Example #1
0
 def error_response(self, in_response_to, destination, spid, info, 
                     name_id=None, sign=False, issuer=None):
     """ Create a error response.
     
     :param in_response_to: The identifier of the message this is a response
         to.
         :param destination: The intended recipient of this message
     :param spid: The entitiy ID of the SP that will get this.
     :param info: Either an Exception instance or a 2-tuple consisting of
         error code and descriptive text
     :param name_id:
     :param sign: Whether the message should be signed or not
     :param issuer: The issuer of the response
     :return: A Response instance
     """
     status = error_status_factory(info)
         
     return self._response(
                     in_response_to, # in_response_to
                     destination,    # consumer_url
                     spid,           # sp_entity_id
                     name_id=name_id,
                     status=status,
                     sign=sign,
                     issuer=issuer
                     )
Example #2
0
    def test_parse_faulty_request_to_err_status(self):
        req_id, authn_request = self.client.create_authn_request(
            destination="http://www.example.com")

        binding = BINDING_HTTP_REDIRECT
        htargs = self.client.apply_binding(binding, "%s" % authn_request,
                                           "http://www.example.com", "abcd")
        _dict = parse_qs(htargs["headers"][0][1].split('?')[1])
        print(_dict)

        try:
            self.server.parse_authn_request(_dict["SAMLRequest"][0], binding)
            status = None
        except OtherError as oe:
            print(oe.args)
            status = s_utils.error_status_factory(oe)

        assert status
        print(status)
        assert _eq(status.keyswv(), ["status_code", "status_message"])
        assert status.status_message.text == 'Not destined for me!'
        status_code = status.status_code
        assert _eq(status_code.keyswv(), ["status_code", "value"])
        assert status_code.value == samlp.STATUS_RESPONDER
        assert status_code.status_code.value == samlp.STATUS_UNKNOWN_PRINCIPAL
Example #3
0
    def error_response(self, in_response_to, destination, spid, info, name_id=None, sign=False, issuer=None):
        """ Create a error response.
        
        :param in_response_to: The identifier of the message this is a response
            to.
            :param destination: The intended recipient of this message
        :param spid: The entitiy ID of the SP that will get this.
        :param info: Either an Exception instance or a 2-tuple consisting of
            error code and descriptive text
        :param name_id:
        :param sign: Whether the message should be signed or not
        :param issuer: The issuer of the response
        :return: A Response instance
        """
        status = error_status_factory(info)

        return self._response(
            in_response_to,  # in_response_to
            destination,  # consumer_url
            spid,  # sp_entity_id
            name_id=name_id,
            status=status,
            sign=sign,
            issuer=issuer,
        )
Example #4
0
    def test_parse_faulty_request_to_err_status(self):
        req_id, authn_request = self.client.create_authn_request(
            destination="http://www.example.com")

        binding = BINDING_HTTP_REDIRECT
        htargs = self.client.apply_binding(binding, "%s" % authn_request,
                                           "http://www.example.com", "abcd")
        _dict = parse_qs(htargs["headers"][0][1].split('?')[1])
        print(_dict)

        try:
            self.server.parse_authn_request(_dict["SAMLRequest"][0], binding)
            status = None
        except OtherError as oe:
            print(oe.args)
            status = s_utils.error_status_factory(oe)

        assert status
        print(status)
        assert _eq(status.keyswv(), ["status_code", "status_message"])
        assert status.status_message.text == 'Not destined for me!'
        status_code = status.status_code
        assert _eq(status_code.keyswv(), ["status_code", "value"])
        assert status_code.value == samlp.STATUS_RESPONDER
        assert status_code.status_code.value == samlp.STATUS_UNKNOWN_PRINCIPAL
Example #5
0
    def _logout_response(self, req_info, status_code, req_key, sign_response=True):
        """
        Create logout response.

        :param req_info: Logout request
        :param status_code: logout result (e.g. 'urn:oasis:names:tc:SAML:2.0:status:Success')
        :param req_key: SAML request id
        :param sign_response: cryptographically sign response or not
        :return: HTML response

        :type req_info: saml2.request.LogoutRequest
        :type status_code: string
        :type req_key: string
        :type sign_response: bool
        :rtype: string
        """
        self.logger.debug("LOGOUT of '{!s}' by '{!s}', success={!r}".format(req_info.subject_id(),
                                                                            req_info.sender(),
                                                                            status_code))
        if req_info.binding != BINDING_SOAP:
            bindings = [BINDING_HTTP_REDIRECT, BINDING_HTTP_POST]
            binding, destination = self.context.idp.pick_binding("single_logout_service", bindings,
                                                         entity_id = req_info.sender())
            bindings = [binding]
        else:
            bindings = [BINDING_SOAP]
            destination = ""

        status = None  # None == success in create_logout_response()
        if status_code != saml2.samlp.STATUS_SUCCESS:
            status = error_status_factory((status_code, "Logout failed"))
            self.logger.debug("Created 'logout failed' status based on {!r} : {!r}".format(status_code, status))

        issuer = self.context.idp._issuer(self.context.idp.config.entityid)
        response = self.context.idp.create_logout_response(req_info.message, bindings, status, sign = sign_response,
                                                   issuer = issuer)
        # Only perform expensive parse/pretty-print if debugging
        if self.config.debug:
            xmlstr = eduid_idp.util.maybe_xml_to_string(response, logger=self.logger)
            self.logger.debug("Logout SAMLResponse :\n\n{!s}\n\n".format(xmlstr))

        ht_args = self.context.idp.apply_binding(bindings[0], str(response), destination, req_info.relay_state,
                                         response = True)
        # self.logger.debug("Apply bindings result :\n{!s}\n\n".format(pprint.pformat(ht_args)))

