| Commit message | Author | Age | Files | Lines |
Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
Following d257d3054f36b4f3dfaba8b7394a2e8bab0aaf2e the ForceAuthn attribute is
an xsd:boolean value which can be any of "false", "true", "0" or "1". We must
set force_authn when the value is "true" or "1".
We set the value into kwargs, which is then mirrored onto _args, which is
merged with args, which is finally given to the saml2.samlp.AuthnRequest class
to construct the object.
Previously, we set the value into args directly, which would be overwritten by
the call to _filter_args.
Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
No need to generate an exception and stack trace.
Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
Allow NameQualifier and SPNameQualifier attributes to be set for ePTID
Use "text" instead of "value" as the key that denotes the text-value of the
NameID node.
Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
The attribute value for eduPersonTargetedID (ePTID) is a NameID
element. The SAML specification allows the NameID element to include
the two optional attributes 'NameQualifier' and 'SPNameQualifier'. This
patch enables specifying a dictionary as the internal or local attribute
value instead of a string. When the local attribute value is a
dictionary with keys 'value', 'NameQualifier', and 'SPNameQualifier'
then the resulting XML NameID element will include the 'NameQualifier'
and 'SPNameQualifier' attributes with values taken from the values
of the dictionary. The value for the NameID element is taken from the
value associated with the 'value' key.
Add py37 as a test target
Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
Fix parsing of assertions with Holder-of-Key profile
Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
Instead of explicitly declaring `KeyInfo` as child of `SubjectConfirmationData`, use `extension_elements` to extract `KeyInfo` element(s).
Problem:
Holder-of-Key assertions are used to achieve higher levels of federation security, compared to bearer assertions, by having the Relying Party challenge the subscriber to prove possession of the key specified in the assertion that represents the subscriber, in addition to verifying the assertion itself, which is signed by the Identity Provider. More information about it can be found in https://pages.nist.gov/800-63-3/sp800-63c.html
This library fails to parse SAML responses containing assertions with the Holder-of-Key profile, for example:
```
<ns1:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:holder-of-key">
<ns1:SubjectConfirmationData InResponseTo="id-KHlas49TtW2VdC8WN" NotOnOrAfter="2019-05-14T20:36:13Z" Recipient="https://sp:443/.auth/saml/login">
<ns2:KeyInfo>
<ns2:X509Data>
<ns2:X509Certificate>MIICITCCAYoCAQEwDQYJKoZIhvcNAQELBQAwWDELMAkGA1UEBhMCenoxCzAJBgNVBAgMAnp6MQ0wCwYDVQQHDAR6enp6MQ4wDAYDVQQKDAVaenp6ejEOMAwGA1UECwwFWnp6enoxDTALBgNVBAMMBHRlc3QwIBcNMTkwNDEyMTk1MDM0WhgPMzAxODA4MTMxOTUwMzRaMFgxCzAJBgNVBAYTAnp6MQswCQYDVQQIDAJ6ejENMAsGA1UEBwwEenp6ejEOMAwGA1UECgwFWnp6enoxDjAMBgNVBAsMBVp6enp6MQ0wCwYDVQQDDAR0ZXN0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDHcj80WU/XBsd9FlyQmfjPUdfmedhCFDd6TEQmZNNqP/UG+VkGa+BXjRIHMfic/WxPTbGhCjv68ci0UDNomUXagFexLGNpkwa7+CRVtoc/1xgq+ySE6M4nhcCutScoxNvWNn5eSQ66i3U0sTv91MgsXxqEdTaiZg0BIufEc3dueQIDAQABMA0GCSqGSIb3DQEBCwUAA4GBAGUV5B+USHvaRa8kgCNJSuNpo6ARlv0ekrk8bbdNRBiEUdCMyoGJFfuM9K0zybX6Vr25wai3nvaog294Vx/jWjX2g5SDbjItH6VGy6C9GCGf1A07VxFRCfJn5tA9HuJjPKiE+g/BmrV5N4CealzFxPHWYkNOzoRU8qI7OqUai1kL</ns2:X509Certificate>
</ns2:X509Data>
</ns2:KeyInfo>
</ns1:SubjectConfirmationData>
</ns1:SubjectConfirmation>
```
fails to be parsed with the following error:
```
ERROR saml2.response:response.py:836 get subject
Traceback (most recent call last):
File "/home/abublich/repos/abliqo-pysaml2/venv/local/lib/python2.7/site-packages/pysaml2-4.7.0-py2.7.egg/saml2/response.py", line 828, in _assertion
self.get_subject()
File "/home/abublich/repos/abliqo-pysaml2/venv/local/lib/python2.7/site-packages/pysaml2-4.7.0-py2.7.egg/saml2/response.py", line 753, in get_subject
if not self._holder_of_key_confirmed(_data):
File "/home/abublich/repos/abliqo-pysaml2/venv/local/lib/python2.7/site-packages/pysaml2-4.7.0-py2.7.egg/saml2/response.py", line 730, in _holder_of_key_confirmed
[samlp, saml, xenc, ds]):
File "/home/abublich/repos/abliqo-pysaml2/venv/local/lib/python2.7/site-packages/pysaml2-4.7.0-py2.7.egg/saml2/__init__.py", line 1004, in extension_elements_to_elements
for extension_element in extension_elements:
TypeError: 'SubjectConfirmationData' object is not iterable
```
The root cause is two-fold:
1. The type SubjectConfirmationDataType_ does not declare KeyInfo as child element.
2. The bug in function _holder_of_key_confirmed: it should check KeyInfo child element of SubjectConfirmationData instead of SubjectConfirmationData itself.
Solution:
Fixed the root cause and added new unit tests that verify successful parsing of Holder-of-Key assertions.
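The check the fix describes, as an added stand-alone illustration that is not pysaml2's code: it locates `KeyInfo` among the children of `SubjectConfirmationData` (rather than treating `SubjectConfirmationData` itself as the iterable) with the standard library and compares the bound certificate against the one the client presented. The sample XML, the `FAKE_DER` certificate body and the `Recipient` URL are constructed for the example.

```python
import base64
import xml.etree.ElementTree as ET
from typing import List

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"
HOK = "urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"

# Constructed sample modelled on the SubjectConfirmation quoted above.
# The certificate body is a placeholder byte string, not a real certificate.
FAKE_DER = b"constructed-cert-der"
SAMPLE = f"""
<saml:SubjectConfirmation xmlns:saml="{SAML}" xmlns:ds="{DS}" Method="{HOK}">
  <saml:SubjectConfirmationData InResponseTo="id-1" Recipient="https://sp.example/acs">
    <ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>
        {base64.b64encode(FAKE_DER).decode()}
      </ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo>
  </saml:SubjectConfirmationData>
</saml:SubjectConfirmation>
"""


def bound_certificates(xml_text: str) -> List[bytes]:
    """Return the DER certificates a holder-of-key confirmation binds.

    Bearer (or any non-HoK) confirmations yield [] so they never look as
    if they carried a proof-of-possession key.
    """
    confirmation = ET.fromstring(xml_text)
    if confirmation.get("Method") != HOK:
        return []
    data = confirmation.find(f"{{{SAML}}}SubjectConfirmationData")
    if data is None:
        return []
    certs = []
    # Iterate the KeyInfo children of SubjectConfirmationData, which is the
    # element that actually carries them, instead of iterating the
    # SubjectConfirmationData object itself (the TypeError in the traceback).
    for key_info in data.findall(f"{{{DS}}}KeyInfo"):
        for cert in key_info.iter(f"{{{DS}}}X509Certificate"):
            b64 = "".join((cert.text or "").split())  # drop line breaks/indent
            certs.append(base64.b64decode(b64))
    return certs


def holder_of_key_confirmed(xml_text: str, presented_der: bytes) -> bool:
    """True if the key the client proved possession of (e.g. the DER of its
    TLS client certificate) is among the certificates bound to the assertion."""
    return presented_der in bound_certificates(xml_text)
```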
Explicit request of cherrypy version for the example application
Unless you are always pulling from https://pypi.org/simple, it is possible
that you might get an older version of `cherrypy`.
Make sure we request a "relatively recent" version.
`pip install 'CherryPy>14.0.2,<15'` gave `CherryPy-14.2.0`, which works.
Allow values of None in the collected information.
Filter out those fields later.
Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
Fix typos: tupel and test_ouput
Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
Use html.escape when available
Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
Make tests pass after 2024
Background:
As part of my work on reproducible builds for openSUSE, I check that software still gives identical build results in the future.
The usual offset is +15 years, because that is how long I expect some software will be used in some places.
This showed up failing tests in our package build.
See https://reproducible-builds.org/ for why this matters.
This patch made tests pass in 2037.
Make entity category imports more flexible
Added tests for the new entity category import functionality that
searches for entity category modules on the general import path
before searching in saml2.entity_category.<module>.
This enhancement causes an entity category import to first be tried from
the general module search path, and if that fails then to fall back to
the current default of importing saml2.entity_category.<module>. This
allows deployers to overlay their own customized versions of entity
category modules like edugain.py that contain CoCo. This is helpful
since the list of attributes to be included as part of the entity
category may not be globally the same for all deployments. Such is the
case with CoCo where the list of attributes changes from federation to
federation and deployment to deployment.
Add installation instruction to README
Add timestamps for ident mongodb documents
Check for an existing local-persistent NameID when retrieving it
Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
AllowCreate is not supposed to be present for transient Name IDs.
Implement MongoDB version of function to look for an existing persistent
NameId for a user.
http://docs.oasis-open.org/security/saml/v2.0/errata05/os/saml-v2.0-errata05-os.html#__RefHeading__8058_1983180497:
"The use of the AllowCreate attribute MUST NOT be used and SHOULD be
ignored in conjunction with requests for or assertions issued with name
identifiers with a Format of
urn:oasis:names:tc:SAML:2.0:nameid-format:transient (they preclude any
such state in and of themselves)."
Typo in comment
Add SAML subject identifier attributes to saml2_uri attributemap
install.rst: complete pytest invocation