def error_response(self, in_response_to, destination, spid, info, name_id=None, sign=False, issuer=None): """ Create a error response. :param in_response_to: The identifier of the message this is a response to. :param destination: The intended recipient of this message :param spid: The entitiy ID of the SP that will get this. :param info: Either an Exception instance or a 2-tuple consisting of error code and descriptive text :param name_id: :param sign: Whether the message should be signed or not :param issuer: The issuer of the response :return: A Response instance """ status = error_status_factory(info) return self._response( in_response_to, # in_response_to destination, # consumer_url spid, # sp_entity_id name_id=name_id, status=status, sign=sign, issuer=issuer )
def test_parse_faulty_request_to_err_status(self): req_id, authn_request = self.client.create_authn_request( destination="http://www.example.com") binding = BINDING_HTTP_REDIRECT htargs = self.client.apply_binding(binding, "%s" % authn_request, "http://www.example.com", "abcd") _dict = parse_qs(htargs["headers"][0][1].split('?')[1]) print(_dict) try: self.server.parse_authn_request(_dict["SAMLRequest"][0], binding) status = None except OtherError as oe: print(oe.args) status = s_utils.error_status_factory(oe) assert status print(status) assert _eq(status.keyswv(), ["status_code", "status_message"]) assert status.status_message.text == 'Not destined for me!' status_code = status.status_code assert _eq(status_code.keyswv(), ["status_code", "value"]) assert status_code.value == samlp.STATUS_RESPONDER assert status_code.status_code.value == samlp.STATUS_UNKNOWN_PRINCIPAL
def error_response(self, in_response_to, destination, spid, info, name_id=None, sign=False, issuer=None): """ Create a error response. :param in_response_to: The identifier of the message this is a response to. :param destination: The intended recipient of this message :param spid: The entitiy ID of the SP that will get this. :param info: Either an Exception instance or a 2-tuple consisting of error code and descriptive text :param name_id: :param sign: Whether the message should be signed or not :param issuer: The issuer of the response :return: A Response instance """ status = error_status_factory(info) return self._response( in_response_to, # in_response_to destination, # consumer_url spid, # sp_entity_id name_id=name_id, status=status, sign=sign, issuer=issuer, )
def _logout_response(self, req_info, status_code, req_key, sign_response=True): """ Create logout response. :param req_info: Logout request :param status_code: logout result (e.g. 'urn:oasis:names:tc:SAML:2.0:status:Success') :param req_key: SAML request id :param sign_response: cryptographically sign response or not :return: HTML response :type req_info: saml2.request.LogoutRequest :type status_code: string :type req_key: string :type sign_response: bool :rtype: string """ self.logger.debug("LOGOUT of '{!s}' by '{!s}', success={!r}".format(req_info.subject_id(), req_info.sender(), status_code)) if req_info.binding != BINDING_SOAP: bindings = [BINDING_HTTP_REDIRECT, BINDING_HTTP_POST] binding, destination = self.context.idp.pick_binding("single_logout_service", bindings, entity_id = req_info.sender()) bindings = [binding] else: bindings = [BINDING_SOAP] destination = "" status = None # None == success in create_logout_response() if status_code != saml2.samlp.STATUS_SUCCESS: status = error_status_factory((status_code, "Logout failed")) self.logger.debug("Created 'logout failed' status based on {!r} : {!r}".format(status_code, status)) issuer = self.context.idp._issuer(self.context.idp.config.entityid) response = self.context.idp.create_logout_response(req_info.message, bindings, status, sign = sign_response, issuer = issuer) # Only perform expensive parse/pretty-print if debugging if self.config.debug: xmlstr = eduid_idp.util.maybe_xml_to_string(response, logger=self.logger) self.logger.debug("Logout SAMLResponse :\n\n{!s}\n\n".format(xmlstr)) ht_args = self.context.idp.apply_binding(bindings[0], str(response), destination, req_info.relay_state, response = True) # self.logger.debug("Apply bindings result :\n{!s}\n\n".format(pprint.pformat(ht_args))) # Delete the SSO session cookie in the browser eduid_idp.mischttp.delete_cookie('idpauthn', self.logger, self.config) # INFO-Log the SAML request ID, result of logout and destination self.logger.info("{!s}: logout status={!r}, dst={!s}".format(req_key, status_code, destination)) # XXX old code checked 'if req_info.binding == BINDING_HTTP_REDIRECT:', but it looks like # it would be more correct to look at bindings[0] here, since `bindings' is what was used # with create_logout_response() and apply_binding(). if req_info.binding != bindings[0]: self.logger.debug("Creating response with binding {!r] instead of {!r} used before".format( bindings[0], req_info.binding)) return eduid_idp.mischttp.create_html_response(bindings[0], ht_args, self.start_response, self.logger)
