def create_authn_request(self,
destination,
vorg="",
scoping=None,
binding=saml2.BINDING_HTTP_POST,
nameid_format=None,
service_url_binding=None,
message_id=0,
consent=None,
extensions=None,
sign=None,
allow_create=None,
sign_prepare=False,
sign_alg=None,
digest_alg=None,
requested_attributes=None,
**kwargs):
""" Creates an authentication request.
:param destination: Where the request should be sent.
:param vorg: The virtual organization the service belongs to.
:param scoping: The scope of the request
:param binding: The protocol to use for the Response !!
:param nameid_format: Format of the NameIDPolicy
:param service_url_binding: Where the reply should be sent dependent
on reply binding.
:param message_id: The identifier for this request
:param consent: Whether the principal have given her consent
:param extensions: Possible extensions
:param sign: Whether the request should be signed or not.
:param sign_prepare: Whether the signature should be prepared or not.
:param allow_create: If the identity provider is allowed, in the course
of fulfilling the request, to create a new identifier to represent
the principal.
:param requested_attributes: A list of dicts which define attributes to
be used as eIDAS Requested Attributes for this request. If not
defined the configuration option requested_attributes will be used,
if defined. The format is the same as the requested_attributes
configuration option.
:param kwargs: Extra key word arguments
:return: either a tuple of request ID and <samlp:AuthnRequest> instance
or a tuple of request ID and str when sign is set to True
"""
args = {}
# AssertionConsumerServiceURL
# AssertionConsumerServiceIndex
hide_assertion_consumer_service = self.config.getattr(
'hide_assertion_consumer_service', 'sp')
assertion_consumer_service_url = (
kwargs.pop("assertion_consumer_service_urls", [None])[0]
or kwargs.pop("assertion_consumer_service_url", None))
assertion_consumer_service_index = kwargs.pop(
"assertion_consumer_service_index", None)
service_url = (self.service_urls(service_url_binding or binding)
or [None])[0]
if hide_assertion_consumer_service:
args["assertion_consumer_service_url"] = None
binding = None
elif assertion_consumer_service_url:
args[
"assertion_consumer_service_url"] = assertion_consumer_service_url
elif assertion_consumer_service_index:
args[
"assertion_consumer_service_index"] = assertion_consumer_service_index
elif service_url:
args["assertion_consumer_service_url"] = service_url
# ProviderName
provider_name = kwargs.get("provider_name")
if not provider_name and binding != BINDING_PAOS:
provider_name = self._my_name()
args["provider_name"] = provider_name
# Allow argument values either as class instances or as dictionaries
# all of these have cardinality 0..1
_msg = AuthnRequest()
for param in [
"scoping", "requested_authn_context", "conditions", "subject"
]:
_item = kwargs.pop(param, None)
if not _item:
continue
if isinstance(_item, _msg.child_class(param)):
args[param] = _item
elif isinstance(_item, dict):
args[param] = RequestedAuthnContext(**_item)
else:
raise ValueError(
"Wrong type for param {name}".format(name=param))
# NameIDPolicy
nameid_policy_format_config = self.config.getattr(
"name_id_policy_format", "sp")
nameid_policy_format = (nameid_format or nameid_policy_format_config
or None)
allow_create_config = self.config.getattr(
"name_id_format_allow_create", "sp")
allow_create = (
None
