Handle request without nameid_policy in SAML frontend.

Don't assume the request will contain a nameid policy,
but default to requesting a transient identifier from the
backing provider.

Author: Rebecka Gulliksson

src/satosa/frontends/saml2.py

@@ -19,7 +19,7 @@
 from saml2.server import Server
 
 from satosa.frontends.base import FrontendModule
-from satosa.internal_data import InternalRequest, DataConverter
+from satosa.internal_data import InternalRequest, DataConverter, UserIdHashType
 from satosa.logging_util import satosa_logging
 from satosa.util import response, get_saml_name_id_format, saml_name_format_to_hash_type
 
@@ -102,7 +102,8 @@ def save_state(self, context, resp_args, relay_state):
         :param relay_state: Request relay state
         :return: A state as a dict
         """
-        resp_args["name_id_policy"] = resp_args["name_id_policy"].to_string().decode("utf-8")
+        if "name_id_policy" in resp_args and resp_args["name_id_policy"] is not None:
+            resp_args["name_id_policy"] = resp_args["name_id_policy"].to_string().decode("utf-8")
         return {"resp_args": resp_args,
                 "relay_state": relay_state}
 
@@ -262,12 +263,17 @@ def _handle_authn_request(self, context, binding_in, idp):
             except IndexError:
                 pass
 
-            internal_req = InternalRequest(
-                saml_name_format_to_hash_type(extracted_request['req_args']
-                                              ['name_id_policy'].format),
-                extracted_request["resp_args"]["sp_entity_id"],
-                requester_name
-            )
+            name_format = None
+            if 'name_id_policy' in extracted_request['req_args']:
+                name_format = saml_name_format_to_hash_type(
+                    extracted_request['req_args']['name_id_policy'].format)
+            if name_format is None:
+                # default to requesting transient name id
+                name_format = UserIdHashType.transient
+
+            internal_req = InternalRequest(name_format,
+                                           extracted_request["resp_args"]["sp_entity_id"],
+                                           requester_name)
 
             # Get attribute filter
             idp_policy = idp.config.getattr("policy", "idp")

tests/satosa/frontends/test_saml2.py

@@ -40,6 +40,35 @@ class TestSamlFrontend:
     def construct_base_url_from_entity_id(self, entity_id):
         return "{parsed.scheme}://{parsed.netloc}".format(parsed=urlparse(entity_id))
 
+    def setup_for_authn_req(self, idp_conf, sp_conf, nameid_format):
+        base = self.construct_base_url_from_entity_id(idp_conf["entityid"])
+        config = {"idp_config": idp_conf, "endpoints": ENDPOINTS, "base": base,
+                  "state_id": "state_id"}
+        sp_metadata_str = create_metadata_from_config_dict(sp_conf)
+        idp_conf["metadata"]["inline"] = [sp_metadata_str]
+
+        samlfrontend = SamlFrontend(lambda context, internal_req: (context, internal_req),
+                                    INTERNAL_ATTRIBUTES, config)
+        samlfrontend.register_endpoints(["saml"])
+
+        idp_metadata_str = create_metadata_from_config_dict(samlfrontend.config)
+        sp_conf["metadata"]["inline"].append(idp_metadata_str)
+
+        fakesp = FakeSP(None, config=SPConfig().load(sp_conf, metadata_construction=False))
+        context = Context()
+        context.state = State()
+        context.request = parse.parse_qs(
+                urlparse(fakesp.make_auth_req(samlfrontend.config["entityid"], nameid_format)).query)
+        tmp_dict = {}
+        for val in context.request:
+            if isinstance(context.request[val], list):
+                tmp_dict[val] = context.request[val][0]
+            else:
+                tmp_dict[val] = context.request[val]
+        context.request = tmp_dict
+
+        return context, samlfrontend
+
     @pytest.mark.parametrize("conf", [
         None,
         {"idp_config_notok": {}, "endpoints": {}, "base": "base",
@@ -76,31 +105,29 @@ def test_handle_authn_request(self, idp_conf, sp_conf):
         """
         Performs a complete test for the module. The flow should be accepted.
         """
-        base = self.construct_base_url_from_entity_id(idp_conf["entityid"])
-        config = {"idp_config": idp_conf, "endpoints": ENDPOINTS, "base": base,
-                  "state_id": "state_id"}
-        sp_metadata_str = create_metadata_from_config_dict(sp_conf)
-        idp_conf["metadata"]["inline"] = [sp_metadata_str]
+        context, samlfrontend = self.setup_for_authn_req(idp_conf, sp_conf, None)
+        _, internal_req = samlfrontend.handle_authn_request(context, BINDING_HTTP_REDIRECT)
+        assert internal_req.requestor == sp_conf["entityid"]
 
