_Saml2_Auth(request_data, old_settings=self.loadSettingsJSON())
+        auth.process_response()
+        self.assertFalse(auth.is_authenticated())
+
+        message = self.file_contents(join(self.data_path, 'responses', 'valid_response.xml.base64'))
+        request_data['post_data'] = {
+            'SAMLResponse': message
+        }
+        auth = OneLogin_Saml2_Auth(request_data, old_settings=self.loadSettingsJSON())
+        auth.process_response()
+        self.assertTrue(auth.is_authenticated())
+
+    def testGetNameId(self):
+        """
+        Tests the get_nameid method of the OneLogin_Saml2_Auth
+        """
+        settings = self.loadSettingsJSON()
+        request_data = self.get_request()
+        del request_data['get_data']
+        message = self.file_contents(join(self.data_path, 'responses', 'response1.xml.base64'))
+        request_data['post_data'] = {
+            'SAMLResponse': message
+        }
+        auth = OneLogin_Saml2_Auth(request_data, old_settings=settings)
+        auth.process_response()
+        self.assertFalse(auth.is_authenticated())
+        self.assertEqual(auth.get_nameid(), None)
+
+        message = self.file_contents(join(self.data_path, 'responses', 'valid_response.xml.base64'))
+        request_data['post_data'] = {
+            'SAMLResponse': message
+        }
+        auth = OneLogin_Saml2_Auth(request_data, old_settings=settings)
+        auth.process_response()
+        self.assertTrue(auth.is_authenticated())
+        self.assertEqual("492882615acf31c8096b627245d76ae53036c090", auth.get_nameid())
+
+        settings_2 = self.loadSettingsJSON('settings2.json')
+        message = self.file_contents(join(self.data_path, 'responses', 'signed_message_encrypted_assertion2.xml.base64'))
+        request_data['post_data'] = {
+            'SAMLResponse': message
+        }
+        auth = OneLogin_Saml2_Auth(request_data, old_settings=settings_2)
+        auth.process_response()
+        self.assertTrue(auth.is_authenticated())
+        self.assertEqual("25ddd7d34a7d79db69167625cda56a320adf2876", auth.get_nameid())
+
+    def testGetNameIdFormat(self):
+        """
+        Tests the get_nameid_format method of the OneLogin_Saml2_Auth
+        """
+        settings = self.loadSettingsJSON()
+        request_data = self.get_request()
+        del request_data['get_data']
+        message = self.file_contents(join(self.data_path, 'responses', 'response1.xml.base64'))
+        request_data['post_data'] = {
+            'SAMLResponse': message
+        }
+        auth = OneLogin_Saml2_Auth(request_data, old_settings=settings)
+        auth.process_response()
+        self.assertFalse(auth.is_authenticated())
+        self.assertEqual(auth.get_nameid_format(), None)
+
+        message = self.file_contents(join(self.data_path, 'responses', 'valid_response.xml.base64'))
+        request_data['post_data'] = {
+            'SAMLResponse': message
+        }
+        auth = OneLogin_Saml2_Auth(request_data, old_settings=settings)
+        auth.process_response()
+        self.assertTrue(auth.is_authenticated())
+        self.assertEqual("urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress", auth.get_nameid_format())
+
+        settings_2 = self.loadSettingsJSON('settings2.json')
+        message = self.file_contents(join(self.data_path, 'responses', 'signed_message_encrypted_assertion2.xml.base64'))
+        request_data['post_data'] = {
+            'SAMLResponse': message
+        }
+        auth = OneLogin_Saml2_Auth(request_data, old_settings=settings_2)
+        auth.process_response()
+        self.assertTrue(auth.is_authenticated())
+        self.assertEqual("urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified", auth.get_nameid_format())
+
     def testBuildRequestSignature(self):
         """
         Tests the build_request_signature method of the OneLogin_Saml2_Auth
diff --git a/tests/src/OneLogin/saml2_tests/logout_request_test.py b/tests/src/OneLogin/saml2_tests/logout_request_test.py
@@ -145,6 +145,17 @@ def testGetNameIdData(self):
         with self.assertRaisesRegexp(Exception, 'NameID not found in the Logout Request'):
             OneLogin_Saml2_Logout_Request.get_nameid(inv_request)
 
+        idp_data = settings.get_idp_data()
+        expected_name_id_data = {
+            'Format': 'urn:oasis:names:tc:SAML:2.0:nameid-format:emailAddress',
+            'NameQualifier': idp_data['entityId'],
+            'Value': 'ONELOGIN_9c86c4542ab9d6fce07f2f7fd335287b9b3cdf69'
+        }
+
+        logout_request = OneLogin_Saml2_Logout_Request(settings, None, expected_name_id_data['Value'], None, idp_data['entityId'], expected_name_id_data['Format'])
+        name_id_data_3 = OneLogin_Saml2_Logout_Request.get_nameid_data(logout_request.get_xml())
+        self.assertEqual(expected_name_id_data, name_id_data_3)
+
     def testGetNameId(self):
         """
         Tests the get_nameid of the OneLogin_Saml2_LogoutRequest
diff --git a/tests/src/OneLogin/saml2_tests/response_test.py b/tests/src/OneLogin/saml2_tests/response_test.py
