Beispiel #1
0
 def verify(self, keys=None):
     try:
         valid_instance(self.response)
     except NotValid as exc:
         logger.error("Not valid response: %s" % exc.args[0])
         raise
     return self
Beispiel #2
0
def create_metadata_string(configfile, config=None, valid=None, cert=None,
                           keyfile=None, mid=None, name=None, sign=None):
    valid_for = 0
    nspair = {"xs": "http://www.w3.org/2001/XMLSchema"}
    # paths = [".", "/opt/local/bin"]

    if valid:
        valid_for = int(valid)  # Hours

    eds = []
    if config is None:
        if configfile.endswith(".py"):
            configfile = configfile[:-3]
        config = Config().load_file(configfile, metadata_construction=True)
    eds.append(entity_descriptor(config))

    conf = Config()
    conf.key_file = config.key_file or keyfile
    conf.cert_file = config.cert_file or cert
    conf.debug = 1
    conf.xmlsec_binary = config.xmlsec_binary
    secc = security_context(conf)

    if mid:
        eid, xmldoc = entities_descriptor(eds, valid_for, name, mid,
                                          sign, secc)
    else:
        eid = eds[0]
        if sign:
            eid, xmldoc = sign_entity_descriptor(eid, mid, secc)
        else:
            xmldoc = None

    valid_instance(eid)
    return metadata_tostring_fix(eid, nspair, xmldoc)
Beispiel #3
0
    def import_metadata(self, xml_str, source):
        """ Import information; organization distinguish name, location and
        certificates from a metadata file.
        
        :param xml_str: The metadata as a XML string.
        :param source: A name by which this source should be known, has to be
            unique within this session.
        """

        # now = time.gmtime()
        #print >> sys.stderr, "Loading %s" % (source,)

        entities_descr = md.entities_descriptor_from_string(xml_str)
        if not entities_descr:
            entity_descr = md.entity_descriptor_from_string(xml_str)
            if entity_descr:
                self.do_entity_descriptor(entity_descr, source)
        else:
            try:
                valid_instance(entities_descr)
            except NotValid, exc:
                print >> sys.stderr, exc.args[0]
                return

            try:
                valid(entities_descr.valid_until)
            except AttributeError:
                pass

            for entity_descr in entities_descr.entity_descriptor:
                self.do_entity_descriptor(entity_descr, source,
                                          entities_descr.valid_until)
Beispiel #4
0
def create_metadata_string(configfile, config=None, valid=None, cert=None,
                           keyfile=None, mid=None, name=None, sign=None):
    valid_for = 0
    nspair = {"xs": "http://www.w3.org/2001/XMLSchema"}
    # paths = [".", "/opt/local/bin"]

    if valid:
        valid_for = int(valid)  # Hours

    eds = []
    if config is None:
        if configfile.endswith(".py"):
            configfile = configfile[:-3]
        config = Config().load_file(configfile, metadata_construction=True)
    eds.append(entity_descriptor(config))

    conf = Config()
    conf.key_file = config.key_file or keyfile
    conf.cert_file = config.cert_file or cert
    conf.debug = 1
    conf.xmlsec_binary = config.xmlsec_binary
    secc = security_context(conf)

    if mid:
        eid, xmldoc = entities_descriptor(eds, valid_for, name, mid,
                                          sign, secc)
    else:
        eid = eds[0]
        if sign:
            eid, xmldoc = sign_entity_descriptor(eid, mid, secc)
        else:
            xmldoc = None

    valid_instance(eid)
    return metadata_tostring_fix(eid, nspair, xmldoc)
Beispiel #5
0
    def _loads(self, xmldata, binding=None, origdoc=None):
        # own copy
        self.xmlstr = xmldata[:]
        logger.info("xmlstr: %s" % (self.xmlstr,))
        try:
            self.message = self.signature_check(xmldata, origdoc=origdoc)
        except TypeError:
            raise
        except Exception as excp:
            logger.info("EXCEPTION: %s", excp)
    
        if not self.message:
            logger.error("Response was not correctly signed")
            logger.info(xmldata)
            raise IncorrectlySigned()

        logger.info("request: %s" % (self.message,))

        try:
            valid_instance(self.message)
        except NotValid as exc:
            logger.error("Not valid request: %s" % exc.args[0])
            raise
        
        return self
Beispiel #6
0
 def import_metadata(self, xml_str, source):
     """ Import information; organization distinguish name, location and
     certificates from a metadata file.
     
