def test_filter_values_req_opt_2():
r = [
to_dict(
Attribute(
friendly_name="surName",
name="urn:oid:2.5.4.4",
name_format="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"),
ONTS),
to_dict(
Attribute(
friendly_name="givenName",
name="urn:oid:2.5.4.42",
name_format="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"),
ONTS),
to_dict(
Attribute(
friendly_name="mail",
name="urn:oid:0.9.2342.19200300.100.1.3",
name_format="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"),
ONTS)]
o = [
to_dict(
Attribute(
friendly_name="title",
name="urn:oid:2.5.4.12",
name_format="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"),
ONTS)]
ava = {"surname": ["Hedberg"], "givenName": ["Roland"],
"eduPersonAffiliation": ["staff"], "uid": ["rohe0002"]}
raises(MissingValue, "filter_on_attributes(ava, r, o)")
def test_filter_values_req_opt_4():
r = [
Attribute(
friendly_name="surName",
name="urn:oid:2.5.4.4",
name_format="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"),
Attribute(
friendly_name="givenName",
name="urn:oid:2.5.4.42",
name_format="urn:oasis:names:tc:SAML:2.0:attrname-format:uri")
]
o = [
Attribute(
friendly_name="title",
name="urn:oid:2.5.4.12",
name_format="urn:oasis:names:tc:SAML:2.0:attrname-format:uri")
]
acs = attribute_converter.ac_factory(full_path("attributemaps"))
rava = attribute_converter.list_to_local(acs, r)
oava = attribute_converter.list_to_local(acs, o)
ava = {
"sn": ["Hedberg"],
"givenName": ["Roland"],
"eduPersonAffiliation": ["staff"],
"uid": ["rohe0002"]
}
ava = assertion.filter_on_demands(ava, rava, oava)
print(ava)
assert _eq(sorted(list(ava.keys())), ['givenName', 'sn'])
assert ava == {'givenName': ['Roland'], 'sn': ['Hedberg']}
def test_filter_on_wire_representation_2():
r = [
Attribute(
friendly_name="surName",
name="urn:oid:2.5.4.4",
name_format="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"),
Attribute(
friendly_name="givenName",
name="urn:oid:2.5.4.42",
name_format="urn:oasis:names:tc:SAML:2.0:attrname-format:uri")
]
o = [
Attribute(
friendly_name="title",
name="urn:oid:2.5.4.12",
name_format="urn:oasis:names:tc:SAML:2.0:attrname-format:uri")
]
acs = attribute_converter.ac_factory(full_path("attributemaps"))
ava = {
"sn": ["Hedberg"],
"givenname": ["Roland"],
"title": ["Master"],
"uid": ["rohe0002"]
}
ava = assertion.filter_on_wire_representation(ava, acs, r, o)
assert _eq(sorted(list(ava.keys())), ["givenname", "sn", "title"])
def test_make_vals_multi_dict(self):
ava = ["foo", "bar", "lions", "saints"]
raises(Exception, "saml2.make_vals(ava, AttributeValue, Attribute(), part=True)")
attr = Attribute()
saml2.make_vals(ava, AttributeValue, attr, prop="attribute_value")
assert sorted(attr.keyswv()) == sorted(["name_format", "attribute_value"])
assert len(attr.attribute_value) == 4
def test_filter_values_req_2():
a1 = to_dict(Attribute(name="urn:oid:2.5.4.5", name_format=NAME_FORMAT_URI,
friendly_name="serialNumber"), ONTS)
a2 = to_dict(Attribute(name="urn:oid:2.5.4.4", name_format=NAME_FORMAT_URI,
friendly_name="surName"), ONTS)
required = [a1, a2]
ava = {"serialNumber": ["12345"], "givenName": ["Lars"]}
raises(MissingValue, filter_on_attributes, ava, required)
def test_filter_values_req_opt_0():
r = to_dict(
Attribute(name="urn:oid:2.5.4.5", name_format=NAME_FORMAT_URI,
friendly_name="serialNumber",
attribute_value=[AttributeValue(text="54321")]), ONTS)
o = to_dict(
Attribute(name="urn:oid:2.5.4.5", name_format=NAME_FORMAT_URI,
friendly_name="serialNumber",
attribute_value=[AttributeValue(text="12345")]), ONTS)
ava = {"serialNumber": ["12345", "54321"]}
ava = filter_on_attributes(ava, [r], [o])
assert list(ava.keys()) == ["serialNumber"]
assert _eq(ava["serialNumber"], ["12345", "54321"])
def test_filter_on_attributes_without_friendly_name():
