Commit message | Author | Age | Files | Lines
* Release version 4.7.0 (tag: v4.7.0) | Ivan Kanakarakis | 2019-04-02 | 2 files | -1/+14
  Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
* Introduce middleware to convert data to bytes | Ivan Kanakarakis | 2019-04-01 | 1 file | -8/+23
  Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
* Handle eduPersonTargetedID as a single value on examples | Ivan Kanakarakis | 2019-03-18 | 1 file | -2/+2
  Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
* Fix metadata endpoint on sp-wsgi example | Ivan Kanakarakis | 2019-03-18 | 1 file | -1/+1
  Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
* Keep old behaviour until decryption is properly understood | Ivan Kanakarakis | 2019-03-12 | 1 file | -2/+19
  Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
* Align parse_assertion with the new decryption code | Ivan Kanakarakis | 2019-02-05 | 1 file | -36/+39
  Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
* Fix python2 compatibility for metadata creation | Ivan Kanakarakis | 2019-02-04 | 1 file | -4/+5
  Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
* Fix examples python3 compatibility | Ivan Kanakarakis | 2019-02-04 | 1 file | -1/+3
  Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
* Merge pull request #581 from bmwiedemann/test2020 | Ivan Kanakarakis | 2019-02-02 | 4 files | -4/+4
  Allow tests to pass after 2020
  * Allow tests to pass after 2020 | Bernhard M. Wiedemann | 2019-01-07 | 4 files | -4/+4
    This helps to verify reproducible builds. See https://reproducible-builds.org/ for why this matters.
* Merge pull request #585 from johanlundberg/fix_xmlsec_sign_statement | Ivan Kanakarakis | 2019-01-25 | 1 file | -1/+4
  Python 3 problem with lxml.etree.tostring
  * Convert sign_statement result to native string | Johan Lundberg | 2019-01-25 | 1 file | -1/+4
    Using lxml.etree.tostring without encoding in python3 results in an unparsable xml document. To fix this, we always set the encoding to UTF-8 and omit the xml declaration. We then convert the result to the native string type before returning it.

    ---

    Our preferred encoding (in general) is `utf-8`. `lxml` defaults to `ASCII`, or expects us to provide an encoding. Provided an encoding, `lxml` serializes the tree-representation of the xml document by encoding it with that encoding. If it is directed to include an xml declaration, it embeds that encoding in the xml declaration as the `encoding` property (i.e., `<?xml version='1.0' encoding='iso-8859-7'?>`).

    `lxml` allows for some _special_ values as an encoding.
    - In python2 those are: `"unicode"` and `unicode`.
    - In python3 those are: `"unicode"` and `str`.

    By specifying those values, the result will be _decoded_ from bytes to unicode ("unicode" is not an actual encoding; the actual encoding will be utf-8). The encoding is already the _type_ of the result. This is why you are not allowed to have an xml declaration for those cases. The result is not bytes that have to be read by some encoding rules, but decoded data whose type dictates how they are managed.

    With the latest changes, what we do is:
    1. we always encode the result as UTF-8
    2. we do not include an xml declaration (because of _(3)_)
    3. we convert to the native string type (that is `bytes`/`str` for Python2, and `str` for Python3 (the equivalent of `unicode` in Python2))

    The consumer of the result should expect to treat the result as utf8-encoded bytes in Python2, and utf8-decoded string in Python3.

    Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
* Fix docstring for the return type of create_authn_request | Ivan Kanakarakis | 2019-01-14 | 1 file | -1/+2
  Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
* Merge pull request #583 from c00kiemon5ter/fix-check-xmlsec-returncode | Ivan Kanakarakis | 2019-01-14 | 4 files | -219/+210
  Check the xmlsec returncode
  * Refactor CryptoBackendXmlSec1::sign_statement | Ivan Kanakarakis | 2019-01-14 | 1 file | -13/+10
    Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
  * Convert exception expectation to with-raises idiom | Ivan Kanakarakis | 2019-01-14 | 2 files | -60/+33
    Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
  * Reformat code for test_40_sigver | Ivan Kanakarakis | 2019-01-14 | 1 file | -49/+74
    Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
  * Refactor SecurityContext::decrypt to report failures | Ivan Kanakarakis | 2019-01-14 | 1 file | -46/+43
    Previously there was no reliable way to know whether decryption failed. Now, when decryption fails a DecryptError exception is raised containing the keys that were tried to decrypt the given ciphertext. The same refactoring is done to SecurityContext::decrypt_keys.

    Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
  * Reformat code related to PYSAML2_KEEP_XMLSEC_TMP | Ivan Kanakarakis | 2019-01-14 | 1 file | -18/+23
    Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
  * Raise XmlsecError if xmlsec1 returns an error | Ivan Kanakarakis | 2019-01-14 | 2 files | -28/+49
    When xmlsec1 fails, it returns a non-zero returncode. The returncode was checked only for values less than zero, and not greater than zero. This results in situations where xmlsec1 fails to run a command, but the execution continues as if nothing failed.

    This happens to be ok, because the result we depend upon is coupled to xmlsec1's output stream. When xmlsec1 fails, the output stream is empty and the error stream will have information relevant to the failure cause.

    Now, the check expects a returncode with value zero, otherwise an XmlsecError exception is raised, to be handled by the caller up the stack.

    This could have been a major security issue, but we stood lucky. Special thanks to @pjsg for bringing this to our attention.

    Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
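The return-code bug described in this commit, as an added illustration that is not pysaml2's own code: a minimal external-tool runner with the old `< 0` check beside the fixed `!= 0` check. It is exercised against a constructed stand-in command (a Python one-liner that prints nothing on stdout and exits 1, the way a failing xmlsec1 would), so it runs without xmlsec1 installed.

```python
import subprocess
import sys


class XmlsecError(Exception):
    """Raised when the external tool exits with a non-zero status."""


def run_buggy(cmd):
    """Old behaviour: only a negative returncode (killed by a signal) counts
    as failure, so a tool exiting 1 or 2 is treated as success and its
    empty stdout is handed back to the caller as if it were a result."""
    proc = subprocess.run(cmd, capture_output=True)
    if proc.returncode < 0:
        raise XmlsecError("killed by signal %d" % -proc.returncode)
    return proc.stdout


def run_checked(cmd):
    """Fixed behaviour: any returncode other than 0 raises XmlsecError,
    carrying stderr so the caller up the stack can see the failure cause."""
    proc = subprocess.run(cmd, capture_output=True)
    if proc.returncode != 0:
        err = proc.stderr.decode("utf-8", errors="replace").strip()
        raise XmlsecError("%r exited with %d: %s" % (cmd[0], proc.returncode, err))
    return proc.stdout


# Constructed stand-ins for xmlsec1 (hypothetical, for this example only).
FAILING_TOOL = [sys.executable, "-c",
                "import sys; sys.stderr.write('verification failed'); sys.exit(1)"]
SUCCEEDING_TOOL = [sys.executable, "-c", "import sys; sys.stdout.write('OK')"]


def demo():
    """Run the failing tool both ways; return (buggy_result, checked_raised)."""
    buggy = run_buggy(FAILING_TOOL)  # b'': the failure goes unnoticed
    try:
        run_checked(FAILING_TOOL)
        raised = False
    except XmlsecError:
        raised = True
    return buggy, raised


if __name__ == "__main__":
    print(demo())
```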
  * Remove validate_output parameter from _run_xmlsec | Ivan Kanakarakis | 2019-01-11 | 2 files | -23/+6
    All callers set it to false, but one which calls the validation method itself after the call to _run_xmlsec (which means that validation is done twice).

    Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
  * Remove configurable exception type | Ivan Kanakarakis | 2019-01-10 | 2 files | -22/+12
    _run_xmlsec function allowed to pass the kind of exception that would be raised in case of error. This parameter was ignored. As such, it is not needed and is removed completely.

    Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
* Do not hardcode the warning filter | Ivan Kanakarakis | 2019-01-07 | 3 files | -8/+2
  The application should control whether warnings should be visible or not. By hardcoding the simplefilter we turn on warnings' visibility for all modules that follow. Removing this allows the application code to decide if warnings should be shown.

  To enable warnings through the command line pass -Wd to the python interpreter. Quoting the python warnings module documentation[0]:

  > You can do this from the command-line by passing -Wd to the interpreter (this is shorthand for -W default). This enables default handling for all warnings, including those that are ignored by default. To change what action is taken for encountered warnings you simply change what argument is passed to -W, e.g. -W error. See the -W flag for more details on what is possible.

  [0]: https://docs.python.org/2/library/warnings.html#updating-code-for-new-versions-of-python

  Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
* Merge pull request #483 from skoranda/mdq_check_signature | Ivan Kanakarakis | 2018-12-11 | 2 files | -18/+62
  Enable signature verification for MDQ
  * Reformat paragraph to respect text width limits | Ivan Kanakarakis | 2018-12-11 | 1 file | -4/+5
    Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
  * Fix typo in documentation | Ivan Kanakarakis | 2018-12-11 | 1 file | -1/+1
    Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
  * Reformat documented code example | Ivan Kanakarakis | 2018-12-11 | 1 file | -8/+11
    Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
  * Remove whitespace | Ivan Kanakarakis | 2018-12-11 | 2 files | -5/+5
    Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
  * Fix typo and remove redundant argument | Scott Koranda | 2018-12-05 | 1 file | -2/+2
  * Enable signature verification for MDQ | Scott Koranda | 2018-12-05 | 2 files | -13/+53
    Add functionality to allow configuration of signature verification for metadata obtained using the MDQ protocol. Support is limited to checking the signature of a response containing a single entity and not multiple entities.
* Remove the python-future module and use six | Ivan Kanakarakis | 2018-12-06 | 7 files | -41/+32
  Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
* Use cgi instead of html module | Ivan Kanakarakis | 2018-12-06 | 1 file | -4/+4
  The html module is only available for python3. The cgi module provides almost identical functionality and is present for both python2 and python3.

  Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
* Merge pull request #577 from johanlundberg/non_standard_status_code | Ivan Kanakarakis | 2018-12-06 | 2 files | -21/+55
  Handle non standard response error status codes
  * Rework status_ok structure | Ivan Kanakarakis | 2018-12-06 | 1 file | -20/+23
    Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
  * Handle non standard response error status codes | Johan Lundberg | 2018-12-05 | 2 files | -3/+34
* Release version 4.6.5 (tag: v4.6.5) | Ivan Kanakarakis | 2018-12-04 | 2 files | -1/+10
  Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
* Merge pull request #574 from rectalogic/error-status | Ivan Kanakarakis | 2018-12-04 | 2 files | -3/+32
  Raise status exception when parsing an error status response
  * Do not swallow response verification exceptions. | Andrew Wason | 2018-11-28 | 1 file | -2/+0
    Fixes IdentityPython/pysaml2#571
  * Add a test that client raises the proper exception when parsing an error status response. | Andrew Wason | 2018-11-28 | 1 file | -1/+32
    This test passes in v4.6.3 but is failing in v4.6.4 due to IdentityPython/pysaml2#571
* Merge pull request #573 from skanct/ck_add_entity_category_support_attribute | Ivan Kanakarakis | 2018-11-28 | 2 files | -0/+11
  Add metadata attribute for entity_category_support
  * Adds metadata attribute for entity_category_support | Christos Kanellopoulos | 2018-11-28 | 2 files | -0/+11
* Group assurance-certification and entity-category | Ivan Kanakarakis | 2018-11-27 | 1 file | -7/+19
  Assurance-certification and entity-category should be under the same EntityAttributes elements.

  Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
* Add assurance_certification configuration option | Ivan Kanakarakis | 2018-11-26 | 3 files | -5/+36
  Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
* Use SamlBase::loadd to do_contact_person_info | Ivan Kanakarakis | 2018-11-26 | 2 files | -45/+14
  metadata.do_contact_person_info does not need to reimplement loading of the data given, as this is already implemented and more complete through SamlBase::loadd

  Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
* Release version 4.6.4 (tag: v4.6.4) | Ivan Kanakarakis | 2018-11-22 | 2 files | -1/+21
  Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
* Use short form for markdown headers | Ivan Kanakarakis | 2018-11-22 | 1 file | -14/+9
  Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
* Change changelog format to markdown | Ivan Kanakarakis | 2018-11-22 | 2 files | -1/+1
  Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
* Pull out sigalg and look it up once | Ivan Kanakarakis | 2018-11-21 | 1 file | -2/+3
  Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
* Lookup signer only if signing is requested | Ivan Kanakarakis | 2018-11-21 | 1 file | -1/+1
  Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
* Pass sign information when calling apply_binding | Ivan Kanakarakis | 2018-11-21 | 3 files | -7/+11
  Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>