openstack/deb-python-pysaml2
Code Issues Proposed changes

Made things work after the last merge.

Browse Source
This commit is contained in:
Roland Hedberg
2013-05-09 11:38:12 +02:00
parent ce1c2c95fa
commit a432390da2
6 changed files with 161 additions and 117 deletions
Download Patch File Download Diff File Expand all files Collapse all files

46
src/saml2/assertion.py
View File

@@ -97,8 +97,11 @@ def filter_on_attributes(ava, required=None, optional=None):
found = False
nform = ""
for nform in ["friendly_name", "name"]:
if nform in attr:
try:
_fn = _match(attr[nform], ava)
except KeyError:
pass
else:
if _fn:
try:
values = [av["text"] for av in attr["attribute_value"]]
@@ -239,6 +242,8 @@ def filter_attribute_value_assertions(ava, attribute_restrictions=None):
else:
if _rests is None:
continue
if isinstance(vals, basestring):
vals = [vals]
rvals = []
for restr in _rests:
for val in vals:
@@ -289,6 +294,8 @@ class Policy(object):
self._restrictions = restrictions.copy()
for who, spec in self._restrictions.items():
if spec is None:
continue
try:
items = spec["entity_categories"]
except KeyError:
@@ -311,14 +318,14 @@ class Policy(object):
if restr is None:
continue
_are = {}
for key, values in restr.items():
if not values:
spec["attribute_restrictions"][key.lower()] = None
_are[key.lower()] = None
continue
spec["attribute_restrictions"][key.lower()] = \
[re.compile(value) for value in values]
_are[key.lower()] = [re.compile(value) for value in values]
spec["attribute_restrictions"] = _are
logger.debug("policy restrictions: %s" % self._restrictions)
return self._restrictions
@@ -430,20 +437,21 @@ class Policy(object):
for attr in attrs:
restrictions[attr] = None
try:
ecs = mds.entity_categories(sp_entity_id)
except KeyError:
pass
else:
for ec in ecs:
for ec_map in ec_maps:
try:
attrs = ec_map[ec]
except KeyError:
pass
else:
for attr in attrs:
restrictions[attr] = None
if mds:
try:
ecs = mds.entity_categories(sp_entity_id)
except KeyError:
pass
else:
for ec in ecs:
for ec_map in ec_maps:
try:
attrs = ec_map[ec]
except KeyError:
pass
else:
for attr in attrs:
restrictions[attr] = None
return restrictions