def _logout_response(self, req_info, status_code, req_key, sign_response=True): """ Create logout response. :param req_info: Logout request :param status_code: logout result (e.g. 'urn:oasis:names:tc:SAML:2.0:status:Success') :param req_key: SAML request id :param sign_response: cryptographically sign response or not :return: HTML response :type req_info: saml2.request.LogoutRequest :type status_code: string :type req_key: string :type sign_response: bool :rtype: string """ self.logger.debug("LOGOUT of '{!s}' by '{!s}', success={!r}".format(req_info.subject_id(), req_info.sender(), status_code)) if req_info.binding != BINDING_SOAP: bindings = [BINDING_HTTP_REDIRECT, BINDING_HTTP_POST] binding, destination = self.IDP.pick_binding("single_logout_service", bindings, entity_id = req_info.sender()) bindings = [binding] else: bindings = [BINDING_SOAP] destination = "" status = None # None == success in create_logout_response() if status_code != saml2.samlp.STATUS_SUCCESS: status = error_status_factory((status_code, "Logout failed")) self.logger.debug("Created 'logout failed' status based on {!r} : {!r}".format(status_code, status)) issuer = self.IDP._issuer(self.IDP.config.entityid) response = self.IDP.create_logout_response(req_info.message, bindings, status, sign = sign_response, issuer = issuer) # Only perform expensive parse/pretty-print if debugging if self.config.debug: xmlstr = eduid_idp.util.maybe_xml_to_string(response, logger=self.logger) self.logger.debug("Logout SAMLResponse :\n\n{!s}\n\n".format(xmlstr)) ht_args = self.IDP.apply_binding(bindings[0], str(response), destination, req_info.relay_state, response = True) # self.logger.debug("Apply bindings result :\n{!s}\n\n".format(pprint.pformat(ht_args))) # Delete the SSO session cookie in the browser eduid_idp.mischttp.delete_cookie('idpauthn', self.logger, self.config) # INFO-Log the SAML request ID, result of logout and destination self.logger.info("{!s}: logout status={!r}, dst={!s}".format(req_key, status_code, destination)) # XXX old code checked 'if req_info.binding == BINDING_HTTP_REDIRECT:', but it looks like # it would be more correct to look at bindings[0] here, since `bindings' is what was used # with create_logout_response() and apply_binding(). if req_info.binding != bindings[0]: self.logger.debug("Creating response with binding {!r] instead of {!r} used before".format( bindings[0], req_info.binding)) return eduid_idp.mischttp.create_html_response(bindings[0], ht_args, self.start_response, self.logger)
def test_parse_faulty_request_to_err_status(self): req_id, authn_request = self.client.create_authn_request(destination="http://www.example.com") binding = BINDING_HTTP_REDIRECT htargs = self.client.apply_binding(binding, "%s" % authn_request, "http://www.example.com", "abcd") _dict = parse_qs(htargs["headers"][0][1].split("?")[1]) print _dict try: self.server.parse_authn_request(_dict["SAMLRequest"][0], binding) status = None except OtherError, oe: print oe.args status = s_utils.error_status_factory(oe)
def test_parse_faulty_request_to_err_status(self): authn_request = self.client.authn_request( query_id = "id1", destination = "http://www.example.com", service_url = "http://www.example.org", spentityid = "urn:mace:example.com:saml:roland:sp", my_name = "My real name", ) intermed = s_utils.deflate_and_base64_encode("%s" % authn_request) try: self.server.parse_authn_request(intermed) status = None except OtherError, oe: print oe.args status = s_utils.error_status_factory(oe)
def test_parse_faulty_request_to_err_status(self): req_id, authn_request = self.client.create_authn_request( destination="http://www.example.com") binding = BINDING_HTTP_REDIRECT htargs = self.client.apply_binding(binding, "%s" % authn_request, "http://www.example.com", "abcd") _dict = parse_qs(htargs["headers"][0][1].split('?')[1]) print _dict try: self.server.parse_authn_request(_dict["SAMLRequest"][0], binding) status = None except OtherError, oe: print oe.args status = s_utils.error_status_factory(oe)
def create_error_response(self, in_response_to, destination, info, sign=False, issuer=None): """ Create a error response. :param in_response_to: The identifier of the message this is a response to. :param destination: The intended recipient of this message :param info: Either an Exception instance or a 2-tuple consisting of error code and descriptive text :param sign: Whether the response should be signed or not :param issuer: The issuer of the response :return: A response instance """ status = error_status_factory(info) return self._response(in_response_to, destination, status, issuer, sign)
def create_error_response(self, in_response_to, destination, info, sign=False, issuer=None, sign_alg=None, digest_alg=None, **kwargs): """ Create a error response. :param in_response_to: The identifier of the message this is a response to. :param destination: The intended recipient of this message :param info: Either an Exception instance or a 2-tuple consisting of error code and descriptive text :param sign: Whether the response should be signed or not :param issuer: The issuer of the response :param kwargs: To capture key,value pairs I don't care about :return: A response instance """ status = error_status_factory(info) return self._response(in_response_to, destination, status, issuer, sign, sign_alg=sign_alg, digest_alg=digest_alg)
def do_logout_response(req_info, status=None): if status: status = s_utils.error_status_factory((status, "Logout failed")) return logout_response(req_info, status)
def test_status_from_exception(): e = utils.UnknownPrincipal("Error resolving principal") stat = utils.error_status_factory(e) status_text = "%s" % stat print status_text assert status_text == ERROR_STATUS
def test_status_from_tuple(): stat = utils.error_status_factory((samlp.STATUS_UNKNOWN_PRINCIPAL, 'Error resolving principal')) status_text = "%s" % stat assert status_text in (ERROR_STATUS_NO_HEADER, ERROR_STATUS)
def test_status_from_tuple_empty_message(): stat = utils.error_status_factory((samlp.STATUS_UNKNOWN_PRINCIPAL, None)) status_text = "%s" % stat assert status_text in (ERROR_STATUS_EMPTY, ERROR_STATUS_NO_HEADER_EMPTY)
def test_status_from_tuple(): stat = utils.error_status_factory( (samlp.STATUS_UNKNOWN_PRINCIPAL, 'Error resolving principal')) status_text = "%s" % stat assert status_text in (ERROR_STATUS_NO_HEADER, ERROR_STATUS)