Commit message [ref] (author, date, files changed, lines -removed/+added); merged branch commits are indented under their merge commit
* Better generalization for PEM certs [shibsp_enc] (peppelinux, 2020-12-14, 2 files, -15/+17)
* Tests Fixed (peppelinux, 2020-12-14, 2 files, -15/+21)
    a regexp generalization for wrapped and unwrapped PEM certs (BEGIN/END)
* Fixed test 42 (peppelinux, 2020-12-13, 1 file, -1/+1)
* Fixed: "WARN XMLTooling.Decrypter [7] [default]: XMLSecurity exception while decrypting key: XSECAlgorithmMapper::mapURIToHandler - URI http://www.w3.org/2001/04/xmlenc#rsa-1_5 disallowed by whitelist/blacklist policy" (peppelinux, 2020-12-13, 2 files, -6/+7)
* Fixed: "ERROR Shibboleth.SSO.SAML2 [6] [default]: failed to decrypt assertion: Unable to resolve any key decryption keys." (peppelinux, 2020-12-13, 2 files, -3/+11)
* Merge pull request #753 from johanlundberg/swamid_policy_update_eduperson_targeted_id_2 (Ivan Kanakarakis, 2020-12-12, 1 file, -1/+0)
    No eduPersonTargetedID for entity category refeds research-and-scholarship
  * No eduPersonTargetedID for entity category refeds research-and-scholarship (Johan Lundberg, 2020-12-11, 1 file, -1/+0)
* Merge pull request #751 from johanlundberg/swamid_policy_update_eduperson_targeted_id (Ivan Kanakarakis, 2020-12-10, 2 files, -4/+4)
    Update of SWAMID policy regarding eduPersonTargetedID when no entity category is used
  * Update of SWAMID policy regarding eduPersonTargetedID (Johan Lundberg, 2020-12-10, 2 files, -4/+4)
      According to SWAMID policy no attributes should be released when entity category is missing
* Release version 6.4.1 [v6.4.1] (Ivan Kanakarakis, 2020-12-08, 2 files, -1/+6)
    Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
* Add python runtime specifier requirement (Ivan Kanakarakis, 2020-12-08, 1 file, -0/+1)
    Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
* Update CHANGELOG.md (Scott Koranda, 2020-12-08, 1 file, -1/+1)
* Release version 6.4.0 [v6.4.0] (Ivan Kanakarakis, 2020-12-08, 2 files, -1/+11)
    Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
* Merge pull request #744 from peppelinux/sign_dig_algs (Ivan Kanakarakis, 2020-12-08, 12 files, -648/+1248)
  * Update documentation (Ivan Kanakarakis, 2020-12-08, 1 file, -2/+2)
      Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
  * Calculate entity configurations and then choose (Ivan Kanakarakis, 2020-12-08, 1 file, -7/+6)
      Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
  * Resolve sign_alg and digest_alg wherever pre_signature_part is called (Ivan Kanakarakis, 2020-12-08, 3 files, -28/+32)
      Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
  * Notes on _response (Ivan Kanakarakis, 2020-12-07, 1 file, -43/+90)
      Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
  * Formatting and restructure (Ivan Kanakarakis, 2020-12-07, 3 files, -18/+33)
      Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
  * Do not prepare assertion signature in create_attribute_response but in _response (Ivan Kanakarakis, 2020-12-07, 1 file, -15/+3)
      Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
  * Difference between sigver.signed_instance_factory and Entity.sign (Ivan Kanakarakis, 2020-12-07, 2 files, -1/+12)
      Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
  * Remove unneeded response_factory helper (Ivan Kanakarakis, 2020-12-07, 4 files, -37/+43)
      Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
  * WIP fix ensure callers (Ivan Kanakarakis, 2020-11-25, 2 files, -73/+156)
      Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
  * WIP callers (Ivan Kanakarakis, 2020-11-24, 2 files, -15/+30)
      Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
  * WIP, TODO cleanup, see description (Ivan Kanakarakis, 2020-11-24, 4 files, -365/+723)
      * client_base::Base is the base for an SP and manages SP_ARGS
      * server::Server is the base for an IdP and manages AA_IDP_ARGS
      * entity::Entity is the base of SP/IdPs and manages the COMMON_ARGS

      The signing_algorithm and digest_algorithm are COMMON_ARGS and should be set and managed by entity::Entity.
      On init they are set as properties of the Entity object. If no configuration has been given, the internal default is set (through DefaultSignature()).
      The set sign_alg and digest_alg must be checked against an allow/block-list.

      ---
      - Signing is done both by SPs (on requests) and IdPs (on responses).
      - Signing is done both for the Redirect-binding (apply_binding()) and the POST-binding (_message() > sign()).
      ---
      * All client_base::Base (SP) create_* methods end in Entity::_message()
      * Almost all server::Server (IdP) create_* methods end in Entity::_response()