     :param xml_str: The metadata as a XML string.
     :param source: A name by which this source should be known, has to be
         unique within this session.
     """
     
     # now = time.gmtime()
     #print >> sys.stderr, "Loading %s" % (source,)
     
     entities_descr = md.entities_descriptor_from_string(xml_str)
     if not entities_descr:
         entity_descr = md.entity_descriptor_from_string(xml_str)
         if entity_descr:
             self.do_entity_descriptor(entity_descr, source)
     else:
         try:
             valid_instance(entities_descr)
         except NotValid, exc:
             print >> sys.stderr, exc.args[0]
             return
     
         try:
             valid(entities_descr.valid_until)
         except AttributeError:
             pass
     
         for entity_descr in entities_descr.entity_descriptor:
             self.do_entity_descriptor(entity_descr, source, 
                                         entities_descr.valid_until)
Beispiel #7
0
    def _loads(self, xmldata, binding=None, origdoc=None, must=None,
               only_valid_cert=False):
        if binding == BINDING_HTTP_REDIRECT:
            pass

        # own copy
        self.xmlstr = xmldata[:]
        logger.debug("xmlstr: %s" % (self.xmlstr,))
        try:
            self.message = self.signature_check(xmldata, origdoc=origdoc,
                                                must=must,
                                                only_valid_cert=only_valid_cert)
        except TypeError:
            raise
        except Exception as excp:
            logger.info("EXCEPTION: %s", excp)

        if not self.message:
            logger.error("Response was not correctly signed")
            logger.info(xmldata)
            raise IncorrectlySigned()

        logger.info("request: %s" % (self.message,))

        try:
            valid_instance(self.message)
        except NotValid as exc:
            logger.error("Not valid request: %s" % exc.args[0])
            raise

        return self
Beispiel #8
0
 def verify(self, keys=None):
     try:
         valid_instance(self.response)
     except NotValid as exc:
         logger.error("Not valid response: %s", exc.args[0])
         raise
     return self
Beispiel #9
0
    def parse(self, xmlstr):
        self.entities_descr = md.entities_descriptor_from_string(xmlstr)

        if not self.entities_descr:
            self.entity_descr = md.entity_descriptor_from_string(xmlstr)
            if self.entity_descr:
                self.do_entity_descriptor(self.entity_descr)
        else:
            try:
                valid_instance(self.entities_descr)
            except NotValid, exc:
                logger.error(exc.args[0])
                return

            if self.check_validity:
                try:
                    if not valid(self.entities_descr.valid_until):
                        raise ToOld(
                            "Metadata not valid anymore, it's after %s" % (
                                self.entities_descr.valid_until,))
                except AttributeError:
                    pass

            for entity_descr in self.entities_descr.entity_descriptor:
                self.do_entity_descriptor(entity_descr)
Beispiel #10
0
    def _loads(self, xmldata, binding=None, origdoc=None):
        # own copy
        self.xmlstr = xmldata[:]
        logger.info("xmlstr: %s" % (self.xmlstr, ))
        try:
            self.message = self.signature_check(xmldata, origdoc=origdoc)
        except TypeError:
            raise
        except Exception as excp:
            logger.info("EXCEPTION: %s", excp)

        if not self.message:
            logger.error("Response was not correctly signed")
            logger.info(xmldata)
            raise IncorrectlySigned()

        logger.info("request: %s" % (self.message, ))

        try:
            valid_instance(self.message)
        except NotValid as exc:
            logger.error("Not valid request: %s" % exc.args[0])
            raise

        return self
Beispiel #11
0
    def parse(self, xmlstr):
        self.entities_descr = md.entities_descriptor_from_string(xmlstr)

        if not self.entities_descr:
            self.entity_descr = md.entity_descriptor_from_string(xmlstr)
            if self.entity_descr:
                self.do_entity_descriptor(self.entity_descr)
        else:
            try:
                valid_instance(self.entities_descr)
            except NotValid as exc:
                logger.error("Invalid XML message: %s", exc.args[0])
                return

            if self.check_validity:
                try:
                    if not valid(self.entities_descr.valid_until):
                        raise ToOld(
                            "Metadata not valid anymore, it's only valid "
                            "until %s" % (self.entities_descr.valid_until, ))
                except AttributeError:
                    pass

            for entity_descr in self.entities_descr.entity_descriptor:
                self.do_entity_descriptor(entity_descr)
Beispiel #12
0
 def verify(self, key_file="", decrypt=True):
     try:
         valid_instance(self.response)
     except NotValid as exc:
         logger.error("Not valid response: %s" % exc.args[0])
         raise
     return self
Beispiel #13
0
    def __init__(self, cargs, kwargs):
        self.nspair = {"xs": "http://www.w3.org/2001/XMLSchema"}

        _cnf = kwargs['conf']
        res = read_multi_conf(_cnf, True)
        eds = []
        for key, cnf in res.items():
            eds.append(entity_descriptor(cnf))

        valid_for = 0

        """
            Setting things to None here that are now unused, but might be useful someday
        """
        conf = Config()
        conf.key_file = None
        conf.cert_file = None
        conf.debug = 1
        conf.xmlsec_binary = None
        args_name = None
        args_id = None
        args_sign = None
        secc = security_context(conf)

        desc, xmldoc = entities_descriptor(eds, valid_for, args_name, args_id,
                                           args_sign, secc)
        valid_instance(desc)

        self.desc = desc
        self.xmldoc = xmldoc
Beispiel #14
0
    def _metadata_endpoint(self, context):
        """
        Endpoint for retrieving the backend metadata
        :type context: satosa.context.Context
        :rtype: satosa.response.Response

