1 files changed, 155 insertions, 128 deletions

diff --git a/example/sp-wsgi/sp.py b/example/sp-wsgi/sp.py
index 90d7838c..4e9eab9c 100755
--- a/example/sp-wsgi/sp.py
+++ b/example/sp-wsgi/sp.py
@@ -49,9 +49,8 @@ from saml2.saml import NAMEID_FORMAT_PERSISTENT
 from saml2.samlp import Extensions
 
 logger = logging.getLogger("")
-hdlr = logging.FileHandler('spx.log')
-base_formatter = logging.Formatter(
-    "%(asctime)s %(name)s:%(levelname)s %(message)s")
+hdlr = logging.FileHandler("spx.log")
+base_formatter = logging.Formatter("%(asctime)s %(name)s:%(levelname)s %(message)s")
 
 hdlr.setFormatter(base_formatter)
 logger.addHandler(hdlr)
@@ -93,7 +92,7 @@ def dict_to_table(ava, lev=0, width=1):
             txt.extend(dict_to_table(valarr, lev + 1, width - 1))
             txt.append("</td>\n")
         txt.append("</tr>\n")
-    txt.append('</table>\n')
+    txt.append("</table>\n")
     return txt
 
 
@@ -108,19 +107,19 @@ def handle_static(environ, start_response, path):
     :return: wsgi response for the static file.
     """
     try:
-        data = open(path, 'rb').read()
+        data = open(path, "rb").read()
         if path.endswith(".ico"):
-            resp = Response(data, headers=[('Content-Type', "image/x-icon")])
+            resp = Response(data, headers=[("Content-Type", "image/x-icon")])
         elif path.endswith(".html"):
-            resp = Response(data, headers=[('Content-Type', 'text/html')])
+            resp = Response(data, headers=[("Content-Type", "text/html")])
         elif path.endswith(".txt"):
-            resp = Response(data, headers=[('Content-Type', 'text/plain')])
+            resp = Response(data, headers=[("Content-Type", "text/plain")])
         elif path.endswith(".css"):
-            resp = Response(data, headers=[('Content-Type', 'text/css')])
+            resp = Response(data, headers=[("Content-Type", "text/css")])
         elif path.endswith(".js"):
-            resp = Response(data, headers=[('Content-Type', 'text/javascript')])
+            resp = Response(data, headers=[("Content-Type", "text/javascript")])
         elif path.endswith(".png"):
-            resp = Response(data, headers=[('Content-Type', 'image/png')])
+            resp = Response(data, headers=[("Content-Type", "image/png")])
         else:
             resp = Response(data)
     except IOError:
@@ -130,22 +129,23 @@ def handle_static(environ, start_response, path):
 
 class ECPResponse(object):
     code = 200
-    title = 'OK'
+    title = "OK"
 
     def __init__(self, content):
         self.content = content
 
     # noinspection PyUnusedLocal
     def __call__(self, environ, start_response):
-        start_response('%s %s' % (self.code, self.title),
-                       [('Content-Type', "text/xml")])
+        start_response(
+            "%s %s" % (self.code, self.title), [("Content-Type", "text/xml")]
+        )
         return [self.content]
 
 
 def _expiration(timeout, tformat=None):
     # Wed, 06-Jun-2012 01:34:34 GMT
     if not tformat:
-        tformat = '%a, %d-%b-%Y %T GMT'
+        tformat = "%a, %d-%b-%Y %T GMT"
 
     if timeout == "now":
         return time_util.instant(tformat)
@@ -165,7 +165,7 @@ class Cache(object):
         self.result = {}
 
     def get_user(self, environ):
-        cookie = environ.get("HTTP_COOKIE", '')
+        cookie = environ.get("HTTP_COOKIE", "")
         logger.debug("Cookie: %s", cookie)
         if cookie:
             cookie_obj = SimpleCookie(cookie)
@@ -181,7 +181,7 @@ class Cache(object):
         return None
 
