Made SWAMID's 2-dimensional entity category model work.

This commit is contained in:
Roland Hedberg
2013-11-18 12:52:03 +01:00
parent 2d5ec644d7
commit e9f34b70db
6 changed files with 243 additions and 21 deletions


@@ -439,29 +439,31 @@ class Policy(object):
pass
if ec_maps:
# always released
for ec_map in ec_maps:
try:
attrs = ec_map[""]
except KeyError:
pass
else:
for attr in attrs:
restrictions[attr] = None
if mds:
try:
ecs = mds.entity_categories(sp_entity_id)
except KeyError:
pass
else:
for ec in ecs:
for ec_map in ec_maps:
try:
attrs = ec_map[ec]
except KeyError:
pass
for attr in ec_map[""]:
restrictions[attr] = None
else:
for ec_map in ec_maps:
for key, val in ec_map.items():
if key == "": # always released
attrs = val
elif isinstance(key, tuple):
attrs = val
for _key in key:
try:
assert _key in ecs
except AssertionError:
attrs = []
break
elif key in ecs:
attrs = val
else:
attrs = []
for attr in attrs:
restrictions[attr] = None
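Review bot: The tuple-key branch at `try: assert _key in ecs` / `except AssertionError:` uses `assert` for release-policy control flow; under `python -O` the assertion is compiled away, `attrs` keeps `val`, and every attribute behind a multi-category key is released to any SP whether or not it carries those categories. A plain expression keeps the gate in place in every mode and replaces the whole inner loop: `attrs = val if all(_key in ecs for _key in key) else []`. A short comment on that branch, `# tuple key: release only when the SP carries every listed category`, would also document the new 2-dimensional semantics, which nothing in the method states. The enclosing method starts before this hunk, and the rendering does not show which of the lines above the final `else:` are old or new, so this reads the key/val loop at the end as the new code.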


@@ -17,5 +17,7 @@ HEI = "http://www.swamid.se/category/hei-service"
RELEASE = {
"": ["eduPersonTargetedID"],
SFS_1993_1153: ["norEduPersonNIN"],
RESEARCH_AND_EDUCATION: NAME + STATIC_ORG_INFO + OTHER,
(RESEARCH_AND_EDUCATION, EU): NAME + STATIC_ORG_INFO + OTHER,
(RESEARCH_AND_EDUCATION, NREN): NAME + STATIC_ORG_INFO + OTHER,
(RESEARCH_AND_EDUCATION, HEI): NAME + STATIC_ORG_INFO + OTHER,
}
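Review bot: The tuple keys `(RESEARCH_AND_EDUCATION, EU)` and the two below are a new key shape in `RELEASE`, and nothing in this file says how a tuple is interpreted; a comment above them such as `# tuple key: attributes released only when the SP is tagged with every category in the tuple` would spare the next reader a trip into Policy. The three tuple entries also carry an identical value, so binding `NAME + STATIC_ORG_INFO + OTHER` to one shared name would make it obvious that the combinations are meant to be equivalent rather than accidentally the same.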

84
tests/entity_cat_re.xml Normal file

@@ -0,0 +1,84 @@
<?xml version='1.0' encoding='UTF-8'?>
<ns0:EntityDescriptor xmlns:ns0="urn:oasis:names:tc:SAML:2.0:metadata"
xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:ns1="urn:oasis:names:tc:SAML:metadata:attribute"
xmlns:ns2="urn:oasis:names:tc:SAML:2.0:assertion"
xmlns:ns5="http://www.w3.org/2000/09/xmldsig#"
xmlns:ns4="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
entityID="urn:mace:example.com:saml:roland:sp">
<ns0:Extensions>
<ns1:EntityAttributes>
<ns2:Attribute Name="http://macedir.org/entity-category">
<ns2:AttributeValue xsi:type="xs:string">
http://www.swamid.se/category/research-and-education
</ns2:AttributeValue>
</ns2:Attribute>
</ns1:EntityAttributes>
</ns0:Extensions>
<ns0:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true"
protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<ns0:Extensions>
<ns4:DiscoveryResponse
Binding="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
Location="https://xenosmilus2.umdc.umu.se:8086/disco"
index="1"/>
</ns0:Extensions>
<ns0:KeyDescriptor use="encryption">
<ns5:KeyInfo>
<ns5:X509Data>
<ns5:X509Certificate>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</ns5:X509Certificate>
</ns5:X509Data>
</ns5:KeyInfo>
</ns0:KeyDescriptor>
<ns0:KeyDescriptor use="signing">
<ns5:KeyInfo>
<ns5:X509Data>
<ns5:X509Certificate>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</ns5:X509Certificate>
</ns5:X509Data>
</ns5:KeyInfo>
</ns0:KeyDescriptor>
<ns0:AssertionConsumerService
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
Location="https://xenosmilus2.umdc.umu.se:8086/acs/sfs/re_nren/redirect"
index="1"/>
<ns0:AssertionConsumerService
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
Location="https://xenosmilus2.umdc.umu.se:8086/acs/sfs/re_nren/post"
index="2"/>
</ns0:SPSSODescriptor>
</ns0:EntityDescriptor>
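Review bot: The DiscoveryResponse and AssertionConsumerService `Location` values in this fixture still read `.../acs/sfs/re_nren/...` although the file describes the research-and-education-only SP; the tests only key on `entityID`, so this is cosmetic, but a reader diffing the two fixtures will look for a meaning that is not there. Renaming the path segment to match the file, or adding an XML comment saying the locations are placeholders, would remove that. The `entityID` is also shared with `entity_cat_re_nren.xml`, which is fine while each test imports one file but may collide if both are ever loaded into the same MetadataStore.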


@@ -0,0 +1,87 @@
<?xml version='1.0' encoding='UTF-8'?>
<ns0:EntityDescriptor xmlns:ns0="urn:oasis:names:tc:SAML:2.0:metadata"
xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:ns1="urn:oasis:names:tc:SAML:metadata:attribute"
xmlns:ns2="urn:oasis:names:tc:SAML:2.0:assertion"
xmlns:ns5="http://www.w3.org/2000/09/xmldsig#"
xmlns:ns4="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
entityID="urn:mace:example.com:saml:roland:sp">
<ns0:Extensions>
<ns1:EntityAttributes>
<ns2:Attribute Name="http://macedir.org/entity-category">
<ns2:AttributeValue xsi:type="xs:string">
http://www.swamid.se/category/research-and-education
</ns2:AttributeValue>
<ns2:AttributeValue xsi:type="xs:string">
http://www.swamid.se/category/nren-service
</ns2:AttributeValue>
</ns2:Attribute>
</ns1:EntityAttributes>
</ns0:Extensions>
<ns0:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true"
protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<ns0:Extensions>
<ns4:DiscoveryResponse
Binding="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
Location="https://xenosmilus2.umdc.umu.se:8086/disco"
index="1"/>
</ns0:Extensions>
<ns0:KeyDescriptor use="encryption">
<ns5:KeyInfo>
<ns5:X509Data>
<ns5:X509Certificate>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</ns5:X509Certificate>
</ns5:X509Data>
</ns5:KeyInfo>
</ns0:KeyDescriptor>
<ns0:KeyDescriptor use="signing">
<ns5:KeyInfo>
<ns5:X509Data>
<ns5:X509Certificate>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</ns5:X509Certificate>
</ns5:X509Data>
</ns5:KeyInfo>
</ns0:KeyDescriptor>
<ns0:AssertionConsumerService
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
Location="https://xenosmilus2.umdc.umu.se:8086/acs/sfs/re_nren/redirect"
index="1"/>
<ns0:AssertionConsumerService
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
Location="https://xenosmilus2.umdc.umu.se:8086/acs/sfs/re_nren/post"
index="2"/>
</ns0:SPSSODescriptor>
</ns0:EntityDescriptor>


@@ -102,6 +102,53 @@ def test_filter_ava3():
assert _eq(ava.keys(), ['eduPersonTargetedID', "norEduPersonNIN"])
def test_filter_ava4():
policy = Policy({
"default": {
"lifetime": {"minutes": 15},
#"attribute_restrictions": None # means all I have
"entity_categories": ["swamid"]
}
})
mds = MetadataStore(ONTS.values(), ATTRCONV, sec_config,
disable_ssl_certificate_validation=True)
mds.imp({"local": [full_path("entity_cat_re_nren.xml")]})
ava = {"givenName": ["Derek"], "sn": ["Jeter"],
"mail": ["derek@nyy.mlb.com"], "c": ["USA"],
"eduPersonTargetedID": "foo!bar!xyz",
"norEduPersonNIN": "19800101134"}
ava = policy.filter(ava, "urn:mace:example.com:saml:roland:sp", mds)
assert _eq(ava.keys(), ['eduPersonTargetedID', "givenName", "c", "mail",
"sn"])
def test_filter_ava5():
policy = Policy({
"default": {
"lifetime": {"minutes": 15},
#"attribute_restrictions": None # means all I have
"entity_categories": ["swamid"]
}
})
mds = MetadataStore(ONTS.values(), ATTRCONV, sec_config,
disable_ssl_certificate_validation=True)
mds.imp({"local": [full_path("entity_cat_re.xml")]})
ava = {"givenName": ["Derek"], "sn": ["Jeter"],
"mail": ["derek@nyy.mlb.com"], "c": ["USA"],
"eduPersonTargetedID": "foo!bar!xyz",
"norEduPersonNIN": "19800101134"}
ava = policy.filter(ava, "urn:mace:example.com:saml:roland:sp", mds)
assert _eq(ava.keys(), ['eduPersonTargetedID'])
def test_idp_policy_filter():
idp = Server("idp_conf_ec")
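Review bot: `test_filter_ava4` and `test_filter_ava5` are identical apart from the metadata file name and the expected keys, and neither covers the branch where `mds.entity_categories()` raises KeyError for an SP that is not in the store; that path decides what an unknown SP receives and is the one most worth pinning. Extracting the Policy/MetadataStore/ava setup into a helper that takes the XML file name would reduce the pair to two-line tests and make a third case with a constructed, unregistered entityID cheap to add. `disable_ssl_certificate_validation=True` is harmless here because only `local` files are imported, but a one-line comment saying so would stop it from being copied into tests that fetch remote metadata.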


@@ -1,7 +1,7 @@
<?xml version='1.0' encoding='UTF-8'?>
<ns0:EntitiesDescriptor
name="urn:mace:example.com:votest"
validUntil="2010-11-28T09:10:09Z"
validUntil="2014-11-28T09:10:09Z"
xmlns:ns0="urn:oasis:names:tc:SAML:2.0:metadata">
<ns0:EntityDescriptor
entityID="urn:mace:example.com:it:tek">
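Review bot: Moving `validUntil` from 2010 to 2014 only postpones the failure that presumably prompted the change; on 2014-11-28 this fixture expires again and every test importing it breaks on the wall clock. Either generate the fixture's `validUntil` at test time, or set it far enough out that it cannot plausibly matter and add an XML comment saying why. The EntitiesDescriptor element continues past this hunk.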