        :param context: The current context
        :return: response with metadata
        """
        logger.debug("Sending metadata response")
        conf = self.sp.config

        metadata = entity_descriptor(conf)
        # creare gli attribute_consuming_service
        cnt = 0
        for (attribute_consuming_service
             ) in metadata.spsso_descriptor.attribute_consuming_service:
            attribute_consuming_service.index = str(cnt)
            cnt += 1

        cnt = 0
        for (assertion_consumer_service
             ) in metadata.spsso_descriptor.assertion_consumer_service:
            assertion_consumer_service.is_default = "true" if not cnt else ""
            assertion_consumer_service.index = str(cnt)
            cnt += 1

        # nameformat patch... tutto questo non rispecchia gli standard OASIS
        for reqattr in metadata.spsso_descriptor.attribute_consuming_service[
                0].requested_attribute:
            reqattr.name_format = None
            reqattr.friendly_name = None

        # attribute consuming service service name patch
        service_name = metadata.spsso_descriptor.attribute_consuming_service[
            0].service_name[0]
        service_name.lang = "it"
        service_name.text = metadata.entity_id

        # remove extension disco and uuinfo (spid-testenv2)
        # metadata.spsso_descriptor.extensions = []

        # load ContactPerson Extensions
        self._metadata_contact_person(metadata, conf)

        # metadata signature
        secc = security_context(conf)
        #
        sign_dig_algs = self.get_kwargs_sign_dig_algs()
        eid, xmldoc = sign_entity_descriptor(metadata, None, secc,
                                             **sign_dig_algs)

        valid_instance(eid)
        return Response(text_type(xmldoc).encode("utf-8"),
                        content="text/xml; charset=utf8")
Beispiel #15
0
    def _loads(self,
               xmldata,
               binding=None,
               origdoc=None,
               must=None,
               only_valid_cert=False,
               relayState=None,
               sigalg=None,
               signature=None):
        # own copy
        self.xmlstr = xmldata[:]
        logger.debug("xmlstr: %s, relayState: %s, sigalg: %s, signature: %s",
                     self.xmlstr, relayState, sigalg, signature)
        # If redirect binding, and provided SigAlg, Signature use that to verify
        # and skip signatureCheck withing SAMLRequest/xmldata
        _need_redirect_sig_check, _saml_msg, must = self._should_do_redirect_sig_check(
            binding, must, origdoc, relayState, sigalg, signature)

        try:
            self.message = self.signature_check(
                xmldata,
                origdoc=origdoc,
                must=must,
                only_valid_cert=only_valid_cert)
        except TypeError:
            raise
        except Exception as excp:
            self.message = None
            logger.info("EXCEPTION: %s", excp)

        if _need_redirect_sig_check and self.message is not None:
            _verified_ok = self._do_redirect_sig_check(_saml_msg)
            # Set self.message to None, it shall raise error further down.
            if not _verified_ok:
                self.message = None
                logger.error('Failed to verify signature')

        if not self.message:
            logger.error("Request was not correctly signed")
            logger.info("Request: %s", xmldata)
            raise IncorrectlySigned()

        logger.info("Request: %s", self.message)

        try:
            valid_instance(self.message)
        except NotValid as exc:
            logger.error("Not valid request: %s", exc.args[0])
            raise

        return self
Beispiel #16
0
    def _postamble(self):
        if not self.response:
            logger.error("Response was not correctly signed")
            if self.xmlstr:
                logger.info(self.xmlstr)
            raise IncorrectlySigned()

        logger.debug("response: %s" % (self.response,))

        try:
            valid_instance(self.response)
        except NotValid, exc:
            logger.error("Not valid response: %s" % exc.args[0])
            self._clear()
            return self
Beispiel #17
0
    def _postamble(self):
        if not self.response:
            logger.error("Response was not correctly signed")
            if self.xmlstr:
                logger.info(self.xmlstr)
            raise IncorrectlySigned()

        logger.debug("response: %s" % (self.response, ))

        try:
            valid_instance(self.response)
        except NotValid, exc:
            logger.error("Not valid response: %s" % exc.args[0])
            self._clear()
            return self
Beispiel #18
0
def _make_metadata(config_dict, option):
    """
    Creates metadata from the given idp config

    :type config_dict: dict[str, Any]
    :type option: vopaas.metadata_creation.make_vopaas_metadata.MetadataOption
    :rtype: str