        # Delete the SSO session cookie in the browser
        eduid_idp.mischttp.delete_cookie('idpauthn', self.logger, self.config)

        # INFO-Log the SAML request ID, result of logout and destination
        self.logger.info("{!s}: logout status={!r}, dst={!s}".format(req_key, status_code, destination))

        # XXX old code checked 'if req_info.binding == BINDING_HTTP_REDIRECT:', but it looks like
        # it would be more correct to look at bindings[0] here, since `bindings' is what was used
        # with create_logout_response() and apply_binding().
        if req_info.binding != bindings[0]:
            self.logger.debug("Creating response with binding {!r] instead of {!r} used before".format(
                bindings[0], req_info.binding))
        return eduid_idp.mischttp.create_html_response(bindings[0], ht_args, self.start_response, self.logger)
Example #6
0
    def _logout_response(self, req_info, status_code, req_key, sign_response=True):
        """
        Create logout response.

        :param req_info: Logout request
        :param status_code: logout result (e.g. 'urn:oasis:names:tc:SAML:2.0:status:Success')
        :param req_key: SAML request id
        :param sign_response: cryptographically sign response or not
        :return: HTML response

        :type req_info: saml2.request.LogoutRequest
        :type status_code: string
        :type req_key: string
        :type sign_response: bool
        :rtype: string
        """
        self.logger.debug("LOGOUT of '{!s}' by '{!s}', success={!r}".format(req_info.subject_id(),
                                                                            req_info.sender(),
                                                                            status_code))
        if req_info.binding != BINDING_SOAP:
            bindings = [BINDING_HTTP_REDIRECT, BINDING_HTTP_POST]
            binding, destination = self.IDP.pick_binding("single_logout_service", bindings,
                                                         entity_id = req_info.sender())
            bindings = [binding]
        else:
            bindings = [BINDING_SOAP]
            destination = ""

        status = None  # None == success in create_logout_response()
        if status_code != saml2.samlp.STATUS_SUCCESS:
            status = error_status_factory((status_code, "Logout failed"))
            self.logger.debug("Created 'logout failed' status based on {!r} : {!r}".format(status_code, status))

        issuer = self.IDP._issuer(self.IDP.config.entityid)
        response = self.IDP.create_logout_response(req_info.message, bindings, status, sign = sign_response,
                                                   issuer = issuer)
        # Only perform expensive parse/pretty-print if debugging
        if self.config.debug:
            xmlstr = eduid_idp.util.maybe_xml_to_string(response, logger=self.logger)
            self.logger.debug("Logout SAMLResponse :\n\n{!s}\n\n".format(xmlstr))

        ht_args = self.IDP.apply_binding(bindings[0], str(response), destination, req_info.relay_state,
                                         response = True)
        # self.logger.debug("Apply bindings result :\n{!s}\n\n".format(pprint.pformat(ht_args)))

        # Delete the SSO session cookie in the browser
        eduid_idp.mischttp.delete_cookie('idpauthn', self.logger, self.config)

        # INFO-Log the SAML request ID, result of logout and destination
        self.logger.info("{!s}: logout status={!r}, dst={!s}".format(req_key, status_code, destination))

        # XXX old code checked 'if req_info.binding == BINDING_HTTP_REDIRECT:', but it looks like
        # it would be more correct to look at bindings[0] here, since `bindings' is what was used
        # with create_logout_response() and apply_binding().
        if req_info.binding != bindings[0]:
            self.logger.debug("Creating response with binding {!r] instead of {!r} used before".format(
                bindings[0], req_info.binding))
        return eduid_idp.mischttp.create_html_response(bindings[0], ht_args, self.start_response, self.logger)
    def test_parse_faulty_request_to_err_status(self):
        req_id, authn_request = self.client.create_authn_request(destination="http://www.example.com")

        binding = BINDING_HTTP_REDIRECT
        htargs = self.client.apply_binding(binding, "%s" % authn_request, "http://www.example.com", "abcd")
        _dict = parse_qs(htargs["headers"][0][1].split("?")[1])
        print _dict

        try:
            self.server.parse_authn_request(_dict["SAMLRequest"][0], binding)
            status = None
        except OtherError, oe:
            print oe.args
            status = s_utils.error_status_factory(oe)
Example #8
0
    def test_parse_faulty_request_to_err_status(self):
        authn_request = self.client.authn_request(
                            query_id = "id1",
                            destination = "http://www.example.com",
                            service_url = "http://www.example.org",
                            spentityid = "urn:mace:example.com:saml:roland:sp",
                            my_name = "My real name",
                        )