-        samlfrontend = SamlFrontend(lambda context, internal_req: (context, internal_req),
-                                    INTERNAL_ATTRIBUTES, config)
-        samlfrontend.register_endpoints(["saml"])
+        auth_info = AuthenticationInformation(PASSWORD, "2015-09-30T12:21:37Z", "unittest_idp.xml")
+        internal_response = InternalResponse(auth_info=auth_info)
+        internal_response.set_user_id_hash_type(internal_req.user_id_hash_type)
+        internal_response.add_attributes(USERS["testuser1"])
+
+        resp = samlfrontend.handle_authn_response(context, internal_response)
+        resp_dict = parse_qs(urlparse(resp.message).query)
 
-        idp_metadata_str = create_metadata_from_config_dict(samlfrontend.config)
-        sp_conf["metadata"]["inline"].append(idp_metadata_str)
         fakesp = FakeSP(None, config=SPConfig().load(sp_conf, metadata_construction=False))
-        context = Context()
-        context.state = State()
-        context.request = parse.parse_qs(
-                urlparse(fakesp.make_auth_req(samlfrontend.config["entityid"])).query)
-        tmp_dict = {}
-        for val in context.request:
-            if isinstance(context.request[val], list):
-                tmp_dict[val] = context.request[val][0]
-            else:
-                tmp_dict[val] = context.request[val]
-        context.request = tmp_dict
+        resp = fakesp.parse_authn_request_response(resp_dict['SAMLResponse'][0],
+                                                   BINDING_HTTP_REDIRECT)
+        for key in resp.ava:
+            assert USERS["testuser1"][key] == resp.ava[key]
 
+    def test_handle_authn_request_without_name_id_policy(self, idp_conf, sp_conf):
+        """
+        Performs a complete test for the module. The flow should be accepted.
+        """
+        context, samlfrontend = self.setup_for_authn_req(idp_conf, sp_conf, "")
         _, internal_req = samlfrontend.handle_authn_request(context, BINDING_HTTP_REDIRECT)
         assert internal_req.requestor == sp_conf["entityid"]
 
@@ -111,6 +138,8 @@ def test_handle_authn_request(self, idp_conf, sp_conf):
 
         resp = samlfrontend.handle_authn_response(context, internal_response)
         resp_dict = parse_qs(urlparse(resp.message).query)
+
+        fakesp = FakeSP(None, config=SPConfig().load(sp_conf, metadata_construction=False))
         resp = fakesp.parse_authn_request_response(resp_dict['SAMLResponse'][0],
                                                    BINDING_HTTP_REDIRECT)
         for key in resp.ava:

tests/util.py

@@ -37,7 +37,7 @@ def __init__(self, config_module, config=None):
             config = config_factory('sp', config_module)
         Saml2Client.__init__(self, config)
 
-    def make_auth_req(self, entity_id):
+    def make_auth_req(self, entity_id, nameid_format=None):
         """
         :type entity_id: str
         :rtype: str
@@ -62,7 +62,7 @@ def make_auth_req(self, entity_id):
                 break
 
         req_id, req = self.create_authn_request(destination,
-                                                binding=return_binding)
+                                                binding=return_binding, nameid_format=nameid_format)
         ht_args = self.apply_binding(_binding, '%s' % req, destination,
                                      relay_state='hello')
 
@@ -86,7 +86,8 @@ def __init__(self, user_db, config):
         server.Server.__init__(self, config=config)
         self.user_db = user_db
 
-    def handle_auth_req(self, saml_request, relay_state, binding, userid, response_binding=BINDING_HTTP_POST):
+    def handle_auth_req(self, saml_request, relay_state, binding, userid,
+                        response_binding=BINDING_HTTP_POST):
         """
         Handles a SAML request, validates and creates a SAML response.
         :type saml_request: str
@@ -124,7 +125,7 @@ def handle_auth_req(self, saml_request, relay_state, binding, userid, response_b
             resp = {'SAMLResponse': saml_response, 'RelayState': relay_state}
         elif response_binding == BINDING_HTTP_REDIRECT:
             http_args = self.apply_binding(response_binding, '%s' % _resp,
-                                       destination, relay_state, response=True)
+                                           destination, relay_state, response=True)
             resp = dict(parse_qsl(urlparse(dict(http_args["headers"])["Location"]).query))
 
         return destination, resp