    :param config_dict: config
    :param option: metadata creation settings
    :return: A xml string
    """
    eds = []
    cnf = Config()
    cnf.load(copy.deepcopy(config_dict), metadata_construction=True)

    if option.valid:
        cnf.valid_for = option.valid
    eds.append(entity_descriptor(cnf))

    conf = Config()
    conf.key_file = option.keyfile
    conf.cert_file = option.cert
    conf.debug = 1
    conf.xmlsec_binary = option.xmlsec
    secc = security_context(conf)

    if option.id:
        desc, xmldoc = entities_descriptor(eds, option.valid, option.name, option.id,
                                           option.sign, secc)
        valid_instance(desc)
        print(desc.to_string(NSPAIR))
    else:
        for eid in eds:
            if option.sign:
                assert conf.key_file
                assert conf.cert_file
                eid, xmldoc = sign_entity_descriptor(eid, option.id, secc)
            else:
                xmldoc = None

            valid_instance(eid)
            xmldoc = metadata_tostring_fix(eid, NSPAIR, xmldoc).decode()
            return xmldoc
Beispiel #19
0
class Request(object):
    def __init__(self,
                 sec_context,
                 receiver_addrs,
                 attribute_converters=None,
                 timeslack=0):
        self.sec = sec_context
        self.receiver_addrs = receiver_addrs
        self.timeslack = timeslack
        self.xmlstr = ""
        self.name_id = ""
        self.message = None
        self.not_on_or_after = 0
        self.attribute_converters = attribute_converters
        self.binding = None
        self.relay_state = ""
        self.signature_check = _dummy  # has to be set !!!

    def _clear(self):
        self.xmlstr = ""
        self.name_id = ""
        self.message = None
        self.not_on_or_after = 0

    def _loads(self,
               xmldata,
               binding=None,
               origdoc=None,
               must=None,
               only_valid_cert=False):
        # own copy
        self.xmlstr = xmldata[:]
        logger.info("xmlstr: %s" % (self.xmlstr, ))
        try:
            self.message = self.signature_check(
                xmldata,
                origdoc=origdoc,
                must=must,
                only_valid_cert=only_valid_cert)
        except TypeError:
            raise
        except Exception, excp:
            logger.info("EXCEPTION: %s", excp)

        if not self.message:
            logger.error("Response was not correctly signed")
            logger.info(xmldata)
            raise IncorrectlySigned()

        logger.info("request: %s" % (self.message, ))

        try:
            valid_instance(self.message)
        except NotValid, exc:
            logger.error("Not valid request: %s" % exc.args[0])
            raise
Beispiel #20
0
def write_metadata(sp_configs):
    """
    Generate SAML XML metadata from the pysaml2 JSON format.
    :param base: base url of the svs node
    :return: dictionary with the config for the two SP's
    """

    for _, config in sp_configs.iteritems():
        cnf = Config().load(config, metadata_construction=True)
        eid = entity_descriptor(cnf)
        valid_instance(eid)
        nspair = {"xs": "http://www.w3.org/2001/XMLSchema"}
        xmldoc = metadata_tostring_fix(eid, nspair, None)

        entity_id = config["entityid"]
        path = urlparse.urlparse(entity_id).path
        filename = os.path.basename(path)
        with open(filename, "w") as output_file:
            output_file.write(xmldoc)
Beispiel #21
0
def _make_metadata(config_dict, option):
    """
    Creates metadata from the given idp config

    :type config_dict: dict[str, Any]
    :type option: vopaas.metadata_creation.make_vopaas_metadata.MetadataOption
    :rtype: str

    :param config_dict: config
    :param option: metadata creation settings
    :return: A xml string
    """
    eds = []
    cnf = Config()
    cnf.load(copy.deepcopy(config_dict), metadata_construction=True)

    if option.valid:
        cnf.valid_for = option.valid
    eds.append(entity_descriptor(cnf))

    conf = Config()
    conf.key_file = option.keyfile
    conf.cert_file = option.cert
    conf.debug = 1
    conf.xmlsec_binary = option.xmlsec
    secc = security_context(conf)

    if option.id:
        desc, xmldoc = entities_descriptor(eds, option.valid, option.name, option.id, option.sign, secc)
        valid_instance(desc)
        print(desc.to_string(NSPAIR))
    else:
        for eid in eds:
            if option.sign:
                assert conf.key_file
                assert conf.cert_file
                eid, xmldoc = sign_entity_descriptor(eid, option.id, secc)
            else:
                xmldoc = None

            valid_instance(eid)
            xmldoc = metadata_tostring_fix(eid, NSPAIR, xmldoc).decode()
            return xmldoc
Beispiel #22
0
    def parse(self, xmlstr):
        self.entities_descr = md.entities_descriptor_from_string(xmlstr)

        if not self.entities_descr:
            self.entity_descr = md.entity_descriptor_from_string(xmlstr)
            if self.entity_descr:
                self.do_entity_descriptor(self.entity_descr)
        else:
            try:
                valid_instance(self.entities_descr)
            except NotValid, exc:
                logger.error(exc.args[0])
                return

            try:
                valid(self.entities_descr.valid_until)
            except AttributeError:
                pass

