Allow no attributes

Author: mhindery

CHANGES

@@ -1,6 +1,12 @@
 Changes
 =======
 
+0.X.X (to-be-released)
+-------------------
+- Allow a SSO request without any attributes besides the NameID info. Backwards-incompatible changes to allow easier behaviour differentiation, two methods now receive the idp identifier (+ **kwargs were added to introduce possible similar changes in the future with less breaking effect):
+  - Method signature changed on Saml2Backend.clean_attributes: from `clean_attributes(self, attributes: dict)` to `clean_attributes(self, attributes: dict, idp_entityid: str, **kwargs)`
+  - Methodignature changed on Saml2Backend.is_authorized: from `is_authorized(self, attributes: dict, attribute_mapping: dict)` to `is_authorized(self, attributes: dict, attribute_mapping: dict, idp_entityid: str, **kwargs)`
+
 0.30.0 (2020-07-30)
 -------------------
 - SameSite workaround with a specialized cookie, decoupled from django default

djangosaml2/backends.py

@@ -110,14 +110,13 @@ def authenticate(self, request, session_info=None, attribute_mapping=None, creat
             logger.error('"ava" key not found in session_info')
             return None
 
-        attributes = self.clean_attributes(session_info['ava'])
-        if not attributes:
-            logger.error('The (cleaned) attributes dictionary is empty')
-            return None
+        idp_entityid = session_info['issuer']
+
+        attributes = self.clean_attributes(session_info['ava'], idp_entityid)
 
         logger.debug('attributes: %s', attributes)
 
-        if not self.is_authorized(attributes, attribute_mapping):
+        if not self.is_authorized(attributes, attribute_mapping, idp_entityid):
             logger.error('Request not authorized')
             return None
 
@@ -128,7 +127,7 @@ def authenticate(self, request, session_info=None, attribute_mapping=None, creat
 
         user, created = self.get_or_create_user(
             user_lookup_key, user_lookup_value, create_unknown_user,
-            idp_entityid=session_info['issuer'], attributes=attributes, attribute_mapping=attribute_mapping, request=request
+            idp_entityid=idp_entityid, attributes=attributes, attribute_mapping=attribute_mapping, request=request
         )
 
         # Update user with new attributes from incoming request
@@ -184,11 +183,11 @@ def _update_user(self, user, attributes, attribute_mapping, force_save=False):
     # Hooks to override by end-users in subclasses
     # ############################################
 
-    def clean_attributes(self, attributes: dict) -> dict:
+    def clean_attributes(self, attributes: dict, idp_entityid: str, **kwargs) -> dict:
         """ Hook to clean or filter attributes from the SAML response. No-op by default. """
         return attributes
 
-    def is_authorized(self, attributes: dict, attribute_mapping: dict) -> bool:
+    def is_authorized(self, attributes: dict, attribute_mapping: dict, idp_entityid: str, **kwargs) -> bool:
         """ Hook to allow custom authorization policies based on SAML attributes. True by default. """
         return True
 

tests/testprofiles/tests.py

@@ -89,11 +89,11 @@ def test_user_lookup_attribute_default(self):
             self.assertEqual(self.backend._user_lookup_attribute, 'username')
 
     def test_is_authorized(self):
-        self.assertTrue(self.backend.is_authorized({}, {}))
+        self.assertTrue(self.backend.is_authorized({}, {}, ''))
 
     def test_clean_attributes(self):
         attributes = {'random': 'dummy', 'value': 123}
-        self.assertEqual(self.backend.clean_attributes(attributes), attributes)
+        self.assertEqual(self.backend.clean_attributes(attributes, ''), attributes)
 
     def test_clean_user_main_attribute(self):
         self.assertEqual(self.backend.clean_user_main_attribute('value'), 'value')
@@ -273,11 +273,11 @@ def test_get_or_create_user_create(self):
 class CustomizedBackend(Saml2Backend):
     """ Override the available methods with some customized implementation to test customization
     """
-    def is_authorized(self, attributes, attribute_mapping):
+    def is_authorized(self, attributes, attribute_mapping, idp_entityid: str, **kwargs):
         ''' Allow only staff users from the IDP '''
         return attributes.get('is_staff', (None, ))[0] == True
 
-    def clean_attributes(self, attributes: dict) -> dict:
+    def clean_attributes(self, attributes: dict, idp_entityid: str, **kwargs) -> dict:
         ''' Keep only age attribute '''
         return {
             'age': attributes.get('age', (None, )),
@@ -306,13 +306,13 @@ def test_is_authorized(self):
             'cn': ('John', ),
             'sn': ('Doe', ),
             }
-        self.assertFalse(self.backend.is_authorized(attributes, attribute_mapping))
+        self.assertFalse(self.backend.is_authorized(attributes, attribute_mapping, ''))
         attributes['is_staff'] = (True, )
-        self.assertTrue(self.backend.is_authorized(attributes, attribute_mapping))
+        self.assertTrue(self.backend.is_authorized(attributes, attribute_mapping, ''))
 
     def test_clean_attributes(self):
         attributes = {'random': 'dummy', 'value': 123, 'age': '28'}
-        self.assertEqual(self.backend.clean_attributes(attributes), {'age': '28', 'is_staff': (None,), 'uid': (None,)})
+        self.assertEqual(self.backend.clean_attributes(attributes, ''), {'age': '28', 'is_staff': (None,), 'uid': (None,)})
 
     def test_clean_user_main_attribute(self):
         self.assertEqual(self.backend.clean_user_main_attribute('va--l__ u -e'), 'va__l___u__e')