PEP-8 clean up .
This commit is contained in:
Roland Hedberg
@@ -204,7 +204,7 @@ def _dummy(_):
|
|||||||
def for_me(conditions, myself):
|
def for_me(conditions, myself):
|
||||||
""" Am I among the intended audiences """
|
""" Am I among the intended audiences """
|
||||||
|
|
||||||
if not conditions.audience_restriction: # No audience restriction
|
if not conditions.audience_restriction: # No audience restriction
|
||||||
return True
|
return True
|
||||||
|
|
||||||
for restriction in conditions.audience_restriction:
|
for restriction in conditions.audience_restriction:
|
||||||
@@ -221,7 +221,8 @@ def for_me(conditions, myself):
|
|||||||
|
|
||||||
|
|
||||||
def authn_response(conf, return_addrs, outstanding_queries=None, timeslack=0,
|
def authn_response(conf, return_addrs, outstanding_queries=None, timeslack=0,
|
||||||
asynchop=True, allow_unsolicited=False, want_assertions_signed=False):
|
asynchop=True, allow_unsolicited=False,
|
||||||
|
want_assertions_signed=False):
|
||||||
sec = security_context(conf)
|
sec = security_context(conf)
|
||||||
if not timeslack:
|
if not timeslack:
|
||||||
try:
|
try:
|
||||||
@@ -319,7 +320,8 @@ class StatusResponse(object):
|
|||||||
logger.debug("xmlstr: %s" % (self.xmlstr,))
|
logger.debug("xmlstr: %s" % (self.xmlstr,))
|
||||||
|
|
||||||
try:
|
try:
|
||||||
self.response = self.signature_check(xmldata, origdoc=origxml, must=self.require_signature,
|
self.response = self.signature_check(xmldata, origdoc=origxml,
|
||||||
|
must=self.require_signature,
|
||||||
require_response_signature=self.require_response_signature)
|
require_response_signature=self.require_response_signature)
|
||||||
|
|
||||||
except TypeError:
|
except TypeError:
|
||||||
@@ -369,7 +371,7 @@ class StatusResponse(object):
|
|||||||
|
|
||||||
def _verify(self):
|
def _verify(self):
|
||||||
if self.request_id and self.in_response_to and \
|
if self.request_id and self.in_response_to and \
|
||||||
self.in_response_to != self.request_id:
|
self.in_response_to != self.request_id:
|
||||||
logger.error("Not the id I expected: %s != %s" % (
|
logger.error("Not the id I expected: %s != %s" % (
|
||||||
self.in_response_to, self.request_id))
|
self.in_response_to, self.request_id))
|
||||||
return None
|
return None
|
||||||
@@ -385,9 +387,9 @@ class StatusResponse(object):
|
|||||||
|
|
||||||
if self.asynchop:
|
if self.asynchop:
|
||||||
if self.response.destination and \
|
if self.response.destination and \
|
||||||
self.response.destination not in self.return_addrs:
|
self.response.destination not in self.return_addrs:
|
||||||
logger.error("%s not in %s" % (self.response.destination,
|
logger.error("%s not in %s" % (self.response.destination,
|
||||||
self.return_addrs))
|
self.return_addrs))
|
||||||
return None
|
return None
|
||||||
|
|
||||||
assert self.issue_instant_ok()
|
assert self.issue_instant_ok()
|
||||||
@@ -430,7 +432,8 @@ class NameIDMappingResponse(StatusResponse):
|
|||||||
request_id=0, asynchop=True):
|
request_id=0, asynchop=True):
|
||||||
StatusResponse.__init__(self, sec_context, return_addrs, timeslack,
|
StatusResponse.__init__(self, sec_context, return_addrs, timeslack,
|
||||||
request_id, asynchop)
|
request_id, asynchop)
|
||||||
self.signature_check = self.sec.correctly_signed_name_id_mapping_response
|
self.signature_check = self.sec\
|
||||||
|
.correctly_signed_name_id_mapping_response
|
||||||
|
|
||||||
|
|
||||||
class ManageNameIDResponse(StatusResponse):
|
class ManageNameIDResponse(StatusResponse):
|
