| Commit message (Collapse) | Author | Age | Files | Lines |
| |
Following d257d3054f36b4f3dfaba8b7394a2e8bab0aaf2e the ForceAuthn attribute is
an xsd:boolean value which can be any of "false", "true", "0" or "1". We must
set force_authn when the value is "true" or "1".
We set the value into kwargs, which is then mirrored onto _args, which is
merged with args, which is finally given to the saml2.samlp.AuthnRequest class
to construct the object.
Previously, we set the value into args directly, which would be overwritten by
the call to _filter_args.
Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
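The distinction the commit makes (ForceAuthn is an xsd:boolean, so "1" must count as true and only "true"/"1" may set force_authn) is easy to get wrong with a plain string comparison. The following is an added example, not pysaml2 code: a strict xsd:boolean parser plus the kwargs plumbing the message describes. The `AuthnRequest` class is an assumed stand-in for saml2.samlp.AuthnRequest that models only the force_authn attribute.

```python
"""Added example, not pysaml2 code: strict xsd:boolean handling for
ForceAuthn and the kwargs plumbing described in the commit message.
AuthnRequest below is an assumed stand-in for saml2.samlp.AuthnRequest."""

# The only lexical forms XML Schema allows for xsd:boolean.
_XSD_TRUE = frozenset(["true", "1"])
_XSD_FALSE = frozenset(["false", "0"])


def parse_xsd_boolean(value):
    """Map an xsd:boolean lexical value to True/False, or raise ValueError.

    Surrounding whitespace is tolerated (the schema collapses it); anything
    else, including "True" or "yes", is rejected so that a malformed value
    cannot silently turn into "do not force re-authentication".
    """
    lexical = value.strip()
    if lexical in _XSD_TRUE:
        return True
    if lexical in _XSD_FALSE:
        return False
    raise ValueError("invalid xsd:boolean value: %r" % (value,))


class AuthnRequest(object):
    """Assumed stand-in for saml2.samlp.AuthnRequest (force_authn only)."""

    def __init__(self, force_authn=None, **other):
        self.force_authn = force_authn
        self.other = other


def authn_request_kwargs(force_authn=None, **kwargs):
    """Build the kwargs handed to AuthnRequest.

    force_authn is set only when the configured value is "true" or "1";
    the serialised attribute is the literal "true" expected on the wire.
    """
    if force_authn is not None and parse_xsd_boolean(force_authn):
        kwargs["force_authn"] = "true"
    return kwargs


def create_authn_request(force_authn=None, **kwargs):
    """Construct the request from kwargs, mirroring the commit's data flow."""
    return AuthnRequest(**authn_request_kwargs(force_authn, **kwargs))
```

Rejecting unknown lexical forms instead of treating them as false is the conservative choice: a typo in configuration then fails loudly rather than quietly dropping the re-authentication requirement.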
| |
No need to generate an exception and stack trace.
Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
| | |
Allow NameQualifier and SPNameQualifier attributes to be set for ePTID
| | |
Use "text" instead of "value" as the key that denotes the text-value of the
NameID node.
Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
| | |
The attribute value for eduPersonTargetedID (ePTID) is a NameID
element. The SAML specification allows the NameID element to include
the two optional attributes 'NameQualifier' and 'SPNameQualifier'. This
patch enables specifying a dictionary as the internal or local attribute
value instead of a string. When the local attribute value is a
dictionary with keys 'value', 'NameQualifier', and 'SPNameQualifier'
then the resulting XML NameID element will include the 'NameQualifier'
and 'SPNameQualifier' attributes with values taken from the values
of the dictionary. The value for the NameID element is taken from the
value associated with the 'value' key.
| |
Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
| |
Instead of explicitly declaring `KeyInfo` as child of `SubjectConfirmationData`, use `extension_elements` to extract `KeyInfo` element(s).
| |
Problem:
Holder-of-Key assertions are used to achieve higher levels of federation security, compared to bearer assertions, by having the Relying Party challenge the subscriber to prove possession of the key specified in the assertion that represents the subscriber, in addition to verifying the assertion itself, signed by the Identity Provider. More information about it can be found in https://pages.nist.gov/800-63-3/sp800-63c.html
This library fails to parse SAML responses containing assertions with the Holder-of-Key profile, for example:
```
<ns1:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:holder-of-key">
<ns1:SubjectConfirmationData InResponseTo="id-KHlas49TtW2VdC8WN" NotOnOrAfter="2019-05-14T20:36:13Z" Recipient="https://sp:443/.auth/saml/login">
<ns2:KeyInfo>
<ns2:X509Data>
<ns2:X509Certificate>...</ns2:X509Certificate>
</ns2:X509Data>
</ns2:KeyInfo>
</ns1:SubjectConfirmationData>
</ns1:SubjectConfirmation>
```
fails to be parsed with the following error:
```
ERROR saml2.response:response.py:836 get subject
Traceback (most recent call last):
File "/home/abublich/repos/abliqo-pysaml2/venv/local/lib/python2.7/site-packages/pysaml2-4.7.0-py2.7.egg/saml2/response.py", line 828, in _assertion
self.get_subject()
File "/home/abublich/repos/abliqo-pysaml2/venv/local/lib/python2.7/site-packages/pysaml2-4.7.0-py2.7.egg/saml2/response.py", line 753, in get_subject
if not self._holder_of_key_confirmed(_data):
File "/home/abublich/repos/abliqo-pysaml2/venv/local/lib/python2.7/site-packages/pysaml2-4.7.0-py2.7.egg/saml2/response.py", line 730, in _holder_of_key_confirmed
[samlp, saml, xenc, ds]):
File "/home/abublich/repos/abliqo-pysaml2/venv/local/lib/python2.7/site-packages/pysaml2-4.7.0-py2.7.egg/saml2/__init__.py", line 1004, in extension_elements_to_elements
for extension_element in extension_elements:
TypeError: 'SubjectConfirmationData' object is not iterable
```
The root cause is two-fold:
1. The type SubjectConfirmationDataType_ does not declare KeyInfo as child element.
2. The bug in function _holder_of_key_confirmed: it should check KeyInfo child element of SubjectConfirmationData instead of SubjectConfirmationData itself.
Solution:
Fixed the root cause and added new unit tests that verify successful parsing of Holder-of-Key assertions.
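The two root causes above come down to one structural fact: in the holder-of-key profile, ds:KeyInfo is a child of SubjectConfirmationData, not of SubjectConfirmation. The following is an added example, not pysaml2's own _holder_of_key_confirmed: it locates KeyInfo at that level, extracts the X509Certificate values, and compares them with the certificate the client presented. The assertion fragment, the certificate values and the names PRESENTED_CERT and OTHER_CERT are constructed for the example; PRESENTED_CERT stands for the base64 of the DER certificate taken from the TLS client connection.

```python
"""Added example, not pysaml2 code: holder-of-key confirmation by matching
the KeyInfo under SubjectConfirmationData against the presented certificate.
All sample data here is constructed; the certificate values are valid base64
but not real certificates."""
import base64
import xml.etree.ElementTree as ET

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HOLDER_OF_KEY = "urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

# Constructed stand-ins for the client's certificate and an unrelated one.
PRESENTED_CERT = base64.b64encode(b"constructed DER bytes of the client certificate").decode("ascii")
OTHER_CERT = base64.b64encode(b"constructed DER bytes of some other certificate").decode("ascii")

# Constructed assertion skeleton; %s slots are the confirmation method and
# the certificate text (deliberately indented across lines, as IdPs emit it).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <saml:Subject>
    <saml:NameID>alice</saml:NameID>
    <saml:SubjectConfirmation Method="%s">
      <saml:SubjectConfirmationData Recipient="https://sp.example/acs">
        <ds:KeyInfo>
          <ds:X509Data>
            <ds:X509Certificate>
              %s
            </ds:X509Certificate>
          </ds:X509Data>
        </ds:KeyInfo>
      </saml:SubjectConfirmationData>
    </saml:SubjectConfirmation>
  </saml:Subject>
</saml:Assertion>
"""


def hok_assertion(cert_b64, method=HOLDER_OF_KEY):
    """Render the constructed sample with the given method and certificate."""
    return SAMPLE_ASSERTION % (method, cert_b64)


def _canonical_cert(b64text):
    """Decode and re-encode so line breaks and indentation do not matter."""
    return base64.b64encode(base64.b64decode("".join(b64text.split()))).decode("ascii")


def holder_of_key_certs(subject_confirmation):
    """Certificates from KeyInfo elements that are children of
    SubjectConfirmationData (where the HoK profile places them), not of
    SubjectConfirmation itself. Empty for any other confirmation method."""
    if subject_confirmation.get("Method") != HOLDER_OF_KEY:
        return []
    data = subject_confirmation.find("saml:SubjectConfirmationData", NS)
    if data is None:
        return []
    certs = []
    for key_info in data.findall("ds:KeyInfo", NS):
        for cert in key_info.findall("ds:X509Data/ds:X509Certificate", NS):
            if cert.text and cert.text.strip():
                certs.append(_canonical_cert(cert.text))
    return certs


def hok_certs_in(assertion_xml):
    """All HoK certificates named anywhere in the assertion."""
    root = ET.fromstring(assertion_xml)
    certs = []
    for sc in root.iter("{%s}SubjectConfirmation" % NS["saml"]):
        certs.extend(holder_of_key_certs(sc))
    return certs


def holder_of_key_confirmed(assertion_xml, presented_cert_b64):
    """True only if some HoK SubjectConfirmation names the presented cert.

    Run this only after the assertion's signature has been verified; an
    unverified assertion could name any certificate. Untrusted XML should go
    through a hardened parser (e.g. defusedxml) in production.
    """
    return _canonical_cert(presented_cert_b64) in hok_certs_in(assertion_xml)
```

A bearer confirmation that happens to carry a KeyInfo is ignored on purpose: the method attribute decides which confirmation semantics apply, and a bearer assertion must not gain holder-of-key strength from stray key material.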
| |
Allow values of None in the collected information.
Filter out those fields later.
Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
| | |
Use html.escape when available
| | |
Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
| | |
Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
|
| | |
|
|\ \
| | |
| | | |
Make entity category imports more flexible
| | | |
This enhancement causes an entity category import to first be tried from
the general module search path, and if that fails then to fall back to
the current default of importing saml2.entity_category.<module>. This
allows deployers to overlay their own customized versions of entity
category modules like edugain.py that contain CoCo. This is helpful
since the list of attributes to be included as part of the entity
category may not be globally the same for all deployments. Such is the
case with CoCo where the list of attributes changes from federation to
federation and deployment to deployment.
| | | | |
Add timestamps for ident mongodb documents
| | | | |
Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
| | | | |
Implement MongoDB version of function to look for an existing persistent
NameId for a user.
|
| |/ /
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
http://docs.oasis-open.org/security/saml/v2.0/errata05/os/saml-v2.0-errata05-os.html#__RefHeading__8058_1983180497:
"The use of the AllowCreate attribute MUST NOT be used and SHOULD be
ignored in conjunction with requests for or assertions issued with name
identifiers with a Format of
urn:oasis:names:tc:SAML:2.0:nameid-format:transient (they preclude any
such state in and of themselves)."
| |
Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
| |
Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
| |
Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
| |
Using lxml.etree.tostring without encoding in python3 results in an unparsable
xml document. To fix this, we always set the encoding to UTF-8 and omit the xml
declaration. We then convert the result to the native string type before
returning it.
---
Our preferred encoding (in general) is `utf-8`. `lxml` defaults to `ASCII`, or
expects us to provide an encoding. Provided an encoding, `lxml` serializes the
tree-representation of the xml document by encoding it with that encoding. If
it is directed to include an xml declaration, it embeds that encoding in the
xml declaration as the `encoding` property.
(i.e., `<?xml version='1.0' encoding='iso-8859-7'?>`)
`lxml` allows for some _special_ values as an encoding.
- In python2 those are: `"unicode"` and `unicode`.
- In python3 those are: `"unicode"` and `str`.
By specifying those values, the result will be _decoded_ from bytes to unicode
("unicode" is not an actual encoding; the actual encoding will be utf-8). The
encoding is already the _type_ of the result. This is why you are not allowed
to have an xml declaration for those cases. The result is not bytes that have
to be read by some encoding rules, but decoded data that their type dictates
how they are managed.
With the latest changes, what we do is:
1. we always encode the result as UTF-8
2. we do not include an xml declaration (because of _(3)_)
3. we convert to the native string type (that is `bytes`/`str` for Python2, and
`str` for Python3, the equivalent of `unicode` in Python2)
The consumer of the result should expect to treat the result as utf8-encoded
bytes in Python2, and utf8-decoded string in Python3.
Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
| |
Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
| |
Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
| |
Previously there was no reliable way to know whether decryption failed. Now,
when decryption fails a DecryptError exception is raised containing the keys
that were tried to decrypt the given ciphertext.
The same refactoring is done to SecurityContext::decrypt_keys.
Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
| |
Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
| |
When xmlsec1 fails, it returns a non-zero returncode. The returncode was
checked only for values less than zero, and not greater than zero. This results
in situations where xmlsec1 fails to run a command, but the execution
continues as if nothing failed. This happens to be ok because the result we
depend upon is coupled to xmlsec1's output stream. When xmlsec1 fails, the
output stream is empty and the error stream will have information relevant to
the failure cause.
Now, the check expects a returncode with value zero, otherwise an XmlsecError
exception is raised, to be handled by the caller up the stack.
This could have been a major security issue, but we got lucky.
Special thanks to @pjsg for bringing this to our attention.
Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
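The return-code check the commit describes, shown as the old lenient test beside the strict one, is given below as an added example; it is not pysaml2's _run_xmlsec. A subprocess check like `returncode < 0` only catches death by signal on POSIX, so an ordinary exit status 1 from a failed verification passes it. The commands FAILING_CMD and SUCCEEDING_CMD are constructed stand-ins that mimic xmlsec1's behaviour (empty stdout plus a diagnostic on stderr on failure) so the example runs without xmlsec1 installed; the diagnostic text is made up.

```python
"""Added example, not pysaml2 code: strict versus lenient handling of a
signing/verification helper's exit status. The commands below are
constructed stand-ins for xmlsec1 and the stderr text is made up."""
import subprocess
import sys


class XmlsecError(Exception):
    """Raised when the external tool did not complete successfully."""


# Constructed: mimics xmlsec1 failing (nothing on stdout, reason on stderr, exit 1).
FAILING_CMD = [
    sys.executable, "-c",
    "import sys; sys.stderr.write('constructed: signature verification failed\\n'); sys.exit(1)",
]
# Constructed: mimics xmlsec1 succeeding and writing its result to stdout.
SUCCEEDING_CMD = [sys.executable, "-c", "import sys; sys.stdout.write('OK\\n')"]


def run_lenient(cmd):
    """Pre-fix behaviour: only a negative return code (killed by a signal)
    counts as failure, so exit status 1 is silently treated as success and
    the caller receives an empty result."""
    proc = subprocess.run(cmd, capture_output=True, text=True)
    if proc.returncode < 0:
        raise XmlsecError("killed by signal %d" % -proc.returncode)
    return proc.stdout


def run_strict(cmd):
    """Fixed behaviour: anything but exit status 0 raises, carrying stderr
    so the caller up the stack can log the actual failure cause."""
    proc = subprocess.run(cmd, capture_output=True, text=True)
    if proc.returncode != 0:
        raise XmlsecError("exit %d: %s" % (proc.returncode, proc.stderr.strip()))
    return proc.stdout
```

The lenient variant returns an empty string for the failing command without raising; whether that is safe depends entirely on every caller treating "no output" as "not verified", which is the luck the commit message refers to. The strict variant removes that dependency.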
| |
All callers set it to false, but one which calls the validation method itself
after the call to _run_xmlsec (which means that validation is done twice).
Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
| |
_run_xmlsec function allowed to pass the kind of exception that would be raised
in case of error. This parameter was ignored. As such, it is not needed and
is removed completely.
Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
| |
The application should control whether warnings should be visible or not. By
hardcoding the simplefilter we turn on warnings' visibility for all modules
that follow. Removing this allows the application code to decide if warnings
should be shown.
To enable warnings through the command line pass -Wd to the python interpreter.
Quoting the python warnings module documentation[0]:
> You can do this from the command-line by passing -Wd to the interpreter (this
> is shorthand for -W default). This enables default handling for all warnings,
> including those that are ignored by default. To change what action is taken
> for encountered warnings you simply change what argument is passed to -W,
> e.g. -W error. See the -W flag for more details on what is possible.
[0]: https://docs.python.org/2/library/warnings.html#updating-code-for-new-versions-of-python
Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
| | |
Enable signature verification for MDQ
| | |
Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
|
| | |
|
| |
| |
| |
| |
| |
| |
| | |
Add functionality to allow configuration of signature verification for
metadata obtained using the MDQ protocol. Support is limited to checking
the signature of a response containing a single entity and not multiple
entities.
| | |
Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
| | |
The html module is only available for python3. The cgi module provides almost
identical functionality and is present for both python2 and python3.
Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
|
| |
| |
| |
| | |
Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
| |
Fixes IdentityPython/pysaml2#571
| |
Assurance-certification and entity-category should be under the same
EntityAttributes elements.
Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
| |
Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>