            for entity_descr in self.entities_descr.entity_descriptor:
                self.do_entity_descriptor(entity_descr)
Beispiel #23
0
    def _postamble(self):
        if not self.response:
            if self.log:
                self.log.error("Response was not correctly signed")
                if self.xmlstr:
                    self.log.info(self.xmlstr)
            raise IncorrectlySigned()
    
        if self.debug:
            self.log.info("response: %s" % (self.response,))

        try:
            valid_instance(self.response)
        except NotValid, exc:
            if self.log:
                self.log.error("Not valid response: %s" % exc.args[0])
            else:
                print >> sys.stderr, "Not valid response: %s" % exc.args[0]
        
            self._clear()
            return self
Beispiel #24
0
    def parse(self, xmlstr):
        self.entities_descr = md.entities_descriptor_from_string(xmlstr)

        if not self.entities_descr:
            self.entity_descr = md.entity_descriptor_from_string(xmlstr)
            if self.entity_descr:
                self.do_entity_descriptor(self.entity_descr)
        else:
            try:
                valid_instance(self.entities_descr)
            except NotValid, exc:
                logger.error(exc.args[0])
                return

            try:
                valid(self.entities_descr.valid_until)
            except AttributeError:
                pass

            for entity_descr in self.entities_descr.entity_descriptor:
                self.do_entity_descriptor(entity_descr)
Beispiel #25
0
def create_metadata_string(configfile, config, valid, cert, keyfile, id, name,
                           sign):
    valid_for = 0
    nspair = {"xs": "http://www.w3.org/2001/XMLSchema"}
    #paths = [".", "/opt/local/bin"]

    if valid:
        valid_for = int(valid)  # Hours

    eds = []
    if config is not None:
        eds.append(entity_descriptor(config))
    else:
        if configfile.endswith(".py"):
            configfile = configfile[:-3]
        config = Config().load_file(configfile, metadata_construction=True)
        eds.append(entity_descriptor(config))

    conf = Config()
    conf.key_file = keyfile
    conf.cert_file = cert
    conf.debug = 1
    conf.xmlsec_binary = config.xmlsec_binary
    secc = security_context(conf)

    if id:
        desc = entities_descriptor(eds, valid_for, name, id,
                                   sign, secc)
        valid_instance(desc)

        return metadata_tostring_fix(desc, nspair)
    else:
        for eid in eds:
            if sign:
                desc = sign_entity_descriptor(eid, id, secc)
            else:
                desc = eid
            valid_instance(desc)
            return metadata_tostring_fix(desc, nspair)
Beispiel #26
0
def test_valid_instance():
    attr_statem = saml.AttributeStatement()
    text = [
        "value of test attribute",
        "value1 of test attribute",
        "value2 of test attribute",
        "value1 of test attribute2",
        "value2 of test attribute2",
    ]

    attr_statem.attribute.append(saml.Attribute())
    attr_statem.attribute.append(saml.Attribute())
    attr_statem.attribute[0].name = "testAttribute"
    attr_statem.attribute[0].name_format = saml.NAME_FORMAT_URI
    attr_statem.attribute[0].friendly_name = "test attribute"
    attr_statem.attribute[0].attribute_value.append(saml.AttributeValue())
    attr_statem.attribute[0].attribute_value[0].text = text[0]

    attr_statem.attribute[1].name = "testAttribute2"
    attr_statem.attribute[1].name_format = saml.NAME_FORMAT_UNSPECIFIED
    attr_statem.attribute[1].friendly_name = text[2]
    attr_statem.attribute[1].attribute_value.append(saml.AttributeValue())
    attr_statem.attribute[1].attribute_value[0].text = text[2]

    assert valid_instance(attr_statem)

    response = samlp.Response()
    response.id = "response id"
    response.in_response_to = "request id"
    response.version = saml2.VERSION
    response.issue_instant = "2007-09-14T01:05:02Z"
    response.destination = "http://www.example.com/Destination"
    response.consent = saml.CONSENT_UNSPECIFIED
    response.issuer = saml.Issuer()
    response.status = samlp.Status()
    response.assertion.append(saml.Assertion())

    with raises(MustValueError):
        valid_instance(response)
Beispiel #27
0
    def _loads(self,
               xmldata,
               binding=None,
               origdoc=None,
               must=None,
               only_valid_cert=False):
        if binding == BINDING_HTTP_REDIRECT:
            pass

        # own copy
        self.xmlstr = xmldata[:]
        logger.debug("xmlstr: %s" % (self.xmlstr, ))
        try:
            self.message = self.signature_check(
                xmldata,
                origdoc=origdoc,
                must=must,
                only_valid_cert=only_valid_cert)
        except TypeError:
            raise
        except Exception as excp:
            logger.info("EXCEPTION: %s", excp)

        if not self.message:
            logger.error("Response was not correctly signed")
            logger.info(xmldata)
            raise IncorrectlySigned()

        logger.info("request: %s" % (self.message, ))

        try:
            valid_instance(self.message)
        except NotValid as exc:
            logger.error("Not valid request: %s" % exc.args[0])
            raise

        return self
Beispiel #28
0
class Request(object):
    def __init__(self, sec_context, receiver_addrs, timeslack=0):
        self.sec = sec_context
        self.receiver_addrs = receiver_addrs
        self.timeslack = timeslack
        self.xmlstr = ""
        self.name_id = ""
        self.message = None
        self.not_on_or_after = 0

        self.signature_check = _dummy  # has to be set !!!

