diff options
| author | Alex Bublichenko <alex.bublichenko@oracle.com> | 2019-05-23 19:21:14 -0700 |
|---|---|---|
| committer | Alex Bublichenko <alex.bublichenko@oracle.com> | 2019-05-23 19:21:14 -0700 |
| commit | 5d827674714212ad2536e54ac964791c8126024d (patch) | |
| tree | 28e0a3fe169e40cc00625b2f1508ec2815d6b22f /tests/test_02_saml.py | |
| parent | 6acaf874537ea4772b3d2c4a3f760612cfc26055 (diff) | |
| download | pysaml2-5d827674714212ad2536e54ac964791c8126024d.tar.gz | |
Parse assertions with Holder-of-Key profile
Problem:
Holder-of-Key assertions are used to achieve higher levels of federation security, compared to bearer assertions, by having Relying Party challenge subscriber to prove possession of the key specified in the assertion that represents subscriber in addition to verifying the assertion itself signed by Identity Provider. More information about it can be found in https://pages.nist.gov/800-63-3/sp800-63c.html
This library fails to parase SAML respones containing assertions with Holder-of-Key profile, for example:
```
<ns1:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:holder-of-key">
<ns1:SubjectConfirmationData InResponseTo="id-KHlas49TtW2VdC8WN" NotOnOrAfter="2019-05-14T20:36:13Z" Recipient="https://sp:443/.auth/saml/login">
<ns2:KeyInfo>
<ns2:X509Data>
<ns2:X509Certificate>MIICITCCAYoCAQEwDQYJKoZIhvcNAQELBQAwWDELMAkGA1UEBhMCenoxCzAJBgNVBAgMAnp6MQ0wCwYDVQQHDAR6enp6MQ4wDAYDVQQKDAVaenp6ejEOMAwGA1UECwwFWnp6enoxDTALBgNVBAMMBHRlc3QwIBcNMTkwNDEyMTk1MDM0WhgPMzAxODA4MTMxOTUwMzRaMFgxCzAJBgNVBAYTAnp6MQswCQYDVQQIDAJ6ejENMAsGA1UEBwwEenp6ejEOMAwGA1UECgwFWnp6enoxDjAMBgNVBAsMBVp6enp6MQ0wCwYDVQQDDAR0ZXN0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDHcj80WU/XBsd9FlyQmfjPUdfmedhCFDd6TEQmZNNqP/UG+VkGa+BXjRIHMfic/WxPTbGhCjv68ci0UDNomUXagFexLGNpkwa7+CRVtoc/1xgq+ySE6M4nhcCutScoxNvWNn5eSQ66i3U0sTv91MgsXxqEdTaiZg0BIufEc3dueQIDAQABMA0GCSqGSIb3DQEBCwUAA4GBAGUV5B+USHvaRa8kgCNJSuNpo6ARlv0ekrk8bbdNRBiEUdCMyoGJFfuM9K0zybX6Vr25wai3nvaog294Vx/jWjX2g5SDbjItH6VGy6C9GCGf1A07VxFRCfJn5tA9HuJjPKiE+g/BmrV5N4CealzFxPHWYkNOzoRU8qI7OqUai1kL</ns2:X509Certificate>
</ns2:X509Data>
</ns2:KeyInfo>
</ns1:SubjectConfirmationData>
</ns1:SubjectConfirmation>
```
fails to be parsed with the following error:
```
ERROR saml2.response:response.py:836 get subject
Traceback (most recent call last):
File "/home/abublich/repos/abliqo-pysaml2/venv/local/lib/python2.7/site-packages/pysaml2-4.7.0-py2.7.egg/saml2/response.py", line 828, in _assertion
self.get_subject()
File "/home/abublich/repos/abliqo-pysaml2/venv/local/lib/python2.7/site-packages/pysaml2-4.7.0-py2.7.egg/saml2/response.py", line 753, in get_subject
if not self._holder_of_key_confirmed(_data):
File "/home/abublich/repos/abliqo-pysaml2/venv/local/lib/python2.7/site-packages/pysaml2-4.7.0-py2.7.egg/saml2/response.py", line 730, in _holder_of_key_confirmed
[samlp, saml, xenc, ds]):
File "/home/abublich/repos/abliqo-pysaml2/venv/local/lib/python2.7/site-packages/pysaml2-4.7.0-py2.7.egg/saml2/__init__.py", line 1004, in extension_elements_to_elements
for extension_element in extension_elements:
TypeError: 'SubjectConfirmationData' object is not iterable
```
The root cause is two-fold:
1. The type SubjectConfirmationDataType_ does not declare KeyInfo as child element.
2. The bug in function _holder_of_key_confirmed: it should check KeyInfo child element of SubjectConfirmationData instead of SubjectConfirmationData itself.
Solution:
Fixed the root cause and added new unit tests that verify successful parsing of Holder-of-Key assertions.