||||||
@@ -455,7 +458,8 @@ class AuthnResponse(StatusResponse):
|
|||||||
return_addrs=None, outstanding_queries=None,
|
return_addrs=None, outstanding_queries=None,
|
||||||
timeslack=0, asynchop=True, allow_unsolicited=False,
|
timeslack=0, asynchop=True, allow_unsolicited=False,
|
||||||
test=False, allow_unknown_attributes=False,
|
test=False, allow_unknown_attributes=False,
|
||||||
want_assertions_signed=False, want_response_signed=False, **kwargs):
|
want_assertions_signed=False, want_response_signed=False,
|
||||||
|
**kwargs):
|
||||||
|
|
||||||
StatusResponse.__init__(self, sec_context, return_addrs, timeslack,
|
StatusResponse.__init__(self, sec_context, return_addrs, timeslack,
|
||||||
asynchop=asynchop)
|
asynchop=asynchop)
|
||||||
@@ -481,6 +485,16 @@ class AuthnResponse(StatusResponse):
|
|||||||
except KeyError:
|
except KeyError:
|
||||||
self.extension_schema = {}
|
self.extension_schema = {}
|
||||||
|
|
||||||
|
def check_subject_confirmation_in_response_to(self, irp):
|
||||||
|
for assertion in self.response.assertion:
|
||||||
|
for _sc in assertion.subject.subject_confirmation:
|
||||||
|
try:
|
||||||
|
assert _sc.subject_confirmation_data.in_response_to == irp
|
||||||
|
except AssertionError:
|
||||||
|
return False
|
||||||
|
|
||||||
|
return True
|
||||||
|
|
||||||
def loads(self, xmldata, decode=True, origxml=None):
|
def loads(self, xmldata, decode=True, origxml=None):
|
||||||
self._loads(xmldata, decode, origxml)
|
self._loads(xmldata, decode, origxml)
|
||||||
|
|
||||||
@@ -488,11 +502,22 @@ class AuthnResponse(StatusResponse):
|
|||||||
if self.in_response_to in self.outstanding_queries:
|
if self.in_response_to in self.outstanding_queries:
|
||||||
self.came_from = self.outstanding_queries[self.in_response_to]
|
self.came_from = self.outstanding_queries[self.in_response_to]
|
||||||
del self.outstanding_queries[self.in_response_to]
|
del self.outstanding_queries[self.in_response_to]
|
||||||
|
try:
|
||||||
|
if not self.check_subject_confirmation_in_response_to(
|
||||||
|
self.in_response_to):
|
||||||
|
logger.exception(
|
||||||
|
"Unsolicited response %s" % self.in_response_to)
|
||||||
|
raise UnsolicitedResponse(
|
||||||
|
"Unsolicited response: %s" % self.in_response_to)
|
||||||
|
except AttributeError:
|
||||||
|
pass
|
||||||
elif self.allow_unsolicited:
|
elif self.allow_unsolicited:
|
||||||
pass
|
pass
|
||||||
else:
|
else:
|
||||||
logger.exception("Unsolicited response %s" % self.in_response_to)
|
logger.exception(
|
||||||
raise UnsolicitedResponse("Unsolicited response: %s" % self.in_response_to)
|
"Unsolicited response %s" % self.in_response_to)
|
||||||
|
raise UnsolicitedResponse(
|
||||||
|
"Unsolicited response: %s" % self.in_response_to)
|
||||||
|
|
||||||
return self
|
return self
|
||||||
|
|
||||||
@@ -541,7 +566,8 @@ class AuthnResponse(StatusResponse):
|
|||||||
|
|
||||||
# if both are present NotBefore must be earlier than NotOnOrAfter
|
# if both are present NotBefore must be earlier than NotOnOrAfter
|
||||||
if conditions.not_before and conditions.not_on_or_after:
|
if conditions.not_before and conditions.not_on_or_after:
|
||||||
if not later_than(conditions.not_on_or_after, conditions.not_before):
|
if not later_than(conditions.not_on_or_after,
|
||||||
|
conditions.not_before):
|
||||||
return False
|
return False
|
||||||
|
|
||||||
try:
|
try:
|
||||||
@@ -562,10 +588,11 @@ class AuthnResponse(StatusResponse):
|
|||||||
if not lax:
|
if not lax:
|
||||||
raise Exception("Not for me!!!")
