Diffstat (limited to 'src/saml2/server.py')
-rw-r--r-- | src/saml2/server.py | 292 |
1 files changed, 190 insertions, 102 deletions
diff --git a/src/saml2/server.py b/src/saml2/server.py index 1d4b7543..04604b09 100644 --- a/src/saml2/server.py +++ b/src/saml2/server.py @@ -392,6 +392,7 @@ class Server(Entity): **kwargs) return assertion + # XXX > _response def _authn_response( self, in_response_to, @@ -403,8 +404,8 @@ class Server(Entity): authn=None, issuer=None, policy=None, - sign_assertion=False, - sign_response=False, + sign_assertion=None, + sign_response=None, best_effort=False, encrypt_assertion=False, encrypt_cert_advice=None, @@ -493,10 +494,9 @@ class Server(Entity): to_sign = [] if not encrypt_assertion: if sign_assertion: - assertion.signature = pre_signature_part(assertion.id, - self.sec.my_cert, 2, - sign_alg=sign_alg, - digest_alg=digest_alg) + assertion.signature = pre_signature_part( + assertion.id, self.sec.my_cert, 2, sign_alg=sign_alg, digest_alg=digest_alg + ) to_sign.append((class_name(assertion), assertion.id)) args["assertion"] = assertion 
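Review bot: In `_authn_response` the new `sign_assertion=None` default reaches the unchanged `if sign_assertion:` guard of the @@ -493 hunk, so with no explicit argument the assertion gets neither a signature placeholder nor an entry in `to_sign`, while the same `None` is forwarded to `_response` (outside the hunk) where it is presumably resolved against configuration; the two paths can then disagree about whether the assertion was meant to be signed. Resolving the value once before the guard, e.g. `if sign_assertion is None: sign_assertion = self.config.getattr("sign_assertion", "idp")`, keeps the placeholder and the later signing step in step, or the `# XXX > _response` marker should say that `_response` is expected to cope with `sign_assertion=None` and an unsigned assertion. The same truthiness guard now follows a `None` default in `create_attribute_response` (@@ -573) and `create_name_id_mapping_response` (@@ -855). This `pre_signature_part` call is also made with possibly-`None` `sign_alg`/`digest_alg`, which the commit flags with an XXX at the other call sites but not here.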
@@ -505,25 +505,47 @@ class Server(Entity): self.session_db.store_assertion(assertion, to_sign) return self._response( - in_response_to, consumer_url, status, issuer, sign_response, - to_sign, sp_entity_id=sp_entity_id, + in_response_to, + consumer_url, + status, + issuer, + sign_response, + to_sign, + sp_entity_id=sp_entity_id, encrypt_assertion=encrypt_assertion, encrypt_cert_advice=encrypt_cert_advice, encrypt_cert_assertion=encrypt_cert_assertion, encrypt_assertion_self_contained=encrypt_assertion_self_contained, encrypted_advice_attributes=encrypted_advice_attributes, sign_assertion=sign_assertion, - pefim=pefim, sign_alg=sign_alg, digest_alg=digest_alg, **args) + pefim=pefim, + sign_alg=sign_alg, + digest_alg=digest_alg, + **args, + ) # ------------------------------------------------------------------------ - # XXX idp create - def create_attribute_response(self, identity, in_response_to, destination, - sp_entity_id, userid="", name_id=None, - status=None, issuer=None, - sign_assertion=False, sign_response=False, - attributes=None, sign_alg=None, - digest_alg=None, farg=None, **kwargs): + # XXX calls pre_signature_part without ensuring sign_alg/digest_alg + # XXX DONE idp create > _response + def create_attribute_response( + self, + identity, + in_response_to, + destination, + sp_entity_id, + userid="", + name_id=None, + status=None, + issuer=None, + sign_assertion=None, + sign_response=None, + attributes=None, + sign_alg=None, + digest_alg=None, + farg=None, + **kwargs, + ): """ Create an attribute assertion response. :param identity: A dictionary with attributes and values that are 
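Review bot: The two `# XXX` lines added above `create_attribute_response` are working notes (`DONE idp create > _response`) rather than documentation of the method, and the first one repeats the sentence the commit also inserts inside the body at @@ -573, so after merge a reader cannot tell which marker is still open. Keep one actionable marker at the signing call, e.g. `# TODO: resolve sign_alg/digest_alg from config before pre_signature_part`, and drop the `DONE` trail comments here and at the other methods this commit annotates (@@ -690, @@ -769, @@ -864, @@ -878). The docstring following the new signature starts in this hunk but continues outside it, so whether the `None` defaults of `sign_assertion`/`sign_response` are described there cannot be checked from the hunk.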
@@ -573,10 +595,10 @@ class Server(Entity): farg=farg['assertion']) if sign_assertion: - assertion.signature = pre_signature_part(assertion.id, - self.sec.my_cert, 1, - sign_alg=sign_alg, - digest_alg=digest_alg) + # XXX calls pre_signature_part without ensuring sign_alg/digest_alg + assertion.signature = pre_signature_part( + assertion.id, self.sec.my_cert, 1, sign_alg=sign_alg, digest_alg=digest_alg + ) # Just the assertion or the response and the assertion ? to_sign = [(class_name(assertion), assertion.id)] kwargs['sign_assertion'] = True @@ -690,7 +712,7 @@ class Server(Entity): return args - # XXX idp create + # XXX DONE idp create > _authn_response > _response def create_authn_response( self, identity, 
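Review bot: The `# XXX calls pre_signature_part without ensuring sign_alg/digest_alg` comment placed before the signing call in `create_attribute_response` records a risk without mitigating it: when the caller leaves `sign_alg`/`digest_alg` as `None`, the algorithms written into the signature placeholder are whatever `pre_signature_part` substitutes (outside this hunk), not the ones the IdP configuration selects. Since this is where the assertion's signature is prepared, resolving both values from the configured defaults before the call would be cheaper than the marker, with a one-line comment stating that the fallback inside `pre_signature_part` is not the configured one. The same unresolved marker is added at the `pre_signature_part` call in `create_assertion_id_request_response` (@@ -822). The enclosing method's signature and the rest of its body lie outside this hunk.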
@@ -769,52 +791,67 @@ class Server(Entity): try: _authn = authn - if (sign_assertion or sign_response) and \ - self.sec.cert_handler.generate_cert(): - with self.lock: - self.sec.cert_handler.update_cert(True) - return self._authn_response( - in_response_to, destination, sp_entity_id, identity, - authn=_authn, issuer=issuer, pefim=pefim, - sign_alg=sign_alg, digest_alg=digest_alg, - session_not_on_or_after=session_not_on_or_after, **args) return self._authn_response( - in_response_to, destination, sp_entity_id, identity, - authn=_authn, issuer=issuer, pefim=pefim, sign_alg=sign_alg, + in_response_to, + destination, + sp_entity_id, + identity, + authn=_authn, + issuer=issuer, + pefim=pefim, + sign_alg=sign_alg, digest_alg=digest_alg, - session_not_on_or_after=session_not_on_or_after, **args) - + session_not_on_or_after=session_not_on_or_after, + **args, + ) except MissingValue as exc: - return self.create_error_response(in_response_to, destination, - sp_entity_id, exc, name_id) - - # XXX idp create - def create_authn_request_response(self, identity, in_response_to, - destination, sp_entity_id, - name_id_policy=None, userid=None, - name_id=None, authn=None, authn_decl=None, - issuer=None, sign_response=False, - sign_assertion=False, - session_not_on_or_after=None, **kwargs): - - return self.create_authn_response(identity, in_response_to, destination, - sp_entity_id, name_id_policy, userid, - name_id, authn, issuer, - sign_response, sign_assertion, - authn_decl=authn_decl, - session_not_on_or_after=session_not_on_or_after) - - # XXX idp create - def create_assertion_id_request_response(self, assertion_id, sign=False, - sign_alg=None, - digest_alg=None, **kwargs): - """ + return self.create_error_response( + in_response_to, destination, sp_entity_id, exc, name_id + ) - :param assertion_id: - :param sign: - :return: - """ + # XXX DONE idp create > create_authn_response > _authn_response > _response + def create_authn_request_response( + self, + identity, + 
in_response_to, + destination, + sp_entity_id, + name_id_policy=None, + userid=None, + name_id=None, + authn=None, + authn_decl=None, + issuer=None, + sign_response=None, + sign_assertion=None, + session_not_on_or_after=None, + sign_alg=None, + digest_alg=None, + **kwargs, + ): + return self.create_authn_response( + identity, + in_response_to, + destination, + sp_entity_id, + name_id_policy, + userid, + name_id, + authn, + issuer, + sign_response, + sign_assertion, + authn_decl=authn_decl, + session_not_on_or_after=session_not_on_or_after, + sign_alg=sign_alg, + digest_alg=digest_alg, + ) + # XXX calls pre_signature_part without ensuring sign_alg/digest_alg + # XXX DONE idp create > [...] + def create_assertion_id_request_response( + self, assertion_id, sign=None, sign_alg=None, digest_alg=None, **kwargs + ): try: (assertion, to_sign) = self.session_db.get_assertion(assertion_id) except KeyError: 
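Review bot: The branch that ran `self.sec.cert_handler.update_cert(True)` under `self.lock` before signing is removed from `create_authn_response` without the new code or the commit record saying what now refreshes the certificate for deployments whose `cert_handler.generate_cert()` returns true; the remaining `_authn_response` call is the same one that used to follow the removed block, so the only behavioural change in this part of the hunk is that the regeneration step no longer happens. If that step moved into `_response` or `self.sign` (outside this hunk), a comment at the call such as `# certificate refresh for generate_cert handlers is done in _response` would stop the next reader from reintroducing it; if it did not move, this is a silent loss of functionality on the signing path. `create_authn_request_response` in the same hunk now forwards `sign_alg`/`digest_alg`, but its positional forwarding of `sign_response, sign_assertion` depends on `create_authn_response`'s parameter order, which is not visible here. `create_authn_response` begins before this hunk.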
@@ -822,22 +859,33 @@ class Server(Entity): if to_sign: if assertion.signature is None: - assertion.signature = pre_signature_part(assertion.id, - self.sec.my_cert, 1, - sign_alg=sign_alg, - digest_alg=digest_alg) - + # XXX calls pre_signature_part without ensuring sign_alg/digest_alg + assertion.signature = pre_signature_part( + assertion.id, + self.sec.my_cert, + 1, + sign_alg=sign_alg, + digest_alg=digest_alg, + ) return signed_instance_factory(assertion, self.sec, to_sign) else: return assertion + # XXX calls self.sign without ensuring sign # XXX calls self.sign => should it call _message (which calls self.sign)? - # XXX idp create - def create_name_id_mapping_response(self, name_id=None, encrypted_id=None, - in_response_to=None, - issuer=None, sign_response=False, - status=None, sign_alg=None, - digest_alg=None, **kwargs): + # XXX idp create > NameIDMappingResponse & sign? + def create_name_id_mapping_response( + self, + name_id=None, + encrypted_id=None, + in_response_to=None, + issuer=None, + sign_response=None, + status=None, + sign_alg=None, + digest_alg=None, + **kwargs, + ): """ protocol for mapping a principal's name identifier into a different name identifier for the same principal. @@ -855,8 +903,9 @@ class Server(Entity): ms_args = self.message_args() - _resp = NameIDMappingResponse(name_id, encrypted_id, - in_response_to=in_response_to, **ms_args) + _resp = NameIDMappingResponse( + name_id, encrypted_id, in_response_to=in_response_to, **ms_args + ) if sign_response: return self.sign(_resp, sign_alg=sign_alg, digest_alg=digest_alg) 
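Review bot: `create_assertion_id_request_response` is left without a docstring: the preceding hunk removed the old `:param assertion_id: / :param sign:` stub and nothing replaces it, while the visible body never reads `sign` — whether the result is signed is decided by the `to_sign` list returned by `self.session_db.get_assertion` (the `if to_sign:` guard at the top of this hunk). A docstring saying so would stop callers from assuming `sign=False` suppresses signing, e.g. `"""Return the stored assertion for *assertion_id*, signed when it was stored with a to_sign list; *sign* is currently not consulted."""`. The docstring of `create_name_id_mapping_response` starts in this hunk and continues outside it; it should likewise state that with the new `sign_response=None` default the `if sign_response:` guard in @@ -855 leaves the response unsigned unless the caller passes a true value.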
@@ -864,12 +913,20 @@ class Server(Entity): logger.info("Message: %s", _resp) return _resp - # XXX idp create - def create_authn_query_response(self, subject, session_index=None, - requested_context=None, in_response_to=None, - issuer=None, sign_response=False, - status=None, sign_alg=None, digest_alg=None, - **kwargs): + # XXX DONE idp create > _response + def create_authn_query_response( + self, + subject, + session_index=None, + requested_context=None, + in_response_to=None, + issuer=None, + sign_response=None, + status=None, + sign_alg=None, + digest_alg=None, + **kwargs, + ): """ A successful <Response> will contain one or more assertions containing authentication statements. 
@@ -878,33 +935,54 @@ class Server(Entity): """ margs = self.message_args() - asserts = [] - for statement in self.session_db.get_authn_statements( - subject.name_id, session_index, requested_context): - asserts.append(saml.Assertion(authn_statement=statement, - subject=subject, **margs)) + asserts = [ + saml.Assertion(authn_statement=statement, subject=subject, **margs) + for statement in self.session_db.get_authn_statements( + subject.name_id, session_index, requested_context + ) + ] if asserts: args = {"assertion": asserts} else: args = {} - return self._response(in_response_to, "", status, issuer, - sign_response, to_sign=[], sign_alg=sign_alg, - digest_alg=digest_alg, **args) + return self._response( + in_response_to, + "", + status, + issuer, + sign_response, + to_sign=[], + sign_alg=sign_alg, + digest_alg=digest_alg, + **args, + ) # --------- def parse_ecp_authn_request(self): pass - # XXX idp create - def create_ecp_authn_request_response(self, acs_url, identity, - in_response_to, destination, - sp_entity_id, name_id_policy=None, - userid=None, name_id=None, authn=None, - issuer=None, sign_response=False, - sign_assertion=False, **kwargs): + # XXX DONE idp create > create_authn_response > _authn_response > _response + def create_ecp_authn_request_response( + self, + acs_url, + identity, + in_response_to, + destination, + sp_entity_id, + name_id_policy=None, + userid=None, + name_id=None, + authn=None, + issuer=None, + sign_response=None, + sign_assertion=None, + sign_alg=None, + digest_alg=None, + **kwargs, + ): # ---------------------------------------- # <ecp:Response 
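Review bot: The rewritten `_response` call in `create_authn_query_response` still passes `to_sign=[]` next to the freshly built `asserts`, so none of those assertions is enrolled for signing whatever `sign_assertion` the configuration carries; only the outer response can be signed via `sign_response`. The commit re-indents the call without recording whether that is intended, and the `# XXX DONE idp create > _response` marker above the method suggests the signing paths were reviewed, so a comment at the call such as `# to_sign=[]: assertions in an AuthnQuery response are not individually signed here` would capture the decision. The new `sign_alg`/`digest_alg` parameters added to `create_ecp_authn_request_response` in the same hunk are undocumented — the method has no docstring, the `# <ecp:Response` comment block follows the signature directly — and its body continues past the hunk.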
@@ -918,17 +996,27 @@ class Server(Entity): # <samlp:Response # ---------------------------------------- - response = self.create_authn_response(identity, in_response_to, - destination, sp_entity_id, - name_id_policy, userid, name_id, - authn, issuer, - sign_response, sign_assertion) + response = self.create_authn_response( + identity, + in_response_to, + destination, + sp_entity_id, + name_id_policy, + userid, + name_id, + authn, + issuer, + sign_response, + sign_assertion, + sign_alg=sign_alg, + digest_alg=digest_alg + ) body = soapenv.Body() body.extension_elements = [element_to_extension_element(response)] soap_envelope = soapenv.Envelope(header=header, body=body) - return "%s" % soap_envelope + return str(soap_envelope) def close(self): self.ident.close() |
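Review bot: The rebuilt `create_authn_response(...)` call in `create_ecp_authn_request_response` ends with `digest_alg=digest_alg` and no trailing comma, unlike every other multi-line call this commit reformats (`_response`, `create_error_response`, `NameIDMappingResponse`), so the next formatter run will touch this line again; add the comma, `digest_alg=digest_alg,`. The call forwards `sign_response, sign_assertion` positionally after `issuer`, which relies on the parameter order of `create_authn_response` outside this hunk; naming them (`sign_response=sign_response, sign_assertion=sign_assertion`) would make the ECP path robust to the reordering this commit performs elsewhere. `return str(soap_envelope)` behaves the same as the old `"%s" % soap_envelope` for a single non-tuple object, so no behaviour change there.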