def normalize_ed(xml: bytes) -> bytes:
''' convert EntityDescriptor to UTF-8, move namespace declarations to the top,
remove EntitiesDescriptor root element,
remove signature/validuntil/cacheduration pretty-print '''
pvzdconf = PVZDlibConfigAbstract.get_config()
tree: lxml.etree.ElementTree = lxml.etree.fromstring(xml).getroottree()
tree: lxml.etree.ElementTree = SamlEdValidator._extract_saml_entitydescriptor(
pvzdconf, tree)
tree: lxml.etree.ElementTree = SamlEdValidator._tidy_saml_entitydescriptor(
pvzdconf, tree)
return lxml.etree.tostring(tree,
encoding='UTF-8',
xml_declaration=True,
pretty_print=True)
def test_03_initialize(pvzdconfig03):
pvzdconf = PVZDlibConfigAbstract.get_config()
backend = pvzdconf.polstore_backend
try:
pvzdconf.polstore_backend.reset_pjournal_and_derived()
except PolicyJournalNotInitialized: # customize this to actual storage
pass
backend.set_policy_journal_xml(b'\x00')
backend.set_policy_journal_json('{"journaltestentry": ""}')
backend.set_poldict_json('{"dicttestentry": ""}')
backend.set_poldict_html('<html/>')
backend.set_shibacl(b'\x01')
backend.set_trustedcerts_report('lore ipsum')
assert backend.get_policy_journal_xml() == b'\x00'
assert backend.get_policy_journal_json() == '{"journaltestentry": ""}'
assert backend.get_poldict_json() == '{"dicttestentry": ""}'
assert backend.get_poldict_html() == '<html/>'
assert backend.get_shibacl() == b'\x01'
assert backend.get_trustedcerts_report() == 'lore ipsum'
def __init__(self):
self.pvzdconf = PVZDlibConfigAbstract.get_config()
self.trusted_certs = TrustedCerts().certs
self.be = self.pvzdconf.polstore_backend
def __init__(self):
self.pvzdconf = PVZDlibConfigAbstract.get_config()
self._load_certlist_from_certdir()
def test_02_read_existing(pvzdconfig02, expected_poldict_json02):
pvzdconf = PVZDlibConfigAbstract.get_config()
backend = pvzdconf.polstore_backend
policy_journal_json = backend.get_policy_journal_json()
assert json.loads(policy_journal_json) == expected_poldict_json02
def test_01_default_not_init():
pvzdconf = PVZDlibConfigAbstract.get_config()
backend = pvzdconf.polstore_backend
assert backend.get_policy_journal_path().name == 'policyjournal.xml'
with pytest.raises(PolicyJournalNotInitialized) as context:
_ = backend.get_policy_journal_json()
def cre_signedxml_seclay(sig_data, sig_type='envelopingB64BZIP', sig_position=None):
''' Create XAdES signature using AT Bürgerkarte/Security Layer
There are two signature types:
1. envelopingB64BZIP: compress, b64-encode and sign the data (enveloping)
2. enveloped: sign whole element specified py the XPath location
Caveat: the XPAth for the position of the enveloping signature must use the
QName prefix, not the namespace URI
(e.g. md: instead of urn:oasis:names:tc:SAML:2.0:metadata:)
'''
if sig_type not in ('envelopingB64BZIP', 'enveloped'):
raise ValidationError("Signature type must be one of 'envelopingB64BZIP', 'enveloped' but is " + sig_type)
if sig_type == 'envelopingB64BZIP':
dataObject = DATA_HEADER_B64BZIP + base64.b64encode(bz2.compress(sig_data.encode('utf-8'))).decode('ascii')
xml_sig_type = 'enveloping'
else:
dataObject = re.sub(r'<\?xml.*>', '', sig_data) # remove xml-header - provided by SecLay request wrapper
xml_sig_type = 'enveloped'
# logging.debug('data to be signed:\n%s\n\n' % dataObject)
sigRequ = get_seclay_request(xml_sig_type, dataObject, sig_position)
# logging.debug('SecLay request:\n%s\n' % sigRequ)
try:
s = requests.Session()
req = requests.Request(
'POST', 'http://localhost:3495/http-security-layer-request',
data={'XMLRequest': sigRequ})
prepped = req.prepare()
logmsg = '{}\n{}\n{}\n\n{}'.format(
'-----------HTTP Request Start -----------',
prepped.method + ' ' + prepped.url,
'\n'.join('{}: {}'.format(k, v) for k, v in prepped.headers.items()),
prepped.body,
'-----------HTTP Request End -----------'
)
logging.debug(logmsg)
pvzdconf = PVZDlibConfigAbstract.get_config()
testout_path = pvzdconf.testout / 'cresigrequ.xml'
testout_path.write_text(logmsg)
r = s.send(prepped)
except requests.exceptions.ConnectionError as e:
raise ValidationError("Cannot connect to security layer (MOCCA) to create a signature " + e.strerror)
if r.status_code != 200:
raise ValidationError("Security layer failed with HTTP %s, message: \n\n%s" % (r.status_code, r.text))
if r.text.find('sl:ErrorResponse') >= 0:
if r.text.find('<sl:ErrorCode>6001</sl:ErrorCode>'):
# sys.tracebacklimit = 0 # bug in py3 - tracebacklimit not honored
raise SecurityLayerCancelledError(
'Signature cancelled by user. Securty Layer Code 6001. Other cause: trying to sign signed XML')
# sl:ErrorCode=6001, Abbruch durch den Bürger über die Benutzerschnittstelle.
else:
raise ValidationError("Security Layer responed with error message.\n" + r.text)
# Strip xml root element (CreateXMLSignatureResponse), making disg:Signature the new root:
# (keeping namespace prefixes - otherwise the signature would break. Therefore not using etree.)
logging.debug('security layer create signature response:\n%s\n' % r.text)
testout_path = pvzdconf.testout / 'cresigresp.xml'
testout_path.write_text(r.text)
r1 = re.sub(r'<sl:CreateXMLSignatureResponse [^>]*>', '', r.text)
r2 = re.sub(r'</sl:CreateXMLSignatureResponse>', '', r1)
testout_path = pvzdconf.testout / 'signedxml.xml'
testout_path.write_text(r2)
return r2