    def _clear(self):
        self.xmlstr = ""
        self.name_id = ""
        self.message = None
        self.not_on_or_after = 0

    def _loads(self, xmldata, decode=True):
        if decode:
            logger.debug("Expected to decode and inflate xml data")
            decoded_xml = s_utils.decode_base64_and_inflate(xmldata)
        else:
            decoded_xml = xmldata

        # own copy
        self.xmlstr = decoded_xml[:]
        logger.info("xmlstr: %s" % (self.xmlstr, ))
        try:
            self.message = self.signature_check(decoded_xml)
        except TypeError:
            raise
        except Exception, excp:
            logger.info("EXCEPTION: %s", excp)

        if not self.message:
            logger.error("Response was not correctly signed")
            logger.info(decoded_xml)
            raise IncorrectlySigned()

        logger.info("request: %s" % (self.message, ))

        try:
            valid_instance(self.message)
        except NotValid, exc:
            logger.error("Not valid request: %s" % exc.args[0])
            raise
Beispiel #29
0
def create_signed_entities_descriptor(entity_descriptors, security_context, valid_for=None):
    """
    :param entity_descriptors: the entity descriptors to put in in an EntitiesDescriptor tag and sign
    :param security_context: security context for the signature
    :param valid_for: number of hours the metadata should be valid
    :return: the signed XML document

    :type entity_descriptors: Sequence[saml2.md.EntityDescriptor]]
    :type security_context: saml2.sigver.SecurityContext
    :type valid_for: Optional[int]
    """
    entities_desc, xmldoc = entities_descriptor(entity_descriptors, valid_for=valid_for, name=None, ident=None,
                                                sign=True, secc=security_context)
    if not valid_instance(entities_desc):
        raise ValueError("Could not construct valid EntitiesDescriptor tag")

    return xmldoc
Beispiel #30
0
def create_signed_entity_descriptor(entity_descriptor, security_context, valid_for=None):
    """
    :param entity_descriptor: the entity descriptor to sign
    :param security_context: security context for the signature
    :param valid_for: number of hours the metadata should be valid
    :return: the signed XML document

    :type entity_descriptor: saml2.md.EntityDescriptor]
    :type security_context: saml2.sigver.SecurityContext
    :type valid_for: Optional[int]
    """
    if valid_for:
        entity_descriptor.valid_until = in_a_while(hours=valid_for)

    entity_desc, xmldoc = sign_entity_descriptor(entity_descriptor, None, security_context)

    if not valid_instance(entity_desc):
        raise ValueError("Could not construct valid EntityDescriptor tag")

    return xmldoc
Beispiel #31
0
def test_valid_instance():
    attr_statem = saml.AttributeStatement()
    text = ["value of test attribute",
            "value1 of test attribute",
            "value2 of test attribute",
            "value1 of test attribute2",
            "value2 of test attribute2", ]

    attr_statem.attribute.append(saml.Attribute())
    attr_statem.attribute.append(saml.Attribute())
    attr_statem.attribute[0].name = "testAttribute"
    attr_statem.attribute[0].name_format = saml.NAME_FORMAT_URI
    attr_statem.attribute[0].friendly_name = "test attribute"
    attr_statem.attribute[0].attribute_value.append(saml.AttributeValue())
    attr_statem.attribute[0].attribute_value[0].text = text[0]

    attr_statem.attribute[1].name = "testAttribute2"
    attr_statem.attribute[1].name_format = saml.NAME_FORMAT_UNSPECIFIED
    attr_statem.attribute[1].friendly_name = text[2]
    attr_statem.attribute[1].attribute_value.append(saml.AttributeValue())
    attr_statem.attribute[1].attribute_value[0].text = text[2]

    assert valid_instance(attr_statem)

    response = samlp.Response()
    response.id = "response id"
    response.in_response_to = "request id"
    response.version = saml2.VERSION
    response.issue_instant = "2007-09-14T01:05:02Z"
    response.destination = "http://www.example.com/Destination"
    response.consent = saml.CONSENT_UNSPECIFIED
    response.issuer = saml.Issuer()
    response.status = samlp.Status()
    response.assertion.append(saml.Assertion())

    raises(MustValueError, 'valid_instance(response)')
Beispiel #32
0
 def verify(self):
     return valid_instance(self)
Beispiel #33
0
 def verify(self):
     try:
         valid_instance(self.response)
     except NotValid, exc:
         logger.error("Not valid response: %s" % exc.args[0])
         raise
Beispiel #34
0
 def verify(self):
     try:
         valid_instance(self.response)
     except NotValid, exc:
         logger.error("Not valid response: %s" % exc.args[0])
         raise
Beispiel #35
0
    def _metadata_endpoint(self, context):
        """
        Endpoint for retrieving the backend metadata
        :type context: satosa.context.Context
        :rtype: satosa.response.Response

