Store NameID as subject_id from authn-requests

c00kiemon5ter · c00kiemon5ter · commit f3db4d0fb18b · 2018-11-10T00:00:13.000+02:00
The Subject/NameID text value is stored in the internal data structure
as subject_id.  It can be used to forward an authn-request with the same
Subject element.

The Subject/NameID format is also available, but it remains to be
discussed how it should be handle in relation to the specified (name_id)
policy or the metadata settings.

Signed-off-by: Ivan Kanakarakis &lt;ivan.kanak@gmail.com&gt;
diff --git a/src/satosa/frontends/saml2.py b/src/satosa/frontends/saml2.py
@@ -208,11 +208,14 @@ def _handle_authn_request(self, context, binding_in, idp):
             else:
                 name_format = NAMEID_FORMAT_TRANSIENT
 
-        # XXX TODO support nameid on request
-        # subject = authn_req.subject
-        # identifier = subject.text if subject else None
+        subject = authn_req.subject
+        subject_id = subject.name_id.text if subject else None
+        # XXX TODO how should type be handled in relation to name_format above?
+        # subject_type = subject.name_id.format if subject else None
+
         requester_name = self._get_sp_display_name(idp, requester)
         internal_req = InternalData(
+            subject_id=subject_id,
             subject_type=name_format,
             requester=requester,
             requester_name=requester_name,
diff --git a/tests/satosa/frontends/test_saml2.py b/tests/satosa/frontends/test_saml2.py
@@ -18,6 +18,7 @@
 from saml2.saml import NAMEID_FORMAT_PERSISTENT
 from saml2.saml import NAMEID_FORMAT_EMAILADDRESS
 from saml2.saml import NAMEID_FORMAT_UNSPECIFIED
+from saml2.saml import NameID, Subject
 from saml2.samlp import NameIDPolicy
 
 from satosa.attribute_mapping import AttributeMapper
@@ -57,7 +58,8 @@ def construct_base_url_from_entity_id(self, entity_id):
         return "{parsed.scheme}://{parsed.netloc}".format(parsed=urlparse(entity_id))
 
     def setup_for_authn_req(self, context, idp_conf, sp_conf, nameid_format=None, relay_state="relay_state",
-                            internal_attributes=INTERNAL_ATTRIBUTES, extra_config={}):
+                            internal_attributes=INTERNAL_ATTRIBUTES, extra_config={},
+                            subject=None):
         config = {"idp_config": idp_conf, "endpoints": ENDPOINTS}
         config.update(extra_config)
         sp_metadata_str = create_metadata_from_config_dict(sp_conf)
@@ -72,7 +74,12 @@ def setup_for_authn_req(self, context, idp_conf, sp_conf, nameid_format=None, re
         sp_conf["metadata"]["inline"].append(idp_metadata_str)
 
         fakesp = FakeSP(SPConfig().load(sp_conf, metadata_construction=False))
-        destination, auth_req = fakesp.make_auth_req(samlfrontend.idp_config["entityid"], nameid_format, relay_state)
+        destination, auth_req = fakesp.make_auth_req(
+            samlfrontend.idp_config["entityid"],
+            nameid_format,
+            relay_state,
+            subject=subject,
+        )
         context.request = auth_req
         tmp_dict = {}
         for val in context.request:
@@ -147,6 +154,18 @@ def test_handle_authn_request(self, context, idp_conf, sp_conf, internal_respons
         for key in resp.ava:
             assert USERS["testuser1"][key] == resp.ava[key]
 
+    def test_create_authn_request_with_subject(self, context, idp_conf, sp_conf, internal_response):
+        name_id_value = 'somenameid'
+        name_id = NameID(format=NAMEID_FORMAT_UNSPECIFIED, text=name_id_value)
+        subject = Subject(name_id=name_id)
+        samlfrontend = self.setup_for_authn_req(
+            context, idp_conf, sp_conf, subject=subject
+        )
+        _, internal_req = samlfrontend.handle_authn_request(context, BINDING_HTTP_REDIRECT)
+        assert internal_req.subject_id == name_id_value
+        # XXX TODO how should type be handled?
+        # assert internal_req.subject_type == NAMEID_FORMAT_UNSPECIFIED
+
     def test_handle_authn_request_without_name_id_policy_default_to_name_id_format_from_metadata(
             self, context, idp_conf, sp_conf):
         samlfrontend = self.setup_for_authn_req(context, idp_conf, sp_conf, nameid_format="")
diff --git a/tests/util.py b/tests/util.py
@@ -38,7 +38,8 @@ def __init__(self, config):
         Saml2Client.__init__(self, config)
 
     def make_auth_req(self, entity_id, nameid_format=None, relay_state="relay_state",
-                      request_binding=BINDING_HTTP_REDIRECT, response_binding=BINDING_HTTP_REDIRECT):
+                      request_binding=BINDING_HTTP_REDIRECT, response_binding=BINDING_HTTP_REDIRECT,
+                      subject=None):
         """
         :type entity_id: str
         :rtype: str
@@ -52,8 +53,17 @@ def make_auth_req(self, entity_id, nameid_format=None, relay_state="relay_state"
             [request_binding], 'idpsso',
             entity_id=entity_id)
 
-        req_id, req = self.create_authn_request(destination,
-                                                binding=response_binding, nameid_format=nameid_format)
+        kwargs = {}
+        if subject:
+            kwargs['subject'] = subject
+
+        req_id, req = self.create_authn_request(
+            destination,
+            binding=response_binding,
+            nameid_format=nameid_format,
+            **kwargs
+        )
+
         ht_args = self.apply_binding(_binding, '%s' % req, destination,
                                      relay_state=relay_state)
 