     def delete_cookie(self, environ):
-        cookie = environ.get("HTTP_COOKIE", '')
+        cookie = environ.get("HTTP_COOKIE", "")
         logger.debug("delete cookie: %s", cookie)
         if cookie:
             _name = self.cookie_name
@@ -189,7 +189,7 @@ class Cache(object):
             morsel = cookie_obj.get(_name, None)
             cookie = SimpleCookie()
             cookie[_name] = ""
-            cookie[_name]['path'] = "/"
+            cookie[_name]["path"] = "/"
             logger.debug("Expire: %s", morsel)
             cookie[_name]["expires"] = _expiration("now")
             return cookie.output().split(": ", 1)
@@ -200,7 +200,7 @@ class Cache(object):
         self.uid2user[uid] = user
         cookie = SimpleCookie()
         cookie[self.cookie_name] = uid
-        cookie[self.cookie_name]['path'] = "/"
+        cookie[self.cookie_name]["path"] = "/"
         cookie[self.cookie_name]["expires"] = _expiration(480)
         logger.debug("Cookie expires: %s", cookie[self.cookie_name]["expires"])
         return cookie.output().split(": ", 1)
@@ -227,7 +227,7 @@ class Service(object):
             return None
 
     def unpack_post(self):
-        _dict = parse_qs(get_post(self.environ).decode('utf8'))
+        _dict = parse_qs(get_post(self.environ).decode("utf8"))
         logger.debug("unpack_post:: %s", _dict)
         return dict([(k, v[0]) for k, v in _dict.items()])
 
@@ -251,7 +251,7 @@ class Service(object):
     def operation(self, _dict, binding):
         logger.debug("_operation: %s", _dict)
         if not _dict:
-            resp = BadRequest('Error parsing request or no request')
+            resp = BadRequest("Error parsing request or no request")
             return resp(self.environ, self.start_response)
         else:
             try:
@@ -259,11 +259,13 @@ class Service(object):
             except KeyError:
                 _relay_state = ""
             if "SAMLResponse" in _dict:
-                return self.do(_dict["SAMLResponse"], binding,
-                               _relay_state, mtype="response")
+                return self.do(
+                    _dict["SAMLResponse"], binding, _relay_state, mtype="response"
+                )
             elif "SAMLRequest" in _dict:
-                return self.do(_dict["SAMLRequest"], binding,
-                               _relay_state, mtype="request")
+                return self.do(
+                    _dict["SAMLRequest"], binding, _relay_state, mtype="request"
+                )
 
     def artifact_operation(self, _dict):
         if not _dict:
@@ -315,7 +317,7 @@ class Service(object):
         return self.operation(_dict, BINDING_SOAP)
 
     def not_authn(self):
-        resp = Unauthorized('Unknown user')
+        resp = Unauthorized("Unknown user")
         return resp(self.environ, self.start_response)
 
 
@@ -333,7 +335,8 @@ class User(object):
     @property
     def authn_statement(self):
         xml_doc = xml.dom.minidom.parseString(
-            str(self.response.assertion.authn_statement[0]))
+            str(self.response.assertion.authn_statement[0])
+        )
         return xml_doc.toprettyxml()
 
 
@@ -354,18 +357,24 @@ class ACS(Service):
         # tmp_outstanding_queries = dict(self.outstanding_queries)
         if not response:
             logger.info("Missing Response")
-            resp = Unauthorized('Unknown user')
+            resp = Unauthorized("Unknown user")
             return resp(self.environ, self.start_response)
 
         try:
-            conv_info = {'remote_addr': self.environ['REMOTE_ADDR'],
-                         'request_uri': self.environ['REQUEST_URI'],
-                         'entity_id': self.sp.config.entityid,
-                         'endpoints': self.sp.config.getattr('endpoints', 'sp')}
+            conv_info = {
+                "remote_addr": self.environ["REMOTE_ADDR"],
+                "request_uri": self.environ["REQUEST_URI"],
+                "entity_id": self.sp.config.entityid,
+                "endpoints": self.sp.config.getattr("endpoints", "sp"),
+            }
 
             self.response = self.sp.parse_authn_request_response(
-                response, binding, self.outstanding_queries,
-                self.cache.outstanding_certs, conv_info=conv_info)
+                response,
+                binding,
+                self.outstanding_queries,
+                self.cache.outstanding_certs,
+                conv_info=conv_info,
+            )
         except UnknownPrincipal as excp:
             logger.error("UnknownPrincipal: %s", excp)
             resp = ServiceError("UnknownPrincipal: %s" % (excp,))
@@ -389,15 +398,12 @@ class ACS(Service):
         user = User(self.response.name_id, self.response.ava, self.response)
         cookie = self.cache.set_cookie(user)
 
