openstack/deb-python-pysaml2
Code Issues Proposed changes

As Rainer Hörbe pointed out: "A principal is a user, not an entity in SAML. The UnknownPrincipal exception in mdstore.py should be renamed as suggested in the title to avoid confusion.

Browse Source 
Unfortunately the OASIS SAML glossary is using the X-811 definition of principal, but contradicts itself otherwise by redefining the term implicitly in other definitions such as Account, Affiliation, IDP, Persistent Pseudonym, etc"
This commit is contained in:
Roland Hedberg
2014-08-14 09:43:01 +02:00
parent 1f764f68b0
commit cc486e83cf
3 changed files with 259 additions and 212 deletions
Download Patch File Download Diff File Expand all files Collapse all files

20
src/saml2/mdstore.py
View File

@@ -16,7 +16,7 @@ from saml2 import SAMLError
from saml2 import BINDING_HTTP_REDIRECT
from saml2 import BINDING_HTTP_POST
from saml2 import BINDING_SOAP
from saml2.s_utils import UnsupportedBinding, UnknownPrincipal
from saml2.s_utils import UnsupportedBinding, UnknownSystemEntity
from saml2.sigver import split_len
from saml2.validate import valid_instance
from saml2.time_util import valid
@@ -564,7 +564,7 @@ class MetadataStore(object):
self.load(key, val)
def service(self, entity_id, typ, service, binding=None):
known_principal = False
known_entity = False
for key, _md in self.metadata.items():
srvs = _md.service(entity_id, typ, service, binding)
if srvs:
@@ -572,17 +572,17 @@ class MetadataStore(object):
elif srvs is None:
pass
else:
known_principal = True
known_entity = True
if known_principal:
if known_entity:
logger.error("Unsupported binding: %s (%s)" % (binding, entity_id))
raise UnsupportedBinding(binding)
else:
logger.error("Unknown principal: %s" % entity_id)
raise UnknownPrincipal(entity_id)
logger.error("Unknown system entity: %s" % entity_id)
raise UnknownSystemEntity(entity_id)
def ext_service(self, entity_id, typ, service, binding=None):
known_principal = False
known_entity = False
for key, _md in self.metadata.items():
srvs = _md.ext_service(entity_id, typ, service, binding)
if srvs:
@@ -590,12 +590,12 @@ class MetadataStore(object):
elif srvs is None:
pass
else:
known_principal = True
known_entity = True
if known_principal:
if known_entity:
raise UnsupportedBinding(binding)
else:
raise UnknownPrincipal(entity_id)
raise UnknownSystemEntity(entity_id)
def single_sign_on_service(self, entity_id, binding=None, typ="idpsso"):
# IDP

4
src/saml2/s_utils.py
View File

@@ -47,6 +47,10 @@ class UnknownPrincipal(SamlException):
pass
class UnknownSystemEntity(SamlException):
pass
class Unsupported(SamlException):
pass

