Do not send NameID with no TextContent

skoranda · skoranda · commit 919a288619cc · 2018-12-08T07:24:15.000-06:00
Fix to the SAMLFrontend so that it will not create and return to the SP
a SAML &lt;NameID&gt; that has no TextContent, since that is not valid
SAML.
diff --git a/src/satosa/frontends/saml2.py b/src/satosa/frontends/saml2.py
@@ -308,15 +308,24 @@ def _handle_authn_response(self, context, internal_response, idp):
                 ava.pop(k, None)
 
         nameid_value = internal_response.subject_id
-        nameid_format = subject_type_to_saml_nameid_format(
-            internal_response.subject_type
-        )
-        name_id = NameID(
-            text=nameid_value,
-            format=nameid_format,
-            sp_name_qualifier=None,
-            name_qualifier=None,
-        )
+
+        # If the backend did not receive a SAML <NameID> and so
+        # name_id is set to None then do not create a NameID instance.
+        # Instead pass None as the name name_id to the IdP server
+        # instance and it will use its configured policy to construct
+        # a <NameID>, with the default to create a transient <NameID>.
+        if nameid_value is None:
+            name_id = None
+        else:
+            nameid_format = subject_type_to_saml_nameid_format(
+                internal_response.subject_type
+            )
+            name_id = NameID(
+                text=nameid_value,
+                format=nameid_format,
+                sp_name_qualifier=None,
+                name_qualifier=None,
+            )
 
         dbgmsg = "returning attributes %s" % json.dumps(ava)
         satosa_logging(logger, logging.DEBUG, dbgmsg, context.state)
diff --git a/tests/satosa/frontends/test_saml2.py b/tests/satosa/frontends/test_saml2.py
@@ -190,11 +190,34 @@ def test_handle_authn_response_without_relay_state(self, context, idp_conf, sp_c
         fakesp = FakeSP(SPConfig().load(sp_conf, metadata_construction=False))
         resp = fakesp.parse_authn_request_response(resp_dict["SAMLResponse"][0],
                                                    BINDING_HTTP_REDIRECT)
+
         for key in resp.ava:
             assert USERS["testuser1"][key] == resp.ava[key]
 
         assert samlfrontend.name not in context.state
 
+    def test_handle_authn_response_without_name_id(
+                          self, context, idp_conf, sp_conf, internal_response):
+        samlfrontend = self.setup_for_authn_req(
+                                  context, idp_conf, sp_conf, relay_state=None)
+        _, internal_req = samlfrontend.handle_authn_request(
+                                                context, BINDING_HTTP_REDIRECT)
+
+        # Make sure we are testing the equivalent of a <Response> with no
+        # <NameID> in the <Subject>.
+        assert internal_response.subject_type is None
+        assert internal_response.subject_id is None
+
+        resp = samlfrontend.handle_authn_response(context, internal_response)
+        resp_dict = parse_qs(urlparse(resp.message).query)
+
+        fakesp = FakeSP(SPConfig().load(sp_conf, metadata_construction=False))
+        resp = fakesp.parse_authn_request_response(
+                           resp_dict["SAMLResponse"][0], BINDING_HTTP_REDIRECT)
+
+        # The <NameID> must not have an empty TextContent.
+        assert resp.name_id.text is not None
+
     def test_get_filter_attributes_with_sp_requested_attributes_without_friendlyname(self, idp_conf):
         sp_metadata_str = """<?xml version="1.0"?>
         <md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="http://sp.example.com">
