renamed Conversation.idp_constraints to msg_constraints (namefmt, sigalg pertaining to SAML message)
(+ adding upstream stuff - should merge there w/o issue)
@@ -14,6 +14,18 @@ from saml2.s_utils import rndstr
from saml2test import tool
from saml2test import FatalError
from saml2test.interaction import InteractionNeeded
try:
from xml.etree import cElementTree as ElementTree
if ElementTree.VERSION < '1.3.0':
# cElementTree has no support for register_namespace
# neither _namespace_map, thus we sacrify performance
# for correctness
from xml.etree import ElementTree
except ImportError:
import cElementTree as ElementTree
__author__ = 'rohe0002'
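Review bot: The `except ImportError:` fallback at the end of the new try block imports a standalone `cElementTree` without re-applying the `VERSION < '1.3.0'` check, so on that path the module may lack the attributes the rest of the file relies on (`register_namespace`, and `ParseError`, which a later hunk in this file catches); either apply the same version guard there or fail explicitly with `raise ImportError("ElementTree >= 1.3 required")` instead of importing an untested module. `ElementTree.VERSION < '1.3.0'` is also a plain string comparison, which orders versions lexicographically rather than numerically; it works while the minor number stays a single digit, which deserves a comment. The comment in the fallback should read `sacrifice`, not `sacrify`.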
@@ -72,7 +84,7 @@ class Conversation(tool.Conversation):
self.position = ""
self.response = None
self.oper = None
self.idp_constraints = constraints
self.msg_constraints = constraints
def send(self):
srvs = getattr(self.client.metadata, REQ2SRV[self.oper.request])(
@@ -98,12 +110,8 @@ class Conversation(tool.Conversation):
except KeyError:
req = self.qfunc(**self.qargs)
self.request = self.oper.pre_processing(req, self.args)
try:
str_req = "%s" % self.request
except TypeError:
print >> sys.stderr, "self.request is of type " + type(self.request).__name__ + ", value: " + str(self.request)
raise
req_id, self.request = self.oper.pre_processing(req, self.args)
str_req = "%s" % self.request
if use_artifact:
saml_art = _client.use_artifact(str_req, self.args["entity_id"])
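Review bot: `req_id` is bound by the new unpacking `req_id, self.request = self.oper.pre_processing(req, self.args)` but is not referenced anywhere in the visible part of the hunk; `send` continues past it, so if the id is consumed further down a short comment saying what it is kept for would help, and if it is not the binding is dead. The unpacking also changes the contract of `pre_processing` for every operation class to return a two-tuple; an implementation that still returns a bare request object now fails at this line with an unpacking `TypeError`/`ValueError` that names neither the operation nor the value, so a docstring on `pre_processing` stating the `(req_id, request)` return, or a check with a descriptive message, is worth adding.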
@@ -238,6 +246,8 @@ class Conversation(tool.Conversation):
logger.info("Faulty response: %s" % _resp)
logger.error("Exception %s" % ferr)
raise
except ElementTree.ParseError:
return False
except Exception, err:
if _resp:
logger.info("Faulty response: %s" % _resp)
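Review bot: The new `except ElementTree.ParseError: return False` branch drops a malformed response without any logging, while the sibling `except Exception, err:` branch directly below records it with `logger.info("Faulty response: %s" % _resp)`; a response that cannot even be parsed is exactly the case an operator needs to see in the log, so mirror the sibling with `if _resp: logger.info("Faulty response: %s" % _resp)` before the `return False`. Separately, `ElementTree.ParseError` is, to my knowledge, only present from ElementTree 1.3 on, so on the `import cElementTree as ElementTree` fallback added in the first hunk this except clause would raise an `AttributeError` while the original exception is in flight, masking it. The enclosing function starts and ends outside the hunk.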
@@ -532,7 +532,7 @@ class VerifyAttributeNameFormat(Check):
cid = "verify-attribute-name-format"
def _func(self, conv):
if "name_format" not in conv.idp_constraints:
if "name_format" not in conv.msg_constraints:
return {}
# Should be a AuthnResponse or Response instance
@@ -546,15 +546,22 @@ class VerifyAttributeNameFormat(Check):
atrstat = assertion.attribute_statement[0]
for attr in atrstat.attribute:
try:
assert attr.name_format == conv.idp_constraints[
assert attr.name_format == conv.msg_constraints[
"name_format"]
logger.debug("Attribute name format valid: " +
attr.name_format)
except AssertionError:
if NAME_FORMAT_UNSPECIFIED != conv.idp_constraints[
if NAME_FORMAT_UNSPECIFIED != conv.msg_constraints[
"name_format"]:
self._message = \
"Wrong name format: '%s'" % attr.name_format
"Wrong name format: '%s', should be %s" % \
(attr.name_format, \
conv.msg_constraints["name_format"])
self._status = CRITICAL
break
else:
logger.debug("Accepting any attribute name format")
return {}
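Review bot: The name-format comparison in `VerifyAttributeNameFormat._func` is still an `assert` caught by `except AssertionError`, so under `python -O` the assert is compiled out, the except branch becomes unreachable and the check reports OK for any name format; the same pattern is in the `assert len(...) > 0` guards of `VerifyDigestAlgorithm._func` and `VerifySignatureAlgorithm._func` in the two hunks that follow. Use an explicit comparison and set the message and status directly, as in the rewrite below, which also reads the expected format once instead of three times. The indentation of the trailing `else:` / `logger.debug("Accepting any attribute name format")` is lost in this rendering; the rewrite assumes it belongs to the `NAME_FORMAT_UNSPECIFIED` branch, which is what the message suggests. The remaining lines of `_func` lie outside the hunk.
```python
        expected = conv.msg_constraints["name_format"]
        atrstat = assertion.attribute_statement[0]
        for attr in atrstat.attribute:
            if attr.name_format == expected:
                logger.debug("Attribute name format valid: " +
                             attr.name_format)
            elif NAME_FORMAT_UNSPECIFIED != expected:
                # explicit check: an assert here is stripped under -O
                self._message = "Wrong name format: '%s', should be %s" % (
                    attr.name_format, expected)
                self._status = CRITICAL
                break
            else:
                logger.debug("Accepting any attribute name format")
        # … unchanged: return {} …
```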
@@ -574,17 +581,17 @@ class VerifyDigestAlgorithm(Check):
return True
def _func(self, conv):
if "digest_algorithm" not in conv.idp_constraints:
if "digest_algorithm" not in conv.msg_constraints:
logger.info("Not verifying digest_algorithm (not configured)")
return {}
else:
try:
assert len(conv.idp_constraints["digest_algorithm"]) > 0
assert len(conv.msg_constraints["digest_algorithm"]) > 0
except AssertionError:
self._message = "List of allowed digest algorithm must not be empty"
self._status = CRITICAL
return {}
_algs = conv.idp_constraints["digest_algorithm"]
_algs = conv.msg_constraints["digest_algorithm"]
response = conv.saml_response[-1].response
@@ -616,17 +623,17 @@ class VerifySignatureAlgorithm(Check):
return True
def _func(self, conv):
if "signature_algorithm" not in conv.idp_constraints:
if "signature_algorithm" not in conv.msg_constraints:
logger.info("Not verifying signature_algorithm (not configured)")
return {}
else:
try:
assert len(conv.idp_constraints["signature_algorithm"]) > 0
assert len(conv.msg_constraints["signature_algorithm"]) > 0
except AssertionError:
self._message = "List of allowed signature algorithm must not be empty"
self._status = CRITICAL
return {}
_algs = conv.idp_constraints["signature_algorithm"]
_algs = conv.msg_constraints["signature_algorithm"]
response = conv.saml_response[-1].response
@@ -648,11 +655,11 @@ class VerifySignedPart(Check):
def _func(self, conv):
if "signed_part" not in conv.idp_constraints:
if "signed_part" not in conv.msg_constraints:
return {}
response = conv.saml_response[-1].response
if "response" in conv.idp_constraints["signed_part"]:
if "response" in conv.msg_constraints["signed_part"]:
if response.signature:
pass
else:
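Review bot: When `signed_part` is not configured, `VerifySignedPart._func` returns `{}` silently at `if "signed_part" not in conv.msg_constraints:`, whereas `VerifyDigestAlgorithm._func` and `VerifySignatureAlgorithm._func` in the preceding hunks log `Not verifying ... (not configured)` first; a signature-presence check that quietly does nothing is easy to mistake for a pass in the report, so add `logger.info("Not verifying signed_part (not configured)")` before that `return {}`. The membership tests `"response" in conv.msg_constraints["signed_part"]` here and `"assertion" in ...` in the next hunk also degrade to substring matches if the constraint is supplied as a string rather than a list; if that is not intended, normalising the value to a list where the constraints are loaded would make it explicit. The rest of `_func` continues in the following hunk.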
@@ -660,7 +667,7 @@ class VerifySignedPart(Check):
self._status = CRITICAL
if self._status == OK:
if "assertion" in conv.idp_constraints["signed_part"]:
if "assertion" in conv.msg_constraints["signed_part"]:
for assertion in response.assertion:
if assertion.signature:
pass