path: root/src/saml2/entity.py
Commit message [Author, Age, Files, Lines]
* Verify signed logout requests with the redirect binding [Ivan Kanakarakis, 2021-11-16, 1 file, -3/+17]
  Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
* Small refactor [Ivan Kanakarakis, 2021-11-16, 1 file, -4/+11]
  Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
* 633: Support for redirect binding signature check using query param values [Vishal Kadam, 2021-11-15, 1 file, -2/+5]
* Output the according KeyName in encrypted answer [Clément Hallet, 2021-11-02, 1 file, -4/+5]
  Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
* fix: saml2.Entity/reload_metadata: use self.entity_type instead of iterating over all types [Vlad Mencl, 2021-07-20, 1 file, -5/+4]
  As per review suggestion in #809
* nfc: fix formatting in comment (tab vs spaces) in src/saml2/entity.py [Vlad Mencl, 2021-07-20, 1 file, -1/+1]
  Co-authored-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
* new: saml2.Entity: support reloading metadata [Vlad Mencl, 2021-06-11, 1 file, -0/+34]
  Support reloading metadata by adding a reload_metadata method to saml2.Entity. This method gets the metadata configuration in the same format as the 'metadata' entry in the configuration passed to saml2.Config.

  To keep metadata refreshed, this method needs to be periodically explicitly called. For a metadata refresh with the same configuration, the calling application should keep a copy of the original configuration to pass to this method.

  Resolves #808
* Do not restrict the falsy values of bindings on pick_binding method [Ivan Kanakarakis, 2021-05-19, 1 file, -1/+1]
  Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
* Embed the cert in the EncryptedData element [Ivan Kanakarakis, 2021-05-18, 1 file, -1/+4]
  Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
* Do not embed the cert in the EncryptedData element [Ivan Kanakarakis, 2021-05-18, 1 file, -15/+8]
  Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
* [Strengthen Encryption] PySAML2 Encrypted Assertions now works with Shibboleth SP 3 [peppelinux, 2021-05-18, 1 file, -8/+13]
  - Fixed: "ERROR Shibboleth.SSO.SAML2 [6] [default]: failed to decrypt assertion: Unable to resolve any key decryption keys."
  - Fixed: "WARN XMLTooling.Decrypter [7] [default]: XMLSecurity exception while decrypting key: XSECAlgorithmMapper::mapURIToHandler - URI http://www.w3.org/2001/04/xmlenc#rsa-1_5 disallowed by whitelist/blacklist policy"
* Sign logout requests according to logout_requests_signed config option [Ivan Kanakarakis, 2021-04-09, 1 file, -1/+5]
  Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
* Calculate entity configurations and then choose [Ivan Kanakarakis, 2020-12-08, 1 file, -7/+6]
  Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
* Resolve sign_alg and digest_alg wherever pre_signature_part is called [Ivan Kanakarakis, 2020-12-08, 1 file, -0/+4]
  Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
* Notes on _response [Ivan Kanakarakis, 2020-12-07, 1 file, -43/+90]
  Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
* Formatting and restructure [Ivan Kanakarakis, 2020-12-07, 1 file, -4/+6]
  Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
* Difference between sigver.signed_instance_factory and Entity.sign [Ivan Kanakarakis, 2020-12-07, 1 file, -1/+6]
  Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
* Remove unneeded response_factory helper [Ivan Kanakarakis, 2020-12-07, 1 file, -5/+4]
  Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
* WIP, TODO cleanup, see description [Ivan Kanakarakis, 2020-11-24, 1 file, -109/+301]
  * client_base::Base is the base for an SP and manages SP_ARGS
  * server::Server is the base for an IdP and manages AA_IDP_ARGS
  * entity::Entity is the base of SP/IdPs and manages the COMMON_ARGS

  The signing_algorithm and digest_algorithm are COMMON_ARGS and should be set and managed by entity::Entity. On init they are set as properties of the Entity object. If no configuration has been given, the internal-default is set (through DefaultSignature()). The set sign_alg and digest_alg must be checked against an allow/block-list

  ---

  - Signing is done both by SPs (on requests) and IdPs (on responses).
  - Signing is done both for the Redirect-binding (apply_binding()) and the POST-binding (_message() > sign()).

