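def openid_url(self, **kwargs):
    """Perform XRDS discovery against ``self.XRDS_URL`` and return the OpenID endpoint URL.

    The keyword arguments become the query string of the discovery request;
    ``hd`` is always overwritten with ``self.domain_name``.

    Returns:
        The highest-priority URI of the first service whose type URIs include
        ``self.OPENID_ENDPOINT_TYPE``. ``LOGIN_ERROR_URL`` when the response
        status is not 200, when no service matches, or when the matching
        service lists no URIs at all.

    Raises:
        Whatever ``urlopen`` raises on a transport failure, and
        ``etxrd.XRDSError`` when the body does not parse as an XRDS document;
        neither is caught here.
    """
    kwargs['hd'] = self.domain_name
    url = self.XRDS_URL + '?' + urlencode(kwargs)
    response = urlopen(url)
    try:
        status = response.code
        data = response.read()
    finally:
        # The response was previously left open; always release the connection.
        response.close()
    if status != 200:
        return LOGIN_ERROR_URL
    xrd = etxrd.parseXRDS(data)
    for service in etxrd.iterServices(xrd):
        if self.OPENID_ENDPOINT_TYPE not in etxrd.getTypeURIs(service):
            continue
        uris = etxrd.sortedURIs(service)
        # A matching <Service> with no <URI> children used to raise IndexError
        # on the [0] index; skip it and keep looking instead.
        if uris:
            return uris[0]
    return LOGIN_ERROR_URL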
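def openid_url(self, **kwargs):
    """Perform XRDS discovery against ``self.XRDS_URL`` and return the OpenID endpoint URL.

    The keyword arguments become the query string of the discovery request;
    ``hd`` is always overwritten with ``self.domain_name``.

    Returns:
        The highest-priority URI of the first service whose type URIs include
        ``self.OPENID_ENDPOINT_TYPE``. ``LOGIN_ERROR_URL`` when the response
        status is not 200, when no service matches, or when the matching
        service lists no URIs at all.

    Raises:
        Whatever ``urlopen`` raises on a transport failure, and
        ``etxrd.XRDSError`` when the body does not parse as an XRDS document;
        neither is caught here.
    """
    kwargs["hd"] = self.domain_name
    url = self.XRDS_URL + "?" + urlencode(kwargs)
    response = urlopen(url)
    try:
        status = response.code
        data = response.read()
    finally:
        # The response was previously left open; always release the connection.
        response.close()
    if status != 200:
        return LOGIN_ERROR_URL
    xrd = etxrd.parseXRDS(data)
    for service in etxrd.iterServices(xrd):
        if self.OPENID_ENDPOINT_TYPE not in etxrd.getTypeURIs(service):
            continue
        uris = etxrd.sortedURIs(service)
        # A matching <Service> with no <URI> children used to raise IndexError
        # on the [0] index; skip it and keep looking instead.
        if uris:
            return uris[0]
    return LOGIN_ERROR_URL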
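def query(self, xri, service_types):
    """Resolve some services for an XRI.

    Note: I don't implement any service endpoint selection beyond
    what the resolver I'm querying does, so the Services I return may
    well include Services that were not of the types you asked for.

    May raise fetchers.HTTPFetchingError or L{etxrd.XRDSError} if
    the fetching or parsing don't go so well.

    @param xri: An XRI to resolve.
    @type xri: unicode

    @param service_types: A list of services types to query for.  Service
        types are URIs.
    @type service_types: list of str

    @returns: tuple of (CanonicalID, Service elements)
    @returntype: (unicode, list of C{ElementTree.Element}s)
    """
    # FIXME: No test coverage!
    services = []
    # Make a separate request to the proxy resolver for each service
    # type, as, if it is following Refs, it could return a different
    # XRDS for each.
    canonicalID = None
    for service_type in service_types:
        url = self.queryURL(xri, service_type)
        # Raw string: "i\.mydocomo\.com" as a plain literal is an invalid
        # escape sequence (DeprecationWarning on Python 3.6+).
        # NOTE(review): this is a substring match over the whole URL, not a
        # check of its host component, so any resolver URL that merely
        # contains the text is relayed. The relay below carries a hard-coded
        # key in source, goes over plain HTTP, and appends `url` without
        # percent-encoding, so any '&' or '#' in it ends the uri parameter
        # early. Move the key to configuration and encode the parameter
        # before depending on this path.
        if re.search(r"i\.mydocomo\.com", url):
            url = 'http://m.calil.jp/proxy.php?key=sdv62x23&uri=' + url
        response = fetchers.fetch(url)
        if response.status != 200:
            # XXX: sucks to fail silently.
            # print "response not OK:", response
            continue
        et = etxrd.parseXRDS(response.body)
        canonicalID = etxrd.getCanonicalID(xri, et)
        services.extend(iterServices(et))
    # TODO:
    #  * If we do get hits for multiple service_types, we're almost
    #    certainly going to have duplicated service entries and
    #    broken priority ordering.
    return canonicalID, services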
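def test_xxe(self):
    """parseXRDS must not resolve external entities (XXE).

    Writes a marker to a temporary file, references that file from the
    DOCTYPE of an otherwise valid XRDS document, and asserts the marker
    does not appear in the parsed tree.
    """
    xxe_content = b'XXE CONTENT'
    fd, tmp_file = tempfile.mkstemp()
    try:
        # mkstemp() hands back an already-open descriptor; it used to be
        # discarded, leaking one fd per run. Write through it and let the
        # context manager close it.
        with os.fdopen(fd, 'wb') as xxe_file:
            xxe_file.write(xxe_content)
        # XXE example from Testing for XML Injection (OTG-INPVAL-008)
        # https://www.owasp.org/index.php/Testing_for_XML_Injection_(OTG-INPVAL-008)
        xml = ('<?xml version="1.0" encoding="ISO-8859-1"?>'
               '<!DOCTYPE foo ['
               '<!ELEMENT foo ANY >'
               '<!ENTITY xxe SYSTEM "file://%s" >]>'
               '<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">&xxe;</xrds:XRDS>')
        xml = xml % tmp_file
        # NOTE(review): a parser that rejects the DOCTYPE outright surfaces
        # here as an exception rather than a pass; tighten if that is the
        # intended behaviour.
        tree = etxrd.parseXRDS(xml.encode('utf-8'))
        self.assertNotIn(xxe_content, etree.tostring(tree))
    finally:
        os.remove(tmp_file)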
def query(self, xri, service_types):
    """Resolve some services for an XRI.

    Note: I don't implement any service endpoint selection beyond
    what the resolver I'm querying does, so the Services I return may
    well include Services that were not of the types you asked for.

    May raise fetchers.HTTPFetchingError or L{etxrd.XRDSError} if
    the fetching or parsing don't go so well.

    @param xri: An XRI to resolve.
    @type xri: unicode

    @param service_types: A list of services types to query for.  Service
        types are URIs.
    @type service_types: list of str

    @returns: tuple of (CanonicalID, Service elements)
    @returntype: (unicode, list of C{ElementTree.Element}s)
    """
    # FIXME: No test coverage!
    canonicalID = None
    collected = []
    # One request per service type: a resolver that follows Refs may hand
    # back a different XRDS for each type, so they cannot be fetched at once.
    for requested_type in service_types:
        response = fetchers.fetch(self.queryURL(xri, requested_type))
        if response.status != 200:
            # XXX: sucks to fail silently.
            # print "response not OK:", response
            continue
        document = etxrd.parseXRDS(response.body)
        canonicalID = etxrd.getCanonicalID(xri, document)
        collected.extend(iterServices(document))
    # TODO:
    #  * If we do get hits for multiple service_types, we're almost
    #    certainly going to have duplicated service entries and
    #    broken priority ordering.
    return canonicalID, collected
def applyFilter(normalized_uri, xrd_data, flt=None):
    """Return the list of endpoint objects a filter extracts from an XRDS document.

    The inputs are normally the outcome of running the Yadis protocol.

    @param normalized_uri: The input URL, after following redirects, as in
        the Yadis protocol.

    @param xrd_data: The XML text of the XRDS file fetched from the
        normalized URI.
    @type xrd_data: six.binary_type

    @param flt: Filter specification handed to mkFilter(); None selects
        the default filter.
    """
    endpoint_filter = mkFilter(flt)
    document = parseXRDS(xrd_data)
    return [
        endpoint
        for service_element in iterServices(document)
        for endpoint in endpoint_filter.getServiceEndpoints(normalized_uri, service_element)
    ]
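def test_xxe(self):
    """parseXRDS must not resolve external entities (XXE).

    Writes a marker to a temporary file, references that file from the
    DOCTYPE of an otherwise valid XRDS document, and asserts the marker
    does not appear in the parsed tree.
    """
    xxe_content = b'XXE CONTENT'
    fd, tmp_file = tempfile.mkstemp()
    try:
        # mkstemp() hands back an already-open descriptor; it used to be
        # discarded, leaking one fd per run. Write through it and let the
        # context manager close it.
        with os.fdopen(fd, 'wb') as xxe_file:
            xxe_file.write(xxe_content)
        # XXE example from Testing for XML Injection (OTG-INPVAL-008)
        # https://www.owasp.org/index.php/Testing_for_XML_Injection_(OTG-INPVAL-008)
        xml = (
            '<?xml version="1.0" encoding="ISO-8859-1"?>'
            '<!DOCTYPE foo ['
            '<!ELEMENT foo ANY >'
            '<!ENTITY xxe SYSTEM "file://%s" >]>'
            '<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">&xxe;</xrds:XRDS>'
        )
        xml = xml % tmp_file
        # NOTE(review): a parser that rejects the DOCTYPE outright surfaces
        # here as an exception rather than a pass; tighten if that is the
        # intended behaviour.
        tree = etxrd.parseXRDS(xml.encode('utf-8'))
        self.assertNotIn(xxe_content, etree.tostring(tree))
    finally:
        os.remove(tmp_file)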
def test(self):
    """Parse the XRDS fixture and check the CanonicalID resolved for the i-name.

    ``filename``, ``iname`` and ``expectedID`` come from the enclosing scope
    (presumably a test-generation loop; confirm against the caller).
    """
    with open(filename, 'rb') as fixture:
        raw = fixture.read()
    parsed = etxrd.parseXRDS(raw)
    self._getCanonicalID(iname, parsed, expectedID)
def test_invalid_xml(self):
    """Input that is not well-formed XML is rejected with XRDSError and a parse message."""
    with self.assertRaises(etxrd.XRDSError) as caught:
        etxrd.parseXRDS('<')
    six.assertRegex(self, str(caught.exception), 'Error parsing document as XML')
def test_not_xrds(self):
    """Well-formed XML whose root is not <xrds:XRDS> is rejected with XRDSError."""
    with self.assertRaises(etxrd.XRDSError) as caught:
        etxrd.parseXRDS('<not_xrds />')
    six.assertRegex(self, str(caught.exception), 'Not an XRDS document')
def test_minimal_xrds(self):
    """An empty <xrds:XRDS> root parses to an ElementTree matching the plain XML."""
    minimal = '<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)"></xrds:XRDS>'
    parsed = etxrd.parseXRDS(minimal)
    expected_type = type(etree.ElementTree())
    self.assertIsInstance(parsed, expected_type)
    self.assertXmlEqual(parsed.getroot(), etree.XML(minimal))
def test(self):
    """Parse the XRDS fixture and check the CanonicalID resolved for the i-name.

    ``filename``, ``iname`` and ``expectedID`` come from the enclosing scope
    (presumably a test-generation loop; confirm against the caller).
    """
    with open(filename, 'rb') as fixture:
        raw = fixture.read()
    parsed = etxrd.parseXRDS(raw)
    self._getCanonicalID(iname, parsed, expectedID)
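def test(self):
    """Parse the XRDS fixture and check the CanonicalID resolved for the i-name.

    ``filename``, ``iname`` and ``expectedID`` come from the enclosing scope
    (presumably a test-generation loop; confirm against the caller).
    """
    # file() is a Python 2-only builtin and the handle was never closed.
    # Open with a context manager in binary mode: parseXRDS takes bytes,
    # and on POSIX this reads the same bytes the old default mode did.
    with open(filename, 'rb') as fixture:
        xrds = etxrd.parseXRDS(fixture.read())
    self._getCanonicalID(iname, xrds, expectedID)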
def test(self):
    """Parse the XRDS fixture and check the CanonicalID resolved for the i-name.

    ``filename``, ``iname`` and ``expectedID`` come from the enclosing scope
    (presumably a test-generation loop; confirm against the caller).
    """
    with open(filename) as fixture:
        raw = fixture.read()
    parsed = etxrd.parseXRDS(raw)
    self._getCanonicalID(iname, parsed, expectedID)