ava = {"eduPersonTargetedID": "*****@*****.**",
"eduPersonAffiliation": "test",
"extra": "foo"}
eptid = to_dict(
Attribute(name="urn:oid:1.3.6.1.4.1.5923.1.1.1.11",
name_format=NAME_FORMAT_URI), ONTS)
ep_affiliation = to_dict(
Attribute(name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1",
name_format=NAME_FORMAT_URI), ONTS)
restricted_ava = filter_on_attributes(ava, required=[eptid],
optional=[ep_affiliation],
acs=ac_factory())
assert restricted_ava == {"eduPersonTargetedID": "*****@*****.**",
"eduPersonAffiliation": "test"}
def do_aa_descriptor(conf, cert):
aad = md.AttributeAuthorityDescriptor()
aad.protocol_support_enumeration = samlp.NAMESPACE
endps = conf.getattr("endpoints", "aa")
if endps:
for (endpoint, instlist) in do_endpoints(endps,
ENDPOINTS["aa"]).items():
setattr(aad, endpoint, instlist)
_do_nameid_format(aad, conf, "aa")
if cert:
aad.key_descriptor = do_key_descriptor(cert)
attributes = conf.getattr("attribute", "aa")
if attributes:
for attribute in attributes:
aad.attribute.append(Attribute(text=attribute))
attribute_profiles = conf.getattr("attribute_profile", "aa")
if attribute_profiles:
for attribute_profile in attribute_profiles:
aad.attribute.append(AttributeProfile(text=attribute_profile))
return aad
def test_identity_attribute_4():
a = Attribute(name="urn:oid:2.5.4.5", name_format=NAME_FORMAT_URI,
friendly_name="serialNumber")
assert utils.identity_attribute("name", a) == "urn:oid:2.5.4.5"
# if there would be a map it would be serialNumber
assert utils.identity_attribute("friendly", a) == "serialNumber"
def test_filter_on_attributes_with_missing_optional_attribute():
ava = {"extra": "foo"}
eptid = to_dict(
Attribute(friendly_name="eduPersonTargetedID",
name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10",
name_format=NAME_FORMAT_URI), ONTS)
assert filter_on_attributes(ava, optional=[eptid], acs=ac_factory()) == {}
def test_identity_attribute_1():
(forward,
backward) = utils.parse_attribute_map([full_path("attribute.map")])
a = Attribute(name="urn:oid:2.5.4.4", name_format=NAME_FORMAT_URI)
assert utils.identity_attribute("name", a, forward) == "urn:oid:2.5.4.4"
assert utils.identity_attribute("friendly", a, forward) == "surName"
def test_identity_attribute_2():
(forward, backward) = utils.parse_attribute_map(["attribute.map"])
a = Attribute(name="urn:oid:2.5.4.5", name_format=NAME_FORMAT_URI)
assert utils.identity_attribute("name", a, forward) == "urn:oid:2.5.4.5"
# if there would be a map it would be serialNumber
assert utils.identity_attribute("friendly", a,
forward) == "urn:oid:2.5.4.5"
def test_filter_on_attributes_with_missing_required_attribute():
ava = {"extra": "foo"}
eptid = to_dict(
Attribute(friendly_name="eduPersonTargetedID",
name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10",
name_format=NAME_FORMAT_URI), ONTS)
with raises(MissingValue):
filter_on_attributes(ava, required=[eptid], acs=ac_factory())
def entity_descriptor(confd):
mycert = None
enc_cert = None
if confd.cert_file is not None:
mycert = []
mycert.append("".join(open(confd.cert_file).readlines()[1:-1]))
if confd.additional_cert_files is not None:
for _cert_file in confd.additional_cert_files:
mycert.append("".join(open(_cert_file).readlines()[1:-1]))
if confd.encryption_keypairs is not None:
enc_cert = []
for _encryption in confd.encryption_keypairs:
enc_cert.append("".join(
open(_encryption["cert_file"]).readlines()[1:-1]))
entd = md.EntityDescriptor()
entd.entity_id = confd.entityid
if confd.valid_for:
entd.valid_until = in_a_while(hours=int(confd.valid_for))
if confd.organization is not None:
entd.organization = do_organization_info(confd.organization)
if confd.contact_person is not None:
entd.contact_person = do_contact_person_info(confd.contact_person)
if confd.entity_category:
entd.extensions = md.Extensions()