-        resp = Redirect("/", headers=[
-            cookie,
-        ])
+        resp = Redirect("/", headers=[cookie])
         return resp(self.environ, self.start_response)
 
     def verify_attributes(self, ava):
         logger.info("SP: %s", self.sp.config.entityid)
-        rest = POLICY.get_entity_categories(
-            self.sp.config.entityid, self.sp.metadata)
+        rest = POLICY.get_entity_categories(self.sp.config.entityid, self.sp.metadata)
 
         akeys = [k.lower() for k in ava.keys()]
 
@@ -421,8 +427,16 @@ class ACS(Service):
 
 
 class SSO(object):
-    def __init__(self, sp, environ, start_response, cache=None,
-                 wayf=None, discosrv=None, bindings=None):
+    def __init__(
+        self,
+        sp,
+        environ,
+        start_response,
+        cache=None,
+        wayf=None,
+        discosrv=None,
+        bindings=None,
+    ):
         self.sp = sp
         self.environ = environ
         self.start_response = start_response
@@ -433,8 +447,11 @@ class SSO(object):
         if bindings:
             self.bindings = bindings
         else:
-            self.bindings = [BINDING_HTTP_REDIRECT, BINDING_HTTP_POST,
-                             BINDING_HTTP_ARTIFACT]
+            self.bindings = [
+                BINDING_HTTP_REDIRECT,
+                BINDING_HTTP_POST,
+                BINDING_HTTP_ARTIFACT,
+            ]
         logger.debug("--- SSO ---")
 
     def response(self, binding, http_args, do_not_start_response=False):
@@ -459,7 +476,7 @@ class SSO(object):
         sid_ = sid()
         self.cache.outstanding_queries[sid_] = came_from
         logger.debug("Redirect to WAYF function: %s", self.wayf)
-        return -1, SeeOther(headers=[('Location', "%s?%s" % (self.wayf, sid_))])
+        return -1, SeeOther(headers=[("Location", "%s?%s" % (self.wayf, sid_))])
 
     def _pick_idp(self, came_from):
         """
@@ -481,24 +498,23 @@ class SSO(object):
 
                     _rstate = rndstr()
                     self.cache.relay_state[_rstate] = geturl(self.environ)
-                    _entityid = _cli.config.ecp_endpoint(
-                        self.environ["REMOTE_ADDR"])
+                    _entityid = _cli.config.ecp_endpoint(self.environ["REMOTE_ADDR"])
 
                     if not _entityid:
                         return -1, ServiceError("No IdP to talk to")
                     logger.debug("IdP to talk to: %s", _entityid)
                     return ecp.ecp_auth_request(_cli, _entityid, _rstate)
                 else:
-                    return -1, ServiceError('Faulty Accept header')
+                    return -1, ServiceError("Faulty Accept header")
             else:
-                return -1, ServiceError('unknown ECP version')
+                return -1, ServiceError("unknown ECP version")
 