113
tests/test_12_s_utils.py
View File

@@ -1,36 +1,36 @@
# !/usr/bin/env python
# -*- coding: utf-8 -*-
import zlib
import base64
import gzip
from saml2 import make_instance
from saml2 import s_utils as utils
from saml2 import saml
from saml2 import samlp
from saml2 import md
from saml2.s_utils import do_attribute_statement
from saml2.sigver import make_temp
from saml2.saml import Attribute, NAME_FORMAT_URI, AttributeValue
from saml2.saml import Attribute
from saml2.saml import NAME_FORMAT_URI
from py.test import raises
from pathutils import full_path
SUCCESS_STATUS = """<?xml version=\'1.0\' encoding=\'UTF-8\'?>
<ns0:Status xmlns:ns0="urn:oasis:names:tc:SAML:2.0:protocol"><ns0:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" /></ns0:Status>"""
<ns0:Status xmlns:ns0="urn:oasis:names:tc:SAML:2.0:protocol"><ns0:StatusCode
Value="urn:oasis:names:tc:SAML:2.0:status:Success" /></ns0:Status>"""
ERROR_STATUS = """<?xml version='1.0' encoding='UTF-8'?>
<ns0:Status xmlns:ns0="urn:oasis:names:tc:SAML:2.0:protocol"><ns0:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder"><ns0:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:UnknownPrincipal" /></ns0:StatusCode><ns0:StatusMessage>Error resolving principal</ns0:StatusMessage></ns0:Status>"""
<ns0:Status xmlns:ns0="urn:oasis:names:tc:SAML:2.0:protocol"><ns0:StatusCode
Value="urn:oasis:names:tc:SAML:2.0:status:Responder"><ns0:StatusCode
Value="urn:oasis:names:tc:SAML:2.0:status:UnknownPrincipal"
/></ns0:StatusCode><ns0:StatusMessage>Error resolving
principal</ns0:StatusMessage></ns0:Status>"""
def _eq(l1, l2):
return set(l1) == set(l2)
def _oeq(l1, l2):
if len(l1) != len(l2):
print "Different number of items"
@@ -43,14 +43,16 @@ def _oeq(l1,l2):
return False
return True
def test_inflate_then_deflate():
str = """Selma Lagerlöf (1858-1940) was born in Östra Emterwik, Värmland,
txt = """Selma Lagerlöf (1858-1940) was born in Östra Emterwik, Värmland,
Sweden. She was brought up on Mårbacka, the family estate, which she did
not leave until 1881, when she went to a teachers' college at Stockholm"""
interm = utils.deflate_and_base64_encode(str)
interm = utils.deflate_and_base64_encode(txt)
bis = utils.decode_base64_and_inflate(interm)
assert bis == str
assert bis == txt
def test_status_success():
status = utils.success_status_factory()
@@ -58,6 +60,7 @@ def test_status_success():
assert status_text == SUCCESS_STATUS
assert status.status_code.value == samlp.STATUS_SUCCESS
def test_error_status():
status = utils.status_message_factory("Error resolving principal",
samlp.STATUS_UNKNOWN_PRINCIPAL,
@@ -67,6 +70,7 @@ def test_error_status():
print status_text
assert status_text == ERROR_STATUS
def test_status_from_exception():
e = utils.UnknownPrincipal("Error resolving principal")
stat = utils.error_status_factory(e)
@@ -74,6 +78,7 @@ def test_status_from_exception():
print status_text
assert status_text == ERROR_STATUS
def test_attribute_sn():
attr = utils.do_attributes({"surName": ("Jeter", "")})
assert len(attr) == 1
@@ -84,6 +89,7 @@ def test_attribute_sn():
av = inst.attribute_value[0]
assert av.text == "Jeter"
def test_attribute_age():
attr = utils.do_attributes({"age": (37, "")})
@@ -96,6 +102,7 @@ def test_attribute_age():
assert av.text == "37"
assert av.get_type() == "xs:integer"
def test_attribute_onoff():
attr = utils.do_attributes({"onoff": (False, "")})
@@ -108,6 +115,7 @@ def test_attribute_onoff():
assert av.text == "false"
assert av.get_type() == "xs:boolean"
def test_attribute_base64():
b64sl = base64.b64encode("Selma Lagerlöf")
attr = utils.do_attributes({"name": (b64sl, "xs:base64Binary")})
@@ -121,6 +129,7 @@ def test_attribute_base64():
assert av.get_type() == "xs:base64Binary"
assert av.text.strip() == b64sl
def test_attribute_statement():
statement = do_attribute_statement({"surName": ("Jeter", ""),
"givenName": ("Derek", "")})
@@ -143,19 +152,24 @@ def test_attribute_statement():
assert attr1.name == "givenName"
assert attr1.attribute_value[0].text == "Derek"
def test_audience():
aud_restr = utils.factory(saml.AudienceRestriction,
audience=utils.factory(saml.Audience,text="urn:foo:bar"))
audience=utils.factory(saml.Audience,
text="urn:foo:bar"))
assert aud_restr.keyswv() == ["audience"]