32
src/saml2/sigver.py
View File

@@ -72,7 +72,7 @@ def signed(item):
return False
def _get_xmlsec_binary(paths=None):
def get_xmlsec_binary(paths=None):
"""
Tries to find the xmlsec1 binary.
@@ -107,6 +107,7 @@ def _get_xmlsec_binary(paths=None):
raise Exception("Can't find %s" % bin_name)
def _get_xmlsec_cryptobackend(path=None, search_paths=None, debug=False):
"""
Initialize a CryptoBackendXmlSec1 crypto backend.
@@ -114,7 +115,7 @@ def _get_xmlsec_cryptobackend(path=None, search_paths=None, debug=False):
This function is now internal to this module.
"""
if path is None:
path=_get_xmlsec_binary(paths=search_paths)
path = get_xmlsec_binary(paths=search_paths)
return CryptoBackendXmlSec1(path, debug=debug)
@@ -144,7 +145,6 @@ class DecryptError(Exception):
# --------------------------------------------------------------------------
def _make_vals(val, klass, seccont, klass_inst=None, prop=None, part=False,
base64encode=False, elements_to_sign=None):
"""
@@ -173,7 +173,8 @@ def _make_vals(val, klass, seccont, klass_inst=None, prop=None, part=False,
except ValueError:
if not part:
cis = [_make_vals(sval, klass, seccont, klass_inst, prop,
True, base64encode, elements_to_sign) for sval in val]
True, base64encode, elements_to_sign) for sval
in val]
setattr(klass_inst, prop, cis)
else:
raise
@@ -485,6 +486,7 @@ def sha1_digest(msg):
class Signer(object):
"""Abstract base class for signing algorithms."""
def sign(self, msg, key):
"""Sign ``msg`` with ``key`` and return the signature."""
raise NotImplementedError
@@ -544,6 +546,7 @@ def verify_redirect_signature(info, cert):
else:
raise Unsupported("Signature algorithm: %s" % info["SigAlg"])
LOG_LINE = 60 * "=" + "\n%s\n" + 60 * "-" + "\n%s" + 60 * "="
LOG_LINE_2 = 60 * "=" + "\n%s\n%s\n" + 60 * "-" + "\n%s" + 60 * "="
@@ -588,7 +591,6 @@ def read_cert_from_file(cert_file, cert_type):
class CryptoBackend():
def __init__(self, debug=False):
self.debug = debug
@@ -620,7 +622,7 @@ class CryptoBackendXmlSec1(CryptoBackend):
def __init__(self, xmlsec_binary, **kwargs):
CryptoBackend.__init__(self, **kwargs)
assert(isinstance(xmlsec_binary, basestring))
assert (isinstance(xmlsec_binary, basestring))
self.xmlsec = xmlsec_binary
def version(self):
@@ -637,7 +639,7 @@ class CryptoBackendXmlSec1(CryptoBackend):
com_list = [self.xmlsec, "--encrypt", "--pubkey-cert-pem", recv_key,
"--session-key", key_type, "--xml-data", fil,
]
]
(_stdout, _stderr, output) = self._run_xmlsec(com_list, [template],
exception=DecryptError,
@@ -650,7 +652,7 @@ class CryptoBackendXmlSec1(CryptoBackend):
com_list = [self.xmlsec, "--decrypt", "--privkey-pem",
key_file, "--id-attr:%s" % ID_ATTR, ENC_KEY_CLASS,
]
]
(_stdout, _stderr, output) = self._run_xmlsec(com_list, [fil],
exception=DecryptError,
@@ -677,7 +679,7 @@ class CryptoBackendXmlSec1(CryptoBackend):
"--privkey-pem", key_file,
"--id-attr:%s" % id_attr, class_name,
#"--store-signatures"
]
]
if node_id:
com_list.extend(["--node-id", node_id])
@@ -767,6 +769,7 @@ class CryptoBackendXmlSec1(CryptoBackend):
ntf.seek(0)
return p_out, p_err, ntf.read()
class CryptoBackendXMLSecurity(CryptoBackend):
"""
CryptoBackend implementation using pyXMLSecurity to sign and verify
@@ -804,6 +807,7 @@ class CryptoBackendXMLSecurity(CryptoBackend):
"""
import xmlsec
import lxml.etree
xml = xmlsec.parse_xml(statement)
signed = xmlsec.sign(xml, key_file)
return lxml.etree.tostring(signed, xml_declaration=True)
@@ -825,12 +829,14 @@ class CryptoBackendXMLSecurity(CryptoBackend):
if cert_type != "pem":
raise Unsupported("Only PEM certs supported here")
import xmlsec
xml = xmlsec.parse_xml(signedtext)
try:
return xmlsec.verify(xml, cert_file)
except xmlsec.XMLSigException:
return False
def security_context(conf, debug=None):
""" Creates a security context based on the configuration
@@ -852,8 +858,8 @@ def security_context(conf, debug=None):
if conf.crypto_backend == 'xmlsec1':
xmlsec_binary = conf.xmlsec_binary
if not xmlsec_binary:
xmlsec_binary = _get_xmlsec_binary()
# verify that xmlsec is where it's supposed to be
xmlsec_binary = get_xmlsec_binary()
# verify that xmlsec is where it's supposed to be
if not os.path.exists(xmlsec_binary):
#if not os.access(, os.F_OK):
raise Exception(
@@ -864,7 +870,7 @@ def security_context(conf, debug=None):
crypto = CryptoBackendXMLSecurity(debug=debug)
else:
raise Exception('Unknown crypto_backend %s' % (
repr(conf.crypto_backend)))
repr(conf.crypto_backend)))
return SecurityContext(crypto, conf.key_file,
cert_file=conf.cert_file, metadata=metadata,
@@ -957,7 +963,7 @@ class SecurityContext(object):
cert_type=cert_type,
node_name=node_name,
node_id=node_id, id_attr=id_attr,
)
)
def _check_signature(self, decoded_xml, item, node_name=NODE_NAME,
origdoc=None, id_attr="", must=False):

