pass assertion_info dic instead of assertion object

lucyeun-alation · lucyeun-alation · commit 774e85db2e09 · 2021-04-14T16:46:25.000-07:00
diff --git a/djangosaml2/backends.py b/djangosaml2/backends.py
@@ -106,7 +106,7 @@ def _get_attribute_value(self, django_field: str, attributes: dict, attribute_ma
                          'value is missing. Probably the user '
                          'session is expired.')
 
-    def authenticate(self, request, session_info=None, attribute_mapping=None, create_unknown_user=True, assertion=None, **kwargs):
+    def authenticate(self, request, session_info=None, attribute_mapping=None, create_unknown_user=True, assertion_info=None, **kwargs):
         if session_info is None or attribute_mapping is None:
             logger.info('Session info or attribute mapping are None')
             return None
@@ -121,7 +121,7 @@ def authenticate(self, request, session_info=None, attribute_mapping=None, creat
 
         logger.debug(f'attributes: {attributes}')
 
-        if not self.is_authorized(attributes, attribute_mapping, idp_entityid, assertion):
+        if not self.is_authorized(attributes, attribute_mapping, idp_entityid, assertion_info):
             logger.error('Request not authorized')
             return None
 
@@ -194,7 +194,7 @@ def clean_attributes(self, attributes: dict, idp_entityid: str, **kwargs) -> dic
         """ Hook to clean or filter attributes from the SAML response. No-op by default. """
         return attributes
 
-    def is_authorized(self, attributes: dict, attribute_mapping: dict, idp_entityid: str, assertion: object, **kwargs) -> bool:
+    def is_authorized(self, attributes: dict, attribute_mapping: dict, idp_entityid: str, assertion_info: dict, **kwargs) -> bool:
         """ Hook to allow custom authorization policies based on SAML attributes. True by default. """
         return True
 
diff --git a/djangosaml2/views.py b/djangosaml2/views.py
@@ -419,6 +419,8 @@ def post(self, request, attribute_mapping=None, create_unknown_user=None):
 
         # authenticate the remote user
         session_info = response.session_info()
+        assertion = response.assertion
+        assertion_info = {'assertion_id': assertion.id, 'not_on_or_after': assertion.conditions.not_on_or_after if assertion.conditions else None}
 
         if callable(attribute_mapping):
             attribute_mapping = attribute_mapping()
@@ -431,7 +433,7 @@ def post(self, request, attribute_mapping=None, create_unknown_user=None):
                                  session_info=session_info,
                                  attribute_mapping=attribute_mapping,
                                  create_unknown_user=create_unknown_user,
-                                 assertion=response.assertion)
+                                 assertion_info=assertion_info)
         if user is None:
             logger.warning(
                 "Could not authenticate user received in SAML Assertion. Session info: %s", session_info)
diff --git a/tests/testprofiles/tests.py b/tests/testprofiles/tests.py
@@ -21,7 +21,6 @@
 from django.core.exceptions import ImproperlyConfigured
 from django.test import TestCase, override_settings
 from djangosaml2.backends import Saml2Backend, set_attribute
-from saml2.saml import Assertion
 
 from testprofiles.models import TestUser
 
@@ -105,7 +104,7 @@ def test_extract_user_identifier_params_use_nameid_missing(self):
                 self.assertEqual(lookup_value, None)
 
     def test_is_authorized(self):
-        self.assertTrue(self.backend.is_authorized({}, {}, '', None))
+        self.assertTrue(self.backend.is_authorized({}, {}, '', {}))
 
     def test_clean_attributes(self):
         attributes = {'random': 'dummy', 'value': 123}
@@ -334,9 +333,9 @@ def test_deprecations(self):
 class CustomizedBackend(Saml2Backend):
     """ Override the available methods with some customized implementation to test customization
     """
-    def is_authorized(self, attributes, attribute_mapping, idp_entityid: str, assertion, **kwargs):
+    def is_authorized(self, attributes, attribute_mapping, idp_entityid: str, assertion_info, **kwargs):
         ''' Allow only staff users from the IDP '''
-        return attributes.get('is_staff', (None, ))[0] == True and getattr(assertion, 'id', None) != None
+        return attributes.get('is_staff', (None, ))[0] == True and assertion_info.get('assertion_id', None) != None
     
     def clean_attributes(self, attributes: dict, idp_entityid: str, **kwargs) -> dict:
         ''' Keep only age attribute '''
@@ -369,12 +368,15 @@ def test_is_authorized(self):
             'cn': ('John', ),
             'sn': ('Doe', ),
             }
-        assertion = Assertion()
-        self.assertFalse(self.backend.is_authorized(attributes, attribute_mapping, '', assertion))
+        assertion_info = {
+            'assertion_id': None,
+            'not_on_or_after': None,
+        }
+        self.assertFalse(self.backend.is_authorized(attributes, attribute_mapping, '', assertion_info))
         attributes['is_staff'] = (True, )
-        self.assertFalse(self.backend.is_authorized(attributes, attribute_mapping, '', assertion))
-        assertion.id = 'abcdefg12345'
-        self.assertTrue(self.backend.is_authorized(attributes, attribute_mapping, '', assertion))
+        self.assertFalse(self.backend.is_authorized(attributes, attribute_mapping, '', assertion_info))
+        assertion_info['assertion_id'] = 'abcdefg12345'
+        self.assertTrue(self.backend.is_authorized(attributes, attribute_mapping, '', assertion_info))
 
     def test_clean_attributes(self):
         attributes = {'random': 'dummy', 'value': 123, 'age': '28'}
@@ -400,7 +402,10 @@ def test_authenticate(self):
             'age': ('28', ),
             'is_staff': (True, ),
             }
-        assertion = Assertion(id='abcdefg12345')
+        assertion_info = {
+            'assertion_id': 'abcdefg12345',
+            'not_on_or_after': '',
+        }
 
         self.assertEqual(self.user.age, '')
         self.assertEqual(self.user.is_staff, False)
@@ -414,7 +419,7 @@ def test_authenticate(self):
             None,
             session_info={'random': 'content'},
             attribute_mapping=attribute_mapping,
-            assertion=assertion,
+            assertion_info=assertion_info,
         )
         self.assertIsNone(user)
 
@@ -423,7 +428,7 @@ def test_authenticate(self):
                 None,
                 session_info={'ava': attributes, 'issuer': 'dummy_entity_id'},
                 attribute_mapping=attribute_mapping,
-                assertion=assertion,
+                assertion_info=assertion_info,
             )
             self.assertIsNone(user)
 
@@ -432,7 +437,7 @@ def test_authenticate(self):
             None,
             session_info={'ava': attributes, 'issuer': 'dummy_entity_id'},
             attribute_mapping=attribute_mapping,
-            assertion=assertion,
+            assertion_info=assertion_info,
         )
         self.assertIsNone(user)
 
@@ -441,7 +446,7 @@ def test_authenticate(self):
             None,
             session_info={'ava': attributes, 'issuer': 'dummy_entity_id'},
             attribute_mapping=attribute_mapping,
-            assertion=assertion,
+            assertion_info=assertion_info,
         )
 
         self.assertEqual(user, self.user)