  ---

  * All client_base::Base(SP) (create_*) methods end in Entity::_message()
  * Almost all server::Server(IdP) (create_*) methods end in Entity::_response()

  thus:
  - Entity::_message() must decide the value of "sign" and call Entity::sign()
  - Entity::_response() must decide the value of "sign" and call Entity::sign()
  - Entity::_status_response() must decide the value of "sign" and call Entity::sign()
  - Entity::sign() must decide the value of sign_alg and digest_alg and call sigver::pre_signature_part()

  ---

  All calls to Entity::_message() and Entity::_response() (or to their callers) must pass on sign, sign_alg and digest_alg
  All calls to sigver::pre_signature_part() should happen through the same call-chain and should pass on specific sign_alg and digest_alg params
  All relevant params should be set to None unless they have been set by the caller.

  ---

  client::do_logout should be refactored to use the same call-chain

  ---

  These types of checks (and self.lock blocks) should be removed (there are more for sign_assertion)

  ```
  if (sign and self.sec.cert_handler.generate_cert()) or client_crt is not None:
  ```

  ```
  if self.sec.cert_handler.generate_cert()
  ```

  ---

  Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
* WIP works good - set on init use on create_ [Ivan Kanakarakis, 2020-11-24, 1 file, -18/+30]
  Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
* Fix formatting [Ivan Kanakarakis, 2020-11-24, 1 file, -7/+13]
  Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
* Configurable signing and digest alg [peppelinux, 2020-11-24, 1 file, -0/+4]
* Check allowed signature and digest algo for the POST binding [Ivan Kanakarakis, 2020-11-23, 1 file, -2/+2]
  Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
* Remove unneeded intermediate static methods [Ivan Kanakarakis, 2020-11-23, 1 file, -7/+3]
  Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
* Create the signer along with the sigalg allowance check [Ivan Kanakarakis, 2020-11-23, 1 file, -12/+8]
  Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
* Correctly sign an AuthnRequest with Redirect binding [Ivan Kanakarakis, 2020-11-23, 1 file, -2/+24]
  When an AuthnRequest is created with HTTP-Redirect binding, the XML document is not signed, but instead, a signature is calculated and becomes part of the query params of the Redirect-URL, through the Signature and SignAlg params.

  Previously, when the Redirect binding was requested and signing was enabled but no SignAlg params were defined, the Signature and SignAlg query params would be missing.

  Now, if no SignAlg is defined, the default is used and the request is correctly created with the proper query params.

  Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
* Formatting [Ivan Kanakarakis, 2020-11-23, 1 file, -24/+60]
  Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
* Fix #242: make sure status code is always returned in http_info dict [Florian Best, 2020-11-10, 1 file, -1/+1]
* Return the ResponseLocation before falling back to Location (ref: feature-logout-response-location) [Ivan Kanakarakis, 2020-10-28, 1 file, -11/+9]
  ResponseLocation [Optional]
  Optionally specifies a different location to which response messages sent as part of the protocol or profile should be sent. The allowable syntax of this URI depends on the protocol binding.

  The ResponseLocation attribute is used to enable different endpoints to be specified for receiving request and response messages associated with a protocol or profile, not as a means of load-balancing or redundancy (multiple elements of this type can be included for this purpose). When a role contains an element of this type pertaining to a protocol or profile for which only a single type of message (request or response) is applicable, then the ResponseLocation attribute is unused. [E41] If the ResponseLocation attribute is omitted, any response messages associated with a protocol or profile may be assumed to be handled at the URI indicated by the Location attribute.

  ArtifactResolutionService, SingleSignOnService and NameIDMappingService MUST omit the ResponseLocation attribute. This is enforced here, but metadata with such service declarations and such attributes should not have been part of the metadata store in the first place.

  Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
* Fixes #720: honor ResponseLocation in metadata when building logout responses [Maxime Besson, 2020-10-27, 1 file, -4/+8]
* Replace assert with proper checks (ref: assert_deletion) [Ivan Kanakarakis, 2020-09-11, 1 file, -4/+10]
  Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
* Allow request signing in artifact2message [Krzysztof Jurewicz, 2020-08-25, 1 file, -2/+8]
* Remove logger configuration [Ivan Kanakarakis, 2020-05-12, 1 file, -1/+0]
  ```
  ************* Module saml2.config
  src/saml2/config.py:464:23: E1135: Value '_logconf' doesn't support membership test (unsupported-membership-test)
  src/saml2/config.py:466:27: E1136: Value '_logconf' is unsubscriptable (unsubscriptable-object)
  src/saml2/config.py:481:50: E1136: Value '_logconf' is unsubscriptable (unsubscriptable-object)
  src/saml2/config.py:486:22: E1120: No value for argument 'filename' in constructor call (no-value-for-parameter)
  src/saml2/config.py:488:23: E1135: Value '_logconf' doesn't support membership test (unsupported-membership-test)
  src/saml2/config.py:489:42: E1136: Value '_logconf' is unsubscriptable (unsubscriptable-object)
  src/saml2/config.py:505:43: E1136: Value '_logconf' is unsubscriptable (unsubscriptable-object)
  src/saml2/config.py:552:19: E1136: Value 'self.virtual_organization' is unsubscriptable (unsubscriptable-object)
  ```

