openstack/deb-python-pysaml2
Code Issues Proposed changes

Fixed problem with signing metadata.

Browse Source
This commit is contained in:
Roland Hedberg
2014-06-09 18:05:29 +02:00
parent f684c4af2b
commit 0dde360db0
3 changed files with 56 additions and 20 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
src/saml2/config.py
View File

@@ -116,14 +116,17 @@ PDP_ARGS = ["endpoints", "name_form", "name_id_format"]
AQ_ARGS = ["endpoints"] AQ_ARGS = ["endpoints"]
AA_ARGS = ["attribute", "attribute_profile"]
COMPLEX_ARGS = ["attribute_converters", "metadata", "policy"] COMPLEX_ARGS = ["attribute_converters", "metadata", "policy"]
ALL = set(COMMON_ARGS + SP_ARGS + AA_IDP_ARGS + PDP_ARGS + COMPLEX_ARGS) ALL = set(COMMON_ARGS + SP_ARGS + AA_IDP_ARGS + PDP_ARGS + COMPLEX_ARGS +
AA_ARGS)
SPEC = { SPEC = {
"": COMMON_ARGS + COMPLEX_ARGS, "": COMMON_ARGS + COMPLEX_ARGS,
"sp": COMMON_ARGS + COMPLEX_ARGS + SP_ARGS, "sp": COMMON_ARGS + COMPLEX_ARGS + SP_ARGS,
"idp": COMMON_ARGS + COMPLEX_ARGS + AA_IDP_ARGS, "idp": COMMON_ARGS + COMPLEX_ARGS + AA_IDP_ARGS,
"aa": COMMON_ARGS + COMPLEX_ARGS + AA_IDP_ARGS, "aa": COMMON_ARGS + COMPLEX_ARGS + AA_IDP_ARGS + AA_ARGS,
"pdp": COMMON_ARGS + COMPLEX_ARGS + PDP_ARGS, "pdp": COMMON_ARGS + COMPLEX_ARGS + PDP_ARGS,
"aq": COMMON_ARGS + COMPLEX_ARGS + AQ_ARGS, "aq": COMMON_ARGS + COMPLEX_ARGS + AQ_ARGS,
} }
@@ -222,6 +225,8 @@ class Config(object):
self.tmp_key_file = None self.tmp_key_file = None
self.validate_certificate = None self.validate_certificate = None
self.extensions = {} self.extensions = {}
self.attribute = []
self.attribute_profile = []
def setattr(self, context, attr, val): def setattr(self, context, attr, val):
if context == "": if context == "":