        :param context: The current context
        :return: response with metadata
        """
        logger.debug("Sending metadata response")
        conf = self.sp.config

        metadata = entity_descriptor(conf)
        # creare gli attribute_consuming_service
        cnt = 0
        for attribute_consuming_service in metadata.spsso_descriptor.attribute_consuming_service:
            attribute_consuming_service.index = str(cnt)
            cnt += 1

        cnt = 0
        for assertion_consumer_service in metadata.spsso_descriptor.assertion_consumer_service:
            assertion_consumer_service.is_default = 'true' if not cnt else ''
            assertion_consumer_service.index = str(cnt)
            cnt += 1

        # nameformat patch... tutto questo non rispecchia gli standard OASIS
        for reqattr in metadata.spsso_descriptor.attribute_consuming_service[
                0].requested_attribute:
            reqattr.name_format = None
            reqattr.friendly_name = None

        # attribute consuming service service name patch
        service_name = metadata.spsso_descriptor.attribute_consuming_service[
            0].service_name[0]
        service_name.lang = 'it'
        service_name.text = metadata.entity_id

        # remove extension disco and uuinfo (spid-testenv2)
        #metadata.spsso_descriptor.extensions = []

        ##############
        # avviso 29 v3
        #
        # https://www.agid.gov.it/sites/default/files/repository_files/spid-avviso-n29v3-specifiche_sp_pubblici_e_privati_0.pdf
        # Avviso 29v3
        SPID_PREFIXES = dict(spid="https://spid.gov.it/saml-extensions",
                             fpa="https://spid.gov.it/invoicing-extensions")
        saml2.md.SamlBase.register_prefix(SPID_PREFIXES)
        metadata.contact_person = []
        contact_map = conf.contact_person
        cnt = 0
        metadata.contact_person = []
        for contact in contact_map:
            spid_contact = saml2.md.ContactPerson()
            spid_contact.contact_type = contact['contact_type']
            contact_kwargs = {
                'email_address': [contact['email_address']],
                'telephone_number': [contact['telephone_number']]
            }
            if contact['contact_type'] == 'other':
                spid_contact.loadd(contact_kwargs)
                contact_kwargs['contact_type'] = contact['contact_type']
                spid_extensions = saml2.ExtensionElement(
                    'Extensions',
                    namespace='urn:oasis:names:tc:SAML:2.0:metadata')
                for k, v in contact.items():
                    if k in contact_kwargs: continue
                    ext = saml2.ExtensionElement(
                        k, namespace=SPID_PREFIXES['spid'], text=v)
                    spid_extensions.children.append(ext)

            elif contact['contact_type'] == 'billing':
                contact_kwargs['company'] = contact['company']
                spid_contact.loadd(contact_kwargs)
                spid_extensions = saml2.ExtensionElement(
                    'Extensions',
                    namespace='urn:oasis:names:tc:SAML:2.0:metadata')

                elements = {}
                for k, v in contact.items():
                    if k in contact_kwargs: continue
                    ext = saml2.ExtensionElement(
                        k, namespace=SPID_PREFIXES['fpa'], text=v)
                    elements[k] = ext

                # DatiAnagrafici
                IdFiscaleIVA = saml2.ExtensionElement(
                    'IdFiscaleIVA',
                    namespace=SPID_PREFIXES['fpa'],
                )
                Anagrafica = saml2.ExtensionElement(
                    'Anagrafica',
                    namespace=SPID_PREFIXES['fpa'],
                )
                Anagrafica.children.append(elements['Denominazione'])

                IdFiscaleIVA.children.append(elements['IdPaese'])
                IdFiscaleIVA.children.append(elements['IdCodice'])
                DatiAnagrafici = saml2.ExtensionElement(
                    'DatiAnagrafici',
                    namespace=SPID_PREFIXES['fpa'],
                )
                if elements.get('CodiceFiscale'):
                    DatiAnagrafici.children.append(elements['CodiceFiscale'])
                DatiAnagrafici.children.append(IdFiscaleIVA)
                DatiAnagrafici.children.append(Anagrafica)
                CessionarioCommittente = saml2.ExtensionElement(
                    'CessionarioCommittente',
                    namespace=SPID_PREFIXES['fpa'],
                )
                CessionarioCommittente.children.append(DatiAnagrafici)

