Exemple #1
0
    def _bearer_confirmed(self, data):
        if not data:
            return False

        if data.address:
            if not valid_address(data.address):
                return False
                # verify that I got it from the correct sender

        # These two will raise exception if untrue
        validate_on_or_after(data.not_on_or_after, self.timeslack)
        validate_before(data.not_before, self.timeslack)

        # not_before must be < not_on_or_after
        if not later_than(data.not_on_or_after, data.not_before):
            return False

        if self.asynchop and self.came_from is None:
            if data.in_response_to:
                if data.in_response_to in self.outstanding_queries:
                    self.came_from = self.outstanding_queries[data.in_response_to]
                    # del self.outstanding_queries[data.in_response_to]
                elif self.allow_unsolicited:
                    pass
                else:
                    # This is where I don't allow unsolicited reponses
                    # Either in_response_to == None or has a value I don't
                    # recognize
                    logger.debug("in response to: '%s'", data.in_response_to)
                    logger.info("outstanding queries: %s", self.outstanding_queries.keys())
                    raise Exception("Combination of session id and requestURI I don't " "recall")
        return True
Exemple #2
0
 def get_subject(self):
     """ The assertion must contain a Subject
     """
     assert self.assertion.subject
     subject = self.assertion.subject
     subjconf = []
     for subject_confirmation in subject.subject_confirmation:
         data = subject_confirmation.subject_confirmation_data
         if not data:
             # I don't know where this belongs so I ignore it
             continue
             
         if data.address:
             if not valid_address(data.address):
                 # ignore this subject_confirmation
                 continue
                 
         # These two will raise exception if untrue
         validate_on_or_after(data.not_on_or_after, self.timeslack)
         validate_before(data.not_before, self.timeslack)
         
         # not_before must be < not_on_or_after
         if not time_util.later_than(data.not_on_or_after, data.not_before):
             continue
         
         if self.asynchop and not self.came_from:
             if data.in_response_to in self.outstanding_queries:
                 self.came_from = self.outstanding_queries[
                                                     data.in_response_to]
                 del self.outstanding_queries[data.in_response_to]
             elif self.allow_unsolicited:
                 pass
             else:
                 # This is where I don't allow unsolicited reponses
                 # Either in_response_to == None or has a value I don't
                 # recognize
                 if self.debug and self.log:
                     self.log.info(
                             "in response to: '%s'" % data.in_response_to)
                     self.log.info("outstanding queries: %s" % \
                                         self.outstanding_queries.keys())
                 raise Exception(
                 "Combination of session id and requestURI I don't recall")
                     
         subjconf.append(subject_confirmation)
         
     if not subjconf:
         raise Exception("No valid subject confirmation")
         
     subject.subject_confirmation = subjconf
     
     # The subject must contain a name_id
     assert subject.name_id
     self.name_id = subject.name_id.text.strip()
     return self.name_id
Exemple #3
0
    def condition_ok(self, lax=False):
        # The Identity Provider MUST include a <saml:Conditions> element
        #print "Conditions",assertion.conditions
        if self.test:
            lax = True
        assert self.assertion.conditions
        condition = self.assertion.conditions

        logger.debug("condition: %s" % condition)

        # if no sub-elements or elements are supplied, then the
        # assertion is considered to be valid.
        if not condition.keyswv():
            return True

        # if both are present NotBefore must be earlier than NotOnOrAfter
        if condition.not_before and condition.not_on_or_after:
            if not later_than(condition.not_on_or_after, condition.not_before):
                return False

        try:
            if condition.not_on_or_after:
                self.not_on_or_after = validate_on_or_after(
                    condition.not_on_or_after, self.timeslack)
            if condition.not_before:
                validate_before(condition.not_before, self.timeslack)
        except Exception, excp:
            logger.error("Exception on condition: %s" % (excp,))
            if not lax:
                raise
            else:
                self.not_on_or_after = 0
Exemple #4
0
    def condition_ok(self, lax=False):
        if not self.assertion.conditions:
            # Conditions is Optional for Assertion, so, if it's absent, then we
            # assume that its valid
            return True

        if self.test:
            lax = True

        conditions = self.assertion.conditions

        logger.debug("conditions: %s", conditions)

        # if no sub-elements or elements are supplied, then the
        # assertion is considered to be valid.
        if not conditions.keyswv():
            return True

