Sign logout requests according to logout_requests_signed config option

c00kiemon5ter · c00kiemon5ter · commit 4c550f537086 · 2021-04-09T13:31:03.000+03:00
Signed-off-by: Ivan Kanakarakis &lt;ivan.kanak@gmail.com&gt;
diff --git a/src/saml2/client.py b/src/saml2/client.py
@@ -280,6 +280,7 @@ def do_logout(
                 except KeyError:
                     session_indexes = None
 
+                sign = sign if sign is not None else self.logout_requests_signed
                 sign_post = False if binding == BINDING_HTTP_REDIRECT else sign
                 sign_redirect = False if binding == BINDING_HTTP_POST and sign else sign
 
diff --git a/src/saml2/entity.py b/src/saml2/entity.py
@@ -241,7 +241,11 @@ def apply_binding(
         :return: A dictionary
         """
 
-        # XXX sig-allowed should be configurable
+        # XXX SIG_ALLOWED_ALG should be configurable
+        # XXX should_sign stems from authn_requests_signed and sign_response
+        # XXX based on the type of the entity
+        # XXX but should also take into account the type of message (Authn/Logout/etc)
+        # XXX should_sign should be split and the exact config options should be checked
         sign = sign if sign is not None else self.should_sign
         sign_alg = sigalg or self.signing_algorithm
         if sign_alg not in [long_name for short_name, long_name in SIG_ALLOWED_ALG]:
