| Commit message | Author | Age | Files | Lines |
Allow tests to pass after 2020
This helps to verify reproducible builds.
See https://reproducible-builds.org/ for why this matters.
Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
When xmlsec1 fails, it returns a non-zero returncode. The returncode was
checked only for values less than zero, and not greater than zero. This results
in situations where xmlsec1 fails to run a command, but the execution
continues as if nothing failed. This happens to be ok because the result we
depend upon is coupled to xmlsec1's output stream. When xmlsec1 fails, the
output stream is empty and the error stream will have information relevant to
the failure cause.
Now, the check expects a returncode with value zero, otherwise an XmlsecError
exception is raised, to be handled by the caller up the stack.
This could have been a major security issue, but we stood lucky.
Special thanks to @pjsg for bringing this to our attention.
Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
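The returncode check described in this commit, as an added example that is not pysaml2's own code: a small Python child process stands in for xmlsec1 so it runs offline, and `XmlsecError`, `run_buggy` and `run_fixed` are hypothetical names chosen here to contrast the old `< 0` test with the corrected `!= 0` test.

```python
# Added example, not pysaml2 code. A Python child process plays the role of
# xmlsec1 so the comparison runs offline; the function names are hypothetical.
import subprocess
import sys


class XmlsecError(Exception):
    """Raised when the external tool exits with a non-zero status."""


def _fake_xmlsec(exit_code, stdout_text=""):
    # Constructed stand-in for the xmlsec1 command line: it writes
    # stdout_text to stdout, a message to stderr, and exits with exit_code.
    return [sys.executable, "-c",
            f"import sys; sys.stdout.write({stdout_text!r}); "
            f"sys.stderr.write('error'); sys.exit({exit_code})"]


def run_buggy(cmd):
    # The old check: only negative codes (the child was killed by a signal)
    # count as failure, so a normal exit(1) is treated as success and the
    # empty stdout is handed back as if it were a verified result.
    proc = subprocess.run(cmd, capture_output=True, text=True)
    if proc.returncode < 0:
        raise XmlsecError(proc.stderr)
    return proc.stdout


def run_fixed(cmd):
    # The corrected check: any status other than 0 is a failure, and the
    # stderr text is surfaced to the caller instead of being dropped.
    proc = subprocess.run(cmd, capture_output=True, text=True)
    if proc.returncode != 0:
        raise XmlsecError(proc.stderr.strip() or f"exit status {proc.returncode}")
    return proc.stdout


def outcome(runner, exit_code):
    # Returns "ok:<stdout>" or "error" so both behaviours can be compared.
    stdout_text = "OK" if exit_code == 0 else ""
    try:
        return "ok:" + runner(_fake_xmlsec(exit_code, stdout_text))
    except XmlsecError:
        return "error"


if __name__ == "__main__":
    for code in (0, 1):
        print(code, outcome(run_buggy, code), outcome(run_fixed, code))
```

With exit status 1 the old check returns an empty string as though the tool succeeded, while the corrected check raises.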
All callers set it to false, but one which calls the validation method itself
after the call to _run_xmlsec (which means that validation is done twice).
Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
The _run_xmlsec function allowed passing the kind of exception that would be raised
in case of error. This parameter was ignored. As such, it is not needed and
is removed completely.
Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
status response.
This test passes in v4.6.3 but is failing in v4.6.4 due to IdentityPython/pysaml2#571
Add logic to test client configuration options
want_response_signed, want_assertions_signed, and
want_assertions_or_response_signed.
Support non-ascii attribute values for encryption and decryption
Mock utcnow call used by time_util module to return the same date as the
IssueInstant date of the response.
Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
Raise ValueError for invalid attribute type
Without this patch, the AttributeValueBase set_text method checks for a
valid xsi:type before setting the text value, but when it gets to the
catchall case, instead of raising an exception it simply creates an
unassigned ValueError instance and does nothing with it. This is clearly
not intentional, and it is a problem because it means it is possible to
set an invalid xsi:type for an AttributeValue. This patch corrects the
error by raising the ValueError exception rather than letting it
disappear into the ether.
Added a test to test the parsing of an authentication response that does
not contain a <NameID> element.
Okta integration requires decryption id_attr to be set to 'Id'.
Add SAML2 response generated from okta into test directory, and
test that this is successfully decrypted using a properly
configured SecurityContext
Added tests to check the relay state in the HTML that is returned for a
response with the HTTP-POST binding. The tests check that if a relay
state is input then it appears in the HTML with the correct value, and
that if no relay state or an empty relay state is input that no relay
state appears in the HTML.
* Use better subprocess functions to correctly close pipes.
* When opening files, use a context manager to ensure the file is closed
in a deterministic way.
* Close logging handlers
Ensure signature checking for SAML Responses is enabled by default
Explicitly allow unsigned responses in tests where we do not
sign them.
Fix for issue 459 "Form used with HTTP_POST binding nonconforming and
shows submit button". The fix introduces an HTML5 DOCTYPE declaration
and uses noscript tags appropriately to hide the submit button when
JavaScript is enabled.
Modifications of the tests were necessary because the tests unnecessarily
relied on the response being a list of strings with the <form> element
being the fourth item in the list, in order to unpack the form and pull
out the SAMLResponse and relay state for comparison. The new tests do not
require the response to be arbitrarily broken up as a list of
strings.
Add force_authn sp configuration option
If the value is truthy, "true" is given as the ForceAuthn value. The
value is derived from the 'force_authn' keyword argument as passed to
the 'create_authn_request()' method; otherwise it falls back to the
configuration value.
Using the binary response content of requests to avoid incorrect metadata encoding
MetaDataMDX to avoid same issue there