        # if both are present NotBefore must be earlier than NotOnOrAfter
        if conditions.not_before and conditions.not_on_or_after:
            if not later_than(conditions.not_on_or_after,
                              conditions.not_before):
                return False

        try:
            if conditions.not_on_or_after:
                self.not_on_or_after = validate_on_or_after(
                    conditions.not_on_or_after, self.timeslack)
            if conditions.not_before:
                validate_before(conditions.not_before, self.timeslack)
        except Exception as excp:
            logger.error("Exception on conditions: %s", excp)
            if not lax:
                raise
            else:
                self.not_on_or_after = 0

        if not self.allow_unsolicited:
            if not for_me(conditions, self.entity_id):
                if not lax:
                    raise Exception("Not for me!!!")

        if conditions.condition:  # extra conditions
            for cond in conditions.condition:
                try:
                    if cond.extension_attributes[
                        XSI_TYPE] in self.extension_schema:
                        pass
                    else:
                        raise Exception("Unknown condition")
                except KeyError:
                    raise Exception("Missing xsi:type specification")

        return True
Exemple #5
0
    def condition_ok(self, lax=False):
        if self.test:
            lax = True

        # The Identity Provider MUST include a <saml:Conditions> element
        assert self.assertion.conditions
        conditions = self.assertion.conditions

        logger.debug("conditions: %s" % conditions)

        # if no sub-elements or elements are supplied, then the
        # assertion is considered to be valid.
        if not conditions.keyswv():
            return True

        # if both are present NotBefore must be earlier than NotOnOrAfter
        if conditions.not_before and conditions.not_on_or_after:
            if not later_than(conditions.not_on_or_after, conditions.not_before):
                return False

        try:
            if conditions.not_on_or_after:
                self.not_on_or_after = validate_on_or_after(conditions.not_on_or_after, self.timeslack)
            if conditions.not_before:
                validate_before(conditions.not_before, self.timeslack)
        except Exception as excp:
            logger.error("Exception on conditions: %s" % (excp,))
            if not lax:
                raise
            else:
                self.not_on_or_after = 0

        if not for_me(conditions, self.entity_id):
            if not lax:
                raise Exception("Not for me!!!")

        if conditions.condition:  # extra conditions
            for cond in conditions.condition:
                try:
                    if cond.extension_attributes[XSI_TYPE] in self.extension_schema:
                        pass
                    else:
                        raise Exception("Unknown condition")
                except KeyError:
                    raise Exception("Missing xsi:type specification")

        return True
Exemple #6
0
    def authn_statement_ok(self, optional=False):
        try:
            # the assertion MUST contain one AuthNStatement
            assert len(self.assertion.authn_statement) == 1
        except AssertionError:
            if optional:
                return True
            else:
                raise

        authn_statement = self.assertion.authn_statement[0]
        if authn_statement.session_not_on_or_after:
            if validate_on_or_after(authn_statement.session_not_on_or_after, self.timeslack):
                self.session_not_on_or_after = calendar.timegm(
                    time_util.str_to_time(authn_statement.session_not_on_or_after)
                )
            else:
                return False
        return True
Exemple #7
0
 def condition_ok(self, lax=False):
     # The Identity Provider MUST include a <saml:Conditions> element
     #print "Conditions",assertion.conditions
     if self.test:
         lax = True
     assert self.assertion.conditions
     condition = self.assertion.conditions
     logger.debug("condition: %s" % condition)
     
     try:
         self.not_on_or_after = validate_on_or_after(
                                                 condition.not_on_or_after,
                                                 self.timeslack)
         validate_before(condition.not_before, self.timeslack)
     except Exception, excp:
         logger.error("Exception on condition: %s" % (excp,))
         if not lax:
             raise
         else:
             self.not_on_or_after = 0
Exemple #8
0
    def authn_statement_ok(self, optional=False):
        try:
            # the assertion MUST contain one AuthNStatement
            assert len(self.assertion.authn_statement) == 1
        except AssertionError:
            if optional:
                return True
            else:
                logger.error("No AuthnStatement")
                raise

        authn_statement = self.assertion.authn_statement[0]
        if authn_statement.session_not_on_or_after:
            if validate_on_or_after(authn_statement.session_not_on_or_after,
                                    self.timeslack):
                self.session_not_on_or_after = calendar.timegm(
                    time_util.str_to_time(
                        authn_statement.session_not_on_or_after))
            else:
                return False
        return True