| Commit message | Author | Age | Files | Lines |

Allow values of None in the collected information.
Filter out those fields later.
Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>

Fix typos: tupel and test_ouput

Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>

Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>

Use html.escape when available

Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>

Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>

Make tests pass after 2024

Background:
As part of my work on reproducible builds for openSUSE, I check that software still gives identical build results in the future.
The usual offset is +15 years, because that is how long I expect some software will be used in some places.
This showed up failing tests in our package build.
See https://reproducible-builds.org/ for why this matters.
This patch made tests pass in 2037.

Make entity category imports more flexible

Added tests for the new entity category import functionality that
searches for entity category modules on the general import path
before searching in saml2.entity_category.<module>.

This enhancement causes an entity category import to first be tried from
the general module search path, and if that fails then to fall back to
the current default of importing saml2.entity_category.<module>. This
allows deployers to overlay their own customized versions of entity
category modules like edugain.py that contain CoCo. This is helpful
since the list of attributes to be included as part of the entity
category may not be globally the same for all deployments. Such is the
case with CoCo where the list of attributes changes from federation to
federation and deployment to deployment.

Add installation instruction to README

Add timestamps for ident mongodb documents

Check for an existing local-persistent NameID when retrieving it

Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>

AllowCreate is not supposed to be present for transient Name IDs.

Implement MongoDB version of function to look for an existing persistent
NameId for a user.

http://docs.oasis-open.org/security/saml/v2.0/errata05/os/saml-v2.0-errata05-os.html#__RefHeading__8058_1983180497:
"The use of the AllowCreate attribute MUST NOT be used and SHOULD be
ignored in conjunction with requests for or assertions issued with name
identifiers with a Format of
urn:oasis:names:tc:SAML:2.0:nameid-format:transient (they preclude any
such state in and of themselves)."

Typo in comment

Add SAML subject identifier attributes to saml2_uri attributemap

install.rst: complete pytest invocation

Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>

Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>

Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>

Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>

Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>

Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>

Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>

Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>

Allow tests to pass after 2020

This helps to verify reproducible builds.
See https://reproducible-builds.org/ for why this matters.

Python 3 problem with lxml.etree.tostring

Using lxml.etree.tostring without encoding in python3 results in an unparsable
xml document. To fix this, we always set the encoding to UTF-8 and omit the xml
declaration. We then convert the result to the native string type before
returning it.
---
Our preferred encoding (in general) is `utf-8`. `lxml` defaults to `ASCII`, or
expects us to provide an encoding. Provided an encoding, `lxml` serializes the
tree-representation of the xml document by encoding it with that encoding. If
it is directed to include an xml declaration, it embeds that encoding in the
xml declaration as the `encoding` property
(ie, `<?xml version='1.0' encoding='iso-8859-7'?>`).
`lxml` allows for some _special_ values as an encoding.
- In python2 those are: `"unicode"` and `unicode`.
- In python3 those are: `"unicode"` and `str`.
By specifying those values, the result will be _decoded_ from bytes to unicode
("unicode" is not an actual encoding; the actual encoding will be utf-8). The
encoding is already the _type_ of the result. This is why you are not allowed
to have an xml declaration for those cases. The result is not bytes that have
to be read by some encoding rules, but decoded data whose type dictates
how they are managed.
With the latest changes, what we do is:
1. we always encode the result as UTF-8
2. we do not include an xml declaration (because of _(3)_)
3. we convert to the native string type (that is `bytes`/`str` for Python2, and
`str` for Python3 (the equivalent of `unicode` in Python2))
The consumer of the result should expect to treat the result as utf8-encoded
bytes in Python2, and utf8-decoded string in Python3.
Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>

Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>

Check the xmlsec returncode

Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>

Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>

Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>

Previously there was no reliable way to know whether decryption failed. Now,
when decryption fails a DecryptError exception is raised containing the keys
that were tried when decrypting the given ciphertext.
The same refactoring is done to SecurityContext::decrypt_keys.
Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>

Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>

When xmlsec1 fails, it returns a non-zero returncode. The returncode was
checked only for values less than zero, and not greater than zero. This results
in situations where xmlsec1 fails to run a command, but the execution
continues as if nothing failed. This happens to be ok because the result we
depend upon is coupled to xmlsec1's output stream. When xmlsec1 fails, the
output stream is empty and the error stream will have information relevant to
the failure cause.
Now, the check expects a returncode with value zero, otherwise an XmlsecError
exception is raised, to be handled by the caller up the stack.
This could have been a major security issue, but we stood lucky.
Special thanks to @pjsg for bringing this to our attention.
Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
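The two commits "Check the xmlsec returncode" and the message just above describe a return-code check that only caught values below zero, so a tool exiting with status 1 was treated as a success and its empty output stream was passed on. The following is an added example, not pysaml2's own code: it contrasts that lenient check with the corrected one on a child process that stands in for xmlsec1. The child is the current Python interpreter (so the example runs without xmlsec1 installed), the `XmlsecError` class name is the one the commit mentions, and the helper names and messages are assumptions.

```python
"""Added example (not pysaml2's code): fail on any non-zero exit status
from an external command, rather than only on negative ones.
"""
import subprocess
import sys


class XmlsecError(Exception):
    """Raised when the external command exits with a non-zero status."""


def _run(exit_code, stdout_text):
    """Constructed stand-in for an xmlsec1 invocation.

    The child prints ``stdout_text`` on success; on failure it writes a
    diagnostic to stderr, prints nothing on stdout and exits with
    ``exit_code``, which mirrors how xmlsec1 behaves on error.
    """
    script = (
        "import sys\n"
        "if %d == 0:\n"
        "    sys.stdout.write(%r)\n"
        "else:\n"
        "    sys.stderr.write('xmlsec1: operation failed\\n')\n"
        "sys.exit(%d)\n"
    ) % (exit_code, stdout_text, exit_code)
    return subprocess.run(
        [sys.executable, "-c", script], capture_output=True, text=True
    )


def run_lenient(exit_code, stdout_text="<Signature/>"):
    """Pre-fix behaviour: only negative return codes (the child killed by
    a signal) count as failure, so ``exit 1`` slips through and the caller
    silently receives an empty string."""
    proc = _run(exit_code, stdout_text)
    if proc.returncode < 0:
        raise XmlsecError(proc.stderr)
    return proc.stdout


def run_strict(exit_code, stdout_text="<Signature/>"):
    """Fixed behaviour: anything other than 0 is a failure, and the error
    stream is attached to the exception for the caller up the stack."""
    proc = _run(exit_code, stdout_text)
    if proc.returncode != 0:
        raise XmlsecError(
            "command exited with status %d: %s"
            % (proc.returncode, proc.stderr.strip())
        )
    return proc.stdout


def check_strict(exit_code):
    """Return the XmlsecError message for a failing exit code, or None when
    the command succeeded; convenient for comparing the two checks."""
    try:
        run_strict(exit_code)
    except XmlsecError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    print("lenient, exit 1 ->", repr(run_lenient(1)))   # '' : failure hidden
    print("strict,  exit 1 ->", check_strict(1))        # error with stderr
    print("strict,  exit 0 ->", repr(run_strict(0)))    # '<Signature/>'
```

The lenient variant is what the commit fixes: `returncode < 0` is only true when the child died from a signal, so an ordinary non-zero exit looks like success and the caller has to infer failure from an empty result. The strict variant makes the failure explicit and keeps the stderr text, which is where xmlsec1 reports the cause.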