author | ivan <ivan@grnet.gr> | 2017-07-12 09:53:52 +0300 |
---|---|---|
committer | ivan <ivan@grnet.gr> | 2017-07-14 14:36:04 +0300 |
commit | ee17e8f9b732f5b08f2b94a67ef92ccc33f19b01 (patch) | |
tree | 8814df1a273b362231300c5c36ac663004decd99 | |
parent | a490e4759d5ea5f6e0cdf8da3e853937fe0d9371 (diff) | |
download | pysaml2-ee17e8f9b732f5b08f2b94a67ef92ccc33f19b01.tar.gz |
Add force_authn sp configuration option
If the value is truthy, "true" is given as the ForceAuthn value. The
value is derived from the 'force_authn' keyword argument as passed to
'create_authn_request()' method; otherwise it falls back to the
configuration value.
-rw-r--r-- | src/saml2/client_base.py | 8 | ||||
-rw-r--r-- | src/saml2/config.py | 3 | ||||
-rw-r--r-- | tests/test_31_config.py | 11 | ||||
-rw-r--r-- | tests/test_51_client.py | 11 |
4 files changed, 32 insertions, 1 deletions
diff --git a/src/saml2/client_base.py b/src/saml2/client_base.py
index f740cb07..a5957f1d 100644
--- a/src/saml2/client_base.py
+++ b/src/saml2/client_base.py
@@ -335,6 +335,14 @@ class Base(Entity):
         except KeyError:
             nsprefix = None
 
+        try:
+            force_authn = kwargs['force_authn']
+        except KeyError:
+            force_authn = self.config.getattr('force_authn', 'sp')
+        finally:
+            if force_authn:
+                args['force_authn'] = 'true'
+
         if kwargs:
             _args, extensions = self._filter_args(AuthnRequest(), extensions,
                                                   **kwargs)
diff --git a/src/saml2/config.py b/src/saml2/config.py
index 50d61c57..df567117 100644
--- a/src/saml2/config.py
+++ b/src/saml2/config.py
@@ -75,7 +75,8 @@ SP_ARGS = [
     "name_id_format",
     "name_id_format_allow_create",
     "logout_requests_signed",
-    "requested_attribute_name_format"
+    "requested_attribute_name_format",
+    "force_authn",
 ]
 
 AA_IDP_ARGS = [
diff --git a/tests/test_31_config.py b/tests/test_31_config.py
index 623c944f..eb8480c6 100644
--- a/tests/test_31_config.py
+++ b/tests/test_31_config.py
@@ -68,6 +68,7 @@ sp2 = {
         },
         "authn_requests_signed": True,
         "logout_requests_signed": True,
+        "force_authn": True,
     }
 },
 #"xmlsec_binary" : "/opt/local/bin/xmlsec1",
@@ -408,5 +409,15 @@ def test_crypto_backend():
     sec = security_context(idpc)
     assert isinstance(sec.crypto, CryptoBackendXMLSecurity)
 
+def test_unset_force_authn():
+    cnf = SPConfig().load(sp1)
+    assert bool(cnf.getattr('force_authn', 'sp')) == False
+
+
+def test_set_force_authn():
+    cnf = SPConfig().load(sp2)
+    assert bool(cnf.getattr('force_authn', 'sp')) == True
+
+
 if __name__ == "__main__":
     test_crypto_backend()
diff --git a/tests/test_51_client.py b/tests/test_51_client.py
index 1806de41..937e0e20 100644
--- a/tests/test_51_client.py
+++ b/tests/test_51_client.py
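Review bot: The `finally:` clause in the new block of client_base.py runs even when `self.config.getattr('force_authn', 'sp')` raises, and on that path `force_authn` was never bound, so the original error is replaced by an UnboundLocalError from `if force_authn:`; the test belongs after the try/except, or the whole lookup collapses to `force_authn = kwargs.get('force_authn', self.config.getattr('force_authn', 'sp'))` followed by `if force_authn: args['force_authn'] = 'true'`. The keyword is read but not popped, so the raw value still reaches `self._filter_args(AuthnRequest(), extensions, **kwargs)` a few lines below; whether that second copy later overrides the normalized `'true'` depends on code outside the hunk. Any non-empty string is truthy here, so a caller passing `force_authn="false"` ends up asking the IdP for ForceAuthn="true" — the opposite of the likely intent — and a comment such as `# any truthy value (including the string "false") requests forced re-authentication` would at least make the contract visible, given that the diffstat shows no documentation change for the new `force_authn` SP option. The enclosing method starts and ends outside the hunk.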
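Review bot: `assert bool(cnf.getattr('force_authn', 'sp')) == False` in test_unset_force_authn compares a boolean against a literal; the idiomatic form is `assert not cnf.getattr('force_authn', 'sp')`, and test_set_force_authn can pin the exact configured value with `assert cnf.getattr('force_authn', 'sp') is True`, since the sp2 fixture in the earlier hunk sets `"force_authn": True`. The two new tests in tests/test_51_client.py use the same `bool(...) == False`/`== True` pattern. The new `def test_unset_force_authn` also appears to follow the previous test with a single blank line, one short of the two PEP 8 expects between top-level definitions (blank lines are collapsed on this page, so this is inferred).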
@@ -280,6 +280,17 @@ class TestClient:
         assert nid_policy.allow_create == "false"
         assert nid_policy.format == saml.NAMEID_FORMAT_TRANSIENT
 
+    def test_create_auth_request_unset_force_authn(self):
+        req_id, req = self.client.create_authn_request(
+            "http://www.example.com/sso", sign=False, message_id="id1")
+        assert bool(req.force_authn) == False
+    def test_create_auth_request_set_force_authn(self):
+        req_id, req = self.client.create_authn_request(
+            "http://www.example.com/sso", sign=False, message_id="id1",
+            force_authn="true")
+        assert bool(req.force_authn) == True
+
     def test_create_auth_request_nameid_policy_allow_create(self):
         conf = config.SPConfig()
         conf.load_file("sp_conf_nameidpolicy")
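Review bot: test_create_auth_request_set_force_authn passes the string `"true"`, so it never shows that the new normalization in client_base.py turns a non-string truthy value into the literal `'true'`; passing `force_authn=True` and asserting `assert req.force_authn == "true"` would pin that mapping. Neither test covers the configuration fallback the commit message describes, so a case that loads a config containing `"force_authn": True` (like the sp2 fixture in tests/test_31_config.py) and calls create_authn_request without the keyword would be worth adding. `req_id` is unpacked but unused in both tests; `_, req = ...` makes that explicit. The TestClient class continues outside the hunk.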