# SAML 2.0 errata says AllowCreate MUST NOT be used for transient ids
if nameid_policy_format == NAMEID_FORMAT_TRANSIENT
else allow_create if allow_create else str(
bool(allow_create_config)).lower())
name_id_policy = (
kwargs.pop("name_id_policy", None) if "name_id_policy" in kwargs
else None if not nameid_policy_format else samlp.NameIDPolicy(
allow_create=allow_create, format=nameid_policy_format))
if name_id_policy and vorg:
name_id_policy.sp_name_qualifier = vorg
name_id_policy.format = nameid_policy_format or NAMEID_FORMAT_PERSISTENT
args["name_id_policy"] = name_id_policy
# eIDAS SPType
conf_sp_type = self.config.getattr('sp_type', 'sp')
conf_sp_type_in_md = self.config.getattr('sp_type_in_metadata', 'sp')
if conf_sp_type and conf_sp_type_in_md is False:
if not extensions:
extensions = Extensions()
item = sp_type.SPType(text=conf_sp_type)
extensions.add_extension_element(item)
# eIDAS RequestedAttributes
requested_attrs = (requested_attributes
or self.config.getattr('requested_attributes', 'sp')
or [])
if requested_attrs:
req_attrs_node = create_requested_attribute_node(
requested_attrs, self.config.attribute_converters)
if not extensions:
extensions = Extensions()
extensions.add_extension_element(req_attrs_node)
# ForceAuthn
force_authn = str(
kwargs.pop("force_authn", None)
or self.config.getattr("force_authn", "sp")).lower() in [
"true", "1"
]
if force_authn:
kwargs["force_authn"] = "true"
if kwargs:
_args, extensions = self._filter_args(AuthnRequest(), extensions,
**kwargs)
args.update(_args)
args.pop("id", None)
client_crt = kwargs.get("client_crt")
nsprefix = kwargs.get("nsprefix")
sign = self.authn_requests_signed if sign is None else sign
if (sign and self.sec.cert_handler.generate_cert()
) or client_crt is not None:
with self.lock:
self.sec.cert_handler.update_cert(True, client_crt)
if client_crt is not None:
sign_prepare = True
msg = self._message(
AuthnRequest,
destination,
message_id,
consent,
extensions,
sign,
sign_prepare,
protocol_binding=binding,
scoping=scoping,
nsprefix=nsprefix,
sign_alg=sign_alg,
digest_alg=digest_alg,
**args,
)
else:
msg = self._message(
AuthnRequest,
destination,
message_id,
consent,
extensions,
sign,
sign_prepare,
protocol_binding=binding,
scoping=scoping,
nsprefix=nsprefix,
sign_alg=sign_alg,
digest_alg=digest_alg,
**args,
)
return msg
def create_authn_request(self,
destination,
vorg="",
scoping=None,
binding=saml2.BINDING_HTTP_POST,
nameid_format=None,
service_url_binding=None,
message_id=0,
consent=None,
extensions=None,
sign=None,
allow_create=None,
sign_prepare=False,
sign_alg=None,
digest_alg=None,
**kwargs):
""" Creates an authentication request.
:param destination: Where the request should be sent.
:param vorg: The virtual organization the service belongs to.
:param scoping: The scope of the request
:param binding: The protocol to use for the Response !!
:param nameid_format: Format of the NameID
:param service_url_binding: Where the reply should be sent dependent
on reply binding.
:param message_id: The identifier for this request
:param consent: Whether the principal have given her consent
:param extensions: Possible extensions
:param sign: Whether the request should be signed or not.
:param sign_prepare: Whether the signature should be prepared or not.
:param allow_create: If the identity provider is allowed, in the course
of fulfilling the request, to create a new identifier to represent
the principal.
