author | Roland Hedberg <roland@catalogix.se> | 2017-10-11 08:38:52 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2017-10-11 08:38:52 +0200 |
commit | 46d24f6af561d75d455f7b73e5a3d19837d32d2f (patch) | |
tree | c1e415295c5d09c8f4df58fc25d63cb8005b11e6 /src/saml2/client_base.py | |
parent | d8eef64ebe54989f577a1e48eb78787b0dd8db41 (diff) | |
parent | 61fa999aba7d9b02a15c9792e843aa55b1b1956b (diff) | |
download | pysaml2-46d24f6af561d75d455f7b73e5a3d19837d32d2f.tar.gz |
Merge pull request #439 from jkakavas/fix_sane_defaults
Ensure signature checking for SAML Responses is enabled by default
Diffstat (limited to 'src/saml2/client_base.py')
-rw-r--r-- | src/saml2/client_base.py | 35 |
1 files changed, 24 insertions, 11 deletions
diff --git a/src/saml2/client_base.py b/src/saml2/client_base.py
index 531ddea5..f8704c20 100644
--- a/src/saml2/client_base.py
+++ b/src/saml2/client_base.py
@@ -113,17 +113,30 @@ class Base(Entity):
 else:
 self.state = state_cache

- self.logout_requests_signed = False
- self.allow_unsolicited = False
- self.authn_requests_signed = False
- self.want_assertions_signed = False
- self.want_response_signed = False
- for foo in ["allow_unsolicited", "authn_requests_signed",
- "logout_requests_signed", "want_assertions_signed",
- "want_response_signed"]:
- v = self.config.getattr(foo, "sp")
- if v is True or v == 'true':
- setattr(self, foo, True)
+ attribute_defaults = {
+ "logout_requests_signed": False,
+ "allow_unsolicited": False,
+ "authn_requests_signed": False,
+ "want_assertions_signed": False,
+ "want_response_signed": True,
+ }
+
+ for attr, val_default in attribute_defaults.items():
+ val_config = self.config.getattr(attr, "sp")
+ if val_config is None:
+ val = val_default
+ else:
+ val = val_config
+
+ if val == 'true':
+ val = True
+
+ setattr(self, attr, val)
+
+ if self.entity_type == "sp" and not any([self.want_assertions_signed,
+ self.want_response_signed]):
+ logger.warning("The SAML service provider accepts unsigned SAML Responses " +
+ "and Assertions. This configuration is insecure.")

 self.artifact2response = {} |
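Review bot: The normalisation step `if val == 'true': val = True` converts only that one string, so any other configured value is now stored verbatim, whereas the removed loop left the attribute `False` unless the value was `True` or `'true'`. A setting such as `allow_unsolicited: 'false'` therefore ends up as a non-empty string, which is truthy wherever the attribute is tested with a plain `if`; how each consumer tests these attributes is not visible here. The same string values also make the `any([...])` guard skip the new warning. Map the accepted spellings explicitly and fall back to the default otherwise, e.g. `val = {True: True, 'true': True, False: False, 'false': False}.get(val_config, val_default)`. The enclosing method starts and ends outside the hunk.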