ava = [AttributeValue(text=c) for c in confd.entity_category]
attr = Attribute(attribute_value=ava,
name="http://macedir.org/entity-category")
item = mdattr.EntityAttributes(attribute=attr)
entd.extensions.add_extension_element(item)
serves = confd.serves
if not serves:
raise SAMLError(
'No service type ("sp","idp","aa") provided in the configuration')
if "sp" in serves:
confd.context = "sp"
entd.spsso_descriptor = do_spsso_descriptor(confd, mycert, enc_cert)
if "idp" in serves:
confd.context = "idp"
entd.idpsso_descriptor = do_idpsso_descriptor(confd, mycert, enc_cert)
if "aa" in serves:
confd.context = "aa"
entd.attribute_authority_descriptor = do_aa_descriptor(
confd, mycert, enc_cert)
if "pdp" in serves:
confd.context = "pdp"
entd.pdp_descriptor = do_pdp_descriptor(confd, mycert, enc_cert)
if "aq" in serves:
confd.context = "aq"
entd.authn_authority_descriptor = do_aq_descriptor(
confd, mycert, enc_cert)
return entd
def test_filter_on_attributes_with_missing_name_format():
ava = {"eduPersonTargetedID": "*****@*****.**",
"eduPersonAffiliation": "test",
"extra": "foo"}
eptid = to_dict(Attribute(friendly_name="eduPersonTargetedID",
name="urn:myown:eptid",
name_format=''), ONTS)
ava = filter_on_attributes(ava, optional=[eptid], acs=ac_factory())
assert ava['eduPersonTargetedID'] == "*****@*****.**"
def test_filter_on_attributes_2():
a = to_dict(Attribute(friendly_name="surName",name="urn:oid:2.5.4.4",
name_format=NAME_FORMAT_URI), ONTS)
required = [a]
ava = {"sn":["kakavas"]}
ava = filter_on_attributes(ava,required,acs=ac_factory())
assert list(ava.keys()) == ['sn']
assert ava["sn"] == ["kakavas"]
def test_filter_on_attributes_1():
a = to_dict(Attribute(name="urn:oid:2.5.4.5", name_format=NAME_FORMAT_URI,
friendly_name="serialNumber"), ONTS)
required = [a]
ava = {"serialNumber": ["12345"], "givenName": ["Lars"]}
ava = filter_on_attributes(ava, required)
assert list(ava.keys()) == ["serialNumber"]
assert ava["serialNumber"] == ["12345"]
def test_filter_values_req_4():
a = to_dict(
Attribute(name="urn:oid:2.5.4.5", name_format=NAME_FORMAT_URI,
friendly_name="serialNumber",
attribute_value=[AttributeValue(text="54321")]), ONTS)
required = [a]
ava = {"serialNumber": ["12345"]}
raises(MissingValue, filter_on_attributes, ava, required)
def handle_metadata_save(self, environ, start_response, qs):
"""
Takes the input for the page metadata.mako.
Encrypts entity id and secret information for the social services.
Creates the partial xml to be added to the metadata for the service
provider.
:param environ: wsgi enviroment
:param start_response: wsgi start respons
:param qs: Query parameters in a dictionary.
:return: wsgi response for the mako file metadatasave.mako.
"""
resp = Response(mako_template="metadatasave.mako",
template_lookup=self.lookup,
headers=[])
if "entityId" not in qs or "secret" not in qs:
xml = ("Xml could not be generated because no entityId or secret"
"has been sent to the service.")
_logger.warning(xml)
else:
try:
secret_data = json.dumps({
"entityId": json.loads(qs["entityId"]),
"secret": json.loads(qs["secret"])
})
# create a JWE
jwe = JWE(secret_data, alg=self.alg, enc=self.enc)
secret_data_encrypted = jwe.encrypt([self.key])
val = AttributeValue()
val.set_text(secret_data_encrypted)
attr = Attribute(name_format=NAME_FORMAT_URI,
name="http://social2saml.nordu.net/customer",
attribute_value=[val])
eattr = mdattr.EntityAttributes(attribute=[attr])
nspair = {
"mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
"samla": "urn:oasis:names:tc:SAML:2.0:assertion",
}
xml = eattr.to_string(nspair)
xml_list = xml.split("\n", 1)
if len(xml_list) == 2:
xml = xml_list[1]
except Exception:
_logger.fatal('Unknown error in handle_metadata_save.',
exc_info=True)
xml = "Xml could not be generated."
