From 30cbe7c056f9e2a3892b3c61f79ac9086aa0631e Mon Sep 17 00:00:00 2001
From: Sixto Martin
Date: Thu, 14 Sep 2017 18:38:22 +0200
Subject: [PATCH] Allow empty nameid if setting wantNameId is false. Only raise Exceptions when strict mode is enabled
---
 src/onelogin/saml2/response.py | 7 ++--
 .../src/OneLogin/saml2_tests/response_test.py | 32 +++++++++++++++++--
 2 files changed, 34 insertions(+), 5 deletions(-)

diff --git a/src/onelogin/saml2/response.py b/src/onelogin/saml2/response.py
index d57f8c42..a5992617 100644
--- a/src/onelogin/saml2/response.py
+++ b/src/onelogin/saml2/response.py
@@ -421,16 +421,19 @@ def get_nameid_data(self):
 nameid_nodes = self.__query_assertion('/saml:Subject/saml:NameID')
 if nameid_nodes:
 nameid = nameid_nodes[0]
+
+ is_strict = self.__settings.is_strict()
+ want_nameid = self.__settings.get_security_data().get('wantNameId', True)
 if nameid is None:
 security = self.__settings.get_security_data()
- if security.get('wantNameId', True):
+ if is_strict and want_nameid:
 raise OneLogin_Saml2_ValidationError(
 'NameID not found in the assertion of the Response',
 OneLogin_Saml2_ValidationError.NO_NAMEID
 )
 else:
- if self.__settings.is_strict() and not nameid.text:
+ if is_strict and want_nameid and not nameid.text:
 raise OneLogin_Saml2_ValidationError(
 'An empty NameID value found',
 OneLogin_Saml2_ValidationError.EMPTY_NAMEID
diff --git a/tests/src/OneLogin/saml2_tests/response_test.py b/tests/src/OneLogin/saml2_tests/response_test.py
index f8c396e0..e811b003 100644
--- a/tests/src/OneLogin/saml2_tests/response_test.py
+++ b/tests/src/OneLogin/saml2_tests/response_test.py
@@ -82,6 +82,7 @@ def testReturnNameId(self):
 Tests the get_nameid method of the OneLogin_Saml2_Response
 """
 json_settings = self.loadSettingsJSON()
+ json_settings['strict'] = True
 settings = OneLogin_Saml2_Settings(json_settings)
 xml = self.file_contents(join(self.data_path, 'responses', 'response1.xml.base64'))
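Review bot: The context line `security = self.__settings.get_security_data()` inside the `if nameid is None:` branch is dead after this change — its only reader was the removed `security.get('wantNameId', True)`, which the new `want_nameid` local replaces — so drop it. The two new conditions also accept a missing or empty NameID whenever strict mode is off, even with `wantNameId` left at its default of True, whereas the old missing-NameID check raised regardless of strict; that is the commit's intent, but nothing in the method records it, so add to get_nameid_data's docstring something like `Raises OneLogin_Saml2_ValidationError for a missing or empty NameID only when strict mode is on and 'wantNameId' is True; otherwise the NameID data is returned as found.` Callers that relied on the exception to refuse subject-less assertions in non-strict deployments will now receive an empty result instead and need to check for it themselves. get_nameid_data starts and ends outside the hunk.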
@@ -135,11 +136,18 @@ def testReturnNameId(self):
 with self.assertRaisesRegexp(OneLogin_Saml2_ValidationError, 'An empty NameID value found'):
 response_9.get_nameid()
+ json_settings['security']['wantNameId'] = False
+ settings = OneLogin_Saml2_Settings(json_settings)
+
+ nameid_9 = response_9.get_nameid()
+ self.assertEqual(None, nameid_9)
+
 def testReturnNameIdFormat(self):
 """
 Tests the get_nameid_format method of the OneLogin_Saml2_Response
 """
 json_settings = self.loadSettingsJSON()
+ json_settings['strict'] = True
 settings = OneLogin_Saml2_Settings(json_settings)
 xml = self.file_contents(join(self.data_path, 'responses', 'response1.xml.base64'))
@@ -193,11 +201,18 @@ def testReturnNameIdFormat(self):
 with self.assertRaisesRegexp(OneLogin_Saml2_ValidationError, 'An empty NameID value found'):
 response_9.get_nameid_format()
+ json_settings['security']['wantNameId'] = False
+ settings = OneLogin_Saml2_Settings(json_settings)
+
+ nameid_9 = response_9.get_nameid_format()
+ self.assertEqual('urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress', nameid_9)
+
 def testGetNameIdData(self):
 """
 Tests the get_nameid_data method of the OneLogin_Saml2_Response
 """
 json_settings = self.loadSettingsJSON()
+ json_settings['strict'] = True
 settings = OneLogin_Saml2_Settings(self.loadSettingsJSON())
 xml = self.file_contents(join(self.data_path, 'responses', 'response1.xml.base64'))
@@ -231,8 +246,9 @@ def testGetNameIdData(self):
 xml_4 = self.file_contents(join(self.data_path, 'responses', 'invalids', 'no_nameid.xml.base64'))
 response_4 = OneLogin_Saml2_Response(settings, xml_4)
- with self.assertRaisesRegexp(OneLogin_Saml2_ValidationError, 'NameID not found in the assertion of the Response'):
- response_4.get_nameid_data()
+
+ nameid_data_4 = response_4.get_nameid_data()
+ self.assertEqual({}, nameid_data_4)
 json_settings['security']['wantNameId'] = True
 settings = OneLogin_Saml2_Settings(json_settings)
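Review bot: In the lines added after the `assertRaisesRegexp` block, `settings` is rebuilt with `wantNameId` set to False but `response_9` is never reconstructed from it, so `response_9.get_nameid()` still runs against the settings object it was created with; the `None` assertion can then only pass if that older object observes the mutated `json_settings['security']` dict through a shared reference, which is an implementation detail the test should not lean on. Rebuild the response from the new `settings` and the same XML before calling it, e.g. `response_9 = OneLogin_Saml2_Response(settings, xml_6)` if `xml_6` is the empty-NameID fixture here as it is in the later hunk. The same pattern appears in the `@@ -193` and `@@ -262` hunks. `self.assertIsNone(nameid_9)` also reads better than `self.assertEqual(None, nameid_9)`. testReturnNameId starts outside the hunk.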
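Review bot: The added `json_settings['strict'] = True` in testGetNameIdData has no effect on the settings used next, because the following context line builds them from a fresh `self.loadSettingsJSON()` instead of from `json_settings`; the first assertions of that test therefore run non-strict, and only the later `settings = OneLogin_Saml2_Settings(json_settings)` rebuild picks the flag up. Either change the line to `settings = OneLogin_Saml2_Settings(json_settings)` to match the two other tests touched here, or, if the early assertions are meant to run non-strict, drop the ineffective line and say so in a comment. The `{}` expectation for the no-NameID response in the next hunk presumably depends on which of these is intended. testGetNameIdData continues past the hunk.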
@@ -262,13 +278,23 @@ def testGetNameIdData(self):
 response_8 = OneLogin_Saml2_Response(settings, xml_5)
 with self.assertRaisesRegexp(OneLogin_Saml2_ValidationError, 'The SPNameQualifier value mistmatch the SP entityID value.'):
 response_8.get_nameid_data()
- self.assertTrue(False)
 xml_6 = self.file_contents(join(self.data_path, 'responses', 'invalids', 'empty_nameid.xml.base64'))
 response_9 = OneLogin_Saml2_Response(settings, xml_6)
 with self.assertRaisesRegexp(OneLogin_Saml2_ValidationError, 'An empty NameID value found'):
 response_9.get_nameid_data()
+ json_settings['security']['wantNameId'] = False
+ settings = OneLogin_Saml2_Settings(json_settings)
+
+ nameid_data_9 = response_9.get_nameid_data()
+
+ expected_nameid_data_4 = {
+ 'Value': None,
+ 'Format': 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress',
+ }
+ self.assertEqual(expected_nameid_data_4, nameid_data_9)
+
 def testCheckStatus(self):
 """
 Tests the check_status method of the OneLogin_Saml2_Response
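Review bot: The new expected dict is named `expected_nameid_data_4` but is compared against `nameid_data_9`, the result for `response_9` built from `xml_6`; rename it `expected_nameid_data_9` so the name matches what it checks. The assertion also pins that an empty NameID element yields `'Value': None` with the Format still populated under non-strict, wantNameId-False settings, which is worth a one-line comment above the dict so a later reader does not mistake the `None` for a missing element. testGetNameIdData starts outside the hunk.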