tests: add check for idp initiated logout

tests/test_saml_auth.py

@@ -12,7 +12,9 @@ except ImportError:
 import pytest
 
 from quixote import cleanup
+from quixote import get_session, get_session_manager
 from wcs.qommon.http_request import HTTPRequest
+from wcs.qommon.misc import get_lasso_server
 from wcs.qommon.saml2 import Saml2Directory
 from wcs.qommon.ident.idp import MethodAdminDirectory, AdminIDPDir
 from wcs.qommon import sessions, x509utils
@@ -178,8 +180,8 @@ def get_assertion_consumer_request(pub, ni_format=lasso.SAML2_NAME_IDENTIFIER_FO
         'PATH_INFO': '/saml/assertionConsumerPost',
         })
     pub._set_request(req)
-    sessions.Session.wipe()
-    req.session = sessions.Session(id=1)
+    pub.session_class.wipe()
+    req.session = pub.session_class(id=1)
     assert req.session.user is None
     req.form['SAMLResponse'] = get_authn_response_msg(pub, ni_format=ni_format)
     return req
@@ -257,7 +259,7 @@ def test_assertion_consumer_existing_federation(pub, caplog):
         'PATH_INFO': '/saml/assertionConsumerPost',
         })
     pub._set_request(req)
-    req.session = sessions.Session(id=2) # another session
+    req.session = pub.session_class(id=2) # another session
     req.session.message = ('error', 'blah')
     req.form['SAMLResponse'] = saml_response_body
     assert req.session.user is None
@@ -369,3 +371,55 @@ def test_saml_logout(pub):
     body = saml2.slo_sp()
     assert req.response.headers['location'].startswith('http://sso.example.net/saml2/slo?SAMLRequest=')
     assert req.session.user is None
+
+def test_saml_idp_logout(pub):
+    req = get_assertion_consumer_request(pub)
+    saml2 = Saml2Directory()
+    saml2.assertionConsumerPost()
+    assert req.session.user is not None
+    get_session_manager().maintain_session(req.session)
+
+    # get id from existing assertion
+    server = get_lasso_server()
+    login = lasso.Login(server)
+    login.setSessionFromDump(req.session.lasso_session_dump)
+    assertion_id = login.session.assertions['http://sso.example.net/saml2/metadata'].id
+    name_id = req.session.name_identifier
+
+    # and recreate an idp session
+    idp_metadata_filepath = os.path.join(pub.app_dir,
+            'idp-http-sso.example.net-saml2-metadata-metadata.xml')
+    idp_key_filepath = os.path.join(pub.app_dir,
+            'idp-http-sso.example.net-saml2-metadata-privatekey.pem')
+    idp = lasso.Server(idp_metadata_filepath, idp_key_filepath, None, None)
+    idp.addProvider(lasso.PROVIDER_ROLE_SP,
+            os.path.join(pub.app_dir, 'saml2-metadata.xml'),
+            os.path.join(pub.app_dir, 'public-key.pem'))
+
+    login = lasso.Login(idp)
+    login.initIdpInitiatedAuthnRequest(pub.cfg['sp']['saml2_providerid'])
+    login.request.nameIDPolicy.format = lasso.SAML2_NAME_IDENTIFIER_FORMAT_PERSISTENT
+    login.request.nameIDPolicy.allowCreate = True
+    login.request.protocolBinding = lasso.SAML2_METADATA_BINDING_POST
+    login.processAuthnRequestMsg(None)
+    login.validateRequestMsg(True, True)
+    login.buildAssertion(lasso.SAML2_AUTHN_CONTEXT_PASSWORD,
+            datetime.datetime.now().isoformat(),
+            'unused',
+            (datetime.datetime.now() - datetime.timedelta(3600)).isoformat(),
+            (datetime.datetime.now() + datetime.timedelta(3600)).isoformat())
+    login.assertion.subject.nameID.content = name_id
+    login.assertion.id = assertion_id
+    login.assertion.authnStatement[0].sessionIndex = assertion_id
+    login.buildAuthnResponseMsg()
+    session_dump = login.session.dump()
+
+    logout = lasso.Logout(idp)
+    logout.setSessionFromDump(session_dump)
+    logout.initRequest(pub.cfg['sp']['saml2_providerid'], lasso.HTTP_METHOD_REDIRECT)
+    logout.buildRequestMsg()
+
+    # process logout message
+    saml2.slo_idp(urlparse.urlparse(logout.msgUrl).query)
+    assert req.response.headers['location'].startswith('http://sso.example.net/saml2/slo_return?SAMLResponse=')
+    assert req.session is None