|
raise Exception("Not for me!!!")
|
||||||
|
|
||||||
if conditions.condition: # extra conditions
|
if conditions.condition: # extra conditions
|
||||||
for cond in conditions.condition:
|
for cond in conditions.condition:
|
||||||
try:
|
try:
|
||||||
if cond.extension_attributes[XSI_TYPE] in self.extension_schema:
|
if cond.extension_attributes[
|
||||||
|
XSI_TYPE] in self.extension_schema:
|
||||||
pass
|
pass
|
||||||
else:
|
else:
|
||||||
raise Exception("Unknown condition")
|
raise Exception("Unknown condition")
|
||||||
@@ -582,9 +609,9 @@ class AuthnResponse(StatusResponse):
|
|||||||
:param attribute_statement: A SAML.AttributeStatement which might
|
:param attribute_statement: A SAML.AttributeStatement which might
|
||||||
contain both encrypted attributes and attributes.
|
contain both encrypted attributes and attributes.
|
||||||
"""
|
"""
|
||||||
# _node_name = [
|
# _node_name = [
|
||||||
# "urn:oasis:names:tc:SAML:2.0:assertion:EncryptedData",
|
# "urn:oasis:names:tc:SAML:2.0:assertion:EncryptedData",
|
||||||
# "urn:oasis:names:tc:SAML:2.0:assertion:EncryptedAttribute"]
|
# "urn:oasis:names:tc:SAML:2.0:assertion:EncryptedAttribute"]
|
||||||
|
|
||||||
for encattr in attribute_statement.encrypted_attribute:
|
for encattr in attribute_statement.encrypted_attribute:
|
||||||
if not encattr.encrypted_key:
|
if not encattr.encrypted_key:
|
||||||
@@ -624,7 +651,7 @@ class AuthnResponse(StatusResponse):
|
|||||||
if data.address:
|
if data.address:
|
||||||
if not valid_address(data.address):
|
if not valid_address(data.address):
|
||||||
return False
|
return False
|
||||||
# verify that I got it from the correct sender
|
# verify that I got it from the correct sender
|
||||||
|
|
||||||
# These two will raise exception if untrue
|
# These two will raise exception if untrue
|
||||||
validate_on_or_after(data.not_on_or_after, self.timeslack)
|
validate_on_or_after(data.not_on_or_after, self.timeslack)
|
||||||
@@ -650,7 +677,8 @@ class AuthnResponse(StatusResponse):
|
|||||||
logger.info("outstanding queries: %s" % (
|
logger.info("outstanding queries: %s" % (
|
||||||
self.outstanding_queries.keys(),))
|
self.outstanding_queries.keys(),))
|
||||||
raise Exception(
|
raise Exception(
|
||||||
"Combination of session id and requestURI I don't recall")
|
"Combination of session id and requestURI I don't "
|
||||||
|
"recall")
|
||||||
return True
|
return True
|
||||||
|
|
||||||
def _holder_of_key_confirmed(self, data):
|
def _holder_of_key_confirmed(self, data):
|
||||||
@@ -720,8 +748,8 @@ class AuthnResponse(StatusResponse):
|
|||||||
#if self.context == "AuthnReq" or self.context == "AttrQuery":
|
#if self.context == "AuthnReq" or self.context == "AttrQuery":
|
||||||
if self.context == "AuthnReq":
|
if self.context == "AuthnReq":
|
||||||
self.authn_statement_ok()
|
self.authn_statement_ok()
|
||||||
# elif self.context == "AttrQuery":
|
# elif self.context == "AttrQuery":
|
||||||
# self.authn_statement_ok(True)
|
# self.authn_statement_ok(True)
|
||||||
|
|
||||||
if not self.condition_ok():
|
if not self.condition_ok():
|
||||||
raise VerificationError("Condition not OK")
|
raise VerificationError("Condition not OK")
|
||||||
@@ -773,7 +801,7 @@ class AuthnResponse(StatusResponse):
|
|||||||
else: # This is a saml2int limitation
|
else: # This is a saml2int limitation
|
||||||
try:
|
try:
|
||||||
assert len(self.response.assertion) == 1 or \
|
assert len(self.response.assertion) == 1 or \
