| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
| |
This is always done on use, ie, on client_base.py::create_authn_request
Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
|
|
|
|
| |
Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
|
|
|
|
| |
Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
|
|
|
|
| |
Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
|
|
|
|
| |
Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
|
| |
|
|
|
|
| |
Add requested_attributes param to create_authn_request
|
|
|
|
|
|
|
| |
The name of the id-attribute for signing, encrypting and decrypting an XML document is
well know for each of those operations. There is no need to define another.
Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
|
|\
| |
| | |
Fix xmlsec1 --id-attr option
|
|/
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
We need to know _the name of the attribute_ that represents the identifier of the node
that is being signed, or encrypted, or verified. We guess the name -by trying `ID`, `Id`
and `id`- and pass it to `xmlsec1` using the `--id-attr` command line option.
_Why is this needed?_ Shouldn't the attribute names be specified by the corresponding
specifications? Let's look into the specs to find out.
* saml-core:
* `StatusResponseType` uses `ID`
* `RequestAbstractType` uses `ID`
* `Assertion` uses `ID`
* xmldsig-core:
* `SignatureType` uses `Id`
* xmlenc-core:
* `EncryptedType` uses `Id`
So, the answer is _yes_ - the attribute names are defined and, instead of guessing, we
should be passing in the id-attribute names as defined by the specs.
_Note_: But, do we even need to do this? If the names are standardized, why do we bother
with this? In fact, the manual for `xmlsec1` explicitly says that
--id-attr[:<attr-name>] [<node-namespace-uri>:]<node-name>
adds attributes <attr-name> (default value "id") from all nodes
with<node-name> and namespace <node-namespace-uri> to the list of
known ID attributes; this is a hack and if you can use DTD or schema
to declare ID attributes instead (see "--dtd-file" option), I don't
know what else might be broken in your application when you use this
hack
However, it seems that `xmlsec1` by default will only look for an attribute with name
`id`. The right way to solve this is to pass in a DTD file. Then, `xmlsec1` will
understand that it needs to look up a different attribute name. Unfortunately, there are
no official DTDs (or even unofficial, to my knowledge) for SAML. The SAML specifications
instead provide XSD files. Even though `xmlsec1` mentions _schema_, there doesn't seem
to be a way to pass in an XSD file. So, we have to resort to this "hack".
When we sign a document, we need to point to the node that will be signed. The nodes
that we are signing are always SAML nodes (Assertion, StatusResponseType (Response,
etc), RequestAbstractType (AuthnRequest, etc)). All SAML nodes that will be signed use
`ID` as the attribute name. So, in order to sign and verify a signature, we need to pass
in `ID`.
When encrypting a document, we need to point to the node whose content will be
encrypted. Currently, we use XPath to point to that node, without the use of an id. But,
we could be using an identifier to locate the node, and if we did so, we would still be
using `ID`.
When decrypting a document, we need to point to the node that contains the encrypted
data. This is where things change. Since the SAML node itself is encrypted we cannot
point to an `ID` attribute, as we did in the other cases. Instead, it is specified that
a node named `EncryptedData` exists, that may have an `Id` attribute. This is where we
want to point to. So, we need to use `Id`.
Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
|
|\
| |
| | |
Fix pylint errors
|
| |
| |
| |
| | |
Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
|
| |
| |
| |
| | |
Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
|
| |
| |
| |
| | |
Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
|
| |
| |
| |
| | |
Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
|
| |
| |
| |
| | |
Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
|
| |
| |
| |
| | |
Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
|
| |
| |
| |
| | |
Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
|
| |
| |
| |
| | |
Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
```
************* Module saml2.saml
src/saml2/saml.py:168:15: E0602: Undefined variable 'unicode' (undefined-variable)
```
There is no compatibility to python2 anymore. We can safely remove any such checks that
tried to set the right types for the string object to catter for the differences in
types between py2 and py3.
Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
```
************* Module saml2.client
src/saml2/client.py:225:27: E1101: Instance of 'Saml2Client' has no 'logout_requests_signed' member (no-member)
```
The reference should be through the config member of the Saml2Client object.
Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
```
************* Module saml2.s_utils
src/saml2/s_utils.py:385:42: E0602: Undefined variable 'sha' (undefined-variable)
```
This is referenced on a branch of a backwards compatibility check for py25.
This branch will not be reached anymore and it is now removed.
Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
```
************* Module saml2.authn
src/saml2/authn.py:32:8: E0711: NotImplemented raised - should raise NotImplementedError (notimplemented-raised)
src/saml2/authn.py:32:8: E0702: Raising NotImplementedType while only classes or instances are allowed (raising-bad-type)
src/saml2/authn.py:35:8: E0711: NotImplemented raised - should raise NotImplementedError (notimplemented-raised)
src/saml2/authn.py:35:8: E0702: Raising NotImplementedType while only classes or instances are allowed (raising-bad-type)
src/saml2/authn.py:38:8: E0711: NotImplemented raised - should raise NotImplementedError (notimplemented-raised)
src/saml2/authn.py:38:8: E0702: Raising NotImplementedType while only classes or instances are allowed (raising-bad-type)
```
Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
|
|/
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
```
************* Module saml2.config
src/saml2/config.py:464:23: E1135: Value '_logconf' doesn't support membership test (unsupported-membership-test)
src/saml2/config.py:466:27: E1136: Value '_logconf' is unsubscriptable (unsubscriptable-object)
src/saml2/config.py:481:50: E1136: Value '_logconf' is unsubscriptable (unsubscriptable-object)
src/saml2/config.py:486:22: E1120: No value for argument 'filename' in constructor call (no-value-for-parameter)
src/saml2/config.py:488:23: E1135: Value '_logconf' doesn't support membership test (unsupported-membership-test)
src/saml2/config.py:489:42: E1136: Value '_logconf' is unsubscriptable (unsubscriptable-object)
src/saml2/config.py:505:43: E1136: Value '_logconf' is unsubscriptable (unsubscriptable-object)
src/saml2/config.py:552:19: E1136: Value 'self.virtual_organization' is unsubscriptable (unsubscriptable-object)
```
this seems right; the operations upon the Logger object do not make sense.
There is no need to "fix" this, we just remove the relevant code.
We should come back to this and refactor how the logger is configured for the library.
Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
|
|\
| |
| | |
Fix typo
|
|/ |
|
|\
| |
| | |
Fix typos and phrasing in docs
|
| | |
|
| | |
|
|/ |
|
|\
| |
| | |
Fix escape not in cgi in example for newer python versions
|
|/ |
|
|\
| |
| | |
Fix eidas attribute mapping for legal person
|
|/ |
|
|\
| |
| | |
Disco URL can already contain parameters
|
|/
|
|
| |
If it contains parameters we need to add return_url as another pamametr into URL.
|
|\
| |
| | |
Indicate python 3.8 as supported
|
|/ |
|
|
|
|
| |
Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
|
|\
| |
| | |
Document default value for 'want_response_signed'
|
|/
|
|
|
| |
Document the default value for 'want_response_signed' so users don't
have to dig through the code to fine it.
|
|
|
|
|
|
| |
decodestring has been removed from py39
Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
|
|
|
|
| |
Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
|
|
|
|
|
|
|
|
|
| |
Test for compile warning using:
find src/ -iname '*.py' | xargs -P 4 -I{} python -Wall -m py_compile {}
find tests/ -iname '*.py' | xargs -P 4 -I{} python -Wall -m py_compile {}
Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
|
|\
| |
| | |
Update test metadata expiration date
|
|/
|
|
| |
Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
|
|\
| |
| | |
Provide more information in case of AudienceRestrictions conditions not satisfied
|
| |\
|/ /
| | |
Update response.py
|
|/
|
| |
Providing more information in case of AudienceRestrictions conditions not satisfied
|
|\
| |
| | |
Use os.linesep to write pem files in a cross-platform way
|