Allow logout to succeed if NotOnOrAfter expired.

Author: Serge Domkowski

src/saml2/client.py

@@ -207,7 +207,9 @@ def do_logout(self, name_id, entity_ids, reason, expire, sign=None,
                 destination = destinations(srvs)[0]
                 logger.info("destination to provider: %s", destination)
                 try:
-                    session_info = self.users.get_info_from(name_id, entity_id)
+                    session_info = self.users.get_info_from(name_id,
+                                                            entity_id,
+                                                            False)
                     session_indexes = [session_info['session_index']]
                 except KeyError:
                     session_indexes = None

src/saml2/population.py

@@ -45,8 +45,8 @@ def issuers_of_info(self, name_id):
     def get_identity(self, name_id, entities=None, check_not_on_or_after=True):
         return self.cache.get_identity(name_id, entities, check_not_on_or_after)
 
-    def get_info_from(self, name_id, entity_id):
-        return self.cache.get(name_id, entity_id)
+    def get_info_from(self, name_id, entity_id, check_not_on_or_after=True):
+        return self.cache.get(name_id, entity_id, check_not_on_or_after)
 
     def subjects(self):
         """Returns the name id's for all the persons in the cache"""

tests/test_51_client.py

@@ -32,7 +32,7 @@
 from saml2.sigver import verify_redirect_signature
 from saml2.s_utils import do_attribute_statement
 from saml2.s_utils import factory
-from saml2.time_util import in_a_while
+from saml2.time_util import in_a_while, a_while_ago
 
 from fakeIDP import FakeIDP
 from fakeIDP import unpack_form
@@ -1265,6 +1265,36 @@ def test_do_logout_post(self):
                                                BINDING_HTTP_POST)
         assert b'<ns0:SessionIndex>_foo</ns0:SessionIndex>' in res.xmlstr
 
+    def test_do_logout_session_expired(self):
+        # information about the user from an IdP
+        session_info = {
+            "name_id": nid,
+            "issuer": "urn:mace:example.com:saml:roland:idp",
+            "not_on_or_after": a_while_ago(minutes=15),
+            "ava": {
+                "givenName": "Anders",
+                "surName": "Andersson",
+                "mail": "[email protected]"
+            },
+            "session_index": SessionIndex("_foo")
+        }
+        self.client.users.add_information_about_person(session_info)
+        entity_ids = self.client.users.issuers_of_info(nid)
+        assert entity_ids == ["urn:mace:example.com:saml:roland:idp"]
+        resp = self.client.do_logout(nid, entity_ids, "Tired",
+                                     in_a_while(minutes=5), sign=True,
+                                     expected_binding=BINDING_HTTP_POST)
+        assert resp
+        assert len(resp) == 1
+        assert list(resp.keys()) == entity_ids
+        binding, info = resp[entity_ids[0]]
+        assert binding == BINDING_HTTP_POST
+
+        _dic = unpack_form(info["data"][3])
+        res = self.server.parse_logout_request(_dic["SAMLRequest"],
+                                               BINDING_HTTP_POST)
+        assert b'<ns0:SessionIndex>_foo</ns0:SessionIndex>' in res.xmlstr
+
 
 # Below can only be done with dummy Server
 IDP = "urn:mace:example.com:saml:roland:idp"