Set force_authn when the value is "true" or "1"

Following d257d30 the ForceAuthn attribute is
an xsd:boolean value which can be any of "false", "true", "0" or "1". We must
set force_authn when the value is "true" or "1".

We set the value into kwargs, which is then mirrored onto _args, which is
merged with args, which is finally given to the saml2.samlp.AuthnRequest class
to construct the object.
Previously, we set the value into args directly, which would be overwritten by
the call to _filter_args.

Signed-off-by: Ivan Kanakarakis <[email protected]>

Author: c00kiemon5ter

src/saml2/client_base.py

@@ -371,13 +371,6 @@ def create_authn_request(self, destination, vorg="", scoping=None,
         except KeyError:
             nsprefix = None
 
-        force_authn = (
-            kwargs.get("force_authn")
-            or self.config.getattr('force_authn', 'sp')
-        )
-        if str(force_authn).lower() == 'true':
-            args['force_authn'] = 'true'
-
         conf_sp_type = self.config.getattr('sp_type', 'sp')
         conf_sp_type_in_md = self.config.getattr('sp_type_in_metadata', 'sp')
         if conf_sp_type and conf_sp_type_in_md is False:
@@ -439,9 +432,17 @@ def create_authn_request(self, destination, vorg="", scoping=None,
                 extension_elements=items)
             extensions.add_extension_element(item)
 
+        force_authn = str(
+            kwargs.pop("force_authn", None)
+            or self.config.getattr("force_authn", "sp")
+        ).lower() in ["true", "1"]
+        if force_authn:
+            kwargs["force_authn"] = "true"
+
         if kwargs:
-            _args, extensions = self._filter_args(AuthnRequest(), extensions,
-                                                  **kwargs)
+            _args, extensions = self._filter_args(
+                AuthnRequest(), extensions, **kwargs
+            )
             args.update(_args)
 
         args.pop("id", None)

tests/test_51_client.py

@@ -286,16 +286,38 @@ def test_create_auth_request_0(self):
             assert c.attributes['FriendlyName']
             assert c.attributes['NameFormat']
 
-    def test_create_auth_request_unset_force_authn(self):
+    def test_create_auth_request_unset_force_authn_by_default(self):
         req_id, req = self.client.create_authn_request(
-            "http://www.example.com/sso", sign=False, message_id="id1")
-        assert bool(req.force_authn) == False
+            "http://www.example.com/sso", sign=False, message_id="id1"
+        )
+        assert req.force_authn is None
 
-    def test_create_auth_request_set_force_authn(self):
+    def test_create_auth_request_set_force_authn_not_true_or_1(self):
         req_id, req = self.client.create_authn_request(
-            "http://www.example.com/sso", sign=False, message_id="id1",
-            force_authn="true")
-        assert bool(req.force_authn) == True
+            "http://www.example.com/sso",
+            sign=False,
+            message_id="id1",
+            force_authn="0",
+        )
+        assert req.force_authn is None
+
+    def test_create_auth_request_set_force_authn_true(self):
+        req_id, req = self.client.create_authn_request(
+            "http://www.example.com/sso",
+            sign=False,
+            message_id="id1",
+            force_authn="true",
+        )
+        assert req.force_authn == "true"
+
+    def test_create_auth_request_set_force_authn_1(self):
+        req_id, req = self.client.create_authn_request(
+            "http://www.example.com/sso",
+            sign=False,
+            message_id="id1",
+            force_authn="true",
+        )
+        assert req.force_authn == "true"
 
     def test_create_auth_request_nameid_policy_allow_create(self):
         conf = config.SPConfig()