argv = {
"home": CONST_METADATA,
"action": CONST_METADATAVERIFY,
"xml": xml
}
return resp(environ, start_response, **argv)
def test_filter_on_attributes_0():
a = Attribute(name="urn:oid:2.5.4.5",
name_format=NAME_FORMAT_URI,
friendly_name="serialNumber")
required = [a]
ava = {"serialNumber": ["12345"]}
ava = filter_on_attributes(ava, required)
assert ava.keys() == ["serialNumber"]
assert ava["serialNumber"] == ["12345"]
def test_filter_values_req_6():
a = to_dict(
Attribute(name="urn:oid:2.5.4.5", name_format=NAME_FORMAT_URI,
friendly_name="serialNumber",
attribute_value=[AttributeValue(text="54321")]), ONTS)
required = [a]
ava = {"serialNumber": ["12345", "54321"]}
ava = filter_on_attributes(ava, required)
assert list(ava.keys()) == ["serialNumber"]
assert ava["serialNumber"] == ["54321"]
#!/usr/bin/env python
__author__ = 'rohe0002'
import sys
from saml2.extension import mdattr
from saml2.saml import Attribute
from saml2.saml import AttributeValue
consumer = sys.stdin.read()
val = AttributeValue()
val.set_text(consumer)
attr = Attribute(name_format="urn:oasis:names:tc:SAML:2.0:attrname-format:uri",
name="http://social2saml.nordu.net/customer",
attribute_value=[val])
eattr = mdattr.EntityAttributes(attribute=[attr])
nspair = {
"mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
"samla": "urn:oasis:names:tc:SAML:2.0:assertion"
}
print eattr.to_string(nspair)
def test_attribute_producer_should_default_to_uri():
attr = Attribute()
assert attr.name_format == NAME_FORMAT_URI
def entity_descriptor(confd):
mycert = None
enc_cert = None
if confd.cert_file is not None:
mycert = []
mycert.append("".join(read_cert(confd.cert_file)))
if confd.additional_cert_files is not None:
for _cert_file in confd.additional_cert_files:
mycert.append("".join(read_cert(_cert_file)))
if confd.encryption_keypairs is not None:
enc_cert = []
for _encryption in confd.encryption_keypairs:
enc_cert.append("".join(read_cert(_encryption["cert_file"])))
entd = md.EntityDescriptor()
entd.entity_id = confd.entityid
if confd.valid_for:
entd.valid_until = in_a_while(hours=int(confd.valid_for))
if confd.organization is not None:
entd.organization = do_organization_info(confd.organization)
if confd.contact_person is not None:
entd.contact_person = do_contact_persons_info(confd.contact_person)
if confd.assurance_certification:
if not entd.extensions:
entd.extensions = md.Extensions()
ava = [AttributeValue(text=c) for c in confd.assurance_certification]
attr = Attribute(
attribute_value=ava,
name="urn:oasis:names:tc:SAML:attribute:assurance-certification",
)
_add_attr_to_entity_attributes(entd.extensions, attr)
if confd.entity_category:
if not entd.extensions:
entd.extensions = md.Extensions()
ava = [AttributeValue(text=c) for c in confd.entity_category]
attr = Attribute(
attribute_value=ava, name="http://macedir.org/entity-category"
)
_add_attr_to_entity_attributes(entd.extensions, attr)
if confd.entity_category_support:
if not entd.extensions:
entd.extensions = md.Extensions()
ava = [AttributeValue(text=c) for c in confd.entity_category_support]
attr = Attribute(
attribute_value=ava, name="http://macedir.org/entity-category-support"
)
_add_attr_to_entity_attributes(entd.extensions, attr)
for item in algorithm_support_in_metadata(confd.xmlsec_binary):
if not entd.extensions:
entd.extensions = md.Extensions()
entd.extensions.add_extension_element(item)
conf_sp_type = confd.getattr('sp_type', 'sp')
conf_sp_type_in_md = confd.getattr('sp_type_in_metadata', 'sp')
if conf_sp_type and conf_sp_type_in_md is True:
if not entd.extensions:
entd.extensions = md.Extensions()
item = sp_type.SPType(text=conf_sp_type)
entd.extensions.add_extension_element(item)
serves = confd.serves
if not serves:
raise SAMLError(
'No service type ("sp","idp","aa") provided in the configuration')
if "sp" in serves:
confd.context = "sp"
entd.spsso_descriptor = do_spsso_descriptor(confd, mycert, enc_cert)
if "idp" in serves:
confd.context = "idp"
entd.idpsso_descriptor = do_idpsso_descriptor(confd, mycert, enc_cert)
if "aa" in serves:
confd.context = "aa"
