From 3819c1750370d995d5ad08dc46e5f5c5dcac65c3 Mon Sep 17 00:00:00 2001
From: Nils Caspar
Date: Fri, 13 Oct 2023 14:14:11 -0700
Subject: [PATCH] Pass SLO request/response to callback
---
 src/onelogin/saml2/auth.py | 4 ++--
 src/onelogin/saml2/utils.py | 8 +++++--
 tests/src/OneLogin/saml2_tests/auth_test.py | 23 ++++++++++++++++++---
 3 files changed, 28 insertions(+), 7 deletions(-)
diff --git a/src/onelogin/saml2/auth.py b/src/onelogin/saml2/auth.py
index ac85ebc1..262e382d 100644
--- a/src/onelogin/saml2/auth.py
+++ b/src/onelogin/saml2/auth.py
@@ -170,7 +170,7 @@ def process_slo(self, keep_local_session=False, request_id=None, delete_session_
 else:
 self._last_message_id = logout_response.id
 if not keep_local_session:
- OneLogin_Saml2_Utils.delete_local_session(delete_session_cb)
+ OneLogin_Saml2_Utils.delete_local_session(delete_session_cb, logout_response=logout_response)
 elif get_data and 'SAMLRequest' in get_data:
 logout_request = self.logout_request_class(self._settings, get_data['SAMLRequest'])
@@ -182,7 +182,7 @@ def process_slo(self, keep_local_session=False, request_id=None, delete_session_
 self._errors.append('invalid_logout_request')
 else:
 if not keep_local_session:
- OneLogin_Saml2_Utils.delete_local_session(delete_session_cb)
+ OneLogin_Saml2_Utils.delete_local_session(delete_session_cb, logout_request=logout_request)
 in_response_to = logout_request.id
 self._last_message_id = logout_request.id
diff --git a/src/onelogin/saml2/utils.py b/src/onelogin/saml2/utils.py
index 6050ea8d..b64367d2 100644
--- a/src/onelogin/saml2/utils.py
+++ b/src/onelogin/saml2/utils.py
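Review bot: The calling convention of `delete_session_cb` changes at both `delete_local_session` call sites (this hunk and the one at `@@ -182,7`), but neither hunk touches the documentation of that parameter. `process_slo` starts and ends outside both hunks, so its docstring is not visible here; its entry for `delete_session_cb` should state something like `Callback that ends the local session; called either with no arguments or with logout_request= and logout_response= keywords, exactly one of which is not None`. From the visible `else:` branches the callback appears to run only after the message was accepted, and the docstring should say so, because implementers will decide which session to end from the object they receive.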
@@ -484,13 +484,17 @@ def get_expire_time(cache_duration=None, valid_until=None):
 return None
 @staticmethod
- def delete_local_session(callback=None):
+ def delete_local_session(callback=None, logout_request=None, logout_response=None):
 """
 Deletes the local session.
 """
 if callback is not None:
- callback()
+ if callback.__code__.co_argcount == 0:
+ # Legacy callback with no parameters
+ callback()
+ else:
+ callback(logout_request=logout_request, logout_response=logout_response)
 @staticmethod
 def calculate_x509_fingerprint(x509_cert, alg='sha1'):
diff --git a/tests/src/OneLogin/saml2_tests/auth_test.py b/tests/src/OneLogin/saml2_tests/auth_test.py
index b088874f..b4e9726f 100644
--- a/tests/src/OneLogin/saml2_tests/auth_test.py
+++ b/tests/src/OneLogin/saml2_tests/auth_test.py
@@ -9,6 +9,7 @@
 from onelogin.saml2 import compat
 from onelogin.saml2.auth import OneLogin_Saml2_Auth
 from onelogin.saml2.constants import OneLogin_Saml2_Constants
+from onelogin.saml2.logout_response import OneLogin_Saml2_Logout_Response
 from onelogin.saml2.settings import OneLogin_Saml2_Settings
 from onelogin.saml2.utils import OneLogin_Saml2_Utils, OneLogin_Saml2_Error
 from onelogin.saml2.logout_request import OneLogin_Saml2_Logout_Request
@@ -403,7 +404,15 @@ def testProcessSLOResponseValidDeletingSession(self):
 auth = OneLogin_Saml2_Auth(request_data, old_settings=self.loadSettingsJSON())
 auth.set_strict(True)
- auth.process_slo(False)
+
+ callback_called = False
+ def delete_session_cb(logout_request, logout_response):
+ nonlocal callback_called
+ callback_called = True
+ self.assertIsNone(logout_request)
+ self.assertIsInstance(logout_response, OneLogin_Saml2_Logout_Response)
+ auth.process_slo(False, delete_session_cb=delete_session_cb)
+ self.assertTrue(callback_called)
 self.assertEqual(len(auth.get_errors()), 0)
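Review bot: The arity test `callback.__code__.co_argcount == 0` in `delete_local_session` misclassifies several ordinary callables. A bound method counts `self`, so a legacy `obj.clear_session` that takes no arguments is now called with keywords and raises `TypeError`, while a `functools.partial` or an object with `__call__` has no `__code__` and raises `AttributeError`. As far as the hunk shows nothing catches either exception, so logout processing would abort with the local session still alive. Inspecting the signature and falling back to the zero-argument call keeps existing callbacks working; it needs `import inspect` in utils.py, and `inspect.signature` exists only on Python 3.

```python
    @staticmethod
    def delete_local_session(callback=None, logout_request=None, logout_response=None):
        # … unchanged: docstring …
        if callback is not None:
            try:
                params = list(inspect.signature(callback).parameters.values())
            except (TypeError, ValueError):
                # Signature not introspectable: keep the legacy zero-argument call
                params = []
            takes_messages = (
                any(p.kind is inspect.Parameter.VAR_KEYWORD for p in params)
                or {'logout_request', 'logout_response'} <= {p.name for p in params}
            )
            if takes_messages:
                callback(logout_request=logout_request, logout_response=logout_response)
            else:
                # Legacy callback with no parameters
                callback()
```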
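Review bot: The updated tests (this hunk in `testProcessSLOResponseValidDeletingSession` and the one at `@@ -484,7`) pin only the two-keyword form of the callback, so nothing in this patch exercises the legacy branch that `delete_local_session` keeps. A case passing a zero-argument function, and one passing a bound method or a `functools.partial`, would show whether existing integrations still get their session deleted on logout. Both test methods start outside their hunks, so an existing legacy case elsewhere in the file cannot be ruled out from here. As a style point, a blank line before the nested `def delete_session_cb` would satisfy pycodestyle E306.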
@@ -484,7 +493,16 @@ def testProcessSLORequestDeletingSession(self):
 auth = OneLogin_Saml2_Auth(request_data, old_settings=settings_info)
 auth.set_strict(True)
- target_url = auth.process_slo(True)
+
+ callback_called = False
+ def delete_session_cb(logout_request, logout_response):
+ nonlocal callback_called
+ callback_called = True
+ self.assertIsNone(logout_response)
+ self.assertIsInstance(logout_request, OneLogin_Saml2_Logout_Request)
+ target_url = auth.process_slo(False, delete_session_cb=delete_session_cb)
+ self.assertTrue(callback_called)
+
 parsed_query = parse_qs(urlparse(target_url)[4])
 slo_url = settings_info['idp']['singleLogoutService']['url']
 self.assertIn(slo_url, target_url)
@@ -498,7 +516,6 @@ def testProcessSLORequestDeletingSession(self):
 auth.set_strict(True)
 target_url_2 = auth.process_slo(True)
- target_url_2 = auth.process_slo(True)
 parsed_query_2 = parse_qs(urlparse(target_url_2)[4])
 slo_url = settings_info['idp']['singleLogoutService']['url']
 self.assertIn(slo_url, target_url_2)