Allow to configuration option name_id_format_allow_create for sp config

2017-04-21 14:21:21 +02:00 · 2017-04-21 14:21:21 +02:00 · 4c6e454ee5
parent a0c510af7a
commit 4c6e454ee5
4 changed files with 96 additions and 5 deletions
--- a/src/saml2/client_base.py
+++ b/src/saml2/client_base.py
@ -207,7 +207,7 @@ class Base(Entity):
            nameid_format=None,
            service_url_binding=None, message_id=0,
            consent=None, extensions=None, sign=None,
-            allow_create=False, sign_prepare=False, sign_alg=None,
+            allow_create=None, sign_prepare=False, sign_alg=None,
            digest_alg=None, **kwargs):
        """ Creates an authentication request.

@ -288,10 +288,15 @@ class Base(Entity):
            args["name_id_policy"] = kwargs["name_id_policy"]
            del kwargs["name_id_policy"]
        except KeyError:
-            if allow_create:
-                allow_create = "true"
-            else:
-                allow_create = "false"
+            if allow_create is None:
+                allow_create = self.config.getattr("name_id_format_allow_create", "sp")
+                if allow_create is None:
+                    allow_create = "false"
+                else:
+                    if allow_create is True:
+                        allow_create = "true"
+                    else:
+                        allow_create = "false"

            if nameid_format == "":
                name_id_policy = None
--- a/src/saml2/config.py
+++ b/src/saml2/config.py
@ -73,6 +73,7 @@ SP_ARGS = [
    "allow_unsolicited",
    "ecp",
    "name_id_format",
+    "name_id_format_allow_create",
    "logout_requests_signed",
    "requested_attribute_name_format"
 ]
@ -187,6 +188,7 @@ class Config(object):
        self.contact_person = None
        self.name_form = None
        self.name_id_format = None
+        self.name_id_format_allow_create = None
        self.virtual_organization = None
        self.logger = None
        self.only_use_keys_in_metadata = True
--- a/tests/sp_conf_nameidpolicy.py
+++ b/tests/sp_conf_nameidpolicy.py
@ -0,0 +1,64 @@
+from pathutils import full_path
+from pathutils import xmlsec_path
+
+CONFIG = {
+    "entityid": "urn:mace:example.com:saml:roland:sp",
+    "name": "urn:mace:example.com:saml:roland:sp",
+    "description": "My own SP",
+    "service": {
+        "sp": {
+            "endpoints": {
+                "assertion_consumer_service": [
+                    "http://lingon.catalogix.se:8087/"],
+            },
+            "required_attributes": ["surName", "givenName", "mail"],
+            "optional_attributes": ["title"],
+            "idp": ["urn:mace:example.com:saml:roland:idp"],
+            "name_id_format": "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
+            "name_id_format_allow_create": "true"
+        }
+    },
+    "debug": 1,
+    "key_file": full_path("test.key"),
+    "cert_file": full_path("test.pem"),
+    "encryption_keypairs": [{"key_file": full_path("test_1.key"), "cert_file": full_path("test_1.crt")},
+                            {"key_file": full_path("test_2.key"), "cert_file": full_path("test_2.crt")}],
+    "ca_certs": full_path("cacerts.txt"),
+    "xmlsec_binary": xmlsec_path,
+    "metadata": [{
+        "class": "saml2.mdstore.MetaDataFile",
+        "metadata": [(full_path("idp.xml"), ), (full_path("vo_metadata.xml"), )],
+    }],
+    "virtual_organization": {
+        "urn:mace:example.com:it:tek": {
+            "nameid_format": "urn:oid:1.3.6.1.4.1.1466.115.121.1.15-NameID",
+            "common_identifier": "umuselin",
+        }
+    },
+    "subject_data": "subject_data.db",
+    "accepted_time_diff": 60,
+    "attribute_map_dir": full_path("attributemaps"),
+    "valid_for": 6,
+    "organization": {
+        "name": ("AB Exempel", "se"),
+        "display_name": ("AB Exempel", "se"),
+        "url": "http://www.example.org",
+    },
+    "contact_person": [{
+                           "given_name": "Roland",
+                           "sur_name": "Hedberg",
+                           "telephone_number": "+46 70 100 0000",
+                           "email_address": ["tech@eample.com",
+                                             "tech@example.org"],
+                           "contact_type": "technical"
+                       },
+    ],
+    "logger": {
+        "rotating": {
+            "filename": full_path("sp.log"),
+            "maxBytes": 100000,
+            "backupCount": 5,
+        },
+        "loglevel": "info",
+    }
+}
--- a/tests/test_51_client.py
+++ b/tests/test_51_client.py
@ -280,6 +280,26 @@ class TestClient:
        assert nid_policy.allow_create == "false"
        assert nid_policy.format == saml.NAMEID_FORMAT_TRANSIENT

+    def test_create_auth_request_nameid_policy_allow_create(self):
+        conf = config.SPConfig()
+        conf.load_file("sp_conf_nameidpolicy")
+        client = Saml2Client(conf)
+        ar_str = "%s" % client.create_authn_request(
+            "http://www.example.com/sso", message_id="id1")[1]
+
+        ar = samlp.authn_request_from_string(ar_str)
+        print(ar)
+        assert ar.assertion_consumer_service_url == ("http://lingon.catalogix"
+                                                     ".se:8087/")
+        assert ar.destination == "http://www.example.com/sso"
+        assert ar.protocol_binding == BINDING_HTTP_POST
+        assert ar.version == "2.0"
+        assert ar.provider_name == "urn:mace:example.com:saml:roland:sp"
+        assert ar.issuer.text == "urn:mace:example.com:saml:roland:sp"
+        nid_policy = ar.name_id_policy
+        assert nid_policy.allow_create == "true"
+        assert nid_policy.format == saml.NAMEID_FORMAT_PERSISTENT
+
    def test_create_auth_request_vo(self):
        assert list(self.client.config.vorg.keys()) == [
            "urn:mace:example.com:it:tek"]