Diffstat (limited to 'src/saml2/server.py')
-rw-r--r--src/saml2/server.py292
1 files changed, 190 insertions, 102 deletions
diff --git a/src/saml2/server.py b/src/saml2/server.py
index 1d4b7543..04604b09 100644
--- a/src/saml2/server.py
+++ b/src/saml2/server.py
@@ -392,6 +392,7 @@ class Server(Entity):
**kwargs)
return assertion
+ # XXX > _response
def _authn_response(
self,
in_response_to,
@@ -403,8 +404,8 @@ class Server(Entity):
authn=None,
issuer=None,
policy=None,
- sign_assertion=False,
- sign_response=False,
+ sign_assertion=None,
+ sign_response=None,
best_effort=False,
encrypt_assertion=False,
encrypt_cert_advice=None,
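Review bot: Switching `sign_assertion`/`sign_response` to a `None` default introduces a third state that `_authn_response` never resolves: the `if sign_assertion:` check further down in this method treats `None` exactly like `False` (no `Signature` element is prepared and nothing is appended to `to_sign`), while the same `None` is then forwarded as `sign_assertion=sign_assertion` to `_response`, whose handling of `None` is not visible here. If the intent is "fall back to the IdP configuration", resolve both flags to a concrete bool once at the top of the method so the assertion-signing branch and `_response` cannot disagree on whether signing was requested. The tri-state should also be documented, e.g. `:param sign_assertion: True/False to force, None to use the configured default` (same for `sign_response`). The body of `_authn_response` continues outside this hunk.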
@@ -493,10 +494,9 @@ class Server(Entity):
to_sign = []
if not encrypt_assertion:
if sign_assertion:
- assertion.signature = pre_signature_part(assertion.id,
- self.sec.my_cert, 2,
- sign_alg=sign_alg,
- digest_alg=digest_alg)
+ assertion.signature = pre_signature_part(
+ assertion.id, self.sec.my_cert, 2, sign_alg=sign_alg, digest_alg=digest_alg
+ )
to_sign.append((class_name(assertion), assertion.id))
args["assertion"] = assertion
@@ -505,25 +505,47 @@ class Server(Entity):
self.session_db.store_assertion(assertion, to_sign)
return self._response(
- in_response_to, consumer_url, status, issuer, sign_response,
- to_sign, sp_entity_id=sp_entity_id,
+ in_response_to,
+ consumer_url,
+ status,
+ issuer,
+ sign_response,
+ to_sign,
+ sp_entity_id=sp_entity_id,
encrypt_assertion=encrypt_assertion,
encrypt_cert_advice=encrypt_cert_advice,
encrypt_cert_assertion=encrypt_cert_assertion,
encrypt_assertion_self_contained=encrypt_assertion_self_contained,
encrypted_advice_attributes=encrypted_advice_attributes,
sign_assertion=sign_assertion,
- pefim=pefim, sign_alg=sign_alg, digest_alg=digest_alg, **args)
+ pefim=pefim,
+ sign_alg=sign_alg,
+ digest_alg=digest_alg,
+ **args,
+ )
# ------------------------------------------------------------------------
- # XXX idp create
- def create_attribute_response(self, identity, in_response_to, destination,
- sp_entity_id, userid="", name_id=None,
- status=None, issuer=None,
- sign_assertion=False, sign_response=False,
- attributes=None, sign_alg=None,
- digest_alg=None, farg=None, **kwargs):
+ # XXX calls pre_signature_part without ensuring sign_alg/digest_alg
+ # XXX DONE idp create > _response
+ def create_attribute_response(
+ self,
+ identity,
+ in_response_to,
+ destination,
+ sp_entity_id,
+ userid="",
+ name_id=None,
+ status=None,
+ issuer=None,
+ sign_assertion=None,
+ sign_response=None,
+ attributes=None,
+ sign_alg=None,
+ digest_alg=None,
+ farg=None,
+ **kwargs,
+ ):
""" Create an attribute assertion response.
:param identity: A dictionary with attributes and values that are
@@ -573,10 +595,10 @@ class Server(Entity):
farg=farg['assertion'])
if sign_assertion:
- assertion.signature = pre_signature_part(assertion.id,
- self.sec.my_cert, 1,
- sign_alg=sign_alg,
- digest_alg=digest_alg)
+ # XXX calls pre_signature_part without ensuring sign_alg/digest_alg
+ assertion.signature = pre_signature_part(
+ assertion.id, self.sec.my_cert, 1, sign_alg=sign_alg, digest_alg=digest_alg
+ )
# Just the assertion or the response and the assertion ?
to_sign = [(class_name(assertion), assertion.id)]
kwargs['sign_assertion'] = True
@@ -690,7 +712,7 @@ class Server(Entity):
return args
- # XXX idp create
+ # XXX DONE idp create > _authn_response > _response
def create_authn_response(
self,
identity,
@@ -769,52 +791,67 @@ class Server(Entity):
try:
_authn = authn
- if (sign_assertion or sign_response) and \
- self.sec.cert_handler.generate_cert():
- with self.lock:
- self.sec.cert_handler.update_cert(True)
- return self._authn_response(
- in_response_to, destination, sp_entity_id, identity,
- authn=_authn, issuer=issuer, pefim=pefim,
- sign_alg=sign_alg, digest_alg=digest_alg,
- session_not_on_or_after=session_not_on_or_after, **args)
return self._authn_response(
- in_response_to, destination, sp_entity_id, identity,
- authn=_authn, issuer=issuer, pefim=pefim, sign_alg=sign_alg,
+ in_response_to,
+ destination,
+ sp_entity_id,
+ identity,
+ authn=_authn,
+ issuer=issuer,
+ pefim=pefim,
+ sign_alg=sign_alg,
digest_alg=digest_alg,
- session_not_on_or_after=session_not_on_or_after, **args)
-
+ session_not_on_or_after=session_not_on_or_after,
+ **args,
+ )
except MissingValue as exc:
- return self.create_error_response(in_response_to, destination,
- sp_entity_id, exc, name_id)
-
- # XXX idp create
- def create_authn_request_response(self, identity, in_response_to,
- destination, sp_entity_id,
- name_id_policy=None, userid=None,
- name_id=None, authn=None, authn_decl=None,
- issuer=None, sign_response=False,
- sign_assertion=False,
- session_not_on_or_after=None, **kwargs):
-
- return self.create_authn_response(identity, in_response_to, destination,
- sp_entity_id, name_id_policy, userid,
- name_id, authn, issuer,
- sign_response, sign_assertion,
- authn_decl=authn_decl,
- session_not_on_or_after=session_not_on_or_after)
-
- # XXX idp create
- def create_assertion_id_request_response(self, assertion_id, sign=False,
- sign_alg=None,
- digest_alg=None, **kwargs):
- """
+ return self.create_error_response(
+ in_response_to, destination, sp_entity_id, exc, name_id
+ )
- :param assertion_id:
- :param sign:
- :return:
- """
+ # XXX DONE idp create > create_authn_response > _authn_response > _response
+ def create_authn_request_response(
+ self,
+ identity,
+ in_response_to,
+ destination,
+ sp_entity_id,
+ name_id_policy=None,
+ userid=None,
+ name_id=None,
+ authn=None,
+ authn_decl=None,
+ issuer=None,
+ sign_response=None,
+ sign_assertion=None,
+ session_not_on_or_after=None,
+ sign_alg=None,
+ digest_alg=None,
+ **kwargs,
+ ):
+ return self.create_authn_response(
+ identity,
+ in_response_to,
+ destination,
+ sp_entity_id,
+ name_id_policy,
+ userid,
+ name_id,
+ authn,
+ issuer,
+ sign_response,
+ sign_assertion,
+ authn_decl=authn_decl,
+ session_not_on_or_after=session_not_on_or_after,
+ sign_alg=sign_alg,
+ digest_alg=digest_alg,
+ )
+ # XXX calls pre_signature_part without ensuring sign_alg/digest_alg
+ # XXX DONE idp create > [...]
+ def create_assertion_id_request_response(
+ self, assertion_id, sign=None, sign_alg=None, digest_alg=None, **kwargs
+ ):
try:
(assertion, to_sign) = self.session_db.get_assertion(assertion_id)
except KeyError:
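Review bot: The rewrite of `create_authn_response` drops the `self.sec.cert_handler.generate_cert()` branch that called `update_cert(True)` under `self.lock` before signing, and nothing in the new single `_authn_response` call re-creates it; if that cert-generation mode is still reachable from configuration, responses would now be signed with whatever certificate the handler last produced. If the branch is intentionally dead, a short comment at the call site (or in the commit message) should say so; otherwise keep the `update_cert` call ahead of `_authn_response`. Separately, `create_assertion_id_request_response` lost its docstring entirely and the new `create_authn_request_response` has none; at minimum restore one on the former along the lines of `"""Return the assertion stored under *assertion_id*, signing it when it was stored with a non-empty to_sign list."""`. Note that `create_authn_response` starts before this hunk and `create_assertion_id_request_response` continues after it.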
@@ -822,22 +859,33 @@ class Server(Entity):
if to_sign:
if assertion.signature is None:
- assertion.signature = pre_signature_part(assertion.id,
- self.sec.my_cert, 1,
- sign_alg=sign_alg,
- digest_alg=digest_alg)
-
+ # XXX calls pre_signature_part without ensuring sign_alg/digest_alg
+ assertion.signature = pre_signature_part(
+ assertion.id,
+ self.sec.my_cert,
+ 1,
+ sign_alg=sign_alg,
+ digest_alg=digest_alg,
+ )
return signed_instance_factory(assertion, self.sec, to_sign)
else:
return assertion
+ # XXX calls self.sign without ensuring sign
# XXX calls self.sign => should it call _message (which calls self.sign)?
- # XXX idp create
- def create_name_id_mapping_response(self, name_id=None, encrypted_id=None,
- in_response_to=None,
- issuer=None, sign_response=False,
- status=None, sign_alg=None,
- digest_alg=None, **kwargs):
+ # XXX idp create > NameIDMappingResponse & sign?
+ def create_name_id_mapping_response(
+ self,
+ name_id=None,
+ encrypted_id=None,
+ in_response_to=None,
+ issuer=None,
+ sign_response=None,
+ status=None,
+ sign_alg=None,
+ digest_alg=None,
+ **kwargs,
+ ):
"""
protocol for mapping a principal's name identifier into a
different name identifier for the same principal.
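Review bot: `create_assertion_id_request_response` accepts `sign=None` (its signature is in the previous hunk) but never reads it: whether the assertion is signed is decided solely by the `to_sign` list that `session_db.get_assertion` returns, so a caller passing `sign=False` still receives a freshly signed assertion and `sign=True` with an empty `to_sign` gets it back unsigned. Either honour the flag, e.g. `if to_sign and sign is not False:` with the None-means-configured semantics the other methods moved to, or drop the parameter and state in a docstring that signing follows the stored `to_sign`. The `XXX` note also admits `sign_alg`/`digest_alg` may reach `pre_signature_part` as `None`; which algorithm it then falls back to is not visible here, so resolving both against configuration before the call would make the signature algorithm an explicit choice rather than an implementation default.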
@@ -855,8 +903,9 @@ class Server(Entity):
ms_args = self.message_args()
- _resp = NameIDMappingResponse(name_id, encrypted_id,
- in_response_to=in_response_to, **ms_args)
+ _resp = NameIDMappingResponse(
+ name_id, encrypted_id, in_response_to=in_response_to, **ms_args
+ )
if sign_response:
return self.sign(_resp, sign_alg=sign_alg, digest_alg=digest_alg)
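Review bot: With `sign_response` now defaulting to `None`, the `if sign_response:` check leaves the NameIDMappingResponse unsigned unless the caller explicitly passes `True`, and because this method calls `self.sign` directly instead of going through `_response`, whatever configuration fallback the other `create_*` methods pick up there (the `XXX` comment above the signature already flags this) does not apply. Resolve the flag before the check, e.g. `if sign_response is None: sign_response = <configured IdP sign_response default>`, so this is not the one response type that silently ships unsigned by default; the right config accessor is not visible in this hunk. The `logger.info("Message: %s", _resp)` on the line after this hunk also writes the whole response, name identifier included, at info level, which is worth lowering to debug.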
@@ -864,12 +913,20 @@ class Server(Entity):
logger.info("Message: %s", _resp)
return _resp
- # XXX idp create
- def create_authn_query_response(self, subject, session_index=None,
- requested_context=None, in_response_to=None,
- issuer=None, sign_response=False,
- status=None, sign_alg=None, digest_alg=None,
- **kwargs):
+ # XXX DONE idp create > _response
+ def create_authn_query_response(
+ self,
+ subject,
+ session_index=None,
+ requested_context=None,
+ in_response_to=None,
+ issuer=None,
+ sign_response=None,
+ status=None,
+ sign_alg=None,
+ digest_alg=None,
+ **kwargs,
+ ):
"""
A successful <Response> will contain one or more assertions containing
authentication statements.
@@ -878,33 +935,54 @@ class Server(Entity):
"""
margs = self.message_args()
- asserts = []
- for statement in self.session_db.get_authn_statements(
- subject.name_id, session_index, requested_context):
- asserts.append(saml.Assertion(authn_statement=statement,
- subject=subject, **margs))
+ asserts = [
+ saml.Assertion(authn_statement=statement, subject=subject, **margs)
+ for statement in self.session_db.get_authn_statements(
+ subject.name_id, session_index, requested_context
+ )
+ ]
if asserts:
args = {"assertion": asserts}
else:
args = {}
- return self._response(in_response_to, "", status, issuer,
- sign_response, to_sign=[], sign_alg=sign_alg,
- digest_alg=digest_alg, **args)
+ return self._response(
+ in_response_to,
+ "",
+ status,
+ issuer,
+ sign_response,
+ to_sign=[],
+ sign_alg=sign_alg,
+ digest_alg=digest_alg,
+ **args,
+ )
# ---------
def parse_ecp_authn_request(self):
pass
- # XXX idp create
- def create_ecp_authn_request_response(self, acs_url, identity,
- in_response_to, destination,
- sp_entity_id, name_id_policy=None,
- userid=None, name_id=None, authn=None,
- issuer=None, sign_response=False,
- sign_assertion=False, **kwargs):
+ # XXX DONE idp create > create_authn_response > _authn_response > _response
+ def create_ecp_authn_request_response(
+ self,
+ acs_url,
+ identity,
+ in_response_to,
+ destination,
+ sp_entity_id,
+ name_id_policy=None,
+ userid=None,
+ name_id=None,
+ authn=None,
+ issuer=None,
+ sign_response=None,
+ sign_assertion=None,
+ sign_alg=None,
+ digest_alg=None,
+ **kwargs,
+ ):
# ----------------------------------------
# <ecp:Response
@@ -918,17 +996,27 @@ class Server(Entity):
# <samlp:Response
# ----------------------------------------
- response = self.create_authn_response(identity, in_response_to,
- destination, sp_entity_id,
- name_id_policy, userid, name_id,
- authn, issuer,
- sign_response, sign_assertion)
+ response = self.create_authn_response(
+ identity,
+ in_response_to,
+ destination,
+ sp_entity_id,
+ name_id_policy,
+ userid,
+ name_id,
+ authn,
+ issuer,
+ sign_response,
+ sign_assertion,
+ sign_alg=sign_alg,
+ digest_alg=digest_alg
+ )
body = soapenv.Body()
body.extension_elements = [element_to_extension_element(response)]
soap_envelope = soapenv.Envelope(header=header, body=body)
- return "%s" % soap_envelope
+ return str(soap_envelope)
def close(self):
self.ident.close()
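Review bot: The ECP wrapper still swallows `**kwargs` (declared at the end of its signature in the previous hunk): only `sign_alg`/`digest_alg` were added to the forwarded arguments, so a caller passing e.g. `session_not_on_or_after` or `authn_decl`, both of which the sibling `create_authn_request_response` does forward, has them silently dropped here. Forward `**kwargs` if `create_authn_response` accepts them (its signature is cut off above), or list the supported options explicitly, and add a docstring saying which options the ECP path honours. Also, the new call lacks the trailing comma after `digest_alg=digest_alg` that every other reformatted call in this commit uses.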