      thus:
      - Entity::_message() must decide the value of "sign" and call Entity::sign()
      - Entity::_response() must decide the value of "sign" and call Entity::sign()
      - Entity::_status_response() must decide the value of "sign" and call Entity::sign()
      - Entity::sign() must decide the value of sign_alg and digest_alg and call sigver::pre_signature_part()
      ---
      All calls to Entity::_message() and Entity::_response() (or to their callers) must pass on sign, sign_alg and digest_alg.
      All calls to sigver::pre_signature_part() should happen through the same call-chain and should pass on specific sign_alg and digest_alg params.
      All relevant params should be set to None unless they have been set by the caller.
      ---
      client::do_logout should be refactored to use the same call-chain
      ---
      These types of checks (and self.lock blocks) should be removed (there are more for sign_assertion):
      ```
      if (sign and self.sec.cert_handler.generate_cert()) or client_crt is not None:
      ```
      ```
      if self.sec.cert_handler.generate_cert()
      ```
      ---
      Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
  * WIP works good - set on init use on create_ (Ivan Kanakarakis, 2020-11-24, 5 files, -51/+70)
      Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
  * Fix formatting (Ivan Kanakarakis, 2020-11-24, 3 files, -76/+93)
      Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
  * Configurable signing and digest alg (peppelinux, 2020-11-24, 5 files, -3/+41)
* Merge branch 'fix-signed-authnreq-w-redirect-binding' (Ivan Kanakarakis, 2020-11-23, 10 files, -250/+419)
  * Allow do_attribute_query to set a signature algorithm (Ivan Kanakarakis, 2020-11-23, 1 file, -0/+2)
      Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
  * Allow phase2 to specify signing algorithm; although unused atm (Ivan Kanakarakis, 2020-11-23, 1 file, -15/+27)
      Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
  * Fix formatting (Ivan Kanakarakis, 2020-11-23, 1 file, -27/+46)
      Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
  * Do not sign logout requests if not specified to do so (Ivan Kanakarakis, 2020-11-23, 1 file, -4/+0)
      Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
  * Check allowed signature and digest algo for the POST binding (Ivan Kanakarakis, 2020-11-23, 4 files, -8/+17)
      Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
  * Remove unneeded intermediate static methods (Ivan Kanakarakis, 2020-11-23, 2 files, -44/+3)
      Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
  * Create the signer along with the sigalg allowance check (Ivan Kanakarakis, 2020-11-23, 4 files, -48/+32)
      Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
  * Correctly sign an AuthnRequest with Redirect binding (Ivan Kanakarakis, 2020-11-23, 4 files, -14/+60)
      When an AuthnRequest is created with HTTP-Redirect binding, the XML document is not signed, but instead, a signature is calculated and becomes part of the query params of the Redirect-URL, through the Signature and SignAlg params.

      Previously, when the Redirect binding was requested and signing was enabled but no SignAlg params were defined, the Signature and SignAlg query params would be missing.

      Now, if no SignAlg is defined, the default is used and the request is correctly created with the proper query params.

      Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
  * Formatting (Ivan Kanakarakis, 2020-11-23, 6 files, -108/+207)
      Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
  * Test AuthnRequest default sign algo with redirect binding (Ivan Kanakarakis, 2020-11-23, 1 file, -12/+55)
      Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
* Merge pull request #748 from brunato/fix-identifier-tests (Ivan Kanakarakis, 2020-11-19, 3 files, -26/+38)
    Fix test_33_identifier.py to avoid reuse of old test data files
  * Fix test_33_identifier.py to avoid reuse of old test data files (Davide Brunato, 2020-11-16, 3 files, -26/+38)
      - If for any reason the dbm.dumb is used for saving subject.db data the following tests can fail because subject.db.dat and subject.db.dir are not removed. To avoid this, additional deletes of test data files are added to setup_class().
      - Add also tests/*.dir, tests/*.dat, tests/*.bak to .gitignore to prevent erroneous adding of test data to the repository
      - Use full_path() helper to create the test data files under tests/
      - Add py39 to tox.ini envlist
* Ignore duplicate RequestedAttribute entries when filtering attributes (Ivan Kanakarakis, 2020-11-13, 1 file, -1/+3)
    Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
* Release version 6.3.1 [v6.3.1] (Ivan Kanakarakis, 2020-11-11, 2 files, -1/+7)
    Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
* Merge pull request #746 from spaceone/apply-binding-status-code (Ivan Kanakarakis, 2020-11-10, 5 files, -15/+22)
    Include status-code in http_info struct

    Note that we still need to switch between 302 and 303 depending on the HTTP protocol version (1.1 or newer)
  * Amend test case adjustments (Ivan Kanakarakis, 2020-11-10, 2 files, -8/+5)
      Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
  * Issue #242: adjust test cases (Florian Best, 2020-11-10, 3 files, -4/+11)
  * Fix #242: make sure status code is always returned in http_info dict (Florian Best, 2020-11-10, 2 files, -6/+9)
* Revert "Fix travis warning" (Ivan Kanakarakis, 2020-11-04, 1 file, -1/+1)
    There seems to be a problem with Travis and the handling of 'skip_cleanup' and 'cleanup'.

    > Preparing deploy
    >
    > Cleaning up git repository with `git stash --all`. If you need build artifacts for
    > deployment, set `deploy.skip_cleanup: true`. See
    > https://docs.travis-ci.com/user/deployment#Uploading-Files-and-skip_cleanup.
    >
    > Saved working directory and index state WIP on (no branch): ...

    This reverts commit 239c7a93d649a9dea171102406014a7d5113cf95.
* Merge pull request #742 from johanlundberg/bugfix_registration_policy_none (Ivan Kanakarakis, 2020-11-04, 2 files, -14/+31)
    Handle registration_policy None
  * Restructure the registration_info method (Ivan Kanakarakis, 2020-11-04, 1 file, -14/+21)
      Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>