| Commit message | Author | Age | Files | Lines |
Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
Following d257d3054f36b4f3dfaba8b7394a2e8bab0aaf2e the ForceAuthn attribute is
an xsd:boolean value which can be any of "false", "true", "0" or "1". We must
set force_authn when the value is "true" or "1".
We set the value into kwargs, which is then mirrored onto _args, which is
merged with args, which is finally given to the saml2.samlp.AuthnRequest class
to construct the object.
Previously, we set the value into args directly, which would be overwritten by
the call to _filter_args.
Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
Use "text" instead of "value" as the key that denotes the text-value of the
NameID node.
Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
The attribute value for eduPersonTargetedID (ePTID) is a NameID
element. The SAML specification allows the NameID element to include
the two optional attributes 'NameQualifier' and 'SPNameQualifier'. This
patch enables specifying a dictionary as the internal or local attribute
value instead of a string. When the local attribute value is a
dictionary with keys 'value', 'NameQualifier', and 'SPNameQualifier'
then the resulting XML NameID element will include the 'NameQualifier'
and 'SPNameQualifier' attributes with values taken from the values
of the dictionary. The value for the NameID element is taken from the
value associated with the 'value' key.
Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
Instead of explicitly declaring `KeyInfo` as child of `SubjectConfirmationData`, use `extension_elements` to extract `KeyInfo` element(s).
Problem:
Holder-of-Key assertions are used to achieve higher levels of federation security, compared to bearer assertions, by having the Relying Party challenge the subscriber to prove possession of the key specified in the assertion that represents the subscriber, in addition to verifying that the assertion itself is signed by the Identity Provider. More information about it can be found in https://pages.nist.gov/800-63-3/sp800-63c.html
This library fails to parse SAML responses containing assertions with the Holder-of-Key profile, for example:
```
<ns1:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:holder-of-key">
<ns1:SubjectConfirmationData InResponseTo="id-KHlas49TtW2VdC8WN" NotOnOrAfter="2019-05-14T20:36:13Z" Recipient="https://sp:443/.auth/saml/login">
<ns2:KeyInfo>
<ns2:X509Data>
<ns2:X509Certificate>...</ns2:X509Certificate>
</ns2:X509Data>
</ns2:KeyInfo>
</ns1:SubjectConfirmationData>
</ns1:SubjectConfirmation>
```
fails to be parsed with the following error:
```
ERROR saml2.response:response.py:836 get subject
Traceback (most recent call last):
File "/home/abublich/repos/abliqo-pysaml2/venv/local/lib/python2.7/site-packages/pysaml2-4.7.0-py2.7.egg/saml2/response.py", line 828, in _assertion
self.get_subject()
File "/home/abublich/repos/abliqo-pysaml2/venv/local/lib/python2.7/site-packages/pysaml2-4.7.0-py2.7.egg/saml2/response.py", line 753, in get_subject
if not self._holder_of_key_confirmed(_data):
File "/home/abublich/repos/abliqo-pysaml2/venv/local/lib/python2.7/site-packages/pysaml2-4.7.0-py2.7.egg/saml2/response.py", line 730, in _holder_of_key_confirmed
[samlp, saml, xenc, ds]):
File "/home/abublich/repos/abliqo-pysaml2/venv/local/lib/python2.7/site-packages/pysaml2-4.7.0-py2.7.egg/saml2/__init__.py", line 1004, in extension_elements_to_elements
for extension_element in extension_elements:
TypeError: 'SubjectConfirmationData' object is not iterable
```
The root cause is two-fold:
1. The type SubjectConfirmationDataType_ does not declare KeyInfo as child element.
2. The bug in function _holder_of_key_confirmed: it should check KeyInfo child element of SubjectConfirmationData instead of SubjectConfirmationData itself.
Solution:
Fixed the root cause and added new unit tests that verify successful parsing of Holder-of-Key assertions.
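The check this commit repairs, as an added stand-alone example rather than pysaml2's own `_holder_of_key_confirmed`: walk from `SubjectConfirmation` into the `KeyInfo` child of `SubjectConfirmationData`, decode the certificates bound there, and accept the confirmation only if one of them matches the certificate the client actually presented. The XML below is constructed for the example (the certificate bytes are a placeholder, not a real X.509 blob, and the identifiers and URLs are made up); a bearer confirmation carries no key and is deliberately never treated as proof of possession.

```python
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HOLDER_OF_KEY = "urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

# Constructed sample data: a placeholder byte string stands in for the DER
# encoding of the certificate the client presented (e.g. its TLS client cert).
PRESENTED_CERT_DER = b"placeholder-client-certificate-bytes"

# Constructed Subject element modelled on the snippet in the commit message;
# request id, timestamp and recipient URL are made up for this example.
SUBJECT_TEMPLATE = """
<saml:Subject xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
              xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <saml:NameID>subscriber@example.org</saml:NameID>
  <saml:SubjectConfirmation Method="{method}">
    <saml:SubjectConfirmationData InResponseTo="id-constructed-request"
        NotOnOrAfter="2019-05-14T20:36:13Z" Recipient="https://sp.example.org/acs">
      <ds:KeyInfo>
        <ds:X509Data>
          <ds:X509Certificate>{cert}</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </saml:SubjectConfirmationData>
  </saml:SubjectConfirmation>
</saml:Subject>
"""


def build_subject(method, cert_der):
    """Render the constructed Subject with the given confirmation method and
    the base64 form of cert_der inside X509Certificate."""
    return SUBJECT_TEMPLATE.format(
        method=method, cert=base64.b64encode(cert_der).decode("ascii")
    )


def keyinfo_certs(subject):
    """DER bytes of every X509Certificate under the KeyInfo child of each
    holder-of-key SubjectConfirmationData. The walk is SubjectConfirmation ->
    SubjectConfirmationData -> KeyInfo -> X509Data -> X509Certificate: it is the
    KeyInfo child that carries the key, not SubjectConfirmationData itself."""
    certs = []
    for sc in subject.findall("saml:SubjectConfirmation", NS):
        if sc.get("Method") != HOLDER_OF_KEY:
            continue  # bearer confirmations bind no key, so nothing to check
        scd = sc.find("saml:SubjectConfirmationData", NS)
        if scd is None:
            continue
        for keyinfo in scd.findall("ds:KeyInfo", NS):
            for cert in keyinfo.findall("ds:X509Data/ds:X509Certificate", NS):
                b64 = "".join((cert.text or "").split())  # drop line wrapping
                certs.append(base64.b64decode(b64))
    return certs


def holder_of_key_confirmed(subject_xml, presented_cert_der):
    """True only if a holder-of-key confirmation in the Subject binds the
    certificate the client actually presented; compared via SHA-256 digests in
    constant time."""
    root = ET.fromstring(subject_xml.strip())
    presented = hashlib.sha256(presented_cert_der).digest()
    return any(
        hmac.compare_digest(hashlib.sha256(cert).digest(), presented)
        for cert in keyinfo_certs(root)
    )


if __name__ == "__main__":
    hok = build_subject(HOLDER_OF_KEY, PRESENTED_CERT_DER)
    print(holder_of_key_confirmed(hok, PRESENTED_CERT_DER))       # True
    print(holder_of_key_confirmed(hok, b"some-other-certificate"))  # False
```

The matching step here compares only the certificate the client presented against the one bound in the assertion; in a real deployment that presented certificate comes from the TLS layer or a signed request, and the assertion signature still has to be verified separately.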
Make tests pass after 2024
Background:
As part of my work on reproducible builds for openSUSE, I check that software still gives identical build results in the future.
The usual offset is +15 years, because that is how long I expect some software will be used in some places.
This showed up failing tests in our package build.
See https://reproducible-builds.org/ for why this matters.
This patch made tests pass in 2037
Make entity category imports more flexible
Added tests for the new entity category import functionality that
searches for entity category modules on the general import path
before searching in saml2.entity_category.<module>.
AllowCreate is not supposed to be present for transient Name IDs.
Allow tests to pass after 2020
This helps to verify reproducible builds.
See https://reproducible-builds.org/ for why this matters.
Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
When xmlsec1 fails, it returns a non-zero returncode. The returncode was
checked only for values less than zero, and not greater than zero. This results
in situations where xmlsec1 fails to run a command, but the execution
continues as if nothing failed. This happens to be ok because the result we
depend upon is coupled to xmlsec1's output stream. When xmlsec1 fails, the
output stream is empty and the error stream will have information relevant to
the failure cause.
Now, the check expects a returncode with value zero, otherwise an XmlsecError
exception is raised, to be handled by the caller up the stack.
This could have been a major security issue, but we stood lucky.
Special thanks to @pjsg for bringing this to our attention.
Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
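The return-code check described in this commit, as an added example that is not pysaml2's own `_run_xmlsec`: a hypothetical `run_xmlsec_before_fix` that only treated negative codes (death by signal) as failure, beside a `run_xmlsec` that raises `XmlsecError` for any non-zero exit and attaches the tool's stderr so the caller can log the cause. No xmlsec1 binary is needed to see the difference: the two commands below are constructed stand-ins that run the Python interpreter and mimic a failing tool (empty stdout, message on stderr, exit status 1) and a successful one.

```python
import subprocess
import sys


class XmlsecError(Exception):
    """Raised when the external signing/verification tool reports failure."""


# Constructed stand-ins for an xmlsec1 invocation (hypothetical commands; they
# only reproduce the process behaviour the commit message describes).
FAILING_CMD = [
    sys.executable, "-c",
    "import sys; print('stand-in: signature verification failed', file=sys.stderr); sys.exit(1)",
]
SUCCESS_CMD = [sys.executable, "-c", "print('OK')"]


def run_xmlsec_before_fix(command):
    """Pre-fix check: only a negative return code (process killed by a signal)
    counted as failure, so a tool exiting with status 1 looked like success and
    its empty stdout was handed back to the caller as if it were a result."""
    proc = subprocess.run(command, capture_output=True, text=True)
    if proc.returncode < 0:
        raise XmlsecError("killed by signal %d" % -proc.returncode)
    return proc.stdout


def run_xmlsec(command):
    """Fixed check: anything other than return code 0 is a failure. The stderr
    text travels with the exception so the caller up the stack can record the
    cause instead of silently continuing with an empty result."""
    proc = subprocess.run(command, capture_output=True, text=True)
    if proc.returncode != 0:
        raise XmlsecError(
            "tool exited with %d: %s" % (proc.returncode, proc.stderr.strip())
        )
    return proc.stdout


def failure_is_reported(command):
    """True if run_xmlsec raises for the command, False if it returns
    normally; used to show the two behaviours side by side."""
    try:
        run_xmlsec(command)
    except XmlsecError:
        return True
    return False


if __name__ == "__main__":
    # The old check hands back an empty string for the failing command ...
    print(repr(run_xmlsec_before_fix(FAILING_CMD)))  # ''
    # ... the fixed one raises, carrying the stderr text.
    print(failure_is_reported(FAILING_CMD))          # True
    print(run_xmlsec(SUCCESS_CMD).strip())           # OK
```

The same pattern applies to any external verifier whose result is read from its output stream: an empty output is not a verdict, and the exit status has to be checked before the output is trusted.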
All callers set it to false, but one which calls the validation method itself
after the call to _run_xmlsec (which means that validation is done twice).
Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
_run_xmlsec function allowed to pass the kind of exception that would be raised
in case of error. This parameter was ignored. As such, it is not needed and
is removed completely.
Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
status response.
This test passes in v4.6.3 but is failing in v4.6.4 due to IdentityPython/pysaml2#571
Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
Add logic to test client configuration options
want_response_signed, want_assertions_signed, and
want_assertions_or_response_signed.
Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
Support non-ascii attribute values for encryption and decryption
Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
Mock utcnow call used by time_util module to return the same date as the
IssueInstant date of the response.
Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
Raise ValueError for invalid attribute type
Without this patch, the AttributeValueBase set_text method checks for a
valid xsi:type before setting the text value, but when it gets to the
catchall case, instead of raising an exception it simply creates an
unassigned ValueError instance and does nothing with it. This is clearly
not intentional, and it is a problem because it means it is possible to
set an invalid xsi:type for an AttributeValue. This patch corrects the
error by raising the ValueError exception rather than letting it
disappear into the ether.
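The defect this commit describes, shown as an added example that is not pysaml2's `AttributeValueBase`: a minimal, hypothetical text setter with a small table of supported `xsi:type` values. The "before" version builds a `ValueError` in its catch-all branch but never raises it, so an unsupported type slips through and the caller gets `None`; the fixed version raises, and `rejects_type` makes the difference checkable.

```python
import base64

# Constructed table of supported xsi:type values and how each encodes a
# Python value as the element text (hypothetical; the real class has its own).
XSI_TYPE_ENCODERS = {
    "xs:string": lambda v: str(v),
    "xs:integer": lambda v: str(int(v)),
    "xs:boolean": lambda v: "true" if v else "false",
    "xs:base64Binary": lambda v: base64.b64encode(v).decode("ascii"),
}


def set_text_before_fix(value, xsi_type):
    """Buggy catch-all: the exception object is created and immediately
    discarded, so an unsupported xsi:type is silently accepted and the caller
    receives None instead of an error."""
    encoder = XSI_TYPE_ENCODERS.get(xsi_type)
    if encoder is None:
        ValueError("unsupported xsi:type %r" % xsi_type)  # constructed, never raised
        return None
    return encoder(value)


def set_text(value, xsi_type):
    """Fixed: an unsupported xsi:type is rejected by raising, so it can never
    be written into an AttributeValue."""
    encoder = XSI_TYPE_ENCODERS.get(xsi_type)
    if encoder is None:
        raise ValueError("unsupported xsi:type %r" % xsi_type)
    return encoder(value)


def rejects_type(xsi_type, value="x"):
    """True if set_text refuses the given xsi:type, False if it encodes it."""
    try:
        set_text(value, xsi_type)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(repr(set_text_before_fix("x", "xs:noSuchType")))  # None, no error
    print(rejects_type("xs:noSuchType"))                    # True
    print(set_text(True, "xs:boolean"))                     # true
```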
Added a test to test the parsing of an authentication response that does
not contain a <NameID> element.
Okta integration requires decryption id_attr to be set to 'Id'.
Add SAML2 response generated from okta into test directory, and
test that this is successfully decrypted using a properly
configured SecurityContext
Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
Added tests to check the relay state in the HTML that is returned for a
response with the HTTP-POST binding. The tests check that if a relay
state is input then it appears in the HTML with the correct value, and
that if no relay state or an empty relay state is input that no relay
state appears in the HTML.
* Use better subprocess functions to correctly close pipes.
* When opening files, use a context manager to ensure file is closed
in a deterministic way.
* Close logging handlers