         # Find all IdPs
         idps = self.sp.metadata.with_descriptor("idpsso")
 
         idp_entity_id = None
 
-        kaka = self.environ.get("HTTP_COOKIE", '')
+        kaka = self.environ.get("HTTP_COOKIE", "")
         if kaka:
             try:
                 (idp_entity_id, _) = parse_cookie("ve_disco", "SEED_SAW", kaka)
@@ -511,8 +527,7 @@ class SSO(object):
         query = self.environ.get("QUERY_STRING")
         if not idp_entity_id and query:
             try:
-                _idp_entity_id = dict(parse_qs(query))[
-                    self.idp_query_param][0]
+                _idp_entity_id = dict(parse_qs(query))[self.idp_query_param][0]
                 if _idp_entity_id in idps:
                     idp_entity_id = _idp_entity_id
             except KeyError:
@@ -524,8 +539,7 @@ class SSO(object):
             if self.wayf:
                 if query:
                     try:
-                        wayf_selected = dict(parse_qs(query))[
-                            "wayf_selected"][0]
+                        wayf_selected = dict(parse_qs(query))["wayf_selected"][0]
                     except KeyError:
                         return self._wayf_redirect(came_from)
                     idp_entity_id = wayf_selected
@@ -534,23 +548,26 @@ class SSO(object):
             elif self.discosrv:
                 if query:
                     idp_entity_id = _cli.parse_discovery_service_response(
-                        query=self.environ.get("QUERY_STRING"))
+                        query=self.environ.get("QUERY_STRING")
+                    )
                 if not idp_entity_id:
                     sid_ = sid()
                     self.cache.outstanding_queries[sid_] = came_from
                     logger.debug("Redirect to Discovery Service function")
                     eid = _cli.config.entityid
-                    ret = _cli.config.getattr("endpoints",
-                                              "sp")["discovery_response"][0][0]
+                    ret = _cli.config.getattr("endpoints", "sp")["discovery_response"][
+                        0
+                    ][0]
                     ret += "?sid=%s" % sid_
                     loc = _cli.create_discovery_service_request(
-                        self.discosrv, eid, **{"return": ret})
+                        self.discosrv, eid, **{"return": ret}
+                    )
                     return -1, SeeOther(loc)
             elif len(idps) == 1:
                 # idps is a dictionary
                 idp_entity_id = list(idps.keys())[0]
             elif not len(idps):
-                return -1, ServiceError('Misconfiguration')
+                return -1, ServiceError("Misconfiguration")
             else:
                 return -1, NotImplemented("No WAYF or DS present!")
 
@@ -561,14 +578,12 @@ class SSO(object):
         try:
             # Picks a binding to use for sending the Request to the IDP
             _binding, destination = _cli.pick_binding(
-                "single_sign_on_service", self.bindings, "idpsso",
-                entity_id=entity_id)
-            logger.debug("binding: %s, destination: %s", _binding,
-                         destination)
+                "single_sign_on_service", self.bindings, "idpsso", entity_id=entity_id
+            )
+            logger.debug("binding: %s, destination: %s", _binding, destination)
             # Binding here is the response binding that is which binding the
             # IDP should use to return the response.
-            acs = _cli.config.getattr("endpoints", "sp")[
-                "assertion_consumer_service"]
+            acs = _cli.config.getattr("endpoints", "sp")["assertion_consumer_service"]
             # just pick one
             endp, return_binding = acs[0]
 
@@ -576,24 +591,27 @@ class SSO(object):
             cert = None
             if _cli.config.generate_cert_func is not None:
                 cert_str, req_key_str = _cli.config.generate_cert_func()
-                cert = {
-                    "cert": cert_str,
-                    "key": req_key_str
-                }
-                spcertenc = SPCertEnc(x509_data=ds.X509Data(
-                    x509_certificate=ds.X509Certificate(text=cert_str)))
-                extensions = Extensions(extension_elements=[
-                    element_to_extension_element(spcertenc)])
-
-            req_id, req = _cli.create_authn_request(destination,
-                                                    binding=return_binding,
-                                                    extensions=extensions,
-                                                    nameid_format=NAMEID_FORMAT_PERSISTENT)
+                cert = {"cert": cert_str, "key": req_key_str}
+                spcertenc = SPCertEnc(
+                    x509_data=ds.X509Data(
+                        x509_certificate=ds.X509Certificate(text=cert_str)
+                    )
+                )
+                extensions = Extensions(
+                    extension_elements=[element_to_extension_element(spcertenc)]
+                )
+
+            req_id, req = _cli.create_authn_request(
+                destination,
+                binding=return_binding,
+                extensions=extensions,
+                nameid_format=NAMEID_FORMAT_PERSISTENT,
+            )
             _rstate = rndstr()
             self.cache.relay_state[_rstate] = came_from
-            ht_args = _cli.apply_binding(_binding, "%s" % req, destination,
-                                         relay_state=_rstate,
-                                         sigalg=sigalg)
+            ht_args = _cli.apply_binding(
+                _binding, "%s" % req, destination, relay_state=_rstate, sigalg=sigalg
+            )
             _sid = req_id
 
             if cert is not None:
@@ -601,8 +619,7 @@ class SSO(object):
 
         except Exception as exc:
             logger.exception(exc)
-            resp = ServiceError(
-                "Failed to construct the AuthnRequest: %s" % exc)
+            resp = ServiceError("Failed to construct the AuthnRequest: %s" % exc)
             return resp
 