assert aud_restr.audience.text == "urn:foo:bar"
def test_conditions():
conditions = utils.factory(saml.Conditions,
not_before="2009-10-30T07:58:10.852Z",
not_on_or_after="2009-10-30T08:03:10.852Z",
audience_restriction=[utils.factory(saml.AudienceRestriction,
audience=utils.factory(saml.Audience,
audience_restriction=[
utils.factory(saml.AudienceRestriction,
audience=utils.factory(
saml.Audience,
text="urn:foo:bar"))])
assert _eq(conditions.keyswv(), ["not_before", "not_on_or_after",
@@ -164,6 +178,7 @@ def test_conditions():
assert conditions.not_on_or_after == "2009-10-30T08:03:10.852Z"
assert conditions.audience_restriction[0].audience.text == "urn:foo:bar"
def test_value_1():
#FriendlyName="givenName" Name="urn:oid:2.5.4.42"
# NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
@@ -173,6 +188,7 @@ def test_value_1():
assert attribute.name == "urn:oid:2.5.4.42"
assert attribute.name_format == saml.NAME_FORMAT_URI
def test_value_2():
attribute = utils.factory(saml.Attribute, name="urn:oid:2.5.4.42",
name_format=NAME_FORMAT_URI,
@@ -182,6 +198,7 @@ def test_value_2():
assert attribute.name_format == NAME_FORMAT_URI
assert attribute.friendly_name == "givenName"
def test_value_3():
attribute = utils.factory(saml.Attribute,
attribute_value=[utils.factory(
@@ -198,6 +215,7 @@ def test_value_3():
assert len(attribute.attribute_value) == 1
assert attribute.attribute_value[0].text == "Derek"
def test_value_4():
attribute = utils.factory(saml.Attribute,
attribute_value=[utils.factory(
@@ -209,6 +227,7 @@ def test_value_4():
assert len(attribute.attribute_value) == 1
assert attribute.attribute_value[0].text == "Derek"
def test_do_attribute_statement_0():
statement = do_attribute_statement({"vo_attr": ("foobar", "")})
@@ -220,6 +239,7 @@ def test_do_attribute_statement_0():
assert len(attr0.attribute_value) == 1
assert attr0.attribute_value[0].text == "foobar"
def test_do_attribute_statement():
statement = do_attribute_statement({"surName": ("Jeter", ""),
"givenName": (["Derek",
@@ -247,6 +267,7 @@ def test_do_attribute_statement():
assert _eq([av.text for av in attr1.attribute_value],
["Derek", "Sanderson"])
def test_do_attribute_statement_multi():
statement = do_attribute_statement(
{("urn:oid:1.3.6.1.4.1.5923.1.1.1.7",
@@ -263,6 +284,7 @@ def test_do_attribute_statement_multi():
"urn:oasis:names:tc:SAML:2.0:attrname-format:uri")
assert attribute.friendly_name == "eduPersonEntitlement"
def test_subject():
subject = utils.factory(saml.Subject, text="_aaa",
name_id=saml.NameID(
@@ -272,10 +294,12 @@ def test_subject():
assert subject.text == "_aaa"
assert subject.name_id.text == saml.NAMEID_FORMAT_TRANSIENT
# ---------------------------------------------------------------------------
def test_parse_attribute_map():
(forward, backward) = utils.parse_attribute_map([full_path("attribute.map")])
(forward, backward) = utils.parse_attribute_map(
[full_path("attribute.map")])
assert _eq(forward.keys(), backward.values())
assert _eq(forward.values(), backward.keys())
@@ -302,28 +326,34 @@ def test_parse_attribute_map():
def test_identity_attribute_0():
(forward, backward) = utils.parse_attribute_map([full_path("attribute.map")])
(forward, backward) = utils.parse_attribute_map(
[full_path("attribute.map")])
a = Attribute(name="urn:oid:2.5.4.4", name_format=NAME_FORMAT_URI,
friendly_name="surName")
assert utils.identity_attribute("name", a, forward) == "urn:oid:2.5.4.4"
assert utils.identity_attribute("friendly", a, forward) == "surName"
def test_identity_attribute_1():
(forward, backward) = utils.parse_attribute_map([full_path("attribute.map")])
(forward, backward) = utils.parse_attribute_map(
[full_path("attribute.map")])
a = Attribute(name="urn:oid:2.5.4.4", name_format=NAME_FORMAT_URI)
assert utils.identity_attribute("name", a, forward) == "urn:oid:2.5.4.4"
assert utils.identity_attribute("friendly", a, forward) == "surName"
def test_identity_attribute_2():
(forward, backward) = utils.parse_attribute_map([full_path("attribute.map")])
(forward, backward) = utils.parse_attribute_map(
[full_path("attribute.map")])
a = Attribute(name="urn:oid:2.5.4.5", name_format=NAME_FORMAT_URI)
assert utils.identity_attribute("name", a, forward) == "urn:oid:2.5.4.5"