Diffstat (limited to 'tests/test_02_saml.py')
| -rw-r--r-- | tests/test_02_saml.py | 50 |
1 files changed, 34 insertions, 16 deletions
diff --git a/tests/test_02_saml.py b/tests/test_02_saml.py index 7ff64885..2cdb5064 100644 --- a/tests/test_02_saml.py +++ b/tests/test_02_saml.py @@ -867,35 +867,53 @@ class TestSubjectConfirmation: self.sc.subject_confirmation_data = saml.subject_confirmation_data_from_string( saml2_data.TEST_SUBJECT_CONFIRMATION_DATA) new_sc = saml.subject_confirmation_from_string(self.sc.to_string()) - assert new_sc.name_id.sp_provided_id == "sp provided id" - assert new_sc.method == saml.SCM_BEARER - assert new_sc.subject_confirmation_data.not_before == \ - "2007-08-31T01:05:02Z" - assert new_sc.subject_confirmation_data.not_on_or_after == \ - "2007-09-14T01:05:02Z" - assert new_sc.subject_confirmation_data.recipient == "recipient" - assert new_sc.subject_confirmation_data.in_response_to == "responseID" - assert new_sc.subject_confirmation_data.address == "127.0.0.1" - - def testUsingTestData(self): - """Test subject_confirmation_from_string() using test data""" + self._assertBearer(new_sc) + def testBearerUsingTestData(self): + """Test subject_confirmation_from_string() using test data for 'bearer' SubjectConfirmation""" sc = saml.subject_confirmation_from_string( saml2_data.TEST_SUBJECT_CONFIRMATION) + assert sc.verify() + self._assertBearer(sc) + + def _assertBearer(self, sc): + """Asserts SubjectConfirmation that has method 'bearer'""" assert sc.name_id.sp_provided_id == "sp provided id" assert sc.method == saml.SCM_BEARER + assert sc.subject_confirmation_data is not None assert sc.subject_confirmation_data.not_before == "2007-08-31T01:05:02Z" assert sc.subject_confirmation_data.not_on_or_after == "2007-09-14T01:05:02Z" assert sc.subject_confirmation_data.recipient == "recipient" assert sc.subject_confirmation_data.in_response_to == "responseID" assert sc.subject_confirmation_data.address == "127.0.0.1" + assert sc.subject_confirmation_data.key_info is None - def testVerify(self): - """Test SubjectConfirmation verify""" - + def testHolderOfKeyUsingTestData(self): + """Test subject_confirmation_from_string() using test data for 'holder-of-key' SubjectConfirmation""" sc = saml.subject_confirmation_from_string( - saml2_data.TEST_SUBJECT_CONFIRMATION) + saml2_data.TEST_HOLDER_OF_KEY_SUBJECT_CONFIRMATION) assert sc.verify() + assert sc.method == saml.SCM_HOLDER_OF_KEY + assert sc.subject_confirmation_data is not None + assert sc.subject_confirmation_data.not_on_or_after == "2007-09-14T01:05:02Z" + assert sc.subject_confirmation_data.recipient == "recipient" + assert sc.subject_confirmation_data.in_response_to == "responseID" + key_info = sc.subject_confirmation_data.key_info + assert len(key_info) == 1 + assert len(key_info[0].x509_data) == 1 + assert key_info[0].x509_data[0].x509_certificate.text.strip() == """ +MIICITCCAYoCAQEwDQYJKoZIhvcNAQELBQAwWDELMAkGA1UEBhMCenoxCzAJBgNV +BAgMAnp6MQ0wCwYDVQQHDAR6enp6MQ4wDAYDVQQKDAVaenp6ejEOMAwGA1UECwwF +Wnp6enoxDTALBgNVBAMMBHRlc3QwIBcNMTkwNDEyMTk1MDM0WhgPMzAxODA4MTMx +OTUwMzRaMFgxCzAJBgNVBAYTAnp6MQswCQYDVQQIDAJ6ejENMAsGA1UEBwwEenp6 +ejEOMAwGA1UECgwFWnp6enoxDjAMBgNVBAsMBVp6enp6MQ0wCwYDVQQDDAR0ZXN0 +MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDHcj80WU/XBsd9FlyQmfjPUdfm +edhCFDd6TEQmZNNqP/UG+VkGa+BXjRIHMfic/WxPTbGhCjv68ci0UDNomUXagFex +LGNpkwa7+CRVtoc/1xgq+ySE6M4nhcCutScoxNvWNn5eSQ66i3U0sTv91MgsXxqE +dTaiZg0BIufEc3dueQIDAQABMA0GCSqGSIb3DQEBCwUAA4GBAGUV5B+USHvaRa8k +gCNJSuNpo6ARlv0ekrk8bbdNRBiEUdCMyoGJFfuM9K0zybX6Vr25wai3nvaog294 +Vx/jWjX2g5SDbjItH6VGy6C9GCGf1A07VxFRCfJn5tA9HuJjPKiE+g/BmrV5N4Ce +alzFxPHWYkNOzoRU8qI7OqUai1kL""".strip() class TestSubject: |