Allow logout to succeed if NotOnOrAfter expired.

2015-10-16 20:17:40 +00:00
parent 6c0bec3d7f
commit a9983d5f94
3 changed files with 36 additions and 4 deletions
--- a/src/saml2/client.py
+++ b/src/saml2/client.py
@@ -207,7 +207,9 @@ class Saml2Client(Base):
                destination = destinations(srvs)[0]
                logger.info("destination to provider: %s", destination)
                try:
-                    session_info = self.users.get_info_from(name_id, entity_id)
+                    session_info = self.users.get_info_from(name_id,
+                                                            entity_id,
+                                                            False)
                    session_indexes = [session_info['session_index']]
                except KeyError:
                    session_indexes = None
--- a/src/saml2/population.py
+++ b/src/saml2/population.py
@@ -45,8 +45,8 @@ class Population(object):
    def get_identity(self, name_id, entities=None, check_not_on_or_after=True):
        return self.cache.get_identity(name_id, entities, check_not_on_or_after)

-    def get_info_from(self, name_id, entity_id):
-        return self.cache.get(name_id, entity_id)
+    def get_info_from(self, name_id, entity_id, check_not_on_or_after=True):
+        return self.cache.get(name_id, entity_id, check_not_on_or_after)

    def subjects(self):
        """Returns the name id's for all the persons in the cache"""
--- a/tests/test_51_client.py
+++ b/tests/test_51_client.py
@@ -32,7 +32,7 @@ from saml2.sigver import rm_xmltag
 from saml2.sigver import verify_redirect_signature
 from saml2.s_utils import do_attribute_statement
 from saml2.s_utils import factory
-from saml2.time_util import in_a_while
+from saml2.time_util import in_a_while, a_while_ago

 from fakeIDP import FakeIDP
 from fakeIDP import unpack_form
@@ -1265,6 +1265,36 @@ class TestClient:
                                               BINDING_HTTP_POST)
        assert b'<ns0:SessionIndex>_foo</ns0:SessionIndex>' in res.xmlstr

+    def test_do_logout_session_expired(self):
+        # information about the user from an IdP
+        session_info = {
+            "name_id": nid,
+            "issuer": "urn:mace:example.com:saml:roland:idp",
+            "not_on_or_after": a_while_ago(minutes=15),
+            "ava": {
+                "givenName": "Anders",
+                "surName": "Andersson",
+                "mail": "anders.andersson@example.com"
+            },
+            "session_index": SessionIndex("_foo")
+        }
+        self.client.users.add_information_about_person(session_info)
+        entity_ids = self.client.users.issuers_of_info(nid)
+        assert entity_ids == ["urn:mace:example.com:saml:roland:idp"]
+        resp = self.client.do_logout(nid, entity_ids, "Tired",
+                                     in_a_while(minutes=5), sign=True,
+                                     expected_binding=BINDING_HTTP_POST)
+        assert resp
+        assert len(resp) == 1
+        assert list(resp.keys()) == entity_ids
+        binding, info = resp[entity_ids[0]]
+        assert binding == BINDING_HTTP_POST
+
+        _dic = unpack_form(info["data"][3])
+        res = self.server.parse_logout_request(_dic["SAMLRequest"],
+                                               BINDING_HTTP_POST)
+        assert b'<ns0:SessionIndex>_foo</ns0:SessionIndex>' in res.xmlstr
+

 # Below can only be done with dummy Server
 IDP = "urn:mace:example.com:saml:roland:idp"