        intermed = s_utils.deflate_and_base64_encode("%s" % authn_request)
        try:
            self.server.parse_authn_request(intermed)
            status = None
        except OtherError, oe:
            print oe.args
            status = s_utils.error_status_factory(oe)
Example #9
0
    def test_parse_faulty_request_to_err_status(self):
        req_id, authn_request = self.client.create_authn_request(
            destination="http://www.example.com")

        binding = BINDING_HTTP_REDIRECT
        htargs = self.client.apply_binding(binding, "%s" % authn_request,
                                           "http://www.example.com", "abcd")
        _dict = parse_qs(htargs["headers"][0][1].split('?')[1])
        print _dict

        try:
            self.server.parse_authn_request(_dict["SAMLRequest"][0], binding)
            status = None
        except OtherError, oe:
            print oe.args
            status = s_utils.error_status_factory(oe)
Example #10
0
    def create_error_response(self, in_response_to, destination, info,
                              sign=False, issuer=None):
        """ Create a error response.
        
        :param in_response_to: The identifier of the message this is a response
            to.
        :param destination: The intended recipient of this message
        :param info: Either an Exception instance or a 2-tuple consisting of
            error code and descriptive text
        :param sign: Whether the response should be signed or not
        :param issuer: The issuer of the response
        :return: A response instance
        """
        status = error_status_factory(info)

        return self._response(in_response_to, destination, status, issuer,
                              sign)
Example #11
0
    def create_error_response(self, in_response_to, destination, info,
                              sign=False, issuer=None, sign_alg=None, digest_alg=None, **kwargs):
        """ Create a error response.

        :param in_response_to: The identifier of the message this is a response
            to.
        :param destination: The intended recipient of this message
        :param info: Either an Exception instance or a 2-tuple consisting of
            error code and descriptive text
        :param sign: Whether the response should be signed or not
        :param issuer: The issuer of the response
        :param kwargs: To capture key,value pairs I don't care about
        :return: A response instance
        """
        status = error_status_factory(info)

        return self._response(in_response_to, destination, status, issuer,
                              sign, sign_alg=sign_alg, digest_alg=digest_alg)
Example #12
0
    def create_error_response(self, in_response_to, destination, info,
                              sign=False, issuer=None, sign_alg=None,
                              digest_alg=None, **kwargs):
        """ Create a error response.

        :param in_response_to: The identifier of the message this is a response
            to.
        :param destination: The intended recipient of this message
        :param info: Either an Exception instance or a 2-tuple consisting of
            error code and descriptive text
        :param sign: Whether the response should be signed or not
        :param issuer: The issuer of the response
        :param kwargs: To capture key,value pairs I don't care about
        :return: A response instance
        """
        status = error_status_factory(info)

        return self._response(in_response_to, destination, status, issuer,
                              sign, sign_alg=sign_alg, digest_alg=digest_alg)
Example #13
0
def do_logout_response(req_info, status=None):
    if status:
        status = s_utils.error_status_factory((status, "Logout failed"))

    return logout_response(req_info, status)
def test_status_from_exception():
    e = utils.UnknownPrincipal("Error resolving principal")
    stat = utils.error_status_factory(e)
    status_text = "%s" % stat
    print status_text
    assert status_text == ERROR_STATUS
Example #15
0
def test_status_from_exception():
    e = utils.UnknownPrincipal("Error resolving principal")
    stat = utils.error_status_factory(e)
    status_text = "%s" % stat
    print status_text
    assert status_text == ERROR_STATUS
Example #16
0
def do_logout_response(req_info, status=None):
    if status:
        status = s_utils.error_status_factory((status, "Logout failed"))

    return logout_response(req_info, status)
Example #17
0
def test_status_from_tuple():
    stat = utils.error_status_factory((samlp.STATUS_UNKNOWN_PRINCIPAL,
                                       'Error resolving principal'))
    status_text = "%s" % stat
    assert status_text in (ERROR_STATUS_NO_HEADER, ERROR_STATUS)
Example #18
0
def test_status_from_tuple_empty_message():
    stat = utils.error_status_factory((samlp.STATUS_UNKNOWN_PRINCIPAL, None))
    status_text = "%s" % stat
    assert status_text in (ERROR_STATUS_EMPTY, ERROR_STATUS_NO_HEADER_EMPTY)
Example #19
0
def test_status_from_tuple_empty_message():
    stat = utils.error_status_factory((samlp.STATUS_UNKNOWN_PRINCIPAL, None))
    status_text = "%s" % stat
    assert status_text in (ERROR_STATUS_EMPTY, ERROR_STATUS_NO_HEADER_EMPTY)
Example #20
0
def test_status_from_tuple():
    stat = utils.error_status_factory(
        (samlp.STATUS_UNKNOWN_PRINCIPAL, 'Error resolving principal'))
    status_text = "%s" % stat
    assert status_text in (ERROR_STATUS_NO_HEADER, ERROR_STATUS)