10
tests/idp_conf_ec.py
View File

@@ -1,8 +1,12 @@
from saml2 import BINDING_SOAP, BINDING_HTTP_REDIRECT, BINDING_HTTP_POST
from saml2.saml import NAMEID_FORMAT_PERSISTENT
from saml2.sigver import get_xmlsec_binary
from saml2 import BINDING_SOAP
from saml2 import BINDING_HTTP_REDIRECT
from saml2 import BINDING_HTTP_POST
from saml2.saml import NAME_FORMAT_URI
from pathutils import full_path, xmlsec_path
from pathutils import full_path
xmlsec_path = get_xmlsec_binary(["/opt/local/bin"])
BASE = "http://localhost:8088"

21
tests/test_20_assertion.py
View File

@@ -172,15 +172,15 @@ def test_ava_filter_2():
"surName": "Jeter",
"mail": "derek@example.com"}
raises(Exception, policy.filter, ava, 'urn:mace:umu.se:saml:roland:sp',
[mail], [gn, sn])
raises(MissingValue, policy.filter, ava, 'urn:mace:umu.se:saml:roland:sp',
None, [mail], [gn, sn])
ava = {"givenName": "Derek",
"surName": "Jeter"}
# it wasn't there to begin with
raises(Exception, policy.filter, ava, 'urn:mace:umu.se:saml:roland:sp',
[gn, sn, mail])
None, [gn, sn, mail])
def test_filter_attribute_value_assertions_0(AVA):
@@ -643,7 +643,7 @@ def test_req_opt():
'uid': 'rohe0002', 'edupersonaffiliation': 'staff'}
sp_entity_id = "urn:mace:example.com:saml:curt:sp"
fava = policy.filter(ava, sp_entity_id, req, opt)
fava = policy.filter(ava, sp_entity_id, None, req, opt)
assert fava
@@ -736,19 +736,20 @@ def test_filter_ava_5():
"default": {
"lifetime": {"minutes": 15},
#"attribute_restrictions": None # means all I have
"entity_categories": ["swami", "edugain"]
"entity_categories": ["swamid", "edugain"]
}
})
ava = {"givenName": ["Derek"], "surName": ["Jeter"],
"mail": ["derek@nyy.mlb.com", "dj@example.com"]}
# No restrictions apply
ava = policy.filter(ava, "urn:mace:example.com:saml:curt:sp", [], [])
ava = policy.filter(ava, "urn:mace:example.com:saml:curt:sp", None, [], [])
assert _eq(ava.keys(), ['mail', 'givenName', 'surName'])
assert _eq(ava["mail"], ["derek@nyy.mlb.com", "dj@example.com"])
# using entity_categories means there *always* are restrictions
# in this case the only allowed attribute is eduPersonTargetedID
# which isn't available in the ava hence zip is returned.
assert ava == {}
if __name__ == "__main__":
test_assertion_with_noop_attribute_conv()
test_filter_ava_5()