                # Sede
                Sede = saml2.ExtensionElement(
                    'Sede',
                    namespace=SPID_PREFIXES['fpa'],
                )
                Sede.children.append(elements['Indirizzo'])
                Sede.children.append(elements['NumeroCivico'])
                Sede.children.append(elements['CAP'])
                Sede.children.append(elements['Comune'])
                Sede.children.append(elements['Provincia'])
                Sede.children.append(elements['Nazione'])
                CessionarioCommittente.children.append(Sede)

                spid_extensions.children.append(CessionarioCommittente)

            spid_contact.extensions = spid_extensions
            metadata.contact_person.append(spid_contact)
            cnt += 1
        #
        # fine avviso 29v3
        ###################

        # metadata signature
        secc = security_context(conf)
        #
        sign_dig_algs = self.get_kwargs_sign_dig_algs()
        eid, xmldoc = sign_entity_descriptor(metadata, None, secc,
                                             **sign_dig_algs)

        valid_instance(eid)
        return Response(text_type(xmldoc).encode('utf-8'),
                        content="text/xml; charset=utf8")
Beispiel #36
0
if args.xmlsec:
    xmlsec = args.xmlsec
else:
    xmlsec = get_xmlsec_binary(paths)

eds = []
for filespec in args.config:
    bas, fil = os.path.split(filespec)
    if bas != "":
        sys.path.insert(0, bas)
    if fil.endswith(".py"):
        fil = fil[:-3]
    cnf = Config().load_file(fil, metadata_construction=True)
    eds.append(entity_descriptor(cnf))

secc = SecurityContext(xmlsec, args.keyfile, cert_file=args.cert)
if args.id:
    desc = entities_descriptor(eds, valid_for, args.name, args.id,
                               args.sign, secc)
    valid_instance(desc)
    print desc.to_string(nspair)
else:
    for eid in eds:
        if args.sign:
            desc = sign_entity_descriptor(eid, id, secc)
        else:
            desc = eid
        valid_instance(desc)
        print desc.to_string(nspair)
Beispiel #37
0
    def _loads(
        self,
        xmldata,
        binding=None,
        origdoc=None,
        must=None,
        only_valid_cert=False,
        relay_state=None,
        sigalg=None,
        signature=None,
    ):
        # own copy
        self.xmlstr = xmldata[:]
        logger.debug("xmlstr: %s, relay_state: %s, sigalg: %s, signature: %s",
                     self.xmlstr, relay_state, sigalg, signature)

        sign_redirect = must and binding == BINDING_HTTP_REDIRECT
        sign_post = must and not sign_redirect
        incorrectly_signed = IncorrectlySigned("Request was not signed correctly")

        try:
            self.message = self.signature_check(
                xmldata,
                origdoc=origdoc,
                must=sign_post,
                only_valid_cert=only_valid_cert,
            )
        except Exception as e:
            self.message = None
            raise incorrectly_signed from e

        if sign_redirect:
            if sigalg is None or signature is None:
                raise incorrectly_signed

            _saml_msg = {
                "SAMLRequest": origdoc,
                "Signature": signature,
                "SigAlg": sigalg,
            }
            if relay_state is not None:
                _saml_msg["RelayState"] = relay_state
            try:
                sig_verified = self._do_redirect_sig_check(_saml_msg)
            except Exception as e:
                self.message = None
                raise incorrectly_signed from e
            else:
                if not sig_verified:
                    self.message = None
                    raise incorrectly_signed

        if not self.message:
            logger.error("Request was not signed correctly")
            logger.info("Request data: %s", xmldata)
            raise incorrectly_signed

        logger.info("Request message: %s", self.message)

        try:
            valid_instance(self.message)
        except NotValid as exc:
            logger.error("Request not valid: %s", exc.args[0])
            raise

        return self
Beispiel #38
0
 def create_sp_metadata(self):
     nspair = {"xs": "http://www.w3.org/2001/XMLSchema"}
     ed = entity_descriptor(self.config)
     valid_instance(ed)
     return metadata_tostring_fix(ed, nspair)
Beispiel #39
0
    cnf = Config().load_file(fil, metadata_construction=True)
    if valid_for:
        cnf.valid_for = valid_for
    eds.append(entity_descriptor(cnf))

conf = Config()
conf.key_file = args.keyfile
conf.cert_file = args.cert
conf.debug = 1
conf.xmlsec_binary = args.xmlsec
secc = security_context(conf)

if args.id:
    desc, xmldoc = entities_descriptor(eds, valid_for, args.name, args.id,
                                       args.sign, secc)
    valid_instance(desc)
    xmldoc = metadata_tostring_fix(desc, nspair, xmldoc)
    print(xmldoc.decode("utf-8"))
else:
    for eid in eds:
        if args.sign:
            assert conf.key_file
            assert conf.cert_file
            eid, xmldoc = sign_entity_descriptor(eid, args.id, secc)
        else:
            xmldoc = None

        valid_instance(eid)
        xmldoc = metadata_tostring_fix(eid, nspair, xmldoc)
        print(xmldoc.decode("utf-8"))
Beispiel #40
0
 def verify(self):
     return valid_instance(self)