:param kwargs: Extra key word arguments
:return: tuple of request ID and <samlp:AuthnRequest> instance
"""
client_crt = None
if "client_crt" in kwargs:
client_crt = kwargs["client_crt"]
args = {}
if self.config.getattr('hide_assertion_consumer_service', 'sp'):
args["assertion_consumer_service_url"] = None
binding = None
else:
try:
args["assertion_consumer_service_url"] = kwargs[
"assertion_consumer_service_urls"][0]
del kwargs["assertion_consumer_service_urls"]
except KeyError:
try:
args["assertion_consumer_service_url"] = kwargs[
"assertion_consumer_service_url"]
del kwargs["assertion_consumer_service_url"]
except KeyError:
try:
args["assertion_consumer_service_index"] = str(
kwargs["assertion_consumer_service_index"])
del kwargs["assertion_consumer_service_index"]
except KeyError:
if service_url_binding is None:
service_urls = self.service_urls(binding)
else:
service_urls = self.service_urls(
service_url_binding)
args["assertion_consumer_service_url"] = service_urls[
0]
try:
args["provider_name"] = kwargs["provider_name"]
except KeyError:
if binding == BINDING_PAOS:
pass
else:
args["provider_name"] = self._my_name()
# Allow argument values either as class instances or as dictionaries
# all of these have cardinality 0..1
_msg = AuthnRequest()
for param in [
"scoping", "requested_authn_context", "conditions", "subject"
]:
try:
_item = kwargs[param]
except KeyError:
pass
else:
del kwargs[param]
# either class instance or argument dictionary
if isinstance(_item, _msg.child_class(param)):
args[param] = _item
elif isinstance(_item, dict):
args[param] = RequestedAuthnContext(**_item)
else:
raise ValueError("%s or wrong type expected %s" %
(_item, param))
try:
args["name_id_policy"] = kwargs["name_id_policy"]
del kwargs["name_id_policy"]
except KeyError:
if allow_create is None:
allow_create = self.config.getattr(
"name_id_format_allow_create", "sp")
if allow_create is None:
allow_create = "false"
else:
if allow_create is True:
allow_create = "true"
else:
allow_create = "false"
if nameid_format == "":
name_id_policy = None
else:
if nameid_format is None:
nameid_format = self.config.getattr("name_id_format", "sp")
# If no nameid_format has been set in the configuration
# or passed in then transient is the default.
if nameid_format is None:
nameid_format = NAMEID_FORMAT_TRANSIENT
# If a list has been configured or passed in choose the
# first since NameIDPolicy can only have one format specified.
elif isinstance(nameid_format, list):
nameid_format = nameid_format[0]
# Allow a deployer to signal that no format should be specified
# in the NameIDPolicy by passing in or configuring the string 'None'.
elif nameid_format == 'None':
nameid_format = None
name_id_policy = samlp.NameIDPolicy(allow_create=allow_create,
format=nameid_format)
if name_id_policy and vorg:
try:
name_id_policy.sp_name_qualifier = vorg
name_id_policy.format = saml.NAMEID_FORMAT_PERSISTENT
except KeyError:
pass
args["name_id_policy"] = name_id_policy
try:
nsprefix = kwargs["nsprefix"]
except KeyError:
nsprefix = None
try:
force_authn = kwargs['force_authn']
except KeyError:
force_authn = self.config.getattr('force_authn', 'sp')
finally:
if force_authn:
args['force_authn'] = 'true'
conf_sp_type = self.config.getattr('sp_type', 'sp')
conf_sp_type_in_md = self.config.getattr('sp_type_in_metadata', 'sp')
if conf_sp_type and conf_sp_type_in_md is False:
if not extensions:
extensions = Extensions()
item = sp_type.SPType(text=conf_sp_type)
extensions.add_extension_element(item)
requested_attrs = self.config.getattr('requested_attributes', 'sp')
if requested_attrs:
if not extensions:
extensions = Extensions()
attributemapsmods = []
for modname in attributemaps.__all__:
attributemapsmods.append(getattr(attributemaps, modname))
items = []
for attr in requested_attrs:
friendly_name = attr.get('friendly_name')
name = attr.get('name')
name_format = attr.get('name_format')
is_required = str(attr.get('required', False)).lower()
if not name and not friendly_name:
raise ValueError(
"Missing required attribute: '{}' or '{}'".format(
'name', 'friendly_name'))
if not name:
for mod in attributemapsmods:
try:
name = mod.MAP['to'][friendly_name]
except KeyError:
continue
else:
if not name_format:
name_format = mod.MAP['identifier']
break
if not friendly_name:
for mod in attributemapsmods:
try:
friendly_name = mod.MAP['fro'][name]
except KeyError:
continue
else:
if not name_format:
name_format = mod.MAP['identifier']
break
items.append(
requested_attributes.RequestedAttribute(
is_required=is_required,
name_format=name_format,
friendly_name=friendly_name,
name=name))
item = requested_attributes.RequestedAttributes(
extension_elements=items)
extensions.add_extension_element(item)
if kwargs:
_args, extensions = self._filter_args(AuthnRequest(), extensions,
**kwargs)
args.update(_args)
try:
del args["id"]
except KeyError:
pass
if sign is None:
sign = self.authn_requests_signed
if (sign and self.sec.cert_handler.generate_cert()) or \
client_crt is not None:
with self.lock:
self.sec.cert_handler.update_cert(True, client_crt)
if client_crt is not None:
sign_prepare = True
return self._message(AuthnRequest,
destination,
message_id,
consent,
extensions,
sign,
sign_prepare,
protocol_binding=binding,
scoping=scoping,
nsprefix=nsprefix,
sign_alg=sign_alg,
digest_alg=digest_alg,
**args)
return self._message(AuthnRequest,
destination,
message_id,
consent,
extensions,
sign,
sign_prepare,
protocol_binding=binding,
scoping=scoping,
nsprefix=nsprefix,
sign_alg=sign_alg,
digest_alg=digest_alg,
**args)
def entity_descriptor(confd):
mycert = None
enc_cert = None
if confd.cert_file is not None:
mycert = []
mycert.append("".join(read_cert(confd.cert_file)))
if confd.additional_cert_files is not None:
for _cert_file in confd.additional_cert_files:
mycert.append("".join(read_cert(_cert_file)))
if confd.encryption_keypairs is not None:
enc_cert = []
for _encryption in confd.encryption_keypairs:
enc_cert.append("".join(read_cert(_encryption["cert_file"])))
entd = md.EntityDescriptor()
entd.entity_id = confd.entityid
if confd.valid_for:
entd.valid_until = in_a_while(hours=int(confd.valid_for))
if confd.organization is not None:
entd.organization = do_organization_info(confd.organization)
if confd.contact_person is not None:
entd.contact_person = do_contact_persons_info(confd.contact_person)
if confd.assurance_certification:
if not entd.extensions:
entd.extensions = md.Extensions()
ava = [AttributeValue(text=c) for c in confd.assurance_certification]
attr = Attribute(
attribute_value=ava,
name="urn:oasis:names:tc:SAML:attribute:assurance-certification",
)
_add_attr_to_entity_attributes(entd.extensions, attr)
if confd.entity_category:
if not entd.extensions:
entd.extensions = md.Extensions()
ava = [AttributeValue(text=c) for c in confd.entity_category]
attr = Attribute(
attribute_value=ava, name="http://macedir.org/entity-category"
)
_add_attr_to_entity_attributes(entd.extensions, attr)
if confd.entity_category_support:
if not entd.extensions:
entd.extensions = md.Extensions()
ava = [AttributeValue(text=c) for c in confd.entity_category_support]
attr = Attribute(
attribute_value=ava, name="http://macedir.org/entity-category-support"
)
_add_attr_to_entity_attributes(entd.extensions, attr)
for item in algorithm_support_in_metadata(confd.xmlsec_binary):
if not entd.extensions:
entd.extensions = md.Extensions()
entd.extensions.add_extension_element(item)
conf_sp_type = confd.getattr('sp_type', 'sp')
conf_sp_type_in_md = confd.getattr('sp_type_in_metadata', 'sp')
if conf_sp_type and conf_sp_type_in_md is True:
if not entd.extensions:
entd.extensions = md.Extensions()
item = sp_type.SPType(text=conf_sp_type)
entd.extensions.add_extension_element(item)
serves = confd.serves
if not serves:
raise SAMLError(
'No service type ("sp","idp","aa") provided in the configuration')
if "sp" in serves:
confd.context = "sp"
entd.spsso_descriptor = do_spsso_descriptor(confd, mycert, enc_cert)
if "idp" in serves:
confd.context = "idp"
entd.idpsso_descriptor = do_idpsso_descriptor(confd, mycert, enc_cert)
if "aa" in serves:
confd.context = "aa"
entd.attribute_authority_descriptor = do_aa_descriptor(confd, mycert,
enc_cert)
if "pdp" in serves:
confd.context = "pdp"
entd.pdp_descriptor = do_pdp_descriptor(confd, mycert, enc_cert)
if "aq" in serves:
confd.context = "aq"
entd.authn_authority_descriptor = do_aq_descriptor(confd, mycert,
enc_cert)
return entd