entd.attribute_authority_descriptor = do_aa_descriptor(confd, mycert,
enc_cert)
if "pdp" in serves:
confd.context = "pdp"
entd.pdp_descriptor = do_pdp_descriptor(confd, mycert, enc_cert)
if "aq" in serves:
confd.context = "aq"
entd.authn_authority_descriptor = do_aq_descriptor(confd, mycert,
enc_cert)
return entd
def login(self):
"""
Login endpoint (verify user credentials)
"""
def from_session(key):
return session[key] if key in session else None
key = from_session('request_key')
relay_state = from_session('relay_state')
self.app.logger.debug('Request key: {}'.format(key))
if key and key in self.ticket:
authn_request = self.ticket[key]
message = authn_request.message
sp_id = message.issuer.text
destination = self.get_destination(authn_request, sp_id)
authn_context = message.requested_authn_context
spid_level = authn_context.authn_context_class_ref[0].text
authn_info = self.authn_broker.pick(authn_context)
callback, reference = authn_info[0]
if request.method == 'GET':
# inject extra data in form login based on spid level
extra_challenge = callback(**{'key': key})
rendered_form = render_template(
'login.html', **{
'action': url_for('login'),
'request_key': key,
'relay_state': relay_state,
'extra_challenge': extra_challenge
})
return rendered_form, 200
if 'confirm' in request.form:
# verify optional challenge based on spid level
verified = callback(verify=True,
**{
'key': key,
'data': request.form
})
if verified:
# verify user credentials
user_id, user = self.user_manager.get(
request.form['username'], request.form['password'],
sp_id)
if user_id is not None:
# setup response
identity = user['attrs'].copy()
AUTHN = {
"class_ref": spid_level,
"authn_auth": spid_level
}
self.app.logger.debug(
'Unfiltered data: {}'.format(identity))
atcs_idx = message.attribute_consuming_service_index
self.app.logger.debug(
'attribute_consuming_service_index: {}'.format(
atcs_idx))
if atcs_idx:
attrs = self.server.wants(sp_id, atcs_idx)
required = [
Attribute(name=el.get('name'),
friendly_name=None,
name_format=NAME_FORMAT_BASIC)
for el in attrs.get('required')
]
optional = [
Attribute(name=el.get('name'),
friendly_name=None,
name_format=NAME_FORMAT_BASIC)
for el in attrs.get('optional')
]
acs = ac_factory(
'./testenv/attributemaps',
**{'override_types': self._all_attributes})
rava = list_to_local(acs, required)
oava = list_to_local(acs, optional)
else:
rava = {}
oava = {}
self.app.logger.debug(
'Required attributes: {}'.format(rava))
self.app.logger.debug(
'Optional attributes: {}'.format(oava))
identity = filter_on_demands(identity, rava, oava)
self.app.logger.debug(
'Filtered data: {}'.format(identity))
_data = dict(identity=identity,
userid=user_id,
in_response_to=message.id,
destination=destination,
sp_entity_id=sp_id,
authn=AUTHN,
issuer=self.server.config.entityid,
sign_alg=SIGN_ALG,
digest_alg=DIGEST_ALG,
sign_assertion=True,
release_policy=SpidPolicy(restrictions={
'default': {
'name_form': NAME_FORMAT_BASIC,
}
},
index=atcs_idx))
response = self.server.create_authn_response(**_data)
self.app.logger.debug(
'Response: \n{}'.format(response))
http_args = self.server.apply_binding(
BINDING_HTTP_POST,
response,
destination,
response=True,
sign=True,
relay_state=relay_state)
# Setup confirmation page data
self.responses[key] = http_args['data']
rendered_response = render_template(
'confirm.html', **{
'destination_service':
sp_id,
'lines':
escape(prettify_xml(response)).splitlines(),
'attrs':
identity.keys(),
'action':
'/continue-response',
'request_key':
key
})
return rendered_response, 200
elif 'delete' in request.form:
error_response = self.server.create_error_response(
in_response_to=authn_request.message.id,
destination=destination,
info=get_spid_error(AUTH_NO_CONSENT))
self.app.logger.debug('Error response: \n{}'.format(
prettify_xml(str(error_response))))
http_args = self.server.apply_binding(BINDING_HTTP_POST,
error_response,
destination,
response=True,
sign=True,
relay_state=relay_state)
del self.ticket[key]
return http_args['data'], 200
return render_template('403.html'), 403