         # remember the request
@@ -646,7 +663,7 @@ class SLO(Service):
     def do(self, message, binding, relay_state="", mtype="response"):
         try:
             txt = decode_base64_and_inflate(message)
-            is_logout_request = 'LogoutRequest' in txt.split('>', 1)[0]
+            is_logout_request = "LogoutRequest" in txt.split(">", 1)[0]
         except:  # TODO: parse the XML correctly
             is_logout_request = False
 
@@ -664,7 +681,7 @@ class SLO(Service):
 # noinspection PyUnusedLocal
 def not_found(environ, start_response):
     """Called if no URL matches."""
-    resp = NotFound('Not Found')
+    resp = NotFound("Not Found")
     return resp(environ, start_response)
 
 
@@ -681,7 +698,7 @@ def main(environ, start_response, sp):
 
     body = dict_to_table(user.data)
     authn_stmt = cgi.escape(user.authn_statement)
-    body.append('<br><pre>' + authn_stmt + "</pre>")
+    body.append("<br><pre>" + authn_stmt + "</pre>")
     body.append('<br><a href="/logout">logout</a>')
 
     resp = Response(body)
@@ -724,19 +741,19 @@ def logout(environ, start_response, sp):
             binding, http_info = logout_info
 
             if binding == BINDING_HTTP_POST:
-                body = ''.join(http_info['data'])
+                body = "".join(http_info["data"])
                 resp = Response(body)
                 return resp(environ, start_response)
             elif binding == BINDING_HTTP_REDIRECT:
-                for key, value in http_info['headers']:
-                    if key.lower() == 'location':
+                for key, value in http_info["headers"]:
+                    if key.lower() == "location":
                         resp = Redirect(value)
                         return resp(environ, start_response)
 
-                resp = ServiceError('missing Location header')
+                resp = ServiceError("missing Location header")
                 return resp(environ, start_response)
             else:
-                resp = ServiceError('unknown logout binding: %s', binding)
+                resp = ServiceError("unknown logout binding: %s", binding)
                 return resp(environ, start_response)
         else:  # result from logout, should be OK
             pass
@@ -751,9 +768,7 @@ def finish_logout(environ, start_response):
     # remove cookie and stored info
     cookie = CACHE.delete_cookie(environ)
 
-    resp = Response('You are now logged out of this service', headers=[
-        cookie,
-    ])
+    resp = Response("You are now logged out of this service", headers=[cookie])
     return resp(environ, start_response)
 
 
@@ -762,10 +777,10 @@ def finish_logout(environ, start_response):
 # map urls to functions
 urls = [
     # Hmm, place holder, NOT used
-    ('place', ("holder", None)),
-    (r'^$', main),
-    (r'^disco', disco),
-    (r'^logout$', logout),
+    ("place", ("holder", None)),
+    (r"^$", main),
+    (r"^disco", disco),
+    (r"^logout$", logout),
 ]
 
 
@@ -787,6 +802,7 @@ def add_urls():
 
