| Commit message (Collapse) | Author | Age | Files | Lines |
| |
Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
| |
Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
| |
Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
| |
over all types
As per review suggestion in #809
| |
Co-authored-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
| |
Support reloading metadata by adding a reload_metadata method to saml2.Entity.
This method gets the metadata configuration in the same format
as the 'metadata' entry in the configuration passed to saml2.Config.
To keep metadata refreshed, this method needs to be periodically explicitly called.
For a metadata refresh with the same configuration, the calling application
should keep a copy of the original configuration to pass to this method.
Resolves #808
| |
Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
| |
Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
| |
Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
| |
Shibboleth SP 3
- Fixed: "ERROR Shibboleth.SSO.SAML2 [6] [default]: failed to decrypt assertion: Unable to resolve any key decryption keys."
- Fixed: "WARN XMLTooling.Decrypter [7] [default]: XMLSecurity exception while decrypting key: XSECAlgorithmMapper::mapURIToHandler - URI http://www.w3.org/2001/04/xmlenc#rsa-1_5 disallowed by whitelist/blacklist policy"
| |
Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
| |
Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
| |
Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
| |
Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
| |
Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
| |
Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
| |
Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
| |
* client_base::Base is the base for an SP and manages SP_ARGS
* server::Server is the base for an IdP and manages AA_IDP_ARGS
* entity::Entity is the base of SP/IdPs and manages the COMMON_ARGS
The signing_algorithm and digest_algorithm are COMMON_ARGS
and should be set and managed by entity::Entity.
On init they are set as properties of the Entity object.
If no configuration has been given, the internal-default is set (through DefaultSignature()).
The set sign_alg and digest_alg must be checked against an allow/block-list
---
- Signing is done both by SPs (on requests) and IdPs (on responses).
- Signing is done both for the Redirect-binding (apply_binding()) and the POST-binding (_message() > sign()).
---
* All client_base::Base(SP) (create_*) methods end in Entity::_message()
* Almost all server::Server(IdP) (create_*) methods end in Entity::_response()
thus:
- Entity::_message() must decide the value of "sign" and call Entity::sign()
- Entity::_response() must decide the value of "sign" and call Entity::sign()
- Entity::_status_response() must decide the value of "sign" and call Entity::sign()
- Entity::sign() must decide the value of sign_alg and digest_alg and call sigver::pre_signature_part()
---
All calls to Entity::_message() and Entity::_response() (or to their callers)
must pass on sign, sign_alg and digest_alg
All calls to sigver::pre_signature_part() should happen through the same call-chain
and should pass on specific sign_alg and digest_alg params
All relevant params should be set to None unless they have been set by the caller.
---
client::do_logout should be refactored to use the same call-chain
---
These types of checks (and self.lock blocks) should be removed (there are more for sign_assertion)
```python
if (sign and self.sec.cert_handler.generate_cert()) or client_crt is not None:
```
```python
if self.sec.cert_handler.generate_cert():
```
---
Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
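An added example (not pysaml2's code) of the allow-list check that this note says the chosen sign_alg and digest_alg need, extended to the key-transport algorithm that the Shibboleth SP 3 fix above concerns (rsa-1_5 being refused by the SP's policy). It uses only the Python standard library; the allow-lists and the sample Response are constructed for illustration and a deployment would tune the lists to its own policy.

```python
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
XENC = "http://www.w3.org/2001/04/xmlenc#"

# Allow-lists for this example (constructed; a deployment tunes them). Anything
# not listed, including rsa-sha1, sha1 and the rsa-1_5 key transport that
# Shibboleth SP 3 rejects by default, is reported as a finding.
ALLOWED_SIGNATURE = {
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha512",
}
ALLOWED_DIGEST = {
    "http://www.w3.org/2001/04/xmlenc#sha256",
    "http://www.w3.org/2001/04/xmlenc#sha512",
}
ALLOWED_KEY_TRANSPORT = {
    "http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p",
    "http://www.w3.org/2009/xmlenc11#rsa-oaep",
}
ALLOWED_DATA_ENCRYPTION = {
    "http://www.w3.org/2001/04/xmlenc#aes128-cbc",
    "http://www.w3.org/2001/04/xmlenc#aes256-cbc",
    "http://www.w3.org/2009/xmlenc11#aes128-gcm",
    "http://www.w3.org/2009/xmlenc11#aes256-gcm",
}

# Constructed sample: a signed Response carrying an encrypted assertion, using
# the legacy algorithms a policy should refuse. Digest, signature and cipher
# values are placeholders; only the Algorithm attributes matter here.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" ID="_resp1" Version="2.0">
  <ds:Signature>
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <ds:Reference URI="#_resp1">
        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <ds:DigestValue>PLACEHOLDER</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>
  </ds:Signature>
  <saml:EncryptedAssertion>
    <xenc:EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element">
      <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
      <ds:KeyInfo>
        <xenc:EncryptedKey>
          <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
          <xenc:CipherData><xenc:CipherValue>PLACEHOLDER</xenc:CipherValue></xenc:CipherData>
        </xenc:EncryptedKey>
      </ds:KeyInfo>
      <xenc:CipherData><xenc:CipherValue>PLACEHOLDER</xenc:CipherValue></xenc:CipherData>
    </xenc:EncryptedData>
  </saml:EncryptedAssertion>
</samlp:Response>"""


def check_algorithms(xml_text):
    """Return (where, algorithm, reason) findings for every signature, digest,
    key-transport and data-encryption algorithm in the document that is
    missing or outside the allow-lists above. An empty list means compliant."""
    root = ET.fromstring(xml_text)
    findings = []

    def check(el, allowed, where):
        alg = None if el is None else el.get("Algorithm")
        if alg is None:
            findings.append((where, None, "missing Algorithm"))
        elif alg not in allowed:
            findings.append((where, alg, "not in allow-list"))

    for signed_info in root.iter("{%s}SignedInfo" % DS):
        check(signed_info.find("{%s}SignatureMethod" % DS), ALLOWED_SIGNATURE, "SignatureMethod")
        for ref in signed_info.iter("{%s}Reference" % DS):
            check(ref.find("{%s}DigestMethod" % DS), ALLOWED_DIGEST, "DigestMethod")
    # Key transport (EncryptedKey) and the data cipher (EncryptedData) have
    # different allow-lists, so they are checked separately.
    for enc_key in root.iter("{%s}EncryptedKey" % XENC):
        check(enc_key.find("{%s}EncryptionMethod" % XENC), ALLOWED_KEY_TRANSPORT, "EncryptedKey")
    for enc_data in root.iter("{%s}EncryptedData" % XENC):
        check(enc_data.find("{%s}EncryptionMethod" % XENC), ALLOWED_DATA_ENCRYPTION, "EncryptedData")
    return findings


def is_policy_compliant(xml_text):
    return not check_algorithms(xml_text)


if __name__ == "__main__":
    for where, alg, reason in check_algorithms(SAMPLE_RESPONSE):
        print("%s: %s (%s)" % (where, alg, reason))
```

Running it on the sample reports the rsa-sha1 signature, the sha1 digest and the rsa-1_5 key transport, while the aes128-cbc data cipher passes; swapping those three URIs for their allow-listed counterparts makes the document compliant.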
| |
Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
| |
Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
| |
Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
| |
Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
| |
Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
| |
When an AuthnRequest is created with HTTP-Redirect binding, the XML document is not
signed, but instead, a signature is calculated and becomes part of the query params of
the Redirect-URL, through the Signature and SignAlg params.
Previously, when the Redirect binding was requested and signing was enabled but no
SignAlg params were defined, the Signature and SignAlg query params would be missing.
Now, if no SignAlg is defined, the default is used and the request is correctly created
with the proper query params.
Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
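As an added illustration (not pysaml2's code) of what this commit describes: under the HTTP-Redirect binding the XML is left unsigned and the signature is computed over the URL-encoded SAMLRequest, RelayState and SigAlg query parameters, with a default SigAlg applied when the caller gives none. The example assumes the `cryptography` package; the AuthnRequest, key and relay state are constructed for the demo, and the verifier shows why a query arriving without SigAlg and Signature must be treated as unsigned rather than accepted.

```python
import base64
import zlib
from urllib.parse import quote, unquote

from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa

# SigAlg URIs accepted here, mapped to their hash. RSA-SHA256 is the default
# used when the caller does not pick one.
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
SUPPORTED_SIG_ALGS = {
    RSA_SHA256: hashes.SHA256,
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha512": hashes.SHA512,
}

# Constructed minimal AuthnRequest; a real SP would carry a full one.
SAMPLE_AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="_req1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z" '
    'Destination="https://idp.example.org/sso/redirect"/>'
)


def deflate_base64(xml_text):
    """Raw DEFLATE (no zlib header) followed by base64, as the binding requires."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    data = comp.compress(xml_text.encode("utf-8")) + comp.flush()
    return base64.b64encode(data).decode("ascii")


def build_redirect_query(xml_text, relay_state, private_key, sig_alg=None):
    """Build the signed query string. The signed text is the URL-encoded
    SAMLRequest, RelayState (if any) and SigAlg parameters, in that order; the
    signature is appended as the Signature parameter. A missing sig_alg falls
    back to the default instead of silently producing an unsigned request."""
    sig_alg = sig_alg or RSA_SHA256
    if sig_alg not in SUPPORTED_SIG_ALGS:
        raise ValueError("unsupported SigAlg: %s" % sig_alg)
    parts = [("SAMLRequest", deflate_base64(xml_text))]
    if relay_state is not None:
        parts.append(("RelayState", relay_state))
    parts.append(("SigAlg", sig_alg))
    to_sign = "&".join("%s=%s" % (k, quote(v, safe="")) for k, v in parts)
    signature = private_key.sign(
        to_sign.encode("ascii"), padding.PKCS1v15(), SUPPORTED_SIG_ALGS[sig_alg]()
    )
    return to_sign + "&Signature=" + quote(base64.b64encode(signature).decode("ascii"), safe="")


def verify_redirect_query(query, public_key):
    """Verify a received query. The signed text is rebuilt from the raw,
    still-encoded parameter values exactly as they arrived (re-encoding could
    change the bytes and break a valid signature); SigAlg must be one we
    accept; a query lacking SigAlg or Signature is simply unsigned."""
    raw = {}
    for pair in query.split("&"):
        name, _, value = pair.partition("=")
        raw[name] = value
    if not all(name in raw for name in ("SAMLRequest", "SigAlg", "Signature")):
        return False
    sig_alg = unquote(raw["SigAlg"])
    if sig_alg not in SUPPORTED_SIG_ALGS:
        return False
    signed = ["SAMLRequest=" + raw["SAMLRequest"]]
    if "RelayState" in raw:
        signed.append("RelayState=" + raw["RelayState"])
    signed.append("SigAlg=" + raw["SigAlg"])
    try:
        public_key.verify(
            base64.b64decode(unquote(raw["Signature"])),
            "&".join(signed).encode("ascii"),
            padding.PKCS1v15(),
            SUPPORTED_SIG_ALGS[sig_alg](),
        )
    except InvalidSignature:
        return False
    return True


def demo():
    """Sign and verify, then show that a tampered RelayState or a dropped
    Signature parameter fails verification."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    query = build_redirect_query(SAMPLE_AUTHN_REQUEST, "state-1", key)
    tampered = query.replace("RelayState=state-1", "RelayState=state-2")
    unsigned = query.split("&Signature=")[0]
    pub = key.public_key()
    return (
        verify_redirect_query(query, pub),
        verify_redirect_query(tampered, pub),
        verify_redirect_query(unsigned, pub),
    )


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

The verifier deliberately reads the raw query rather than a decoded parameter dictionary: the signature covers the exact encoded bytes the SP emitted, and a receiver that decodes and re-encodes them may compute a different string for a perfectly valid request.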
| |
Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
| |
ResponseLocation [Optional]
Optionally specifies a different location to which response messages sent as part of
the protocol or profile should be sent. The allowable syntax of this URI depends on
the protocol binding.
The ResponseLocation attribute is used to enable different endpoints to be specified for
receiving request and response messages associated with a protocol or profile, not as a
means of load-balancing or redundancy (multiple elements of this type can be included
for this purpose). When a role contains an element of this type pertaining to a protocol
or profile for which only a single type of message (request or response) is applicable,
then the ResponseLocation attribute is unused. [E41]If the ResponseLocation attribute is
omitted, any response messages associated with a protocol or profile may be assumed to
be handled at the URI indicated by the Location attribute.
ArtifactResolutionService, SingleSignOnService and NameIDMappingService MUST omit the
ResponseLocation attribute. This is enforced here, but metadata with such service
declarations and such attributes should not have been part of the metadata store in the
first place.
Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
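An added metadata check (example code, not pysaml2's) for the rule quoted above: it reports endpoints of the three types that must omit ResponseLocation, and resolves where a response goes for the other endpoint types using the spec's fallback to Location. It uses only the Python standard library; the IdP metadata document is constructed for the example.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"

# Endpoint types that, per the metadata rule quoted in the commit, MUST omit
# the ResponseLocation attribute.
NO_RESPONSE_LOCATION = {"ArtifactResolutionService", "SingleSignOnService", "NameIDMappingService"}

# Constructed IdP metadata: one SingleSignOnService wrongly carries a
# ResponseLocation, while the SingleLogoutService legitimately uses one.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.org/idp">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.org/slo/redirect"
        ResponseLocation="https://idp.example.org/slo/redirect/response"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.org/slo/post"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.org/sso/redirect"
        ResponseLocation="https://idp.example.org/sso/redirect/response"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.org/sso/post"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def _local_name(tag):
    return tag.rsplit("}", 1)[-1]


def forbidden_response_locations(xml_text):
    """List (endpoint type, Location) for every endpoint carrying a
    ResponseLocation it must not have. A non-empty result means the metadata
    should be rejected before it enters the metadata store."""
    root = ET.fromstring(xml_text)
    return [
        (_local_name(el.tag), el.get("Location"))
        for el in root.iter()
        if el.tag.startswith("{%s}" % MD)
        and _local_name(el.tag) in NO_RESPONSE_LOCATION
        and "ResponseLocation" in el.attrib
    ]


def response_destination(xml_text, endpoint_type, binding):
    """Where a response for the given endpoint type and binding is sent:
    ResponseLocation when present, otherwise Location. For endpoint types in
    NO_RESPONSE_LOCATION the attribute is ignored even if present, so a
    stray value in stored metadata cannot redirect responses."""
    root = ET.fromstring(xml_text)
    for el in root.iter("{%s}%s" % (MD, endpoint_type)):
        if el.get("Binding") == binding:
            if endpoint_type in NO_RESPONSE_LOCATION:
                return el.get("Location")
            return el.get("ResponseLocation") or el.get("Location")
    return None


if __name__ == "__main__":
    for endpoint_type, location in forbidden_response_locations(SAMPLE_METADATA):
        print("reject: %s at %s carries ResponseLocation" % (endpoint_type, location))
```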
| |
Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
| |
```
************* Module saml2.config
src/saml2/config.py:464:23: E1135: Value '_logconf' doesn't support membership test (unsupported-membership-test)
src/saml2/config.py:466:27: E1136: Value '_logconf' is unsubscriptable (unsubscriptable-object)
src/saml2/config.py:481:50: E1136: Value '_logconf' is unsubscriptable (unsubscriptable-object)
src/saml2/config.py:486:22: E1120: No value for argument 'filename' in constructor call (no-value-for-parameter)
src/saml2/config.py:488:23: E1135: Value '_logconf' doesn't support membership test (unsupported-membership-test)
src/saml2/config.py:489:42: E1136: Value '_logconf' is unsubscriptable (unsubscriptable-object)
src/saml2/config.py:505:43: E1136: Value '_logconf' is unsubscriptable (unsubscriptable-object)
src/saml2/config.py:552:19: E1136: Value 'self.virtual_organization' is unsubscriptable (unsubscriptable-object)
```
this seems right; the operations upon the Logger object do not make sense.
There is no need to "fix" this, we just remove the relevant code.
We should come back to this and refactor how the logger is configured for the library.
Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
| |
- Moves parsing PYSAML2_DELETE_TMPFILES option to config.py and uses the
value as a Config class property (`delete_tmpfiles`). This attribute is
part of the configuration so its place is in the config.py and the
corresponding class. This may add the config object dependency to
classes/functions that are calling the `make_temp` function, but at the
same time keeps a more layered approach since this config option is now
processed and set up in the correct layer; that is the Config class and
the config module. Scripts that (in)directly use classes that have
methods that use the `make_temp` functions were not changed since
those methods are not called when these scripts run and they are out of
the scripts' scope (that is, the script functionality does not create
any temp file). Those scripts are `verify_metadata`, `merge_metadata`
and `mdexport`.
| |
Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
| |
Fix logic in the pick_binding method for the class Entity that prevented
the method from properly returning binding and location tuples for
authentication requests with AssertionConsumerServiceIndex instead
of AssertionConsumerServiceURL. The logic error was assuming that
a getattr() call on a request without an AssertionConsumerServiceURL
would throw an AttributeError. It does not and instead returns None, so
the resulting path through the code would cause the "first" binding
and location tuple found in the SAML metadata to be returned instead
of the tuple corresponding to the AssertionConsumerServiceIndex.
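A toy model of the logic error this commit describes (added example, not pysaml2's pick_binding): `AuthnRequest` and `ACS_ENDPOINTS` are constructed stand-ins, the buggy and corrected selection are shown side by side, and the URL lookup refuses any AssertionConsumerServiceURL that the metadata does not declare.

```python
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
HTTP_ARTIFACT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"

# Constructed SP metadata: AssertionConsumerService endpoints as
# (index, binding, location), in the order they appear in the metadata.
ACS_ENDPOINTS = [
    (0, HTTP_POST, "https://sp.example.org/acs/post"),
    (1, HTTP_ARTIFACT, "https://sp.example.org/acs/artifact"),
    (2, HTTP_POST, "https://sp.example.org/acs/post-secondary"),
]


class AuthnRequest:
    """Hypothetical stand-in for a parsed AuthnRequest (not pysaml2's class).
    Whichever of the two attributes the SP did not send is None, which is the
    case the buggy code failed to anticipate."""

    def __init__(self, acs_url=None, acs_index=None):
        self.assertion_consumer_service_url = acs_url
        self.assertion_consumer_service_index = acs_index


def _by_index(index):
    for idx, binding, location in ACS_ENDPOINTS:
        if idx == int(index):
            return binding, location
    raise ValueError("no AssertionConsumerService with index %r" % (index,))


def _by_url(url):
    for _idx, binding, location in ACS_ENDPOINTS:
        if location == url:
            return binding, location
    # Never honour an ACS URL absent from metadata: that is how an assertion
    # ends up delivered to an endpoint the IdP never agreed to.
    raise ValueError("AssertionConsumerServiceURL %r is not in metadata" % (url,))


def pick_binding_buggy(request):
    """The logic error: getattr() on an attribute whose value is None returns
    None rather than raising, so the except branch is never taken; the code
    then treats "no URL" as "take the first endpoint" for every index-based
    request."""
    try:
        url = getattr(request, "assertion_consumer_service_url")
    except AttributeError:
        return _by_index(request.assertion_consumer_service_index)
    if url is None:
        _idx, binding, location = ACS_ENDPOINTS[0]
        return binding, location
    return _by_url(url)


def pick_binding_fixed(request):
    """Decide on the values themselves, not on an exception that never comes."""
    url = getattr(request, "assertion_consumer_service_url", None)
    index = getattr(request, "assertion_consumer_service_index", None)
    if url is not None:
        return _by_url(url)
    if index is not None:
        return _by_index(index)
    # Neither given: fall back to the first endpoint (isDefault handling omitted).
    _idx, binding, location = ACS_ENDPOINTS[0]
    return binding, location


def accepts_acs_url(url):
    """True when the requested ACS URL is one the metadata declares."""
    try:
        _by_url(url)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    request = AuthnRequest(acs_index=2)
    print("buggy:", pick_binding_buggy(request))
    print("fixed:", pick_binding_fixed(request))
```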
| |
Fixes IdentityPython/pysaml2#571
| |
Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
| |
Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
| |
Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
| |
Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
| |
Add the ability to configure an SP to require either a signed response
or signed assertions.
Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
| |
Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
| |
Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
| |
Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
| |
pyOpenSSL is already a dependency and pyOpenSSL uses cryptography.
This also reduces the complexity of the code significantly in several
places (and removes the need to directly manipulate asn1). A future
PR could remove pyOpenSSL entirely as all the cert behavior is supported
directly by cryptography.