159
tests/test_31_config.py
View File

@@ -14,29 +14,31 @@ from saml2 import root_logger
from pathutils import dotname, full_path
sp1 = {
"entityid" : "urn:mace:umu.se:saml:roland:sp",
"entityid": "urn:mace:umu.se:saml:roland:sp",
"service": {
"sp": {
"endpoints" : {
"assertion_consumer_service" : ["http://lingon.catalogix.se:8087/"],
"endpoints": {
"assertion_consumer_service": [
"http://lingon.catalogix.se:8087/"],
},
"name": "test",
"idp" : {
"urn:mace:example.com:saml:roland:idp": {'single_sign_on_service':
{'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect':
'http://localhost:8088/sso/'}},
"idp": {
"urn:mace:example.com:saml:roland:idp": {
'single_sign_on_service':
{'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect':
'http://localhost:8088/sso/'}},
}
}
},
"key_file" : full_path("test.key"),
"cert_file" : full_path("test.pem"),
"metadata": {
"local": [full_path("metadata.xml"),
"key_file": full_path("test.key"),
"cert_file": full_path("test.pem"),
"metadata": {
"local": [full_path("metadata.xml"),
full_path("urn-mace-swami.se-swamid-test-1.0-metadata.xml")],
},
"virtual_organization" : {
"coip":{
"nameid_format" : "urn:oasis:names:tc:SAML:2.0:nameid-format:transient",
"virtual_organization": {
"coip": {
"nameid_format": "urn:oasis:names:tc:SAML:2.0:nameid-format:transient",
"common_identifier": "eduPersonPrincipalName",
"attribute_auth": [
"https://coip-test.sunet.se/idp/shibboleth",
@@ -48,17 +50,18 @@ sp1 = {
}
sp2 = {
"entityid" : "urn:mace:umu.se:saml:roland:sp",
"name" : "Rolands SP",
"entityid": "urn:mace:umu.se:saml:roland:sp",
"name": "Rolands SP",
"service": {
"sp": {
"endpoints" : {
"assertion_consumer_service" : ["http://lingon.catalogix.se:8087/"],
"endpoints": {
"assertion_consumer_service": [
"http://lingon.catalogix.se:8087/"],
},
"required_attributes": ["surName", "givenName", "mail"],
"optional_attributes": ["title"],
"idp": {
"" : "https://example.com/saml2/idp/SSOService.php",
"": "https://example.com/saml2/idp/SSOService.php",
}
}
},
@@ -66,12 +69,12 @@ sp2 = {
}
IDP1 = {
"entityid" : "urn:mace:umu.se:saml:roland:idp",
"name" : "Rolands IdP",
"entityid": "urn:mace:umu.se:saml:roland:idp",
"name": "Rolands IdP",
"service": {
"idp": {
"endpoints": {
"single_sign_on_service" : ["http://localhost:8088/"],
"single_sign_on_service": ["http://localhost:8088/"],
},
"policy": {
"default": {
@@ -90,15 +93,16 @@ IDP1 = {
}
IDP2 = {
"entityid" : "urn:mace:umu.se:saml:roland:idp",
"name" : "Rolands IdP",
"entityid": "urn:mace:umu.se:saml:roland:idp",
"name": "Rolands IdP",
"service": {
"idp": {
"endpoints": {
"single_sign_on_service" : ["http://localhost:8088/"],
"single_logout_service" : [("http://localhost:8088/", BINDING_HTTP_REDIRECT)],
"single_sign_on_service": ["http://localhost:8088/"],
"single_logout_service": [
("http://localhost:8088/", BINDING_HTTP_REDIRECT)],
},
"policy":{
"policy": {
"default": {
"attribute_restrictions": {
"givenName": None,
@@ -115,41 +119,42 @@ IDP2 = {
}
PDP = {
"entityid" : "http://example.org/pysaml2/pdp",
"name" : "Rolands PdP",
"entityid": "http://example.org/pysaml2/pdp",
"name": "Rolands PdP",
"service": {
"pdp": {
"endpoints": {
"authz_service" : [("http://example.org/pysaml2/pdp/authz",
"authz_service": [("http://example.org/pysaml2/pdp/authz",
BINDING_SOAP)],
},
}
},
"key_file" : full_path("test.key"),
"cert_file" : full_path("test.pem"),
"key_file": full_path("test.key"),
"cert_file": full_path("test.pem"),
"organization": {
"name": "Exempel AB",
"display_name": [("Exempel AB","se"),("Example Co.","en")],
"url":"http://www.example.com/roland",
"display_name": [("Exempel AB", "se"), ("Example Co.", "en")],
"url": "http://www.example.com/roland",
},
"contact_person": [{
"given_name":"John",
"sur_name": "Smith",
"email_address": ["john.smith@example.com"],
"contact_type": "technical",
},
"given_name": "John",
"sur_name": "Smith",
"email_address": ["john.smith@example.com"],
"contact_type": "technical",
},
],
}
ECP_SP = {
"entityid" : "urn:mace:umu.se:saml:roland:ecpsp",
"name" : "Rolands ECP_SP",
"entityid": "urn:mace:umu.se:saml:roland:ecpsp",
"name": "Rolands ECP_SP",
"service": {
"sp": {
"endpoints" : {
"assertion_consumer_service" : ["http://lingon.catalogix.se:8087/"],
"endpoints": {
"assertion_consumer_service": [
"http://lingon.catalogix.se:8087/"],
},
"ecp" : {
"ecp": {
"130.239.": "http://example.com/idp",
}
}
@@ -157,9 +162,11 @@ ECP_SP = {
#"xmlsec_binary" : "/opt/local/bin/xmlsec1",
}
def _eq(l1,l2):
def _eq(l1, l2):
return set(l1) == set(l2)
def test_1():
c = SPConfig().load(sp1)
c.context = "sp"
@@ -173,11 +180,13 @@ def test_1():
assert len(c._sp_idp) == 1
