Store away the original XML document (the SAML response) so it can be used later.
Verify signature on an assertion in the proper place, after possible decryption of an encrypted assertion.
This commit is contained in:
Roland Hedberg
@@ -263,6 +263,7 @@ class StatusResponse(object):
|
|||||||
self.request_id = request_id
|
self.request_id = request_id
|
||||||
|
|
||||||
self.xmlstr = ""
|
self.xmlstr = ""
|
||||||
|
self.origxml = ""
|
||||||
self.name_id = None
|
self.name_id = None
|
||||||
self.response = None
|
self.response = None
|
||||||
self.not_on_or_after = 0
|
self.not_on_or_after = 0
|
||||||
@@ -290,7 +291,7 @@ class StatusResponse(object):
|
|||||||
|
|
||||||
try:
|
try:
|
||||||
valid_instance(self.response)
|
valid_instance(self.response)
|
||||||
except NotValid, exc:
|
except NotValid as exc:
|
||||||
logger.error("Not valid response: %s" % exc.args[0])
|
logger.error("Not valid response: %s" % exc.args[0])
|
||||||
self._clear()
|
self._clear()
|
||||||
return self
|
return self
|
||||||
@@ -318,18 +319,22 @@ class StatusResponse(object):
|
|||||||
# own copy
|
# own copy
|
||||||
self.xmlstr = xmldata[:]
|
self.xmlstr = xmldata[:]
|
||||||
logger.debug("xmlstr: %s" % (self.xmlstr,))
|
logger.debug("xmlstr: %s" % (self.xmlstr,))
|
||||||
|
if origxml:
|
||||||
|
self.origxml = origxml
|
||||||
|
else:
|
||||||
|
self.origxml = self.xmlstr
|
||||||
|
|
||||||
try:
|
try:
|
||||||
self.response = self.signature_check(xmldata, origdoc=origxml,
|
self.response = self.signature_check(
|
||||||
must=self.require_signature,
|
xmldata, origdoc=origxml, must=self.require_signature,
|
||||||
require_response_signature=self.require_response_signature)
|
require_response_signature=self.require_response_signature)
|
||||||
|
|
||||||
except TypeError:
|
except TypeError:
|
||||||
raise
|
raise
|
||||||
except SignatureError:
|
except SignatureError:
|
||||||
raise
|
raise
|
||||||
except Exception, excp:
|
except Exception as excp:
|
||||||
#logger.exception("EXCEPTION: %s", excp)
|
logger.exception("EXCEPTION: %s", excp)
|
||||||
raise
|
raise
|
||||||
|
|
||||||
#print "<", self.response
|
#print "<", self.response
|
||||||
@@ -577,7 +582,7 @@ class AuthnResponse(StatusResponse):
|
|||||||
conditions.not_on_or_after, self.timeslack)
|
conditions.not_on_or_after, self.timeslack)
|
||||||
if conditions.not_before:
|
if conditions.not_before:
|
||||||
validate_before(conditions.not_before, self.timeslack)
|
validate_before(conditions.not_before, self.timeslack)
|
||||||
except Exception, excp:
|
except Exception as excp:
|
||||||
logger.error("Exception on conditions: %s" % (excp,))
|
logger.error("Exception on conditions: %s" % (excp,))
|
||||||
if not lax:
|
if not lax:
|
||||||
raise
|
raise
|
||||||
@@ -746,6 +751,19 @@ class AuthnResponse(StatusResponse):
|
|||||||
:return: True/False depending on if the assertion is sane or not
|
:return: True/False depending on if the assertion is sane or not
|
||||||
"""
|
"""
|
||||||
|
|
||||||
|
if not hasattr(assertion, 'signature') or not assertion.signature:
|
||||||
|
logger.debug("unsigned")
|
||||||
|
if self.require_signature:
|
||||||
|
raise SignatureError("Signature missing for assertion")
|
||||||
|
else:
|
||||||
|
logger.debug("signed")
|
||||||
|
|
||||||
|
try:
|
||||||
|
self.sec.check_signature(assertion, class_name(assertion),
|
||||||
|
self.xmlstr)
|
||||||
|
except Exception as exc:
|
||||||
|
logger.error("correctly_signed_response: %s" % exc)
|
||||||
|
raise
|
||||||
self.assertion = assertion
|
self.assertion = assertion
|
||||||
logger.debug("assertion context: %s" % (self.context,))
|
logger.debug("assertion context: %s" % (self.context,))
|
||||||
logger.debug("assertion keys: %s" % (assertion.keyswv()))
|
logger.debug("assertion keys: %s" % (assertion.keyswv()))
|
||||||
@@ -1041,6 +1059,7 @@ class AssertionIDResponse(object):
|
|||||||
self.sec = sec_context
|
self.sec = sec_context
|
||||||
self.timeslack = timeslack
|
self.timeslack = timeslack
|
||||||
self.xmlstr = ""
|
self.xmlstr = ""
|
||||||
|
self.origxml = ""
|
||||||
self.name_id = ""
|
self.name_id = ""
|
||||||
self.response = None
|
self.response = None
|
||||||
self.not_signed = False
|
self.not_signed = False
|
||||||
@@ -1053,6 +1072,7 @@ class AssertionIDResponse(object):
|
|||||||
# own copy
|
# own copy
|
||||||
self.xmlstr = xmldata[:]
|
self.xmlstr = xmldata[:]
|
||||||
logger.debug("xmlstr: %s" % (self.xmlstr,))
|
logger.debug("xmlstr: %s" % (self.xmlstr,))
|
||||||
|
self.origxml = origxml
|
||||||
|
|
||||||
try:
|
try:
|
||||||
self.response = self.signature_check(xmldata, origdoc=origxml)
|
self.response = self.signature_check(xmldata, origdoc=origxml)
|
||||||
@@ -1061,7 +1081,7 @@ class AssertionIDResponse(object):
|
|||||||
raise
|
raise
|
||||||
except SignatureError:
|
except SignatureError:
|
||||||
raise
|
raise
|
||||||
except Exception, excp:
|
except Exception as excp:
|
||||||
logger.exception("EXCEPTION: %s", excp)
|
logger.exception("EXCEPTION: %s", excp)
|
||||||
raise
|
raise
|
||||||
|
|
||||||
@@ -1072,7 +1092,7 @@ class AssertionIDResponse(object):
|
|||||||
def verify(self, key_file=""):
|
def verify(self, key_file=""):
|
||||||
try:
|
try:
|
||||||
valid_instance(self.response)
|
valid_instance(self.response)
|
||||||
except NotValid, exc:
|
except NotValid as exc:
|
||||||
logger.error("Not valid response: %s" % exc.args[0])
|
logger.error("Not valid response: %s" % exc.args[0])
|
||||||
raise
|
raise
|
||||||
return self
|
return self
|
||||||
|
|||||||
Reference in New Issue
Block a user