|
||||||
len(self.response.encrypted_assertion) == 1
|
len(self.response.encrypted_assertion) == 1
|
||||||
except AssertionError:
|
except AssertionError:
|
||||||
raise Exception("No assertion part")
|
raise Exception("No assertion part")
|
||||||
|
|
||||||
@@ -892,7 +920,6 @@ class AuthnQueryResponse(AuthnResponse):
|
|||||||
|
|
||||||
def __init__(self, sec_context, attribute_converters, entity_id,
|
def __init__(self, sec_context, attribute_converters, entity_id,
|
||||||
return_addrs=None, timeslack=0, asynchop=False, test=False):
|
return_addrs=None, timeslack=0, asynchop=False, test=False):
|
||||||
|
|
||||||
AuthnResponse.__init__(self, sec_context, attribute_converters,
|
AuthnResponse.__init__(self, sec_context, attribute_converters,
|
||||||
entity_id, return_addrs, timeslack=timeslack,
|
entity_id, return_addrs, timeslack=timeslack,
|
||||||
asynchop=asynchop, test=test)
|
asynchop=asynchop, test=test)
|
||||||
@@ -910,7 +937,6 @@ class AttributeResponse(AuthnResponse):
|
|||||||
|
|
||||||
def __init__(self, sec_context, attribute_converters, entity_id,
|
def __init__(self, sec_context, attribute_converters, entity_id,
|
||||||
return_addrs=None, timeslack=0, asynchop=False, test=False):
|
return_addrs=None, timeslack=0, asynchop=False, test=False):
|
||||||
|
|
||||||
AuthnResponse.__init__(self, sec_context, attribute_converters,
|
AuthnResponse.__init__(self, sec_context, attribute_converters,
|
||||||
entity_id, return_addrs, timeslack=timeslack,
|
entity_id, return_addrs, timeslack=timeslack,
|
||||||
asynchop=asynchop, test=test)
|
asynchop=asynchop, test=test)
|
||||||
@@ -941,7 +967,6 @@ class ArtifactResponse(AuthnResponse):
|
|||||||
|
|
||||||
def __init__(self, sec_context, attribute_converters, entity_id,
|
def __init__(self, sec_context, attribute_converters, entity_id,
|
||||||
return_addrs=None, timeslack=0, asynchop=False, test=False):
|
return_addrs=None, timeslack=0, asynchop=False, test=False):
|
||||||
|
|
||||||
AuthnResponse.__init__(self, sec_context, attribute_converters,
|
AuthnResponse.__init__(self, sec_context, attribute_converters,
|
||||||
entity_id, return_addrs, timeslack=timeslack,
|
entity_id, return_addrs, timeslack=timeslack,
|
||||||
asynchop=asynchop, test=test)
|
asynchop=asynchop, test=test)
|
||||||
@@ -953,7 +978,8 @@ class ArtifactResponse(AuthnResponse):
|
|||||||
|
|
||||||
def response_factory(xmlstr, conf, return_addrs=None, outstanding_queries=None,
|
def response_factory(xmlstr, conf, return_addrs=None, outstanding_queries=None,
|
||||||
timeslack=0, decode=True, request_id=0, origxml=None,
|
timeslack=0, decode=True, request_id=0, origxml=None,
|
||||||
asynchop=True, allow_unsolicited=False, want_assertions_signed=False):
|
asynchop=True, allow_unsolicited=False,
|
||||||
|
want_assertions_signed=False):
|
||||||
sec_context = security_context(conf)
|
sec_context = security_context(conf)
|
||||||
if not timeslack:
|
if not timeslack:
|
||||||
try:
|
try:
|
||||||
@@ -988,6 +1014,7 @@ def response_factory(xmlstr, conf, return_addrs=None, outstanding_queries=None,
|
|||||||
|
|
||||||
return response
|
return response
|
||||||
|
|
||||||
|
|
||||||
# ===========================================================================
|
# ===========================================================================
|
||||||
# A class of it's own
|
# A class of it's own
|
||||||
|
|
||||||
|
|||||||
Reference in New Issue
Block a user