assert c._sp_idp.keys() == ["urn:mace:example.com:saml:roland:idp"]
assert c._sp_idp.values() == [{'single_sign_on_service':
{'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect':
'http://localhost:8088/sso/'}}]
{
'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect':
'http://localhost:8088/sso/'}}]
assert c.only_use_keys_in_metadata
def test_2():
c = SPConfig().load(sp2)
c.context = "sp"
@@ -192,20 +201,22 @@ def test_2():
assert len(c._sp_idp) == 1
assert c._sp_idp.keys() == [""]
assert c._sp_idp.values() == ["https://example.com/saml2/idp/SSOService.php"]
assert c._sp_idp.values() == [
"https://example.com/saml2/idp/SSOService.php"]
assert c.only_use_keys_in_metadata is True
def test_minimum():
minimum = {
"entityid" : "urn:mace:example.com:saml:roland:sp",
"entityid": "urn:mace:example.com:saml:roland:sp",
"service": {
"sp": {
"endpoints" : {
"assertion_consumer_service" : ["http://sp.example.org/"],
"endpoints": {
"assertion_consumer_service": ["http://sp.example.org/"],
},
"name" : "test",
"name": "test",
"idp": {
"" : "https://example.com/idp/SSOService.php",
"": "https://example.com/idp/SSOService.php",
},
}
},
@@ -216,7 +227,8 @@ def test_minimum():
c.context = "sp"
assert c is not None
def test_idp_1():
c = IdPConfig().load(IDP1)
c.context = "idp"
@@ -224,8 +236,10 @@ def test_idp_1():
print c
assert c.endpoint("single_sign_on_service")[0] == 'http://localhost:8088/'
attribute_restrictions = c.getattr("policy","idp").get_attribute_restriction("")
assert attribute_restrictions["eduPersonAffiliation"][0].match("staff")
attribute_restrictions = c.getattr("policy",
"idp").get_attribute_restriction("")
assert attribute_restrictions["edupersonaffiliation"][0].match("staff")
def test_idp_2():
c = IdPConfig().load(IDP2)
@@ -235,11 +249,13 @@ def test_idp_2():
assert c.endpoint("single_logout_service",
BINDING_SOAP) == []
assert c.endpoint("single_logout_service",
BINDING_HTTP_REDIRECT) == ["http://localhost:8088/"]
BINDING_HTTP_REDIRECT) == ["http://localhost:8088/"]
attribute_restrictions = c.getattr("policy",
"idp").get_attribute_restriction("")
assert attribute_restrictions["edupersonaffiliation"][0].match("staff")
attribute_restrictions = c.getattr("policy","idp").get_attribute_restriction("")
assert attribute_restrictions["eduPersonAffiliation"][0].match("staff")
def test_wayf():
c = SPConfig().load_file("server_conf")
c.context = "sp"
@@ -255,7 +271,7 @@ def test_wayf():
assert root_logger.level == logging.INFO
assert len(root_logger.handlers) == 1
assert isinstance(root_logger.handlers[0],
logging.handlers.RotatingFileHandler)
logging.handlers.RotatingFileHandler)
handler = root_logger.handlers[0]
assert handler.backupCount == 5
try:
@@ -266,6 +282,7 @@ def test_wayf():
assert root_logger.name == "saml2"
assert root_logger.level == 20
def test_conf_syslog():
c = SPConfig().load_file("server_conf_syslog")
c.context = "sp"
@@ -273,7 +290,7 @@ def test_conf_syslog():
# otherwise the logger setting is not changed
root_logger.level = logging.NOTSET
root_logger.handlers = []
print c.logger
c.setup_logger()
@@ -281,7 +298,7 @@ def test_conf_syslog():
assert root_logger.level == logging.INFO
assert len(root_logger.handlers) == 1
assert isinstance(root_logger.handlers[0],
logging.handlers.SysLogHandler)
logging.handlers.SysLogHandler)
handler = root_logger.handlers[0]
print handler.__dict__
assert handler.facility == "local3"
@@ -307,11 +324,13 @@ def test_3():
assert cnf.metadata is not None
assert cnf.attribute_converters is not None
def test_sp():
cnf = SPConfig()
cnf.load_file(dotname("sp_1_conf"))
assert cnf.endpoint("assertion_consumer_service") == \
["http://lingon.catalogix.se:8087/"]
["http://lingon.catalogix.se:8087/"]
def test_dual():
cnf = Config().load_file(dotname("idp_sp_conf"))
@@ -322,16 +341,18 @@ def test_dual():
assert idpe
assert spe != idpe
def test_ecp():
cnf = SPConfig()
cnf.load(ECP_SP)
assert cnf.endpoint("assertion_consumer_service") == \
["http://lingon.catalogix.se:8087/"]
["http://lingon.catalogix.se:8087/"]
eid = cnf.ecp_endpoint("130.239.16.3")
assert eid == "http://example.com/idp"
eid = cnf.ecp_endpoint("130.238.20.20")
assert eid is None
def test_assertion_consumer_service():
c = IdPConfig()
c.load_file(dotname("idp_conf"))
@@ -342,4 +363,8 @@ def test_assertion_consumer_service():
entity_id = "https://www.zimride.com/shibboleth"
acs = c.metadata.assertion_consumer_service(entity_id)
assert len(acs) == 1
assert acs[0]["location"] == 'https://www.zimride.com/Shibboleth.sso/SAML2/POST'
assert acs[0][
"location"] == 'https://www.zimride.com/Shibboleth.sso/SAML2/POST'
if __name__ == "__main__":
test_idp_1()

