If no identity information refrain from constructing an AttributeStatement.

2013-12-05 08:48:25 +01:00
parent 94b574c56a
commit c2701e9ba2
4 changed files with 44 additions and 2 deletions
--- a/src/saml2/init.py
+++ b/src/saml2/init.py
@@ -755,6 +755,22 @@ class SamlBase(ExtensionContainer):
    def verify(self):
        return valid_instance(self)

+    def empty(self):
+        for prop, _typ, _req in self.c_attributes.values():
+            if getattr(self, prop, None):
+                return False
+
+        for prop, klassdef in self.c_children.values():
+            if getattr(self, prop):
+                return False
+
+        for param in ["text", "extension_elements", "extension_attributes"]:
+            if getattr(self, param):
+                return False
+
+        return True
+
+
 # ----------------------------------------------------------------------------


--- a/src/saml2/assertion.py
+++ b/src/saml2/assertion.py
@@ -675,9 +675,9 @@ class Assertion(dict):
        else:
            _authn_statement = None

+
        _ass = assertion_factory(
            issuer=issuer,
-            attribute_statement=[attr_statement],
            conditions=conds,
            subject=factory(
                saml.Subject,
@@ -696,6 +696,9 @@ class Assertion(dict):
        if _authn_statement:
            _ass.authn_statement = [_authn_statement]

+        if not attr_statement.empty():
+            _ass.attribute_statement=[attr_statement],
+
        return _ass
    
    def apply_policy(self, sp_entity_id, policy, metadata=None):
--- a/src/saml2/client.py
+++ b/src/saml2/client.py
@@ -433,6 +433,7 @@ class Saml2Client(Base):
                'method': "POST
            }
        """
+        logger.info("logout request: %s" % request)

        _req = self._parse_request(request, LogoutRequest,
                                   "single_logout_service", binding)
--- a/tests/test_20_assertion.py
+++ b/tests/test_20_assertion.py
@@ -315,6 +315,7 @@ def test_assertion_2():
                       'urn:oid:2.16.840.1.113730.3.1.241',
                       'urn:oid:0.9.2342.19200300.100.1.1'])

+
 # ----------------------------------------------------------------------------


@@ -751,5 +752,26 @@ def test_filter_ava_5():
    assert ava == {}


+def test_assertion_with_zero_attributes():
+    ava = {}
+    ast = Assertion(ava)
+    policy = Policy({
+        "default": {
+            "lifetime": {"minutes": 240},
+            "attribute_restrictions": None,  # means all I have
+            "name_form": NAME_FORMAT_URI
+        },
+    })
+    name_id = NameID(format=NAMEID_FORMAT_TRANSIENT, text="foobar")
+    issuer = Issuer(text="entityid", format=NAMEID_FORMAT_ENTITY)
+    msg = ast.construct("sp_entity_id", "in_response_to", "consumer_url",
+                        name_id, [AttributeConverterNOOP(NAME_FORMAT_URI)],
+                        policy, issuer=issuer, authn_decl=ACD ,
+                        authn_auth="authn_authn")
+
+    print msg
+    assert msg.attribute_statement == []
+
+
 if __name__ == "__main__":
-    test_filter_ava_5()
+    test_assertion_with_zero_attributes()