renamed Conversation.idp_constraints to msg_constraints (namefmt, sigalg pertaining to SAML message)
(+ also pulls in upstream changes; these should merge back upstream without conflict)
@@ -14,6 +14,18 @@ from saml2.s_utils import rndstr
|
|||||||
|
|
||||||
from saml2test import tool
|
from saml2test import tool
|
||||||
from saml2test import FatalError
|
from saml2test import FatalError
|
||||||
|
from saml2test.interaction import InteractionNeeded
|
||||||
|
|
||||||
|
try:
|
||||||
|
from xml.etree import cElementTree as ElementTree
|
||||||
|
if ElementTree.VERSION < '1.3.0':
|
||||||
|
# cElementTree has no support for register_namespace
|
||||||
|
# neither _namespace_map, thus we sacrify performance
|
||||||
|
# for correctness
|
||||||
|
from xml.etree import ElementTree
|
||||||
|
except ImportError:
|
||||||
|
import cElementTree as ElementTree
|
||||||
|
|
||||||
|
|
||||||
__author__ = 'rohe0002'
|
__author__ = 'rohe0002'
|
||||||
|
|
||||||
@@ -72,7 +84,7 @@ class Conversation(tool.Conversation):
|
|||||||
self.position = ""
|
self.position = ""
|
||||||
self.response = None
|
self.response = None
|
||||||
self.oper = None
|
self.oper = None
|
||||||
self.idp_constraints = constraints
|
self.msg_constraints = constraints
|
||||||
|
|
||||||
def send(self):
|
def send(self):
|
||||||
srvs = getattr(self.client.metadata, REQ2SRV[self.oper.request])(
|
srvs = getattr(self.client.metadata, REQ2SRV[self.oper.request])(
|
||||||
@@ -98,12 +110,8 @@ class Conversation(tool.Conversation):
|
|||||||
except KeyError:
|
except KeyError:
|
||||||
req = self.qfunc(**self.qargs)
|
req = self.qfunc(**self.qargs)
|
||||||
|
|
||||||
self.request = self.oper.pre_processing(req, self.args)
|
req_id, self.request = self.oper.pre_processing(req, self.args)
|
||||||
try:
|
str_req = "%s" % self.request
|
||||||
str_req = "%s" % self.request
|
|
||||||
except TypeError:
|
|
||||||
print >> sys.stderr, "self.request is of type " + type(self.request).__name__ + ", value: " + str(self.request)
|
|
||||||
raise
|
|
||||||
|
|
||||||
if use_artifact:
|
if use_artifact:
|
||||||
saml_art = _client.use_artifact(str_req, self.args["entity_id"])
|
saml_art = _client.use_artifact(str_req, self.args["entity_id"])
|
||||||
@@ -238,6 +246,8 @@ class Conversation(tool.Conversation):
|
|||||||
logger.info("Faulty response: %s" % _resp)
|
logger.info("Faulty response: %s" % _resp)
|
||||||
logger.error("Exception %s" % ferr)
|
logger.error("Exception %s" % ferr)
|
||||||
raise
|
raise
|
||||||
|
except ElementTree.ParseError:
|
||||||
|
return False
|
||||||
except Exception, err:
|
except Exception, err:
|
||||||
if _resp:
|
if _resp:
|
||||||
logger.info("Faulty response: %s" % _resp)
|
logger.info("Faulty response: %s" % _resp)
|
||||||
|
|||||||
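Review bot: The new `except ElementTree.ParseError: return False` clause in the response-handling hunk (@@ -238) swallows a malformed response without any trace, while the neighbouring handlers log the faulty response before acting; for a conformance tool, an unparseable IdP response is exactly the evidence a tester needs, so log it first, e.g. `logger.error("Response is not well-formed XML: %s" % _resp)` before the `return False` (assuming `_resp` is bound before the `try`, as the sibling handlers imply). Note also that `ParseError` only exists in ElementTree 1.3+; the import hunk above deliberately falls back to the pure-Python `ElementTree` when `VERSION < '1.3.0'` and to a standalone `cElementTree` on ImportError, and on those code paths evaluating `ElementTree.ParseError` in the except clause would presumably raise AttributeError in place of the original exception, so either guard the fallback (define a `ParseError` alias once after the imports) or drop the pre-1.3 branches. The enclosing method starts and ends outside the hunk.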
@@ -532,7 +532,7 @@ class VerifyAttributeNameFormat(Check):
|
|||||||
cid = "verify-attribute-name-format"
|
cid = "verify-attribute-name-format"
|
||||||
|
|
||||||
def _func(self, conv):
|
def _func(self, conv):
|
||||||
if "name_format" not in conv.idp_constraints:
|
if "name_format" not in conv.msg_constraints:
|
||||||
return {}
|
return {}
|
||||||
|
|
||||||
# Should be a AuthnResponse or Response instance
|
# Should be a AuthnResponse or Response instance
|
||||||
@@ -546,15 +546,22 @@ class VerifyAttributeNameFormat(Check):
|
|||||||
atrstat = assertion.attribute_statement[0]
|
atrstat = assertion.attribute_statement[0]
|
||||||
for attr in atrstat.attribute:
|
for attr in atrstat.attribute:
|
||||||
try:
|
try:
|
||||||
assert attr.name_format == conv.idp_constraints[
|
assert attr.name_format == conv.msg_constraints[
|
||||||
"name_format"]
|
"name_format"]
|
||||||
|
logger.debug("Attribute name format valid: " +
|
||||||
|
attr.name_format)
|
||||||
except AssertionError:
|
except AssertionError:
|
||||||
if NAME_FORMAT_UNSPECIFIED != conv.idp_constraints[
|
if NAME_FORMAT_UNSPECIFIED != conv.msg_constraints[
|
||||||
"name_format"]:
|
"name_format"]:
|
||||||
self._message = \
|
self._message = \
|
||||||
"Wrong name format: '%s'" % attr.name_format
|
"Wrong name format: '%s', should be %s" % \
|
||||||
|
(attr.name_format, \
|
||||||
|
conv.msg_constraints["name_format"])
|
||||||
self._status = CRITICAL
|
self._status = CRITICAL
|
||||||
break
|
break
|
||||||
|
else:
|
||||||
|
logger.debug("Accepting any attribute name format")
|
||||||
|
|
||||||
return {}
|
return {}
|
||||||
|
|
||||||
|
|
||||||
@@ -574,17 +581,17 @@ class VerifyDigestAlgorithm(Check):
|
|||||||
return True
|
return True
|
||||||
|
|
||||||
def _func(self, conv):
|
def _func(self, conv):
|
||||||
if "digest_algorithm" not in conv.idp_constraints:
|
if "digest_algorithm" not in conv.msg_constraints:
|
||||||
logger.info("Not verifying digest_algorithm (not configured)")
|
logger.info("Not verifying digest_algorithm (not configured)")
|
||||||
return {}
|
return {}
|
||||||
else:
|
else:
|
||||||
try:
|
try:
|
||||||
assert len(conv.idp_constraints["digest_algorithm"]) > 0
|
assert len(conv.msg_constraints["digest_algorithm"]) > 0
|
||||||
except AssertionError:
|
except AssertionError:
|
||||||
self._message = "List of allowed digest algorithm must not be empty"
|
self._message = "List of allowed digest algorithm must not be empty"
|
||||||
self._status = CRITICAL
|
self._status = CRITICAL
|
||||||
return {}
|
return {}
|
||||||
_algs = conv.idp_constraints["digest_algorithm"]
|
_algs = conv.msg_constraints["digest_algorithm"]
|
||||||
|
|
||||||
response = conv.saml_response[-1].response
|
response = conv.saml_response[-1].response
|
||||||
|
|
||||||
@@ -616,17 +623,17 @@ class VerifySignatureAlgorithm(Check):
|
|||||||
return True
|
return True
|
||||||
|
|
||||||
def _func(self, conv):
|
def _func(self, conv):
|
||||||
if "signature_algorithm" not in conv.idp_constraints:
|
if "signature_algorithm" not in conv.msg_constraints:
|
||||||
logger.info("Not verifying signature_algorithm (not configured)")
|
logger.info("Not verifying signature_algorithm (not configured)")
|
||||||
return {}
|
return {}
|
||||||
else:
|
else:
|
||||||
try:
|
try:
|
||||||
assert len(conv.idp_constraints["signature_algorithm"]) > 0
|
assert len(conv.msg_constraints["signature_algorithm"]) > 0
|
||||||
except AssertionError:
|
except AssertionError:
|
||||||
self._message = "List of allowed signature algorithm must not be empty"
|
self._message = "List of allowed signature algorithm must not be empty"
|
||||||
self._status = CRITICAL
|
self._status = CRITICAL
|
||||||
return {}
|
return {}
|
||||||
_algs = conv.idp_constraints["signature_algorithm"]
|
_algs = conv.msg_constraints["signature_algorithm"]
|
||||||
|
|
||||||
response = conv.saml_response[-1].response
|
response = conv.saml_response[-1].response
|
||||||
|
|
||||||
@@ -648,11 +655,11 @@ class VerifySignedPart(Check):
|
|||||||
|
|
||||||
def _func(self, conv):
|
def _func(self, conv):
|
||||||
|
|
||||||
if "signed_part" not in conv.idp_constraints:
|
if "signed_part" not in conv.msg_constraints:
|
||||||
return {}
|
return {}
|
||||||
|
|
||||||
response = conv.saml_response[-1].response
|
response = conv.saml_response[-1].response
|
||||||
if "response" in conv.idp_constraints["signed_part"]:
|
if "response" in conv.msg_constraints["signed_part"]:
|
||||||
if response.signature:
|
if response.signature:
|
||||||
pass
|
pass
|
||||||
else:
|
else:
|
||||||
@@ -660,7 +667,7 @@ class VerifySignedPart(Check):
|
|||||||
self._status = CRITICAL
|
self._status = CRITICAL
|
||||||
|
|
||||||
if self._status == OK:
|
if self._status == OK:
|
||||||
if "assertion" in conv.idp_constraints["signed_part"]:
|
if "assertion" in conv.msg_constraints["signed_part"]:
|
||||||
for assertion in response.assertion:
|
for assertion in response.assertion:
|
||||||
if assertion.signature:
|
if assertion.signature:
|
||||||
pass
|
pass
|
||||||
|
|||||||
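Review bot: In the VerifyAttributeNameFormat hunk (@@ -546) the check still relies on `assert attr.name_format == conv.msg_constraints["name_format"]` wrapped in `try`/`except AssertionError`; under `python -O` asserts are stripped, the `except` branch becomes unreachable and the check reports OK for any name format. The same pattern guards the allow-lists in the VerifyDigestAlgorithm and VerifySignatureAlgorithm hunks (`assert len(conv.msg_constraints[...]) > 0`), so a security check can silently degrade to a no-op depending on the interpreter flags. Replace the assert with a plain comparison, `if attr.name_format != conv.msg_constraints["name_format"]:` followed by the existing mismatch handling, and `if not conv.msg_constraints["digest_algorithm"]:` (likewise for `signature_algorithm`) in the two algorithm checks. The `_func` methods these hunks belong to begin outside the hunk, and the `else:` at the end of the name-format hunk appears to pair with the `NAME_FORMAT_UNSPECIFIED` test, which the lost indentation makes hard to confirm.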