 # ----------------------------------------------------------------------------
 
+
 def metadata(environ, start_response):
     try:
         path = _args.path
@@ -794,11 +810,17 @@ def metadata(environ, start_response):
             path = os.path.dirname(os.path.abspath(__file__))
         if path[-1] != "/":
             path += "/"
-        metadata = create_metadata_string(path + "sp_conf.py", None,
-                                          _args.valid, _args.cert,
-                                          _args.keyfile,
-                                          _args.id, _args.name, _args.sign)
-        start_response('200 OK', [('Content-Type', "text/xml")])
+        metadata = create_metadata_string(
+            path + "sp_conf.py",
+            None,
+            _args.valid,
+            _args.cert,
+            _args.keyfile,
+            _args.id,
+            _args.name,
+            _args.sign,
+        )
+        start_response("200 OK", [("Content-Type", "text/xml")])
         return metadata
     except Exception as ex:
         logger.error("An error occured while creating metadata: %s", ex.message)
@@ -817,7 +839,7 @@ def application(environ, start_response):
         request is done
     :return: The response as a list of lines
     """
-    path = environ.get('PATH_INFO', '').lstrip('/')
+    path = environ.get("PATH_INFO", "").lstrip("/")
     logger.debug("<application> PATH: '%s'", path)
 
     if path == "metadata":
@@ -850,7 +872,7 @@ def application(environ, start_response):
         return resp(environ, start_response)
 
 
-if __name__ == '__main__':
+if __name__ == "__main__":
     try:
         from cheroot.wsgi import Server as WSGIServer
         from cheroot.ssl import pyopenssl
@@ -859,30 +881,34 @@ if __name__ == '__main__':
         from cherrypy.wsgiserver import ssl_pyopenssl as pyopenssl
 
     _parser = argparse.ArgumentParser()
-    _parser.add_argument('-d', dest='debug', action='store_true',
-                         help="Print debug information")
-    _parser.add_argument('-D', dest='discosrv',
-                         help="Which disco server to use")
-    _parser.add_argument('-s', dest='seed',
-                         help="Cookie seed")
-    _parser.add_argument('-W', dest='wayf', action='store_true',
-                         help="Which WAYF url to use")
+    _parser.add_argument(
+        "-d", dest="debug", action="store_true", help="Print debug information"
+    )
+    _parser.add_argument("-D", dest="discosrv", help="Which disco server to use")
+    _parser.add_argument("-s", dest="seed", help="Cookie seed")
+    _parser.add_argument(
+        "-W", dest="wayf", action="store_true", help="Which WAYF url to use"
+    )
     _parser.add_argument("config", help="SAML client config")
-    _parser.add_argument('-p', dest='path', help='Path to configuration file.')
-    _parser.add_argument('-v', dest='valid', default="4",
-                         help="How long, in days, the metadata is valid from "
-                              "the time of creation")
-    _parser.add_argument('-c', dest='cert', help='certificate')
-    _parser.add_argument('-i', dest='id',
-                         help="The ID of the entities descriptor in the "
-                              "metadata")
-    _parser.add_argument('-k', dest='keyfile',
-                         help="A file with a key to sign the metadata with")
-    _parser.add_argument('-n', dest='name')
-    _parser.add_argument('-S', dest='sign', action='store_true',
-                         help="sign the metadata")
-    _parser.add_argument('-C', dest='service_conf_module',
-                         help="service config module")
+    _parser.add_argument("-p", dest="path", help="Path to configuration file.")
+    _parser.add_argument(
+        "-v",
+        dest="valid",
+        default="4",
+        help="How long, in days, the metadata is valid from " "the time of creation",
+    )
+    _parser.add_argument("-c", dest="cert", help="certificate")
+    _parser.add_argument(
+        "-i", dest="id", help="The ID of the entities descriptor in the " "metadata"
+    )
+    _parser.add_argument(
+        "-k", dest="keyfile", help="A file with a key to sign the metadata with"
+    )
+    _parser.add_argument("-n", dest="name")
+    _parser.add_argument(
+        "-S", dest="sign", action="store_true", help="sign the metadata"
+    )
+    _parser.add_argument("-C", dest="service_conf_module", help="service config module")
 
     ARGS = {}
     _args = _parser.parse_args()
@@ -935,7 +961,8 @@ if __name__ == '__main__':
     _https = ""
     if service_conf.HTTPS:
         SRV.ssl_adapter = pyopenssl.pyOpenSSLAdapter(
-                SERVER_CERT, SERVER_KEY, CERT_CHAIN)
+            SERVER_CERT, SERVER_KEY, CERT_CHAIN
+        )
         _https = " using SSL/TLS"
     logger.info("Server starting")
     print("SP listening on %s:%s%s" % (HOST, PORT, _https))