  this seems right; the operations upon the Logger object do not make sense. There is no need to "fix" this, we just remove the relevant code. We should come back to this and refactor how the logger is configured for the library.

  Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
* Extract `PYSAML2_DELETE_TMPFILES` option to config.py [John Paraskevopoulos, 2019-11-26, 1 file, -2/+4]
  - Moves parsing PYSAML2_DELETE_TMPFILES option to config.py and uses the value as a Config class property (`delete_tmpfiles`). This attribute is part of the configuration so its place is in the config.py and the corresponding class. This may add the config object dependency to classes/functions that are calling the `make_temp` function, but at the same time keeps a more layered approach since this config option is now processed and set up in the correct layer; that is the Config class and the config module.

  Scripts that (in)directly use classes that have methods that use the `make_temp` functions were not changed since those methods are not called when these scripts run and they are out of the scripts' scope (that is, the script functionality does not create any temp file). Those scripts are `verify_metadata`, `merge_metadata` and `mdexport`
* Read from env var PYSAML2_DELETE_TMPFILES [Ivan Kanakarakis, 2019-11-26, 1 file, -4/+4]
  Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
* Fix logic error in pick_binding method for class Entity [Scott Koranda, 2019-08-26, 1 file, -10/+2]
  Fix logic in the pick_binding method for the class Entity that prevented the method from properly returning binding and location tuples for authentication requests with AssertionConsumerServiceIndex instead of AssertionConsumerServiceURL.

  The logic error was assuming that a getattr() call on a request without an AssertionConsumerServiceURL would throw an AttributeError. It does not and instead returns None, so the resulting path through the code would cause the "first" binding and location tuple found in the SAML metadata to be returned instead of the tuple corresponding to the AssertionConsumerServiceIndex.
* Do not swallow response verification exceptions. [Andrew Wason, 2018-11-28, 1 file, -2/+0]
  Fixes IdentityPython/pysaml2#571
* Pull out sigalg and look it up once [Ivan Kanakarakis, 2018-11-21, 1 file, -2/+3]
  Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
* Lookup signer only if signing is requested [Ivan Kanakarakis, 2018-11-21, 1 file, -1/+1]
  Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
* Remove unused code about only_identity_in_encrypted_assertion [Ivan Kanakarakis, 2018-11-21, 1 file, -5/+0]
  Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
* Group response_is_signed and assertions_are_signed blocks [Ivan Kanakarakis, 2018-11-21, 1 file, -24/+20]
  Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
* Add want_assertions_or_response_signed functionality [Scott Koranda, 2018-11-21, 1 file, -3/+66]
  Add the ability to configure an SP to require either a signed response or signed assertions.

  Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
* Remove unneeded variable [Ivan Kanakarakis, 2018-11-19, 1 file, -2/+1]
  Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
* Various small refactor [Egor Panfilov, 2018-11-19, 1 file, -3/+1]
* Retrieve SLO endpoint by the appropriate service type [Ivan Kanakarakis, 2018-08-03, 1 file, -2/+9]
  Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
* Cleanup Entity _parse_response [Ivan Kanakarakis, 2018-08-03, 1 file, -58/+47]
  Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
* fixbug: 'NoneType' object has no attribute 'get_signer' [william, 2017-05-25, 1 file, -1/+1]
* Fix some ECP problems [Czémán Arnold, 2017-04-15, 1 file, -2/+3]
* Swap pycrypto* for pyca/cryptography [Paul Kehrer, 2017-01-12, 1 file, -3/+0]
  pyOpenSSL is already a dependency and pyOpenSSL uses cryptography. This also reduces the complexity of the code significantly in several places (and removes the need to directly manipulate asn1).

  A future PR could remove pyOpenSSL entirely as all the cert behavior is supported directly by cryptography.
* Added functionality needed by the saml2test tool. [Roland Hedberg, 2016-04-16, 1 file, -1/+1]