53
src/saml2/metadata.py
View File

@@ -1,4 +1,5 @@
#!/usr/bin/env python #!/usr/bin/env python
from saml2.md import AttributeProfile, entity_descriptor_from_string
from saml2.sigver import security_context from saml2.sigver import security_context
from saml2.config import Config from saml2.config import Config
from saml2.validate import valid_instance from saml2.validate import valid_instance
@@ -52,11 +53,13 @@ ORG_ATTR_TRANSL = {
"organization_url": ("url", md.OrganizationURL) "organization_url": ("url", md.OrganizationURL)
} }
MDNS = '"urn:oasis:names:tc:SAML:2.0:metadata"'
XMLNSXS = " xmlns:xs=\"http://www.w3.org/2001/XMLSchema\""
def metadata_tostring_fix(desc, nspair):
MDNS = '"urn:oasis:names:tc:SAML:2.0:metadata"' def metadata_tostring_fix(desc, nspair, xmlstring=""):
XMLNSXS = " xmlns:xs=\"http://www.w3.org/2001/XMLSchema\"" if not xmlstring:
xmlstring = desc.to_string(nspair) xmlstring = desc.to_string(nspair)
if "\"xs:string\"" in xmlstring and XMLNSXS not in xmlstring: if "\"xs:string\"" in xmlstring and XMLNSXS not in xmlstring:
xmlstring = xmlstring.replace(MDNS, MDNS+XMLNSXS) xmlstring = xmlstring.replace(MDNS, MDNS+XMLNSXS)
return xmlstring return xmlstring
@@ -94,13 +97,15 @@ def create_metadata_string(configfile, config, valid, cert, keyfile, mid, name,
return metadata_tostring_fix(desc, nspair) return metadata_tostring_fix(desc, nspair)
else: else:
for eid in eds: eid = eds[0]
if sign: if sign:
desc = sign_entity_descriptor(eid, mid, secc) eid, xmldoc = sign_entity_descriptor(eid, mid, secc)
else: else:
desc = eid xmldoc = None
valid_instance(desc)
return metadata_tostring_fix(desc, nspair) valid_instance(eid)
xmldoc = metadata_tostring_fix(eid, nspair, xmldoc)
return xmldoc
def _localized_name(val, klass): def _localized_name(val, klass):
@@ -598,6 +603,16 @@ def do_aa_descriptor(conf, cert):
if cert: if cert:
aad.key_descriptor = do_key_descriptor(cert) aad.key_descriptor = do_key_descriptor(cert)
attributes = conf.getattr("attribute", "aa")
if attributes:
for attribute in attributes:
aad.attribute.append(Attribute(text=attribute))
attribute_profiles = conf.getattr("attribute_profile", "aa")
if attribute_profiles:
for attribute_profile in attribute_profiles:
aad.attribute.append(AttributeProfile(text=attribute_profile))
return aad return aad
@@ -712,14 +727,26 @@ def entities_descriptor(eds, valid_for, name, ident, sign, secc):
entities.id = ident entities.id = ident
xmldoc = secc.sign_statement("%s" % entities, class_name(entities)) xmldoc = secc.sign_statement("%s" % entities, class_name(entities))
entities = md.entities_descriptor_from_string(xmldoc) entities = md.entities_descriptor_from_string(xmldoc)
return entities else:
xmldoc = None
return entities, xmldoc
def sign_entity_descriptor(edesc, ident, secc): def sign_entity_descriptor(edesc, ident, secc):
"""
:param edesc: EntityDescriptor instance
:param ident: EntityDescriptor identifier
:param secc: Security context
:return: Tuple with EntityDescriptor instance and Signed XML document
"""
if not ident: if not ident:
ident = sid() ident = sid()
edesc.signature = pre_signature_part(ident, secc.my_cert, 1) edesc.signature = pre_signature_part(ident, secc.my_cert, 1)
edesc.id = ident edesc.id = ident
xmldoc = secc.sign_statement("%s" % edesc, class_name(edesc)) xmldoc = secc.sign_statement("%s" % edesc, class_name(edesc))
return md.entity_descriptor_from_string(xmldoc) edesc = md.entity_descriptor_from_string(xmldoc)
return edesc, xmldoc

14
tools/make_metadata.py
View File

@@ -2,7 +2,8 @@
import argparse import argparse
import os import os
import sys import sys
from saml2.metadata import entity_descriptor from saml2.s_utils import rndstr
from saml2.metadata import entity_descriptor, metadata_tostring_fix
from saml2.metadata import entities_descriptor from saml2.metadata import entities_descriptor
from saml2.metadata import sign_entity_descriptor from saml2.metadata import sign_entity_descriptor
@@ -71,9 +72,12 @@ if args.id:
else: else:
for eid in eds: for eid in eds:
if args.sign: if args.sign:
desc = sign_entity_descriptor(eid, id, secc) assert conf.key_file
assert conf.cert_file
eid, xmldoc = sign_entity_descriptor(eid, args.id, secc)
else: else:
desc = eid xmldoc = None
valid_instance(desc)
print desc.to_string(nspair)
valid_instance(eid)
xmldoc = metadata_tostring_fix(eid, nspair, xmldoc)
print xmldoc