10
tests/test_37_entity_categories.py
View File

@@ -50,12 +50,12 @@ def test_filter_ava():
}
})
ava = {"givenName": ["Derek"], "surname": ["Jeter"],
ava = {"givenName": ["Derek"], "sn": ["Jeter"],
"email": ["derek@nyy.mlb.com", "dj@example.com"], "c": ["USA"]}
ava = policy.filter(ava, "https://connect.sunet.se/shibboleth", MDS)
assert _eq(ava.keys(), ['email', 'givenName', 'surname', 'c'])
assert _eq(ava.keys(), ['email', 'givenName', 'sn', 'c'])
assert _eq(ava["email"], ["derek@nyy.mlb.com", "dj@example.com"])
@@ -68,7 +68,7 @@ def test_filter_ava2():
}
})
ava = {"givenName": ["Derek"], "surname": ["Jeter"],
ava = {"givenName": ["Derek"], "sn": ["Jeter"],
"email": ["derek@nyy.mlb.com"], "c": ["USA"],
"eduPersonTargetedID": "foo!bar!xyz"}
@@ -92,7 +92,7 @@ def test_filter_ava3():
disable_ssl_certificate_validation=True)
mds.imp({"local": [full_path("entity_cat_sfs_hei.xml")]})
ava = {"givenName": ["Derek"], "surname": ["Jeter"],
ava = {"givenName": ["Derek"], "sn": ["Jeter"],
"email": ["derek@nyy.mlb.com"], "c": ["USA"],
"eduPersonTargetedID": "foo!bar!xyz",
"norEduPersonNIN": "19800101134"}
@@ -105,7 +105,7 @@ def test_filter_ava3():
def test_idp_policy_filter():
idp = Server("idp_conf_ec")
ava = {"givenName": ["Derek"], "surname": ["Jeter"],
ava = {"givenName": ["Derek"], "sn": ["Jeter"],
"email": ["derek@nyy.mlb.com"], "c": ["USA"],
"eduPersonTargetedID": "foo!bar!xyz",
"norEduPersonNIN": "19800101134"}