# if there would be a map it would be serialNumber
assert utils.identity_attribute("friendly", a, forward) == "urn:oid:2.5.4.5"
def test_identity_attribute_3():
a = Attribute(name="urn:oid:2.5.4.5", name_format=NAME_FORMAT_URI)
@@ -331,6 +361,7 @@ def test_identity_attribute_3():
# if there would be a map it would be serialNumber
assert utils.identity_attribute("friendly", a) == "urn:oid:2.5.4.5"
def test_identity_attribute_4():
a = Attribute(name="urn:oid:2.5.4.5", name_format=NAME_FORMAT_URI,
friendly_name="serialNumber")
@@ -339,34 +370,39 @@ def test_identity_attribute_4():
# if there would be a map it would be serialNumber
assert utils.identity_attribute("friendly", a) == "serialNumber"
def _givenName(a):
def given_name(a):
assert a["name"] == "urn:oid:2.5.4.42"
assert a["friendly_name"] == "givenName"
assert len(a["attribute_value"]) == 1
assert a["attribute_value"] == [{"text": "Derek"}]
def _surName(a):
def sur_name(a):
assert a["name"] == "urn:oid:2.5.4.4"
assert a["friendly_name"] == "surName"
assert len(a["attribute_value"]) == 1
assert a["attribute_value"] == [{"text": "Jeter"}]
def test_nameformat_email():
assert utils.valid_email("foo@example.com")
assert utils.valid_email("a@b.com")
assert utils.valid_email("a@b.se")
assert utils.valid_email("john@doe@johndoe.com") == False
assert utils.valid_email("john@doe@johndoe.com") is False
def test_attribute():
a = utils.factory(saml.Attribute,
friendly_name="eduPersonScopedAffiliation",
name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9",
name_format="urn:oasis:names:tc:SAML:2.0:attrname-format:uri")
name_format="urn:oasis:names:tc:SAML:2.0:attrname"
"-format:uri")
assert _eq(a.keyswv(), ["friendly_name", "name", "name_format"])
a = utils.factory(saml.Attribute,
friendly_name="eduPersonScopedAffiliation",
a = utils.factory(
saml.Attribute, friendly_name="eduPersonScopedAffiliation",
name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9",
name_format="urn:oasis:names:tc:SAML:2.0:attrname-format:uri",
attribute_value=[saml.AttributeValue(text="member@example.com")])
@@ -374,23 +410,27 @@ def test_attribute():
assert _eq(a.keyswv(), ["friendly_name", "name", "name_format",
"attribute_value"])
def test_attribute_statement():
def test_attribute_statement_2():
statement = utils.factory(saml.Statement,
attribute=[
utils.factory(saml.Attribute,
attribute_value=[
utils.factory(
saml.AttributeValue,text="Derek")],
saml.AttributeValue,
text="Derek")],
friendly_name="givenName"),
utils.factory(saml.Attribute,
attribute_value=[
utils.factory(
saml.AttributeValue,text="Jeter")],
saml.AttributeValue,
text="Jeter")],
friendly_name="surName"),
])
assert statement.keyswv() == ["attribute"]
assert len(statement.attribute) == 2
def test_subject_confirmation_data():
s = utils.factory(saml.SubjectConfirmation,
in_response_to="_12345678",
@@ -402,6 +442,7 @@ def test_subject_confirmation_data():
assert _eq(s.keyswv(), ["in_response_to", "not_before", "not_on_or_after",
"recipient", "address"])
def test_subject_confirmation():
s = utils.factory(saml.SubjectConfirmation,
method="urn:oasis:names:tc:SAML:2.0:profiles:SSO:browser",
@@ -423,15 +464,19 @@ def test_authn_context_class_ref():
assert a.keyswv() == ["text"]
assert a.text == "urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified"
def test_authn_context():
accr = utils.factory( saml.AuthnContext,
accr = utils.factory(
saml.AuthnContext,
text="urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified")
a = utils.factory(saml.AuthnContext, authn_context_class_ref=accr)
assert a.keyswv() == ["authn_context_class_ref"]
def test_authn_statement():
accr = utils.factory( saml.AuthnContextClassRef,
accr = utils.factory(
saml.AuthnContextClassRef,
text="urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified")
ac = utils.factory(saml.AuthnContext,
authn_context_class_ref=accr)
@@ -439,17 +484,15 @@ def test_authn_statement():
authn_instant="2010-03-10T12:33:00Z",
session_index="_12345",
session_not_on_or_after="2010-03-11T12:00:00Z",
authn_context=ac
)
authn_context=ac)
assert _eq(ast.keyswv(), ["authn_instant", "session_index",
"session_not_on_or_after",
"authn_context"])
def test_signature():
arr = ["foobar", "1234567890"]
csum = utils.signature("abcdef", arr)
arr.append(csum)
assert utils.verify_signature("abcdef", arr)